Information Theoretic Cryptography
Introduction
Benny Applebaum
Tel Aviv University
BIU Winter-School of Information-Theoretic Cryptography
February 2020
Communication and Computation in the presence of adversary
Honest party Honest party
Adversary
Computational Cryptography
โข Encryption
โข Authentication
Honest party Honest party
Adversary
Computational Cryptography
โข Commitments
โข Coin Tossing
โข ZK-Proofs
โข Secure Computation
Adversary
Computational Cryptography
Exploit computational limitation to achieve privacy/authenticity/โฆ
AdversaryPoly-bounded
Computational Cryptography
Information-Theoretic Cryptography
Exploit information gaps to achieve privacy/authenticity/โฆ
AdversaryComputationally unbounded
Exploit information gaps to achieve privacy/authenticity/โฆ
AdversaryComputationally unbounded
Information-Theoretic Cryptography
AdversaryComputationally unbounded
Exploit information gaps to achieve privacy/authenticity/โฆ
Information-Theoretic Cryptography
(Shallow) Comparison
Computational Cryptography
โข Comp-limited adversary
โข Unproven assumptions
โข Composability issues
โข Complicated defโs
โข Allows magic (PRG/PKC/OT/)
โข Short keys
โข May be comp. expensive
IT Cryptography
โข Comp-unbounded adversary
โข Unconditional (no assumptions)
โข Good closure properties
โข Easy to define and work with (concretely)
โข No magic (useless w/o information gaps)
โข Long keys/large communication
โข Typically fast (for short messages)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto TowerAssumption
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower
One-time pad
AES
RSA
OT
Obfuscation
Time (per-bit)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower: Realistic View
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower: Realistic View
GGMGLHILL
DDH-KARSA-OAEPFDH-RSA
GMW-MPC GMW-ZK Yao-GC
MMAPS-based obfuscation
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The best of all worlds
Problem
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The best of all worlds
Problem
Problem
Two Case Studies:
Perfect Encryption & Error Correcting Codes
Image credits:
Photo: CC BY SA 4.0, by DobriZheglov, https://commons.wikimedia.org/wiki/File:Claude_Shannon_1776.jpgAli Baba's cave: CC BY 2.5, by Dake, https://commons.wikimedia.org/wiki/File:Zkip_alibaba{1,2,3}.png
Case Study 1: Perfect Encryption [Shannon 48]
Alice Bob
Message ๐ โ 0,1 ๐
Case Study 1: Perfect Encryption [Shannon 48]
Secrecy: For every ๐, ๐ โ 0,1 ๐ EK(๐) โก EK(๐)
where ๐พ โ๐ ๐ฒ
๐ โ 0,1 ๐
Private key ๐พ โ ๐ฒ
Ciphertext EK(๐)Encryption Decryption
Private key ๐พ โ ๐ฒ
๐ โ 0,1 ๐
