Public-key cryptography from different assumptions

This paper attempts to broaden the foundations of public-key cryptography. We construct new public-key encryption schemes based on new hardness-on-average assumptions for natural combinatorial NP-hard optimization problems. We consider the following assumptions:

1. It is infeasible to solve a random set of sparse linear equations mod 2, of which a small fraction is noisy.
2. It is infeasible to distinguish between a random unbalanced bipartite graph and such a graph in which we "plant" at random, in the large side, a set S with only |S|/3 neighbors.
3. There is a pseudorandom generator in NC^0 where every output depends on a random constant-size subset of the inputs.

We obtain semantically secure public-key encryption schemes based on several combinations of these assumptions with different parameters. In particular, we obtain public-key encryption from Assumption 1 on its own, yielding the first noisy-equations type public-key scheme in which the noise rate is higher than one over the square root of the number of equations. We also obtain public-key encryption based on a combination of Assumptions 2 and 3. These are arguably of a more "combinatorial"/"private-key" nature than any assumptions used before for public-key cryptography. Our proof involves novel "search to decision" and "search to prediction" reductions for sparse noisy linear equations. The strength of our assumptions raises new algorithmic and pseudorandomness questions (and new parameters for old ones). We give some evidence for these assumptions by studying their resistance to certain classes of natural algorithms, including semi-definite programs, AC^0 circuits, low-degree polynomials, and cycle counting. We also relate our assumptions to other problems such as planted clique and learning juntas.
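To make Assumptions 1 and 2 concrete, the following instance generators are added here as an illustration; they are not code from the paper. The first plants a secret in a random sparse noisy linear system mod 2 and measures how well the planted solution agrees with it (with an exhaustive search that is only feasible for tiny n), the second plants a set S with only |S|/3 neighbors in an unbalanced bipartite graph. The parameter names (n, m, d, eps, s) and the exact-count noise model are this example's own assumptions.

```python
import random
from itertools import product

# Constructed instance generators for Assumptions 1 and 2 of the abstract.
# Parameter names and the exact-count noise model are this example's choices.

def sample_noisy_sparse_equations(n, m, d, eps, rng):
    """Assumption 1: m random d-sparse linear equations mod 2 in n unknowns
    with a planted secret x; exactly round(eps*m) right-hand sides are flipped.
    Each equation is (list_of_variable_indices, rhs_bit)."""
    x = [rng.randrange(2) for _ in range(n)]
    eqs = []
    for _ in range(m):
        idx = rng.sample(range(n), d)              # sparse: d of the n variables
        eqs.append((idx, sum(x[i] for i in idx) % 2))
    for j in rng.sample(range(m), round(eps * m)):  # noisy fraction eps
        idx, rhs = eqs[j]
        eqs[j] = (idx, rhs ^ 1)
    return x, eqs

def satisfied_fraction(eqs, y):
    """Fraction of the equations that the assignment y satisfies."""
    ok = sum(sum(y[i] for i in idx) % 2 == rhs for idx, rhs in eqs)
    return ok / len(eqs)

def brute_force_search(eqs, n):
    """Exhaustive search over all 2^n assignments for the one agreeing with the
    most equations; Assumption 1 says no efficient algorithm achieves this."""
    return max(product((0, 1), repeat=n), key=lambda y: satisfied_fraction(eqs, y))

def sample_planted_bipartite(n, m, d, s, rng):
    """Assumption 2: bipartite graph with a small side of n vertices and a large
    side of m vertices, each large-side vertex adjacent to d small-side vertices.
    A random set S of s large-side vertices is planted so that every neighbour
    of S lies in a random set T of size s // 3 (requires d <= s // 3).
    Returns (S, T, nbrs) with nbrs[v] the neighbour list of large-side vertex v."""
    assert d <= s // 3, "planted vertices need d distinct neighbours inside T"
    S = set(rng.sample(range(m), s))
    T = rng.sample(range(n), s // 3)
    nbrs = [rng.sample(T if v in S else range(n), d) for v in range(m)]
    return S, T, nbrs

def neighbourhood(nbrs, vertices):
    """Union of the neighbours of a set of large-side vertices."""
    return set().union(*(nbrs[v] for v in vertices))

if __name__ == "__main__":
    rng = random.Random(7)
    x, eqs = sample_noisy_sparse_equations(10, 80, 3, 0.1, rng)
    print("planted solution agrees with", satisfied_fraction(eqs, x), "of equations")
    print("best assignment found by brute force:", brute_force_search(eqs, 10))
    S, T, nbrs = sample_planted_bipartite(20, 60, 3, 12, rng)
    print("|S| =", len(S), " |N(S)| =", len(neighbourhood(nbrs, S)))
```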
