1 / 70

Complexity Theory Lecture 10

Complexity Theory Lecture 10. Lecturer: Moni Naor. Recap. Last week: IP=PSPACE Start with #P in PSPACE Public vs. Private Coins IP[k]=AM Mechanism for showing non NP-Completeness This Week: Statistical zero-knowledge AM protocol for VC dimension Hardness and Randomness.

kera
Download Presentation

Complexity Theory Lecture 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Complexity TheoryLecture 10 Lecturer:Moni Naor

  2. Recap Last week: IP=PSPACE Start with #P in PSPACE Public vs. Private Coins IP[k]=AM Mechanism for showing non NP-Completeness This Week: Statistical zero-knowledge AM protocol for VC dimension Hardness and Randomness

  3. Lack of certificate Bug or feature? Disadvantages clear, but: • Advantage: proof remains `property’ of prover and not automatically shared with verifier • Very important in cryptographic applications • Zero-knowledge • Many variants • Can be used to transform any protocol designed to work with benign players into one working with malicious ones • The computational variant is useful for this purpose • Can be used to obtain (plausible) deniability Honest verifier perfect zero-knowledge

  4. Perfect or Statistical Zero-Knowledge An interactive protocol for proving that x 2 L is honest verifier perfect zero-knowledge if for all x 2 L: there exists a probabilistic polynomial time simulator S such that S(x) generates an output identically distributed to the verifier’s view in a real execution: • transcript of (P,V) conversation • the random bits used by the verifier • assume no erasures, otherwise can get it trivially If the distributions are nearly identical – Statistical Zero-Knowledge Variation distance is negligible in program size Example: the protocol for GNI is honest verifier perfect zero-knowledge. The transcript consist of a graphHgraphand a bit r The simulator: given (G0, G1) Pick random c 2R {0,1} and 2R S|V| Output simulated view: transcript hH = (Gc), r=ci random string: hc,i The distribution is identical to the one generated by an honest verifier Some precautions need to be taken if the verifier might not be following the protocol

  5. Detour: Authentication One of the fundamental tasks of cryptography • Alice (sender) wants to send a message m to Bob(receiver). • They want to prevent Eve from interfering • Bob should be sure that the message he receives is indeed the message mAlice sent. Alice Bob Eve

  6. Authentication and Non-Repudiation • Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to third party - Non-repudiation. • Essential to contract signing, e-commerce… • Digital Signatures: last 25 years major effort in • Research • Notions of security • Computationally efficient constructions • Technology, Infrastructure (PKI), Commerce, Legal

  7. Isnon-repudiation always desirable? Not necessarily so: • Privacy of conversation, no (verifiable) record. • Do you want everything you ever said to be held against you? • If Bob pays for the authentication, shouldn't be able to transfer it for free • Perhaps can gain efficiency

  8. Deniable Authentication Setting: • Sender has a public key known to receiver • Want to come up with an (perhaps interactive) authentication scheme such that the receiver keeps no receipt of conversation. This means: • Any receiver could have generated the conversation itself. • There is a simulator that for any message m and verifier V* generates an indistinguishable conversation. • Similar to Zero-Knowledge! • An example where zero-knowledge is theends, not the means! Proof of security consists of Unforgeability and Deniability

  9. Ring Signatures and Authentication Can we keep the senderanonymous? Idea: prove that the signer is a member of an ad hocset • Other members do not cooperate • Use their `regular’ public-keys • Encryption • Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

  10. Deniable Ring Authentication Completeness: a good sender and receiver complete the authentication on any message m Unforgeability Existential unforgeable against adaptive chosen message attack for any sequence of messagesm1, m2,… mk Adversarially chosen in an adaptive manner Even if sender authenticates all of m1, m2,… mk Probability forger convinces receiver to accept a m{m1, m2,… mk } is negligible Properties of an interactive authentication scheme

  11. Deniable Ring Authentication Deniability • For any verifier, for any arbitrary set of keys, some good some bad, there is simulator that can generate computationally indistinguishable conversations. • A more stringent requirement: statisticallyindistinguishable Source Hiding: • For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys • A more stringent requirement: statisticallyindistinguishable Source Hiding andDeniability – incomparable

