## Lossy Trapdoor Functions and Their Applications (2007)

Citations: | 125 - 21 self |

### Citations

3888 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978 |

3531 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...ity) [44, 52, 23]. Trapdoor functions, which (informally) are hard to invert unless one possesses some secret ‘trapdoor’ information, conceptually date back to the seminal paper of Diffie and Hellman [21] and were first realized in the RSA function of Rivest, Shamir, and Adleman [55]. Chosen-ciphertext security, which (again informally) guarantees confidentiality of encrypted messages even in the pres... |

1637 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ...message under the retrieved randomness, and comparing the result to the original ciphertext. Until now, witness-recovering CCA-secure cryptosystems were known to exist only in the random oracle model [8, 27]. Our approach has two main benefits: first, the cryptosystem uses its underlying primitive (lossy TDFs) as a “black-box,” making it more efficient and technically simpler than those that follow the g... |

1379 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ...cally demonstrated via indistinguishability arguments over a scheme’s public key, as opposed to its outputs. For encryption, this style of argument goes back to the seminal work of Goldwasser and Micali [35], and recently has been identified as an important notion (called “message-lossy” [49] or “meaningful/meaningless” [40] encryption) in its own right. The style is inherent to cryptosystems based on la... |

1127 | Identity-based cryptosystems and signature schemes
- Shamir
- 1985
Citation Context ...ut messages encrypted under the lossy key are statistically hidden. Another interesting comparison is to the techniques used to construct CCA-secure cryptosystems from identity-based encryption (IBE) [60] that were introduced by Canetti, Halevi, and Katz [17] and improved in later work [15, 16, 14]. Our construction and simulation share some techniques with these works, but also differ in important wa... |

1006 | Public-Key Cryptosystems Based on Composite Degree Residue Classes
- Paillier
- 1999
Citation Context ... Fehr, and O’Neill [12] independently have described simple, compact constructions of lossy and ABO TDFs under the decisional composite residuosity assumption, using the trapdoor function of Paillier [45]. (The preliminary version of this work [50] constructed somewhat more complex lossy and ABO TDFs under a variant of Paillier’s assumption.) Boldyreva et al. [12] have constructed CCA-secure determini... |

858 | A pseudorandom generator from any one-way function
- Håstad, Impagliazzo, et al.
- 1999
Citation Context ...age must be essentially the same if f is replaced with a lossy function f′. In this case, the value of x is statistically well-hidden given f′(x). By a suitable version of the leftover hash lemma [37, 22], h is a strong randomness extractor, so it follows that h(x) is statistically close to uniform over {0, 1}^ℓ given f′(x) and h. Therefore, even an unbounded adversary has negligible distinguishing ... |

656 | How to generate cryptographically strong sequences of pseudo-random bits
- Blum, Micali
- 1984
Citation Context ...distinguishable from G(x), where x ← {0, 1}^n is chosen uniformly at random. Hard-core predicates (and hard-core functions) have played an integral role in the construction of pseudorandom generators [11, 62, 37]. In particular, Håstad et al. [37] constructed pseudorandom generators from any one-way function; their construction is much simpler (and the security reduction is tighter) when the one-way function... |

630 | How to play any mental game or a completeness theorem for protocols with honest majority
- Goldreich, Micali, et al.
- 1987
Citation Context ...tors, collision-resistant hash functions, and oblivious transfer (OT) protocols, in a black-box manner and with simple and tight security reductions. Using standard (but non-black box) transformations [34, 35], our OT protocols additionally imply general secure multiparty computation for malicious adversaries. 1.1 Trapdoor Functions and Witness-Recovering Decryption Trapdoor functions are certainly a power... |

594 | A randomized protocol for signing contracts
- Even, Goldreich, et al.
- 1985
Citation Context ...ed in the context of trapdoor functions or chosen-ciphertext security. The present approach can be contrasted with the (1-out-of-2) oblivious transfer (OT) construction of Even, Goldreich, and Lempel [25]. They construct (semi-honest) oblivious transfer protocols from any public key cryptosystem in which a public key can be sampled ‘obliviously,’ i.e., without knowing a corresponding decryption key. I... |

