
IACR Cryptol. ePrint Arch. latest publications

Anonymous Complaint Aggregation for Secure Messaging
Pub Date: 2024-07-01 DOI: 10.56553/popets-2024-0078
Connor Bell, Saba Eskandarian
Private messaging platforms provide strong protection against platform eavesdropping, but malicious users can use privacy as cover for spreading abuse and misinformation. In an attempt to identify the sources of misinformation on private platforms, researchers have proposed mechanisms to trace back the source of a user-reported message (CCS '19,'21). Unfortunately, the threat model considered by initial proposals allowed a single user to compromise the privacy of another user whose legitimate content the reporting user did not like. More recent work has attempted to mitigate this side effect by requiring a threshold number of users to report a message before its origins can be identified (NDSS '22). However, the state of the art scheme requires the introduction of new probabilistic data structures and only achieves a "fuzzy" threshold guarantee. Moreover, false positives, where the source of an unreported message is identified, are possible. This paper introduces a new threshold source tracking technique that allows a private messaging platform, with the cooperation of a third-party moderator, to operate a threshold reporting scheme with exact thresholds and no false positives. Unlike prior work, our techniques require no modification of the message delivery process for a standard source tracking scheme, affecting only the abuse reporting procedure, and do not require tuning of probabilistic data structures.
Citations: 0
SublonK: Sublinear Prover PlonK
Pub Date: 2024-07-01 DOI: 10.56553/popets-2024-0080
A. Choudhuri, Sanjam Garg, Aarushi Goel, Sruthi Sekar, Rohit Sinha
We propose SublonK --- a new succinct non-interactive argument of knowledge (SNARK). SublonK is the first SNARK that achieves both a constant proof size and prover runtime that grows only with the size of the "active part" of the executed circuit (i.e., *sub-linear* in the size of the entire circuit) while being *black-box in cryptography*. For instance, consider circuits encoding conditional execution, where only a fraction of the circuit is exercised by the input. For such circuits, the prover runtime in SublonK grows only with the exercised execution path. Our new construction builds on PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19], a popular state-of-the-art practical zkSNARK, and preserves all its great features --- constant size proofs, constant time proof verification, a circuit-independent universal setup, and support for custom gates and lookup gates. Our techniques are useful for a wide range of applications that involve a circuit executing k steps, where at each step, a (possibly different) s-sized segment is executed from a choice of n segments. Our prover cost for such circuits is O(ks(log(ks) + log(n))). Finally, we show that our improvements are not purely asymptotic. Specifically, we demonstrate the concrete efficiency of SublonK using zkRollups as an example application. Based on our implementation, for parameter choices derived from rollup contracts on Ethereum, n = 8, k = 128, s = 2^{16}, the SublonK prover is approximately 4.8x faster than the PlonK prover, and proofs in SublonK are 2.4KB and can be verified in under 50ms.
Citations: 7
Secure Range-Searching Using Copy-And-Recurse
Pub Date: 2024-07-01 DOI: 10.56553/popets-2024-0096
Eyal Kushnir, Guy Moshkowich, Hayim Shaul
Range searching is the problem of preprocessing a set of points P, such that given a query range γ we can efficiently compute some function f(P ∩ γ). For example, in a 1-dimensional range counting query, P is a set of numbers, γ is a segment and we need to count how many numbers of P are in γ. In higher dimensions, P is a set of d-dimensional points and the query range is some volume in R^d. In general, we want to compute more than just counting, for example, the average of P ∩ γ. Range searching has applications in databases where some SELECT queries can be translated to range queries. It has received a lot of attention in computational geometry, where a data structure called a partition tree was shown to solve range queries in time sub-linear in |P| using space only linear in |P|. In this paper we consider partition trees under FHE, where we answer range queries without learning the value of the points or the parameters of the range. We show how partition trees can be securely traversed with O(t n^{1-1/d+ε} + n^{1+ε}) operations, where n = |P|, t is the number of operations needed to compare to γ and ε > 0 is a parameter. When the ranges are axis-parallel hyper-boxes the running time is O(t n^ε + n log^{d-1} n). As far as we know, this is the first non-trivial bound on range searching under FHE and it improves over the naive solution that needs O(t n) operations. Our algorithms are independent of the encryption scheme, but as an example we implemented them using the CKKS FHE scheme. Our experiments show that for databases of sizes 2^{23} and 2^{25}, our algorithms run 2.8x and 4.7x (respectively) faster than the naive algorithm. The improvement of our algorithm comes from a method we call copy-and-recurse. With it we efficiently traverse an r-ary tree (where each inner node has r children) that also has the property that at most ξ of them need to be recursed into when traversing the tree. We believe this method is interesting in its own right and can be used to improve traversals in other tree-like structures.
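The abstract describes the traversal only in outline. The following plaintext simulation is an added illustration of the copy-and-recurse idea for 1-D range counting; it is not the authors' code and does not reproduce their FHE implementation. Everything that would be a ciphertext under FHE is a plain Python int here, but the traversal touches such values only through addition, multiplication and a charged comparison oracle, never through data-dependent branching, so the access pattern is independent of the points and the range. The tree layout, the per-node validity bit, the compaction step and the cost accounting (`COST`, `le`, `mul`, `eq_const`, `scale`, `range_count`, `naive_count`) are this example's own assumptions; for a segment query at most two nodes per level can straddle the range (the one holding the left end and the one holding the right end), so ξ = 2 and only two subtree copies are expanded per level instead of the whole level.

```python
"""Plaintext simulation of secure range counting over a partition tree with
copy-and-recurse (added example, not the paper's code). Secret values are ints
touched only via +, * and the charged comparison le(); the control flow never
depends on them. COST counts secret comparisons (t FHE ops each in the
abstract's notation) and ciphertext multiplications."""
from dataclasses import dataclass, field

COST = {"cmp": 0, "mul": 0}


@dataclass
class Node:
    lo: int                  # smallest point in the subtree (secret)
    hi: int                  # largest point in the subtree (secret)
    cnt: int                 # number of points in the subtree (secret)
    v: int = 1               # validity bit: 0 for an all-zero padding copy
    kids: list = field(default_factory=list)


def build(points, r=2):
    """Balanced r-ary partition tree over n = r^k points, built by the data
    owner in the clear (every node value would then be encrypted)."""
    pts = sorted(points)
    m = len(pts)
    while m > 1 and m % r == 0:
        m //= r
    assert m == 1, "this toy needs n to be a power of r"
    node = Node(pts[0], pts[-1], len(pts))
    if len(pts) > 1:
        step = len(pts) // r
        node.kids = [build(pts[i * step:(i + 1) * step], r) for i in range(r)]
    return node


def le(a, b):
    """Secret comparison a <= b returning an encrypted bit (charged)."""
    COST["cmp"] += 1
    return 1 if a <= b else 0


def mul(a, b):
    COST["mul"] += 1
    return a * b


def eq_const(x, k):
    """x == k for a small public k; under FHE an interpolation polynomial in x."""
    COST["mul"] += 1
    return 1 if x == k else 0


def scale(node, bit):
    """Multiply every value of a subtree by a secret bit: the oblivious 'copy'."""
    return Node(mul(node.lo, bit), mul(node.hi, bit), mul(node.cnt, bit),
                mul(node.v, bit), [scale(k, bit) for k in node.kids])


def add(x, y):
    """Value-wise sum of two subtrees of identical shape."""
    return Node(x.lo + y.lo, x.hi + y.hi, x.cnt + y.cnt, x.v + y.v,
                [add(p, q) for p, q in zip(x.kids, y.kids)])


def range_count(root, a, b, xi=2):
    """Count points in [a, b]. xi bounds how many nodes per level can straddle
    the range; for a 1-D segment that is 2 (the nodes holding a and b)."""
    total, cands = 0, [root]
    while True:
        flags = []
        for c in cands:
            inside = mul(le(a, c.lo), le(c.hi, b))              # fully covered
            disjoint = (1 - le(a, c.hi)) + (1 - le(c.lo, b))    # at most one fires
            partial = mul(c.v, mul(1 - inside, 1 - disjoint))   # needs recursion
            total += mul(inside, c.cnt)
            flags.append(partial)
        assert sum(flags) <= xi, "more than xi partial nodes on one level"
        if not cands[0].kids:
            return total
        # copy: oblivious compaction moves the j-th partial candidate into slot j
        slots, pos = [None] * xi, 0
        for c, f in zip(cands, flags):
            for j in range(xi):
                piece = scale(c, mul(f, eq_const(pos, j)))
                slots[j] = piece if slots[j] is None else add(slots[j], piece)
            pos += f
        # recurse: only the xi copies are expanded, never the whole level
        cands = [k for s in slots for k in s.kids]


def naive_count(points, a, b):
    """Baseline that touches every point: two secret comparisons per point."""
    return sum(mul(le(a, p), le(p, b)) for p in points)


def cost_snapshot():
    """Return the counters accumulated so far and reset them."""
    snap = dict(COST)
    COST["cmp"] = COST["mul"] = 0
    return snap
```

With 1024 points the tree traversal spends 4 comparisons on the root plus 4 per candidate on each of the ten levels below it (2 slots x 2 children), i.e. 164 secret comparisons against 2048 for the naive scan, while the copying work (the `mul` counter) stays linear in n, matching the shape of the abstract's O(t n^ε + n log^{d-1} n) bound for the 1-D case.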
Citations: 1
Further Improvements of the Estimation of Key Enumeration with Applications to Solving LWE
Pub Date: 2024-06-13 DOI: 10.1007/s12095-024-00722-1
Alessandro Budroni, Erik Mårtensson
Citations: 0
Assessing the quality of Random Number Generators through Neural Networks
Pub Date: 2024-06-11 DOI: 10.1088/2632-2153/ad56fb
José Luis Crespo, Javier González-Villa, Jaime Gutierrez, Angel Valle
In this paper we address the use of Neural Networks (NN) for the assessment of the quality and hence safety of several Random Number Generators (RNGs), focusing both on the vulnerability of classical Pseudo Random Number Generators (PRNGs), such as Linear Congruential Generators (LCGs) and the RC4 algorithm, and extending our analysis to non-conventional data sources, such as Quantum Random Number Generators (QRNGs) based on Vertical-Cavity Surface-Emitting Lasers (VCSEL). Among the results found, we have classified the generators based on the capability of the NN to distinguish between the RNG and a Golden Standard RNG (GSRNG). We show that sequences from simple PRNGs like LCGs and RC4 can be distinguished from the GSRNG. We also show that sequences from LCG on elliptic curves and VCSEL-based QRNG cannot be distinguished from the GSRNG even with the biggest long short-term memory or convolutional neural networks that we have considered. We underline the fundamental role of design decisions in enhancing the safety of RNGs. The influence of network architecture design and associated hyper-parameter variations was also explored. We show that longer sequence lengths and convolutional neural networks are more effective for discriminating RNGs against the GSRNG. Moreover, in the prediction domain, the proposed model is able to deftly distinguish between the raw data of our QRNG and data from the GSRNG, exhibiting a cross-entropy error of 0.52 on the test data-set used. All these findings reveal the potential of NNs to enhance the security of RNGs, while highlighting the robustness of certain QRNGs, in particular the VCSEL-based variants, for high-quality random number generation applications.
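The paper distinguishes LCG output from a reference generator with a neural network. The added example below, which is not from the paper, shows why an LCG is an easy target by two cheaper routes: a one-line structural distinguisher on the low bit, and full recovery of the multiplier and increment from three consecutive outputs, which turns "distinguishable" into "predictable". It assumes the modulus m is public (it is for every textbook LCG) and that the attacker sees full-width, untruncated outputs; a, c and the seed are unknown. The function names (`lcg`, `recover_lcg`, `predicts`, `low_bit_alternates`, `demo`) and the Numerical Recipes constants used for the demo are this example's choices.

```python
"""Added example, not the paper's code: LCG output is not just distinguishable
from uniform, it is predictable. For x_{i+1} = a*x_i + c (mod m) and three
consecutive outputs x0, x1, x2:
    x2 - x1 = a * (x1 - x0)        (mod m)
    a = (x2 - x1) * (x1 - x0)^-1   (mod m)
    c = x1 - a * x0                (mod m)
The inverse exists only if gcd(x1 - x0, m) = 1, so the attacker slides the
window until it finds an invertible difference."""
from math import gcd
import secrets


def lcg(seed, a, c, m, n):
    """n outputs of the LCG x_{i+1} = (a*x_i + c) mod m; the seed is not emitted."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_lcg(outputs, m):
    """Return (a, c) from consecutive full-width outputs, or None if no window
    has an invertible difference (e.g. m even and every difference even)."""
    for x0, x1, x2 in zip(outputs, outputs[1:], outputs[2:]):
        d = (x1 - x0) % m
        if gcd(d, m) != 1:
            continue
        a = (x2 - x1) * pow(d, -1, m) % m
        return a, (x1 - a * x0) % m
    return None


def predicts(outputs, m, params):
    """True if (a, c) reproduces every observed transition, i.e. the rest of
    the stream is now computable by the attacker."""
    if params is None:
        return False
    a, c = params
    return all((a * x + c) % m == y for x, y in zip(outputs, outputs[1:]))


def low_bit_alternates(outputs):
    """Cheap distinguisher for a full-period LCG with m = 2^k (a odd, c odd):
    the least significant bit follows x_{i+1} = x_i + 1 mod 2, so it strictly
    alternates; a uniform n-bit sequence does so with probability 2^-(n-1)."""
    bits = [x & 1 for x in outputs]
    return all(p != q for p, q in zip(bits, bits[1:]))


def demo(m=2**32, n=64):
    """Compare an LCG stream with an OS-randomness stream of the same length."""
    a, c = 1664525, 1013904223          # Numerical Recipes LCG constants
    lcg_stream = lcg(secrets.randbelow(m), a, c, m, n)
    rnd_stream = [secrets.randbelow(m) for _ in range(n)]
    return {
        "lcg_recovered": recover_lcg(lcg_stream, m),
        "lcg_predicted": predicts(lcg_stream, m, recover_lcg(lcg_stream, m)),
        "lcg_low_bit_alternates": low_bit_alternates(lcg_stream),
        "random_predicted": predicts(rnd_stream, m, recover_lcg(rnd_stream, m)),
        "random_low_bit_alternates": low_bit_alternates(rnd_stream),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a random stream `recover_lcg` still returns some (a, c) that fits the first invertible window, but `predicts` fails on the remaining transitions; that difference between "fits three samples" and "fits all of them" is what a distinguisher, neural or otherwise, is ultimately exploiting. Truncated-output LCGs (only the high bits emitted) defeat this three-sample recovery and need lattice methods instead, which is outside this example.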
Citations: 0
On the Concrete Security of LWE with Small Secret
Pub Date: 2024-06-07 DOI: 10.1007/s44007-024-00111-3
Hao Chen, Lynn Chua, K. Lauter, Yongsoo Song
Citations: 9
Lightweight Asynchronous Verifiable Secret Sharing with Optimal Resilience
Pub Date: 2024-06-06 DOI: 10.1007/s00145-024-09505-6
V. Shoup, N. Smart
Citations: 12
Universal Gaussian Elimination Hardware for Cryptographic Purposes
Pub Date: 2024-05-22 DOI: 10.1007/s13389-024-00355-3
Jingwei Hu, Wen Wang, K. Gaj, Donglong Chen, Huaxiong Wang
Citations: 1
Building PRFs from TPRPs: Beyond the Block and the Tweak Length Bounds
Pub Date: 2024-03-01 DOI: 10.46586/tosc.v2024.i1.35-70
Won-Seok Choi, Jooyoung Lee
A secure n-bit tweakable block cipher (TBC) using t-bit tweaks can be modeled as a tweakable uniform random permutation, where each tweak defines an independent random n-bit permutation. When an input to this tweakable permutation is fixed, it can be viewed as a perfectly secure t-bit random function. On the other hand, when a tweak is fixed, it can be viewed as a perfectly secure n-bit random permutation, and it is well known that the sum of two random permutations is pseudorandom up to 2^n queries. A natural question is whether one can construct a pseudorandom function (PRF) beyond the block and the tweak length bounds using a small number of calls to the underlying tweakable permutations. A straightforward way of constructing a PRF from tweakable permutations is to XOR the outputs from two tweakable permutations with c bits of the input to each permutation fixed. Using the multi-user security of the sum of two permutations, one can prove that the (t + n − c)-to-n bit PRF is secure up to 2^{n+c} queries. In this paper, we propose a family of PRF constructions based on tweakable permutations, dubbed XoTP_c, achieving stronger security than the straightforward construction. XoTP_c is parameterized by c, giving a (t + n − c)-to-n bit PRF. When t < 3n and c = t/3, XoTP_{t/3} becomes an (n + 2t/3)-to-n bit pseudorandom function, which is secure up to 2^{n+2t/3} queries. It provides security beyond the block and the tweak length bounds, making two calls to the underlying tweakable permutations. In order to prove the security of XoTP_c, we extend Mirror theory to q ≫ 2^n, where q is the number of equations. From a practical point of view, our construction can be used to construct TBC-based MAC finalization functions and CTR-type encryption modes with stronger provable security compared to existing schemes.
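The abstract's starting point is the "straightforward" construction: XOR two tweakable permutations, each evaluated with c input bits fixed. The simulation below is an added example, not the authors' code, and it does not reproduce XoTP_c itself; it implements one reading of the straightforward construction (two independent tweakable permutations P1, P2, the same t-bit tweak to both, the (n − c)-bit block padded with c zero bits) over an ideal model in which every (key, tweak) pair selects a fresh random n-bit permutation drawn with a seeded PRNG. The point it makes visible is why a single permutation is not a PRF and why the sum is needed: under one tweak a permutation never repeats an output over 2^n queries, whereas a random function, and the sum of two permutations, collide at the birthday rate. The names `tweakable_perm`, `make_xotp` and `distinct_outputs` are this example's own.

```python
"""Added simulation of the 'sum of two tweakable permutations' PRF from the
abstract (one reading of the straightforward construction; XoTP_c itself is
not reproduced). Each tweakable permutation is an ideal object: a fresh random
n-bit permutation per (key, tweak), sampled lazily with a seeded PRNG. This is
a model for small n, not a cipher."""
import random


def tweakable_perm(key, n):
    """Ideal tweakable permutation on n-bit blocks: one independent random
    permutation per tweak, sampled on first use and cached."""
    tables = {}

    def P(tweak, x):
        if tweak not in tables:
            perm = list(range(1 << n))
            random.Random(f"{key}|{tweak}").shuffle(perm)  # deterministic per (key, tweak)
            tables[tweak] = perm
        return tables[tweak][x]
    return P


def make_xotp(key, n, t, c):
    """(t + n - c)-to-n bit PRF candidate: F(T, x) = P1(T, x||0^c) xor P2(T, x||0^c),
    two calls to independent tweakable permutations, c input bits fixed to 0."""
    P1, P2 = tweakable_perm(key + "/1", n), tweakable_perm(key + "/2", n)

    def F(tweak, x):
        assert 0 <= tweak < (1 << t) and 0 <= x < (1 << (n - c))
        block = x << c                      # the c low bits are the fixed padding
        return P1(tweak, block) ^ P2(tweak, block)
    return F


def distinct_outputs(fn, tweak, q):
    """Number of distinct outputs of fn(tweak, x) for x = 0..q-1. A permutation
    under one tweak always returns q; a random n-bit function collides with
    probability about 1 - exp(-q^2 / 2^(n+1)), so the count drops below q."""
    return len({fn(tweak, x) for x in range(q)})


if __name__ == "__main__":
    n, t = 8, 8
    P = tweakable_perm("demo-key", n)
    F = make_xotp("demo-key", n, t, c=0)
    print("one permutation, 2^n queries under one tweak:",
          distinct_outputs(P, 0, 1 << n), "distinct")
    print("sum of two permutations, same queries:",
          distinct_outputs(F, 0, 1 << n), "distinct")
```

The collision-free behaviour of a single permutation is exactly what a distinguisher with more than about 2^{n/2} queries under one tweak exploits; the XOR removes it, and the abstract's contribution is to push the query bound for the two-call construction from 2^{n+c} to 2^{n+2t/3} through a better choice of how the c bits and tweaks are used, which this toy does not attempt.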
Citations: 2
Constructing Committing and Leakage-Resilient Authenticated Encryption
Pub Date: 2024-03-01 DOI: 10.46586/tosc.v2024.i1.497-528
Patrick Struck, Maximiliane Weishäupl
The main goal of this work is to construct authenticated encryption (AE) that is both committing and leakage-resilient. As a first approach for this we consider generic composition as a well-known method for constructing AE schemes. While the leakage resilience of generic composition schemes has already been analyzed by Barwell et al. (Asiacrypt'17), for committing security this is not the case. We fill this gap by providing a separate analysis of the generic composition paradigms with respect to committing security, giving both positive and negative results: By means of a concrete attack, we show that Encrypt-then-MAC is not committing. Furthermore, we prove that Encrypt-and-MAC is committing, given that the underlying schemes satisfy security notions we introduce for this purpose. We later prove these new notions achievable by providing schemes that satisfy them. MAC-then-Encrypt turns out to be more difficult due to the fact that the tag is not output alongside the ciphertext as it is done for the other two composition methods. Nevertheless, we give a detailed heuristic analysis of MAC-then-Encrypt with respect to committing security, leaving a definite result as an open task for future work. Our results, in combination with the fact that only Encrypt-then-MAC yields leakage-resilient AE schemes, show that one cannot obtain AE schemes that are both committing and leakage-resilient via generic composition. As a second approach for constructing committing and leakage-resilient AE, we develop a generic transformation that turns an arbitrary AE scheme into one that fulfills both properties. The transformation relies on a keyed function that is both binding, i.e., it is hard to find key-input pairs that result in the same output, and leakage-resilient pseudorandom.
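The abstract says Encrypt-then-MAC is not committing and Encrypt-and-MAC is (under notions the paper introduces). The following added example, which is not the paper's code, runs the simplest form of the Encrypt-then-MAC attack next to the same attempt against Encrypt-and-MAC. Both compositions are built from HMAC-SHA256 alone so the example runs offline: the encryption layer is a stream cipher whose keystream block i is HMAC(K_E, nonce || i), and the MAC is HMAC(K_M, ·). It assumes independent encryption and MAC keys, and takes "committing" to mean that one (nonce, C, tag) must not decrypt validly under two different key pairs to two different messages. The function names and the constructed keys, nonce and message in `key_swap_attack` are this example's own.

```python
"""Added example (not the paper's code): the key-swap attack that breaks the
committing property of Encrypt-then-MAC, and why the same attempt fails
against Encrypt-and-MAC. Toy composition from HMAC-SHA256 only:
  stream cipher: keystream block i = HMAC(K_E, nonce || i), C = M xor keystream
  EtM tag: HMAC(K_M, nonce || C)      E&M tag: HMAC(K_M, nonce || M)"""
import hmac
import hashlib


def keystream(k_e, nonce, length):
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(k_e, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tag(k_m, data):
    return hmac.new(k_m, data, hashlib.sha256).digest()


def etm_encrypt(k_e, k_m, nonce, m):
    c = xor(m, keystream(k_e, nonce, len(m)))
    return c, tag(k_m, nonce + c)            # the tag covers the ciphertext only


def etm_decrypt(k_e, k_m, nonce, c, t):
    if not hmac.compare_digest(tag(k_m, nonce + c), t):
        return None
    return xor(c, keystream(k_e, nonce, len(c)))


def eam_encrypt(k_e, k_m, nonce, m):
    c = xor(m, keystream(k_e, nonce, len(m)))
    return c, tag(k_m, nonce + m)            # the tag covers the plaintext


def eam_decrypt(k_e, k_m, nonce, c, t):
    m = xor(c, keystream(k_e, nonce, len(c)))
    return m if hmac.compare_digest(tag(k_m, nonce + m), t) else None


def key_swap_attack(encrypt, decrypt):
    """Attacker controls both key pairs and reuses K_M while changing K_E.
    Returns (m1, m2): m1 is the message encrypted under the first pair, m2 is
    what the second pair decrypts the *same* (nonce, C, tag) to, or None if
    the second pair rejects it. Keys, nonce and message are constructed."""
    k_m = b"\x11" * 32
    k_e1, k_e2 = b"\x22" * 32, b"\x33" * 32
    nonce = b"\x00" * 12
    m1 = b"pay alice 10"
    c, t = encrypt(k_e1, k_m, nonce, m1)
    m2 = decrypt(k_e2, k_m, nonce, c, t)
    return m1, m2


if __name__ == "__main__":
    print("Encrypt-then-MAC:", key_swap_attack(etm_encrypt, etm_decrypt))
    print("Encrypt-and-MAC: ", key_swap_attack(eam_encrypt, eam_decrypt))
```

Under Encrypt-then-MAC the tag depends only on K_M and C, so any K_E' paired with the same K_M verifies and decrypts the same ciphertext to a different, attacker-chosen-key message; no collision in the MAC is needed. Under Encrypt-and-MAC the tag is over the plaintext, so the second key pair yields a different plaintext and the tag check fails; defeating it would require two (K_M, M) pairs with the same HMAC output, which is why the paper's positive result for Encrypt-and-MAC is conditioned on binding-style notions for the MAC rather than holding generically. The toy Encrypt-and-MAC also leaks plaintext equality through its deterministic tag, a known drawback of that composition that is separate from the committing question.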
这项工作的主要目标是构建既能承诺又能防止泄密的认证加密(AE)。作为实现这一目标的第一种方法,我们将通用组合视为构建 AE 方案的一种著名方法。虽然 Barwell 等人(Asiacrypt'17)已经分析了通用组合方案的抗泄漏性,但对于提交安全性来说,情况并非如此。我们填补了这一空白,对通用组合范式的承诺安全性进行了单独分析,给出了正反两方面的结果:通过具体的攻击,我们证明了 "先加密后 MAC "不符合承诺安全。此外,我们还证明,如果底层方案满足我们为此引入的安全概念,那么 "加密-然后-MAC "就是符合要求的。稍后,我们将通过提供满足这些概念的方案来证明这些新概念的可实现性。先 MAC 后加密 "变得更加困难,因为标签不会像其他两种组合方法那样与密文一起输出。尽管如此,我们还是从提交安全性的角度对 "MAC-then-Encrypt "进行了详细的启发式分析,并将确定结果作为未来工作的一项开放任务。我们的结果,再加上只有 "先加密后 MAC "能产生抗泄漏的 AE 方案这一事实,表明我们无法通过通用组合方法获得既能保证提交安全性又能抗泄漏的 AE 方案。作为构建提交和防泄漏自动验证的第二种方法,我们开发了一种通用转换,可将任意自动验证方案转换为同时满足这两种特性的方案。这种转换依赖于一个密钥函数,它既具有约束力(即很难找到输出结果相同的密钥输入对),又具有防泄漏伪随机性。
{"title":"Constructing Committing and Leakage-Resilient Authenticated Encryption","authors":"Patrick Struck, Maximiliane Weishäupl","doi":"10.46586/tosc.v2024.i1.497-528","DOIUrl":"https://doi.org/10.46586/tosc.v2024.i1.497-528","url":null,"abstract":"The main goal of this work is to construct authenticated encryption (AE) hat is both committing and leakage-resilient. As a first approach for this we consider generic composition as a well-known method for constructing AE schemes. While the leakage resilience of generic composition schemes has already been analyzed by Barwell et al. (Asiacrypt’17), for committing security this is not the case. We fill this gap by providing a separate analysis of the generic composition paradigms with respect to committing security, giving both positive and negative results: By means of a concrete attack, we show that Encrypt-then-MAC is not committing. Furthermore, we prove that Encrypt-and-MAC is committing, given that the underlying schemes satisfy security notions we introduce for this purpose. We later prove these new notions achievable by providing schemes that satisfy them. MAC-then-Encrypt turns out to be more difficult due to the fact that the tag is not outputted alongside the ciphertext as it is done for the other two composition methods. Nevertheless, we give a detailed heuristic analysis of MAC-then-Encrypt with respect to committing security, leaving a definite result as an open task for future work. Our results, in combination with the fact that only Encrypt-then-MAC yields leakage-resilient AE schemes, show that one cannot obtain AE schemes that are both committing and leakage-resilient via generic composition. As a second approach for constructing committing and leakage-resilient AE, we develop a generic transformation that turns an arbitrary AE scheme into one that fulfills both properties. 
The transformation relies on a keyed function that is both binding, i.e., it is hard to find key-input pairs that result in the same output, and leakage-resilient pseudorandom.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"81 24","pages":"190"},"PeriodicalIF":0.0,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140085082","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
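The following is an added illustration written for this listing, not code from the paper by Struck and Weishäupl. It shows the generic reason Encrypt-then-MAC with independent encryption and MAC keys fails to be key-committing (the tag covers only the ciphertext, so the MAC key can be kept while the encryption key is swapped), and then one natural way to use a keyed function F of the shape the abstract describes, deriving the AE subkeys from its pseudorandom part and appending its binding part as a commitment. The paper's own concrete attack and its transformation may differ in detail. All primitives are stdlib stand-ins chosen for the demo and are assumptions: an HMAC-SHA256 stream replaces a block cipher in CTR mode, and HMAC-SHA512 stands in for F; no leakage-resilience claim is made for these stand-ins.

```python
"""Added illustration (not code from the paper): why Encrypt-then-MAC with
independent keys is not key-committing, and a commitment-appending wrapper
built from a stand-in keyed function F. Stdlib toy primitives throughout."""
import hashlib
import hmac
import secrets

TAG_LEN = 32   # HMAC-SHA256 tag of the inner Encrypt-then-MAC scheme
COM_LEN = 32   # commitment appended by the wrapped scheme


def keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream: block i = HMAC-SHA256(ke, nonce || i).
    # Assumed pseudorandom for the demo; a real scheme would use AES-CTR.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def etm_encrypt(ke: bytes, km: bytes, nonce: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC: the tag authenticates nonce and ciphertext only,
    # so it says nothing about which encryption key produced the ciphertext.
    ct = xor(msg, keystream(ke, nonce, len(msg)))
    tag = hmac.new(km, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def etm_decrypt(ke: bytes, km: bytes, nonce: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(km, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return xor(ct, keystream(ke, nonce, len(ct)))


def etm_key_collision(nonce: bytes, msg: bytes):
    """Non-committing demo: keep km, swap ke. The same (ct, tag) passes
    verification under two distinct keys and decrypts to two plaintexts."""
    km = secrets.token_bytes(32)
    ke1, ke2 = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = etm_encrypt(ke1, km, nonce, msg)
    pt1 = etm_decrypt(ke1, km, nonce, blob)
    pt2 = etm_decrypt(ke2, km, nonce, blob)
    return blob, (ke1, km), (ke2, km), pt1, pt2


def f(key: bytes, nonce: bytes) -> bytes:
    # Stand-in for a keyed function F whose output is split into a
    # pseudorandom part (fresh subkeys) and a binding part (commitment).
    # Collision resistance of HMAC-SHA512 is the assumed binding property;
    # leakage resilience is not provided by this stand-in.
    return hmac.new(key, b"F" + nonce, hashlib.sha512).digest()


def cae_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # Wrapped scheme: derive the inner AE subkeys and a commitment from
    # F(key, nonce), then append the commitment to the inner AE output.
    out = f(key, nonce)
    ke, km, com = out[:16], out[16:32], out[32:32 + COM_LEN]
    return etm_encrypt(ke, km, nonce, msg) + com


def cae_decrypt(key: bytes, nonce: bytes, blob: bytes):
    out = f(key, nonce)
    ke, km, com = out[:16], out[16:32], out[32:32 + COM_LEN]
    body, got = blob[:-COM_LEN], blob[-COM_LEN:]
    # Reject before running the inner AE if the key is not the committed one.
    if not hmac.compare_digest(got, com):
        return None
    return etm_decrypt(ke, km, nonce, body)


if __name__ == "__main__":
    nonce, msg = secrets.token_bytes(12), b"attack at dawn"  # constructed input
    _, k1, k2, pt1, pt2 = etm_key_collision(nonce, msg)
    print("EtM accepts the same blob under two keys:",
          k1 != k2 and pt1 == msg and pt2 is not None and pt2 != pt1)
    key1, key2 = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = cae_encrypt(key1, nonce, msg)
    print("wrapped scheme rejects a second key:", cae_decrypt(key2, nonce, blob) is None)
```

The first half is the structural point behind "Encrypt-then-MAC is not committing" when the encryption and MAC keys are independent: nothing in the tag depends on ke, so a sender who controls both keys can hand two receivers the same ciphertext and two different encryption keys. The wrapper closes that gap only as far as F is binding on (key, nonce); the abstract additionally requires F to be leakage-resilient pseudorandom, which an ordinary HMAC does not promise, so the stand-in demonstrates the committing half of the construction, not the leakage-resilience half.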
Citations: 0
Journal
IACR Cryptol. ePrint Arch.