
Notions of Black-Box Reductions, Revisited

ASIACRYPT 2013. Paul Baecher, Christina Brzuska, Marc Fischlin. Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and Center For Advanced Security Research Darmstadt (CASED)


  1. Notions of Black-Box Reductions, Revisited ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Marc Fischlin Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and Center For Advanced Security Research Darmstadt (CASED)

  2. Introduction

  3. The Cryptographic Zoo
     PRP, PKE, PRF, KA, MAC, MPC, OWF, OWP, PRG, CRHF, COM, SIG, ZK
     • basic issues in cryptography
     • what can be built from what?
     • how (efficient)?

  6. A Typical Theorem in Cryptography
     [diagram: f (e.g. OWP) → constr. → G[f] (e.g. PRG)]
     Theorem: Let f be a P. Then construction G[f] is a Q.
     (corollary: if P exists, then Q exists.)
     Question 1: what is G[f]?
     • construction G uses f as an oracle (G^f)
     • construction G uses f in some constricted way
     • construction G uses f's code
     • ???

  8. Proving the Theorem
     [diagram: f → constr. → G[f]; A → red. → S[A, f]]
     Theorem: Let f be a P. Then construction G[f] is a Q.
     • almost always: proof by reduction (show the contrapositive)
     • transform an attack on G into an attack on f
     • if algorithm A breaks G, then algorithm S[A, f] breaks f
     • S[A, f] is the (constructive) reduction
     • Question 2: what is S[A, f]?
     • Question 3: what is S[A, f]?

  9. Why We Care About these Questions
     • very important for impossibility results / separations
     • i.e., much weaker versions of P exists ⇏ Q exists
     • what exactly is being ruled out?
     • . . . and what is left to try?
     • impossibility results are inspiring
     • enforces precise definitions of primitives
     • “we separate xyz from OWFs. . . ”
     • more black box, more efficient, more practical (usually)
     • better understanding of a fundamental technique in our field

  14. Notions of Reductions
     • Defined by Reingold, Trevisan, and Vadhan (TCC ’04, [RTV04])
     • three∗ types of reductions:
       fully black box. ∃S ∀A: if A breaks G^f, then S^{A,f} breaks f.
       semi black box. ∀A ∃S: if A^f breaks G^f, then S^f breaks f. (slide annotations: order switched, f oracle, no A oracle)
       weakly black box. ∀A ∃S: if A breaks G^f, then S^f breaks f. (slide annotation: no f oracle)

  16. In This Work
     • even more, fine-grained notions
     • . . . derived in a systematic way
     • consider, for example,
       • reduction makes non-black-box use of primitive, but black-box use of adversary (think meta reductions)
       • efficient primitives and/or adversaries
       • black-box use, but partial information (run time, #queries, . . . )
     • [RTV04] too coarse to capture such differences

  17. CAP

  22. Three Questions: A Short Encoding
     Q1: what is G[f]? → C
     Q2: what is S[A, f]? → A
     Q3: what is S[A, f]? → P
     • C, A, P ∈ {N, B}
     • Non black box / Black box

  25. Obtaining Actual Definitions
     example: BBB
     1. what is G[f]? B: “∃G” ≺ “∀f”
        what is S[A, f]? B: “∃S” ≺ “∀A”
        what is S[A, f]? B: “∃S” ≺ “∀f”
     2. “∃G”, “∃S” ≺ “∀f”, “∀A”
     3. ∃G, S ∀f, A: A^{f,G^f} breaks G^f ⇒ S^{A^f,f} breaks f

  26. Obtaining Actual Definitions
     example: NBB
     1. what is G[f]? N: “∀f” ≺ “∃G”
        what is S[A, f]? B: “∃S” ≺ “∀A”
        what is S[A, f]? B: “∃S” ≺ “∀f”
     2. “∃S” ≺ “∀f” ≺ “∃G” and “∃S” ≺ “∀A”
     3. ∃S ∀f ∃G ∀A: A^{f,G^f} breaks G^f ⇒ S^{A^f,f} breaks f

  27. Obtaining Actual Definitions (cont’d)
     Name   Summary of definition
     BBB    ∃G ∃S ∀f ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
     BNB    ∃G ∀A ∃S ∀f ((G^f, A^f) ⇒ (f, S^{A,f}))
     BBN    ∃G ∀f ∃S ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
     BNN    ∃G ∀f ∀A ∃S ((G^f, A^f) ⇒ (f, S^{A,f}))
     NBB    ∃S ∀f ∃G ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
     NBN    ∀f ∃G ∃S ∀A ((G^f, A^f) ⇒ (f, S^{A,f}))
     NNN    ∀f ∃G ∀A ∃S ((G^f, A^f) ⇒ (f, S^{A,f}))
     see page 305 of the proceedings (Part I)

  30. Basic Relations
     [diagram: implications among BBB; BBN, BNB, NBB; BNN, NBN, NNB; NNN. Legend: implication (strict); implication w.r.t. separations]

  31. There is More. . .
     • adversaries A can be PPT or inefficient
     • [RTV04]: mixed
     • here: inefficient up to now
     • all previous notions can be considered for efficient adversaries
     • shorthand: CAPa, restricted quantification ∀ PPT A

  34. Another Dimension
     [diagram: the notions BBB; BBN, BNB, NBB; BNN, NBN, NNB; NNN next to their efficient-adversary variants BBBa; BBNa, BNBa, NBBa; BNNa, NBNa, NNBa; NNNa. Labels on the diagram: fully, relativizing, semi, ∀∃-semi, weakly, ∀∃-weakly, free, relativizing (e.g., [IR89])]
     note: not all CAPa implications are strict

  35. Neither B nor N

  37. Parameterized Reductions
     [diagram: the lattice BBB; BBN, BNB, NBB; BNN, NBN, NNB; NNN, annotated “somewhere here?”]
     • consider the Goldreich–Levin hardcore bit [GL89]
     • reduction requires success probability of adversary (but nothing else)
     • black box? non black box?
     • parameterized reduction
     • here: par(A) := success probability
     • BBB w/ param: A^{f,G^f} breaks G^f ⇒ S^{A^f,f}(par(A)) breaks f
     → parameters made explicit

  39. Summary
     • things I forgot to tell you
       • CAPp: efficient primitives
       • CAPap: efficient adversaries and efficient primitives
       • careful when defining primitives
     • things to remember
       • given any reduction/separation, ask three (five) questions
       • “impossibility” rarely means impossible
       • look for hidden parameters
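
The derivation on the "Obtaining Actual Definitions" slides, as an added Python example that is not part of the original deck or the paper: each letter of a CAP code contributes one ordering constraint between two quantified objects, and the constraints are merged into a quantifier prefix. Two things are assumptions of this example: the N rules for A and P are taken as the reverse of the B rules (as the table rows suggest), and `PRIORITY` is a tie-break chosen so that the output matches the seven rows of the table.

```python
# Added example: derive the quantifier prefix of a CAP notion from its three letters.
# G = construction, S = reduction (existential); f = primitive, A = adversary (universal).
QUANT = {"G": "∃", "S": "∃", "f": "∀", "A": "∀"}

# Assumption of this example: when the constraints leave several objects ready,
# emit them in this order. It reproduces the ordering used in the slides' table.
PRIORITY = ("G", "S", "f", "A")

def constraints(cap):
    """Return the (earlier, later) ordering pairs for a CAP code such as 'NBB'."""
    if len(cap) != 3 or any(ch not in "BN" for ch in cap):
        raise ValueError(f"CAP code must be three letters from B/N, got {cap!r}")
    c, a, p = cap
    return [
        ("G", "f") if c == "B" else ("f", "G"),  # C: does G depend on f?
        ("S", "A") if a == "B" else ("A", "S"),  # A: does S depend on A?
        ("S", "f") if p == "B" else ("f", "S"),  # P: does S depend on f?
    ]

def prefix(cap):
    """Merge the three constraints into one quantifier prefix (topological order)."""
    pairs = constraints(cap)
    placed = []
    while len(placed) < len(PRIORITY):
        # An object is ready once everything that must precede it is placed.
        # The constraint graph is a path A-S-f-G, so it can never be cyclic.
        ready = [x for x in PRIORITY if x not in placed
                 and all(e in placed for e, later in pairs if later == x)]
        placed.append(ready[0])
    return " ".join(QUANT[x] + x for x in placed)

def definition(cap):
    """Prefix plus the shorthand implication used in the slides' table."""
    return f"{prefix(cap)} ((G^f, A^f) ⇒ (f, S^{{A,f}}))"

# The seven rows given in the slides' table (the table has no NNB row).
TABLE = {
    "BBB": "∃G ∃S ∀f ∀A", "BNB": "∃G ∀A ∃S ∀f", "BBN": "∃G ∀f ∃S ∀A",
    "BNN": "∃G ∀f ∀A ∃S", "NBB": "∃S ∀f ∃G ∀A", "NBN": "∀f ∃G ∃S ∀A",
    "NNN": "∀f ∃G ∀A ∃S",
}

if __name__ == "__main__":
    for cap, expected in TABLE.items():
        print(cap, definition(cap), "OK" if prefix(cap) == expected else "MISMATCH")
```
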
