Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Interactive Protocols with Weak Sources
References
All Topics
Computer Science
Cryptography

On the (Im)possibility of Cryptography with Imperfect Randomness

Profile image of Amit SahaiAmit Sahai

2004

Abstract

We investigate the feasibility of a variety of cryptographic tasks with imperfect randomness. The kind of imperfect randomness we consider are entropy sources, such as those considered by Santha and Vazirani, Chor and Goldreich, and Zuckerman. We show the following: ¯Certain cryptographic tasks like bit commitment, encryption, secret sharing, zero-knowledge, noninteractive zero-knowledge, and secure two-party computation for any non-trivial function are impossible to realize if parties have access to entropy sources with slightly less-than-perfect entropy, i.e., sources with imperfect randomness. These results are unconditional and do not rely on any unproven assumption. ¯On the other hand, based on stronger variants of standard assumptions, secure signature schemes are possible with imperfect entropy sources. As another positive result, we show (without any unproven assumption) that interactive proofs can be made sound with respect to imperfect entropy sources.

Related papers

Short Undeniable Signatures Without Random Oracles: The Missing Link
Hel Lynn

2005

We introduce a new undeniable signature scheme which is existentially unforgeable and anonymous under chosen message attacks in the standard model. The scheme is an embedding of Boneh and Boyen’s recent short signature scheme in a group where the decisional Diffie-Hellman problem is assumed to be difficult. The anonymity of our scheme relies on a decisional variant of the strong Diffie-Hellman assumption, while its unforgeability relies on the strong Diffie-Hellman assumption.

View PDFchevron_right
Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography
Ivan Damgård

Advances in Cryptology – EUROCRYPT 2010, 2010

We study the following two related questions:-What are the minimal computational resources required for general secure multiparty computation in the presence of an honest majority?-What are the minimal resources required for two-party primitives such as zero-knowledge proofs and general secure two-party computation? We obtain a nearly tight answer to the first question by presenting a perfectly secure protocol which allows n players to evaluate an arithmetic circuit of size s by performing a total of O(s log s log 2 n) arithmetic operations, plus an additive term which depends (polynomially) on n and the circuit depth, but only logarithmically on s. Thus, for typical largescale computations whose circuit width is much bigger than their depth and the number of players, the amortized overhead is just polylogarithmic in n and s. The protocol provides perfect security with guaranteed output delivery in the presence of an active, adaptive adversary corrupting a (1/3 − ε) fraction of the players, for an arbitrary constant ε > 0 and sufficiently large n. The best previous protocols in this setting could only offer computational security with a computational overhead of poly(k, log n, log s), where k is a computational security parameter, or perfect security with a computational overhead of O(n log n). We then apply the above result towards making progress on the second question. Concretely, under standard cryptographic assumptions, we obtain zero-knowledge proofs for circuit satisfiability with 2 −k soundness error in which the amortized computational overhead per gate is only polylogarithmic in k, improving over the ω(k) overhead of the best previous protocols. Under stronger cryptographic assumptions, we obtain similar results for general secure two-party computation.

View PDFchevron_right
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with a Counterexample
Willy Susilo

