Results 1-9 of 9
Chernoff-type Direct Product Theorems
 In Proceedings of the Twenty-Seventh Annual International Cryptology Conference (CRYPTO’07), 2007
Cited by 15 (5 self)
Abstract. Consider a challenge-response protocol where the probability of a correct response is at least α for a legitimate user, and at most β < α for an attacker. One example is a CAPTCHA challenge, where a human should have a significantly higher chance of answering a single challenge (e.g., uncovering a distorted letter) than an attacker; another example is an argument system without perfect completeness. A natural approach to boost the gap between legitimate users and attackers is to issue many challenges, and accept if the response is correct for more than a threshold fraction, for the threshold chosen between α and β. We give the first proof that parallel repetition with thresholds improves the security of such protocols. We do this with a very general result about an attacker’s ability to solve a large fraction of many independent instances of a hard problem, showing a Chernoff-like convergence of the fraction solved incorrectly to the probability of failure for a single instance.
On the Composition of Public-Coin Zero-Knowledge Protocols
 In CRYPTO, Springer LNCS 5677, 2009
Cited by 13 (7 self)
Abstract. We show that only languages in BPP have public-coin, black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any setup) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by showing the existence of a public-coin black-box zero-knowledge proof that remains secure under any a priori bounded number of concurrent executions.
A parallel repetition theorem for any interactive argument
 ECCC, TR09-027 (Revision 1), Tech. Rep., 2009
Cited by 12 (0 self)
Abstract — The question of whether or not parallel repetition reduces the soundness error is a fundamental question in the theory of protocols. While parallel repetition reduces (at an exponential rate) the error in interactive proofs and (at a weak exponential rate) in special cases of interactive arguments (e.g., 3-message protocols — Bellare, Impagliazzo and Naor [FOCS ’97], and public-coin protocols — Håstad, Pass, Pietrzak and Wikström [Manuscript ’08]), Bellare et al. gave an example of interactive arguments for which parallel repetition does not reduce the soundness error at all. We show that by slightly modifying any interactive argument, in a way that preserves its completeness and only slightly deteriorates its soundness, we get a protocol for which parallel repetition does reduce the error at a weak exponential rate. In this modified version,
Distinguishing Distributions Using Chernoff Information
Cited by 8 (3 self)
Abstract. In this paper, we study the soundness amplification by repetition of cryptographic protocols. As a tool, we use the Chernoff Information. We specify the number of attempts or samples required to distinguish two distributions efficiently in various protocols. This includes weakly verifiable puzzles such as CAPTCHA-like challenge-response protocols, interactive arguments in the sequential composition scenario, and cryptanalysis of block ciphers. As our main contribution, we revisit computational soundness amplification by sequential repetition in the threshold case, i.e., when completeness is not perfect. Moreover, we outline applications to the Leftover Hash Lemma and iterative attacks on block ciphers.
Security Amplification for Interactive Cryptographic Primitives
 2009
Cited by 5 (3 self)
Security amplification is an important problem in Cryptography: starting with a “weakly secure” variant of some cryptographic primitive, the goal is to build a “strongly secure” variant of the same primitive. This question has been successfully studied for a variety of important cryptographic primitives, such as one-way functions, collision-resistant hash functions, encryption schemes and weakly verifiable puzzles. However, all these tasks were non-interactive. In this work we study security amplification of interactive cryptographic primitives, such as message authentication codes (MACs), digital signatures (SIGs) and pseudorandom functions (PRFs). In particular, we prove direct product theorems for MACs/SIGs and an XOR lemma for PRFs, therefore obtaining nearly optimal security amplification for these primitives. Our main technical result is a new Chernoff-type theorem for what we call Dynamic Weakly Verifiable Puzzles, which is a generalization of ordinary Weakly Verifiable Puzzles which we introduce in this paper.
An efficient parallel repetition theorem
Cited by 4 (2 self)
We present a general parallel-repetition theorem with an efficient reduction. As a corollary of this theorem we establish that parallel repetition reduces the soundness error at an exponential rate in any public-coin argument, and more generally, any argument where the verifier’s messages, but not necessarily its decision to accept or reject, can be efficiently simulated with noticeable probability.
