Results 1  10
of
31
Lower bounds on the Efficiency of Generic Cryptographic Constructions
 41ST IEEE SYMPOSIUM ON FOUNDATIONS OF COMPUTER SCIENCE (FOCS), IEEE
, 2000
"... A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we ..."
Abstract

Cited by 76 (6 self)
 Add to MetaCart
A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentiallytight lower bounds on the best possible efficiency of any blackbox construction of some fundamental cryptographic tools from the most basic and widelyused cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal oneway hash functions, and digital signatures based on oneway permutations, as well as constructions of public and privatekey encryption schemes based on trapdoor permutations. In each case, we show that any blackbox construction beating our efficiency bound would yield the unconditional existence of a oneway function and thus, in particular, prove P != NP.
ChosenCiphertext Security via Correlated Products
"... We initiate the study of onewayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (x1,..., xk), so that the function (f(x1),..., f(xk)) is oneway. The main motivation of this study is the construction o ..."
Abstract

Cited by 43 (4 self)
 Add to MetaCart
(Show Context)
We initiate the study of onewayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (x1,..., xk), so that the function (f(x1),..., f(xk)) is oneway. The main motivation of this study is the construction of publickey encryption schemes that are secure against chosenciphertext attacks (CCA). We show that any collection of injective trapdoor functions that is secure under very natural correlated products can be used to construct a CCAsecure publickey encryption scheme. The construction is simple, blackbox, and admits a direct proof of security. We provide evidence that security under correlated products is achievable by demonstrating that any collection of lossy trapdoor functions, a powerful primitive introduced by Peikert and Waters (STOC ’08), yields a collection of injective trapdoor functions that is secure under the above mentioned natural correlated products. Although we eventually base security under correlated products on lossy trapdoor functions, we argue that the former notion is potentially weaker as a general assumption. Specifically, there is no fullyblackbox construction of lossy trapdoor functions from trapdoor functions that are secure under correlated products.
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statisticallyhiding commitments
 In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science
, 2007
"... We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fullyblackbox construction of a statisticallyhiding commitment scheme from oneway permutations, and even from trapdoor permutations. This lower bound matches th ..."
Abstract

Cited by 42 (13 self)
 Add to MetaCart
(Show Context)
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fullyblackbox construction of a statisticallyhiding commitment scheme from oneway permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statisticallyhiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as singleserver private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collisionfinding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ‘00). In both cases, our extensions are quite delicate and may be found useful in proving additional blackbox separation results.
On the (Im)Possibility of Key Dependent Encryption
"... We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)wise independent hashfunctions. There exists no fullyblackbox reduct ..."
Abstract

Cited by 33 (2 self)
 Add to MetaCart
(Show Context)
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)wise independent hashfunctions. There exists no fullyblackbox reduction from an encryption scheme secure against keydependent inputs to oneway permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H. • Let G be the family of polynomial sized circuits. There exists no reduction from an encryption scheme secure against keydependent inputs to, seemingly, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for g ∈ G, as long as the reduction’s proof of security treats both the adversary and the function g as black box. Keywords: Keydependent input security, blackbox separation 1
Towards a separation of semantic and cca security for public key encryption
, 2007
"... We address the question of whether or not semantically secure publickey encryption primitives imply the existence of chosen ciphertext attack (CCA) secure primitives. We show a blackbox separation, following the methodology introduced by Impagliazzo and Rudich [23], for a large nontrivial class o ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
(Show Context)
We address the question of whether or not semantically secure publickey encryption primitives imply the existence of chosen ciphertext attack (CCA) secure primitives. We show a blackbox separation, following the methodology introduced by Impagliazzo and Rudich [23], for a large nontrivial class of constructions. In particular, we show that if the proposed CCA construction’s decryption algorithm does not query the semantically secure primitive’s encryption algorithm, then the proposed construction cannot be CCA secure.
Hash Functions: From MerkleDamgård to Shoup
 EUROCRYPT
, 2001
"... In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal oneway hash functions and collisionresistant functions. For some of these c ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal oneway hash functions and collisionresistant functions. For some of these classes efficient (yielding short keys) composite schemes exist. Second, we prove that the schedule of the Shoup construction, which is the most efficient composition scheme for universal oneway hash functions known so far, is optimal.
OneWay Permutations, Interactive Hashing and StatisticallyHiding Commitments
, 2007
"... We present a lower bound on the round complexity of a natural class of blackbox constructions of statistically hiding commitments from oneway permutations. This implies a Ω ( n) lower bound on the log n round complexity of a computational form of interactive hashing, which has been used to constr ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
We present a lower bound on the round complexity of a natural class of blackbox constructions of statistically hiding commitments from oneway permutations. This implies a Ω ( n) lower bound on the log n round complexity of a computational form of interactive hashing, which has been used to construct statistically hiding commitments (and related primitives) from various classes of oneway functions, starting with the work of Naor, Ostrovsky, Venkatesan and Yung (J. Cryptology, 1998). Our lower bound matches the round complexity of the protocol studied by Naor et al.
Lower Bounds on Signatures From Symmetric Primitives
, 2008
"... We show that every construction of onetime signature schemes from a random oracle achieves blackbox security at most 2 (1+o(1))q, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability ..."
Abstract

Cited by 17 (6 self)
 Add to MetaCart
We show that every construction of onetime signature schemes from a random oracle achieves blackbox security at most 2 (1+o(1))q, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making 2 (1+o(1))q queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport’s onetime signatures (Lamport ’79) achieves 2 (0.812−o(1))q blackbox security using q queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and idealcipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is blackbox. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives. 1
Efficient Cryptographic Protocols Preventing “ManintheMiddle” Attacks
 COLUMBIA UNIVERSITY
, 2002
"... In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “maninthemiddle ” attacks) in which — in addition to eavesdropping — the adversary ..."
Abstract

Cited by 15 (2 self)
 Add to MetaCart
(Show Context)
In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “maninthemiddle ” attacks) in which — in addition to eavesdropping — the adversary inserts, deletes, or arbitrarily modifies messages sent from one user to another. Passive attacks are well characterized (the adversary’s choices are inherently limited) and techniques for achieving security against passive attacks are relatively well understood. Indeed, cryptographers have long focused on methods for countering passive eavesdropping attacks, and much work in the 1970’s and 1980’s has dealt with formalizing notions of security and providing provablysecure solutions for this setting. On the other hand, active attacks are not well characterized and precise modeling has been difficult. Few techniques exist for dealing with active attacks, and designing practical protocols secure against such attacks remains a challenge. This dissertation considers active attacks in a variety of settings and provides new, provablysecure protocols preventing such attacks. Proofs of security are in the standard cryptographic model and rely on wellknown cryptographic assumptions. The protocols presented here are efficient and
Blackbox composition does not imply adaptive security
 In EUROCRYPT
, 2004
"... In trying to provide formal evidence that composition has security increasing properties, we ask if the composition of nonadaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are nonadaptively secure pe ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
(Show Context)
In trying to provide formal evidence that composition has security increasing properties, we ask if the composition of nonadaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are nonadaptively secure permutation generators, but where the composition of such generators fail to achieve security against adaptive adversaries. Thus, any proof of security for such a construction would need to be nonrelativizing. This result can be used to partially justify the lack of formal evidence we have that composition increases security, even though it is a belief shared by many cryptographers.