On the Impossibility of Tight Cryptographic Reduc:ons Christoph - - PowerPoint PPT Presentation

On the Impossibility of Tight Cryptographic Reduc:ons

Christoph Bader, Tibor Jager, Yong Li, Sven Schäge

Ruhr-University Bochum EUROCRYPT 2016

1

“Tight” Cryptographic Reduc:ons

2

• 1. Define a security model
• 2. Prove: efficient a/acker A implies efficient

algorithm R that solves a “hard” problem P

pk (m*,s*) Adversary A si mi Q :mes

“Tight” Cryptographic Reduc:ons

3

• 1. Define a security model
• 2. Prove: efficient adversary A implies efficient

algorithm R that solves a “hard” problem P

Instance of P Solu:on pk (m*,s*) Adversary A Reduc:on R si mi Q :mes

“Tight” Cryptographic Reduc:ons

4

• 1. Define a security model
• 2. Prove: efficient adversary A implies efficient

algorithm R that solves a “hard” problem P Reduc:on R is :ght, if tR ≈ tA and succR ≈ succA

Instance of P Solu:on pk (m*,s*) Adversary A Reduc:on R si mi Q :mes

Why is :ght security interes:ng?

• Do schemes with :ght security exist?

– Inherent :ghtness lower bounds?

• Tightness has impact on theore:cally-

sound selec:on of parameters

– “Non-:ght“ reduc:on => large parameters – Tight reduc:on => smaller parameters

5

Why is :ght security interes:ng?

• Do schemes with :ght security exist?

– Inherent :ghtness lower bounds?

• Relevant for theore:cally-sound

selec:on of parameters

– “Non-:ght“ reduc:on large parameters – Tight reduc:on smaller parameters

6

Many Tightly-Secure Cryptosystems

7

Digital Signatures

• Katz-Wang (CCS 2003)
• Schäge (Eurocrypt 2011)
• ...

Public-Key Encryp:on

• Bellare, Boldyreva, Micali (Eurocrypt 2000)
• Hoeeinz, Jager (Crypto 2012)
• Gay, Hoeeinz, Kiltz, Wee (Eurocrypt 2016)

(best paper)

• ...

Pseudorandom Func:ons

• Naor-Reingold (FOCS 1997)
• Lewko-Waters (CCS 2009)
• Jager (ePrint 2016)
• ...

Iden:ty-based Encryp:on

• Chen, Wee (Crypto 2013)
• Blazy, Kiltz, Pan (Eurocrypt 2014)
• ...

Key Exchange

• Bader, Hoeeinz, Jager, Kiltz, Li (TCC 2015)

Many Tightly-Secure Cryptosystems

8

Digital Signatures

• Katz-Wang (CCS 2003)
• Schäge (Eurocrypt 2011)
• ...

Public-Key Encryp:on

• Bellare, Boldyreva, Micali (Eurocrypt 2000)
• Hoeeinz, Jager (Crypto 2012)
• Gay, Hoeeinz, Kiltz, Wee (Eurocrypt 2016)

(best paper)

• ...

Pseudorandom Func:ons

• Naor-Reingold (FOCS 1997)
• Lewko-Waters (CCS 2009)
• Jager (ePrint 2016)
• ...

Iden:ty-based Encryp:on

• Chen, Wee (Crypto 2013)
• Blazy, Kiltz, Pan (Eurocrypt 2014)
• ...

Key Exchange

• Bader, Hoeeinz, Jager, Kiltz, Li (TCC 2015)

Which proper:es must a cryptosystem (not) have to allow for a :ght security proof?

Coron‘s Result* (1/2)

(Eurocrypt 2002)

9

pk (m*,s*) si mi

Q :mes

* see also Kakvi and Kiltz, Eurocrypt 2012 ** generalized to re-randomizable signatures by Hoeeinz et al., PKC 2012

• Digital signatures

– single-user selng – unique signatures**

Coron‘s Result* (1/2)

(Eurocrypt 2002)

10

• Digital signatures

– single-user selng – unique signatures**

pk (m*,s*) si mi

Q :mes

Result: If a signature scheme has unique signatures, then any security reduc:on “loses” a factor of at least 1/Q.

