Does Privacy Require True Randomness?

Yevgeniy Dodis, New York University. Joint work with Carl Bosley.


Post on 04-Jan-2016


Page 1: Does Privacy Require True Randomness?

Does Privacy Require True Randomness?

Yevgeniy Dodis

New York University

Joint work with Carl Bosley

Page 2: Does Privacy Require True Randomness?

Yevgeniy Dodis. New York University IPAM Workshop 3

Randomness is Important

Page 3: Does Privacy Require True Randomness?


Even in Everyday Life

Page 4: Does Privacy Require True Randomness?


Even in Cryptography…

• Secret keys must have entropy
• Many primitives must be randomized (encryption, commitment, ZK)
• Common abstraction: perfect randomness
– strong assumption, hard to get right

Page 5: Does Privacy Require True Randomness?


Randomness is Hard to Get

Page 6: Does Privacy Require True Randomness?


Coins cannot be trusted either

Page 7: Does Privacy Require True Randomness?


Especially with Active Attackers

Page 8: Does Privacy Require True Randomness?


Perfect Randomness

• Hard to get, as we just saw
• Do we really need perfect randomness?
• Imperfect source: family of distributions satisfying some property (i.e., entropy)?
• “Tolerate” imperfect source: have one scheme correctly working for any D in the source
• Main Question: which imperfect sources are enough for Cryptography?

Page 9: Does Privacy Require True Randomness?


Extractable Sources

• Sources permitting (deterministic) extraction of nearly perfect randomness
– such sources suffice for (almost) anything perfect randomness is enough for
• However, many sources non-extractable
– E.g., entropy sources [SV86, CG89]
• Are extractable sources the only “good” sources for cryptography???
– Depends on application…

Page 10: Does Privacy Require True Randomness?


Current Answers

• Correctness/Soundness: NO
– Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
• Authentication/Unpredictability: NO
– Quite weak sources enough for MACs [MW97] (& even weaker for interactive MACs [RW03])
– Enough for signatures as well, assuming “strong OWPs” [DOPS04]
– General sources: separation between authentication and extraction [DS02]

Page 11: Does Privacy Require True Randomness?


Privacy/Indistinguishability

Mixed indications:

− All known techniques (pseudorandomness, …) critically rely on perfect randomness
− Studied non-extractable sources are not enough for privacy as well [MP91, DOPS04]
+ 1-bit case [DS02, DPP06]: strict implications

extraction encryption 2−2 secret sharing

What about the general, multi-bit case???

Page 12: Does Privacy Require True Randomness?


Our Main Result

• Nearly perfect randomness is inherent for inform.-theoretic private key encryption
• Theorem 1: If n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract b nearly perfect bits from S!
– Note: if Enc is efficient, then so is Ext
• Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b (log n loglog n) bits

Page 13: Does Privacy Require True Randomness?


Interpretation

• Theorem 1: to encrypt b bits
– Either the secret key length is exponential, or
– S is extractable and, in fact, “perfect enough” to apply (an almost) b-bit one-time pad!
• Thus, if b is “non-trivial”, then
– Cannot afford to sample exponentially long key
– Must find a source capable of extracting almost b random bits to begin with
– Might as well extract and use one-time pad
– One-time pad is universal after all

Page 14: Does Privacy Require True Randomness?


Interpretation

• Theorem 2: glimmer of hope
– Encryption of up to (log n loglog n) bits does not imply extraction of even 1 bit
– Non-trivially extends the 1-bit separation of [DS02] to (log n loglog n) bits
• For encrypting very few bits true randomness is not inherent

Page 15: Does Privacy Require True Randomness?


Extensions

• Computational security: implies extraction of b pseudorandom bits
– In particular, at least 1 statistical bit!
• Efficiency: poly-time encryption poly-time extraction (non-explicit )
• Other primitives: extends to public-key encryption, perfectly-binding commitments

Page 16: Does Privacy Require True Randomness?


Conclusions

• One-time pad is universal for private-key encryption
• Strong indication that (nearly) perfect randomness is inherent for privacy
• Open questions:
– De-randomize construction of extractor
– Extend to other (all?) privacy applications
– Classify crypto apps w.r.t. randomness

Page 17: Does Privacy Require True Randomness?


Let the fun begin!

Page 18: Does Privacy Require True Randomness?


Deterministic Extraction

• n-bit source S = family of distributions {K} on {0,1}^n
• ℓ-bit extractor Ext for S:
– Ext: {0,1}^n {0,1}^ℓ
• Ext is -fair if for all K S, we have SD( Ext(K), U_ℓ )
• S is (ℓ, )-extractable if there is an -fair extractor Ext for S

Page 19: Does Privacy Require True Randomness?


Private-Key Encryption

• Alice & Bob share n-bit key k K, for K S
• b-bit encryption scheme (Enc, Dec) for S:
– Enc: {0,1}^b {0,1}^n C, Dec: C {0,1}^n {0,1}^b
– For all m {0,1}^b, k {0,1}^n, Dec(Enc(m, k), k) = m
• (Enc, Dec) is -secure if for all K S and m {0,1}^b SD( Enc(m, K), Enc(U_b, K) )
• S is (b, )-encryptable if there is a -secure b-bit encryption scheme (Enc, Dec) for S

Page 20: Does Privacy Require True Randomness?


Results Restated

Theorem 1: If n-bit S is (b, )-encryptable and b > log n + 2 log(1/ ), then S must be (b − 2 log(1/ ), + )-extractable

Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, )-extractable, where

Page 21: Does Privacy Require True Randomness?


Proof of Theorem 1

• Let S’ = { Enc(U_b, k) | k {0,1}^n }
• Lemma 1: If S’ is (ℓ, )-extractable, then S is (ℓ, + )-extractable. In fact, Ext(k) = Ext’(Enc(0, k))
• Proof: take any K S. Then

Page 22: Does Privacy Require True Randomness?


Proof of Theorem 1

• Let S’ = { Enc(U_b, k) | k {0,1}^n }
• Lemma 1: If S’ is (ℓ, )-extractable, then S is (ℓ, + )-extractable. In fact, Ext(k) = Ext’(Enc(0, k))
• Lemma 2: If b > log n + 2 log(1/ ), then S’ is (b − 2 log(1/ ), )-extractable

Page 23: Does Privacy Require True Randomness?


Proof of Theorem 1

• Let S’ = { Enc(U_b, k) | k {0,1}^n }
• Lemma 2: If b > log n + 2 log(1/ ), then S’ is (b − 2 log(1/ ), )-extractable
• Say X is b-flat if X is uniform on 2^b values
• Note: all X S’ are b-flat (can decrypt!)
• Lemma 3: If b > log n + 2 log(1/ ), then any collection S’ of 2^n b-flat distributions is (b − 2 log(1/ ), )-extractable
– Implies Lemma 2 and Theorem 1

Page 24: Does Privacy Require True Randomness?


Proof of Lemma 3

• Lemma 3: If b > log n + 2 log(1/ ), then any collection S’ of 2^n b-flat distributions is (b − 2 log(1/ ), )-extractable
• Proof: Let ℓ = b − 2 log(1/ ), B = 2^b, L = 2^ℓ = B 2
• Pick random f : C {0,1}^ℓ

b-flat X S’, Chernoff + union bound

• Another union bound over all X S’,
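An added simulation of the random-f step in the proof above (not from the original slides): it fixes a collection of b-flat distributions, picks one random f, and reports the largest SD(f(X), U_ℓ) over the collection for several output lengths ℓ. The universe size, number of sources, seed and function names are constructed for illustration.

```python
import random
from collections import Counter

def sd_to_uniform(outputs, L):
    """SD between the law of `outputs` (equally weighted) and uniform on L values."""
    counts = Counter(outputs)
    return sum(abs(counts.get(y, 0) / len(outputs) - 1 / L) for y in range(L)) / 2

def worst_sd(b, ell, universe=4096, num_sources=64, seed=2016):
    """Fix a collection of b-flat X, pick one random f, return max SD(f(X), U_ell)."""
    rng = random.Random(seed)          # seeded for a repeatable experiment only
    B, L = 2 ** b, 2 ** ell
    # Constructed collection S': each X is uniform on B distinct points of C.
    sources = [rng.sample(range(universe), B) for _ in range(num_sources)]
    f = [rng.randrange(L) for _ in range(universe)]    # random f: C -> {0,1}^ell
    return max(sd_to_uniform([f[c] for c in X], L) for X in sources)

def sweep(b=10, ells=(2, 6, 10)):
    """Worst-case distance over the collection for several output lengths ell."""
    return {ell: worst_sd(b, ell) for ell in ells}

if __name__ == "__main__":
    for ell, dist in sweep().items():
        print(f"ell = {ell:2d}  max SD over collection = {dist:.3f}")
```

With ℓ = b the output of f is far from uniform on every source; the distance shrinks as ℓ drops below b, which is the loss in output length that the lemma accepts.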

Page 25: Does Privacy Require True Randomness?


Observations

• [TV00]: enough to pick n-wise independent f
• Lemma 3’: If b > log n + 2 log(1/ ), then any collection S’ of 2^n b-flat distributions is efficiently (b − 2 log(1/ ) − log n, )-extractable
• Corollary: If Enc is efficient so is Ext
• Extends to computational setting
– Extract pseudorandom bits
• Perfect binding enough
– Covers public-key encryption and perfectly-binding commitment

Page 26: Does Privacy Require True Randomness?


Proof of Theorem 2

Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, )-extractable, where

Theorem 2’: For b < log n − loglog n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1, )-extractable, where

Good(E) = {K | E is Shannon-secure under K}

Page 27: Does Privacy Require True Randomness?


Proof of Theorem 2’

• Let N = 2^n; B = 2^b; S s.t. N S(S−1)…(S−B+1)
• Note, N < S^B, so S > N^(1/B) (> B for our params)
• M = [B], C = [S], K = {all B-tuples of ciphertexts}

K = { k = (c_1…c_B) | c_i c_j for i j }

• Enc(m, (c_1…c_B)) = c_m, Dec(c, (c_1…c_B)) = m s.t. c_m = c
• Take any Ext: [N] {0,1}
• Case 1: have 0-monochromatic perfect K
– Fix Ext to 0 with K, done
• Case 2: no such 0-monochromatic perfect K
– [Lemma] perfect K’ s.t. Pr[Ext(K’) = 0] < B^2/S
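The scheme E from the slide above (Enc(m, k) = c_m) on toy sizes, as an added example that is not from the original slides: it computes SD(Enc(m, K), Enc(U_b, K)) exactly for several key distributions K and exhibits a Shannon-secure K on which a 1-bit Ext is constantly 0, as in Case 1. The sizes B = 3 and S = 5, the cyclic-shift and skewed key distributions, and the function ext are constructed for illustration; the encoding of keys as n-bit strings is left out.

```python
from fractions import Fraction
from itertools import permutations

B, S = 3, 5   # constructed toy sizes: B messages, S ciphertexts

def enc(m, k):
    return k[m]              # Enc(m, (c_1..c_B)) = c_m, messages numbered 0..B-1

def dec(c, k):
    return k.index(c)        # the unique m with c_m = c (entries are distinct)

def sd(p, q):
    """Statistical distance between two {value: probability} dicts."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def cipher_dist(key_dist, msg_dist):
    """Exact distribution of Enc(M, K) for independent M and K."""
    out = {}
    for k, pk in key_dist.items():
        for m, pm in msg_dist.items():
            out[enc(m, k)] = out.get(enc(m, k), 0) + pk * pm
    return out

def worst_gap(key_dist):
    """max over m of SD(Enc(m, K), Enc(U_b, K)); 0 means Shannon-secure."""
    target = cipher_dist(key_dist, {m: Fraction(1, B) for m in range(B)})
    return max(sd(cipher_dist(key_dist, {m: Fraction(1)}), target)
               for m in range(B))

def uniform_on(keys):
    keys = list(keys)
    return {k: Fraction(1, len(keys)) for k in keys}

ALL_KEYS = list(permutations(range(S), B))   # all B-tuples of distinct ciphertexts
BASE = (0, 1, 2)
SHIFTS = [BASE[i:] + BASE[:i] for i in range(B)]   # cyclic shifts of one tuple
PERFECT_K = uniform_on(SHIFTS)                # only B equally likely keys
SKEWED_K = uniform_on([BASE, (0, 1, 3)])      # first two entries never change

def ext(k):   # constructed 1-bit Ext: 0 exactly when the key uses {0, 1, 2}
    return 0 if set(k) == set(BASE) else 1

def pr_ext_zero(key_dist):
    return sum(p for k, p in key_dist.items() if ext(k) == 0)

if __name__ == "__main__":
    for name, K in [("all keys", uniform_on(ALL_KEYS)),
                    ("cyclic shifts", PERFECT_K), ("skewed", SKEWED_K)]:
        print(name, "gap =", worst_gap(K), "Pr[Ext=0] =", pr_ext_zero(K))
```

The cyclic-shift distribution has only B equally likely keys, yet every message encrypts to a uniform ciphertext on {0, 1, 2}, so E is Shannon-secure under it while ext is constant on its support.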

Page 28: Does Privacy Require True Randomness?


Proof of Main Lemma

• Let N = 2^n; B = 2^b; S s.t. N S(S−1)…(S−B+1)
• Note, N < S^B, so S > N^(1/B) (> B for our params)
• M = [N], C = [S], K = {all B-tuples of ciphertexts}

K = { k = (c_1…c_B) | c_i c_j for i j }

• Enc(m, (c_1…c_B)) = c_m, Dec(c, (c_1…c_B)) = m s.t. c_m = c
• Main Lemma: if cannot fix Ext to 0, then perfect K s.t. Pr[Ext(K) = 0] < B^2/S

Page 29: Does Privacy Require True Randomness?


Proof of Main Lemma

Not to prove Theorem 2’

Not to prove Main Lemma

Page 30: Does Privacy Require True Randomness?


But don’t go, we need to prove main lemma !!!