On the Efficiency of 2 Generic Cryptographic Constructions
Luca Trevisan
U.C. Berkeley
joint work with Rosario Gennaro (IBM)
Generic Constructions
• From a OWP of security S we can get a PRG of expansion k that evaluates the OWP O(k/log S) times [BMY & GL]
• From the hardness of discrete log, we can get a length-doubling PRG that requires O(1) exponentiations
• Can we improve BMY or is there a genericity/efficiency trade-off?
Generic Constructions (continued)
• UOWHF: family H_s: {0,1}^m -> {0,1}^{m-k}; given random x, s, hard to find x’ such that H_s(x) = H_s(x’)
• From a OWP of security S, can get a UOWHF of compression k that evaluates the OWP O(k/log S) times [NY & GL]
• Can we do better?
What is the Question?
• Impossible to prove that “every construction of a PRG based on a OWP needs at least q evaluations of the OWP”
• Suppose we have a provably good PRG, then there is a construction of “PRG based on a OWP” that uses zero evaluations and has arbitrary expansion
“Current Techniques”
• We can try to prove that
“every construction of a PRG based on OWP and analyzed using current techniques evaluates the OWP at least q times”
Impagliazzo - Rudich
• Impagliazzo & Rudich face same problem when trying to prove that “there is no key-agreement (KA) construction based on OWP”
• If key agreement is possible, then key agreement is possible “using one-way permutations”
• They argue that there is no KA construction based on OWP that can be analyzed using “current techniques”
How to Model Standard Crypto Reductions (1)
Weak black-box KA based on OWP:
Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible.
Then there are PPT A, B such that there is no PPT E that breaks the KA protocol (A^f, B^f) with noticeable prob.
Comments
• In a weak BB construction we use that f is one-way but not that f has a poly-size circuit
• Weak BB captures all known constructions except some zero-knowledge based ones. (Notably, identification schemes)
• Mind-twister observation 1 [Reingold-T.-Vadhan]: The statements “OWP imply KA” and “there is a weak black-box construction of KA based on OWP” are equivalent
How to Model Standard Crypto Reductions (2)
Semi black-box KA based on OWP:
Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible.
Then there are PPT A, B such that there is no PPT E such that E^f breaks the KA protocol (A^f, B^f) with noticeable prob.
Comments
• In semi-BB we do not use the fact that the adversary for the construction has small size (but may use that it has small size relative to f)
• All known constructions (except id. protocols) are also semi-black box.
• Impagliazzo-Rudich: a semi-BB construction of KA from OWP implies P ≠ NP
• Reingold-Vadhan: unconditionally impossible
How to Model Standard Crypto Reductions (3)
Fully black-box KA based on OWP:
For every f there are PPT A,B,R such that
If E breaks the KA protocol (A^f, B^f) with noticeable prob.
Then Pr[R^{f,E}(f(x)) = x] > noticeable
Comments
• All known reductions yada yada yada
• Impagliazzo-Rudich: unconditionally, there is no fully BB construction of KA based on OWP
(even if fully BB condition is satisfied only for most f instead of for every f)
Relativizations
• Alternative approach:
  – Find an oracle relative to which KA is impossible but OWP exist
  – Then no relativizing construction of KA based on OWP can exist
• Reingold-Vadhan: an unconditional impossibility of semi-BB is equivalent to an oracle separation
The Small Picture (on KA using OWP)
No semi-BB construction
Oracle separation
No fully-BB construction
No weakly-BB construction
Previous Results on Efficiency
• Kim-Simon-Tetali: there is an oracle relative to which every construction of UOWHF of compression k based on OWP evaluates the OWP (k^{1/2}) times.
• No negative result on PRG based on OWP
Our Results (Gennaro-T00)
• If there is a weakly-BB construction of UOWHF based on OWP that uses o(k/log S) evaluations, then one-way functions exist (and zero evaluations are enough)
(Also, unconditionally, no semi-BB construction with o(k/log S), and an oracle relative to which ...)
• Same for PRG of expansion k
Pseudorandom Generators
Suppose there were a weak-BB construction of expansion k with q = o(k/log S) invocations
If f is one-way with security S, then output is pseudorandom
[Diagram: weak-BB PRG with oracle f; seed of m bits in, output of m+k bits out]
Hardness of Random Permutations
• If a permutation f: {0,1}^t -> {0,1}^t is picked at random, whp:
  – For every A of size < 2^{t/5}: Pr_x[A^f(f(x)) = x] < 2^{-t/5}
• Pick at random f: {0,1}^{5 log S} -> {0,1}^{5 log S}. Define g: {0,1}^n -> {0,1}^n as g(a,b) = f(a),b. Then g is whp one-way with hardness S
Generator Works with Random g
• Pick g at random as above, pick seed at random, give seed and oracle access to g to PRG construction
• Output distribution is pseudorandom
[Diagram: weak-BB PRG takes a seed of m bits, makes q queries to g, and outputs m+k bits]
Simulation with no Oracle
• Output can be sampled with m + 5q log S < m + k random bits.
• We have unconditionally a PRG
[Diagram: weak-BB PRG with the q queries simulated; seed of m + 5q log S bits in, output of m+k bits out]
Hash Functions
• Suppose we have a weak-BB UOWHF of compression k with q = o(k/log S) invocations
• Secure if g is one-way of hardness S
[Diagram: UOWHF with oracle g and key s; input x of m bits, output H_s(x) of m-k bits]
Random g
• Pick at random f: {0,1}^{5 log S} -> {0,1}^{5 log S}. Define g: {0,1}^n -> {0,1}^n as g(a,b) = f(a),b
• Modify construction so that the f part of oracle queries is given in output
• The construction is still compressing and secure
[Diagram: UOWHF with oracle g and key s; input x of m bits, output H_s(x), f(a_1), …, f(a_q) of m-k+q log S bits]
Unconditional Construction
• Define H_{s,r}: on input x, simulate weak-BB construction H_s on input x, use r to simulate random oracle f
• Compresses m bits to m-k+5q log S < m bits and is secure
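Added example (not from the original slides): a Python sketch of the oracle simulation used on the "Simulation with no Oracle" and "Unconditional Construction" slides, shown for the PRG case. `toy_construction`, the parameter sizes and all names are assumptions made for illustration; fresh queries are answered with unused bits of r, which matches lazy sampling of a random permutation unless two answers collide.

```python
import hashlib

# Assumed toy parameters (not from the slides): S = 2^8, so f acts on T = 5 log S bits.
LOG_S = 8
T = 5 * LOG_S
N, M, Q = 64, 64, 3        # width n of g, seed length m, number of queries q
K = 5 * Q * LOG_S + 8      # expansion k picked so that m + 5q log S < m + k

def bits(data, n):
    """First n bits of a byte string as a '0'/'1' string."""
    return bin(int.from_bytes(data, "big"))[2:].zfill(8 * len(data))[:n]

class SimulatedG:
    """Answers queries to g(a,b) = f(a),b from the bit string r, with no real f.

    Each fresh a costs T bits of r. This matches lazy sampling of a random
    permutation unless two answers collide (prob. <= q(q-1)/2^(T+1)).
    """
    def __init__(self, r):
        self.r, self.used, self.table = r, 0, {}

    def __call__(self, x):
        a, b = x[:T], x[T:]
        if a not in self.table:                      # fresh point: spend T bits
            self.table[a] = self.r[self.used:self.used + T]
            self.used += T
        return self.table[a] + b                     # repeated a: same answer

def toy_construction(seed, g):
    """Hypothetical stand-in for a weak-BB PRG G^g: q adaptive queries, m+k bits out."""
    answers = []
    for i in range(Q):
        query = bits(hashlib.sha256(f"{i}|{seed}|{answers}".encode()).digest(), N)
        answers.append(g(query))
    out = hashlib.shake_256(f"{seed}|{answers}".encode()).digest((M + K + 7) // 8)
    return bits(out, M + K)

def oracle_free_prg(long_seed):
    """Run the construction on m + 5q log S seed bits: m for the seed, the rest for r."""
    if len(long_seed) != M + Q * T:
        raise ValueError("seed must have m + 5q log S bits")
    g = SimulatedG(long_seed[M:])
    return toy_construction(long_seed[:M], g), g.used

if __name__ == "__main__":
    seed = "01" * ((M + Q * T) // 2)                 # constructed sample seed
    out, used = oracle_free_prg(seed)
    print(len(seed), "seed bits ->", len(out), "output bits;", used, "bits of r used")
```

The toy construction is not a secure generator; the point is only the bit accounting: the whole computation, oracle answers included, is a deterministic function of m + 5q log S input bits that outputs m + k bits.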
Conclusions
• Similar bounds for secure public key encryption and signatures (GKM)
• Stronger bounds for PRG constructions from OWF? (or, can we improve efficiency of HILL?)
– Mind twister observation 2 [Reingold-T-Vadhan]: There IS a weak-BB construction of PRG from OWF that makes O(k/log S) invocations
The weak-BB Construction
• Suppose one-way functions exist: then using HILL we can construct a “OWF-based” PRG that makes zero invocations
• Suppose one-way functions do not exist: then G^f(<h>,x) = <h>,h(f,x), where h is a hash function mapping 2n bits into n+1 bits, satisfies the def. of weak-BB construction.
• Using Levin’s universal one-way function, possible to come up with a single construction that is provably weak-BB and makes few invocations. (What does it mean?)