computational complexity, Volume 25, Issue 3, pp 607–666

Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments

  • Rafael Pass


We present barriers to provable security of two important cryptographic primitives, perfect non-interactive zero knowledge (NIZK) and non-interactive non-malleable commitments:
  1. Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical NIZK for NP based on any “standard” intractability assumptions.

  2. Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.

We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption.

As an independent contribution, we suggest a taxonomy of game-based intractability assumptions.


Keywords: Cryptography; Black-box separations; Non-malleable commitments; Non-interactive zero-knowledge




Copyright information

© Springer International Publishing 2016

Authors and Affiliations

  1. Department of Computer Science, Cornell University, New York, USA