CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.


1 CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016

2 K-to-one functions
Say $f$ is $K$-to-1 if for every $y$, $|f^{-1}(y)| = K$.
Complexity of proof system grows linearly in $K$.
When, say, $K = 2^{n/2}$, this is exponential in $n$.
Can we do better?

3 INTERACTIVE PROOFS

4 Graph isomorphism
Claim: [figure: graph] is isomorphic to [figure: graph]
Proof: [figure]

5 Graph non-isomorphism
Claim: [figure: graph $G_0$] is not isomorphic to [figure: graph $G_1$]
Interactive proof:
Verifier: Choose random bit $b$, permutation  . Send graph $G$ =  ($G_b$).
Prover: Answer with $b'$.
Verifier: If $b' = b$, declare “probably not isomorphic”.

6 Graph non-isomorphism
Analysis:
If $G_0$, $G_1$ are not isomorphic, then the prover knows for sure that $G$ came from $G_b$, so he can answer $b$.
If $G_0$, $G_1$ are isomorphic, then $G$ is equally likely to have come from $G_0$ or $G_1$, so he can guess $b$ with probability 1/2.
Is there a classical proof system for graph non-isomorphism?
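The protocol of slides 5 and 6 as a runnable simulation (an added example, not part of the original slides). The sample graphs, the function names and the brute-force isomorphism test standing in for the unbounded prover are assumptions made for the illustration.

```python
import itertools
import random

def permute(edges, perm):
    """Relabel every vertex u as perm[u]; edges are stored as sorted pairs."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def isomorphic(g, h, n):
    """Unbounded prover's check: brute force over all n! relabelings."""
    return any(permute(g, p) == h for p in itertools.permutations(range(n)))

def verifier_challenge(g0, g1, n, rng):
    """Private coins: a bit b and a random relabeling of G_b."""
    b = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    return b, permute((g0, g1)[b], perm)

def prover_answer(g0, g1, challenge, n):
    """Honest prover: name the graph the challenge came from (0 if both fit)."""
    return 0 if isomorphic(g0, challenge, n) else 1

def count_correct(g0, g1, n, rounds, seed):
    """Number of rounds in which the prover's b' equals the verifier's b."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(rounds):
        b, challenge = verifier_challenge(g0, g1, n, rng)
        hits += prover_answer(g0, g1, challenge, n) == b
    return hits

# Constructed sample graphs on 4 vertices, 3 edges each.
PATH = [(0, 1), (1, 2), (2, 3)]
STAR = [(0, 1), (0, 2), (0, 3)]            # not isomorphic to PATH
PATH_RELABELED = [(2, 0), (0, 3), (3, 1)]  # PATH under a relabeling

if __name__ == "__main__":
    print("non-isomorphic:", count_correct(PATH, STAR, 4, 200, seed=1), "/ 200")
    print("isomorphic:    ", count_correct(PATH, PATH_RELABELED, 4, 200, seed=7), "/ 200")
```

With non-isomorphic inputs the prover is right in every round; with isomorphic inputs the challenge carries no information about b, so the count stays near half the rounds.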

7 Decision problems
Recall SUBSET-SUM:
$$13174331003415\,x_1 + 17285145771356\,x_2 + 19133308147607\,x_3 + 20768399988658\,x_4 + 22857403444525\,x_5 + 27320889680330\,x_6 + 32609413435035\,x_7 + 33346249486015\,x_8 + 36451703583100\,x_9 + 44137263807532\,x_{10} + 44383378110073\,x_{11} + 46011207828303\,x_{12} = 40168796369884$$
Given eqn, find a solution $x$ in $\{0, 1\}^{12}$ (if it exists)
Decision version $L$:
$L_{YES}$ are those eqn that have a solution
$L_{NO}$ are those eqn without a solution
Given $x$, decide if $x$ is in $L_{YES}$ or in $L_{NO}$

8 The class NP
[Diagram: on input $z$, an unbounded Prover sends a proof $p$ to an efficient Verifier, which outputs YES/NO]
Completeness: If $z \in L_{YES}$, then $V^P(z) = \text{YES}$
Soundness: If $z \in L_{NO}$, then $V^{P^*}(z) = \text{NO}$ for every $P^*$

9 An(other) NP-complete problem: SAT
Input: A set $C \subseteq \{0, 1\}^n$ specified by a circuit
$L_{YES}$: $C$ is not empty
$L_{NO}$: $C$ is empty
$C(x_1, x_2, x_3)$:
  y := x1 and x2 and x3
  z := y or (not x1)
  output z and (not y)
Prover: Send $x \in C$ (if x in $L_{YES}$)
Verifier: Accept if $C(x)$ evaluates to 1.

10 Interactive proofs
Given a (promise) decision problem $L$
[Diagram: on input $z$, a randomized efficient Verifier and an unbounded Prover exchange messages $q_1, a_2, \dots, q_{R-1}, a_R$; the Verifier outputs YES/NO]
Completeness: If $z \in L_{YES}$, $\Pr[V^P(z) = \text{YES}] \ge 3/4$
Soundness: If $z \in L_{NO}$, $\Pr[V^{P^*}(z) = \text{YES}] < 1/4$ for every $P^*$

11 Normal form for interactive proofs
The class AM consists of those decision problems that have constant round interactive proofs
Such proofs have a normal form:
[Diagram: Verifier sends public randomness $r$; Prover answers $a(z, r)$]
There is a compiler for converting protocols into this form; we’ll do an example instead.

12 An “AM-complete” problem
Input: A set $C \subseteq \{0, 1\}^n$ (specified by a circuit)
A size estimate $0 < S < 2^n$
$L_{YES}$: $|C| \ge S$
$L_{NO}$: $|C| < S/8$
Interactive proof:
Verifier: Send a random 2-universal hash function $h: \{0, 1\}^n \to \{0, 1\}^r$ where $2S \le 2^r < 4S$
Prover: Send $x$ (and a proof that $x \in C$)
Verifier: Accept if $x \in C$ and $h(x) = 0$.
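One round of the slide-12 protocol, simulated to estimate how often the verifier accepts on a YES and on a NO instance (an added example, not part of the original slides). The hash family used here, random affine maps over GF(2), is one standard 2-universal family chosen for the illustration; the sample sets, the seed values and all function names are assumptions.

```python
import random

def choose_r(S):
    """Smallest r with 2^r >= 2S, which also gives 2^r < 4S."""
    return (2 * S - 1).bit_length()

def sample_hash(n, r, rng):
    """Random affine map x -> Ax + b over GF(2), from n bits to r bits."""
    rows = [rng.getrandbits(n) for _ in range(r)]
    shift = rng.getrandbits(r)
    def h(x):
        bits = 0
        for i, row in enumerate(rows):
            bits |= (bin(row & x).count("1") & 1) << i   # parity of <row, x>
        return bits ^ shift
    return h

def prover(in_C, n, h):
    """Unbounded prover: search all of {0,1}^n for x in C with h(x) = 0."""
    return next((x for x in range(2 ** n) if in_C(x) and h(x) == 0), None)

def verifier_accepts(in_C, h, x):
    """Verifier's final check: x is in C and hashes to zero."""
    return x is not None and in_C(x) and h(x) == 0

def acceptance_rate(C, n, S, trials, seed):
    """Fraction of independent runs in which the verifier accepts."""
    rng = random.Random(seed)
    r = choose_r(S)
    in_C = C.__contains__          # membership test plays the role of the circuit
    accepted = 0
    for _ in range(trials):
        h = sample_hash(n, r, rng)
        accepted += verifier_accepts(in_C, h, prover(in_C, n, h))
    return accepted / trials

# Constructed sample instances over {0,1}^8 with size estimate S = 32.
N, S = 8, 32
_rng = random.Random(0)
C_YES = set(_rng.sample(range(2 ** N), 32))   # |C| >= S
C_NO = set(_rng.sample(range(2 ** N), 3))     # |C| < S/8

if __name__ == "__main__":
    print("YES instance:", acceptance_rate(C_YES, N, S, 1000, seed=3))
    print("NO instance: ", acceptance_rate(C_NO, N, S, 1000, seed=3))
```

For these sizes pairwise independence gives an acceptance probability of at least 32/64 - C(32,2)/64^2 ≈ 0.38 on the YES set and at most 3/64 ≈ 0.05 on the NO set, so the two cases separate after a few repetitions.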


15 The set size lower bound protocol
Input: A set $C \subseteq \{0, 1\}^n$
A size estimate $0 < S < 2^n$
An error parameter  > 0
$L_{YES}$: $|C| \ge S$
$L_{NO}$: |C| < (1 –  )S
Running time of verifier is linear in |C|/ 
Proof: Run original protocol on $(C^k, S^k)$, k = 3/ 

16 Graph non-isomorphism via set size
Given $G_0$, $G_1$ we want a proof of non-isomorphism
For simplicity we’ll assume $G_0$, $G_1$ have no automorphisms
Reduction to set size lower bound:
C = {  ($G_b$):  is a permutation, $b$ is a bit }
$G_0$, $G_1$ are isomorphic: $|C| = n!$
$G_0$, $G_1$ are not isomorphic: $|C| = 2 \cdot n!$
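The two set sizes on slide 16, checked by exhaustive enumeration on a 6-vertex graph with no non-trivial automorphisms (an added example, not part of the original slides). It also counts the same set for 4-vertex graphs that do have automorphisms, where the sizes are no longer n! and 2·n!. The sample graphs and function names are assumptions.

```python
import itertools

def permute(edges, perm):
    """Relabel every vertex u as perm[u]; edges are stored as sorted pairs."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def complement(edges, n):
    """All vertex pairs that are not edges."""
    present = permute(edges, range(n))
    return [e for e in itertools.combinations(range(n), 2) if e not in present]

def relabelings(edges, n):
    """The set of distinct graphs obtained by relabeling the vertices."""
    return {permute(edges, p) for p in itertools.permutations(range(n))}

def set_size(g0, g1, n):
    """|C| where C contains every relabeling of G_0 and of G_1."""
    return len(relabelings(g0, n) | relabelings(g1, n))

def automorphisms(edges, n):
    """Number of relabelings that map the graph to itself (1 = identity only)."""
    base = permute(edges, range(n))
    return sum(permute(edges, p) == base for p in itertools.permutations(range(n)))

# Constructed sample graphs. ASYM has only the identity automorphism.
ASYM = [(0, 1), (1, 2), (2, 3), (3, 4), (1, 5), (2, 5)]
ASYM_RELABELED = permute(ASYM, (3, 5, 0, 2, 4, 1))   # isomorphic to ASYM
ASYM_COMPLEMENT = complement(ASYM, 6)                # 9 edges, so not isomorphic
PATH = [(0, 1), (1, 2), (2, 3)]                      # 2 automorphisms
STAR = [(0, 1), (0, 2), (0, 3)]                      # 6 automorphisms

if __name__ == "__main__":
    print("isomorphic, n = 6:    ", set_size(ASYM, ASYM_RELABELED, 6))   # 6! = 720
    print("non-isomorphic, n = 6:", set_size(ASYM, ASYM_COMPLEMENT, 6))  # 2 * 6! = 1440
    print("path vs star, n = 4:  ", set_size(PATH, STAR, 4))             # 12 + 4 = 16
```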

17 AM ≈ NP
[Diagram: Verifier sends public randomness $r$; Prover answers $a(z, r)$]
If we replace $r$ by the output of a suitable pseudorandom generator, proof can be derandomized
Under a plausible assumption in complexity theory, AM = NP.

18 BACK TO CRYPTOGRAPHY

19 Hardness of regular one-way functions
Say $f: \{0, 1\}^n \to \{0, 1\}^{n-k}$ is $2^k$-to-1
Suppose we have a reduction $R^?$ that, given an inverter $I$ for $f$, solves $L$
Verifier will emulate reduction
Prover will emulate random inverter $I$:
Given a query $b$, return each $a$ s.t. $f(a) = b$ with probability $2^{-k}$ independently of previous queries and answers

20 Hardness of regular one-way functions
[Diagram: Verifier sends queries $b_1, \dots, b_t$; Prover answers $a_1 = I(b_1), \dots, a_t = I(b_t)$]
$x \in L$: $\Pr_{r, I}[R^I(x; r) \text{ accepts}] \ge 2/3$; $|\{(r, a_1, \dots, a_t) \text{ valid and accepting}\}| \ge (2/3)\, 2^{|r| + kt}$
$x \notin L$: $\Pr_{r, I}[R^I(x; r) \text{ accepts}] < 1/3$; $|\{(r, a_1, \dots, a_t) \text{ valid and accepting}\}| < (1/3)\, 2^{|r| + kt}$

21 Hardness of regular one-way functions
[Diagram: Verifier sends queries $y_1, \dots, y_t$; Prover answers $x_1 = I(y_1), \dots, x_t = I(y_t)$]
$x \notin L$: $\Pr_{r, I}[R^I(x; r) \text{ rejects}] \ge 2/3$; $|\{(r, x_1, \dots, x_t) \text{ valid and rejecting}\}| \ge (2/3)\, 2^{|r| + kt}$
$x \in L$: $\Pr_{r, I}[R^I(x; r) \text{ rejects}] < 1/3$; $|\{(r, x_1, \dots, x_t) \text{ valid and rejecting}\}| < (1/3)\, 2^{|r| + kt}$

22 What we did so far
We sketched why security of “structured” one-way functions cannot be provably NP-hard
(More complicated for arbitrary functions)
It may be that there exist such NP-hard to break functions; if true this is not provable
Next we show examples where breaking the crypto is (provably) not NP-hard

23 Indistinguishability obfuscation
[Diagram: obfuscator O takes a circuit C and outputs Ц]
Functionality: Ц ≡ C ( Ц(x) = C(x) for all x )
Security: If C ≡ C’ then random vars Ц and Ц’ are indistinguishable

24 Kinds of indistinguishability
Perfect: X and X’ look identical to every (boolean) test
Statistical: no test can distinguish with advantage > 1%
Computational: no efficient test can distinguish with advantage > 1%

25 Indistinguishability obfuscation
[Diagram: obfuscator O takes a circuit C and outputs Ц]
No statistically secure indistinguishability obfuscation exists*
* Unless NP is in coAM

26 STATISTICAL ZERO-KNOWLEDGE

27 Graph isomorphism
Claim: [figure: graph] is isomorphic to [figure: graph]
Proof: [figure]
Verifier learns the isomorphism!

28 A zero-knowledge proof
Input: Two graphs $G_0$, $G_1$ (Assume isomorphic)
Prover: Choose random $H$ isomorphic to $G_0$ and $G_1$. Send $H$.
Verifier: Answer with $b$.
Prover: Reveal isomorphism between $H$ and $G_b$.
Verifier: If $H \equiv G_b$, say “$G_0$, $G_1$ probably isomorphic”. Otherwise say “$G_0$, $G_1$ not isomorphic”.

29 Zero-knowledge proofs
If $G_0$, $G_1$ are isomorphic, verifier does not learn the isomorphism (or anything else)
So graph isomorphism has zero-knowledge proofs
The proof for non-isomorphism is also zero-knowledge!
Every problem that has zero-knowledge proofs also has zero-knowledge refutations
… or SZK ⊆ AM ∩ coAM
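Why the verifier of slide 28 learns nothing, shown by exhaustive enumeration for an honest verifier whose challenge bit is uniform (an added example, not part of the original slides). A simulator that does not know the isomorphism produces exactly the same distribution of transcripts (H, b, revealed isomorphism) as the real prover; the sample graphs, the secret SIGMA and the function names are assumptions.

```python
import itertools
from collections import Counter

def permute(edges, perm):
    """Relabel every vertex u as perm[u]; edges are stored as sorted pairs."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def compose(tau, sigma):
    """The relabeling 'first sigma, then tau'."""
    return tuple(tau[sigma[u]] for u in range(len(sigma)))

def verifier_check(graphs, h, b, rho):
    """Verifier's test: the revealed rho maps G_b onto H."""
    return permute(graphs[b], rho) == h

def real_transcripts(g0, g1, sigma, n):
    """Every (H, b, rho) the verifier can see when the prover knows sigma."""
    seen = Counter()
    for tau in itertools.permutations(range(n)):       # prover's coins
        h = permute(g1, tau)                            # commit: H = tau(G1)
        for b in (0, 1):                                # verifier's challenge
            rho = tau if b == 1 else compose(tau, sigma)
            if not verifier_check((g0, g1), h, b, rho):
                raise ValueError("honest prover was rejected")
            seen[(h, b, rho)] += 1
    return seen

def simulated_transcripts(g0, g1, n):
    """Simulator with no witness: fix b and rho first, then set H = rho(G_b).
    It keeps only the runs where the verifier's challenge equals its b."""
    seen = Counter()
    for rho in itertools.permutations(range(n)):
        for b in (0, 1):
            seen[(permute((g0, g1)[b], rho), b, rho)] += 1
    return seen

# Constructed sample input: a 4-vertex path and a relabeled copy of it.
G0 = [(0, 1), (1, 2), (2, 3)]
SIGMA = (2, 0, 3, 1)                 # the prover's secret: SIGMA(G0) = G1
G1 = permute(G0, SIGMA)

if __name__ == "__main__":
    same = real_transcripts(G0, G1, SIGMA, 4) == simulated_transcripts(G0, G1, 4)
    print("transcript distributions identical:", same)
```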

30 Statistical distance (SD)
Input: Two random variables $X$, $Y$ over $\{0, 1\}^n$ (specified by samplers)
$L_{YES}$: $X$ and $Y$ are 99% statistically distinguishable
$L_{NO}$: $X$ and $Y$ are 1% statistically indistinguishable
SD has statistical zero-knowledge proofs (and is in fact SZK-complete)

31 BACK TO CRYPTO

32 Indistinguishability obfuscation
No statistically secure iO exists unless NP has short interactive refutations
Proof: Assume it did
Let C be any set (circuit) …and Z be the empty set (zero circuit)
If C empty, then C ≡ Z …so Ц and З are stat indistinguishable
If C not empty, then C(x) ≠ Z(x) for some x …so Ц and З are perfectly distinguishable

33 Indistinguishability obfuscation
No statistically secure iO exists unless NP has short interactive refutations
We just saw a reduction from SAT to SD (assuming statistically secure iO)
Since SD has short refutations, so does SAT (and all of NP)

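34 Public-key bit encryption
[Diagram: Bob holds SK and PK; Alice, given PK and a bit $b$, sends $\mathrm{Enc}_{PK}(b)$; Bob applies $\mathrm{Dec}_{SK}$ to it and obtains $b$]
message indistinguishability: $(PK, \mathrm{Enc}_{PK}(0))$ and $(PK, \mathrm{Enc}_{PK}(1))$ are computationally indistinguishable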

35 El Gamal encryption
$g$, $h$ in some large cyclic group
$PK = (g, h)$, $SK$ such that $g^{SK} = h$
$\mathrm{Enc}_{PK}(b) = (g^r, 2^b h^r)$ where $r$ random
$\mathrm{Dec}_{SK}(x, y) = b$ such that $2^b \cdot x^{SK} = y$

36 Homomorphism of encryptions
$\mathrm{Enc}_{PK}(b) = (g^r, 2^b h^r)$
strongly homomorphic: $\mathrm{Enc}_{PK}(b)\,\mathrm{Enc}_{PK}(b')$ and $\mathrm{Enc}_{PK}(b + b')$ are identically distributed
weakly homomorphic: $\mathrm{Dec}_{SK}(\mathrm{Enc}_{PK}(b)\,\mathrm{Enc}_{PK}(b')) = b + b'$

37 Breaking homomorphic encryption
Homomorphic encryption for XOR is not NP-hard to break*
… because it can be broken in statistical zero-knowledge
(nothing special about XOR, true for “most” $f$)
* Unless NP is in coAM

38 Rerandomization
The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key
El Gamal example:
$PK = (g, h)$, $SK$ such that $g^{SK} = h$
$C = (g^r, 2^b h^r)$
$\mathrm{Rer}_{PK}(C) = C \cdot (g^{r'}, h^{r'})$ is i.i.d. with $C$

39 Rerandomization from evaluation
[Diagram: $H$, a strong homomorphic evaluator for XOR, with inputs and outputs labelled Enc(0), Enc(b) and Enc(1); the construction is labelled Rer]

40 Rerandomization from evaluation
[Diagram: $H$ applied to Enc(0)]
To $H$, Enc(0) indistinguishable from Enc(0), so output of $H$ must forget most of Enc(0)

41 Rerandomization from evaluation
Lemma: If $H$ is a strong homomorphic evaluator for majority on $k$ bits, then (Enc($b$), Rer(Enc($b$))) is $\sqrt{c/k}$-close to a pair of independent encryptions of $b$.
We prove a weaker version for weak homomorphic evaluators and any sensitive $f$.

42 Distinguishing rerandomizations
Rerandomizable encryption can be broken in statistical zero-knowledge:
Rer(Enc($b$)) vs. Enc(0)
If $b = 0$, they are statistically close
If $b = 1$, they must be statistically far
so they can be distinguished in SZK
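The El Gamal bit encryption of slide 35, its rerandomization from slide 38, and the comparison on slide 42 computed exactly over a toy group (an added example, not part of the original slides). The group parameters P, Q, G, the key value and the function names are assumptions chosen so that every random choice can be enumerated; the parameters are far too small for real use.

```python
from collections import Counter
from fractions import Fraction

# Toy parameters (assumed for this example): P = 2Q + 1, G = 4 generates the
# order-Q subgroup of Z_P^*, which also contains 2.
P, Q, G = 2039, 1019, 4

def keygen(sk):
    return (G, pow(G, sk, P))                    # PK = (g, h) with h = g^SK

def enc(pk, b, r):
    g, h = pk
    return (pow(g, r, P), pow(2, b, P) * pow(h, r, P) % P)

def dec(sk, c):
    x, y = c
    m = y * pow(x, Q - sk, P) % P                # y / x^SK, since x^Q = 1
    return next(b for b in range(3) if pow(2, b, P) == m)

def mul(c1, c2):
    """Componentwise product of two ciphertexts."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rer(pk, c, r2):
    return mul(c, enc(pk, 0, r2))                # C * (g^r', h^r')

def distribution(samples):
    counts = Counter(samples)
    total = sum(counts.values())
    return {c: Fraction(k, total) for c, k in counts.items()}

def statistical_distance(d1, d2):
    support = set(d1) | set(d2)
    return sum(abs(d1.get(c, 0) - d2.get(c, 0)) for c in support) / 2

def rer_vs_enc0(pk, c):
    """Exact distance between Rer(c) and Enc(0), over all random choices."""
    rerandomized = distribution(rer(pk, c, r2) for r2 in range(Q))
    fresh_zero = distribution(enc(pk, 0, r) for r in range(Q))
    return statistical_distance(rerandomized, fresh_zero)

if __name__ == "__main__":
    sk = 77                                      # constructed sample key
    pk = keygen(sk)
    for b in (0, 1):
        print("b =", b, "distance =", rer_vs_enc0(pk, enc(pk, b, r=5)))
```

For El Gamal the two cases are as far apart as possible: distance 0 when b = 0 and distance 1 when b = 1, computed from the public key and the ciphertext alone.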

43 Conclusion (and more)
Complexity helps us understand certain (theoretical) limitations of cryptography
Structured one-way functions aren’t provably NP-hard:
One-way permutations [Brassard, Goldreich-Goldwasser]
2-to-1 [Akavia-Goldreich-Goldwasser-Moshkovitz]
K-to-1, size-verifiable [AGGM, B.-Brzuska]
General OWFs under non-adaptive reductions [Feigenbaum-Fortnow, B.-Trevisan, AGGM]
Hash functions, limited adaptivity [Haitner-Mahmoody-Xiao]

44 Conclusion (and more)
Crypto that can be broken in SZK:
Homomorphic encryption [B.-Lee]
Private information retrieval [Vaikuntanathan-Liu]
There is no statistically secure iO [Goldwasser-Rothblum]

