Algebraic Restriction Codes and Their Applications

Consider the following problem: You have a device that is supposed to compute a linear combination of its inputs, which are taken from some finite field. However, the device may be faulty and compute arbitrary functions of its inputs. Is it possible to encode the inputs in such a way that only linear functions can be evaluated over the encodings? I.e., learning an arbitrary function of the encodings will not reveal more information about the inputs than a linear combination. In this work, we introduce the notion of algebraic restriction codes (AR codes), which constrain adversaries who might compute any function to computing a linear function. Our main result is an information-theoretic construction AR codes that restrict any class of function with a bounded number of output bits to linear functions. Our construction relies on a seed which is not provided to the adversary. While interesting and natural on its own, we show an application of this notion in cryptography. In particular, we show that AR codes lead to the first construction of rate-1 oblivious transfer with statistical sender security from the Decisional Diffie-Hellman assumption, and the first-ever construction that makes black-box use of cryptography. Previously, such protocols were known only from the LWE assumption, using non-black-box cryptographic techniques. We expect our new notion of AR codes to find further applications, e.g., in the context of non-malleability, in the future

Algebraic Restriction Codes and their Applications

Consider the following problem: You have a device that is supposed to compute a linear combination of its inputs, which are taken from some finite field. However, the device may be faulty and compute arbitrary functions of its inputs. Is it possible to encode the inputs in such a way that only linear functions can be evaluated over the encodings? I.e., learning an arbitrary function of the encodings will not reveal more information about the inputs than a linear combination. In this work, we introduce the notion of algebraic restriction codes (AR codes), which constrain adversaries who might compute any function to computing a linear function. Our main result is an information-theoretic construction AR codes that restrict any class of function with a bounded number of output bits to linear functions. Our construction relies on a seed which is not provided to the adversary. While interesting and natural on its own, we show an application of this notion in cryptography. In particular, we show that AR codes lead to the first construction of rate-1 oblivious transfer with statistical sender security from the Decisional Diffie-Hellman assumption, and the first-ever construction that makes black-box use of cryptography. Previously, such protocols were known only from the LWE assumption, using non-black-box cryptographic techniques. We expect our new notion of AR codes to find further applications, e.g., in the context of non-malleability, in the future

SoK: Privacy-Preserving Signatures

Modern security systems depend fundamentally on the ability of users to authenticate their communications to other parties in a network. Unfortunately, cryptographic authentication can substantially undermine the privacy of users. One possible solution to this problem is to use privacy-preserving cryptographic authentication. These protocols allow users to authenticate their communications without revealing their identity to the verifier. In the non-interactive setting, the most common protocols include blind, ring, and group signatures, each of which has been the subject of enormous research in the security and cryptography literature. These primitives are now being deployed at scale in major applications, including Intel\u27s SGX software attestation framework. The depth of the research literature and the prospect of large-scale deployment motivate us to systematize our understanding of the research in this area. This work provides an overview of these techniques, focusing on applications and efficiency

Cascading Four Round LRW1 is Beyond Birthday Bound Secure

In CRYPTO\u2702, Liskov et al. have introduced a new symmetric key primitive called tweakable block cipher. They have proposed two constructions of designing a tweakable block cipher from block ciphers. The first proposed construction is called $\mathsf{LRW1}$ and the second proposed construction is called $\mathsf{LRW2}$. Although, $\mathsf{LRW2}$ has been extended in later works to provide beyond birthday bound security (e.g., cascaded $\mathsf{LRW2}$ in CRYPTO\u2712 by Landecker et al.), but extension of the $\mathsf{LRW1}$ has received no attention until the work of Bao et al. in EUROCRYPT\u2720, where the authors have shown that one round extension of $\mathsf{LRW1}$, i.e., masking the output of $\mathsf{LRW1}$ with the given tweak and then re-encrypting it with the same block cipher, gives security up to $2^{2n/3}$ queries. Recently, Khairallah has shown a birthday bound distinguishing attack on the construction and hence invalidated the security claim of Bao et al. This has led to the open research question, that {\em how many round are required for cascading $\mathsf{LRW1}$ to achieve beyond birthday bound security ?} In this paper, we have shown that cascading $\mathsf{LRW1}$ up to four rounds is sufficient for ensuring beyond the birthday bound security. In particular, we have shown that $\mathsf{CLRW1}^4$ provides security up to $2^{3n/4}$ queries. Security analysis of our construction is based on the recent development of the mirror theory technique for tweakable random permutations under the framework of the Expectation Method

Cascading Four Round LRW1 is Beyond Birthday Bound Secure

In CRYPTO’02, Liskov et al. introduced the concept of a tweakable block cipher, a novel symmetric key primitive with promising applications. They put forth two constructions for designing such tweakable block ciphers from conventional block ciphers: LRW1 and LRW2. While subsequent efforts extended LRW2 to achieve security beyond the birthday bound (e.g., cascaded LRW2 in CRYPTO’12 by Landecker et al.), the extension of LRW1 remained unexplored until Bao et al.’s work in EUROCRYPT’20 that considered cascaded LRW1, a one-round extension of LRW1 - entailing masking the LRW1 output with the given tweak and re-encrypting it with the same block cipher. They showed that CLRW1 offers security up to 22n/3 queries. However, this result was challenged by Khairallah’s recent birthday bound distinguishing attack on cascaded LRW1, effectively refuting the security claim of Bao et al. Consequently, a pertinent research question emerges: How many rounds of cascaded LRW1 are required to obtain security beyond the birthday bound? This paper addresses this question by establishing that cascading LRW1 for four rounds suffices to ensure security beyond the birthday bound. Specifically, we demonstrate that 4 rounds of CLRW1 guarantees security for up to 23n/4 queries. Our security analysis is based from recent advancements in the mirror theory technique for tweakable random permutations, operating within the framework of the Expectation Method

