## Lower bounds on the Efficiency of Generic Cryptographic Constructions (2000)


Venue: Proceedings of the 40th IEEE Symposium on Foundations of Computer Science

Citations: 67 - 6 self

### BibTeX

```
@INPROCEEDINGS{Gennaro00lowerbounds,
    author = {Rosario Gennaro and Yael Gertner and Jonathan Katz and Luca Trevisan},
    title = {Lower bounds on the Efficiency of Generic Cryptographic Constructions},
    booktitle = {Proceedings of the 40th IEEE Symposium on Foundations of Computer Science},
    year = {2000},
    pages = {305--313},
    publisher = {}
}
```

### Abstract

A central focus of modern cryptography is the construction of efficient, "high-level" cryptographic tools (e.g., encryption schemes) from weaker, "low-level" cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and also their efficiency. Here, we show essentially-tight lower bounds on the best possible efficiency that can be achieved by any black-box construction of some fundamental cryptographic tools from the most basic and widely-used cryptographic primitives. Our results concern constructions of pseudorandom generators, universal one-way hash functions, private-key encryption schemes, and digital signatures based on one-way permutations, as well as constructions of public-key encryption schemes based on trapdoor permutations. Our proofs are in the model introduced by Impagliazzo and Rudich: in each case, we show that any black-box construction beating our efficiency bound would yield the unconditional existence of a one-way function and thus, in particular, prove P

### Citations

1241 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ... notion of “interaction”. We also explore the efficiency of 2-party protocols, including those used in a “public-key” setting. A public-key encryption scheme for m-bit messages is semantically-secure [25] if for any two messages M0, M1 ∈ {0, 1}^m the distribution over encryptions of M0 is computationally indistinguishable from the distribution over encryptions of M1, even when given the public key a... |

869 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, Rivest
- 1988
Citation Context ...∈ {0, 1}^m, sign r using SK1, sign r ⊕ M using SK2, and output both signatures). Of course, lower bounds on one-time schemes immediately extend to schemes satisfying stronger definitions of security [26]. We show that in any semi black-box construction of a one-time signature scheme for messages of length m based on a one-way permutation, the verification algorithm must evaluate the one-way permutati... |

756 | Construction of Pseudorandom Generator from any One-Way Function
- Impagliazzo, Yung
- 1993
Citation Context ...f a stronger primitive. The first of these approaches has been immensely successful; for example, the existence of one-way functions is known to be sufficient for constructing pseudorandom generators [8, 42, 22, 27], pseudorandom functions [21], ∗ This work appeared in preliminary form as [15, 14]. † rosario@watson.ibm.com. IBM T.J. Watson Research Center. ‡ ygertner@uiuc.edu. Department of Psychology, Universit... |

665 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context ...se approaches has been immensely successful; for example, the existence of one-way functions is known to be sufficient for constructing pseudorandom generators [8, 42, 22, 27], pseudorandom functions [21], ∗ This work appeared in preliminary form as [15, 14]. † rosario@watson.ibm.com. IBM T.J. Watson Research Center. ‡ ygertner@uiuc.edu. Department of Psychology, University of Illinois at Urbana-Champ... |

623 |
How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits
- Blum, Micali
- 1984
Citation Context ...f a stronger primitive. The first of these approaches has been immensely successful; for example, the existence of one-way functions is known to be sufficient for constructing pseudorandom generators [8, 42, 22, 27], pseudorandom functions [21], ∗ This work appeared in preliminary form as [15, 14]. † rosario@watson.ibm.com. IBM T.J. Watson Research Center. ‡ ygertner@uiuc.edu. Department of Psychology, Universit... |

597 |
How to generate and exchange secrets
- Yao
- 1986
Citation Context ... known. 4 The examples of which we are aware occur in two ways: due to the use of generic zero-knowledge proofs (of knowledge) [23, 12, 4] or due to the use of generic protocols for secure computation [43, 24]. As an illustrative example: let L_f denote the image of a function f; i.e., L_f def= {y | y = f(x)}. A cryptographic protocol which utilizes a zero-knowledge proof that y ∈ L_f (for f a one-way function... |

