Reductions Christina Brzuska Tel-Aviv University


Page 1: Reductions

Reductions

Christina Brzuska, Tel-Aviv University

Page 2: Reductions

Limitations of Impossibility Results

• Impagliazzo-Rudich:
• Standard techniques?
• Certain "types" of reductions
• Goal of this talk: Define types of reductions

Page 3: Reductions

References

• Notions of Reducibility between Cryptographic Primitives. Omer Reingold, Luca Trevisan, Salil Vadhan
• Notions of Black-Box Reductions, Revisited. Paul Baecher, CB, Marc Fischlin

Page 4: Reductions

Reductions in Cryptography

Goal: signature scheme from some assumption

[Diagram: Adversary A interacts with scheme S (public key, signature requests, forgery); Reduction R plays Game C]

Reduction: if A breaks scheme S then R^A wins game C

Page 5: Reductions

One-Time-Signatures from OWFs (Lamport)

OWFs ⇒ One-Time Signatures: Construction + Reduction

[Diagram: Adversary A interacts with scheme S (construction based on f): public key, signature request (just one), forgery. Reduction R plays the OWF Game for f: y=f(x), x*]

Page 6: Reductions

Construction KeyGen^f, Sign^f, Verify^f

– KeyGen^f:
    sk:  a1,…,an
         b1,…,bn
    pk:  f(a1),…,f(an)
         f(b1),…,f(bn)

– Sign^f(sk,m): m = m1,…,mn = 0010…0
    a1 a2 a3 a4 … an
    b1 b2 b3 b4 … bn
    m:  0 0 1 0 … 0
    Output: σ

– Verify^f(pk,m,σ): Check whether pre-images match pk

Assume f is one-way. Prove security of this scheme.

Page 7: Reductions

Security Reduction R^{A,f}

A: adversary against signature scheme

R^{A,f} gets y=f(x), tries to compute a pre-image of y

pk:  f(a1) f(a2) f(a3) f(a4) … f(an)
     f(b1) f(b2) f(b3) f(b4) … f(bn)
sk:  a1 a2 a3 a4 … an
     b1 b2 b3 b4 … bn
m:   0 0 1 0 … 0

[Diagram: the pk and sk grids shown a second time, with labels σ, sk, pk, y, ???, "Hope for query m", "Hope for Forgery m*"]
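The construction and the reduction R^{A,f} from the two slides above, as an added example that is not part of the original slides. Assumptions: f is a truncated SHA-256 over a 12-bit toy domain (so that a brute-force adversary can exist at all), message bit 0 reveals a_i and bit 1 reveals b_i, and `toy_adversary`, `reduction` and `pos` are hypothetical names.

```python
import hashlib, random

DOMAIN = 1 << 12  # toy input space, small enough that a brute-force A exists
N = 8             # message length in bits

def f(x):
    # Stand-in for the one-way function f (assumption: truncated SHA-256).
    return hashlib.sha256(x.to_bytes(2, "big")).digest()[:8]

def keygen(rng):
    sk = [[rng.randrange(DOMAIN) for _ in range(N)] for _ in range(2)]  # rows a, b
    pk = [[f(x) for x in row] for row in sk]
    return pk, sk

def sign(sk, m):
    # Assumed convention: bit 0 reveals a_i, bit 1 reveals b_i.
    return [sk[bit][i] for i, bit in enumerate(m)]

def verify(pk, m, sig):
    return len(m) == len(sig) == N and all(
        f(s) == pk[bit][i] for i, (bit, s) in enumerate(zip(m, sig)))

def toy_adversary(pk, sign_oracle):
    # Hypothetical A^f: asks for a signature on 00...0, then forges 10...0
    # by brute-forcing the one missing pre-image (feasible only in the toy domain).
    m = [0] * N
    sig = sign_oracle(m)
    if sig is None:
        return None
    b1 = next(x for x in range(DOMAIN) if f(x) == pk[1][0])
    return [1] + m[1:], [b1] + sig[1:]

def reduction(y, adversary, rng, pos=None):
    # R^{A,f}: plant y at one slot of pk and hope the forgery opens that slot.
    i, c = pos if pos is not None else (rng.randrange(N), rng.randrange(2))
    pk, sk = keygen(rng)
    pk[c][i], sk[c][i] = y, None  # R knows no pre-image of y

    def sign_oracle(m):
        # The query must avoid the planted slot ("hope for query m").
        return None if m[i] == c else sign(sk, m)
    out = adversary(pk, sign_oracle)
    if out is None:
        return None
    m_star, sig_star = out
    # "Hope for forgery m*": it must open the planted slot.
    if m_star[i] == c and verify(pk, m_star, sig_star):
        return sig_star[i]
    return None
```

With a random slot, R succeeds against this adversary only when it plants y at position 1 of row b, which is why the reduction loses a factor of about 1/(2n) in success probability.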

Page 8: Reductions

Fully Black-Box Reductions

∃ PPT Construction (KeyGen, Sign, Verify) ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks (KeyGen^f, Sign^f, Verify^f) ⇒ R^{A,f} breaks f

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Primitive f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 9: Reductions

(Im)Possibility Results

[Diagram of primitives. Minicrypt: One-Way Functions, Pseudorandom Permutations, Pseudorandom Generators, Message Authentication Codes, Symmetric Encryption, Pseudorandom Functions, Signature Schemes. Cryptomania: Key Agreement [IR89]]

Page 10: Reductions

Impagliazzo Rudich

• This afternoon
• Oracle result
• Relative to O: OWFs, but no key agreement

Page 11: Reductions

Which techniques are ruled out?

• There exists an oracle O:
  – One-way functions exist relative to O,
  – KA does not exist relative to O.

• For any oracle O:
  – If one-way functions exist relative to O,
  – then KA exists relative to O.

∃ PPT Construction KA ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks KA^f ⇒ R^{A,f} breaks f

Oracle Separation rules out: Fully Black-Box Reduction? Relativizing Reduction?

Page 12: Reductions

Fully Black-Box Reduction implies Relativizing Reduction

Page 13: Reductions

Relativizing Reductions

• For any oracle O:
  – If one-way functions exist relative to O,
  – then one-time signatures exist relative to O.

• P1 is an efficient algorithm
• f = P1^O is one-way.
• No PPT A can invert f.
• A also gets access to O

[Diagram: f = P1 with oracle O(.); adversary A with oracle O(.)]

Page 14: Reductions

Relativizing Reductions

• For any oracle O:
  – If one-way functions exist relative to O,
  – then one-time signatures exist relative to O.

[Diagram: adversary A with oracle O(.); f = P1 with oracle O(.); Sig = P2 with oracle O(.)]

Page 15: Reductions

Take an Oracle O. We have to show that:
– If one-way functions exist relative to O,
– then one-time signatures exist relative to O.

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram: adversary A with oracle O(.); f = P1 with oracle O(.) (OW); Sig = P2 with oracle O(.) (OT-Sig)]

Page 16: Reductions

– Assume, OWFs exist relative to O.
– We show that one-time signatures exist relative to O.

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, G, A, O(.), f, P1, P2, OT-Sig, OW]

Page 17: Reductions

– Assume, OWFs exist relative to O.
– We show that one-time signatures exist relative to O.

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, P2, G, A, O(.), f, P1, OT-Sig, OW]

Page 18: Reductions

– P2 is efficient.
– We can implement G^f efficiently relative to O.
– Is Sig = G^f a secure OT-Sig scheme?

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, P2, G, A, O(.), f, P1, OT-Sig, OW]

Page 19: Reductions

– P2 is efficient.
– We can implement G^f efficiently relative to O.
– Is Sig = G^f a secure OT-Sig scheme?

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, G, A, O(.), f, P1, P2, OT-Sig, OW]

Page 20: Reductions

– Assume towards contradiction, there is a PPT A such that A^O breaks G^f.
– Then, R^{A,f} breaks f.
– Is R^{A,f} efficiently implementable relative to O?

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, G, A, O(.), f, OT-Sig, OW]

Page 21: Reductions

– R^{A,f} efficiently implementable relative to O:

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: R, A, O(.), f, P1, OT-Sig, OW, "efficient"]

Page 22: Reductions

– Fully black-box reduction implies relativizing reduction (in general).
– Oracle separation à la Impagliazzo-Rudich rules out relativizing reductions and thus also fully black-box reductions.

Assumption:
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: OT-Sig, OW]

I want to try to build a key agreement scheme from a one-way function. What shall I do? How can I get around Impagliazzo-Rudich?

Page 23: Reductions

Circumventing Impossibility Results

• C: Construction may work for all f (black-box) or for all f, there is a construction (non-black-box)

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 24: Reductions

Example: weak OWF ⇒ OWF

• Weakly OWF: Inverting probability is smaller than 1-(1/poly).
• For every weakly OWF f, there is some poly n: G^f: (x1,…,xn) ↦ (f(x1),…,f(xn)) is one-way.

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 25: Reductions

Circumventing Impossibility Results

• A: The reduction R may work for all A (black-box) or for all A, there is an R (non-black-box)

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 26: Reductions

Example: Goldreich-Levin

• OWF f: (x,r) ↦ f'(x),r
• Then, h(x,r) := <x,r> is a hardcore bit for f: Given f(x,r), it is hard to predict h(x,r)
• Reduction from predicting b=h(x,r) to inverting f.

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 27: Reductions

Example: Goldreich-Levin

• Predicting to inverting (decision to search)
• Uses amplification techniques
• The reduction R depends on the success probability of A

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f
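An added example, not from the slides: the amplification step in the easy case where A predicts <x,r> correctly with probability at least 3/4 + ε (the full Goldreich-Levin proof handles 1/2 + ε with a more involved argument). The predictor is modelled as an oracle r ↦ guess for a fixed hidden x, and `noisy_predictor`, `samples_needed` and `invert` are hypothetical names; the number of samples is computed from ε, which is how R comes to depend on the success probability of A.

```python
import math, random

def inner(x, r):
    # h(x,r) = <x,r> over GF(2); bit vectors are packed into ints.
    return bin(x & r).count("1") & 1

def noisy_predictor(x, err, rng):
    # Constructed stand-in for A: answers <x,r> correctly with probability 1 - err.
    return lambda r: inner(x, r) ^ (rng.random() < err)

def samples_needed(eps, n, delta=2**-20):
    # Each vote is right with probability >= 1/2 + 2*eps, so by Hoeffding a
    # majority of t votes is wrong with probability <= exp(-8 * t * eps^2).
    return math.ceil(math.log(n / delta) / (8 * eps * eps))

def invert(predict, n, eps, rng):
    # R^A: recover x bit by bit; predict(r) xor predict(r xor e_i) equals x_i
    # whenever both answers are correct.
    t = samples_needed(eps, n)
    x = 0
    for i in range(n):
        e_i = 1 << i
        votes = 0
        for _ in range(t):
            r = rng.getrandbits(n)
            votes += predict(r) ^ predict(r ^ e_i)
        if 2 * votes > t:
            x |= e_i
    return x
```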

Page 28: Reductions

Circumventing Impossibility Results

• P: The reduction R may work for all primitives f (black-box) or for all f, there is an R (non-black-box)

∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 29: Reductions

CAP Notation

Construction {B,N}   B: ∃ PPT Construction G ∀ Primitive f   N: ∀ Primitive f ∃ PPT Construction G
Adversary {B,N}      B: ∃ PPT Reduction R ∀ Adversary A      N: ∀ Adversary A ∃ PPT Reduction R
Primitive {B,N}      B: ∃ PPT Reduction R ∀ Primitive f      N: ∀ Primitive f ∃ PPT Reduction R

BBB (fully black-box):
∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Primitive f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Page 30: Reductions

Three Questions

• Is the construction black-box with respect to the primitive?
• Is the reduction black-box with respect to the adversary?
• Is the reduction black-box with respect to the primitive?

Construction {B,N}   G: f
Adversary {B,N}      R: A
Primitive {B,N}      R: f

Page 31: Reductions

As a Picture

[Diagram of the eight reduction types: NNN, BNN, BBN, NNB, NBB, BBB, BNB, NBN; further labels: "Relativizing Reductions", "x"]

Circumvent Impagliazzo-Rudich with an NNN-reduction!

Page 32: Reductions

Take an Oracle O. We have to show that:
– If one-way functions exist relative to O,
– then key agreement exists relative to O.

Assumption:
∀ function f ∃ PPT Construction G ∀ Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram: adversary A with oracle O(.); f = P1 with oracle O(.); KA = P2 with oracle O(.)]

Analogous Proof

What now?

Page 33: Reductions

Circumventing Impagliazzo-Rudich

Exploit efficiency! Let's try to find an NNNa reduction!

∀ Primitive f ∃ PPT Construction ∀ PPT Adversary A ∃ PPT Reduction R (PPT: efficient A):
A^f breaks G^f ⇒ R^{A,f} breaks f

Also Impossible!

Page 34: Reductions

Proof is not straightforward

[Diagram: R with A, O(.) and f; label: Not PPT]

∀ Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

Not PPT, if f is inefficient.

Can we embed O into f?

Page 35: Reductions

Impagliazzo Rudich Oracles

[Diagram labels: Easy/P/BPP, Minicrypt, Key Agreement, NP, PSPACE]

1. Add PSPACE oracle
2. Add a random function f.
3. Prove, f is one-way.
4. Prove, KA is easy to break.

Relative to oracle O=(PSPACE,f):
- OWFs exist.
- KA does not exist.

Page 36: Reductions

Embed PSPACE oracle into f

1. Add PSPACE oracle
2. Add a random function f.
3. Prove, f is one-way.
4. Prove, KA is easy to break.

f': (x, x', test) ↦ 0||f(x),        if test is not 0…0
                    1||PSPACE(x'),  if test is 0…0

Relative to oracle O=(PSPACE,f):
- OWFs exist.
- KA does not exist.

Still a one-way function, because the probability that test=0…0 for a random (x,x',test) is tiny.

Page 37: Reductions

Access to f' and (f,PSPACE) is the same

[Diagram: R with A, O(.) and f; label: Not PPT]

∀ Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

Not PPT, if f is inefficient.

Can we embed O into f?

f': (x, x', test) ↦ 0||f(x),        if test is not 0…0
                    1||PSPACE(x'),  if test is 0…0

Page 38: Reductions

– Assume, OWFs exist relative to O.
– If f is a OWF relative to O, then so is f'
– Use f' in proof

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, A, O(.), f', P1, P2, OT-Sig, OW]

f': (x, x', test) ↦ 0||f(x),   if test is not 0…0
                    1||O(x'),  if test is 0…0

Page 39: Reductions

– f' is an OWF relative to O.
– We show that one-time signatures exist relative to O.

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, G, A, O(.), f', P1, P2, OT-Sig, OW]

Page 40: Reductions

– f' is an OWF relative to O.
– We show that one-time signatures exist relative to O.

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, P2, G, A, O(.), f', P1, OT-Sig, OW]

Page 41: Reductions

– P2 is efficient.
– We can implement G^{f'} efficiently relative to O.
– Is Sig = G^{f'} a secure OT-Sig scheme?

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, P2, G, A, O(.), f', P1, OT-Sig, OW]

Page 42: Reductions

– P2 is efficient.
– We can implement G^{f'} efficiently relative to O.
– Is Sig = G^{f'} a secure OT-Sig scheme?

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, G, A, O(.), f', P1, P2, OT-Sig, OW]

Page 43: Reductions

– Assume towards contradiction, there is a PPT A such that A^O breaks G^{f'}.
– Then, there is a PPT A' such that A'^{f'} breaks G^{f'} and R^{A',f'} breaks f'.

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: Sig, G, A, O(.), f', OT-Sig, OW]

f': (x, x', test) ↦ 0||f(x),   if test is not 0…0
                    1||O(x'),  if test is 0…0

Page 44: Reductions

– R^{A',f'} efficiently implementable relative to O:

Assumption:
∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R:
A^f breaks G^f ⇒ R^{A,f} breaks f

[Diagram labels: R, A, O(.), f', P1, OT-Sig, OW, "efficient"]

Page 45: Reductions

Theorem

If there is an NNNa-reduction from key agreement to one-way functions, then there is a relativizing reduction from key agreement to one-way functions.

Corollary

There is no NNNa-reduction from key agreement to one-way functions.

Page 46: Reductions

Circumventing Impagliazzo-Rudich

Exploit efficiency (of A and f)! Let's try to find an NNNap reduction!

∀ PPT Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R (PPT: efficient A, f):
A^f breaks G^f ⇒ R^{A,f} breaks f

Also impossible?

Page 47: Reductions

A Trivial Reduction

Assume, secure key agreement exists.

∀ PPT Primitive f ∃ PPT Construction G (ignores f) ∀ PPT Adversary A ∃ PPT Reduction R (ignores everything):
A^f breaks G^f (never happens) ⇒ R^{A,f} breaks f

Showing impossibility result for NNNap-reduction ⇒ showing impossibility of key agreement altogether

Page 48: Reductions

A Non-Trivial Reduction

Assume, secure key agreement exists.

∃ PPT Construction G (ignores f) ∃ PPT Reduction R (ignores everything) ∀ Adversary A ∀ PPT Primitive f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Annotations: "Not PPT, if A is not PPT"; "never happens"

Page 49: Reductions

A Non-Trivial Reduction

Assume, secure key agreement exists.

∃ PPT Construction G (ignores f) ∃ PPT Reduction R (ignores everything) ∀ PPT Adversary A ∀ Primitive f:
A^f breaks G^f ⇒ R^{A,f} breaks f

Annotation: "Not PPT, if f is not PPT"

Page 50: Reductions

To Circumvent Impagliazzo Rudich

• Try NNNp or NNNap
• Exploit the efficiency of the primitive f
• Else, impossible…
• …if you have an idea, first check whether it falls into the impossibility result.

Page 51: Reductions

General Recipe

• Take an impossibility result
• Understand what it rules out
• Take into account 3-5 questions:

C: Does it apply, if Construction G depends on Primitive f?
A: Does it apply, if Reduction R depends on Adversary A?
P: Does it apply, if Reduction R depends on Primitive f?

a: Does it apply, if we only quantify over efficient Adversaries A?
p: Does it apply, if we only quantify over efficient Primitives f?

Page 52: Reductions

General Recipe

• Take an impossibility result
• Understand what it rules out
• Take into account 3-5 questions:

C: How can Construction G depend on Primitive f?
A: How can Reduction R depend on Adversary A?
P: How can Reduction R depend on Primitive f?

a: Does it apply, if we only quantify over efficient Adversaries A?
p: Does it apply, if we only quantify over efficient Primitives f?

Find techniques outside the impossibility result
This afternoon: Non-BB Techniques!

Page 53: Reductions

Note on Negative Results

• Try to rule out a big class of reductions
• Try to make the class as explicit as possible
  – 5 questions: CAPap
  – Understand dependencies
• Try to rule out efficient primitives (powerful!)
  – Consider Meta-Reductions

Wednesday morning

Page 54: Reductions

Summary

• Impossibility results rule out certain techniques/types of reductions
• 5 questions to understand an impossibility result
• Oracle Separations
  – Use efficient primitives!

Construction {B,N}   G: f
Adversary {B,N}      R: A
Primitive {B,N}      R: f

Efficient Adversaries only? XYZa
Efficient Primitives only? XYZp

Page 55: Reductions

Circumventing Impossibility Results

• Zero-Knowledge:
  – B01, L01, BP12,…
• Fair Multi-Party Computation:
  – LZ13
• Obfuscation:
  – W05, CD08, BC10, CKVW10, H10, HRSV11,…
• RSA-FDH:
  – DHT12, KK12
• KDM-Secure Encryption:
  – BHHI09, A11