A new sampling protocol and applications to basing cryptographic primitives on the hardness of NP

Iftach Haitner*, Mohammad Mahmoody, David Xiao

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review


We investigate the question of what languages can be decided efficiently with the help of a recursive collision-finding oracle. Such an oracle can be used to break collision-resistant hash functions or, more generally, statistically hiding commitments. The oracle we consider, Sam_d where d is the recursion depth, is based on the identically-named oracle defined in the work of Haitner et al. (FOCS '07). Our main result is a constant-round public-coin protocol "AM-Sam" that allows an efficient verifier to emulate a Sam_d oracle for any constant depth d = O(1) with the help of a BPP^NP prover. AM-Sam allows us to conclude that if L is decidable by a k-adaptive randomized oracle algorithm with access to a Sam_{O(1)} oracle, then L ∈ AM[k] ∩ coAM[k]. The above yields the following corollary: assume there exists an O(1)-adaptive reduction that bases constant-round statistically hiding commitment on NP-hardness, then NP ⊆ coAM and the polynomial hierarchy collapses. The same result holds for any primitive that can be broken by Sam_{O(1)} including collision-resistant hash functions and O(1)-round oblivious transfer where security holds statistically for one of the parties. We also obtain non-trivial (though weaker) consequences for k-adaptive reductions for any k = poly(n). Prior to our work, most results in this research direction either applied only to non-adaptive reductions (Bogdanov and Trevisan, SIAM J. of Comp. '06 and Akavia et al., FOCS '06) or to one-way permutations (Brassard FOCS '79).
The main technical tool we use to prove the above is a new constant-round public-coin protocol (SampleWithSize), which we believe to be of interest in its own right, that guarantees the following: given an efficient function f on n bits, let D be the output distribution D = f(U_n), then SampleWithSize allows an efficient verifier Arthur to use an all-powerful prover Merlin's help to sample a random y ← D along with a good multiplicative approximation of the probability p_y = Pr_{y′←D}[y′ = y]. The crucial feature of SampleWithSize is that it extends even to distributions of the form D = f(U_S), where U_S is the uniform distribution on an efficiently decidable subset S ⊆ {0, 1}^n (such D are called efficiently samplable with post-selection), as long as the verifier is also given a good approximation of the value |S|.

Original language: English
Title of host publication: Proceedings - 25th Annual IEEE Conference on Computational Complexity, CCC 2010
Publisher: IEEE Computer Society
Number of pages: 12
ISBN (Print): 9780769540603
State: Published - 2010
Externally published: Yes
Event: 25th Annual IEEE Conference on Computational Complexity, CCC 2010 - Cambridge, MA, United States
Duration: 9 Jun 2010 to 11 Jun 2010

Publication series

Name: Proceedings of the Annual IEEE Conference on Computational Complexity
ISSN (Print): 1093-0159


Conference: 25th Annual IEEE Conference on Computational Complexity, CCC 2010
Country/Territory: United States
City: Cambridge, MA


  • Blackbox lower bounds
  • Collision-resistant hash functions
  • Constant-round statistically hiding commitments
  • Sampling protocols

