Published on *Computer Science Department at Princeton University* (https://www.cs.princeton.edu)

In this thesis, we deal with the following questions: (1) How efficient a cryptographic algorithm can be while achieving a desired level of security? (2) Since mathematical conjectures like P ‚ NP are necessary for the possibility of secure cryptographic primitives in the standard models of computation: (a) Can we base cryptography solely based on the widely believed assumption of P ‚ NP, or do we need stronger assumptions? (b) Which alternative nonstandard models offer us provable security unconditionally, while being implementable in real life?

First we study the question of security vs. efficiency in public-key cryptography and prove tight bounds on the efficiency of black-box constructions of key-agreement and (public-key) digital signatures that achieve a desired level of security using "random-like" functions. Namely, we prove that any key-agreement protocol in the random oracle model where the parties ask at most n oracle queries can be broken by an adversary who asks at most O(n2) oracle queries and finds the key with high probability. This improves upon the previous eO(n6)-query attack of Impagliazzo and

Rudich [98] and proves that a simple key-agreement protocol due to Merkle [118] is optimal. We also prove that any signature scheme in the random oracle model where the parties ask at most q oracle queries can be broken by an adversary who forges a signature by asking at most 2O(q) oracle queries. This implies that a simple (one-time secure) signature scheme of Lamport [112] is optimal.Next, we study the possibility of basing the security of cryptographic tasks on

the (necessary) assumption that NP ‚ BPP. We show that any (black-box) reduction for basing the security of a one-way function on (worst-case) hardness of NP implies that SAT is checkable. Whether SAT is checkable or not has been open for more than two decades since the notion of checkability was introduced by Blum and Kannan [23]. Then we study the possibility of basing the security of specific cryptographic tasks/primitive on the hardness of NP. We show that doing so for the tasks of collision resistant hashing (or other primitives such as constant-round statistical commitment) implies that co-NP has a (single-prover) proof system with prover complexity BPPNP (which implies the checkability of SAT).Finally, we study the possibility of achieving statistical security (without relying on computational assumptions) through the alternative model of interaction in which parties can exchange tamper-proof hardware tokens. We focus on the case where the tokens only encapsulate efficient circuits (and does not need to keep any state). The stateless property of the tokens gives advantage to the protocol both from a security perspective and also at the implementation level. We show that using stateless tokens one can not perform statistically secure oblivious transfer, but it is possible to achieve

statistically hiding and binding commitment schemes and statistically secure zeroknowledge proof systems for NP with an efficient prover. Our protocols are secure even against malicious parties who might use stateful tokens during the execution of the protocol.

**Links**

[1] https://www.cs.princeton.edu/research/techreps/author/534

[2] ftp://ftp.cs.princeton.edu/techreports/2010/882.pdf