Does Privacy Require True Randomness?
Yevgeniy Dodis
New York University
Joint work with Carl Bosley
Yevgeniy Dodis. New York University IPAM Workshop 3
Randomness is Important
Even in Everyday Life
Even in Cryptography…
• Secret keys must have entropy
• Many primitives must be randomized (encryption, commitment, ZK)
• Common abstraction: perfect randomness
– strong assumption, hard to get right
Randomness is Hard to Get
Coins cannot be trusted either
Especially with Active Attackers
Perfect Randomness
• Hard to get, as we just saw
• Do we really need perfect randomness?
• Imperfect source: family of distributions satisfying some property (i.e., entropy)?
• “Tolerate” imperfect source: have one scheme correctly working for any D in the source
• Main Question: which imperfect sources are enough for Cryptography?
Extractable Sources
• Sources permitting (deterministic) extraction of nearly perfect randomness
– such sources suffice for (almost) anything perfect randomness is enough for
• However, many sources non-extractable
– E.g., entropy sources [SV86, CG89]
• Are extractable sources the only “good” sources for cryptography???
– Depends on application…
Current Answers
• Correctness/Soundness: NO
– Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
• Authentication/Unpredictability: NO
– Quite weak sources enough for MACs [MW97] (& even weaker for interactive MACs [RW03])
– Enough for signatures as well, assuming “strong OWPs” [DOPS04]
– General sources: separation between authentication and extraction [DS02]
Privacy/Indistinguishability
Mixed indications:
− All known techniques (pseudorandomness, …) critically rely on perfect randomness
− Studied non-extractable sources are not enough for privacy as well [MP91, DOPS04]
+ 1-bit case [DS02, DPP06]: strict implications
extraction   encryption   2−2 secret sharing
What about the general, multi-bit case???
Our Main Result
• Nearly perfect randomness is inherent for information-theoretic private-key encryption
• Theorem 1: If n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract b nearly perfect bits from S !
– Note: if Enc is efficient, then so is Ext
• Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b (log n loglog n) bits
Interpretation
• Theorem 1: to encrypt b bits
– Either the secret key length is exponential, or
– S is extractable and, in fact, “perfect enough” to apply (an almost) b-bit one-time pad !
• Thus, if b is “non-trivial”, then
– Cannot afford to sample exponentially long key
– Must find a source capable of extracting almost b random bits to begin with
– Might as well extract and use one-time pad
– One-time pad is universal after all
Interpretation
• Theorem 2: glimmer of hope
– Encryption of up to (log n loglog n) bits does not imply extraction of even 1 bit
– Non-trivially extends the 1-bit separation of [DS02] to (log n loglog n) bits
• For encrypting very few bits true randomness is not inherent
Extensions
• Computational security: implies extraction of b pseudorandom bits
– In particular, at least 1 statistical bit!
• Efficiency: poly-time encryption   poly-time extraction (non-explicit )
• Other primitives: extends to public-key encryption, perfectly-binding commitments
Conclusions
• One-time pad is universal for private-key encryption
• Strong indication that (nearly) perfect randomness is inherent for privacy
• Open questions:
– De-randomize construction of extractor
– Extend to other (all?) privacy applications
– Classify crypto apps w.r.t. randomness
Let the fun begin!
Deterministic Extraction
• n-bit source S = family of distributions {K} on {0,1}^n
• ℓ-bit extractor Ext for S:
– Ext: {0,1}^n   {0,1}^ℓ
• Ext is  -fair if for all K  S, we have SD( Ext( K ), U_ℓ )
• S is (ℓ,  )-extractable if there is an  -fair extractor Ext for S
Private-Key Encryption
• Alice & Bob share n-bit key k  K, for K  S
• b-bit encryption scheme (Enc, Dec) for S:
– Enc: {0,1}^b  {0,1}^n   C, Dec: C  {0,1}^n   {0,1}^b
– For all m  {0,1}^b, k  {0,1}^n, Dec(Enc(m, k), k) = m
• (Enc, Dec) is  -secure if for all K  S and m  {0,1}^b   SD( Enc(m, K ), Enc(U_b, K ) )
• S is (b,  )-encryptable if there is a  -secure b-bit encryption scheme (Enc, Dec) for S
Results Restated
Theorem 1: If n-bit S is (b,  )-encryptable and b > log n + 2 log(1/ ), then S must be (b − 2 log(1/ ),   +  )-extractable
Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1,  )-extractable, where
Proof of Theorem 1
• Let S’ = { Enc(U_b, k) | k  {0,1}^n }
• Lemma 1: If S’ is (ℓ,  )-extractable, then S is (ℓ,   +  )-extractable. In fact, Ext(k) = Ext’(Enc(0, k))
• Proof: take any K  S. Then
Proof of Theorem 1
• Let S’ = { Enc(U_b, k) | k  {0,1}^n }
• Lemma 1: If S’ is (ℓ,  )-extractable, then S is (ℓ,   +  )-extractable. In fact, Ext(k) = Ext’(Enc(0, k))
• Lemma 2: If b > log n + 2 log(1/ ), then S’ is (b − 2 log(1/ ),  )-extractable
Proof of Theorem 1
• Let S’ = { Enc(U_b, k) | k  {0,1}^n }
• Lemma 2: If b > log n + 2 log(1/ ), then S’ is (b − 2 log(1/ ),  )-extractable
• Say X is b-flat if X is uniform on 2^b values
• Note: all X  S’ are b-flat (can decrypt!)
• Lemma 3: If b > log n + 2 log(1/ ), then any collection S’ of 2^n b-flat distributions is (b − 2 log(1/ ),  )-extractable
– Implies Lemma 2 and Theorem 1
Proof of Lemma 3
• Lemma 3: If b > log n + 2 log(1/ ), then any collection S’ of 2^n b-flat distributions is (b − 2 log(1/ ),  )-extractable
• Proof: Let ℓ = b − 2 log(1/ ), B = 2^b, L = 2^ℓ = B 2
• Pick random f : C   {0,1}^ℓ
  b-flat X  S’, Chernoff + union bound
• Another union bound over all X  S’,
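A numerical run of the Lemma 3 argument, added here as an illustration and not code from the talk: it builds a collection S’ of b-flat distributions, picks one random f, and computes the exact worst-case statistical distance of f(X) from uniform over the collection. The toy codebook cipher, the seed, and the parameters (b = 10, ℓ = 4, 64 keys, 2^16 ciphertexts) are constructed assumptions; the last helper shows that the same f fails on a flat distribution chosen outside S’, so extractability is a property of the collection.

```python
import random
from collections import Counter

# Constructed toy parameters (not from the slides): b-bit messages, ell output bits,
# 64 keys, and a ciphertext space C of 2^16 values.
B_BITS, ELL, N_KEYS, C_SIZE = 10, 4, 64, 1 << 16
B, L = 1 << B_BITS, 1 << ELL

def codebook(k):
    """Hypothetical toy cipher: key k selects B distinct ciphertexts from C."""
    return random.Random(k).sample(range(C_SIZE), B)

def enc(m, k):
    return codebook(k)[m]

def dec(c, k):
    return codebook(k).index(c)

def s_prime():
    """S' = { Enc(U_b, k) }: one support per key; each is b-flat because Dec exists."""
    return [codebook(k) for k in range(N_KEYS)]

def sd_from_uniform(ext, support):
    """Exact SD(ext(X), U_ell) for X uniform on `support`."""
    counts = Counter(ext(c) for c in support)
    return 0.5 * sum(abs(counts.get(v, 0) / len(support) - 1 / L) for v in range(L))

def worst_sd(ext, collection):
    """Worst case over the collection: the quantity the union bound controls."""
    return max(sd_from_uniform(ext, support) for support in collection)

def random_ext(seed=2024):
    """Pick f: C -> {0,1}^ell at random once; afterwards it is a fixed function."""
    rng = random.Random(seed)
    table = [rng.randrange(L) for _ in range(C_SIZE)]
    return table.__getitem__

def ext_for_keys(ext_prime):
    """Lemma 1: Ext(k) = Ext'(Enc(0, k)) turns an extractor for S' into one for S."""
    return lambda k: ext_prime(enc(0, k))

def constant_flat_set(ext):
    """A b-flat distribution outside S' on which ext is constant (pigeonhole)."""
    v = ext(0)
    return [c for c in range(C_SIZE) if ext(c) == v][:B]

if __name__ == "__main__":
    f = random_ext()
    print("worst SD over S':", round(worst_sd(f, s_prime()), 4))
    print("SD on a flat set chosen against f:", worst_sd(f, [constant_flat_set(f)]))
    print("Ext(k=7) =", ext_for_keys(f)(7))
```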
Observations
• [TV00]: enough to pick n-wise independent f
• Lemma 3’: If b > log n + 2 log(1/ ), then any collection S’ of 2^n b-flat distributions is efficiently (b − 2 log(1/ ) − log n,  )-extractable
• Corollary: If Enc is efficient so is Ext
• Extends to computational setting
– Extract pseudorandom bits
• Perfect binding enough
– Covers public-key encryption and perfectly-binding commitment
Proof of Theorem 2
Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1,  )-extractable, where
Theorem 2’: For b < log n − loglog n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1,  )-extractable, where
Good(E) = { K | E is Shannon-secure under K }
Proof of Theorem 2’
• Let N = 2^n; B = 2^b; S s.t. N   S(S−1)…(S−B+1)
• Note, N < S^B, so S > N^(1/B) (> B for our params)
• M=[B], C=[S], K={all B-tuples of ciphertexts}
  K = { k = (c_1…c_B) | c_i   c_j for i   j }
• Enc(m,(c_1…c_B)) = c_m , Dec(c,(c_1…c_B)) = m s.t. c_m = c
• Take any Ext: [N]   {0,1}
• Case 1: have 0-monochromatic perfect K
– Fix Ext to 0 with K, done
• Case 2: no such 0-monochromatic perfect K
– [Lemma]   perfect K’ s.t. Pr[Ext(K’) = 0] < B^2/S
Proof of Main Lemma
• Let N = 2^n; B = 2^b; S s.t. N   S(S−1)…(S−B+1)
• Note, N < S^B, so S > N^(1/B) (> B for our params)
• M=[N], C=[S], K={all B-tuples of ciphertexts}
  K = { k = (c_1…c_B) | c_i   c_j for i   j }
• Enc(m,(c_1…c_B)) = c_m , Dec(c,(c_1…c_B)) = m s.t. c_m = c
• Main Lemma: if cannot fix Ext to 0, then   perfect K s.t. Pr[Ext(K) = 0] < B^2/S
Proof of Main Lemma
Not to prove Theorem 2’
Not to prove Main Lemma
But don’t go, we need to prove main lemma !!!