Lecture Notes in Computer Science, 2017

Optimal security reductions for unique signatures (Coron, Eurocrypt 2002) and their generalization, i.e., efficiently re-randomizable signatures (Hofheinz et al. PKC 2012 & Bader et al. Eurocrypt 2016) have been well studied in the literature. Particularly, it has been shown that under a non-interactive hard assumption, any security reduction (with or without random oracles) for a unique signature scheme or an efficiently re-randomizable signature scheme must loose a factor of at least qs in the security model of existential unforgeability against chosenmessage attacks (EU-CMA), where qs denotes the number of signature queries. Note that the number qs can be as large as 2 30 in practice. All unique signature schemes and efficiently re-randomizable signature schemes are concluded to be accompanied with loose reductions from these impossibility results. Somewhat surprisingly, in contrast to previous impossibility results (Coron, Eurocrypt 2002; Hofheinz et al. PKC 2012; Bader et al. Eurocrypt 2016), in this work we show that without changing the assumption type and security model, it is not always the case that any security reduction must loose a factor of at least qs. As a counterexample, we propose a unique signature scheme with a tight reduction in the EU-CMA security model under the Computational Diffie-Hellman (CDH) assumption. Precisely, in the random oracle model, we can program a security reduction with a loss factor of at most nq 1/n , where n can be any integer independent of the security parameter for the scheme construction and q is the number of hash queries to random oracles. The loss factor in our reduction can be very small. Considering n = 25 and q = 2 50 as an example, the loss factor is of at most nq 1/n = 100 and therefore our security reduction is tight. Notice that the previous impossibility results are derived from proofs via a so-called meta-reduction technique. We stress that instead of indicating any flaw in their meta-reduction proofs, our counterexample merely demonstrates that their given meta-reduction proofs fail to

View PDFchevron_right
Security of verifiably encrypted signatures and a construction without random oracles
Dominique Schröder

Pairing-Based Cryptography–Pairing 2009, 2009

In a verifiably encrypted signature scheme, signers encrypt their signature under the public key of a trusted third party and prove that they did so correctly. The security properties, due to Boneh et al. (Eurocrypt 2003), are unforgeability and opacity. This paper proposes two novel fundamental requirements for verifiably encrypted signatures, called extractability and abuse-freeness, and analyzes its effects on the established security model. Extractability ensures that the trusted third party is always able to extract a valid signature from a valid verifiably encrypted signature and abuse-freeness guarantees that a malicious signer, who cooperates with the trusted party, is not able to forge a verifiably encrypted signature. We further show that both properties are not covered by the model of Boneh et al. The second main contribution of this paper is a verifiably encrypted signature scheme, provably secure without random oracles, that is more efficient and greatly improves the public key size of the only other construction in the standard model by Lu et al. (Eurocrypt 2006). Moreover, we present strengthened definitions for unforgeability and opacity in the spirit of strong unforgeability of digital signature schemes.

View PDFchevron_right
On cryptography with auxiliary input
Shachar Lovett

Proceedings of the 41st annual ACM symposium on Symposium on theory of computing - STOC '09, 2009

We study the question of designing cryptographic schemes which are secure even if an arbitrary function f (sk) of the secret key is leaked, as long as the secret key sk is still (exponentially) hard to compute from this auxiliary input. This setting of auxiliary input is more general than the more traditional setting, which assumes that some of information about the secret key sk may be leaked, but sk still has high min-entropy left. In particular, we deal with situations where f (sk) information-theoretically determines the entire secret key sk.

View PDFchevron_right
Simultaneous Amplification: The Case of Non-Interactive Zero-Knowledge
Aayush Jain

2019

In this work, we explore the question of simultaneous privacy and soundness amplification for non-interactive zero-knowledge argument systems (NIZK). We show that any \(\delta _s-\)sound and \(\delta _z-\)zero-knowledge NIZK candidate satisfying \(\delta _s+\delta _z=1-\epsilon \), for any constant \(\epsilon >0\), can be turned into a computationally sound and zero-knowledge candidate with the only extra assumption of a subexponentially secure public-key encryption.

View PDFchevron_right
Efficient Zero-Knowledge Proofs of Knowledge without Intractability Assumptions
Ivan Damgård

Public Key Cryptography, 2000

We initiate the investigation of the class of relations that admit extremely efficient perfect zero knowledge proofs of knowledge: constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4-moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely on intractability assumptions.

View PDFchevron_right
Additive Proofs of Knowledge - A New Notion for Non-Interactive Proofs
Amitabh Saxena

Security and Cryptography, 2007

In this paper, we study the opacity property of verifiably encrypted signatures (VES) of Boneh et al. (proposed in Eurocrypt 2003). Informally, opacity implies that although some given aggregate signatures can verified, no useful information about the individual signatures is leaked. However, the very fact that an aggregate signature can be verified leaks certain information - that the indi- vidual

View PDFchevron_right
Secure Computation Without Authentication
Ran Canetti

Journal of Cryptology, 2011

Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in of itself, and also independent of the computation * An extended abstract of this paper appeared in the proceedings of CRYPTO 2005. † Work partially carried out while at IBM T.J. Watson. ‡ Work carried out while at IBM T.J. Watson. § Work partially carried out while at IBM T.J. Watson. ¶ Work partially carried out while at IBM T.J. Watson, and partially supported by an Akamai Presidential Fellowship. © International Association for Cryptologic Research 2010 Secure Computation Without Authentication 721

View PDFchevron_right
On Defining Proofs of Knowledge in the Bare Public-Key Model
Giovanni Di Crescenzo

Theoretical Computer Science - Proceedings of the 10th Italian Conference on ICTCS '07, 2007

One contribution provided by the groundbreaking concept of interactive proofs is the notion of proofs of knowledge, where a prover can convince a verifier that she knows a secret related to a public statement. This notion was formalized in the conventional complexity-theoretic model of interactive protocols and showed to be very useful for cryptographic applications, such as entity authentication schemes. Motivated by these applicability considerations, in this paper, we consider proofs of knowledge in a cryptographic model, called the bare public-key model (BPK model in short), where round-efficient interactive proofs with strong variants of security against provers (i.e., soundness) and security against verifiers (i.e., zero-knowledge) have been presented. We formally define notions of proofs of knowledge in the BPK model, and show that there are 4 distinct such notions for each of the previously studied four known notions of soundness. Finally, under the existence of any homomorphic one-way function family, (a generalization of) a 4-round argument system for all N P languages from the literature is a proof of knowledge that is secure against concurrent attacks from provers or verifiers.

View PDFchevron_right

References (49)

