Does Privacy Require True Randomness? Yevgeniy Dodis, New York University. Joint work with Carl Bosley.
Randomness is Important IPAM Workshop
Even in Everyday Life
Even in Cryptography…
• Secret keys must have entropy
• Many primitives must be randomized (encryption, commitment, ZK)
• Common abstraction: perfect randomness
• A strong assumption, and hard to get right
Randomness is Hard to Get
Coins cannot be trusted either
Especially with Active Attackers
Perfect Randomness
• Hard to get, as we just saw
• Do we really need perfect randomness?
• Imperfect source: a family of distributions satisfying some property (e.g., an entropy bound)
• “Tolerate” an imperfect source: one scheme that works correctly for any distribution D in the source
• Main Question: which imperfect sources are enough for cryptography?
Extractable Sources
• Sources permitting (deterministic) extraction of nearly perfect randomness
• Such sources suffice for (almost) anything that perfect randomness suffices for
• However, many sources are non-extractable
• E.g., entropy sources [SV86, CG89]
• Are extractable sources the only “good” sources for cryptography?
• Depends on the application…
Current Answers
• Correctness/Soundness: NO
• Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
• Authentication/Unpredictability: NO
• Quite weak sources suffice for MACs [MW97] (and even weaker ones for interactive MACs [RW03])
• Enough for signatures as well, assuming “strong OWPs” [DOPS04]
• General sources: separation between authentication and extraction [DS02]
Privacy/Indistinguishability
Mixed indications:
• All known techniques (pseudorandomness, …) critically rely on perfect randomness
• The studied non-extractable sources are not enough for privacy either [MP91, DOPS04]
• 1-bit case [DS02, DPP06]: strict implications extraction ⇒ encryption ⇒ 2-2 secret sharing
• What about the general, multi-bit case?
Our Main Result
• Nearly perfect randomness is inherent for information-theoretic private-key encryption
• Theorem 1: If an n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract b nearly perfect bits from S!
• Note: if Enc is efficient, then so is Ext
• Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b ≈ (log n − loglog n) bits
Interpretation
• Theorem 1: to encrypt b bits,
• Either the secret key length is exponential, or
• S is extractable and, in fact, “perfect enough” to apply an (almost) b-bit one-time pad!
• Thus, if b is “non-trivial”, then
• Cannot afford to sample an exponentially long key
• Must find a source capable of extracting almost b random bits to begin with
• Might as well extract and use the one-time pad
• The one-time pad is universal after all
Interpretation
• Theorem 2: a glimmer of hope
• Encryption of up to (log n − loglog n) bits does not imply extraction of even 1 bit
• Non-trivially extends the 1-bit separation of [DS02] to (log n − loglog n) bits
• For encrypting very few bits, true randomness is not inherent
Extensions
• Computational security: implies extraction of b pseudorandom bits
• In particular, at least 1 statistical bit!
• Efficiency: poly-time encryption implies poly-time extraction (non-explicit)
• Other primitives: extends to public-key encryption and perfectly-binding commitments
Conclusions
• The one-time pad is universal for private-key encryption
• Strong indication that (nearly) perfect randomness is inherent for privacy
• Open questions:
• De-randomize the construction of the extractor
• Extend to other (all?) privacy applications
• Classify crypto applications w.r.t. randomness
Details! Let the fun begin!
Deterministic Extraction
• n-bit source S = a family of distributions {K} on {0,1}^n
• ℓ-bit extractor Ext for S: Ext: {0,1}^n → {0,1}^ℓ
• Ext is ε-fair if for all K ∈ S we have SD(Ext(K), U_ℓ) ≤ ε
• S is (ℓ, ε)-extractable if there is an ε-fair extractor Ext for S
Private-Key Encryption
• Alice & Bob share an n-bit key k ← K, for K ∈ S
• b-bit encryption scheme (Enc, Dec) for S:
• Enc: {0,1}^b × {0,1}^n → C, Dec: C × {0,1}^n → {0,1}^b
• For all m ∈ {0,1}^b, k ∈ {0,1}^n: Dec(Enc(m, k), k) = m
• (Enc, Dec) is ε-secure if for all K ∈ S and m ∈ {0,1}^b: SD(Enc(m, K), Enc(U_b, K)) ≤ ε
• S is (b, ε)-encryptable if there is an ε-secure b-bit encryption scheme (Enc, Dec) for S
Results Restated
Theorem 1: If n-bit S is (b, δ)-encryptable and b > log n + 2 log(1/ε), then S must be (b − 2 log(1/ε), ε + δ)-extractable
Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, ε)-extractable, where
Proof of Theorem 1
• Let S' = { Enc(U_b, k) | k ∈ {0,1}^n }
• Lemma 1: If S' is (ℓ, ε)-extractable, then S is (ℓ, ε + δ)-extractable, where δ is the security of (Enc, Dec). In fact, Ext(k) = Ext'(Enc(0, k))
• Proof: take any K ∈ S. Then
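Added example (not code from the slides): the definitions above computed exactly for a toy one-time pad, together with Lemma 1's extractor Ext(k) = Ext'(Enc(0, k)). The sizes b = 2, n = 4, the helper names, and the two key distributions (one with uniform low bits, one with all entropy in bits the pad never uses) are all constructed for this illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

# Toy sizes (constructed): b-bit messages, n-bit keys, n >= b.
B_BITS, N_BITS = 2, 4

def stat_dist(p, q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)| over {value: probability} dicts."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def push(dist, f):
    """Distribution of f(X) when X ~ dist."""
    out = Counter()
    for x, prob in dist.items():
        out[f(x)] += prob
    return out

def uniform(values):
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def enc(m, k):
    """One-time pad: XOR the message into the low b bits of the key."""
    return m ^ (k & ((1 << B_BITS) - 1))

def dec(c, k):
    return c ^ (k & ((1 << B_BITS) - 1))

def enc_security(key_dist):
    """The slides' eps: max over m of SD(Enc(m, K), Enc(U_b, K)) for K ~ key_dist."""
    u_b = uniform(range(1 << B_BITS))
    enc_ub_k = Counter()                       # Enc(U_b, K): m and k independent
    for (m, pm), (k, pk) in product(u_b.items(), key_dist.items()):
        enc_ub_k[enc(m, k)] += pm * pk
    return max(stat_dist(push(key_dist, lambda k, m=m: enc(m, k)), enc_ub_k)
               for m in range(1 << B_BITS))

def lemma1_extractor(ext_prime):
    """Lemma 1: from an extractor Ext' for S' = {Enc(U_b, k)} build Ext(k) = Ext'(Enc(0, k))."""
    return lambda k: ext_prime(enc(0, k))

def ext_fairness(ext, key_dist, ell):
    """SD(Ext(K), U_ell): how far Ext is from being fair on this K."""
    return stat_dist(push(key_dist, ext), uniform(range(1 << ell)))

# Constructed key distributions: K_GOOD has uniform low bits (a perfect pad key),
# K_BAD has all its entropy in the high bits, which the pad never touches.
K_GOOD = uniform(range(1 << B_BITS))
K_BAD = uniform(range(0, 1 << N_BITS, 1 << B_BITS))
```

With Ext' the identity on ciphertexts (0-fair on S' here, since every Enc(U_b, k) is uniform on 4 values), the Lemma 1 extractor is exactly as fair on K as the pad is secure under K.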
Proof of Theorem 1
• Let S' = { Enc(U_b, k) | k ∈ {0,1}^n }
• Lemma 1: If S' is (ℓ, ε)-extractable, then S is (ℓ, ε + δ)-extractable, where δ is the security of (Enc, Dec). In fact, Ext(k) = Ext'(Enc(0, k))
• Lemma 2: If b > log n + 2 log(1/ε), then S' is (b − 2 log(1/ε), ε)-extractable
Proof of Theorem 1
• Let S' = { Enc(U_b, k) | k ∈ {0,1}^n }
• Lemma 2: If b > log n + 2 log(1/ε), then S' is (b − 2 log(1/ε), ε)-extractable
• Say X is b-flat if X is uniform on 2^b values
• Note: all X ∈ S' are b-flat (one can decrypt!)
• Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
• Implies Lemma 2 and Theorem 1
Proof of Lemma 3
• Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
• Proof: Let ℓ = b − 2 log(1/ε), B = 2^b, L = 2^ℓ = ε²B
• Pick a random f: C → {0,1}^ℓ
• For each b-flat X ∈ S', Chernoff + union bound
• Another union bound over all X ∈ S'
Observations
• [TV00]: enough to pick an n-wise independent f
• Lemma 3': If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is efficiently (b − 2 log(1/ε) − log n, ε)-extractable
• Corollary: If Enc is efficient, so is Ext
• Extends to the computational setting
• Extract pseudorandom bits
• Perfect binding is enough
• Covers public-key encryption and perfectly-binding commitment
Proof of Theorem 2
Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, ε)-extractable, where
Theorem 2': For b < log n − loglog n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1, ε)-extractable, where Good(E) = { K | E is Shannon-secure under K }
Proof of Theorem 2'
• Let N = 2^n, B = 2^b, and S s.t. N ≈ S(S−1)···(S−B+1)
• Note N < S^B, so S > N^{1/B} (> B for our parameters)
• M = [B], C = [S], K = {all B-tuples of distinct ciphertexts} = { k = (c_1…c_B) | c_i ≠ c_j for i ≠ j }
• Enc(m, (c_1…c_B)) = c_m; Dec(c, (c_1…c_B)) = the m s.t. c_m = c
• Take any Ext: [N] → {0,1}
• Case 1: there is a 0-monochromatic perfect K
• Fix Ext to 0 with K, done
• Case 2: no such 0-monochromatic perfect K
• [Lemma] there is a perfect K' s.t. Pr[Ext(K') = 0] < B²/S
Proof of Main Lemma
• Let N = 2^n, B = 2^b, and S s.t. N ≈ S(S−1)···(S−B+1)
• Note N < S^B, so S > N^{1/B} (> B for our parameters)
• M = [B], C = [S], K = {all B-tuples of distinct ciphertexts} = { k = (c_1…c_B) | c_i ≠ c_j for i ≠ j }
• Enc(m, (c_1…c_B)) = c_m; Dec(c, (c_1…c_B)) = the m s.t. c_m = c
• Main Lemma: if Ext cannot be fixed to 0, then there is a perfect K s.t. Pr[Ext(K) = 0] < B²/S
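Added example (not the authors' code): the Theorem 2' scheme with constructed parameters B = 2 and S = 4, i.e. one message bit and keys that are ordered pairs of distinct ciphertexts. It checks correctness, checks Shannon-security for two members of Good(E), and shows that a fixed 1-bit extractor (parity of the first table entry) is 0-monochromatic on one perfect K, which is exactly Case 1 of the argument above. All names and the two key distributions are constructed for this illustration.

```python
from fractions import Fraction
from itertools import permutations

# Toy parameters (constructed): B = 2^b messages, S ciphertexts, so b = 1 here.
B, S = 2, 4
# Key space K = all B-tuples of distinct ciphertexts, |K| = S(S-1)...(S-B+1) = 12.
KEYS = list(permutations(range(S), B))

def enc(m, k):
    """Enc(m, (c_1..c_B)) = c_m: the key is a table of distinct ciphertexts."""
    return k[m]

def dec(c, k):
    """Dec(c, (c_1..c_B)) = the unique m with c_m = c."""
    return k.index(c)

def sd(p, q):
    """Statistical distance between two {value: probability} dicts."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def uniform(xs):
    xs = list(xs)
    return {x: Fraction(1, len(xs)) for x in xs}

def pushforward(f, dist):
    """Distribution of f(K) for K ~ dist."""
    out = {}
    for k, p in dist.items():
        out[f(k)] = out.get(f(k), 0) + p
    return out

def shannon_secure(key_dist):
    """E is Shannon-secure under K iff Enc(m, K) has the same distribution for every m
    (equivalently SD(Enc(m, K), Enc(U_b, K)) = 0 for all m), i.e. K is in Good(E)."""
    ref = pushforward(lambda k: enc(0, k), key_dist)
    return all(sd(pushforward(lambda k, m=m: enc(m, k), key_dist), ref) == 0
               for m in range(B))

def extractor_bias(ext, key_dist):
    """SD(Ext(K), U_1) for a 1-bit extractor: its distance from fair on this K."""
    return sd(pushforward(ext, key_dist), uniform([0, 1]))

def parity_ext(k):
    """A candidate 1-bit extractor: parity of the first table entry."""
    return k[0] % 2

# Two members of Good(E) (constructed): the uniform key, and a two-key
# distribution that is still perfectly secure but whose first entry is always even.
K_UNIFORM = uniform(KEYS)
K_EVEN = uniform([(0, 2), (2, 0)])
```

parity_ext is perfectly fair on K_UNIFORM yet constant on K_EVEN, so no single fairness bound holds across all of Good(E) for it; the case analysis above shows this happens for every Ext once the parameters are large enough.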
Proof of Main Lemma (diagram slide; labels: “Not to prove Theorem 2'”, “Not to prove Main Lemma”)
Thank You! But don’t go, we need to prove the main lemma!!!