SoK: Privacy-Preserving Smart Contract

The privacy concern in smart contract applications continues to grow, leading to the proposal of various schemes aimed at developing comprehensive and universally applicable privacy-preserving smart contract (PPSC) schemes. However, the existing research in this area is fragmented and lacks a comprehensive system overview. This paper aims to bridge the existing research gap on PPSC schemes by systematizing previous studies in this field. The primary focus is on two categories: PPSC schemes based on cryptographic tools like zero-knowledge proofs, as well as schemes based on trusted execution environments. In doing so, we aim to provide a condensed summary of the different approaches taken in constructing PPSC schemes. Additionally, we also offer a comparative analysis of these approaches, highlighting the similarities and differences between them. Furthermore, we shed light on the challenges that developers face when designing and implementing PPSC schemes. Finally, we delve into potential future directions for improving and advancing these schemes, discussing possible avenues for further research and development

A Practical-Quantum Differential Attack on Block Ciphers

Differential attack is a basic cryptanalysis method for block ciphers that exploits the high probability relations between the input and output differences. The existing work in quantum differential cryptanalysis of block ciphers focuses on resource estimation to recover the last round subkeys on the basis of existing relations constructed on classical computers. To find such relations using quantum computer, we propose a method to search the high probability differential and impossible differential characteristics using quantum computer. The method explores all possible input and output difference pairs simultaneously using superposition of qubits. The proposed method is used to design the quantum circuit to search the differential characteristics for a toy cipher smallGIFT. The branch-and-bound based method is used to validate differential and impossible differential characteristics obtained using proposed method

Tight Security Analysis of the Public Permutation-Based PMAC_Plus

Yasuda proposed a variable input-length PRF in CRYPTO 2011, called \textsf{PMAC_Plus}, based on an $n$-bit block cipher. \textsf{PMAC_Plus} is a rate-$1$ construction and inherits the well-known $\textsf{PMAC}$ parallel network with a low additional cost. However, unlike $\textsf{PMAC}$, \textsf{PMAC_Plus} is secure roughly up to $2^{2n/3}$ queries. Zhang et al. proposed \textsf{3kf9} in ASIACRYPT 2012, Naito proposed \textsf{LightMAC_Plus} in ASIACRYPT 2017, and Iwata et al. proposed \textsf{GCM-SIV2} in FSE 2017 -- all of them secure up to around $2^{2n/3}$ queries. Their structural designs and corresponding security proofs were unified by Datta et al. in their framework {\em Double-block Hash-then-Sum} (\textsf{DbHtS}). Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of $2^{3n/4}$ on \textsf{DbHtS}. That \textsf{PMAC_Plus} provides security for roughly up to $2^{3n/4}$ queries is a consequence of this result. In this paper, we propose a public permutation-based variable input-length PRF called {\textsf{pPMAC_Plus}}. We show that {\textsf{pPMAC_Plus}} is secure against all adversaries that make at most $2^{2n/3}$ queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of {\textsf{pPMAC_Plus}} with the two-round iterated Even-Mansour cipher can yield a beyond the birthday bound secure PRF based on public permutations. Altogether, the solution incurs $(2\ell + 4)$ permutation calls, whereas our proposal requires only $(\ell+2)$ permutation calls, $\ell$ being the maximum number of message blocks

SIDH-sign: an efficient SIDH PoK-based signature

We analyze and implement the SIDH PoK-based construction from De Feo, Dobson, Galbraith, and Zobernig. We improve the SIDH-PoK built-in functions to allow an efficient constant-time implementation. After that, we combine it with Fiat-Shamir transform to get an SIDH PoK-based signature scheme that we short label as SIDH-sign. We suggest SIDH-sign-p377, SIDH-sign-p546, and SIDH-sign-p697 as instances that provide security compared to NIST L1, L3, and L5. To the best of our knowledge, the three proposed instances provide the best performance among digital signature schemes based on isogenies

Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields

Consider the problem of efficiently evaluating isogenies $\phi: E \to E/H$ of elliptic curves over a finite field $\mathbb{F}_q$, where the kernel $H = \langle G\rangle$ is a cyclic group of odd (prime) order: given $E$, $G$, and a point (or several points) $P$ on $E$, we want to compute $\phi(P)$. This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on V{\'e}lu's formulae give an efficient solution to this problem when the kernel generator $G$ is defined over $\mathbb{F}_q$. However, for general isogenies, $G$ is only defined over some extension $\mathbb{F}_{q^k}$, even though $\langle G\rangle$ as a whole (and thus $\phi$) is defined over the base field $\mathbb{F}_q$; and the performance of V{\'e}lu-style algorithms degrades rapidly as $k$ grows. In this article we revisit the isogeny-evaluation problem with a special focus on the case where $1 \le k \le 12$. We improve V{\'e}lu-style isogeny evaluation for many cases where $k = 1$ using special addition chains, and combine this with the action of Galois to give greater improvements when $k > 1$