CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016

K-to-one functions

Say f is K-to-1 if for every y, |f^{-1}(y)| = K

Complexity of proof system grows linearly in K

When, say, K = 2^{n/2} this is exponential in n

Can we do better?

INTERACTIVE PROOFS

Graph isomorphism

is isomorphic to

Claim:

Proof:

Graph non-isomorphism

Claim: G0 is not isomorphic to G1

Interactive proof:

Verifier: Choose random bit b, permutation p. Send graph G = p(Gb)

Prover: Answer with b’

Verifier: If b’ = b, declare “probably not isomorphic”

Graph non-isomorphism

Analysis:

If G0, G1 not isomorphic, then prover knows for sure that G came from Gb, so he can answer b

If G0, G1 isomorphic, then G is equally likely to have come from G0 / G1, so he can guess b with prob 1/2

Is there a classical proof system for graph non-isomorphism?
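
The protocol and its analysis can be run end to end on small graphs. The following is an added example, not part of the original slides: the unbounded prover is modelled by brute force over all n! relabelings, and the graphs, function names and round counts are constructed for illustration.

```python
import itertools
import random

def graph(edges):
    return frozenset(frozenset(e) for e in edges)

def permute(g, p):
    """Relabel vertex v as p[v]; a graph is a frozenset of 2-element frozensets."""
    return frozenset(frozenset((p[u], p[v])) for u, v in map(tuple, g))

def isomorphic(g, h, n):
    """The unbounded prover's computation: try all n! relabelings."""
    return any(permute(g, p) == h for p in itertools.permutations(range(n)))

def run_round(g0, g1, n, rng):
    """One round; True when the prover's answer b' equals the verifier's b."""
    b = rng.randrange(2)                  # verifier's private coin
    p = list(range(n))
    rng.shuffle(p)                        # verifier's private permutation
    challenge = permute((g0, g1)[b], p)   # G = p(Gb) is all the prover sees
    b_prime = 0 if isomorphic(g0, challenge, n) else 1
    return b_prime == b

def success_rate(g0, g1, n, rounds, seed):
    rng = random.Random(seed)
    return sum(run_round(g0, g1, n, rng) for _ in range(rounds)) / rounds

# Constructed sample graphs on 5 vertices.
PATH = graph([(0, 1), (1, 2), (2, 3), (3, 4)])
STAR = graph([(0, 1), (0, 2), (0, 3), (0, 4)])
PATH_RELABELED = graph([(2, 0), (0, 4), (4, 1), (1, 3)])

if __name__ == "__main__":
    # Non-isomorphic pair: the prover is always right.
    print("path vs star:          ", success_rate(PATH, STAR, 5, 200, seed=1))
    # Isomorphic pair: G carries no information about b, so about half.
    print("path vs relabeled path:", success_rate(PATH, PATH_RELABELED, 5, 200, seed=1))
```

Repeating the round k times independently drives the chance that a prover passes on an isomorphic pair down to 2^{-k}.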

Decision problems

Recall SUBSET-SUM:

Given eqn =

13174331003415 x1 + 17285145771356 x2 + 19133308147607 x3 + 20768399988658 x4 + 22857403444525 x5 + 27320889680330 x6 + 32609413435035 x7 + 33346249486015 x8 + 36451703583100 x9 + 44137263807532 x10 + 44383378110073 x11 + 46011207828303 x12 = 40168796369884

, find a solution x in {0, 1}^12 (if it exists)

Decision version L:

L_YES are those eqn that have a solution

L_NO are those eqn without a solution

Given x, decide if x is in L_YES or in L_NO

The class NP

[Figure: Verifier (efficient) and Prover (unbounded) on input z; the prover sends a proof p; the verifier outputs YES/NO]

Completeness: If z ∈ L_YES, then V^P(z) = YES

Soundness: If z ∈ L_NO, then V^{P*}(z) = NO for every P*

An(other) NP-complete problem: SAT

Input: A set C ⊆ {0, 1}^n specified by a circuit

C(x1, x2, x3):
    y := x1 and x2 and x3
    z := y or (not x1)
    output z and (not y)

L_YES: C is not empty

L_NO: C is empty

Prover: Send x ∈ C (if x in L_YES)

Verifier: Accept if C(x) evaluates to 1.

Interactive proofs

Given a (promise) decision problem L

[Figure: Verifier (randomized, efficient) and Prover (unbounded) on input z exchange messages q1, a2, . . ., qR-1, aR; the verifier outputs YES/NO]

Completeness: If z ∈ L_YES, Pr[V^P(z) = YES] ≥ 3/4

Soundness: If z ∈ L_NO, Pr[V^{P*}(z) = YES] < 1/4 for every P*

Normal form for interactive proofs

The class AM consists of those decision problems that have constant round interactive proofs

Such proofs have a normal form

[Figure: Verifier sends public randomness r; Prover answers a(z, r)]

There is a compiler for converting protocols into this form; we’ll do an example instead.

An “AM-complete” problem

Input:

A set C ⊆ {0, 1}^n (specified by a circuit)

A size estimate 0 < S < 2^n

L_YES: |C| ≥ S

L_NO: |C| < S/8

Interactive proof:

Verifier: Send a random 2-universal hash function h: {0, 1}^n → {0, 1}^r where 2S ≤ 2^r < 4S

Prover: Send x (and a proof that x ∈ C)

Verifier: Accept if x ∈ C and h(x) = 0.
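
The gap between the two cases can be measured by simulating the protocol. This is an added example, not from the original slides: it assumes the affine family h(x) = Ax + b over GF(2) as the 2-universal hash, models the circuit C as an explicit Python set, and uses constructed instances with n = 12 and S = 64.

```python
import random

def random_affine_hash(n, r, rng):
    """Sample h(x) = Ax + b over GF(2), a 2-universal family {0,1}^n -> {0,1}^r."""
    rows = [rng.getrandbits(n) for _ in range(r)]   # rows of A as n-bit masks
    offset = rng.getrandbits(r)                     # the vector b
    def h(x):
        out = 0
        for i, row in enumerate(rows):
            out |= (bin(row & x).count("1") & 1) << i   # parity of <row, x>
        return out ^ offset
    return h

def hash_output_bits(S):
    """The r with 2S <= 2^r < 4S."""
    r = 1
    while 2 ** r < 2 * S:
        r += 1
    return r

def one_round(C, n, S, rng):
    """Verifier samples h; the unbounded prover searches C for x with h(x) = 0."""
    h = random_affine_hash(n, hash_output_bits(S), rng)
    witness = next((x for x in C if h(x) == 0), None)
    # Verifier's check (the proof that x is in C is modelled as a set lookup).
    return witness is not None and witness in C and h(witness) == 0

def acceptance_rate(C, n, S, rounds, seed):
    rng = random.Random(seed)
    return sum(one_round(C, n, S, rng) for _ in range(rounds)) / rounds

# Constructed instances over {0,1}^12 with size estimate S = 64.
N, S = 12, 64
_rng = random.Random(2016)
C_YES = set(_rng.sample(range(2 ** N), 64))   # |C| >= S
C_NO = set(_rng.sample(range(2 ** N), 7))     # |C| < S/8

if __name__ == "__main__":
    print("YES instance:", acceptance_rate(C_YES, N, S, 1000, seed=1))
    print("NO instance: ", acceptance_rate(C_NO, N, S, 1000, seed=1))
```

For a NO instance the union bound gives acceptance probability below (S/8)/2^r ≤ 1/16; for a YES instance pairwise independence gives at least 7/32, so the two cases are separated by a constant gap that repetition can amplify.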

The set size lower bound protocol

Input:

A set C ⊆ {0, 1}^n

A size estimate 0 < S < 2^n

An error parameter e > 0

L_YES: |C| ≥ S

L_NO: |C| < (1 - e)S

Running time of verifier is linear in |C|/e

Proof:

Run original protocol on (C^k, S^k), k = 3/e

Graph non-isomorphism via set size

Given G0, G1 we want a proof of non-isomorphism

For simplicity we’ll assume G0, G1 have no automorphisms

Reduction to set size lower bound:

C = {p(Gb): p is a permutation, b is a bit}

G0, G1 are isomorphic: |C| = n!

G0, G1 are not isomorphic: |C| = 2∙n!

AM ≈ NP

[Figure: Verifier sends public randomness r; Prover answers a(z, r)]

If we replace r by the output of a suitable pseudo-random generator, proof can be derandomized

Under a plausible assumption in complexity theory, AM = NP.

BACK TO CRYPTOGRAPHY

Hardness of regular one-way functions

Say f: {0, 1}^n → {0, 1}^{n - k} is 2^k-to-1

Suppose we have a reduction R^? that, given an inverter I for f, solves L

Verifier will emulate reduction

Prover will emulate random inverter I

Given a query b, return each a s.t. f(a) = b with probability 2^{-k} independently of previous queries and answers

Hardness of regular one-way functions

[Figure: Verifier sends b1, Prover answers a1 = I(b1), . . ., Verifier sends bt, Prover answers at = I(bt)]

x ∈ L: Pr_{r, I}[R^I(x; r) accepts] ≥ 2/3

|{(r, a1, …, at) valid and accepting}| ≥ (2/3) 2^{|r| + kt}

x ∉ L: Pr_{r, I}[R^I(x; r) accepts] < 1/3

|{(r, a1, …, at) valid and accepting}| < (1/3) 2^{|r| + kt}

Hardness of regular one-way functions

[Figure: Verifier sends y1, Prover answers x1 = I(y1), . . ., Verifier sends yt, Prover answers xt = I(yt); verifier outputs x ∈/∉ L]

x ∈ L: Pr_{r, I}[R^I(x; r) rejects] ≥ 2/3

|{(r, x1, …, xt) valid and rejecting}| ≥ (2/3) 2^{|r| + kt}

x ∉ L: Pr_{r, I}[R^I(x; r) rejects] < 1/3

|{(r, x1, …, xt) valid and rejecting}| < (1/3) 2^{|r| + kt}

What we did so far

We sketched why security of “structured” one-way functions cannot be provably NP-hard

(More complicated for arbitrary functions)

It may be that there exist such NP-hard to break functions; if true this is not provable

Next we show examples where breaking the crypto is (provably) not NP-hard

Indistinguishability obfuscation

[Figure: obfuscator O takes circuit C and outputs Ц]

Functionality:

Ц ≡ C (Ц(x) = C(x) for all x)

Security:

If C ≡ C’ then random vars Ц and Ц’ are indistinguishable

Kinds of indistinguishability

Perfect: X and X’ look identical to every (boolean) test

Statistical: no test can distinguish with advantage > 1%

Computational: no efficient test can distinguish with advantage > 1%

Indistinguishability obfuscation

No statistically secure indistinguishability obfuscation exists*

* Unless NP is in coAM

[Figure: obfuscator O takes circuit C and outputs Ц]

STATISTICAL ZERO-KNOWLEDGE

Graph isomorphism

is isomorphic to

Claim:

Proof:

Verifier learns the isomorphism!

A zero-knowledge proof

Input: Two graphs G0, G1 (Assume isomorphic)

Prover: Choose random H isomorphic to G0 and G1. Send H

Verifier: Answer with b

Prover: Reveal isomorphism between H and Gb

Verifier: If H ≡ Gb, say “G0, G1 probably isomorphic”. Otherwise say “G0, G1 not isomorphic”

Zero-knowledge proofs

If G0, G1 are isomorphic, verifier does not learn the isomorphism (or anything else)

So graph isomorphism has zero-knowledge proofs

The proof for non-isomorphism is also zero-knowledge!

Every problem that has zero-knowledge proofs also has zero-knowledge refutations

… or SZK ⊆ AM ∩ coAM
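
The claim that the verifier learns nothing in the graph isomorphism proof can be checked exactly on a small instance by comparing real transcripts with those of a simulator that never sees the isomorphism. This is an added example, not from the original slides; the graphs, the permutation PI and the verifier strategy edge_challenge are constructed, and the simulator shown is the standard guess-and-retry one.

```python
import itertools
from collections import Counter

def permute(g, p):
    """Relabel vertex v as p[v]; a graph is a frozenset of 2-element frozensets."""
    return frozenset(frozenset((p[u], p[v])) for u, v in map(tuple, g))

def compose(p, q):
    """The permutation v -> p[q[v]]."""
    return tuple(p[q[v]] for v in range(len(q)))

def inverse(p):
    return tuple(sorted(range(len(p)), key=lambda v: p[v]))

def honest_transcript(g0, pi, challenge, rho):
    """Prover knows pi with pi(G0) = G1 and uses private randomness rho."""
    h = permute(g0, rho)                   # random H isomorphic to G0 and G1
    b = challenge(h)                       # verifier's bit, may depend on H
    sigma = rho if b == 0 else compose(rho, inverse(pi))   # maps Gb to H
    return h, b, sigma

def simulator_attempt(g0, g1, challenge, guess, sigma):
    """No pi: commit to H = sigma(G_guess), keep the run only if b == guess."""
    h = permute((g0, g1)[guess], sigma)
    return (h, guess, sigma) if challenge(h) == guess else None

def verifier_accepts(g0, g1, transcript):
    h, b, sigma = transcript
    return permute((g0, g1)[b], sigma) == h

def transcript_distributions(g0, g1, pi, challenge, n):
    """Enumerate all randomness of the prover and of the simulator."""
    perms = list(itertools.permutations(range(n)))
    honest = Counter(honest_transcript(g0, pi, challenge, rho) for rho in perms)
    attempts = (simulator_attempt(g0, g1, challenge, g, s)
                for g in (0, 1) for s in perms)
    simulated = Counter(t for t in attempts if t is not None)
    return honest, simulated

# Constructed instance: a 4-vertex path and its image under PI.
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
PI = (2, 0, 3, 1)
G1 = permute(G0, PI)

def edge_challenge(h):
    """Constructed verifier strategy: b = 1 exactly when {0, 1} is an edge of H."""
    return 1 if frozenset((0, 1)) in h else 0
```

Both counters come out identical: every accepting transcript the verifier sees with the real prover is produced equally often by the simulator, which succeeds on half of its attempts.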

Statistical distance (SD)

Input:

Two random variables X, Y over {0, 1}^n (specified by samplers)

L_YES: X and Y are 99% statistically distinguishable

L_NO: X and Y are 1% statistically indistinguishable

SD has statistical zero-knowledge proofs (and is in fact SZK-complete)

BACK TO CRYPTO

Indistinguishability obfuscation

No statistically secure iO exists unless NP has short interactive refutations

Proof:

Assume it did

Let C be any set (circuit) …and Z be the empty set (zero circuit)

If C is empty, then C ≡ Z …so Ц and З are statistically indistinguishable

If C is not empty, then C(x) ≠ Z(x) for some x …so Ц and З are perfectly distinguishable

Indistinguishability obfuscation

No statistically secure iO exists unless NP has short interactive refutations

We just saw a reduction from SAT to SD (assuming statistically secure iO)

Since SD has short refutations, so does SAT (and all of NP)

Public-key bit encryption

[Figure: Alice, Bob, keys SK and PK, bit b, ciphertext Enc_PK(b), decryption Dec_SK( ) giving b]

Message indistinguishability: (PK, Enc_PK(0)) and (PK, Enc_PK(1)) are computationally indistinguishable

El Gamal encryption

g, h in some large cyclic group

PK = (g, h) such that g^SK = h

Enc_PK(b) = (g^r, 2^b h^r) where r random

Dec_SK(x, y) = b such that x^SK = 2^b y

Homomorphism of encryptions

Enc_PK(b) = (g^r, 2^b h^r)

Strongly homomorphic: Enc_PK(b) ∙ Enc_PK(b’) and Enc_PK(b + b’) are identically distributed

Weakly homomorphic: Dec_SK(Enc_PK(b) ∙ Enc_PK(b’)) = b + b’

Breaking homomorphic encryption

Homomorphic encryption for XOR is not NP-hard to break*

… because it can be broken in statistical zero-knowledge (nothing special about XOR, true for “most” f)

* Unless NP is in coAM

Rerandomization

The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key

El Gamal example:

PK = (g, h) such that g^SK = h

C = (g^r, 2^b h^r)

Rer_PK(C) = C ∙ (g^r’, h^r’) is i.i.d. with C
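
The El Gamal bit encryption, its homomorphism and its rerandomization can be checked exhaustively in a group small enough to enumerate. This is an added example, not from the original slides: the group parameters P = 2039, Q = 1019, G = 4 are constructed toy values with no security, the function names are illustrative, and decryption recovers the exponent m from y / x^SK = 2^m, which is what Enc implies.

```python
import random

# Constructed toy group: P = 2Q + 1 with P, Q prime; G = 4 has order Q mod P.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, (G, pow(G, sk, P))                 # PK = (g, h) with g^SK = h

def enc(pk, b, r):
    g, h = pk
    return pow(g, r, P), pow(2, b, P) * pow(h, r, P) % P    # (g^r, 2^b h^r)

def dec(sk, c, max_m=8):
    x, y = c
    masked = y * pow(x, Q - sk, P) % P            # y / x^SK, since x has order Q
    return next(m for m in range(max_m) if pow(2, m, P) == masked)

def mul(c1, c2):
    """Componentwise product of two ciphertexts."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def rer(pk, c, r2):
    g, h = pk
    return mul(c, (pow(g, r2, P), pow(h, r2, P)))  # C * (g^r', h^r')

def support(pk, b):
    """Every value Enc_PK(b) can take, one per choice of r."""
    return {enc(pk, b, r) for r in range(Q)}

def rerandomized_support(pk, c):
    """Every value Rer_PK(C) can take, one per choice of r'."""
    return {rer(pk, c, r2) for r2 in range(Q)}

if __name__ == "__main__":
    sk, pk = keygen(random.Random(7))
    c = enc(pk, 1, 123)
    print("Dec(Enc(1) * Enc(1)) =", dec(sk, mul(c, enc(pk, 1, 5))))
    print("Rer(C) ranges over all of Enc(1):",
          rerandomized_support(pk, c) == support(pk, 1))
    print("and never lands in Enc(0):",
          support(pk, 0).isdisjoint(rerandomized_support(pk, c)))
```

Because r' is uniform, Rer_PK(C) is uniform over exactly the ciphertexts of the same bit, and the ciphertext sets for b = 0 and b = 1 are disjoint; telling them apart without SK is the statistical-distance question the later slides place in SZK.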

Rerandomization from evaluation

strong homomorphic evaluator for XOR

[Figure: homomorphic evaluator H applied to Enc(b), Enc(0) and Enc(1) ciphertexts; the construction is labelled Rer]

Rerandomization from evaluation

[Figure: homomorphic evaluator H applied to several Enc(0) ciphertexts]

To H, Enc(0) indistinguishable from Enc(0), so output of H must forget most of Enc(0)

Rerandomization from evaluation

Lemma

If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.

We prove a weaker version for weak homomorphic evaluators and any sensitive f.

Distinguishing rerandomizations

Rerandomizable encryption can be broken in statistical zero-knowledge:

Rer(Enc(b)) vs. Enc(0)

If b = 0, they are statistically close

If b = 1, they must be statistically far, so they can be distinguished in SZK

Conclusion (and more)

Complexity helps us understand certain (theoretical) limitations of cryptography

Structured one-way functions aren’t provably NP-hard

One-way permutations [Brassard, Goldreich-Goldwasser]

2-to-1 [Akavia-Goldreich-Goldwasser-Moshkovitz]

K-to-1, size-verifiable [AGGM, B.-Brzuska]

General OWFs under non-adaptive reductions [Feigenbaum-Fortnow, B.-Trevisan, AGGM]

Hash functions, limited adaptivity [Haitner-Mahmoody-Xiao]

Conclusion (and more)

Crypto that can be broken in SZK

Homomorphic encryption [B.-Lee]

Private information retrieval [Vaikuntanathan-Liu]

There is no statistically secure iO [Goldwasser-Rothblum]