
Universal Reductions: Reductions Relative to Stateful Oracles

  • Conference paper
  • Theory of Cryptography (TCC 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13749)

Abstract

We define a framework for analyzing the security of cryptographic protocols that makes minimal assumptions about what a “realistic model of computation” is. In particular, whereas classical models assume that the attacker is a (perhaps non-uniform) probabilistic polynomial-time algorithm, and more recent definitional approaches also consider quantum polynomial-time algorithms, we consider an approach that is more agnostic to which computational model is physically realizable.

Our notion of universal reductions models attackers as PPT algorithms having access to some arbitrary unbounded stateful Nature that cannot be rewound or restarted when queried multiple times. We also consider a more relaxed notion of universal reductions with respect to time-evolving, k-window Natures, which restricts Nature's behavior: roughly speaking, Nature's behavior may depend on the number of messages it has received and on the content of the last \(k(\lambda)\) messages (but not on “older” messages).

We present both impossibility results and general feasibility results for our notions, indicating to what extent the extended Church-Turing hypotheses are needed for a well-founded theory of Cryptography.


Notes

  1. Without getting too deep into Philosophy, it seems reasonable to argue that the Extended Church-Turing Hypothesis does not pass Popper’s falsifiability test [Pop05], as we do not have “shared ways of systematically determining” whether a probabilistic Turing machine cannot perform some task (as testified by the fact that the \(\textsf{P}\) vs. \(\textsf{NP}\) problem is still open). As such, the statement of the hypothesis is no different from the classic example of “All men are mortal”, which according to Popper’s theory is not scientific as we do not have systematic procedures for deducing whether a person is immortal. This is in contrast to assumptions such as “Factoring products of random 1000-bit primes is hard for all physically realizable computation devices”, as we do have a systematic way of determining whether some such device manages to complete the task: simply run it.

  2. For concreteness, and to simplify notation, we will model attackers as Turing machines, so technically we are still relying on the (more reasonable) non-extended Church-Turing hypothesis. But we highlight that nothing in our treatment requires doing so, and none of our results would change if we instead allowed any, even non-computable, attackers. See Sect. 3 for more discussion.

  3. This model clearly oversimplifies as, say, \(n^{100}\) computation is not actually feasible. But we start off with a standard asymptotic treatment to get a model that is easy to work with. In practice, a more concrete treatment is desirable, but we leave this for future work.

  4. We refer to such reductions as “universal” because they are agnostic to the computational resources of an attacker (and thus can be “universally” applied, independent of the attacker’s computational power). Additionally, on a technical level, and as we discuss in more detail shortly, considering security relative to a stateful entity is related to how security is defined in the framework for Universal Composability of Canetti [Can01].

  5. Nevertheless, we note that all our results also hold if restricting the length of \(\rho \) to be polynomial.

  6. We emphasize that Theorem 4 also rules out so-called “parameter-aware” black-box reductions [BBF13], where the reduction may depend on the success probability \(a\) of the attacker; note that Yao’s original reduction is parameter dependent (more specifically, the number of repetitions is required to be superlinear in the adversary’s success probability), and as shown in [LTW05] a dependency on the attacker’s success probability is inherent for black-box reductions. Theorem 4 rules out such parameter-aware universal reductions as well, and indeed rules out universal reductions that increase the success probability of the adversary even if assuming that the original attacker’s success probability is, say, \(\frac{1}{2}\).

  7. There is a small subtlety here. Robustness is defined with respect to all previous transcripts, even exponentially long ones, so naively implementing this approach will not work since eventually we can include all possible strings y in the transcripts. Rather, the way we formalize this argument is to consider a \(\textsf{Nat}\) that only has “polynomial memory” and checks for repeated strings y in the most recent part of the transcript it is fed.

  8. Again, we highlight that Theorem 5 also rules out “parameter-aware” reductions that depend on the success probability of the attacker; in fact, it rules out even reductions that only work if the underlying attacker’s success probability is 0.99. (As noted in [BBF13], Goldreich-Levin’s standard reduction is parameter-aware, and this is inherent as shown in [LTW05].)