538 |
How to Play Any Mental Game, or: A completeness theorem for protocols with honest majority
- Goldreich, Micali, et al.
- 1987
Citation Context ... known. 4 The examples of which we are aware occur in two ways: due to the use of generic zero-knowledge proofs (of knowledge) [23, 12, 4] or due to the use of generic protocols for secure computation [43, 24]. As an illustrative example: let L_f denote the image of a function f; i.e., L_f def= {y | y = f(x)}. A cryptographic protocol which utilizes a zero-knowledge proof that y ∈ L_f (for f a one-way function... |

529 |
Theory and applications of trapdoor functions
- Yao
- 1982
Citation Context ...f a stronger primitive. The first of these approaches has been immensely successful; for example, the existence of one-way functions is known to be sufficient for constructing pseudorandom generators [8, 42, 22, 27], pseudorandom functions [21], ∗ This work appeared in preliminary form as [15, 14]. † rosario@watson.ibm.com. IBM T.J. Watson Research Center. ‡ ygertner@uiuc.edu. Department of Psychology, Universit... |

482 | A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack - Cramer, Shoup - 1998 |

473 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 1991
Citation Context ...on one-way functions [12], a signature scheme based on non-interactive zero-knowledge [5], and all known constructions of chosen-ciphertext-secure encryption schemes from trapdoor permutations (e.g., [11]). Furthermore, protocols for distributed computation (without honest majority) tolerating computationally-bounded, malicious adversaries [24, 43] are themselves non-black-box6 (this is in contrast to... |

390 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems
- Goldreich, Micali, et al.
- 1991
Citation Context ...s, however, that a number of non-black-box cryptographic constructions are known. 4 The examples of which we are aware occur in two ways: due to the use of generic zero-knowledge proofs (of knowledge) [23, 12, 4] or due to the use of generic protocols for secure computation [43, 24]. As an illustrative example: let L_f denote the image of a function f; i.e., L_f def= {y | y = f(x)}. A cryptographic protocol whic... |

386 | A hard-core predicate for all one-way functions - Goldreich, Levin - 1989 |

326 |
Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1988
Citation Context ...s, however, that a number of non-black-box cryptographic constructions are known. 4 The examples of which we are aware occur in two ways: due to the use of generic zero-knowledge proofs (of knowledge) [23, 12, 4] or due to the use of generic protocols for secure computation [43, 24]. As an illustrative example: let L_f denote the image of a function f; i.e., L_f def= {y | y = f(x)}. A cryptographic protocol whic... |

322 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context ... Computer Science Division, UC Berkeley. Work done while at Columbia University. This research was supported by NSF grant CCR 9984703. universal one-way hash functions and digital signature schemes [36, 38], private-key encryption schemes and message-authentication codes [20], and commitment schemes [35]. In each of these cases one-way functions are also known to be necessary [30, 38], thus exactly char... |

271 | New directions in cryptography - Diffie, Hellman - 1976 |

247 | Bit commitment using pseudorandomness - Naor - 1991 |

225 | How to go beyond the black-box simulation barrier
- Barak
- 2001
Citation Context ...ack-box use 4 We focus here on constructions making non-black-box use of an underlying function f, rather than on constructions whose security analysis makes non-black-box use of the adversary (as in [1, 2]). 5 Note that constructions of zero-knowledge proofs for NP (e.g., [23]) are themselves black-box in their usage of primitives such as one-way functions. The issue is that a proof for the language of... |

206 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation Context ...to construct from SIG a one-way function which does not access any oracle. Note that this one-way function could then be used to construct a secure signature scheme (which requires no oracle access) [38]. We start with an informal overview of our proof technique. As a first attempt to construct a one-way function from the verification algorithm, one might define F_1(PK, M, σ) = PK‖Vrfy^(·)(PK, M, ... |

171 | Limits on the provable consequences of one-way permutations - Impagliazzo, Rudich - 1989 |

143 | Foundations of Cryptography (Fragments of a Book). Available at http://www.wisdom.weizmann.ac.il/home/oded/public_html/frag.html - Goldreich |

112 |
Constructing digital signatures from a one-way function
- Lamport
- 1979
Citation Context ... verification. We briefly observe some upper bounds on the efficiency of verification for one-time signatures (satisfying the notion of security considered here) on m-bit messages. The Lamport scheme [34] requires m invocations of a one-way permutation to verify a signature. Instead of signing bit-by-bit, the scheme can be modified to sign block-by-block. When basing the construction on an S-hard one-... |

