Barriers in Cryptography and Complexity Theory

Boaz Barak


Presentation Transcript


  1. Barriers in Cryptography and Complexity Theory. Boaz Barak

  2. What is a barrier? What we know Grand Goal Family of known techniques F: Parity AC0 P NP Barrier Result: Grand Goal can’t be achieved using F

  3. This Talk Part I: Black-Box Barrier in Cryptography • Description • Barrier results • Bypassing the barrier with applications to secure protocols in asynchronous networks. Part II: Natural Proofs Barrier in Explicit Constructions • Description • Example of bypassing barrier with application to Ramsey graph construction, compressed sensing. Part III: Battle of the Barriers • Fundamental barrier result: public key vs private key crypto • Pitting one barrier against the other.

  4. Main Results Survey/overview talk – few details/proofs • Bounded-concurrent secure zero knowledge protocol [B. 01] • Unbounded-concurrent secure* general multi-party computation protocol [B.-Sahai 05] • Construction of N=2^n vertex Ramsey graph (matrix) G with α(G), ω(G) < 2^(n^o(1)) [B.-Rao-Shaltiel-Wigderson 06] • Public key cryptography from “unstructured” assumptions [Applebaum-B.-Wigderson 08]

  5. This Talk Part I: Black-Box Barrier in Cryptography • Description • Barrier results • Bypassing the barrier with applications to secure protocols in asynchronous networks. Part II: Natural Proofs Barrier in Explicit Constructions • Description • Example of bypassing barrier with application to Ramsey graph construction, compressed sensing. Part III: Battle of the Barriers • Fundamental barrier result: public key vs private key crypto • Pitting one barrier against the other.

  6. Brief (dramatized) history of crypto Human ingenuity cannot concoct a cipher which human ingenuity cannot resolve. Edgar Allan Poe, 1841 We stand today on the brink of a revolution in cryptography Whitfield Diffie and Martin Hellman, 1976

  7. Brief (dramatized) history of crypto 1587: Mary Queen of Scots’ cipher broken, convicted of treason. 1863: Confederate cipher broken, arrests of northern allies. 1878: Democrat conspirators’ telegram broken, busting corruption scheme. 1914: German codes broken, plans exposed, US joins WWI. 1940: German Enigma codes broken, Churchill credits with winning war. 1976: Diffie & Hellman propose more ambitious public key cryptography. 1977: Rivest, Shamir & Adleman (RSA) propose another candidate. 1977-: Schemes attacked with unprecedented manpower and cycles. Still remain unbroken! 1980’s-: Even more ambitious schemes: CCA secure encryption, CMA secure signatures, zero knowledge, multi-party computation, private information retrieval, e-auctions, e-voting, e-cash,… Also unbroken! 2008: Breaking crypto not considered top cyber security threat.

  8. “Culprit”: Reductions Simple widely-believed conjecture Ambitious security goal Electronic voting Factoring is hard N=PQ P,Q Factoring Algorithm Components: 1. Precise definition of “X breaks security goal”. 2. Efficient algorithm that refutes conjecture given any black-box X that breaks the security goal. Corollary: If there is an efficient way to break e-voting scheme, then there is efficient integer factorization algorithm.

  9. In praise of reductions Simple widely-believed conjecture Ambitious security goal Electronic voting Factoring is hard • Reduce many complicated and subtle security goals to few simple, well-defined, and widely studied problems. • Compose, yielding equivalence results between cryptographic goals. • Extend to various computational models (uniform, non-uniform, exp-time, quantum?) “Black-Box Barrier” • Allow a “meta-theory”: proving that Goal A cannot be reduced to Problem B.

  10. The Black-Box Barrier Black-Box Barrier Results Known Black-Box Results Stand alone multi-party computation [Goldreich-Micali-Wigderson87] Public key from factoring [Rabin78, Goldwasser-Micali82] Multi-party comp from public key [GKMRV00] Signatures from Private Key [Naor-Yung90, Rompel 91] [B.-Sahai05] O*(log n)-round concurrent zero knowledge [RK98, KPR00, PRS04] Public Key from Private Key [Impagliazzo-Rudich89] Concurrent* multi-party computation See Part III… [B.01] [B.01] O(1)-round public coin zero knowledge [Goldreich-Krawczyk86] O(1)-round bounded-concurrent zero knowledge [KPR98, R00, CKPR01] O(1)-round public coin zero knowledge O(1)-round bounded-concurrent zero knowledge Collision-Resistant Hash from Private Key [Simon98]

  11. Challenges of concurrent security Grandmasters attack Crypto version Random challenge r ∈R {0,1}^n Forward r Authenticate(r) Authenticate(r)

  12. Challenges of concurrent security Prove in zero knowledge that r chosen according to protocol Crypto version GMW Paradigm: Enforce correct behavior via zero knowledge proofs Random challenge r ∈R {0,1}^n Forward r Authenticate(r) Authenticate(r) [Goldreich-Micali-Wigderson87] Used to give stand-alone secure protocol for every functionality But known zero knowledge protocols break down in concurrent setting*… Needed new techniques!

