Rafael Pass Cornell University

Rafael PassCornell University

Unprovable Security

(how to use meta reductions)

1. Precisely define security goal (e.g., commitment scheme)

2. Precisely stipulate computational intractability assumption (e.g., hardness of factoring)

3. Security Reduction: prove that any attacker A that break security of scheme π can be used to violate the intractability assumption.

Modern Cryptography

An Example:Commitments from OWPs [GL,Blum]

• Task: Commitment Scheme– Binding + Hiding– Non-interactive

• Intractability Assumption: existence of OWP f– f is easy to compute but hard to invert

• Security reduction [Goldreich-Levin]: Comf , PPT R s. t. for every algorithm A that breaks hiding of Comf, RA

inverts f– Reduction R only uses attacker A as a black-box– In this case also the construction is black-boc

rC RA

Security reduction: RA breaks C whenever A breaks commitment

f(r)

Reduction R may rewind and restart A.

Turing Reductions

Our Focus: R is PPT(later, mention nuPPT)

Provable Security

• In the last three decades, lots of amazing tasks have been securely realized under well-studied intractability assumptions

– Key Exchange, Public-Key Encryption, Secure Computation, Zero-Knowledge, PIR, Secure Voting, Identity based encryption, Fully homomorphic Encryption, Leakage-resilient Encryption…

• But: several tasks/schemes have resisted security reductions under well-studied intractability assumptions.

Unprovable Security

We have candidate constructions of primitives that we cannot reduce to some “natural” intractability assumption.

– Schnorr’s identification protocol– Commitment secure against selective opening– One-more inversion problems– Blind signatures– Witness Hiding of GMW/BlumHC

– SNARGs– Statistical NIZK– Non-interactive non-malleable commitments

– Indistinguishability obfuscation

WHY?

TYPE 1: [P11]

TYPE 2: [GW11],[P13]

Don’t know

Unprovability Results

• Tasks can be proven secure using an (arbitrary) black-box security reductions, based on any “standard” intractability assumption.

• Any security reduction R itself must constitute an attack on the intractability assumption

• Rules out also non-black-box constructions: only security reduction needs to be black-box

Common Proof Approach Meta-reduction [BV’99,(Bra’79)]

p,qC RA

1. Design a particular attacker A that breaks scheme2. Show how to “indistinguishably” emulate attacker in poly-time.

N=pq

Note: most “meta reductions” (e.g., [BV’99,AF’07,HH’09,HRS’09,FS’10]) only work for “restricted” types of R (e.g., algebraic)

Today: unrestricted reductions, R is any PPT[P’06,PTV’10, P’11,GW’11,P’13,CMLP’13]:

Intractability Assumptions

• Following [Naor’03], we model an intractability assumption as a interaction between a Challenger C and an attacker A.

– The goal of A is to make C accept– C may be computationally unbounded (different from [Naor’03])

rC Af(r)

Intractability assumption (C,t) : “no PPT A can make C output 1 w.p significantly above t”

A breaks (C,t) if A makes C(1^n) output 1 w.p t +1/poly(n)

Intractability Assumptions

• Following [Naor’03], we model an intractability assumption as a interaction between a Challenger C and an attacker A.

rC Af(r)

• 2-round: f is a OWF, Factoring, G is a PRG, DDH, Factoring, …

• O(1)-round: Enc is semantically secure (FHE), (P,V) is WH

• O(1)-round with unbounded C: (P,V) is sound

• Unbounded round: F is a PRF, Sig is a GMR-secure, Enc is CCA-secure, (P,V) is sequentially witness hiding, one more discrete log,…

Two classes of intractability assumptions

• Bounded-round Assumptions– TYPE I primitives are not themselves bounded-round assumptions– We separate them from such assumptions

• Efficient Challenger (falsifiable) Assumptions– TYPE II primitives are not themselves efficient-challenger

assumption– We separate them from such assumptions

Part I – Separations From Bounded-Round Assumptions

SchnorrSelective openingOne-more InversionBlind SignaturesWitness Hiding

Schnorr’s Identification Scheme [Sch’89]

• One of the most famous and widely employed identification schemes (e.g., Blackberry router protocol)

• Secure under a passive “eaves-dropper” attack based on the discrete logarithm assumption

• What about active attacks?– [BP’02] proven it secure under a new type of “one-more” inversion

assumption– Can we based security on more standard assumptions?