75 |
A Hard-Core Predicate for any One-Way Function
- Goldreich, Levin
- 1989

75 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions
- Simon
- 1998
Citation Context ...for the existence of certain black-box cryptographic constructions (see Section 1.3 for further discussion). Following their work, a number of additional black-box impossibility results have appeared [40, 41, 16, 32, 17, 13]. Kim, Simon, and Tetali [33] initiated work focused on bounding the efficiency of black-box cryptographic constructions (rather than their existence), and their work provided the original inspiration... |

73 | Constant-round coin-tossing with a man in the middle or realizing the shared random string model
- Barak
Citation Context ...ack-box use 4 We focus here on constructions making non-black-box use of an underlying function f, rather than on constructions whose security analysis makes non-black-box use of the adversary (as in [1, 2]). 5 Note that constructions of zero-knowledge proofs for NP (e.g., [23]) are themselves black-box in their usage of primitives such as one-way functions. The issue is that a proof for the language of... |

67 | Notions of Reducibility between Cryptographic Primitives
- Reingold, Trevisan, et al.
- 2004
Citation Context ...old for any choice of S). In this work, we consider two types of black-box constructions, described informally now and discussed in more detail in Section 1.3. Following the terminology introduced in [37], a semi black-box construction (based on a one-way permutation) is an oracle procedure P^(·) such that, for any one-way permutation f given as an oracle, (1) P^f has the desired functionality and (2)... |

56 |
The relationship between public key encryption and oblivious transfer
- Gertner, Kannan, et al.
- 2000
Citation Context ...for the existence of certain black-box cryptographic constructions (see Section 1.3 for further discussion). Following their work, a number of additional black-box impossibility results have appeared [40, 41, 16, 32, 17, 13]. Kim, Simon, and Tetali [33] initiated work focused on bounding the efficiency of black-box cryptographic constructions (rather than their existence), and their work provided the original inspiration... |

56 |
On the cryptographic applications of random functions
- Goldreich, Goldwasser, et al.
- 1985
Citation Context ...rsity. This research was supported by NSF grant CCR 9984703. universal one-way hash functions and digital signature schemes [36, 38], private-key encryption schemes and message-authentication codes [20], and commitment schemes [35]. In each of these cases one-way functions are also known to be necessary [30, 38], thus exactly characterizing the feasibility of these constructs. Unfortunately, progres... |

49 |
New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs
- Bellare, Goldwasser
- 1989
Citation Context ...ions where zero-knowledge proofs of this sort are used include a construction of an identification protocol based on one-way functions [12], a signature scheme based on non-interactive zero-knowledge [5], and all known constructions of chosen-ciphertext-secure encryption schemes from trapdoor permutations (e.g., [11]). Furthermore, protocols for distributed computation (without honest majority) toler... |

38 | On the impossibility of basing trapdoor functions on trapdoor predicates
- Gertner, Malkin, et al.
- 2001
Citation Context ...for the existence of certain black-box cryptographic constructions (see Section 1.3 for further discussion). Following their work, a number of additional black-box impossibility results have appeared [40, 41, 16, 32, 17, 13]. Kim, Simon, and Tetali [33] initiated work focused on bounding the efficiency of black-box cryptographic constructions (rather than their existence), and their work provided the original inspiration... |

38 |
Bit Commitment using Pseudorandom Generators
- Naor
- 1991
Citation Context ...orted by NSF grant CCR 9984703. universal one-way hash functions and digital signature schemes [36, 38], private-key encryption schemes and message-authentication codes [20], and commitment schemes [35]. In each of these cases one-way functions are also known to be necessary [30, 38], thus exactly characterizing the feasibility of these constructs. Unfortunately, progress on the second approach — i.... |

36 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990 |

33 | Foundations of Cryptography, vol. 2: Basic Applications - Goldreich |

32 |
Correlated pseudorandomness and the complexity of private computations
- Beaver
- 1996
Citation Context ...n which the parties share the trapdoor for inverting a single member of this family) would inherently make non-black-box use of the underlying circuit(s) for F. Another example is a result of Beaver [3] which makes non-black-box use 4 We focus here on constructions making non-black-box use of an underlying function f, rather than on constructions whose security analysis makes non-black-box use of th... |

