Number-theoretic constructions of efficient pseudo-random functions

Published: 01 March 2004

Abstract

We describe efficient constructions for various cryptographic primitives in private-key as well as public-key cryptography. Our main results are two new constructions of pseudo-random functions. We prove the pseudo-randomness of one construction under the assumption that factoring (Blum integers) is hard while the other construction is pseudo-random if the decisional version of the Diffie--Hellman assumption holds. Computing the value of our functions at any given point involves two subset products. This is much more efficient than previous proposals. Furthermore, these functions have the advantage of being in TC^0 (the class of functions computable by constant depth circuits consisting of a polynomial number of threshold gates). This fact has several interesting applications. The simple algebraic structure of the functions implies additional features such as a zero-knowledge proof for statements of the form "y = f_s(x)" and "y ≠ f_s(x)" given a commitment to a key s of a pseudo-random function f_s.


Reviews

Adrian Constantin Atanasiu

This paper describes efficient constructions for various cryptographic primitives, in private-key as well as public-key cryptography. The main results are two new constructions of pseudo-random functions. The pseudo-randomness of one construction is proven under the assumption that factoring (Blum integers) is hard, while the other construction is pseudo-random if the decisional version of the Diffie-Hellman (DDH) assumption holds. The authors base their constructions on two number theoretic assumptions: factoring (well known) and the DDH assumption. This second assumption is defined as follows: "There is no efficient algorithm that, given (p, q, g, g^a, g^b), distinguishes between g^{ab} and g^c with a nonnegligible advantage, where p, q are large prime numbers with q | p-1, g ≠ 0 is a uniformly chosen element of order q, and a, b, c are uniformly chosen from Z_q (all exponentiations are in Z_p)."

Section 2 of the paper describes the notation and conventions used. Section 2.2 describes some applications and constructions of pseudo-random functions. In section 3, the DDH assumption is considered. Section 4 is dedicated to the construction of pseudo-random functions based on the DDH assumption, to proving its security, and to some considerations regarding its complexity. In section 5, the generalized Diffie-Hellman (GDH) assumption is defined, and the second construction of pseudo-random function based on this assertion is developed. Section 5.4 proves that pseudo-random functions are at least as secure as factoring. Section 6 contains some possible features of these pseudo-random functions, and other directions for further research are suggested.

The first pseudo-random function, defined in section 4, has a simple algebraic structure (for details, readers should consult the paper). In section 5, another related construction (based on the GDH assumption) is suggested. Namely, if N = pq is a Blum integer, g ≠ 0 is a uniformly distributed quadratic residue, a = (a_{1,0}, a_{1,1}, a_{2,0}, a_{2,1}, ..., a_{n,0}, a_{n,1}) is a uniformly distributed sequence of 2n elements in {1, 2, ..., N}, and r is a uniformly distributed bit string of the same length as N, then the binary function f_{N,g,a,r} is pseudo-random (the detailed form of this function can be found in the paper). Both of these pseudo-random functions have the advantage of being in TC^0 (the class of functions computable by constant depth circuits consisting of a polynomial number of threshold gates). This fact has several applications. The simple algebraic structure of the functions implies additional features, such as a zero-knowledge proof for statements of the form "y = f(x)" and "y ≠ f(x)" given a commitment to a key s of a pseudo-random function f.
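The DDH-based construction that the abstract and the review above describe, written out as an added example (editor's code, not the authors' or any library's): the function takes the standard Naor-Reingold form f(x) = g^(a_0 * prod_{i : x_i = 1} a_i) mod p over the order-q subgroup named in the review's DDH definition. The group p = 2q + 1 = 2039, the key sizes and the sanity checks are constructed toy choices for illustration, not parameters from the paper.

```python
import secrets

# Constructed toy group (editor's choice, not from the paper): p = 2q + 1 with
# q prime, so the quadratic residues mod p form the prime-order-q subgroup
# that the DDH assumption is stated over. Far too small for real use.
P = 2039
Q = 1019


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def order_q_generator():
    """Square a random element of Z_p^* other than 1 and p-1: result has order q."""
    while True:
        h = secrets.randbelow(P - 2) + 2  # h in [2, p-1]
        g = pow(h, 2, P)
        if g != 1:
            return g


def keygen(n):
    """Key for n-bit inputs: g of order q and a_0..a_n drawn from Z_q^*."""
    g = order_q_generator()
    a = [secrets.randbelow(Q - 1) + 1 for _ in range(n + 1)]
    return g, a


def prf(g, a, x_bits):
    """f(x) = g^(a_0 * prod_{i : x_i = 1} a_i) mod p.

    The exponent is a subset product modulo q; the result is then a single
    exponentiation modulo p. The input only selects which a_i are multiplied
    in, which is the simple algebraic structure the abstract refers to.
    """
    assert len(x_bits) == len(a) - 1
    e = a[0]
    for a_i, bit in zip(a[1:], x_bits):
        if bit:
            e = (e * a_i) % Q
    return pow(g, e, P)


def int_to_bits(x, n):
    """Big-endian n-bit expansion of x."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]


def sanity_checks(n=6):
    """Checks a practitioner would run on any instance; returns #distinct outputs."""
    g, a = keygen(n)
    assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1
    assert g != 1 and pow(g, Q, P) == 1             # g really has order q
    outs = [prf(g, a, int_to_bits(x, n)) for x in range(2 ** n)]
    assert all(pow(y, Q, P) == 1 for y in outs)     # outputs stay in <g>
    assert outs[5] == prf(g, a, int_to_bits(5, n))  # deterministic
    return len(set(outs))
```

With q this small, distinct inputs will collide in the exponent modulo q, so the distinct-output count returned by sanity_checks is only a smoke test; the pseudo-randomness argument needs q of cryptographic size.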


Published in: Journal of the ACM, Volume 51, Issue 2 (March 2004, 248 pages)
ISSN: 0004-5411
EISSN: 1557-735X
DOI: 10.1145/972639
Copyright © 2004 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