  9. In the definition of robust winning above, we require that the augmented adversary win a security game for every prefix \({\rho }\) that \(\textsf{Nat}\) may have previously seen, even those containing exponentially many messages. A natural alternative is to consider a notion of robust winning that considers only those prefixes with \(\textrm{poly}(\lambda )\) many messages; indeed our impossibilities and feasibilities can both be made to work in that setting, but at the expense of definitional complexity.

References

  1. Adcock, M., Cleve, R.: A quantum Goldreich-Levin Theorem with cryptographic applications. In: Alt, H., Ferreira, A. (eds.) STACS 2002. LNCS, vol. 2285, pp. 323–334. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45841-7_26
  2. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, pp. 474–483. IEEE (2014)
  3. Baecher, P., Brzuska, C., Fischlin, M.: Notions of black-box reductions, revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 296–315. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_16
  4. Bitansky, N., Brakerski, Z., Kalai, Y.T.: Constructive post-quantum reductions. IACR Cryptol. ePrint Archive, p. 298 (2022)
  5. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
  6. Barak, B., Goldreich, O.: Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)
  7. Bitansky, N., Shmueli, O.: Post-quantum zero knowledge in constant rounds. In: Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, pp. 269–279 (2020)
  8. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)
  9. Chan, B., Freitag, C., Pass, R.: Universal reductions: reductions relative to stateful oracles (2022). https://ia.cr/2022/156
  10. Chiesa, A., Ma, F., Spooner, N., Zhandry, M.: Post-quantum succinct arguments: breaking the quantum rewinding barrier. In: FOCS, pp. 49–58. IEEE (2021)
  11. Dieks, D.G.B.J.: Communication by EPR devices. Phys. Lett. A 92(6), 271–272 (1982)
  12. Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
  13. Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: Proceedings of the Twenty-second Annual ACM Symposium on Theory of Computing, pp. 416–426 (1990)
  14. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
  15. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 25–32 (1989)
  16. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
  17. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
  18. Goldreich, O.: Foundations of Cryptography, vol. 1, Basic Tools. Cambridge University Press, Cambridge (2007)
  19. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)
  20. Hofheinz, D.: Possibility and impossibility results for selective decommitments. J. Cryptol. 24(3), 470–516 (2011)
  21. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the Twenty-first Annual ACM Symposium on Theory of Computing, pp. 44–61 1989 (1995)
  22. Lamport, L.: Constructing digital signatures from a one-way function. Technical report (1979)
  23. Lin, H., Trevisan, L., Wee, H.: On hardness amplification of one-way functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 34–49. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_3
  24. Mahadev, U.: Classical verification of quantum computations. In: FOCS, pp. 259–267. IEEE Computer Society (2018)
  25. Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_8
  26. Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_3
  27. Maurer, U., Pietrzak, K.: Composition of random systems: when two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_23
  28. Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8
  29. Maurer, U., Renner, R.: Abstract cryptography. In: Innovations in Computer Science, Citeseer (2011)
  30. Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991). https://doi.org/10.1007/BF00196774
  31. Popper, K.: The Logic of Scientific Discovery. Routledge, London (2005)
  32. Rogaway, P.: Formalizing human ignorance. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 211–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11958239_14
  33. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
  34. Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_10
  35. Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
  36. Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009)
  37. Wootters, W.K., Zurek, W.H.: A single quantum cannot be cloned. Nature 299(5886), 802–803 (1982)
  38. Yao, A.C.: Theory and application of trapdoor functions. In: 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982), pp. 80–91. IEEE (1982)
  39. Zhandry, M.: How to construct quantum random functions. In: FOCS, pp. 679–687. IEEE Computer Society (2012)

Acknowledgements

This work is supported in part by NSF CNS-2149305, NSF Award SATC-1704788, NSF Award RI-1703846, CNS-2128519, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This material is based upon work supported by DARPA under Agreement No. HR00110C0086. Cody Freitag’s work was done partially during an internship at NTT Research, and he is also supported in part by the National Science Foundation Graduate Research Fellowship under Grant No. DGE-2139899. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF, the United States Government, or DARPA.

Author information

Corresponding author: Benjamin Chan

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Chan, B., Freitag, C., Pass, R. (2022). Universal Reductions: Reductions Relative to Stateful Oracles. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13749. Springer, Cham. https://doi.org/10.1007/978-3-031-22368-6_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22368-6_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22367-9

  • Online ISBN: 978-3-031-22368-6
