TY - GEN
T1 - A new sampling protocol and applications to basing cryptographic primitives on the hardness of NP
AU - Haitner, Iftach
AU - Mahmoody, Mohammad
AU - Xiao, David
PY - 2010
Y1 - 2010
N2 - We investigate the question of what languages can be decided efficiently with the help of a recursive collision-finding oracle. Such an oracle can be used to break collision-resistant hash functions or, more generally, statistically hiding commitments. The oracle we consider, Sam_d where d is the recursion depth, is based on the identically-named oracle defined in the work of Haitner et al. (FOCS '07). Our main result is a constant-round public-coin protocol "AM-Sam" that allows an efficient verifier to emulate a Sam_d oracle for any constant depth d = O(1) with the help of a BPP^NP prover. AM-Sam allows us to conclude that if L is decidable by a k-adaptive randomized oracle algorithm with access to a Sam_{O(1)} oracle, then L ∈ AM[k] ∩ coAM[k]. The above yields the following corollary: assume there exists an O(1)-adaptive reduction that bases constant-round statistically hiding commitment on NP-hardness, then NP ⊆ coAM and the polynomial hierarchy collapses. The same result holds for any primitive that can be broken by Sam_{O(1)} including collision-resistant hash functions and O(1)-round oblivious transfer where security holds statistically for one of the parties. We also obtain non-trivial (though weaker) consequences for k-adaptive reductions for any k = poly(n). Prior to our work, most results in this research direction either applied only to non-adaptive reductions (Bogdanov and Trevisan, SIAM J. of Comp. '06 and Akavia et al., FOCS '06) or to one-way permutations (Brassard FOCS '79).
The main technical tool we use to prove the above is a new constant-round public-coin protocol (SampleWithSize), which we believe to be of interest in its own right, that guarantees the following: given an efficient function f on n bits, let D be the output distribution D = f(U_n), then SampleWithSize allows an efficient verifier Arthur to use an all-powerful prover Merlin's help to sample a random y ← D along with a good multiplicative approximation of the probability p_y = Pr_{y′←D}[y′ = y]. The crucial feature of SampleWithSize is that it extends even to distributions of the form D = f(U_S), where U_S is the uniform distribution on an efficiently decidable subset S ⊆ {0, 1}^n (such D are called efficiently samplable with post-selection), as long as the verifier is also given a good approximation of the value |S|.
KW - Blackbox lower bounds
KW - Collision-resistant hash functions
KW - Constant-round statistically hiding commitments
KW - Sampling protocols
UR - http://www.scopus.com/inward/record.url?scp=77955251759&partnerID=8YFLogxK
U2 - 10.1109/CCC.2010.17
DO - 10.1109/CCC.2010.17
M3 - Conference contribution
AN - SCOPUS:77955251759
SN - 9780769540603
T3 - Proceedings of the Annual IEEE Conference on Computational Complexity
SP - 76
EP - 87
BT - Proceedings - 25th Annual IEEE Conference on Computational Complexity, CCC 2010
PB - IEEE Computer Society
T2 - 25th Annual IEEE Conference on Computational Complexity, CCC 2010
Y2 - 9 June 2010 through 11 June 2010
ER -