Results 1 
7 of
7
Lower bounds on the Efficiency of Generic Cryptographic Constructions
 41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE
, 2000
"... A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we ..."
Abstract

Cited by 61 (6 self)
 Add to MetaCart
A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentiallytight lower bounds on the best possible efficiency of any blackbox construction of some fundamental cryptographic tools from the most basic and widelyused cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal oneway hash functions, and digital signatures based on oneway permutations, as well as constructions of public and privatekey encryption schemes based on trapdoor permutations. In each case, we show that any blackbox construction beating our efficiency bound would yield the unconditional existence of a oneway function and thus, in particular, prove P = NP. 1
Limits on the Efficiency of OneWay PermutationBased Hash Functions
 In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science
, 1999
"... Naor and Yung ([NY89]) show that a onebit compressing universal oneway hash function (UOWHF) can be constructed based on a oneway permutation. This construction can be iterated to build a UOWHF which compresses by "n bits, at the cost of "n invocations of the oneway permutation. We show that thi ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
Naor and Yung ([NY89]) show that a onebit compressing universal oneway hash function (UOWHF) can be constructed based on a oneway permutation. This construction can be iterated to build a UOWHF which compresses by "n bits, at the cost of "n invocations of the oneway permutation. We show that this construction is not far from optimal, in the following sense: there exists an oracle relative to which there exists a oneway permutation with inversion probability 2 \Gammap(n) (for any p(n) 2 !(log n)), but any construction of an "nbitcompressing UOWHF requires \Omega\Gamma p n=p(n)) invocations of the oneway permutation, on average. (For example, there exists in this relativized world a oneway permutation with inversion probability n \Gamma!(1) , but no UOWHF that invokes it fewer than \Omega\Gamma p n= log n) times.) Thus any proof that a more efficient UOWHF can be derived from a oneway permutation is necessarily nonrelativizing; in particular, no provable construction...
Key agreement from weak bit agreement
 In Proceedings of the Thirty Seventh Annual ACM Symposium on Theory of Computing
"... Assume that Alice and Bob, given an authentic channel, have a protocol where they end up with a bit SA and SB, respectively, such that with probability 1+ε 2 these bits are equal. Further assume that conditioned on the event SA = SB no polynomial time bounded algorithm can predict the bit better tha ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
Assume that Alice and Bob, given an authentic channel, have a protocol where they end up with a bit SA and SB, respectively, such that with probability 1+ε 2 these bits are equal. Further assume that conditioned on the event SA = SB no polynomial time bounded algorithm can predict the bit better than with probability 1 − δ. Is it possible to 2 obtain key agreement from such a primitive? We show that for constant δ and ε the answer is yes if and only if δ> 1−ε 1+ε, both for uniform and nonuniform adversaries. The main computational technique used in this paper is a strengthening of Impagliazzo’s hardcore lemma to the uniform case and to a set size parameter which is tight (i.e., twice the original size). This may be of independent interest.
On hardness amplification of oneway functions
 In Proc. 2nd TCC
, 2005
"... Abstract. We continue the study of the efficiency of blackbox reductions in cryptography. We focus on the question of constructing strong oneway functions (respectively, permutations) from weak oneway functions (respectively, permutations). To make our impossibility results stronger, we focus on ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
Abstract. We continue the study of the efficiency of blackbox reductions in cryptography. We focus on the question of constructing strong oneway functions (respectively, permutations) from weak oneway functions (respectively, permutations). To make our impossibility results stronger, we focus on the weakest type of constructions: those that start from a weak oneway permutation and define a strong oneway function. We show that for every “fully blackbox ” construction of a ɛ(n)secure function based on a (1 − δ(n))secure permutation, if q(n) is the number of oracle queries used in the construction and ℓ(n) is the input length of the new function, then we have q ≥ Ω ( 1 1 · log) and ℓ ≥ n + Ω(log 1/ɛ) − δ ɛ O(log q). This result is proved by showing that fully blackbox reductions of strong to weak oneway functions imply the existence of “hitters ” and then by applying known lower bounds for hitters. We also show a sort of reverse connection, and we revisit the construction of Goldreich et al. (FOCS 1990) in terms of this reverse connection. Finally, we prove that any “weakly blackbox ” construction with parameters q(n) and ℓ(n) better than the above lower bounds implies the unconditional existence of strong oneway functions (and, therefore, the existence of a weakly blackbox construction with q(n) = 0). This result, like the one for fully blackbox reductions, is proved by reasoning about the function defined by such a construction when using the identity permutation as an oracle. 1
About MachineReadable Travel Documents
"... Abstract. Passports are documents that help immigration officers to identify people. In order to strongly authenticate their data and to automatically identify people, they are now equipped with RFID chips. These contain private information, biometrics, and a digital signature by issuing authorities ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. Passports are documents that help immigration officers to identify people. In order to strongly authenticate their data and to automatically identify people, they are now equipped with RFID chips. These contain private information, biometrics, and a digital signature by issuing authorities. Although they substantially increase security at the border controls, they also come with new security and privacy issues. In this paper, we survey existing protocols and their weaknesses. 1
On the Power of Random Oracles
, 2012
"... In the random oracle model, the parties are given oracle access to a random member of a (typically huge) function family, and are assumed to have unbounded computational power (though they can only make a bounded number of oracle queries). This model provides powerful properties that allow proving t ..."
