A New Sampling Protocol and Applications to Basing Cryptographic Primitives on the Hardness of NP

Iftach Haitner, Mohammad Mahmoody, David Xiao
2010 IEEE 25th Annual Conference on Computational Complexity, June 2010.
DOI: 10.1109/CCC.2010.17 (https://doi.org/10.1109/CCC.2010.17)
Citations: 23

Abstract

We investigate the question of what languages can be decided efficiently with the help of a recursive collision-finding oracle. Such an oracle can be used to break collision-resistant hash functions or, more generally, statistically hiding commitments. The oracle we consider, $\mathsf{Sam}_d$ where $d$ is the recursion depth, is based on the identically named oracle defined in the work of Haitner et al. (FOCS '07). Our main result is a constant-round public-coin protocol "$\mathsf{AMSam}$" that allows an efficient verifier to emulate a $\mathsf{Sam}_d$ oracle for any constant depth $d = O(1)$ with the help of a $\mathsf{BPP}^{\mathsf{NP}}$ prover. $\mathsf{AMSam}$ allows us to conclude that if $L$ is decidable by a $k$-adaptive randomized oracle algorithm with access to a $\mathsf{Sam}_{O(1)}$ oracle, then $L \in \mathsf{AM}[k] \cap \mathsf{coAM}[k]$. This yields the following corollary: if there exists an $O(1)$-adaptive reduction that bases constant-round statistically hiding commitment on $\mathsf{NP}$-hardness, then $\mathsf{NP} \subseteq \mathsf{coAM}$ and the polynomial hierarchy collapses. The same result holds for any primitive that can be broken by $\mathsf{Sam}_{O(1)}$, including collision-resistant hash functions and $O(1)$-round oblivious transfer where security holds statistically for one of the parties. We also obtain non-trivial (though weaker) consequences for $k$-adaptive reductions for any $k = \mathrm{poly}(n)$. Prior to our work, most results in this research direction applied either only to non-adaptive reductions (Bogdanov and Trevisan, SIAM J. Comput. '06, and Akavia, Goldreich, Goldwasser and Moshkovitz, FOCS '06) or only to one-way permutations (Brassard, FOCS '79).
The main technical tool we use to prove the above is a new constant-round public-coin protocol ($\mathsf{SWS}$), which we believe to be of interest in its own right, that guarantees the following: given an efficient function $f$ on $n$ bits, let $D$ be the output distribution $D = f(U_n)$; then $\mathsf{SWS}$ allows an efficient verifier Arthur to use an all-powerful prover Merlin's help to sample a random $y \leftarrow D$ along with a good multiplicative approximation of the probability $p_y = \Pr_{y' \leftarrow D}[y' = y]$. The crucial feature of $\mathsf{SWS}$ is that it extends even to distributions of the form $D = f(U_{\mathcal{S}})$, where $U_{\mathcal{S}}$ is the uniform distribution on an efficiently decidable subset $\mathcal{S} \subseteq \{0,1\}^n$ (such $D$ are called efficiently samplable with post-selection), as long as the verifier is also given a good approximation of the value $|\mathcal{S}|$.
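The following toy emulation is added here to make the two objects in the abstract concrete; it is not code from the paper and does not implement the constant-round AMSam or SWS protocols. It assumes a constructed 10-bit-to-6-bit function standing in for a collision-resistant hash, and replaces the all-powerful prover with exhaustive search over the tiny domain. The first part is a depth-1 collision-finding oracle in the spirit of Sam (return a uniformly random preimage of f(x)) and the adversary that breaks collision resistance by simply querying it; the second part produces what SWS hands to the verifier for a post-selected distribution D = f(U_S): a sample y together with p_y = Pr[f(U_S) = y]. Here p_y is computed exactly by counting, whereas the protocol only guarantees a multiplicative approximation and needs an approximation of |S| as input. The post-selection set S (even-Hamming-weight inputs) is also an assumption chosen for illustration.

```python
"""Brute-force toy: a depth-1 collision-finding oracle used to break a compressing
function, and an SWS-style (sample, probability) pair for a post-selected distribution.
Added illustration only; the paper's protocols use an NP prover, not exhaustive search."""
import random
from collections import Counter

N_BITS = 10                       # assumption: tiny domain so brute force is feasible
M_BITS = 6                        # f compresses 10 bits to 6, so collisions must exist
DOMAIN = list(range(1 << N_BITS))
# Efficiently decidable post-selection set S (assumption): inputs of even Hamming weight.
EVEN_PARITY = [x for x in DOMAIN if bin(x).count("1") % 2 == 0]


def toy_hash(x: int) -> int:
    """Constructed compressing function f: {0,1}^10 -> {0,1}^6. Not a real hash."""
    return (x * 37 + (x >> 4) * 13 + ((x * x) >> 3)) & ((1 << M_BITS) - 1)


def preimages(f, y: int, subset) -> list:
    """f^{-1}(y) intersected with subset, found by exhaustive search (the prover's job)."""
    return [x for x in subset if f(x) == y]


def sam_oracle(f, x: int, subset, rng: random.Random) -> int:
    """Depth-1 collision finder: a uniformly random x' in subset with f(x') == f(x).
    The fibre always contains x itself, so the oracle may return x."""
    return rng.choice(preimages(f, f(x), subset))


def break_collision_resistance(f, subset, rng: random.Random, tries: int = 64):
    """Adversary with oracle access: pick random x, query the oracle, output (x, x')
    as soon as x' != x. Returns None only if every try lands on x itself."""
    for _ in range(tries):
        x = rng.choice(subset)
        x_prime = sam_oracle(f, x, subset, rng)
        if x_prime != x:
            return x, x_prime
    return None


def exact_distribution(f, subset) -> dict:
    """The distribution D = f(U_S) as a dict y -> p_y, computed exactly by counting."""
    counts = Counter(f(x) for x in subset)
    return {y: c / len(subset) for y, c in counts.items()}


def sample_with_probability(f, subset, rng: random.Random):
    """SWS-style output: a sample y <- f(U_S) together with p_y = Pr[f(U_S) = y].
    p_y is exact here; the protocol only promises a multiplicative approximation and
    additionally needs an approximation of |S| (known exactly in this toy)."""
    y = f(rng.choice(subset))
    p_y = len(preimages(f, y, subset)) / len(subset)
    return y, p_y


def run_demo(seed: int = 1) -> dict:
    """Run both pieces with a fixed seed and return the results for checking."""
    rng = random.Random(seed)
    collision = break_collision_resistance(toy_hash, DOMAIN, rng)
    y, p_y = sample_with_probability(toy_hash, EVEN_PARITY, rng)
    dist = exact_distribution(toy_hash, EVEN_PARITY)
    return {
        "collision": collision,
        "collision_ok": collision is not None
        and collision[0] != collision[1]
        and toy_hash(collision[0]) == toy_hash(collision[1]),
        "sample": (y, p_y),
        "sample_matches_exact": abs(dist[y] - p_y) < 1e-12,
        "total_mass": sum(dist.values()),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because f maps 1024 inputs onto at most 64 outputs, almost every fibre has several elements, so the adversary needs only a handful of oracle queries; this is exactly why any reduction from NP-hardness to a primitive that Sam breaks must survive an adversary that the paper shows can be simulated in AM ∩ coAM.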