Tải bản đầy đủ - 0 (trang)

D Exact vs. Almost Bounded Indistinguishability

616

A. Bogdanov et al.

Repeating the adjustment ≤ nk times, we get two non-negative functions μ

and ν such that [μ − ν , I] = 0 for every I of size at most k, and x |μ(x) −

μ (x)| ≤ nk , and the same for ν , and also x |μ (x)| = x |ν (x)| = 1 + σ, for

some 0 ≤ σ ≤ nk .

Finally, let μ∗ = μ/(1 + σ) and ν ∗ = ν/(1 + σ). We have [μ∗ − ν ∗ , I] = 0 for

every I of size at most k. The distance of μ∗ from μ is ≤ (1 + σ)−1 ( x |μ(x) −

μ∗ (x)| + σ x μ(x)) ≤ 2 nk , and the same for ν.

References

1. Aaronson, S.: A counterexample to the generalized Linial-Nisan conjecture. Electronic Colloquium on Computational Complexity, Technical report 109 (2010)

2. Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element

distinctness problems. J. ACM 51(4), 595–605 (2004)

3. Ajtai, M.: Approximate counting with uniform constant-depth circuits. In:

Advances in Computational Complexity Theory, pp. 1–20 (1993)

4. Alon, N., Bruck, J., Naor, J., Naor, M., Roth, R.M.: Construction of asymptotically

good low-rate error-correcting codes through pseudo-random graphs. IEEE Trans.

Inf. Theor. 38(2), 509–516 (1992)

5. Alon, N., Goldreich, O., Mansour, Y.: Almost k-wise independence versus k-wise

independence. Inf. Process. Lett. 88(3), 107–110 (2003)

6. Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC0 . SIAM J. Comput.

36(4), 845–888 (2006)

7. Bazzi, L.M.J.: Polylogarithmic independence can fool DNF formulas. SIAM J.

Comput. 38(6), 2220–2272 (2009)

8. Bogdanov, A., Ishai, Y., Viola, E., Williamson, C.: Bounded indistinguishability, the complexity of recovering secrets. Electronic Colloquium on Computational

Complexity (ECCC), vol. 22, p. 182 (2015)

9. Braverman, M.: Polylogarithmic independence fools AC0 circuits. J. ACM 57(5),

16 (2010)

10. Buhrman, H., Newman, I., Ră

ohrig, H., de Wolf, R.: Robust polynomials and quantum algorithms. Theor. Comput. Syst. 40(4), 379–395 (2007)

11. Bun, M., Thaler, J.: Dual lower bounds for approximate degree and MarkovBernstein inequalities. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D.

(eds.) ICALP 2013, Part I. LNCS, vol. 7965, pp. 303–314. Springer, Heidelberg

(2013)

12. Bun, M., Thaler, J.: Dual polynomials for collision and element distinctness (2015).

www.eccc.uni-trier.de/

13. Cascudo, I., Chen, H., Cramer, R., Xing, C.: Asymptotically good ideal linear

secret sharing with strong multiplication over any ﬁxed ﬁnite ﬁeld. In: Halevi, S.

(ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 466–486. Springer, Heidelberg (2009)

14. Chari, S., Rohatgi, P., Srinivasan, A.: Improved algorithms via approximations of

probability distributions. J. Comput. Syst. Sci. 61(1), 81–107 (2000)

15. Cimato, S., Prisco, R.D., Santis, A.D.: Probabilistic visual cryptography schemes.

Comput. J. 49, 97–107 (2006)

16. Cramer, R., Damg˚

ard, I.B., Dă

ottling, N., Fehr, S., Spini, G.: Linear secret sharing

schemes from error correcting codes and universal hash functions. In: Oswald, E.,

Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 313–336. Springer,

Heidelberg (2015)

Bounded Indistinguishability and the Complexity of Recovering Secrets

617

17. Damg˚

ard, I., Ishai, Y., Krøigaard, M.: Perfectly secure multiparty computation and

the computational overhead of cryptography. In: Gilbert, H. (ed.) EUROCRYPT

2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010)

18. Damg˚

ard, I., Ishai, Y., Krøigaard, M., Nielsen, J.B., Smith, A.: Scalable multiparty computation with nearly optimal work and resilience. In: Wagner, D. (ed.)