Abstract
 Add to MetaCart
In the random oracle model, the parties are given oracle access to a random member of a (typically huge) function family, and are assumed to have unbounded computational power (though they can only make a bounded number of oracle queries). This model provides powerful properties that allow proving the security of many protocols, even such that cannot be proved secure in the standard model (under any hardness assumption). The random oracle model is also used to show that a given cryptographic primitive cannot be used in a blackbox way to construct another primitive; in their seminal work, Impagliazzo and Rudich [STOC ’89] showed that in the random function model – when the function family is the set of all functions – it is impossible to construct (secure) keyagreement protocols, yielding that keyagreement cannot be blackbox reduced to oneway functions. Their work has a long line of followup works (Simon [EC ’98], Gertner et al. [STOC ’00] and Gennaro et al. [SICOMP ’05], to name a few), showing that given oracle access to a certain type of function family (e.g., the family that “implements ” publickey encryption) is not sufficient for building a given cryptographic primitive (e.g., oblivious transfer). Yet, in the more general sense, the following fundamental question remained open: What is the exact power of the random oracle model, and more specifically, of the random function model? We make progress towards answering the above question, showing that any (no private input) semihonest twoparty functionality that can be securely implemented in the random function model, can be securely implemented information theoretically (where parties are assumed to be all powerful, and no oracle is given). We further generalize the above result to function families that provide some natural combinatorial property. To exhibit the power of our result, we use the recent information theoretic impossibility result of McGregor et al. [FOCS ’10], to show the existence of functionalities (e.g., inner product) that cannot be computed both accurately and in a differentially private manner in the random function model; yielding that protocols for computing these functionalities cannot be blackbox reduced to the existence of oneway functions.
Limits on the Usefulness of Random Oracles
, 2013
"... In the random oracle model, parties are given oracle access to a random function (i.e., a uniformly chosen function from the set of all functions), and are assumed to have unbounded computational power (though they can only make a bounded number of oracle queries). This model provides powerful prope ..."
Abstract
 Add to MetaCart
In the random oracle model, parties are given oracle access to a random function (i.e., a uniformly chosen function from the set of all functions), and are assumed to have unbounded computational power (though they can only make a bounded number of oracle queries). This model provides powerful properties that allow proving the security of many protocols, even such that cannot be proved secure in the standard model (under any hardness assumption). The random oracle model is also used for showing that a given cryptographic primitive cannot be used in a blackbox way to construct another primitive; in their seminal work, Impagliazzo and Rudich [STOC ’89] showed that no keyagreement protocol exists in the random oracle model, yielding that keyagreement cannot be blackbox reduced to oneway functions. Their work has a long line of followup works (Simon [EC ’98], Gertner et al. [STOC ’00] and Gennaro et al. [SICOMP ’05], to name a few), showing that given oracle access to a certain type of function family (e.g., the family that “implements ” publickey encryption) is not sufficient for building a given cryptographic primitive (e.g., oblivious transfer). Yet, the following question remained open: