Formal Representation of Polynomial-Time

Algorithms and Security

Bruce KapronUniversity of Victoria

June 9, 2004

Poly-time Function(als) in Cryptography

• Probabilistic polynomial time (PPT) function(al)s play a central role in (asymptotic) complexity-based cryptography and security

• Appear in definition of: primitives, adversaries, reductions, verifiers, provers, simulators, …

PPT Functions in Cryptography

• Central concerns:– Defining PPT functions or functionals– Proving that these functions satisfy

appropriate properties

• What does this mean for formalization?– Explicit vs. implicit representations– At what level should we be reasoning

about PPT functions

Formalizing PPT Functions

• Do we really need to do this?– Useful for “low-level” arguments (e.g.

soundness proofs)– Can be directly applied in a “high-level”

setting, e.g. [MRST 2004]– Possibility of “bottom-up” formalization– Other payoffs: e.g., extraction of

reductions from proofs

Implicit vs. Explicit Reasoning

• E.g., reductions between primitives– Have a PPT mapping M taking any

instance f of X to an instance M(f) of Y– Security of f implies security of M(f)

• Can show this with a reduction, i.e., a PPT mapping S taking any adversary A breaking M(f) to an adversary S(A) breaking f

• Can we formulate proof systems which guarantee a reduction (do all proof systems do this?)

Formal representation of poly-time functions

• We typically use probabilistic TM’s in cryptographic arguments

• TM’s lack of structure make formal reasoning difficult

• One approach is to use models with an inductively defined syntax

Some History

• Beginning with [Cobham, 1964], there have been numerous function algebras proposed which characterize poly-time functions – outgrowth of earlier work in subrecursion

• Focus has been on deterministic computation without oracles

• Later work considers randomization [LMMS 2000], [IK 2004] and oracle computation [Constable 1972], [Mehlhorn 1976], [KC 1996]

Function Algebras

f1,f2,…,fk – collection of initial functions

S1,S2,…,Sl – collection of closure schemes

[f1,…,fk,S1,…,Sl] – smallest class containing f1,f2,…,fk and closed under S1,S2,…,Sl

Can we capture FPTIME, the class of all poly-time functions?

Recursion on Notation

• Use primitive recursion on binary notation of the recursion parameter to capture polynomial time

f(x,0)=g(x)f(x,s0(y))=h0(x,y,f(x,y))

f(x,s1(y))=h1(x,y,f(x,y))

Recursion on Notation

• Problem with this scheme: iterating a poly-time function a polynomial number of times can produce functions with exponential growth rate:

• Define: f(x)=x2, g(y)=f|y|(2)• Then: |g(y)|=2|y|

Bounded Recursion on Notation (BRN) [Cobham,

1964]

f(x,0)=g(x)f(x,s0(y))=h0(x,y,f(x,y))

f(x,s1(y))=h1(x,y,f(x,y))

|f(x,y)| · |k(x,y)|

Bounded Recursion on Notation and Poly-time

• Let si(x)=2x+i (i=0,1), #(x)=2|x|¦|x|, and I denote the set of all projection functions. f is defined from g,h by composition (COMP) if

f(x)=h(x,g(x))• Theorem [Cobham,1964]:

[0,s0,s1,#,I;COMP,BRN] = FPTIME

Drawbacks of BRN

• The need for an explicit size-bound in BRN is problematic in proofs

• In general, bounding is not decidable• Term definition requires a bounding

proof – circularity problem• One solution: modify BRN to only

allow hi with |hi(x,y,z)| · |ki(x,y)|+|z|

Safe Recursion on Notation [Bellantoni & Cook, 1992]

• Idea: only allow recursion to iterate functions which are not already defined by recursion.

• Requires a typing of function parameters as either safe or normal – operations on safe inputs do not increase length by more than an additive constant

Safe Composition and Recursion on Notation

• Composition scheme prevents safe inputs from being substituted into normal positions:

f(x;a)=h(r(x;);t(x;a))

normal safe no safeinput

Safe Recursion on Notation

f(0,x;a) = g(x;a)f(si(y),x;a) = hi(y,x;a,f(y,x;a))

• No external bound required – basis for purely type-theoretic characterization of poly-time [Hofmann 1999], later used by [LMMS 2000] to get a term algebra for probabilistic polynomial time

Full Concatenation Recursion on Notation (FCRN) [Ishihara

1999]• Based on CRN [Clote 1990], which

can be used to characterize AC0

f(x,0)=g(x)f(x,s0(y))=f(x,y) ± sg(h0(x,y,f(x,y)))

f(x,s1(y))=f(x,y) ± sg(h1(x,y,f(x,y)))

Equivalence

Let msp(x,y)=b x/2|y| c,

c(x,y,z)= if x mod 2=0 then y else z and

F1=[0,I,s0,s1,c,msp,#;COMP,FCRN]

F2=[0,I,s0,s,c,msp;SCOMP,SRN]

F3=[0,I,s0,s1,#;COMP,BRN] Then

FPTIME=F1=F ’2=F3

Proof Systems

• PV [Cook 1975] : Terms are built up from variables and function symbols re F3. formulas are equations between terms