(Non-interactive) Commitment Schemes under Selective Opening [DNRS’99]

• A commits to n values v1, …, vn

• B adaptively asks A to open up, say, half of them.• Security: Unopened commitments remain “hidden”

– Problem originated in the distributed computing literature over 25 years ago

• Can we base selective opening security of non-interactive commitments on any standard assumption?

One-More Inversion Assumptions [BNPS’02]

• You get n target points y1,…, yn in group G with generator g.• Can you find the discrete logarithm to all n of them if you may make n-

1 queries to a discrete logarithm oracle (for G and g)

• One-more DLOG assumption states that no PPT algorithm can succeed with non-negligible probability– [BNPS] and follow-up work: Very useful for proving security of practical schemes

• Can the one-more DLOG assumption be based on more standard assumptions?– What about if we weaken the assumption and only give the attacker n^eps

queries?

Unique Non-interative Blind Signatures [Chaum’82]

• Signature Scheme where a user U may ask the signer S to sign a message m, while keeping m hidden from S.– Futhermore, there only exists a single valid signature per message– Chaum provided a first implementation in 1982; very useful in e.g.,

E-cash– [BNPS] give a proof of security in the Random Oracle Model based

on a one-more RSA assumption.

• Can we base security of Chaum’s scheme, or any other unique blind signature scheme, on any standard assumption?

Sequential Witness Hiding of O(1)-round public-coin protocols

• Take any of the classic O(1)-round public-coin ZK protocols (e.g., GMR,GMW, Blum)

• Repeat them in parallel to get negligible soundness error.• Do they suddenly leak the witness to the statement

proved? [Feige’90]– Sequential WH: No verifier can recover the witness after

sequentially participating in polynomially many proofs.

• Can sequential WH of those protocols be based on any standard assumption?

Theorem

Let (C,t) be a k(.)-round intractability assumption where k is a polynomial. If there exists a PPT reduction R for basing security (of any of previously mentioned schemes) on the hardness of (C,t), then there exists a PPT attacker B that breaks (C,t)

Note: restriction on C being bounded-round is necessary; otherwise we include the assumptions that the schemes are secure!

Related Work

• Several earlier lower bounds:– One-more inversion assumptions [BMV’08]– Selective opening [BHY’09]– Witness Hiding [P’06,HRS’09,PTV’10]– Blind Signatures [FS’10]

• But they only consider restricted types of reductions (a la [FF’93,BT’04]), or (restricted types of) black-box constructions (a la [IR’88])– Only exceptions [P’06,PTV’10] provide conditional lower-bounds

on constructions of certain types of WH proofs based on OWF

• Our result applies to ANY Turing security reduction and also non-black-box constructions.

Proof Outline

1. Sequential Witness Hiding is “complete”– A positive answer to any of the questions implies the existence of a

“special” O(1)-round sequential WH proof/argument for a language with unique witnesses.

2. Sequential WH of “special” O(1)-round proofs/arguments for languages with unique witnesses cannot be based on poly-round intractability assumptions using a Turing reduction.

Special-sound proofs [CDS,Bl]

X is true X is true

a a

b0

c0

b1

c1

Can extract a witness w

b0, b1 R {0,1}n

Relaxations:• multiple rounds• computationally sound protocols (a.k.a. arguments)• need p(n) transcripts (instead of just 2) to extract w

Generalized special-sound

“slot”

Main Lemma

• Let (C,t) be a k(.)-round intractability assumption where k is a polynomial. Let (P,V) be a O(1)-round generalized special-sound proof of a language L with unique witnesses.

