A note on (non-)uniform reductions

Created on 26 February 2019, last modified on 22 June 2019✏ 22 Jun 2019Gee Law
Hero image: circuitsHero image: circuitsHero image: circuitsHero image: circuits
Hero image: circuits

I learnt how to write uniform hybrid reductions in my rudimentary cryptography course, which are beasty beauties that wrap an adversary, trying break each of the many underlying cryptographic assumptions simultaneously. However, those constructions are less easy to write and read than using the transitivity of computational indistinguishability up to polynomially many times. The latter involves writing out the (perhaps polynomially many) hybrids and arguing that adjacent hybrids are indistinguishable. I also learnt non-uniform reductions, noticeably the technique to only work with deterministic adversaries. I’m writing a proof using hybrid argument lately, and I asked my advisor about whether I should write out the beast or just the list of hybrids, she says she prefers just writing the list of hybrids.

I recall the first time I see people using the transitivity of computational indistinguishability up to polynomially many times is when I took Ivan Damgård’s Kryptologisk protokolteori (Cryptologic Protocol Theory) course. I remember clearly Ivan mentioned the indistinguishability of polynomially many commitments could be proven by ‘replacing the commitments one by one and using the transitivity’. I was surprised because the proof I had been writing until then were ‘uniform’, which I shall explain below. Of course, now I have understood that those are different flavours of reductions.

(Non-)uniform adversaries

There are two models of computational security in cryptography. Both require some distributions (views, etc.) to be indistinguishable for efficient adversaries. The nuance is the definition of ‘efficient’. In the uniform model, the efficient adversaries are modelled as probabilistic polynomial-time Turing machines, where as in the non-uniform model, they are modelled as polynomially-sized families of circuits. In idealised models, one also considers security against adversaries that make polynomially many oracle queries and have unbounded resources otherwise, but let’s put that aside for now.

Equivalently, non-uniform adversaries can also be modelled as: 1) deterministic (or probabilistic) polynomial-time Turing machines with families of polynomially long advice; 2) families of deterministic (or probabilistic) polynomial-time Turing machines of polynomial-sized descriptions.

Semantic/CPA security for PKE

Let λ\lambda be the security parameter. Defined the CPA security game CPAPKEA(b)\CPA_\PKE^\mathcal{A}\left(b\right) for bit bb, PKE scheme PKE=(KeyGen,Enc,Dec)\PKE=\left({\KeyGen,\Enc,\Dec}\right) and adversary A\mathcal{A} to be the following procedure:

  1. Let (pk,sk)KeyGen(1λ)\left({\pk,\sk}\right)\leftarrow\KeyGen\left(1^\lambda\right).
  2. Send pk\pk to A\mathcal{A}.
  3. Let A\mathcal{A} choose as many pairs of messages (mi(0),mi(1))\left({m_i^{\left(0\right)},m_i^{\left(1\right)}}\right) as it wants, and for each pair, return Enc(1λ,pk,mi(b))\Enc\left({1^\lambda,\pk,m_i^{\left(b\right)}}\right).
  4. A\mathcal{A} outputs a bit bb', which becomes the outcome of the game.

We say PKE\PKE is CPA secure if for all efficient A\mathcal{A}, the distinguishing advantage DistCPAPKEA=Pr[CPAPKEA(0)=1]Pr[CPAPKEA(1)=1]\DistCPA_\PKE^\mathcal{A}=\Pr\left[{\CPA_\PKE^\mathcal{A}\left(0\right)=1}\right]-\Pr\left[{\CPA_\PKE^\mathcal{A}\left(1\right)=1}\right] is negligible in λ\lambda. Note that the distinguishing advantage might be negative here, which is the convention I followed when I first learnt cryptography. Following the convention, we say the adversary talks to a challenger, which is just the procedure executing the game.

The semantic security game is the same as that for CPA security, except that the adversary must submit exactly one pair of messages. Semantic security of a PKE scheme is defined similarly.

One of the first propositions a learner in public-key cryptography proves is that semantic security implies CPA security (for public-key schemes). The reason behind that is the distributions of ciphertexts in the two worlds are both efficiently sampleable, since the adversary is given the public key. Having more samples from efficiently sampleable indistinguishable distributions doesn’t make it much easier to distinguish.

Let’s prove it in two different ways.

