Memory Lower Bounds of Reductions Revisited

At Crypto 2017, Auerbach et al. initiated the study of memory-tight reductions and proved two negative results on the memory-tightness of restricted black-box reductions from multi-challenge security to single-challenge security for signatures and an artificial hash function. In this paper, we revisit the results by Auerbach et al. and show that for a large class of reductions treating multi-challenge security, it is impossible to avoid loss of memory-tightness unless we sacrifice the efficiency of their running time. Specifically, we show three lower bound results. First, we show a memory lower bound for natural black-box reductions from the multi-challenge unforgeability of unique signatures to any computational assumption. Then we show a lower bound for restricted reductions from multi-challenge security to single-challenge security for a wide class of cryptographic primitives with unique keys in the multi-user setting. Finally, we extend the lower bound result shown by Auerbach et al. treating a hash function to one treating any hash function with a large domain.
