O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness. In Proc. 31st Annual Symposium on Foundations of Computer Science, pp. 318-- 326. IEEE, 1990.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....ingredients, explicit security parameters and carefully quantified security reductions, form the basis for what we call concrete security analysis. In the case of pseudorandom functions this study was initiated in [4, 3] Security preserving reductions are the subject of other works as well, e.g. [9, 11]. Following [4] we say that a function family G is (t; q; l; ffl) secure if a program that runs in time t (more precisely, the running time plus size of the description of the program, in some fixed RAM model of computation, must be bounded by t) given an oracle for a function E and allowed to ....

O. GOLDREICH, R. IMPAGLIAZZO, L. LEVIN, R. VENKATESAN, AND R. ZUCKERMAN,D., "Security Preserving Amplification of Hardness." Proceedings of the 31st Symposium on Foundations of Computer Science, IEEE, 1990.

....that a random integer n contains two large primefactors. i.e. if we pick n at random and e as a prime larger than n, then x ## x e modn is a weak trapdoor permutation over Z # n (relative to assumption 1. The same observation was used in [9] where they refer to general amplification results[21, 13] to obtain a collection of strong trapdoor permutations from this collection of weak ones. Here we apply an explicit amplification procedure, which is slightly more e#cient, and prove that it gives us a simulatable collection of trapdoor permutations. Let l be an amplification parameter, which we ....

....k ) log k ) and so is negligible. So we have: Theorem 5. Under assumption 1, the set SRSA = f i : D i # D i is a simulatable collection of trapdoor permutations. We note that ( 1 log k ) log k is only slightly below what is needed to be negligible. To obtain a security preserving[13] amplification we could use k k bit moduli. Another approach would be to remove the need for amplification by finding an invertible way to produce integers with two large primefactors and use just one such modulus for encryption. 6.2 Doing without Oblivious Index Generation We now proceed to ....

Oded Goldreich, Russell Impagliazzo, Leonid Levin, Ramarathnam Venkatesan, and David Zuckerman. Security preserving amplification of hardness. In 31st Annual Symposium on Foundations of Computer Science, volume I, pages 318-- 326, St. Louis, Missouri, 22--24 October 1990. IEEE.

....problem, and it is an open question whether such a PKC exists. If one does exist it is possible that an Algebraic Coded PKC might provide an example. Although such an example would not necessarily be practically secure, since NP complete problems can be almost always easy, there is some evidence[9] that NP security, once obtained, can be amplified to the required cryptographic security. 1.3 Gabidulin codes and the Gabidulin PKC Definition1. Let x be any q vector over GF (2 m ) The p Theta q Gabidulin matrix with generating vector x is the matrix whose first row is x, and whose i th row ....

GOLDREICH O., IMPAGLIAZZO R., LEVIN L., VENKATESAN R., and ZUCKERMAN D. "Security Preserving Amplification of Hardness." Proc. of the 31st Annual Symposium on the Foundations of Computer Science (FOCS), 1990.

....that a random integer n contains two large primefactors. i.e. if we pick n at random and e as a prime larger than n, then x ## x e modn is a weak trapdoor permutation over Z # n (relative to assumption 1. The same observation was used in [9] where they refer to general amplification results[21, 13] to obtain a collection of strong trapdoor permutations from this collection of weak ones. Here we apply an explicit amplification procedure, which is slightly more e#cient, and prove that it gives us a simulatable collection of trapdoor permutations. Let l be an amplification parameter, which we ....

....k ) log k ) and so is negligible. So we have: Theorem 5. Under assumption 1, the set SRSA = f i : D i # D i is a simulatable collection of trapdoor permutations. We note that ( 1 log k ) log k is only slightly below what is needed to be negligible. To obtain a security preserving[13] amplification we could use k k bit moduli. Another approach would be to remove the need for amplification by finding an invertible way to produce integers with two large primefactors and use just one such modulus for encryption. 6.2 Doing without Oblivious Index Generation We now proceed to ....

Oded Goldreich, Russell Impagliazzo, Leonid Levin, Ramarathnam Venkatesan, and David Zuckerman. Security preserving amplification of hardness. In 31st Annual Symposium on Foundations of Computer Science, volume I, pages 318-- 326, St. Louis, Missouri, 22--24 October 1990. IEEE.

