Cryptography with constant computational overhead

Yuval Ishai, Rafail Ostrovsky, Eyal Kushilevitz, Amit Sahai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

115 Scopus citations

Abstract

Current constructions of cryptographic primitives typically involve a large multiplicative computational overhead that grows with the desired level of security. We explore the possibility of implementing basic cryptographic primitives, such as encryption, authentication, signatures, and secure two-party computation, while incurring only a constant computational overhead compared to insecure implementations of the same tasks. Here we make the usual security requirement that the advantage of any polynomial-time attacker must be negligible in the input length. We obtain affirmative answers to this question for most central cryptographic primitives under plausible, albeit sometimes nonstandard, intractability assumptions. We start by showing that pairwise-independent hash functions can be computed by linear-size circuits, disproving a conjecture of Mansour, Nisan, and Tiwari (STOC 1990). This construction does not rely on any unproven assumptions and is of independent interest. Our hash functions can be used to construct message authentication schemes with constant overhead from any one-way function. Under an intractability assumption that generalizes a previous assumption of Alekhnovich (FOCS 2003), we get (public and private key) encryption schemes with constant overhead. Using an exponentially strong version of the previous assumption, we get signature schemes of similar complexity. Assuming the existence of pseudorandom generators in NC^0 with polynomial stretch together with the existence of an (arbitrary) oblivious transfer protocol, we get similar results for the seemingly very complex task of secure two-party computation. More concretely, we get general protocols for secure two-party computation in the semi-honest model in which the two parties can be implemented by circuits whose size is a constant multiple of the size s of the circuit to be evaluated. In the malicious model, we get protocols whose communication complexity is a constant multiple of s and whose computational complexity is slightly super-linear in s. For natural relaxations of security in the malicious model that are still meaningful in practice, we can also keep the computational complexity linear in s. These results extend to the case of a constant number of parties, where an arbitrary subset of the parties can be corrupted. Our protocols rely on non-black-box techniques, and suggest the intriguing possibility that the ultimate efficiency in this area of cryptography can be obtained via such techniques.

Original language: English
Title of host publication: STOC'08
Subtitle of host publication: Proceedings of the 2008 ACM Symposium on Theory of Computing
Pages: 433-442
Number of pages: 10
DOIs
State: Published - 2008
Event: 40th Annual ACM Symposium on Theory of Computing, STOC 2008 - Victoria, BC, Canada
Duration: 17 May 2008 to 20 May 2008

Publication series

Name: Proceedings of the Annual ACM Symposium on Theory of Computing
ISSN (Print): 0737-8017

Conference

Conference: 40th Annual ACM Symposium on Theory of Computing, STOC 2008
Country/Territory: Canada
City: Victoria, BC
Period: 17/05/08 to 20/05/08

Keywords

  • Constant computational overhead
  • Cryptography
  • Universal hashing

ASJC Scopus subject areas

  • Software
