Posted on 26-Mar-2015


On Black-Box Separations in Cryptography

Omer Reingold

Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and

Salil Vadhan

Crypto - The Merry “Old” Days

Cryptographic Protocols, Primitives, and Assumptions

(Diagram.)
Protocols and tasks: Identification, Digital Signatures, Encryption, Electronic Voting, Electronic Commerce.
Primitives: One-Way Functions, Pseudo-Random Generators, Trapdoor Permutations, Oblivious Transfer, Homomorphic Encryption, UOWHFs, ID Based Encryption, PIRs, Dense Crypto Systems.
Assumptions: Factoring, RSA, DDH, Strong RSA.

Determining the Relationships Among Different Primitives

Most tasks in complexity-based crypto imply P≠NP (or even OWF).

• Simplify our conception of the world.
• Construct protocols with as strong a security guarantee as possible.

Reductions: Given any implementation of primitive A, construct an implementation of primitive B.

Some Known Reductions

(Diagram of known reductions among primitives: OWF, PRG, PRF, MAC, ENC, COM, ZK, ID, UOWHF, SIG, TDP, PKE, OT, KA, CCA-PKE, CLAW-FREE, CF-HASH, NIZK.)

Are All Crypto Primitives Equivalent?

• If so: either no cryptography or Cryptomania!

• But some tasks seem “significantly harder” than others (e.g. private-key vs. public-key encryption).

• In what sense can we claim that primitive A does not imply primitive B if we believe that both exist?

After all, a reduction of B to A can ignore A and build B from scratch ...

Black-Box Separations – Where It Began

Impagliazzo-Rudich [89]

While it is not clear how to formalize/show non-implications in general, this can be done w.r.t. black-box reductions.

(Fully) Black-Box Reductions

Given a black-box implementation for primitive A, construct an implementation of primitive B.

(Diagram: A is given as a black box to the construction of B.)

Usually, still not structured enough to rule out: need a black-box proof of security (several flavors).

(Diagram: an adversary for B is turned, with black-box access to A, into an adversary for A.)

Such fully black-box reductions relativize (hold relative to every oracle).

What's not Black Box?

• No idea … ask Boaz …
• Oh well … the Cook-Levin reduction is used in:
  – OWF ⇒ “ZK proofs for all NP” [GMW91]. Non-BB carries on to applications:
    – Semi-honest OT ⇒ malicious OT [GMW87]
    – OWF ⇒ ID schemes [FFS88]
• Similarly, the circuit of f is used in secure computation of f [Yao86, GMW87].
  – [Beaver96] Few OTs + OWF -> Many OTs
• Barak’s non-BB ZK and subsequent results use both old and new non-BB techniques.

What do Black-Box Separations Mean?

• This talk will concentrate on the mathematical rather than the philosophical meaning. Still …

• Few non black-box techniques (and in limited settings). Inherent limitation on efficiency.

• Therefore, black-box separations are an explanation/indication of the hardness of finding reductions (esp. efficient ones).

• BB reductions are more robust: they work w.r.t. “physical implementations” of primitives.

What do Black-Box Separations Mean?

• Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)

Analogy from complexity:
• A Cook/Karp reduction of problem A to problem B is a black-box proof that B ∈ P ⇒ A ∈ P.
• SAT ∈ P ⇒ QBF2 ∈ P is true but inherently non-BB (QBF2 is “quantified Boolean formula with 2 alternations”).

What do Black-Box Separations Mean? Cont.

Examples from cryptography:
• TDP seems to be of different complexity than OWF. [IR89] supports this.
• Collision-resistant hashing might have seemed similar in nature to OWFs. [Simon98] challenged this (which is consistent with recent cryptanalytic attacks against popular hash functions).

What do Black-Box Separations Mean? Cont.

Guidance for black-box constructions?
• A particular construction cannot be proved in BB? It may be easier to change the construction than to overcome the obstacle.
• Examples:
  – Want to reduce Stat-Commit to OWF? Probably not a good approach: Stat-Commit -> OWP -> OWF.
  – [Myers04] shows no BB proof for one particular natural construction (static to adaptive security).

What do Black-Box Separations Mean? Cont.

Word of warning:
• Potentially, a non black-box proof may follow a black-box approach most of the way with a “small” non black-box fix.

Black-Box and Oracle Separations

• [IR89]: there exists an oracle relative to which one-way functions exist but key agreement does not:

No fully black-box reduction of key agreement to one-way functions.

• Many other BB separations/lower bounds [Rud91, Sim98, KST99, KSS00, GKM+00, GT00, GMR01, CHL02, ...]
  – Various notions of BB reductions, in particular not always implying an oracle separation (e.g. [GMR01]).

Crypto After IR (Impagliazzo’s Worlds)

(Diagram of primitives: Trapdoor Permutations, Public Key Encryption, Key Agreement, Secure Multi-Party Computation (OT), Private Key Encryption, One Way Functions, Digital Signatures, Pseudorandom Generators.)

Algorithmica, Heuristica, Pessiland

Not even a hierarchy of problems [GKMVR00]

This Talk

• [IR89]: The separation, its proof and interpretation of results.

• As many separations and proof intuitions. Focus on techniques and subtleties.

Beware: some cheating involved

The Impagliazzo-Rudich Results

• Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model:

For every KA (Alice, Bob) there is an Eve such that, for a random permutation f, Eve^f breaks (Alice^f, Bob^f).

• Cor 1: There is an oracle relative to which OWP exists and KA does not.

The oracle: (f, PSPACE), since P^PSPACE = NP^PSPACE.

• Cor 2: There is no fully-BB reduction from KA to OWP.

• Cor 3: …

[IR89] – Why f is OWP

• Intuitively obvious: when trying to invert f on some y = f(x), one has no chance unless one accidentally queries f on x.

• With q queries the chance for that is < 2q/2^n.

More formally: for M making q queries and n-bit y,

Pr_f[M^f(y) = f^{-1}(y)] < (2q+2)/2^n

• Fix n; by Markov, Pr_f { Pr_y[M^f(y) = f^{-1}(y)] > n²(2q+2)/2^n } < 1/n².

For every M, with prob. 1 over f, Pr_y[M^f(y) = f^{-1}(y)] > n²(2q+2)/2^n happens only finitely often (over n) ….

• With prob. 1 over f, for every M …

Why f is OWP Against Circuits

• Too many circuit families for a uniform argument (not enumerable).
• [GT00]: f is exponentially hard even against circuits.
• High-level idea: Consider C that makes q queries and ε-inverts f.
• C gives some non-trivial information on f ⇒ a compact description of f, relative to C.
• Loosely, the description of f contains two carefully chosen subsets X and Y and f restricted to {0,1}^n \ X:
  – f(X) = Y.
  – Y contains a ≥ 1/q fraction of the y’s on which C inverts.
  – X and Y allow reconstruction of f|X.
• Setting parameters correctly: #descriptions << (2^n)! ⇒ C can only ε-invert an exponentially small fraction of the f’s.

[IR89] – How Eve Finds the Secret

• Recall, we assume P=NP, and want to show that Eve^f breaks (Alice^f, Bob^f).

• P=NP implies that without f there is no cryptographic hardness. In particular, no KA!

• In fact, for the purpose of an oracle separation, we can essentially assume Eve, Alice and Bob are all-powerful and only bounded by the number of queries to f.

• In this setting, a clear characterization of “knowledge”: the queries made to f and its answers.

[IR89] – How Eve Finds the Secret Cont.

• If s is the key agreed by Alice and Bob, assume w.l.o.g. that both parties query f on s. Therefore s is an “intersection query”. It is enough that Eve finds all “likely” intersection queries.

Eve’s algorithm (oversimplified):
• Let T be the transcript of (Alice^f, Bob^f), and let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times:
  – Simulate: sample a random view of Alice which is consistent with T and L.
  – Update: Repeat all the “simulated queries” Alice makes, but this time to the real f. Insert them into L.
• Output a random query from L.

Intuition:
• Whenever simulated Alice is consistent with real Bob’s view, simulated Alice has a fair chance to query s.
• Any inconsistency reveals one of Bob’s queries. This can happen only a polynomial number of times.
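The simulate/update loop just described, run as an added example (not code from the talk) against a constructed toy: Merkle-puzzle key agreement in the random-oracle model with a domain of N=1024 points and 32 puzzles. The step “sample a view of Alice consistent with T and L” is implemented by the brute-force rule that a consistent preimage of puzzle j is either a point of L whose answer equals the puzzle or any point Eve has not yet queried; at this size no PSPACE oracle is needed, and all names and parameters are this example's own.

```python
import random

N, PUZZLES = 1024, 32   # oracle domain size and number of puzzles (constructed toy parameters)

class RandomOracle:
    """Lazily sampled random function f: [N] -> 64-bit values, counting real queries."""
    def __init__(self, rng):
        self.rng, self.table, self.queries = rng, {}, 0
    def f(self, x):
        self.queries += 1
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(64)
        return self.table[x]

def alice(oracle, rng):
    """Alice picks secret points x_1..x_n and publishes the puzzles f(x_i)."""
    secrets = rng.sample(range(N), PUZZLES)
    return secrets, [oracle.f(x) for x in secrets]

def bob(oracle, rng, puzzles):
    """Bob queries random points until one solves a puzzle; he sends only its index."""
    while True:
        x = rng.randrange(N)
        y = oracle.f(x)
        if y in puzzles:            # both parties have queried f on x: the intersection query
            return puzzles.index(y), x

def eve(oracle, rng, transcript, rounds):
    """IR-style eavesdropper: sample a view of Alice consistent with T and L, replay it to f."""
    puzzles, _index = transcript    # the index alone does not reveal x_i
    L, by_value, unqueried = {}, {}, list(range(N))
    while unqueried and (rounds := rounds - 1) >= 0:
        # Simulate: a consistent preimage of puzzle p is a point already in L whose
        # answer is p, or any point on which the simulated f' is still free to take p.
        view = [rng.choice(by_value.get(p, []) + unqueried) for p in puzzles]
        # Update: ask the real f the simulated queries and record them in L.
        for x in view:
            if x not in L:
                L[x] = oracle.f(x)
                by_value.setdefault(L[x], []).append(x)
                unqueried.remove(x)
    return L                        # the slides' Eve then outputs a random element of L

def run(seed=7):
    """Run Alice, Bob and Eve on one shared oracle; report agreement and query costs."""
    rng = random.Random(seed)
    oracle = RandomOracle(rng)
    secrets, puzzles = alice(oracle, rng)
    index, bob_key = bob(oracle, rng, puzzles)
    honest = oracle.queries         # Alice's PUZZLES queries plus Bob's
    L = eve(oracle, rng, (puzzles, index), rounds=N)
    return {"agree": secrets[index] == bob_key, "key_in_L": secrets[index] in L,
            "q_honest": honest, "q_eve": oracle.queries - honest}
```

The honest parties spend on the order of 2·sqrt(N) queries between them while Eve's list L grows to the order of N points before it is guaranteed to contain the key, which is exactly the polynomial gap the slides say Eve can always close; `run()["key_in_L"]` reports whether the agreed key landed in L.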

[IR89] Results – Revisited

• Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model.

• Cannot get a more natural and meaningful separation.

• How can a reduction overcome this separation?
• Traditional interpretation: to overcome the separation, the construction of KA must use the code of the OWP.

• [RTV04] shows that there is no limitation in using the OWP as a black box in the construction of KA. The separation might be overcome using the code of the adversary in the proof of security (as in [Bar01, Bar02]).

Taxonomy of Black-Box Reductions I (the case OWF ⇒ KA) [RTV04]

Black-box implementation:

∃ eff. (Alice, Bob) s.t. ∀ OWF f, (Alice^f, Bob^f) is a secure KA.
Proof of security: Eve breaking (Alice^f, Bob^f) ⇒ Adv inverting f.

Fully-BB reduction: ∃ eff. Adv ∀ Eve (even not eff.)
[ Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f ]

Semi-BB reduction: ∀ eff. Eve ∃ eff. Adv
[ Eve^f breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f ]

[IR89]: No relativizing, thus also no fully-BB; if P=NP, no semi-BB.

Semi-BB vs. Relativizing

Semi: BB implementation with an arbitrary proof of security? No: [RTV04] No relativizing ⇒ No semi-BB.

• Proof idea: one can embed into f an arbitrary oracle, in particular Eve. “Embedding technique” due to [Sim98].

Semi-BB vs. Relativizing Cont.

[RTV04] No relativizing ⇒ No semi-BB

Proof sketch:
– Let O be an oracle s.t. ∃ OWF g and no KA.
– Define
– Every (Alice^f, Bob^f) can be broken in PPT^f, but f cannot be inverted in PPT^f ⇒ no semi-BB reduction.

Taxonomy II – BB Implementation with Free Proof of Security

Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv
[ Eve breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f ]

Now Eve is really efficient.

(Diagram relating the notions: Fully-BB, Relativizing, Semi-BB, Mildly-BB, Free.)

The Power of Mildly-BB

Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv
[ Eve breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f ]

• Only mildly-BB separations are about the efficiency of reductions [GT00, GGK03].

• Thm: ∃ OWF ⇒ ∃ KA if and only if there is a mildly-BB reduction from KA to OWF.

• Conclusion: the restriction is in the BB proof of security rather than in the BB implementation.

The Power of Mildly-BB Cont.

• Thm: ∃ OWF ⇒ ∃ KA if and only if there is a mildly-BB reduction from KA to OWF.

• Proof sketch: Given an OWF oracle f (secure against PPT^f), construct a secure KA (against PPT).

Case I: ∃ KA
  – The construction ignores the oracle and just executes the secure KA.

Case II: No KA, and therefore no OWF
  – Every function that is easy to compute is easy to invert. ⇒ The oracle OWF f must be hard to compute.
  – KA protocol: Alice sends random (x, r); the parties agree on ⟨f(x), r⟩.

OWF vs. OWP

• [IR, KSS00]: A random oracle separates OWF from OWP.
• A much simpler argument for a weaker result:

Thm. If G^f is a permutation for every function f, then for all f one can invert G^f (using a PSPACE-complete oracle).

Adv algorithm on input y = G^f(x):
• Let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times:
  – Simulate: generate some f’ and x’ such that f’ is consistent with L and y = G^{f’}(x’).
  – Update: Repeat all the “simulated queries” of G^{f’}(x’), but this time to the real f. Insert them into L.
• Output the last x’.

Correctness: If x’ ≠ x then the evaluations G^f(x) and G^{f’}(x’) must reveal a new inconsistency between f and f’.

OWF vs. OWP Cont.

Where is the weakness? To argue that G is insecure we assumed it is correct: G^f is a permutation for every function f.

Is this legitimate?

More on Relativizing vs. BB Reductions

• In some scenarios (e.g. KA -> OWF):

No relativizing reduction iff no fully-BB reduction.

• Not always: Consider the construction of Trapdoor (poly-1) Functions from PKE.
  – [BHSV98] gives a construction in the random oracle model. Hard to come up with an oracle separation (as the oracle may potentially be used for the BHSV transformation).
  – [GMR01] solves it by showing, for any particular construction, an oracle that foils it (rather than giving one oracle that foils all constructions).

• [Myers04] takes it further: it considers one specific (but very natural) construction and gives an oracle that foils it.

Are we happy/unhappy with this?

[Rudich91]: Hard to Reduce Interaction

• [Rud91] separates k-message KA from (k-1)-message KA.

For k=3, oracle O contains: f1, f2, f3, length-tripling random functions; R, defined below; Π, PSPACE complete.

3-message KA (Alice holds z, r; Bob holds s):
  Alice -> Bob: m1 = f1(z, r)
  Bob -> Alice: m2 = f2(s, m1)
  Alice -> Bob: m3 = f3(z, r, m2)
  Bob computes z = R(s, m3); the agreed key is z.

On an “incorrect” input R outputs a random string.

[Rud91]: No 2-message KA (equivalently, PKE) relative to O

• Without R there is no KA [IR89].
• Let (Alice’, Bob’) be a two-message protocol.
• Assume Alice’ makes a useful query R(s, m3).
  – (s, m3) is a “correct” input to R ⇒ it must have been created by 3 “correct” consecutive invocations ⇒ either Alice’ or Bob’ must already know z, r, s.
  – If it is Alice’, R is not needed.
  – Otherwise, Eve can also know (s, m3) and apply R.

How do we define BB access to a protocol?

• In [Rudich91] and most subsequent works this means black-box access to the message and output functions of the parties.

• Can consider a more restricted notion where the access is to a third party implementing the functionality. (Closer in spirit to a physical implementation).

• May make arguments much simpler but need to be careful. For example OT in this model does not imply OWF.

• Other possible formalizations in between [HKNRR05]

OWF vs. Collision Resistant Hashing

• [Simon98] gives an oracle separating the two.
• Here “Simon Light”: in particular, consider only regular hash functions (every image has the same number of preimages).
  – Regular collision-resistant hashing is implied by claw-free permutations.

• Oracle: f, random functions; Π, PSPACE complete; and Q, which on input a circuit C is defined as follows:

If C^g is regular for every function g, then Q outputs uniformly selected x and x’ such that C^f(x) = C^f(x’).

Note: relative to this oracle one may have collision-resistant hash functions (using Q itself). [Simon98] handles this case as well.

OWF vs. Collision Resistant Hashing Cont.

Proof intuition: Assume we want to find f^{-1}(y).
• Due to universal regularity, the only information given by x and x’ is the values of f queried by the evaluations C^f(x) and C^f(x’).
• As long as none of these queries is f^{-1}(y), not much help.
• By regularity, x and x’ are each uniformly distributed (though they are correlated).
• By the union bound, there is only a negligible chance to encounter f^{-1}(y).

Limitation On Efficiency

• This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99, GT00, GGK03].

• Example: OWP ⇒ PRG.

• Thm [GT00]: A PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP).

(Diagram: PRG with an m-bit seed, calling f, producing an (m+k)-bit output.)

Limitation On Efficiency Cont.

• Idea: Define f(w, z) = (g(w), z), where w is O(s) bits long and g is random. Each invocation only gives O(s) bits of randomness ⇒ one can simulate f using randomness from the seed.

Concluding Remarks

• Many more beautiful arguments we did not touch!

• BB separations: a useful research tool.
• The extent to which the proof of security is black-box plays a major role.

• Definitions are subtle, need to make sure we understand the mathematical/philosophical meaning of what we prove.

Some Open Problems

• More Non black-box techniques.

• Can we “Razborov-Rudich” Impagliazzo-Rudich ?

• Power of reductions that use code of primitive but are BB wrt adversary?

[GKMVR00]: Incomparability of PKE and OT

OT does not imply PKE, by an extension of [Rud91]. PKE does not imply OT, by an oracle containing f1, f2, R, Π (similar to [Rud91]) to allow PKE. But with a small twist…

2-message KA (Bob holds z, s; Alice holds r):
  Alice -> Bob: m1 = f1(r)
  Bob -> Alice: m2 = f2(z, s, m1)
  Alice computes z = R(r, m2); the agreed key is z.

Important: define f2 and R to output ⊥ on “incorrect” inputs (a sort of validity test). This prevents this specific key agreement from being “fakable”, and turns out to be sufficient.