On necessary and sufficient cryptographic assumptions: the case of memory checking Lecture 4: Lower bound on Memory Checking Lecturer: Moni Naor, Weizmann Institute of Science Web site of lectures: www.wisdom.weizmann.ac.il/~naor/COURSE/ens.html
Recap of Lecture 3 • The memory checking problem • The online vs. offline versions • The relationship to the sub-linear authentication problem • A good offline protocol • based on a hash function that can be computed on the fly • Small-biased probability spaces • Hash functions for set equality • A good computational solution for the online problem, assuming one-way functions • Two solutions, both tree based • Using pseudo-random tags • Using families of UOWHFs • The small memory need only be reliable (not secret) • The Consecutive Message (CM) protocol model • Tight Θ(√n) bound for equality: t(n) · s(n) is Ω(n) • Similar to the simultaneous messages model • But: sublinear protocols exist iff one-way functions exist
The lecture • Learning Distributions • Static and adaptive case • Lower bounds on memory checking • Existence of sublinear protocols implies one-way functions
Learning Distributions We are given many samples w1, w2, …, wm, each distributed according to a distribution D • Would like to `learn' D • What does that mean? • Large parts of statistics are devoted to this question… • In Computational Learning Theory two notions exist: • Learn by generation • should come up with a probabilistic circuit • The output has distribution D provided the inputs are random • Approximation possible • Learn by evaluation • Given x, can compute (approximately) PrD[x]
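To make the two notions concrete, here is a minimal Python sketch (all names are illustrative, not from the lecture): the same toy distribution D, a biased coin, represented once by generation and once by evaluation.

```python
import random

# Toy distribution D: a coin that lands 1 with probability 0.7.
P_ONE = 0.7

def learn_by_generation():
    """A 'probabilistic circuit': given fresh randomness, outputs a sample
    whose distribution (approximately) matches D."""
    return 1 if random.random() < P_ONE else 0

def learn_by_evaluation(x):
    """Given a point x, returns (an approximation of) Pr_D[x]."""
    return P_ONE if x == 1 else 1.0 - P_ONE

samples = [learn_by_generation() for _ in range(10_000)]
print(sum(samples) / len(samples))   # empirical frequency, close to 0.7
print(learn_by_evaluation(1))        # probability under the model
```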
Learning Distributions • Suppose D is determined by a string k of s `secret' bits • Everything else is known If one-way functions exist, there are circuits C for which it is computationally hard to learn the output distribution: let Fk be a pseudo-random function; C's output is x ◦ Fk(x) for a random x [Figure: the secret key k wired into the circuit C]
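As a sketch of such a hard-to-learn circuit, one can use HMAC-SHA256 as a stand-in for the pseudo-random function Fk (the PRF instantiation and all names here are my own illustration, not part of the lecture):

```python
import hmac, hashlib, os

k = os.urandom(16)  # the s secret bits determining D; everything else is public

def sample_D():
    """One draw from D: a random x concatenated with F_k(x).
    Without k, distinguishing F_k(x) from random bits (and hence learning
    D's output distribution) would break the PRF."""
    x = os.urandom(16)
    tag = hmac.new(k, x, hashlib.sha256).digest()  # F_k(x)
    return x + tag

print(sample_D().hex())
```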
Learning Adaptively Changing Distributions Learning to predict and imitate the distribution of probabilistic, adaptively changing processes. E.g., the T-1000 robot can "imitate anything it touches … anything it samples"
Examples of adaptively changing distributions • Impersonation • Alice and Bob agree on a secret and engage in a sequence of identification sessions. • Eve wants to learn to imitate one (or both) of the parties • How long should she wait? • Classification of a changing bacterium • How long must the scientist observe before making the classification? • Catching up: Sam and Sally are listening to a visiting professor's lecture. Sam falls asleep for a while • How long would it take Sam to catch up with Sally?
Learning Adaptively Changing Distributions What happens if the generating circuit C changes over time, as a reaction to events and the environment? • Secret state • Public state • Transition function D: Sp × Ss × R → Sp × Ss The sizes of the secret and public states are not restricted, but the size of the initial secret is restricted to s bits. How long would it take us to learn the distribution of the next public state, given the sequence of past public states? First answer: it may be impossible to learn. Example: the next public state may be the current secret state, with each secret state chosen at random. So we want to be competitive with a party that knows the initial secret state.
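Here is a minimal sketch of the ACD abstraction (the interface and the toy transition rule are mine): a transition function maps (public state, secret state, fresh randomness) to a new pair, and the learner only ever observes the public side.

```python
import random

class ACD:
    """Adaptively changing distribution:
    D : S_p x S_s x R -> S_p x S_s, with only public states observable."""
    def __init__(self, s_bits=8):
        # The initial secret is restricted to s bits; the states are not.
        self.secret = random.getrandbits(s_bits)
        self.public = 0

    def step(self):
        """One activation: the transition may depend on both states and on
        fresh randomness. The concrete rule is a toy, purely illustrative."""
        r = random.getrandbits(8)
        self.secret = (self.secret * 31 + r) & 0xFF
        self.public = (self.public ^ self.secret) & 0xFF
        return self.public  # all the learner gets to see

acd = ACD()
observed = [acd.step() for _ in range(5)]
print(observed)
```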
Definition of Learning an Adaptively Changing Distribution Let D be an adaptively changing distribution (ACD), D: Sp × Ss × R → Sp × Ss. Given public states p0, p1, …, pk and the initial secret s0, there is an induced distribution Dk on the next public state. Definition: A learning algorithm (ε,δ)-learns the ACD if • It always halts and outputs a hypothesis h • With probability at least 1-δ we have that Δ(Dk, h) ≤ ε The probability is over the random secret and the randomness in the evolution of the state
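The distance Δ above is statistical (total variation) distance; for concreteness, a small helper over explicitly represented distributions (a sketch, the lecture fixes no representation):

```python
def statistical_distance(P, Q):
    """Total variation distance between two distributions given as dicts
    mapping outcomes to probabilities:
        Delta(P, Q) = (1/2) * sum_x |P(x) - Q(x)|."""
    support = set(P) | set(Q)
    return 0.5 * sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in support)

# Two distributions at distance 0.2:
print(statistical_distance({'a': 0.5, 'b': 0.5}, {'a': 0.7, 'b': 0.3}))
```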
Algorithm for learning ACDs Theorem: For any ε, δ > 0 and any ACD, there is an algorithm that activates the system for O(s) rounds and (ε,δ)-learns the ACD. Repeat until success (or give up): If there is a very-high-weight subset A of initial secret states whose induced distributions are pairwise close: • Close = statistical distance less than ε • High weight = at least 1-δ/2 then output the distribution induced by any h ∈ A. Else, activate the ACD and obtain the next public state. (A sketch of this loop follows.) Claim: if the algorithm terminates in the loop, then with probability at least 1-δ/2, Δ(Dk, h) ≤ ε, conditioned on the public states seen so far
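A brute-force sketch of the loop for toy state spaces, reusing statistical_distance from above (my own rendering, under the assumption that the learner can enumerate all 2^s initial secrets and compute each secret's induced next-state distribution given the public history):

```python
def learn_acd(acd, induced_dist, secrets, posterior, eps, delta, max_rounds):
    """posterior: dict secret -> Pr[secret | public states seen so far].
    induced_dist(secret, history): dict giving the distribution of the next
    public state for a run started from that secret.
    Returns a hypothesis distribution h, or None if we give up."""
    history = []
    for _ in range(max_rounds):
        dists = {s: induced_dist(s, history) for s in secrets}
        # Success test: some secret whose eps-ball of induced distributions
        # carries posterior weight at least 1 - delta/2.
        for s in secrets:
            ball = [t for t in secrets
                    if statistical_distance(dists[s], dists[t]) < eps]
            if sum(posterior[t] for t in ball) >= 1 - delta / 2:
                return dists[s]               # output the hypothesis h
        p = acd.step()                        # else: activate, observe next state
        history.append(p)
        for s in secrets:                     # Bayes update of the posterior
            posterior[s] *= dists[s].get(p, 0.0)
        total = sum(posterior.values())
        for s in secrets:
            posterior[s] /= total
    return None
```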
Analysis • Main parameter for showing that the algorithm advances: the entropy of the initial secret • Key lemma: if the high-weight condition does not hold, then the expected entropy drop of the initial secret in the next round is high • at least Ω(ε²δ²) • After O(s) iterations not much entropy is left The (Shannon) entropy of X is H(X) = -∑x PX(x) log PX(x) The constant in the O(s) depends on ε and δ
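The analysis can be mirrored numerically: track the Shannon entropy of the posterior over the initial secret and watch it drop after an informative observation (the posterior values below are hypothetical, purely illustrative):

```python
from math import log2

def shannon_entropy(posterior):
    """H(X) = -sum_x P(x) * log2 P(x), over the current posterior."""
    return -sum(p * log2(p) for p in posterior.values() if p > 0)

before = {'k0': 0.25, 'k1': 0.25, 'k2': 0.25, 'k3': 0.25}
after  = {'k0': 0.70, 'k1': 0.10, 'k2': 0.10, 'k3': 0.10}  # after one observation
print(shannon_entropy(before) - shannon_entropy(after))    # the entropy drop
```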
Efficiency of the Algorithm • Would like to be able to learn every ACD where D is an efficiently computable function Theorem: One-way functions exist iff there is an efficiently computable ACD D and some ε, δ > 0 for which it is (ε, δ)-hard to learn D
Memory Checkers: how to check a large and unreliable memory • Store and retrieve requests to a large adversarial memory: a vector in {0,1}n • Detects whether the answer to any retrieve was different from the last store • Uses a small, secret, reliable memory: space complexity s(n) • Makes its own store and retrieve requests: query complexity t(n) [Figure: user U ↔ memory checker C (with secret memory S of s(n) bits) ↔ public memory P, accessed t(n) bits per request]
Computational assumptions and memory checkers • For offline memory checkers no computational assumptions are needed: • Probability of failing to detect errors: ε • Query complexity: t(n) = O(1) (amortized) • Space complexity: s(n) = O(log n + log 1/ε) • For online memory checkers, good schemes are known under computational assumptions: • Query complexity: t(n) = O(log n) • Space complexity: s(n) = nε (for any ε > 0) • Probability of not detecting errors: negligible Main result: computational assumptions are necessary for sublinear schemes
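For intuition about the online upper bound, here is a minimal sketch in the spirit of the tree-based constructions recapped earlier. It is a simplified variant, not the lecture's exact scheme: the secret reliable memory holds a single root hash, and each operation touches O(log n) public cells, with security resting on collision resistance of SHA-256.

```python
import hashlib

def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

class TreeChecker:
    """Public memory: the data leaves plus a binary hash tree over them.
    Secret reliable memory: only the root hash. Reads verify a leaf-to-root
    path, writes update it -- so t(n) = O(log n)."""
    def __init__(self, n):
        self.n = n
        self.pub = ['0'] * (2 * n)            # adversary-controlled memory
        for i in range(n - 1, 0, -1):
            self.pub[i] = _h(self.pub[2 * i] + self.pub[2 * i + 1])
        self.root = self.pub[1]               # small secret reliable memory

    def store(self, i, bit):
        i += self.n
        self.pub[i] = str(bit)
        while i > 1:                          # update the O(log n) path
            i //= 2
            self.pub[i] = _h(self.pub[2 * i] + self.pub[2 * i + 1])
        self.root = self.pub[1]

    def retrieve(self, i):
        """Returns the bit, or None if tampering is detected."""
        i += self.n
        leaf = node = self.pub[i]
        while i > 1:                          # recompute the path to the root
            sib = self.pub[i ^ 1]
            node = _h(node + sib) if i % 2 == 0 else _h(sib + node)
            i //= 2
        return int(leaf) if node == self.root else None

mc = TreeChecker(8)
mc.store(3, 1)
print(mc.retrieve(3))   # -> 1
mc.pub[8 + 3] = '0'     # adversary tampers with public memory
print(mc.retrieve(3))   # -> None (tampering detected)
```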
Recall: Memory Checker → Authenticator If there exists an online memory checker with • space complexity s(n) • query complexity t(n) then there exists an authenticator with • space complexity O(s(n)) • query complexity O(t(n)) Strategy for showing the lower bound on memory checking: show it for authenticators
The Lower Bound Theorem 1 [Tight lower bound]: For any online memory checker (authenticator) secure against a computationally unbounded adversary, s(n) × t(n) is Ω(n)
Memory Checkers and One-Way Functions Breaking the lower bound implies one-way functions. Theorem 2: If there exists an online memory checker (authenticator) • working in polynomial time • secure against polynomial-time adversaries • with query and space complexity s(n) × t(n) < c · n (for a specific c > 0) then there exist functions that are hard to invert for infinitely many input lengths ("almost one-way" functions)
Program for showing the lower bound: • Prove lower bound: • First a simple case • By a reduction to the consecutive message model • Then the generalized reduction
Simultaneous Messages Protocols [Figure: Alice holds x ∈ {0,1}n and sends mA to Carol; Bob holds y ∈ {0,1}n and sends mB to Carol; Carol outputs f(x,y)] • For the equality function: |mA| × |mB| = Ω(n) [Babai Kimmel 1997]
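The Ω(n) bound is tight: Θ(√n)-bit messages suffice. Below is a sketch of the standard matching upper bound (my rendering, with a random linear code standing in for a good error-correcting code): encode each input with a constant-relative-distance code, arrange the codeword as a √N × √N matrix, have Alice send a random row and Bob a random column, and let Carol compare the intersection entry.

```python
import random

random.seed(1234)                       # fixed code description, part of the protocol
n, N_side = 64, 16                      # message length; codeword is 16x16 = 256 bits
N = N_side * N_side
M = [[random.getrandbits(1) for _ in range(n)] for _ in range(N)]

def encode(x):
    """Random linear code C(x) = Mx over GF(2): constant relative distance
    with high probability, so distinct inputs disagree on many entries."""
    return [sum(m * b for m, b in zip(row, x)) % 2 for row in M]

def alice(x):
    cw = encode(x)
    i = random.randrange(N_side)        # random row index
    return i, [cw[i * N_side + j] for j in range(N_side)]

def bob(y):
    cw = encode(y)
    j = random.randrange(N_side)        # random column index
    return j, [cw[i * N_side + j] for i in range(N_side)]

def carol(msg_a, msg_b):
    (i, row), (j, col) = msg_a, msg_b
    return row[j] == col[i]             # accept iff the intersection agrees

x = [random.getrandbits(1) for _ in range(n)]
y = list(x); y[0] ^= 1
print(carol(alice(x), bob(x)))          # x == y: always accepts
print(carol(alice(x), bob(y)))          # x != y: rejects with constant probability
```

Constantly many independent row/column repetitions drive the error down while keeping both messages O(√n).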
Consecutive Messages Protocols [Figure: as in the SM model, but with a public random string rpub; Alice (holding x ∈ {0,1}n) sends a private message mA to Carol and a public message mP seen by Bob; Bob (holding y ∈ {0,1}n) then sends mB to Carol, who outputs f(x,y)] Theorem: For any CM protocol that computes the equality function, if |mP| ≤ n/100 then |mA| × |mB| = Ω(n) (In the reduction below, |mA| corresponds to s(n) and |mB| to t(n))
The Reduction Idea: Use an authenticator to construct a CM protocol for equality testing
Recall: Authenticators: how to authenticate a large and unreliable memory with a small and secret memory • E encodes x ∈ {0,1}n using randomness r into a public encoding px = Epublic(x, r) and a secret encoding sx = Esecret(x, r) of s(n) bits • V reads the secret encoding and t(n) bits of the (possibly modified) public encoding py, then accepts or rejects • D decodes x from an unmodified public encoding [Figure: E produces (px, sx); the adversary may replace px with py; V probes t(n) bits of py using sx and accepts or rejects]
A Simple(r) Construction Simplifying Assumption: V chooses which indices of the public encoding to access independently of the secret encoding In particular: adversary knows the access pattern distribution
[Figure: the simple CM protocol from an authenticator. Alice encodes x ∈ {0,1}n and sends the secret encoding sx as mA; Bob constructs the public encoding py of y and sends as mB the bits V would probe (their locations are fixed by the public randomness, using the simplifying assumption); Carol simulates V on sx and those bits, and accepts iff V accepts.]
To show it works Must show: • When x = y, the CM protocol accepts • (otherwise the authenticator would be rejecting even though no changes were made) • How to translate an adversary for the CM protocol that makes it accept when x ≠ y into an adversary that cheats the verifier
Why It Works (1) Claim: If (E,D,V) is an authenticator, then the CM protocol is good. Correctness when x = y: Alice and Bob should use the same public encoding of x; to do this, use rpub as the randomness for the encoding
Why It Works (2) Security: suppose an adversary for the CM protocol breaks it, i.e., makes Carol accept when x ≠ y. Want to show: it can break the authenticator as well • Tricky: the "CM adversary" sees rpub! • This might leak information, since sx is chosen as Esecret(x, rpub) • Solution: for sx, Alice selects different real randomness giving the same public encoding (rerandomizing): • Choose r' ∈R Epublic-1(x, rpub), i.e., a uniformly random r' with Epublic(x, r') = Epublic(x, rpub) • Let sx = Esecret(x, r') • Exactly the same information is available to the authenticator adversary as in a regular execution • The public encoding px = Epublic(x, r') is unchanged • Hence: the probability of cheating is the same Conclusion: s(n) × t(n) is Ω(n)
The Rerandomizing Technique Always choose `at random’ the random coins consistent with the information you have
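A brute-force sketch of the technique for toy parameters (entirely illustrative: e_public and e_secret are hypothetical stand-ins, and real coin spaces are far too large to enumerate, but the principle of sampling fresh coins uniformly from the set consistent with the observed information is the same):

```python
import random

def e_public(x, r):
    """Toy public encoding: xor of x with the low bits of r (hypothetical)."""
    return x ^ (r & 0xFF)

def e_secret(x, r):
    """Toy secret encoding, depending on coins the public part doesn't fix."""
    return (x * 131 + r) & 0xFFFF

def rerandomize(x, r_pub, coin_space=range(2**16)):
    """Sample r' uniformly from E_public^{-1}(x, E_public(x, r_pub)):
    all coins giving the SAME public encoding the adversary already saw."""
    target = e_public(x, r_pub)
    consistent = [r for r in coin_space if e_public(x, r) == target]
    return random.choice(consistent)

x, r_pub = 0x5A, random.randrange(2**16)
r_new = rerandomize(x, r_pub)
assert e_public(x, r_new) == e_public(x, r_pub)   # same public view
print(e_secret(x, r_new))   # fresh secret encoding, uniform given the public view
```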
Why it doesn't always work • What if the verifier uses the secret encoding to determine its access pattern distribution? • The simple lower bound applies to "one-time" authenticators • where the adversary sees only a single verification • Is the bound still true without the simplifying assumption?
"One-Time Authenticators" [Figure: E encodes x ∈ {0,1}n into a secret encoding and a public encoding E(x); V probes a few bits of the public encoding and accepts] • There is a one-time authenticator with space complexity O(log n) and query complexity O(1), so the Ω(n) bound fails in the one-time setting • Lesson: use the fact that V is secure when run many times
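A sketch of such a one-time scheme (the folklore construction as I understand it; the random linear code is a stand-in for any good error-correcting code): the public encoding is a codeword, and the secret is O(1) random codeword positions with their bits. One verification is sound, since changing the decoded value requires changing a constant fraction of the codeword, but the watched positions are exposed once the adversary observes a verification, so the scheme is not reusable.

```python
import random

random.seed(7)
n, N = 32, 128                       # message length; codeword length
M = [[random.getrandbits(1) for _ in range(n)] for _ in range(N)]

def ecc(x):
    """Random linear code: constant relative distance with high probability."""
    return [sum(m * b for m, b in zip(row, x)) % 2 for row in M]

def encode(x, k=8):
    """Public encoding: the codeword. Secret encoding: k random positions and
    their bits, i.e. O(k log N) = O(log n) bits, checked with k = O(1) probes."""
    cw = ecc(x)
    watched = [(i, cw[i]) for i in random.sample(range(N), k)]
    return cw, watched

def verify(public_cw, watched):
    """Accepts iff every watched position is unchanged. To alter the decoded
    value the adversary must change a constant fraction of positions, so some
    watched position catches the change with constant probability."""
    return all(public_cw[i] == b for i, b in watched)

x = [random.getrandbits(1) for _ in range(n)]
public, secret = encode(x)
print(verify(public, secret))        # unmodified: accept
```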
Progress: • Prove lower bounds: • First a simple case • Then the generalized reduction • A discussion of one-way functions
Authenticators: Access Pattern Access pattern: the indices accessed by V and the bit values read. Access pattern distribution: the distribution of the access pattern in V's next activation, given: • E's initial secret string • Past access patterns Randomness: over V's coin tosses in all its activations. We want to be able to state: the adversary knows the access pattern distribution, even though it can't see E's secret output.
[Figure: the access pattern distribution. E encodes x ∈ {0,1}n into a secret sx and a public encoding; V is activated repeatedly on (possibly modified) public encodings; given the secret sx, the past activations, and the randomness, the probes of the next activation follow a well-defined distribution.]
Learning the Access Pattern Distribution • Important lesson: if the adversary doesn't know the access pattern distribution, then V is "home free" • In the "one-time" example, a single verification exposes the secret indices! • Lesson: activate V many times and "learn" its distribution • Recall: learning adaptively changing distributions
Connection to memory checking and authentication: learning the access pattern distribution Corollary of the ACD Learning Theorem: For any ε, δ > 0 and any x, when: • E is activated on x, with secret output sx • The adversary activates V at most O(s(n)/ε²δ²) times • The adversary learns a secret encoding sL px: the final public encoding reached Dp(s): the access pattern distribution in the next activation, on public encoding p with initial secret s Randomness: over the activations of E and V Guarantee: with probability at least 1-δ, the distributions Dpx(sx) and Dpx(sL) are ε-close (statistically)
[Figure: the CM protocol, case x = y. Alice encodes x ∈ {0,1}n and sends the secret encoding sx; using the public randomness rpub, the learning phase on the public encoding px yields the access patterns a and the learned secret sL; Bob sends the probed bits of px; Carol simulates V and accepts.]
Sampling by sL, simulating by sx The access pattern distributions under sL and sx are ε-close: • Bob generates an access pattern a using sL • Carol selects a random string r from those that give a on secret input sx (rerandomization) • Carol simulates V using the random string r Claim: the distribution of r is ε-close to uniform
Does it Work? Security? The adversary sees sL! • Not a problem: it could have learned sL on its own What about y ≠ x?
Recap (1) Adversary wants to know access pattern distribution • Can learn access pattern distribution • Saw protocol that accepts when y=x • What about y≠x?
[Figure: the CM protocol, case y ≠ x. Alice sends sx together with (a, sL) learned from px via rpub; Bob probes his public encoding py according to sL and sends the bits read; whether Carol's simulated V still works is now unclear, since sL was learned on px, not on py.]
Does it Work? (2) • Will this also work when y ≠ x? • No! Big problem for the adversary: • it can learn the access pattern distribution on the correct and unmodified public encoding… • but it really wants the distribution on a different, modified encoding! • The distributions under sx and sL may be: • very close on the unmodified encoding (px) • very far on any other encoding (e.g. py) • The adversary can't hope to learn the distribution on a modified public encoding • Not enough information/iterations
Back to The Terminator: TERMINATOR: What's the dog's name? JOHN: Max. TERMINATOR: Hey, Janelle, what's wrong with Wolfy? I can hear him barking. Is he okay? T-1000 (impersonating Janelle): Wolfy's fine, honey. Where are you? Terminator hangs up: Your foster parents are dead. Let's go.
Recap (2) Adversary wants to know access pattern distribution • Can learn access pattern distribution • Saw protocol that accepts when y=x • What about y≠x? • Big problem: can’t “learn” the access pattern distribution in this case!
Bait and Switch (1) • Intuition: if Carol knows sx and sL, and they give different distributions, then she can reject • Concrete idea: Bob always uses sL to determine the access pattern; Carol checks whether the distributions are close or far • This is a "weakening" of the verifier; we need to show it is still secure
Bait and Switch (2) • Give Carol access to sx and to sL; also give her the previous access patterns (a) • Bob got public encoding p • Recall Dp(sx) and Dp(sL): • the access pattern distributions on public encoding p, with sx and sL as the initial secret encodings
[Figure: the two access pattern distributions Dp(sx) and Dp(sL) induced on the same public encoding p by the initial secrets sx and sL.]
Bait and Switch (3) • If only Carol could compute Dp(sx) and Dp(sL)… she would check whether they are ε-close: • If they are far, then p cannot be the "real" public encoding: reject! • If they are close, then: • use sL to determine the access pattern • simulate V with sx and that access pattern
Bait and Switch (4) • Last problem: • V' cannot compute the distributions Dp(sx) and Dp(sL) without reading all of p (V may be adaptive) • Observation: • V' can compute the probability of any access pattern for which all the bits read from p are known • Solution: • Sample O(1) access patterns from Dp(sL) and use them to approximate the distance between the two distributions (see the sketch below) • This sampling is the only operation we use that is not a random-inverse (rerandomization) step
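A sketch of that approximation (my formulation): since Δ(P, Q) equals the expectation, over a drawn from Q, of max(0, 1 - P(a)/Q(a)), sampling access patterns from Dp(sL) and evaluating each sample's probability under both secrets yields an unbiased estimate of the distance.

```python
import random

def estimate_distance(sample_Q, prob_P, prob_Q, m=64):
    """Estimate Delta(P, Q) from m samples of Q via the identity
    Delta(P, Q) = E_{a ~ Q}[ max(0, 1 - P(a)/Q(a)) ].
    sample_Q draws one access pattern; prob_P / prob_Q evaluate its
    probability under the two initial secrets (computable by V' once all
    the bits read from p are known)."""
    total = 0.0
    for _ in range(m):
        a = sample_Q()
        total += max(0.0, 1.0 - prob_P(a) / prob_Q(a))
    return total / m

# Toy check: two distributions on {0, 1} at statistical distance 0.2.
P = {0: 0.5, 1: 0.5}
Q = {0: 0.7, 1: 0.3}
est = estimate_distance(lambda: 0 if random.random() < 0.7 else 1,
                        lambda a: P[a], lambda a: Q[a], m=10_000)
print(est)   # concentrates around 0.2
```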
[Figure: the full CM protocol. Alice sends sx and (a, sL) learned from px via rpub; Bob probes py according to Dp(sL) and sends the bits read; Carol first estimates whether the distributions under sx and sL are close: if far, she rejects; if close, she simulates V with sx on the sampled access pattern, accepting iff V accepts.]