Results 1  10
of
21
Lower bounds on the Efficiency of Generic Cryptographic Constructions
 41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE
, 2000
"... A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we ..."
Abstract

Cited by 61 (6 self)
 Add to MetaCart
A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentiallytight lower bounds on the best possible efficiency of any blackbox construction of some fundamental cryptographic tools from the most basic and widelyused cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal oneway hash functions, and digital signatures based on oneway permutations, as well as constructions of public and privatekey encryption schemes based on trapdoor permutations. In each case, we show that any blackbox construction beating our efficiency bound would yield the unconditional existence of a oneway function and thus, in particular, prove P = NP. 1
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statisticallyhiding commitments
 In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science
, 2007
"... We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fullyblackbox construction of a statisticallyhiding commitment scheme from oneway permutations, and even from trapdoor permutations. This lower bound matches th ..."
Abstract

Cited by 33 (11 self)
 Add to MetaCart
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fullyblackbox construction of a statisticallyhiding commitment scheme from oneway permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statisticallyhiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as singleserver private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collisionfinding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ‘00). In both cases, our extensions are quite delicate and may be found useful in proving additional blackbox separation results.
ChosenCiphertext Security via Correlated Products
"... We initiate the study of onewayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (x1,..., xk), so that the function (f(x1),..., f(xk)) is oneway. The main motivation of this study is the construction o ..."
Abstract

Cited by 27 (3 self)
 Add to MetaCart
We initiate the study of onewayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (x1,..., xk), so that the function (f(x1),..., f(xk)) is oneway. The main motivation of this study is the construction of publickey encryption schemes that are secure against chosenciphertext attacks (CCA). We show that any collection of injective trapdoor functions that is secure under very natural correlated products can be used to construct a CCAsecure publickey encryption scheme. The construction is simple, blackbox, and admits a direct proof of security. We provide evidence that security under correlated products is achievable by demonstrating that any collection of lossy trapdoor functions, a powerful primitive introduced by Peikert and Waters (STOC ’08), yields a collection of injective trapdoor functions that is secure under the above mentioned natural correlated products. Although we eventually base security under correlated products on lossy trapdoor functions, we argue that the former notion is potentially weaker as a general assumption. Specifically, there is no fullyblackbox construction of lossy trapdoor functions from trapdoor functions that are secure under correlated products.
On the (Im)Possibility of Key Dependent Encryption
"... We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)wise independent hashfunctions. There exists no fullyblackbox reduct ..."
Abstract

Cited by 22 (1 self)
 Add to MetaCart
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)wise independent hashfunctions. There exists no fullyblackbox reduction from an encryption scheme secure against keydependent inputs to oneway permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H. • Let G be the family of polynomial sized circuits. There exists no reduction from an encryption scheme secure against keydependent inputs to, seemingly, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for g ∈ G, as long as the reduction’s proof of security treats both the adversary and the function g as black box. Keywords: Keydependent input security, blackbox separation 1
Hash Functions: From MerkleDamgård to Shoup
 EUROCRYPT
, 2001
"... In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal oneway hash functions and collisionresistant functions. For some of these c ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal oneway hash functions and collisionresistant functions. For some of these classes efficient (yielding short keys) composite schemes exist. Second, we prove that the schedule of the Shoup construction, which is the most efficient composition scheme for universal oneway hash functions known so far, is optimal.
Efficient Cryptographic Protocols Preventing “ManintheMiddle” Attacks
 COLUMBIA UNIVERSITY
, 2002
"... In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “maninthemiddle ” attacks) in which — in addition to eavesdropping — the adversary ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “maninthemiddle ” attacks) in which — in addition to eavesdropping — the adversary inserts, deletes, or arbitrarily modifies messages sent from one user to another. Passive attacks are well characterized (the adversary’s choices are inherently limited) and techniques for achieving security against passive attacks are relatively well understood. Indeed, cryptographers have long focused on methods for countering passive eavesdropping attacks, and much work in the 1970’s and 1980’s has dealt with formalizing notions of security and providing provablysecure solutions for this setting. On the other hand, active attacks are not well characterized and precise modeling has been difficult. Few techniques exist for dealing with active attacks, and designing practical protocols secure against such attacks remains a challenge. This dissertation considers active attacks in a variety of settings and provides new, provablysecure protocols preventing such attacks. Proofs of security are in the standard cryptographic model and rely on wellknown cryptographic assumptions. The protocols presented here are efficient and
Lower Bounds on Signatures From Symmetric Primitives
, 2008
"... We show that every construction of onetime signature schemes from a random oracle achieves blackbox security at most 2 (1+o(1))q, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability ..."
Abstract

Cited by 10 (4 self)
 Add to MetaCart
We show that every construction of onetime signature schemes from a random oracle achieves blackbox security at most 2 (1+o(1))q, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making 2 (1+o(1))q queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport’s onetime signatures (Lamport ’79) achieves 2 (0.812−o(1))q blackbox security using q queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and idealcipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is blackbox. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives. 1
Blackbox composition does not imply adaptive security
 In Advances in Cryptology — EUROCRYPT ’04, volume 3027 of LNCS
, 2004
"... Abstract. In trying to provide formal evidence that composition has security increasing properties, we ask if the composition of nonadaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are nonadaptively ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
Abstract. In trying to provide formal evidence that composition has security increasing properties, we ask if the composition of nonadaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are nonadaptively secure permutation generators, but where the composition of such generators fail to achieve security against adaptive adversaries. Thus, any proof of security for such a construction would need to be nonrelativizing. This result can be used to partially justify the lack of formal evidence we have that composition increases security, even though it is a belief shared by many cryptographers. 1
Bounds on the efficiency of “blackbox” commitment schemes
 32nd ICALP
, 2005
"... Constructions of cryptographic primitives based on general assumptions (e.g., oneway functions) tend to be less efficient than constructions based on specific (e.g., numbertheoretic) assumptions. This has prompted a recent line of research aimed at investigating the best possible efficiency of (bl ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
Constructions of cryptographic primitives based on general assumptions (e.g., oneway functions) tend to be less efficient than constructions based on specific (e.g., numbertheoretic) assumptions. This has prompted a recent line of research aimed at investigating the best possible efficiency of (blackbox) cryptographic constructions based on general assumptions. Here, we present bounds on the efficiency of statisticallybinding commitment schemes constructed using blackbox access to oneway permutations; our bounds are tight for the case of perfectlybinding schemes. Our bounds hold in an extension of the ImpagliazzoRudich model: we show that any construction beating our bounds would imply the unconditional existence of a oneway function (from which a statisticallybinding commitment scheme could be constructed “from scratch”). Key words: Cryptography, commitment schemes
On the security of paddingbased encryption schemes (or: Why we cannot prove OAEP secure in the standard model)
 IN: EUROCRYPT ’09. LNCS
, 2009
"... We investigate the security of “paddingbased” encryption schemes in the standard model. This class contains all publickey encryption schemes where the encryption algorithm first applies some invertible public transformation to the message (the “padding”), followed by a trapdoor permutation. In par ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
We investigate the security of “paddingbased” encryption schemes in the standard model. This class contains all publickey encryption schemes where the encryption algorithm first applies some invertible public transformation to the message (the “padding”), followed by a trapdoor permutation. In particular, this class contains OAEP and its variants. Our main result is a blackbox impossibility result showing that one cannot prove any such paddingbased scheme chosenciphertext secure even assuming the existence of ideal trapdoor permutations. The latter is a strong ideal abstraction of trapdoor permutations which inherits all security properties of uniform random permutations.