535 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...n the standard model) based on all the types of assumptions described above. Using NIZK proofs, CCA-secure cryptosystems have been constructed based on problems related to factoring and discrete logs [44, 23, 57, 19, 20], but not lattices. For trapdoor functions, the state of the art is even less satisfactory: though TDFs are widely viewed as a general primitive, they have so far been realized only from problems rela... |

535 | Fuzzy extractors: How to generate strong keys from biometrics and other noisy data
- Dodis, Ostrovsky, et al.
- 2008
Citation Context ...age must be essentially the same if f is replaced with a lossy function f′. In this case, the value of x is statistically well-hidden given f′(x). By a suitable version of the leftover hash lemma [38, 22], h is a strong randomness extractor, so it follows that h(x) is statistically close to uniform over {0, 1}^ℓ given f′(x) and h. Therefore, even an unbounded adversary has negligible distinguishing ... |

439 | A Hard Predicate for All One-way Functions
- Goldreich, Levin
- 1989
Citation Context ... imply standard injective TDFs, we can construct a CPA-secure cryptosystem by standard techniques. For instance, a well-known folklore construction uses the generic Goldreich-Levin hard-core predicate [32] for f(x) to conceal a message bit, and uses the trapdoor in decryption to invert f and recover the bit. However, it is instructive (and a useful warm-up for our CCA-secure construction) to see that l... |

417 | New Hash Functions and Their Use in Authentication and Set
- Wegman, Carter
- 1981
Citation Context ...i : D → R} from a domain D to range R is said to be universal if, for every distinct x, x′ ∈ D, Pr_{h←H}[h(x) = h(x′)] = 1/|R|. Universal hash functions admit very simple and efficient constructions [61].) Lemma 2.3 ([22, Lemma 2.4]). Let X, Y be random variables such that X ∈ {0, 1}^n and H̃_∞(X|Y) ≥ k. Let H be a family of universal hash functions from {0, 1}^n to {0, 1}^ℓ, where ℓ ≤ k − 2 lg(1/ɛ... |

380 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1991
Citation Context ...pollinate and advance cryptography as a whole. In public-key cryptography in particular, two important notions are trapdoor functions (TDFs) and security under chosen ciphertext attack (CCA security) [44, 52, 23]. Trapdoor functions, which (informally) are hard to invert unless one possesses some secret ‘trapdoor’ information, conceptually date back to the seminal paper of Diffie and Hellman [21] and were fir... |

361 | Digitalized signatures and public key functions as intractable as factoring
- Rabin
- 1979
Citation Context ...s. For trapdoor functions, the state of the art is even less satisfactory: though TDFs are widely viewed as a general primitive, they have so far been realized only from problems related to factoring [55, 51, 45]. In this paper, we make the following contributions: • We introduce a new general primitive called lossy trapdoor functions, and give realizations based on the conjectured hardness of the decisional ... |

361 | On Lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2009
Citation Context ...nefficient, as they are inherently non-black-box and require NIZK proofs for general NP statements. Second, while CPA-secure public key cryptosystems based on worst-case lattice assumptions are known [2, 53, 54], there are still no known CCA-secure systems, because it is unknown how to realize NIZKs for all of NP (or even for appropriate specific lattice problems) under such assumptions. 1.2 The Power of Los... |

284 | Public-key cryptosystems provably secure against chosen ciphertext attacks - Naor, Yung - 1990 |

279 | Chosen-ciphertext security from identity-based encryption
- Boneh, Canetti, et al.
Citation Context ... comparison is to the techniques used to construct CCA-secure cryptosystems from identity-based encryption (IBE) [60] that were introduced by Canetti, Halevi, and Katz [17] and improved in later work [15, 16, 14]. Our construction and simulation share some techniques with these works, but also differ in important ways. In the constructions based on IBE, the simulator is able to acquire secret keys for all ide... |

246 | A public-key cryptosystem with worst case/average case equivalence - Ajtai, Dwork - 1997 |