Uniform reduction

Let A\mathcal{A} be any efficient adversary playing the CPA game against a semantically secure PKE\PKE. Since A\mathcal{A} is efficient, it makes at most polynomially many queries, say Q(λ)Q\left(\lambda\right) ones. We create the following adversary A\mathcal{A}' playing the semantic security game against PKE\PKE:

  1. Pick t${1,2,,Q(λ)}t\takerandom\left\{{1,2,\dots,Q\left(\lambda\right)}\right\}.
  2. Run A\mathcal{A} and interface it as the challenger, i.e., process all its communication.
  3. Receive pk\pk and send it to A\mathcal{A}.
  4. For the first t1t-1 queries from A\mathcal{A}, answer it with Enc(1λ,pk,mi(0))\Enc\left({1^\lambda,\pk,m_i^{\left(0\right)}}\right).
  5. For the tt query from A\mathcal{A}, send the query to the challenger and answer A\mathcal{A} with whatever the challenger returns.
  6. For any subsequent queries from A\mathcal{A}, answer it with Enc(1λ,pk,mi(1))\Enc\left({1^\lambda,\pk,m_i^{\left(1\right)}}\right).
  7. Output whatever A\mathcal{A} outputs.

It is fairly easy to show DistCPAPKEA=Q(λ)DistSSPKEA.\DistCPA_\PKE^\mathcal{A}=Q\left(\lambda\right)\DistSS_\PKE^{\mathcal{A}'}. Since A\mathcal{A}' is efficient, its advantage must be negligible, thus proving the negligibility of A\mathcal{A}’s advantage.

‘Listing the hybrids’

Let’s take a two-query CPA adversary for example. Consider the (hybrid) games:

  • Enc(1λ,pk,m1(0)),Enc(1λ,pk,m2(0))\Enc\left({1^\lambda,\pk,m_1^{\left({\color{red}0}\right)}}\right),\Enc\left({1^\lambda,\pk,m_2^{\left({\color{red}0}\right)}}\right)
  • Enc(1λ,pk,m1(1)),Enc(1λ,pk,m2(0))\Enc\left({1^\lambda,\pk,m_1^{\left({\color{red}1}\right)}}\right),\Enc\left({1^\lambda,\pk,m_2^{\left({\color{red}0}\right)}}\right)
  • Enc(1λ,pk,m1(1)),Enc(1λ,pk,m2(1))\Enc\left({1^\lambda,\pk,m_1^{\left({\color{red}1}\right)}}\right),\Enc\left({1^\lambda,\pk,m_2^{\left({\color{red}1}\right)}}\right)

The first pair of games are indistinguishable, because given the public key, the adversary could just create the second ciphertext itself and pretend it came from the challenger. The second pair of games are indistinguishable for a similar reason. Since the sum of two negligible functions is still negligible, the first and the third games are indistinguishable, which is what we want. Note that the indistinguishability of adjacent games still involves a computational reduction.

However, when we apply this technique to adversaries that makes ω(1)\omega\left(1\right) queries, something iffy appears. The first mistake to avoid in elementary calculus is assuming the sum of infinitely (or rather indefinitely) many infinitesimals is infinitesimal. For example, 1n+i0(n,i,1in),\frac{1}{n+i}\to 0\quad\left({n,i\to\infty,1\leq i\leq n}\right), but i=1n1n+i01dx1+x=log2(n).\sum_{i=1}^{n}{\frac{1}{n+i}}\to\int_0^1{\frac{\operatorname{d}\!x}{1+x}}=\log 2\quad\left({n\to\infty}\right). Similarly, we might have concerns on adding up a bunch of negligible functions that ‘begin to be really negligible’ too slowly, so slowly that the sum becomes non-negligible. This concern is indeed valid for the uniform model, and the problem is known to be superficial only in the non-uniform model (I said ‘known’ because we technically do not know whether P?=NP\mathsf{P}\mathrlap{\:\:?}{{}={}}\mathsf{NP}).

In the non-uniform model, it is enough to list the hybrids and prove the adjacent hybrids are indistinguishable. For the sake of completeness, let’s formally do the non-uniform reduction. Writing out the reduction circuits explicitly helps understand where non-uniformity comes in.

