
+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way - PowerPoint PPT Presentation



  1. + Mohammad Mahmoody Rafael Pass

  2. + Modern Cryptography and One-Way Functions
      - Modern Cryptography is based on computational assumptions. [Shannon 1950s]
      - OWFs, a central player: f: {0,1}^n → {0,1}^n. Easy to compute f(x). Hard to find x ∈ f^(-1)(U_n).
      - (Diagram labels: "easy", "hard".)
      - 1. Almost all crypto “needs” one-way-ness [Impagliazzo-Luby ’89]
      - 2. We can do great things with it (Encryption, Signatures, etc).

  3. + A Success Story: OWF vs OWP
      - One-Way Permutation f: f is OWF + it is a permutation on {0,1}^n (e.g. discrete logarithm).
      - (Diagram: f from {0,1}^n to {0,1}^n; labels "easy", "hard".)
      - Success Story: To do something: 1) Build it using one-way Permutations. 2) Get rid of the structure: use injective, then regular, then… Eventually use any one-way function!
      - Examples:
        - Pseudorandom Generators [BM82, Yao82, Lev87, GKL93, GL89, HILL99]
        - Statistical Zero Knowledge [BCC88, GMR88, BCY91, NOVY98, GK96, DPP98, HHKKMS05, NOV06, HR07, HNORV07, HRVW09]
        - Signatures, etc.
      - Interestingly: we know OWF  OWP [BI87, HH87, Tar87, Rud88]

  4. + Question 1: Can we always use OWFs instead of OWPs in Natural Cryptographic Tasks?
      - Is there any natural task Q such that OWP  Q but OWF  Q ?
      - Black-Box Separation

  5. + Black-Box Constructions (Separation: No Const. Exists)
      - (Diagram labels: Primitive, Task; "Black-Box" and "Non-Black-Box".)
      - Black-Box Constructions:
        - The (perhaps inefficient) primitive is used only as an “oracle”.
        - Captures most known techniques
        - Usually more efficient
        - Can incorporate “physical” implementations and attacks

  6. + Another Success Story (from Non-Black-Box to Black-Box)
      - (Diagram labels: Primitive, Task; "Non-Black-Box" and "Black-Box"; "By the time...".)
      - For many Cryptographic Constructions: Start from a non-black-box const.  make it black-box. [HIKLP ’11, CDSMW ’09, WeePass ’08, Wee ’10, Goyal ’10, …]
      - Our Focus: Implementation (not the security reduction). Different from setting of [GK ’90] vs [Barak ’05].

  7. + Question 2: Can we always make non-black-box implementations black-box?
      - Any natural task Q and assumption A known that: A  Q black-box but A  Q non-black-box

  8. + Our Results
      - NIC = Non-Interactive Commitments
      - 1) OWP  NIC but OWF  NIC
      - 2) There is a crypto assumption A such that:
        - NIC can be based on A using a non-black-box
        - NIC can not use A only as a black-box.

  9. + (Non-Interactive) Commitments
      - Digital analogue of a vault.
      - (Diagram labels: Sender, Receiver, bit: b, Commit, Decommit, rand = password.)
      - Hiding: Receiver can’t guess bit b in commit phase.
      - Binding: Sender can’t decommit to both 0 and 1 in decommit phase.
      - Non-Interactive: Commit without interaction with receiver.
      - Application: ZK, coin tossing, publicly verifiable secret predictions, etc…
      - Blum-Micali ’81 + Yao ’82: One-Way Permutations  NIC

  10. + Plan
      - Black-Box Separation of NIC from OWF
      - An inherently non-black-box assumption for NIC
      - Extensions and Open Questions

  11. + Plan
      - Black-Box Separation of NIC from OWF
      - An inherently non-black-box assumption for NIC
      - Extensions and Open Questions

  12. + A General Technique for Separation from OWF [IR ’86]
      - To get Black-Box Separation:
        1. Use Random Oracle instead of OWF in construction of NIC
        2. Break NIC with poly(n) queries to Random Oracle.
      - Why it works? Such attack against NIC + Security Reduction for NIC:  invert Random Oracle with poly(n) queries (impossible).

  13. + Applying the General Technique?
      - Hope: “break” any NIC with “few queries” in the random oracle model.
      - But: relative to RO injective OWFs exist! (still sufficient for NIC).
      - We will use a partially-fixed random oracle O: fixed (with collisions) on poly(n) points, random elsewhere.

  14. + High Level of Proof
      - Theorem: There is no black-box construction of NICs from OWFs
      - Proof: Either of the following holds:
        1) Receiver can guess b in Rand Oracle by poly(n) queries. (Learn queries “likely” asked by Sender, then guess b).
        2) If the cheating Receiver FAILS: Sender can decommit into b = 0 and 1 using a partially-fixed Random Oracle (fixed on poly(n) points, random elsewhere).

  15. + Cheating Sender’s Partially-Fixed Random Oracle
      - (Diagram labels: "Fixed Parts based on Receiver fail to cheat"; "Commit to 0"; "Commit to 1".)
      - Oracle fixed only over poly(n) points and random elsewhere. So the oracle is strongly one-way.
      - Yet, the sender can open the commitment C into both 0 and 1 consistent with the oracle.

  16. + Theorem [this work] There is no black-box construction of NIC from OWFs. Answers our first question: OWP is indeed more useful than OWF to get NIC.

  17. + Plan
      - Black-Box Separation of NIC from OWF
      - An inherently non-black-box assumption for NIC
      - Extensions and Open Questions

  18. + Black-Box vs Non-Black-Box Use of OWF – a Conditional Separation
      - Theorem [this work]. There is no black-box construction of NIC from OWFs.
      - Theorem [BOV ’05]. Assuming certain (believable) circuit lower bounds: There is a non-black-box construction of NIC from OWFs (derandomize Naor’s two-message protocol).
      - Conclusion: Assuming the same circuit lower bounds: NIC can be based on OWFs only by non-black-box construction.

  19. + Black-Box vs Non-Black-Box Use of OWF – Unconditional Separation?
      - Theorem [this work]. There is no black-box construction of NIC from OWFs, even if it is a “hitting” OWF.
      - Theorem [implicit in BOV ’05]. There is a non-black-box construction of NIC from hitting OWFs (no circuit lower-bound assumption!)
      - Conclusion: NIC can be based on Hitting OWFs only through a non-black-box construction.

  20. + Hitting Functions
      - f is Hitting if {f(1), f(2), …, f(n^2)} intersects “accepting inputs” of all poly(n)-sized non-deterministic circuits that accept most of their input.
      - Easy to show: Random Oracle is hitting with high probability.
      - How about our partially fixed random oracle?
      - (Diagram labels: "Fixed Parts based on Receiver fail to cheat"; "Commit to 0"; "Commit to 1".)
      - Need technical tools: new concentration bounds using anti-concentration.

  21. + Plan
      - Black-Box Separation of NIC from OWF
      - An inherently non-black-box assumption for NIC
      - Extensions and Open Questions

  22. + 3-Message Zero-Knowledge Proofs
      - NIC used for 3-message Honest-Verifier Zero-Knowledge
      - Theorem. Use OWF as a black-box to get “certain” 3-message HVZK for NP  NP is “checkable” [BK ’89]
      - Same barrier as in [HMX10, MX10, GWXY10]
      - Idea: Construct a proof system for co-NP with prover in BPP^NP

  23. + Open Questions
      - Prove that NP is checkable based on any black-box construction of 3-message HVZK for NP from OWFs.
      - Other natural pairs of cryptographic primitives that inherently require non-black-box constructions?

  24. + Thank You !
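
An added example, not taken from the slides: the commitment of slide 9 built in the Blum-Micali/Yao style as (f(x), r, b XOR <x, r>), using the Goldreich-Levin inner-product bit as the hardcore predicate (a choice made for this example). The toy values P = 1019, G = 2 and all function names are assumptions; the code shows that binding holds when f is a permutation and is lost once f has collisions, the kind of structure the cheating sender of slides 14 and 15 relies on. It says nothing about hiding, which only holds at cryptographic sizes.

```python
import secrets

P, G = 1019, 2   # constructed toy values: 1019 is prime and 2 generates Z_P^*

def owp(x):
    """x -> G^x mod P: a permutation of {1..P-1} (discrete-log candidate)."""
    return pow(G, x, P)

def square(x):
    """x -> x^2 mod P: not injective, x and P-x collide."""
    return (x * x) % P

def gl_bit(x, r):
    """Goldreich-Levin predicate: inner product of the bits of x and r, mod 2."""
    return bin(x & r).count("1") % 2

def commit(f, b, x=None, r=None):
    """Return (commitment, opening) for bit b; the sender picks x and r."""
    x = 1 + secrets.randbelow(P - 1) if x is None else x
    r = secrets.randbits(P.bit_length()) if r is None else r
    return (f(x), r, b ^ gl_bit(x, r)), x

def verify(f, com, b, x):
    """Receiver's decommit check."""
    y, r, masked = com
    return 1 <= x < P and f(x) == y and masked == b ^ gl_bit(x, r)

def openable_bits(f, com):
    """Brute-force every opening (feasible only at toy size)."""
    return {b for x in range(1, P) for b in (0, 1) if verify(f, com, b, x)}

def is_permutation(f):
    return len({f(x) for x in range(1, P)}) == P - 1

if __name__ == "__main__":
    com, x = commit(owp, 1)
    print("OWP commitment opens to:", openable_bits(owp, com))
    # Cheating sender with the colliding function: r = 1 separates x from P - x
    # because P is odd, so the two preimages have different low bits.
    com, x = commit(square, 0, x=5, r=1)
    print("square commitment opens to:", openable_bits(square, com))
    print(verify(square, com, 0, x), verify(square, com, 1, P - x))
```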
