Reductions
Christina Brzuska, Tel-Aviv University
Limitations of Impossibility Results
• Impagliazzo-Rudich:
• Standard techniques?
• Certain "types" of reductions
• Goal of this talk: Define types of reductions
References
• Notions of Reducibility between Cryptographic Primitives. Omer Reingold, Luca Trevisan, Salil Vadhan
• Notions of Black-Box Reductions, Revisited. Paul Baecher, CB, Marc Fischlin
Reductions in Cryptography
[Figure: Adversary A and scheme S (signature requests, public key, forgery); Reduction R and Game C]
Reduction: if A breaks scheme S then R^A wins game C
Goal: signature scheme from some assumption
One-Time-Signatures from OWFs (Lamport)
[Figure: Adversary A, signature request (just one), public key; OWF Game for f with y=f(x) and x*]
OWFs ⇒ One-Time Signatures: Construction + Reduction
[Figure: Reduction R, forgery, scheme S, Construction based on f]
Construction KeyGen^f, Sign^f, Verify^f
– KeyGen^f:
  sk: a1, …, an
      b1, …, bn
  pk: f(a1), …, f(an)
      f(b1), …, f(bn)
– Sign^f(sk, m): m = m1, …, mn = 0010…0
  a1 a2 a3 a4 … an
  b1 b2 b3 b4 … bn
  m: 0 0 1 0 … 0
  [Figure label: σ]
– Verify^f(pk, m, σ): Check whether pre-images match pk
Assume f is one-way. Prove security of this scheme.
Security Reduction R^{A,f}
R^{A,f} gets y=f(x), tries to compute a pre-image of y
A: adversary against signature scheme
[Figure: grids pk = f(a1) … f(an), f(b1) … f(bn) and sk = a1 … an, b1 … bn, with m = 0 0 1 0 … 0 and labels y, ???, σ; annotations "Hope for query m" and "Hope for forgery m*"]
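
The construction and the reduction R^{A,f} from the two slides above, as an added Python example (not code from the talk). Assumptions: SHA-256 on 2-byte inputs stands in for f so that the constructed `brute_force_forger` can play adversary A by exhaustive search, and y is the image of a 2-byte input; `reduction` plants y at a random key slot and succeeds only when the query avoids that slot and the forgery uses it.

```python
import hashlib, secrets

N = 8  # message length n in bits (constructed toy size)

def f(x: bytes) -> bytes:
    # Stand-in for f. Assumption: inputs are 2 bytes, so the exhaustive-search
    # adversary below can play the forger A; a real f needs a large domain.
    return hashlib.sha256(x).digest()

def keygen(n=N):
    sk = [(secrets.token_bytes(2), secrets.token_bytes(2)) for _ in range(n)]
    return [(f(a), f(b)) for a, b in sk], sk        # (pk, sk)

def sign(sk, m):
    return [sk[i][bit] for i, bit in enumerate(m)]  # a_i if m_i = 0, else b_i

def verify(pk, m, sigma):
    return len(m) == len(sigma) == len(pk) and all(
        f(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(m, sigma)))

def reduction(y, adversary, n=N):
    """R^{A,f}: gets y = f(x) and uses forger A to compute a pre-image of y."""
    pk, sk = keygen(n)
    i, b = secrets.randbelow(n), secrets.randbelow(2)
    pk[i] = (y, pk[i][1]) if b == 0 else (pk[i][0], y)  # plant y at slot (i, b)
    aborted = []
    def sign_oracle(m):             # A is allowed just one request
        if m[i] == b:               # would need the unknown pre-image of y
            aborted.append(True)
            return None
        return sign(sk, m)
    m_star, sigma = adversary(pk, sign_oracle)
    if aborted or m_star[i] != b or not verify(pk, m_star, sigma):
        return None                 # the hope for query m or forgery m* failed
    return sigma[i]                 # a pre-image of y

_TABLE = {}                         # f-value -> pre-image, filled on first use
def brute_force_forger(pk, sign_oracle):
    """Constructed adversary A: inverts the toy f by exhaustive search."""
    if not _TABLE:
        _TABLE.update((f(v.to_bytes(2, "big")), v.to_bytes(2, "big"))
                      for v in range(2 ** 16))
    m = [secrets.randbelow(2) for _ in pk]
    sigma = sign_oracle(m)
    if sigma is None:
        return m, []                # the reduction aborted, nothing to forge
    j = secrets.randbelow(len(pk))  # flip one bit and invert the missing slot
    m_star = m[:j] + [1 - m[j]] + m[j + 1:]
    return m_star, sigma[:j] + [_TABLE[pk[j][m_star[j]]]] + sigma[j + 1:]
```

Against this forger the reduction returns a pre-image in about 1 of every 2n = 16 runs: the query must miss the planted slot and the forgery must hit it.
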
Fully Black-Box Reductions
A^f breaks (KeyGen^f, Sign^f, Verify^f) ⇒ R^{A,f} breaks f
∃ PPT Construction (KeyGen, Sign, Verify) ∃ PPT Reduction R ∀ Adversary A ∀ Function f
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Primitive f
(Im)Possibility Results
One-Way Functions
Pseudorandom Permutations
Pseudorandom Generators
Message Authentication Codes
Symmetric Encryption
Key Agreement [IR89]
Pseudorandom Functions
Signature Schemes
Minicrypt
Cryptomania
Impagliazzo Rudich
• This afternoon
• Oracle result
• Relative to O: OWFs, but no key agreement
Which techniques are ruled out?
• There exists an oracle O:
– One-way functions exist relative to O,
– KA does not exist relative to O.
• For any oracle O:
– If one-way functions exist relative to O,
– then KA exists relative to O.
A^f breaks KA^f ⇒ R^{A,f} breaks f
∃ PPT Construction KA ∃ PPT Reduction R ∀ Adversary A ∀ Function f
Oracle Separation rules out
Fully Black-Box Reduction ?
Relativizing Reduction ?
Fully Black-Box Reduction implies Relativizing Reduction
Relativizing Reductions
• For any oracle O:
– If one-way functions exist relative to O,
– then one-time signatures exist relative to O.
• P1 is an efficient algorithm
• f = P1^O is one-way.
• No PPT A can invert f.
• A also gets access to O
[Figure: P1 and A, each with access to oracle O(.)]
[Figure: A, f (P1) and Sig (P2), each with access to oracle O(.)]
Take an Oracle O. We have to show that:
– If one-way functions exist relative to O,
– then one-time signatures exist relative to O.
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
[Figure labels: Assumption; A, f (P1), Sig (P2), each with oracle O(.); OT-Sig, OW]
– Assume OWFs exist relative to O.
– We show that one-time signatures exist relative to O.
– P2 is efficient.
– We can implement G^f efficiently relative to O.
– Is Sig=G^f a secure OT-Sig-scheme?
– Assume towards contradiction, there is PPT A such that A^O breaks G^f.
– Then, R^{A,f} breaks f.
– R^{A,f} efficiently implementable relative to O?
– R^{A,f} efficiently implementable relative to O:
[Figure: R, A and f (P1), each with access to oracle O(.); OT-Sig, OW]
– Fully black-box reduction implies relativizing reduction (in general).
– Oracle separation à la Impagliazzo-Rudich rules out relativizing reductions and thus also fully black-box reductions.
I want to try to build a key agreement scheme from a one-way function. What shall I do? How can I get around Impagliazzo-Rudich?
Circumventing Impossibility Results
• C: Construction may work for all f (black-box) or for all f, there is a construction (non-black-box)
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
Example: weak OWF ⇒ OWF
• Weakly OWF: Inverting probability is smaller than 1-(1/poly).
• For every weakly OWF f, there is some poly n: G^f: (x1,…,xn) ↦ (f(x1),…,f(xn)) is one way.
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
Circumventing Impossibility Results
• A: The reduction R may work for all A (black-box) or for all A, there is an R (non-black-box)
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
Example: Goldreich-Levin
• OWF f: (x,r) ↦ f'(x), r
• Then, h(x,r) := <x,r> is a hardcore bit for f: Given f(x,r), it is hard to predict h(x,r)
• Reduction from predicting b=h(x,r) to inverting f.
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
Example: Goldreich-Levin
• Predicting to inverting (decision to search)
• Uses amplification techniques
• The reduction R depends on the success probability of A
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
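
An added Python example (not from the talk) of how the reduction R depends on the success probability of A. It covers only the simplified case in which the predictor A is right on more than a 3/4 + eps fraction of all r, where a majority vote suffices; the full Goldreich-Levin proof also handles success 1/2 + eps. SHA-256 as f', the 16-bit toy length and the noisy predictor are constructed assumptions.

```python
import hashlib, math, random

N_BITS = 16  # constructed toy length of x and r

def f_prime(x: int) -> bytes:
    # Stand-in for the one-way function f' (assumption, not from the slides)
    return hashlib.sha256(x.to_bytes(N_BITS // 8, "big")).digest()

def h(x: int, r: int) -> int:
    # Hardcore predicate h(x, r) = <x, r> mod 2
    return bin(x & r).count("1") & 1

def invert_with_predictor(y, predict, eps, delta=1e-6, rng=None):
    """R^{A,f}: invert y = f'(x) using A = predict(y, r), which is assumed to be
    correct on more than a 3/4 + eps fraction of all r."""
    rng = rng or random.Random(0)
    # Each vote below is right with probability > 1/2 + 2*eps; by Hoeffding this
    # many votes make every majority correct except with probability delta.
    votes = math.ceil(math.log(N_BITS / delta) / (8 * eps ** 2))
    x = 0
    for i in range(N_BITS):
        e_i, ones = 1 << i, 0
        for _ in range(votes):
            r = rng.getrandbits(N_BITS)
            # <x,r> xor <x,r xor e_i> = x_i when both predictions are right
            ones += predict(y, r) ^ predict(y, r ^ e_i)
        if 2 * ones > votes:
            x |= e_i
    return (x if f_prime(x) == y else None), votes

def make_noisy_predictor(secret_x, error_byte=26):
    """Constructed adversary A: answers h(x, r) but is wrong on about 10% of r."""
    def predict(y, r):
        digest = hashlib.sha256(b"noise" + r.to_bytes(N_BITS // 8, "big")).digest()
        return h(secret_x, r) ^ int(digest[0] < error_byte)
    return predict
```

The number of oracle calls grows as 1/eps^2, so the same reduction run against a weaker predictor needs more queries to A.
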
Circumventing Impossibility Results
• P: The reduction R may work for all primitives f (black-box) or for all f, there is an R (non-black-box)
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f
CAP Notation
Construction {B,N}
Adversary {B,N}
Primitive {B,N}
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Primitive f
BBB (fully black-box)
∃ PPT Construction G ∀ Primitive f
∀ Primitive f ∃ PPT Construction G
∃ PPT Reduction R ∀ Primitive f
∃ PPT Reduction R ∀ Adversary A
∀ Primitive f ∃ PPT Reduction R
∀ Adversary A ∃ PPT Reduction R
Three Questions
• Is the construction black-box with respect to the primitive?
• Is the reduction black-box with respect to the adversary?
• Is the reduction black-box with respect to the primitive?
Construction {B,N} G: f
Adversary {B,N} R: A
Primitive {B,N} R: f
As a Picture
[Figure: the eight types NNN, BNN, BBN, NNB, NBB, BBB, BNB, NBN]
Circumvent Impagliazzo-Rudich with an NNN-reduction!
Relativizing Reductions
Take an Oracle O. We have to show that:
– If one-way functions exist relative to O,
– then key agreement exists relative to O.
A^f breaks G^f ⇒ R^{A,f} breaks f
∀ Function f ∃ PPT Construction G ∀ Adversary A ∃ PPT Reduction R
[Figure labels: Assumption; A, f (P1), KA (P2), each with oracle O(.)]
Analogous Proof
What now?
Circumventing Impagliazzo-Rudich
Exploit efficiency!
Let's try to find an NNNa reduction!
A^f breaks G^f ⇒ R^{A,f} breaks f
∀ Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R
Also Impossible!
Proof is not straightforward
Not PPT, if f is inefficient.
Can we embed O into f?
[Figure: R, A, O(.), f; labels "efficient A", "Not PPT"]
Impagliazzo Rudich Oracles
1. Add PSPACE oracle
2. Add a random function f.
3. Prove, f is one-way.
4. Prove, KA is easy to break.
Relative to oracle O=(PSPACE,f):
- OWFs exist.
- KA does not exist.
[Figure labels: Key Agreement, Minicrypt, Easy/P/BPP, NP, PSPACE]
Embed PSPACE oracle into f
1. Add PSPACE oracle
2. Add a random function f.
3. Prove, f is one-way.
4. Prove, KA is easy to break.
f': (x, x', test) ↦
    0||f(x), if test is not 0…0
    1||PSPACE(x'), if test is 0…0
Relative to oracle O=(PSPACE,f):
- OWFs exist.
- KA does not exist.
Still a one-way function, because the probability that test=0…0 for a random (x,x',test) is tiny.
Access to f' and (f,PSPACE) is the same
Can we embed O into f?
f': (x, x', test) ↦
    0||f(x), if test is not 0…0
    1||PSPACE(x'), if test is 0…0
– Assume OWFs exist relative to O.
– If f is a OWF relative to O, then so is f'.
– Use f' in proof.
A^f breaks G^f ⇒ R^{A,f} breaks f
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R
[Figure labels: Assumption; A, f' (P1), Sig (P2), each with oracle O(.); OT-Sig, OW]
f': (x, x', test) ↦
    0||f(x), if test is not 0…0
    1||O(x'), if test is 0…0
– f' is an OWF relative to O.
– We show that one-time signatures exist relative to O.
– P2 is efficient.
– We can implement G^{f'} efficiently relative to O.
– Is Sig=G^{f'} a secure OT-Sig-scheme?
– Assume towards contradiction, there is PPT A such that A^O breaks G^{f'}.
– Then, there is PPT A' such that A'^{f'} breaks G^{f'} and R^{A',f'} breaks f'.
– R^{A',f'} efficiently implementable relative to O:
f': (x, x', test) ↦
    0||f(x), if test is not 0…0
    1||O(x'), if test is 0…0
[Figure: R, A and f' (P1), each with access to oracle O(.); label "efficient"]
Theorem
If there is an NNNa-reduction from key agreement to one-way functions, then there is a relativizing reduction from key agreement to one-way functions.
Corollary
There is no NNNa-reduction from key agreement to one-way functions.
Circumventing Impagliazzo-Rudich
Exploit efficiency (of A and f)!
Let's try to find an NNNap reduction!
A^f breaks G^f ⇒ R^{A,f} breaks f
∀ Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R
[Slide annotation: "PPT" (efficient A, f)]
Also impossible?
A Trivial Reduction
Assume secure key agreement exists.
A^f breaks G^f ⇒ R^{A,f} breaks f
∀ PPT Primitive f ∃ PPT Construction G (ignores f) ∀ PPT Adversary A ∃ PPT Reduction R (ignores everything)
[Slide annotation: "never happens"]
Showing impossibility result for NNNap-reduction ⇒ showing impossibility of key agreement altogether
A Non-Trivial Reduction
Assume secure key agreement exists.
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G (ignores f) ∃ PPT Reduction R (ignores everything) ∀ Adversary A ∀ PPT Primitive f
Not PPT, if A is not PPT
[Slide annotation: "never happens"]
A Non-Trivial Reduction
Assume secure key agreement exists.
A^f breaks G^f ⇒ R^{A,f} breaks f
∃ PPT Construction G (ignores f) ∃ PPT Reduction R (ignores everything) ∀ PPT Adversary A ∀ Primitive f
Not PPT, if f is not PPT
To Circumvent Impagliazzo Rudich
• Try NNNp or NNNap
• Exploit the efficiency of the primitive f
• Else, impossible…
• …if you have an idea, first check whether it falls into the impossibility result.
General Recipe
• Take an impossibility result
• Understand what it rules out
• Take into account 3-5 questions:
C: Does it apply, if Construction G depends on Primitive f?
A: Does it apply, if Reduction R depends on Adversary A?
P: Does it apply, if Reduction R depends on Primitive f?
a: Does it apply, if we only quantify over efficient Adversaries A?
p: Does it apply, if we only quantify over efficient Primitives f?
General Recipe
• Take an impossibility result
• Understand what it rules out
• Take into account 3-5 questions:
C: How can Construction G depend on Primitive f?
A: How can Reduction R depend on Adversary A?
P: How can Reduction R depend on Primitive f?
a: Does it apply, if we only quantify over efficient Adversaries A?
p: Does it apply, if we only quantify over efficient Primitives f?
Find techniques outside the impossibility result
This afternoon: Non-BB Techniques!
Note on Negative Results
• Try to rule out a big class of reductions
• Try to make the class as explicit as possible
– 5 questions: CAPap
– Understand dependencies
• Try to rule out efficient primitives (powerful!)
– Consider Meta-Reductions
Wednesday morning
Summary
• Impossibility results rule out certain techniques/types of reductions
• 5 questions to understand an impossibility result
• Oracle Separations
– Use efficient primitives!
Construction {B,N} G: f
Adversary {B,N} R: A
Primitive {B,N} R: f
Efficient Adversaries only? XYZa
Efficient Primitives only? XYZp
Circumventing Impossibility Results
• Zero-Knowledge:
– B01, L01, BP12,…
• Fair Multi-Party Computation:
– LZ13
• Obfuscation:
– W05, CD08, BC10, CKVW10, H10, HRSV11,…
• RSA-FDH:
– DHT12, KK12
• KDM-Secure Encryption:
– BHHI09, A11