.... been studied extensively, and have numerous applications in theoretical computer science, including space efficient algorithms for undirected connectivity [4, 8] derandomization [1] recycling of random bits [10, 15] approximation algorithms [6, 12, 17] efficient constructions in cryptography [14], and self stabilizing distributed computing [11, 16] Frequently (see, for example, Karger et al. 19] and Nisan et al. 20] we are interested in E[T (N ) the expected time before a simple random walk on an undirected connected graph, G, visits its N th distinct vertex, N n. The ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. I. Zuckerman, Security preserving amplification of hardness, in Proceedings 31st Annual Symposium on Foundations of Computer Science, St. Louis, MO, Oct. 1990, IEEE, pp. 318--326.

....Eigenvalues, Expander graphs, Induced subgraphs, Load balancing, Ramanujan graphs, Random walks, Selection networks. 1 Introduction Expander graphs are widely used in Theoretical Computer Science, in areas ranging from parallel computation [1, 7, 21, 28, 34] to complexity theory and cryptography [2, 8, 16, 35]. Given an XEROX Palo Alto Research Center, 3333 Coyote Hill Road, CA 94304. This work was done mostly when the author was at the Massachusetts Institute of Technology, and partly at DIMACS. This work was partially supported by the Defense Advanced Research Projects Agency under Contracts ....

....previously known bound [4] of 2 p k Gamma 1. Sections 3 5 contain our main results. In Section 6, we apply our techniques to obtain improved results on random walks on expanders. Random walks are often used in complexity theory and cryptography, and our bound improves upon previous results in [2, 16]. Applications to selection networks and extrovert graphs are described in Section 7. We conclude with some remarks in Section 8. Some of the results in this paper have appeared in an extended abstract form in [18, 19] and in a more detalied form in [20] 2 Notation, definitions, and background ....

[Article contains additional citation context not shown here]

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness. In Proceedings of the 31st Annual Symposium on Foundations of Computer Science, pages 318--326. IEEE Computer Society Press, 1990.

....cryptographic primitives can be made, including those related to public key cryptography. As particular examples of how the new definitions of reductions using public randomness work, we provide reductions that use public randomness from weak one way permutations to one way permutations. Following [1], our primary concern is the security preserving properties of the reduction, i.e. how much of the security of the weak one way permutation is transferred to the one way permutation. However, unlike [1] we consider the security as a function solely of the length of the private input, which does ....

....that use public randomness from weak one way permutations to one way permutations. Following [1] our primary concern is the security preserving properties of the reduction, i.e. how much of the security of the weak one way permutation is transferred to the one way permutation. However, unlike [1], we consider the security as a function solely of the length of the private input, which does not include the public random bits. We show reductions that preserve security in a very strong sense, which is stronger than that of the reduction due to [1] under the new definitions) We begin with a ....

[Article contains additional citation context not shown here]

Goldreich, O., Impagliazzo, R., Levin, L., Venketesan, R., Zuckerman, D., "Security Preserving Amplification of Hardness", Proceedings of the 31st IEEE Symposium on Foundations of Computer Science, pp. 318-326, 1990.

....the largest one, are equal. This case can be further reduced to the case where the state space consists of two elements. Random walks have been used in many areas of Computer Science, such as approximation algorithms [12, 17] See also [14] and references therein) complexity and cryptography [1, 8, 11], and distributed computing [15] The rest of the paper is organized as follows. Section 2 contains basic results and definitions. Section 3 contains the proof of our main result. We establish more explicit but weaker bounds in Section 4, and present an application to the leader election problem. ....

....[6] has subsequently shown that can be replaced by 1 in Eq. 7. Theorem 4.2 shows that the exponent in our bound always beats the one in Eq. 7 by at least a constant factor. For fixed fi, Theorem 4.1 shows that it beats it by a factor of Theta( A) Gamma1 ) when (A) is small. Following [1, 8], an improved bound on the probability that a random walk on a regular graph stays inside a given set was given in [13] The following theorem generalizes this result to any reversible reversible Markov Chain on a finite state space. The proof we use is similar. Theorem 4.3 The probability that X ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness. In Proceedings of the 31st Annual Symposium on Foundations of Computer Science, pages 318--326. IEEE Computer Society Press, 1990.

No context found.

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman. Security Preserving Amplification of Hardness. In 31st FOCS, pages 318--326, 1990.

No context found.

