CryptoDB
Kenji Yasunaga
Publications
Year
Venue
Title
2024
TCC
Bit-Security Preserving Hardness Amplification
Abstract
Hardness amplification is one of the important reduction techniques in cryptography, and it has been
extensively studied in the literature. The standard XOR lemma known in the literature evaluates the hardness
in terms of the probability of correct prediction; the hardness is amplified from mildly hard (close to $1$) to
very hard $1/2 + \varepsilon$ by inducing $\varepsilon^2$ multiplicative decrease of the circuit size.
Translating such a statement in terms of the bit-security framework introduced by Micciancio-Walter (EUROCRYPT 2018)
and Watanabe-Yasunaga (ASIACRYPT 2021), it may cause a bit-security loss of $\log(1/\varepsilon)$.
To resolve this issue, we derive a new variant of the XOR lemma in terms of the R\'enyi advantage, which directly
characterizes the bit security. In the course of proving this result, we prove a new variant of the hardcore lemma
in terms of the conditional squared advantage; our proof uses a boosting algorithm that may output the $\bot$ symbol
in addition to $0$ and $1$, which may be of independent interest.
2023
ASIACRYPT
Unified View for Notions of Bit Security
Abstract
We study the framework of Watanabe and Yasunaga (Asiacrypt 2021) that enables us to evaluate the bit security of cryptographic primitives/games with an operational meaning. First, we observe that their quantitative results preserve even if adversaries are allowed to output the failure symbol in games. With this slight modification, we show that the notion of bit security by Watanabe and Yasunaga is equivalent to that of Micciancio and Walter (Eurocrypt 2018) up to constant bits. Also, we demonstrate that several existing notions of advantages can be captured in a unified way. Based on this equivalence, we show that the reduction algorithm of Hast (J. Cryptology, 2004) gives a tight reduction of the Goldreich-Levin hard-core predicate to the hardness of one-way functions. These two results resolved open problems that remained.
We show that all games we need to care about in their framework are decision games. Namely, for every search game G, there is the corresponding decision game G′ such that G has λ-bit security if and only if G′ has λ-bit security. The game G′ consists of the real and the ideal games, where attacks in the ideal game are never approved. Such games often appear in game-hopping security proofs. The result justifies such security proofs because they lose no security. Finally, we provide a distribution replacement theorem. Suppose a game using distribution Q in a black-box manner is λ-bit secure, and two distributions P and Q are computationally λ-bit secure indistinguishable. In that case, the game where Q is replaced by P is also λ-bit secure.
2021
ASIACRYPT
Bit Security as Computational Cost for Winning Games with High Probability
📺
Abstract
We introduce a novel framework for quantifying the bit security of security games. Our notion is defined with an operational meaning that a $\lambda$-bit secure game requires a total computational cost of $2^\lambda$ for winning the game with high probability, e.g., 0.99. We define the bit security both for search-type and decision-type games. Since we identify that these two types of games should be structurally different, we treat them differently but define the bit security using the unified framework to guarantee the same operational interpretation. The key novelty of our notion of bit security is to employ two types of adversaries: inner adversary and outer adversary. While the inner adversary plays a ``usual'' security game, the outer adversary invokes the inner adversary many times to amplify the winning probability for the security game. We find from our framework that the bit security for decision games can be characterized by the information measure called the \emph{R\'enyi divergence} of order $1/2$ of the inner adversary. The conventional ``advantage,'' defined as the probability of winning the game, characterizes our bit security for search-type games. We present several security reductions in our framework for justifying our notion of bit security. Many of our results quantitatively match the results for the bit security notion proposed by Micciancio and Walter in 2018. In this sense, our bit security strengthens the previous notion of bit security by adding an operational meaning. A difference from their work is that, in our framework, the Goldreich-Levin theorem gives an optimal reduction only for ``balanced'' adversaries who output binary values in a balanced manner.
Coauthors
- Shun Watanabe (3)
- Kenji Yasunaga (3)