  1. M. Ajtai and N. Linial. The influence of large coalitions. Combinatorica, 13(2):129-145, 1993.
  2. L. Babai and S. Moran. Arthur-Merlin games: A random- ized proof system and a hierarchy of complexity classes. J. Comput. Syst. Sci., 36(2):254-276, 1988.
  3. B. Barak, R. Impagliazzo, and A. Wigderson. Extracting ran- domness from few independent sources. In Proc. 45th FOCS, 2004.
  4. A. Beimel, T. Malkin, and S. Micali. The all-or-nothing na- ture of two-party secure computation. In Proc. CRYPTO '99, pages 80-97, 1999.
  5. M. Bellare, O. Goldreich, and S. Goldwasser. Randomness in interactive proofs. Comput. Complex., 3(4):319-354, 1993.
  6. M. Bellare and J. Rompel. Randomness-efficient oblivious sampling. In Proc. 35th FOCS, pages 276-287, 1994.
  7. M. Ben-Or, O. Goldreich, S. Goldwasser, J. Hȧstad, J. Kil- ian, S. Micali, and P. Rogaway. Everything provable is prov- able in zero-knowledge. In Proc. CRYPTO '88, pages 37-56, 1988.
  8. C. H. Bennett, G. Brassard, and J.-M. Robert. Privacy ampli- fication by public discussion. SIAM J. Comput., 17(2):210- 229, 1988.
  9. M. Blum. Independent unbiased coin flips from a correlated biased source-a finite state Markov chain. Combinatorica, 6(2):97-108, 1986.
  10. M. Blum, P. Feldman, and S. Micali. Non-interactive zero- knowledge and its applications. In Proc. 20th STOC, pages 103-112, 1988.
  11. R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz, and A. Sa- hai. Exposure-resilient functions and all-or-nothing trans- forms. In Proc. EUROCRYPT '00, pages 453-469, 2000.
  12. B. Chor and O. Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication com- plexity. SIAM J. Comput., 17(2):230-261, 1988.
  13. B. Chor, O. Goldreich, J. Hastad, J. Friedman, S. Rudich, and R. Smolensky. The bit extraction problem of t-resilient func- tions. In Proc. 26th FOCS, pages 396-407. IEEE, 1985.
  14. Y. Dodis, A. Elbaz, R. Oliveira, and R. Raz. Improved ran- domness extraction from two independent sources. In Proc. RANDOM '04, 2004.
  15. Y. Dodis and R. Oliveira. On extracting private randomness over a public channel. In Proc. RANDOM '03, pages 252- 263, 2003.
  16. Y. Dodis, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Proc. EUROCRYPT '04, pages 523-540, 2004.
  17. Y. Dodis, A. Sahai, and A. Smith. On perfect and adaptive security in exposure-resilient cryptography. In Proc. EURO- CRYPT '01, pages 301-324, 2001.
  18. Y. Dodis and J. Spencer. On the (non)universality of the one- time pad. In Proc. 43rd FOCS, pages 376-388, 2002.
  19. P. Elias. The efficient construction of an unbiased random sequence. Ann. Math. Stat., 43(2):865-870, 1972.
  20. U. Feige, D. Lapidot, and A. Shamir. Multiple non- interactive zero knowledge proofs under general assump- tions. SIAM J. Comput., 29(1):1-28, 1999.
  21. O. Goldreich. Foundations of cryptography, volume 2. Cam- bridge University Press, Cambridge, 2004. Basic applica- tions.
  22. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In Proc. 19th STOC, pages 218-229, 1987.
  23. O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity or all languages in NP have zero- knowledge proof systems. J. ACM, 38(1):691-729, 1991.
  24. O. Goldreich and Y. Oren. Definitions and properties of zero- knowledge proof systems. J. Cryptology, 7(1):1-32, 1994.
  25. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM J. Comput., 18(1):186-208, 1989.
  26. S. Goldwasser and M. Sipser. Private coins versus public coins in interactive proof systems. Advances in Computing Research, 5:73-90, 1989.
  27. R. Impagliazzo and M. Yung. Direct minimum-knowledge computations. In Proc. CRYPTO '87, pages 40-51, 1987.
  28. J. Kamp and D. Zuckerman. Deterministic extractors for bit- fixing sources and exposure-resilient cryptography. In Proc. 35th FOCS, pages 92-101, 2003.
  29. T. Koshiba. A new aspect for security notions: Secure ran- domness in public-key encryption schemes. In Proc. 4th PKC, pages 87-103, 2001.
  30. T. Koshiba. On sufficient randomness for secure public-key cryptosystems. In Proc. 5th PKC, pages 34-47, 2002.
  31. D. Lichtenstein, N. Linial, and M. Saks. Some extremal problems arising from discrete control processes. Combi- natorica, 9(3):269-287, 1989.
  32. C.-J. Lu, O. Reingold, S. Vadhan, and A. Wigderson. Ex- tractors: optimal up to constant factors. In Proc. 35th STOC, pages 602-611, 2003.
  33. C. Lund, L. Fortnow, H. Karloff, and N. Nisan. Algebraic methods for interactive proof systems. J. ACM, 39(4):859- 868, 1992.
  34. U. Maurer and S. Wolf. Privacy amplification secure against active adversaries. In Proc. CRYPTO '97, pages 307-321, 1997.
  35. J. L. McInnes and B. Pinkas. On the impossibility of pri- vate key cryptography with weakly random keys. In Proc. CRYPTO '90, pages 421-436, 1991.
  36. M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In Proc. 21th STOC, pages 33-43, 1988.
  37. N. Nisan and D. Zuckerman. Randomness is linear in space. J. Comput. Syst. Sci., 52(1):43-52, 1996.
  38. O. Reingold, S. Vadhan, and A. Wigderson. A note on ex- tracting randomness from Santha-Vazirani sources. Unpub- lished manuscript, 2004.
  39. R. Renner and S. Wolf. Unconditional authenticity and pri- vacy from an arbitrarily weak secret. In Proc. CRYPTO '03, pages 78-95, 2003.
  40. M. Santha and U. V. Vazirani. Generating quasi-random se- quences from semi-random sources. J. Comput. Syst. Sci., 33(1):75-87, 1986.
  41. A. Shamir. How to share a secret. Commun. ACM, 22(11):612-613, 1979.
  42. A. Shamir. IP = PSPACE. J. ACM, 39(4):869-877, 1992.
  43. L. Trevisan and S. Vadhan. Extracting randomness from samplable distributions. In Proc. 41st FOCS, pages 32-42, 2000.
  44. U. V. Vazirani. Efficiency considerations in using semi- random sources. In Proc. 19th STOC, pages 160-168, 1987.
  45. U. V. Vazirani. Strong communication complexity or gen- erating quasirandom sequences from two communicating semirandom sources. Combinatorica, 7(4):375-392, 1987.
  46. U. V. Vazirani and V. V. Vazirani. Random polynomial time is equal to slightly-random polynomial time. In Proc. 26th FOCS, pages 417-428, 1985.
  47. J. von Neumann. Various techniques used in connection with random digits. National Bureau of Standards, Applied Math- ematics Series, 12:36-38, 1951.
  48. D. Zuckerman. Simulating BPP using a general weak ran- dom source. Algorithmica, 16(4/5):367-391, 1996.
  49. D. Zuckerman. Randomness-optimal oblivious sampling. Random. Struct. Algor., 11(4):345-367, 1997.

