On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018
2
2
2
So, how do we know all of this is secure? 2
The sad truth is: We don’t! Not really. So, how do we know all of this is secure? 2
The Cryptographic Landscape 3
The Cryptographic Landscape PKE DS 3
The Cryptographic Landscape 2PC PKE DS 3
The Cryptographic Landscape iO FHE 2PC PKE DS 3
The Cryptographic Landscape iO FHE 2PC PKE DS Trapdoor Permutations Trapdoor Permutations One-way Functions 3
The Cryptographic Landscape iO FHE 2PC PKE LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3
The Cryptographic Landscape iO FHE 2PC PKE Multi-Linear LWE DS Maps Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3
The Cryptographic Landscape iO FHE 2PC PKE Multi-Linear LWE DS Maps Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3
The Cryptographic Landscape FHE 2PC PKE iO LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3
The Cryptographic Landscape FHE Well this seems like a terrible idea! 2PC PKE iO LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3
One-Way Functions x f 4
One-Way Functions y x f 4
One-Way Functions y x f 4
One-Way Functions y x f ??? 4
Why We Need to Make Assumptions 5
Why We Need to Make Assumptions ENC OWF 5
Why We Need to Make Assumptions ENC MAC OWF 5
Why We Need to Make Assumptions ENC MAC PKE OWF 5
Why We Need to Make Assumptions ENC MAC PKE OWF 2PC 5
Why We Need to Make Assumptions ENC MAC PKE OWF 2PC FHE 5
Why We Need to Make Assumptions ENC MAC P � = NP PKE OWF 2PC FHE 5
Why We Need to Make Assumptions ENC MAC P � = NP PKE OWF 2PC FHE 5
Idea Behind Provable Security ENC 2PC MAC 6
Idea Behind Provable Security ENC 2PC MAC 6
Idea Behind Provable Security ENC Assumption 2PC MAC 6
Idea Behind Provable Security ENC Assumption 2PC MAC 6
Idea Behind Provable Security ENC Abstract B P Assumption 2PC MAC 6
Determining Minimal Assumptions Statistical Security 7
Determining Minimal Assumptions One-Way Functions Statistical Security 7
Determining Minimal Assumptions Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7
Schnorr 2-Party Obfuscation Signatures Computation 8
Schnorr 2-Party Obfuscation Signatures Computation Most Natural Assumptions (tightly) Discrete Logarithm Assumption [FF13,FJS14] 8
Schnorr Signatures ◮ Very simple, very efficient! 9
Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But 9
Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But ◮ Proof in the Random Oracle Model 9
Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But ◮ Proof in the Random Oracle Model ◮ Proof is extremely loose. 9
Schnorr Signatures The security of Schnorr signatures cannot be reduced to the discrete logarithm assumption using a naturally restricted reduction in a less idealized model (NPROM). The result holds under the slightly stronger one-more discrete logarithm assumption. 10
Schnorr Signatures The security of Schnorr signatures cannot be tightly reduced to any natural non-interactive assumption using a generic reduction. The result holds unconditionally. 11
Schnorr 2-Party Obfuscation Signatures Computation Most Natural Malicious PUFs Assumptions (tightly) Discrete Logarithm Assumption [FF13,FJS14] [DFKLS14] 12
Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. 13
Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions 13
Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions ◮ Behave like random functions. 13
Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions ◮ Behave like random functions. ◮ Cannot be copied. 13
Secure Computation from PUFs Honest Malicious Malicious Stateless Stateful ? ? [BFSK11] Unconditional [OSVW13] 14
Secure Computation from PUFs Honest Malicious Malicious Stateless Stateful [BFSK11] Our Paper Our Paper Unconditional [OSVW13] 14
Schnorr 2-Party Obfuscation Signatures Computation Stateless Malicious PUFs Most Natural Malicious PUFs Statistical Assumptions Security (tightly) Discrete Logarithm Assumption [FF13,FJS14] [DFKLS14] [BBF16] 15
Statistically Secure Obfuscation r O C ′ C 16
Statistically Secure Obfuscation r O C ′ C ◮ Perfect Correctness: For any circuit C ∀ x : C ′ ( x ) = C ( x ) 16
Statistically Secure Obfuscation r O C ′ C ◮ Perfect Correctness: For any circuit C ∀ x : C ′ ( x ) = C ( x ) ◮ (1 − ǫ ) -Approximate Correctness: For any circuit C , � C ′ ( x ) = C ( x ) � Pr ≥ 1 − ǫ ( n ) r,x 16
Statistically Secure Obfuscation r O C ′ C ◮ Indistinguishability Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ negl ( n ) 17
Statistically Secure Obfuscation r O C ′ C ◮ Indistinguishability Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ negl ( n ) ◮ (1 − δ ) -Correlation Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ δ ( n ) 17
Why Do We Even Care About Approximate Correctness? Because approximate obfuscation is useful! [MMNPs16,SW14,Hol06] 1 Allows PKE from OWF Statistical Distance δ 0 . 75 0 . 5 0 . 25 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 18
Main Result ◮ If statistically secure, approximately correct iO (saiO) exists, then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ◮ More Generally: If (1 − δ ) -statistically secure, (1 − ǫ ) -approximately correct correlation obfuscation (sacO) exists with δ ( n ) ≤ 1 3 − 2 1 3 ǫ ( n ) − poly ( n ) , then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ◮ For very weak parameters, a trivial construction of sacO exists with δ ( n ) = 2 ǫ ( n ) . 19
The Landscape of Correlation Obfuscation 1 Achievable with Trivial Construction 0 . 9 Ruled out by Negative Result 0 . 8 Statistical Distance δ 0 . 7 0 . 6 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 20
The Landscape of Correlation Obfuscation 1 Achievable with Trivial Construction 0 . 9 Ruled out by Negative Result Allows PKE from OWF 0 . 8 Statistical Distance δ 0 . 7 0 . 6 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 20
Recommend
More recommend