Journal of Cryptology最新文献

英文中文

Lattice-Based Programmable Hash Functions and Applications 基于格子的可编程哈希函数及其应用

IF 3 3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-11-29 DOI: 10.1007/s00145-023-09488-w

Jiang Zhang, Yu Chen, Zhenfeng Zhang

Driven by the open problem raised by Hofheinz and Kiltz (J Cryptol 25(3):484–527, 2012), we study the formalization of lattice-based programmable hash function (PHF) and give three types of concrete constructions by using several techniques such as a novel combination of cover-free sets and lattice trapdoors. Under the inhomogeneous small integer solution (ISIS) assumption, we show that any (non-trivial) lattice-based PHF is a collision-resistant hash function, which gives a direct application of this new primitive. We further demonstrate the power of lattice-based PHF by giving generic constructions of signature and identity-based encryption (IBE) in the standard model, which not only provide a way to unify several previous lattice-based schemes using the partitioning proof techniques, but also allow us to obtain new short signature schemes and IBE schemes from (ideal) lattices. Specifically, by instantiating the generic constructions with our Type-II and Type-III PHF constructions, we immediately obtain two short signatures and two IBE schemes with asymptotically much shorter keys. A major downside which inherits from our Type-II and Type-III PHF constructions is that we can only prove the security of the new signatures and IBEs in the bounded security model that the number Q of the adversary’s queries is required to be known in advance. Another downside is that the computational time of our new signatures and IBEs is a linear function of Q, which is large for typical parameters. To overcome the above limitations, we also give a refined way of using Type-II and Type-III PHFs to construct lattice-based short signatures with short verification keys in the full security model. In particular, our methods depart from the confined guessing technique of Böhl et al. (Eurocrypt’13) that was used to construct previous standard model short signature schemes with short verification keys by Ducas and Micciancio (Crypto’14) and by Alperin-Sheriff (PKC’15) and allow us to achieve much tighter security from weaker hardness assumptions.

在Hofheinz和Kiltz (J Cryptol 25(3): 484-527, 2012)提出的开放问题的驱动下，我们研究了基于格的可编程哈希函数(PHF)的形式化，并通过使用几种技术(如无盖集和格子活门的新组合)给出了三种类型的具体结构。在非齐次小整数解(ISIS)假设下，我们证明了任何(非平凡的)基于格的PHF都是一个抗碰撞哈希函数，它给出了这个新原语的直接应用。通过在标准模型中给出签名和基于身份的加密(IBE)的一般结构，我们进一步证明了基于格的PHF的强大功能，它不仅提供了一种使用分区证明技术统一先前几种基于格的方案的方法，而且还允许我们从(理想)格中获得新的短签名方案和基于身份的加密方案。具体来说，通过用我们的Type-II和Type-III PHF结构实例化泛型结构，我们立即获得了两个短签名和两个具有渐近短得多密钥的IBE方案。从我们的Type-II和Type-III PHF结构继承的一个主要缺点是，我们只能在有界安全模型中证明新签名和ibe的安全性，即需要事先知道对手查询的数量Q。另一个缺点是，我们的新签名和ibe的计算时间是Q的线性函数，对于典型参数来说，它是很大的。为了克服上述限制，我们还给出了在完全安全模型中使用Type-II和Type-III phf构造具有短验证密钥的基于格的短签名的改进方法。特别是，我们的方法脱离了Böhl等人(Eurocrypt ' 13)的有限猜测技术，该技术被Ducas和Micciancio (Crypto ' 14)以及Alperin-Sheriff (PKC ' 15)用于构建具有短验证密钥的先前标准模型短签名方案，并允许我们从较弱的硬度假设中实现更严格的安全性。