• If there exists a PPT reduction R for basing sequential WH of (P,V) on the hardness of (C,t), then there exists a PPT attacker B that breaks (C,t)

Main Lemma

• Let q(n) = ω(n+2k(n)+1). Assume there exists a PPT reduction R and a polynomial p s.t., for every attacker A that completely recovers the (unique) witness to every statement x after receiving q(|x|) sequential proofs of x, RA breaks (C,t) with probability 1/p(n) for infinitely many n.

• Then there exist some polynomial p’ and a PPT B such that B breaks (C,t) with probability 1/p’(n) for infinitely many n.

• Let (C,t) be a k(.)-round intractability assumption where k is a polynomial. Let (P,V) be a O(1)-round generalized special-sound proof of a language L with unique witnesses.

Proof Idea

rC RA

Assume RA breaks C whenever A completely recovers witness of any statement x it hears sufficiently many sequential proofs of.

f(r)

Goal: Emulate in PPT a successful A for R thus break C in PPT(the idea goes back to [BV’99] “meta-reduction”, and even earlier [Bra’79])

Proof Idea

rC RA

Assume RA breaks C whenever A completely recovers witness of any statement x it hears sufficiently many sequential proofs of.

f(r)

Two steps: 1. Design a particular attacker A that breaks sequential WH.2. Show how to perfectly emulate A for R.

Proof Idea

rC R

f(r)

Assume reduction R is “nice” [BMV’08,HRS’09,FS’10] : only asks a single query to its oracle (or asks queries sequentially)

x

w

Unique witness requirement crucial to ensure we actually emulate A(c.f., [Bra’79], [AGGM’05])

Step 1: Let A act as an honest receiver of a single proof of x, and thensimply output a witness w for x (using brute-force)

Step 2: To emulate A for R, simply “rewind” R feeding it a new “challenge” and extract witness

General Reductions: Problem I

R

x1

Problem: R might nest its oracle calls. “naïve extraction” requires exponential time (c.f., Concurrent ZK [DNS’99])

Solution: If we require R to provide many sequential proofs, then we can find(recursively) find one “slot” where nesting depth is “small” : • require A to only output a witness after hearing many proofs

Use Techniques reminiscent of Concurrent ZK a la [RK’99], [CPS’10]

x2

x3rewinding here:

redo work of nested sessions

w2

w3

w1

General Reductions: Problem II

Problem: R might not only nest its oracle calls, but may also rewind its oracle 1. R might notice that it is being rewound 2. Special-soundness might no longer hold under such rewindings.

Solution: Let A generate its messages by applying a random function to the transcript of messages

Use Techniques reminiscent of Black-box ZK lower-bound of [GK’90],[P’06]

O(1)-round restriction on (P,V) is here cruicial

General Reductions: Problem III

C R

x

w

Problem: Oracle calls may be intertwined with interaction with C

Solution: If we require R to provide many sequential proofs, then at least one proof (“slot”) is guaranteed not to intertwine

Specifying the Attacker A

Upon receiving a statement x from the reduction:

• Wait until receiving q(n) = ω(n + 2k(n)+1) sequential proofs of x

• Generate messages in each proof by applying RO to transcript

• After hearing q(n) proofs of x, recover a witness w using brute force and return it

x

Specifying the Meta Reduction B

B externally interacts with C and internally with R:

High-level idea

Honestly emulate A for R but attempt to extract a witness wfor every statement x proved by R by appropriately rewinding R at some “slot”

x

C R

x

Rewind slot if: 1. No external message to C inside2. # other slots inside is “small”

x3

w3


B externally interacts with C and internally with R

• Honestly emulate A for R until reaching the “closing” of a slot such that

1. No messages with C are exchanged inside the slot2. The number of slots inside it is “small”

• Rewind the slot (using new challenges) until a witness has been extracted; cut off each rewinding if R tries to senda message to C, or number of slots inside is “big”

• Expected number of rewinding is <= 1

x


Recursive procedure: we may perform rewindins inside the rewindings.

