Cryptography from Sunspots: How to Use an Imperfect Reference String

The common reference string (CRS) model equips all protocol participants with a common string that is sampled from a pre-specified distribution, say the uniform distribution. This model enables otherwise-impossible cryptographic goals such as removing interaction from protocols and guaranteeing composable security. However, knowing the precise distribution of the reference string seems crucial for all known protocols in this model, in the sense that current security analyses fail when the actual distribution of the reference string is allowed to differ from the specified one even by a small amount. This fact rules out many potential implementations of the CRS model, such as measurements of physical phenomena (like sunspots), or alternatively using random sources that might be adversarially influenced. We study the possibility of obtaining universally composable (UC) security in a relaxed variant of the CRS model, where the reference string is taken from an adversarially specified distribution that is unknown to the protocol. On the positive side, we demonstrate that UC general secure computation is obtainable even when the reference string is taken from an arbitrary, adversarially chosen distribution, as long as (a) this distribution has some minimal min-entropy, (b) it has not too long a description, (c) it is efficiently samplable, and (d) the sampling algorithm is known to the adversary (and simulator). On the negative side, we show that if any one of these four conditions is removed then general UC secure computation becomes essentially impossible.