* see also Kakvi and Kiltz, Eurocrypt 2012 ** generalized to re-randomizable signatures by Hoeeinz et al., PKC 2012

Coron‘s Result (2/2)

(Eurocrypt 2002)

11

Instance of P Solu:on Reduc:on R pk (m*,s*) si mi Q :mes

Coron‘s Result (2/2)

(Eurocrypt 2002)

12

Instance of P Solu:on Reduc:on R Meta-Reduc:on M Instance of P Solu:on pk (m*,s*) si mi Q :mes Simula:on of Adversary A

Coron‘s Result (2/2)

(Eurocrypt 2002)

13

Coron shows: If a signature scheme has unique signatures, then any reduc:on R implies an algorithm M that solves P

• In :me tM ≈ tR
• With

✏M ≥ ✏R − 1 Q · ✓ 1 − Q |MsgSpace| ◆−1

Instance of P Solu:on Reduc:on R Meta-Reduc:on M Instance of P Solu:on pk (m*,s*) si mi Q :mes Simula:on of Adversary A

Coron‘s Result (2/2)

(Eurocrypt 2002)

14

Coron shows: If a signature scheme has unique signatures, then any reduc:on R implies an algorithm M that solves P

• In :me tM ≈ tR
• With

✏M ≥ ✏R − 1 Q · ✓ 1 − Q |MsgSpace| ◆−1

Instance of P Solu:on Reduc:on R Meta-Reduc:on M Instance of P Solu:on pk (m*,s*) si mi Q :mes Simula:on of Adversary A “Annoying term”

Limita:ons of Coron‘s Technique

• Restricted but reasonable class of reduc:ons:

– Treat adversary A as a black-box – Few advanced capabili:es (e.g. seq. rewinding)

• Rela:vely complex analysis

15

Limita:ons of Coron‘s Technique

• Restricted but reasonable class of reduc:ons:

– Treat adversary A as a black-box – Few advanced capabili:es (e.g. seq. rewinding)

• Rela:vely complex analysis

16

• Only useful in selngs where Q << |MsgSpace|

– Acceptable for [C`02, KK`12, HJK`12] – Makes applica:on to other sePngs difficult

✏M ≥ ✏R − 1 Q · ✓ 1 − Q |MsgSpace| ◆−1

“Annoying term”

Mul:-User Security of Signatures

17

• A receives N public keys
• Q signature queries
• Corrupt N-1 users
• Goal: :ght security in

– Number of signatures Q – Number of public keys N

pk1, ..., pkN (m*,s*)

Mul:-User Security of Signatures

18

• A receives N public keys
• Q signature queries
• Corrupt N-1 users
• Goal: :ght security in

– Number of signatures Q – Number of public keys N

pk1, ..., pkN (m*,s*) si (mi, j)

Mul:-User Security of Signatures

19

• A receives N public keys
• Q signature queries
• Corrupt N-1 users
• Goal: :ght security in

– Number of signatures Q – Number of public keys N

pk1, ..., pkN (m*,s*) si (mi, j) skj j

Mul:-User Security of Signatures

20

• A receives N public keys
• Q signature queries
• Corrupt N-1 users
• Desired: :ght security in

– Number of signatures Q – Number of public keys N

pk1, ..., pkN (m*,s*) si (mi, j) skj j

Mul:-User Security of Signatures

21

• A receives N public keys
• Q signature queries
• Corrupt N-1 users
• Desired: :ght security in

– Number of signatures Q – Number of public keys N

pk1, ..., pkN (m*,s*) si (mi, j) skj j

Single-user security mul:-user security But the reduc:on is not :ght, loses a factor 1/N

