
    Cryptographic Pairings: Efficiency and DLP security

    This thesis studies two important aspects of the use of pairings in cryptography: efficient algorithms and security. Pairings are very useful tools in cryptography. Originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and identity-based cryptography. The thesis comprises two parts: Security and Efficient Algorithms. In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in pairing-based cryptography (PBC). Results on the relationship between the two instances of the DLP (on the elliptic curve and in the finite field the pairing maps into) are presented, along with a discussion of the appropriate selection of parameters to ensure a particular security level. In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the PBC research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this part contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocol

    LCPR: High Performance Compression Algorithm for Lattice-Based Signatures

    Many lattice-based signature schemes have been proposed in recent years. However, all of them suffer from huge signature sizes compared to their classical counterparts. We present a novel and generic construction of a lossless compression algorithm for Schnorr-like signatures that utilizes publicly accessible randomness. Conceptually, exploiting public randomness in order to reduce the signature size has never been considered in cryptographic applications. We illustrate the applicability of our compression algorithm using the example of a current state-of-the-art signature scheme due to Gentry et al. (the GPV scheme) instantiated with the efficient trapdoor construction of Micciancio and Peikert. This scheme benefits from increasing the main security parameter n, which is positively correlated with the compression rate measuring the amount of storage savings. For instance, GPV signatures admit improvement factors of approximately lg n, implying compression rates of about 65% at a security level of about 100 bits without loss of information or decrease in security, meaning that the original signature can always be recovered from its compressed state. As a further result, we propose a multi-signer compression strategy for the case where more than one signer agrees to share the same source of public randomness. Such a strategy of bundling compressed signatures together into an aggregate has many advantages over the single-signer approach.

    A Lightweight Aggregate Signature Scheme with Provable Security under Well-Established Assumptions

    An aggregate signature is a cryptographic primitive that compresses the individual signatures produced by multiple signers on different documents into a single short signature. The concept was introduced by Boneh et al., who at the same time proposed an aggregate signature scheme based on a special algebraic structure called a pairing. Their scheme achieves constant-size signatures and aggregation without any communication among the signers. On the other hand, the computational hardness assumption underlying its security is stronger than the discrete logarithm assumption used by many deployed cryptographic systems, so somewhat larger parameters are needed in practice, and pairing computation is expensive. Pairings thus have several drawbacks. Zhao proposed the first pairing-free aggregate signature scheme as an application for Bitcoin. In that scheme the signature length grows linearly with the number of signers, but it consists only of lightweight computations and requires no particular assumption at key setup. Its security, however, rests on a newly proposed hardness assumption. Constructing a pairing-free aggregate signature scheme whose security can be guaranteed under a well-established assumption is therefore an important problem. This thesis presents three main results. First, we give a sub-exponential-time attacker that produces a forgery on an arbitrary document against Zhao's scheme. Because it runs in sub-exponential time it is not fatal in theory, but it affects the parameter choice in implementations: the existence of our attacker shows that larger parameters than Zhao originally assumed are required, which weakens the advantages of Zhao's scheme. Second, we propose aggregate signatures with pre-communication as a new framework, and a pairing-free aggregate signature scheme in the pre-communication model whose security is guaranteed under the discrete logarithm assumption. Aggregation requires communication between the signers and the aggregator, but the communication cost is comparatively small. At key setup each signer must prove that it generated its key honestly, and the signature length is linear in the number of signers, but smaller than in Zhao's scheme. We also argue that the proposed scheme does not contradict the impossibility result of Drijvers et al. Third, we propose a one-time aggregate signature scheme, in which a single key generation allows a single aggregate signature to be produced. Its security is based on the one-more discrete logarithm assumption and can be proven without random oracles, which exist only in the theoretical world. It achieves constant-size signatures but requires trusted key generation. The University of Electro-Communications, 202

    Research Philosophy of Modern Cryptography

    Proposing novel cryptographic schemes (e.g., encryption, signatures, and protocols) is one of the main research goals in modern cryptography. In this paper, based on more than 800 research papers since 1976 that we have surveyed, we introduce the research philosophy of cryptography behind these papers. We use "benefits" and "novelty" as the keywords to introduce the research philosophy of proposing new schemes, assuming that one scheme has already been proposed for a cryptographic notion. Next, we introduce how benefits were explored in the literature, and we categorize the methodology into 3 ways to obtain benefits, 6 types of benefits, and 17 benefit areas. As examples, we introduce 40 research strategies within these benefit areas that were invented in the literature. The introduced research strategies cover most cryptographic schemes published in top-tier cryptography conferences.

    Realizing Fully Secure Unrestricted ID-Based Ring Signature in the Standard Model Based on HIBE


    More Efficient Two-Round Multi-Signature Scheme with Provably Secure Parameters

    In this paper, we propose the first two-round multi-signature scheme that can guarantee 128-bit concrete security under a standardized elliptic curve (EC) without using the Algebraic Group Model (AGM). To construct our scheme, we introduce a new technique that tailors a certain special homomorphic commitment scheme for use with the Katz-Wang DDH-based signature scheme. We prove that an EC with at least a 321-bit order is sufficient for our scheme to have the standard 128-bit security. This means that our scheme is easy to implement in practice, because the NIST-standardized curve P-384 can be used for 128-bit security. The signature size of our proposed scheme under P-384 is 1152 bits, which is the smallest among the existing schemes that do not use the AGM. Our experiment on an ordinary machine shows that with 100 signers, signing and verification each complete in about 65 ms. This shows that our scheme has a sufficiently reasonable running time in practice.

    Squirrel: Efficient Synchronized Multi-Signatures from Lattices

    The focus of this work is multi-signature schemes in the synchronized setting. A multi-signature scheme allows multiple signatures on the same message, from independent signers, to be compressed into one short aggregated signature, which allows all of the signatures to be verified simultaneously. In the synchronized setting, the signing algorithm takes the current time step as an additional input. It is assumed that no signer signs more than one message per time step, and the aim is to aggregate signatures for the same message and the same time step. This setting is particularly useful in the context of blockchains, where validators are naturally synchronized by the blocks they sign. We present Squirrel, a concretely efficient lattice-based multi-signature scheme in the synchronized setting that works for a bounded number of 2^τ time steps and allows up to ρ signatures to be aggregated at each step, where both τ and ρ are public parameters on which the efficiency of the scheme depends. Squirrel allows non-interactive aggregation of independent signatures and is proven secure in the random oracle model in the presence of rogue-key attacks, assuming the hardness of the short integer solution problem in a polynomial ring. We provide a careful analysis of all parameters and show that Squirrel can be instantiated with good concrete efficiency. For τ = 24 and ρ = 4096, a signer could sign a new message every 10 seconds for 5 years non-stop. Assuming the signer has a cache of 112 MB, signing takes 68 ms and verification of an aggregated signature takes 36 ms. The size of the public key is 1 KB, the size of an individual signature is 52 KB, and the size of an aggregated signature is 771 KB.
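    The three abstracts above (the pairing-free aggregate signature thesis, the two-round multi-signature scheme, and Squirrel) all turn on the same mechanics: independent signers' contributions on one message are combined so that a single equation verifies them all, and key setup has to be protected against rogue-key attacks, either by a proof that each key was generated honestly or by a scheme designed to tolerate them. The following is an added example, not code from any of these papers: a toy Schnorr multi-signature over NIST P-256 in pure Python with plain sum-of-keys aggregation, the well-known rogue-key attack against that aggregation, and the proof-of-possession check at key setup that stops it. The curve arithmetic, the hash tags `b"msig"` and `b"pop"`, and all function names are assumptions made for this example; it is not the Katz-Wang construction, the pre-communication scheme, or Squirrel's lattice scheme, and it ignores constant-time arithmetic and nonce hygiene.

```python
# Added example (not from the papers above): toy Schnorr multi-signature on
# NIST P-256 with naive sum-of-keys aggregation, the classic rogue-key attack
# on it, and a proof-of-possession (PoP) check at key setup that blocks it.
import hashlib
import secrets

# NIST P-256 domain parameters: y^2 = x^3 - 3x + B over F_P, base point G of prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition; also handles doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod the group order."""
    acc, addend, k = INF, pt, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def ec_sum(points):
    acc = INF
    for pt in points:
        acc = ec_add(acc, pt)
    return acc


def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(tag, *parts):
    """Fiat-Shamir challenge: SHA-256 over a domain tag, points and message bytes, mod N."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else enc(part))
    return int.from_bytes(h.digest(), "big") % N


def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)


# Naive multi-signature: the aggregate key is the plain sum of the public keys.
# The nonce-exchange round between signers is collapsed into one function here.
def multisign(signers, msg):
    """signers: list of (sk, pk). Output is one Schnorr signature (R, s) for the set."""
    X = ec_sum(pk for _, pk in signers)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in signers]
    R = ec_sum(ec_mul(r, G) for r in nonces)
    c = challenge(b"msig", X, R, msg)
    s = sum(r + c * sk for r, (sk, _) in zip(nonces, signers)) % N
    return R, s


def verify(pks, msg, sig):
    """One equation checks every signer at once: s*G == R + c*(sum of pks)."""
    R, s = sig
    X = ec_sum(pks)
    c = challenge(b"msig", X, R, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, X))


# Rogue-key attack: the attacker registers X2 = x'G - X1, so X1 + X2 = x'G and the
# honest signer's key cancels out of the aggregate; the attacker then signs alone.
def rogue_key(honest_pk):
    x_rogue = secrets.randbelow(N - 1) + 1
    return x_rogue, ec_add(ec_mul(x_rogue, G), ec_neg(honest_pk))


def rogue_sign(x_rogue, pks, msg):
    """Produces a signature that verify() accepts for pks without the honest signer."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    c = challenge(b"msig", ec_sum(pks), R, msg)  # ec_sum(pks) == x_rogue * G
    return R, (r + c * x_rogue) % N


# Countermeasure: each signer publishes a PoP (a Schnorr signature on its own key)
# at key setup. The rogue key's discrete log is unknown, so no valid PoP exists.
def pop_create(sk, pk):
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    return R, (r + challenge(b"pop", pk, R) * sk) % N


def pop_verify(pk, pop):
    R, s = pop
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(b"pop", pk, R), pk))
```

    The `verify` function is the point of contact with the abstracts: whatever the underlying assumption (DDH for the Katz-Wang-based scheme, ring-SIS for Squirrel, the discrete logarithm assumption for the pre-communication scheme), the verifier runs one check against an aggregate of the public keys, and that is exactly what a rogue key exploits. Zhao's scheme is described above as needing no assumption at key setup; the pre-communication scheme instead requires each signer to prove honest key generation, which is the role `pop_verify` plays here, and Squirrel is proven secure with rogue-key attacks explicitly in the model.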

    A Primer on Cryptographic Multilinear Maps and Code Obfuscation

    The construction of cryptographic multilinear maps and of a general-purpose code obfuscator were two long-standing open problems in cryptography. It has been clear for a number of years that constructions of these two primitives would yield many interesting applications. This thesis describes the Coron-Lepoint-Tibouchi candidate construction for multilinear maps, as well as new candidates for code obfuscation. We give an overview of current multilinear-map and obfuscation research, and present some relevant applications. We also provide some examples and warnings regarding the inefficiency of the new constructions. The presentation is self-contained and should be accessible to the novice reader.