{"title":"Lattice-Based Programmable Hash Functions and Applications","authors":"Jiang Zhang, Yu Chen, Zhenfeng Zhang","doi":"10.1007/s00145-023-09488-w","DOIUrl":"https://doi.org/10.1007/s00145-023-09488-w","url":null,"abstract":"Driven by the open problem raised by Hofheinz and Kiltz (J Cryptol 25(3):484–527, 2012), we study the formalization of lattice-based programmable hash function (PHF) and give three types of concrete constructions by using several techniques such as a novel combination of cover-free sets and lattice trapdoors. Under the inhomogeneous small integer solution (ISIS) assumption, we show that any (non-trivial) lattice-based PHF is a collision-resistant hash function, which gives a direct application of this new primitive. We further demonstrate the power of lattice-based PHF by giving generic constructions of signature and identity-based encryption (IBE) in the standard model, which not only provide a way to unify several previous lattice-based schemes using the partitioning proof techniques, but also allow us to obtain new short signature schemes and IBE schemes from (ideal) lattices. Specifically, by instantiating the generic constructions with our Type-II and Type-III PHF constructions, we immediately obtain two short signatures and two IBE schemes with asymptotically much shorter keys. A major downside which inherits from our Type-II and Type-III PHF constructions is that we can only prove the security of the new signatures and IBEs in the bounded security model that the number Q of the adversary’s queries is required to be known in advance. Another downside is that the computational time of our new signatures and IBEs is a linear function of Q, which is large for typical parameters. To overcome the above limitations, we also give a refined way of using Type-II and Type-III PHFs to construct lattice-based short signatures with short verification keys in the full security model. In particular, our methods depart from the confined guessing technique of Böhl et al. (Eurocrypt’13) that was used to construct previous standard model short signature schemes with short verification keys by Ducas and Micciancio (Crypto’14) and by Alperin-Sheriff (PKC’15) and allow us to achieve much tighter security from weaker hardness assumptions.\u0000","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":null,"pages":null},"PeriodicalIF":3.0,"publicationDate":"2023-11-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138515794","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Masking the GLP Lattice-Based Signature Scheme at Any Order 屏蔽任意阶的GLP格签名方案

IF 3 3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-11-29 DOI: 10.1007/s00145-023-09485-z

Gilles Barthe, Sonia Belaïd, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, Mehdi Tibouchi

Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly nonlinear and typically involve randomness) has not been considered until now. In this paper, we describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure.

最近，许多针对基于格的方案的物理攻击已经被证明，通常利用其独特的特性，如对高斯分布的依赖，拒绝采样和基于fft的多项式乘法。随着对后量子加密的具体实现和部署的需求变得更加迫切，防范这些攻击是一个重要的问题。然而，迄今为止，很少有人提出对策。特别是，掩蔽已经应用于一些基于格的加密方案的解密过程，但是更困难的签名情况(高度非线性且通常涉及随机性)到目前为止还没有考虑到。在本文中，我们描述了基于格的签名方案的第一个掩码实现。由于掩盖高斯采样和其他涉及人为概率分布的过程将会非常低效，我们将重点放在g neysu, Lyubashevsky和Pöppelmann (CHES 2012)的GLP方案上。我们展示了如何在Ishai-Sahai-Wagner模型(CRYPTO 2003)中以相对有效的方式以任何顺序可证明地屏蔽它，使用Coron等人的技术扩展在算术和布尔屏蔽之间进行转换。我们的证明依赖于支持公共输出概念的探测安全性的温和泛化。我们还提供了一个概念验证实现来评估所建议对策的效率。

{"title":"Masking the GLP Lattice-Based Signature Scheme at Any Order","authors":"Gilles Barthe, Sonia Belaïd, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, Mehdi Tibouchi","doi":"10.1007/s00145-023-09485-z","DOIUrl":"https://doi.org/10.1007/s00145-023-09485-z","url":null,"abstract":"Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly nonlinear and typically involve randomness) has not been considered until now. In this paper, we describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure.","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":null,"pages":null},"PeriodicalIF":3.0,"publicationDate":"2023-11-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138515779","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 48

BLEACH: Cleaning Errors in Discrete Computations Over CKKS 在CKKS上离散计算的清理错误

3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-11-01 DOI: 10.1007/s00145-023-09483-1

Nir Drucker, Guy Moshkowich, Tomer Pelleg, Hayim Shaul

引用次数: 6

Breaking the $$O(sqrt{n})$$-Bit Barrier: Byzantine Agreement with Polylog Bits Per Party 打破$$O(sqrt{n})$$ -Bit障碍:与Polylog Bits Per Party的拜占庭协议

3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-10-27 DOI: 10.1007/s00145-023-09484-0

E. Boyle, R. Cohen, A. Goel

引用次数: 0

Beyond the Csiszár–Körner Bound: Best-Possible Wiretap Coding via Obfuscation 超越Csiszár-Körner界限:通过混淆实现最佳窃听编码

3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-10-18 DOI: 10.1007/s00145-023-09482-2

