The Cost of Adaptivity in Security Games on Graphs

The security of cryptographic primitives and protocols against adversaries that are allowed to make adaptive choices (e.g., which parties to corrupt or which queries to make) is notoriously difficult to establish. A broad theoretical framework for this purpose was introduced by Jafargholi et al. [Crypto’17]. In this paper we initiate the study of lower bounds on the loss in adaptive security for certain cryptographic protocols considered in that framework. We prove lower bounds that almost match the upper bounds (proven using the framework) for proxy re-encryption, prefix-constrained PRFs and generalized selective decryption, a security game that captures the security of certain group messaging and broadcast encryption schemes. These primitives have in common that their security game involves an underlying graph that the adversary can build adaptively. Some of our lower bounds only apply to a restricted class of black-box reductions which we term “oblivious” (the existing upper bounds are of this restricted type), some apply to the broader but still restricted class of non-rewinding reductions, while our lower bound for proxy re-encryption applies to all black-box reductions. The fact that some of our lower bounds seem to rely crucially on obliviousness, or at least on a non-rewinding reduction, hints at the exciting possibility that the existing upper bounds can be improved by using more sophisticated reductions. Our main conceptual contribution is a two-player multi-stage game called the Builder-Pebbler Game. We can translate bounds on the winning probabilities for various instantiations of this game into cryptographic lower bounds for the above-mentioned primitives using oracle separation techniques.

∗ Most of the work was done while the author was at Northeastern University, supported by the IARPA grant IARPA/2019-19-020700009, and Charles University, funded by project PRIMUS/17/SCI/9.
† Funded by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 TOCNeT).
