CRYPTOGRAPHIC HARDNESS
OTHER FUNCTIONALITIES
Andrej Bogdanov, Chinese University of Hong Kong
MACS Foundations of Cryptography | January 2016
K-to-one functions
Say f is K-to-1 if for every y, $|f^{-1}(y)| = K$
Complexity of proof system grows linearly in K
When say $K = 2^{n/2}$ this is exponential in n
Can we do better?
INTERACTIVE PROOFS
Graph isomorphism
Claim: [graph figure] is isomorphic to [graph figure]
Proof: [figure]
Graph non-isomorphism
Claim: [figure: graph $G_0$] is not isomorphic to [figure: graph $G_1$]
Interactive proof:
Verifier: Choose random bit b, permutation p. Send graph $G = p(G_b)$
Prover: Answer with b’
Verifier: If b’ = b, declare “probably not isomorphic”
Graph non-isomorphism
Analysis:
If $G_0$, $G_1$ not isomorphic, then prover knows for sure that G came from $G_b$, so he can answer b
If $G_0$, $G_1$ isomorphic, then G is equally likely to have come from $G_0$ / $G_1$, so he can guess b with prob 1/2
Is there a classical proof system for graph non-isomorphism?
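The protocol and its analysis can be checked on small graphs. The Python simulation below is an added example, not part of the original slides; the sample graphs, the function names and the brute-force prover standing in for the unbounded prover are assumptions made for illustration.

```python
import itertools
import random

def graph(edges):
    """Undirected graph as a frozenset of 2-element frozensets."""
    return frozenset(frozenset(e) for e in edges)

def permute(g, p):
    """Relabel every edge {u, v} of g as {p[u], p[v]}."""
    return frozenset(frozenset((p[u], p[v])) for u, v in map(tuple, g))

def isomorphic(g, h, n):
    """Brute force over all n! relabelings (the unbounded prover's power)."""
    return any(permute(g, p) == h for p in itertools.permutations(range(n)))

def verifier_challenge(g0, g1, n, rng):
    """Verifier: choose random bit b and permutation p, send G = p(G_b)."""
    b = rng.randrange(2)
    p = list(range(n))
    rng.shuffle(p)
    return b, permute((g0, g1)[b], p)

def prover_answer(g0, g1, g, n, rng):
    """Prover: answer with the index of the graph that G came from."""
    from_g0 = isomorphic(g0, g, n)
    from_g1 = isomorphic(g1, g, n)
    if from_g0 != from_g1:
        return 0 if from_g0 else 1
    return rng.randrange(2)  # G matches both: nothing better than a guess

def acceptance_rate(g0, g1, n, rounds, seed):
    """Fraction of rounds in which the prover's answer b' equals b."""
    verifier_rng = random.Random(seed)
    prover_rng = random.Random(seed + 1)
    hits = 0
    for _ in range(rounds):
        b, g = verifier_challenge(g0, g1, n, verifier_rng)
        hits += prover_answer(g0, g1, g, n, prover_rng) == b
    return hits / rounds

# Constructed sample graphs on 4 vertices, all with 3 edges.
N = 4
PATH = graph([(0, 1), (1, 2), (2, 3)])
STAR = graph([(0, 1), (0, 2), (0, 3)])            # not isomorphic to PATH
PATH_RELABELED = graph([(2, 0), (0, 3), (3, 1)])  # isomorphic to PATH

if __name__ == "__main__":
    print("non-isomorphic pair:", acceptance_rate(PATH, STAR, N, 200, seed=1))
    print("isomorphic pair:    ", acceptance_rate(PATH, PATH_RELABELED, N, 2000, seed=1))
```

Repeating the round independently drives the prover's success probability on an isomorphic pair from 1/2 towards 0.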
Decision problems
Recall SUBSET-SUM:
Given eqn =
$$\begin{aligned}
&13174331003415\,x_1 + 17285145771356\,x_2 + 19133308147607\,x_3 + 20768399988658\,x_4 \\
&+ 22857403444525\,x_5 + 27320889680330\,x_6 + 32609413435035\,x_7 + 33346249486015\,x_8 \\
&+ 36451703583100\,x_9 + 44137263807532\,x_{10} + 44383378110073\,x_{11} + 46011207828303\,x_{12} \\
&= 40168796369884
\end{aligned}$$
find a solution x in $\{0, 1\}^{12}$ (if it exists)
Decision version L:
$L_{YES}$ are those eqn that have a solution
$L_{NO}$ are those eqn without a solution
Given x, decide if x is in $L_{YES}$ or in $L_{NO}$
The class NP
[Diagram: on input z, the Prover (unbounded) sends a proof p to the Verifier (efficient), which outputs YES/NO]
Completeness: If $z \in L_{YES}$, then $V^P(z) = \text{YES}$
Soundness: If $z \in L_{NO}$, then $V^{P^*}(z) = \text{NO}$ for every $P^*$
An(other) NP-complete problem: SAT
Input:
A set $C \subseteq \{0, 1\}^n$ specified by a circuit
$L_{YES}$: C is not empty
$L_{NO}$: C is empty
Example circuit:
    C(x1, x2, x3):
        y := x1 and x2 and x3
        z := y or (not x1)
        output z and (not y)
Prover: Send $x \in C$ (if x in $L_{YES}$)
Verifier: Accept if C(x) evaluates to 1.
Interactive proofs
Given a (promise) decision problem L
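[Diagram: on input z, the Verifier (randomized, efficient) and the Prover (unbounded) exchange messages $q_1, a_2, \dots, q_{R-1}, a_R$; the Verifier outputs YES/NO]
Completeness: If $z \in L_{YES}$, $\Pr[V^P(z) = \text{YES}] \geq 3/4$
Soundness: If $z \in L_{NO}$, $\Pr[V^{P^*}(z) = \text{YES}] < 1/4$ for every $P^*$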
Normal form for interactive proofs
The class AM consists of those decision problems that have constant round interactive proofs
Such proofs have a normal form
[Diagram: the Verifier sends public randomness r; the Prover answers a(z, r)]
There is a compiler for converting protocols into this form; we’ll do an example instead.
An “AM-complete” problem
Input:
A set $C \subseteq \{0, 1\}^n$ (specified by a circuit)
A size estimate $0 < S < 2^n$
$L_{YES}$: $|C| \geq S$
$L_{NO}$: $|C| < S/8$
Interactive proof:
Verifier: Send a random 2-universal hash function $h: \{0, 1\}^n \to \{0, 1\}^r$ where $2S \leq 2^r < 4S$
Prover: Send x (and a proof that $x \in C$)
Verifier: Accept if $x \in C$ and $h(x) = 0$.
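The gap between the two cases shows up as a gap in how often the prover can find a preimage of 0. The Python sketch below is an added example, not part of the original slides; it assumes the affine family h(x) = Ax + c over GF(2) as the 2-universal hash, represents C as an explicit set instead of a circuit, and uses constructed sample sets.

```python
import random

def output_bits(S):
    """The unique r with 2S <= 2^r < 4S."""
    r = 0
    while 2 ** r < 2 * S:
        r += 1
    return r

def random_affine_hash(n, r, rng):
    """h(x) = A.x + c over GF(2), A an r-by-n bit matrix, c an r-bit vector.
    For distinct x, x' the pair (h(x), h(x')) is uniform, so the family is
    2-universal (assumed choice; the slide only asks for some such family)."""
    rows = [rng.getrandbits(n) for _ in range(r)]
    c = rng.getrandbits(r)
    def h(x):
        out = 0
        for i, row in enumerate(rows):
            out |= (bin(row & x).count("1") & 1) << i  # parity of <row, x>
        return out ^ c
    return h

def prover(C, h):
    """Unbounded prover: search C for some x with h(x) = 0."""
    for x in C:
        if h(x) == 0:
            return x
    return None

def verifier_round(C, S, n, rng):
    """One run: send h, receive x, accept iff x is in C and h(x) = 0."""
    h = random_affine_hash(n, output_bits(S), rng)
    x = prover(C, h)
    return x is not None and x in C and h(x) == 0

def acceptance_rate(C, S, n, rounds, seed):
    rng = random.Random(seed)
    return sum(verifier_round(C, S, n, rng) for _ in range(rounds)) / rounds

# Constructed instance: n = 10 bits, size estimate S = 64, so r = 7.
N_BITS, S = 10, 64
C_LARGE = set(range(100, 164))        # |C| = 64 >= S      (YES instance)
C_SMALL = {3, 77, 500, 901, 1000}     # |C| = 5  <  S/8    (NO instance)

if __name__ == "__main__":
    # With t = |C| / 2^r, pairwise independence gives
    #   Pr[accept] >= t - t^2/2  and  Pr[accept] <= t.
    print("YES instance:", acceptance_rate(C_LARGE, S, N_BITS, 2000, seed=7))
    print("NO instance: ", acceptance_rate(C_SMALL, S, N_BITS, 2000, seed=7))
```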
The set size lower bound protocol
Input:
A set $C \subseteq \{0, 1\}^n$
A size estimate $0 < S < 2^n$
An error parameter e > 0
$L_{YES}$: $|C| \geq S$
$L_{NO}$: $|C| < (1 - e)S$
Running time of verifier is linear in |C|/e
Proof:
Run original protocol on $(C^k, S^k)$, k = 3/e
Graph non-isomorphism via set size
Given $G_0$, $G_1$ we want a proof of non-isomorphism
For simplicity we’ll assume $G_0$, $G_1$ have no automorphisms
Reduction to set size lower bound:
$C = \{p(G_b) : p \text{ is a permutation}, b \text{ is a bit}\}$
$G_0$, $G_1$ are isomorphic: $|C| = n!$
$G_0$, $G_1$ are not isomorphic: $|C| = 2 \cdot n!$
AM ≈ NP
[Diagram: the Verifier sends public randomness r; the Prover answers a(z, r)]
If we replace r by the output of a suitable pseudo-random generator, proof can be derandomized
Under a plausible assumption in complexity theory, AM = NP.
BACK TO CRYPTOGRAPHY
Hardness of regular one-way functions
Say $f: \{0, 1\}^n \to \{0, 1\}^{n-k}$ is $2^k$-to-1
Suppose we have a reduction $R^?$ that, given an inverter I for f, solves L
Verifier will emulate reduction
Prover will emulate random inverter I
Given a query b, return each a s.t. f(a) = b with probability $2^{-k}$ independently of previous queries and answers
Hardness of regular one-way functions
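[Diagram: the Verifier sends queries $b_1, \dots, b_t$; the Prover answers $a_1 = I(b_1), \dots, a_t = I(b_t)$]
$x \in L$: $\Pr_{r, I}[R^I(x; r) \text{ accepts}] \geq 2/3$
$x \notin L$: $\Pr_{r, I}[R^I(x; r) \text{ accepts}] < 1/3$
$|\{(r, a_1, \dots, a_t) \text{ valid and accepting}\}| \geq (2/3) \cdot 2^{|r| + kt}$
$|\{(r, a_1, \dots, a_t) \text{ valid and accepting}\}| < (1/3) \cdot 2^{|r| + kt}$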
Hardness of regular one-way functions
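[Diagram: the Verifier sends queries $y_1, \dots, y_t$; the Prover answers $x_1 = I(y_1), \dots, x_t = I(y_t)$; output: x ∈/∉ L]
$x \in L$: $\Pr_{r, I}[R^I(x; r) \text{ rejects}] \geq 2/3$
$x \notin L$: $\Pr_{r, I}[R^I(x; r) \text{ rejects}] < 1/3$
$|\{(r, x_1, \dots, x_t) \text{ valid and rejecting}\}| \geq (2/3) \cdot 2^{|r| + kt}$
$|\{(r, x_1, \dots, x_t) \text{ valid and rejecting}\}| < (1/3) \cdot 2^{|r| + kt}$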
What we did so far
We sketched why security of “structured” one-way functions cannot be provably NP-hard
(More complicated for arbitrary functions)
It may be that there exist such NP-hard to break functions; if true this is not provable
Next we show examples where breaking the crypto is (provably) not NP-hard
Indistinguishability obfuscation
[Diagram: C → O → Ц]
Functionality: Ц ≡ C (Ц(x) = C(x) for all x)
Security: If C ≡ C’ then random vars Ц and Ц’ are indistinguishable
Kinds of indistinguishability
Perfect: X and X’ look identical to every (boolean) test
Statistical: no test can distinguish with advantage > 1%
Computational: no efficient test can distinguish with advantage > 1%
Indistinguishability obfuscation
No statistically secure indistinguishability obfuscation exists*
* Unless NP is in coAM
[Diagram: C → O → Ц]
STATISTICAL ZERO-KNOWLEDGE
Graph isomorphism
Claim: [graph figure] is isomorphic to [graph figure]
Proof: [figure]
Verifier learns the isomorphism!
A zero-knowledge proof
Input: Two graphs $G_0$, $G_1$ (Assume isomorphic)
Prover: Choose random H isomorphic to $G_0$ and $G_1$. Send H
Verifier: Answer with b
Prover: Reveal isomorphism between H and $G_b$
Verifier: If H ≡ $G_b$, say “$G_0$, $G_1$ probably isomorphic”. Otherwise say “$G_0$, $G_1$ not isomorphic”
Zero-knowledge proofs
If $G_0$, $G_1$ are isomorphic, verifier does not learn the isomorphism (or anything else)
So graph isomorphism has zero-knowledge proofs
The proof for non-isomorphism is also zero-knowledge!
Every problem that has zero-knowledge proofs also has zero-knowledge refutations
… or SZK ⊆ AM ∩ coAM
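Why the verifier learns nothing in the graph isomorphism protocol can be checked exhaustively on a toy instance: the verifier's view (H, b, revealed isomorphism) can be generated without the secret by choosing b first. The Python code below is an added example, not part of the original slides; the graphs, the secret permutation PI and all function names are assumptions, and the check covers an honest verifier only.

```python
import itertools
from collections import Counter

def graph(edges):
    return frozenset(frozenset(e) for e in edges)

def permute(g, p):
    """Relabel every edge {u, v} of g as {p[u], p[v]}."""
    return frozenset(frozenset((p[u], p[v])) for u, v in map(tuple, g))

def compose(p, q):
    """The permutation v -> p[q[v]]."""
    return tuple(p[q[v]] for v in range(len(q)))

def prover_reveal(pi, sigma, b):
    """H = sigma(G1) and G1 = pi(G0): reveal a map taking G_b to H."""
    return tuple(sigma) if b == 1 else compose(sigma, pi)

def verifier_check(g0, g1, h, b, reveal):
    return permute((g0, g1)[b], reveal) == h

def honest_views(g0, g1, pi, n):
    """Every (H, b, reveal) of the real protocol, over all sigma and b."""
    views = Counter()
    for sigma in itertools.permutations(range(n)):
        h = permute(g1, sigma)                    # prover commits to H
        for b in (0, 1):                          # verifier's challenge
            reveal = prover_reveal(pi, sigma, b)
            assert verifier_check(g0, g1, h, b, reveal)  # completeness
            views[(h, b, reveal)] += 1
    return views

def simulated_views(g0, g1, n):
    """Same views built WITHOUT pi: pick b first, then H = reveal(G_b)."""
    views = Counter()
    for b in (0, 1):
        for reveal in itertools.permutations(range(n)):
            views[(permute((g0, g1)[b], reveal), b, reveal)] += 1
    return views

def max_answerable(g0, g1, n):
    """Largest number of challenges b that any single committed H can answer.
    (An H isomorphic to neither graph answers none, so only copies are tried.)"""
    perms = list(itertools.permutations(range(n)))
    best = 0
    for g in (g0, g1):
        for sigma in perms:
            h = permute(g, sigma)
            ok = [b for b in (0, 1)
                  if any(permute((g0, g1)[b], p) == h for p in perms)]
            best = max(best, len(ok))
    return best

# Constructed instance on 4 vertices.
N = 4
G0 = graph([(0, 1), (1, 2), (2, 3)])
PI = (2, 0, 3, 1)                       # prover's secret isomorphism
G1 = permute(G0, PI)
STAR = graph([(0, 1), (0, 2), (0, 3)])  # not isomorphic to G0

if __name__ == "__main__":
    print("views identical:", honest_views(G0, G1, PI, N) == simulated_views(G0, G1, N))
    print("answerable challenges, non-isomorphic pair:", max_answerable(G0, STAR, N))
```

When the graphs are not isomorphic, a committed H answers at most one of the two challenges, so a cheating prover passes a round with probability at most 1/2.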
Statistical distance (SD)
Input:
Two random variables X, Y over $\{0, 1\}^n$ (specified by samplers)
$L_{YES}$: X and Y are 99% statistically distinguishable
$L_{NO}$: X and Y are 1% statistically indistinguishable
SD has statistical zero-knowledge proofs (and is in fact SZK-complete)
BACK TO CRYPTO
Indistinguishability obfuscation
No statistically secure iO exists unless NP has short interactive refutations
Proof:
Assume it did
Let C be any set (circuit) … and Z be the empty set (zero circuit)
If C is empty, then C ≡ Z … so Ц and З are stat indistinguishable
If C is not empty, then C(x) ≠ Z(x) for some x … so Ц and З are perfectly distinguishable
Indistinguishability obfuscation
No statistically secure iO exists unless NP has short interactive refutations
We just saw a reduction from SAT to SD (assuming statistically secure iO)
Since SD has short refutations, so does SAT (and all of NP)
Public-key bit encryption
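[Diagram: parties Alice and Bob with keys SK and PK; the bit b is encrypted as $\mathrm{Enc}_{PK}(b)$ and recovered as b by $\mathrm{Dec}_{SK}(\,)$; labels: $\mathrm{Enc}_{PK}(b)$, PK]
Message indistinguishability: $(PK, \mathrm{Enc}_{PK}(0))$ and $(PK, \mathrm{Enc}_{PK}(1))$ are computationally indistinguishable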
El Gamal encryption
g, h in some large cyclic group
PK = (g, h), SK such that $g^{SK} = h$
$\mathrm{Enc}_{PK}(b) = (g^r, 2^b h^r)$ where r random
$\mathrm{Dec}_{SK}(x, y) = b$ such that $2^b \cdot x^{SK} = y$
Homomorphism of encryptions
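$\mathrm{Enc}_{PK}(b) = (g^r, 2^b h^r)$
Strongly homomorphic: $\mathrm{Enc}_{PK}(b) \cdot \mathrm{Enc}_{PK}(b')$ and $\mathrm{Enc}_{PK}(b + b')$ are identically distributed
Weakly homomorphic: $\mathrm{Dec}_{SK}(\mathrm{Enc}_{PK}(b) \cdot \mathrm{Enc}_{PK}(b')) = b + b'$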
Breaking homomorphic encryption
Homomorphic encryption for XOR is not NP-hard to break*
… because it can be broken in statistical zero-knowledge
(nothing special about XOR, true for “most” f)
* Unless NP is in coAM
Rerandomization
The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key
El Gamal example:
PK = (g, h), SK such that $g^{SK} = h$
$C = (g^r, 2^b h^r)$
$\mathrm{Rer}_{PK}(C) = C \cdot (g^{r'}, h^{r'})$ is i.i.d. with C
Rerandomization from evaluation
[Diagram: a strong homomorphic evaluator H for XOR, labelled Rer, with ciphertext labels Enc(b), Enc(0) and Enc(1)]
Rerandomization from evaluation
[Diagram: the evaluator H with inputs Enc(0), Enc(0), Enc(0), Enc(0)]
To H, Enc(0) indistinguishable from Enc(0), so output of H must forget most of Enc(0)
Rerandomization from evaluation
Lemma: If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.
We prove a weaker version for weak homomorphic evaluators and any sensitive f.
Distinguishing rerandomizations
Rerandomizable encryption can be broken in statistical zero-knowledge:
Rer(Enc(b)) vs. Enc(0)
If b = 0, they are statistically close
If b = 1, they must be statistically far, so they can be distinguished in SZK
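The El Gamal, homomorphism, rerandomization and distinguishing slides can be tied together by computing the distributions exactly in a tiny group. The Python code below is an added example, not part of the original slides; the group parameters (p = 23, subgroup order 11, g = 4, SK = 7) are constructed toy values that allow full enumeration, and the function names are assumptions.

```python
from collections import Counter
from fractions import Fraction

# Constructed toy parameters: the order-11 subgroup of Z_23^*, which contains 2.
P, Q, G = 23, 11, 4
SK = 7
H = pow(G, SK, P)                      # PK = (G, H) with G^SK = H

def enc(b, r):
    """Enc_PK(b) = (g^r, 2^b h^r) with explicit randomness r."""
    return (pow(G, r, P), pow(2, b, P) * pow(H, r, P) % P)

def mul(c1, c2):
    """Componentwise product of two ciphertexts."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def dec(c, max_b=2):
    """Find b with 2^b * x^SK = y (small search, enough for b + b')."""
    x, y = c
    mask = pow(x, SK, P)
    for b in range(max_b + 1):
        if pow(2, b, P) * mask % P == y:
            return b
    raise ValueError("not an encryption of 0..max_b")

def rer(c, r2):
    """Rer_PK(C) = C * (g^r', h^r'); uses only the public key."""
    return mul(c, enc(0, r2))

def dist(samples):
    """Exact distribution of a finite list of equally likely outcomes."""
    counts = Counter(samples)
    total = sum(counts.values())
    return {k: Fraction(v, total) for k, v in counts.items()}

def stat_distance(d1, d2):
    keys = set(d1) | set(d2)
    return sum(abs(d1.get(k, 0) - d2.get(k, 0)) for k in keys) / 2

def product_matches_fresh(b1, b2):
    """Strong homomorphism: Enc(b1)*Enc(b2) is distributed like Enc(b1+b2)."""
    product = dist(mul(enc(b1, r1), enc(b2, r2))
                   for r1 in range(Q) for r2 in range(Q))
    return product == dist(enc(b1 + b2, r) for r in range(Q))

def rerandomized_vs_fresh_zero(b):
    """Statistical distance between Rer(Enc(b)) and a fresh Enc(0)."""
    c = enc(b, 5)                      # some fixed ciphertext of b
    rerandomized = dist(rer(c, r2) for r2 in range(Q))
    fresh_zero = dist(enc(0, r) for r in range(Q))
    return stat_distance(rerandomized, fresh_zero)

if __name__ == "__main__":
    print("Dec(Enc(1)*Enc(1)) =", dec(mul(enc(1, 3), enc(1, 8))))
    print("SD for b = 0:", rerandomized_vs_fresh_zero(0))
    print("SD for b = 1:", rerandomized_vs_fresh_zero(1))
```

The distance is 0 for b = 0 and 1 for b = 1, which is exactly the close/far gap of the Statistical distance (SD) problem; at real group sizes the distributions cannot be enumerated, only sampled.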
Conclusion (and more)
Complexity helps us understand certain (theoretical) limitations of cryptography
Structured one-way functions aren’t provably NP-hard
One-way permutations [Brassard, Goldreich-Goldwasser]
2-to-1 [Akavia-Goldreich-Goldwasser-Moshkovitz]
K-to-1, size-verifiable [AGGM, B.-Brzuska]
General OWFs under non-adaptive reductions [Feigenbaum-Fortnow, B.-Trevisan, AGGM]
Hash functions, limited adaptivity [Haitner-Mahmoody-Xiao]
Conclusion (and more)
Crypto that can be broken in SZK
Homomorphic encryption [B.-Lee]
Private information retrieval [Vaikuntanathan-Liu]
There is no statistically secure iO [Goldwasser-Rothblum]