Yuval Ishai, Alexis Korb, Paul Lou, Amit Sahai

Abstract A wiretap coding scheme (Wyner in Bell Syst Tech J 54(8):1355–1387, 1975) enables Alice to reliably communicate a message m to an honest Bob by sending an encoding c over a noisy channel $$textsf{ChB}$$ ChB , while at the same time hiding m from Eve who receives c over another noisy channel $$textsf{ChE}$$ ChE . Wiretap coding is clearly impossible when $$textsf{ChB}$$ ChB is a degraded version of $$textsf{ChE}$$ ChE , in the sense that the output of $$textsf{ChB}$$ ChB can be simulated using only the output of $$textsf{ChE}$$ ChE . A classic work of Csiszár and Korner (IEEE Trans Inf Theory 24(3):339–348, 1978) shows that the converse does not hold. This follows from their full characterization of the channel pairs $$(textsf{ChB},textsf{ChE})$$ ( ChB , ChE ) that enable information-theoretic wiretap coding. In this work, we show that in fact the converse does hold when considering computational security ; that is, wiretap coding against a computationally bounded Eve is possible if and only if $$textsf{ChB}$$ ChB is not a degraded version of $$textsf{ChE}$$ ChE . Our construction assumes the existence of virtual black-box obfuscation of specific classes of “evasive” functions that generalize fuzzy point functions and can be heuristically instantiated using indistinguishability obfuscation. Finally, our solution has the appealing feature of being universal in the sense that Alice’s algorithm depends only on $$textsf{ChB}$$ ChB and not on $$textsf{ChE}$$ ChE .

一种窃听编码方案(Wyner in Bell system Tech J 54(8): 1355-1387, 1975)使Alice能够通过噪声信道$$textsf{ChB}$$ ChB发送编码c，从而可靠地将消息m传递给诚实的Bob，同时将m隐藏给Eve, Eve通过另一个噪声信道$$textsf{ChE}$$ ChE接收到c。当$$textsf{ChB}$$ ChB是$$textsf{ChE}$$ ChE的降级版本时，窃听编码显然是不可能的，因为只能使用$$textsf{ChE}$$ ChE的输出来模拟$$textsf{ChB}$$ ChB的输出。Csiszár和Korner的经典著作(IEEE Trans Inf Theory 24(3):339 - 348,1978)表明，相反的情况并不成立。这源于他们对信道对$$(textsf{ChB},textsf{ChE})$$ (ChB, ChE)的完整描述，这些信道对使信息论窃听编码成为可能。在这项工作中，我们表明，事实上，在考虑计算安全性时，相反的情况确实成立;也就是说，当且仅当$$textsf{ChB}$$ ChB不是$$textsf{ChE}$$ ChE的降级版本时，针对计算受限的Eve进行窃听编码是可能的。我们的构造假设存在特定类别的“回避”函数的虚拟黑箱混淆，这些函数概括了模糊点函数，并且可以使用不可区分混淆进行启发式实例化。最后，我们的解决方案具有吸引人的通用性，因为Alice的算法仅依赖于$$textsf{ChB}$$ ChB而不依赖于$$textsf{ChE}$$ ChE。

{"title":"Beyond the Csiszár–Körner Bound: Best-Possible Wiretap Coding via Obfuscation","authors":"Yuval Ishai, Alexis Korb, Paul Lou, Amit Sahai","doi":"10.1007/s00145-023-09482-2","DOIUrl":"https://doi.org/10.1007/s00145-023-09482-2","url":null,"abstract":"Abstract A wiretap coding scheme (Wyner in Bell Syst Tech J 54(8):1355–1387, 1975) enables Alice to reliably communicate a message m to an honest Bob by sending an encoding c over a noisy channel $$textsf{ChB}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChB</mml:mi> </mml:math> , while at the same time hiding m from Eve who receives c over another noisy channel $$textsf{ChE}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChE</mml:mi> </mml:math> . Wiretap coding is clearly impossible when $$textsf{ChB}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChB</mml:mi> </mml:math> is a degraded version of $$textsf{ChE}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChE</mml:mi> </mml:math> , in the sense that the output of $$textsf{ChB}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChB</mml:mi> </mml:math> can be simulated using only the output of $$textsf{ChE}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChE</mml:mi> </mml:math> . A classic work of Csiszár and Korner (IEEE Trans Inf Theory 24(3):339–348, 1978) shows that the converse does not hold. This follows from their full characterization of the channel pairs $$(textsf{ChB},textsf{ChE})$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mrow> <mml:mo>(</mml:mo> <mml:mi>ChB</mml:mi> <mml:mo>,</mml:mo> <mml:mi>ChE</mml:mi> <mml:mo>)</mml:mo> </mml:mrow> </mml:math> that enable information-theoretic wiretap coding. In this work, we show that in fact the converse does hold when considering computational security ; that is, wiretap coding against a computationally bounded Eve is possible if and only if $$textsf{ChB}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChB</mml:mi> </mml:math> is not a degraded version of $$textsf{ChE}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChE</mml:mi> </mml:math> . Our construction assumes the existence of virtual black-box obfuscation of specific classes of “evasive” functions that generalize fuzzy point functions and can be heuristically instantiated using indistinguishability obfuscation. Finally, our solution has the appealing feature of being universal in the sense that Alice’s algorithm depends only on $$textsf{ChB}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChB</mml:mi> </mml:math> and not on $$textsf{ChE}$$ <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"> <mml:mi>ChE</mml:mi> </mml:math> .","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135825274","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 2

