How to Prove that Minicrypt=Cryptomania (in the future)
Danny Harnik, Moni Naor

Transcript of the slides.

Page 1: How to Prove that Minicrypt=Cryptomania (in the future)

Danny Harnik, Moni Naor

Page 2: The world(s) according to Impagliazzo

• 5 possibilities – based on different crypto-computational assumptions.
• The top two worlds:
– Minicrypt – One Way Functions exist, some of crypto possible (shared key encryption, commitments, signatures…)
– Cryptomania – Oblivious Transfer (OT) protocols exist, almost anything imaginable is possible.

[Figure: Impagliazzo's five worlds, bottom to top – Algorithmica (P=NP), Heuristica (Avg NP = Avg P), Pessiland, Minicrypt, Cryptomania]

f:{0,1}* → {0,1}* is one-way if it is easy to compute but hard to invert.
• f(x) computable in poly-time
• No PPTM can find an inverse to f(x) for a random x

Page 3: Oblivious Transfer

[Figure: Alice has input z0, z1; Bob has input b and receives zb]

OT protocol:
• Bob learns zb.
• Bob doesn't learn z1-b.
• Alice does not learn b.

[Figure: the five worlds – Algorithmica, Heuristica, Pessiland, Minicrypt, Cryptomania]

• OT is complete for Secure Computation!
– General framework that captures many cryptographic tasks (auctions, voting, e-commerce…)
– Implies public key crypto

Page 4: A more refined view

[Figure: cryptomania – OT, Public Key Encryption, CCA-Secure PKE, PIR, Secure MPC, Trapdoor permutations, 2-round Secret Key Exchange; minicrypt – One-way functions, Computational Pseudorandomness, Shared-key Encryption and Authentication, Commitment scheme, Signature Scheme, UOWHFs, Coin flipping, ZK Proofs for all of NP, Efficient online memory checking]

Page 5: Separating the worlds

[Figure: cryptomania – OT, Public Key Encryption, SKE (secret key exchange), CCA-Secure PKE, PIR, Secure MPC, Trapdoor permutations; minicrypt – One-way functions, Computational Pseudorandomness, Shared-key Encryption and Authentication, Commitment scheme, Signature Scheme, UOWHFs, Coin flipping, ZK Proofs for all of NP, Efficient online memory checking]

Impagliazzo and Rudich 1989: there is no blackbox construction of OT from OWF.

Page 6: The Minicrypt = Cryptomania question

“Minicrypt = Cryptomania?” is the most important problem in complexity and cryptography where
• We do not know the answer
• There is a good chance to resolve it in the near future

Omer Reingold: NL = L is a contender for the title

Page 7: Recent RSA Cryptographers Panel Feb 2006

• Adi Shamir's prediction: no existing Public-key Cryptosystem will survive 30 years from now
• Martin Hellman: very little genetic diversity in public-key cryptosystems.
– RSA and Diffie-Hellman – 1970's
– Elliptic curves – 1980's
Should add: lattice based schemes

Page 8: Common View

One-wayness is simple to come by

But obtaining secret-key exchange or OT requires a lot of structure (and knowledge)

Yuval Ishai: young nerd vs. Don Coppersmith

Page 9: Approaches for showing Minicrypt = Cryptomania

• Via Secret Sharing for Generalized Access Structure
– Due to Steven Rudich
– Unpublished as far as I can tell
• Via compressibility of NP problems
– Due to Harnik and Naor
– See ECCC Report (or on home page)
• Bonus material: from SKE to OT via interactive oblivious sampling (IOS)

Page 10: Secret sharing and Access Structures

• Dealer has secret x
• Gives to users P1, P2, …, Pn shares s1, s2, …, sn.
– The shares are a probabilistic function of x
• A subset of users A is either authorized or unauthorized

Want:
• An authorized subset of users A = {i1, i2, …, iℓ} to be able to reconstruct x based on their shares {si1, si2, …, siℓ}
• An unauthorized subset not to gain any knowledge about x

• Famous example – Threshold Secret Sharing
– Authorized subsets: those containing t or more users
– Unauthorized subsets: those containing less than t users
– Shamir's solution: based on a degree t-1 polynomial q with q(0) = x and si = q(i)
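Shamir's threshold scheme from this slide, as an added worked example (my code, not part of the talk). Assumptions are mine: the arithmetic is over the prime field with p = 2^127 - 1, the secret is an integer below p, and the `extend` helper, which shows that t-1 shares are consistent with every candidate secret (that is what "gains no knowledge" means for the unauthorized subsets), is my addition.

```python
import secrets

# Prime field for the polynomial arithmetic (assumption: 2^127 - 1, a Mersenne prime)
P = 2**127 - 1


def share(secret: int, t: int, n: int) -> list:
    """Shamir: pick a random polynomial q of degree t-1 with q(0) = secret and
    give user i the share s_i = q(i), for i = 1..n."""
    assert 0 <= secret < P and 1 <= t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]

    def q(i: int) -> int:
        acc = 0                      # Horner's rule, highest coefficient first
        for c in reversed(coeffs):
            acc = (acc * i + c) % P
        return acc

    return [(i, q(i)) for i in range(1, n + 1)]


def interpolate(points: list, at: int) -> int:
    """Value at `at` of the unique polynomial of degree < len(points)
    through the given (x, y) points (Lagrange interpolation mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % P
                den = den * (xi - xj) % P
        # den != 0 because the x coordinates are distinct
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares: list, t: int) -> int:
    """Authorized subset: any t shares fix q, and the secret is q(0)."""
    if len(shares) < t:
        raise ValueError("unauthorized subset: fewer than t shares")
    return interpolate(shares[:t], 0)


def extend(partial: list, guess: int, t: int, n: int) -> list:
    """Unauthorized subset: t-1 shares plus ANY guessed secret still lie on a
    degree-(t-1) polynomial, so holders of these shares cannot rule the guess out.
    Returns the n shares that polynomial would have produced."""
    assert len(partial) == t - 1
    pts = [(0, guess)] + partial
    return [(i, interpolate(pts, i)) for i in range(1, n + 1)]


if __name__ == "__main__":
    s = share(0xC0FFEE, t=3, n=5)
    print(reconstruct(s[2:], 3) == 0xC0FFEE)
</test>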

Page 11: Access Structures

To define the requirements from such a scheme:
• Access Structure F
– The collection of authorized subsets
• To make sense: F should be monotone
if A' ⊆ A and A' ∈ F then A ∈ F
– Can consider F0 – the collection of all minimal sets of F

Perfect secret sharing scheme:
• Any unauthorized subset gains absolutely no information on the secret. If the secret is a r.v. X then
– for any distribution of X
– for any A ∉ F
H(X|A) = H(X).

Theorem [Ito, Saito and Nishizeki 1987]: for every access structure F there exists a perfect secret sharing scheme
Size of shares: proportional to |F0|

Page 12: The complexity of F and the size of shares

Want efficient secret sharing schemes

Complexity of F: given a subset A ⊆ {P1, P2, …, Pn} decide whether A is authorized or not authorized

Theorem [Benaloh-Leichter 1988]: if authorization can be decided by a monotone formula, then there is a perfect secret sharing scheme where the size of a share is proportional to the size of the formula

Other computational devices: monotone span programs [Karchmer Wigderson 1993]

Major question: can you prove a lower bound on the size of the shares for some access structure?
– Even a non constructive result is interesting

What about directed connectivity?
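The two theorems above (Ito-Saito-Nishizeki for a general F given by its minimal sets F0, and Benaloh-Leichter for a monotone formula) as one added worked example; this is my code, not the talk's. The formula encoding (a user name, or an ("AND"/"OR", left, right) triple), the use of XOR as the additive split, and the 16-byte secret are my choices. `dnf_of_minimal_sets` turns F0 into the OR-of-ANDs formula, so the ISN share size (sum of |A| over A in F0) is exactly the Benaloh-Leichter size for that formula.

```python
import secrets
from typing import Dict, List, Optional, Tuple, Union

# A monotone formula: a user name (leaf) or ("AND" | "OR", left, right)
Formula = Union[str, Tuple[str, "Formula", "Formula"]]
Shares = Dict[str, Dict[int, bytes]]   # user -> {leaf id -> piece}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dnf_of_minimal_sets(minimal_sets: List[List[str]]) -> Formula:
    """Ito-Saito-Nishizeki: F is the OR, over the minimal authorized sets in F0,
    of the AND of that set's members. Formula size = sum of |A| over A in F0."""
    def and_of(users: List[str]) -> Formula:
        f: Formula = users[0]
        for u in users[1:]:
            f = ("AND", f, u)
        return f

    f = and_of(minimal_sets[0])
    for a in minimal_sets[1:]:
        f = ("OR", f, and_of(a))
    return f


def share(secret: bytes, formula: Formula) -> Shares:
    """Benaloh-Leichter: an OR gate passes its value to both children, an AND gate
    splits it into two XOR-additive pieces. Leaves are numbered in traversal order,
    so a user's share is one piece per occurrence of her name in the formula."""
    shares: Shares = {}
    counter = [0]

    def go(f: Formula, value: bytes) -> None:
        if isinstance(f, str):
            shares.setdefault(f, {})[counter[0]] = value
            counter[0] += 1
        elif f[0] == "OR":
            go(f[1], value)
            go(f[2], value)
        elif f[0] == "AND":
            r = secrets.token_bytes(len(value))    # fresh one-time pad per AND gate
            go(f[1], r)
            go(f[2], xor(value, r))
        else:
            raise ValueError(f"unknown gate {f[0]}")

    go(formula, secret)
    return shares


def reconstruct(formula: Formula, present: Shares) -> Optional[bytes]:
    """Evaluate the formula bottom-up with the pieces the present users hold.
    Returns the secret when the set is authorized and None otherwise; the same
    traversal order as share() keeps the leaf numbering aligned."""
    counter = [0]

    def go(f: Formula) -> Optional[bytes]:
        if isinstance(f, str):
            piece = present.get(f, {}).get(counter[0])
            counter[0] += 1
            return piece
        left, right = go(f[1]), go(f[2])      # always visit both children
        if f[0] == "OR":
            return left if left is not None else right
        return xor(left, right) if left is not None and right is not None else None

    return go(formula)


def share_size(shares: Shares, user: str) -> int:
    """Number of pieces a user holds = number of her leaves in the formula."""
    return len(shares.get(user, {}))
```

For F0 = {{A,B}, {B,C,D}} user B appears in both minimal sets and so holds two pieces; the set {A,C,D} holds three pieces that are each either fresh randomness or masked by a pad it does not have, which is the perfect-secrecy condition H(X|A) = H(X) in concrete form.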

Page 13: Computational Secret Sharing

• Perfect secret sharing scheme:
– Any unauthorized subset gains absolutely no information on the secret. For any r.v. X, for any A ∉ F, H(X|A) = H(X).

• Computational secret sharing scheme: Any unauthorized subset gains no useful information on the secret. In the indistinguishability of encryption style:
– for any PPT Adversary B
– for any x0 and x1, for any A ∉ F,
– The advantage of B given the shares of A in distinguishing whether x=x0 or x=x1 is negligible

Page 14: Computational Secret Sharing

• Theorem: suppose one-way functions exist: if authorization can be decided by a monotone circuit C there is a computational secret sharing scheme where the size of a share is proportional to |C|

Construction reminiscent of Yao's garbled circuit

[Figure: a gate of C with input wires Wi, Wj and output wire Wk, its keys expanded with a PRG]

• What about monotone access structures that have small non-monotone circuits?
– Matching:
• users correspond to edges in the complete graph
• Authorized sets: those graphs containing a perfect matching
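One realization of the garbled-circuit style construction the theorem above sketches, as an added example (my code, not the talk's). Each wire of the monotone circuit carries a random key, the output wire's key is the secret, and per gate the dealer publishes what lets the keys of satisfied input wires unmask the output key. Assumptions: HMAC-SHA256 plays the PRG/PRF (one pad per gate and input wire, which is what lets a wire fan out, as u1 does in the 2-of-3 circuit in the test), keys are 32 bytes, and the circuit encoding (gate name to (op, left wire, right wire)) is mine.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32
Circuit = Dict[str, Tuple[str, str, str]]   # gate name -> ("AND" | "OR", left wire, right wire)
Table = Dict[str, Tuple[bytes, ...]]        # public values: one per AND gate, two per OR gate


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(wire_key: bytes, gate: str, wire: str) -> bytes:
    """PRG stand-in: HMAC-SHA256 as a PRF yields an independent-looking pad for each
    (gate, input wire) pair, so one wire key may safely feed several gates."""
    return hmac.new(wire_key, f"{gate}|{wire}".encode(), hashlib.sha256).digest()


def share(secret: bytes, users: List[str], circuit: Circuit,
          output: str) -> Tuple[Dict[str, bytes], Table]:
    """Dealer: random key per wire, output wire key = secret. A user's share is the
    key of her input wire; the public table has O(|C|) key-length entries."""
    assert len(secret) == KEY_LEN
    keys = {w: os.urandom(KEY_LEN) for w in list(users) + list(circuit)}
    keys[output] = secret
    table: Table = {}
    for g, (op, a, b) in circuit.items():
        pa, pb = pad(keys[a], g, a), pad(keys[b], g, b)
        if op == "AND":            # BOTH input keys are needed to strip both pads
            table[g] = (xor(xor(keys[g], pa), pb),)
        elif op == "OR":           # EITHER input key suffices
            table[g] = (xor(keys[g], pa), xor(keys[g], pb))
        else:
            raise ValueError(f"unknown gate {op}")
    return {u: keys[u] for u in users}, table


def reconstruct(shares: Dict[str, bytes], circuit: Circuit, output: str,
                table: Table) -> Optional[bytes]:
    """Derive wire keys gate by gate until nothing new is learned. Only wires that
    evaluate to 1 on the present set ever get a key, so the output key (the secret)
    appears iff the set is authorized."""
    known = dict(shares)
    progress = True
    while progress:
        progress = False
        for g, (op, a, b) in circuit.items():
            if g in known:
                continue
            if op == "AND" and a in known and b in known:
                known[g] = xor(xor(table[g][0], pad(known[a], g, a)), pad(known[b], g, b))
            elif op == "OR" and a in known:
                known[g] = xor(table[g][0], pad(known[a], g, a))
            elif op == "OR" and b in known:
                known[g] = xor(table[g][1], pad(known[b], g, b))
            else:
                continue
            progress = True
    return known.get(output)


def public_size(table: Table) -> int:
    """Key-length values published: 1 per AND gate, 2 per OR gate, i.e. O(|C|)."""
    return sum(len(v) for v in table.values())
```

The security argument is the slide's: a wire that evaluates to 0 on the present set has a key the set never sees, and the pads derived from that key are pseudorandom, so the published value for that gate hides the gate's output key computationally rather than perfectly. This is why the scheme is computational, and why a small monotone circuit (not formula) suffices.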

Page 15: Secret Sharing and Oblivious Transfer

– Hamiltonian:
• users correspond to edges in the complete graph
• Authorized sets: those graphs containing a Hamiltonian cycle
Want an efficient scheme for minimal authorized subsets – when given the witness (cycle)

Theorem: If
• One-way functions exist
and
• An efficient secret sharing scheme for the Hamiltonian problem exists
then Oblivious Transfer Protocols exist.
– i.e. Minicrypt = Cryptomania

Construction is non-blackbox

Page 16: Distinguishing Hamiltonian from Non-Hamiltonian

Theorem: if one-way functions exist, then there exists a pair of poly-time distributions on graphs D0 and D1 such that
• G ∈ D0 is non-Hamiltonian (almost always)
• G ∈ D1 is Hamiltonian (generation process yields the cycle as well)
• D0 and D1 are indistinguishable:
– for any PPT B the advantage of B given G generated by Db in guessing b is negligible (in case of D1 only the graph is given)

Proof: if one-way functions exist then there exist two indistinguishable distributions D'0 and D'1 on strings with (almost) disjoint support
– Via bit commitment protocol
– Possible to generate them with a witness
• Let g be the (Cook-Karp) reduction such that on a given y creates a graph that is Hamiltonian iff y is in the support of D'1
• The distributions D0 and D1 are obtained by applying g to the output of D'0 and D'1

The non-blackbox part: the step from D'0, D'1 to D0, D1

Page 17: The Oblivious Transfer Protocol

Protocol:
• Bob uses D0 and D1 to generate two graphs G0 and G1 such that Gb is Hamiltonian and G1-b is non-Hamiltonian.
– Sends the graphs G0 and G1 to Alice
– remembers the cycle in Gb
• Alice runs the Hamiltonian secret sharing scheme twice, with secrets z0 and z1.
– Sends to Bob the shares corresponding to the edges of G0 for the first instance and G1 for the second one
• Bob reconstructs the secret from the cycle he knows in Gb and obtains zb

Alice:
• Input to Alice: {z0, z1}
• Alice does not learn b
Bob:
• Input to Bob: b
• Bob learns zb.
• Bob doesn't learn z1-b

Sufficient to come up with an honest-but-curious protocol
• Can use the GMW transformation to obtain a protocol in a malicious environment
• a non-blackbox result

Page 18: Why does it work?

Functionality: from the secret sharing

Protecting Alice: the shares of z1-b given to Bob do not yield useful information about it.

Protecting Bob: Alice cannot guess b, since this would mean that she can distinguish between D0 and D1

Similar scheme for all NP-Complete graph embedding type problems
Clique…

Page 19: Is there hope for a perfect scheme for Hamiltonian?

Theorem: if there is a perfect (statistical) scheme for Hamiltonian, then NP ⊆ Co-AM

Proof: show an AM proof system for the non-Hamiltonicity of a graph G
Verifier:
– Pick a random secret x ∈ {0,1} and generate shares for it.
– Send the Prover the shares of the edges of G
Prover:
– Come up with random coins r0 yielding the shares when x=0 and random coins r1 yielding the shares when x=1

Actually: a public coins protocol

[Figure: NP, Co-NP and Co-AM]

Page 20: Is there hope for a perfect scheme for Hamiltonian?

Perfect Hamiltonian secret sharing implies (honest verifier) perfect zero-knowledge protocol for Hamiltonicity:
Verifier:
– Pick a random secret x ∈R {0,1} and generate shares for it.
– Send the Prover the shares of the edges of G
Prover:
– Reconstructs the secret x

Recall: SZK = HVSZK ⊆ AM ∩ Co-AM
Goldreich-Sahai-Vadhan, Fortnow, Aiello-Håstad

Page 21: Is there hope for a perfect scheme for Hamiltonian?

Question: can we show that one-way functions are necessary for a (computational) scheme for Hamiltonicity?
• Existence of one-way functions is equivalent to existence of a pair of (poly-time) distributions that are statistically far but computationally indistinguishable.
• This should be the case if the graph is Hamiltonian.
• But the graph prevents the result from being fully constructive
– [Ostrovsky-Wigderson]: non trivial zk ~ implies one-way functions

Page 22: Open Problems

• Perfect Secret-Sharing Scheme for Directed connectivity
– How to cope with the fan-out
• Computational Secret Sharing Scheme for Matching
– How to cope with negation
• A secret sharing scheme for Hamiltonicity based on heavy cryptographic machinery – just for feasibility purposes.

Page 23: Some Known Reductions

[Figure: reduction diagram among OWF, PRG, PRF, MAC, ENC, COM, ZK, ID, UOWHF, SIG, TDP, PKE, OT, SKE, CCA-PKE, CLAW-FREE, CF-HASH, NIZK]

Page 24: A non-blackbox reduction

• NIZK + PKE yields CCA secure [NY, DDN]
• The reduction is non-blackbox: need to prove consistency of encryption
• Another nbb result: if one-way functions exist, then zero-knowledge identification is possible

Omer Reingold: while blackbox reductions do not assure efficiency, non-black box reductions assure inefficiency…

Page 25: Compressing Instances

• Rather than solving a problem, we are interested in compressing it to be solved sometime in the future.
• Compression should be solution preserving rather than input preserving.
• For a language L we seek an efficient algorithm Z and a language L' such that:
1. Z(x) ∈ L' iff x ∈ L
2. |Z(x)| < |x|
Do not require that x can be restored from Z(x)!

Page 26: Compressing NP Instances – Definition

The specific setting: NP languages with short witnesses. We consider two parameters:
• m – Instance length
• n – Witness length
For every x of length m, if x ∈ L then it has a witness of length n. The interesting case: n << m

Compression for L: an efficient algorithm Z, a polynomial p(·, ·) and a language L' such that for every x of length m:
1. Z(x) ∈ L' iff x ∈ L
2. |Z(x)| < p(n, log m)

Page 27: Notes on the Definition

• Length of Z(x) is dominated by witness length
• potentially, Z(x) can be significantly shorter than x.
• Compression does not necessarily imply an efficient solution to the problem.
• Why p(n, log m)? This may be relaxed:
• For complexity study log m may be replaced by any sub-polynomial function of m
• For some applications a compression of m^(1-ε) suffices.
• Definition is only interesting when n << m
• E.g. 3-SAT is not an interesting problem for compression
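An added worked instance of the definition (my code, not the talk's; the talk's own Vertex Cover slides are not on this page). For Vertex Cover with budget k the witness is a cover, n = k·log m bits, and the classic Buss kernelization is a compression Z: it outputs an equivalent instance with at most k'^2 edges on at most 2k'^2 vertices, so |Z(x)| = O(k^2 log k) = poly(n, log m) while the original graph may have far more edges. The brute-force checker is only there to confirm on tiny graphs that membership is preserved; as the notes above say, compressing does not solve the problem. The NO instance ([(0,1)], 0) is my choice of a fixed non-member.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Edge = Tuple[int, int]
NO_INSTANCE: Tuple[List[Edge], int] = ([(0, 1)], 0)   # one edge, budget 0: never in VC


def _edge_set(edges: List[Edge]) -> Set[FrozenSet[int]]:
    return {frozenset(e) for e in edges if e[0] != e[1]}


def compress_vc(edges: List[Edge], k: int) -> Tuple[List[Edge], int]:
    """Buss's kernel as the compression algorithm Z for (G, k): returns an
    equivalent instance with at most k'^2 edges and 2k'^2 vertices."""
    E = _edge_set(edges)
    while True:
        degree: Dict[int, int] = {}
        for e in E:
            for v in e:
                degree[v] = degree.get(v, 0) + 1
        heavy = [v for v, d in degree.items() if d > k]
        if not heavy:
            break
        # A vertex of degree > k lies in every cover of size k (otherwise all of its
        # > k neighbours would have to be in the cover), so take it and charge the budget.
        v = heavy[0]
        E = {e for e in E if v not in e}
        k -= 1
        if k < 0:
            return NO_INSTANCE
    if len(E) > k * k:
        # every remaining vertex has degree <= k, so k vertices cover at most k^2 edges
        return NO_INSTANCE
    # Rename the surviving vertices 0, 1, 2, ... so the output needs O(k^2 log k) bits,
    # independent of the original instance length m.
    names: Dict[int, int] = {}
    out: List[Edge] = []
    for e in sorted(tuple(sorted(x)) for x in E):
        out.append((names.setdefault(e[0], len(names)), names.setdefault(e[1], len(names))))
    return out, k


def has_vertex_cover(edges: List[Edge], k: int) -> bool:
    """Brute-force membership test, only for checking the kernel on tiny graphs."""
    E = _edge_set(edges)
    V = sorted({v for e in E for v in e})
    if k < 0:
        return False
    size = min(k, len(V))
    return any(all(e & set(C) for e in E) for C in combinations(V, size))
```

Note that the compressed instance is again a Vertex Cover instance, so here L' = L, and that the kernel is not witness preserving in the input-restoring sense the slides reject: the hub vertices removed by the degree rule are gone from Z(x), yet a cover of Z(x) plus those hubs is a cover of x.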

Page 28: Talk overview

• Introduce and define compression of NP instances.
• Motivation: Cryptographic applications
– On CRH from one-way functions
– On OT from one-way functions
• Study of Compression:
– Can all NP be compressed?
– Example of compression: Vertex Cover
– Complexity study
• W-reductions
• The VC hierarchy
– Further Issues…

Page 29: Collision Resistant Hash

• A collection of collision resistant hash functions (CRH) is a family H of hash functions s.t. for a random h ∈ H it is hard to find a “collision”: a pair x ≠ x' s.t. h(x) = h(x').
• Length reducing functions

[Figure: a PPTM given h outputs a colliding pair x, x']

• Important primitive with wide range of cryptographic applications (e.g. [K92, M94, B01]).

Page 30: One-way functions

• A one-way function (OWF) is a function f that is easy to compute but hard to invert.
– f(x) computable in poly-time
– No PPTM can find an inverse to f(x) for a random x
• OWFs are the most fundamental building block in computationally based crypto.
– Necessary for most crypto tasks.
– Sufficient for many others (shared key encryption).

CRH and OWFs:
• CRH implies OWFs
• OWF not known to imply CRH
– No “black box” construction of CRH from OWF [Simon98]

Page 31: CRH from OWF?

• Theorem: There exists a language L s.t. if there is an errorless compression of L then there exists a construction of CRH from any OWF.
There exists a family of such languages, e.g. SAT, Clique…

Proof:
• Input to hash: an m bit string x
• Let s be a commitment to an index i ∈ [m]
• For every j, define the circuit Cj,s,x to be a circuit that is satisfiable iff s is a commitment to j and x(j)=1
• Define the circuit Cs,x to be the OR of all Cj,s,x for every j ∈ [m]
Cs,x is satisfiable iff x(i)=1

[Figure: the m bits of x feed the circuits C1,s,x … Cm,s,x, whose outputs are OR-ed]
Cs,x is the OR of m circuits, each of size n
Can actually tolerate an error of up to 2^-Ω(m)

Commitment Scheme:
• The digital analogue of a locked box.
• Sender generates a string s that hides a value i and sends it to the receiver.
– Binding: s can only be “opened” to the value i.
– Hiding: A computationally bounded receiver learns nothing about the value i.
• Commitments can be based on any OWF [N89], [HILL90].

Can generate Cj,s,x without knowing the value i
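The commitment box above in concrete form, as an added example (my code, not the talk's, and not the OWF-based scheme of [N89]/[HILL90] the slide cites): a hash-based commitment s = H(nonce || i), whose binding rests on collision resistance of SHA-256 and whose hiding rests on the random nonce. The unsalted variant alongside it is there to show what hiding buys: for an index i ∈ [m], a receiver can simply try all m values against a deterministic commitment, which is exactly the leak of Bob's index that the PIR construction later on this page must avoid. Function names, the 8-byte index encoding and the 32-byte nonce are my choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 32


def _digest(nonce: bytes, value: int) -> bytes:
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).digest()


def commit(value: int) -> Tuple[bytes, Tuple[bytes, int]]:
    """Sender: s = H(nonce || value). The (nonce, value) pair is the opening.
    Hiding: without the nonce, s is unrelated to value from the receiver's view.
    Binding: opening s to another value would be a SHA-256 collision."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return _digest(nonce, value), (nonce, value)


def verify_opening(s: bytes, opening: Tuple[bytes, int]) -> bool:
    """Receiver: accept the claimed value only if it reproduces s."""
    nonce, value = opening
    return hmac.compare_digest(s, _digest(nonce, value))


def unsalted_commit(value: int) -> bytes:
    """The weak version with no nonce: still binding, but not hiding."""
    return _digest(b"", value)


def recover_unsalted(s: bytes, m: int) -> Optional[int]:
    """A receiver who knows the value lies in [m] tries all m candidates. This is
    the distinguishing attack a hiding commitment must defeat; with a nonce the
    same loop learns nothing."""
    for candidate in range(m):
        if unsalted_commit(candidate) == s:
            return candidate
    return None
```

Two commitments to the same index differ because the nonce is fresh, so the receiver cannot even tell whether two commitments carry the same value; that is the property the proof above uses when it says Cj,s,x can be generated without knowing i.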

Page 32: CRH from OWF cont.

• Let Z be a compression algorithm for the circuit Cs,x
• Takes as input a circuit C and randomness r
• Every h ∈ H is described by a commitment s and randomness r for Z
hs,r(x) = Zr(Cs,x)
• h is indeed shrinking due to the compression.
• Let x ≠ x' be s.t. hs,r(x) = hs,r(x').
• If s is a commitment to i then it must be that x(i)=x'(i).
• If x and x' differ in the jth bit, then we can deduce that s is not a commitment to the value j!!

[Figure: the m bits of x feed the circuits C1,s,x … Cm,s,x, whose outputs are OR-ed]
An adversary that can find a collision can deduce information about s contradicting the hiding of the commitment

Notes about the construction:
• The construction is inherently non-black-box.
– Uses the code of the OWF via the commitment.
• The compressed problem is never actually solved…

Page 33: Talk overview (repeat of page 28)

Page 34: Oblivious Transfer

• Impagliazzo (95) describes 5 possible worlds based on different computational assumptions.
• The top two worlds:
– Minicrypt – OWFs exist, some of crypto possible (shared key encryption, commitments, signatures…)
– Cryptomania – Oblivious Transfer (OT) exists, almost anything possible.

[Figure: Alice has input s0, s1; Bob has input c and receives sc]
OT protocol:
• Bob gets sc.
• Bob doesn't learn s1-c.
• Alice does not learn c.

[Figure: the five worlds – Algorithmica, Heuristica, Pessiland, Minicrypt, Cryptomania]
• OWFs not known to imply OT
• Impagliazzo and Rudich (89) prove that there is no black box construction of OT from OWF.

OT is complete for Secure Computation!
General framework that captures many cryptographic tasks (e.g. public key crypto, auctions, voting, e-commerce…)

Page 35: OT from OWF?

• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania
• Suppose instance x ∈ L with witness wx.
• The compressed instance y = Z(x) has witness wy to y ∈ L'.
• Compression is witness retrievable if it is possible to obtain wy in poly-time from y and wx.

[Figure: Z maps x to y, and wx to wy]
E.g., SAT, Clique…

Page 36: OT from OWF?

• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania

Proof:
• Construct a Private Information Retrieval (PIR) protocol. PIR implies OT [DMO00].
• Input: Database x of m bits.
• Given a commitment s to an index i ∈ [m], define the circuit Cs,x (as in the CRH case).
– Cs,x is satisfiable iff x(i)=1
– Cs,x is the OR of m circuits, each of size n

[Figure: the m bits of x feed the circuits C1,s,x … Cm,s,x, whose outputs are OR-ed]

PIR protocol:
• Alice holds m bit database x ∈ {0,1}^m.
• Bob holds index i ∈ [m].
• Bob learns x(i).
– Alice does not learn i.
– Total communication is less than m bits!

Page 37: OT from OWF, cont.

• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania

Proof:
• Bob creates a commitment s to his choice index i ∈ [m]. Sends s to Alice.
• Alice generates the circuit Cs,x based on x and s.
• Alice sends Z(Cs,x) to Bob.
• Z(Cs,x) contains the information about the bit x(i).
• Bob can retrieve it using the witness retrieval property.
• Security:
– Bob's i is hidden by the commitment
– total communication is low.

[Figure: Bob (input i) sends s to Alice (input x); Alice replies with Z(Cs,x); Bob obtains x(i)]

Generates a 2-message PIR: Sufficient also for Public Key Encryption from any OWF!