Basing Weak Public-Key Cryptography on Strong One-Way Functions

In one of the pioneering papers on public-key cryptography, Ralph Merkle suggested a heuristic protocol for exchanging a secret key over an insecure channel by using an idealized private-key encryption scheme. Merkle's protocol is presumed to remain secure as long as the gap between the running time of the adversary and that of the honest parties is at most quadratic (rather than super-polynomial). In this work, we initiate an effort to base similar forms of public-key cryptography on well-founded assumptions. We suggest a variant of Merkle's protocol whose security can be based on the one-wayness of the underlying primitive. Specifically, using a one-way function of exponential strength, we obtain a key agreement protocol resisting adversaries whose running time is nearly quadratic in the running time of the honest parties. This protocol gives the adversary a small (but non-negligible) advantage in guessing the key. We show that the security of the protocol can be amplified by using a one-way function with a strong form of a hard-core predicate, whose existence follows from a conjectured "dream version" of Yao's XOR lemma. On the other hand, we show that this type of hard-core predicate cannot be based on (even exponentially strong) one-wayness by using a black-box construction. In establishing the above results, we reveal interesting connections between the problem under consideration and problems from other domains. In particular, we suggest a paradigm for converting (unconditionally) secure protocols in Maurer's bounded storage model into (computationally) secure protocols in the random oracle model, translating storage advantage into computational advantage. Our main protocol can be viewed as an instance of this paradigm. Finally, we observe that a quantum adversary can completely break the security of our protocol (as well as Merkle's heuristic protocol) by using the quadratic speedup of Grover's quantum search algorithm. This raises a speculation that there might be a closer relation between (classical) public-key cryptography and quantum computing than is commonly believed.
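As an added illustration (not code from the paper), the following Python simulation shows a Merkle-style key agreement from a one-way function in the spirit of the abstract: the honest parties each spend about n evaluations of f over a domain of size n^2, while a classical adversary that must invert f by exhaustive search spends about n^2, a quadratic gap. The concrete protocol shape, SHA-256 as a stand-in for the one-way function, and the parameters are assumptions, not the paper's own construction.

```python
"""Toy Merkle-style key agreement from a one-way function (constructed example)."""
import hashlib
import random


def f(x: int) -> bytes:
    """Stand-in for an exponentially strong one-way function (assumption: SHA-256)."""
    return hashlib.sha256(x.to_bytes(8, "big")).digest()


def merkle_style_agreement(n: int, rng: random.Random):
    """Alice and Bob agree on a key using roughly n evaluations of f each.

    The domain has size n*n, so an adversary who must invert f by search needs
    about n*n evaluations: a quadratic, not super-polynomial, gap.
    Returns (alice_key, bob_key, transcript, honest_evaluations).
    """
    domain = n * n
    evals = 0
    while True:
        # Alice samples n random inputs and publishes their images (her message).
        alice_inputs = [rng.randrange(domain) for _ in range(n)]
        alice_table = {f(x): x for x in alice_inputs}
        evals += n
        # Bob samples inputs until one lands on a published image; each trial
        # hits with probability about 1/n, so he expects about n evaluations.
        for _ in range(8 * n):
            y = rng.randrange(domain)
            evals += 1
            fy = f(y)
            if fy in alice_table:
                # Bob announces the matching image; the shared key is its preimage.
                transcript = (list(alice_table.keys()), fy)
                return alice_table[fy], y, transcript, evals
        # Rare miss (probability about e^-8): rerun with fresh randomness.


def invert_by_search(target: bytes, domain: int):
    """Classical adversary: exhaustive search over the domain, counting evaluations.

    A Grover-style quantum search would need only about sqrt(domain) = n
    evaluations, i.e. no more than the honest parties, which is the break
    the abstract points out.
    """
    for x in range(domain):
        if f(x) == target:
            return x, x + 1
    return None, domain


if __name__ == "__main__":
    n = 64
    ka, kb, (_, chosen), honest = merkle_style_agreement(n, random.Random(1))
    recovered, adv = invert_by_search(chosen, n * n)
    print("keys agree:", ka == kb == recovered, "honest:", honest, "adversary:", adv)
```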