  12. Encryption Plaintext • Assume a public key encryption scheme E • Public key PK – knowing PK can encrypt message m • generate Y=E(PK , m, r) • With corresponding secret key PS, givenYcan retrieve m • m =D(PS , Y) • Encryption process is probabilistic Each message induces a distribution on the ciphertexts • Security of encryption scheme: • non-malleable against chosen ciphertext attacks in the post-processing mode. • In particular given Y=E(PK, m, r)hard to generateY’=E(PK, m’, r’)for a related message m’ • Example of a very malleable scheme: one-time pad Ciphertext

  13. A Public Key Authentication Protocol P has a public key PK of an encryption scheme E. To authenticate a message m: • V P: Choose x R {0,1}n. Send Y=E(PK, m°x, r) • P V: Verify that prefix of plaintext is indeed m. If yes - send x. V accepts if the receivedx’=x Is it Unforgeable? Is it Deniable?

  14. Security of the scheme Unforgeability: depends on the strength of E • Sensitive to malleability: • if given E(PK, m°x, r) can generate E(PK, m’°x’, r) where m’ is related to m andx’ is related to x then can forge. • The protocol allows a chosen ciphertext attack on E. • Even of the post-processing kind! • Can prove that any strategy for existential forgery can be translated into a CCA strategy on E • Works even against concurrent executions. Deniability: does Vretain a receipt?? • It does not retain one for an honestV • Need to prove knowledge of x

  15. Simulator for honest receiver Choose x R {0,1}n. Output: hY=E(PK, m°x, r), x, ri Has exactly the same distribution as a real conversation when the verifier is following the protocol Statistical indistinguishability Verifier might cheat by checking whether certain ciphertext have as a prefix m No known concrete way of doing harm this way

  16. Encryption: Implementation • Under any trapdoor permutation - rather inefficient [DDN]. • Cramer & Shoup: Under the Decisional DH assumption • Requires a few exponentiations. • With Random Oracles: several proposals • RSA with OAEP - same complexity as vanilla RSA [Crypto’2001] • Can use low exponent RSA/Rabin • With additional Interaction: J. Katz’s non malleable POKS?

  17. Encryption as Commitment When the public key PK is fixed and known Y=E(PK, x, r) can be seen as commitment tox Toopenxrevealr,the random bits used to create Y Perfect binding: from unique decryption For any Y there are no two different xandx’and r and r’ s.t. Y=E(PK, x, r) =E(PK, x’, r’) Secrecy: no information about xis leaked to thosenotknowing private key PS

  18. Deniable Protocol P has a public key K of an encryption scheme E. To authenticate message m: • V  P: Choose xr{0,1}n. Send Y=E(PK, m°x, r) • P V: SendE(PK, x, t) • V P: Sendx and r - opening Y=E(PK, m°x, r) • P V: Open E(PK, x, t)bysending t.

  19. Security of the scheme Unforgeability: as before - depends on the strength of E can simulate previous scheme (with access to D(PK , . )) Important property: E(PK, x, t) is a non-malleable commitment (wrt the encryption) to x. Deniability: can run simulator: • Extract xby running with E(PK, garbage, t) and rewinding • Expected polynomial time • Need the semantic security of E - it acts as a commitment scheme

  20. Ring Signatures and Authentication Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set • Other members do not cooperate • Use their `regular’ public-keys • Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

  21. Ring Authentication Setting • A ring is an arbitrary set of participants including the authenticator • Each memberiof the ring has a public encryption key PKi • Only iknows the corresponding secret key PSi • To run a ring authentication protocol both sides need to know PK1, PK2, …, PKn the public keys of the ring members ...

