On the Efficiency of 2 Generic Cryptographic Constructions

Luca Trevisan, U.C. Berkeley, joint work with Rosario Gennaro (IBM)

Upload: candra

Post on 13-Jan-2016


TRANSCRIPT

Page 1: On the Efficiency of 2 Generic Cryptographic Constructions

On the Efficiency of 2 Generic Cryptographic Constructions

Luca Trevisan

U.C. Berkeley

joint work with Rosario Gennaro (IBM)

Page 2: On the Efficiency of 2 Generic Cryptographic Constructions

Generic Constructions

• From a OWP of security S we can get a PRG of expansion k that evaluates the OWP O(k/log S) times [BMY & GL]

• From the hardness of discrete log, we can get a length-doubling PRG that requires O(1) exponentiations

• Can we improve BMY or is there a genericity/efficiency trade-off?

Page 3: On the Efficiency of 2 Generic Cryptographic Constructions

Generic Constructions (continued)

• UOWHF: family $H_s: \{0,1\}^m \to \{0,1\}^{m-k}$; given random x, s, hard to find x' such that $H_s(x) = H_s(x')$

• From a OWP of security S, can get a UOWHF of compression k that evaluates the OWP O(k/log S) times [NY & GL]

• Can we do better?

Page 4: On the Efficiency of 2 Generic Cryptographic Constructions

What is the Question?

• Impossible to prove that “every construction of a PRG based on a OWP needs at least q evaluations of the OWP”

• Suppose we have a provably good PRG, then there is a construction of “PRG based on a OWP” that uses zero evaluations and has arbitrary expansion

Page 5: On the Efficiency of 2 Generic Cryptographic Constructions

“Current Techniques”

• We can try to prove that

“every construction of a PRG based on OWP and analyzed using current techniques evaluates the OWP at least q times”

Page 6: On the Efficiency of 2 Generic Cryptographic Constructions

Impagliazzo - Rudich

• Impagliazzo & Rudich face same problem when trying to prove that “there is no key-agreement (KA) construction based on OWP”

• If key agreement is possible, then key agreement is possible “using one-way permutations”

• They argue that there is no KA construction based on OWP that can be analyzed using “current techniques”

Page 7: On the Efficiency of 2 Generic Cryptographic Constructions

How to Model Standard Crypto Reductions (1)

Weak black-box KA based on OWP:

Suppose f is such that for every PPT I we have $\Pr[I^f(f(x)) = x] <$ negligible.

Then there are PPT A, B such that there is no PPT E that breaks the KA protocol $(A^f, B^f)$ with noticeable prob.

Page 8: On the Efficiency of 2 Generic Cryptographic Constructions

Comments

• In a weak BB construction we use that f is one-way but not that f has a poly-size circuit

• Weak BB captures all known constructions except some zero-knowledge based ones. (Notably, identification schemes)

• Mind-twister observation 1 [Reingold-T.-Vadhan]: The statements “OWP imply KA” and “there is a weak black-box construction of KA based on OWP” are equivalent

Page 9: On the Efficiency of 2 Generic Cryptographic Constructions

How to Model Standard Crypto Reductions (2)

Semi black-box KA based on OWP:

Suppose f is such that for every PPT I we have $\Pr[I^f(f(x)) = x] <$ negligible.

Then there are PPT A, B such that there is no PPT E such that $E^f$ breaks the KA protocol $(A^f, B^f)$ with noticeable prob.

Page 10: On the Efficiency of 2 Generic Cryptographic Constructions

Comments

• In semi-BB we do not use the fact that the adversary for the construction has small size (but may use that it has small size relative to f)

• All known constructions (except id. protocols) are also semi-black box.

• Impagliazzo-Rudich: a semi-BB construction of KA from OWP implies P ≠ NP

• Reingold-Vadhan: unconditionally impossible

Page 11: On the Efficiency of 2 Generic Cryptographic Constructions

How to Model Standard Crypto Reductions (3)

Fully black-box KA based on OWP:

For every f there are PPT A,B,R such that

If E breaks the KA protocol $(A^f, B^f)$ with noticeable prob.

Then $\Pr[R^{f,E}(f(x)) = x] >$ noticeable

Page 12: On the Efficiency of 2 Generic Cryptographic Constructions

Comments

• All known reductions yada yada yada

• Impagliazzo-Rudich: unconditionally, there is no fully BB construction of KA based on OWP

(even if fully BB condition is satisfied only for most f instead of for every f)

Page 13: On the Efficiency of 2 Generic Cryptographic Constructions

Relativizations

• Alternative approach:

– Find an oracle relative to which KA is impossible but OWP exist

– Then no relativizing construction of KA based on OWP can exist

• Reingold-Vadhan: an unconditional impossibility of semi-BB is equivalent to an oracle separation

Page 14: On the Efficiency of 2 Generic Cryptographic Constructions

The Small Picture (on KA using OWP)

No semi-bb construction

Oracle separation

No fully-BB construction

No weakly-BB construction

Page 15: On the Efficiency of 2 Generic Cryptographic Constructions

Previous Results on Efficiency

• Kim-Simon-Tetali: there is an oracle relative to which every construction of UOWHF of compression k based on OWP evaluates the OWP $\Omega(k^{1/2})$ times.

• No negative result on PRG based on OWP

Page 16: On the Efficiency of 2 Generic Cryptographic Constructions

Our Results (Gennaro-T00)

• If there is a weakly-BB construction of UOWHF based on OWP that uses o(k/log S) evaluations, then one-way functions exist (and zero evaluations are enough)

(Also, unconditionally, no semi-BB construction with o(k/log S), and an oracle relative to which. . . )

• Same for PRG of expansion k

Page 17: On the Efficiency of 2 Generic Cryptographic Constructions

Pseudorandom Generators

Suppose there were a weak-BB construction of expansion k with q = o(k/log S) invocations

If f is one-way with security S, then output is pseudorandom

[Diagram: weak-BB PRG with oracle f; seed of m bits in, output of m+k bits out]

Page 18: On the Efficiency of 2 Generic Cryptographic Constructions

Hardness of Random Permutations

• If a permutation $f: \{0,1\}^t \to \{0,1\}^t$ is picked at random, whp:

– For every A of size $< 2^{t/5}$: $\Pr_x[A^f(f(x)) = x] < 2^{-t/5}$

• Pick at random $f: \{0,1\}^{5\log S} \to \{0,1\}^{5\log S}$. Define $g: \{0,1\}^n \to \{0,1\}^n$ as $g(a,b) = f(a),b$. Then g is whp one-way with hardness S

Page 19: On the Efficiency of 2 Generic Cryptographic Constructions

Generator Works with Random g

• Pick g at random as above, pick seed at random, give seed and oracle access to g to PRG construction

• Output distribution is pseudorandom

[Diagram: weak-BB PRG making q queries to g; seed of m bits in, output of m+k bits out]

Page 20: On the Efficiency of 2 Generic Cryptographic Constructions

Simulation with no Oracle

• Output can be sampled with $m + 5q\log S < m + k$ random bits.

• We have unconditionally a PRG

[Diagram: weak-BB PRG with the q queries simulated; seed of m + 5q log S bits in, output of m+k bits out]
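The simulation step of Pages 18 to 20, as an added example that is not part of the slides: the oracle g(a,b) = f(a),b is answered by lazy sampling from a bit tape, so the whole output is a function of m + q·t input bits with t = 5 log S. The names `LazyF`, `make_g`, `toy_construction` and `simulate`, and the toy sizes, are assumptions; `toy_construction` is only a stand-in oracle machine, not a secure PRG, and stepping to the next unused value on a collision is a simplification that makes f very slightly non-uniform.

```python
import hashlib

T = 15                  # t = 5*log2(S) bits; toy value, i.e. S = 8 (assumption)
M, K, Q = 64, 128, 3    # seed bits m, expansion k, oracle queries q; here q*T < k

class LazyF:
    """Answers queries to a 'random permutation' f on T bits from a bit tape r."""
    def __init__(self, tape_bits):
        self.tape, self.pos, self.table, self.used = tape_bits, 0, {}, set()

    def __call__(self, a):
        if a not in self.table:
            y = int(self.tape[self.pos:self.pos + T], 2)  # T fresh bits per new query
            self.pos += T
            while y in self.used:                         # keep f injective
                y = (y + 1) % (1 << T)
            self.table[a] = y
            self.used.add(y)
        return self.table[a]

def make_g(f, n):
    """g(a, b) = f(a), b: f acts on the top T bits, the low n-T bits pass through."""
    low = n - T
    return lambda x: (f(x >> low) << low) | (x & ((1 << low) - 1))

def toy_construction(seed, g):
    """Stand-in oracle machine: Q adaptive queries to g, then M+K output bits."""
    x, answers = seed, []
    for _ in range(Q):
        x = g(x) ^ (x >> 7)          # next query depends on the previous answer
        answers.append(x)
    data = repr((seed, answers)).encode()
    return hashlib.shake_256(data).digest((M + K) // 8)

def simulate(seed, tape_bits):
    """Oracle-free sampler: m + q*T input bits, m + k output bits."""
    f = LazyF(tape_bits)
    return toy_construction(seed, make_g(f, M)), f

if __name__ == "__main__":
    import secrets
    seed = secrets.randbits(M)
    tape = format(secrets.randbits(Q * T), f"0{Q * T}b")
    out, f = simulate(seed, tape)
    print(f"{M + f.pos} input bits -> {len(out) * 8} output bits")
```

Running the same construction against any full permutation that agrees with the lazily sampled table gives the identical output, which is why the oracle can be dropped.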

Page 21: On the Efficiency of 2 Generic Cryptographic Constructions

Hash Functions

• Suppose we have weak-BB UOWHF of compression k with q = o(k/log S) invocations

• Secure if g is one-way of hardness S

[Diagram: UOWHF with oracle g; inputs x (m bits) and s, output $H_s(x)$ (m-k bits)]

Page 22: On the Efficiency of 2 Generic Cryptographic Constructions

Random g

• Pick at random $f: \{0,1\}^{5\log S} \to \{0,1\}^{5\log S}$. Define $g: \{0,1\}^n \to \{0,1\}^n$ as $g(a,b) = f(a),b$

• Modify construction so that the f part of oracle queries is given in output

• The construction is still compressing and secure

[Diagram: UOWHF with oracle g; inputs x (m bits) and s, output $H_s(x), f(a_1), \ldots, f(a_q)$ (m-k+q log S bits)]

Page 23: On the Efficiency of 2 Generic Cryptographic Constructions

Unconditional Construction

• Define $H_{s,r}$: on input x, simulate weak-BB construction $H_s$ on input x, use r to simulate random oracle f

• Compresses m bits to $m - k + 5q\log S < m$ bits and is secure

Page 24: On the Efficiency of 2 Generic Cryptographic Constructions

Conclusions

• Similar bounds for secure public key encryption and signatures (GKM)

• Stronger bounds for PRG constructions from OWF? (or, can we improve efficiency of HILL?)

– Mind twister observation 2 [Reingold-T-Vadhan]: There IS a weak-BB construction of PRG from OWF that makes O(k/log S) invocations

Page 25: On the Efficiency of 2 Generic Cryptographic Constructions

The weak-BB Construction

• Suppose one-way functions exist: then using HILL we can construct a “OWF-based” PRG that makes zero invocations

• Suppose one-way functions do not exist: then $G^f(\langle h\rangle, x) = \langle h\rangle, h(f,x)$, where h is hash function mapping 2n bits into n+1 bits, satisfies def. of weak-BB construction.

• Using Levin’s universal one-way function, possible to come up with a single construction that is provably weak-BB and makes few invocations. (What does it mean?)