Results 1-10 of 19
On the compressibility of NP instances and cryptographic applications
In Electronic Colloquium on Computational Complexity (ECCC), 2006
Cited by 41 (1 self)
Abstract: We initiate the study of compression that preserves the solution to an instance of a problem rather than preserving the instance itself. Our focus is on the compressibility of NP decision problems. We consider NP problems that have long instances but relatively short witnesses. The question is, can one efficiently compress an instance and store a shorter representation that maintains the information of whether the original input is in the language or not. We want the length of the compressed instance to be polynomial in the length of the witness rather than the length of the original input. Such compression makes it possible to succinctly store instances until a future setting will allow solving them, either via a technological or algorithmic breakthrough or simply until enough time has elapsed. We give a new classification of NP with respect to compression. This classification forms a stratification of NP that we call the VC hierarchy. The hierarchy is based on a new type of reduction called W-reduction, and there are compression-complete problems for each class. Our motivation for studying this issue stems from the vast cryptographic implications compressibility has. For example, we say that SAT is compressible if there exists a polynomial p(·, ·) so that given a formula consisting of m clauses over n variables it is possible to come up with an equivalent (w.r.t. satisfiability) formula of size at most p(n, log m). Then, given a compression algorithm for SAT, we provide a construction of collision-resistant hash functions from any one-way function. This task was shown to be impossible via black-box reductions [57], and indeed the construction presented is inherently non-black-box. Another application of SAT compressibility is a cryptanalytic result concerning the limitation of everlasting security in the bounded storage model when mixed with (time) complexity based cryptography. In addition, we study an approach to constructing an Oblivious Transfer Protocol from any one-way function. This approach is based on compression for SAT that also has a property that we call witness retrievability. However, we manage to prove severe limitations on the ability to achieve witness retrievable compression of SAT.
Efficient Arguments without Short PCPs
Cited by 28 (2 self)
Abstract: Current constructions of efficient argument systems combine a short (polynomial size) PCP with a cryptographic hashing technique. We suggest an alternative approach for this problem that makes it possible to simplify the underlying PCP machinery using a stronger cryptographic technique. More concretely, we present a direct method for compiling an exponentially long PCP which is succinctly described by a linear oracle function π: F^n → F into an argument system in which the verifier sends to the prover O(n) encrypted field elements and receives O(1) encryptions in return. This compiler can be based on an arbitrary homomorphic encryption scheme. Applying our general compiler to the exponential size Hadamard code based PCP of Arora et al. (JACM 1998) yields a simple argument system for NP in which the communication from the prover to the verifier only includes a constant number of short encryptions. The main tool we use is a new cryptographic primitive which allows one to efficiently commit to a linear function and later open the output of the function on an arbitrary vector. Our efficient implementation of this primitive is independently motivated by cryptographic applications.
A New Sampling Protocol and Applications to Basing Cryptographic Primitives on the Hardness of NP
2009
Cited by 8 (3 self)
Abstract: We investigate the question of what languages can be decided efficiently with the help of a recursive collision-finding oracle. Such an oracle can be used to break collision-resistant hash functions or, more generally, statistically hiding commitments. The oracle we consider, Sam_d where d is the recursion depth, is based on the identically-named oracle defined in the work of Haitner et al. (FOCS ’07). Our main result is a constant-round public-coin protocol “AM-Sam” that allows an efficient verifier to emulate a Sam_d oracle for any constant depth d = O(1) with the help of a BPP^NP prover. AM-Sam allows us to conclude that if L is decidable by a k-adaptive randomized oracle algorithm with access to a Sam_{O(1)} oracle, then L ∈ AM[k] ∩ coAM[k]. The above yields the following corollary: assume there exists an O(1)-adaptive reduction that bases constant-round statistically hiding commitment on NP-hardness; then NP ⊆ coAM and the polynomial hierarchy collapses. The same result holds for any primitive that can be broken by Sam_{O(1)}, including collision-resistant hash functions and O(1)-round oblivious transfer where security holds statistically for one of the parties. We also obtain non-trivial (though weaker) consequences for k-adaptive reductions for any k = poly(n). Prior to our work, most results in
A linear lower bound on the communication complexity of single-server private information retrieval
In preparation, 2008
Cited by 6 (3 self)
Abstract: We study the communication complexity of single-server Private Information Retrieval (PIR) protocols that are based on fundamental cryptographic primitives in a black-box manner. In this setting, we establish a tight lower bound on the number of bits communicated by the server in any polynomially-preserving construction that relies on trapdoor permutations. More specifically, our main result states that in such constructions Ω(n) bits must be communicated by the server, where n is the size of the server’s database. Therefore, in the very natural setting under consideration, the naive solution in which the user downloads the entire database turns out to be optimal up to constant multiplicative factors. Moreover, while single-server PIR protocols with polylogarithmic communication complexity were shown to exist based on specific number-theoretic assumptions, the lower bound we provide identifies a substantial gap between black-box and non-black-box constructions of single-server PIR. Technically speaking, this paper consists of two main contributions from which our lower bound is obtained. First, we derive a tight lower bound on the number of bits communicated by the sender during the commit stage of any black-box construction of a statistically-hiding commitment scheme from a family of trapdoor permutations. This lower bound asymptotically matches the upper bound provided by the scheme of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). Second, we significantly improve the efficiency of the well-known reduction of statistically-hiding commitment schemes to non-trivial single-server PIR, due to Beimel, Ishai, Kushilevitz and Malkin (STOC ’99). In particular, we present a reduction that essentially preserves both the communication complexity and the round complexity of the underlying single-server PIR protocol.
