Results 1-10 of 13
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 42 (13 self)
Abstract:
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.

Reducing complexity assumptions for statistically-hiding commitment
In EUROCRYPT, 2005
Cited by 31 (6 self)
Abstract:
We revisit the following question: what are the minimal assumptions needed to construct statistically-hiding commitment schemes? Naor et al. show how to construct such schemes based on any one-way permutation. We improve upon this by showing a construction based on any approximable preimage-size one-way function. These are one-way functions for which it is possible to efficiently approximate the number of preimages of a given output. A special case is the class of regular one-way functions where all points in the image of the function have the same number of preimages. We also prove two additional results related to statistically-hiding commitment. First, we prove a (folklore) parallel composition theorem showing, roughly speaking, that the statistical hiding property of any such commitment scheme is amplified exponentially when multiple independent parallel executions of the scheme are carried out. Second, we show a compiler which transforms any commitment scheme which is statistically hiding against an honest-but-curious receiver into one which is statistically hiding even against a malicious receiver.

Inaccessible Entropy
Cited by 16 (8 self)
Abstract:
We put forth a new computational notion of entropy, which measures the (in)feasibility of sampling high entropy strings that are consistent with a given protocol. Specifically, we say that the i’th round of a protocol (A, B) has accessible entropy at most k, if no polynomial-time strategy A∗ can generate messages for A such that the entropy of its message in the i’th round has entropy greater than k when conditioned both on prior messages of the protocol and on prior coin tosses of A∗. We say that the protocol has inaccessible entropy if the total accessible entropy (summed over the rounds) is noticeably smaller than the real entropy of A’s messages, conditioned only on prior messages (but not the coin tosses of A). As applications of this notion, we
• Give a much simpler and more efficient construction of statistically hiding commitment schemes from arbitrary one-way functions.
• Prove that constant-round statistically hiding commitments are necessary for constructing constant-round zero-knowledge proof systems for NP that remain secure under parallel composition (assuming the existence of one-way functions).
Categories and Subject Descriptors: F.0 [Theory of Computation]: General.

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function
2007
Cited by 15 (7 self)
Abstract:
We give a construction of statistically hiding commitment schemes (ones where the hiding property holds against even computationally unbounded adversaries) under the minimal complexity assumption that one-way functions exist. Consequently, one-way functions suffice to give statistical zero-knowledge arguments for any NP statement (whereby even a computationally unbounded adversarial verifier learns nothing other than the fact the assertion being proven is true, and a polynomial-time adversarial prover cannot convince the verifier of a false statement). These results resolve an open question posed by Naor, Ostrovsky, Venkatesan, and Yung (CRYPTO ’92, J. Cryptology ’98).

On the Black-Box Complexity of Optimally-Fair Coin Tossing
Cited by 14 (6 self)
Abstract:
A fair two-party coin tossing protocol is one in which both parties output the same bit that is almost uniformly distributed (i.e., it equals 0 and 1 with probability that is at most negligibly far from one half). It is well known that it is impossible to achieve fair coin tossing even in the presence of fail-stop adversaries (Cleve, FOCS 1986). In fact, Cleve showed that for every coin tossing protocol running for r rounds, an efficient fail-stop adversary can bias the output by Ω(1/r). Since this is the best possible, a protocol that limits the bias of any adversary to O(1/r) is called optimally-fair. The only optimally-fair protocol that is known to exist relies on the existence of oblivious transfer, because it uses general secure computation (Moran, Naor and Segev, TCC 2009). However, it is possible to achieve a bias of O(1/√r) in r rounds relying only on the assumption that there exist one-way functions. In this paper we show that it is impossible to achieve optimally-fair coin tossing via a black-box construction from one-way functions for r that is less than O(n / log n), where n is the input/output length of the one-way function used. An important corollary of this is that it is impossible to construct an optimally-fair coin tossing protocol via a black-box construction from one-way functions whose round complexity is independent of the security parameter n determining the security of the one-way function being used. Informally speaking, the main ingredient of our proof is to eliminate the random oracle from “secure” protocols with “low round-complexity” and simulate the protocol securely against semi-honest adversaries in the plain model. We believe our simulation lemma to be of broader interest.

A linear lower bound on the communication complexity of single-server private information retrieval
In preparation, 2008
Cited by 6 (3 self)
Abstract:
We study the communication complexity of single-server Private Information Retrieval (PIR) protocols that are based on fundamental cryptographic primitives in a black-box manner. In this setting, we establish a tight lower bound on the number of bits communicated by the server in any polynomially-preserving construction that relies on trapdoor permutations. More specifically, our main result states that in such constructions Ω(n) bits must be communicated by the server, where n is the size of the server’s database. Therefore, in the very natural setting under consideration, the naive solution in which the user downloads the entire database turns out to be optimal up to constant multiplicative factors. Moreover, while single-server PIR protocols with polylogarithmic communication complexity were shown to exist based on specific number-theoretic assumptions, the lower bound we provide identifies a substantial gap between black-box and non-black-box constructions of single-server PIR. Technically speaking, this paper consists of two main contributions from which our lower bound is obtained. First, we derive a tight lower bound on the number of bits communicated by the sender during the commit stage of any black-box construction of a statistically-hiding commitment scheme from a family of trapdoor permutations. This lower bound asymptotically matches the upper bound provided by the scheme of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). Second, we significantly improve the efficiency of the well-known reduction of statistically-hiding commitment schemes to non-trivial single-server PIR, due to Beimel, Ishai, Kushilevitz and Malkin (STOC ’99). In particular, we present a reduction that essentially preserves both the communication complexity and the round complexity of the underlying single-server PIR protocol.

SIMPL Systems as a Keyless Cryptographic and Security Primitive
Cited by 3 (1 self)
Abstract:
Abstract—We discuss a recent cryptographic primitive termed
Computational Verifiable Secret Sharing Revisited
In Advances in Cryptology—ASIACRYPT, 2011
Cited by 3 (2 self)
Abstract:
Verifiable secret sharing (VSS) is an important primitive in distributed cryptography that allows a dealer to share a secret among n parties in the presence of an adversary controlling at most t of them. In the computational setting, the feasibility of VSS schemes based on commitments was established over two decades ago. Interestingly, all known computational VSS schemes rely on the homomorphic nature of these commitments or achieve weaker guarantees. As homomorphism is not inherent to commitments or to the computational setting in general, a closer look at its utility to VSS is called for. In this paper, we demonstrate that homomorphism of commitments is not a necessity for computational VSS in the synchronous or in the asynchronous communication setting. We present new VSS schemes based only on the definitional properties of commitments that are almost as good as existing VSS schemes based on homomorphic commitments. Furthermore, they have significantly lower communication complexities than their (statistical or perfect) unconditional counterparts. Considering the feasibility of commitments from any claw-free permutation, one-way function or collision-resistant hash function, our schemes can be an excellent alternative to unconditional VSS in the future.

Non-Interactive Statistically-Hiding Quantum Bit Commitment from Any Quantum One-Way Function