Goldreich, O., Impagliazzo, R., Levin, L., Venketesan, R., Zuckerman, D., "Security Preserving Amplification of Hardness", Proceedings of the 31st IEEE Symposium on Foundations of Computer Science, pp. 318-326, 1990.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness. In 31st FOCS, pages 318--326, 1990. 25

....) 1 , G 2 (1 ) G(1 ) and extend f fi into g fi so that g fi (x) f fi (x) if x 2 D fi and g fi (x) x otherwise. This yields a collection of common domain permutations, fg fi : f0; 1g jfij 1 1 7 f0; 1g g, which are weakly one way. Employing amplification techniques (e.g. [Y, GILVZ]) we obtain a proper common domain system. In the sequel we refer to common domain trapdoor systems in a less formal way. We say that two oneway permutations, f a and f b , are a pair if they are both permutations over the same domain (i.e. a = ff; fi 1 ) and b = ff; fi 2 ) where the domain ....

....of N is not known. Let f N (x) x e (mod N) if x N and f N (x) x otherwise. With non negligible probability N is a product of two large primes. Thus, this construction yields a collection of common domain permutations which are weakly one way. Employing an amplification procedure (e.g. [Y, GILVZ]) we obtain a proper common domain system. This common domain trapdoor system can be used as described in Section 4.2. However, here the keygeneration stage can be simplified considerably. Observe that it is possible to choose a permutation from the above distribution without knowing its ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan and D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, 1990, pp. 318--326.

....need to set the security parameter in the first case to the square of the one in the second case for the same level of security, so that the first algorithm effectively becomes O(k 6 ) where k is the security paramter. The efficiency of security reductions has been treated by Goldreich et al. [GILVZ] in the context of one way permutations. More recently, there has been much interest in this subject in the context of pseudorandom functions [BCK, BGK] The reason is that pseudorandom functions, introduced by [GGM] are a useful tool in cryptographic protocol design for both theoretical and ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan and D. Zuckerman. Security preserving amplification of hardness. Proceedings of the 31st Symposium on Foundations of Computer Science, IEEE, 1990.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, "Security Preserving Amplification of Hardness." In Proceedings of the 31st Annual IEEE Symposium on Foundations of Computer Science, 1990, pp. 318-326.

....1 p(n) where the probability is over the random choices of x and the random tape of A. The above definition is of a strong one way function. Its existence is equivalent to the existence of weak one way function using Yao s amplification technique [37] or the more security preserving method of [15] which is applicable only to permutations or regular functions. A weak one way function has the same definition as above, but the hardness of inversion is smaller, i.e. its probability is inverse polynomially away from 1. If in addition f is 1 1 and length preserving then we say the f is a ....

....all numbers smaller than P where 2 n Gamma1 P 2 n , as is the case in the number theoretic constructions. Then we can construct from it a weak one way permutation f : f0; 1g n 7 f0; 1g n by taking f(x) f 0 (x) if x 2 S and f(x) x otherwise. Using the amplification techniques of [37, 15] we can then obtain a strong one way permutation on a domain f0; 1g n 0 for n 0 linear in n. The goal of this paper is to present a construction of perfectly secure computationally binding commitment from any one way permutation. 2.3 Perfect Zero Knowledge Arguments We now briefly discuss ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, Security Preserving Amplification of Hardness, Proc. IEEE 31st Symp. on Foundations of Computer Science, 1990, pp. 318--326.

No context found.

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman, Security Preserving Amplification of Hardness, Proc. of the 31st IEEE Symp. on Foundation of Computer Science (FOCS), 31st FOCS, pp. 318--326, 1990.

.... for any one way functions [67] ffl A plausibility result of Yao (commonly attributed to [120] by which any weak one way permutation can be transformed into an ordinary one way permutation was replaced by an efficient transformation of weak one way permutation into ordinary one way permutation [65]. ffl A plausibility result of [68] by which one may construct Verifiable Secret Sharing schemes (cf. 39] using any one way function, was replaced by an efficient construction the security of which is based on DLP [54] In general, many concrete problems which are solvable in principle (by the ....