Rinocchio: SNARKs for Ring Arithmetic 瑞诺乔:环算的陷阱

3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-10-01 DOI: 10.1007/s00145-023-09481-3

Chaya Ganesh, Anca Nitulescu, Eduardo Soria-Vazquez

引用次数: 26

Non-malleable Vector Commitments via Local Equivocability 基于局部模糊性的不可延展性向量承诺

3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-09-26 DOI: 10.1007/s00145-023-09480-4

Lior Rotem, Gil Segev

引用次数: 1

Topology-Hiding Communication from Minimal Assumptions 最小假设下的拓扑隐藏通信

3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-09-12 DOI: 10.1007/s00145-023-09473-3

Marshall Ball, Elette Boyle, Ran Cohen, Lisa Kohl, Tal Malkin, Pierre Meyer, Tal Moran

引用次数: 3

Revisiting Mutual Information Analysis: Multidimensionality, Neural Estimation and Optimality Proofs 修正互信息分析：多维性、神经估计和最优性证明

IF 3 3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-08-23 DOI: 10.1007/s00145-023-09476-0

Valence Cristiani, Maxime Lecomte, P. Maurine

引用次数: 6

Fiat–Shamir Transformation of Multi-Round Interactive Proofs (Extended Version) 多轮交互证明的Fiat-Shamir变换(扩展版)

IF 3 3区计算机科学 Q1 Mathematics

Journal of Cryptology

Pub Date : 2023-08-08 DOI: 10.1007/s00145-023-09478-y

T. Attema, S. Fehr, Michael Klooß

引用次数: 39

首页上一页

下一页尾页

类型

全部化学•材料生命科学医学物理工程技术环境•农林材料科学地球科学法学管理学化学环境科学与生态学计算机科学教育学经济学农林科学人文科学生物学数学物理与天体物理心理学综合性期刊其他工业工程理学历史学农学文学信息工程

数据库

全部 ACS Publications Elsevier ieeexplore Springer The Royal Society of Chemistry Wiley

期刊

Journal of Cryptology

全部 Acc. Chem. Res. ACS Applied Bio Materials ACS Appl. Electron. Mater. ACS Appl. Energy Mater. ACS Appl. Mater. Interfaces ACS Appl. Nano Mater. ACS Appl. Polym. Mater. ACS BIOMATER-SCI ENG ACS Catal. ACS Cent. Sci. ACS Chem. Biol. ACS Chemical Health & Safety ACS Chem. Neurosci. ACS Comb. Sci. ACS Earth Space Chem. ACS Energy Lett. ACS Infect. Dis. ACS Macro Lett. ACS Mater. Lett. ACS Med. Chem. Lett. ACS Nano ACS Omega ACS Photonics ACS Sens. ACS Sustainable Chem. Eng. ACS Synth. Biol. Anal. Chem. BIOCHEMISTRY-US Bioconjugate Chem. BIOMACROMOLECULES Chem. Res. Toxicol. Chem. Rev. Chem. Mater. CRYST GROWTH DES ENERG FUEL Environ. Sci. Technol. Environ. Sci. Technol. Lett. Eur. J. Inorg. Chem. IND ENG CHEM RES Inorg. Chem. J. Agric. Food. Chem. J. Chem. Eng. Data J. Chem. Educ. J. Chem. Inf. Model. J. Chem. Theory Comput. J. Med. Chem. J. Nat. Prod. J PROTEOME RES J. Am. Chem. Soc. LANGMUIR MACROMOLECULES Mol. Pharmaceutics Nano Lett. Org. Lett. ORG PROCESS RES DEV ORGANOMETALLICS J. Org. Chem. J. Phys. Chem. J. Phys. Chem. A J. Phys. Chem. B J. Phys. Chem. C J. Phys. Chem. Lett. Analyst Anal. Methods Biomater. Sci. Catal. Sci. Technol. Chem. Commun. Chem. Soc. Rev. CHEM EDUC RES PRACT CRYSTENGCOMM Dalton Trans. Energy Environ. Sci. ENVIRON SCI-NANO ENVIRON SCI-PROC IMP ENVIRON SCI-WAT RES Faraday Discuss. Food Funct. Green Chem. Inorg. Chem. Front. Integr. Biol. J. Anal. At. Spectrom. J. Mater. Chem. A J. Mater. Chem. B J. Mater. Chem. C Lab Chip Mater. Chem. Front. Mater. Horiz. MEDCHEMCOMM Metallomics Mol. Biosyst. Mol. Syst. Des. Eng. Nanoscale Nanoscale Horiz. Nat. Prod. Rep. New J. Chem. Org. Biomol. Chem. Org. Chem. Front. PHOTOCH PHOTOBIO SCI PCCP Polym. Chem.

﹀