1 / 30

Does Privacy Require True Randomness?

Does Privacy Require True Randomness?. Yevgeniy Dodis New York University. Joint work with Carl Bosley. Randomness is Important. Even in Everyday Life. Even in Cryptography…. Secret keys must have entropy Many primitives must be randomized (encryption, commitment, ZK)

andralyn
Télécharger la présentation

Does Privacy Require True Randomness?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Does Privacy Require True Randomness? Yevgeniy Dodis New York University Joint work with Carl Bosley

  2. Randomness is Important IPAM Workshop

  3. Even in Everyday Life IPAM Workshop

  4. Even in Cryptography… • Secret keys must have entropy • Many primitives must be randomized (encryption, commitment, ZK) • Common abstraction: perfect randomness • strong assumption, hard to get right IPAM Workshop

  5. Randomness is Hard to Get IPAM Workshop

  6. Coins cannot be trusted too IPAM Workshop

  7. Especially with Active Attackers IPAM Workshop

  8. Perfect Randomness • Hard to get as we just saw • Do we really need perfect randomness? • Imperfect source: family of distributions satisfying some property (i.e., entropy)? • “Tolerate” imperfect source: have one scheme correctly working for any D in the source • Main Question: which imperfect sources are enough for Cryptography? IPAM Workshop

  9. Extractable Sources • Sources permitting (deterministic) extraction of nearly perfect randomness • such sources suffice for (almost) anything perfect randomness is enough for • However, many sources non-extractable  • E.g., entropy sources [SV86,CG89] • Are extractable sources the only “good” sources for cryptography??? • Depends on application… IPAM Workshop

  10. Current Answers • Correctness/Soundness: NO  • Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04] • Authentication/Unpredictability: NO  • Quite weak sources enough for MACs [MW97] (& even weaker for interactive MACs [RW03]) • Enough for signatures as well, assuming “strong OWPs” [DOPS04] • General sources: separation between authentication and extraction [DS02] IPAM Workshop

  11. Privacy/Indistinguishability Mixed indications: • All known techniques (pseudorandomness,…) critically rely on perfect randomness • Studied non-extractable sources are not enough for privacy as well [MP91, DOPS04] • 1-bit case [DS02,DPP06]: strict implications extractionencryption2−2secretsharing • What about the general, multi-bit case??? IPAM Workshop

  12. Our Main Result • Nearly perfect randomness is inherent for inform.-theoretic private key encryption • Theorem 1: If n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract b nearly perfect bits from S! • Note: if Enc is efficient, then so is Ext • Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b (log n loglog n) bits IPAM Workshop

  13. Interpretation • Theorem 1: to encryptb bits • Either the secret key length is exponential, or • S is extractable and, in fact, “perfect enough” to apply (an almost) b −bit one−time pad ! • Thus, if b is “non-trivial”, then • Cannot afford to sample exponentially long key • Must find a source capable of extracting almost b random bits to begin with  • Might as well extract and use one−time pad • One−time pad is universal after all  IPAM Workshop

  14. Interpretation • Theorem 2: glimmer of hope  • Encryption of up to (log n loglog n) bits does not imply extraction of even 1 bit • Non-trivially extends the 1-bit separation of [DS02] to (log n loglog n) bits • For encrypting very few bits true randomness is not inherent IPAM Workshop

  15. Extensions • Computational security: implies extraction of bpseudorandom bits • In particular, at least 1 statistical bit! • Efficiency: poly-time encryption  poly-time extraction (non-explicit ) • Other primitives: extends to public-key encryption, perfectly-binding commitments IPAM Workshop

  16. Conclusions • One-time pad is universal for private-key encryption • Strong indication that (nearly) perfect randomness is inherent for privacy • Open questions: • De-randomize construction of extractor • Extend to other (all?) privacy applications • Classify crypto apps w.r.t. randomness IPAM Workshop

  17. Details! Let the fun begin! IPAM Workshop

  18. Deterministic Extraction • n-bitsourceS=familyof distributions {K} on {0,1}n • ℓ-bit extractor Ext for S: • Ext: {0,1}n {0,1}ℓ • Ext is -fair if for allKS, we have SD( Ext( K ), Uℓ)   • S is (ℓ, )-extractable if there is an -fair extractor Ext for S IPAM Workshop

  19. Private-Key Encryption • Alice & Bob share n-bit key k  K, forKS • b-bit encryption scheme (Enc, Dec) for S: • Enc: {0,1}b {0,1}n C, Dec: C  {0,1}n {0,1}b • For all m  {0,1}b, k  {0,1}n, Dec(Enc(m, k), k) =m • (Enc, Dec) is -secure if for allKS and m  {0,1}b SD( Enc(m,K), Enc(Ub,K ))   • S is (b, )-encryptable if there is a -secure b-bit encryption scheme (Enc, Dec) for S IPAM Workshop