Let Aλ\mathcal{A}_\lambda be an adversarial family of circuits playing the CPA game making at most (polynomial) Q(λ)Q\left(\lambda\right) queries. For each λ\lambda, we consider the hybrid games Hi\mathsf{H}_i for i=0,,Q(λ)i=0,\dots,Q\left(\lambda\right), where Hi\mathsf{H}_i answers the first ii queries with ciphertexts of the first messages and the rest with those of the second ones. Let the distinguishing advantage of Aλ\mathcal{A}_\lambda between Hi1,Hi\mathsf{H}_{i-1},\mathsf{H}_i be did_i, then DistCPAPKEAλi=1Q(λ)di.\left|\DistCPA_\PKE^{\mathcal{A}_\lambda}\right|\leq\sum_{i=1}^{Q\left(\lambda\right)}{\left|d_i\right|}. Now let iλargmaxidii^\star_\lambda\in\operatorname{argmax}_{i}{\left|d_i\right|}, we then create an adversarial family of circuits Aλ\mathcal{A}_\lambda', whose λ\lambda member uses Aλ\mathcal{A}_\lambda by putting the challenge in the iλi^\star_\lambda slot. This new family clearly has polynomial size. By the choice of ii^\star, we have DistCPAPKEAλQ(λ)DistSSPKEAλ,\left|\DistCPA_\PKE^{\mathcal{A}_\lambda}\right|\leq Q\left(\lambda\right)\left|\DistSS_\PKE^{\mathcal{A}_\lambda'}\right|, and since Aλ\mathcal{A}_\lambda' have negligible advantage, so must Aλ\mathcal{A}_\lambda.

The non-uniformity is introduced in the highlighted part. The sequence ii^\star might not be efficiently computable. Non-uniformity is also introduced by (conveniently) assuming the adversaries are deterministic, where non-uniformity allows us to hardwire the best random tape.

Exercise

In one discussion with my advisor, I felt I was lacking practice of hybrid argument so we agreed that I do an exercise on reducing matrix DDH to the usual DDH. I did this and somehow recovered my muscle.

Try to prove the indistinguishability of (g,ga1,,gan,gb1,,gbm,ga1b1,ga1b2,,ganbm),ai,bj$ZG\left({g,g^{a_1},\dots,g^{a_n},g^{b_1},\dots,g^{b_m},g^{a_1b_1},g^{a_1b_2},\dots,g^{a_nb_m}}\right),\quad a_i,b_j\takerandom\mathbb{Z}_{\left|G\right|} and (g,ga1,,gan,gb1,,gbm,gc11,gc12,,gcnm),ai,bj,cij$ZG\left({g,g^{a_1},\dots,g^{a_n},g^{b_1},\dots,g^{b_m},g^{c_{11}},g^{c_{12}},\dots,g^{c_{nm}}}\right),\quad a_i,b_j,c_{ij}\takerandom\mathbb{Z}_{\left|G\right|} for polynomial n,mn,m by reducing it to the DDH assumption in group G=gG=\left\langle g\right\rangle.

More…

Knife used by Swiss Armed Forces
Knife used by Swiss Armed Forces

While just writing out the hybrids is easier than producing the gigantic beast, I still appreciate the uniform reduction. It’s like building a Swiss Army knife (the difference is that not all tasks are accomplished). One factor is the inertia from my rudimentary course. The other thing is that uniform reductions produce stronger results, namely that security of the underlying assumptions against uniform adversaries implies security of the construction against uniform adversaries, and that against non-uniform ones implies that against non-uniform ones (whereas a non-uniform reduction only produces security based on assumptions against non-uniform adversaries). Nevertheless, in most cases, having written out the hybrids, it just requires some additional labour to convert the list into the gigantic beast, and I personally ponder the proofs by using transitivity (of course I don’t create the beasts in my mind when I’m still trying to coming up with a proof [or a disproof]).

I think people can also consider non-uniform cryptographic schemes. While that might be theoretically interesting, all the constructions I know are uniform schemes. It is also reasonable to assume the adversary is ‘stronger than the scheme’ (and desirable to have systems secure in such situation), in the sense that the schemes are uniform and the adversaries are non-uniform.

Updated on 22 June. There is a very neat paper by Oded Goldreich and Bernd Meyer that separates uniform/non-uniform indistinguishabilities (in a very perfect sense) via some very pathetic ensembles.

Computer ScienceCryptography

Please enable JavaScript to view the comments powered by Disqus.