Related papers

Randomizable Proofs and Delegatable Anonymous Credentials
Jan Camenisch

Lecture Notes in Computer Science, 2009

We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general non-interactive proofs for NP-complete languages of size kΩ(2 L ). We revise the entire approach to constructing anonymous credentials and identify randomizable zero-knowledge proof of knowledge systems as the key building block. We formally define the notion of randomizable non-interactive zero-knowledge proofs, and give the first instance of controlled rerandomization of non-interactive zero-knowledge proofs by a third-party. Our construction uses Groth-Sahai proofs (Eurocrypt 2008).

View PDFchevron_right
Attainable Unconditional Security for Shared-Key Cryptosystems
Thomas Given-Wilson

Preserving the privacy of private communication is a fundamental concern of computing addressed by encryption. Information-theoretic reasoning models unconditional security where the strength of the results is not moderated by computational hardness or unproven results. Perfect secrecy is often considered the ideal result for a cryptosystem, where knowledge of the ciphertext reveals no information about the message or key, however often this is impossible to achieve in practice. An alternative measure is the equivocation, intuitively the average number of message/key pairs that could have produced a given ciphertext. We show a theoretical bound on equivocation called max-equivocation and show that this generalizes perfect secrecy when achievable, and provides an alternative measure when perfect secrecy is not. We derive bounds for max-equivocation, and show that max-equivocation is achieved when the entropy of the ciphertext is minimized. We consider encryption functions under this new perspective, and show that in general the theoretical best is unachievable, and that some popular approaches such as Latin squares or Quasigroups are also not optimal. We present some algorithms for generating encryption functions that are practical and achieve 90-95% of the theoretical best, improving with larger message spaces.

