COUNTEREXAMPLES TO HARDNESS AMPLIFICATION BEYOND NEGLIGIBLE Yevgeniy Dodis, Abhishek Jain, Tal Moran, Daniel Wichs

Hardness Amplification

Go from “weak” security to “strong” security.

[Figure labels: “Weakly Secure”, “Strongly Secure”, “50% Defective”]

Hardness Amplification for OWFs

Security of One-Way Functions: A function is -secure if for all poly-time , . Standard OWF: secure for all . Weak OWF: secure for .

Hardness Amplification for OWFs

Direct Product: The k-wise direct product of is the function .

Direct-Product Theorem: [Yao82,Goldreich89]

If is a weak OWF, then is a OWF when .

Intuition: Attack fails on each with prob > ½ and are indep.

Problem: Attacker need not work independently.

Direct-Product Theorems

Direct-product theorems hold for: One-way functions, weakly verifiable puzzles, hard functions, signatures, MACs, public-coin interactive games, etc.

[Yao82, Lev87, Gold89, Imp95, GNW95, CHS05, PW07, PV07, IJK08, IJKW09, DIJK09, Hait09, Jutla10, HPPW10, MT10, Hol11]

Direct-Product theorems do not hold in general for interactive games. [BIN97,PW07]

Direct-Product Theorems (Closer Look)

Direct-Product Theorem: [Yao82, Goldreich89]

If is a weak OWF, then is a OWF when .

How secure is ?

Know: -secure for all .

Optimistic: secure.

Cautiously Optimistic: Can get or at least security when is sufficiently large.

Call this “Dream” DP Theorem. [GNW 95]

Difficult to prove “dream” DP Theorem

Want to show -hardness of assuming ½-hardness of .

Reduction: Attacker A with advantage on Attacker B with advantage ½ on .

A may only respond on (random) -fraction of inputs. B is forced to run A at least times just to get an answer!

May be able to show -hardness for (all) polynomial , but not beyond that!

Can be formalized into a black-box separation.

[Rudich]

Is “dream” DP Theorem true?

This work: NO! First counterexamples to “dream” Direct-Product theorem.

Counterexample for OWFs: Construct an artificial weak OWF whose hardness does not amplify to . is -secure. In fact, will already be standard OWF. For all poly k, can break with advantage.

Relies on a non-standard assumption on hash functions.

Counterexample for Signatures. Standard assumptions.

Counterexample for OWFs

1. Construct a hard NP problem for which the -wise DP never amplifies security below .

2. Show how to embed this problem inside a OWF.

3. Modify parameters to get counterexample for .

Extended Second-Preimage Resistance

Hard problem for hash function.

ESPR Problem: Attacker gets challenge . Attacker wins if it finds:

A Merkle-path extending .

A second preimage of this path.

ESPR implied by collision-resistance.

Need ESPR to hold for a fixed function .

Holds in “RO model with advice” [Unruh07]

[Figure: Merkle path built with h over nodes labelled 𝒙, 𝒙𝟏, 𝒙𝟐, 𝒙𝟑, 𝒙𝟒; labels “output” and “preimage”]

ESPR Does Not Amplify

Get independent instances : Build Merkle-Tree. Single output , pre-image . Guess second preimage . Good with prob . If guess is good, can break all instances!

[Figure: Merkle tree built with h over leaves 𝒙𝟏 … 𝒙𝟖, with root output 𝑦 and its preimage z]
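The structure of this attack can be run on a toy hash. The following is an added example, not code from the slides or the paper: it assumes a 16-bit truncation of SHA-256 as h, so that an exhaustive search can stand in for the attacker's lucky guess, and it encodes the ESPR win condition as read from the previous slide. The names h, build_tree, path_to_root, second_preimage, wins_espr, break_all and sample_challenges are all hypothetical.

```python
import hashlib

N_BYTES = 2  # assumption: toy 16-bit hash so a "good guess" can be simulated by search

def h(left: bytes, right: bytes) -> bytes:
    """Toy compression function (constructed): SHA-256 truncated to N_BYTES."""
    return hashlib.sha256(left + right).digest()[:N_BYTES]

def build_tree(leaves):
    """All levels of the Merkle tree, leaves first; len(leaves) must be a power of 2."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def path_to_root(levels, idx):
    """Merkle path for leaf idx: list of (sibling, sibling_is_left) up to the root."""
    path = []
    for level in levels[:-1]:
        path.append((level[idx ^ 1], idx & 1 == 1))
        idx //= 2
    return path

def second_preimage(z, y):
    """Stand-in for the guess: find z2 != z with h(z2) = y by exhaustive search."""
    for i in range(2 ** (16 * N_BYTES)):
        cand = i.to_bytes(2 * N_BYTES, "big")
        z2 = (cand[:N_BYTES], cand[N_BYTES:])
        if z2 != z and h(*z2) == y:
            return z2
    raise ValueError("no second preimage found")

def wins_espr(x, path, z2):
    """Win condition as read from the slide: path extends x, z2 is a second preimage."""
    node, z = x, None
    for sibling, sibling_is_left in path:
        z = (sibling, node) if sibling_is_left else (node, sibling)
        node = h(*z)
    return z is not None and z2 != z and h(*z2) == node

def break_all(challenges):
    """Put all k challenges in one tree; one root second preimage answers each."""
    levels = build_tree(challenges)
    y, z = levels[-1][0], tuple(levels[-2])
    z2 = second_preimage(z, y)
    return [(path_to_root(levels, i), z2) for i in range(len(challenges))]

def sample_challenges(k):
    """Constructed, deterministic stand-ins for k random challenges."""
    return [hashlib.sha256(b"x%d" % i).digest()[:N_BYTES] for i in range(k)]
```

The work done in second_preimage depends only on the output length of h, not on k: the same z2 is reused in the answer for every one of the k instances.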

[Figure: Merkle path from leaves 𝒙𝟓, 𝒙𝟔 up to the root output 𝑦 with preimage z; sibling nodes h(𝒙𝟕, 𝒙𝟖) and h(…)]

Counterexample for OWFs

1. Construct a hard NP problem for which the -wise direct product never amplifies beyond .

2. Show how to embed this problem inside a OWF.

3. Modify parameters to get counterexample for .

Embed ESPR Problem in OWF

Let be a regular OWF.

Define:

On random input, w.o.p. To invert need to either:

Find or Find such that

Claim: is a OWF.

Claim: is no more secure than -wise DP of ESPR problem.

Counterexample for OWFs

Have function such that: is secure OWF. is not secure, for any .

Define : On security parameter , behaves like with security parameter .

is still secure in standard sense. (poor exact security)

is not secure, for any .

Scale Down

Assume (time = , )-security.

Counterexample for OWFs

Theorem: Assuming exponential security of ESPR problem, there exists a (weak) OWF whose -wise DP does not amplify security to no matter how large is.

Counterexample for Signatures

Standard direct-product theorem holds for stateless signatures (weak standard security). [DIJK09]

Show: Dream DP theorem does not hold.

Main idea: embed a multi-party computation (MPC) protocol inside a signature scheme.

Toy Example: Stateful Signatures

Take any signature scheme, and a multi-party coin-tossing protocol .

Modify signature algorithm. On message m:

Sign m using original scheme.

If m = “init_prot: parties=, role=” begin executing party protocol acting as party . (stateful)

For future m, run on m and append output to the signature.

If terminates with output : output sk with signature.

Stand-alone scheme is secure. Attacker can’t cause execution of to output .

Toy Example: Stateful Signatures

To break -wise DP, pass messages between the signing oracles to execute a single (honest) instance of . With probability can break all instances!

[Figure: signing oracles Sign_sk1(⋅), Sign_sk2(⋅), …, Sign_skk(⋅)]

Stateful to Stateless Signatures

Use “stateless/resettable MPC” [CGGM00, Goyal-Maji 11]

Parties are stateless. Attacker passes messages between them to drive protocol execution.

Attacker can only “reset” computation and try again.

For coin-tossing, attacker has poly tries to get output .

Theorem: Assuming stateless MPC for coin-tossing, there exist signature schemes whose -wise DP does not amplify security below no matter what is.

Conclusions

In general, “direct product” may not amplify security beyond negligible, even to .

Open problems:

Counterexample for OWFs under standard assumptions.

Counterexample for a natural OWF. Or conjecture exponential amplification for a sub-class of OWFs?

Counterexample for XOR Lemma.

THANK YOU