CRYPTOGRAPHIC HARDNESS
OTHER FUNCTIONALITIES
Andrej Bogdanov, Chinese University of Hong Kong
MACS Foundations of Cryptography| January 2016
K-to-one functions
Say f is K-to-1 if for every y, |f^{-1}(y)| = K
Complexity of the proof system grows linearly in K; when, say, K = 2^{n/2} this is exponential in n
Can we do better?
INTERACTIVE PROOFS
Graph isomorphism
[figure: two graphs, G0 is isomorphic to G1]
Claim:
Proof:
Graph non-isomorphism
[figure: two graphs, G0 is not isomorphic to G1]
Claim:
Interactive proof:
Verifier: Choose a random bit b and a random permutation p; send the graph G = p(G_b)
Prover: Answer with a bit b'
Verifier: If b' = b, declare "probably not isomorphic"
Graph non-isomorphism
Analysis: If G0, G1 are not isomorphic, the prover knows for sure which G_b the graph G came from, so he can answer b. If G0, G1 are isomorphic, G is equally likely to have come from G0 or G1, so he can only guess b, succeeding with probability 1/2.
Is there a classical proof system for graph non-isomorphism?
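The non-isomorphism protocol above, as an added worked example (not code from the lecture): the verifier relabels a secretly chosen G_b, and the unbounded prover answers by brute-force isomorphism testing. The three 5-vertex sample graphs are constructed for this example; repeating the round drives a cheating prover's success probability to 2^{-rounds}.

```python
import itertools
import random

N = 5  # number of vertices in the constructed sample graphs

def graph(edge_list):
    """A graph on vertices 0..N-1 as a frozenset of 2-element frozensets."""
    return frozenset(frozenset(e) for e in edge_list)

# Constructed sample inputs (not from the lecture), each with 5 vertices and 5 edges:
#   C5: a 5-cycle; BULL: a triangle plus two pendant vertices (it contains a triangle, C5
#   does not, so they are non-isomorphic); C5_RELABELLED: the 5-cycle 0-2-4-1-3-0.
C5 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
BULL = graph([(0, 1), (1, 2), (2, 0), (0, 3), (1, 4)])
C5_RELABELLED = graph([(0, 2), (2, 4), (4, 1), (1, 3), (3, 0)])

def permute(perm, g):
    """Relabel every vertex v of g as perm[v]; this is the graph p(G) of the slide."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def isomorphic(g, h):
    """Brute force over all N! relabellings: fine for the unbounded prover, not for the verifier."""
    return any(permute(p, g) == h for p in itertools.permutations(range(N)))

def verifier_challenge(g0, g1, rng):
    """Verifier's move: secret random bit b, random permutation p, send G = p(G_b)."""
    b = rng.randrange(2)
    p = list(range(N))
    rng.shuffle(p)
    return b, permute(p, (g0, g1)[b])

def prover_answer(g0, g1, challenge):
    """Prover's move: report which of G0, G1 the challenge is a relabelling of.
    If it fits both (G0 and G1 isomorphic) the prover answers 0; no strategy beats 1/2 then."""
    return 0 if isomorphic(challenge, g0) else 1

def run_protocol(g0, g1, rounds, seed=0):
    """Run `rounds` independent challenges and return how many the prover answered correctly."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(rounds):
        b, challenge = verifier_challenge(g0, g1, rng)
        correct += prover_answer(g0, g1, challenge) == b
    return correct

def verdict(g0, g1, rounds, seed=0):
    """The verifier's decision after `rounds` repetitions: one wrong answer is decisive,
    since an honest prover on non-isomorphic graphs never errs."""
    if run_protocol(g0, g1, rounds, seed) == rounds:
        return "probably not isomorphic"
    return "not convinced"

if __name__ == "__main__":
    print("C5 vs BULL:", verdict(C5, BULL, 20))
    print("C5 vs C5_RELABELLED: prover right in", run_protocol(C5, C5_RELABELLED, 40), "of 40 rounds")
```

On the isomorphic pair the prover's answer is independent of b, so it is right in about half the rounds and the verifier is not convinced; on the non-isomorphic pair it is right every time.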
Decision problems
Recall SUBSET-SUM: Given eqn =
13174331003415 x1 + 17285145771356 x2 + 19133308147607 x3 + 20768399988658 x4 + 22857403444525 x5 + 27320889680330 x6 + 32609413435035 x7 + 33346249486015 x8 + 36451703583100 x9 + 44137263807532 x10 + 44383378110073 x11 + 46011207828303 x12 = 40168796369884
find a solution x in {0, 1}^12 (if it exists)
Decision version L: L_YES are those eqn that have a solution, L_NO are those eqn without a solution
Given an instance x, decide if x is in L_YES or in L_NO
The class NP
[diagram: input z; the unbounded Prover sends a proof p to the efficient Verifier, who outputs YES/NO]
Completeness: If z ∈ L_YES, then V^P(z) = YES
Soundness: If z ∈ L_NO, then V^{P*}(z) = NO for every P*
An(other) NP-complete problem: SAT
Input: A set C ⊆ {0, 1}^n specified by a circuit
L_YES: C is not empty
L_NO: C is empty
Example circuit C(x1, x2, x3): y := x1 and x2 and x3; z := y or (not x1); output z and (not y)
Prover: Send x ∈ C (if C ∈ L_YES)
Verifier: Accept if C(x) evaluates to 1.
Interactive proofs
Given a (promise) decision problem L
[diagram: input z; the efficient randomized Verifier and the unbounded Prover exchange messages q_1, a_2, …, q_{R-1}, a_R; the Verifier outputs YES/NO]
Completeness: If z ∈ L_YES, Pr[V^P(z) = YES] ≥ 3/4
Soundness: If z ∈ L_NO, Pr[V^{P*}(z) = YES] < 1/4 for every P*
Normal form for interactive proofs
The class AM consists of those decision problems that have constant-round interactive proofs. Such proofs have a normal form:
[diagram: the Verifier sends public randomness r; the Prover answers a(z, r); the Verifier decides from z, r and a]
There is a compiler for converting protocols into this form; we'll do an example instead.
An “AM-complete” problem
Input: A set C ⊆ {0, 1}^n (specified by a circuit) and a size estimate 0 < S < 2^n
L_YES: |C| ≥ S
L_NO: |C| < S/8
Interactive proof:
Verifier: Send a random 2-universal hash function h: {0, 1}^n → {0, 1}^r where 2S ≤ 2^r < 4S
Prover: Send x (and a proof that x ∈ C)
Verifier: Accept if x ∈ C and h(x) = 0.
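The set size lower bound protocol above, instantiated as an added example (not code from the lecture). The "circuit" is a constructed membership predicate on n = 10 bits (at least k one-bits), the 2-universal family is assumed to be the affine GF(2) family h(x) = Ax + b, and S = 176 is constructed so that weight ≥ 7 is a YES instance (|C| = 176 ≥ S) and weight ≥ 9 is a NO instance (|C| = 11 < S/8 = 22). By pairwise independence the verifier accepts a YES instance with probability at least |C|/2^r − C(|C|,2)/2^{2r} ≈ 0.285 here, and a NO instance with probability at most |C|/2^r ≈ 0.021; the example measures both.

```python
import random

def members(circuit, n):
    """C = {x in {0,1}^n : circuit(x) = 1}, with x as an n-bit integer. Only the unbounded prover
    enumerates this; the efficient verifier only ever evaluates circuit() on single points."""
    return [x for x in range(1 << n) if circuit(x)]

def weight_at_least(k):
    """Constructed stand-in for a circuit: accepts x iff x has at least k one-bits."""
    return lambda x: bin(x).count("1") >= k

def choose_r(S):
    """Smallest r with 2S <= 2^r; then 2^r < 4S holds automatically."""
    r = 0
    while (1 << r) < 2 * S:
        r += 1
    return r

def random_hash(n, r, rng):
    """A random member of the affine family h(x) = Ax + b over GF(2), which is 2-universal
    (assumed here as the verifier's hash family; the slide leaves the family unspecified)."""
    rows = [rng.getrandbits(n) for _ in range(r)]   # rows of the r x n matrix A, as bit masks
    b = rng.getrandbits(r)
    return rows, b

def eval_hash(h, x):
    """Output bit i is <A_i, x> mod 2, i.e. the parity of the masked bits, then xor with b."""
    rows, b = h
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i
    return out ^ b

def prover(C, h):
    """Unbounded prover: look for any x in C with h(x) = 0 (the slide's 'send x')."""
    for x in C:
        if eval_hash(h, x) == 0:
            return x
    return None

def verifier_accepts(circuit, h, x):
    """Efficient verifier: the 'proof that x in C' is x itself, checked by evaluating the circuit."""
    return x is not None and bool(circuit(x)) and eval_hash(h, x) == 0

def acceptance_rate(circuit, n, S, trials, seed=0):
    """Fraction of independent runs in which the verifier accepts."""
    rng = random.Random(seed)
    C = members(circuit, n)   # the prover's precomputation, hoisted out of the loop
    r = choose_r(S)
    accepted = 0
    for _ in range(trials):
        h = random_hash(n, r, rng)
        accepted += verifier_accepts(circuit, h, prover(C, h))
    return accepted / trials

if __name__ == "__main__":
    n, S = 10, 176             # constructed parameters; |{x : weight >= 7}| = 120+45+10+1 = 176
    yes = weight_at_least(7)   # |C| = 176 >= S          -> YES instance
    no = weight_at_least(9)    # |C| = 11  <  S/8 = 22   -> NO instance
    print("r =", choose_r(S), "so 2^r =", 1 << choose_r(S))
    print("YES instance accepted in", acceptance_rate(yes, n, S, 300), "of runs")
    print("NO instance accepted in", acceptance_rate(no, n, S, 300), "of runs")
```

The gap between the two acceptance rates is a constant, so parallel repetition brings completeness and soundness to the 3/4 and 1/4 of the definition; the hash h is the public randomness r of the AM normal form.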
The set size lower bound protocol
Input: A set C ⊆ {0, 1}^n, a size estimate 0 < S < 2^n, and an error parameter e > 0
L_YES: |C| ≥ S
L_NO: |C| < (1 – e)S
Running time of the verifier is linear in |C|/e (here |C| is the size of the circuit describing C)
Proof: Run the original protocol on (C^k, S^k), k = 3/e. A NO instance has |C^k| = |C|^k < (1 – e)^k S^k ≤ e^{-3} S^k < S^k/8, so the original 1/8 gap is restored.
Graph non-isomorphism via set size
Given G0, G1 we want a proof of non-isomorphism. For simplicity we'll assume G0, G1 have no automorphisms.
C = {p(G_b): p is a permutation, b is a bit}
If G0, G1 are isomorphic: |C| = n!
If G0, G1 are not isomorphic: |C| = 2·n!
Reduction to set size lower bound: run the protocol on C with S = 2·n! and any constant e < 1/2 (the isomorphic case gives |C| = n! < (1 – e)S)
AM ≈ NP
[diagram: the Verifier sends public randomness r; the Prover answers a(z, r)]
If we replace r by the output of a suitable pseudo-random generator, the proof can be derandomized. Under a plausible assumption in complexity theory, AM = NP.
BACK TO CRYPTOGRAPHY
Hardness of regular one-way functions
Say f: {0, 1}^n → {0, 1}^{n–k} is 2^k-to-1. Suppose we have a reduction R^I that, given oracle access to an inverter I for f, solves L.
Verifier will emulate the reduction
Prover will emulate a random inverter I: given a query b, return each a such that f(a) = b with probability 2^{-k}, independently of previous queries and answers
Hardness of regular one-way functions
[diagram: the Verifier sends queries b_1, …, b_t; the Prover answers a_1 = I(b_1), …, a_t = I(b_t)]
x ∈ L: Pr_{r, I}[R^I(x; r) accepts] ≥ 2/3
x ∉ L: Pr_{r, I}[R^I(x; r) accepts] < 1/3
Each query has exactly 2^k preimages, so over the verifier's randomness r there are 2^{|r| + kt} valid transcripts (r, a_1, …, a_t), each equally likely; the conditions become statements about set sizes:
x ∈ L: |{(r, a_1, …, a_t) valid and accepting}| ≥ (2/3)·2^{|r| + kt}
x ∉ L: |{(r, a_1, …, a_t) valid and accepting}| < (1/3)·2^{|r| + kt}
Hardness of regular one-way functions
[diagram: the Verifier sends queries y_1, …, y_t; the Prover answers x_1 = I(y_1), …, x_t = I(y_t); the input is x ∈ L or x ∉ L]
The same counting for the complementary direction (rejecting transcripts):
x ∉ L: Pr_{r, I}[R^I(x; r) rejects] ≥ 2/3
x ∈ L: Pr_{r, I}[R^I(x; r) rejects] < 1/3
x ∉ L: |{(r, x_1, …, x_t) valid and rejecting}| ≥ (2/3)·2^{|r| + kt}
x ∈ L: |{(r, x_1, …, x_t) valid and rejecting}| < (1/3)·2^{|r| + kt}
What we did so far
We sketched why security of “structured” one-way functions cannot be provably NP-hard
(More complicated for arbitrary functions)
It may be that there exist such NP-hard to break functions; if true this is not provable
Next we show examples where breaking the crypto is (provably) not NP-hard
Indistinguishability obfuscation
[diagram: the obfuscator O maps a circuit C to an obfuscated circuit Ц]
Functionality: Ц ≡ C (Ц(x) = C(x) for all x)
Security: If C ≡ C' then the random variables Ц and Ц' are indistinguishable
Kinds of indistinguishability
Perfect: X and X' look identical to every (boolean) test
Statistical: no test can distinguish with advantage > 1%
Computational: no efficient test can distinguish with advantage > 1%
Indistinguishability obfuscation
No statistically secure indistinguishability obfuscation exists*
* Unless NP is in coAM
STATISTICAL ZERO-KNOWLEDGE
Graph isomorphism
[figure: two graphs, G0 is isomorphic to G1]
Claim:
Proof:
Verifier learns the isomorphism!
A zero-knowledge proof
Input: Two graphs G0, G1 (assume isomorphic)
Prover: Choose a random H isomorphic to G0 and G1; send H
Verifier: Answer with a random bit b
Prover: Reveal an isomorphism between H and G_b
Verifier: If the revealed map shows H ≡ G_b, say "G0, G1 probably isomorphic"; otherwise say "G0, G1 not isomorphic"
Zero-knowledge proofs
If G0, G1 are isomorphic, the verifier does not learn the isomorphism (or anything else). So graph isomorphism has zero-knowledge proofs. The proof for non-isomorphism is also zero-knowledge!
Every problem that has zero-knowledge proofs also has zero-knowledge refutations
… or, in complexity terms, SZK ⊆ AM ∩ coAM
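The zero-knowledge proof for graph isomorphism above, as an added example (not code from the lecture). It runs the three-message protocol with an honest prover, shows that a prover without an isomorphism is caught with probability 1/2 per round, and makes the zero-knowledge claim concrete with a simulator that produces transcripts without the isomorphism: it picks the challenge b first and sets H = π(G_b). The sample graphs and the secret isomorphism ISO are constructed for this example.

```python
import itertools
import random
from collections import Counter
from fractions import Fraction

N = 5

def graph(edge_list):
    return frozenset(frozenset(e) for e in edge_list)

def permute(perm, g):
    """Relabel vertex v of g as perm[v]."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

# Constructed inputs (not from the lecture): G1 is G0 relabelled by ISO, the prover's secret.
# BULL (a triangle with two pendant vertices) is not isomorphic to the 5-cycle G0.
G0 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
ISO = (0, 2, 4, 1, 3)
G1 = permute(ISO, G0)
BULL = graph([(0, 1), (1, 2), (2, 0), (0, 3), (1, 4)])

def invert(perm):
    inv = [0] * N
    for v, w in enumerate(perm):
        inv[w] = v
    return tuple(inv)

def compose(p, q):
    """(p o q)[v] = p[q[v]]: apply q first, then p."""
    return tuple(p[q[v]] for v in range(N))

def random_perm(rng):
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

def prover_commit(g0, rng):
    """Message 1: a random relabelling H = sigma(G0); sigma stays secret."""
    sigma = random_perm(rng)
    return permute(sigma, g0), sigma

def prover_open(sigma, iso, b):
    """Message 3: an isomorphism from G_b to H. For b = 1 it is sigma o iso^-1 (G1 -> G0 -> H),
    so the answer never exposes iso on its own."""
    return sigma if b == 0 else compose(sigma, invert(iso))

def verifier_check(g0, g1, H, b, pi):
    return permute(pi, (g0, g1)[b]) == H

def honest_accept_rate(g0, g1, iso, rounds, seed=0):
    rng = random.Random(seed)
    ok = 0
    for _ in range(rounds):
        H, sigma = prover_commit(g0, rng)
        b = rng.randrange(2)                      # message 2: the verifier's challenge
        ok += verifier_check(g0, g1, H, b, prover_open(sigma, iso, b))
    return ok / rounds

def cheating_accept_rate(g0, g1, rounds, seed=0):
    """A prover with no isomorphism (here there is none): it commits to sigma(G0) and can only
    open for b = 0, so each round catches it with probability 1/2."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(rounds):
        H, sigma = prover_commit(g0, rng)
        b = rng.randrange(2)
        ok += verifier_check(g0, g1, H, b, sigma)
    return ok / rounds

def simulate(g0, g1, rng):
    """Simulator: choose b first, then H = pi(G_b). No isomorphism is needed, yet the
    transcript (H, b, pi) verifies and is distributed exactly like an honest one."""
    b = rng.randrange(2)
    pi = random_perm(rng)
    return permute(pi, (g0, g1)[b]), b, pi

def simulated_transcripts_verify(g0, g1, count, seed=0):
    rng = random.Random(seed)
    return all(verifier_check(g0, g1, *simulate(g0, g1, rng)) for _ in range(count))

def _normalize(counter):
    total = sum(counter.values())
    return {k: Fraction(v, total) for k, v in counter.items()}

def honest_H_distribution(g0):
    """Exact distribution of the honest prover's first message over all N! choices of sigma."""
    return _normalize(Counter(permute(s, g0) for s in itertools.permutations(range(N))))

def simulated_H_distribution(g0, g1):
    """Exact distribution of the simulator's H over all (b, pi)."""
    return _normalize(Counter(permute(p, g) for g in (g0, g1) for p in itertools.permutations(range(N))))
```

With 5 vertices the two H distributions can be compared exactly: both are uniform over the 12 labelled 5-cycles, which is the perfect zero-knowledge property for this protocol (the verifier here is honest; a cheating verifier's b may depend on H, and the standard simulator handles that by rewinding).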
Statistical distance (SD)
Input: Two random variables X, Y over {0, 1}^n (specified by samplers)
L_YES: X and Y are 99% statistically distinguishable
L_NO: X and Y are 1% statistically indistinguishable
SD has statistical zero-knowledge proofs (and is in fact SZK-complete)
BACK TO CRYPTO
Indistinguishability obfuscation
No statistically secure iO exists unless NP has short interactive refutations
Proof: Assume it did. Let C be any set (circuit) … and Z be the empty set (zero circuit). If C is empty, then C ≡ Z … so Ц and З are statistically indistinguishable. If C is not empty, then C(x) ≠ Z(x) for some x … so Ц and З are perfectly distinguishable.
Indistinguishability obfuscation
No statistically secure iO exists unless NP has short interactive refutations
We just saw a reduction from SAT to SD (assuming statistically secure iO)
Since SD has short refutations, so does SAT (and all of NP)
Public-key bit encryption
[diagram: Alice encrypts a bit b under PK and sends Enc_PK(b); Bob, holding SK, computes Dec_SK(Enc_PK(b)) = b]
Message indistinguishability: (PK, Enc_PK(0)) and (PK, Enc_PK(1)) are computationally indistinguishable
El Gamal encryption
g, h in some large cyclic group
PK = (g, h), SK such that g^SK = h
Enc_PK(b) = (g^r, 2^b·h^r) where r is random
Dec_SK(x, y) = the b such that y = 2^b·x^SK
Homomorphism of encryptions
Enc_PK(b) = (g^r, 2^b·h^r)
Enc_PK(b)·Enc_PK(b') and Enc_PK(b + b') are identically distributed: strongly homomorphic
Dec_SK(Enc_PK(b)·Enc_PK(b')) = b + b': weakly homomorphic
Breaking homomorphic encryption
Homomorphic encryption for XOR is not NP-hard to break*
… because it can be broken in statistical zero-knowledge (nothing special about XOR; true for "most" f)
* Unless NP is in coAM
Rerandomization
The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key
El Gamal example: PK = (g, h) with g^SK = h, C = (g^r, 2^b·h^r)
Rer_PK(C) = C · (g^{r'}, h^{r'}) is i.i.d. with C
Rerandomization from evaluation
[diagram: a strong homomorphic evaluator H for XOR is applied to Enc(b) together with fresh encryptions Enc(0) and Enc(1); its output, an encryption of b, is Rer(Enc(b))]
Rerandomization from evaluation
[diagram: H applied to Enc(0) together with fresh encryptions Enc(0), Enc(0)]
To H, the input Enc(0) is indistinguishable from a fresh Enc(0), so the output of H must forget most of Enc(0)
Rerandomization from evaluation
Lemma: If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √(c/k)-close to a pair of independent encryptions of b.
We prove a weaker version for weak homomorphic evaluators and any sensitive f.
Distinguishing rerandomizations
Rerandomizable encryption can be broken in statistical zero-knowledge:
Compare Rer(Enc(b)) vs. Enc(0)
If b = 0, they are statistically close
If b = 1, they must be statistically far, so they can be distinguished in SZK
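An added example (not code from the lecture) covering the El Gamal, homomorphism, rerandomization and distinguishing slides together: El Gamal with the slide's 2^b encoding over a constructed toy group (Z_23^*, generated by 5, order 22; far too small to be secure, chosen so that every distribution can be enumerated exactly). It checks the strong homomorphism by comparing the exact distributions of Enc(b)·Enc(b') and Enc(b + b'), builds Rer by multiplying with a fresh Enc(0), and carries out the attack of the last slide: the statistical distance between Rer(C) and Enc(0) is 0 when C encrypts 0 and 1 when it encrypts 1. The SZK verifier cannot compute this distance itself; it obtains an SZK proof of the SD claim, which the toy group lets us replace by exact enumeration.

```python
import random
from collections import Counter
from fractions import Fraction

# Constructed toy parameters (not secure): the group is Z_23^*, generated by 5, of order 22.
P = 23
G = 5
Q = P - 1

def keygen(seed=0):
    sk = random.Random(seed).randrange(1, Q)
    return sk, (G, pow(G, sk, P))          # PK = (g, h) with g^SK = h

def encode(b):
    return pow(2, b, P)                    # the slide's 2^b encoding of the plaintext

def encrypt(pk, b, r):
    """Enc_PK(b) = (g^r, 2^b h^r); the randomness r is a parameter so distributions can be enumerated."""
    g, h = pk
    return (pow(g, r, P), encode(b) * pow(h, r, P) % P)

def decrypt(sk, ct, max_b=2):
    """Return the b with y = 2^b * x^SK; b up to 2 so that homomorphic sums of two bits decrypt too."""
    x, y = ct
    m = y * pow(pow(x, sk, P), P - 2, P) % P   # y / x^SK, inverse by Fermat
    for b in range(max_b + 1):
        if encode(b) == m:
            return b
    raise ValueError("not an encryption of 0, 1 or 2")

def mul(c1, c2):
    """Componentwise product: (g^(r+r'), 2^(b+b') h^(r+r')), an encryption of b + b'."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(pk, ct, r2):
    """Rer_PK(C) = C * (g^r', h^r'): multiply by a fresh encryption of 0, no secret key needed."""
    return mul(ct, encrypt(pk, 0, r2))

def dist_enc(pk, b):
    """Exact distribution of Enc_PK(b), enumerating every r in Z_Q."""
    return Counter(encrypt(pk, b, r) for r in range(Q))

def dist_product(pk, b1, b2):
    return Counter(mul(encrypt(pk, b1, r1), encrypt(pk, b2, r2)) for r1 in range(Q) for r2 in range(Q))

def dist_rerandomized(pk, ct):
    return Counter(rerandomize(pk, ct, r2) for r2 in range(Q))

def statistical_distance(d1, d2):
    """SD = (1/2) sum_k |Pr_1[k] - Pr_2[k]| over the supports, as an exact fraction."""
    n1, n2 = sum(d1.values()), sum(d2.values())
    return sum(abs(Fraction(d1[k], n1) - Fraction(d2[k], n2)) for k in set(d1) | set(d2)) / 2

def break_via_sd(pk, ct):
    """The attack of the slide: compare Rer(ct) with Enc(0). Close means b = 0, far means b = 1."""
    return 0 if statistical_distance(dist_rerandomized(pk, ct), dist_enc(pk, 0)) < Fraction(1, 2) else 1

if __name__ == "__main__":
    sk, pk = keygen(seed=5)
    c = encrypt(pk, 1, r=7)
    print("decrypt:", decrypt(sk, c), " homomorphic 1+1:", decrypt(sk, mul(c, encrypt(pk, 1, 9))))
    print("SD(Enc(1)Enc(1), Enc(2)) =", statistical_distance(dist_product(pk, 1, 1), dist_enc(pk, 2)))
    for b in (0, 1):
        ct = encrypt(pk, b, r=3)
        print("b =", b, " SD(Rer(C), Enc(0)) =", statistical_distance(dist_rerandomized(pk, ct), dist_enc(pk, 0)),
              " broken as", break_via_sd(pk, ct))
```

Two things the enumeration makes visible: Rer(Enc(b)) is exactly the distribution Enc(b) (the added randomness r' is absorbed into r, which is uniform over Z_Q), and the supports of Enc(0) and Enc(1) are disjoint (for the same x the second components differ by the factor 2), which is why the distance jumps from 0 to 1. No real group allows the exact enumeration; that is precisely the step the SZK proof for SD supplies.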
Conclusion (and more)
Complexity helps us understand certain (theoretical) limitations of cryptography
Structured one-way functions aren't provably NP-hard:
One-way permutations [Brassard, Goldreich-Goldwasser]
2-to-1 [Akavia-Goldreich-Goldwasser-Moshkovitz]
K-to-1, size-verifiable [AGGM, B.-Brzuska]
General OWFs under non-adaptive reductions [Feigenbaum-Fortnow, B.-Trevisan, AGGM]
Hash functions, limited adaptivity [Haitner-Mahmoody-Xiao]
Conclusion (and more)
Crypto that can be broken in SZK:
Homomorphic encryption [B.-Lee]
Private information retrieval [Vaikuntanathan-Liu]
There is no statistically secure iO [Goldwasser-Rothblum]