Uniqueness is a Different Story: Impossibility of Verifiable Random Functions from Trapdoor Permutations

Verifiable random functions (VRFs) are pseudorandom functions with the additional property that the owner of the seed SK can issue publicly-verifiable proofs for the statements "f(SK,x)=y", for any input x. Moreover, the output of VRFs is guaranteed to be unique, which means that y=f(SK,x) is the only image that can be proven to map to x. Despite their popularity, constructing VRFs seems to be a challenging task and only a few constructions based on specific number-theoretic problems are known. Basing a scheme on general assumptions is still an open problem. Towards this direction, Brakerski et al. showed that verifiable random functions cannot be constructed from one-way permutations in a black-box way. In this paper we continue the study of the relationship between VRFs and well-established cryptographic primitives. Our main result is a separation of VRFs and adaptive trapdoor permutations (ATDPs) in a black-box manner. This result sheds light on the nature of VRFs and is interesting for at least three reasons: — First, the separation result of Brakerski et al. gives the impression that VRFs belong to the "public-key world", and thus their relationship with other public-key primitives is interesting. Our result, however, shows that VRFs are strictly stronger and cannot be constructed (in a black-box way) form primitives like e.g., public-key encryption (even CCA-secure), oblivious transfer, and key-agreement. — Second, the notion of VRFs is closely related to weak verifiable random functions and verifiable pseudorandom generators which are both implied by TDPs. Dwork and Naor (FOCS 2000) asked whether there are transformation between the verifiable primitives similar to the case of "regular" PRFs and PRGs. Here, we give a negative answer to this problem showing that the case of verifiable random functions is essentially different. — Finally, our result also shows that unique signatures cannot be instantiated from ATDPs. While it is well known that standard signature schemes are equivalent to OWFs, we essentially show that the uniqueness property is crucial to change the relations between primitives.

[1]  Leonid Reyzin,et al.  Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins? , 2004, CRYPTO.

[2]  Tal Malkin,et al.  On the impossibility of basing trapdoor functions on trapdoor predicates , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[3]  Yael Tauman Kalai,et al.  A Framework for Efficient Signatures, Ring Signatures and Identity Based Encryption in the Standard Model , 2010, IACR Cryptol. ePrint Arch..

[4]  Steven Myers,et al.  Towards a Separation of Semantic and CCA Security for Public Key Encryption , 2007, TCC.

[5]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[6]  Yevgeniy Dodis,et al.  Feistel Networks Made Public, and Applications , 2007, EUROCRYPT.

[7]  Daniel R. L. Brown,et al.  Irreducibility to the One-More Evaluation Problems: More May Be Less , 2007, IACR Cryptol. ePrint Arch..

[8]  Russell Impagliazzo,et al.  Limits on the Provable Consequences of One-way Permutations , 1988, CRYPTO.

[9]  Brent Waters,et al.  Short and Stateless Signatures from the RSA Assumption , 2009, CRYPTO.

[10]  Jonathan Katz,et al.  A study of separations in cryptography: new results and new models , 2011 .

[11]  Jorge Luis Villar,et al.  Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption , 2006, ASIACRYPT.

[12]  Silvio Micali,et al.  Verifiable random functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[13]  Silvio Micali,et al.  Soundness in the Public-Key Model , 2001, CRYPTO.

[14]  Moni Naor,et al.  Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions , 1999, J. Comput. Syst. Sci..

[15]  Silvio Micali,et al.  Transitive Signature Schemes , 2002, CT-RSA.

[16]  Dario Fiore,et al.  Verifiable Random Functions from Identity-Based Key Encapsulation , 2009, EUROCRYPT.

[17]  Sampath Kannan,et al.  The relationship between public key encryption and oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[18]  Moses D. Liskov Updatable Zero-Knowledge Databases , 2005, ASIACRYPT.

[19]  Periklis A. Papakonstantinou,et al.  On the Impossibility of Basing Identity Based Encryption on Trapdoor Permutations , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[20]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[21]  Luca Trevisan,et al.  Notions of Reducibility between Cryptographic Primitives , 2004, TCC.

[22]  Yevgeniy Dodis,et al.  Efficient Construction of (Distributed) Verifiable Random Functions , 2003, Public Key Cryptography.

[23]  Rafail Ostrovsky,et al.  Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract) , 1992, CRYPTO.

[24]  Gil Segev,et al.  Chosen-Ciphertext Security via Correlated Products , 2009, SIAM J. Comput..

[25]  Ueli Maurer,et al.  A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security , 2007, EUROCRYPT.

[26]  Yevgeniy Dodis,et al.  A Verifiable Random Function with Short Proofs and Keys , 2005, Public Key Cryptography.

[27]  Jonathan Katz,et al.  Impossibility of Blind Signatures from One-Way Permutations , 2011, TCC.

[28]  Adam O'Neill,et al.  Adaptive Trapdoor Functions and Chosen-Ciphertext Security , 2010, EUROCRYPT.

[29]  Jonathan Katz,et al.  Limits on the Power of Zero-Knowledge Proofs in Cryptographic Constructions , 2011, TCC.

[30]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[31]  Guy N. Rothblum,et al.  Weak Verifiable Random Functions , 2009, TCC.

[32]  Brent Waters,et al.  Constructing Verifiable Random Functions with Large Input Spaces , 2010, EUROCRYPT.

[33]  Yevgeniy Dodis,et al.  On the Generic Insecurity of the Full Domain Hash , 2005, CRYPTO.

[34]  Marc Fischlin,et al.  On the Impossibility of Three-Move Blind Signature Schemes , 2010, EUROCRYPT.

[35]  Moni Naor,et al.  Zaps and Their Applications , 2007, SIAM J. Comput..

[36]  Yevgeniy Vahlis,et al.  Two Is a Crowd? A Black-Box Separation of One-Wayness and Security under Correlated Inputs , 2010, TCC.

[37]  Anna Lysyanskaya,et al.  Unique Signatures and Verifiable Random Functions from the DH-DDH Separation , 2002, CRYPTO.

[38]  Rafael Pass,et al.  Limits of provable security from standard assumptions , 2011, STOC '11.

[39]  Emmanuel Bresson,et al.  Separation Results on the "One-More" Computational Problems , 2008, CT-RSA.

[40]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[41]  Vitaly Shmatikov,et al.  Handcuffing Big Brother: an Abuse-Resilient Transaction Escrow Scheme , 2004, EUROCRYPT.