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman. Security Preserving Amplification of Hardness. In 31st IEEE Symposium on Foundations of Computer Science, pages 318--326, 1990. 29

.... for any one way functions [96] ffl A plausibility result of Yao (commonly attributed to [168] by which any weak one way permutation can be transformed into an ordinary one way permutation was replaced by an efficient transformation of weak one way permutation into ordinary one way permutation [93]. ffl A plausibility result of [97] by which one may construct Verifiable Secret Sharing schemes (cf. 49] using any one way function, was replaced by an efficient construction the security of which is based on DLP [76] In general, many concrete problems which are solvable in principle (by the ....

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman. Security Preserving Amplification of Hardness. In 31st IEEE Symposium on Foundations of Computer Science, pages 318--326, 1990.

No context found.

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, pp. 318--326, 1990.

....if f is a permutation on f0; 1g n ; n 0, then we say that f is a one way permutation. The above definition is of a strong one way function. Its existence is equivalent to the existence of the weak one way function [Y82] a stronger equivalence is possible in the case of permutations (see [GILVZ]) A weak one way function has the same definition as above, except the probability of successful inversion above is 1 Gamma 1=n c ; c 0. 3 Main Result We show that if there is any one way permutation, then honest verifier zero knowledge is in fact just as strong as zero knowledge. Theorem ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, Security Preserving Amplification of Hardness, FOCS 90.

....p and all sufficiently large n, Pr[f(x) f(A(f(x) j x 2R f0; 1g n ] 1=p(n) The above definition is of a strong one way function. Its existence is equivalent to the existence of the weaker somewhat one way function using Yao s amplification technique [Y82] or the more efficient method of [GILVZ] (which is applicable only to permutations or regular functions) A somewhat one way function has the same definition as above, but the hardness of inversion is smaller, i.e. its probability is inverse polynomially away from 1. If in addition f is 1 1 then we say the f is a One Way Permutation. ....

....permutations. For practical purposes consider the data encryption standard (DES) Kon] Given a k regular [GKL] one way function (i.e. the number of pre images of a point is k and is k on a significant fraction) one can transform it into a one way function which is 1 1 almost everywhere [GILVZ]. We apply this to the function DES(k;m) y (k = key, m= message) where (actual used parameters are) k 2 f0; 1g 56 , m; y 2 f0; 1g 64 . Assuming that DES is not breakable on line (say in 10 seconds) then it is a good candidate for our scheme. We explore this further in the full version of ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, Security Preserving Amplification of Hardness, FOCS 90.

No context found.

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, pp. 318--326, 1990.

....density (within the vertex set) The importance of this discovery stems from the fact that a random walk on an expander can be generated using much fewer random coins than required for generating indepdendent samples in the vertex set. Precise formulations of the above discovery were given in [AKS87, CW89, GILVZ90] culminating in Kahale s optimal analysis [K91, Sec. 6] Theorem 1.1 (Expander Random Walk Theorem [K91, Cor. 6.1] Let G = V; E) be an expander graph of degree d and be an upper bound on the absolute value of all eigenvalues, save the biggest one, of the adjacency matrix of the graph. Let W ....

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, and D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, pp. 318--326, 1990.

....the probability is over the random choices of x and the random tape of A. The above definition is of a strong one way function. Its existence is equivalent to the existence of the weaker somewhat one way function using Yao s amplification technique [30] or the more security preserving method of [10] (which is applicable only to permutations or regular functions) A somewhat one way function has the same definition as above, but the hardness of inversion is smaller, i.e. its probability is inverse polynomially away from 1. If in addition f is 1 1 and length preserving then we say the f is a ....

....numbers smaller than P where 2 n Gamma1 P 2 n , as is the case in the number theoretic constructions. Then we can construct from it a somewhat one way permutation f : f0; 1g n 7 f0; 1g n by taking f(x) f 0 (x) if x 2 S and f(x) x otherwise. Using the amplification techniques of [30, 10] we can then obtain a strong one way permutation on a domain f0; 1g n 0 for n 0 polynomial in n. 3 Perfectly Secure Simulatable Bit Commitment We present a perfectly secure bit commitment scheme and a proof of its security. To get the intuition, consider the following protocol: ffl The ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, Security Preserving Amplification of Hardness, Proc. 31st Symp. on Foundations of Computer Science, 1990, pp. 318-- 326.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan and D. Zuckerman, "Security Preserving Amplification of Hardness ", FOCS 1990, pp. 318--326.

