Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 33 (11 self)
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
On the Power of Claw-Free Permutations
Proceedings of SCN 2002, volume 2576 of LNCS, 2002
Cited by 22 (8 self)
Probabilistic Signature Scheme (PSS), Full Domain Hash (FDH) and several of their variants are widely used signature schemes, which can be formally analyzed in the random oracle model. These schemes output a signature of the form , where y somehow depends on the message signed (and pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA.
On hardness amplification of one-way functions
In Proc. 2nd TCC, 2005
Cited by 12 (3 self)
We continue the study of the efficiency of black-box reductions in cryptography. We focus on the question of constructing strong one-way functions (respectively, permutations) from weak one-way functions (respectively, permutations). To make our impossibility results stronger, we focus on the weakest type of constructions: those that start from a weak one-way permutation and define a strong one-way function. We show that for every “fully black-box” construction of an $\epsilon(n)$-secure function based on a $(1 - \delta(n))$-secure permutation, if $q(n)$ is the number of oracle queries used in the construction and $\ell(n)$ is the input length of the new function, then we have $q \geq \Omega\left(\frac{1}{\delta} \cdot \log \frac{1}{\epsilon}\right)$ and $\ell \geq n + \Omega(\log 1/\epsilon) - O(\log q)$. This result is proved by showing that fully black-box reductions of strong to weak one-way functions imply the existence of “hitters” and then by applying known lower bounds for hitters. We also show a sort of reverse connection, and we revisit the construction of Goldreich et al. (FOCS 1990) in terms of this reverse connection. Finally, we prove that any “weakly black-box” construction with parameters $q(n)$ and $\ell(n)$ better than the above lower bounds implies the unconditional existence of strong one-way functions (and, therefore, the existence of a weakly black-box construction with $q(n) = 0$). This result, like the one for fully black-box reductions, is proved by reasoning about the function defined by such a construction when using the identity permutation as an oracle.
Lower Bounds on Signatures From Symmetric Primitives, 2008
Cited by 10 (4 self)
We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where $q$ is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making $2^{(1+o(1))q}$ queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport’s one-time signatures (Lamport ’79) achieves $2^{(0.812-o(1))q}$ black-box security using $q$ queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as a corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.
Black-box composition does not imply adaptive security
In Advances in Cryptology — EUROCRYPT ’04, volume 3027 of LNCS, 2004
Cited by 9 (0 self)
In trying to provide formal evidence that composition has security-increasing properties, we ask if the composition of non-adaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are non-adaptively secure permutation generators, but where the composition of such generators fails to achieve security against adaptive adversaries. Thus, any proof of security for such a construction would need to be non-relativizing. This result can be used to partially justify the lack of formal evidence we have that composition increases security, even though it is a belief shared by many cryptographers.
A linear lower bound on the communication complexity of single-server private information retrieval (preliminary title)
In preparation, 2008
Cited by 5 (2 self)
We study the communication complexity of single-server Private Information Retrieval (PIR) protocols that are based on fundamental cryptographic primitives in a black-box manner. In this setting, we establish a tight lower bound on the number of bits communicated by the server in any polynomially-preserving construction that relies on trapdoor permutations. More specifically, our main result states that in such constructions Ω(n) bits must be communicated by the server, where n is the size of the server’s database. Therefore, in the very natural setting under consideration, the naive solution in which the user downloads the entire database turns out to be optimal up to constant multiplicative factors. Moreover, while single-server PIR protocols with polylogarithmic communication complexity were shown to exist based on specific number-theoretic assumptions, the lower bound we provide identifies a substantial gap between black-box and non-black-box constructions of single-server PIR. Technically speaking, this paper consists of two main contributions from which our lower bound is obtained. First, we derive a tight lower bound on the number of bits communicated by the sender during the commit stage of any black-box construction of a statistically-hiding commitment scheme from a family of trapdoor permutations. This lower bound asymptotically matches the upper bound provided by the scheme of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). Second, we significantly improve the efficiency of the well-known reduction of statistically-hiding commitment schemes to non-trivial single-server PIR, due to Beimel, Ishai, Kushilevitz and Malkin (STOC ’99). In particular, we present a reduction that essentially preserves both the communication complexity and the round complexity of the underlying single-server PIR protocol.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups
Cited by 5 (0 self)
Structure-preserving signatures are signatures defined over bilinear groups that rely on generic group operations. In particular, the messages and signatures consist of group elements and the verification of signatures consists of evaluating pairing product equations. Due to their purist nature, structure-preserving signatures blend well with other pairing-based protocols. We show that structure-preserving signatures must consist of at least 3 group elements when the signer uses generic group operations. Usually, the generic group model is used to rule out classes of attacks by an adversary trying to break a cryptographic assumption. In contrast, here we use the generic group model to prove a lower bound on the complexity of digital signature schemes. We also give constructions of structure-preserving signatures that consist of 3 group elements only. This improves significantly on previous structure-preserving signatures that used 7 group elements and matches our lower bound. Our structure-preserving signatures have additional nice properties such as strong existential unforgeability and can sign multiple group elements at once.
