## Abstract

We investigate the question of what languages can be decided efficiently with the help of a recursive collision-finding oracle. Such an oracle can be used to break collision-resistant hash functions or, more generally, statistically hiding commitments. The oracle we consider, Sam_{d} where d is the recursion depth, is based on the identically-named oracle defined in the work of Haitner et al. (FOCS '07). Our main result is a constant-round public-coin protocol "AM-Sam" that allows an efficient verifier to emulate a Sam_{d} oracle for any constant depth d = O(1) with the help of a BPP^{NP} prover. AM-Sam allows us to conclude that if L is decidable by a k-adaptive randomized oracle algorithm with access to a Sam_{O(1)} oracle, then L ∈ AM[k] ∩ coAM[k]. The above yields the following corollary: assume there exists an O(1)-adaptive reduction that bases constant-round statistically hiding commitment on NP-hardness, then NP ⊆ coAM and the polynomial hierarchy collapses. The same result holds for any primitive that can be broken by Sam_{O(1)} including collision-resistant hash functions and O(1)-round oblivious transfer where security holds statistically for one of the parties. We also obtain non-trivial (though weaker) consequences for k-adaptive reductions for any k = poly(n). Prior to our work, most results in this research direction either applied only to non-adaptive reductions (Bogdanov and Trevisan, SIAM J. of Comp. '06 and Akavia et al., FOCS '06) or to one-way permutations (Brassard, FOCS '79).

The main technical tool we use to prove the above is a new constant-round public-coin protocol (SampleWithSize), which we believe to be of interest in its own right, that guarantees the following: given an efficient function f on n bits, let D be the output distribution D = f(U_{n}), then SampleWithSize allows an efficient verifier Arthur to use an all-powerful prover Merlin's help to sample a random y ← D along with a good multiplicative approximation of the probability p_{y} = Pr_{y′←D}[y′ = y]. The crucial feature of SampleWithSize is that it extends even to distributions of the form D = f(U_{S}), where U_{S} is the uniform distribution on an efficiently decidable subset S ⊆ {0, 1}^{n} (such D are called efficiently samplable with post-selection), as long as the verifier is also given a good approximation of the value |S|.

Original language | English |
---|---|
Title of host publication | Proceedings - 25th Annual IEEE Conference on Computational Complexity, CCC 2010 |
Publisher | IEEE Computer Society |
Pages | 76-87 |
Number of pages | 12 |
ISBN (Print) | 9780769540603 |
State | Published - 2010 |
Externally published | Yes |
Event | 25th Annual IEEE Conference on Computational Complexity, CCC 2010 - Cambridge, MA, United States. Duration: 9 Jun 2010 → 11 Jun 2010 |

### Publication series

Name | Proceedings of the Annual IEEE Conference on Computational Complexity |
---|---|
ISSN (Print) | 1093-0159 |

### Conference

Conference | 25th Annual IEEE Conference on Computational Complexity, CCC 2010 |
---|---|
Country/Territory | United States |
City | Cambridge, MA |
Period | 9/06/10 → 11/06/10 |

## Keywords

- Blackbox lower bounds
- Collision-resistant hash functions
- Constant-round statistically hiding commitments
- Sampling protocols