Tight Parallel Repetition Theorems for Public-coin Arguments
 Electronic Colloquium on Computational Complexity, Report No. 109, 2009
Cited by 2 (0 self)
Following Håstad et al. [HPPW08], we study parallel repetition theorems for public-coin interactive arguments and their generalizations. We obtain the following results: 1. We show that the reduction of Håstad et al. [HPPW08] actually gives a tight direct product theorem for public-coin interactive arguments. That is, n-fold parallel repetition reduces the soundness error from δ to δ^n. The crux of our improvement is a new analysis that avoids using Raz’s Sampling Lemma, which is the key to the previous results. 2. We give a new reduction to strengthen the direct product theorem of Håstad et al. for arguments with extendable and simulatable verifiers. We show that n-fold parallel repetition reduces the soundness error from δ to δ^(n/2), which is almost tight. In particular, we remove the dependency on the number of rounds in the bound, and as a consequence, extend the “concurrent” repetition theorem of Wikström [Wik09] to this model. 3. We give a simple and generic reduction which shows that tight direct product theorems imply almost-tight Chernoff-type theorems. The reduction extends our results to Chernoff-type theorems, and gives an alternative proof to the Chernoff-type theorem of Impagliazzo et al. [IJK07] for weakly-verifiable puzzles. 4. As an additional contribution, we observe that the reduction of Pass and Venkitasubramaniam [PV07] for constant-round public-coin arguments gives tight parallel repetition theorems for threshold verifiers, who accept when more than a certain number of repetitions accept.
Counterexamples to Hardness Amplification Beyond Negligible
 2012
Cited by 1 (0 self)
If we have a problem that is mildly hard, can we create a problem that is significantly harder? A natural approach to hardness amplification is the “direct product”; instead of asking an attacker to solve a single instance of a problem, we ask the attacker to solve several independently generated ones. Interestingly, proving that the direct product amplifies hardness is often highly non-trivial, and in some cases may be false. For example, it is known that the direct product (i.e. “parallel repetition”) of general interactive games may not amplify hardness at all. On the other hand, positive results show that the direct product does amplify hardness for many basic primitives such as one-way functions/relations, weakly-verifiable puzzles, and signatures. Even when positive direct product theorems are shown to hold for some primitive, the parameters are surprisingly weaker than what we may have expected. For example, if we start with a weak one-way function that no poly-time attacker can break with probability > 1/2, then the direct product provably amplifies hardness to some negligible probability. Naturally, we would expect that we can amplify hardness exponentially, all the way to 2^(−n) probability, or at least to some fixed/known negligible such as n^(−log n) in the security parameter n, just by taking sufficiently many instances of the weak primitive. Although it is known that such parameters cannot be proven via black-box reductions, they may seem like reasonable conjectures, and, to the best of our knowledge, are widely believed to hold. In fact, a conjecture along these lines was introduced in a survey of Goldreich, Nisan and Wigderson (ECCC ’95). In this work, we show that such conjectures are false by providing simple but surprising counterexamples. In particular, we construct weakly secure signatures and one-way functions, for which standard hardness amplification results are known to hold, but for which hardness does not amplify beyond just negligible. That is, for any negligible function ε(n), we instantiate these primitives so that the direct product can always be broken with probability ε(n), no matter how many copies we take.
An efficient concurrent repetition theorem
 2009
Cited by 1 (1 self)
Håstad et al. (2008) prove, using Raz’s lemma (STOC ’95), the first efficient parallel repetition theorem for protocols with a non-constant number of rounds, for a natural generalization of public-coin protocols. They show that a parallel prover that convinces a fraction 1 − γ of the embedded verifiers of a k-wise repeated m-message verifier can be turned into a prover with error probability 1 − γ − O(m·√(−log(ε)/k)). This improves previous results of Impagliazzo et al. (Crypto 2007) and Pass and Venkitasubramaniam (STOC 2007) that study the constant round case. We prove a generalization of Raz’s Lemma to random processes that allows us to improve the analysis of the reduction of Håstad et al. in the public-coin case to 1 − γ − O(√(−log(ε)/k)), i.e., we remove the dependence on the number of rounds completely, and thus the restriction to settings where k > m^2. An important implication of the strengthened parallel repetition theorem is the first efficient concurrent repetition theorem for protocols with a non-constant number of rounds. In concurrent repetition, the verifiers execute completely independently and only report their final decision, i.e., the prover chooses arbitrarily in which order it interacts with the individual verifiers. This should be contrasted with parallel repetition where the verifiers are synchronized in each round.