A Survey of Single-Database PIR: Techniques and Applications
Cited by 6 (0 self)
Abstract: In this paper we survey the notion of Single-Database Private Information Retrieval (PIR). The first Single-Database PIR was constructed in 1997 by Kushilevitz and Ostrovsky, and since then Single-Database PIR has emerged as an important cryptographic primitive. For example, Single-Database PIR turned out to be intimately connected to collision-resistant hash functions, oblivious transfer and public-key encryption with additional properties. In this survey, we give an overview of many of the constructions for Single-Database PIR (including an abstract construction based upon homomorphic encryption) and describe some of the connections of PIR to other primitives.
Limits on the power of indistinguishability obfuscation and functional encryption
Cryptology ePrint Archive
Cited by 4 (2 self)
Abstract: Recent breakthroughs in cryptography have positioned indistinguishability obfuscation as a “central hub” for almost all known cryptographic tasks, and as an extremely powerful building block for new cryptographic tasks resolving long-standing and foundational open problems. However, constructions based on indistinguishability obfuscation almost always rely on non-black-box techniques, and thus the extent to which it can be used as a building block has been completely unexplored so far. We present a framework for proving meaningful negative results on the power of indistinguishability obfuscation. By considering indistinguishability obfuscation for oracle-aided circuits, we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC '14) and its variants, as well as sub-exponential security assumptions. Within our framework we prove the first negative results on the power of indistinguishability obfuscation and of the tightly related notion of functional encryption. Our results are as follows:
Hash Functions from Sigma Protocols and Improvements to VSH
2008
Cited by 3 (0 self)
Abstract: We present a general way to get a provably collision-resistant hash function from any (suitable) Σ-protocol. This enables us both to get new designs and to unify and improve previous work. In the first category, we obtain, via a modified version of the Fiat-Shamir protocol, the fastest known hash function that is provably collision-resistant based on the standard factoring assumption. In the second category, we provide a modified version VSH* of VSH which is faster when hashing short messages. (Most Internet packets are short.) We also show that Σ-hash functions are chameleon, thereby obtaining several new and efficient chameleon hash functions with applications to online/offline
Communication Complexity in Algebraic Two-Party Protocols
2008
Cited by 1 (1 self)
Abstract: In cryptography, there has been tremendous success in building various two-party protocols with small communication complexity out of homomorphic semantically-secure encryption schemes, using their homomorphic properties in a black-box way. A few notable examples of such primitives include single-database Private Information Retrieval (PIR) schemes (introduced in [15]) and private database update with small communication (introduced in [5]). In this paper, we illustrate a general methodology for determining what types of protocols can and cannot be implemented with small communication by using homomorphic encryption in a black-box way. We hope that this work will provide a simple “litmus test” of feasibility for black-box use of known homomorphic encryption schemes by other cryptographic researchers attempting to develop new protocols with low communication. Additionally, a precise mathematical language for reasoning about such problems is developed in this work, which may be of independent interest. We stress that the class of algebraic structures for which we prove communication complexity lower bounds is large, and covers practically all known semantically-secure homomorphic cryptosystems (including those based upon bilinear maps). Finally, we show the following equivalence, which relates group homomorphic encryption to a major open question of designing a so-called fully-homomorphic cryptosystem: a fully homomorphic encryption scheme (over a nonzero ring) exists if and only if there exists homomorphic encryption over any finite non-abelian simple group. This result somewhat generalizes results of Barrington [1] (to any group containing a finite non-abelian simple subgroup) and of Maurer and Rhodes [18], and in fact gives a constructive proof of the 1974 result of Werner [28]. (This also answers an open question posed by Rappe in [23], who in 2004 proved a special case of this result.)
Algebraic Lower Bounds for Computing on Encrypted Data
Electronic Colloquium on Computational Complexity, Report No. 22 (2007)
Abstract: In cryptography, there has been tremendous success in building primitives out of homomorphic semantically-secure encryption schemes, using homomorphic properties in a black-box way. A few notable examples of such primitives include private information retrieval schemes and collision-resistant hash functions (e.g. [14, 6, 13]). In this paper, we illustrate a general methodology for determining what types of protocols can be implemented in this way and which cannot. This is accomplished by analyzing the computational power of various algebraic structures which are preserved by existing cryptosystems. More precisely, we demonstrate lower bounds for algebraically generating generalized characteristic vectors over certain algebraic structures, and subsequently we show how to directly apply these abstract algebraic results to put lower bounds on algebraic constructions of a number of cryptographic protocols, including PIR-writing and private keyword search protocols. We hope that this work will provide a simple “litmus test” of feasibility for use by other cryptographic researchers attempting to develop new protocols that require computation on encrypted data. Additionally, a precise mathematical language for reasoning about such problems is developed in this work, which may be of independent interest.