Keywords: Structure-Preservation, Digital Signatures, Generic Group Model.
New Perspectives on the Complexity of Computational Learning, and Other Problems in Theoretical Computer Science, 2009
Cited by 1 (0 self)
In this thesis we present the following results.
• Learning theory, and in particular PAC learning, was introduced by Valiant [CACM 1984] and has since become a major area of research in theoretical and applied computer science. One natural question that was posed at the very inception of the field is whether there are classes of functions that are hard to learn. PAC learning is hard under widely held conjectures such as the existence of one-way functions, and on the other hand it is known that if PAC learning is hard then P ≠ NP. We further study sufficient and necessary conditions for PAC learning to be hard, and we prove that:
1. ZK ≠ BPP implies that PAC learning is hard.
2. It is unlikely using standard techniques that one can prove that PAC learning is hard implies that ZK ≠ BPP.
3. It is unlikely using standard techniques that one can prove that P ≠ NP implies that ZK ≠ BPP.
Black Boxes, Incorporated, 2012
The term “Black Box” often refers to a device whose functionality we understand, but whose inner workings we don’t, or choose to ignore. This term appears a lot in a large variety of contexts within theoretical computer science, and happens to be extremely convenient to capture computations with restricted knowledge about or access to certain information. In its most basic form, a black box (also called an oracle) encodes a function f, to which the computation may issue a query x and get the response f(x). We have no knowledge of (or interest in) the implementation of f in the black box – indeed, f itself may be computationally hard or even not computable. From a programming perspective, this viewpoint is convenient when solving a problem using a subroutine for f that someone else has implemented and we are given its input-output specification only. This simple idea is of wide use in almost any large software development project, as well as in algorithm design. From a theoretical perspective, the ability to efficiently solve a given computational problem g using an oracle to f may constitute a reduction
Studies in the Efficiency and (versus) Security of Cryptographic Tasks
In this thesis, we deal with the following questions: (1) How efficient can a cryptographic algorithm be while achieving a desired level of security? (2) Since mathematical conjectures like P ≠ NP are necessary for the possibility of secure cryptographic primitives in the standard models of computation: (a) Can we base cryptography solely on the widely believed assumption of P ≠ NP, or do we need stronger assumptions? (b) Which alternative non-standard models offer us provable security unconditionally, while being implementable in real life? First we study the question of security vs. efficiency in public-key cryptography and prove tight bounds on the efficiency of black-box constructions of key-agreement and (public-key) digital signatures that achieve a desired level of security using “random-like” functions. Namely, we prove that any key-agreement protocol in the random oracle model where the parties ask at most $n$ oracle queries can be broken by an adversary who asks at most $O(n^2)$ oracle queries and finds the key with high probability. This improves upon the previous $\tilde{O}(n^6)$-query attack of Impagliazzo and Rudich [98] and proves that a simple key-agreement protocol due to Merkle [118] is optimal. We also prove that any signature scheme in the