On Assumptions and the Limits of Cryptography



  1. On Assumptions and the Limits of Cryptography. Nils Fleischhacker, Bochum, January 24, 2018

  6. So, how do we know all of this is secure? The sad truth is: We don’t! Not really.

  14. The Cryptographic Landscape [diagram; node labels: iO, FHE, 2PC, PKE, DS, Multi-Linear Maps, LWE, Oblivious Transfer, Trapdoor Permutations, One-way Functions]

  16. The Cryptographic Landscape [same diagram without the Multi-Linear Maps node; annotation: "Well this seems like a terrible idea!"]

  20. One-Way Functions [diagram with labels x, f, y and "???"]

  28. Why We Need to Make Assumptions [diagram; labels: ENC, MAC, PKE, OWF, 2PC, FHE, P ≠ NP]

  33. Idea Behind Provable Security [diagram; labels: ENC, 2PC, MAC, Assumption, Abstract B P]

  43. Determining Minimal Assumptions [hierarchy diagram, listed top to bottom: …, Fully Homomorphic Encryption, …, Oblivious Transfer, Trapdoor Permutations, One-Way Functions, Statistical Security]

  45. Schnorr Signatures | 2-Party Computation | Obfuscation
      Under Schnorr Signatures: Most Natural Assumptions (tightly); Discrete Logarithm Assumption [FF13, FJS14]

  49. Schnorr Signatures
      ◮ Very simple, very efficient!
      ◮ Proven secure under the discrete log assumption. [PS96]
      But
      ◮ Proof in the Random Oracle Model
      ◮ Proof is extremely loose.

  50. Schnorr Signatures
      The security of Schnorr signatures cannot be reduced to the discrete logarithm assumption using a naturally restricted reduction in a less idealized model (NPROM). The result holds under the slightly stronger one-more discrete logarithm assumption.

  51. Schnorr Signatures
      The security of Schnorr signatures cannot be tightly reduced to any natural non-interactive assumption using a generic reduction. The result holds unconditionally.

  52. Schnorr Signatures | 2-Party Computation | Obfuscation
      Under Schnorr Signatures: Most Natural Assumptions (tightly); Discrete Logarithm Assumption [FF13, FJS14]
      Under 2-Party Computation: Malicious PUFs [DFKLS14]

  56. Secure Two-Party Computation from PUFs
      ◮ The idea: Use secure hardware to overcome the impossibility of information-theoretically secure 2-PC.
      ◮ Use Physically Uncloneable Functions
      ◮ Behave like random functions.
      ◮ Cannot be copied.

  58. Secure Computation from PUFs [table; column headers: Honest, Malicious Stateless, Malicious Stateful; row label: Unconditional; entries: [BFSK11], Our Paper, Our Paper, [OSVW13]; on the preceding build the two "Our Paper" entries read "?"]

  59. Schnorr Signatures | 2-Party Computation | Obfuscation
      Under Schnorr Signatures: Most Natural Assumptions (tightly); Discrete Logarithm Assumption [FF13, FJS14]
      Under 2-Party Computation: Stateless Malicious PUFs; Malicious PUFs [DFKLS14]
      Under Obfuscation: Statistical Security [BBF16]

  62. Statistically Secure Obfuscation [diagram with labels $r$, $O$, $C'$, $C$]
      ◮ Perfect Correctness: For any circuit $C$, $\forall x : C'(x) = C(x)$
      ◮ $(1-\epsilon)$-Approximate Correctness: For any circuit $C$, $\Pr_{r,x}\left[ C'(x) = C(x) \right] \ge 1 - \epsilon(n)$

  64. Statistically Secure Obfuscation [same diagram]
      ◮ Indistinguishability Obfuscator: For any pair of circuits such that $C_1 \equiv C_2$ and $|C_1| = |C_2|$, $\mathrm{SD}(O(C_1), O(C_2)) \le \mathrm{negl}(n)$
      ◮ $(1-\delta)$-Correlation Obfuscator: For any pair of circuits such that $C_1 \equiv C_2$ and $|C_1| = |C_2|$, $\mathrm{SD}(O(C_1), O(C_2)) \le \delta(n)$

  65. Why Do We Even Care About Approximate Correctness? Because approximate obfuscation is useful! [MMNPs16, SW14, Hol06] [plot of Statistical Distance δ against Correctness Error ε; label: "Allows PKE from OWF"]

  66. Main Result
      ◮ If statistically secure, approximately correct iO (saiO) exists, then either one-way functions do not exist, or $\mathrm{NP} \subseteq \mathrm{AM} \cap \mathrm{coAM}$.
      ◮ More generally: If $(1-\delta)$-statistically secure, $(1-\epsilon)$-approximately correct correlation obfuscation (sacO) exists with $\delta(n) \le \frac{1}{3} - \frac{2}{3}\epsilon(n) - \frac{1}{\mathrm{poly}(n)}$, then either one-way functions do not exist, or $\mathrm{NP} \subseteq \mathrm{AM} \cap \mathrm{coAM}$.
      ◮ For very weak parameters, a trivial construction of sacO exists with $\delta(n) = 2\epsilon(n)$.

  68. The Landscape of Correlation Obfuscation [plot of Statistical Distance δ against Correctness Error ε; legend: Achievable with Trivial Construction, Ruled out by Negative Result, Allows PKE from OWF]
