## Bounds on the efficiency of “blackbox” commitment schemes (2005)

Venue: 32nd ICALP

Citations: 8 - 0 self

### BibTeX

@INPROCEEDINGS{Horvitz05boundson,
    author = {Omer Horvitz and Jonathan Katz},
    title = {Bounds on the efficiency of “blackbox” commitment schemes},
    booktitle = {32nd ICALP},
    year = {2005},
    pages = {128--139}
}

### Abstract

Constructions of cryptographic primitives based on general assumptions (e.g., one-way functions) tend to be less efficient than constructions based on specific (e.g., number-theoretic) assumptions. This has prompted a recent line of research aimed at investigating the best possible efficiency of (black-box) cryptographic constructions based on general assumptions. Here, we present bounds on the efficiency of statistically-binding commitment schemes constructed using black-box access to one-way permutations; our bounds are tight for the case of perfectly-binding schemes. Our bounds hold in an extension of the Impagliazzo-Rudich model: we show that any construction beating our bounds would imply the unconditional existence of a one-way function (from which a statistically-binding commitment scheme could be constructed “from scratch”).

Key words: Cryptography, commitment schemes

### Citations

1227 | Probabilistic Encryption - Goldwasser, Micali - 1984 |

747 | A pseudo-random generator from any one-way function - Håstad, Impagliazzo, et al. - 1999 |
Citation Context: ...ndom $s \in \{0,1\}^n$ and sends $G(s)$ if $b = 0$ and $G(s) \oplus r$ if $b = 1$. This scheme is binding with $\varepsilon_b < 2^{2n}/2^{n+k} = 2^{n-k}$. Although a pseudorandom generator $G$ can be constructed from any one-way function [HILL99], we examine the efficiency of the above scheme when $G$ is based on an $S$-hard one-way permutation $\pi : \{0,1\}^n \to \{0,1\}^n$ so as to compare the efficiency of the scheme to our bound. In this case, evalu...

699 | Universal classes of hash functions - Carter, Wegman - 1979 |
Citation Context: ...ng can be done in time polynomial in $m$: (1) selecting a function $h \in H$ uniformly at random; and (2) given $h \in H$ and $x \in \{0,1\}^m$, evaluating $h(x)$. We say that $H$ is a pairwise-independent hash family [CW79] if for any distinct $x_1, x_2 \in \{0,1\}^m$ and any $y_1, y_2 \in \{0,1\}^{m'}$ we have: $\Pr_{h \in H}[h(x_1) = y_1 \wedge h(x_2) = y_2] = 2^{-2m'}$. Constructions satisfying the above requirements are well known. 3 Lower Boundin...

654 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

618 | How to generate cryptographically strong sequences of pseudo-random bits - Blum, Micali - 1984 |

525 | Theory and applications of trapdoor functions - Yao - 1982 |

463 | Non-Malleable Cryptography - Dolev, Dwork, et al. |
Citation Context: ...a number of non-black-box constructions do exist. As an example, all known constructions of public-key encryption schemes secure against chosen-ciphertext attacks based on trapdoor permutations (e.g., [DDN00]) are non black-box. (See [GGKT05] for additional examples.) Nevertheless, a black-box impossibility result is useful in that it indicates the techniques necessary to achieve a particular result. Furth...

321 | Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1990 |

242 | Bit commitment using pseudorandomness - Naor - 1991 |
Citation Context: ...om generators (PRGs) [BM84, Yao82, GL89, HILL99], universal one-way hash functions (UOWHFs) and digital signature schemes [NY89, Rom90], private-key encryption schemes [GGM85], and commitment schemes [Naor91]. Unfortunately, all of the constructions just referenced are notoriously inefficient, and no constructions (based on one-way functions) improving upon the efficiency of these solutions are known. On ...

202 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990 |
Citation Context: ...dern cryptography has been to identify the minimal assumptions needed for the construction of various cryptographic tools and protocols. We now know, for example, that one-way functions are necessary [IL89, Rom90] and sufficient for the construction of pseudorandom generators (PRGs) [BM84, Yao82, GL89, HILL99], universal one-way hash functions (UOWHFs) and digital signature schemes [NY89, Rom90], private-key e...

196 | Foundations of Cryptography - Goldreich - 2000 |
Citation Context: ...d from one-way permutations using the approach of Blum [Blu83] along with the Goldreich-Levin hard-core function paradigm [GL89]. Specifically, let $h : \{0,1\}^n \to \{0,1\}^\ell$ be a hard-core function (see [Gol01]) for a one-way permutation $\pi : \{0,1\}^n \to \{0,1\}^n$. To commit to a message $M \in \{0,1\}^m$, the sender first divides $M$ into $t = \lceil m/\ell \rceil$ blocks $N_1, \ldots, N_t$, each of length $\ell$. Then, for each block $N_i$ t...

168 | Limits on the Provable Consequences of OneWay Permutations - Impagliazzo, Rudich - 1989 |

115 | Coin flipping by telephone: a protocol for solving impossible problems - Blum - 1982 |
Citation Context: .... For perfectly-binding schemes, our bound shows that $\Omega(m/\log S)$ invocations of the one-way permutation are needed; our bound in this case matches the efficiency achieved by the construction of Blum [Blu83], instantiated using the Goldreich-Levin hard-core bits of a one-way permutation [GL89]. This is discussed further in Section 4, where we also compare our bounds to known constructions of statisticall...

