On the Efficiency of 2 Generic Cryptographic Constructions
Luca Trevisan, U.C. Berkeley
Joint work with Rosario Gennaro (IBM)
Generic Constructions
• From a OWP of security S we can get a PRG of expansion k that evaluates the OWP O(k/log S) times [BMY & GL]
• From the hardness of discrete log, we can get a length-doubling PRG that requires O(1) exponentiations
• Can we improve BMY, or is there a genericity/efficiency trade-off?
Generic Constructions (continued)
• UOWHF: a family H_s: {0,1}^m -> {0,1}^{m-k} such that, given random x and s, it is hard to find x' such that H_s(x) = H_s(x')
• From a OWP of security S, we can get a UOWHF of compression k that evaluates the OWP O(k/log S) times [NY & GL]
• Can we do better?
What is the Question?
• It is impossible to prove that “every construction of a PRG based on a OWP needs at least q evaluations of the OWP”
• Suppose we have a provably good PRG; then there is a construction of a “PRG based on a OWP” that uses zero evaluations and has arbitrary expansion
“Current Techniques”
• We can try to prove that “every construction of a PRG based on OWP that is analyzed using current techniques evaluates the OWP at least q times”
Impagliazzo - Rudich
• Impagliazzo & Rudich face the same problem when trying to prove that “there is no key-agreement (KA) construction based on OWP”
• If key agreement is possible, then key agreement is possible “using one-way permutations”
• They argue that there is no KA construction based on OWP that can be analyzed using “current techniques”
How to Model Standard Crypto Reductions (1)
Weak black-box KA based on OWP: Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible. Then there are PPT A, B such that there is no PPT E that breaks the KA protocol (A^f, B^f) with noticeable probability.
Comments
• In a weak BB construction we use that f is one-way, but not that f has a poly-size circuit
• Weak BB captures all known constructions except some zero-knowledge based ones (notably, identification schemes)
• Mind-twister observation 1 [Reingold-T.-Vadhan]: the statements “OWP imply KA” and “there is a weak black-box construction of KA based on OWP” are equivalent
How to Model Standard Crypto Reductions (2)
Semi black-box KA based on OWP: Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible. Then there are PPT A, B such that there is no PPT E such that E^f breaks the KA protocol (A^f, B^f) with noticeable probability.
Comments
• In semi-BB we do not use the fact that the adversary for the construction has small size (but we may use that it has small size relative to f)
• All known constructions (except id. protocols) are also semi-black-box
• Impagliazzo-Rudich: a semi-BB construction of KA from OWP implies P ≠ NP
• Reingold-Vadhan: unconditionally impossible
How to Model Standard Crypto Reductions (3)
Fully black-box KA based on OWP: For every f there are PPT A, B, R such that if E breaks the KA protocol (A^f, B^f) with noticeable probability, then Pr[R^{f,E}(f(x)) = x] > noticeable.
Comments
• All known reductions yada yada yada
• Impagliazzo-Rudich: unconditionally, there is no fully BB construction of KA based on OWP (even if the fully BB condition is satisfied only for most f instead of for every f)
Relativizations
• Alternative approach:
  • Find an oracle relative to which KA is impossible but OWP exist
  • Then no relativizing construction of KA based on OWP can exist
• Reingold-Vadhan: an unconditional impossibility of semi-BB is equivalent to an oracle separation
The Small Picture (on KA using OWP)
[Diagram relating four boxes: “Oracle separation”, “No weakly-BB construction”, “No semi-BB construction”, “No fully-BB construction”]
Previous Results on Efficiency
• Kim-Simon-Tetali: there is an oracle relative to which every construction of UOWHF of compression k based on OWP evaluates the OWP Ω(k^{1/2}) times
• No negative result on PRG based on OWP
Our Results (Gennaro-T00)
• If there is a weakly-BB construction of UOWHF based on OWP that uses o(k/log S) evaluations, then one-way functions exist (and zero evaluations are enough). (Also, unconditionally, no semi-BB construction with o(k/log S), and an oracle relative to which . . . )
• Same for PRG of expansion k
Pseudorandom Generators
• Suppose there were a weak-BB construction of expansion k with q = o(k/log S) invocations
• If f is one-way with security S, then the output is pseudorandom
[Figure: weak-BB PRG with oracle access to f; seed m bits, output m+k bits]
Hardness of Random Permutations
• If a permutation f: {0,1}^t -> {0,1}^t is picked at random, whp:
  • For every A of size < 2^{t/5}, Pr_x[A^f(f(x)) = x] < 2^{-t/5}
• Pick at random f: {0,1}^{5 log S} -> {0,1}^{5 log S}. Define g: {0,1}^n -> {0,1}^n as g(a,b) = f(a),b. Then g is whp one-way with hardness S
Generator Works with Random g
• Pick g at random as above, pick the seed at random, give the seed and oracle access to g to the PRG construction
• The output distribution is pseudorandom
[Figure: weak-BB PRG making q queries to g; seed m bits, output m+k bits]
Simulation with no Oracle
• The output can be sampled with m + 5q log S < m+k random bits
• We have, unconditionally, a PRG
[Figure: the q queries are simulated; seed m + 5q log S bits, output m+k bits]
Hash Functions
• Suppose we have a weak-BB UOWHF of compression k with q = o(k/log S) invocations
• Secure if g is one-way of hardness S
[Figure: UOWHF H_s with oracle access to g and key s; input x of m bits, output H_s(x) of m-k bits]
Random g
• Pick at random f: {0,1}^{5 log S} -> {0,1}^{5 log S}. Define g: {0,1}^n -> {0,1}^n as g(a,b) = f(a),b
• Modify the construction so that the f part of the oracle queries is given in the output
• The construction is still compressing and secure
[Figure: UOWHF with key s; input x of m bits, output H_s(x), f(a_1), …, f(a_q) of m-k+q log S bits]
Unconditional Construction
• Define H_{s,r}: on input x, simulate the weak-BB construction H_s on input x, using r to simulate the random oracle f
• Compresses m bits to m-k+5q log S < m bits and is secure
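The two simulation steps above (the oracle-free PRG on the “Simulation with no Oracle” slide and H_{s,r} on this slide) both rest on the same trick: answer each fresh oracle query to g(a,b) = (f(a),b) with t = 5 log S bits read off a random tape, so that the whole oracle costs at most q·t bits of extra seed. The block below is an added example, not code from the slides or from Gennaro and Trevisan. Its assumptions: the weak-BB constructions are stand-in Python callables (`toy_prg`, `toy_uowhf`) whose only relevant features are their query count and output length, and f is drawn lazily as a random function rather than a random permutation, which for q ≪ 2^{t/2} is statistically close and is all the bit counting needs.

```python
# Added example: lazy simulation of the oracle g(a, b) = (f(a), b) by a
# random tape. Not from the slides; toy_prg and toy_uowhf are stand-ins
# for an arbitrary weak-BB construction, and f is modelled as a random
# function (assumption: statistically close to a random permutation
# when the number of queries q is far below 2^(t/2)).


class LazyOracle:
    """Answer g(x) = (f(a), b) for x = a||b, drawing f(a) from a bit tape on first use."""

    def __init__(self, t, tape):
        self.t = t            # f acts on t-bit strings; t = 5 log S in the slides
        self.tape = tape      # '0'/'1' string that plays the role of f
        self.pos = 0          # tape bits consumed so far (at most t per distinct a)
        self.table = {}       # memo a -> f(a): a repeated query costs no fresh bits
        self.queries = 0

    def f(self, a):
        if a not in self.table:
            if self.pos + self.t > len(self.tape):
                raise ValueError("random tape exhausted")
            self.table[a] = self.tape[self.pos:self.pos + self.t]
            self.pos += self.t
        return self.table[a]

    def g(self, x):
        self.queries += 1
        a, b = x[:self.t], x[self.t:]
        return self.f(a) + b


def xor_bits(u, v):
    return ''.join('1' if p != q else '0' for p, q in zip(u, v))


def toy_prg(seed, oracle, q, k):
    """Stand-in weak-BB PRG of expansion k making q oracle calls: outputs the
    seed followed by k/q bits of each oracle answer. Only its shape matters."""
    per_query = k // q
    out, x = [seed], seed
    for _ in range(q):
        x = oracle.g(x)
        out.append(x[:per_query])
    return ''.join(out)


def simulated_prg(bits, m, t, q, k):
    """The oracle-free generator: the first m bits seed the construction, the
    remaining q*t bits play the role of f. Output has m + k bits."""
    if len(bits) != m + q * t:
        raise ValueError("expected m + q*t input bits")
    oracle = LazyOracle(t, bits[m:])
    out = toy_prg(bits[:m], oracle, q, k)
    assert oracle.queries <= q and oracle.pos <= q * t
    return out


def toy_uowhf(x, s, oracle, q, k):
    """Stand-in weak-BB UOWHF H_s of compression k: mixes x with the key s
    through q oracle calls and drops the last k bits. Also returns the
    f-parts f(a_1), ..., f(a_q) of its queries, as on the 'Random g' slide."""
    y, f_parts = x, []
    for i in range(q):
        y = oracle.g(xor_bits(y, s[i:] + s[:i]))   # rotate the key so the calls differ
        f_parts.append(y[:oracle.t])
    return y[:len(x) - k], f_parts


def simulated_uowhf(x, key_and_tape, m, t, q, k):
    """H_{s,r}: key s = first m bits, tape r = next q*t bits; no oracle is
    involved and the output has m - k + q*t bits."""
    s, r = key_and_tape[:m], key_and_tape[m:]
    oracle = LazyOracle(t, r)
    h, f_parts = toy_uowhf(x, s, oracle, q, k)
    return h + ''.join(f_parts)


def prg_still_expands(m, t, q, k):
    """Counting step: simulated seed m + q*t must be shorter than the m + k output."""
    return m + q * t < m + k


def uowhf_still_compresses(m, t, q, k):
    """Counting step: output m - k + q*t must be shorter than the m-bit input."""
    return m - k + q * t < m
```

Both counting functions return True exactly when q·t < k, i.e. when each oracle call buys more than t bits of expansion or compression; that is the threshold q = o(k/log S) in the slides, since t = 5 log S. The memo table in `LazyOracle` is what keeps the bound at q·t bits even when the construction repeats a query.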
Conclusions
• Similar bounds for secure public key encryption and signatures (GKM)
• Stronger bounds for PRG constructions from OWF? (or, can we improve the efficiency of HILL?)
• Mind twister observation 2 [Reingold-T-Vadhan]: there IS a weak-BB construction of PRG from OWF that makes O(k/log S) invocations
The weak-BB Construction
• Suppose one-way functions exist: then using HILL we can construct a “OWF-based” PRG that makes zero invocations
• Suppose one-way functions do not exist: then G^f(<h>, x) = <h>, h(f(x), x), where h is a hash function mapping 2n bits into n+1 bits, satisfies the definition of a weak-BB construction
• Using Levin’s universal one-way function, it is possible to come up with a single construction that is provably weak-BB and makes few invocations (what does it mean?)