237 | The decisional Diffie-Hellman problem.
- Boneh
- 1998
Citation Context ...ific number-theoretic problems. 2 We also note that while NIZK proofs for certain lattice problems are known [48], they do not appear to suffice for CCA security. the decisional Diffie-Hellman (DDH) [13] and decisional composite residuosity [45] problems. However, the NIZK approach has two significant drawbacks. First, the constructions from general assumptions are inefficient, as they are inherently... |

231 | Efficient oblivious transfer protocols. - Naor, Pinkas - 2001 |

214 | Robust Noninteractive Zero Knowledge
- Santis, Crescenzo, et al.
- 2001
Citation Context ...all rely upon the particular algebraic properties of the functions. For CCA security, the main construction paradigm in the existing literature relies upon noninteractive zero-knowledge (NIZK) proofs [10, 26] (either for general NP statements or for specific number-theoretic problems). Such proofs allow the decryption algorithm to check that a ciphertext is ‘well-formed,’ and (informally speaking) force t... |

209 | A sieve algorithm for the shortest lattice vector problem
- Ajtai, Kumar, et al.
Citation Context ...nd GapSVP problems appear to be quite hard in the worst case (even for quantum algorithms): to obtain a poly(d) approximation factor, known algorithms require time and space that are exponential in d [4]; known polynomial-time algorithms obtain approximation factors that are only slightly subexponential in d [41, 58]. We define our lossy and ABO functions in terms of the LWE problem, without explicit... |

192 | Generating hard instances of lattice problems.
- Ajtai
- 2004
Citation Context ... 23, 57]. 1 Second, it yields the first known CCA-secure cryptosystem based entirely on (worst-case) lattice assumptions, resolving a problem that has remained open since the pioneering work of Ajtai [1] and Ajtai and Dwork [2]. 2 • We further demonstrate the utility of lossy TDFs by constructing pseudorandom generators, collision-resistant hash functions, and oblivious transfer (OT) protocols, in a b... |

188 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption
- Cramer, Shoup
- 2002
Citation Context ...n the standard model) based on all the types of assumptions described above. Using NIZK proofs, CCA-secure cryptosystems have been constructed based on problems related to factoring and discrete logs [44, 23, 57, 19, 20], but not lattices. For trapdoor functions, the state of the art is even less satisfactory: though TDFs are widely viewed as a general primitive, they have so far been realized only from problems rela... |

184 | Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security
- Sahai
- 1999
Citation Context ...n the standard model) based on all the types of assumptions described above. Using NIZK proofs, CCA-secure cryptosystems have been constructed based on problems related to factoring and discrete logs [47, 23, 60, 19, 20], but not lattices. For trapdoor functions, the state of the art is even less satisfactory: though TDFs are widely viewed as a general primitive, they have so far been realized only from problems rela... |

183 | Multiple Non-Interactive Zero-Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999
Citation Context ...all rely upon the particular algebraic properties of the functions. For CCA security, the main construction paradigm in the existing literature relies upon noninteractive zero-knowledge (NIZK) proofs [10, 26] (either for general NP statements or for specific number-theoretic problems). Such proofs allow the decryption algorithm to check that a ciphertext is ‘well-formed,’ and (informally speaking) force t... |

165 | Noise-tolerant learning, the parity problem, and the statistical query model.
- Blum, Kalai, et al.
- 2003
Citation Context ...i larger than 2. 4 The LWE problem can be seen as an average-case bounded-distance decoding problem on a certain natural family of random lattices, and appears to be quite hard (the best known attack [9] requires exponential time and space). Moreover, Regev gave a reduction showing that LWE is indeed hard on the average if standard approximation problems on lattices are hard in the worst case for qua... |

159 | Recent developments in explicit constructions of extractors - Shaltiel - 2002 |

152 | Public-key cryptosystems from the worst-case shortest vector problem
- Peikert
- 2009
Citation Context ... Quantum algorithms are not known to have any advantage over classical algorithms for the worst-case lattice problems in question. In addition, following the initial publication of this work, Peikert [47] has shown that LWE is as hard as certain worst-case lattice problems via a classical reduction. 1.4 Lossy Trapdoors in Context It is informative to consider lossy trapdoors in the context of previous... |

