2,477 research outputs found

    Study on Optimal and Sliding Mode Guidance for an Interception Problem

    Get PDF

    Short Signatures from Diffie-Hellman, Revisited: Sublinear Public Key, CMA Security, and Tighter Reduction

    Get PDF
    Designing efficient signature scheme based on the standard assumption such as the Computational Diffie-Hellman (CDH) assumption is important both from a practical and a theoretical point of view. Currently, there are only three standard model CDH-based signature schemes with short signatures due to Waters (EUROCRYPT 2005), and Seo and Böhl et al. (the merged paper in EUROCRYPT 2013). The Waters signature scheme achieves the {\em Existentail UnForgeability against Chosen Message Attack (EUF-CMA)} with nearly optimal reduction. However, this scheme suffers from large public keys. To shorten public key size, Seo and Böhl et al. proposed new approaches, respectively, but each approach has a weak point rather than the Waters signature scheme; Seo\u27s approach could prove only a rather weak security, called the bounded CMA security, and Böhl et al.\u27s approach inherently accompanies a loose reduction. In this paper, we aim at stepping towards efficient CDH-based EUF-CMA secure signature scheme with tighter reduction. To this end, we revisit the Seo signature scheme and devise an alternative security proof. The resulting security proof leads \item {\em asymptotically} (almost) compact parameters; short signatures (two group elements and one exponent) and ω(1)\omega(1) public keys (e.g., loglogλ\log\log\lambda), where λ\lambda is the security parameter, and \item the standard EUF-CMA security with tighter reduction; O(λq)O(\lambda q) reduction loss, when ignoring negligible factors, which is less than O(λlogλq)O(\sqrt{\frac{\lambda}{\log}}\lambda q) of the original security proof and almost the same as that of the Water signature scheme

    On the (Im)possibility of Projecting Property in Prime-Order Setting

    Get PDF
    Projecting bilinear pairings have frequently been used for designing cryptosystems since they were first derived from composite order bilinear groups. There have been only a few studies on the (im)possibility of projecting bilinear pairings. Groth and Sahai (EUROCRYPT 2008) showed that projecting bilinear pairings can be achieved in a prime-order group setting. They constructed both projecting asymmetric bilinear pairings and projecting symmetric bilinear pairings, where a bilinear pairing ee is symmetric if it satisfies e(g,h)=e(h,g)e(g,h)=e(h,g) for any group elements gg and hh; otherwise, it is asymmetric. Subsequently, Freeman (EUROCRYPT 2010) generalized Groth-Sahai\u27s projecting asymmetric bilinear pairings. In this paper, we provide impossibility results on projecting bilinear pairings in a prime-order group setting. More precisely, we specify the lower bounds of 1. the image size of a projecting asymmetric bilinear pairing 2. the image size of a projecting symmetric bilinear pairing 3. the computational cost for a projecting asymmetric bilinear pairing 4. the computational cost for a projecting symmetric bilinear pairing in a prime-order group setting naturally induced from the kk-linear assumption, where the computational cost means the number of generic operations. Our lower bounds regarding a projecting asymmetric bilinear pairing are tight, i.e., it is impossible to construct a more efficient projecting asymmetric bilinear pairing than the constructions of Groth-Sahai and Freeman. However, our lower bounds regarding a projecting symmetric bilinear pairing differ from Groth and Sahai\u27s results regarding a symmetric bilinear pairing; We fill these gaps by constructing projecting symmetric bilinear pairings. In addition, on the basis of the proposed symmetric bilinear pairings, we construct more efficient instantiations of cryptosystems that essentially use the projecting symmetric bilinear pairings in a modular fashion. Example applications include new instantiations of the Boneh-Goh-Nissim cryptosystem, the Groth-Sahai non-interactive proof system, and Seo-Cheon round optimal blind signatures proven secure under the DLIN assumption. These new instantiations are more efficient than the previous ones, which are also provably secure under the DLIN assumption. These applications are of independent interest

