On Assumptions and the Limits of Cryptography

SLIDE 1

On Assumptions and the Limits of Cryptography

Nils Fleischhacker

Bochum, January 24, 2018

SLIDE 6

So, how do we know all of this is secure? The sad truth is: We don’t! Not really.

SLIDE 13

The Cryptographic Landscape

DS PKE 2PC FHE iO

One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps

SLIDE 16

The Cryptographic Landscape

DS PKE 2PC FHE iO

One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE

Well this seems like a terrible idea!

SLIDE 20

One-Way Functions

[Figure: x → f → y; recovering x from y: ???]

SLIDE 28

Why We Need to Make Assumptions

OWF ENC MAC PKE 2PC FHE

P = NP

SLIDE 33

Idea Behind Provable Security

Abstract Assumption ENC MAC 2PC

B P

SLIDE 43

Determining Minimal Assumptions

Statistical Security
One-Way Functions
Trapdoor Permutations
Oblivious Transfer
...
Fully Homomorphic Encryption
...

SLIDE 45

Schnorr Signatures [FF13,FJS14]: Most Natural Assumptions (tightly), Discrete Logarithm Assumption
2-Party Computation
Obfuscation

SLIDE 49

Schnorr Signatures

◮ Very simple, very efficient!
◮ Proven secure under the discrete log assumption. [PS96]

But

◮ Proof in the Random Oracle Model
◮ Proof is extremely loose.

SLIDE 50

Schnorr Signatures

The security of Schnorr signatures cannot be reduced to the discrete logarithm assumption using a naturally restricted reduction in a less idealized model (NPROM). The result holds under the slightly stronger one-more discrete logarithm assumption.

SLIDE 51

Schnorr Signatures

The security of Schnorr signatures cannot be tightly reduced to any natural non-interactive assumption using a generic reduction. The result holds unconditionally.

SLIDE 52

Schnorr Signatures [FF13,FJS14]: Most Natural Assumptions (tightly), Discrete Logarithm Assumption
2-Party Computation [DFKLS14]: Malicious PUFs
Obfuscation

SLIDE 56

Secure Two-Party Computation from PUFs

◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC.
◮ Use Physically Uncloneable Functions
◮ Behave like random functions.
◮ Cannot be copied.

SLIDE 58

Secure Computation from PUFs

[BFSK11] [OSVW13] Our Paper Our Paper Honest Malicious Stateless Malicious Stateful Unconditional

SLIDE 59

Schnorr Signatures [FF13,FJS14]: Most Natural Assumptions (tightly), Discrete Logarithm Assumption
2-Party Computation [DFKLS14]: Malicious PUFs, Stateless Malicious PUFs
Obfuscation [BBF16]: Statistical Security

SLIDE 62

Statistically Secure Obfuscation

[Figure: the obfuscator O takes a circuit C and randomness r and outputs C′]

◮ Perfect Correctness: For any circuit C,

∀x : C′(x) = C(x)

◮ (1 − ε)-Approximate Correctness: For any circuit C,

Pr_{r,x}[C′(x) = C(x)] ≥ 1 − ε(n)


SLIDE 64

Statistically Secure Obfuscation

◮ Indistinguishability Obfuscator: For any pair of circuits such that C1 ≡ C2 and |C1| = |C2|,

SD(O(C1), O(C2)) ≤ negl(n)

◮ (1 − δ)-Correlation Obfuscator: For any pair of circuits such that C1 ≡ C2 and |C1| = |C2|,

SD(O(C1), O(C2)) ≤ δ(n)
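
The two quantities defined on the obfuscation slides, the correctness error ε and the statistical distance δ, can be computed exactly on a small case. The following Python code is an added example, not code from the talk or the papers it cites: the toy obfuscator, the three 2-bit circuits and the uniform choice of x are assumptions made for illustration, and circuit sizes are ignored.

```python
from fractions import Fraction
from itertools import product

INPUTS = list(product((0, 1), repeat=2))  # all inputs x of the 2-bit toy circuits

# Constructed toy circuits, keyed by their description. C1 and C2 are two different
# descriptions of AND, so they are equivalent (size padding is ignored here).
CIRCUITS = {
    "C1: x0 & x1": lambda x: x[0] & x[1],
    "C2: 1 - ((1-x0) | (1-x1))": lambda x: 1 - ((1 - x[0]) | (1 - x[1])),
    "ZERO: 0": lambda x: 0,
}
C1, C2, ZERO = CIRCUITS  # the three description strings, in insertion order

def obfuscate(c, p):
    """Output distribution of a hypothetical toy obfuscator O over its randomness r:
    with probability p it outputs ZERO, otherwise it outputs c unchanged."""
    dist = {ZERO: Fraction(p)}
    dist[c] = dist.get(c, 0) + (1 - Fraction(p))
    return {out: q for out, q in dist.items() if q}

def correctness_error(c, p):
    """epsilon = Pr_{r,x}[C'(x) != C(x)] with x uniform, computed exactly."""
    f = CIRCUITS[c]
    total = Fraction(0)
    for out, q in obfuscate(c, p).items():
        wrong = sum(CIRCUITS[out](x) != f(x) for x in INPUTS)
        total += q * Fraction(wrong, len(INPUTS))
    return total

def statistical_distance(d1, d2):
    """SD(D1, D2) = 1/2 * sum over outcomes z of |D1(z) - D2(z)|."""
    return sum(abs(d1.get(z, 0) - d2.get(z, 0)) for z in set(d1) | set(d2)) / 2

def tradeoff(p):
    """(epsilon, delta) the toy obfuscator achieves on the equivalent pair C1, C2."""
    assert all(CIRCUITS[C1](x) == CIRCUITS[C2](x) for x in INPUTS)
    eps = max(correctness_error(C1, p), correctness_error(C2, p))
    delta = statistical_distance(obfuscate(C1, p), obfuscate(C2, p))
    return eps, delta

if __name__ == "__main__":
    for p in (0, Fraction(1, 4), 1):
        print(p, tradeoff(p))
```

With p = 0 the toy obfuscator is perfectly correct but its outputs on C1 and C2 are fully distinguishable (δ = 1); with p = 1 the outputs are identical (δ = 0) at the price of ε = 1/4 on this pair.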

SLIDE 65

Why Do We Even Care About Approximate Correctness?

Because approximate obfuscation is useful! [MMNPs16,SW14,Hol06]

[Plot: Correctness Error ε against Statistical Distance δ; marked region: Allows PKE from OWF]

SLIDE 66

Main Result

◮ If statistically secure, approximately correct iO (saiO) exists, then either one-way functions do not exist, or NP ⊆ AM ∩ coAM.

◮ More Generally: If (1 − δ)-statistically secure, (1 − ε)-approximately correct correlation obfuscation (sacO) exists with δ(n) ≤ 1/3 − (2/3)·ε(n) − 1/poly(n), then either one-way functions do not exist, or NP ⊆ AM ∩ coAM.

◮ For very weak parameters, a trivial construction of sacO exists with δ(n) = 2ε(n).

SLIDE 68

The Landscape of Correlation Obfuscation

[Plot: Correctness Error ε against Statistical Distance δ; marked regions: Achievable with Trivial Construction, Ruled out by Negative Result, Allows PKE from OWF]

SLIDE 69

Publications

On the Existence of Three Round Zero-Knowledge Proofs (EUROCRYPT 2018)
Nils Fleischhacker, Vipul Goyal, Abhishek Jain

Efficient Cryptographic Password Hardening Services From Partially Oblivious Commitments (CCS 2016)
Jonas Schneider, Nils Fleischhacker, Dominique Schröder, Michael Backes

On Statistically Secure Obfuscation with Approximate Correctness (CRYPTO 2016)
Zvika Brakerski, Chris Brzuska, Nils Fleischhacker

Two Message Oblivious Evaluation of Cryptographic Functionalities (CRYPTO 2016)
Nico Doettling, Nils Fleischhacker, Johannes Krupp, Dominique Schröder

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys (PKC 2016)
Nils Fleischhacker, Johannes Krupp, Giulio Malavolta, Jonas Schneider, Dominique Schröder, Mark Simkin

On Tight Security Proofs for Schnorr Signatures (ASIACRYPT 2014)
Nils Fleischhacker, Tibor Jager, Dominique Schröder

Feasibility and Infeasibility of Secure Computation with Malicious PUFs (CRYPTO 2014)
Dana Dachman-Soled, Nils Fleischhacker, Jonathan Katz, Anna Lysyanskaya, Dominique Schröder

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures (EUROCRYPT 2013)
Marc Fischlin, Nils Fleischhacker

SLIDE 70

Thank You!