Formal Representation of Polynomial-Time Algorithms and Security - PowerPoint PPT Presentation


1
Formal Representation of Polynomial-Time
Algorithms and Security
  • Bruce Kapron
  • University of Victoria
  • June 9, 2004

2
Poly-time Function(als) in Cryptography
  • Probabilistic polynomial time (PPT)
    function(al)s play a central role in (asymptotic)
    complexity-based cryptography and security
  • Appear in the definitions of primitives, adversaries,
    reductions, verifiers, provers, simulators, ...

3
PPT Functions in Cryptography
  • Central concerns
  • Defining PPT functions or functionals
  • Proving that these functions satisfy appropriate
    properties
  • What does this mean for formalization?
  • Explicit vs. implicit representations
  • At what level should we be reasoning about PPT
    functions?

4
Formalizing PPT Functions
  • Do we really need to do this?
  • Useful for low-level arguments (e.g. soundness
    proofs)
  • Can be directly applied in a high-level
    setting, e.g. [MRST 2004]
  • Possibility of bottom-up formalization
  • Other payoffs, e.g., extraction of reductions
    from proofs

5
Implicit vs. Explicit Reasoning
  • E.g., reductions between primitives
  • Have a PPT mapping M taking any instance f of X
    to an instance M(f) of Y
  • Security of f implies security of M(f)
  • Can show this with a reduction, i.e., a PPT
    mapping S taking any adversary A breaking M(f) to
    an adversary S(A) breaking f
  • Can we formulate proof systems which guarantee a
    reduction (do all proof systems do this?)

6
Formal representation of poly-time functions
  • We typically use probabilistic TMs in
    cryptographic arguments
  • TMs' lack of structure makes formal reasoning
    difficult
  • One approach is to use models with an inductively
    defined syntax

7
Some History
  • Beginning with Cobham, 1964, there have been
    numerous function algebras proposed which
    characterize the poly-time functions, an
    outgrowth of earlier work in subrecursion
  • Focus has been on deterministic computation
    without oracles
  • Later work considers randomization [LMMS 2000,
    IK 2004] and oracle computation [Constable
    1972, Mehlhorn 1976, KC 1996]

8
Function Algebras
  • f_1, f_2, ..., f_k: collection of initial functions
  • S_1, S_2, ..., S_l: collection of closure schemes
  • [f_1, ..., f_k; S_1, ..., S_l]: smallest class
    containing f_1, f_2, ..., f_k and closed under
    S_1, S_2, ..., S_l
  • Can we capture FPTIME, the class of all poly-time
    functions?

9
Recursion on Notation
  • Use primitive recursion on binary notation of the
    recursion parameter to capture polynomial time
  • f(x,0) = g(x)
  • f(x,s_0(y)) = h_0(x,y,f(x,y))
  • f(x,s_1(y)) = h_1(x,y,f(x,y))

10
Recursion on Notation
  • Problem with this scheme: iterating a poly-time
    function a polynomial number of times can produce
    functions with exponential growth rate
  • Define f(x) = x^2, g(y) = f^y(2)
  • Then g(y) = 2^{2^y}

11
Bounded Recursion on Notation (BRN) [Cobham, 1964]
  • f(x,0) = g(x)
  • f(x,s_0(y)) = h_0(x,y,f(x,y))
  • f(x,s_1(y)) = h_1(x,y,f(x,y))
  • f(x,y) ≤ k(x,y)

12
Bounded Recursion on Notation and Poly-time
  • Let s_i(x) = 2x + i (i = 0,1), #(x) = 2^{|x|·|x|}
    (smash), and I denote the set of all projection
    functions. f is defined from g, h by composition
    (COMP) if
  • f(x) = h(x, g(x))
  • Theorem [Cobham, 1964]: [0, s_0, s_1, #, I; COMP, BRN]
    = FPTIME
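The two schemes just introduced are concrete enough to execute. The following is an added example, not code from the slides: a small interpreter for recursion on notation over Python ints (s_0 and s_1 append a binary digit), with an optional Cobham-style bound that turns it into BRN. It reproduces slide 10's blow-up (iterating squaring once per bit of y yields 2^{2^{|y|}}), shows BRN rejecting that definition under the bound #(x), and defines two functions whose growth is polynomial in the input length, msp (from slide 18) and a padding function; the bound functions and the Python step functions are assumptions chosen for illustration.

```python
# Added example (not from Kapron's slides): an interpreter for Cobham-style
# recursion on notation over Python ints; s0/s1 append a binary digit.

def s0(x: int) -> int:
    return 2 * x                      # s_0(x) = 2x: append a 0 bit

def s1(x: int) -> int:
    return 2 * x + 1                  # s_1(x) = 2x + 1: append a 1 bit

def length(x: int) -> int:
    return x.bit_length()             # |x|, the binary length of x

def smash(x: int) -> int:
    return 1 << (length(x) * length(x))   # #(x) = 2^{|x|·|x|}, the only source of large values

def recursion_on_notation(g, h0, h1, bound=None):
    """Define f from g, h0, h1 by recursion on notation:
         f(x, 0)      = g(x)
         f(x, s_i(y)) = h_i(x, y, f(x, y))
    With `bound` given this is BRN: every value must satisfy
    f(x, y) <= bound(x, y), otherwise a ValueError is raised."""
    def f(x, y):
        if y == 0:
            v = g(x)
        else:
            tail = y >> 1                      # y = s_i(tail) with i = y & 1
            v = (h1 if y & 1 else h0)(x, tail, f(x, tail))
        if bound is not None and v > bound(x, y):
            raise ValueError(f"BRN bound violated: f({x},{y}) = {v} > {bound(x, y)}")
        return v
    return f

# Slide 10: square the previous value once per bit of y. Without a bound this
# is allowed and yields 2^(2^|y|) from the seed 2, i.e. 2^|y| + 1 output bits.
square_step = lambda x, y, z: z * z
iter_square = recursion_on_notation(lambda x: x, square_step, square_step)

def iterated_square_bits(k: int) -> int:
    """Output length of iter_square(2, y) for a k-bit y: exponential in k."""
    return length(iter_square(2, (1 << k) - 1))

# The same scheme under BRN with the bound #(x) = 2^{|x|^2} is rejected as
# soon as the value outgrows the bound (2 -> 4 -> 16 -> 256, but #(2) = 16).
iter_square_brn = recursion_on_notation(lambda x: x, square_step, square_step,
                                        bound=lambda x, y: smash(x))

def brn_rejects_iterated_square() -> bool:
    try:
        iter_square_brn(2, 0b111)
        return False
    except ValueError:
        return True

# Legitimate BRN definitions whose growth is polynomial in the input lengths:
# msp(x, y) = floor(x / 2^|y|), dropping one bit of x per bit of y (bound: x).
msp = recursion_on_notation(lambda x: x, lambda x, y, z: z >> 1,
                            lambda x, y, z: z >> 1, bound=lambda x, y: x)
# pad(x, y) = x * 2^|y|, appending |y| zero bits (bound: (x + 1) * 2^|y|).
pad = recursion_on_notation(lambda x: x, lambda x, y, z: s0(z),
                            lambda x, y, z: s0(z),
                            bound=lambda x, y: (x + 1) << length(y))

if __name__ == "__main__":
    print(iterated_square_bits(10))          # 1025 bits from a 10-bit y
    print(brn_rejects_iterated_square())     # True
    print(bin(msp(0b101101, 0b11)), pad(5, 0b111))   # 0b1011 40
```

The interpreter takes ordinary Python callables as g and h_i, so it checks only the bound, not that the step functions themselves belong to the algebra; that is exactly the circularity slide 13 complains about, since the bound k must already be known to be poly-time before f can be admitted.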

13
Drawbacks of BRN
  • The need for an explicit size-bound in BRN is
    problematic in proofs
  • In general, bounding is not decidable
  • Term definition requires a bounding proof:
    circularity problem
  • One solution: modify BRN to only allow h_i with
    h_i(x,y,z) ≤ k_i(x,y)·z

14
Safe Recursion on Notation [Bellantoni & Cook,
1992]
  • Idea: only allow recursion to iterate functions
    which are not already defined by recursion.
  • Requires a typing of function parameters as
    either safe or normal: operations on safe inputs
    do not increase length by more than an additive
    constant

15
Safe Composition and Recursion on Notation
  • Composition scheme prevents safe inputs from
    being substituted into normal positions
  • f(x; a) = h(r(x;); t(x; a))
    (x normal, a safe; r(x;) takes no safe input)
16
Safe Recursion on Notation
  • f(0, x; a) = g(x; a)
  • f(s_i(y), x; a) = h_i(y, x; a, f(y, x; a))
  • No external bound required: basis for purely
    type-theoretic characterization of poly-time
    [Hofmann 1999], later used by [LMMS 2000] to get
    a term algebra for probabilistic polynomial time
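Slides 15 and 16 state two positional rules: safe data may never be substituted into a normal position (SCOMP), and the recursive value f(y, x; a) enters the step function only through a safe position (SRN). The checker below is an added example, not code from the slides or from Bellantoni and Cook; it represents terms with separate normal and safe argument tuples, mirroring the f(normal; safe) notation, and reports whether a term respects the discipline. The function names (s0, sq, h, r, t, g) and the variable `rec` standing for the recursive call are assumptions made for the illustration; the point shown is that slide 10's iterated squaring is rejected because squaring needs its argument in a normal position.

```python
# Added example (not from the slides): a checker for the Bellantoni-Cook
# normal/safe discipline on terms.
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    name: str
    safe: bool            # True: safe variable (a); False: normal variable (x, y)

@dataclass(frozen=True)
class App:
    fn: str
    normal: tuple = ()    # arguments in normal positions, before the ';'
    safe: tuple = ()      # arguments in safe positions, after the ';'

class SafetyError(Exception):
    pass

def sort_of(term) -> str:
    """'safe' if the term depends on any safe variable, else 'normal'.
    Raises SafetyError when a safe-sorted term occupies a normal position
    (the SCOMP restriction). Normal data may sit in safe positions freely."""
    if isinstance(term, Var):
        return 'safe' if term.safe else 'normal'
    for t in term.normal:
        if sort_of(t) == 'safe':
            raise SafetyError(f"safe data flows into a normal position of {term.fn}: {t}")
    return 'safe' if any(sort_of(t) == 'safe' for t in term.safe) else 'normal'

def well_formed(term) -> bool:
    try:
        sort_of(term)
        return True
    except SafetyError:
        return False

# Variables available to a step function h_i(y, x; a, rec) of an SRN
# definition f(s_i(y), x; a) = h_i(y, x; a, f(y, x; a)); `rec` stands for the
# recursive call, which SRN places in a safe position.
y, x = Var('y', safe=False), Var('x', safe=False)
a, rec = Var('a', safe=True), Var('rec', safe=True)

def srn_step_examples() -> dict:
    """Candidate step bodies and whether the discipline admits them."""
    return {
        # s_0(; rec): append one bit to the recursive value, +1 length per bit of y
        'append_bit': well_formed(App('s0', safe=(rec,))),
        # slide 10's blow-up: sq takes its input in a normal position, so the
        # safe recursive value cannot be squared
        'iterate_square': well_formed(App('sq', normal=(rec,))),
        # slide 15's composition pattern h(r(x;); t(x; a)) is admitted ...
        'scomp_ok': well_formed(App('h', normal=(App('r', normal=(x,)),),
                                    safe=(App('t', normal=(x,), safe=(a,)),))),
        # ... but t(x; a), which mentions the safe a, may not feed a normal position
        'scomp_bad': well_formed(App('h', normal=(App('t', normal=(x,), safe=(a,)),))),
        # normal variables are always acceptable in safe positions
        'normal_in_safe': well_formed(App('g', normal=(y,), safe=(x, a))),
    }

if __name__ == "__main__":
    for name, ok in srn_step_examples().items():
        print(f"{name:16s} {'admitted' if ok else 'rejected'}")
```

Because the check is purely syntactic, no size bound and no proof about k(x,y) is needed: the typing alone guarantees that each recursion step adds at most a constant to the length, which is the reason slide 16 can drop the external bound.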

17
Full Concatenation Recursion on Notation (FCRN)
[Ishihara 1999]
  • Based on CRN [Clote 1990], which can be used to
    characterize AC^0
  • f(x,0) = g(x)
  • f(x,s_0(y)) = f(x,y) ‖ sg(h_0(x,y,f(x,y)))
  • f(x,s_1(y)) = f(x,y) ‖ sg(h_1(x,y,f(x,y)))
    (sg is the signum, so each step appends a single bit)

18
Equivalence
  • Let
  • msp(x,y) = ⌊x / 2^{|y|}⌋,
  • c(x,y,z) = if x mod 2 = 0 then y else z
  • and
  • F_1 = [0, I, s_0, s_1, c, msp; COMP, FCRN]
  • F_2 = [0, I, s_0, s_1, c, msp; SCOMP, SRN]
  • F_3 = [0, I, s_0, s_1, #; COMP, BRN]
  • Then
  • FPTIME = F_1 = F_2 = F_3

19
Proof Systems
  • PV [Cook 1975]: terms are built up from
    variables and function symbols for F_3; formulas
    are equations between terms
  • Defining equations for every term of F_3 are
    included as axioms (need more initial functions)
  • Rules include reflexivity, symmetry and
    transitivity, rules for substitution and
    induction on notation

20
Induction on Notation
  • Counterpart to definition by BRN: from
    f_1(x,0) = g(x) and f_2(x,0) = g(x),
    f_1(x,s_i(y)) = h_i(x,y,f_1(x,y)) and
    f_2(x,s_i(y)) = h_i(x,y,f_2(x,y))
  • conclude f_1(x,y) = f_2(x,y)
21
Beyond PV
  • Extensions
  • PV1 [Cook 1975]: adds propositional connectives
  • CPV, IPV [Cook & Urquhart 1993]: add first-order
    logic
  • Can obtain more natural induction rules, e.g. for
    appropriate φ:
  • (φ(0) ∧ ∀x(φ(⌊x/2⌋) → φ(x))) → ∀x φ(x)

22
Beyond PV
  • Implicit formal systems also possible, e.g. S^1_2
    [Buss 1986]: poly-time functions are those
    definable in the system by a class of bounded
    formulas and provably total using limited
    induction on notation
  • S^1_2(PV) is conservative over PV

23
Adding Randomization
  • [Impagliazzo & Kapron 2004] takes the following
    approach: terms are PV terms or of the form
  • x ←_R {0,1}^{p(n)} . t
  • i ←_R [p(n)] . t
  • where t is a term
  • Formulas have the form u ≈ v (u, v closed)
  • Intended interpretation of formulas: the ensembles
    represented by u and v are computationally
    indistinguishable

24
Induction for Computational Indistinguishability
  • H-IND rule: from
    i ←_R [p(n)] . t(i) ≈ i ←_R [p(n)] . t(i+1)
  • conclude t(0) ≈ t(p(n))
25
Other Rules
  • UNIV: from PV ⊢ t(x) = s(x) conclude
    x ←_R {0,1}^{p(n)} . t(x) ≈ x ←_R {0,1}^{p(n)} . s(x)
  • SUB: from u ≈ v conclude t[u/x] ≈ t[v/x]
  • Also need an EDIT rule for basic manipulation, e.g.
    x,y ←_R {0,1}^{p(n)} . x ‖ y ≈ z ←_R {0,1}^{2p(n)} . z
26
A Methodology for Reduction Proofs
  • Start with instance f of primitive X: introduce a
    new function symbol and axioms expressing the
    security property for X
  • Obtain instance g of primitive Y in F_3[f]; prove
    that it satisfies the security property for
    primitive Y using the axioms for f
  • What about reduction of adversaries?
  • Implicit: follows from soundness

27
An Example
  • Stretching the output of a PRG [Goldreich & Micali
    89]
  • Introduce a new function symbol f representing a
    PRG which stretches by 1 bit:
  • x ← {0,1}^n . f(x) ≈ x ← {0,1}^{n+1} . x
  • Abbreviate b(x) = f(x)_1, r(x) = f(x)_{2,...,n+1}, so
    f(x) = b(x) ‖ r(x)

28
Example (contd)
  • Define by BRN
  • r(x,0) = x,  r(x,i+1) = r(r(x,i))
  • b(x,0) = ε,  b(x,i+1) = b(x,i) ‖ b(r(x,i))
  • f(x,i) = b(x,i) ‖ r(x,i)
  • Claim: x ←_R {0,1}^n . f(x,n) ≈ x ←_R {0,1}^{2n} . x
29
Example (contd)
  • Need one lemma:
  • PV ⊢ f(x,i+1) = b(x) ‖ f(r(x),i)
  • (straightforward induction). By UNIV,
  • x ←_R {0,1}^n, i ←_R [n] . f(x,i+1)
  • ≈ x ←_R {0,1}^n, i ←_R [n] . (b(x) ‖ f(r(x),i))
  • Then from the definition of f, along with SUB
    and transitivity, we get
  • x ←_R {0,1}^n, i ←_R [n] . f(x,i+1)
  • ≈ x ←_R {0,1}^{n+1}, i ←_R [n] . (x_1 ‖
    f(x_{2..n+1}, i))

30
Example (contd)
  • It then follows from SUB that
  • x,z ←_R {0,1}^n, i ←_R [n] . (z_{1..n-(i+1)} ‖
    f(x,i+1))
  • ≈ z ←_R {0,1}^{n+1}, x ←_R {0,1}^{n+1}, i ←_R [n] .
  • (z_{1..n-(i+1)} ‖ x_1 ‖ f(x_{2..n+1}, i))
  • Define h(z,x,i) = z_{1..n-i} ‖ f(x,i). Then from the
    preceding, with several applications of EDIT and
    transitivity, we get
  • x,z ←_R {0,1}^n, i ←_R [n] . h(z,x,i)
  • ≈ x,z ←_R {0,1}^n, i ←_R [n] . h(z,x,i+1)

31
Example (contd)
  • By H-IND, we obtain
  • x,z ←_R {0,1}^n . h(z,x,0) ≈ x,z ←_R {0,1}^n . h(z,x,n)
  • Finally, several applications of UNIV (to the
    definition of h), along with EDIT and
    transitivity, yield
  • x ←_R {0,1}^n . f(x,n) ≈ x ←_R {0,1}^{2n} . x

32
The Full Example
  • By running backwards through this proof, we
    automatically construct, for any A breaking the
    stretched generator f(·,n), an A' breaking f,
    defined by
  • A'(y) = z ←_R {0,1}^n, i ←_R [n] . A(z_{1..n-(i+1)} ‖ y_1 ‖
    f(y_{2..|y|}, i))
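The construction of slides 28 through 32 can be run end to end. The code below is an added example, not from the slides or from the authors: it implements the BRN definitions of r(x,i), b(x,i) and f(x,i) over bit strings, checks the lemma f(x,i+1) = b(x) ‖ f(r(x),i), builds the hybrid h(z,x,i) and the adversary A'(y) from slide 32, and then verifies numerically, by exhaustive enumeration for a small n, the identity that H-IND encodes: A' has advantage exactly (p_n - p_0)/n against the one-bit generator, where p_i is the probability that A accepts the i-th hybrid. The one-bit-stretch "PRG" is a stand-in constructed from SHA-256 so that the code runs offline (it is not a proven PRG), i ←_R [n] is read as uniform over {0,...,n-1}, n = 4 in the exhaustive check, and the parity distinguisher A is an arbitrary choice; all of these are assumptions of the example.

```python
# Added example (not from the slides): slides 28-32 executed over bit strings.
from fractions import Fraction
import hashlib
import secrets

def prg1(x: str) -> str:
    """Stand-in for the one-bit-stretch PRG f: {0,1}^n -> {0,1}^{n+1}.
    Constructed from SHA-256 only so the example runs; NOT a proven PRG."""
    digest = hashlib.sha256(x.encode()).digest()
    bits = ''.join(f'{byte:08b}' for byte in digest)
    return bits[:len(x) + 1]

def b(x: str) -> str:
    return prg1(x)[0]        # b(x) = f(x)_1, the stretched bit

def r(x: str) -> str:
    return prg1(x)[1:]       # r(x) = f(x)_{2..n+1}, the next seed

def r_iter(x: str, i: int) -> str:
    # r(x,0) = x,  r(x,i+1) = r(r(x,i))
    return x if i == 0 else r(r_iter(x, i - 1))

def b_iter(x: str, i: int) -> str:
    # b(x,0) = empty,  b(x,i+1) = b(x,i) || b(r(x,i))
    return '' if i == 0 else b_iter(x, i - 1) + b(r_iter(x, i - 1))

def f_iter(x: str, i: int) -> str:
    # f(x,i) = b(x,i) || r(x,i): |x| + i bits
    return b_iter(x, i) + r_iter(x, i)

def lemma_holds(x: str, i: int) -> bool:
    # slide 29: f(x,i+1) = b(x) || f(r(x),i)
    return f_iter(x, i + 1) == b(x) + f_iter(r(x), i)

def h(z: str, x: str, i: int) -> str:
    # slide 30's hybrid h(z,x,i) = z_{1..n-i} || f(x,i); always 2n bits
    n = len(x)
    return z[:n - i] + f_iter(x, i)

def reduction_input(y: str, z: str, i: int) -> str:
    # the 2n-bit string A' hands to A: z_{1..n-(i+1)} || y_1 || f(y_{2..|y|}, i)
    n = len(y) - 1
    return z[:n - (i + 1)] + y[0] + f_iter(y[1:], i)

def reduction(A, y: str) -> int:
    """A'(y) of slide 32: sample z <-_R {0,1}^n and i <-_R {0..n-1}, run A."""
    n = len(y) - 1
    z = ''.join(secrets.choice('01') for _ in range(n))
    return A(reduction_input(y, z, secrets.randbelow(n)))

def all_bits(k: int) -> list:
    return [f'{v:0{k}b}' for v in range(1 << k)]

def p_hybrid(A, n: int, i: int) -> Fraction:
    """p_i = Pr[A(h(z,x,i)) = 1] over uniform z, x in {0,1}^n, exhaustively."""
    ones = sum(A(h(z, x, i)) for z in all_bits(n) for x in all_bits(n))
    return Fraction(ones, 1 << (2 * n))

def reduction_advantage(A, n: int) -> Fraction:
    """Pr[A'(f(x)) = 1] - Pr[A'(u) = 1] for x in {0,1}^n, u in {0,1}^{n+1},
    averaged exactly over A's own coins z and i."""
    zs, coins = all_bits(n), range(n)
    prg_side = Fraction(sum(A(reduction_input(prg1(x), z, i))
                            for x in all_bits(n) for z in zs for i in coins),
                        (1 << (2 * n)) * n)
    uni_side = Fraction(sum(A(reduction_input(u, z, i))
                            for u in all_bits(n + 1) for z in zs for i in coins),
                        (1 << (2 * n + 1)) * n)
    return prg_side - uni_side

if __name__ == "__main__":
    parity = lambda w: int(w.count('1') % 2 == 0)     # an arbitrary distinguisher
    n = 4
    gap = (p_hybrid(parity, n, n) - p_hybrid(parity, n, 0)) / n
    print(reduction_advantage(parity, n) == gap)      # True: the H-IND bookkeeping
```

The equality checked in `__main__` is the quantitative content of the backwards run through the proof: by the lemma, A' on a PRG output sees h(·,·,i+1) and on a uniform (n+1)-bit string sees h(·,·,i), so averaging over i telescopes to (p_n - p_0)/n. Any distinguisher of the stretched generator with advantage ε therefore yields a distinguisher of f with advantage ε/n, and the loss factor n is exactly the number of hybrids.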

33
Conclusions
  • Formal reasoning about PPT functions in
    cryptographic settings is doable in a fairly
    direct way, but still seems far from practical
    application
  • Need to extend to more complex notions (e.g.
    pseudorandom functions, ZK) and arguments
  • Look for extensions of function algebras (e.g.
    process calculi)
  • Interesting theoretical questions (e.g.
    formalization of non-black-box arguments)