146 | Nonmalleable cryptography
- Dolev, Dwork, Naor
Citation Context ...pollinate and advance cryptography as a whole. In public-key cryptography in particular, two important notions are trapdoor functions (TDFs) and security under chosen ciphertext attack (CCA security) [44, 52, 23]. Trapdoor functions, which (informally) are hard to invert unless one possesses some secret ‘trapdoor’ information, conceptually date back to the seminal paper of Diffie and Hellman [21] and were fir... |

146 | A hierarchy of polynomial time lattice basis reduction algorithm, Theor
- Schnorr
- 1987
Citation Context ...) approximation factor, known algorithms require time and space that are exponential in d [4]; known polynomial-time algorithms obtain approximation factors that are only slightly subexponential in d [41, 58]. We define our lossy and ABO functions in terms of the LWE problem, without explicitly taking into account the connection to lattices (or the hypotheses on the parameters required by Proposition 6.1)... |

142 | Generating hard instances of lattice problems (extended abstract) - Ajtai - 1996 |

137 | How to play any mental game or a completeness theorem for protocols with honest majority
- Goldreich, Micali, Wigderson
- 1987
Citation Context ...tors, collision-resistant hash functions, and oblivious transfer (OT) protocols, in a black-box manner and with simple and tight security reductions. Using standard (but non-black box) transformations [33, 34], our OT protocols additionally imply general secure multiparty computation for malicious adversaries. 1.1 Trapdoor Functions and Witness-Recovering Decryption Trapdoor functions are certainly a power... |

120 | Theory and applications of trapdoor functions (extended abstract).
- Yao
- 1982
Citation Context ...distinguishable from G(x), where x ← {0, 1}^n is chosen uniformly at random. Hard-core predicates (and hard-core functions) have played an integral role in the construction of pseudorandom generators [11, 62, 37]. In particular, Håstad et al. [37] constructed pseudorandom generators from any one-way function; their construction is much simpler (and the security reduction is tighter) when the one-way function... |

119 | A framework for efficient and composable oblivious transfer.
- Peikert, Vaikuntanathan, et al.
- 2008
Citation Context ...pposed to its outputs. For encryption, this style of argument goes back to the seminal work of Goldwasser and Micali [35], and recently has been identified as an important notion (called “message-lossy” [49] or “meaningful/meaningless” [40] encryption) in its own right. The style is inherent to cryptosystems based on lattices [2, 53, 54], but to our knowledge it has never been employed in the context of ... |

94 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, Vaikuntanathan
- 2008
Citation Context ...ion schemes are secure under “selective-opening attacks,” resolving a longstanding open problem. Trapdoors for lattices. Using very different techniques from ours, Gentry, Peikert, and Vaikuntanathan [28] recently constructed two different types of trapdoor functions that are secure under worst-case lattice assumptions. One collection consists of injective functions that can be shown secure under corr... |

89 | Improved efficiency for CCA-secure cryptosystems built using identity-based encryption
- Boneh, Katz
- 2005
Citation Context ... comparison is to the techniques used to construct CCA-secure cryptosystems from identity-based encryption (IBE) [60] that were introduced by Canetti, Halevi, and Katz [17] and improved in later work [15, 16, 14]. Our construction and simulation share some techniques with these works, but also differ in important ways. In the constructions based on IBE, the simulator is able to acquire secret keys for all ide... |

83 | Direct Chosen Ciphertext Security from Identity-Based Techniques
- Boyen, Mei, et al.
- 2005
Citation Context ... comparison is to the techniques used to construct CCA-secure cryptosystems from identity-based encryption (IBE) [60] that were introduced by Canetti, Halevi, and Katz [17] and improved in later work [15, 16, 14]. Our construction and simulation share some techniques with these works, but also differ in important ways. In the constructions based on IBE, the simulator is able to acquire secret keys for all ide... |