Applying Coron’s technique to the mul:-user selng

22

• To show that this loss is impossible to avoid:
• Applying [Coron 2002], we get

✏M ≥ ✏R − 1 N

Applying Coron’s technique to the mul:-user selng

23

• To show that this loss is impossible to avoid:
• Applying [Coron 2002], we get

✏M ≥ ✏R − 1 N · ✓ 1 − N − 1 N ◆−1 ✏M ≥ ✏R − 1 N

Applying Coron’s technique to the mul:-user selng

24

• To show that this loss is impossible to avoid:
• Applying [Coron 2002], we get

✏M ≥ ✏R − 1 N · ✓ 1 − N − 1 N ◆−1

Equal to N

Trivial bound, because of the “annoying term”

✏M ≥ ✏R − 1 N

Our approach

Goal: Prove that 1/N-loss is impossible to avoid

• 1. Define a weaker security defini:on

– Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons!

• 2. New meta-reduc:on technique

– No “annoying term” – Weakness of security defini:ons enables simple and clean analysis

• 3. Generalize this technique to other primi:ves

25

Our approach

Goal: Prove that 1/N-loss is impossible to avoid

• 1. Define a weaker security defini:on

– Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons!

• 2. New meta-reduc:on technique

– No “annoying term” – Weakness of security defini:ons enables simple and clean analysis

• 3. Generalize this technique to other primi:ves

26

Weak Mul:-User Security

27

pk1, ..., pkN skj j ski for i≠j

• A receives N public keys
• Corrupt users
• Signature queries
• A has to compute skj

Weak Mul:-User Security

28

pk1, ..., pkN skj j ski for i≠j

No :ght security proof for “weak” security

• No :ght security proof for any “stronger” no:on
• A receives N public keys
• Corrupt users
• Signature queries
• A has to compute skj

Weak Mul:-User Security

29

pk1, ..., pkN skj j ski for i≠j

No :ght security proof for “weak” security

• No :ght security proof for any “stronger” no:on
• A receives N public keys
• Corrupt users
• Signature queries
• A has to compute skj

Makes sense for any public-key scheme!

Our approach

Goal: Prove that 1/N-loss is impossible to avoid

• 1. Define a weaker security defini:on

– Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons!

• 2. New meta-reduc:on technique

– No “annoying term” – Weakness of security defini:ons enables simple and clean analysis

• 3. Generalize this technique to other primi:ves

30

Our result

• Restricted but reasonable class of reduc:ons:

– Use adversary A as a black-box – Few advanced capabili:es (e.g. seq. rewinding)

• Rela:vely simple analysis

31

✏M ≥ ✏R − 1 N · ✓ 1 − N − 1 N ◆−1

Tightness Bound: Intui:on

32

pk1, ..., pkN skj j ski for i≠j

Reduc:on R Instance of P Solu:on

Tightness Bound: Intui:on

33

pk1, ..., pkN skj j ski for i≠j

Reduc:on R

• 1. Only one index j such that R can output ski for all i≠j

R not :ght!

• 2. More than one j P not “hard”!

Instance of P Solu:on

Tightness Bound: Intui:on

34

pk1, ..., pkN skj j ski for i≠j

Reduc:on R

• 1. Only one index j such that R can output ski for all i≠j

R not :ght!

• 2. More than one j P not “hard”!

Instance of P Solu:on

Tightness Bound: Proof Sketch (1/2)

35

• 1. Run R un:l right a[er it outputs pk1, ..., pkN,

save the state of R

• 2. Run R star:ng from this state for all j from 1 to N,

un:l R outputs the secret keys ski for all i≠j

pk1, ..., pkN

Reduc:on R Instance of P Instance of P Meta-Reduc:on M

Tightness Bound: Proof Sketch (1/2)

36

• 1. Run R un:l right a[er it outputs pk1, ..., pkN,

save the state of R

• 2. Run R star:ng from this state for all j from 1 to N,

un:l R outputs the secret keys ski for all i≠j

pk1, ..., pkN j ski for i≠j

Reduc:on R Instance of P Instance of P Meta-Reduc:on M

Tightness Bound: Proof Sketch (1/2)