• Defining equations for every term of F3 are included as axioms – need more initial functions

• Rules include reflexivity, symmetry and transitivity, rules for substitution and induction on notation

Induction on Notation

• Counterpart to definition by BRN:

f1(x,0)=g(x) f2(x,0)=g(x)

f1(x,si(y))=hi(x,y,f1(x,y)) f2(x,si(y))=hi(x,y,f2(x,y))

f1(x,y)=f2(x,y)

Beyond PV

• Extensions – PV1 [Cook 1975] - adds propositional

connectives– CPV, IPV [Cook Urquhart 1993] – adds

first-order logic

• Can obtain more natural induction rules, e.g. for appropriate

((0) Æ 8x((bx/2c) ! (x))) ! 8x(x)

Beyond PV

• Implicit formal systems also possible, e.g. S1

2 [Buss 1986] – poly-time functions are those definable in the system by a class of bounded formulas and provably total using limited induction on notation

• S12(PV) is conservative over PV

Adding Randomization

• [Impagliazzo Kapron 2004] takes the following approach: terms are PV terms or of the form

x ÃR {0,1}p(n).t

i ÃR [p(n)].t where t is a term• Formulas have the form u ¼ v (u,v closed)• Intended interpretation of formulas:

ensembles represented by u and v are computationally indistinguishable

“Induction” for Computational Indistinguishability

H-IND rule:

i ÃR [p(n)] .t(i) ¼ i ÃR [p(n)] .t(i+1)

t(0) ¼ t(p(n))

Other RulesPV ` t(x) = s(x)

x ÃR {0,1}p(n).t(x) ¼ x ÃR {0,1}p(n).s(x)UNIV

u ¼ v

t{u/x} ¼ t{v/x}

Also need EDIT rule for basic manipulation, e.g x,y ÃR {0,1}p(n).x ± y ¼ z ÃR {0,1}2p(n).z

SUB

A Methodology for Reduction Proofs

• Start with instance f of primitive X: introduce new function symbol, axioms expressing security property for X

• Obtain instance g of primitive Y in F3[f], prove that it satisfies security property for primitive Y using axioms for f

• What about reduction of adversaries? Implicit – follows from soundness

An Example

• Stretching the output of a PRG [Goldreich Micali ’89]

• Introduce a new function symbol f representing a PRG which stretches by 1 bit:

x à {0,1}n.f(x) ¼ x à {0,1}n+1.x

• Abbreviate: b(x)=f(x)1, r(x)=f(x){2,…,|x|}, so f(x) = b(x) ± r(x)

Example (contd)

• Define by BRN

r’(x,0)=x r’(x,i+1)=r(r’(x,i))

b’(x,0)=b’(x,i+1)=b’(x,i) ± b(r’(x,i))

Claim:

x ÃR {0,1}n.f’(x,n) ¼ x ÃR {0,1}2n.x

f’(x,i)=b’(x,i) ± r’(x,i)

Example (contd)• Need one lemma : PV ` f’(x,i+1) = b(x) ± f’(r(x),i)

(straightforward induction). By UNIV, x ÃR {0,1}n, i ÃR [n].f’(x,i+1)

¼ x ÃR {0,1}n, i ÃR [n].(b(x) ± f’(r(x),i))

Then from the definition of f, along with SUB and transitivity, we get

x ÃR {0,1}n, i ÃR [n].f’(x,i+1)

¼ x ÃR {0,1}n+1, i ÃR [n].(x1 ± f’(x{2…n+1},i))

Example (contd)

It then follows from SUB that x,z ÃR {0,1}n, i ÃR [n].(z{1…n-(i+1)} ± f’(x,i+1))

¼ z ÃR {0,1}n+1, x ÃR {0,1}n+1, i ÃR [n].

(z{1…n-(i+1)} ± x1 ± f’(x{2…n+1},i))

Define h(z,x,i)= z{1…n-i} ± f’(x,i).Then from the preceding, with several applications of EDIT and transitivity, we get:

x,z ÃR {0,1}n i ÃR [n].h(z,x,i)

¼ x,z ÃR {0,1}n i ÃR [n].h(z,x,i+1)

Example (contd)

By H-IND, we obtainx,z ÃR {0,1}n.h(z,x,0) ¼ x,z ÃR

{0,1}n.h(z,x,n)

Finally, several applications of UNIV (to the definition of h), along with EDIT and transitivity, yieldx ÃR {0,1}n.f(x,n) ¼ x ÃR {0,1}2n.x

The Full Example

• By running backwards through this proof, we automatically construct, for any A breaking f’, an A’ breaking f defined by:

A’(y)=zÃR {0,1}n, i ÃR [n].A(z{1…n-(i+1)}± y1 ±f’(y{2…|

y|},i))

Conclusions

• Formal reasoning about PPT functions in cryptographic settings is doable in a fairly direct way – still seems far from practical application

• Need to extend to more complex notions (e.g. pseudorandom functions, ZK) and arguments

• Look for extensions of function algebras (e.g. process calculi)

• Interesting theoretical questions (e.g. formalization of non-black-box arguments)