Results 1 - 9 of 9
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 42 (13 self)
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
On the (Im)Possibility of Key Dependent Encryption
Cited by 35 (2 self)
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results:
• Let H be the family of poly(n)-wise independent hash functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent inputs to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H.
• Let G be the family of polynomial-sized circuits. There exists no reduction from an encryption scheme secure against key-dependent inputs to, seemingly, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for g ∈ G, as long as the reduction’s proof of security treats both the adversary and the function g as black box.
Keywords: Key-dependent input security, black-box separation
One-Way Permutations, Interactive Hashing and Statistically-Hiding Commitments
In S. Vadhan (Ed.): Theory of Cryptography (TCC) 2007, LNCS 4392, 2007
Cited by 16 (1 self)
Abstract. We present a lower bound on the round complexity of a natural class of black-box constructions of statistically hiding commitments from one-way permutations. This implies an Ω(n/log n) lower bound on the round complexity of a computational form of interactive hashing, which has been used to construct statistically hiding commitments (and related primitives) from various classes of one-way functions, starting with the work of Naor, Ostrovsky, Venkatesan and Yung (J. Cryptology, 1998). Our lower bound matches the round complexity of the protocol studied by Naor et al.
A linear lower bound on the communication complexity of single-server private information retrieval
In preparation, 2008
Cited by 6 (3 self)
We study the communication complexity of single-server Private Information Retrieval (PIR) protocols that are based on fundamental cryptographic primitives in a black-box manner. In this setting, we establish a tight lower bound on the number of bits communicated by the server in any polynomially-preserving construction that relies on trapdoor permutations. More specifically, our main result states that in such constructions Ω(n) bits must be communicated by the server, where n is the size of the server’s database. Therefore, in the very natural setting under consideration, the naive solution in which the user downloads the entire database turns out to be optimal up to constant multiplicative factors. Moreover, while single-server PIR protocols with polylogarithmic communication complexity were shown to exist based on specific number-theoretic assumptions, the lower bound we provide identifies a substantial gap between black-box and non-black-box constructions of single-server PIR. Technically speaking, this paper consists of two main contributions from which our lower bound is obtained. First, we derive a tight lower bound on the number of bits communicated by the sender during the commit stage of any black-box construction of a statistically-hiding commitment scheme from a family of trapdoor permutations. This lower bound asymptotically matches the upper bound provided by the scheme of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). Second, we significantly improve the efficiency of the well-known reduction of statistically-hiding commitment schemes to non-trivial single-server PIR, due to Beimel, Ishai, Kushilevitz and Malkin (STOC ’99). In particular, we present a reduction that essentially preserves both the communication complexity and the round complexity of the underlying single-server PIR protocol.
Expressiveness of Definitions and Efficiency of Constructions in Computational Cryptography
2007
Cited by 1 (1 self)
The computational treatment of cryptography, and indeed any scientific treatment of a problem, is marked by its definitional side and by its constructive side. Results in this thesis better our understanding of both: on one side, they characterize the extent to which computational definitions capture the security of the basic task of symmetric encryption; on the other, they provide explicit bounds on the efficiency of commitment and secure two-party computation constructions. Specifically:
• We relate the formal and computational treatments of symmetric encryption, obtaining a precise characterization of computational schemes whose computational semantics imply their formal semantics. We prove that this characterization is strictly weaker than previously-identified notions, and show how it may be realized in a simpler, more efficient manner.
• We provide lower bounds on the number of times a one-way permutation needs to be invoked (as a “black box”) in order to construct statistically-binding commitments. Our bounds are tight for the case of perfectly-binding schemes.
• We show that the secure computation of any two-party functionality can be performed in an optimal two rounds of communication even in a setting that accounts for concurrent execution with other protocols (i.e., the Universal Composability framework). Here, we rely on the assumption that parties have access to a common reference string; some sort of setup is known to be necessary.
(Efficient) Universally Composable Oblivious Transfer Using a Minimal Number of Stateless Tokens
2013
We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware for universally composable secure computation. As our main result, we show an efficient oblivious-transfer (OT) protocol in which two parties each create and exchange a single, stateless token and can then run an unbounded number of OTs. Our result yields what we believe is the most practical and efficient known approach for oblivious transfer based on tamper-proof tokens, and implies that the parties can perform (repeated) secure computation of arbitrary functions without exchanging additional tokens. Motivated by this result, we investigate the minimal number of stateless tokens needed for universally composable OT / secure computation. We prove that our protocol is optimal in this regard for constructions making black-box use of the tokens (in a sense we define). We also show that non-black-box techniques can be used to obtain a construction using only a single stateless token.
University of California,
Abstract. We present a lower bound on the round complexity of a natural class of black-box constructions of statistically hiding commitments from one-way permutations. This implies an Ω(n/log n) lower bound on the round complexity of a computational form of interactive hashing, which has been used to construct statistically hiding commitments (and related primitives) from various classes of one-way functions, starting with the work of Naor, Ostrovsky, Venkatesan and Yung (J. Cryptology, 1998). Our lower bound matches the round complexity of the protocol studied by Naor et al.
Black-Box Complexity of Encryption and Commitment
2007
Copyright © 2007, by the author(s).
The Curious Case of Non-Interactive Commitments
2012
It is well-known that one-way permutations (and even one-to-one one-way functions) imply the existence of non-interactive commitments. Furthermore the construction is black-box (i.e., the underlying one-way function is used as an oracle to implement the commitment scheme, and an adversary attacking the commitment scheme is used as an oracle in the proof of security). We rule out the possibility of black-box constructions of non-interactive commitments from general (possibly not one-to-one) one-way functions. As far as we know, this is the first result showing a natural cryptographic task that can be achieved in a black-box way from one-way permutations but not from one-way functions. We next extend our black-box separation to constructions of non-interactive commitments from a stronger notion of one-way functions, which we refer to as hitting one-way functions. Perhaps surprisingly, Barak, Ong, and Vadhan (SIAM JoC ’07) showed that there does exist a non-black-box construction of non-interactive commitments from hitting one-way functions. As far as we know, this is the first result to establish a “separation” between the power of black-box and non-black-box use of a primitive to implement a natural cryptographic task.