On the Efficiency of 2 Generic Cryptographic Constructions


On the Efficiency of 2 Generic Cryptographic Constructions
Luca Trevisan, U.C. Berkeley
Joint work with Rosario Gennaro (IBM)

Generic Constructions
- From a OWP of security S we can get a PRG of expansion k that evaluates the OWP O(k/log S) times [BMY & GL]
- From the hardness of discrete log, we can get a length-doubling PRG that requires O(1) exponentiations
- Can we improve BMY, or is there a genericity/efficiency trade-off?

Generic Constructions (continued)
- UOWHF: a family H_s : {0,1}^m -> {0,1}^{m-k} such that, given random x and s, it is hard to find x' with H_s(x) = H_s(x')
- From a OWP of security S, we can get a UOWHF of compression k that evaluates the OWP O(k/log S) times [NY & GL]
- Can we do better?

What is the Question?
- It is impossible to prove that "every construction of a PRG based on a OWP needs at least q evaluations of the OWP"
- Suppose we have a provably good PRG; then there is a construction of "PRG based on a OWP" that uses zero evaluations and has arbitrary expansion

"Current Techniques"
- We can try to prove that "every construction of a PRG based on OWP and analyzed using current techniques evaluates the OWP at least q times"

Impagliazzo-Rudich
- Impagliazzo & Rudich face the same problem when trying to prove that "there is no key-agreement (KA) construction based on OWP"
- If key agreement is possible, then key agreement is possible "using one-way permutations"
- They argue that there is no KA construction based on OWP that can be analyzed using "current techniques"

How to Model Standard Crypto Reductions (1)
Weak black-box KA based on OWP: Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible. Then there are PPT A, B such that there is no PPT E that breaks the KA protocol (A^f, B^f) with noticeable probability.

Comments
- In a weak BB construction we use that f is one-way, but not that f has a poly-size circuit
- Weak BB captures all known constructions except some zero-knowledge-based ones (notably, identification schemes)
- Mind-twister observation 1 [Reingold-T.-Vadhan]: the statements "OWP imply KA" and "there is a weak black-box construction of KA based on OWP" are equivalent

How to Model Standard Crypto Reductions (2)
Semi black-box KA based on OWP: Suppose f is such that for every PPT I we have Pr[I^f(f(x)) = x] < negligible. Then there are PPT A, B such that there is no PPT E such that E^f breaks the KA protocol (A^f, B^f) with noticeable probability.

Comments
- In semi-BB we do not use the fact that the adversary for the construction has small size (but we may use that it has small size relative to f)
- All known constructions (except id. protocols) are also semi-black-box
- Impagliazzo-Rudich: a semi-BB construction of KA from OWP implies P =/= NP
- Reingold-Vadhan: unconditionally impossible

How to Model Standard Crypto Reductions (3)
Fully black-box KA based on OWP: For every f there are PPT A, B, R such that if E breaks the KA protocol (A^f, B^f) with noticeable probability, then Pr[R^{f,E}(f(x)) = x] > noticeable.

Comments
- All known reductions yada yada yada
- Impagliazzo-Rudich: unconditionally, there is no fully BB construction of KA based on OWP (even if the fully BB condition is satisfied only for most f instead of for every f)

Relativizations
- Alternative approach: find an oracle relative to which KA is impossible but OWP exist
- Then no relativizing construction of KA based on OWP can exist
- Reingold-Vadhan: an unconditional impossibility of semi-BB is equivalent to an oracle separation

The Small Picture (on KA using OWP)
- No weakly-BB construction
- No semi-BB construction
- Oracle separation
- No fully-BB construction

Previous Results on Efficiency
- Kim-Simon-Tetali: there is an oracle relative to which every construction of UOWHF of compression k based on OWP evaluates the OWP Ω(k^{1/2}) times
- No negative result on PRG based on OWP

Our Results (Gennaro-T 00)
- If there is a weakly-BB construction of UOWHF based on OWP that uses o(k/log S) evaluations, then one-way functions exist (and zero evaluations are enough)
- (Also, unconditionally, no semi-BB construction with o(k/log S) evaluations, and an oracle relative to which . . . )
- Same for PRG of expansion k

Pseudorandom Generators
- Suppose there were a weak-BB construction of expansion k with q = o(k/log S) invocations
- If f is one-way with security S, then the output is pseudorandom
[Figure: weak-BB PRG with oracle access to f; seed m bits, output m+k bits]

Hardness of Random Permutations
- If a permutation f : {0,1}^t -> {0,1}^t is picked at random, then whp: for every A of size < 2^{t/5}, Pr_x[A^f(f(x)) = x] < 2^{-t/5}
- Pick at random f : {0,1}^{5 log S} -> {0,1}^{5 log S}
- Define g : {0,1}^n -> {0,1}^n as g(a, b) = (f(a), b)
- Then g is whp one-way with hardness S

Generator Works with Random g
- Pick g at random as above, pick the seed at random, and give the seed and oracle access to g to the PRG construction
- The output distribution is pseudorandom
[Figure: weak-BB PRG making q queries to g; seed m bits, output m+k bits]

Simulation with no Oracle
- The output can be sampled with m + 5q log S < m+k random bits
- We have, unconditionally, a PRG
[Figure: weak-BB PRG with the q queries simulated; seed m + 5q log S bits, output m+k bits]
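The simulation step on this slide, as an added example (not code from the talk): the q oracle answers are read off extra seed bits, so a construction that only has oracle access to g becomes an oracle-free generator with seed m + 5q log S bits. The construction plugged in (`stand_in_construction`) is a hypothetical placeholder for any weak-BB construction; the 5 log S bits per answer follow the slides' choice of f.

```python
from hashlib import sha256
from typing import Callable, Dict, Tuple
Bits = str  # bit strings such as "0110"

def oracle_from_bits(r: Bits, width: int) -> Callable[[Bits, Bits], Tuple[Bits, Bits]]:
    """Simulate g(a, b) = (f(a), b): the i-th distinct query a_i is answered with
    the i-th unused width-bit chunk of r, so repeated queries stay consistent.
    Chunks are independent strings, not a true permutation; a collision among
    q chunks of 5*logS bits has probability about q^2 / S^5 (the slides' "whp")."""
    table: Dict[Bits, Bits] = {}
    pos = 0
    def g(a: Bits, b: Bits) -> Tuple[Bits, Bits]:
        nonlocal pos
        if a not in table:
            if pos + width > len(r):
                raise RuntimeError("more oracle queries than the budgeted q")
            table[a] = r[pos:pos + width]
            pos += width
        return table[a], b
    return g

def stand_in_construction(x: Bits, g, q: int, k: int, width: int) -> Bits:
    """Hypothetical placeholder for any weak-BB construction: m-bit seed x,
    q oracle queries, m+k-bit output. It iterates g on the leading width bits
    of the state and stretches the query transcript with a public hash; only
    this interface matters for the counting argument, not its security."""
    a, b = x[:width], x[width:]
    transcript = x
    for _ in range(q):
        a, b = g(a, b)
        transcript += a
    digest = sha256(transcript.encode()).digest()
    return x + "".join(format(byte, "08b") for byte in digest)[:k]

def derandomize(m: int, k: int, q: int, logS: int):
    """Return (G', seed_len, out_len): G' is the oracle-free generator whose
    seed is x plus the 5*q*logS bits that replace the q random answers of f."""
    width = 5 * logS
    seed_len = m + q * width
    def G_prime(seed: Bits) -> Bits:
        if len(seed) != seed_len:
            raise ValueError(f"seed must be {seed_len} bits")
        x, r = seed[:m], seed[m:]
        return stand_in_construction(x, oracle_from_bits(r, width), q, k, width)
    return G_prime, seed_len, m + k

def is_genuine_expansion(m: int, k: int, q: int, logS: int) -> bool:
    """The argument yields an unconditional PRG exactly when m + 5q log S < m + k."""
    _, seed_len, out_len = derandomize(m, k, q, logS)
    return seed_len < out_len
```

With m = 64, k = 40, log S = 2 and q = 3 the simulated seed has 94 bits against 104 output bits, so the bound q = o(k/log S) is what makes the oracle-free generator expanding.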

Hash Functions
- Suppose we have a weak-BB UOWHF of compression k with q = o(k/log S) invocations
- Secure if g is one-way of hardness S
[Figure: UOWHF H_s with oracle access to g; input x of m bits, key s, output H_s(x) of m-k bits]

Random g
- Pick at random f : {0,1}^{5 log S} -> {0,1}^{5 log S}
- Define g : {0,1}^n -> {0,1}^n as g(a, b) = (f(a), b)
- Modify the construction so that the f part of the oracle queries is given in the output
- The construction is still compressing and secure
[Figure: UOWHF with oracle access to g; input x of m bits, key s, output H_s(x), f(a_1), ..., f(a_q) of m-k+q log S bits]

Unconditional Construction
- Define H_{s,r}: on input x, simulate the weak-BB construction H_s on input x, using r to simulate the random oracle f
- It compresses m bits to m-k+5q log S < m bits and is secure

Conclusions
- Similar bounds for secure public-key encryption and signatures (GKM)
- Stronger bounds for PRG constructions from OWF? (Or, can we improve the efficiency of HILL?)
- Mind-twister observation 2 [Reingold-T-Vadhan]: there IS a weak-BB construction of PRG from OWF that makes O(k/log S) invocations

The weak-BB Construction
- Suppose one-way functions exist: then using HILL we can construct a "OWF-based" PRG that makes zero invocations
- Suppose one-way functions do not exist: then G^f(<h>, x) = <h>, h(f, x), where h is a hash function mapping 2n bits into n+1 bits, satisfies the definition of a weak-BB construction
- Using Levin's universal one-way function, it is possible to come up with a single construction that is provably weak-BB and makes few invocations (What does it mean?)