Results 1-10 of 15
On the (Im)Possibility of Key Dependent Encryption
Cited by 33 (2 self)
Abstract
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results:
• Let H be the family of poly(n)-wise independent hash functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent inputs to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H.
• Let G be the family of polynomial-sized circuits. There exists no reduction from an encryption scheme secure against key-dependent inputs to, seemingly, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for g ∈ G, as long as the reduction's proof of security treats both the adversary and the function g as a black box.
Keywords: Key-dependent input security, black-box separation
Parallel repetition of computationally sound protocols revisited
In 4th TCC, Springer, Lecture Notes in Computer Science, 2007
Cited by 20 (2 self)
Abstract
Parallel repetition is well known to reduce the error probability at an exponential rate for single- and multi-prover interactive proofs. Bellare, Impagliazzo and Naor (1997) show that this is also true for protocols where the soundness only holds against computationally bounded provers (e.g. interactive arguments) if the protocol has at most three rounds. On the other hand, for four rounds they give a protocol where this is no longer the case: the error probability does not decrease below some constant even if the protocol is repeated a polynomial number of times. Unfortunately, this protocol is not very convincing, as the communication complexity of each instance of the protocol grows linearly with the number of repetitions, and for such protocols the error does not even decrease for some types of interactive proofs. Noticing this, Bellare et al. construct a (quite artificial) oracle relative to which a four-round protocol exists whose communication complexity does not depend on the number of parallel repetitions. This shows that there is no "black-box" error reduction theorem for four-round protocols. In this paper we give the first computationally sound protocol where k-fold parallel repetition does not decrease the error probability below some constant for any polynomial k (and where the communication complexity does not depend on k). The protocol has eight rounds and uses the universal arguments of Barak and Goldreich (2001). We also give another four-round protocol relative to an oracle; unlike the artificial oracle of Bellare et al., we just need a generic group. This group can then potentially be instantiated with some real group satisfying some well-defined hardness assumptions (we do not know of any candidate for such a group at the moment).
Uniform direct product theorems: Simplified, unified and derandomized
2007
Cited by 19 (4 self)
Abstract
The classical Direct-Product Theorem for circuits says that if a Boolean function f: {0, 1}^n → {0, 1} is somewhat hard to compute on average by small circuits, then the corresponding k-wise direct product function f^k(x1, ..., xk) = (f(x1), ..., f(xk)) (where each xi ∈ {0, 1}^n) is significantly harder to compute on average by slightly smaller circuits. We prove a fully uniform version of the Direct-Product Theorem with information-theoretically optimal parameters, up to constant factors. Namely, we show that for given k and ε, there is an efficient randomized algorithm A with the following property. Given a circuit C that computes f^k on at least an ε fraction of inputs, the algorithm A outputs with probability at least 3/4 a list of O(1/ε) circuits such that at least one of the circuits on the list computes f on more than a 1 − δ fraction of inputs, for δ = O((log 1/ε)/k); moreover, each output circuit is an AC^0 circuit (of size poly(n, k, log 1/δ, 1/ε)), with oracle access to the circuit C. Using the Goldreich-Levin decoding algorithm [GL89], we also get a fully uniform version of Yao's XOR Lemma [Yao82] with optimal parameters, up to constant factors. Our results simplify and improve those in [IJK06]. Our main result may be viewed as an efficient approximate, local, list-decoding algorithm for
Constructive proofs of concentration bounds
In Proceedings of the 13th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems and 14th International Workshop on Randomization and Computation (APPROX-RANDOM '10), 2010
Cited by 14 (0 self)
Abstract
We give a simple combinatorial proof of the Chernoff-Hoeffding concentration bound [Che52, Hoe63], which says that the sum of independent {0, 1}-valued random variables is highly concentrated around the expected value. Unlike the standard proofs, our proof does not use the method of higher moments, but rather uses a simple and intuitive counting argument. In addition, our proof is constructive in the following sense: if the sum of the given random variables is not concentrated around the expectation, then we can efficiently find (with high probability) a subset of the random variables that are statistically dependent. As simple corollaries, we also get the concentration bounds for [0, 1]-valued random variables and Azuma's inequality for martingales [Azu67]. We interpret the Chernoff-Hoeffding bound as a statement about Direct Product Theorems. Informally, a Direct Product Theorem says that the complexity of solving all k instances of a hard problem increases exponentially with k; a Threshold Direct Product Theorem says that it is exponentially hard in k to solve even a significant fraction of the given k instances of a hard problem. We show the equivalence between optimal Direct Product Theorems and optimal Threshold Direct Product Theorems. As an application of this connection, we get the Chernoff bound for expander walks [Gil98] from the (simpler to prove) hitting property [AKS87], as well as an optimal (in a certain range of parameters) Threshold Direct Product Theorem for weakly verifiable puzzles from the optimal Direct Product Theorem [CHS05]. We also get a simple constructive proof of Unger's result [Ung09] saying that XOR Lemmas imply Threshold Direct
On the Composition of Public-Coin Zero-Knowledge Protocols
In CRYPTO, Springer LNCS 5677, 2009
Cited by 13 (7 self)
Abstract
We show that only languages in BPP have public-coin, black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any setup) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by showing the existence of a public-coin black-box zero-knowledge proof that remains secure under any a-priori bounded number of concurrent executions.