Perfect SecrecySecrecy: For every ๐, ๐ โ 0,1 ๐ EK(๐) โก EK(๐)
where ๐พ โ๐ ๐ฒ
โ ๐ถ, Pr๐พ๐ธ๐พ ๐ = ๐ถ = Pr
๐พ๐ธ๐พ ๐ = ๐ถ
Statistical SecrecySecrecy: For every ๐, ๐ โ 0,1 ๐ EK(๐) โ EK(๐)
where ๐พ โ๐ ๐ฒ
โ set of ciphertexts ๐, Pr๐พ๐ธ๐พ ๐ โ ๐ โ๐ฟ Pr
๐พ๐ธ๐พ ๐ โ ๐
Statistical SecrecySecrecy: For every ๐, ๐ โ 0,1 ๐ EK(๐) โ EK(๐)
where ๐พ โ๐ ๐ฒ
โ unbounded ๐ด๐๐ฃ, Pr๐พ๐ด๐๐ฃ ๐ธ๐พ ๐ = 1 โ Pr
๐พ๐ด๐๐ฃ ๐ธ๐พ ๐ = 1 โค ๐ฟ
Computational Secrecy [GMโ82]Secrecy: For every ๐, ๐ โ 0,1 ๐ EK(๐) โ EK(๐)
where ๐พ โ๐ ๐ฒ
โ comp โ bounded ๐ด๐๐ฃ, Pr๐พ๐ด๐๐ฃ ๐ธ๐พ ๐ = 1 โ Pr
๐พ๐ด๐๐ฃ ๐ธ๐พ ๐ = 1 โค ๐ฟ
One-Time Pad is Perfectly Secure
Message ๐ โ 0,1 ๐
Private key ๐พ โ๐ 0,1 ๐Private key ๐พ โ๐ 0,1 ๐
EK ๐ = ๐พโ๐
โ๐, ๐, EK(๐) โก EK(๐)
DK ๐ถ = ๐ถ โ๐พ๐ฎ
๐ฎ ๐ฎ
+
โEncryption Decryption
Proofโ๐, ๐, EK(๐) โก EK(๐)
Claim: โ ๐, ๐ถ, Pr๐พ๐ธ๐พ ๐ = ๐ถ = 1/|๐บ|
Pr๐พ๐พ +๐ = ๐ถ = Pr
๐พ๐พ = ๐ถ โ๐ = 1/|๐บ|
Put differently: For every ๐ the mapping ๐พ โฆ ๐ธ๐พ ๐
is a bijection from randomness space to ciphertext space
In fact, non-degenerate linear mapping
Efficiency Measures
Alice Bob
Message ๐ โ 0,1 ๐
Private key ๐พ โ๐ 0,1 ๐ Private key ๐พ โ 0,1 ๐
EK ๐ = ๐พโ๐ DK ๐ถ = ๐ถ โ๐พ+ โ
Communication, Randomness, Round complexity
โข OTP: Optimal !
Riddle: Broadcast Encryption [Fiat-Naor94]
Alice
Bob1
Message ๐ โ {0,1}Subset ๐
Keys ๐พ1, โฆ , ๐พ๐
key ๐พ1
EK ๐, ๐
Bob N
key ๐พ๐
Subset S Can decrypt iff๐ โ ๐บBob ๐
โฆ
โฆ
key ๐พ๐
Riddle: Broadcast Encryption [Fiat-Naor94]
Alice
Bob1
Message ๐ โ {0,1}Subset ๐
Keys ๐พ1, โฆ , ๐พ๐
key ๐พ1
EK ๐, ๐
Communication?
Randomness (length of each key)?
Best tradeoffs?
Bob N
key ๐พ๐
Subset S Can decrypt iff๐ โ ๐บBob ๐
โฆ
โฆ
key ๐พ๐
Case Study 2: Error Correction/Detection [Hamming47, Shannon48]
Codeword ๐ถ = (๐ถ1, โฆ , ๐ถ๐)
Encode Decode ๐ โ 0,1 ๐๐ โ 0,1 ๐
Can tamper (erase/corrupt)
up to ๐น-fraction of symbols
or โฅ
Shannon: Solutions with optimal communication overhead
โข Random linear mapping is optimal [Varshamov]
โข Later efficient constructions
Unified view: Distributed Storage
Alice
Message ๐ โ 0,1 ๐
๐ถ1
Bob N
๐ถ๐
Encoding
โฆ
๐ถ๐
Coding setting:
Adv. actively corrupts/erase servers
Decoding๐ โ 0,1 ๐
Unified view: Distributed Storage
Alice
Message ๐ โ 0,1 ๐
๐ถ1
Bob N
๐ถ๐
Encoding
โฆ
๐ถ๐
Secrecy setting:
Adversary passively corrupts servers
Decoding๐ โ 0,1 ๐
Unified view: Distributed Storage
Alice
Message ๐ โ 0,1 ๐
๐พ
๐ธ๐พ ๐ = ๐พ +๐
Encoding
Secrecy setting:
Adversary passively corrupts servers
Decoding๐ โ 0,1 ๐
Unified view: Distributed Storage
Alice
Message ๐ โ 0,1 ๐
๐พ1
Bob N
๐ +๐พ1 +โฏ+ ๐พ๐
Encoding
โฆ
๐พ๐
Secrecy setting:
Adversary passively corrupts servers
Decoding๐ โ 0,1 ๐
Can we achieve privacy & resiliency?