37

• 1. Run R un:l right a[er it outputs pk1, ..., pkN,

save the state of R

• 2. Run R star:ng from this state for all j from 1 to N,

un:l R outputs the secret keys ski for all i≠j

pk1, ..., pkN j ski for i≠j

Reduc:on R Instance of P Instance of P Meta-Reduc:on M

M learns all secret keys

Tightness Bound: Proof Sketch (2/2)

38

pk1, ..., pkN skj j ski for i≠j

Reduc:on R Instance of P Instance of P Meta-Reduc:on M Simula:on of Adversary A

• 1. Execute R once again, star:ng from
• 2. Simulate A that chooses j uniformly random
• 3. Output skj

Tightness Bound: Proof Sketch (2/2)

39

pk1, ..., pkN skj j ski for i≠j

Reduc:on R Instance of P Solu:on Instance of P Solu:on Meta-Reduc:on M Simula:on of Adversary A

• 1. Execute R once again, star:ng from
• 2. Simulate A that chooses j uniformly random
• 3. Output skj

Perfect simula:on of a successful adversary

Requirements on the public-key scheme

• For each pk there is only one unique sk (*)
• One can efficiently verify that a given sk

belongs to a given pk

• Holds for many known construc:ons

40

(* In the paper: generalized to re-randomizable keys)

Requirements on the public-key scheme

• For each pk there is only one unique sk (*)
• One can efficiently verify that a given sk

belongs to a given pk

• Holds for many known construc:ons

41

Result: A public-key scheme that sa:sfies the above condi:ons cannot have a :ght security proof in the mul:-user selng with corrup:ons.

(* In the paper: generalized to re-randomizable keys)

Our approach

Goal: Prove that 1/N-loss is impossible to avoid

• 1. Define a weaker security defini:on

– Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons!

• 2. New meta-reduc:on technique

– No “annoying term” – Weakness of security defini:ons enables simple and clean analysis

• 3. Generalize this technique to other primi:ves

42

Goal: easy applicability

43

Generalized experiment

Strengthened versions of [C02, KK12, HJK12] Mul:-user security with corrup:ons Security of non-interac:ve key exchange

“Master theorem” Special cases

Generaliza:on to Abstract Rela:ons

44

x1, ..., xN wj j wi for i≠j S = {(x1, w1), (x2, w2), ... , (xN, wN)}

Requirements on S:

• Efficient verifiability
• For each statement x, the

witness w is unique (or re-randomizable)

Generaliza:on to Abstract Rela:ons

45

x1, ..., xN wj j wi for i≠j S = {(x1, w1), (x2, w2), ... , (xN, wN)}

For example:

• Public key crypto in the mul:-user selng:

S = {(pk1, sk1), (pk2, sk2), ... , (pkN, skN)}

• Unique signatures in the single-user selng:

S = {(m1, s1), (m2, s2), ... , (mN, sN)}

Requirements on S:

• Efficient verifiability
• For each statement x, the

witness w is unique (or re-randomizable)

Generaliza:on to Abstract Rela:ons

46

x1, ..., xN wj j wi for i≠j S = {(x1, w1), (x2, w2), ... , (xN, wN)}

For example:

• Public key crypto in the mul:-user selng:

S = {(pk1, sk1), (pk2, sk2), ... , (pkN, skN)}

• Signatures in the single-user selng:

S = {(m1, s1), (m2, s2), ... , (mN, sN)}

Requirements on S:

• Efficient verifiability
• For each statement x, the

witness w is unique (or re-randomizable)

Summary

New techniques to prove inexistence of :ght reduc:ons

• Stronger results but simpler proof
• More applica:ons
• Easy to check whether a construc:on can

have a :ght security proof

• Easy to adapt to other applica:ons via generic

“master theorem”

47

Summary

New techniques to prove inexistence of :ght reduc:ons

• Stronger results but simpler proof
• More applica:ons
• Easy to check whether a construc:on can

have a :ght security proof

• Easy to adapt to other applica:ons via generic

“master theorem”

48

Thank you!