    On the Security of Nova Recursive Proof System

    Get PDF
    Nova is a new type of recursive proof system that uses folding scheme as its core building block. This brilliant idea of folding relations can significantly reduce recursion overhead. In this paper, we study some issues related to Nova\u27s soundness proof that relies on the soundness of the folding scheme in a recursive manner. First, its proof strategy, due to its recursive nature, inevitably expands the running time of the recursive extractor polynomially for each additional recursive step. This constrains Nova\u27s soundness model to have only logarithmically bounded recursive steps, and so the soundness proof in this limited model does not guarantee the soundness for linear rounds in the security parameter, e.g., 128 rounds for 128 bit security. On the other hand, there are no known attacks on arbitrary depth recursion of Nova, leaving a gap between theoretical security guarantees and real-world attacks. We aim to bridge this gap in two opposite directions. In a negative direction, we present a recursive proof system that is unforgeable in a log-round model but forgeable if used in linear rounds. This shows that the soundness proof in the log-round model might tell nothing about real-world uses that require linearly long rounds. In a positive direction, we show that when Nova uses a specific group-based folding scheme, its knowledge soundness over polynomial rounds can be proven in the algebraic group model with our refinements. To the best of our knowledge, this is the first result to show Nova\u27s polynomial rounds soundness. Second, the folding scheme is converted non-interactively via the Fiat-Shamir transformation and then arithmetized into R1CS. Therefore, the soundness of Nova using the non-interactive folding scheme essentially relies on the heuristic random oracle instantiation in the standard model. In our new soundness proof for Nova in the algebraic group model, we replace this heuristics with a cryptographic hash function with special property. We view this hash function as an independent object of interest and expect it to help further understand the soundness of Nova

    TENET : Sublogarithmic Proof and Sublinear Verifier Inner Product Argument without a Trusted Setup

    Get PDF
    We propose a new inner product argument (IPA), called TENET, which features sublogarithmic proof size and sublinear verifier without a trusted setup. IPA is a core primitive for various advanced proof systems including range proofs, circuit satisfiability, and polynomial commitment, particularly where a trusted setup is hard to apply. At ASIACRYPT 2022, Kim, Lee, and Seo showed that pairings can be utilized to exceed the complexity barrier of the previous discrete logarithm-based IPA without a trusted setup. More precisely, they proposed two pairing-based IPAs, one with sublogarithmic proof size and the other one with sublinear verifier cost, but they left achieving both complexities simultaneously as an open problem. We investigate the obstacles for this open problem and then provide our solution TENET, which achieves both sublogarithmic proof size and sublinear verifier. We prove the soundness of TENET under the discrete logarithm assumption and double pairing assumption

    Fully Secure Anonymous Hierarchical Identity-Based Encryption with Constant Size Ciphertexts

    Get PDF
    Efficient and privacy-preserving constructions for search functionality on encrypted data is important issues for data outsourcing, and data retrieval, etc. Fully secure anonymous Hierarchical ID-Based Encryption (HIBE) schemes is useful primitives that can be applicable to searchable encryptions [4], such as ID-based searchable encryption, temporary searchable encryption [1], and anonymous forward secure HIBE [9]. We propose a fully secure anonymous HIBE scheme with constant size ciphertexts

    Efficient Zero-Knowledge Argument in Discrete Logarithm Setting: Sublogarithmic Proof or Sublinear Verifier

    Get PDF
    We propose three interactive zero-knowledge arguments for arithmetic circuit of size NN in the common random string model, which can be converted to be non-interactive by Fiat-Shamir heuristics in the random oracle model. First argument features O(logN)O(\sqrt{\log N}) communication and round complexities and O(N)O(N) computational complexity for the verifier. Second argument features O(logN)O(\log N) communication and O(N)O(\sqrt{N}) computational complexity for the verifier. Third argument features O(logN)O(\log N) communication and O(NlogN)O(\sqrt{N}\log N) computational complexity for the verifier. Contrary to first and second arguments, the third argument is free of reliance on pairing-friendly elliptic curves. The soundness of three arguments is proven under the standard discrete logarithm and/or the double pairing assumption, which is at least as reliable as the decisional Diffie-Hellman assumption

    Multilinear Map via Scale-Invariant FHE: Enhancing Security and Efficiency

    Get PDF
    Cryptographic multilinear map is a useful tool for constructing numerous secure protocols and Graded Encoding System (GES) is an {\em approximate} concept of multilinear map. In multilinear map context, there are several important issues, mainly about security and efficiency. All early stage candidate multilinear maps are recently broken by so-called zeroizing attack, so that it is highly required to develop reliable mechanisms to prevent zeroizing attacks. Moreover, the encoding size in all candidate multilinear maps grows quadratically in terms of multilinearity parameter κ\kappa and it makes them less attractive for applications requiring large κ\kappa. In this paper, we propose a new integer-based multilinear map that has several advantages over previous schemes. In terms of security, we expect that our construction is resistant to the zeroizing attack. In terms of efficiency, the bit-size of an encoding grows sublinearly with κ\kappa, more precisely O((log2κ)2)O((\log_2\kappa)^2). To this end, we essentially utilize a technique of the multiplication procedure in {\em scale-invariant} fully homomorphic encryption (FHE), which enables to achieve sublinear complexity in terms of multilinearity and at the same time security against the zeroizing attacks (EUROCRYPT 2015, IACR-Eprint 2015/934, IACR-Eprint 2015/941), which totally broke Coron, Lepoint, and Tibouchi\u27s integer-based construction (CRYPTO 2013, CRYPTO2015). We find that the technique of scale-invariant FHE is not very well harmonized with previous approaches of making GES from (non-scale-invariant) FHE. Therefore, we first devise a new approach for approximate multilinear maps, called {\em Ring Encoding System (RES)}, and prove that a multilinear map built via RES is generically secure. Next, we propose a new efficient scale-invariant FHE with special properties, and then construct a candidate RES based on a newly proposed scale-invariant FHE. It is worth noting that, contrary to the CLT multilinear map (CRYPTO 2015), multiplication procedure in our construction does not add hidden constants generated by ladders of zero encodings, but mixes randoms in encodings in non-linear ways without using ladders of zero encodings. This feature is obtained by using the scale-invariant FHE and essential to prevent the Cheon et al.\u27s zeroizing attack

    New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters

    Get PDF
    Revoking corrupted users is a desirable functionality for cryptosystems. Since Boldyreva, Goyal, and Kumar (ACM CCS 2008) proposed a notable result for scalable revocation method in identity-based encryption (IBE), several works have improved either the security or the efficiency of revocable IBE (RIBE). Currently, all existing scalable RIBE schemes that achieve adaptively security against decryption key exposure resistance (DKER) can be categorized into two groups; either with long public parameters or over composite-order bilinear groups. From both practical and theoretical points of views, it would be interesting to construct adaptively secure RIBE scheme with DKER and short public parameters in prime-order bilinear groups. In this paper, we address this goal by using Seo and Emura\u27s technique (PKC 2013), which transforms the Waters IBE to the corresponding RIBE. First, we identify necessary requirements for the input IBE of their transforming technique. Next, we propose a new IBE scheme having several desirable properties; satisfying all the requirements for the Seo-Emura technique, constant-size public parameters, and using prime-order bilinear groups. Finally, by applying the Seo-Emura technique, we obtain the first adaptively secure RIBE scheme with DKER and constant-size public parameters in prime-order bilinear groups. We also discuss some extensions of the proposed RIBE scheme

    A New Approach for Practical Function-Private Inner Product Encryption

    Get PDF
    Functional Encryption (FE) is a new paradigm supporting restricted decryption keys of function ff that allows one to learn f(xj)f(x_j) from encryptions of messages xjx_j. A natural and practical security requirements for FE is to keep not only messages x1,,xqx_1,\ldots,x_q but also functions f1,fqf_1,\ldots f_q confidential from encryptions and decryptions keys, except inevitable information {fi(xj)}i,j[q]\{f_i(x_j)\}_{i,j\in[q]}, for any polynomial a-priori unknown number qq, where fif_i\u27s and xjx_j\u27s are adaptively chosen by adversaries. Such the security requirement is called {\em full function privacy}. In this paper, we particularly focus on function-private FE for inner product functionality in the {\em private key setting} (simply called Inner Product Encryption (IPE)). To the best of our knowledge, there are two approaches for fully function-private IPE schemes in the private key setting. One of which is to employ a general transformation from (non-function-private) FE for general circuits (Brakerski and Segev, TCC 2015). This approach requires heavy crypto tools such as indistinguishability obfuscation (for non-function-private FE for general circuits) and therefore inefficient. The other approach is relatively practical; it directly constructs IPE scheme by using {\em dual pairing vector spaces (DPVS)} (Bishop et al. ASIACRYPT 2015, Datta et al. PKC 2016, and Tomida et al. ISC 2016). \quad We present a new approach for practical function-private IPE schemes that does not employ DPVS but generalizations of Brakerski-Segev transformation. Our generalizations of Brakerski-Segev transformation are easily combinable with existing (non-function-private) IPE schemes as well as (non-function-private) FE schemes for general circuits in several levels of security. Our resulting IPE schemes achieve better performance in comparison with Bishop et al. IPE scheme as well as Datta et al. IPE scheme while preserving the same security notion under the same complexity assumption. In comparison with Tomida et al. IPE scheme, ours have comparable performance in the size of both ciphertext and decryption key, but better performance in the size of master key
    corecore