## Does Privacy Require True Randomness?


**Does Privacy Require True Randomness?**
Yevgeniy Dodis, New York University. Joint work with Carl Bosley. IPAM Workshop.

**Randomness is Important**

**Even in Everyday Life**

**Even in Cryptography…**
• Secret keys must have entropy
• Many primitives must be randomized (encryption, commitment, ZK)
• Common abstraction: perfect randomness
  • strong assumption, hard to get right

**Randomness is Hard to Get**

**Coins cannot be trusted either**

**Especially with Active Attackers**

**Perfect Randomness**
• Hard to get, as we just saw
• Do we really need perfect randomness?
• Imperfect source: a family of distributions satisfying some property (e.g., a lower bound on entropy)
• "Tolerate" an imperfect source: one scheme that works correctly for every distribution D in the source
• Main question: which imperfect sources are enough for cryptography?

**Extractable Sources**
• Sources permitting (deterministic) extraction of nearly perfect randomness
  • such sources suffice for (almost) anything perfect randomness is enough for
• However, many sources are non-extractable
  • e.g., entropy sources [SV86, CG89]
• Are extractable sources the only "good" sources for cryptography?
  • Depends on the application…

**Current Answers**
• Correctness/Soundness: NO
  • Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
• Authentication/Unpredictability: NO
  • Quite weak sources are enough for MACs [MW97] (and even weaker ones for interactive MACs [RW03])
  • Enough for signatures as well, assuming "strong OWPs" [DOPS04]
  • General sources: separation between authentication and extraction [DS02]

**Privacy/Indistinguishability**
Mixed indications:
• All known techniques (pseudorandomness, …) critically rely on perfect randomness
• The studied non-extractable sources are not enough for privacy either [MP91, DOPS04]
• 1-bit case [DS02, DPP06]: strict implications extraction ⇒ encryption ⇒ 2-out-of-2 secret sharing
• What about the general, multi-bit case?

**Our Main Result**
• Nearly perfect randomness is inherent for information-theoretic private-key encryption
• Theorem 1: If an n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract ≈ b nearly perfect bits from S!
  • Note: if Enc is efficient, then so is Ext
• Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b ≈ log n − log log n bits

**Interpretation**
• Theorem 1: to encrypt b bits,
  • either the secret key length n is exponential in b, or
  • S is extractable and, in fact, "perfect enough" to apply an (almost) b-bit one-time pad!
• Thus, if b is "non-trivial", then
  • cannot afford to sample an exponentially long key
  • must find a source capable of extracting almost b random bits to begin with
  • might as well extract and use the one-time pad
  • the one-time pad is universal after all

**Interpretation**
• Theorem 2: a glimmer of hope
  • Encryption of up to ≈ log n − log log n bits does not imply extraction of even 1 bit
  • Non-trivially extends the 1-bit separation of [DS02] to ≈ log n − log log n bits
  • For encrypting very few bits, true randomness is not inherent

**Extensions**
• Computational security: implies extraction of b pseudorandom bits
  • In particular, at least 1 statistical bit!
• Efficiency: poly-time encryption ⇒ poly-time extraction (non-explicit)
• Other primitives: extends to public-key encryption, perfectly-binding commitments

**Conclusions**
• The one-time pad is universal for private-key encryption
• Strong indication that (nearly) perfect randomness is inherent for privacy
• Open questions:
  • De-randomize the construction of the extractor
  • Extend to other (all?) privacy applications
  • Classify crypto applications w.r.t. randomness

**Details!**
Let the fun begin!

**Deterministic Extraction**
• n-bit source S = family of distributions {K} on {0,1}^n
• ℓ-bit extractor Ext for S: Ext: {0,1}^n → {0,1}^ℓ
• Ext is ε-fair if for all K ∈ S we have SD(Ext(K), U_ℓ) ≤ ε
• S is (ℓ, ε)-extractable if there is an ε-fair extractor Ext for S

**Private-Key Encryption**
• Alice & Bob share an n-bit key k ← K, for K ∈ S
• b-bit encryption scheme (Enc, Dec) for S:
  • Enc: {0,1}^b × {0,1}^n → C, Dec: C × {0,1}^n → {0,1}^b
  • For all m ∈ {0,1}^b, k ∈ {0,1}^n: Dec(Enc(m, k), k) = m
• (Enc, Dec) is δ-secure if for all K ∈ S and m ∈ {0,1}^b, SD(Enc(m, K), Enc(U_b, K)) ≤ δ
• S is (b, δ)-encryptable if there is a δ-secure b-bit encryption scheme (Enc, Dec) for S

**Results Restated**
Theorem 1: If n-bit S is (b, δ)-encryptable and b > log n + 2 log(1/ε), then S must be (b − 2 log(1/ε), ε + δ)-extractable.
Theorem 2: For b < log n − log log n − 1, there is an n-bit S which is (b, 0)-encryptable but not (1, ε)-extractable, where ε = 1/2 − B²/S (B = 2^b, and S the ciphertext-space size from the construction in the proof).

**Proof of Theorem 1**
• Let S' = { Enc(U_b, k) | k ∈ {0,1}^n }
• Lemma 1: If S' is (ℓ, ε)-extractable, then S is (ℓ, ε + δ)-extractable. In fact, Ext(k) = Ext'(Enc(0, k)).
  • Proof: take any K ∈ S. Then SD(Ext(K), U_ℓ) = SD(Ext'(Enc(0, K)), U_ℓ) ≤ SD(Enc(0, K), Enc(U_b, K)) + SD(Ext'(Enc(U_b, K)), U_ℓ) ≤ δ + ε, since applying Ext' cannot increase SD, and Enc(U_b, K) is a mixture of members of S' on each of which Ext' is ε-fair.
• Lemma 2: If b > log n + 2 log(1/ε), then S' is (b − 2 log(1/ε), ε)-extractable
• Say X is b-flat if X is uniform on 2^b values
• Note: all X ∈ S' are b-flat (can decrypt!)
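The definitions above, and the Lemma 1 extractor Ext(k) = Ext'(Enc(0, k)), worked through at toy scale as an added example (this is not code from the talk or the paper). It computes statistical distance exactly, measures δ-security of a small encryption scheme for a hand-picked source S, checks that every Enc(U_b, k) is b-flat, builds Ext' as a seeded random function f in the spirit of Lemma 3, and verifies the bound SD(Ext(K), U_ℓ) ≤ ε + δ(K) for every K in S. The parameters (n = 6, b = 4, ℓ = 2), the scheme, the source S and the function f are all assumptions chosen for illustration; they do not satisfy Lemma 3's hypothesis b > log n + 2 log(1/ε), so ε is measured from f rather than guaranteed by the lemma.

```python
"""Toy-scale check of the talk's definitions and of Lemma 1 (added example; not code from
the slides or the paper). Everything here is constructed for illustration and is an
assumption, not a parameter or scheme from the talk: key length n = 6, plaintext length
b = 4, extractor output length l = 2, the toy encryption scheme, the hand-picked source S
and the seeded random function f."""
import random
from fractions import Fraction

N_BITS = 6                               # key length n
B_BITS = 4                               # plaintext length b
L_BITS = 2                               # extractor output length l
MASK_B = (1 << B_BITS) - 1
KEYS = range(1 << N_BITS)                # {0,1}^n
CIPHERTEXTS = range(1 << (B_BITS + 2))   # C: b pad bits followed by a 2-bit tag

def sd(p, q):
    """Statistical distance SD(p, q) = 1/2 * sum_x |p(x) - q(x)| for dict distributions."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def uniform(values):
    """Uniform distribution over the given outcomes, with exact Fraction probabilities."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def push_forward(dist, func):
    """Distribution of func(X) for X drawn from dist."""
    out = {}
    for x, px in dist.items():
        y = func(x)
        out[y] = out.get(y, 0) + px
    return out

U_B = uniform(range(1 << B_BITS))        # U_b
U_L = uniform(range(1 << L_BITS))        # U_l

def enc(m, k):
    """Toy b-bit scheme: XOR the message with the low b key bits, append the top two key bits as a tag."""
    return ((m ^ (k & MASK_B)) << 2) | (k >> (N_BITS - 2))

def dec(c, k):
    """Strip the tag and undo the XOR; Dec(Enc(m, k), k) = m for every m, k."""
    return (c >> 2) ^ (k & MASK_B)

def enc_dist(msg_dist, key_dist):
    """Distribution of Enc(M, K) for independent M ~ msg_dist and K ~ key_dist."""
    out = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = enc(m, k)
            out[c] = out.get(c, 0) + pm * pk
    return out

def is_b_flat(dist, b):
    """b-flat: uniform on exactly 2^b outcomes (every Enc(U_b, k) is, because Dec works)."""
    return len(dist) == 1 << b and all(p == Fraction(1, 1 << b) for p in dist.values())

def delta(key_dist):
    """Security of (enc, dec) under K: max over m of SD(Enc(m, K), Enc(U_b, K))."""
    ref = enc_dist(U_B, key_dist)
    return max(sd(enc_dist({m: Fraction(1)}, key_dist), ref) for m in range(1 << B_BITS))

def random_f(seed):
    """A random function f: C -> {0,1}^l, the object Lemma 3 argues about (seeded for repeatability)."""
    rng = random.Random(seed)
    table = {c: rng.randrange(1 << L_BITS) for c in CIPHERTEXTS}
    return lambda c: table[c]

def flat_fairness(f):
    """Smallest eps for which f is eps-fair on S' = {Enc(U_b, k) : k}: max SD over its b-flat members."""
    return max(sd(push_forward(enc_dist(U_B, {k: Fraction(1)}), f), U_L) for k in KEYS)

def extractor_from(f):
    """Lemma 1's extractor for the key source: Ext(k) = Ext'(Enc(0, k)) with Ext' = f."""
    return lambda k: f(enc(0, k))

# Constructed source S: four key distributions of very different quality.
SOURCE = {
    "uniform": uniform(KEYS),
    "top_two_bits_fixed": uniform(k for k in KEYS if k >> (N_BITS - 2) == 0b11),
    "low_bit_zero": uniform(k for k in KEYS if k & 1 == 0),
    "single_key": {0b101101: Fraction(1)},
}

def check_theorem1(seed=7):
    """For each K in S compute delta(K) and SD(Ext(K), U_l), and check Lemma 1's bound
    SD(Ext(K), U_l) <= eps + delta(K), where eps is the fairness of f on S'."""
    f = random_f(seed)
    ext = extractor_from(f)
    eps = flat_fairness(f)
    per_k = {}
    for name, key_dist in SOURCE.items():
        d = delta(key_dist)
        e = sd(push_forward(key_dist, ext), U_L)
        per_k[name] = {"delta": d, "ext_sd": e, "bound_ok": e <= eps + d}
    return {"eps": eps, "per_k": per_k, "holds": all(r["bound_ok"] for r in per_k.values())}

if __name__ == "__main__":
    result = check_theorem1()
    print(f"eps (fairness of f on the b-flat family S'): {result['eps']}")
    for name, r in result["per_k"].items():
        print(f"{name:20s} delta={r['delta']}  SD(Ext(K),U_l)={r['ext_sd']}  bound holds: {r['bound_ok']}")
    print("Lemma 1 bound holds for every K in S:", result["holds"])
```

The source deliberately mixes a perfect key (δ = 0), a 4-bit-entropy key that is still perfect for this scheme (δ = 0), a key that leaks the pad's low bit (δ = 1/2) and a fixed key (δ = 15/16): the bound is what Lemma 1 promises, so it holds for every K and every f, while the useful conclusion (a nearly fair Ext) only materialises for the K with small δ.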
**Proof of Theorem 1 (cont.)**
• Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
• Implies Lemma 2 and Theorem 1

**Proof of Lemma 3**
• Proof: Let ℓ = b − 2 log(1/ε), B = 2^b, L = 2^ℓ = ε²B
• Pick a random f: C → {0,1}^ℓ
• For a fixed b-flat X ∈ S': Chernoff + a union bound over the L output values show that f is ε-fair on X except with probability exponentially small in ε²B
• Another union bound over all 2^n distributions X ∈ S' (this is where b > log n + 2 log(1/ε) is used)

**Observations**
• [TV00]: enough to pick an n-wise independent f
  • Lemma 3': If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is efficiently (b − 2 log(1/ε) − log n, ε)-extractable
  • Corollary: if Enc is efficient, so is Ext
• Extends to the computational setting
  • Extract pseudorandom bits
  • Perfect binding is enough
  • Covers public-key encryption and perfectly-binding commitment

**Proof of Theorem 2**
Theorem 2: For b < log n − log log n − 1, there is an n-bit S which is (b, 0)-encryptable but not (1, ε)-extractable, where ε = 1/2 − B²/S.
Theorem 2': For b < log n − log log n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1, ε)-extractable, where Good(E) = {K | E is Shannon-secure under K}.

**Proof of Theorem 2'**
• Let N = 2^n, B = 2^b, and S s.t. N ≤ S(S−1)…(S−B+1)
  • Note: N < S^B, so S > N^{1/B} (> B for our parameters)
• M = [B], C = [S], K = {all B-tuples of distinct ciphertexts} = { k = (c_1, …, c_B) | c_i ≠ c_j for i ≠ j }
• Enc(m, (c_1, …, c_B)) = c_m; Dec(c, (c_1, …, c_B)) = the m such that c_m = c
• Take any Ext: [N] → {0,1}
• Case 1: there is a 0-monochromatic perfect K (Shannon-secure, with Ext ≡ 0 on its support): fix Ext to 0 with K, done
• Case 2: no such 0-monochromatic perfect K
  • [Main Lemma] there is a perfect K' s.t. Pr[Ext(K') = 0] < B²/S, hence SD(Ext(K'), U_1) > 1/2 − B²/S

**Proof of Main Lemma**
• Main Lemma: if Ext cannot be fixed to 0 by a perfect K, then there is a perfect K s.t. Pr[Ext(K) = 0] < B²/S
• Not to prove Theorem 2'
• Not to prove Main Lemma

**Thank You!**
But don't go, we need to prove the main lemma!!!
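The Theorem 2' scheme at toy scale, as an added example (not code from the talk or the paper): keys are injective B-tuples of ciphertexts, Enc(m, k) = c_m, and Dec recovers m as the index of c in the tuple. The code checks Shannon security under a key distribution (all Enc(m, K) identically distributed, i.e. K ∈ Good(E)) and illustrates Case 1 of the proof for B = 2 only: reading a key (c_1, c_2) as a directed edge c_1 → c_2, any directed cycle among the keys on which Ext outputs 0, weighted uniformly, is a perfect 0-monochromatic K. That cycle construction and the parameters S = 5, B = 2 are assumptions of this example; the talk's Main Lemma (Case 2) is not implemented here.

```python
"""Theorem 2' construction at toy scale (added example; not code from the talk or the paper).
Assumptions of this example: B = 2 messages, S = 5 ciphertexts, keys = all injective
B-tuples (the talk's K), and, for B = 2 only, a 0-monochromatic perfect K built from a
directed cycle of 0-keys, which is a sufficient construction chosen here, not the Main Lemma."""
from fractions import Fraction
from itertools import permutations

def keys(S, B):
    """Key space K: all B-tuples of distinct ciphertexts from [S]."""
    return list(permutations(range(S), B))

def enc(m, k):
    """Enc(m, (c_1 ... c_B)) = c_m (messages are 0-based here)."""
    return k[m]

def dec(c, k):
    """Dec(c, (c_1 ... c_B)) = the m with c_m = c."""
    return k.index(c)

def sd(p, q):
    """Statistical distance between two dict distributions."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def uniform(values):
    """Uniform distribution over the given outcomes with exact probabilities."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def marginal(key_dist, m):
    """Distribution of Enc(m, K) for K ~ key_dist."""
    out = {}
    for k, pk in key_dist.items():
        c = enc(m, k)
        out[c] = out.get(c, 0) + pk
    return out

def is_perfect(key_dist, B):
    """Shannon security under K: every Enc(m, K) has the same distribution, i.e. K is in Good(E)."""
    ref = marginal(key_dist, 0)
    return all(sd(marginal(key_dist, m), ref) == 0 for m in range(1, B))

def directed_cycle(edges):
    """Edges of one directed cycle in the graph given by (u, v) pairs, or None if it is acyclic (DFS)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    WHITE, GREY, BLACK = 0, 1, 2
    color, parent = {}, {}

    def dfs(u):
        color[u] = GREY
        for v in adj.get(u, []):
            if color.get(v, WHITE) == WHITE:
                parent[v] = u
                found = dfs(v)
                if found:
                    return found
            elif color[v] == GREY:          # back edge u -> v: v is on the stack, so walk back up to it
                cycle, x = [(u, v)], u
                while x != v:
                    cycle.append((parent[x], x))
                    x = parent[x]
                return cycle
        color[u] = BLACK
        return None

    for u in list(adj):
        if color.get(u, WHITE) == WHITE:
            found = dfs(u)
            if found:
                return found
    return None

def zero_monochromatic_perfect(ext, S):
    """Case 1 for B = 2: a perfect K supported inside Ext^{-1}(0), or None if the 0-keys are acyclic.
    On a directed cycle every vertex is once a first and once a second coordinate, so the uniform
    distribution on the cycle's edges has equal marginals for m = 0 and m = 1."""
    zero_keys = [k for k in keys(S, 2) if ext(k) == 0]
    cyc = directed_cycle(zero_keys)
    return None if cyc is None else uniform(cyc)

def extractor_bias(key_dist, ext):
    """SD(Ext(K), U_1) for a 1-bit extractor Ext."""
    p0 = sum(pk for k, pk in key_dist.items() if ext(k) == 0)
    return abs(p0 - Fraction(1, 2))

if __name__ == "__main__":
    S = 5
    print("uniform key distribution is perfect:", is_perfect(uniform(keys(S, 2)), 2))
    ext_succ = lambda k: 0 if (k[1] - k[0]) % S == 1 else 1   # constructed extractor: 0 on "successor" pairs
    K0 = zero_monochromatic_perfect(ext_succ, S)
    print("0-monochromatic perfect K:", K0, "perfect:", is_perfect(K0, 2), "bias:", extractor_bias(K0, ext_succ))
    ext_lt = lambda k: 0 if k[0] < k[1] else 1                 # constructed extractor: its 0-keys form a DAG
    print("cycle construction for ext_lt:", zero_monochromatic_perfect(ext_lt, S))
```

For ext_succ the five successor pairs form the cycle 0 → 1 → 2 → 3 → 4 → 0, so the uniform distribution on them is Shannon-secure for the scheme yet Ext is identically 0 on it: a perfect encryption key from which this extractor gets nothing. For ext_lt the 0-keys are acyclic and the cycle construction returns None; that is the situation Case 2 of the proof handles with the Main Lemma, which this example does not reproduce.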