65 | Non-Interactive Zero-Knowledge and Its Applications (Extended Abstract) - Blum, Feldman, et al. - 1988 |

65 | Collision-free hashing from lattice problems - Goldreich, Goldwasser, et al. - 1996 |

62 | On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles.
- Boldyreva, Fehr, et al.
- 2008
Citation Context ... concepts. Additional constructions and variations. One area of interest has been in finding additional realizations of lossy trapdoor functions. Rosen and Segev [56] and Boldyreva, Fehr, and O’Neill [12] independently have described simple, compact constructions of lossy and ABO TDFs under the decisional composite residuosity assumption, using the trapdoor function of Paillier [45]. (The preliminary ... |

58 | Possibility and impossibility results for encryption and commitment secure under selective opening.
- Bellare, Hofheinz, et al.
- 2009
Citation Context ...kert, Vaikuntanathan, and Waters [49] have constructed efficient, universally composable oblivious transfer protocols based on certain “message-lossy” encryption schemes. Bellare, Hofheinz, and Yilek [7] proved that message-lossy encryption schemes are secure under “selective-opening attacks,” resolving a longstanding open problem. Trapdoors for lattices. Using very different techniques from ours, Ge... |

57 | New lattice-based cryptographic constructions
- Regev
- 2004
Citation Context ...nefficient, as they are inherently non-black-box and require NIZK proofs for general NP statements. Second, while CPA-secure public key cryptosystems based on worst-case lattice assumptions are known [2, 53, 54], there are still no known CCA-secure systems, because it is unknown how to realize NIZKs for all of NP (or even for appropriate specific lattice problems) under such assumptions. 1.2 The Power of Los... |

55 | Secure hybrid encryption from weakened key encapsulation
- Hofheinz, Kiltz
- 2007
Citation Context ...assumption.) More recently, Freeman, Goldreich, Kiltz, Rosen and Segev [27] produced more constructions of lossy TDFs, from the quadratic residuosity assumption and the family of k-linear assumptions [39, 62] (which are potentially weaker generalizations of the DDH assumption). Boyen and Waters gave a technique to ‘compress’ the public key of our matrix construction down to O(n) group elements in a ‘pairi... |

42 | Chosen-Ciphertext Security via Correlated Products
- Rosen, Segev
- 2009
Citation Context ...n lossy trapdoor functions and related concepts. Additional constructions and variations. One area of interest has been in finding additional realizations of lossy trapdoor functions. Rosen and Segev [56] and Boldyreva, Fehr, and O’Neill [12] independently have described simple, compact constructions of lossy and ABO TDFs under the decisional composite residuosity assumption, using the trapdoor functi... |

41 | On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates
- Gertner, Malkin, et al.
- 2001
Citation Context ... function f_pk(x) = E′(x; x) is simply the identity function, which is trivial to invert. While the above is just a contrived counterexample for one particular attempt, Gertner, Malkin, and Reingold [30] demonstrated a black-box separation between injective (or even poly-to-one) trapdoor functions and CPA-secure encryption. Intuitively, the main difference is that inverting a trapdoor function requir... |

38 | More constructions of lossy and correlation-secure trapdoor functions
- Freeman, Goldreich, et al.
- 2010
Citation Context ...]. (The preliminary version of this work [53] constructed somewhat more complex lossy and ABO TDFs under a variant of Paillier’s assumption.) More recently, Freeman, Goldreich, Kiltz, Rosen and Segev [27] produced more constructions of lossy TDFs, from the quadratic residuosity assumption and the family of k-linear assumptions [39, 62] (which are potentially weaker generalizations of the DDH assumptio... |

36 | A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive
- Shacham
Citation Context ...assumption.) More recently, Freeman, Goldreich, Kiltz, Rosen and Segev [27] produced more constructions of lossy TDFs, from the quadratic residuosity assumption and the family of k-linear assumptions [39, 62] (which are potentially weaker generalizations of the DDH assumption). Boyen and Waters gave a technique to ‘compress’ the public key of our matrix construction down to O(n) group elements in a ‘pairi... |

35 | Factoring polynomials with rational coefficients
- Lenstra, Lenstra, Lovász
Citation Context ...) approximation factor, known algorithms require time and space that are exponential in d [4]; known polynomial-time algorithms obtain approximation factors that are only slightly subexponential in d [41, 58]. We define our lossy and ABO functions in terms of the LWE problem, without explicitly taking into account the connection to lattices (or the hypotheses on the parameters required by Proposition 6.1)... |
33 | Non-Malleable Cryptography (Extended Abstract) - Dolev, Dwork, Naor - 1991 |

27 | Finding collisions on a public road, or do secure hash functions need secret coins
- Hsiao, Reyzin
- 2004
Citation Context ...ruction should therefore be considered “private-coin,” in contrast to a “public-coin” one for which it must remain hard to find a collision even given the random coins of the function generator. (See [38] for a detailed study of these two notions.) We point out that the alternate construction using S_loss also may not be public-coin, because knowing the random coins of S_loss may also make it easy to fi... |

24 | Foundations of Cryptography, volume - Goldreich - 2004 |

24 | Semi-honest to malicious oblivious transfer - the black-box way
- Haitner
- 2008
Citation Context ...ocol secure against malicious adversaries can be constructed using the zero-knowledge “compiler” paradigm of Goldreich, Micali, and Wigderson [33] or using a recent black-box transformation of Haitner [36], and secure multiparty computation can be obtained using the (non-black-box) compilation paradigm of Goldreich, Micali, and Wigderson [34]. However, these constructions are inefficient and primarily ... |

22 | Towards a separation of semantic and CCA security for public key encryption
- Gertner, Malkin, et al.
- 2007
Citation Context ...input message, but not necessarily the encryption randomness. For similar reasons, there is also some evidence that achieving CCA security from CPA security (in a black-box manner) would be difficult [29]. Perhaps for these reasons, constructions of CCA-secure encryption in the standard model [44, 23, 57, 19, 20] have followed a different approach. As explained in [24], all the techniques used so far ... |

20 | Multi-bit cryptosystems based on lattice problems - Kawachi, Tanaka, et al. - 2007 |

19 | On the amortized complexity of zero-knowledge protocols
- Cramer, Damgård
- 2009
Citation Context ...h every nonzero matrix in the family has full rank (i.e., its rows are linearly independent). The construction of such a family involves a simple linear encoding trick (a variant of which was used in [18] for different purposes) that maps a vector v ∈ Z^w to a matrix V ∈ Z_q^{w×w} such that V = 0 when v = 0, and V is full-rank whenever v ≠ 0. 9 The full-rank property allows us to (efficiently) recover... |

19 | Limits on the hardness of lattice problems in ℓp norms
- Peikert
Citation Context ... any lattice of dimension d, approximate the Euclidean length of a shortest nonzero lattice vector to within a Õ(d/α) factor. Proposition 6.1 has since been strengthened by Peikert in two ways: first [46], it also applies to the SIVP and GapSVP problems in any ℓp norm, 2 < p ≤ ∞, for essentially the same Õ(d/α) approximation factors. Second [47], for αq ≥ √ d log d there is also a classical (non-quant... |

15 | Many-to-one trapdoor functions and their relation to public-key cryptosystems
- Bellare, Halevi, et al.
- 1998
Citation Context ...-secure) cryptosystems that are witness-recovering, it is tempting to think that they might also yield efficient CCA-secure encryption via witness recovery. Indeed, this approach has borne some fruit [6, 8, 27], but so far only with the aid of the random oracle heuristic. A related long-standing question is whether it is possible to construct (a collection of) trapdoor functions from any cryptosystem that i... |

13 | How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design
- Goldreich, Micali, Wigderson
- 1986
Citation Context ...tors, collision-resistant hash functions, and oblivious transfer (OT) protocols, in a black-box manner and with simple and tight security reductions. Using standard (but non-black box) transformations [33, 34], our OT protocols additionally imply general secure multiparty computation for malicious adversaries. 1.1 Trapdoor Functions and Witness-Recovering Decryption Trapdoor functions are certainly a power... |

13 | Efficient lossy trapdoor functions based on the composite residuosity assumption. Cryptology ePrint Archive, Report 2008/134 - Rosen, Segev - 2008 |

12 | A Unified Methodology For Constructing Public-Key Encryption Schemes Secure Against Adaptive Chosen-Ciphertext Attack. Available at http://eprint.iacr.org/2002/042 - Elkind, Sahai |

10 | Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions
- Mol, Yilek
Citation Context ...s.” Rosen and Segev [59] introduced a relaxation of lossiness, called security under “correlated inputs,” and constructed a witness-recovering CCA-secure cryptosystem using that notion. Mol and Yilek [44] recently solved an open problem from an earlier version of this work, by constructing a CCA-secure encryption scheme from any lossy TDF that loses only a noticeable fraction of a bit. Trapdoors for l... |

8 | Generic transformation to strongly unforgeable signatures
- Huang, Wong, Zhao
- 2007
Citation Context ...igible advantage in the above game. Strongly unforgeable one-time signatures can be constructed from any one-way function [32, Chapter 6], and more efficiently from collision-resistant hash functions [41]. As we show later, both of these primitives have black-box constructions from lossy trapdoor functions. 2.3 Randomness Extraction The min-entropy of a random variable X over a domain S is the negativ... |

8 | Generating hard instances of lattice problems. Quaderni di Matematica, 13:1–32, 2004. Preliminary version in STOC
- Ajtai
- 1996
Citation Context ... 23, 60]. 1 Second, it yields the first known CCA-secure cryptosystem based entirely on (worst-case) lattice assumptions, resolving a problem that has remained open since the pioneering work of Ajtai [1] and Ajtai and Dwork [2]. 2 • We further demonstrate the utility of lossy TDFs by constructing pseudorandom generators, collision-resistant hash functions, and oblivious transfer (OT) protocols, in a b... |

6 | The first and fourth public-key cryptosystems with worst-case/average-case equivalence
- Ajtai, Dwork
Citation Context ...uct OT in a similar way, but the security properties are reversed: one can sample a lossy public key that is only computationally 4 Concurrently with the initial version of this work, Ajtai and Dwork [3] improved their original cryptosystem to include a lifting argument that also appears amenable to our framework. indistinguishable from a ‘real’ one, but messages encrypted under the lossy key are s... |

5 | Cryptography and game theory: Designing protocols for exchanging information
- Kol, Naor
- 2008
Citation Context ...tion, this style of argument goes back to the seminal work of Goldwasser and Micali [35], and recently has been identified as an important notion (called “message-lossy” [49] or “meaningful/meaningless” [40] encryption) in its own right. The style is inherent to cryptosystems based on lattices [2, 53, 54], but to our knowledge it has never been employed in the context of trapdoor functions or chosen-ciph... |

4 | Multirecipient encryption schemes: How to save on bandwidth and computation without sacrificing security
- Bellare, Boldyreva, et al.
- 1998
Citation Context ... concrete constructions of lossy TDFs under the DDH assumption, which generate a matrix whose rows lie in a small subspace, are technically similar to the ElGamal-like cryptosystems of Bellare et al. [5] that reuse randomness for efficiency, and to constructions of pseudorandom functions (via intermediate objects called “synthesizers”) by Naor and Reingold [45]. The novelty in our constructions is in... |

3 | Noninteractive statistical zero-knowledge proofs for lattice problems
- Peikert, Vaikuntanathan
- 2008
Citation Context ...mer and Shoup [19, 20] gave efficient CCA-secure constructions based on NIZK proofs for specific number-theoretic problems. 2 We also note that while NIZK proofs for certain lattice problems are known [48], they do not appear to suffice for CCA security. the decisional Diffie-Hellman (DDH) [13] and decisional composite residuosity [45] problems. However, the NIZK approach has two significant drawback... |

1 | Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and symmetric encryption schemes - Malkin, Myers - 1999 |