Iftach Haitner scite author profile

Abstract. We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, and for arbitrary but fixed polynomials L and N , we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N (k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security.We also observe that any fully homomorphic encryption scheme that additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that its algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions.Finally, we extend an impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions if the proof makes only a black-box use of the query function and the adversary attacking the scheme. This shows that the non-black-box use of the query function in our proof of security is inherent.

show abstract

On the Power of the Randomized Iterate

Haitner¹,

Harnik²,

Reingold³

2011

SIAM J. Comput.

View full text Add to dashboard Cite

On the (Im)Possibility of Key Dependent Encryption

Haitner

Holenstein

2009

View full text Add to dashboard Cite

We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results that hold both in the private and in the public key settings:-Let H be the family of poly(n)-wise independent hash-functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent messages to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H.-There exists no reduction from an encryption scheme secure against key-dependent messages to, essentially, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for an arbitrary g, as long as the reduction's proof of security treats both the adversary and the function g as black boxes.

show abstract

Efficiency Improvements in Constructing Pseudorandom Generators from One-Way Functions

Haitner¹,

Reingold²,

Vadhan³

2013

SIAM J. Comput.

View full text Add to dashboard Cite

Inaccessible entropy

Haitner

Reingold

Vadhan

et al. 2009

View full text Add to dashboard Cite

Statistically-hiding commitment from any one-way function

Haitner

Reingold

2007

View full text Add to dashboard Cite

We give a construction of statistically-hiding commitment schemes (ones where the hiding property holds information theoretically), based on the minimal cryptographic assumption that one-way functions exist. Our construction employs two-phase commitment schemes, recently constructed by Nguyen, Ong and Vadhan (FOCS '06), and universal oneway hash functions introduced and constructed by Naor and Yung (STOC '89) and Rompel (STOC '90).

show abstract

Finding Collisions in Interactive Protocols - A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments

Haitner¹,

Hoch²,

Reingold³

et al. 2007

View full text Add to dashboard Cite

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

Haitner¹,

Nguyen²,

Ong³

et al. 2009

SIAM J. Comput.

View full text Add to dashboard Cite

We give a construction of statistically hiding commitment schemes (those in which the hiding property holds against even computationally unbounded adversaries) under the minimal complexity assumption that one-way functions exist. Consequently, one-way functions suffice to give statistical zero-knowledge arguments for any NP statement (whereby even a computationally unbounded adversarial verifier learns nothing other than the fact that the assertion being proven is true, and no polynomial-time adversarial prover can convince the verifier of a false statement). These results resolve an open question posed by Naor et al. [by Nguyen and Vadhan [28]. 2 We then use this 2-phase commitment scheme together with universal one-way hash functions (whose existence is also implied by the existence of one-way functions [7]) to construct the desired statistically hiding commitment scheme.1.3.1. 2-phase commitments from any one-way function. 2-phase commitment schemes are commitment schemes with two phases, each consisting of a commit stage and a reveal stage. In the first phase, the sender commits to and reveals one value v 1 , and subsequently, in the second phase, the sender commits to and reveals a second value v 2 . We say that the 2-phase commitment is hiding if both phases are hiding and say that it is 1-out-of-2-binding, symbolically written as 2 1binding, if the following holds: with high probability, the sender will be forced to reveal the correct committed value in at least one of the phases (but which of the two phases can be determined dynamically by the malicious sender?). More specifically, with high probability after the first-phase commit, there is a single value such that if the sender decommits to any other value, then the second commitment is guaranteed to be binding (in the standard sense).Even though we draw upon [28] for the notion of 2-phase commitments, there are many differences between the contexts of the two works and their constructions of 2-phase commitments. In [28], the goal was to prove unconditional results about prover efficiency in zero-knowledge proofs (specifically, that one can transform zeroknowledge proofs with inefficient provers into ones with efficient provers). This was done by showing that every problem having a zero-knowledge proof has an "instancedependent" 2-phase commitment scheme, where the sender and receiver get an instance x of the problem as auxiliary input and we only require hiding to hold when x is a "yes instance" and binding when x is a "no instance." Here, we are giving conditional results (assuming the existence of one-way functions) and are obtaining standard (as opposed to instance-dependent) 2-phase commitments. Moreover, the focus in [28] is on statistically binding 2-phase commitments; thus here we need to develop new formulations to work with the computational binding property.Our initial construction, which gives a 2-phase commitment scheme satisfying a "weak hiding" property, is inspired by the construction of [28]. Indeed, the second phase in [28] was also in...

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Iftach Haitner

Bounded Key-Dependent Message Security

On the Power of the Randomized Iterate

On the (Im)Possibility of Key Dependent Encryption

Efficiency Improvements in Constructing Pseudorandom Generators from One-Way Functions

Inaccessible entropy

Statistically-hiding commitment from any one-way function

Finding Collisions in Interactive Protocols - A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

Contact Info

Product

Resources

About