  20. Results Restated Theorem 1: Ifn-bitS is (b,)-encryptable and b > log n + 2log(1/),then S must be (b−2log(1/), + )-extractable Theorem 2: For b <log n−loglog n –1, there is an n-bitS which is (b,0)-encryptable, but not(1,)-extractable, where IPAM Workshop

  21. Proof of Theorem 1 • Let S’ = { Enc(Ub, k) | k  {0,1}n } • Lemma 1: IfS’ is (ℓ, )-extractable, then Sis(ℓ, + )-extractable. In fact, Ext(k) = Ext’(Enc(0, k)) • Proof: take any KS. Then IPAM Workshop

  22. Proof of Theorem 1 • Let S’ = { Enc(Ub, k) | k  {0,1}n } • Lemma 1: IfS’ is (ℓ, )-extractable, then Sis(ℓ, + )-extractable. In fact, Ext(k) = Ext’(Enc(0, k)) • Lemma 2: If b > log n + 2log(1/),then S’ is (b−2log(1/),)-extractable IPAM Workshop

  23. Proof of Theorem 1 • Let S’ = { Enc(Ub, k) | k  {0,1}n } • Lemma 2: If b > log n + 2log(1/),then S’ is (b−2log(1/),)-extractable • Say Xis b -flat if Xis uniform on 2bvalues • Note: all X S’ are b -flat (can decrypt!) • Lemma 3: If b > log n + 2log(1/),then any collection S’ of 2nb-flat distributions is (b−2log(1/),)-extractable • Implies Lemma 2 and Theorem 1 IPAM Workshop

  24. Proof of Lemma 3 • Lemma 3: If b > log n + 2log(1/),then any collection S’ of 2nb-flat distributions is (b−2log(1/),)-extractable • Proof: Let ℓ=b−2log(1/), B = 2b, L=2ℓ=B2 • Pick randomf :C  {0,1}ℓ • b -flat X S’, Chernoff + union bound  • Another union bound over all X S’, IPAM Workshop

  25. Observations • [TV00]: enough to pick n-wise independent f • Lemma 3’: If b > log n + 2log(1/),then any collection S’ of 2nb-flat distributions is efficiently (b−2log(1/)−log n,)-extractable • Corollary: If Enc is efficient  so is Ext • Extends to computational setting • Extract pseudorandom bits • Perfect binding enough • Covers public−key encryption and perfectly−binding commitment IPAM Workshop

  26. Proof of Theorem 2 Theorem 2: For b <log n−loglog n –1, there is an n-bitS which is (b,0)-encryptable, but not(1,)-extractable, where Theorem 2’: For b <log n−loglog n –1, there is a b-bit E = (Enc,Dec) for which Good(E) is not(1,)-extractable, where Good(E) = {K|E is Shannon-secure under K} IPAM Workshop

  27. Proof of Theorem 2’ • Let N = 2n; B = 2b; Ss.t. NS(S−1)…(S−B+1) • Note, N< SB, so S> N1/B(> Bfor our params) • M=[B], C=[S], K={all B-tuples of ciphertexts} K = { k = (c1…cB) | ci cj for i  j } • Enc(m,(c1…cB))=cm, Dec(c,(c1…cB))=m s.t. cm = c • Take any Ext: [N]  {0,1} • Case 1: have0-monochromatic perfect K • Fix Ext to 0 with K, done • Case 2: no such 0-monochromatic perfectK • [Lemma]  perfect K’ s.t.Pr[Ext(K’) = 0] < B2/S IPAM Workshop

  28. Proof of Main Lemma • Let N = 2n; B = 2b; Ss.t. NS(S−1)…(S−B+1) • Note, N< SB, so S> N1/B(> Bfor our params) • M=[N], C=[S], K={all B-tuples of ciphertexts} K = { k = (c1…cB) | ci cj for i  j } • Enc(m,(c1…cB))=cm, Dec(c,(c1…cB))=m s.t. cm = c • Main Lemma: if cannot fix Ext to 0, then  perfect K s.t. Pr[Ext(K) = 0] < B2/S IPAM Workshop

  29. Proof of Main Lemma Not to prove Theorem 2’ Not to prove Main Lemma IPAM Workshop

  30. Thank You ! But don’t go, we need to prove main lemma !!! IPAM Workshop

More Related