Results 1 - 10
of
15
On the (Im)Possibility of Key Dependent Encryption
"... We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)-wise independent hash-functions. There exists no fully-black-box reduct ..."
Abstract
-
Cited by 33 (2 self)
- Add to MetaCart
(Show Context)
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)-wise independent hash-functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent inputs to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H. • Let G be the family of polynomial sized circuits. There exists no reduction from an encryption scheme secure against key-dependent inputs to, seemingly, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for g ∈ G, as long as the reduction’s proof of security treats both the adversary and the function g as black box. Keywords: Key-dependent input security, black-box separation 1
Parallel repetition of computationally sound protocols revisited
- IN 4TH TCC, SPRINGER, LECTURE NOTES IN COMPUTER SCIENCE
, 2007
"... Parallel repetition is well known to reduce the error probability at an exponential rate for single- and multi-prover interactive proofs. Bellare, Impagliazzo and Naor (1997) show that this is also true for protocols where the soundness only holds against computationally bounded provers (e.g. inte ..."
Abstract
-
Cited by 20 (2 self)
- Add to MetaCart
(Show Context)
Parallel repetition is well known to reduce the error probability at an exponential rate for single- and multi-prover interactive proofs. Bellare, Impagliazzo and Naor (1997) show that this is also true for protocols where the soundness only holds against computationally bounded provers (e.g. interactive arguments) if the protocol has at most three rounds. On the other hand, for four rounds they give a protocol where this is no longer the case: the error probability does not decrease below some constant even if the protocol is repeated a polynomial number of times. Unfortunately, this protocol is not very convincing as the communication complexity of each instance of the protocol grows linearly with the number of repetitions, and for such protocols the error does not even decrease for some types of interactive proofs. Noticing this, Bellare et al. construct (a quite artificial) oracle relative to which a four round protocol exists whose communication complexity does not depend on the number of parallel repetitions. This shows that there is no “black-box” error reduction theorem for four round protocols. In this paper we give the first computationally sound protocol where k-fold parallel repetition does not decrease the error probability below some constant for any polynomial k (and where the communication complexity does not depend on k). The protocol has eight rounds and uses the universal arguments of Barak and Goldreich (2001). We also give another four round protocol relative to an oracle, unlike the artificial oracle of Bellare et al., we just need a generic group. This group can then potentially be instantiated with some real group satisfying some well defined hardness assumptions (we do not know of any candidate for such a group at the moment). 1
Uniform direct product theorems: Simplified, unified and derandomized
, 2007
"... The classical Direct-Product Theorem for circuits says that if a Boolean function f: {0, 1} n → {0, 1} is somewhat hard to compute on average by small circuits, then the corresponding k-wise direct product function f k (x1,..., xk) = (f(x1),..., f(xk)) (where each xi ∈ {0, 1} n) is significantly ha ..."
Abstract
-
Cited by 19 (4 self)
- Add to MetaCart
The classical Direct-Product Theorem for circuits says that if a Boolean function f: {0, 1} n → {0, 1} is somewhat hard to compute on average by small circuits, then the corresponding k-wise direct product function f k (x1,..., xk) = (f(x1),..., f(xk)) (where each xi ∈ {0, 1} n) is significantly harder to compute on average by slightly smaller circuits. We prove a fully uniform version of the Direct-Product Theorem with information-theoretically optimal parameters, up to constant factors. Namely, we show that for given k and ɛ, there is an efficient randomized algorithm A with the following property. Given a circuit C that computes f k on at least ɛ fraction of inputs, the algorithm A outputs with probability at least 3/4 a list of O(1/ɛ) circuits such that at least one of the circuits on the list computes f on more than 1 − δ fraction of inputs, for δ = O((log 1/ɛ)/k); moreover, each output circuit is an AC 0 circuit (of size poly(n, k, log 1/δ, 1/ɛ)), with oracle access to the circuit C. Using the Goldreich-Levin decoding algorithm [GL89], we also get a fully uniform version of Yao’s XOR Lemma [Yao82] with optimal parameters, up to constant factors. Our results simplify and improve those in [IJK06]. Our main result may be viewed as an efficient approximate, local, list-decoding algorithm for
Constructive proofs of concentration bounds
- In Proceedings of the 13th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems and 14th International Workshop on Randomization and Computation (APPROX-RANDOM ’10
, 2010
"... We give a simple combinatorial proof of the Chernoff-Hoeffding concentration bound [Che52, Hoe63], which says that the sum of independent {0, 1}-valued random variables is highly con-centrated around the expected value. Unlike the standard proofs, our proof does not use the method of higher moments, ..."
