FOC-2 Cryptography with Low Complexity: 2
Benny Applebaum and Iftach Haitner, Tel-Aviv University

Reminder: Local Functions
The function f_{G,Q} is defined by:
• an (m,n,d) graph G
• a single predicate Q: {0,1}^d → {0,1}
F_{m,n,Q} = the collection {f_{G,Q}} where G is a random (m,n,d) graph.
[Figure: bipartite graph; INPUT x1,…,xn at the bottom, OUTPUT y1,…,ym at the top; each output is the predicate applied to its d neighbours, e.g. y_i = Q(x1,x2,x5)]

Goldreich's Assumption [ECCC '00]
Conjecture: for a random (single) predicate Q and an expander graph G with m = n, inversion takes exp(Ω(n)) time.
Use: an expander graph + a "good" predicate.
• First candidate for an optimal one-way function
• A random local function is whp exponentially hard to invert
• Constraint Satisfaction Problems are cryptographically hard
[Figure: the same bipartite graph; expander: every set of n/3 outputs touches 2n/3 inputs]

Generalization to Long Output
OW-Conjecture: for a properly chosen predicate Q and any graph G, the inversion complexity is exponential in the expansion of G.
Parameters: output length m, predicate Q, locality d, expansion quality.
• Larger m ⇒ easier to attack ⇒ security requires more "robust" predicates
• Weaker variant: for random graphs, no poly-time inversion
• Strong variant confirmed for many classes of attacks [CEMT09, ABW10, A12, ABR12, BR11, BQ12, OW14, FPV15, AL16, KMOW16]; see the survey [A15]

PRG Variant
PRG conjecture: for most graphs and a properly chosen predicate Q, the resulting function is a pseudorandom generator.
Parameters: output length m, predicate Q, locality d.
Q: For output length m = n^s, which predicates satisfy the conjecture?
Call such predicates s-pseudorandom.

Known Necessary Conditions [MST03, …]
To achieve s-pseudorandomness, Q must have:
• Resiliency of k = 2s − 1 [O'Donnell-Witmer14]
  - Q is uncorrelated with parities of k-subsets of the input
  - Equivalently, Q is an extractor for bit-fixing sources
• Algebraic degree of s over the binary field
  - Otherwise there is an attack based on linearization + Gaussian elimination
[Figure: the bipartite graph with a linear output y_i = XOR(x1,x2,x5), the case the linearization attack exploits]

Degree + Resiliency ⇒ Pseudorandomness?
Intuition: resiliency defeats all local attacks
• Sub-exponential AC0 circuits [A-Bogdanov-Rosen12]
• Semidefinite programs [O'Donnell-Witmer14]
• Statistical algorithms [Feldman-Perkins-Vempala15]
except for Gaussian elimination, which is defeated by degree.
Q1: large degree & resiliency ⇒ s-pseudorandomness?
• Conjectured by [FPV15] for planted CSP
• Candidate [OW14, A14]: the XOR-AND predicate XOR(W1,…,W2k) ⊕ AND(W2k+1,…,W3k) is k-psd

Evidence: Hardness against Linear Tests
Q1: large degree & resiliency ⇒ s-pseudorandomness?
Thm [ABR12]: degree, resiliency ≥ 2 ⇒ 1.24-psd against linear attacks
• f is a low-bias generator (for most graphs)
• Linear tests require both resiliency and degree
• Capture most known attacks (local/global)
• [OW14] extended this to s = 1.5 for the XOR-AND predicate
[Figure: a linear test summing a subset of the outputs, e.g. y6, …, y11]

Today (part 1)
1. Power of linear attacks for longer outputs
2. Power of algebraic attacks
Refute the above conjecture & provide fixes.

Characterization of Security against Linear Tests
Thm 1: Q is s-psd against linear tests ⟺ Q is k-resilient & has r-bit-fixing degree e, for k, r, e = Ω(s).
Characterization of Security against Linear Tests (cont.)
Thm 1: Q is s-psd against linear tests ⟺ Q is k-resilient & has r-bit-fixing degree e, for k, r, e = Ω(s).
• r-bit-fixing degree e: after fixing any r inputs, deg(Q) ≥ e
• Works for arbitrarily long outputs
Cor 1: d-local low-bias generators with output length n^{Ω(d)}
Cor 2: degree + resiliency do NOT imply pseudorandomness
• XOR(W1,…,W2k) ⊕ AND(W2k+1,…,W3k) is not 2-psd against linear tests
• Negative answer to Q1

Necessity of Bit-Fixing Degree
Lemma: r-bit-fixing degree e ⇒ NOT (r+e)-psd against linear tests.
For a 1 − o(1) fraction of graphs G there exists a linear test L s.t.
bias_L(f_{G,Q}) = |Pr_x[L(f_{G,Q}(x)) = 1] − Pr[L(U) = 1]| is a positive constant.
Proof:
• Assume deg(Q|_{w1,…,wr = 0}) = e
• S = the set of outputs whose first r inputs are x1,…,xr; |S| = n^s / n^r > 2n^e
• Conditioned on x1 = … = xr = 0, all S-outputs are degree-e polynomials ⇒ many linear dependencies over these polynomials
• Pr[L1(y_S) = 0 & … & L_{r+1}(y_S) = 0] > Pr[x1 = … = xr = 0] = 2^{−r}
• The r.v.'s L1, …, L_{r+1} are Ω(1)-far from uniform
• ⇒ a linear test over the y's with constant bias
[Figure: inputs x1,…,xr singled out; S is the set of outputs adjacent to all of them]

Bit-Fixing Degree + Resiliency ⇒ Low Bias
Proof plan:
• "Short tests" are handled by resiliency + expansion [ABR12]
• "Long tests" are handled by large fixing-degree + expansion
[Figure-only slides, "More Details (long tests)": a set A of outputs of a long test and its input neighbourhood K]

Proof
Step 1: Handling frequent inputs & their neighbors. Fix all "frequent inputs" of degree > (2d/t)·|A|.
• By Markov, at most t/2 such nodes.
Step 2: Finding pairwise disjoint outputs. Fix all inputs which do not touch a green output (a potential leader).
[Figure-only "Proof" slides illustrating the fixed inputs and the chosen outputs]

Algebraic Attacks

Beyond Bit-Fixing Degree
• The predicate Q = OR_k ∘ XOR_k has (k−1)-bit-fixing degree k
• But Q(w) = 0 implies XOR(w1, …, wd) = 0
• Q is insecure: replace 0-outputs with low-degree equations
• New attack (not captured by a linear distinguisher)
How to analyze this attack? How to model it? Can we resist it?
[Figure: OR of k blocks, each an XOR of k inputs; a 0-output y_i = Q(x1,x2,x5) replaced by the equation XOR(x1,x2,x5) = 0]

Algebraic Attacks [Shannon49, Patarin95, …]
Goal: Given y = f(x), recover the hidden variables x = (x1, …, xn)
• Write y = f(x) as a system of polynomial equations f1(x) − y1 = 0, …, fm(x) − ym = 0
• The system is further manipulated and extended, e.g., by multiplying the polynomials by some low-degree polynomial
• Eventually a solution is found, e.g., via linearization & Gaussian elimination, or by a Gröbner basis
• Well studied in the cryptanalysis literature (e.g., for LFSR-based ciphers) [Courtois01-03, CMeier03, CourtoisKlimovPatarinShamir00, Faugere99-02]
• Attacks & countermeasures typically lack formal analysis
• No formal model of such attacks

Formalizing Algebraic Attacks
We formalize algebraic attacks via the Polynomial Calculus proof system [Clegg-Edmonds-Impagliazzo96].
Goal: Given y = f(x), recover the hidden variables x = (x1, …, xn)
1. Initialize the system of polynomial equations S = {f1(x) − y1 = 0, …, fm(x) − ym = 0}
2. A "scheduler" extends S by adding either
   • x_i · P(x) = 0 for some x_i and some P ∈ S, or
   • P(x) + R(x) = 0 for some P, R ∈ S
3. Terminate with solution b if S contains x_i − b_i = 0 for all i ∈ [n]
4.
Else go to 2
• The scheduler can be arbitrary
• Covers known algebraic attacks
• Complexity: list size or degree

Algebraic Refutation Attacks
Goal: Given y = f(x), show that there is no valid solution x = (x1, …, xn)
1. Initialize the system of polynomial equations S = {f1(x) − y1 = 0, …, fm(x) − ym = 0}
2. A "scheduler" extends S by adding either
   • x_i · P(x) = 0 for some x_i and some P ∈ S, or
   • P(x) + R(x) = 0 for some P, R ∈ S
3. Terminate with "unsat" if S contains 1 = 0
4. Else go to 2
• The transcript of a successful attack yields a proof of unsatisfiability
• The proof is in Polynomial Calculus

Algebraic Attacks
Thm 2: Q is s-psd against algebraic attacks ⟺ Q has rational degree Ω(s).
Rational degree = the minimal r such that, for some b, Q(w) = b ⇒ P(w) = 0 for some nonzero degree-r relation P.
• Ex: rational degree r implies e-bit-fixing degree r − e for every e < r.
• The lower bound holds against sub-exponential-time inversion/refutation and for all outputs y
• Similar criteria appear in the cryptanalysis literature for LFSRs, with no proofs (cf. [Carlet10])
Cor 3: psd against linear attacks does NOT imply general psd.
• ∃ s and Q such that Q is s-psd against linear attacks but NOT 2.01-psd in general.

Proof of Corollary
The predicate Q = (OR_k ∘ XOR_k) ⊕ XOR
• has (k−1)-bit-fixing degree k
• has k-resiliency
• but rational degree 2
[Figure: OR of k XOR-blocks of k inputs each, XORed with an extra parity, forming Q]

Necessity of Rational Degree
Lemma: rational degree r ⇒ algebraic refutation w.p. 1 − o(1) for m = n^r.
Assume Q(w) = 0 ⇒ R(w) = 0, where deg(R) = r.
Naïve attempt: certify that a random y is not in the image
• Replace each equation Q(x_S) = 0 with R(x_S) = 0
• Linearize and try to solve
• If there is no solution, output "y is NOT in the image"
[Figure: a 0-output Q(x_S) = 0 replaced by R(x1,x2,x5) = 0]
• This attack can be implemented as an algebraic refutation attack
• But it completely fails!
  - R(w1,w2,w3) = w1w2w3 + w1w2 + w2w3 + w1w3
  - The linearized equations have the form X_ijk + X_ij + X_ik + X_jk = 0
  - A (fake) solution always exists
Fix: identify fake solutions by using (some of) the original Q-equations.

Necessity of Rational Degree (cont.)
Certificate that y is not in the image:
• A set A of 2d "disjoint" outputs
• For every d-subset S ⊆ Input(A), the equation R(x_S) = 0 derived via linearization
• y_A is balanced
Show: this certifies unsatisfiability, exists whp, & yields an algebraic attack.

Rational Degree Defeats Algebraic Attacks
• Lower bound against Polynomial Calculus [AlekRazb01]
• (strong) security against algebraic refutation attacks ⇒ security against algebraic inversion attacks for log-space functions
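The rational degree of a small predicate can be computed directly by searching for a low-degree annihilator over GF(2), and the "replace 0-outputs with low-degree equations" attack of the Beyond Bit-Fixing Degree slide can be run end-to-end on a toy instance. The script below is an added example, not code from the talk or its authors. It finds the annihilators of Q = OR_2 ∘ XOR_2 (rational degree 1, so every 0-output yields linear equations directly and no higher-degree linearization is needed), solves the resulting system by Gaussian elimination, and then applies the fix stated on the slides: solutions of the linearized system are checked against the original Q-equations to discard fake ones. The instance size n = 24, m = 288, the seed and the 24-bit secret are constructed here; XOR-AND is included only to show a predicate whose rational degree equals its degree.

```python
"""Rational degree via annihilator search over GF(2), and the attack it enables on a toy
local function. Added example; n, m, the seed and the secret x are constructed here."""
import random
from itertools import combinations, product


def or_xor(w, k=2):
    """OR of k blocks, each the XOR of k bits (d = k*k); Q(w)=0 forces every block parity to 0."""
    return int(any(sum(w[i * k:(i + 1) * k]) % 2 for i in range(k)))


def xor_and(w, k=2):
    """XOR of the first 2k bits XORed with the AND of the last k bits (d = 3k)."""
    return (sum(w[:2 * k]) % 2) ^ int(all(w[2 * k:3 * k]))


def gf2_nullspace(rows, ncols):
    """Basis of {v : row.v = 0 for every row} over GF(2); rows and vectors are ints, bit c = column c."""
    rows, pivots, rank = [r for r in rows if r], [], 0
    for c in range(ncols):
        piv = next((i for i in range(rank, len(rows)) if (rows[i] >> c) & 1), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> c) & 1:
                rows[i] ^= rows[rank]
        pivots.append(c)
        rank += 1
    basis = []
    for f in range(ncols):
        if f in pivots:
            continue
        v = 1 << f                       # free column f = 1, pivot columns set to cancel it
        for i, p in enumerate(pivots):
            if (rows[i] >> f) & 1:
                v |= 1 << p
        basis.append(v)
    return basis


def annihilators(pred, d, r, b):
    """Basis of polynomials P (lists of monomial masks) with deg P <= r and P(w) = 0 whenever Q(w) = b."""
    monos = [sum(1 << j for j in S) for size in range(r + 1) for S in combinations(range(d), size)]
    rows = []
    for idx in range(1 << d):
        if pred([(idx >> j) & 1 for j in range(d)]) == b:
            rows.append(sum(1 << c for c, m in enumerate(monos) if (idx & m) == m))
    return [[monos[c] for c in range(len(monos)) if (v >> c) & 1] for v in gf2_nullspace(rows, len(monos))]


def rational_degree(pred, d):
    """Minimal r such that Q(w) = b implies P(w) = 0 for some b and some nonzero P of degree r."""
    return next(r for r in range(d + 1) if any(annihilators(pred, d, r, b) for b in (0, 1)))


def evaluate(pred, graph, x):
    return [pred([x[j] for j in S]) for S in graph]


def linearized_rows(rels, graph, y, n):
    """Instantiate each degree-<=1 annihilator on the output's neighbourhood; column n is the constant 1."""
    rows = []
    for S, b in zip(graph, y):
        for P in rels[b]:
            row = 0
            for mono in P:
                assert (mono & (mono - 1)) == 0, "only degree-1 relations are instantiated here"
                row |= (1 << n) if mono == 0 else (1 << S[mono.bit_length() - 1])
            rows.append(row)
    return rows


def algebraic_inversion(pred, d, n, graph, y):
    """Replace every output by its implied linear relations, solve by Gaussian elimination, then keep
    only solutions of the linearized system that satisfy the original Q-equations (the slides' fix).
    Returns (genuine preimages found, nullity of the linearized system)."""
    rels = {b: annihilators(pred, d, 1, b) for b in (0, 1)}
    basis = gf2_nullspace(linearized_rows(rels, graph, y, n), n + 1)
    assert len(basis) <= 12, "linearized system too underdetermined; use more outputs"
    found = []
    for coeffs in product((0, 1), repeat=len(basis)):
        v = 0
        for c, vec in zip(coeffs, basis):
            v ^= vec if c else 0
        if (v >> n) & 1:                                 # constant column = 1: an affine solution
            cand = [(v >> j) & 1 for j in range(n)]
            if evaluate(pred, graph, cand) == y:         # fake solutions fail the real equations
                found.append(tuple(cand))
    return sorted(found), len(basis)


SECRET = [int(c) for c in "101100111000101101001110"]   # constructed 24-bit secret input


def demo(n=24, m=288, d=4, seed=7):
    rng = random.Random(seed)
    graph = [rng.sample(range(n), d) for _ in range(m)]  # random (m, n, d) graph
    y = evaluate(or_xor, graph, SECRET[:n])
    found, nullity = algebraic_inversion(or_xor, d, n, graph, y)
    return SECRET[:n], found, nullity


if __name__ == "__main__":
    x, found, nullity = demo()
    print("rational degree: OR2∘XOR2 =", rational_degree(or_xor, 4), " XOR-AND =", rational_degree(xor_and, 6))
    print("linearized system has", 2 ** nullity, "solutions;", len(found), "survive the Q-equations")
    print("secret recovered (up to complement):", tuple(x) in found)
```

With OR_2 ∘ XOR_2 the annihilators of Q = 0 are w1 ⊕ w2 and w3 ⊕ w4, so each 0-output contributes two equations x_a = x_b. The linearized system has more solutions than the original one (the all-zero and all-one vectors satisfy every x_a = x_b but not the Q-equations of the 1-outputs), which is the "fake solution" phenomenon the slides describe; after the filter only the secret and its bitwise complement remain, and both are genuine preimages because OR∘XOR is invariant under complementing all inputs.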