....n , G 2 (1 n ) G(1 n ) and extend f fi into g fi so that g fi (x) f fi (x) if x 2 D fi and g fi (x) x otherwise. This yields a collection of common domain permutations, fg fi : f0; 1g jfij 1 1 7 f0; 1g jfij g, which are weakly one way. Employing amplification techniques (e.g. [Y, GILVZ]) we obtain a proper common domain system. In the sequel we refer to common domain trapdoor systems in a less formal way. We say that two oneway permutations, f a and f b , are a pair if they are both permutations over the same domain (i.e. a = ff; fi 1 ) and b = ff; fi 2 ) where the domain is ....

....of N is not known. Let f N (x) x e (mod N) if x N and f N (x) x otherwise. With non negligible probability N is a product of two large primes. Thus, this construction yields a collection of common domain permutations which are weakly one way. Employing an amplification procedure (e.g. [Y, GILVZ]) we obtain a proper common domain system. This common domain trapdoor system can be used as described in Section 4.2. However, here the keygeneration stage can be simplified considerably. Observe that it is possible to choose a permutation from the above distribution without knowing its trapdoor. ....

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan and D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, 1990, pp. 318--326.

No context found.

Goldreich, O., Impagliazzo, R., Levin, L., Venketesan, R., Zuckerman, D., "Security Preserving Amplification of Hardness", Proceedings of the 31st IEEE Symposium on Foundations of Computer Science, pp. 318-326, 1990.

....by using O(m) bits to specify a starting point and then using O(m) bits to choose a path of length O(m) starting at this point. With probability at least 1 Gamma 2 Gammam , at least one of these points specifies a sequence of m polynomials containing at least one irreducible polynomial (cf. [2, 13, 20, 17, 8]) This sampling requires O(m) bits. Call the resulting sample space Em . ffl A sample point in Em specifies O(m 2 ) polynomials and with overwhelming probability at least one of them is irreducible. Say we output the first irreducible polynomial among these m 2 polynomials. Remark 1 When ....

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan, D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, 1990, pp. 318-326.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, "Security Preserving Amplification of Hardness," 31st FOCS, 1990, pp. 318-326.

....F is only weakly one way. 2 Remark: The function f (constructed above) may be only weakly one way since it equals the identity transformation for a part of its domain and this part may have non negligible measure. To get a (strongly) one way function, one may apply the transformation in [4] to the function f . In fact, degenerate versions of the transformation in [4] suffice for this purpose. The above construction is stated with respect to the simplified definition of a family of one way permutations. Recall that in the non simplified version, the index selecting algorithm, S, is ....

....may be only weakly one way since it equals the identity transformation for a part of its domain and this part may have non negligible measure. To get a (strongly) one way function, one may apply the transformation in [4] to the function f . In fact, degenerate versions of the transformation in [4] suffice for this purpose. The above construction is stated with respect to the simplified definition of a family of one way permutations. Recall that in the non simplified version, the index selecting algorithm, S, is only required to have an output with non negligible probability (i.e. the ....

[Article contains additional citation context not shown here]

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan and D. Zuckerman, "Security Preserving Amplification of Hardness", 31st FOCS, 1990, pp. 318--326.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness. In Proc. 31st Annual Symposium on Foundations of Computer Science, pp. 318-- 326. IEEE, 1990.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman, Security Preserving Amplification of Hardness, FOCS 90.

No context found.

O. Goldreich, R. Impagliazzo, L. Levin, R. Venkatesan, and D. Zuckerman. Security preserving amplification of hardness. In Proc. 31st Annual Symposium on Foundations of Computer Science, pages 318--326. IEEE, 1990.

No context found.

Oded Goldreich, Russell Impagliazzo, Leonid Levin, Ramarathnam Venkatesan, and David Zuckerman. Security preserving amplification of hardness. In 31st Annual Symposium on Foundations of Computer Science, volume I, pages 318-- 326, St. Louis, Missouri, 22--24 October 1990. IEEE.

No context found.

Oded Goldreich, Russell Impagliazzo, Leonid Levin, Ramarathnam Venkatesan, and David Zuckerman. Security preserving amplification of hardness. In 31st Annual Symposium on Foundations of Computer Science, volume I, pages 318--326, St. Louis, Missouri, 22--24 October 1990. IEEE.

No context found.

O. Goldreich, R. Impagliazzo, L.A. Levin, R. Venkatesan and D. Zuckerman. Security preserving amplification of hardness, Proc. 31st Ann. Symp. on Foundations of Computer Science, (1990), 318--326.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC