information theoretic cryptography introduction
![Page 1: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/1.jpg)
Information Theoretic Cryptography
Introduction
Benny Applebaum
Tel Aviv University
BIU Winter-School of Information-Theoretic Cryptography
February 2020
![Page 2: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/2.jpg)
Communication and Computation in the presence of adversary
Honest party Honest party
Adversary
Computational Cryptography
![Page 3: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/3.jpg)
• Encryption
• Authentication
Honest party Honest party
Adversary
Computational Cryptography
![Page 4: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/4.jpg)
• Commitments
• Coin Tossing
• ZK-Proofs
• Secure Computation
Adversary
Computational Cryptography
![Page 5: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/5.jpg)
Exploit computational limitation to achieve privacy/authenticity/…
Adversary: Poly-bounded
Computational Cryptography
![Page 6: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/6.jpg)
Information-Theoretic Cryptography
Exploit information gaps to achieve privacy/authenticity/…
Adversary: Computationally unbounded
![Page 9: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/9.jpg)
(Shallow) Comparison
Computational Cryptography
• Comp-limited adversary
• Unproven assumptions
• Composability issues
• Complicated def’s
• Allows magic (PRG/PKC/OT/)
• Short keys
• May be comp. expensive
IT Cryptography
• Comp-unbounded adversary
• Unconditional (no assumptions)
• Good closure properties
• Easy to define and work with (concretely)
• No magic (useless w/o information gaps)
• Long keys/large communication
• Typically fast (for short messages)
![Page 10: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/10.jpg)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower
Assumption
![Page 11: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/11.jpg)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower
One-time pad
AES
RSA
OT
Obfuscation
Time (per-bit)
![Page 12: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/12.jpg)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower: Realistic View
![Page 13: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/13.jpg)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The Crypto Tower: Realistic View
GGM, GL, HILL
DDH-KA, RSA-OAEP, FDH-RSA
GMW-MPC GMW-ZK Yao-GC
MMAPS-based obfuscation
![Page 14: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/14.jpg)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The best of all worlds
Problem
![Page 15: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/15.jpg)
Obfustopia
Secure Computation
Public-Key
Symmetric
Information Theoretic
The best of all worlds
Problem
Problem
![Page 16: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/16.jpg)
Two Case Studies:
Perfect Encryption & Error Correcting Codes
Image credits:
Photo: CC BY SA 4.0, by DobriZheglov, https://commons.wikimedia.org/wiki/File:Claude_Shannon_1776.jpg
Ali Baba's cave: CC BY 2.5, by Dake, https://commons.wikimedia.org/wiki/File:Zkip_alibaba{1,2,3}.png
![Page 17: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/17.jpg)
Case Study 1: Perfect Encryption [Shannon 48]
Alice Bob
Message $M \in \{0,1\}^n$
![Page 18: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/18.jpg)
Case Study 1: Perfect Encryption [Shannon 48]
Secrecy: For every $X, Y \in \{0,1\}^n$, $E_K(X) \equiv E_K(Y)$ where $K \in_R \mathbf{K}$
$M \in \{0,1\}^n$
Private key $K \in \mathbf{K}$
Encryption → Ciphertext $E_K(M)$ → Decryption
Private key $K \in \mathbf{K}$
$M \in \{0,1\}^n$
![Page 19: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/19.jpg)
Perfect Secrecy
Secrecy: For every $X, Y \in \{0,1\}^n$, $E_K(X) \equiv E_K(Y)$ where $K \in_R \mathbf{K}$
$\forall C,\ \Pr_K[E_K(X) = C] = \Pr_K[E_K(Y) = C]$
![Page 20: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/20.jpg)
Statistical Secrecy
Secrecy: For every $X, Y \in \{0,1\}^n$, $E_K(X) \approx E_K(Y)$ where $K \in_R \mathbf{K}$
$\forall$ set of ciphertexts $S$, $\Pr_K[E_K(X) \in S] \approx_\delta \Pr_K[E_K(Y) \in S]$
![Page 21: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/21.jpg)
Statistical Secrecy
Secrecy: For every $X, Y \in \{0,1\}^n$, $E_K(X) \approx E_K(Y)$ where $K \in_R \mathbf{K}$
$\forall$ unbounded $Adv$, $\left|\Pr_K[Adv(E_K(X)) = 1] - \Pr_K[Adv(E_K(Y)) = 1]\right| \le \delta$
![Page 22: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/22.jpg)
Computational Secrecy [GM’82]
Secrecy: For every $X, Y \in \{0,1\}^n$, $E_K(X) \approx E_K(Y)$ where $K \in_R \mathbf{K}$
$\forall$ comp-bounded $Adv$, $\left|\Pr_K[Adv(E_K(X)) = 1] - \Pr_K[Adv(E_K(Y)) = 1]\right| \le \delta$
![Page 23: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/23.jpg)
One-Time Pad is Perfectly Secure
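Message $M \in \{0,1\}^n$
Private key $K \in_R \{0,1\}^n$
Encryption: $E_K(M) = K \oplus M$
Private key $K \in_R \{0,1\}^n$
Decryption: $D_K(C) = C \oplus K$
$\forall X, Y,\ E_K(X) \equiv E_K(Y)$
Overlay: $\{0,1\}^n$ becomes a group $G$, with $\oplus$ becoming $+$ (encryption) and $-$ (decryption)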
![Page 24: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/24.jpg)
Proof
$\forall X, Y,\ E_K(X) \equiv E_K(Y)$
Claim: $\forall X, C,\ \Pr_K[E_K(X) = C] = 1/|G|$
$\Pr_K[K + M = C] = \Pr_K[K = C - M] = 1/|G|$
Put differently: for every $X$ the mapping $K \mapsto E_K(X)$ is a bijection from randomness space to ciphertext space
In fact, non-degenerate linear mapping
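
The claim and the secrecy definitions above can be checked by exact enumeration. This is an added example, not code from the talk: it takes G = Z_5 × Z_5 as an assumed small group, and the "biased" and "reused" key spaces are constructed here to show what δ looks like when the key is not uniform over all of G.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

Q = 5                                        # assumed group: G = Z_5 x Z_5, |G| = 25
G = list(product(range(Q), repeat=2))

def add(a, b):
    """Group operation on G: componentwise addition mod Q."""
    return tuple((x + y) % Q for x, y in zip(a, b))

def dist(encrypt, keys, msg):
    """Exact distribution of E_K(msg) when K is uniform over `keys`."""
    counts = Counter(encrypt(k, msg) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def delta(encrypt, keys):
    """Worst-case statistical distance between E_K(X) and E_K(Y), X, Y in G.

    The maximum over ciphertext sets S of |Pr[E_K(X) in S] - Pr[E_K(Y) in S]|
    equals half the L1 distance between the two distributions.
    """
    worst = Fraction(0)
    for x, y in product(G, repeat=2):
        p, q = dist(encrypt, keys, x), dist(encrypt, keys, y)
        l1 = sum(abs(p.get(c, 0) - q.get(c, 0)) for c in set(p) | set(q))
        worst = max(worst, l1 / 2)
    return worst

def otp(k, m):
    """E_K(M) = K + M, the one-time pad over G."""
    return add(k, m)

def reused(k, m):
    """Constructed weak scheme: one Z_5 element masks both symbols."""
    return add((k, k), m)

PERFECT = delta(otp, G)                  # K uniform over all of G
BIASED = delta(otp, G[1:])               # one key value never occurs
SHORT = delta(reused, list(range(Q)))    # 5 keys for 25 messages

if __name__ == "__main__":
    print("one-time pad over G:    delta =", PERFECT)
    print("one key value missing:  delta =", BIASED)
    print("key shorter than msg:   delta =", SHORT)
```

A single missing key value already moves the scheme from perfect to statistical secrecy, and a key space smaller than the message space lets an unbounded adversary distinguish some pair of messages with certainty.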
![Page 25: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/25.jpg)
Efficiency Measures
Alice Bob
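Message $M \in \{0,1\}^n$
Private key $K \in_R \{0,1\}^n$
Private key $K \in \{0,1\}^n$
$E_K(M) = K \oplus M$
$D_K(C) = C \oplus K$
Overlay: $\oplus$ becomes $+$ (encryption) and $-$ (decryption)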
Communication, Randomness, Round complexity
• OTP: Optimal !
![Page 26: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/26.jpg)
Riddle: Broadcast Encryption [Fiat-Naor94]
Alice
Message $M \in \{0,1\}$
Subset $S$
Keys $K_1, \ldots, K_N$
$E_K(M, S)$
Bob 1: key $K_1$
…
Bob $i$: key $K_i$
…
Bob N: key $K_N$
Bob $i$ can decrypt iff $i \in S$
![Page 27: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/27.jpg)
Riddle: Broadcast Encryption [Fiat-Naor94]
Alice
Message $M \in \{0,1\}$
Subset $S$
Keys $K_1, \ldots, K_N$
$E_K(M, S)$
Communication?
Randomness (length of each key)?
Best tradeoffs?
Bob 1: key $K_1$
…
Bob $i$: key $K_i$
…
Bob N: key $K_N$
Bob $i$ can decrypt iff $i \in S$
![Page 28: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/28.jpg)
Case Study 2: Error Correction/Detection [Hamming47, Shannon48]
Codeword $C = (C_1, \ldots, C_N)$
Encode, Decode: $M \in \{0,1\}^n$, $M \in \{0,1\}^k$ or ⊥
Can tamper (erase/corrupt) up to $\delta$-fraction of symbols
Shannon: Solutions with optimal communication overhead
• Random linear mapping is optimal [Varshamov]
• Later efficient constructions
![Page 29: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/29.jpg)
Unified view: Distributed Storage
Alice
Message $M \in \{0,1\}^k$
$C_1$
Bob N
$C_N$
Encoding
…
$C_i$
Coding setting:
Adversary actively corrupts/erases servers
Decoding: $M \in \{0,1\}^k$
![Page 30: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/30.jpg)
Unified view: Distributed Storage
Alice
Message $M \in \{0,1\}^k$
$C_1$
Bob N
$C_N$
Encoding
…
$C_i$
Secrecy setting:
Adversary passively corrupts servers
Decoding: $M \in \{0,1\}^k$
![Page 31: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/31.jpg)
Unified view: Distributed Storage
Alice
Message $M \in \{0,1\}^k$
$K$
$E_K(M) = K + M$
Encoding
Secrecy setting:
Adversary passively corrupts servers
Decoding: $M \in \{0,1\}^k$
![Page 32: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/32.jpg)
Unified view: Distributed Storage
Alice
Message $M \in \{0,1\}^k$
$K_1$
Bob N
$M + K_1 + \cdots + K_N$
Encoding
…
$K_i$
Secrecy setting:
Adversary passively corrupts servers
Decoding: $M \in \{0,1\}^k$
![Page 33: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/33.jpg)
Can we achieve privacy & resiliency?
Alice
Message $M \in \{0,1\}^k$
$K_1$
Bob N
$M + K_1 + \cdots + K_N$
Encoding
…
$K_i$
Secrecy setting:
Adversary passively corrupts servers
Decoding: $M \in \{0,1\}^k$
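
The additive encoding on the two slides above, as an added example that is not from the talk. It assumes N servers store the keys K_1, …, K_N and one more stores M + K_1 + ⋯ + K_N, with + taken as XOR on k-bit strings, and it checks exhaustively (for small N and k) both the privacy the scheme gives and the resiliency it lacks.

```python
from collections import Counter
from functools import reduce
from itertools import combinations, product
from operator import xor

def encode(m, keys):
    """Shares for N+1 servers: K_1..K_N, then M + K_1 + ... + K_N (+ is XOR)."""
    return list(keys) + [reduce(xor, keys, m)]

def decode(shares):
    """XOR of all N+1 shares gives back M."""
    return reduce(xor, shares, 0)

def view(m, servers, n, k):
    """Exact distribution of what `servers` jointly store, over uniform keys."""
    return Counter(tuple(encode(m, ks)[i] for i in servers)
                   for ks in product(range(2 ** k), repeat=n))

def is_private(n, k, t):
    """True if every set of t servers has the same view for every message."""
    return all(view(m, s, n, k) == view(0, s, n, k)
               for s in combinations(range(n + 1), t)
               for m in range(2 ** k))

def consistent_messages(shares, erased, n, k):
    """Messages that still explain the stored shares once one is erased."""
    rest = [c for i, c in enumerate(shares) if i != erased]
    found = set()
    for m in range(2 ** k):
        for ks in product(range(2 ** k), repeat=n):
            full = encode(m, ks)
            if [c for i, c in enumerate(full) if i != erased] == rest:
                found.add(m)
    return found

if __name__ == "__main__":
    n, k = 2, 2                        # constructed toy sizes: 3 servers, 2-bit M
    shares = encode(3, (1, 2))         # constructed message and keys
    print("shares:", shares, "decoded:", decode(shares))
    print("private against any", n, "servers:", is_private(n, k, n))
    print("private against all", n + 1, "servers:", is_private(n, k, n + 1))
    print("candidates after one erasure:",
          sorted(consistent_messages(shares, 0, n, k)))
```

The same property that hides M from any N servers means one erased share leaves every message equally possible, which is the gap the privacy-and-resiliency question points at.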
![Page 34: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/34.jpg)
Secret-Sharing (Gilad’s talk)
Alice
Message $M \in \{0,1\}^k$
$C_1$
Bob N
$C_N$
Encoding
…
$C_i$
Threshold setting:
Corruption bounds $T_{active}$, $T_{erasure}$, $T_{passive}$
Decoding: $M \in \{0,1\}^k$
![Page 36: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/36.jpg)
General Secret-Sharing (Benny’s talk)
Alice
Message $M \in \{0,1\}^k$
$C_1$
Bob N
$C_N$
Encoding
…
$C_i$
General corruption patterns:
• Related to Broadcast encryption problem
• Huge gaps between LBs and UBs
Decoding: $M \in \{0,1\}^k$
![Page 37: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/37.jpg)
Private Information Retrieval (Yuval+Klim)
Alice
Message $M \in \{0,1\}^k$
$C_1$
Bob N
$C_N$
Encoding
…
$C_i$
Decoding: $M \in \{0,1\}^k$
![Page 38: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/38.jpg)
Private Information Retrieval (Yuval+Klim)
Bob N
…
𝑀
Alice
Decoding
![Page 39: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/39.jpg)
Private Information Retrieval (Yuval+Klim)
𝑀
Bob N
𝑀
…
𝑀
𝑀[𝑖]
Alice
index $i \in \{1, \ldots, k\}$
Hide access pattern i
![Page 40: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/40.jpg)
Private Information Retrieval (Yuval+Klim)
Bob N
…
𝑀[𝑖]
Alice
index 𝑖
Hide access pattern i
• Power of non-linearity
• Huge gaps between LBs and UBs
![Page 41: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/41.jpg)
Computation: Beyond Storage
Inputs $x_1, x_2, x_3, x_4, x_5, x_6$
Trusted Party
![Page 42: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/42.jpg)
Consensus (Ittai’s talk)
Achieving agreement in the presence of failures/corruptions/delays
[Figure: parties numbered 1 to 6]
Only correctness requirement
No privacy requirements
![Page 43: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/43.jpg)
General Secure Computation (Yuval’s talk)
Compute joint function of the parties’ inputs
Inputs $x_1, x_2, x_3, x_4, x_5, x_6$
$F(x_1, \ldots, x_5)$
Passive adversaries
• Privacy
Active adversaries
• Correctness & Privacy
General Functions
![Page 44: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/44.jpg)
General Secure Computation (Yuval’s talk)
Compute joint function of the parties’ inputs
Inputs $x_1, x_2, x_3, x_4, x_5, x_6$
$x_1 + \cdots + x_5$
Challenge:
Design 1-private protocol for sum over $G$
![Page 45: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/45.jpg)
Proofs in Non-Interactive Setting (Niv’s Talk)
Inputs $x_1, x_2, x_3, x_4, x_5, x_6$
$F(x_1, \ldots, x_5) = 1$
prover
verifiers
![Page 46: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/46.jpg)
Inputs $x_1, x_2, x_3, x_4, x_5, x_6$
$F(x_1, \ldots, x_5)$
receiver
senders
Randomized Encoding & Constant-Round MPC (Benny’s Talk)
![Page 47: Information Theoretic Cryptography Introduction](https://reader030.vdocuments.site/reader030/viewer/2022012804/61bd300961276e740b10337d/html5/thumbnails/47.jpg)
Summary: Information Theoretic Cryptography
• Cool questions
• Exciting connections with
  • Coding, Information-theory, Communication Complexity, Computational complexity, Theory of Computation
• Relevant to computational crypto as well
• Many open problems
• New conference: ITC 2020, June 17-19, 2020 in Boston
  • PC: Daniel Wichs, General Chairs: Adam Smith & Yael Kalai
Have a Good Time!