From Attack on Feige-Shamir to Construction of Oblivious Transfer

  • Jingyue Yu
  • Yi Deng
  • Yu Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10726)


Following the work of [Deng, Eurocrypt 2017], under the assumption that injective one-way functions exist, we prove that at least one of the following statements is true:
  • (Infinitely-often) Oblivious transfer exists.

  • For every inverse polynomial \(\epsilon \), the 4-round Feige-Shamir protocol is \(\epsilon \)-distributional concurrent zero knowledge for any hard distribution over sparse OR-relation.

Both these statements have been shown to be unprovable [Gertner et al. FOCS 2000; Canetti et al. STOC 2001] via black-box reductions.

We show how to transform the magic adversary that breaks the \(\epsilon \)-distributional concurrent zero knowledge of the classic Feige-Shamir protocols into oblivious transfer, assuming the existence of injective one-way functions. As a key ingredient, we introduce the concept of distributional witness encryption, an encryption scheme in which “public keys” can be sampled independently of “private keys”, and show that if there exists a magic adversary breaking the \(\epsilon \)-distributional concurrent zero knowledge of Feige-Shamir protocols over a hard distribution, it can be transformed into an (infinitely-often) distributional witness encryption scheme based on injective one-way functions.


Keywords: Concurrent zero knowledge; Feige-Shamir protocol; Oblivious transfer; (Distributional) witness encryption; Black-box separations



We thank Yanyan Liu, Shunli Ma, Hailong Wang for discussions and careful proofreading. We also thank the anonymous reviewers and editors for helpful comments.

The first and second authors were supported in part by the National Natural Science Foundation of China (Grant No. 61379141). The third author was supported in part by the National Key Research and Development Plan (Grant No. 2016YFB0800403), the National Natural Science Foundation of China (Grant No. 61772522) and Youth Innovation Promotion Association CAS. All authors were also supported by Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035), and the Open Project Program of the State Key Laboratory of Cryptology.


References

  1. Abusalah, H., Fuchsbauer, G., Pietrzak, K.: Offline witness encryption. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 285–303. Springer, Cham (2016)
  2. Badrinarayanan, S., Garg, S., Ishai, Y., Sahai, A., Wadia, A.: Two-message witness indistinguishability and secure computation in the plain model from new assumptions. In: Advances in Cryptology - ASIACRYPT 2017 (2017, to appear)
  3. Barak, B.: How to go beyond the black-box simulation barrier. In: Proceedings of the 42nd Annual IEEE Symposium on Foundations of Computer Science - FOCS 2001, pp. 106–115. IEEE Computer Society (2001)
  4. Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians - ICM 1986 (1986)
  5. Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires omega(log n) rounds. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing - STOC 2001, pp. 570–579. ACM Press (2001)
  6. Chen, Y., Zhang, Z., Lin, D., Cao, Z.: Generalized (identity-based) hash proof system and its applications. Secur. Commun. Netw. 9(12), 1698–1716 (2016)
  7. Chung, K.-M., Lin, H., Pass, R.: Constant-round concurrent zero-knowledge from indistinguishability obfuscation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 287–307. Springer, Heidelberg (2015)
  8. Chung, K.-M., Lui, E., Pass, R.: From weak to strong zero-knowledge and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 66–92. Springer, Heidelberg (2015)
  9. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)
  10. Deng, Y.: Magic adversaries versus individual reduction: science wins either way. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 351–377. Springer, Cham (2017)
  11. Derler, D., Slamanig, D.: Practical witness encryption for algebraic languages and how to reply an unknown whistleblower. IACR Cryptology ePrint Arch. 2015, 1073 (2015)
  12. Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. J. ACM 50(6), 852–921 (2003)
  13. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: Proceedings of the 30th Annual ACM Symposium on Theory of Computing - STOC 1998, pp. 409–418. ACM Press (1998)
  14. Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, New York (1990)
  15. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
  16. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 467–476. ACM (2013)
  17. Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: Proceedings of the 41st Annual Symposium on Foundations of Computer Science - FOCS 2000, pp. 325–335. IEEE (2000)
  18. Goldreich, O.: A uniform-complexity treatment of encryption and zero-knowledge. J. Cryptology 6(1), 21–53 (1993)
  19. Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptology 9(3), 167–190 (1996)
  20. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the 21st Annual ACM Symposium on the Theory of Computing - STOC 1989, pp. 44–61. ACM Press (1989)
  21. Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: Black-box constructions for secure computation. In: Proceedings of the Thirty-Eighth Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (2006)
  22. Jain, A., Kalai, Y.T., Khurana, D., Rothblum, R.: Distinguisher-dependent simulation in two rounds and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 158–189. Springer, Cham (2017)
  23. Lindell, A.Y.: Efficient fully-simulatable oblivious transfer. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 52–70. Springer, Heidelberg (2008)
  24. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
  25. Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science - FOCS 2002, pp. 366–375. IEEE Computer Society (2002)
  26. Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)
  27. Zhandry, M.: How to avoid obfuscation using witness PRFs. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 421–448. Springer, Heidelberg (2016)

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  3. State Key Laboratory of Cryptology, Beijing, China