  13. Non-Black-Box Zero Knowledge [B.01] Goal: Prove S is true, while provably giving no new knowledge to verifier. Tool: “OR-Trick” (WI): can prove S ∨ S’ is True, s.t. verifier has no idea which one holds. [Feige-Shamir90] Protocol: ENCRYPT(hello_world.c) r ∈R {0,1}^n Verifier Prover OR-Trick proof that either 1) S is true or 2) Encrypted program outputs r

  14. Non-Black-Box Zero Knowledge [B.01] ENCRYPT(hello_world.c) Soundness: Pr[ program predicts r ] ≤ 2^(-n) r ∈R {0,1}^n Verifier Prover OR-Trick proof that either 1) S is true or 2) Encrypted program outputs r This technique + lot of work yields: Thm [B-Sahai05]: Under standard assumptions, ∀ crypto task T, ∃ protocol P s.t. “Analysis”: ∀ attacker A, participating in poly many asynchronous executions of P in arbitrary environment, A can be simulated in 2^k time, for k=ω(log n) (Relaxed UC security) [Prabhakaran-Sahai05] Zero Knowledge: • ENCRYPT(hello_world.c) ≈ ENCRYPT(verifier.c) Cor: If Factoring is hard for subexp algorithms, ∃ secure concurrent protocols for auctions, elections,… • Proof using 2) doesn’t give any knowledge on S. Note: Real protocol uses program(encryption), PCP encoding

  15. This Talk Part I: Black-Box Barrier in Cryptography • Description • Barrier results • Bypassing the barrier with applications to secure protocols in asynchronous networks. Part II: Natural Proofs Barrier in Explicit Constructions • Description • Example of bypassing barrier with application to Ramsey graph construction, compressed sensing. Part III: Battle of the Barriers • Fundamental barrier result: public key vs private key crypto • Pitting one barrier against the other.

  16. The Probabilistic Method [Erdös47] Goal: Show object O with desired property P exists. Method: Show random O has P with high probability. Pros: Sometimes bypass “understanding” P. Cons: Sometimes bypass “understanding” P. Examples: Error-correcting codes, Ramsey graphs, expander graphs, high complexity functions, … [Figure: example 0/1 matrix] Thm: W.h.p. random N×N 0/1 matrix A has no constant submatrix of size ≫ 2log(N) Pf: # k-submatrix ≤ N^(2k) = 2^(2k log N); Pr[ fixed k-submatrix all zeroes ] = 2^(-k^2) Challenge: Find explicit deterministic such A Motivation: Math interest, CS applications.

  17. “Natural” Explicit Constructions [Razborov-Rudich 94], [Alekhnovich03] Thm: W.h.p. random N×N 0/1 matrix A has no constant submatrix of size ≫ 2log(N) Natural approach: Find “understandable” sufficient condition [Figure: example 0/1 matrix] Challenge: Find explicit deterministic such A Random matrices - “good” Hadamard Explicit matrix passing T “Bad” matrices λ_2(A) ≤ 2N T: Polytime test Example: If λ_2(A) ≤ 2N then largest constant submatrix ≤ 10N

  18. “Natural” Explicit Constructions [Razborov-Rudich 94], [Alekhnovich03] Natural approach to construct A with small constant submatrices: First, find efficiently checkable test T_K such that: • Pr[ T_K(A)=1 ] > 0.99 • T_K(A)=0 for all A’s with >K constant submatrix Then, use understanding to find explicit A s.t. T(A)=1 Hadamard matrix obtained by this approach, has K=N Finding T_K Solving planted K-clique problem Observation: Best algorithm handles K=(N) [Alon-Krivelevich-Sudakov98] “Natural Proofs Barrier” Corollary: If planted o(N)-clique problem is hard then can’t beat Hadamard with “Natural” construction!

  19. Natural Proofs Barrier “Barrier Results” Known Natural Constructions [Capalbo-Reingold-Vadhan-Wigderson02] 0.51d expanders Error Correcting Codes [Shannon49, Hamming50, Muller54, Reed54, Reed-Solomon60,…] Expanders/Ramanujan graphs [Margulis74, Lubotzky-Phillips-Sarnak86] P NP [Razborov-Rudich94] Parity AC0 [Furst-Saks-Sipser81, Ajtai83] unbalanced expanders [B.-Kindler-Shaltiel-Sudakov-Wigderson05, B.-Shaltiel-Rao-Wigderson06] [Frankl-Wilson81] Rigid Matrix o(N )-Ramsey Matrix o(N )-Ramsey Graph o(N )-Ramsey Matrix [Alekhnovich03]

