TRANSCRIPT
On Black-Box Separations in Cryptography
Omer Reingold
Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan
Crypto - The Merry “Old” Days
Cryptographic Protocols, Primitives, and Assumptions (slide word cloud): Identification, Digital Signatures, Encryption, Electronic Voting, Electronic Commerce, One-Way Functions, Pseudo-Random Generators, Trapdoor Permutations, Factoring, RSA, DDH, Oblivious Transfer, Strong RSA, Dense Crypto System, Homomorphic Encryption, UOWHFs, ID Based Encryption, PIRs
Determining The Relationships Among Different Primitives
• Most tasks in complexity-based crypto imply P ≠ NP (or even OWF).
• Simplify our conception of the world.
• Construct protocols with as strong a security guarantee as possible.
• Reductions: Given any implementation of primitive A, construct an implementation of primitive B.
Some Known Reductions (slide diagram; only the nodes survive in the transcript, the arrows do not): OWF, PRG, PRF, MAC, ENC, COM, ZK, ID, UOWHF, SIG, TDP, PKE, OT, KA, CCA-PKE, CLAW-FREE, CF-HASH, NIZK
Are All Crypto Primitives Equivalent?
• If so: either no cryptography or Cryptomania!
• But some tasks seem “significantly harder” than others (e.g. private key vs. public key encryption).
• In what sense can we claim that primitive A does not imply primitive B if we believe that both exist?
After all, a reduction of B to A can ignore A and build B from scratch ...
Black-Box Separations – Where it Began
Impagliazzo-Rudich [89]
While it is not clear how to formalize/show non-implications in general, one can do that wrt black-box reductions.
(Fully) Black-Box Reductions
• Given a black-box implementation of primitive A, construct an implementation of primitive B. (Slide diagram: A → B.)
• Usually, this is still not structured enough to rule out: we also need a black-box proof of security (several flavors). (Slide diagram: Adv. for B → Adv. for A, with access to A.)
• Such fully black-box reductions relativize (hold relative to every oracle).
What's not Black Box?
• No idea … ask Boaz …
• Oh well … the Cook-Levin reduction is used in: OWF ⇒ “ZK proofs for all NP” [GMW91]. Non-BB carries on to applications:
– Semi-honest OT ⇒ malicious OT [GMW87]
– OWF ⇒ ID schemes [FFS88]
• Similarly, the circuit of f is used in secure computation of f [Yao86,GMW87].
– [Beaver96]: Few OTs + OWF ⇒ Many OTs
• Barak’s Non-BB ZK and subsequent results. Use both old and new non-BB techniques.
What do Black-Box Separations Mean?
• This talk will concentrate on the mathematical rather than the philosophical meaning. Still …
• Few non-black-box techniques (and in limited settings). Inherent limitation on efficiency.
• Therefore, black-box separations are an explanation/indication for the hardness of finding reductions (esp. efficient ones).
• BB-reductions are more robust – they work wrt. “physical implementations” of primitives.
What do Black-Box Separations Mean? (cont.)
• Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)
Analogy from complexity:
• A Cook/Karp reduction of problem A to problem B is a black-box proof that B ∈ P ⇒ A ∈ P.
• SAT ∈ P ⇒ QBF2 ∈ P is true but inherently non-BB (QBF2 is “quantified Boolean formula with 2 alternations”).
Examples from cryptography:
• TDP seems to be of different complexity than OWF. [IR89] supports this.
• Collision resistant hashing might have seemed similar in nature to OWFs. [Simon98] challenged this (which is consistent with recent cryptanalytic attacks against popular hash functions).
Guidance for black-box constructions?
• A particular construction cannot be proved in BB? It may be easier to change the construction than to overcome the obstacle.
• Examples:
– Want to reduce Stat-Commit to OWF? Probably not a good approach: Stat-Commit -> OWP -> OWF.
– [Myers 04] shows no BB proof for one particular natural construction (static to adaptive security).
Word of warning:
• Potentially, a non black-box proof may follow a black-box approach most of the way with a “small” non black-box fix.
Black-Box and Oracle Separations
• [IR89]: there exists an oracle relative to which one-way functions exist but key-agreement does not:
No fully black-box reduction of key-agreement to one-way functions.
• Many other BB separations/lower bounds [Rud91,Sim98,KST99,KSS00,GKM+00,GT00,GMR01,CHL02,...]
– Various notions of BB reductions, in particular not always implying an oracle separation (e.g. [GMR01]).
Crypto After IR (Impagliazzo’s Worlds)
• Slide diagram of primitives: Trapdoor Permutation, Public Key Encryption, Key Agreement, Secure Multi-Party Computation (OT), Private Key Encryption, One Way Functions, Digital Sig., Pseudorandom Generators
• Algorithmica, Heuristica, Pessiland
• Not even a hierarchy of problems [GKMVR00]
This Talk
• [IR89]: The separation, its proof and interpretation of results.
• As many separations and proof intuitions. Focus on techniques and subtleties.
Beware: some cheating involved
The Impagliazzo-Rudich Results
• Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model:
  ∀ KA (Alice,Bob) ∃ Eve such that, for a random permutation f, Eve^f breaks (Alice^f,Bob^f).
• Cor 1: There is an oracle relative to which OWP exists and KA does not.
  The oracle: (f, PSPACE), since P^PSPACE = NP^PSPACE.
• Cor 2: There is no fully-BB reduction from KA to OWP.
• Cor 3: …
[IR89] - Why f is OWP
• Intuitively obvious: when trying to invert f on some y = f(x), one has no chance unless one accidentally queries f on x.
• With q queries the chance of that is < 2q/2^n.
• More formally: ∀ M making q queries and n-bit y,
  Pr_f[M^f(y) = f^{-1}(y)] < (2q+2)/2^n.
• Fix n; by Markov,
  Pr_f{ Pr_y[M^f(y) = f^{-1}(y)] > n^2 (2q+2)/2^n } < 1/n^2.
• Since Σ_n 1/n^2 converges: ∀ M, with prob. 1 over f, Pr_y[M^f(y) = f^{-1}(y)] > n^2 (2q+2)/2^n happens only finitely often ….
• With prob. 1 over f, ∀ M …
Why f is OWP Against Circuits
• Too many circuit families for a uniform argument (not enumerable).
• [GT00]: f is exponentially hard even against circuits.
• High level idea: Consider C that makes q queries and ε-inverts f.
• C gives some non-trivial information on f ⇒ a compact description of f, relative to C.
• Loosely, the description of f contains two carefully chosen subsets X and Y and f restricted to {0,1}^n \ X:
– f(X) = Y.
– Y contains ≥ a 1/q fraction of the y’s on which C inverts.
– X and Y allow reconstruction of f restricted to X.
• Setting the parameters correctly: #descriptions << (2^n)! ⇒ C can only ε-invert an exp. small fraction of the f’s.
[IR89] – How Eve Finds the Secret
• Recall, we assume P=NP, and want to show that Evef breaks (Alicef,Bobf).
• P=NP implies that without f no cryptographic hardness. In particular, no KA !
• In fact, for the purpose of oracle separation, we can essentially assume Eve, Alice and Bob are all powerful and only bounded by number of queries to f.
• In this setting, there is a clear characterization of “knowledge”: the queries made to f and their answers.
[IR89] – How Eve Finds the Secret Cont.
• If s is the key agreed by Alice and Bob, assume wlog that both parties query f on s. Therefore s is an “intersection query”. It is enough that Eve finds all “likely” intersection queries.
Eve’s algorithm (oversimplified):
• Let T be the transcript of (Alice^f,Bob^f), and let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times:
– Simulate: sample a random view of Alice which is consistent with T and L.
– Update: Repeat all the “simulated queries” Alice makes, but this time to the real f. Insert them into L.
• Output a random query from L.
Intuition:
• Whenever simulated Alice is consistent with real Bob’s view, simulated Alice has a fair chance to query s.
• Any inconsistency reveals one of Bob’s queries. This can happen only a polynomial number of times.
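A toy run of the intersection-query idea, added here as an example and not code from the talk or from [IR89]: a Merkle-puzzle style key agreement over a lazily sampled random oracle f. The puzzle encoding, the 64-bit oracle outputs and the short-secret space of size n are constructed for this example. Both honest parties query f('key', id) for the puzzle Bob picks, so that query is the “intersection query” s; Eve replays every query a simulated Alice could have made (here: solving puzzles) until she hits it, paying a quadratic query budget against the honest parties' linear one.

```python
import random

class RandomOracle:
    """Constructed toy random oracle f: a uniform 64-bit answer is sampled
    lazily per distinct query, and every query is counted."""
    def __init__(self, seed=0):
        self.table, self.rng, self.queries = {}, random.Random(seed), 0
    def __call__(self, *args):
        self.queries += 1
        if args not in self.table:
            self.table[args] = self.rng.getrandbits(64)
        return self.table[args]

def alice_puzzles(f, n, rng):
    """Alice builds n puzzles. Puzzle i hides (id_i, key_i) under a short secret
    r_i in [0, n); key_i = f('key', id_i) is Alice's query that becomes the
    intersection query once Bob solves puzzle i."""
    secrets, puzzles = {}, []          # secrets: id -> key, Alice's private table
    for i in range(n):
        ident = rng.getrandbits(32)
        key = f('key', ident) & 0xFFFFFFFF
        r = rng.randrange(n)
        pad = f('pad', i, r)
        puzzles.append(pad ^ ((ident << 32) | key))
        secrets[ident] = key
    return puzzles, secrets

def solve_puzzle(f, i, ciphertext, n):
    """Brute-force the n possible short secrets of puzzle i; the redundancy
    key == f('key', id) lets the solver recognise the right one."""
    for r in range(n):
        plain = ciphertext ^ f('pad', i, r)
        ident, key = plain >> 32, plain & 0xFFFFFFFF
        if f('key', ident) & 0xFFFFFFFF == key:
            return ident, key
    return None

def bob_respond(f, puzzles, n, rng):
    """Bob solves one random puzzle, announces its id and keeps the key."""
    j = rng.randrange(n)
    ident, key = solve_puzzle(f, j, puzzles[j], n)
    return ident, key

def eve_attack(f, puzzles, ident_sent, n):
    """Eve's strategy in the spirit of [IR89]: replay the queries of every
    plausible Alice view (solve puzzles) until the intersection query
    f('key', ident_sent) shows up, then output its answer."""
    for i, c in enumerate(puzzles):
        found = solve_puzzle(f, i, c, n)
        if found and found[0] == ident_sent:
            return found[1]
    return None

def run_demo(n=64, seed=1):
    """Returns (all three keys agree, honest query count, Eve's query count)."""
    f = RandomOracle(seed)
    rng = random.Random(seed + 1)
    puzzles, secrets = alice_puzzles(f, n, rng)
    ident, bob_key = bob_respond(f, puzzles, n, rng)
    alice_key = secrets[ident]                 # Alice looks up the announced id
    honest_queries = f.queries                 # Alice: 2n, Bob: at most 2n
    eve_key = eve_attack(f, puzzles, ident, n)
    eve_queries = f.queries - honest_queries   # at most 2n per puzzle, n puzzles
    return alice_key == bob_key == eve_key, honest_queries, eve_queries
```

The honest parties spend O(n) oracle queries while Eve spends up to O(n^2); the point of the slide is that she nevertheless finds s with polynomially many queries, because every query she makes is one that a consistent Alice could have made.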
[IR89] Results – Revisited
• Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model.
• Cannot get a more natural and meaningful separation.
• How can a reduction overcome this separation?
• Traditional interpretation: to overcome the separation, the construction of KA must use the code of OWP.
• [RTV04] shows that there is no limitation in using OWP as a black box in the construction of KA. The separation might be overcome using the code of the adversary in the proof of security (as in [Bar01,Bar02]).
Taxonomy of Black-Box Reductions I (the case OWF ⇒ KA) [RTV04]
Black-box implementation: eff. (Alice, Bob) s.t. ∀ OWF f, (Alice^f,Bob^f) is a secure KA.
Proof of security: Eve breaking (Alice^f,Bob^f) ⇒ Adv inverting f.
Fully-BB reduction: ∃ eff. Adv ∀ Eve (even not eff.)
  [ Eve breaks (Alice^f,Bob^f) ⇒ Adv^{f,Eve} inverts f ]
Semi-BB reduction: ∀ eff. Eve ∃ eff. Adv
  [ Eve^f breaks (Alice^f,Bob^f) ⇒ Adv^f inverts f ]
[IR89]: No relativizing reduction, thus also no fully-BB; if P=NP, no semi-BB.
Semi-BB vs. Relativizing
Semi-BB: BB implementation with an arbitrary proof of security? No - [RTV04]: No relativizing ⇒ No semi-BB.
• Pf idea: one can embed into f an arbitrary oracle, in particular Eve. “Embedding technique” due to [Sim98].
Semi-BB vs. Relativizing (cont.)
[RTV04]: No relativizing ⇒ No semi-BB.
Pf sketch:
– Let O be an oracle s.t. ∃ OWF g and no KA.
– Define …
– Every (Alice^f,Bob^f) can be broken in PPT^f, but f cannot be inverted in PPT^f ⇒ no semi-BB reduction.
Taxonomy II – BB Implementation with Free Proof of Security
Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv
  [ Eve breaks (Alice^f,Bob^f) ⇒ Adv^f inverts f ]
Now Eve is really efficient (note that Eve no longer has oracle access to f).
Fully-BB ⇒ Relativizing ⇒ Semi-BB ⇒ Mildly-BB ⇒ Free
The Power of Mildly-BB
Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv
  [ Eve breaks (Alice^f,Bob^f) ⇒ Adv^f inverts f ]
• Only Mildly-BB separations are about the efficiency of reductions [GT00,GGK03].
• Thm: ∃ OWF ⇒ ∃ KA if and only if there is a mildly-BB reduction from KA to OWF.
• Conclusion: the restriction is in the BB proof of security rather than in the BB implementation.
• Pf sketch: Given an OWF oracle f (secure against PPT^f), construct a secure KA (against PPT).
  Case I: ∃ KA.
  – The construction ignores the oracle and just executes the secure KA.
  Case II: No KA, and therefore (by the assumed implication ∃ OWF ⇒ ∃ KA) no OWF.
  – Every function that is easy to compute is easy to invert. ⇒ The oracle-OWF f must be hard to compute.
  – KA protocol: Alice sends random (x,r); the parties agree on ⟨f(x),r⟩.
Fully-BB ⇒ Relativizing ⇒ Semi-BB ⇒ Mildly-BB ⇒ Free
OWF vs. OWP
• [IR,KSS00]: a random oracle separates OWF from OWP.
• A much simpler argument for a weaker result:
  Thm. If G^f is a permutation for every function f, then for all f one can invert G^f (using a PSPACE-complete oracle).
  Adv algorithm on input y = G^f(x):
  • Let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times:
    – Simulate: generate some f’ and x’ such that f’ is consistent with L and y = G^{f’}(x’).
    – Update: Repeat all the “simulated queries” of G^{f’}(x’), but this time to the real f. Insert them into L.
  • Output the last x’.
  Correctness: If x’ ≠ x then the evaluations G^f(x) and G^{f’}(x’) must reveal a new inconsistency between f and f’.
OWF vs. OWP Cont.
Where is the weakness? To argue that G is insecure we assumed it is correct: G^f is a permutation for every function f.
Is this legitimate?
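The simulate-and-update inverter from the slide, carried out on a toy instance (an added example, not code from the talk). G^f is a two-round Feistel network over 4 bits, which is a permutation for every f, and f is a table on 2-bit inputs, so “generate f’ and x’ consistent with L” is done by sampling a random completion of L and brute force instead of a PSPACE oracle. The choice of G, the domain sizes and the early-exit check are assumptions of this example; the invariant that each failed round adds a fresh entry to L, so at most (size of f's domain) + 1 rounds are needed, is the correctness argument of the slide.

```python
import random

N = 2                          # f: {0,1}^N -> {0,1}^N, so f is a table of 4 entries
DOMAIN_F = 1 << N
DOMAIN_G = 1 << (2 * N)        # G^f acts on 2N = 4 bits

def G(f, x):
    """Two-round Feistel network built from f (constructed for this example).
    Each round (L, R) -> (R, L xor f(R)) is invertible whatever f is, so G^f is
    a permutation for every function f, as the theorem on the slide assumes."""
    left, right = x >> N, x & (DOMAIN_F - 1)
    for _ in range(2):
        left, right = right, left ^ f(right)
    return (left << N) | right

class CountingOracle:
    """The real f: a fixed random table that counts the real queries made to it."""
    def __init__(self, table):
        self.table, self.queries = table, 0
    def __call__(self, r):
        self.queries += 1
        return self.table[r]

def invert(real_f, y, rng, max_rounds=DOMAIN_F + 1):
    """Simulate-and-update inverter. L collects real (query, answer) pairs.
    Returns (x', number of rounds used)."""
    L = {}
    for rounds in range(1, max_rounds + 1):
        # Simulate: pick any f' consistent with L (random elsewhere) and the
        # unique x' with G^{f'}(x') = y; brute force stands in for PSPACE.
        fprime = {r: L.get(r, rng.randrange(DOMAIN_F)) for r in range(DOMAIN_F)}
        xprime = next(x for x in range(DOMAIN_G) if G(lambda r: fprime[r], x) == y)
        # Update: replay the queries of G^{f'}(x') against the real f, into L.
        asked = []
        G(lambda r: asked.append(r) or fprime[r], xprime)
        for r in asked:
            L[r] = real_f(r)
        # If every replayed answer agreed with f', then G^f(x') = G^{f'}(x') = y,
        # so x' is the preimage (G^f is a permutation). Otherwise some replayed
        # query was new to L, which can happen at most DOMAIN_F times.
        if all(fprime[r] == L[r] for r in asked):
            return xprime, rounds
    raise RuntimeError("unreachable: L grows on every failed round")

def demo(seed=0):
    """Build a random f, pick a random x, invert y = G^f(x).
    Returns (success, rounds used, real queries made by the inverter)."""
    rng = random.Random(seed)
    f = CountingOracle({r: rng.randrange(DOMAIN_F) for r in range(DOMAIN_F)})
    x = rng.randrange(DOMAIN_G)
    y = G(f, x)
    f.queries = 0
    xprime, rounds = invert(f, y, rng)
    return xprime == x, rounds, f.queries
```

The inverter never looks inside G beyond running it with a chosen oracle: this is exactly why the argument needs G^f to be a permutation for every f, the assumption questioned on the slide.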
More on Relativizing vs. BB Reductions
• In some scenarios (e.g. KA -> OWF): No relativizing reduction ⇔ No fully-BB reduction.
• Not always: Consider the construction of Trapdoor (poly-to-1) Functions from PKE.
– [BHSV98] gives a construction in the random oracle model. It is hard to come up with an oracle separation (as the oracle may potentially be used for the BHSV transformation).
– [GMR01] solves it by showing, for any particular construction, an oracle that foils it (rather than giving one oracle that foils all constructions).
• [Myers04] takes it further: considers one specific (but very natural) construction and gives an oracle that foils it.
Are we happy/unhappy with this?
[Rudich91]: Hard to Reduce Interaction
• [Rud91] separates k-message KA from (k-1)-message KA.
For k=3 the oracle O contains: f1, f2, f3 - length-tripling random functions; R - defined below; Π - PSPACE complete.
3-message KA (Alice holds z,r; Bob holds s):
  Alice → Bob: m1 = f1(z,r)
  Bob → Alice: m2 = f2(s,m1)
  Alice → Bob: m3 = f3(z,r,m2)
  Bob computes z = R(s,m3); the agreed key is z.
On an “incorrect” input R outputs a random string.
[Rud91]: No 2-message KA (equivalently, PKE) relative to O
• Without R there is no KA [IR89].
• Let (Alice’,Bob’) be a two-message protocol.
• Assume Alice’ makes a useful query R(s,m3).
– (s,m3) is a “correct” input to R ⇒ it must have been created by 3 “correct” consecutive invocations ⇒ either Alice’ or Bob’ must already know z,r,s.
– If it is Alice’, R is not needed.
– Otherwise, Eve can also know (s,m3) and apply R.
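A small simulation of Rudich's 3-message protocol, added as an example (not code from [Rud91] or from the talk): f1, f2, f3 are lazily sampled random functions with 64-bit outputs, and R checks that (s,m3) really arose from the chain f1, f2, f3 before answering, returning a random string otherwise, as on the slide. The same validity test is what the [GKMVR00] twist later in the talk asks of f2 and R. The honest parties agree on z; an eavesdropper who holds the transcript but not s gets only junk from R. The output sizes and the in-memory search for “correct” inputs are assumptions of this toy, standing in for the all-powerful oracle.

```python
import random

class RandomFunction:
    """Lazily sampled random function with 64-bit outputs (a toy stand-in for
    the length-tripling random functions of the oracle)."""
    def __init__(self, rng):
        self.table, self.rng = {}, rng
    def __call__(self, *args):
        if args not in self.table:
            self.table[args] = self.rng.getrandbits(64)
        return self.table[args]

class RudichOracle:
    """Toy version of O = (f1, f2, f3, R); the PSPACE part is not modelled."""
    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.f1, self.f2, self.f3 = (RandomFunction(rng) for _ in range(3))
        self.junk = RandomFunction(rng)   # R's random answers on incorrect inputs

    def correct_input(self, s, m3):
        """(s, m3) is correct iff m3 = f3(z, r, f2(s, f1(z, r))) for some z, r.
        The real oracle can decide this by brute force; here we search the
        chains that were actually created, which suffices because the f_i are
        sampled lazily. Returns z on a correct input, else None."""
        for (z, r, m2), value in self.f3.table.items():
            m1 = self.f1.table.get((z, r))
            if value == m3 and m1 is not None and self.f2.table.get((s, m1)) == m2:
                return z
        return None

    def R(self, s, m3):
        z = self.correct_input(s, m3)
        return z if z is not None else self.junk(s, m3)   # random string if incorrect

def run_protocol(seed=0):
    """One honest execution plus an eavesdropper's attempt.
    Returns (alice_key, bob_key, eve_result)."""
    O = RudichOracle(seed)
    rng = random.Random(seed + 1)
    z, r = rng.getrandbits(64), rng.getrandbits(64)   # Alice's secrets
    s = rng.getrandbits(64)                            # Bob's secret
    m1 = O.f1(z, r)          # Alice -> Bob
    m2 = O.f2(s, m1)         # Bob -> Alice
    m3 = O.f3(z, r, m2)      # Alice -> Bob
    bob_key = O.R(s, m3)     # Bob recovers z through R
    # Eve sees (m1, m2, m3) but not s; any guessed s' makes (s', m3) incorrect,
    # so R hands her an unrelated random string instead of z.
    eve_result = O.R(rng.getrandbits(64), m3)
    return z, bob_key, eve_result
```

Without R the three messages are just random-function outputs and, by [IR89], carry no key; R's usefulness is tied to a caller who already knows s and a correctly formed m3, which is the property the slide's argument exploits against any two-message protocol.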
How do we define BB access to a protocol?
• In [Rudich91] and most subsequent works this means black-box access to the message and output functions of the parties.
• Can consider a more restricted notion where the access is to a third party implementing the functionality. (Closer in spirit to a physical implementation).
• May make arguments much simpler but need to be careful. For example OT in this model does not imply OWF.
• Other possible formalizations in between [HKNRR05]
OWF vs. Collision Resistant Hashing
• [Simon98] gives an oracle separating the two.
• Here “Simon Light”: in particular, consider only regular hash functions (every image has the same number of preimages).
– Regular coll. resistant hashing is implied by claw-free permutations.
• Oracle: f - random functions, Π - PSPACE complete, and Q, which on input a circuit C is defined as follows:
  If C^g is regular for every function g, then Q outputs uniformly selected x and x’ such that C^f(x) = C^f(x’).
Note: relative to this oracle one may have collision-resistant hash functions (using Q itself). [Simon98] handles this case as well.
OWF vs. Collision Resistant Hashing Cont.
Proof intuition: Assume we want to find f^{-1}(y).
• Due to universal regularity, the only information given by x and x’ is the values of f queried by the evaluations C^f(x) and C^f(x’).
• As long as none of these queries is f^{-1}(y), not much help.
• By regularity, x and x’ are each uniformly distributed (though they are correlated).
• By the union bound, only a negligible chance to encounter f^{-1}(y).
Limitation On Efficiency
• This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99,GT00,GGK03].
• Example: OWP ⇒ PRG.
• Thm [GT00]: a PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP).
(Slide diagram: the PRG takes an m-bit seed, calls f, and outputs m+k bits.)
Limitation On Efficiency Cont.
• Idea: Define f(w,z) = (g(w),z), where w is O(s) bits long and g is random. ⇒ Each invocation gives only O(s) bits of randomness. ⇒ Can simulate f using randomness from the seed.
Concluding Remarks
• Many more beautiful arguments we did not touch!
• BB separations - a useful research tool.
• The extent to which the proof of security is black-box plays a major role.
• Definitions are subtle; we need to make sure we understand the mathematical/philosophical meaning of what we prove.
Some Open Problems
• More Non black-box techniques.
• Can we “Razborov-Rudich” Impagliazzo-Rudich ?
• Power of reductions that use code of primitive but are BB wrt adversary?
[GKMVR00]: incomparability of PKE and OT
• OT ⇏ PKE by an extension of [Rud91].
• PKE ⇏ OT by an oracle containing f1, f2, R, Π (similar to [Rud91]) to allow PKE. But with a small twist…
2-message KA (Bob holds z,s; Alice holds r):
  Alice → Bob: m1 = f1(r)
  Bob → Alice: m2 = f2(z,s,m1)
  Alice computes z = R(r,m2); the agreed key is z.
Important: define f2 and R to output ⊥ on “incorrect” inputs (sort of validity tests). This prevents this specific key agreement from being “fakable”, and turns out to be sufficient.