CRYPTO 2008. LNCS, vol. 5157, pp. 241–261. Springer, Heidelberg (2008)

19. Diakonikolas, I., Gopalan, P., Jaiswal, R., Servedio, R.A., Viola, E.: Bounded independence fools halfspaces. SIAM J. Comput. 39(8), 3441–3462 (2010)

20. Diakonikolas, I., Kane, D., Nelson, J.: Bounded independence fools degree-2 threshold functions. In: Proceedings of 51st FOCS (2010)

21. Druk, E., Ishai, Y.: Linear-time encodable codes meeting the Gilbert-Varshamov

bound and their cryptographic applications. In: Proceedings of ITCS 2014, pp.

169–182 (2014)

22. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks

to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS,

vol. 8441, pp. 423–440. Springer, Heidelberg (2014)

23. Even, G., Goldreich, O., Luby, M., Nisan, N., Velickovic, B.: Eﬃcient approximation of product distributions. Random Struct. Algorithms 13(1), 1–16 (1998)

24. H˚

astad, J.: On the correlation of parity and small-depth circuits. SIAM J. Comput.

43(5), 1699–1708 (2014)

25. Ishai, Y., Kushilevitz, E., Li, X., Ostrovsky, R., Prabhakaran, M., Sahai, A.,

Zuckerman, D.: Robust pseudorandom generators. In: Fomin, F.V., Freivalds, R.,

Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013, Part I. LNCS, vol. 7965, pp. 576–

588. Springer, Heidelberg (2013)

26. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Prabhakaran, M., Sahai, A.: Eﬃcient

non-interactive secure computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011.

LNCS, vol. 6632, pp. 406–425. Springer, Heidelberg (2011)

27. Ishai, Y., Sahai, A., Viderman, M., Weiss, M.: Zero knowledge LTCs and their

applications. In: Raghavendra, P., Raskhodnikova, S., Jansen, K., Rolim, J.D.P.

(eds.) RANDOM 2013 and APPROX 2013. LNCS, vol. 8096, pp. 607–622. Springer,

Heidelberg (2013)

28. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481.

Springer, Heidelberg (2003)

29. Kahn, J., Linial, N., Samorodnitsky, A.: Inclusion-exclusion: exact and approximate. Combinatorica 16(4), 465–477 (1996)

30. Krause, M., Simon, H.: Determining the optimal contrast for secret sharing schemes

in visual cryptography. Comb. Probab. Comput. 12(3), 285–299 (2003)

31. Kuwakado, H., Tanaka, H.: Image size invariant visual cryptography. IEICE Trans.

Fundam. Electron. Commun. Comput. Sci. 82(10), 2172–2177 (1999)

32. Linial, N., Nisan, N.: Approximate inclusion-exclusion. Combinatorica 10(4), 349–

365 (1990)

33. Minsky, M., Papert, S.: Perceptrons. MIT Press, Cambridge (1969)

34. Naor, M., Shamir, A.: Visual cryptography. In: De Santis, A. (ed.) EUROCRYPT

1994. LNCS, vol. 950, pp. 1–12. Springer, Heidelberg (1995)

35. Nisan, N., Szegedy, M.: On the degree of Boolean functions as real polynomials.

Comput. Complex. 4, 301–313 (1994)

36. O’Donnell, R.: Analysis of Boolean Functions. Cambridge University Press,

Cambridge (2014)

37. O’Donnell, R., Servedio, R.A.: New degree bounds for polynomial threshold functions. Combinatorica 30(3), 327–358 (2010)

