Non-Black-Box Techniques in Cryptography
Total Page:16
File Type:pdf, Size:1020Kb
Non-Black-Box Techniques in Cryptography Thesis for the Ph.D. Degree by Boaz Barak Under the Supervision of Professor Oded Goldreich Department of Computer Science and Applied Mathematics The Weizmann Institute of Science Submitted to the Feinberg Graduate School of the Weizmann Institute of Science Rehovot 76100, Israel January 6, 2004 To my darling Ravit Abstract The American Heritage dictionary defines the term “Black-Box” as “A device or theoretical construct with known or specified performance characteristics but unknown or unspecified constituents and means of operation.” In the context of Computer Science, to use a program as a black-box means to use only its input/output relation by executing the program on chosen inputs, without examining the actual code (i.e., representation as a sequence of symbols) of the program. Since learning properties of a program from its code is a notoriously hard problem, in most cases both in applied and theoretical computer science, only black-box techniques are used. In fact, there are specific cases in which it has been either proved (e.g., the Halting Problem) or is widely conjectured (e.g., the Satisfiability Problem) that there is no advantage for non-black-box techniques over black-box techniques. In this thesis, we consider several settings in cryptography, and ask whether there actually is an advantage in using non-black-box techniques over black-box techniques in these settings. Somewhat surprisingly, our answer is mainly positive. That is, we show that in several contexts in cryptog- raphy, there is a difference between the power of black-box and non-black-box techniques. Using non-black-box techniques we are able to solve some problems in cryptography that were previously unsolved. In fact, some of these problems were previously proven to be unsolvable using black-box techniques. The main results of this thesis are the following: Software Obfuscation Informally speaking, an obfuscator is a compiler that takes a program P as input and produces a new program P 0 that has the same functionality as P , and yet is “unintelligible” in some sense. Ideally, a software obfuscator should ensure that the only information leaked about P from the program P 0, is information that can be derived by using only black-box access to P . Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice’s theorem. In this thesis, we discuss how to formally define obfuscators, and whether or not such objects exist. Our main result in this context is that even very weak forms of obfuscators do not exist. Zero-Knowledge The simulation paradigm, introduced by Goldwasser, Micali and Rackoff, has had fundamental impact on cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Loosely speaking, the existence of such a simulator demonstrates that the adversary did not gain any knowledge about the honest party’s input. v vi Almost all previously known simulators used the adversary’s algorithm as a black-box. We present the first constructions of non-black-box simulators. Using these new non-black-box techniques we obtain several results that were previously shown to be impossible to obtain using black-box simulators. Specifically, assuming the existence of collision-resistant hash functions, we construct a new constant-round zero-knowledge argument system for NP that satisfies the following properties: 1. It remains zero knowledge even when composed concurrently n times, where n is the security parameter. 2. It is an Arthur-Merlin (public coins) protocol. 3. It has a simulator that runs in strict probabilistic polynomial-time, rather than in ex- pected probabilistic polynomial-time. It is impossible to obtain a constant-round zero-knowledge argument (for a non-trivial lan- guage) satisfying either Property 1 or Property 2 using black-box simulation (Canetti et al., 2001), (Goldreich and Krawczyk, 1996). We show that it is also impossible to obtain a constant-round zero-knowledge argument satisfying Property 3 using black-box simulation. We use this protocol to obtain other new results in cryptography. These include a con- struction of constant-round zero-knowledge proof of knowledge with a strict polynomial-time knowledge extractor, a zero-knowledge resettably sound argument for NP, and a resettable zero-knowledge argument of knowledge for NP. We show that all these applications are impossible to obtain when restricted to black-box techniques. Non-Malleability We construct the first constant round non-malleable commitment scheme and the first constant-round non-malleable zero-knowledge argument system, as defined by Dolev, Dwork and Naor (Siam J. Computing, 2000). Previous constructions either used a non- constant number of rounds, or were only secure under stronger setup assumptions (such as the availability of a public string that was chosen at random and published by a trusted third party). We obtain this result by using a non-black-box proof of security. That is, our proof uses the code of the adversary in the security reduction. As an intermediate step we define and construct a constant-round non-malleable coin tossing protocol. This coin-tossing protocol may be of independent interest. To summarize, in this thesis we show that, somewhat unintuitively, non-black-box techniques sometimes have a significant advantage over black-box techniques in cryptography. From the point of view of cryptographers, this result has both negative and positive applications. On the one hand, it further stresses the point that it is unsafe to rely on the assumption that an adversary attacking our schemes will use only black-box techniques. On the other hand, it means that when designing and analyzing cryptographic schemes, we can use these non-black-box techniques to obtain useful and important security goals that cannot be obtained using black-box techniques. Origin of the term “Black-Box” The term “black-box” has two common interpretations. One is a flight recorder on an airplane, that records all information regarding the flight, and helps discover the reasons for a crash.1 Another interpretation, which is the one we are interested in, is “A device or theoretical construct with known or specified performance characteristics but unknown or unspecified constituents and means of operation” [Ame00]. It seems that both interpretations have the same origin. In the second world war, “black-box” was a slang word among the pilots of the British Royal Air-Force (RAF) for radar instruments [Par90, Has03]. One reason was simply that these instruments were indeed enclosed in black boxes. There are also sources that suggest that the pilots, who didn’t know how these instruments operated (and in fact were not allowed to know this, since it was classified information) joked that they operated on “black magic”.2 Indeed, this is probably the reason this term came to describe any piece of mysterious electronics, which its users know (or at least have some clue as to) what it does, but have no idea how it does it. Although all sources seem to agree that the term originated from the RAF, there are earlier examples of mysterious devices being placed in black boxes (c.f. [Vas96]). Perhaps the most notable of these was the Oscilloclast (also called the ERA), invented by Dr. Albert Abrams in the beginning of the 20th century (see [Sch01, Edw00, Vle99, Abr16]). The Oscilloclast was a black box that was supposed to cure all sorts of various diseases. 3500 practitioners were using the Oscilloclast at the height of its popularity in 1923. As in the case of modern software “black boxes”, the Oscilloclast, which was leased for $200 down and $5 per month, was sealed and the lessee had to sign a contract not to open it. Thousands of patients were diagnosed and cured by Abrams of bovine syphilis, a disease whose existence was never established to the satisfaction of the medical profession. In addition, when a blood sample from a healthy guinea-pig was sent to Abrams, it was diagnosed as suffering general cancer and tuberculosis of the genito-urinary tract, another diagnosis of a drop of sheeps blood came back as hereditary syphilis with an offer of a cure for $250. When physicists and engineers opened the devices they found them to be essentially a jungle of electric wires. Thanks to justaskscott-ga from the Google Answers website. 1Today these recorders are usually painted in a bright orange color. 2For example consider this quote from an RAF fighter pilot John Cunnigham expressing his frustration with the early radar systems: “The magician was still kneeling on his prayer mat of blankets muttering to himself, the green glow from the CRT flickered on his face. A witch doctor, I thought, a witch doctor and black magic – and just about as useful.”. See http://www.vectorsite.net/ttwiz2.html. vii viii Acknowledgements First and foremost, I want to thank my advisor, Oded Goldreich. Although it was certainly not always easy, I think that I have evolved in the last four years, both as a scientist and as a person. Oded, more than any other person, was instrumental in this evolution. It was mainly through interaction with Oded that I shaped my understanding of my subject, of Computer Science at large, and of being a scientist. (Although, of course, any errors in the end result are my responsibility...) I feel very lucky to have had Oded as an advisor, and look forward to having more opportunities to learn from and work with him in the future.