  22. An almost Good Ring Authentication Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate messagemwith jth decryption key PSj: V  P: Choose x {0,1}n. SendE(PK1, m°x, r1), E(PK2, m°x, r2), …, E(PKn, m°x, rn) P V: Decrypt E(PKj, m°x, rj), using PSjand SendE(PK1, x, t1), E(PK2, x, t2), …, E(PKn, x, tn) V P: open all the E(PKi, m°x, ri) by Sendx andr1, r2 ,…rn P V: Verify consistency and open allE(PKi, x, ti) by Sendt1, t2 ,…tn Problem: what if not all suffixes (x‘s) are equal

  23. The Ring Authentication Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate messagemwith jth decryption key PSj: V  P: Choose x {0,1}n. SendE(PK1, m°x, r1), E(PK2, m°x, r2), …, E(PK1, m°x, rn) P V: Decrypt E(PKj, m°x, rj), using PSjand SendE(PK1, x1, t1), E(PK2, x2, t2), …, E(PKn, xn, tn) Where x=x1+x2 +  xn V P: open all the E(PKi, m°x, ri) by Sendx andr1, r2 ,…rn P V: Verify consistency and open allE(PKi, x, ti) by Sendt1, t2 ,…tn and x1, x2 ,…, xn

  24. Complexity of the scheme Sender: single decryption, n encryptions and nencryption verifications Receiver:n encryptions and n encryption verifications Communication Complexity: O(n) public-key encryptions

  25. Security of the scheme Unforgeability: as before (assuming all keys are well chosen) since E(PK1, x1, t1), E(PK2, x2, t2),…,E(PK1, xn, tn) where x=x1+x2 + L xn is a non-malleable commitment to x Source Hiding: which key was used (among well chosen keys) is • Computationally indistinguishable during protocol • Statistically indistinguishableafter protocol • If ends successfully Deniability: Can run simulator `as before’

  26. Promise Problems A promise problem L is similar to a language recognition problem except that there is a set A • if x 2 A then should report correctly whether x 2 L or not • if x 2 A then do not care how algorithm responds Example: unique sat A={|either  is not statisfiable or  has a unique satisfying assumption} If A={0,1}n, then this is the usual language recognition problem O satisfying assignments 1 satisfying assignment

  27. Statistical Zero-Knowledge So if statistical zero-knowledge is so good, why not use it all the time? Definition: L is a promise problem SZK={L|L has a statistical zero-knowledgeprotocol} HVSZK={L|L has an honest verifier statistical zero-knowledgeprotocol} Clearly: SZK µ HVSZK since any protocol good against all verifiers is good against honest ones as well

  28. The surprising world of Statistical Zero-Knowledge • There are complete problems for HVSZK • Entropy Difference (ED): given two circuits generating distributions D1 and D2 distinguish between the cases H(D1) ¸ H(D2)+1 and H(D2) ¸ H(D1)+1 Any promise problem in HVSZK problem is Karp reducible to ED • ED has an honest verifier public-coins statistical zero-knowledgeprotocol in constant number of rounds • VD(,) is also complete • Conclusions: • All languages and promise problems in HVSZK have public coins protocols • HVSZK is closed under complementation • If a promise problem L has a public coins statistical zero-knowledge proof system then it has one with good against general verifier • Conclusions: • SZK is closed under complementation • SZK 2 AM Å Co-AM H(D)=x PrD[x] log PrD[x]

  29. Homework • Show an AM protocol for Entropy Difference when the two distribution are promised also to be flat • For x and x’ such that Pr[x] ≠ 0 and Pr[x’] ≠ 0 we have Pr[x] = Pr[x’] Is the protocol SZK or HVSZK?

  30. Statistical Zero-Knowledge Theorem: if a language L has a statistical zero-knowledge proof system, then L 2 AM Å Co-AM Conclusion: if interested in zero-knowledge proofs for all languages in NP need to either • Relax notion of proof: argument • Prover is assumed to be a polynomial time machine • Having access to some secret information • Such protocols exists assuming a certain kind of commitment exists • Based on one-way permutations • Another possible relaxation of proof: assume that there are two provers who do not exchange information during the execution of the protocol • Relax notion of zero-knowledge: computational • There exists a simulator which generates computationally indistinguishable distributions • Such protocols exists for all of IP assuming one-way function exist This led to PCP

  31. Sources for Statistical Zero-Knowledge • Salil Vadhan Thesis: www.eecs.harvard.edu/~salil/papers/phdthesis-abs.html • Results are due to Goldreich, Sahai and Vadhan • Building on • Fortnow and Aiello and Hastad: SZK µ AM Å Co-AM • Okamoto: SZK is closed under complementation