618

A. Bogdanov et al.

38. Paturi, R.: On the degree of polynomials that approximate symmetric boolean

functions (preliminary version). In: Proceedings of STOC 1992, pp. 468–474 (1992)

39. Randriambololona, H.: Asymptotically good binary linear codes with asymptotically good self-intersection spans. IEEE Trans. Inf. Theor. 59(5), 3038–3045 (2013)

40. Razborov, A.A.: A simple proof of Bazzi’s theorem. ACM Trans. Comput. Theor.

(TOCT) 1(1), 1–4 (2009)

41. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

42. Sherstov, A.A.: The pattern matrix method. SIAM J. Comput. 40(6), 1969–2000

(2011)

43. Sherstov, A.A.: The power of asymmetry in constant-depth circuits. In: Proceedings of FOCS 2015 (2015)

44. Spalek, R.: A dual polynomial for OR (2008). CoRR, abs/0803.4516

45. Tal, A.: Tight bounds on The Fourier Spectrum of AC0 . Electronic Colloquium

on Computational Complexity, Technical report TR14-174 (2014). www.eccc.

uni-trier.de/

46. Viola, E.: On approximate majority and probabilistic time. Comput. Complex.

18(3), 337–375 (2009)

47. Viola, E.: The complexity of distributions. SIAM J. Comput. 41(1), 191–218 (2012)

48. Zuckerman, D.: Linear degree extractors and the inapproximability of max clique

and chromatic number. Theor. Comput. 3(1), 103–128 (2007)

Two-Message, Oblivious Evaluation

of Cryptographic Functionalities

Nico Dă

ottling1 , Nils Fleischhacker2(B) , Johannes Krupp2 ,

and Dominique Schră

oder2,3

1

University of California, Berkeley, USA

CISPA, Saarland University, Saarbră

ucken, Germany

fleischhacker@cs.uni-saarland.de

Friedrich-Alexander-University, Nuremberg, Germany

2

3

Abstract. We study the problem of two round oblivious evaluation of

cryptographic functionalities. In this setting, one party P1 holds a private

key sk for a provably secure instance of a cryptographic functionality F

and the second party P2 wishes to evaluate Fsk on a value x. Although

it has been known for 22 years that general functionalities cannot be

computed securely in the presence of malicious adversaries with only two

rounds of communication, we show the existence of a round optimal protocol that obliviously evaluates cryptographic functionalities. Our protocol

is provably secure against malicious receivers under standard assumptions

and does not rely on heuristic (setup) assumptions. Our main technical

contribution is a novel nonblack-box technique, which makes nonblackbox use of the security reduction of Fsk . Speciﬁcally, our proof of malicious receiver security uses the code of the reduction, which reduces the

security of Fsk to some hard problem, in order to break that problem

directly. Instantiating our framework, we obtain the ﬁrst two-round oblivious pseudorandom function that is secure in the standard model. This

question was left open since the invention of OPRFs in 1997.

1

Introduction

An oblivious evaluation protocol of a cryptographic functionality F, is a twoparty protocol in which one party P1 , called the sender, holds a function Fsk ∈ F

and the second party P2 , called the receiver, wishes to evaluate Fsk on x. Sender

security says that P1 remains oblivious of x while receiver security guarantees

that the security of Fsk is preserved, i.e., evaluating Fsk obliviously should be as

secure as having direct access to F, even if a malicious party deviates from the

protocol arbitrarily. Although it has been known for 22 years that general functionalities cannot be computed securely in the presence of malicious adversaries

with only two rounds (messages) of communication [29], we show the existence of

a two message protocol that obliviously evaluates cryptographic functionalities.

The functionalities covered by our framework have the following properties:

– There is a security experiment Exp that characterizes the security of F.

– The experiment Exp gives the adversary access to an oracle O.

c International Association for Cryptologic Research 2016

M. Robshaw and J. Katz (Eds.): CRYPTO 2016, Part III, LNCS 9816, pp. 619–648, 2016.

DOI: 10.1007/978-3-662-53015-3 22

620

N. Dă

ottling et al.

