
Reductions

Reductions. Christina Brzuska, Tel-Aviv University. Limitations of Impossibility Results. Impagliazzo-Rudich: Standard techniques? Certain "types" of reductions. Goal of this talk: Define types of reductions. References.


Presentation Transcript


  1. Reductions Christina Brzuska Tel-Aviv University

  2. Limitations of Impossibility Results • Impagliazzo-Rudich: • Standard techniques? • Certain "types" of reductions • Goal of this talk: Define types of reductions ?

  3. References • Notions of Reducibility between Cryptographic Primitives. Omer Reingold, Luca Trevisan, Salil Vadhan • Notions of Black-Box Reductions, Revisited. Paul Baecher, CB, Marc Fischlin

  4. Reductions in Cryptography • Goal: signature scheme from some assumption • Reduction: if A breaks scheme S, then R^A wins game C • [Diagram labels: public key; signature requests; Adversary A; scheme S; Game C; forgery; Reduction R]

  5. One-Time-Signatures from OWFs (Lamport) • OWFs ⇒ One-Time Signatures: Construction + Reduction • [Diagram labels: Construction based on f; just one signature request; OWF Game; public key; Adversary A; scheme S; f; y=f(x); x*; forgery; Reduction R]

  6. Construction KeyGen^f, Sign^f, Verify^f • Assume f is one-way. Prove security of this scheme. • KeyGen^f: sk = a1,…,an, b1,…,bn; pk = f(a1),…,f(an), f(b1),…,f(bn) • Sign^f(sk,m): m = m1,…,mn = 0010…0 • Verify^f(pk,m,σ): Check whether pre-images match pk • [Table: rows a1 a2 a3 a4 … an and b1 b2 b3 b4 … bn; message row m = 0 0 1 0 … 0; labels sk, pk, σ]

  7. Security Reduction R^{A,f} • A: adversary against signature scheme • R^{A,f} gets y=f(x), tries to compute a pre-image of y • [Diagram labels: pk = f(a1) f(a2) f(a3) f(a4) … f(an), f(b1) f(b2) f(b3) f(b4) … f(bn); sk = a1 a2 a3 a4 … an, b1 b2 b3 b4 … bn; y; m = 0 0 1 0 … 0; σ; Hope for query m; Hope for Forgery m*; ???]

  8. Fully Black-Box Reductions • ∃ PPT Construction (KeyGen, Sign, Verify) ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks (KeyGen^f, Sign^f, Verify^f) ⇒ R^{A,f} breaks f • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Primitive f: A^f breaks G^f ⇒ R^{A,f} breaks f

  9. (Im)Possibility Results • [Diagram labels: One-Way Functions; Pseudorandom Generators; Minicrypt; Pseudorandom Functions; Pseudorandom Permutations; Message Authentication Codes; Cryptomania; Symmetric Encryption; Signature Schemes; Key Agreement [IR89]; Signature Schemes [NY90, R91]]

  10. Impagliazzo Rudich • This afternoon • Oracle result • Relative to O: OWFs, but no key agreement O(.)

  11. Which techniques are ruled out? • There exists an oracle O: • One-way functions exist relative to O, • KA does not exist relative to O. • For any oracle O: • If one-way functions exist relative to O, • then KA exists relative to O. • Oracle Separation rules out ? Relativizing Reduction ? • Fully Black-Box Reduction: ∃ PPT Construction KA ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks KA^f ⇒ R^{A,f} breaks f

  12. Fully Black-Box Reduction implies Relativizing Reduction

  13. Relativizing Reductions • For any oracle O: • If one-way functions exist relative to O, • then one-time signatures exist relative to O. • P1 is an efficient algorithm • f = P1^O is one-way. • No PPT A can invert f. • A also gets access to O • [Diagram labels: f, O(.), O(.), A, P1]

  14. Relativizing Reductions • For any oracle O: • If one-way functions exist relative to O, • then one-time signatures exist relative to O. • [Diagram labels: f, Sig, O(.), O(.), O(.), A, P1, P2]

  15. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Take an Oracle O. We have to show that: • If one-way functions exist relative to O, • then one-time signatures exist relative to O. • [Diagram labels: f, Sig, O(.), O(.), O(.), A, P1, P2]

  16. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Assume OWFs exist relative to O. • We show that one-time signatures exist relative to O. • [Diagram labels: Sig, f, O(.), P1; f, Sig, O(.), O(.), O(.), A, P1, P2, G]

  17. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Assume OWFs exist relative to O. • We show that one-time signatures exist relative to O. • [Diagram labels: Sig, O(.), P2, P1; f, Sig, O(.), O(.), O(.), A, P1, P2, G]

  18. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • P2 is efficient. • We can implement G^f eff. rel. to O. • Is Sig = G^f a secure OT-Sig scheme? • [Diagram labels: Sig, O(.), P2, P1; f, Sig, O(.), O(.), O(.), A, P1, P2, G]

  19. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • P2 is efficient. • We can implement G^f eff. rel. to O. • Is Sig = G^f a secure OT-Sig scheme? • [Diagram labels: Sig, f; f, Sig, O(.), O(.), O(.), A, P1, P2, G]

  20. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Assume towards contradiction, there is a PPT A such that A^O breaks G^f. • Then, R^{A,f} breaks f. • R^{A,f} eff. implementable rel. to O? • [Diagram labels: Sig, f, O(.), A, G]

  21. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • R^{A,f} efficiently implementable relative to O: • [Diagram labels: f, f, O(.), O(.), O(.), O(.), efficient, P1, A, A, P1, R, R]

  22. Assumption: ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Fully black-box reduction implies relativizing reduction (in general). • Oracle separation à la Impagliazzo-Rudich rules out relativizing reductions and thus also fully black-box reductions. • I want to try to build a key agreement scheme from a one-way function. What shall I do? How can I get around Impagliazzo-Rudich?

  23. Circumventing Impossibility Results • C: Construction may work for all f (black-box) or for all f, there is a construction (non-black-box) • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f ⇒ R^{A,f} breaks f

  24. Example: weak OWF ⇒ OWF • Weakly OWF: Inverting probability is smaller than 1-(1/poly). • For every weakly OWF f, there is some poly n: G^f: (x1,…,xn) ↦ (f(x1),…,f(xn)) is one way. • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f ⇒ R^{A,f} breaks f

  25. Circumventing Impossibility Results • A: The reduction R may work for all A (black-box) or for all A, there is an R (non-black-box) • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f ⇒ R^{A,f} breaks f

  26. Example: Goldreich-Levin • OWF f: (x,r) ↦ f'(x),r • Then, h(x,r) := <x,r> is a hardcore bit for f: Given f(x,r), it is hard to predict h(x,r) • Reduction from predicting b=h(x,r) to inverting f. • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f ⇒ R^{A,f} breaks f

  27. Example: Goldreich-Levin • Predicting to inverting (decision to search) • Uses amplification techniques • The reduction R depends on the success probability of A • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f ⇒ R^{A,f} breaks f

  28. Circumventing Impossibility Results • P: The reduction R may work for all primitives f (black-box) or for all f, there is an R (non-black-box) • ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Function f: A^f breaks G^f ⇒ R^{A,f} breaks f

  29. CAP Notation • BBB (fully black-box): ∃ PPT Construction G ∃ PPT Reduction R ∀ Adversary A ∀ Primitive f: A^f breaks G^f ⇒ R^{A,f} breaks f • Construction ∈ {B,N}, Adversary ∈ {B,N}, Primitive ∈ {B,N} • [Quantifier orders shown: ∃ PPT Construction G ∀ Primitive f / ∀ Primitive f ∃ PPT Construction G; ∃ PPT Reduction R ∀ Adversary A / ∀ Adversary A ∃ PPT Reduction R; ∃ PPT Reduction R ∀ Primitive f / ∀ Primitive f ∃ PPT Reduction R]

  30. Three Questions • Is the construction black-box with respect to the primitive? • Is the reduction black-box with respect to the adversary? • Is the reduction black-box with respect to the primitive? • Construction ∈ {B,N} (G: f), Adversary ∈ {B,N} (R: A), Primitive ∈ {B,N} (R: f)

  31. As a Picture • Circumvent Impagliazzo-Rudich with an NNN-reduction! • [Diagram labels: x; BBB, BNB, BBN, NBB, NNB, BNN, NBN, NNN; Relativizing Reductions]

  32. Assumption: ∀ function f ∃ PPT Construction G ∀ Adversary A ∃ PPT Reduction R: A^f breaks G^f ⇒ R^{A,f} breaks f • Take an Oracle O. We have to show that: • If one-way functions exist relative to O, • then key agreement exists relative to O. • Analogous Proof • What now? • [Diagram labels: f, KA, O(.), O(.), O(.), A, P1, P2]

  33. Circumventing Impagliazzo-Rudich • Also Impossible! • Exploit efficiency! Let's try to find an NNNa reduction! (efficient A) • ∀ Primitive f ∃ PPT Construction ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f ⇒ R^{A,f} breaks f

  34. Proof is not straightforward • ∀ Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f ⇒ R^{A,f} breaks f • Not PPT, if f is inefficient. • Can we embed O into f? • [Diagram labels: Not PPT, f, O(.), A, R]

  35. Impagliazzo Rudich Oracles • Add PSPACE oracle • Add a random function f. • Prove, f is one-way. • Prove, KA is easy to break. • Relative to oracle O=(PSPACE,f): • OWFs exist. • KA does not exist. • [Diagram labels: PSPACE, NP, Minicrypt, Key Agreement, Easy/P/BPP]

  36. Embed PSPACE oracle into f • Add PSPACE oracle • Add a random function f. • Prove, f is one-way. • Prove, KA is easy to break. • Relative to oracle O=(PSPACE,f): • OWFs exist. • KA does not exist. • f': (x,x',test) ↦ 0||f(x), if test is not 0…0; 1||PSPACE(x'), if test is 0…0 • Still a one-way function, because the probability that test=0…0 for a random (x,x',test) is tiny.

  37. Access to f' and (f,PSPACE) is the same • f': (x,x',test) ↦ 0||f(x), if test is not 0…0; 1||PSPACE(x'), if test is 0…0 • ∀ Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f ⇒ R^{A,f} breaks f • Not PPT, if f is inefficient. • Can we embed O into f? • [Diagram labels: Not PPT, f, O(.), A, R]

  38. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Assume OWFs exist relative to O. • If f is a OWF relative to O, then so is f' • Use f' in proof • f': (x,x',test) ↦ 0||f(x), if test is not 0…0; 1||O(x'), if test is 0…0 • [Diagram labels: f', Sig, O(.), O(.), O(.), A, P1, P2]

  39. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • f' is an OWF relative to O. • We show that one-time signatures exist relative to O. • [Diagram labels: Sig, f', O(.), P1; f', Sig, O(.), O(.), O(.), A, P1, P2, G]

  40. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • f' is an OWF relative to O. • We show that one-time signatures exist relative to O. • [Diagram labels: Sig, O(.), P2, P1; f', Sig, O(.), O(.), O(.), A, P1, P2, G]

  41. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • P2 is efficient. • We can implement G^{f'} eff. rel. to O. • Is Sig = G^{f'} a secure OT-Sig scheme? • [Diagram labels: Sig, O(.), P2, P1; f', Sig, O(.), O(.), O(.), A, P1, P2, G]

  42. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • P2 is efficient. • We can implement G^{f'} eff. rel. to O. • Is Sig = G^{f'} a secure OT-Sig scheme? • [Diagram labels: Sig, f'; f', Sig, O(.), O(.), O(.), A, P1, P2, G]

  43. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • Assume towards contradiction, there is a PPT A such that A^O breaks G^{f'}. • Then, there is a PPT A' such that A'^{f'} breaks G^{f'} and R^{A',f'} breaks f'. • f': (x,x',test) ↦ 0||f(x), if test is not 0…0; 1||O(x'), if test is 0…0 • [Diagram labels: Sig, f', O(.), A, G]

  44. Assumption: ∀ Function f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f (OT-Sig) ⇒ R^{A,f} breaks f (OW) • R^{A',f'} efficiently implementable relative to O: • [Diagram labels: f', f', O(.), O(.), O(.), O(.), efficient, P1, A, A, P1, R, R]

  45. Theorem: If there is an NNNa-reduction from key agreement to one-way functions, then there is a relativizing reduction from key agreement to one-way functions. • Corollary: There is no NNNa-reduction from key agreement to one-way functions.

  46. Circumventing Impagliazzo-Rudich • Also impossible? • Exploit efficiency (of A and f)! Let's try to find an NNNap reduction! (efficient A, f) • ∀ PPT Primitive f ∃ PPT Construction G ∀ PPT Adversary A ∃ PPT Reduction R: A^f breaks G^f ⇒ R^{A,f} breaks f

  47. A Trivial Reduction • Showing impossibility result for NNNap-reduction ⇒ showing impossibility of key agreement altogether • Assume secure key agreement exists. • ∀ PPT Primitive f ∃ PPT Construction G (ignores f) ∀ PPT Adversary A ∃ PPT Reduction R (ignores everything): A^f breaks G^f (never happens) ⇒ R^{A,f} breaks f

  48. A Non-Trivial Reduction • Assume secure key agreement exists. • ∃ PPT Construction G (ignores f) ∃ PPT Reduction R (ignores everything) ∀ Adversary A ∀ PPT Primitive f: A^f breaks G^f (never happens) ⇒ R^{A,f} breaks f • Not PPT, if A is not PPT

  49. A Non-Trivial Reduction • Assume secure key agreement exists. • ∃ PPT Construction G (ignores f) ∃ PPT Reduction R (ignores everything) ∀ PPT Adversary A ∀ Primitive f: A^f breaks G^f ⇒ R^{A,f} breaks f • Not PPT, if f is not PPT

  50. To Circumvent Impagliazzo Rudich • Try NNNp or NNNap • Exploit the efficiency of the primitive f • Else, impossible… • …if you have an idea, first check whether it falls into the impossibility result.
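
The Lamport construction of slides 5 to 7 together with the fully black-box reduction R^{A,f} of slide 8, as an added Python example that is not part of the original talk. The SHA-256 stand-in for f, the 2-byte preimage domain, the 8-bit message length and the brute-force `toy_adversary` are assumptions chosen so that a forging adversary can exist at all in a demo; R uses A and f only through calls, which is the black-box property.

```python
import hashlib, itertools, secrets

N, XLEN = 8, 2   # constructed toy sizes: 8-bit messages, 2-byte preimages

def f(x):        # stand-in for the OWF; tiny domain so the toy adversary can exist
    return hashlib.sha256(x).digest()

def keygen(f):   # sk = (a_1..a_n, b_1..b_n), pk = their images under f
    sk = [[secrets.token_bytes(XLEN) for _ in range(N)] for _ in range(2)]
    return sk, [[f(x) for x in row] for row in sk]

def sign(sk, m):                      # reveal a_i if m_i = 0, b_i if m_i = 1
    return [sk[bit][i] for i, bit in enumerate(m)]

def verify(f, pk, m, sig):            # revealed pre-images must match pk
    return all(f(s) == pk[bit][i] for i, (bit, s) in enumerate(zip(m, sig)))

def reduction(A, f, y, i_star=None, b_star=None):
    """R^{A,f}: given y = f(x), use A and f only as oracles to find a pre-image."""
    i_star = secrets.randbelow(N) if i_star is None else i_star
    b_star = secrets.randbelow(2) if b_star is None else b_star
    sk, pk = keygen(f)
    pk[b_star][i_star] = y            # embed the challenge; R knows no pre-image here
    sk[b_star][i_star] = None
    queries = []
    def sign_oracle(m):
        if queries or m[i_star] == b_star:
            raise RuntimeError("abort")   # second query, or it needs the unknown slot
        queries.append(list(m))
        return sign(sk, m)
    try:
        m_star, sig = A(pk, sign_oracle, f)
    except RuntimeError:
        return None
    ok = verify(f, pk, m_star, sig) and list(m_star) not in queries
    return sig[i_star] if ok and m_star[i_star] == b_star else None

def toy_adversary(pk, sign_oracle, f):
    """Constructed A: one query on 0...0, then brute-forces slot b_1 (2^16 tries)."""
    m = [0] * N
    sig = sign_oracle(m)
    target = pk[1][0]
    for c in itertools.product(range(256), repeat=XLEN):
        if f(bytes(c)) == target:
            return [1] + m[1:], [bytes(c)] + sig[1:]
    raise RuntimeError("abort")

def demo():      # the forgery lands on the embedded slot, so R outputs a pre-image of y
    x = secrets.token_bytes(XLEN)
    return x, reduction(toy_adversary, f, f(x), i_star=0, b_star=1)
```

With `i_star` and `b_star` left random, R succeeds only when its guess matches the slot the forgery opens and the signing query avoids it, which is the "hope for query m / hope for forgery m*" loss on slide 7.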