32 | Limits on the Provable Consequences of One-Way Functions
- Rudich
- 1989
Citation Context ...gnature schemes essentially meeting our lower bound; see Section 4.5 for further discussion. 1.2 Overview of Our Techniques We prove our results in an extension of the model of Impagliazzo and Rudich [31, 39]. Among other things, Impagliazzo and Rudich prove that a semi black-box construction of a secure key-exchange protocol based on a one-way permutation would inherently yield a proof that P = NP, and... |

30 | The discrete logarithm modulo a composite hides o(n) bits
- Håstad, Schrift, et al.
- 1993
Citation Context ...l” functions of this form to prove our lower bounds.) But specific one-way permutations and trapdoor permutations with Θ(n) hard-core bits are known under suitable number-theoretic assumptions (e.g., [28, 9]). Given such functions, we know how to construct PRGs and semantically-secure private- and public-key encryption schemes with improved efficiency. It remains open, however, whether such functions can... |

30 |
One-Way Functions Are Essential for Complexity-Based Cryptography
- Impagliazzo, Luby
- 1989
Citation Context ... signature schemes [36, 38], private-key encryption schemes and message-authentication codes [20], and commitment schemes [35]. In each of these cases one-way functions are also known to be necessary [30, 38], thus exactly characterizing the feasibility of these constructs. Unfortunately, progress on the second approach — i.e., improving the efficiency of these constructions — has been much less successfu... |

30 | Limits on the efficiency of one-way permutation-based hash functions - Kim, Simon, et al. - 1999 |

26 | Proofs that Yield Nothing but their Validity - Goldreich, Micali, et al. - 1988 |

24 | On the impossibility of constructing non-interactive statistically-secret protocols from any trapdoor one-way function
- Fischlin
- 2002

19 |
Very strong one-way functions and pseudo-random generators exist relative to a random oracle (manuscript)
- Impagliazzo
- 1996
Citation Context ... even against non-uniform adversaries. For the related case of random functions, a similar result has been proven by Impagliazzo and Rudich [31] in the (much simpler) uniform case, and by Impagliazzo [29] in the non-uniform case. 2 We also show a similar result for the case of trapdoor permutations. Using this result, we now describe the intuition behind our lower bound using the case of PRGs as an ex... |

18 | Foundations of Cryptography, vol. 1: Basic Tools - Goldreich - 2001 |

18 | A dual version of Reimer’s inequality and a proof of Rudich’s conjecture
- Kahn, Saks, et al.

14 | Many-to-one trapdoor functions and their relation to public-key cryptosystems - Bellare, Halevi, et al. - 1998 |

13 | The use of interaction in public cryptosystems - Rudich - 1991 |

7 | Paillier’s trapdoor function hides up to () bits
- Catalano, Gennaro, et al.
Citation Context ...l” functions of this form to prove our lower bounds.) But specific one-way permutations and trapdoor permutations with Θ(n) hard-core bits are known under suitable number-theoretic assumptions (e.g., [28, 9]). Given such functions, we know how to construct PRGs and semantically-secure private- and public-key encryption schemes with improved efficiency. It remains open, however, whether such functions can... |

4 |
An Efficient Probabilistic Encryption Scheme Hiding All Partial Information. Crypto-1982
- Blum, Goldwasser
Citation Context ...n given the public key as input. A similar definition (but with no public key) holds for the case of private-key encryption. Public-key encryption schemes constructed using the hard-core bit paradigm [8, 7, 22, 42] require Θ(m/log S) invocations of a trapdoor permutation to encrypt an m-bit message. Similarly, private-key encryption schemes constructed using this paradigm require Θ((m−k)/log S) invocations of a... |

4 | Universal Hash Functions and their Cryptographic Applications - Naor, Yung - 1989 |

3 |
Threshold Cryptosystems. Adv
- Desmedt, Frankel
- 1990
Citation Context ...ve inputs x1, x2 want to evaluate y = f(x1 ⊕ x2) without revealing any more information about their inputs than what is revealed by y itself). Thus, a generic construction of a threshold cryptosystem [10] based on a family F of trapdoor permutations (in which the parties share the trapdoor for inverting a single member of this family) would inherently make non-black-box use of the underlying circuit(s... |

3 | Draft of a Chapter on Cryptographic Protocols - Goldreich - 2003 |

2 |
The Use of Interaction in Public Cryptosystems. Adv
- Rudich
- 1992