  32. VC Dimension Let T=(U,S) be a set system • Each s 2 S is a subset of ground set U We say that X µ U is shattered by T if 8X’ µ X there is an s 2 S is such that X’=s Å X The VC-Dimension of T [Vapnik Chervonenkis]: the maximum cardinality of any set X shattered by a T The complexity of determining the VC-Dimension of T=(U,S): If (U,S) is given explicitly, then since VC(U,S) · log |S| Can determine in |U| log |S| time Known to be at as hard as solving sat with log2 n variables If (U,S) is given implicitly, by a circuit C. For j 2 U and 1 · i · |S| the value C(i,j)=1 iff j 2 siand 0 otherwise The problem of determining VC(C) is complete for 3P Will see that showing an approximate lower bound on VC is in AM

  33. AM Protocol for 2-approximating the VC Dimension • Large collections have a lower bound on the VC dimension • Lemma is also due to Perles and Shelah Conditions for large VC-dimension Sauer’s Lemma: in any set T=(U,S) such that i=0m (|U|i ) · |S| we have that m+1 · VC(U,S). Idea for protocol: Merlin gives the set X that is shattered by the set system encoded in circuit C. If X is `mostly’ shattered, For more than half of X’ µ X there is an s 2 S is such that X’=s Å X then there must be a large Y µ X that is fully shattered: Consider T’=(X,S’) where each s’ 2 S’ is equal to s Å X for some s2S If |S’| is large - at least ½2|X| ¸i=0|X|/2 (|X|i ) after removing duplicates, then Sauer’s Lemma implies that VC(T’) ¸ |X|/2

  34. The protocol Input: circuit C encoding set system (U,S) and promise that • Either VC(U,S)¸ k • Arthur should always accept if Merlin follows the protocol • or VC(U,S)· k/2 • Arthur should reject with reasonable probability The protocol: Merlin: send set X µ U that is shattered by the set system encoded in C. Arthur: Pick a randomX’ µ X and send it Merlin: send index 1 · i · |S| such that X’ = siÅ X where si={j|C(i,j)=1} Arthur: verify that X’ = siÅ X by running C on all j 2 X We know that VC(U,S) · log |S|

  35. Open Problems • Many problems can be formulated as • For a fixed huge graph • E.g. nodes correspond to permutations • Given two nodes, what is the length of the shortest path between them • Is it possible to apply the AM approach to show that various problems of finding distances in huge graphs are not NP-Hard. • Either exact version or approximate Examples: • Pancake Problem • Given n pancakes of various sizes in an arbitrary order what is the minimum number of flips to sort them Genome Rearrangement problems: • Sorting by transpositions • Sorting by translocation

  36. Idea for protocol Verifier • Pick at random one of the two nodes as a starting point • Make a random work of certain length and give prover end point Prover: • Determine the which node is the starting point

  37. References • See Tzvika Hartman’s PhD thesis (Weizmann Institute) The diameter of the Pancake Graph Program • Bill Gates and Christos Papadimitriou: Bounds For Sorting By Prefix Reversal. Discrete Mathematics, vol 27, pp. 47-57, 1979. • H. Heydari and H. I. Sudborough: On the Diameter of the Pancake Network. Journal of Algorithms, 1997

  38. What’s next Natural development of Interactive Proofs: • PCP: Probabilistically Checkable Proofs • The prover sends the a polynomial sized proof • The verifier checks only small parts of it A new characterization of NP Can reduce any problem • Main applications: • Inapproximability of many optimization problems • Low communication cryptographic protocols Get back to it towards end of course

  39. Derandomization A major research question: • How to make the construction of • Small Sample space `resembling’ large one • Hitting sets Efficient. Successful approach: randomness from hardness • (Cryptographic) pseudo-random generators • Complexity oriented pseudo-random generators

  40. Recall: Derandomization I Collection that should resemble probability of success on ALL inputs Theorem: any f 2BPP has a polynomial size circuit Simulating large sample spaces • Want to find a small collection of strings on which the PTM behaves as on the large collection • If the PTM errs with probability at most , then should err on at most + of the small collection • Choose m random strings • For input x event Ax is more than (+) of the m strings fail the PTM Pr[Ax] · e-22m < 2-2n Pr[[x Ax] ·x Pr[Ax] <2n 2-2n=1 Bad  Good 1- Chernoff