74 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions - Simon - 1998 |

73 | Hard-Core Predicate for Any One-Way Function - Goldreich, Levin, et al. - 1989 |
Citation Context: ...nd translates to $\Omega(m/\log S)$; our bound in this case matches the efficiency achieved by the construction of Blum [Blu83], instantiated using the Goldreich-Levin hard-core bits of a one-way permutation [GL89]. This is discussed further in Section 4, where we also compare our bounds to known constructions of statistically-binding schemes. We remark that (a natural adaptation of) our bounds applies also to ...

64 | Notions of reducibility between cryptographic primitives - Reingold, Trevisan, et al. - 2004 |
Citation Context: ...by Impagliazzo and Rudich [IR89, Rud88] in the context of proving the impossibility of certain constructions, and much additional work in this vein followed [Rud91, Sim98, G+00, GMR01, Fis02]. (See [RTV04] for rigorous formal definitions of the Impagliazzo-Rudich model, as well as some variants that have been used.) Kim, Simon, and Tetali [KST99] were the first to use this model as a means of studying ...

63 | Lower Bounds on the Efficiency of Generic Cryptographic Constructions - Gennaro, Trevisan - 2000 |
Citation Context: ...n terms of the number of oracle calls made by the construction. They show non-tight bounds on the efficiency of constructing UOWHFs from one-way permutations. Extending their results, Gennaro, et al. [GGKT05] show that known constructions of UOWHFs based on one-way permutations are in fact optimal; they also show efficiency bounds for the case of PRGs, private-key encryption schemes, and digital signature...

55 | The relationship between public key encryption and oblivious transfer - Gertner, Kannan, et al. - 2000 |

55 | On the cryptographic applications of random functions - Goldreich, Goldwasser, et al. - 1984 |
Citation Context: ...r the construction of pseudorandom generators (PRGs) [BM84, Yao82, GL89, HILL99], universal one-way hash functions (UOWHFs) and digital signature schemes [NY89, Rom90], private-key encryption schemes [GGM85], and commitment schemes [Naor91]. Unfortunately, all of the constructions just referenced are notoriously inefficient, and no constructions (based on one-way functions) improving upon the efficiency ...

51 | Coin Flipping by Phone - Blum - 1982 |
Citation Context: ...ur bound would also imply a proof that $P \neq NP$. For perfectly-binding schemes, our bound translates to $\Omega(m/\log S)$; our bound in this case matches the efficiency achieved by the construction of Blum [Blu83], instantiated using the Goldreich-Levin hard-core bits of a one-way permutation [GL89]. This is discussed further in Section 4, where we also compare our bounds to known constructions of statistically...

36 | On the impossibility of basing trapdoor functions on trapdoor predicates - Gertner, Malkin, et al. - 2001 |

32 | Limits on the Provable Consequences of One-Way Functions - Rudich - 1989 |

29 | One-Way Functions are Essential for Complexity-Based Cryptography - Impagliazzo, Luby - 1989 |
Citation Context: ...itionally). For $\varepsilon_b = 0$, we show a similar result but where the implication holds unless $S$ alone makes $\Omega(m/\log S_p)$ queries to its oracle. In either case, by applying a result of Impagliazzo and Luby [IL89] (cf. also Lemma 3.1 below) this implies the unconditional existence of a one-way function, which in turn can be used to give an unconditional construction of a commitment scheme [Naor91]. We describe...

28 | Limits on the Efficiency of One-Way Permutation-Based Hash Functions - Kim, Simon, et al. - 1999 |
Citation Context: ...vein followed [Rud91, Sim98, G+00, GMR01, Fis02]. (See [RTV04] for rigorous formal definitions of the Impagliazzo-Rudich model, as well as some variants that have been used.) Kim, Simon, and Tetali [KST99] were the first to use this model as a means of studying the efficiency ∗ Dept. of Computer Science, University of Maryland. horvitz@cs.umd.edu. Supported by U.S. Army Research Office award DAAD19-01-...

23 | On the Impossibility of Constructing Non-interactive Statistically-Secret Protocols from Any Trapdoor One-Way Function - Fischlin - 2002 |

18 | Foundations of Cryptography, vol. 1: Basic Tools - Goldreich - 2001 |
Citation Context: ... from one-way permutations using the approach of Blum [Blu83] along with the Goldreich-Levin hard-core function paradigm [GL89]. Specifically, let $h : \{0,1\}^n \to \{0,1\}^\ell$ be a hard-core function (see [Gol01]) for a one-way permutation $\pi : \{0,1\}^n \to \{0,1\}^n$. To commit to a message $M \in \{0,1\}^m$, the sender first divides $M$ into $t = \lceil m/\ell \rceil$ blocks $N_1, \ldots, N_t$, each of length $\ell$. Then, for each block $N_i$ t...

3 | Bit commitment using pseudorandomness, J. of Cryptology 4(2 - Naor - 1991 |
Citation Context: ...om generators (PRGs) [BM84, Yao82, GL89, HILL99], universal one-way hash functions (UOWHFs) and digital signature schemes [NY89, Rom90], private-key encryption schemes [GGM85], and commitment schemes [Naor91]. Unfortunately, all the constructions just referenced are notoriously inefficient, and no constructions (based on one-way functions) improving upon the efficiency of these solutions Email addresses: ...

2 | The Use of Interaction in Public Cryptosystems. Adv - Rudich - 1992 |