
Journal of Cryptology: Latest Articles

Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-08-20 | DOI: 10.1007/s00145-024-09517-2
Akinori Hosoyamada, Takashi Yamakawa

Since the celebrated work of Impagliazzo and Rudich (STOC 1989), a number of black-box impossibility results have been established. However, these works only ruled out classical black-box reductions among cryptographic primitives. Therefore, it may be possible to overcome these impossibility results by using quantum reductions. To exclude such a possibility, we have to extend these impossibility results to the quantum setting. In this paper, we study black-box impossibility in the quantum setting. We first formalize a quantum counterpart of fully black-box reduction following the formalization by Reingold, Trevisan and Vadhan (TCC 2004). Then we prove that there is no quantum fully black-box reduction from collision-resistant hash functions to one-way permutations (or even trapdoor permutations). We take both of classical and quantum implementations of primitives into account. This is an extension to the quantum setting of the work of Simon (Eurocrypt 1998) who showed a similar result in the classical setting.

Citations: 0

Randomness Recoverable Secret Sharing Schemes
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-08-20 | DOI: 10.1007/s00145-024-09515-4
Mohammad Hajiabadi, Shahram Khazaei, Behzad Vahdani

It is well-known that randomness is essential for secure cryptography. The randomness used in cryptographic primitives is not necessarily recoverable even by the party who can, e.g., decrypt or recover the underlying secret/message. Several cryptographic primitives that support randomness recovery have turned out useful in various applications. In this paper, we study randomness recoverable secret sharing schemes (RR-SSS), in both information-theoretic and computational settings and provide two results. First, we show that while every access structure admits a perfect RR-SSS, there are very simple access structures (e.g., in monotone \(\textsf{AC}^0\)) that do not admit efficient perfect (or even statistical) RR-SSS. Second, we show that the existence of efficient computational RR-SSS for certain access structures in monotone \(\textsf{AC}^0\) implies the existence of one-way functions. This stands in sharp contrast to (non-RR) SSS schemes for which no such results are known. RR-SSS plays a key role in making advanced attribute-based encryption schemes randomness recoverable, which in turn have applications in the context of designated-verifier non-interactive zero knowledge.

Citations: 0

Memory-Efficient Attacks on Small LWE Keys
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-08-20 | DOI: 10.1007/s00145-024-09516-3
Andre Esser, Arindam Mukherjee, Santanu Sarkar

Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length \(n\) we improve the best known time complexity for polynomial memory algorithms from \(2^{1.063n}\) down-to \(2^{0.926n}\). We obtain even larger gains for LWE secrets in \(\{-m,\ldots,m\}^n\) with \(m=2,3\) as found in Kyber and Dilithium. For example, for uniformly random keys in \(\{-2,\ldots,2\}^n\) as is the case for Dilithium we improve the previously best time under polynomial memory restriction from \(2^{1.742n}\) down-to \(2^{1.282n}\). Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).

Citations: 0

Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of a Prevailing Assumption
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-08-19 | DOI: 10.1007/s00145-024-09513-6
Mihir Bellare, Anna Lysyanskaya

A two-input function is a dual PRF if it is a PRF when keyed by either of its inputs. Dual PRFs are assumed in the design and analysis of numerous primitives and protocols including HMAC, AMAC, TLS 1.3 and MLS. But, not only do we not know whether particular functions on which the assumption is made really are dual PRFs; we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain two specific symmetric and dual PRFs, the first assuming any collision-resistant hash function and the second assuming any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.

Citations: 0

The Price of Active Security in Cryptographic Protocols
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-07-10 | DOI: 10.1007/s00145-024-09509-2
Carmit Hazay, Muthuramakrishnan Venkitasubramaniam, Mor Weiss

We construct the first actively-secure Multi-Party Computation (MPC) protocols with an arbitrary number of parties in the dishonest majority setting, for an arbitrary field \(\mathbb{F}\) with constant communication overhead over the “passive-GMW” protocol (Goldreich, Micali and Wigderson, STOC '87). Our protocols rely on passive implementations of Oblivious Transfer (OT) in the Boolean setting and Oblivious Linear function Evaluation (OLE) in the arithmetic setting. Previously, such protocols were only known over sufficiently large fields (Genkin et al. STOC '14) or a constant number of parties (Ishai et al. CRYPTO '08). Conceptually, our protocols are obtained via a new compiler from a passively-secure protocol for a distributed multiplication functionality \(\mathcal{F}_{\scriptscriptstyle \textrm{MULT}}\), to an actively-secure protocol for general functionalities. Roughly, \(\mathcal{F}_{\scriptscriptstyle \textrm{MULT}}\) is parameterized by a linear-secret sharing scheme \(\mathcal{S}\), where it takes \(\mathcal{S}\)-shares of two secrets and returns \(\mathcal{S}\)-shares of their product. We show that our compilation is concretely efficient for sufficiently large fields, resulting in an overhead of 2 when securely computing natural circuits. Our compiler has two additional benefits: (1) It can rely on any passive implementation of \(\mathcal{F}_{\scriptscriptstyle \textrm{MULT}}\), which, besides the standard implementation based on OT (for Boolean) and OLE (for arithmetic), allows us to rely on implementations based on threshold cryptosystems (Cramer et al. Eurocrypt '01), and (2) it can rely on weaker-than-passive (i.e., imperfect/leaky) implementations, which in some parameter regimes yield actively-secure protocols with overhead less than 2. Instantiating this compiler with an “honest-majority” implementation of \(\mathcal{F}_{\scriptscriptstyle \textrm{MULT}}\), we obtain the first honest-majority protocol (with up to one-third corruptions) for Boolean circuits with constant communication overhead over the best passive protocol (Damgård and Nielsen, CRYPTO '07).

