ABSTRACT
Current constructions of cryptographic primitives typically involve a large multiplicative computational overhead that grows with the desired level of security. We explore the possibility of implementing basic cryptographic primitives, such as encryption, authentication, signatures, and secure two-party computation, while incurring only a constant computational overhead compared to insecure implementations of the same tasks. Here we make the usual security requirement that the advantage of any polynomial-time attacker must be negligible in the input length.
We obtain affirmative answers to this question for most central cryptographic primitives under plausible, albeit sometimes nonstandard, intractability assumptions. We start by showing that pairwise-independent hash functions can be computed by linear-size circuits, disproving a conjecture of Mansour, Nisan, and Tiwari (STOC 1990). This construction does not rely on any unproven assumptions and is of independent interest. Our hash functions can be used to construct message authentication schemes with constant overhead from any one-way function. Under an intractability assumption that generalizes a previous assumption of Alekhnovich (FOCS 2003), we get (public and private key) encryption schemes with constant overhead. Using an exponentially strong version of the previous assumption, we get signature schemes of similar complexity. Assuming the existence of pseudorandom generators in NC^0 with polynomial stretch together with the existence of an (arbitrary) oblivious transfer protocol, we get similar results for the seemingly very complex task of secure two-party computation. More concretely, we get general protocols for secure two-party computation in the semi-honest model in which the two parties can be implemented by circuits whose size is a constant multiple of the size s of the circuit to be evaluated. In the malicious model, we get protocols whose communication complexity is a constant multiple of s and whose computational complexity is slightly super-linear in s. For natural relaxations of security in the malicious model that are still meaningful in practice, we can also keep the computational complexity linear in s. These results extend to the case of a constant number of parties, where an arbitrary subset of the parties can be corrupted.
Our protocols rely on non-black-box techniques, and suggest the intriguing possibility that the ultimate efficiency in this area of cryptography can be obtained via such techniques.
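The abstract's first result concerns pairwise-independent hash functions and the circuit size needed to compute them. The following added example (not code from the paper, and not its linear-size construction) makes the definition concrete: it exhaustively checks, for small parameters n and m of my own choosing, that the textbook affine family h(x) = Ax + b over GF(2) is pairwise independent, that the same family without the shift b is not, and it counts the XOR gates the affine family needs, which grow as m·n rather than linearly in the input size. That gate count is exactly the kind of non-constant overhead the paper's linear-size hash functions remove.

```python
# Added example (not the paper's construction): exhaustive check of the
# pairwise-independence definition for the textbook affine hash family
# h_{A,b}(x) = A x + b over GF(2), plus a count of the XOR gates it needs.
import itertools
from collections import Counter


def parity(v):
    """Parity (XOR of all bits) of a non-negative integer."""
    return bin(v).count("1") & 1


def affine_hash(rows, b, x):
    """h(x) = A x + b over GF(2).

    rows: the m rows of A, each packed as an n-bit integer;
    b:    an m-bit shift;  x: an n-bit input.  Output is an m-bit integer.
    """
    y = 0
    for i, row in enumerate(rows):
        y |= parity(row & x) << i   # row i of A dotted with x, mod 2
    return y ^ b


def affine_family(n, m):
    """Every (A, b): 2^(m*n) matrices times 2^m shifts, as (rows, b) pairs."""
    return [(rows, b)
            for rows in itertools.product(range(1 << n), repeat=m)
            for b in range(1 << m)]


def linear_family(n, m):
    """Same matrices but no shift (b = 0); a negative control, since h(0) = 0 always."""
    return [(rows, 0) for rows in itertools.product(range(1 << n), repeat=m)]


def is_pairwise_independent(family, n, m):
    """True iff for every pair x != x' the pair (h(x), h(x')) is uniform on
    {0,1}^m x {0,1}^m when h is drawn uniformly from the family."""
    size = len(family)
    for x, xp in itertools.combinations(range(1 << n), 2):
        counts = Counter((affine_hash(rows, b, x), affine_hash(rows, b, xp))
                         for rows, b in family)
        if len(counts) != 1 << (2 * m):           # some output pair never occurs
            return False
        if any(c * (1 << (2 * m)) != size for c in counts.values()):
            return False                           # occurs, but not equally often
    return True


def matrix_xor_gates(n, m):
    """XOR gates to evaluate A x + b with A hard-wired into the circuit:
    m inner products of n bits (n-1 XORs each) plus m XORs for b, i.e. m*n.
    For m = n this is quadratic in the input length, so the overhead grows with
    the parameter; a linear-size pairwise-independent family is what the paper shows."""
    return m * (n - 1) + m


if __name__ == "__main__":
    # Small constructed parameters; exhaustive enumeration is 2^(m*n + m) maps.
    print("affine family pairwise independent:",
          is_pairwise_independent(affine_family(3, 2), 3, 2))
    print("linear family pairwise independent:",
          is_pairwise_independent(linear_family(3, 2), 3, 2))
    print("XOR gates for n = m = 64:", matrix_xor_gates(64, 64))
```

The exhaustive check is only feasible for tiny n and m (the family has 2^(mn+m) members), which is fine for confirming the definition; the gate-count function is where the practical point lives, since it shows the per-output-bit cost of the standard family scaling with n instead of staying constant.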
- M. Alekhnovich. More on average case vs approximation complexity. In Proc. 44th FOCS, pages 298--307, 2003.
- N. Alon, J. Bruck, J. Naor, M. Naor, and R. M. Roth. Construction of asymptotically good low-rate error-correcting codes through pseudo-random graphs. IEEE Transactions on Information Theory, 38(2), 1992.
- B. Applebaum, Y. Ishai, and E. Kushilevitz. Cryptography in NC^0. SIAM J. Comput., 36(4):845--888, 2006. Earlier version in FOCS 2004.
- B. Applebaum, Y. Ishai, and E. Kushilevitz. Computationally private randomizing polynomials and their applications. Computational Complexity, 15(2):115--162, 2006. Earlier version in CCC 2005.
- B. Applebaum, Y. Ishai, and E. Kushilevitz. On pseudorandom generators with linear stretch in NC^0. In Proc. 10th RANDOM, 2006.
- B. Applebaum, Y. Ishai, and E. Kushilevitz. Cryptography with constant input locality. In Proc. CRYPTO 2007.
- Y. Aumann and Y. Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. In Proc. TCC 2007, pages 137--156.
- D. Beaver. Precomputing oblivious transfer. In Proc. CRYPTO 1995, pages 97--109.
- D. Beaver. Correlated pseudorandomness and the complexity of private computations. In Proc. 28th STOC, pages 479--488, 1996.
- M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. 20th STOC, pages 1--10, 1988.
- A. Blum, A. Kalai, and H. Wasserman. Noise-tolerant learning, the parity problem, and the statistical query model. In Proc. 32nd STOC, pages 435--440, 2000.
- M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput., 13:850--864, 1984. Preliminary version in FOCS 1982.
- J. L. Bordewijk. Inter-reciprocity applied to electrical networks. Applied Scientific Research B: Electrophysics, Acoustics, Optics, Mathematical Methods, 6:1--74, 1956.
- R. Canetti. Security and composition of multiparty cryptographic protocols. J. of Cryptology, 13(1), 2000.
- R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz, and A. Sahai. Exposure-resilient functions and all-or-nothing transforms. In Proc. EUROCRYPT 2000, pages 453--469.
- M. R. Capalbo, O. Reingold, S. P. Vadhan, and A. Wigderson. Randomness conductors and constant-degree lossless expanders. In Proc. STOC 2002, pages 659--668.
- L. Carter and M. N. Wegman. Universal classes of hash functions. J. Comput. Syst. Sci., 18(2):143--154, 1979.
- B. Chor, O. Goldreich, J. Håstad, J. Friedman, S. Rudich, and R. Smolensky. The bit extraction problem of t-resilient functions (preliminary version). In Proc. FOCS 1985, pages 396--407.
- M. Cryan and P. B. Miltersen. On pseudorandom generators in NC^0. In Proc. 26th MFCS, 2001.
- R. L. Dobrushin, S. I. Gelfand, and M. S. Pinsker. On complexity of coding. In Proc. 2nd Internat. Symp. on Information Theory, pages 174--184, 1973.
- D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. SIAM J. Comput., 30(2):391--437, 2000.
- S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing contracts. Communications of the ACM, 28(6):637--647, 1985.
- U. Feige, J. Kilian, and M. Naor. A minimal model for secure computation (extended abstract). In Proc. 26th STOC, pages 554--563, 1994.
- M. J. Freedman, K. Nissim, and B. Pinkas. Efficient private matching and set intersection. In Proc. EUROCRYPT 2004, pages 1--19.
- O. Goldreich. Foundations of Cryptography: Basic Tools. Cambridge University Press, 2001.
- O. Goldreich. Foundations of Cryptography: Basic Applications. Cambridge University Press, 2004.
- O. Goldreich. Candidate one-way functions based on expander graphs. Electronic Colloquium on Computational Complexity (ECCC), 7(090), 2000.
- O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. J. ACM, 33(4):792--807, 1986.
- S. Goldwasser, S. Micali, and P. Tong. Why and how to establish a private code on a public network. In Proc. FOCS 1982, pages 134--144.
- O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. In Proc. CRYPTO 1986, pages 171--185.
- O. Goldreich and R. Vainish. How to solve any protocol problem: an efficiency improvement. In Proc. CRYPTO 1987, LNCS volume 293, pages 73--86. Springer, 1987.
- V. Guruswami and P. Indyk. Expander-based constructions of efficiently decodable codes. In Proc. FOCS 2001, pages 658--667.
- R. Impagliazzo, L. A. Levin, and M. Luby. Pseudo-random generation from one-way functions. In Proc. STOC 1989, pages 12--24.
- Y. Ishai and E. Kushilevitz. Perfect constant-round secure computation via perfect randomizing polynomials. In Proc. 29th ICALP, pages 244--256, 2002.
- Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Zero-knowledge from secure multiparty computation. In Proc. STOC 2007.
- J. Kilian. Founding cryptography on oblivious transfer. In Proc. 20th STOC, pages 20--31, 1988.
- V. Lyubashevsky. The parity problem in the presence of noise, decoding random linear codes, and the subset sum problem. In Proc. APPROX-RANDOM 2005, pages 378--389.
- Y. Mansour, N. Nisan, and P. Tiwari. The computational complexity of universal hashing. In Proc. STOC 1990, pages 235--243.
- E. Mossel, A. Shpilka, and L. Trevisan. On ε-biased generators in NC^0. In Proc. 44th FOCS, pages 136--145, 2003.
- J. Naor and M. Naor. Small-bias probability spaces: Efficient constructions and applications. SIAM J. Comput., 22(4):838--856, 1993. Preliminary version in Proc. STOC 1990.
- M. Naor and K. Nissim. Communication preserving protocols for secure function evaluation. In Proc. 33rd STOC, pages 590--599, 2001.
- M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In Proc. STOC 1989, pages 33--43.
- M. O. Rabin. How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard University, 1981.
- M. Sipser and D. A. Spielman. Expander codes. In Proc. FOCS 1994, pages 566--576.
- W. D. Smith. 1. AES seems weak. 2. Linear time secure cryptography. Cryptology ePrint report 2007/248.
- D. A. Spielman. Linear-time encodable and decodable error-correcting codes. In Proc. STOC 1995, pages 388--397.
- A. C. Yao. Theory and application of trapdoor functions. In Proc. 23rd FOCS, pages 80--91, 1982.
- A. C. Yao. How to generate and exchange secrets. In Proc. 27th FOCS, pages 162--167, 1986.
Index Terms
- Cryptography with constant computational overhead