“Small” at depth d : M/n^d where m = runtime of R

=> Recursive depth is bounded by constant c=> Expected running-time is bounded

x

The crux is to show that extraction always succeeds:1. Once we start rewinding we continue until we another

accepting transcript.2. Need to show:

• for every statement x, there exist some recursive depth and some slot for x that will be rewound.

• Special-soundness rarely fails

Claim: For every proof, at least k+1 slots will be rewound at some depth d

1. There are only a constant number of depths.

2. Since we have ω(n+2k+1) slots, there must exists some depth d during which at least n+2k slots are executed.

3. But on depth d, there can be at most M/nd slotsSo at least 2k+1 slots have at most M/nd+1 slots inside it.

4. So for at least k+1 of them there are no “external” message

If C is efficient 1 suffices; otherwise not.

Overkill? (why not enough with just 1?)

Proof Outline

1. Sequential Witness Hiding is “complete”– A positive answer to any of the questions implies the existence of a

“special” O(1)-round sequential WH proof/argument for a language with unique witnesses.

2. Sequential WH of “special” O(1)-round proofs/arguments for languages with unique witnesses cannot be based on poly-round intractability assumptions using a Turing reduction.

Completing step 1

1. If Schnorr is not WH it cannot be an ID scheme; it doesn’t have unique witnesses (for malformed public-keys) but can be easily modified to have a unique witness.

2. Commitment secure against selective opening => GMW G3C is “weakly” sequentially witness hiding

3. One-more inversion and Blind Sigs are slightly more complicated

Part II – Separations from Falsifiable Assumptions non-malleable commitmentsstatistical NIZK(succint non-interactive arguments [GW])

Non-malleability: if then, v’ is “independent” of vi j• Original work of DDN: O(log n) round from OWF• Later work: [B’02,P’04,PR’05,…,LP’11,G’11]: O(1)-round from OWF

Non-interactive (or even 2 message)?• Useful in both theory and practice• Partial positive results : based on adaptive OWP [OPV’09]• Easy in the RO Model

Non-Malleable Commitments [Dolev Dwork Naor’91]

Receiver/Sender

MIM

Sender Receiver

i j Ci(v) Cj(v’)

Recall, meta-reduction approach

p,qC RA

1. Design a particular attacker A that breaks scheme2. Show how to “indistinguishably” emulate attacker in poly-time.

N=pq

Since we are tired by now: Assume R only makes a single query(the approach we describe extends to many queries.)

p,qC RN=pq

C0(v)A

C1(v)

Strong attacker A :• Receives C0(v)• Breaks it in Exp Time• Returns C1(v)

Emulator A’ :• Receives C0(v)• Does not breaks• Returns C1(0)

Proof Idea: NM Commitments

p,qC RN=pq

A’



C0(v) C1(0)


p,qC RN=pq

A’

By indistinguishability of C1(v) and C1(0), R still factors N!

Rules out even “one-sided” non-malleability [LLMRS’01]

But: only works as long as R is PPTNeeded: [LLMRS’01] provide a construction based on subexp OWP!



C0(v) C1(0)



p,qC RN=pq

A’

Can we rule out subexp R for “full-fledged” (two-sided) NM?Idea:1. Either RA’ factors N (in which case we are done)2. Or R can “distinguish” C1(1) and C1(0)

Use R to construct successful attacker A’’



C0(v) C1(0)

A’’ C1(v) C0(v’)


p,qC RN=pq

A’

Can we rule out subexp R for “full-fledged” (two-sided) NM?

In essence, either RA’ or RR factors N!



C0(v) C1(0)

NIZK for NP [Blum Feldman Micali’88]

Statistical of Perfect NIZK for NP?• [GOS’06]: Perfect NIZK for NP; only sound for static statements• Adaptive statements?