Alice
Message ๐ โ 0,1 ๐
๐พ1
Bob N
๐ +๐พ1 +โฏ+ ๐พ๐
Encoding
โฆ
๐พ๐
Secrecy setting:
Adversary passively corrupts servers
Decoding๐ โ 0,1 ๐
Secret-Sharing (Giladโs talk)
Alice
Message ๐ โ 0,1 ๐
๐ถ1
Bob N
๐ถ๐
Encoding
โฆ
๐ถ๐
Threshold setting:
Corruption bounds ๐๐๐๐ก๐๐ฃ๐ , ๐๐๐๐๐ ๐ข๐๐ , ๐๐๐๐ ๐ ๐๐ฃ๐
Decoding๐ โ 0,1 ๐
Secret-Sharing (Giladโs talk)
Alice
Message ๐ โ 0,1 ๐
๐ถ1
Bob N
๐ถ๐
Encoding
โฆ
๐ถ๐
Threshold setting:
Corruption bounds ๐๐๐๐ก๐๐ฃ๐ , ๐๐๐๐๐ ๐ข๐๐ , ๐๐๐๐ ๐ ๐๐ฃ๐
Decoding๐ โ 0,1 ๐
General Secret-Sharing (Bennyโs talk)
Alice
Message ๐ โ 0,1 ๐
๐ถ1
Bob N
๐ถ๐
Encoding
โฆ
๐ถ๐
General corruption patterns:
โข Related to Broadcast encryption problem
โข Huge gaps between LBs and UBs
Decoding๐ โ 0,1 ๐
Private Information Retrieval (Yuval+Klim)
Alice
Message ๐ โ 0,1 ๐
๐ถ1
Bob N
๐ถ๐
Encoding
โฆ
๐ถ๐ Decoding๐ โ 0,1 ๐
Private Information Retrieval (Yuval+Klim)
Bob N
โฆ
๐
Alice
Decoding
Private Information Retrieval (Yuval+Klim)
๐
Bob N
๐
โฆ
๐
๐[๐]
Alice
index ๐ โ {1,โฆ , ๐}
Hide access pattern i
Private Information Retrieval (Yuval+Klim)
Bob N
โฆ
๐[๐]
Alice
index ๐
Hide access pattern i
โข Power of non-linearity
โข Huge gaps between LBs and UPs
Computation: Beyond Storage
๐ฅ1
๐ฅ2 ๐ฅ3
๐ฅ4
๐ฅ5
๐ฅ6
TrustedParty
Consensus (Ittaiโs talk) Achieving Agreement at the presence of failures/corruptions/delays
1
56
3
2
4
Only correctness requirement No privacy requirements
1
1
1
1
General Secure Computation (Yuvalโs talk)Compute joint function of the parties inputs
๐ฅ1
๐ฅ2 ๐ฅ3
๐ฅ4
๐ฅ5
๐ฅ6
๐น(๐ฅ1, โฆ , ๐ฅ5)
Passive adversaries
โข Privacy
Active adversaries
โข Correctness & Privacy
General Functions
General Secure Computation (Yuvalโs talk)Compute joint function of the parties inputs
๐ฅ1
๐ฅ2 ๐ฅ3
๐ฅ4
๐ฅ5
๐ฅ6
๐ฅ1 +โฏ+ ๐ฅ5
Challenge:
Design 1-private protocol for sum over G
Proofs in Non-Interactive Setting (Nivโs Talk)
๐ฅ1
๐ฅ2 ๐ฅ3
๐ฅ4
๐ฅ5
๐ฅ6
๐น(๐ฅ1, โฆ , ๐ฅ5)=1
prover
verifiers
๐ฅ1
๐ฅ2 ๐ฅ3
๐ฅ4
๐ฅ5
๐ฅ6
๐น(๐ฅ1, โฆ , ๐ฅ5)
receiver
senders
Randomized Encoding & Constant-Round MPC (Bennyโs Talk)
Summary: Information Theoretic Cryptography
โข Cool questions
โข Exciting connections withโข Coding, Information-theory, Communication Complexity,
Computational complexity, Theory of Computation
โข Relevant to computational crypto as well
โข Many open problems
โข New conference: ITC 2020, June 17-19, 2020 in Bostonโข PC: Daniel Wichs, General Chairs: Adam Smith & Yael Kalai
Have a Good Time!