
Formal Representation of Polynomial-Time Algorithms and Security

Formal Representation of Polynomial-Time Algorithms and Security. Bruce Kapron University of Victoria June 9, 2004. Poly-time Function(als) in Cryptography. Probabilistic polynomial time (PPT) function(al)s play a central role in (asymptotic) complexity-based cryptography and security



  1. Formal Representation of Polynomial-Time Algorithms and Security Bruce Kapron University of Victoria June 9, 2004

  2. Poly-time Function(als) in Cryptography • Probabilistic polynomial time (PPT) function(al)s play a central role in (asymptotic) complexity-based cryptography and security • Appear in the definition of: primitives, adversaries, reductions, verifiers, provers, simulators, …

  3. PPT Functions in Cryptography • Central concerns: • Defining PPT functions or functionals • Proving that these functions satisfy appropriate properties • What does this mean for formalization? • Explicit vs. implicit representations • At what level should we be reasoning about PPT functions?

  4. Formalizing PPT Functions • Do we really need to do this? • Useful for “low-level” arguments (e.g. soundness proofs) • Can be directly applied in a “high-level” setting, e.g. [MRST 2004] • Possibility of “bottom-up” formalization • Other payoffs: e.g., extraction of reductions from proofs

  5. Implicit vs. Explicit Reasoning • E.g., reductions between primitives • Have a PPT mapping M taking any instance f of X to an instance M(f) of Y • Security of f implies security of M(f) • Can show this with a reduction, i.e., a PPT mapping S taking any adversary A breaking M(f) to an adversary S(A) breaking f • Can we formulate proof systems which guarantee a reduction (do all proof systems do this?)

  6. Formal representation of poly-time functions • We typically use probabilistic TM’s in cryptographic arguments • TM’s lack of structure makes formal reasoning difficult • One approach is to use models with an inductively defined syntax

  7. Some History • Beginning with [Cobham, 1964], there have been numerous function algebras proposed which characterize poly-time functions – outgrowth of earlier work in subrecursion • Focus has been on deterministic computation without oracles • Later work considers randomization [LMMS 2000], [IK 2004] and oracle computation [Constable 1972], [Mehlhorn 1976], [KC 1996]

  8. Function Algebras • f_1, f_2, …, f_k – collection of initial functions • S_1, S_2, …, S_l – collection of closure schemes • [f_1, …, f_k; S_1, …, S_l] – smallest class containing f_1, …, f_k and closed under S_1, …, S_l • Can we capture FPTIME, the class of all poly-time functions?

  9. Recursion on Notation • Use primitive recursion on the binary notation of the recursion parameter to capture polynomial time: f(x,0) = g(x); f(x,s_0(y)) = h_0(x,y,f(x,y)); f(x,s_1(y)) = h_1(x,y,f(x,y))

  10. Recursion on Notation • Problem with this scheme: iterating a poly-time function a polynomial number of times can produce functions with exponential growth rate • Define: f(x) = x^2, g(y) = f^{|y|}(2) • Then f^k(2) = 2^{2^k}, so |g(y)| = 2^{|y|} + 1: the output length is exponential in |y|

  11. Bounded Recursion on Notation (BRN) [Cobham, 1964] f(x,0) = g(x); f(x,s_0(y)) = h_0(x,y,f(x,y)); f(x,s_1(y)) = h_1(x,y,f(x,y)); subject to the side condition |f(x,y)| ≤ |k(x,y)| for a previously defined k

  12. Bounded Recursion on Notation and Poly-time • Let s_i(x) = 2x + i (i = 0,1), #(x) = 2^{|x|·|x|}, and let I denote the set of all projection functions. f is defined from g, h by composition (COMP) if f(x) = h(x, g(x)) • Theorem [Cobham, 1964]: [0, s_0, s_1, #, I; COMP, BRN] = FPTIME

  13. Drawbacks of BRN • The need for an explicit size-bound in BRN is problematic in proofs • In general, bounding is not decidable • Term definition requires a bounding proof – circularity problem • One solution: modify BRN to only allow h_i with |h_i(x,y,z)| ≤ |k_i(x,y)| + |z|
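The schemes of slides 9 to 13 as an added example, written in Python for this page (it is not code from the talk): the unbounded recursion on notation, Cobham's BRN with the |f(x,y)| ≤ |k(x,y)| side condition checked at every recursion step, the squaring iteration of slide 10 whose output length is exponential, and a legitimate BRN definition (x·2^{|y|}) that satisfies its bound. Integers stand for binary strings, |x| is the bit length, the unary smash # follows slide 12, and all function names (`recursion_on_notation`, `smash`, `shift_by_length`, …) are this example's own.

```python
"""Added example (not from the slides): recursion on notation as a Python
combinator, Cobham's BRN bound checked at each step, and the slide-10
squaring iteration that the bound rejects.  Ints stand for binary strings;
|x| is x.bit_length().  Function names are this example's own."""


def length(x: int) -> int:
    """|x|: length of the binary notation of x (|0| = 0)."""
    return x.bit_length()


def smash(x: int) -> int:
    """Unary smash of slide 12: #(x) = 2^(|x|*|x|), so |#(x)| = |x|^2 + 1."""
    return 1 << (length(x) * length(x))


def recursion_on_notation(g, h0, h1):
    """Unbounded scheme of slide 9:
        f(x, 0)     = g(x)
        f(x, s0(y)) = h0(x, y, f(x, y))      s0(y) = 2y
        f(x, s1(y)) = h1(x, y, f(x, y))      s1(y) = 2y + 1
    The recursion runs |y| steps, so the *number* of steps is polynomial;
    nothing stops each step from doubling the length of the value."""
    def f(x: int, y: int) -> int:
        if y == 0:
            return g(x)
        prev = f(x, y >> 1)                     # y = s_i(y >> 1), i = y & 1
        return (h1 if y & 1 else h0)(x, y >> 1, prev)
    return f


def bounded_recursion_on_notation(g, h0, h1, k):
    """Cobham's BRN of slide 11: the same equations plus the side condition
    |f(x, y)| <= |k(x, y)| for a previously defined k, enforced here at every
    step.  In the function algebra this is a proof obligation attached to the
    definition (the circularity problem of slide 13); here it is a runtime check."""
    def f(x: int, y: int) -> int:
        if y == 0:
            value = g(x)
        else:
            value = (h1 if y & 1 else h0)(x, y >> 1, f(x, y >> 1))
        bound = k(x, y)
        if length(value) > length(bound):
            raise ValueError(
                f"BRN bound violated at y={y}: |f|={length(value)} > |k|={length(bound)}")
        return value
    return f


def iterated_square(y: int) -> int:
    """Slide 10: g(y) = f^{|y|}(2) with f(x) = x^2, as recursion on notation.
    Since f^k(2) = 2^(2^k), |g(y)| = 2^|y| + 1: exponential in the input length."""
    square = lambda x, y, z: z * z
    return recursion_on_notation(lambda x: x, square, square)(2, y)


def shift_by_length(x: int, y: int) -> int:
    """x * 2^|y| as a legitimate BRN definition: f(x,0) = x, f(x,s_i(y)) = s0(f(x,y)),
    with bound k(x,y) = #(x+y); |f(x,y)| = |x| + |y| <= |x+y|^2 + 1 = |k(x,y)| always holds."""
    double = lambda x, y, z: 2 * z
    f = bounded_recursion_on_notation(lambda x: x, double, double, lambda x, y: smash(x + y))
    return f(x, y)


def bounded_square_accepted(y: int) -> bool:
    """The squaring iteration under BRN with the same bound k(x,y) = #(x+y).
    The check fails once 2^|y'| + 1 > |2+y'|^2 + 1 for some prefix y' of y's
    notation, i.e. the definition is rejected: this is what keeps the algebra in FPTIME."""
    square = lambda x, y, z: z * z
    f = bounded_recursion_on_notation(lambda x: x, square, square, lambda x, y: smash(x + y))
    try:
        f(2, y)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for y in (3, 7, 15):
        print(f"|y|={length(y)}: |g(y)|={length(iterated_square(y))}")
    print("x*2^|y| for x=5, y=6:", shift_by_length(5, 6))
    print("squaring accepted under BRN for y=8:", bounded_square_accepted(8))
    print("squaring accepted under BRN for y=16:", bounded_square_accepted(16))
```

The bound is deliberately checked at every level of the recursion rather than only on the final value: Cobham's condition constrains every f(x,y′) for the prefixes y′ of y, which is why the squaring iteration is already rejected at y = 16 even though the bound happens to hold with equality at y = 8.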

  14. Safe Recursion on Notation [Bellantoni & Cook, 1992] • Idea: only allow recursion to iterate functions which are not already defined by recursion • Requires a typing of function parameters as either safe or normal – operations on safe inputs do not increase length by more than an additive constant

  15. Safe Composition and Recursion on Notation • Composition scheme prevents safe inputs from being substituted into normal positions: f(x; a) = h(r(x; ); t(x; a)), where x is normal and a is safe (written left and right of the semicolon); the functions r feeding the normal positions of h take no safe input

  16. Safe Recursion on Notation f(0, x; a) = g(x; a); f(s_i(y), x; a) = h_i(y, x; a, f(y, x; a)) • No external bound required – basis for a purely type-theoretic characterization of poly-time [Hofmann 1999], later used by [LMMS 2000] to get a term algebra for probabilistic polynomial time

  17. Full Concatenation Recursion on Notation (FCRN) [Ishihara 1999] • Based on CRN [Clote 1990], which can be used to characterize AC^0: f(x,0) = g(x); f(x,s_0(y)) = f(x,y) ∘ sg(h_0(x,y,f(x,y))); f(x,s_1(y)) = f(x,y) ∘ sg(h_1(x,y,f(x,y))) (∘ is concatenation and sg the sign function, so each step appends a single bit)

  18. Equivalence Let msp(x,y) = ⌊x / 2^{|y|}⌋, c(x,y,z) = if x mod 2 = 0 then y else z, and F_1 = [0, I, s_0, s_1, c, msp, #; COMP, FCRN] F_2 = [0, I, s_0, s_1, c, msp; SCOMP, SRN] F_3 = [0, I, s_0, s_1, #; COMP, BRN] Then FPTIME = F_1 = F_2′ = F_3, where F_2′ is the set of functions of F_2 taken with all parameters normal

  19. Proof Systems • PV [Cook 1975]: terms are built up from variables and function symbols for F_3; formulas are equations between terms • Defining equations for every term of F_3 are included as axioms – need more initial functions • Rules include reflexivity, symmetry and transitivity, rules for substitution, and induction on notation

  20. Induction on Notation • Counterpart to definition by BRN: from f_1(x,0) = g(x), f_2(x,0) = g(x), f_1(x,s_i(y)) = h_i(x,y,f_1(x,y)) and f_2(x,s_i(y)) = h_i(x,y,f_2(x,y)) conclude f_1(x,y) = f_2(x,y) (two functions satisfying the same BRN equations are equal)

  21. Beyond PV • Extensions • PV1 [Cook 1975] – adds propositional connectives • CPV, IPV [Cook Urquhart 1993] – add first-order logic • Can obtain more natural induction rules, e.g. for appropriate φ: (φ(0) ∧ ∀x(φ(⌊x/2⌋) → φ(x))) → ∀x φ(x)

  22. Beyond PV • Implicit formal systems also possible, e.g. S^1_2 [Buss 1986] – poly-time functions are those definable in the system by a class of bounded formulas and provably total using limited induction on notation • S^1_2(PV) is conservative over PV

  23. Adding Randomization • [Impagliazzo Kapron 2004] takes the following approach: terms are PV terms or of the form x ←_R {0,1}^{p(n)}. t or i ←_R [p(n)]. t, where t is a term (x is sampled uniformly from p(n)-bit strings, i uniformly from [p(n)] = {0, …, p(n)−1}) • Formulas have the form u ≈ v (u, v closed) • Intended interpretation of formulas: the ensembles represented by u and v are computationally indistinguishable

  24. “Induction” for Computational Indistinguishability H-IND rule: from i ←_R [p(n)]. t(i) ≈ i ←_R [p(n)]. t(i+1) conclude t(0) ≈ t(p(n)) (the hybrid argument: a distinguisher for the two endpoints yields, after a uniform choice of i, a distinguisher for adjacent hybrids whose advantage is smaller by a factor of p(n))

  25. Other Rules UNIV: from PV ⊢ t(x) = s(x) conclude x ←_R {0,1}^{p(n)}. t(x) ≈ x ←_R {0,1}^{p(n)}. s(x) SUB: from u ≈ v conclude t{u/x} ≈ t{v/x} Also need an EDIT rule for basic manipulation, e.g. x, y ←_R {0,1}^{p(n)}. x ∘ y ≈ z ←_R {0,1}^{2p(n)}. z (∘ is concatenation)

  26. A Methodology for Reduction Proofs • Start with an instance f of primitive X: introduce a new function symbol and axioms expressing the security property for X • Obtain an instance g of primitive Y in F_3[f] (F_3 with f added as an initial function), and prove that it satisfies the security property for primitive Y using the axioms for f • What about reduction of adversaries? Implicit – follows from soundness

  27. An Example • Stretching the output of a PRG [Goldreich Micali ’89] • Introduce a new function symbol f representing a PRG which stretches by 1 bit: x ←_R {0,1}^n. f(x) ≈ x ←_R {0,1}^{n+1}. x • Abbreviate: b(x) = f(x)_1, r(x) = f(x)_{2,…,|x|+1} (the remaining |x| bits), so f(x) = b(x) ∘ r(x)

  28. Example (contd) • Define by BRN: r′(x,0) = x, r′(x,i+1) = r(r′(x,i)); b′(x,0) = ε (the empty string), b′(x,i+1) = b′(x,i) ∘ b(r′(x,i)); f′(x,i) = b′(x,i) ∘ r′(x,i), so |f′(x,i)| = |x| + i • Claim: x ←_R {0,1}^n. f′(x,n) ≈ x ←_R {0,1}^{2n}. x

  29. Example (contd) • Need one lemma: PV ⊢ f′(x,i+1) = b(x) ∘ f′(r(x),i) (straightforward induction on i). By UNIV, x ←_R {0,1}^n, i ←_R [n]. f′(x,i+1) ≈ x ←_R {0,1}^n, i ←_R [n]. (b(x) ∘ f′(r(x),i)) Then from the definition of f (its output is indistinguishable from n+1 uniform bits), along with SUB and transitivity, we get x ←_R {0,1}^n, i ←_R [n]. f′(x,i+1) ≈ x ←_R {0,1}^{n+1}, i ←_R [n]. (x_1 ∘ f′(x_{2…n+1}, i))

  30. Example (contd) It then follows from SUB that x, z ←_R {0,1}^n, i ←_R [n]. (z_{1…n−(i+1)} ∘ f′(x,i+1)) ≈ z ←_R {0,1}^n, x ←_R {0,1}^{n+1}, i ←_R [n]. (z_{1…n−(i+1)} ∘ x_1 ∘ f′(x_{2…n+1}, i)) Define h(z,x,i) = z_{1…n−i} ∘ f′(x,i) (always 2n bits). Then from the preceding, with several applications of EDIT (z_{1…n−(i+1)} ∘ x_1 is n−i uniform bits and x_{2…n+1} is n uniform bits) and transitivity, we get: x, z ←_R {0,1}^n, i ←_R [n]. h(z,x,i) ≈ x, z ←_R {0,1}^n, i ←_R [n]. h(z,x,i+1)

  31. Example (contd) By H-IND, we obtain x, z ←_R {0,1}^n. h(z,x,0) ≈ x, z ←_R {0,1}^n. h(z,x,n) Since h(z,x,0) = z ∘ x and h(z,x,n) = f′(x,n), several applications of UNIV (to the definition of h), along with EDIT and transitivity, yield x ←_R {0,1}^n. f′(x,n) ≈ x ←_R {0,1}^{2n}. x

  32. The Full Example • By running backwards through this proof, we automatically construct, for any A breaking f′, an A′ breaking f, defined by: A′(y) = z ←_R {0,1}^n, i ←_R [n]. A(z_{1…n−(i+1)} ∘ y_1 ∘ f′(y_{2…|y|}, i)) (on y = f(x) the string handed to A is h(z,x,i+1); on uniform y it is distributed as h(z,x,i))
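The construction of slides 27 and 28, the objects the proof on slides 29 to 31 manipulates (the lemma, the hybrid h) and the adversary A′ read off the proof on slide 32, as an added Python example written for this page; it is not code from the talk. The 1-bit-stretching PRG f is a hypothetical SHA-256 stand-in that only serves to exercise the identities (it is not a proven PRG), bit strings are Python str over '0'/'1', ∘ is string concatenation, and i ←_R [n] is read as i uniform in {0, …, n−1}. The functions f, b, r, r_prime, b_prime, f_prime and h mirror the slides' f, b, r, r′, b′, f′, h; `reduction_query`, `make_reduction` and `check_proof_identities` are this example's own names.

```python
"""Added example (not from the slides): the PRG-stretching construction f',
the hybrid h, and the extracted adversary A', as executable bit-string code.
f is a hypothetical SHA-256 stand-in for a 1-bit-stretching PRG."""
import hashlib
import random
import secrets
from typing import Callable


def f(x: str) -> str:
    """Stand-in PRG (assumption, not a proven PRG): |x| = n bits in, n+1 bits out."""
    out, counter = "", 0
    while len(out) < len(x) + 1:               # SHA-256 in counter mode if n+1 > 256
        digest = hashlib.sha256((x + "|" + str(counter)).encode()).digest()
        out += "".join(format(byte, "08b") for byte in digest)
        counter += 1
    return out[: len(x) + 1]


def b(x: str) -> str:
    """b(x) = f(x)_1, the first output bit."""
    return f(x)[0]


def r(x: str) -> str:
    """r(x) = f(x)_{2..|x|+1}, the remaining |x| bits, so f(x) = b(x) + r(x)."""
    return f(x)[1:]


def r_prime(x: str, i: int) -> str:
    """r'(x,0) = x,  r'(x,i+1) = r(r'(x,i))."""
    for _ in range(i):
        x = r(x)
    return x


def b_prime(x: str, i: int) -> str:
    """b'(x,0) = empty,  b'(x,i+1) = b'(x,i) + b(r'(x,i))."""
    out, cur = "", x
    for _ in range(i):
        out, cur = out + b(cur), r(cur)
    return out


def f_prime(x: str, i: int) -> str:
    """f'(x,i) = b'(x,i) + r'(x,i), |x| + i bits; f'(x,n) is the 2n-bit stretch."""
    return b_prime(x, i) + r_prime(x, i)


def lemma_holds(x: str, i: int) -> bool:
    """Slide 29 lemma, PV |- f'(x,i+1) = b(x) + f'(r(x),i), on concrete x, i."""
    return f_prime(x, i + 1) == b(x) + f_prime(r(x), i)


def h(z: str, x: str, i: int) -> str:
    """Hybrid of slide 30: h(z,x,i) = z_{1..n-i} + f'(x,i), always 2n bits;
    h(z,x,0) = z + x and h(z,x,n) = f'(x,n)."""
    n = len(z)
    return z[: n - i] + f_prime(x, i)


def reduction_query(z: str, i: int, y: str) -> str:
    """String A' (slide 32) hands to A on an (n+1)-bit challenge y:
    z_{1..n-(i+1)} + y_1 + f'(y_{2..|y|}, i).  For y = f(x) this equals
    h(z,x,i+1) by the lemma; for uniform y it is a sample of h(z',x',i) (EDIT)."""
    n = len(z)
    return z[: n - (i + 1)] + y[0] + f_prime(y[1:], i)


def make_reduction(A: Callable[[str], bool], n: int) -> Callable[[str], bool]:
    """A'(y) = z <-R {0,1}^n, i <-R [n]. A(reduction_query(z,i,y)).  Averaging
    over i telescopes: if A has advantage e on f'(x,n) vs 2n uniform bits,
    A' has advantage e/n on f(x) vs n+1 uniform bits (this is what H-IND encodes)."""
    def A_prime(y: str) -> bool:
        z = "".join(secrets.choice("01") for _ in range(n))
        i = secrets.randbelow(n)
        return A(reduction_query(z, i, y))
    return A_prime


def check_proof_identities(n: int, trials: int, seed: int = 0) -> bool:
    """Exercise the identities the proof rests on, for random n-bit x, z and i in [n]."""
    rng = random.Random(seed)
    bits = lambda: "".join(rng.choice("01") for _ in range(n))
    for _ in range(trials):
        x, z, i = bits(), bits(), rng.randrange(n)
        if not (len(f(x)) == n + 1 and f(x) == b(x) + r(x)
                and lemma_holds(x, i)
                and len(h(z, x, i)) == 2 * n
                and h(z, x, 0) == z + x
                and h(z, x, n) == f_prime(x, n)
                and reduction_query(z, i, f(x)) == h(z, x, i + 1)):
            return False
    return True


if __name__ == "__main__":
    print("proof identities hold on random inputs:", check_proof_identities(8, 50))
    print("f'(1011, 4) =", f_prime("1011", 4))
```

`check_proof_identities` confirms the two facts the extracted reduction depends on: on a genuine PRG output the adversary A′ feeds A exactly the hybrid h(z,x,i+1), and on a uniform challenge it feeds a sample of h(z,x,i); the loss of a factor n in advantage is the price of the random choice of i, which is visible in the proof only as the single H-IND step.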

  33. Conclusions • Formal reasoning about PPT functions in cryptographic settings is doable in a fairly direct way – still seems far from practical application • Need to extend to more complex notions (e.g. pseudorandom functions, ZK) and arguments • Look for extensions of function algebras (e.g. process calculi) • Interesting theoretical questions (e.g. formalization of non-black-box arguments)