  20. “Unnatural” Ramsey Matrices [B.-Kindler-Shaltiel-Sudakov-Wigderson05] [B.-Shaltiel-Rao-Wigderson06] Goal: Construct N^(1/3)-Ramsey Matrix Naïve Idea: Use hashing to increase relative set size Have: N^(1/2)-Ramsey Matrix (Hadamard) N Obvious Problem: [Figure: example 0/1 matrix] One hash can’t work for all sets. Main Insight: With (a lot of) work, it’s OK to use few (i.e. constant) number of hashes. M ≪ N^(1/3) N New Goal: M Hadamard matrix: No M mono rect

  21. New Condenser [B.-Kindler-Shaltiel-Sudakov-Wigderson05] Goal: Theorem: Proof Idea: Additive combinatorics techniques yield “un-natural” constructions. Applications to hardness of approximations, Euclidean subspaces of L1 and compressed sensing. [Zuckerman06,Guruswami-Lee-Razborov08]

  22. This Talk Part I: Black-Box Barrier in Cryptography • Description • Barrier results • Bypassing the barrier with applications to secure protocols in asynchronous networks. Part II: Natural Proofs Barrier in Explicit Constructions • Description • Example of bypassing barrier with application to Ramsey graph construction, compressed sensing. Part III: Battle of the Barriers • Fundamental barrier result: public key vs private key crypto • Pitting one barrier against the other.

  23. Private Key Cryptography (2000BC-1970’s) Secret key Public Key Cryptography (1976-…)

  24. Public Key Crypto Private Key Crypto Talk Securely w/o sharing a key Share key and then talk securely Beautiful algebraic constructions “Unstructured” combinatorial constructions Discrete Logarithm [Diffie-Hellman76, Miller85, Koblitz87,…] DES [Feistel+76] MD5 [Rivest91] Integer Factorization [Rivest-Shamir-Adleman77, Rabin79,…] Error Correcting Codes [McEliece78, Alekhnovich03, Regev05] SHA1 [NIST95] Lattices [Ajtai-Dwork96,…] AES [Rijmen-Daemen98]

  25. Security of private vs. public key crypto Factorization of n bit integers: Trial Division ~exp(n/2); Quadratic Sieve ~exp(n^(1/2)); Shor’s Alg ~poly*(n); Continued Fraction ~exp(n^(1/2)); Pollard’s Alg ~exp(n/4); RSA invented; Number Field Sieve ~exp(n^(1/3)). Cryptanalysis of DES: Trivial 2^56 attack; DES invented; Linear Cryptanalysis 2^43 time+examples. [Timeline charts; time axis labels 300BC, 1974, 1975, 1977, 1985, 1990, 1994 and 1976, 1993]

  26. Public Key from Private Key Major Goal: Construct public key crypto from every private key scheme. Impossible with black-box techniques! [Impagliazzo-Rudich89] Non-Black-Box Approach: Public-key crypto from hardness on avg of NP-complete problem: 3SAT, Clique, etc… Step 1: Assume natural well-studied variants of above: random 3SAT, planted clique,… Step ½: Assume natural but not so well-studied variants. [Alekhnovich03], [Applebaum-B.-Wigderson08] Cons: Huge gap between handling natural distribution and any distribution Pros: Necessary first step to major goal New schemes may be less susceptible to algebraic attacks.

  27. Approach: Natural Proofs as a guide Natural Proofs: No efficient test ⇒ hard to construct Suggestion: Hard to construct ⇒ no efficient test Example: No known construction of highly unbalanced bipartite expander graphs. Conjecture *: No test can distinguish between (1) random unbalanced bipartite graphs, and (2) graphs with a planted non-expanding set. Thm: There is public key encryption scheme that is secure given Conjecture * + Conjecture on hardness of certain random CSP. [Applebaum-B.-Wigderson08] New scheme is arguably “more combinatorial” than all previous ones. In retrospect, [Alekhnovich03] follows similar approach with matrix rigidity.

  28. “Combinatorial” Public Key Crypto [Applebaum-B.-Wigderson08] Conjecture *: No test can distinguish between (1) random unbalanced bipartite graphs, and (2) graphs with a planted non-expanding set. Idea: Consider random CSP problem Becomes easy if we plant a shrinking set Thm: There is public key encryption scheme that is secure given Conjecture * + Conjecture on hardness of certain random CSP. Secret key = shrinking set [Applebaum-B.-Wigderson08] Variables Constraints

  29. Conclusions • Similar barriers arise in different areas of Computer Science • Techniques to breach barrier in one area may be useful in another. • Other barriers: relativization, algebrization,… • Study of barriers can lead to new insights. • Right now Natural Proofs  Black-Box connection superficial, believe more significant connections await.