Abstract
-
Cited by 14 (0 self)
- Add to MetaCart
(Show Context)
We give a simple combinatorial proof of the Chernoff-Hoeffding concentration bound [Che52, Hoe63], which says that the sum of independent {0, 1}-valued random variables is highly con-centrated around the expected value. Unlike the standard proofs, our proof does not use the method of higher moments, but rather uses a simple and intuitive counting argument. In addi-tion, our proof is constructive in the following sense: if the sum of the given random variables is not concentrated around the expectation, then we can efficiently find (with high probability) a subset of the random variables that are statistically dependent. As simple corollaries, we also get the concentration bounds for [0, 1]-valued random variables and Azuma’s inequality for martingales [Azu67]. We interpret the Chernoff-Hoeffding bound as a statement about Direct Product Theorems. Informally, a Direct Product Theorem says that the complexity of solving all k instances of a hard problem increases exponentially with k; a Threshold Direct Product Theorem says that it is exponentially hard in k to solve even a significant fraction of the given k instances of a hard problem. We show the equivalence between optimal Direct Product Theorems and optimal Threshold Direct Product Theorems. As an application of this connection, we get the Chernoff bound for expander walks [Gil98] from the (simpler to prove) hitting property [AKS87], as well as an optimal (in a certain range of parameters) Threshold Direct Product Theorem for weakly verifiable puzzles from the optimal Direct Product Theorem [CHS05]. We also get a simple constructive proof of Unger’s result [Ung09] saying that XOR Lemmas imply Threshold Direct
On the Composition of Public-Coin Zero-Knowledge Protocols
- In CYPTO, Springer LNCS 5677
, 2009
"... Abstract. We show that only languages in BPP have public-coin, blackbox zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any set-up) and in the Bare Public-Key Model (where the prover and the v ..."
Abstract
-
Cited by 13 (7 self)
- Add to MetaCart
(Show Context)
Abstract. We show that only languages in BPP have public-coin, blackbox zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any set-up) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by showing the existence of a public-coin black-box zero-knowledge proof that remains secure under any a-priori bounded number of concurrent executions. 1
Efficient stringcommitment from weak bit-commitment and full-spectrum theorem for puzzles. Unpublished manuscript
, 2009
"... Abstract. We study security amplification for commitment schemes and improve the efficiency of black-box security amplification in the computational setting, where the security holds against PPT active adversaries. We show that ω(log s) black-box calls to a weak bit-commitment scheme with constant s ..."
Abstract
-
Cited by 8 (5 self)
- Add to MetaCart
(Show Context)
Abstract. We study security amplification for commitment schemes and improve the efficiency of black-box security amplification in the computational setting, where the security holds against PPT active adversaries. We show that ω(log s) black-box calls to a weak bit-commitment scheme with constant security is sufficient to construct a commitment scheme with standard negligible security, where s denotes the security parameter and ω(log s) denotes any super-logarithmic function of s. Furthermore, the resulting scheme is a string commitment scheme that can commit to O(log s)-bit strings. This improves on previous work of Damg˚ard et al. [DKS99] and Halevi and Rabin [HR08], whose transformations require ω(log 2 s) black-box calls to commit a single bit. As a byproduct of our analysis, we also improve the efficiency of security amplification for message authentication codes, digital signatures, and pseudorandom functions studied in [DIJK09]. This is from an improvement of the “Chernoff-type Theorems ” of dynamic weakly-verifiable puzzles of [DIJK09]. 1
Distinguishing Distributions Using Chernoff Information
"... Abstract. In this paper, we study the soundness amplification by repetition of cryptographic protocols. As a tool, we use the Chernoff Information. We specify the number of attempts or samples required to distinguish two distributions efficiently in various protocols. This includes weakly verifiable ..."