  41. Pseudo-random generators • Would like to stretch a short secret (seed) into a long one • The resulting long string should be usable in any case where a long string is needed • In particular: cryptographic application as a one-time pad • Important notion: Indistinguishability Two probability distributions that cannot be distinguished • Statistical indistinguishability: distances between probability distributions • New notion: computational indistinguishability

  42. Computational Indistinguishability Definition: two sequences of distributions {Dn} and {D’n} on {0,1}nare computationally indistinguishable if for every polynomial p(n) for every probabilistic polynomial time adversary A for sufficiently large n If A receives input y  {0,1}n and tries to decide whether y was generated by Dn or D’n then |Prob[A=‘0’ | Dn ] - Prob[A=‘0’ | D’n ] | < 1/p(n) Without restriction on probabilistic polynomial tests: equivalent to variation distance being negligible ∑β  {0,1}n|Prob[ Dn = β] - Prob[ D’n = β]| < 1/p(n) advantage

  43. Pseudo-random generators Definition: a function g:{0,1}* → {0,1}* is said to be a (cryptographic) pseudo-random generator if • It is polynomial time computable • It stretches the input |g(x)|>|x| • denote by ℓ(n) the length of the output on inputs of length n • If the input (seed) is random, then the output is indistinguishable from random For any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1}ℓ(n)for any polynomial p(n) and sufficiently large n |Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| yR {0,1}ℓ(n)] | < 1/p(n) Want to use the output a pseudo-random generator whenever long random strings are used Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin. J. von Neumann

  44. Pseudo-random generators Definition: a function g:{0,1}* → {0,1}* is said to be a (cryptographic) pseudo-random generator if • It is polynomial time computable • It stretches the input g(x)|>|x| • denote by ℓ(n) the length of the output on inputs of length n • If the input is random the output is indistinguishable from random For any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1}ℓ(n)for any polynomial p(n) and sufficiently large n |Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| yR {0,1}ℓ(n)] | < 1/p(n) Important issues: • Why is the adversary bounded by polynomial time? • Why is the indistinguishability not perfect?

  45. Pseudo-Random Generators and Derandomization All possible strings of length k A pseudo-random generator mapping k bits to n bits strings Any input should see roughly the same fraction of accept and rejects The result is a derandomization of a BPP algorithm by taking majority

  46. Complexity of Derandomization • Need to go over all 2k possible input string • Need to compute the pseudo-random generator on those points • The generator has to be secure against non-uniform distinguishers: • The actual distinguisher is the combination of the algorithm and the input • If we want it to work for all inputs we get the non-uniformity

  47. Construction of pseudo-random generatorsrandomness from hardness • Idea: for any given a one-way function there must be a hard decision problem hidden there • If balanced enough: looks random • Such a problem is a hardcore predicate • Possibilities: • Last bit • First bit • Inner product

  48. Hardcore Predicate Definition: let f:{0,1}* → {0,1}* be a function. We say that h:{0,1}* → {0,1} is a hardcore predicate for f if • It is polynomial time computable • For any probabilistic polynomial time adversary A that receives input y=f(x) and tries to compute h(x) for any polynomial p(n) and sufficiently large n |Prob[A(y)=h(x)] - 1/2| < 1/p(n) where the probability is over the choice y and the random coins of A • Sources of hardcoreness: • not enough information about x • not of interest for generating pseudo-randomness • enough information about x but hard to compute it

  49. Single bit expansion • Let f:{0,1}n → {0,1}n be a one-way permutation • Let h:{0,1}n → {0,1} be a hardcore predicate for f Consider g:{0,1}n → {0,1}n+1 where g(x)=(f(x), h(x)) Claim: g is a pseudo-random generator Proof: can use a distinguisher for g to guess h(x) f(x), h(x)) f(x), 1-h(x))

  50. From single bit expansion to many bit expansion Internal Configuration Input Output • Can make r and f(m)(x) public • But not any other internal state • Can make m as large as needed r x f(x) h(x,r) h(f(x),r) f(2)(x) f(3)(x) h(f(2)(x),r) f(m)(x) h(f(m-1)(x),r)

More Related