Notions of Black-Box Reductions, Revisited (ASIACRYPT 2013)

SLIDE 1

Notions of Black-Box Reductions, Revisited

ASIACRYPT 2013

Paul Baecher, Christina Brzuska, Marc Fischlin

Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and Center For Advanced Security Research Darmstadt (CASED)

SLIDE 2

Introduction

SLIDE 3

The Cryptographic Zoo

OWF, PRG, OWP, PRF, PKE, SIG, MAC, COM, CRHF, MPC, ZK, PRP, KA

  • basic issues in cryptography
  • what can be built from what?
  • how (efficient)?

SLIDE 6

A Typical Theorem in Cryptography

Theorem: Let f be a P (e.g., OWP). Then construction G[f] is a Q (e.g., PRG).

[Diagram: f and G[f] (constr.)]

(Corollary: if P exists, then Q exists.)

Question 1: what is G[f]?

  • construction G uses f as an oracle (G^f)
  • construction G uses f in some constricted way
  • construction G uses f's code
  • ???

SLIDE 8

Proving the Theorem

Theorem: Let f be a P. Then construction G[f] is a Q.

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

  • almost always: proof by reduction (show the contrapositive)
  • transform an attack on G into an attack on f
  • if algorithm A breaks G, then algorithm S[A, f] breaks f
  • S[A, f] is the (constructive) reduction
  • Question 2: what is S[A, f]? (how S uses A)
  • Question 3: what is S[A, f]? (how S uses f)

SLIDE 9

Why We Care About these Questions

  • very important for impossibility results / separations
  • i.e., much weaker versions of P exists ⇒ Q exists
  • what exactly is being ruled out?
  • ... and what is left to try?
  • impossibility results are inspiring
  • enforces precise definitions of primitives
  • “we separate xyz from OWFs...”
  • more black box, more efficient, more practical (usually)
  • better understanding of a fundamental technique in our field

SLIDE 12

Notions of Reductions

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

  • Defined by Reingold, Trevisan, and Vadhan (TCC ’04, [RTV04])
  • three* types of reductions:

fully black box. ∃S ∀A: if A breaks G^f, then S^{A,f} breaks f.
semi black box. ∀A ∃S (order switched): if A^f (f oracle) breaks G^f, then S^f (no A oracle) breaks f.

SLIDE 13

Notions of Reductions

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

  • Defined by Reingold, Trevisan, and Vadhan (TCC ’04, [RTV04])
  • three* types of reductions:

fully black box. ∃S ∀A: if A breaks G^f, then S^{A,f} breaks f.
semi black box. ∀A ∃S: if A^f breaks G^f, then S^f breaks f.
weakly black box. ∀A ∃S: if A (no f oracle) breaks G^f, then S^f breaks f.

SLIDE 16

In This Work

  • even more fine-grained notions
  • ... derived in a systematic way
  • consider, for example,
      • reduction makes non-black-box use of primitive, but black-box use of adversary (think meta reductions)
      • efficient primitives and/or adversaries
      • black-box use, but partial information (run time, #queries, ...)
  • [RTV04] too coarse to capture such differences

SLIDE 17

CAP

SLIDE 22

Three Questions: A Short Encoding

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

Q1: what is G[f]? → C
Q2: what is S[A, f]? (how S uses A) → A
Q3: what is S[A, f]? (how S uses f) → P

  • C, A, P ∈ {N, B}
  • N = non black box / B = black box

SLIDE 25

Obtaining Actual Definitions

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

example: BBB

  1. what is G[f]? B: “∃G” ≺ “∀f”
     what is S[A, f]? B: “∃S” ≺ “∀A”
     what is S[A, f]? B: “∃S” ≺ “∀f”
  2. “∃G”, “∃S” ≺ “∀f”, “∀A”
  3. ∃G, S ∀f, A: A^{f,G^f} breaks G^f ⟹ S^{A^f,f} breaks f

SLIDE 26

Obtaining Actual Definitions

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

example: NBB

  1. what is G[f]? N: “∀f” ≺ “∃G”
     what is S[A, f]? B: “∃S” ≺ “∀A”
     what is S[A, f]? B: “∃S” ≺ “∀f”
  2. “∃S” ≺ “∀f” ≺ “∃G” and “∃S” ≺ “∀A”
  3. ∃S ∀f ∃G ∀A: A^{f,G^f} breaks G^f ⟹ S^{A^f,f} breaks f

SLIDE 27

Obtaining Actual Definitions (cont’d)

[Diagram: f and G[f] (constr.); S[A, f] and A (red.)]

Name   Summary of definition
BBB    ∃G ∃S ∀f ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
BNB    ∃G ∀A ∃S ∀f ((G^f, A^f) ⇒ (f, S^{A,f}))
BBN    ∃G ∀f ∃S ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
BNN    ∃G ∀f ∀A ∃S ((G^f, A^f) ⇒ (f, S^{A,f}))
NBB    ∃S ∀f ∃G ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
NBN    ∀f ∃G ∃S ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
NNN    ∀f ∃G ∀A ∃S ((G^f, A^f) ⇒ (f, S^{A,f}))

see page 305 of the proceedings (Part I)
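
The three-step derivation shown for BBB and NBB (one ordering per letter, merged order, quantifier prefix), as an added Python example that is not from the slides or the paper. The function names and the tie-break order PRIORITY are assumptions of this example; the expected rows are the seven in the summary table, which has no NNB row, so nothing is claimed for NNB.

```python
# Added example (not from the slides): derive the quantifier prefix of a CAP
# code with the three steps shown for BBB and NBB.

# Step 1: every letter orders one pair of quantifiers.
#   C = how G uses f, A = how S uses A, P = how S uses f.
#   B (black box): existential first.  N (non black box): universal first.
PAIRS = {"C": ("∃G", "∀f"), "A": ("∃S", "∀A"), "P": ("∃S", "∀f")}

# Assumption of this example: where the partial order leaves a choice, take
# the first allowed quantifier in this priority (chosen to match the table).
PRIORITY = ["∃G", "∃S", "∀f", "∀A"]

# The seven rows of the summary table, copied from the slide.
SLIDE_TABLE = {
    "BBB": "∃G ∃S ∀f ∀A", "BNB": "∃G ∀A ∃S ∀f", "BBN": "∃G ∀f ∃S ∀A",
    "BNN": "∃G ∀f ∀A ∃S", "NBB": "∃S ∀f ∃G ∀A", "NBN": "∀f ∃G ∃S ∀A",
    "NNN": "∀f ∃G ∀A ∃S",
}

def constraints(code):
    """Step 1: the (earlier, later) pairs for a code such as 'NBB'."""
    if len(code) != 3 or set(code) - set("BN"):
        raise ValueError(f"expected three letters from B/N, got {code!r}")
    pairs = set()
    for letter, kind in zip("CAP", code):
        exists, forall = PAIRS[letter]
        pairs.add((exists, forall) if kind == "B" else (forall, exists))
    return pairs

def prefix(code):
    """Steps 2 and 3: merge the pairs and write them out as one prefix.

    The three pairs form a path A - S - f - G, so no orientation is cyclic
    and some quantifier is always ready.
    """
    pairs, placed = constraints(code), []
    while len(placed) < len(PRIORITY):
        ready = [q for q in PRIORITY if q not in placed
                 and all(a in placed for a, b in pairs if b == q)]
        placed.append(ready[0])
    return " ".join(placed)

def mismatches():
    """Codes whose derived prefix differs from the slide's table row."""
    return {c: prefix(c) for c, row in SLIDE_TABLE.items() if prefix(c) != row}

if __name__ == "__main__":
    for code in SLIDE_TABLE:
        print(code, prefix(code))
```

The tie-break is not cosmetic: for NNN, emitting ∀A before ∃G would also satisfy the three pairs but would let the construction G depend on the adversary A.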

SLIDE 30

Basic Relations

[Diagram: the notions BBB, BBN, BNN, NNN, NNB, NBB, BNB, NBN; legend: implication (strict); implication w.r.t. separations]

SLIDE 31

There is More. . .

  • adversaries A can be PPT or inefficient
  • [RTV04]: mixed
  • here: inefficient up to now
  • all previous notions can be considered for efficient adversaries
  • shorthand: CAPa, restricted quantification ∀ PPT A

SLIDE 33

Another Dimension

[Diagram: the notions BBB, BBN, BNN, NNN, NNB, NBB, BNB, NBN and BBBa, BBNa, BNNa, NNNa, NNBa, NBBa, BNBa, NBNa; labels: relativizing (e.g., [IR89]); fully, relativizing, semi, ∀∃-semi, weakly, ∀∃-weakly, free]

SLIDE 34

Another Dimension

[Diagram: the notions BBB, BBN, BNN, NNN, NNB, NBB, BNB, NBN and BBBa, BBNa, BNNa, NNNa, NNBa, NBBa, BNBa, NBNa; label: relativizing (e.g., [IR89])]

note: not all CAPa implications are strict

SLIDE 35

Neither B nor N

SLIDE 37

Parameterized Reductions

  • consider the Goldreich–Levin hardcore bit [GL89]
  • reduction requires success probability of adversary (but nothing else)
  • black box? non black box?

[Diagram: the notions BBB, BBN, BNN, NNN, NNB, NBB, BNB, NBN; annotation: somewhere here?]

  • parameterized reduction
  • here: par(A) := success probability
  • BBB w/ param: A^{f,G^f} breaks G^f ⟹ S^{A^f,f}(par(A)) breaks f
    → parameters made explicit

SLIDE 39

Summary

  • things I forgot to tell you
      • CAPp: efficient primitives
      • CAPap: efficient adversaries and efficient primitives
      • careful when defining primitives
  • things to remember
      • given any reduction/separation, ask three (five) questions
      • “impossibility” rarely means impossible
      • look for hidden parameters

SLIDE 40

The End

Thank you!

?

SLIDE 41

References

[GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In STOC 1989 [STO89], pages 25–32.

[IR89] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In STOC 1989 [STO89], pages 44–61.

[RTV04] Omer Reingold, Luca Trevisan, and Salil P. Vadhan. Notions of reducibility between cryptographic primitives. In Moni Naor, editor, TCC 2004: 1st Theory of Cryptography Conference, volume 2951 of Lecture Notes in Computer Science, pages 1–20, Cambridge, MA, USA, February 19–21, 2004. Springer, Berlin, Germany.

[STO89] 21st Annual ACM Symposium on Theory of Computing, Seattle, Washington, USA, May 15–17, 1989. ACM Press.
