Results 1 - 10 of 12
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 42 (13 self)
Abstract: We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
Towards a separation of semantic and CCA security for public key encryption
Cryptology ePrint Archive, 2006
Cited by 24 (2 self)
Abstract: We address the question of whether or not semantically secure public-key encryption primitives imply the existence of chosen ciphertext attack (CCA) secure primitives. We show a black-box separation, following the methodology introduced by Impagliazzo and Rudich [23], for a large non-trivial class of constructions. In particular, we show that if the proposed CCA construction’s decryption algorithm does not query the semantically secure primitive’s encryption algorithm, then the proposed construction cannot be CCA secure.
On the Power of Claw-Free Permutations
Proceedings of SCN 2002, volume 2576 of LNCS, 2002
Cited by 23 (8 self)
Abstract: Probabilistic Signature Scheme (PSS), Full Domain Hash (FDH) and several of their variants are widely used signature schemes, which can be formally analyzed in the random oracle model. These schemes output a signature of the form , where y somehow depends on the message signed (and pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups
Cited by 21 (4 self)
Abstract: Structure-preserving signatures are signatures defined over bilinear groups that rely on generic group operations. In particular, the messages and signatures consist of group elements and the verification of signatures consists of evaluating pairing product equations. Due to their purist nature, structure-preserving signatures blend well with other pairing-based protocols. We show that structure-preserving signatures must consist of at least 3 group elements when the signer uses generic group operations. Usually, the generic group model is used to rule out classes of attacks by an adversary trying to break a cryptographic assumption. In contrast, here we use the generic group model to prove a lower bound on the complexity of digital signature schemes. We also give constructions of structure-preserving signatures that consist of 3 group elements only. This improves significantly on previous structure-preserving signatures that used 7 group elements and matches our lower bound. Our structure-preserving signatures have additional nice properties such as strong existential unforgeability and can sign multiple group elements at once. Keywords: Structure-Preservation, Digital Signatures, Generic Group Model.
Lower Bounds on Signatures From Symmetric Primitives
2008
Cited by 18 (6 self)
Abstract: We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most 2^{(1+o(1))q}, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making 2^{(1+o(1))q} queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport’s one-time signatures (Lamport ’79) achieves 2^{(0.812−o(1))q} black-box security using q queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random-permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as a corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.
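To make the query count q in the abstract above concrete, here is an added example (not code from the paper) of the textbook Lamport one-time signature built over a query-counting oracle. It assumes SHA-256 standing in for the random oracle, 32-byte secrets, and that the m-bit message is signed directly rather than hashed first, so key generation costs 2m queries, signing none and verification m, giving q = 3m for this construction. It also shows the failure mode that makes the scheme strictly one-time: two signatures under one key leak enough preimages to assemble a forgery for a third message.

```python
"""Lamport one-time signatures over a query-counting oracle.

Added example, not code from the cited paper. SHA-256 stands in for the
random oracle (an assumption); every call is counted so q = queries made by
keygen + sign + verify is visible. Messages are m raw bits (not hashed first).
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

Key = List[List[bytes]]  # Key[i][b]: value for bit position i, bit value b


class CountingOracle:
    """SHA-256 wrapped so that each query is counted."""

    def __init__(self) -> None:
        self.queries = 0

    def __call__(self, data: bytes) -> bytes:
        self.queries += 1
        return hashlib.sha256(data).digest()


def keygen(H: CountingOracle, m: int) -> Tuple[Key, Key]:
    """Secret key: 2m random strings. Public key: their images (2m queries)."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(m)]
    pk = [[H(x0), H(x1)] for x0, x1 in sk]
    return sk, pk


def sign(sk: Key, bits: List[int]) -> List[bytes]:
    """Reveal one preimage per message bit. Makes no oracle queries."""
    if len(bits) != len(sk) or any(b not in (0, 1) for b in bits):
        raise ValueError("message must be exactly m bits of 0/1")
    return [sk[i][b] for i, b in enumerate(bits)]


def verify(H: CountingOracle, pk: Key, bits: List[int], sig: List[bytes]) -> bool:
    """Hash each revealed preimage and compare (m queries on a valid signature)."""
    if len(bits) != len(pk) or len(sig) != len(pk):
        return False
    return all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))


def query_count(m: int) -> int:
    """q for this construction: 2m (keygen) + 0 (sign) + m (verify) = 3m."""
    return 3 * m


def forge_after_reuse(pairs: List[Tuple[List[int], List[bytes]]],
                      target: List[int]) -> Optional[List[bytes]]:
    """Why the scheme is one-time: each (message, signature) pair leaks the
    preimage at (position, bit). If every (i, target[i]) was leaked by some
    earlier signature, the forger needs no oracle query at all."""
    leaked: Dict[Tuple[int, int], bytes] = {}
    for bits, sig in pairs:
        for i, (b, s) in enumerate(zip(bits, sig)):
            leaked[(i, b)] = s
    try:
        return [leaked[(i, b)] for i, b in enumerate(target)]
    except KeyError:
        return None


if __name__ == "__main__":
    H = CountingOracle()
    m = 8
    sk, pk = keygen(H, m)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    sig = sign(sk, msg)
    print("valid:", verify(H, pk, msg, sig), "queries so far:", H.queries)
    # Key reuse: all-zeros and all-ones messages leak every preimage.
    s0, s1 = sign(sk, [0] * m), sign(sk, [1] * m)
    forged = forge_after_reuse([([0] * m, s0), ([1] * m, s1)], msg)
    print("forgery verifies:", forged is not None and verify(H, pk, msg, forged))
```

The counter only ticks on oracle calls, so a forged signature assembled from leaked preimages verifies without the forger ever querying H; the paper's 2^{(1+o(1))q} bound concerns the honest-key, single-signature setting, where the attacker must instead search the oracle.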
On hardness amplification of one-way functions
In Proc. 2nd TCC, 2005
Cited by 15 (4 self)
Abstract: We continue the study of the efficiency of black-box reductions in cryptography. We focus on the question of constructing strong one-way functions (respectively, permutations) from weak one-way functions (respectively, permutations). To make our impossibility results stronger, we focus on the weakest type of constructions: those that start from a weak one-way permutation and define a strong one-way function. We show that for every “fully black-box” construction of an ɛ(n)-secure function based on a (1 − δ(n))-secure permutation, if q(n) is the number of oracle queries used in the construction and ℓ(n) is the input length of the new function, then we have q ≥ Ω((1/δ) · log(1/ɛ)) and ℓ ≥ n + Ω(log 1/ɛ) − O(log q). This result is proved by showing that fully black-box reductions of strong to weak one-way functions imply the existence of “hitters” and then by applying known lower bounds for hitters. We also show a sort of reverse connection, and we revisit the construction of Goldreich et al. (FOCS 1990) in terms of this reverse connection. Finally, we prove that any “weakly black-box” construction with parameters q(n) and ℓ(n) better than the above lower bounds implies the unconditional existence of strong one-way functions (and, therefore, the existence of a weakly black-box construction with q(n) = 0). This result, like the one for fully black-box reductions, is proved by reasoning about the function defined by such a construction when using the identity permutation as an oracle.
On the impossibility of basing identity based encryption on trapdoor permutations
In FOCS, 2008
Cited by 11 (1 self)
Abstract: We ask whether an Identity Based Encryption (IBE) system can be built from simpler public-key primitives. We show that there is no black-box construction of IBE from Trapdoor Permutations (TDP) or even from Chosen Ciphertext Secure Public Key Encryption (CCA-PKE). These black-box separation results are based on an essential property of IBE, namely that an IBE system is able to compress exponentially many public keys into a short public parameters string.
Black-box composition does not imply adaptive security
In EUROCRYPT, 2004
Cited by 8 (0 self)
Abstract: In trying to provide formal evidence that composition has security-increasing properties, we ask if the composition of non-adaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are non-adaptively secure permutation generators, but where the composition of such generators fails to achieve security against adaptive adversaries. Thus, any proof of security for such a construction would need to be non-relativizing. This result can be used to partially justify the lack of formal evidence we have that composition increases security, even though it is a belief shared by many cryptographers.
A linear lower bound on the communication complexity of single-server private information retrieval
In preparation, 2008
Cited by 6 (3 self)
Abstract: We study the communication complexity of single-server Private Information Retrieval (PIR) protocols that are based on fundamental cryptographic primitives in a black-box manner. In this setting, we establish a tight lower bound on the number of bits communicated by the server in any polynomially-preserving construction that relies on trapdoor permutations. More specifically, our main result states that in such constructions Ω(n) bits must be communicated by the server, where n is the size of the server’s database. Therefore, in the very natural setting under consideration, the naive solution in which the user downloads the entire database turns out to be optimal up to constant multiplicative factors. Moreover, while single-server PIR protocols with polylogarithmic communication complexity were shown to exist based on specific number-theoretic assumptions, the lower bound we provide identifies a substantial gap between black-box and non-black-box constructions of single-server PIR. Technically speaking, this paper consists of two main contributions from which our lower bound is obtained. First, we derive a tight lower bound on the number of bits communicated by the sender during the commit stage of any black-box construction of a statistically-hiding commitment scheme from a family of trapdoor permutations. This lower bound asymptotically matches the upper bound provided by the scheme of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). Second, we significantly improve the efficiency of the well-known reduction of statistically-hiding commitment schemes to non-trivial single-server PIR, due to Beimel, Ishai, Kushilevitz and Malkin (STOC ’99). In particular, we present a reduction that essentially preserves both the communication complexity and the round complexity of the underlying single-server PIR protocol.
New Perspectives on the Complexity of Computational Learning, and Other Problems in Theoretical Computer Science
2009
Cited by 2 (0 self)
Abstract: In this thesis we present the following results.
• Learning theory, and in particular PAC learning, was introduced by Valiant [CACM 1984] and has since become a major area of research in theoretical and applied computer science. One natural question that was posed at the very inception of the field is whether there are classes of functions that are hard to learn. PAC learning is hard under widely held conjectures such as the existence of one-way functions, and on the other hand it is known that if PAC learning is hard then P ≠ NP. We further study sufficient and necessary conditions for PAC learning to be hard, and we prove that:
  1. ZK ≠ BPP implies that PAC learning is hard.
  2. It is unlikely, using standard techniques, that one can prove that PAC learning being hard implies ZK ≠ BPP.
  3. It is unlikely, using standard techniques, that one can prove that P ≠ NP implies ZK ≠ BPP.