SLIDE 1
On Assumptions and the Limits of Cryptography
Nils Fleischhacker Bochum, January 23, 2019On Assumptions and the Limits of Cryptography Nils Fleischhacker - - PowerPoint PPT Presentation
On Assumptions and the Limits of Cryptography Nils Fleischhacker - - PowerPoint PPT Presentation
On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 23, 2019 The sad truth is: At the moment we cant! Not really. Can we know whether all of this is secure? So, how do we know all of this is secure? 2 The sad
SLIDE 2 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 3 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 4 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 5 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 6 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 7 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 8 2
So, how do we know all of this is secure? Can we know whether all of this is secure? The sad truth is: At the moment we can’t! Not really.
SLIDE 9 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 10 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 11 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 12 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 13 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 14 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 15 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 16 3
The Cryptographic Landscape
DS PKE 2PC FHE iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 17 3
The Cryptographic Landscape
DS PKE 2PC FHE iO iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 18 3
The Cryptographic Landscape
DS PKE 2PC FHE iO iO
One-way Functions Trapdoor Permutations Trapdoor Permutations Oblivious Transfer LWE Multi-Linear Maps Multi-Linear Maps
Well this seems like a terrible idea!
SLIDE 19 4
One-Way Functions
f x ???
SLIDE 20 4
One-Way Functions
f x y ???
SLIDE 21 4
One-Way Functions
f x y ???
SLIDE 22 4
One-Way Functions
f x y ???
SLIDE 23 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P NP
SLIDE 24 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P NP
SLIDE 25 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P NP
SLIDE 26 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P NP
SLIDE 27 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P NP
SLIDE 28 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P NP
SLIDE 29 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P ̸= NP
SLIDE 30 5
Why We Need to Make Assumptions
OWF ENC MAC PKE 2PC FHE
P ̸= NP
SLIDE 31 6
Idea Behind Provable Security
Assumption ENC MAC 2PC
SLIDE 32 6
Idea Behind Provable Security
Assumption ENC MAC 2PC
SLIDE 33 6
Idea Behind Provable Security
Assumption ENC MAC 2PC
SLIDE 34 6
Idea Behind Provable Security
Assumption ENC MAC 2PC
SLIDE 35 6
Idea Behind Provable Security
Abstract Assumption ENC MAC 2PC
B P
SLIDE 36 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 37 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 38 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 39 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 40 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 41 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 42 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 43 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 44 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 45 7
Determining Minimal Assumptions
Statistical Security One-Way Functions Trapdoor Permutations Oblivious Transfer . . . Fully Homomorphic Encryption . . .
SLIDE 46 8
3-Round ZK-Proofs [FGJ18] 2-Party Computation Obfuscation Any Assumption
SLIDE 47 8
3-Round ZK-Proofs [FGJ18] 2-Party Computation Obfuscation Any Assumption
SLIDE 48 9
Zero-Knowledge Proof Protocols
▶ A Zero-Knowledge Proof allows me to to prove that a statement is true without revealing the reason why. A ZK-Proof must be
Sound Zero-Knowledge
Incredibly useful tools in Cryptography
SLIDE 49 9
Zero-Knowledge Proof Protocols
▶ A Zero-Knowledge Proof allows me to to prove that a statement is true without revealing the reason why. ▶ A ZK-Proof must be
▶ Sound Zero-Knowledge
Incredibly useful tools in Cryptography
SLIDE 50 9
Zero-Knowledge Proof Protocols
▶ A Zero-Knowledge Proof allows me to to prove that a statement is true without revealing the reason why. ▶ A ZK-Proof must be
▶ Sound ▶ Zero-Knowledge
Incredibly useful tools in Cryptography
SLIDE 51 9
Zero-Knowledge Proof Protocols
▶ A Zero-Knowledge Proof allows me to to prove that a statement is true without revealing the reason why. ▶ A ZK-Proof must be
▶ Sound ▶ Zero-Knowledge
▶ Incredibly useful tools in Cryptography
SLIDE 52 10
Round-Complexity of ZK-Proofs for NP
[GO94] [GK96]
SLIDE 53 10
Round-Complexity of ZK-Proofs for NP
[GO94] [GK96]
SLIDE 54 10
Round-Complexity of ZK-Proofs for NP
[GO94]
✓
[GK96] SLIDE 55 10
Round-Complexity of ZK-Proofs for NP
[GO94]
✓
[GK96] SLIDE 56 10
Round-Complexity of ZK-Proofs for NP
[GO94]
✓
[GK96] SLIDE 57 11
Compressing Proofs
SLIDE 58 11
Compressing Proofs
SLIDE 59 11
Compressing Proofs
SLIDE 60 12
3-Round ZK-Proofs [FGJ18] 2-Party Computation [DFKLS14] Obfuscation Any Assumption Malicious PUFs
SLIDE 61 13
Secure Two-Party Computation from PUFs
▶ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. Use Physically Uncloneable Functions
Behave like random functions. Cannot be copied.
SLIDE 62 13
Secure Two-Party Computation from PUFs
▶ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ▶ Use Physically Uncloneable Functions
Behave like random functions. Cannot be copied.
SLIDE 63 13
Secure Two-Party Computation from PUFs
▶ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ▶ Use Physically Uncloneable Functions
▶ Behave like random functions. Cannot be copied.
SLIDE 64 13
Secure Two-Party Computation from PUFs
▶ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ▶ Use Physically Uncloneable Functions
▶ Behave like random functions. ▶ Cannot be copied.
SLIDE 65 14
Secure Computation from PUFs
[BFSK11] [OSVW13] Our Paper Our Paper
? ?
Honest Malicious Stateless Malicious Stateful Unconditional SLIDE 66 14
Secure Computation from PUFs
[BFSK11] [OSVW13] Our Paper Our Paper
? ?
Honest Malicious Stateless Malicious Stateful Unconditional SLIDE 67 15
3-Round ZK-Proofs [FGJ18] 2-Party Computation [DFKLS14] Obfuscation [BBF16] Any Assumption Malicious PUFs Stateless Malicious PUFs Statistical Security
SLIDE 68 16
Statistically Secure Obfuscation
O C C′ r Perfect Correctness: For any circuit
- Approximate Correctness: For any circuit
SLIDE 69 16
Statistically Secure Obfuscation
O C C′ r ▶ Perfect Correctness: For any circuit C ∀x : C′(x) = C(x)
- Approximate Correctness: For any circuit
SLIDE 70 16
Statistically Secure Obfuscation
O C C′ r ▶ Perfect Correctness: For any circuit C ∀x : C′(x) = C(x) ▶ (1 − ϵ)-Approximate Correctness: For any circuit C, Pr
r,x
[ C′(x) = C(x) ] ≥ 1 − ϵ(n)
SLIDE 71 17
Statistically Secure Obfuscation
O C C′ r ▶ Indistinguishability Obfuscator: For any pair of circuits, such that C1 ≡ C2 and |C1| = |C2| SD(O(C1), O(C2)) ≤ negl(n)
- Correlation Obfuscator: For any pair of circuits,
SLIDE 72 17
Statistically Secure Obfuscation
O C C′ r ▶ Indistinguishability Obfuscator: For any pair of circuits, such that C1 ≡ C2 and |C1| = |C2| SD(O(C1), O(C2)) ≤ negl(n) ▶ (1 − δ)-Correlation Obfuscator: For any pair of circuits, such that C1 ≡ C2 and |C1| = |C2| SD(O(C1), O(C2)) ≤ δ(n)
SLIDE 73 18
Why Do We Even Care About Approximate Correctness?
Because approximate obfuscation is useful! [MMNPs16,SW14,Hol06] 0.1 0.2 0.3 0.4 0.5 0.25 0.5 0.75 1 Correctness Error ϵ Statistical Distance δ
Allows PKE from OWF
SLIDE 74 19
Main Result
▶ If statistically secure, approximately correct iO (saiO) exists, then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ▶ More Generally: If (1 − δ)-statistically secure, (1 − ϵ)-approximately correct correlation obfuscation (sacO) exists with δ(n) ≤ 1
3 − 2 3ϵ(n) − 1 poly(n), then either one-way
functions do not exist, or NP ⊆ AM ∩ coAM. ▶ For very weak parameters, a trivial construction of sacO exists with δ(n) = 2ϵ(n).
SLIDE 75 20
The Landscape of Correlation Obfuscation
0.1 0.2 0.3 0.4 0.5 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Correctness Error ϵ Statistical Distance δ
Achievable with Trivial Construction Ruled out by Negative Result
SLIDE 76 20
The Landscape of Correlation Obfuscation
0.1 0.2 0.3 0.4 0.5 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Correctness Error ϵ Statistical Distance δ
Achievable with Trivial Construction Ruled out by Negative Result Allows PKE from OWF