- partial positive result : based on “Knowledge of Exponent” [AF’07] - partial negative result: ruling out “direct BB reductions” [AF’07]- Easy in the RO model.

VerifierProver

X= G is 3-colorableThank you Alice, I believe X is true. But I don’t know why!

X, π

0101011101010101011001101ρ =

• Static statements [BFM’88]: X is chosen independently of ρ• Adaptive chosen statements [FLS’90]: X is chosen as a function of ρ• [BFM] based on QR, [FLS’90,BY’96] based on TDP, …

p,qC RN=pq

ρ

A

x, π

Strong attacker A :• Receives ρ• Find r s.t. Sr(1n) = ρ [Exp Time]• Pick random false x• Let π = Sr(1n,x)

Proof Idea: Perfect NIZK in URS model

Emulator A’ :• Receives ρ• • Pick random true x,w• Let π = P(1n,x,w)

Why is A a valid attacker?Why is the emulation good?

Idea (similar to AF’07,GW’11): If L is hard on average, neither V nor R can tell apart whether we use a true or false statement.

Problem: A is Exp time! Rely on non-uniform hardness of L

Thm 1: Assume non-uniformly secure OWF. If there exists a PPT reduction R for basing soundness of a statistical NIZK for NP on the hardness of an efficient-challenger assumption (C,t), then there exists a PPT attacker B that breaks (C,t).

Thm 2: If there exists a PPT reduction R for basing non-malleability of a 2-round commitment on the hardness of an efficient-challenger assumption (C,t), then there exists a PPT attacker B that breaks (C,t).

1. Security of several “classic” cryptographic tasks/schemes---which are believed to be secure---cannot be proven secure (using BB reductions) based on “standard” intractability assumptions.

2. Only dealt with uniform (PPT) reductions[CMLP13] extends these results also to nuPPT reductions

In Sum

The GOOD:Provably secure under standard assumptions

The BAD:broken

The ANNOYING : not broken, not provably secure*…but very efficient

Ways Around It?

Super Polynomial Security Reductions: • Basing security on “super-poly” intractability assumptions• Possible to overcome some, but not all, lower-bounds

Non-black-box security reductions:• Allow R to look at the code of A• Lower-bound do NOT apply

Possible to overcome the WH lemma [B’01,PR’06]

PPT Turing security reductions provide stronger security guarantees:any attacker---even if I don’t know the description of his brain---with reproducible behavior can be be efficiently used to break challenge

New types of assumptions? Instead of intractability, tractability [W’10]?“knowledge”-assumptions? Hard to “falsify” [Naor’03]

A Taxonomy of Cryptographic Hardness

Framework of [Impagliazzo-Rudich] provides an elegant way of studying the relative strength of various hardness assumptions:

– PK Enc is a stronger than OWF [IR]– CRH is stronger than OWF [Simon,HRS]– …

BUT: only applies to “fully” black-box” constructions– many many classical crypto protocols (e.g., GMW, FeSh, etc) are non-black in

the construction.– Maybe black-box separations extend also to non-BB constructions?

• No [MP’11]!

Can we get a taxonomy w.r.t. non-black-box constructions?

A Different Taxonomy

C RAp,q

N = pqComplexity of Ccomputation# of rounds,communication

Complexity of R computationuniformity

Polytime v.s. Exptime• OWF v.s. soundness of proof

Bounded v.s. unbounded rounds• OWF v.s. secure identification

Bounded v.s. unbounded comm.• OWF v.s. LWE

Polytime v.s. Subexp• OWF v.s. subexp hard OWF

Uniform v.s. non-uniform• OWF v.s. non-unform hard OWF

[SNARG],[SNIZK]

[Schnorr]

OPEN?

[WH],..

[some commitment]

Do all major result in Crypto involve quantitative or qualitative “jump” in taxonomy? (PK Encryption, Signatures, PRG, PRF, ZK certainly do)

Thank You

Rafael Pass Cornell University

Documents

Transcript of Rafael Pass Cornell University