D Exact vs. Almost Bounded Indistinguishability
616
A. Bogdanov et al.
Repeating the adjustment $\le n^k$ times, we get two non-negative functions $\mu'$ and $\nu'$ such that $[\mu' - \nu', I] = 0$ for every $I$ of size at most $k$, and $\sum_x |\mu(x) - \mu'(x)| \le n^k$, and the same for $\nu'$, and also $\sum_x |\mu'(x)| = \sum_x |\nu'(x)| = 1 + \sigma$, for some $0 \le \sigma \le n^k$.
Finally, let $\mu^* = \mu'/(1 + \sigma)$ and $\nu^* = \nu'/(1 + \sigma)$. We have $[\mu^* - \nu^*, I] = 0$ for every $I$ of size at most $k$. The distance of $\mu^*$ from $\mu$ is $\le (1 + \sigma)^{-1}\left(\sum_x |\mu(x) - \mu'(x)| + \sigma \sum_x \mu(x)\right) \le 2 n^k$, and the same for $\nu$.
Bounded Indistinguishability and the Complexity of Recovering Secrets
617
Two-Message, Oblivious Evaluation of Cryptographic Functionalities
Nico Döttling¹, Nils Fleischhacker²(B), Johannes Krupp², and Dominique Schröder²,³
¹ University of California, Berkeley, USA
² CISPA, Saarland University, Saarbrücken, Germany
fleischhacker@cs.uni-saarland.de
³ Friedrich-Alexander-University, Nuremberg, Germany
Abstract. We study the problem of two-round oblivious evaluation of
cryptographic functionalities. In this setting, one party P1 holds a private
key sk for a provably secure instance of a cryptographic functionality F
and the second party P2 wishes to evaluate F_sk on a value x. Although
it has been known for 22 years that general functionalities cannot be
computed securely in the presence of malicious adversaries with only two
rounds of communication, we show the existence of a round-optimal protocol
that obliviously evaluates cryptographic functionalities. Our protocol
is provably secure against malicious receivers under standard assumptions
and does not rely on heuristic (setup) assumptions. Our main technical
contribution is a novel nonblack-box technique, which makes nonblack-box
use of the security reduction of F_sk. Specifically, our proof of malicious
receiver security uses the code of the reduction, which reduces the
security of F_sk to some hard problem, in order to break that problem
directly. Instantiating our framework, we obtain the first two-round oblivious
pseudorandom function that is secure in the standard model. This
question was left open since the invention of OPRFs in 1997.
1 Introduction
An oblivious evaluation protocol of a cryptographic functionality F is a two-party
protocol in which one party P1, called the sender, holds a function F_sk ∈ F
and the second party P2, called the receiver, wishes to evaluate F_sk on x. Sender
security says that P1 remains oblivious of x, while receiver security guarantees
that the security of F_sk is preserved, i.e., evaluating F_sk obliviously should be as
secure as having direct access to F, even if a malicious party deviates from the
protocol arbitrarily. Although it has been known for 22 years that general
functionalities cannot be computed securely in the presence of malicious adversaries
with only two rounds (messages) of communication [29], we show the existence of
a two-message protocol that obliviously evaluates cryptographic functionalities.
The functionalities covered by our framework have the following properties:
– There is a security experiment Exp that characterizes the security of F.
– The experiment Exp gives the adversary access to an oracle O.
– There is a black-box reduction B with certain properties that reduces the
security of F_sk to a hard problem π.
© International Association for Cryptologic Research 2016
M. Robshaw and J. Katz (Eds.): CRYPTO 2016, Part III, LNCS 9816, pp. 619–648, 2016.
DOI: 10.1007/978-3-662-53015-3_22
Our framework subsumes popular two-party protocols, such as blind signatures
and oblivious pseudorandom functions (OPRF). In fact, our framework yields
the first OPRF with only two rounds of communication in the standard model
— a problem that has been open since their invention in 1997 [49].
Technical Contribution. Our main technical contribution is a nonblack-box
proof technique, which is nonblack-box in the reduction. To explain what being
nonblack-box means, consider an instance P of a cryptographic functionality F.
Assume further that this instance is provably secure, i.e., there is a reduction
B that turns any adversary A breaking the security of P into an algorithm
solving the underlying hard problem π. Our protocol then shows that P can be
evaluated securely. The corresponding proof of malicious receiver security makes
nonblack-box use of the underlying code of the reduction B. This proof does not
reduce the security to P but to the underlying hard problem, exploiting the code
of B. To the best of our knowledge, this is the first result that shows how to make
nonblack-box use of the code of a given security reduction. We call this class of
reductions oblivious reductions.
1.1 Impossibility of Malicious Security and Induced Game-Based Security
Ideally one would like to achieve the standard notion of simulation-based security
against malicious adversaries. This notion says that the malicious receiver and
sender learn only f(x) (except what can trivially be learned from f(x)) and that
the private input of the other party remains hidden. Unfortunately, it is well
known that standard simulation-based security notions cannot be achieved for
two-round secure function evaluation (SFE) [29]. In fact, if one uses black-box
techniques only, then at least five rounds of communication are necessary [36].
Since there is no hope of achieving malicious simulation-based security, we
propose an alternative definition of malicious security for the setting of secure
evaluation of cryptographic primitives: On a high level, our security notion
for malicious receivers says that the security properties of the underlying
cryptographic primitive are preserved even against malicious adversaries. More precisely,
we consider the secure evaluation of cryptographic functionalities, which are
equipped with a game-based security notion. In our formalization the adversary
in the corresponding security experiment has black-box access to the primitive.
Then, we define an induced security notion by replacing black-box calls to the
primitive in the security game with instances of the two-round SFE protocol.
That is, instead of giving the adversary black-box access to the primitive, it acts as
a malicious receiver in an SFE session with the sender. Achieving this notion
and showing that the underlying security guarantees are preserved is non-trivial,
because the adversary is not semi-honest and may not follow the protocol.
Regarding security against corrupted senders, we show that malicious sender
security and induced game-based security against malicious receivers cannot
both be achieved under (standard) non-interactive assumptions. In fact, our result
is more general as it rules out protocols with three moves. Our impossibility
is constructive and shows that our notion captures the standard definition of
blind signatures. But for blind signatures it is well known that a large class
of three-move blind signature schemes cannot be proven secure in the standard
model under non-interactive assumptions [16]. Since our blind signature scheme
belongs to this class, it follows that achieving both notions of malicious security
is impossible. Thus, we also need to weaken the security against malicious
senders, and we stick to the standard notion of semi-honest security.
1.2 Oblivious Reductions: A Nonblack-Box Proof Technique
We give a high-level overview of our protocol and proof strategy. Our starting
point is an instance F_sk of some cryptographic functionality F (such as
the pseudorandom function functionality). The corresponding security proof is a
black-box reduction B to some underlying hard problem π. Our goal is to obliviously
compute F_sk in a secure two-party protocol Π with only two rounds of
communication. Our protocol is simple, uses a certain type of homomorphic
encryption, and works as follows: The receiver encrypts its input x using
the homomorphic encryption scheme and sends the ciphertext c ← Enc(x) to the
sender. The sender evaluates the function F_sk on c, computing c' ← Eval(c, F_sk),
and returns c' to the receiver, who obtains F_sk(x) by simply decrypting c'. Using
fully homomorphic encryption as the underlying encryption scheme, it is well
known that this protocol is secure against semi-honest adversaries [23].
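The two-message flow just described, as an added example that is not code from the paper or its authors: a toy Paillier instance with constructed small primes stands in for the homomorphic encryption scheme, and the sender's function is the affine map F_sk(x) = a·x + b mod N, chosen because that is what an additively homomorphic scheme can evaluate; the fresh randomness folded into Eval is what makes the answer look like a fresh encryption of the output for a well-formed query ciphertext (the circuit-privacy property the text relies on).

```python
import math
import secrets

# Constructed toy Paillier parameters (real deployments use ~2048-bit N).
P, Q = 104729, 1299709               # two primes, constructed for the example
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(P-1, Q-1)
MU = pow(LAMBDA, -1, N)              # works because (1+N)^LAMBDA = 1 + LAMBDA*N mod N^2


def _random_unit():
    """Fresh r in Z_N^* (gcd(r, N) = 1); every encryption draws a new one."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def encrypt(m):
    """Paillier Enc(m) = (1+N)^m * r^N mod N^2 with fresh randomness r."""
    return (1 + m * N) * pow(_random_unit(), N, N2) % N2


def decrypt(c):
    """Paillier Dec: L(c^LAMBDA mod N^2) * MU mod N, where L(u) = (u - 1) / N."""
    u = pow(c, LAMBDA, N2)
    return ((u - 1) // N) * MU % N


def f(x, sk):
    """The sender's function F_sk(x) = a*x + b mod N; affine, so Eval is cheap."""
    a, b = sk
    return (a * x + b) % N


def sender_eval(c, sk):
    """Eval(c, F_sk): c^a * Enc(b) encrypts a*x + b.  Multiplying by a fresh r^N
    re-randomises the result, so for a well-formed c the answer c' is distributed
    exactly like a fresh Enc(F_sk(x)) and reveals nothing about (a, b) beyond the
    output: the circuit-privacy property the proof relies on."""
    a, b = sk
    return pow(c, a, N2) * encrypt(b) % N2 * pow(_random_unit(), N, N2) % N2


def oblivious_eval(x, sk):
    """Two messages: receiver sends c = Enc(x); sender answers c' = Eval(c, F_sk);
    receiver decrypts.  The sender only ever sees the ciphertext c, never x."""
    c = encrypt(x)                 # message 1, receiver -> sender
    c_prime = sender_eval(c, sk)   # message 2, sender -> receiver
    return decrypt(c_prime)


if __name__ == "__main__":
    SK = (123456789, 987654321)    # constructed sender key (a, b), both < N
    print(oblivious_eval(42, SK) == f(42, SK))   # True
```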
However, we are interested in achieving malicious security, and we achieve
our goal using a specific type of homomorphic encryption scheme in combination
with our novel nonblack-box proof technique. We provide an efficient reduction
from the security of the homomorphically evaluated primitive to the underlying
problem π directly, using the code of the reduction B. Our proof technique
works for a large and natural class of black-box reductions that we call oblivious.
Loosely speaking, a reduction is oblivious if it only knows an upper bound
on the number of oracle queries, but learns neither the queries nor the
answers. We give several examples of known oblivious reductions in Sect. 2.2 and
sketch the basic ideas of this technique in the following.
In the first step of our proof (see Fig. 1), we run a security experiment where
the malicious receiver A has oracle access to a homomorphically evaluated
functionality Eval(c, F_sk). In the second step, the experiment is transformed in the
following way. First, the adversary's oracle inputs are extracted via an unbounded
extractor, the functionality is evaluated on the extracted input, and finally the
output is encrypted (with the right distribution). Assuming that the homomorphic
encryption is (statistically) circuit private, we show that this modification
does not change the success probability of the adversary. While extracting an
input x from a ciphertext c is not possible in polynomial time, it does not change
the success probability of A.
Fig. 1. Oblivious reduction part 1 of 2.
In the third step (see the right picture of Fig. 1), we move the extraction and
simulation procedures from the security experiment into the adversary itself,
obtaining an unbounded adversary A'. That is, the modified attacker A' runs
A as a black box. Whenever A sends c to its oracle, A' extracts x from c,
invokes its own oracle to obtain y ← F(x), and returns the encryption of y to
A. Obviously, the adversary A' does not run in polynomial time, but this does
not change its success probability, as we have only re-arranged the algorithms
from one machine into another; the overall composed algorithm remains
the same.
Fig. 2. Oblivious reduction part 2 of 2.
Consider the three steps shown in Fig. 2. In the first part, the unbounded
adversary is plugged into the oblivious black-box reduction B, which reduces
the security of F to some hard problem π. This step is legitimate because the
reduction only makes black-box use of the adversary. Observe that a black-box
reduction cannot tell the difference between a polynomial-time adversary and
an unbounded adversary, but only depends on the adversary's advantage in the
security experiment. Thus, B^{A'} is an inefficient adversary against the problem π.
In our next modification we move the extraction and simulation algorithms from
the adversary A' into the oracle-circuit. While this is just a bridging step, the
inefficient algorithms for extraction and simulation are now part of the reduction.
That is, whenever A queries c to its oracle, the reduction B* first extracts x
from c and afterwards runs the simulation of B in order to compute the simulated
answer y ← F_sk(x). Subsequently, B* encrypts y as c' and sends this answer to
A. As a result, we obtain an inefficient reduction B* that uses the code of the
underlying reduction.