There is a black-box reduction B with certain properties that reduces the

security of Fsk to a hard problem π.

Our framework subsumes popular two-party protocols, such as blind signatures

and oblivious pseudorandom functions (OPRF). In fact, our framework yields

the ﬁrst OPRF with only two rounds of communication in the standard model

— a problem that has been open since their invention in 1997 [49].

Technical Contribution. Our main technical contribution is a nonblack-box

proof technique, which is nonblack-box in the reduction. To explain what being

nonblack-box means, consider an instance P of a cryptographic functionality F.

Assume further that this instance is provably secure, i.e., there is a reduction

B that turns any adversary A breaking the security of P into an algorithm

solving the underlying hard problem π. Our protocol then shows that P can be

evaluated securely. The corresponding proof of malicious receiver security makes

nonblack-box use of the underlying code of the reduction B. This proof does not

reduce the security to P but to the underlying hard problem exploiting the code

of B. To best of our knowledge, this is the ﬁrst result that shows how to make

nonblack-box use of the code of a given security reduction. We call this class of

reductions oblivious reductions.

1.1

Impossibility of Malicious Security and Induced Game-Based

Security

Ideally one would like to achieve the standard notion of simulation based security

against malicious adversaries. This notion says that the malicious receiver and

sender learn only f (x) (except what can trivially be learned from f (x)) and that

the private input of the other party remains hidden. Unfortunately, it is well

known that standard simulation based security notions cannot be achieved for

two-round secure function evaluation (SFE) [29]. In fact, if one uses black-box

techniques only, then at least ﬁve rounds of communication are necessary [36].

Since there is no hope in achieving malicious simulation-based security, we

propose an alternative deﬁnition of malicious security for the setting of secure

evaluation of cryptographic primitives: On a high-level, our security notions

for malicious receiver says that the security properties of the underlying cryptographic primitive is preserved even against malicious adversaries. More precisely,

we consider the secure evaluation of cryptographic functionalities, which are

equipped with a game-based security notion. In our formalization the adversary

in the corresponding security experiment has black-box access to the primitive.

Then, we deﬁne an induced security notion by replacing black-box calls to the

primitive in the security game with instances of the two-round SFE protocol.

I.e., instead of giving the adversary black-box access to the primitive, it acts as

a malicious receiver in an SFE session with the sender. Achieving this notion

and showing that the underlying security guarantees are preserved is non-trivial,

because the adversary is not semi-honest and may not follow the protocol.

Two-Message, Oblivious Evaluation of Cryptographic Functionalities

621

Regarding security against corrupted senders, we show that malicious sender

security and induced game-based security against malicious receivers cannot

be achieved under (standard) non-interactive assumptions. In fact, our result

is more general as it rules out protocols with three moves. Our impossibility

is constructive and shows that our notion captures the standard deﬁnition of

blind signatures. But for blind signatures it is well known that a large class

of three-move blind signture schemes cannot be proven secure in the standard

model under non-interactive assumptions [16]. Since our blind signature scheme

belongs to this class, it follows that achieving both notions of malicious security

is impossible. Thus, we also need to weakening the security against malicious

senders and we stick to the standard notion of semi-honest security.

1.2

Oblivious Reductions: A Nonblack-Box Proof Technique

We give a high-level overview of our protocol and proof strategy. Our starting point is an instance Fsk of some cryptographic functionality F (such as

the pseudorandom function functionality). The corresponding security proof is a

black-box reduction B to some underlying hard problem π. Our goal is to obliviously compute Fsk in a secure two-party protocol Π with only two rounds of

communication. Our protocol is simple and uses a certain type of homomorphic encryption and works as follows: The receiver encrypts its input x using

the homomorphic encryption scheme, it sends the ciphertext c ← Enc(x) to the

sender. The sender evaluates the function Fsk on c computing c ← Eval(c, Fsk )

and returns c to the receiver, who obtains Fsk (x) by simply decrypting c . Using

fully homomorphic encryption as the underlying encryption scheme, it is well

known that this protocol is secure against semi-honest adversaries [23].