Efficient string-commitment from weak bit-commitment and full-spectrum theorem for puzzles. Unpublished manuscript
2009
Cited by 8 (5 self)
Abstract
We study security amplification for commitment schemes and improve the efficiency of black-box security amplification in the computational setting, where the security holds against PPT active adversaries. We show that ω(log s) black-box calls to a weak bit-commitment scheme with constant security are sufficient to construct a commitment scheme with standard negligible security, where s denotes the security parameter and ω(log s) denotes any super-logarithmic function of s. Furthermore, the resulting scheme is a string commitment scheme that can commit to O(log s)-bit strings. This improves on previous work of Damgård et al. [DKS99] and Halevi and Rabin [HR08], whose transformations require ω(log^2 s) black-box calls to commit a single bit. As a byproduct of our analysis, we also improve the efficiency of security amplification for message authentication codes, digital signatures, and pseudorandom functions studied in [DIJK09]. This follows from an improvement of the "Chernoff-type Theorems" for dynamic weakly-verifiable puzzles of [DIJK09].
Distinguishing Distributions Using Chernoff Information
Cited by 8 (3 self)
Abstract
In this paper, we study the soundness amplification by repetition of cryptographic protocols. As a tool, we use the Chernoff Information. We specify the number of attempts or samples required to distinguish two distributions efficiently in various protocols. This includes weakly verifiable puzzles such as CAPTCHA-like challenge-response protocols, interactive arguments in the sequential composition scenario, and cryptanalysis of block ciphers. As our main contribution, we revisit computational soundness amplification by sequential repetition in the threshold case, i.e. when completeness is not perfect. Moreover, we outline applications to the Leftover Hash Lemma and iterative attacks on block ciphers.
Security Amplification for Interactive Cryptographic Primitives
2009
Cited by 5 (3 self)
Abstract
Security amplification is an important problem in cryptography: starting with a "weakly secure" variant of some cryptographic primitive, the goal is to build a "strongly secure" variant of the same primitive. This question has been successfully studied for a variety of important cryptographic primitives, such as one-way functions, collision-resistant hash functions, encryption schemes and weakly verifiable puzzles. However, all these tasks were non-interactive. In this work we study security amplification of interactive cryptographic primitives, such as message authentication codes (MACs), digital signatures (SIGs) and pseudorandom functions (PRFs). In particular, we prove direct product theorems for MACs/SIGs and an XOR lemma for PRFs, therefore obtaining nearly optimal security amplification for these primitives. Our main technical result is a new Chernoff-type theorem for what we call Dynamic Weakly Verifiable Puzzles, a generalization of ordinary Weakly Verifiable Puzzles which we introduce in this paper.
An efficient parallel repetition theorem
Cited by 4 (2 self)
Abstract
We present a general parallel-repetition theorem with an efficient reduction. As a corollary of this theorem we establish that parallel repetition reduces the soundness error at an exponential rate in any public-coin argument, and more generally, in any argument where the verifier's messages, but not necessarily its decision to accept or reject, can be efficiently simulated with noticeable probability.
Lower bounds on the query complexity of non-uniform and adaptive reductions showing hardness amplification
2012
Cited by 3 (1 self)
Abstract
Hardness amplification results show that for every Boolean function f there exists a Boolean function Amp(f) such that the following holds: if every circuit of size s computes f correctly on at most a 1 − δ fraction of inputs, then every circuit of size s′ computes Amp(f) correctly on at most a 1/2 + ϵ fraction of inputs. All hardness amplification results in the literature suffer from "size loss", meaning that s′ ≤ ϵ · s. In this paper we show that proofs using "non-uniform reductions" must suffer from such size loss. To the best of our knowledge, all proofs in the literature are by non-uniform reductions. Our result is the first lower bound that applies to non-uniform reductions that are adaptive. A reduction is an oracle circuit R^(·) such that when given oracle access to any function D that computes Amp(f) correctly on a 1/2 + ϵ fraction of inputs, R^D computes f correctly on a 1 − δ fraction of inputs. A non-uniform reduction is allowed to also receive a short advice string that may depend on both f and D in an arbitrary way. The well-known connection between hardness amplification and list-decodable error-correcting codes implies that reductions showing hardness amplification cannot be uniform for δ, ϵ < 1/4. A reduction is non-adaptive if it makes non-adaptive queries to its oracle. Shaltiel and Viola (SICOMP 2010) showed lower bounds on the number of queries made by non-uniform