Transcript scws3 6764

Does Privacy Require
True Randomness?
Yevgeniy Dodis
New York University
Joint work with Carl Bosley
Randomness is Important
Yevgeniy Dodis. New York University
IPAM Workshop
3
Even in Everyday Life
Even in Cryptography…
• Secret keys must have entropy
• Many primitives must be randomized
(encryption, commitment, ZK)
• Common abstraction: perfect randomness
– strong assumption, hard to get right
Randomness is Hard to Get
Coins cannot be trusted either
Especially with Active Attackers
Perfect Randomness
• Hard to get as we just saw
• Do we really need perfect randomness?
• Imperfect source: family of distributions
satisfying some property (e.g., entropy)?
• “Tolerate” imperfect source: have one scheme
correctly working for any D in the source
• Main Question: which imperfect sources are
enough for Cryptography?
Extractable Sources
• Sources permitting (deterministic)
extraction of nearly perfect randomness
– such sources suffice for (almost) anything
perfect randomness is enough for
• However, many sources non-extractable 
– E.g., entropy sources [SV86,CG89]
• Are extractable sources the only “good”
sources for cryptography???
– Depends on application…
Current Answers
• Correctness/Soundness: NO 
– Can base BPP/IP on very weak sources
[VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
• Authentication/Unpredictability: NO 
– Quite weak sources enough for MACs [MW97]
(& even weaker for interactive MACs [RW03])
– Enough for signatures as well, assuming
“strong OWPs” [DOPS04]
– General sources: separation between
authentication and extraction [DS02]
Privacy/Indistinguishability
Mixed indications:
− All known techniques (pseudorandomness, …)
critically rely on perfect randomness
− Studied non-extractable sources are not
enough for privacy either [MP91, DOPS04]
+ 1-bit case [DS02, DPP06]: strict implications
extraction ⇒ encryption ⇒ 2−2 secret sharing
⇒ What about the general, multi-bit case???
Our Main Result
• Nearly perfect randomness is inherent for
information-theoretic private-key encryption
• Theorem 1: If n-bit source S admits a
good b-bit encryption, where b > log n, then
one can deterministically extract ≈ b
nearly perfect bits from S!
– Note: if Enc is efficient, then so is Ext
• Theorem 2: There are non-extractable
n-bit sources S admitting a perfect
encryption of b ≈ (log n − loglog n) bits
Interpretation
• Theorem 1: to encrypt b bits
– Either the secret key length is exponential, or
– S is extractable and, in fact, “perfect enough”
to apply (an almost) b−bit one−time pad !
• Thus, if b is “non-trivial”, then
– Cannot afford to sample exponentially long key
– Must find a source capable of extracting
almost b random bits to begin with 
– Might as well extract and use one−time pad
– One−time pad is universal after all 
Interpretation
• Theorem 2: glimmer of hope
– Encryption of up to (log n − loglog n) bits
does not imply extraction of even 1 bit
– Non-trivially extends the 1-bit separation
of [DS02] to (log n − loglog n) bits
• For encrypting very few bits, true
randomness is not inherent
Extensions
• Computational security: implies
extraction of ≈ b pseudorandom bits
– In particular, at least 1 statistical bit!
• Efficiency: poly-time encryption ⇒
poly-time extraction (non-explicit)
• Other primitives: extends to public-key
encryption and perfectly-binding commitments
Conclusions
• One-time pad is universal for private-key encryption
• Strong indication that (nearly) perfect
randomness is inherent for privacy
• Open questions:
– De-randomize construction of extractor
– Extend to other (all?) privacy applications
– Classify crypto apps w.r.t. randomness
Let the fun begin!
Deterministic Extraction
• n-bit source S = family of distributions
{K} on {0,1}^n
• ℓ-bit extractor Ext for S:
– Ext: {0,1}^n → {0,1}^ℓ
• Ext is ε-fair if for all K ∈ S, we have
SD(Ext(K), U_ℓ) ≤ ε
• S is (ℓ, ε)-extractable if there is an
ε-fair extractor Ext for S
Private-Key Encryption
• Alice & Bob share n-bit key k ← K, for K ∈ S
• b-bit encryption scheme (Enc, Dec) for S:
– Enc: {0,1}^b × {0,1}^n → C, Dec: C × {0,1}^n → {0,1}^b
– For all m ∈ {0,1}^b, k ∈ {0,1}^n, Dec(Enc(m, k), k) = m
• (Enc, Dec) is ε-secure if for all K ∈ S and
m ∈ {0,1}^b, SD(Enc(m, K), Enc(U_b, K)) ≤ ε
• S is (b, ε)-encryptable if there is an ε-secure
b-bit encryption scheme (Enc, Dec) for S
Results Restated
Theorem 1: If n-bit S is (b, ε)-encryptable
and b > log n + 2 log(1/δ), then S must be
(b − 2 log(1/δ), ε + δ)-extractable
Theorem 2: For b < log n − loglog n − 1, there
is an n-bit S which is (b, 0)-encryptable,
but not (1, ε)-extractable, where
Proof of Theorem 1
• Let S’ = { Enc(U_b, k) | k ∈ {0,1}^n }
• Lemma 1: If S’ is (ℓ, δ)-extractable, then S
is (ℓ, ε + δ)-extractable. In fact,
Ext(k) = Ext’(Enc(0, k))
• Proof: take any K ∈ S. Then
• Lemma 2: If b > log n + 2 log(1/δ), then S’ is
(b − 2 log(1/δ), δ)-extractable
• Say X is b-flat if X is uniform on 2^b values
• Note: all X ∈ S’ are b-flat (can decrypt!)
• Lemma 3: If b > log n + 2 log(1/δ), then any
collection S’ of 2^n b-flat distributions is
(b − 2 log(1/δ), δ)-extractable
– Implies Lemma 2 and Theorem 1
Proof of Lemma 3
• Lemma 3: If b > log n + 2 log(1/δ), then any
collection S’ of 2^n b-flat distributions is
(b − 2 log(1/δ), δ)-extractable
• Proof: Let ℓ = b − 2 log(1/δ), B = 2^b, L = 2^ℓ = Bδ²
• Pick random f : C → {0,1}^ℓ
• ∀ b-flat X ∈ S’, Chernoff + union bound ⇒
• Another union bound over all X ∈ S’,
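A constructed toy run of the Lemma 3 argument, added here as an example (not the paper's code): it samples 2^n b-flat distributions over C = [S] and a random f : C → {0,1}^ℓ, then measures the worst-case SD(f(X), U_ℓ) exactly. The values n = 3, b = 8, δ = 1/8 and S = 1024 are assumed parameters chosen to satisfy b > log n + 2 log(1/δ).

```python
import math
import random

# Constructed toy instance of the Lemma 3 setting (added example, not the paper's code):
# S' = 2^n b-flat distributions on C = [S], each uniform on B = 2^b points, and a
# random f: C -> {0,1}^l with l = b - 2 log(1/delta), used as the extractor.

def flat_sources(S, B, count, rng):
    """`count` b-flat distributions on [S]: each is uniform on a random B-subset."""
    return [rng.sample(range(S), B) for _ in range(count)]

def random_function(S, ell, rng):
    """A uniformly random f: [S] -> {0,1}^l, stored as a table of l-bit values."""
    return [rng.randrange(1 << ell) for _ in range(S)]

def sd_from_uniform(f, support, ell):
    """SD(f(X), U_l) for X uniform on `support`, computed exactly from output counts."""
    L = 1 << ell
    counts = [0] * L
    for c in support:
        counts[f[c]] += 1
    return sum(abs(cnt / len(support) - 1 / L) for cnt in counts) / 2

def worst_fairness(f, sources, ell):
    """max over X in S' of SD(f(X), U_l): the epsilon for which f is epsilon-fair on S'."""
    return max(sd_from_uniform(f, X, ell) for X in sources)

def lemma3_experiment(seed=7, n=3, b=8, delta=1 / 8, S=1024):
    """Sample S' and f for parameters with b > log n + 2 log(1/delta) and return
    (observed epsilon, delta). Lemma 3 promises some delta-fair f; a random f
    already does much better because each of the L output values lands on about
    B/L = 1/delta^2 points of every support (Chernoff), and 2^n supports is few."""
    assert b > math.log2(n) + 2 * math.log2(1 / delta)
    ell = b - round(2 * math.log2(1 / delta))  # 2^ell = B * delta^2
    rng = random.Random(seed)
    sources = flat_sources(S, 1 << b, 1 << n, rng)
    f = random_function(S, ell, rng)
    return worst_fairness(f, sources, ell), delta
```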
Observations
• [TV00]: enough to pick n-wise independent f
• Lemma 3’: If b > log n + 2 log(1/δ), then any
collection S’ of 2^n b-flat distributions is
efficiently (b − 2 log(1/δ) − log n, δ)-extractable
• Corollary: If Enc is efficient ⇒ so is Ext
• Extends to computational setting
– Extract pseudorandom bits
• Perfect binding enough
– Covers public-key encryption and
perfectly-binding commitment
Proof of Theorem 2
Theorem 2: For b < log n − loglog n − 1, there
is an n-bit S which is (b, 0)-encryptable,
but not (1, ε)-extractable, where
Theorem 2’: For b < log n − loglog n − 1,
there is a b-bit E = (Enc, Dec) for which
Good(E) is not (1, ε)-extractable, where
Good(E) = { K | E is Shannon-secure under K }
Proof of Theorem 2’
• Let N = 2^n; B = 2^b; S s.t. N ≈ S(S−1)…(S−B+1)
• Note, N < S^B, so S > N^(1/B) (> B for our params)
• M = [B], C = [S], K = {all B-tuples of ciphertexts}
K = { k = (c_1…c_B) | c_i ≠ c_j for i ≠ j }
• Enc(m, (c_1…c_B)) = c_m, Dec(c, (c_1…c_B)) = m s.t. c_m = c
• Take any Ext: [N] → {0,1}
• Case 1: have 0-monochromatic perfect K
– Fix Ext to 0 with K, done
• Case 2: no such 0-monochromatic perfect K
– [Lemma] ∃ perfect K’ s.t. Pr[Ext(K’) = 0] < B²/S
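The Theorem 2’ scheme on toy parameters, added here as an example (not the paper's or the author's code): B = 4 messages and S = 8 ciphertexts are assumed values, a key is a B-tuple of distinct ciphertexts with Enc(m, k) = c_m, and the three key distributions (uniform over all of K, the S cyclic shifts, and keys with the first ciphertext fixed) are constructed here to show which K lie in Good(E), i.e., which are Shannon-secure.

```python
from fractions import Fraction
from itertools import permutations

# Constructed toy parameters (not the paper's): B = 2^b messages, S ciphertexts, so
# b = 2 here and a key is a B-tuple of pairwise distinct elements of C = [S].
B, S = 4, 8

def enc(m, key):
    """Enc(m, (c_1..c_B)) = c_m: the key lists one ciphertext per message."""
    return key[m]

def dec(c, key):
    """Dec(c, (c_1..c_B)) = the m with c_m = c, unique since the c_i are distinct."""
    return key.index(c)

def all_keys():
    """The full key space K: every B-tuple of pairwise distinct ciphertexts."""
    return list(permutations(range(S), B))

def uniform(items):
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}

def cipher_dist(msg_dist, key_dist):
    """Distribution of Enc(M, K) for independent M ~ msg_dist and K ~ key_dist."""
    out = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            out[enc(m, k)] = out.get(enc(m, k), 0) + pm * pk
    return out

def stat_dist(p, q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def security_error(key_dist):
    """max_m SD(Enc(m, K), Enc(U_b, K)): the epsilon for which (Enc, Dec) is epsilon-secure under K."""
    ref = cipher_dist(uniform(range(B)), key_dist)
    return max(stat_dist(cipher_dist({m: Fraction(1)}, key_dist), ref) for m in range(B))

def shift_keys():
    """A perfect (epsilon = 0) key distribution far from uniform over K: the S cyclic
    shifts (c, c+1, ..., c+B-1) mod S. Enc(m, K) = c + m mod S is uniform for every m."""
    return [tuple((c + m) % S for m in range(B)) for c in range(S)]

def fixed_first_keys():
    """A non-perfect key distribution: keys with c_1 = 0, so m = 0 always encrypts to 0."""
    return [k for k in all_keys() if k[0] == 0]

def correctness():
    """Dec(Enc(m, k), k) = m for every key and message."""
    return all(dec(enc(m, k), k) == m for k in all_keys() for m in range(B))
```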
Proof of Main Lemma
• Main Lemma: if cannot fix Ext to 0, then
∃ perfect K s.t. Pr[Ext(K) = 0] < B²/S
But don’t go, we need to prove main lemma !!!