
On the Efficiency of 2 Generic Cryptographic Constructions

On the Efficiency of 2 Generic Cryptographic Constructions. Luca Trevisan U.C. Berkeley joint work with Rosario Gennaro (IBM). Generic Constructions. From a OWP of security S we can get a PRG of expansion k that evaluates the OWP O(k/log S) times [ BMY & GL ]


Presentation Transcript


  1. On the Efficiency of 2 Generic Cryptographic Constructions. Luca Trevisan, U.C. Berkeley; joint work with Rosario Gennaro (IBM)

  2. Generic Constructions • From a OWP of security S we can get a PRG of expansion k that evaluates the OWP O(k/log S) times [BMY & GL] • From the hardness of discrete log, we can get a length-doubling PRG that requires O(1) exponentiations • Can we improve BMY or is there a genericity/efficiency trade-off?

  3. Generic Constructions (continued) • UOWHF: family H_s: {0,1}^m -> {0,1}^(m-k); given random x, s, hard to find x' such that H_s(x) = H_s(x') • From a OWP of security S, can get a UOWHF of compression k that evaluates the OWP O(k/log S) times [NY & GL] • Can we do better?

  4. What is the Question? • Impossible to prove that “every construction of a PRG based on a OWP needs at least q evaluations of the OWP” • Suppose we have a provably good PRG, then there is a construction of “PRG based on a OWP” that uses zero evaluations and has arbitrary expansion

  5. “Current Techniques” • We can try to prove that “every construction of a PRG based on OWP and analyzed using current techniques evaluates the OWP at least q times”

  6. Impagliazzo - Rudich • Impagliazzo & Rudich face same problem when trying to prove that “there is no key-agreement (KA) construction based on OWP” • If key agreement is possible, then key agreement is possible “using one-way permutations” • They argue that there is no KA construction based on OWP that can be analyzed using “current techniques”

  7. How to Model Standard Crypto Reductions (1) • Weak black-box KA based on OWP: Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible. Then there are PPT A, B such that there is no PPT E that breaks the KA protocol (A^f, B^f) with noticeable prob.

  8. Comments • In a weak BB construction we use that f is one-way but not that f has a poly-size circuit • Weak BB captures all known constructions except some zero-knowledge based ones. (Notably, identification schemes) • Mind-twister observation 1 [Reingold-T.-Vadhan]: The statements “OWP imply KA” and “there is a weak black-box construction of KA based on OWP” are equivalent

  9. How to Model Standard Crypto Reductions (2) • Semi black-box KA based on OWP: Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible. Then there are PPT A, B such that there is no PPT E such that E^f breaks the KA protocol (A^f, B^f) with noticeable prob.

  10. Comments • In semi-BB we do not use the fact that the adversary for the construction has small size (but may use that it has small size relative to f) • All known constructions (except id. protocols) are also semi-black box. • Impagliazzo-Rudich: a semi-BB construction of KA from OWP implies P ≠ NP • Reingold-Vadhan: unconditionally impossible

  11. How to Model Standard Crypto Reductions (3) • Fully black-box KA based on OWP: For every f there are PPT A, B, R such that if E breaks the KA protocol (A^f, B^f) with noticeable prob., then Pr[R^(f,E)(f(x)) = x] > noticeable

  12. Comments • All known reductions yada yada yada • Impagliazzo-Rudich: unconditionally, there is no fully BB construction of KA based on OWP (even if fully BB condition is satisfied only for most f instead of for every f)

  13. Relativizations • Alternative approach: • Find an oracle relative to which KA is impossible but OWP exist • Then no relativizing construction of KA based on OWP can exist • Reingold-Vadhan: an unconditional impossibility of semi-BB is equivalent to an oracle separation

  14. The Small Picture (on KA using OWP) • Oracle separation • No weakly-BB construction • No semi-BB construction • No fully-BB construction

  15. Previous Results on Efficiency • Kim-Simon-Tetali: there is an oracle relative to which every construction of UOWHF of compression k based on OWP evaluates the OWP Ω(k^(1/2)) times. • No negative result on PRG based on OWP

  16. Our Results (Gennaro-T00) • If there is a weakly-BB construction of UOWHF based on OWP that uses o(k/log S) evaluations, then one-way functions exist (and zero evaluations are enough) (Also, unconditionally, no semi-BB construction with o(k/log S), and an oracle relative to which ...) • Same for PRG of expansion k

  17. Pseudorandom Generators • Suppose there were a weak-BB construction of expansion k with q = o(k/log S) invocations • If f is one-way with security S, then the output is pseudorandom • [Diagram: weak-BB PRG with oracle f; seed m bits, output m+k bits]

  18. Hardness of Random Permutations • If a permutation f: {0,1}^t -> {0,1}^t is picked at random, whp: • For every A of size < 2^(t/5), Pr_x[A^f(f(x)) = x] < 2^(-t/5) • Pick at random f: {0,1}^(5 log S) -> {0,1}^(5 log S). Define g: {0,1}^n -> {0,1}^n as g(a,b) = f(a),b. Then g is whp one-way with hardness S

  19. Generator Works with Random g • Pick g at random as above, pick seed at random, give seed and oracle access to g to PRG construction • Output distribution is pseudorandom • [Diagram: weak-BB PRG with oracle g, q queries; seed m bits, output m+k bits]

  20. Simulation with no Oracle • Output can be sampled with m + 5q log S < m+k random bits. • We have unconditionally a PRG • [Diagram: weak-BB PRG, simulate q queries; seed m + 5q log S bits, output m+k bits]

  21. Hash Functions • Suppose we have weak-BB UOWHF of compression k with q = o(k/log S) invocations • Secure if g is one-way of hardness S • [Diagram: UOWHF with oracle g and key s; input x of m bits, output H_s(x) of m-k bits]

  22. Random g • Pick at random f: {0,1}^(5 log S) -> {0,1}^(5 log S). Define g: {0,1}^n -> {0,1}^n as g(a,b) = f(a),b • Modify construction so that the f part of oracle queries is given in output • The construction is still compressing and secure • [Diagram: UOWHF with oracle g and key s; input x of m bits, output H_s(x), f(a_1), …, f(a_q) of m-k+q log S bits]

  23. Unconditional Construction • Define H_(s,r): on input x, simulate weak-BB construction H_s on input x, use r to simulate random oracle f • Compresses m bits to m-k+5q log S < m bits and is secure

  24. Conclusions • Similar bounds for secure public key encryption and signatures (GKM) • Stronger bounds for PRG constructions from OWF? (or, can we improve efficiency of HILL?) • Mind twister observation 2 [Reingold-T-Vadhan]: There IS a weak-BB construction of PRG from OWF that makes O(k/log S) invocations

  25. The weak-BB Construction • Suppose one-way functions exist: then using HILL we can construct a “OWF-based” PRG that makes zero invocations • Suppose one-way functions do not exist: then G^f(<h>,x) = <h>,h(f,x), where h is hash function mapping 2n bits into n+1 bits, satisfies def. of weak-BB construction. • Using Levin’s universal one-way function, possible to come up with a single construction that is provably weak-BB and makes few invocations. (What does it mean?)
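
The simulation step of slides 18 to 20 (reused for the hash function in slides 22 and 23), as an added example that is not part of the original presentation: a random permutation f on t = 5 log S bits is sampled lazily, only at the points the construction queries, so the oracle can be replaced by about 5q log S extra seed bits. All function names, the parameter values and `toy_construction` are assumptions for illustration; `toy_construction` is not a PRG and only stands in for "some construction that makes q oracle queries", and a repeated draw (rare for t = 5 log S) is handled here by redrawing, which costs t more bits.

```python
import random

def lazy_permutation(t, draw):
    """Random permutation f on t-bit strings, sampled only where queried.
    draw(t) must return a uniform t-bit integer."""
    table, used, stats = {}, set(), {"bits": 0, "fresh": 0}
    def f(a):
        if a not in table:
            while True:                  # reject images that are already taken
                y = draw(t)
                stats["bits"] += t
                if y not in used:
                    break
            table[a] = y
            used.add(y)
            stats["fresh"] += 1
        return table[a]
    return f, stats

def make_g(f, t, n):
    """g(a,b) = f(a),b on n-bit inputs: f acts on the top t bits only."""
    low = n - t
    def g(x):
        a, b = x >> low, x & ((1 << low) - 1)
        return (f(a) << low) | b
    return g

def toy_construction(seed, g, n, q):
    """Hypothetical stand-in for an oracle construction; NOT a PRG.
    It makes exactly q adaptive queries to g and outputs q*n bits."""
    x, out = seed, []
    for _ in range(q):
        x = g(x)
        out.append(x)
        x = (x * 0x9E3779B1 + 1) % (1 << n)   # next query depends on the answer
    return out

def simulate(log_s, n, q, rng):
    """Run the construction with no oracle; return output and bit accounting."""
    t, m = 5 * log_s, n                       # seed length m = n in this toy
    f, stats = lazy_permutation(t, rng.getrandbits)
    seed = rng.getrandbits(m)
    out = toy_construction(seed, make_g(f, t, n), n, q)
    k = q * n - m                             # expansion of the toy construction
    spent = m + stats["bits"]                 # m + 5 q log S unless a draw repeats
    return out, spent, m + k

if __name__ == "__main__":
    out, spent, produced = simulate(log_s=8, n=64, q=4, rng=random.Random(1))
    print(f"{spent} random bits in, {produced} bits out")
```

With log S = 8, n = 64 and q = 4 the run spends 64 + 160 random bits and emits 256, the inequality m + 5q log S < m + k of slide 20 in miniature.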