View PDFchevron_right
Randomness-ecient NonInteractive Zero-Knowledge
Amit Sahai

1997

Abstract. Non-Interactive Zero Knowledge (NIZK), introduced by Blum, Feldman, and Micali in 1988, is a fundamental cryptographic primitive which has attracted considerable attention in the last decade and has been used throughout modern cryptography in several essen-tial ways. For example, NIZK plays a central role in building provably secure public-key cryptosystems based on general complexity-theoretic assumptions that achieve security against chosen ciphertext attacks. In essence, in a multi-party setting, given a xed common random string of polynomial size which is visible to all parties, NIZK allows an arbitrary polynomial number of Provers to send messages to polynomially many Veri ers, where each message constitutes an NIZK proof for an arbitrary polynomial-size NP statement. In this paper, we take a closer look at NIZK in the multi-party setting. First, we consider non-malleable NIZK, and generalizing and substan-tially strengthening the results of Sahai, we give the rst con...

View PDFchevron_right
A Generic Approach to Constructing and Proving Verifiable Random Functions
rishab goyal

Theory of Cryptography, 2017

Verifiable Random Functions (VRFs) as introduced by Micali, Rabin and Vadhan are a special form of Pseudo Random Functions (PRFs) wherein a secret key holder can also prove validity of the function evaluation relative to a statistically binding commitment. Prior works have approached the problem of constructing VRFs by proposing a candidate under a specific number theoretic setting -mostly in bilinear groups -and then grappling with the challenges of proving security in the VRF environments. These constructions achieved different results and tradeoffs in practical efficiency, tightness of reductions and cryptographic assumptions. In this work we take a different approach. Instead of tackling the VRF problem as a whole, we demonstrate a simple and generic way of building Verifiable Random Functions from more basic and narrow cryptographic primitives. Then we can turn to exploring solutions to these primitives with a more focused mindset. In particular, we show that VRFs can be constructed generically from the ingredients of: (1) a 1-bounded constrained pseudo random function for a functionality that is "admissible hash friendly", (2) a non-interactive statistically binding commitment scheme (without trusted setup) and (3) non-interactive witness indistinguishable proofs or NIWIs. The first primitive can be replaced with a more basic puncturable PRF constraint if one is willing to settle for selective security or assume sub-exponential hardness of assumptions. In the second half of our work, we support our generic approach by giving new constructions of the underlying primitives. We first provide new constructions of perfectly binding commitments from the Learning with Errors (LWE) and Learning Parity with Noise (LPN) assumptions. Second, we give two new constructions of 1-bounded constrained PRFs for admissible hash friendly constructions. Our first construction is from the n-powerDDH assumption. The next is from the φ hiding assumption.

View PDFchevron_right
On the Power of Correlated Randomness in Secure Computation
Anat Paskin-Cherniavsky

Lecture Notes in Computer Science, 2013

We investigate the extent to which correlated secret randomness can help in secure computation with no honest majority. It is known that correlated randomness can be used to evaluate any circuit of size s with perfect security against semi-honest parties or statistical security against malicious parties, where the communication complexity grows linearly with s. This leaves open two natural questions: (1) Can the communication complexity be made independent of the circuit size? (2) Is it possible to obtain perfect security against malicious parties? We settle the above questions, obtaining both positive and negative results on unconditionally secure computation with correlated randomness. Concretely, we obtain the following results. Minimizing communication. Any multiparty functionality can be realized, with perfect security against semi-honest parties or statistical security against malicious parties, by a protocol in which the number of bits communicated by each party is linear in its input length. Our protocol uses an exponential number of correlated random bits. We give evidence that super-polynomial randomness complexity may be inherent. Perfect security against malicious parties. Any finite "senderreceiver" functionality, which takes inputs from a sender and a receiver and delivers an output only to the receiver, can be perfectly realized given correlated randomness. In contrast, perfect security is generally impossible for functionalities which deliver outputs to both parties. We also show useful functionalities (such as string equality) for which there are efficient perfectly secure protocols in the correlated randomness model.

View PDFchevron_right

Related topics

  • Mathematics
  • Computer Science
  • Cryptography
  • Theoretical Computer Science
  • Zero-Knowledge Proofs
  • Secret Sharing
  • Signature Scheme
  • Mathematical Foundations of Comp...
  • Secure Two-party Computation
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved