Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments

  • Rafael Pass
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7785)


We present barriers to provable security of two fundamental (and well-studied) cryptographic primitives: perfect non-interactive zero knowledge (NIZK), and non-malleable commitments:

  • Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical (and thus also perfect) NIZK for \({\cal NP}\) based on any “standard” intractability assumptions.

  • Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.

We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption.

As an independent contribution, we suggest a taxonomy of game-based intractability assumptions based on 1) the security threshold, 2) the number of communication rounds in the security game, 3) the computational complexity of the game challenger, 4) the communication complexity of the challenger, and 5) the computational complexity of the security reduction.





Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Rafael Pass
    1. Cornell University, USA
