Presentation Transcript

Does Privacy Require True Randomness?

Yevgeniy Dodis

New York University

Joint work with Carl Bosley

Even in Cryptography…
  • Secret keys must have entropy
  • Many primitives must be randomized (encryption, commitment, ZK)
  • Common abstraction: perfect randomness
    • strong assumption, hard to get right

IPAM Workshop

Perfect Randomness
  • Hard to get as we just saw
  • Do we really need perfect randomness?
  • Imperfect source: family of distributions satisfying some property (e.g., entropy)?
  • “Tolerate” imperfect source: have one scheme correctly working for any D in the source
  • Main Question: which imperfect sources are enough for Cryptography?


Extractable Sources
  • Sources permitting (deterministic) extraction of nearly perfect randomness
    • such sources suffice for (almost) anything perfect randomness is enough for
  • However, many sources non-extractable 
    • E.g., entropy sources [SV86,CG89]
  • Are extractable sources the only “good” sources for cryptography???
    • Depends on application…


Current Answers
  • Correctness/Soundness: NO 
    • Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
  • Authentication/Unpredictability: NO 
    • Quite weak sources enough for MACs [MW97] (& even weaker for interactive MACs [RW03])
    • Enough for signatures as well, assuming “strong OWPs” [DOPS04]
    • General sources: separation between authentication and extraction [DS02]


Privacy/Indistinguishability

Mixed indications:

  • All known techniques (pseudorandomness,…) critically rely on perfect randomness
  • Studied non-extractable sources are not enough for privacy as well [MP91, DOPS04]
  • 1-bit case [DS02, DPP06]: strict implications extraction ⇒ encryption ⇒ 2−2 secret sharing
  • What about the general, multi-bit case???


Our Main Result
  • Nearly perfect randomness is inherent for inform.-theoretic private key encryption
  • Theorem 1: If n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract b nearly perfect bits from S!
    • Note: if Enc is efficient, then so is Ext
  • Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b ≈ (log n − loglog n) bits


Interpretation
  • Theorem 1: to encrypt b bits
    • Either the secret key length is exponential, or
    • S is extractable and, in fact, “perfect enough” to apply (an almost) b-bit one-time pad!
  • Thus, if b is “non-trivial”, then
    • Cannot afford to sample exponentially long key
    • Must find a source capable of extracting almost b random bits to begin with
    • Might as well extract and use one-time pad
    • One-time pad is universal after all


Interpretation
  • Theorem 2: glimmer of hope
    • Encryption of up to (log n − loglog n) bits does not imply extraction of even 1 bit
    • Non-trivially extends the 1-bit separation of [DS02] to (log n − loglog n) bits
  • For encrypting very few bits true randomness is not inherent


Extensions
  • Computational security: implies extraction of b pseudorandom bits
    • In particular, at least 1 statistical bit!
  • Efficiency: poly-time encryption ⇒ poly-time extraction (non-explicit)
  • Other primitives: extends to public-key encryption, perfectly-binding commitments


Conclusions
  • One-time pad is universal for private-key encryption
  • Strong indication that (nearly) perfect randomness is inherent for privacy
  • Open questions:
    • De-randomize construction of extractor
    • Extend to other (all?) privacy applications
    • Classify crypto apps w.r.t. randomness


Details!

Let the fun begin!


Deterministic Extraction
  • n-bit source S = family of distributions {K} on {0,1}^n
  • ℓ-bit extractor Ext for S:
    • Ext: {0,1}^n → {0,1}^ℓ
  • Ext is ε-fair if for all K ∈ S, we have SD(Ext(K), U_ℓ) ≤ ε
  • S is (ℓ, ε)-extractable if there is an ε-fair extractor Ext for S


Private-Key Encryption
  • Alice & Bob share n-bit key k ← K, for K ∈ S
  • b-bit encryption scheme (Enc, Dec) for S:
    • Enc: {0,1}^b × {0,1}^n → C, Dec: C × {0,1}^n → {0,1}^b
    • For all m ∈ {0,1}^b, k ∈ {0,1}^n, Dec(Enc(m, k), k) = m
  • (Enc, Dec) is ε-secure if for all K ∈ S and m ∈ {0,1}^b, SD(Enc(m, K), Enc(U_b, K)) ≤ ε
  • S is (b, ε)-encryptable if there is an ε-secure b-bit encryption scheme (Enc, Dec) for S


Results Restated

Theorem 1: If n-bit S is (b, ε)-encryptable and b > log n + 2log(1/δ), then S must be (b − 2log(1/δ), ε + δ)-extractable

Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, ε)-extractable, where


Proof of Theorem 1
  • Let S’ = { Enc(U_b, k) | k ∈ {0,1}^n }
  • Lemma 1: If S’ is (ℓ, δ)-extractable, then S is (ℓ, ε + δ)-extractable. In fact,

Ext(k) = Ext’(Enc(0, k))

  • Proof: take any K ∈ S. Then
  • Lemma 2: If b > log n + 2log(1/δ), then S’ is (b − 2log(1/δ), δ)-extractable
  • Say X is b-flat if X is uniform on 2^b values
  • Note: all X ∈ S’ are b-flat (can decrypt!)
  • Lemma 3: If b > log n + 2log(1/δ), then any collection S’ of 2^n b-flat distributions is (b − 2log(1/δ), δ)-extractable
    • Implies Lemma 2 and Theorem 1
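
As an added example (my own Python, not code from the talk or its authors), here is a small exact model of the definitions above (statistical distance, ε-fair extractor, ε-secure encryption, the source S’) and of the Lemma 1 reduction Ext(k) = Ext’(Enc(0, k)). The scheme is a one-time pad that uses only the low b bits of an n-bit key, with n = 4 and b = 2; the two sources, the key distributions and all function names are constructed for the example. On the "good" source the pad is 0-secure and Lemma 1 yields a 0-fair 2-bit extractor; on a source containing a point-mass key the pad has security error 3/4, and the extractor built from it is exactly as biased, matching the ε + δ bound.

```python
from fractions import Fraction

# Constructed toy parameters (not from the talk): n = 4-bit keys, b = 2-bit messages.
N_BITS = 4
B_BITS = 2
MASK = (1 << B_BITS) - 1


def uniform(values):
    """Uniform distribution on the given values, as {value: Fraction}."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}


def statistical_distance(P, Q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)|, computed exactly."""
    return sum(abs(P.get(x, 0) - Q.get(x, 0)) for x in set(P) | set(Q)) / 2


def push_forward(f, K):
    """Distribution of f(k) when k is drawn from K."""
    out = {}
    for k, p in K.items():
        out[f(k)] = out.get(f(k), 0) + p
    return out


def fairness_error(ext, source, ell):
    """max over K in S of SD(Ext(K), U_ell): the smallest eps for which Ext is eps-fair on S."""
    U = uniform(range(1 << ell))
    return max(statistical_distance(push_forward(ext, K), U) for K in source)


def security_error(enc, source, b):
    """max over K in S and m of SD(Enc(m, K), Enc(U_b, K)): the smallest eps for which
    (Enc, Dec) is eps-secure on S.  In Enc(U_b, K) the message and key are independent."""
    worst = Fraction(0)
    for K in source:
        enc_ub = {}
        for k, p in K.items():
            for m in range(1 << b):
                enc_ub[enc(m, k)] = enc_ub.get(enc(m, k), 0) + p / (1 << b)
        for m in range(1 << b):
            enc_m = push_forward(lambda k: enc(m, k), K)
            worst = max(worst, statistical_distance(enc_m, enc_ub))
    return worst


# The scheme: a one-time pad that uses only the low b bits of the n-bit key.
def enc(m, k):
    return m ^ (k & MASK)


def dec(c, k):
    return c ^ (k & MASK)


def key_dist(high_bits_probs):
    """Constructed key distribution: low b bits uniform, high bits with the given probabilities."""
    K = {}
    for high, p in high_bits_probs.items():
        for low in range(1 << B_BITS):
            K[(high << B_BITS) | low] = p / (1 << B_BITS)
    return K


# A source on which the pad is perfectly secure: the pad bits are uniform however the unused
# high bits are distributed.
GOOD_SOURCE = [
    key_dist({h: Fraction(1, 4) for h in range(4)}),    # fully uniform key
    key_dist({3: Fraction(1)}),                         # high bits fixed to 11
    key_dist({0: Fraction(1, 2), 1: Fraction(1, 2)}),   # high bits skewed
]
# A source containing a point-mass key: the pad is then a known constant.
BAD_SOURCE = [{0: Fraction(1)}]


def s_prime():
    """S' = { Enc(U_b, k) | k in {0,1}^n }: ciphertext distribution of a random message under each fixed key."""
    U_b = uniform(range(1 << B_BITS))
    return [push_forward(lambda m: enc(m, k), U_b) for k in range(1 << N_BITS)]


def ext_prime(c):
    """Extractor for S': every Enc(U_b, k) is uniform on {0,1}^b, so the identity is 0-fair on S'."""
    return c


def lemma1_ext(k):
    """Lemma 1's extractor for S: Ext(k) = Ext'(Enc(0, k))."""
    return ext_prime(enc(0, k))
```

Running `security_error(enc, GOOD_SOURCE, B_BITS)` and `fairness_error(lemma1_ext, GOOD_SOURCE, B_BITS)` both give 0, while on `BAD_SOURCE` both give 3/4: the extractor inherits exactly the encryption's error, which is the content of Lemma 1 with δ = 0.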

Proof of Lemma 3
  • Lemma 3: If b > log n + 2log(1/δ), then any collection S’ of 2^n b-flat distributions is (b − 2log(1/δ), δ)-extractable
  • Proof: Let ℓ = b − 2log(1/δ), B = 2^b, L = 2^ℓ = Bδ²
  • Pick random f : C → {0,1}^ℓ
  • ∀ b-flat X ∈ S’: Chernoff + union bound
  • Another union bound over all X ∈ S’


Observations
  • [TV00]: enough to pick n-wise independent f
  • Lemma 3’: If b > log n + 2log(1/δ), then any collection S’ of 2^n b-flat distributions is efficiently (b − 2log(1/δ) − log n, δ)-extractable
  • Corollary: If Enc is efficient ⇒ so is Ext
  • Extends to computational setting
    • Extract pseudorandom bits
  • Perfect binding enough
    • Covers public−key encryption and perfectly−binding commitment


Proof of Theorem 2

Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, ε)-extractable, where

Theorem 2’: For b < log n − loglog n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1, ε)-extractable, where

Good(E) = {K|E is Shannon-secure under K}


Proof of Theorem 2’
  • Let N = 2^n; B = 2^b; S s.t. N ≤ S(S−1)…(S−B+1)
  • Note, N < S^B, so S > N^{1/B} (> B for our params)
  • M = [B], C = [S], K = {all B-tuples of distinct ciphertexts}

K = { k = (c_1…c_B) | c_i ≠ c_j for i ≠ j }

  • Enc(m, (c_1…c_B)) = c_m, Dec(c, (c_1…c_B)) = m s.t. c_m = c
  • Take any Ext: [N] → {0,1}
  • Case 1: have 0-monochromatic perfect K
    • Fix Ext to 0 with K, done
  • Case 2: no such 0-monochromatic perfect K
    • [Main Lemma] ⇒ perfect K’ s.t. Pr[Ext(K’) = 0] < B²/S
  • Main Lemma: if cannot fix Ext to 0, then ∃ perfect K s.t. Pr[Ext(K) = 0] < B²/S
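
As an added example (my own Python, not the talk's code or proof), the Theorem 2’ scheme for its smallest case b = 1, i.e. B = 2: ciphertexts are [S] = {0, …, S−1}, a key is a pair of distinct ciphertexts, and Enc(m, (c_1, c_2)) = c_m. The block tests membership in Good(E) (Shannon security under a key distribution), shows that any directed cycle of ciphertexts gives a perfect K, and for a given 1-bit Ext computes min over perfect K of Pr[Ext(K) = 0], which is what the Main Lemma bounds. The reduction of that minimum to a minimum-mean-cycle computation (Karp's algorithm) is my own observation for B = 2, not the talk's argument: a perfect K has equal marginals on c_1 and c_2, so it is a circulation on the complete digraph and hence a convex combination of cycle-uniform distributions. The extractors `ext_ascending`, `ext_parity`, `random_ext` and the parameter S are constructed for the example.

```python
from fractions import Fraction
from itertools import combinations, permutations
import random

# Constructed toy instance of the Theorem 2' scheme: b = 1, so B = 2 messages;
# ciphertexts are [S] = {0, ..., S-1}; a key is a pair of distinct ciphertexts.
B = 2

def keys(S):
    """K = { (c_1, ..., c_B) | c_i != c_j for i != j }."""
    return list(permutations(range(S), B))

def enc(m, k):
    """Enc(m, (c_1, ..., c_B)) = c_m (messages are indexed 0..B-1 here)."""
    return k[m]

def dec(c, k):
    """Dec(c, (c_1, ..., c_B)) = the m with c_m = c."""
    return k.index(c)

def is_shannon_secure(K, S):
    """Membership test for Good(E): Enc(m, K) must have the same distribution for every m."""
    dists = []
    for m in range(B):
        d = [Fraction(0)] * S
        for k, p in K.items():
            d[enc(m, k)] += p
        dists.append(d)
    return all(d == dists[0] for d in dists)

def uniform_key_dist(S):
    """The obvious perfect K: uniform over all keys."""
    ks = keys(S)
    return {k: Fraction(1, len(ks)) for k in ks}

def cycle_key_dist(cycle):
    """Uniform K on the keys (c_i, c_{i+1}) along a directed cycle c_0 -> c_1 -> ... -> c_0.
    Both key coordinates are then uniform on the cycle's vertices, so K is perfect (B = 2 only)."""
    t = len(cycle)
    return {(cycle[i], cycle[(i + 1) % t]): Fraction(1, t) for i in range(t)}

def simple_cycles(S):
    """Every simple directed cycle on [S], listed once with its smallest vertex first."""
    for t in range(2, S + 1):
        for verts in combinations(range(S), t):
            for order in permutations(verts[1:]):
                yield (verts[0],) + order

def min_zero_fraction_bruteforce(ext, S):
    """min over simple cycles C of Pr[Ext(K_C) = 0] for the cycle-uniform K_C (small S only)."""
    return min(sum(p for k, p in cycle_key_dist(c).items() if ext(k) == 0)
               for c in simple_cycles(S))

def min_zero_fraction(ext, S):
    """min over ALL perfect K of Pr[Ext(K) = 0] for B = 2 (my circulation argument: a cycle suffices),
    via Karp's minimum-mean-cycle algorithm with weight 1 on key (u, v) iff Ext(u, v) = 0."""
    n, INF = S, float("inf")
    # D[k][v] = minimum weight of a walk with exactly k edges from vertex 0 to v
    D = [[INF] * n for _ in range(n + 1)]
    D[0][0] = 0
    for k in range(1, n + 1):
        for v in range(n):
            D[k][v] = min((D[k - 1][u] + (1 if ext((u, v)) == 0 else 0)
                           for u in range(n) if u != v), default=INF)
    best = None
    for v in range(n):
        if D[n][v] == INF:
            continue
        ratios = [Fraction(D[n][v] - D[k][v], n - k) for k in range(n) if D[k][v] != INF]
        if ratios and (best is None or max(ratios) < best):
            best = max(ratios)
    return best

def ext_error_lower_bound(ext, S):
    """Some perfect K has SD(Ext(K), U_1) at least 1/2 minus the smaller of
    min Pr[Ext(K) = 0] and min Pr[Ext(K) = 1] over Good(E)."""
    return Fraction(1, 2) - min(min_zero_fraction(ext, S),
                                min_zero_fraction(lambda k: 1 - ext(k), S))

def check_main_lemma(ext, S):
    """Main Lemma as stated on the slide: either Ext can be fixed to 0 on a perfect K,
    or some perfect K has Pr[Ext(K) = 0] < B^2 / S."""
    p0 = min_zero_fraction(ext, S)
    return p0 == 0 or p0 < Fraction(B * B, S)

# Constructed 1-bit extractors Ext: K -> {0,1}.
def ext_ascending(k):
    """1 iff c_1 < c_2.  Its 0-keys (descents) contain no cycle, so Case 2 of the proof applies."""
    return 1 if k[0] < k[1] else 0

def ext_parity(k):
    """0 iff both ciphertexts have the same parity: a cycle through the even ciphertexts is 0-monochromatic."""
    return (k[0] + k[1]) % 2

def random_ext(S, seed):
    """A random 1-bit extractor, fixed by the seed."""
    rng = random.Random(seed)
    table = {k: rng.randrange(2) for k in keys(S)}
    return lambda k: table[k]
```

For `ext_ascending` with S = 5 the minimum is 1/5 (the cycle 0 → 1 → 2 → 3 → 4 → 0 has a single descent), so a perfect K exists on which this Ext is 3/10 away from uniform; `ext_parity` falls into Case 1 and is useless on the cycle over the even ciphertexts. `check_main_lemma` holds for every Ext when B = 2: if the 0-keys contain no cycle, walking the ciphertexts in reverse topological order gives a cycle with only one 0-key, i.e. probability 1/S < B²/S.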

Proof of Main Lemma

Not to prove Theorem 2’

Not to prove Main Lemma


Thank You !

But don’t go, we need to prove main lemma !!!
