counterexamples to hardness amplification beyond negligible
COUNTEREXAMPLES TO HARDNESS AMPLIFICATION BEYOND NEGLIGIBLE
Yevgeniy Dodis, Abhishek Jain, Tal Moran, Daniel Wichs
Hardness Amplification
Go from “weak” security to “strong” security.
[Figure: Weakly Secure → Strongly Secure; label: 50% Defective]
Hardness Amplification for OWFs
Security of One-Way Functions: A function is -secure if for all poly-time , . Standard OWF: secure for all . Weak OWF: secure for .
Hardness Amplification for OWFs
Direct Product: The k-wise direct product of is the function .
Direct-Product Theorem: [Yao82,Goldreich89]
If is a weak OWF, then is a OWF when .
Intuition: Attack fails on each with prob > ½ and are indep.
Problem: Attacker need not work independently.
Direct-Product Theorems
Direct-product theorems hold for: one-way functions, weakly verifiable puzzles, hard functions, signatures, MACs, public-coin interactive games, etc. [Yao82, Lev87, Gold89, Imp95, GNW95, CHS05, PW07, PV07, IJK08, IJKW09, DIJK09, Hait09, Jutla10, HPPW10, MT10, Hol11]
Direct-Product theorems do not hold in general for interactive games. [BIN97,PW07]
Direct-Product Theorems (Closer Look)
Direct-Product Theorem: [Yao82, Goldreich89]
If is a weak OWF, then is a OWF when .
How secure is ? Know: -secure for all . Optimistic: secure. Cautiously Optimistic: Can get or at least security when is sufficiently large.
Call this “Dream” DP Theorem. [GNW 95]
Difficult to prove “dream” DP Theorem
Want to show -hardness of assuming ½-hardness of .
Reduction: Attacker A with advantage on Attacker B with advantage ½ on .
A may only respond on (random) -fraction of inputs. B is forced to run A at least times just to get an answer!
May be able to show -hardness for (all) polynomial , but not beyond that!
Can be formalized into a black-box separation. [Rudich]
Is “dream” DP Theorem true?
This work: NO! First counterexamples to “dream” Direct-Product theorem.
Counterexample for OWFs: Construct an artificial weak OWF whose hardness does not amplify to . is -secure. In fact, will already be standard OWF. For all poly k, can break with advantage.
Relies on a non-standard assumption on hash functions.
Counterexample for Signatures. Standard assumptions.
Counterexample for OWFs
1. Construct a hard NP problem for which the -wise DP never amplifies security below .
2. Show how to embed this problem inside a OWF.
3. Modify parameters to get counterexample for .
Extended Second-Preimage Resistance
Hard problem for hash function.
ESPR Problem: Attacker gets challenge . Attacker wins if it finds:
A Merkle-path extending . A second preimage of this path.
ESPR implied by collision-resistance. Need ESPR to hold for a fixed function . Holds in “RO model with advice” [Unruh07].
[Figure: Merkle path built with h; labels: x, x1, x2, x3, x4, preimage]
ESPR Does Not Amplify
Get independent instances : Build Merkle-Tree. Single output , pre-image . Guess second preimage . Good with prob . If guess is good, can break all instances!
[Figure: Merkle tree built with h over the leaves x1, ..., x8; labels: z, y]
[Figure: the same tree, showing the path from x5, x6 up to z and y, with siblings h(x7, x8) and h(…)]
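The Merkle-tree argument from the "ESPR Does Not Amplify" slide, as an added Python example (not code from the talk or the paper). Assumptions: `h` is SHA-256 truncated to 16 bits so that an exhaustive search can stand in for the lucky guess, the win condition is read off the slide (a Merkle path extending the challenge plus a second preimage of the path's last hash input), and all function names are hypothetical.

```python
import hashlib
N = 2  # toy digest length in bytes (assumption), so the "lucky guess" can be brute-forced
def h(left: bytes, right: bytes) -> bytes:
    """Toy stand-in for the hash h: SHA-256 truncated to N bytes."""
    return hashlib.sha256(left + right).digest()[:N]

def build_tree(leaves):
    """All levels of a Merkle tree, leaves first (len(leaves) is a power of two >= 2)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_path(levels, i):
    """Siblings of leaf i at every level below the root: (node_is_right_child, sibling)."""
    path = []
    for level in levels[:-1]:
        path.append((i & 1, level[i ^ 1]))
        i >>= 1
    return path

def guess_second_preimage(z, y):
    """Exhaustive search standing in for the guess z' != z with h(z') = y."""
    for c in range(2 ** (16 * N)):
        cand = c.to_bytes(2 * N, "big")
        z2 = (cand[:N], cand[N:])
        if z2 != z and h(*z2) == y:
            return z2
    raise ValueError("no second preimage found")

def verify(x, path, z2):
    """Win check for challenge x: the path extends x and z2 collides with its last hash input."""
    node = x
    for is_right, sib in path[:-1]:
        node = h(sib, node) if is_right else h(node, sib)
    is_right, sib = path[-1]
    z = (sib, node) if is_right else (node, sib)  # input of the final hash on the path
    return z2 != z and h(*z2) == h(*z)

def break_all(challenges):
    """One guess at the shared root yields a solution for every instance."""
    levels = build_tree(challenges)
    z, y = tuple(levels[-2]), levels[-1][0]
    z2 = guess_second_preimage(z, y)
    return z2, [(x, merkle_path(levels, i)) for i, x in enumerate(challenges)]

# Constructed sample: k = 8 challenges x_1..x_8, matching the tree on the slide.
CHALLENGES = [hashlib.sha256(b"instance-%d" % i).digest()[:N] for i in range(1, 9)]
```

With a full-length hash the search is replaced by a single guess, and its success probability depends only on the output length of `h`, not on the number of instances k.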
Counterexample for OWFs
1. Construct a hard NP problem for which the -wise direct product never amplifies beyond .
2. Show how to embed this problem inside a OWF.
3. Modify parameters to get counterexample for .
Embed ESPR Problem in OWF
Let be a regular OWF.
Define:
On random input, w.o.p. To invert need to either:
Find or Find such that
Claim: is a OWF. Claim: is no more secure than -wise DP of ESPR problem.
Counterexample for OWFs
Have function such that: is secure OWF. is not secure, for any .
Define : On security parameter , behaves like with security parameter . is still secure in standard sense (poor exact security). is not secure, for any .
Scale Down
Assume (time = , )-security.
Counterexample for OWFs
Theorem: Assuming exponential security of ESPR problem, there exists a (weak) OWF whose -wise DP does not amplify security to no matter how large is.
Counterexample for Signatures
Standard direct-product theorem holds for stateless signatures (weak standard security). [DIJK09]
Show: Dream DP theorem does not hold.
Main idea: embed a multi-party computation (MPC) protocol inside a signature scheme.
Toy Example: Stateful Signatures
Take any signature scheme, and a multi-party coin-tossing protocol .
Modify signature algorithm. On message m:
Sign m using original scheme.
If m = “init_prot: parties=, role=” begin executing party protocol acting as party . (stateful)
For future m, run on m and append output to the signature.
If terminates with output : output sk with signature.
Stand-alone scheme is secure. Attacker can’t cause execution of to output .
Toy Example: Stateful Signatures
To break -wise DP, pass messages between the signing oracles to execute a single (honest) instance of . With probability can break all instances!
[Figure: signing oracles $\mathrm{Sign}_{sk_1}(\cdot)$, $\mathrm{Sign}_{sk_2}(\cdot)$, …, $\mathrm{Sign}_{sk_k}(\cdot)$]
Stateful to Stateless Signatures
Use “stateless/resettable MPC” [CGGM00, Goyal-Maji 11]. Parties are stateless. Attacker passes messages between them to drive protocol execution. Attacker can only “reset” computation and try again.
For coin-tossing, attacker has poly tries to get output .
Theorem: Assuming stateless MPC for coin-tossing, there exist signature schemes whose -wise DP does not amplify security below no matter what is.
Conclusions
In general, “direct product” may not amplify security beyond negligible, even to .
Open problems:
Counterexample for OWFs under standard assumptions.
Counterexample for a natural OWF. Or conjecture exponential amplification for a sub-class of OWFs?
Counterexample for XOR Lemma.
THANK YOU