Citations: 0

Lattice-Based Polynomial Commitments: Towards Asymptotic and Concrete Efficiency
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-07-10 | DOI: 10.1007/s00145-024-09511-8
Giacomo Fenzi, Hossein Moghaddas, Ngoc Khanh Nguyen

Polynomial commitment schemes are a powerful tool that enables one party to commit to a polynomial \(p\) of degree \(d\), and prove that the committed function evaluates to a certain value \(z\) at a specified point \(u\), i.e. \(p(u) = z\), without revealing any additional information about the polynomial. Recently, polynomial commitments have been extensively used as a cryptographic building block to transform polynomial interactive oracle proofs (PIOPs) into efficient succinct arguments. In this paper, we propose a lattice-based polynomial commitment that achieves succinct proof size and verification time in the degree \(d\) of the polynomial. Extractability of our scheme holds in the random oracle model under a natural ring version of the BASIS assumption introduced by Wee and Wu (EUROCRYPT 2023). Unlike recent constructions of polynomial commitments by Albrecht et al. (CRYPTO 2022), and by Wee and Wu, we do not require any expensive preprocessing steps, which makes our scheme particularly attractive as an ingredient of a PIOP compiler for succinct arguments. We further instantiate our polynomial commitment, together with the Marlin PIOP (EUROCRYPT 2020), to obtain a publicly-verifiable trusted-setup succinct argument for Rank-1 Constraint System (R1CS). Performance-wise, we achieve \(17\)MB proof size for \(2^{20}\) constraints, which is \(15\)X smaller than currently the only publicly-verifiable lattice-based SNARK proposed by Albrecht et al.

Citations: 0

Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes
IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-07-02 | DOI: 10.1007/s00145-024-09510-9
David Derler, Kai Samelin, Daniel Slamanig

Chameleon-hash functions, introduced by Krawczyk and Rabin (NDSS’00), are trapdoor collision-resistant hash functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash function can be found efficiently. Chameleon-hash functions have prominent applications in the design of cryptographic primitives, such as lifting non-adaptively secure signatures to adaptively secure ones. Recently, this primitive also received a lot of attention as a building block in more complex cryptographic applications, ranging from editable blockchains to advanced signature and encryption schemes. We observe that, in latter applications, various different notions of collision-resistance are used, and it is not always clear if the respective notion really covers what seems intuitively required by the application. Therefore, we revisit existing collision-resistance notions in the literature, study their relations, and by means of selected applications discuss which practical impact different notions of collision-resistance might have. Moreover, we provide a stronger, and arguably more desirable, notion of collision-resistance than what is known from the literature (which we call full collision-resistance). Finally, we present a surprisingly simple, and efficient, black-box construction of chameleon-hash functions achieving this strong notion of full collision-resistance.

Citations: 0

The Retracing Boomerang Attack, with Application to Reduced-Round AES
IF 2.3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-07-01 | DOI: 10.1007/s00145-024-09512-7
O. Dunkelman, Nathan Keller, Eyal Ronen, Adi Shamir
Citations: 0
Algebraically Structured LWE, Revisited
IF 3 Zone 3 (Computer Science) Q2 COMPUTER SCIENCE, THEORY & METHODS Pub Date: 2024-06-13 DOI: 10.1007/s00145-024-09508-3
Chris Peikert, Zachary Pepin

In recent years, there has been a proliferation of algebraically structured Learning With Errors (LWE) variants, including Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, and Middle-Product LWE, and a web of reductions to support their hardness, both among these problems themselves and from related worst-case problems on structured lattices. However, these reductions are often difficult to interpret and use, due to the complexity of their parameters and analysis, and most especially their (frequently large) blowup and distortion of the error distributions. In this paper, we unify and simplify this line of work. First, we give a general framework that encompasses all proposed LWE variants (over commutative base rings) and in particular unifies all prior “algebraic” LWE variants defined over number fields. We then use this framework to give much simpler, more general, and tighter reductions from Ring-LWE to other algebraic LWE variants, including Module-LWE, Order-LWE, and Middle-Product LWE. In particular, all of our reductions have easy-to-analyze and frequently small error expansion; in most cases, they even leave the error unchanged. A main message of our work is that it is straightforward to use the hardness of the original Ring-LWE problem as a foundation for the hardness of all other algebraic LWE problems defined over number fields, via simple and rather tight reductions.

Citations: 0
Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $\Sigma$-Protocols
IF 3 Zone 3 (Computer Science) Q2 COMPUTER SCIENCE, THEORY & METHODS Pub Date: 2024-06-06 DOI: 10.1007/s00145-024-09506-5
Lior Rotem, Gil Segev

The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability $t^2/p$, whereas existing proofs of security only rule out attacks with success probabilities $(t^2/p)^{1/2}$ and $(q_{\textsf{H}} \cdot t^2/p)^{1/2}$, respectively, where $q_{\textsf{H}}$ denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from $\Sigma$-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the dth moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most $(t^2/p)^{2/3}$ and $(q_{\textsf{H}} \cdot t^2/p)^{2/3}$, respectively.

Citations: 0