However, we are interested in achieving malicious security and we achieve

our goal using a speciﬁc type of homomorphic encryption scheme in combination

with our novel nonblack-box proof technique. We provide an eﬃcient reduction

from the security of the homomorphically evaluated primitive to the underlying problem π directly using the code of the reduction B. Our proof technique

works for a large and natural class of black-box reductions that we call oblivious. Loosely speaking, a reduction is oblivious, if it only knows an upper bound

on the number of the oracle queries, but does neither learn the query nor the

answer. We give several examples of known oblivious reductions in Sect. 2.2 and

we sketch the basic ideas of this technique in the following.

In the ﬁrst step of our proof (see Fig. 1), we run a security experiment where

the malicious receiver A has oracle access to a homomorphically evaluated functionality Eval(c, Fsk ). In the second step, the experiment is transformed in the following way. First, the adversary’s oracle inputs are extracted via an unbounded

extractor, the functionality is evaluated on the extracted input, and ﬁnally the

output is encrypted (with the right distribution). Assuming that the homomorphic encryption is (statistically) circuit private, we show that this modiﬁcation

does not change the success probability of the adversary. While extracting an

input x from a ciphertext c is not possible in polynomial-time, it does not change

the success probability of A.

622

N. Dă

ottling et al.

Fig. 1. Oblivious reduction part 1 of 2.

In the third step (see right picture of Fig. 1), we move the extraction and

simulation procedures from the security experiment into the adversary itself,

obtaining an unbounded adversary A . That is, the modiﬁed attacker A runs

A as a black-box. Whenever A sends c to its oracle, then A extract x from c,

invokes its own oracle obtaining y ← F (x), and returns the encryption of y to

A. Obviously, the adversary A does not run in polynomial-time, but this does

not change its success probability, as we have only re-arranged the algorithms

from one machine into another, but the overall composed algorithm remained

the same.

Fig. 2. Oblivious reduction part 2 of 2.

Consider the three steps shown in Fig. 2. In the ﬁrst part, the unbounded

adversary is plugged into the oblivious black-box reduction B, which reduces

the security of F to some hard problem π. This step is legitimate because the

reduction only makes black-box use of the adversary. Observe that a black-box

reduction cannot tell the diﬀerence between a polynomial-time adversary and

an unbounded adversary, but only depends on the adversary’s advantage in the

security experiment. Thus, B A is an ineﬃcient adversary against the problem π.

In our next modiﬁcation we move the extraction and simulation algorithms from

the adversary A into the oracle-circuit. While this is just a bridging step, the

ineﬃcient algorithms for extraction and simulation are now part of the reduction.

That is, whenever A queries c to its oracle, then the reduction B ∗ ﬁrst extracts x

from c and runs the simulation of B afterwards in order to compute the simulated

answer y ← Fsk (x). Subsequently, B ∗ encrypts y as c and sends this answer to

A. As a result, we obtain an ineﬃcient reduction B ∗ that uses the code of the

underlying reduction.

## Advances in cryptology – CRYPTO 2016 part III

## B.2 UC Security of OT from 1CC

## 3 Special Case: The BCJL Bit-Commitment Scheme

## 1 Learning with Errors (LWE) and Multi-key FHE

## 3 Example: Flexible Revocation for Attribute-Based Credentials

## 3 Learning with Errors (LWE) and Small Integer Solutions (SIS)

## 4 Linear Transformations, Basis Changes and Composition

## A.1 Proof of Item 5 of Fact1

## 2 Other Related Work: Cryptography Against Bounded Adversaries

## 3 Application: 4-Round Searchable Encryption with No Search Pattern Leakage

## A.4 Proof of Security for the SSE scheme

Tài liệu liên quan

D Exact vs. Almost Bounded Indistinguishability