Abstract
-
Cited by 8 (3 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper, we study the soundness amplification by repetition of cryptographic protocols. As a tool, we use the Chernoff Information. We specify the number of attempts or samples required to distinguish two distributions efficiently in various protocols. This includes weakly verifiable puzzles such as CAPTCHA-like challenge-response protocols, interactive arguments in sequential composition scenario and cryptanalysis of block ciphers. As our main contribution, we revisit computational soundness amplification by sequential repetition in the threshold case, i.e when completeness is not perfect. Moreover, we outline applications to the Leftover Hash Lemma and iterative attacks on block ciphers.
Security Amplification for Interactive Cryptographic Primitives
, 2009
"... Security amplification is an important problem in Cryptography: starting with a “weakly secure” variant of some cryptographic primitive, the goal is to build a “strongly secure” variant of the same primitive. This question has been successfully studied for a variety of important cryptographic primit ..."
Abstract
-
Cited by 5 (3 self)
- Add to MetaCart
Security amplification is an important problem in Cryptography: starting with a “weakly secure” variant of some cryptographic primitive, the goal is to build a “strongly secure” variant of the same primitive. This question has been successfully studied for a variety of important cryptographic primitives, such as one-way functions, collision-resistant hash functions, encryption schemes and weakly verifiable puzzles. However, all these tasks were non-interactive. In this work we study security amplification of interactive cryptographic primitives, such as message authentication codes (MACs), digital signatures (SIGs) and pseudorandom functions (PRFs). In particular, we prove direct product theorems for MACs/SIGs and an XOR lemma for PRFs, therefore obtaining nearly optimal security amplification for these primitives. Our main technical result is a new Chernoff-type theorem for what we call Dynamic Weakly Verifiable Puzzles, which is a generalization of ordinary Weakly Verifiable Puzzles which we introduce in this paper.
An efficient parallel repetition theorem
"... We present a general parallel-repetition theorem with an efficient reduction. As a corollary of this theorem we establish that parallel repetition reduces the soundness error at an exponential rate in any public-coin argument, and more generally, any argument where the verifier’s messages, but not ..."
Abstract
-
Cited by 4 (2 self)
- Add to MetaCart
We present a general parallel-repetition theorem with an efficient reduction. As a corollary of this theorem we establish that parallel repetition reduces the soundness error at an exponential rate in any public-coin argument, and more generally, any argument where the verifier’s messages, but not necessarily its decision to accept or reject, can be efficiently simulated with noticeable probability.
Lower bounds on the query complexity of non-uniform and adaptive reductions showing hardness amplification
, 2012
"... Hardness amplification results show that for every Boolean function f there exists a Boolean function Amp(f) such that the following holds: if every circuit of size s computes f correctly on at most a 1 − δ fraction of inputs, then every circuit of size s ′ computes Amp(f) correctly on at most a 1/2 ..."
Abstract
-
Cited by 3 (1 self)
- Add to MetaCart
Hardness amplification results show that for every Boolean function f there exists a Boolean function Amp(f) such that the following holds: if every circuit of size s computes f correctly on at most a 1 − δ fraction of inputs, then every circuit of size s ′ computes Amp(f) correctly on at most a 1/2+ϵ fraction of inputs. All hardness amplification results in the literature suffer from “size loss ” meaning that s ′ ≤ ϵ · s. In this paper we show that proofs using “non-uniform reductions ” must suffer from such size loss. To the best of our knowledge, all proofs in the literature are by non-uniform reductions. Our result is the first lower bound that applies to non-uniform reductions that are adaptive. A reduction is an oracle circuit R (·) such that when given oracle access to any function D that computes Amp(f) correctly on a 1/2 + ϵ fraction of inputs, R D computes f correctly on a 1 − δ fraction of inputs. A non-uniform reduction is allowed to also receive a short advice string that may depend on both f and D in an arbitrary way. The well known connection between hardness amplification and list-decodable error-correcting codes implies that reductions showing hardness amplification cannot be uniform for δ, ϵ < 1/4. A reduction is non-adaptive if it makes non-adaptive queries to its oracle. Shaltiel and Viola (SICOMP 2010) showed lower bounds on the number of queries made by nonuniform
