On Adaptive Security of Delayed-Input Sigma Protocols and Fiat-Shamir NIZKs
We study adaptive security of delayed-input Sigma protocols and non-interactive zero-knowledge (NIZK) proof systems in the common reference string (CRS) model. Our contributions are threefold:
- We exhibit a generic compiler taking any delayed-input Sigma protocol and returning a delayed-input Sigma protocol satisfying adaptive-input special honest-verifier zero-knowledge (SHVZK). In case the initial Sigma protocol also satisfies adaptive-input special soundness, our compiler preserves this property.
- We revisit the recent paradigm by Canetti et al. (STOC 2019) for obtaining NIZK proof systems in the CRS model via the Fiat-Shamir transform applied to so-called trapdoor Sigma protocols, in the context of adaptive security. In particular, assuming correlation-intractable hash functions for all sparse relations, we prove that Fiat-Shamir NIZKs satisfy either:
(i) Adaptive soundness (and non-adaptive zero-knowledge), so long as the challenge is obtained by hashing both the prover's first round and the instance being proven;
(ii) Adaptive zero-knowledge (and non-adaptive soundness), so long as the challenge is obtained by hashing only the prover's first round, and further assuming that the initial trapdoor Sigma protocol satisfies adaptive-input SHVZK.
- We exhibit a generic compiler taking any Sigma protocol and returning a trapdoor Sigma protocol. Unfortunately, this transform does not preserve the delayed-input property of the initial Sigma protocol (if any). To complement this result, we also give yet another compiler taking any delayed-input trapdoor Sigma protocol and returning a delayed-input trapdoor Sigma protocol with adaptive-input SHVZK.
An attractive feature of our first two compilers is that they allow obtaining efficient delayed-input Sigma protocols with adaptive security, and efficient Fiat-Shamir NIZKs with adaptive soundness (and non-adaptive zero-knowledge) in the CRS model. Prior to our work, the latter was only possible using generic NP reductions.
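Point (i) above is the practical difference between "strong" Fiat-Shamir (challenge bound to the instance) and "weak" Fiat-Shamir (challenge over the first message only). The following is an added example, not code from the paper: it instantiates both variants on the Schnorr Sigma protocol, which is delayed-input because the first message G^r needs neither the instance nor the witness, and forge_weak_fs carries out the classic adaptive-soundness break against the weak variant: the cheating prover fixes a and z first, reads off c = H(a), and then solves for an instance X for which it holds no witness. Assumptions: a toy ~64-bit safe-prime group generated at import time (far too small for real use), SHA-256 standing in for the random oracle, and the function names, which are mine.

```python
"""Fiat-Shamir over the Schnorr Sigma protocol: strong vs. weak challenge.
Added example, not code from the paper. Toy ~64-bit safe-prime group (far
too small for real use); SHA-256 stands in for the random oracle."""
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start: int = 0x9E3779B97F4A7C15):
    """First safe prime p = 2q + 1 with q >= start (fixed start, so the
    group is reproducible across runs)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime()                 # work in the order-Q subgroup of Z_P^*
G = 4                               # quadratic residue != 1, so of order Q
WIDTH = (P.bit_length() + 7) // 8   # fixed-width encoding inside the hash


def challenge(strong: bool, X, a: int) -> int:
    """Strong FS: c = H(X || a). Weak FS: c = H(a), instance not bound."""
    h = hashlib.sha256()
    if strong:
        h.update(X.to_bytes(WIDTH, "big"))
    h.update(a.to_bytes(WIDTH, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1    # witness
    return x, pow(G, x, P)              # instance X = G^x


def prove(x: int, X: int, strong: bool = True):
    """Honest NIZK for X = G^x. The first message a needs neither X nor x
    (delayed-input); only z uses the witness."""
    r = secrets.randbelow(Q - 1) + 1
    a = pow(G, r, P)
    c = challenge(strong, X, a)
    return a, (r + c * x) % Q


def verify(X: int, a: int, z: int, strong: bool = True) -> bool:
    """Check G^z == a * X^c with c recomputed from the transcript."""
    for elem in (X, a):                 # subgroup membership, reject 1
        if not (1 < elem < P and pow(elem, Q, P) == 1):
            return False
    if not 0 <= z < Q:
        return False
    c = challenge(strong, X, a)
    return pow(G, z, P) == a * pow(X, c, P) % P


def forge_weak_fs():
    """Adaptive forgery against weak FS: fix a and z, read c = H(a), then
    solve for an instance X that verifies. No witness for X is ever known."""
    while True:
        a = pow(G, secrets.randbelow(Q - 1) + 1, P)
        z = secrets.randbelow(Q)
        c = challenge(False, None, a)
        base = pow(G, z, P) * pow(a, -1, P) % P   # G^z * a^-1
        if c != 0 and base != 1:        # need c invertible mod Q and X != 1
            break
    X = pow(base, pow(c, -1, Q), P)     # X = (G^z * a^-1)^(1/c), so a * X^c = G^z
    return X, a, z


if __name__ == "__main__":
    x, X = keygen()
    a, z = prove(x, X)
    print("honest proof, strong FS:", verify(X, a, z))
    Xf, af, zf = forge_weak_fs()
    print("forged proof, weak FS:", verify(Xf, af, zf, strong=False))
    print("same transcript, strong FS:", verify(Xf, af, zf, strong=True))
```

The forged transcript passes the weak-FS verifier and fails the strong-FS one, because once X enters the hash the attacker cannot pick X after seeing c. The code demonstrates only the attack on the weak variant; it is not a proof of adaptive soundness for the strong one, which is what the paper's correlation-intractability argument supplies. The same binding is why deployed Schnorr-style signatures hash the public key and message together with the commitment.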
On the Design of Cryptographic Primitives
The main objective of this work is twofold. On the one hand, it gives a brief overview of the area of two-party cryptographic protocols. On the other hand, it proposes new schemes and guidelines for improving the practice of robust protocol design. In order to achieve such a double goal, a tour through the descriptions of the two main cryptographic primitives is carried out. Within this survey, some of the most representative algorithms based on the Theory of Finite Fields are provided, and new general schemes and specific algorithms based on Graph Theory are proposed.
Individual Simulations
We develop an individual simulation technique that explicitly makes use of particular properties/structures of a given adversary's functionality. Using this simulation technique, we obtain the following results.
1. We construct the first protocols that break previous black-box barriers of [Xiao, TCC'11 and Alwen et al., Crypto'05] under the standard hardness of factoring, both of which are polynomial time simulatable against all a-priori bounded polynomial size distinguishers:
-- Two-round selective opening secure commitment scheme.
-- Three-round concurrent zero knowledge and concurrent witness hiding argument for NP in the bare public-key model.
2. We present a simpler two-round weak zero knowledge and witness hiding argument for NP in the plain model under the sub-exponential hardness of factoring. Our technique also yields a significantly simpler proof that existing distinguisher-dependent simulatable zero knowledge protocols are also polynomial time simulatable against all distinguishers of a-priori bounded polynomial size.
The core conceptual idea underlying our individual simulation technique is an observation of the existence of nearly optimal extractors for all hard distributions: for any NP-instance(s) sampling algorithm, there exists a polynomial-size witness extractor (depending on the sampler's functionality) that almost outperforms any circuit of a-priori bounded polynomial size in terms of the success probability.
On Black-Box Complexity and Adaptive, Universal Composability of Cryptographic Tasks
Two main goals of modern cryptography are to identify the minimal assumptions necessary to construct secure cryptographic primitives as well as to construct secure protocols in strong and realistic adversarial models. In this thesis, we address both of these fundamental questions. In the first part of this thesis, we present results on the black-box complexity of two basic cryptographic primitives: non-malleable encryption and optimally-fair coin tossing. Black-box reductions are reductions in which both the underlying primitive as well as the adversary are accessed only in an input-output (or black-box) manner. Most known cryptographic reductions are black-box. Moreover, black-box reductions are typically more efficient than non-black-box reductions. Thus, the black-box complexity of cryptographic primitives is a meaningful and important area of study which allows us to gain insight into the primitive. We study the black box complexity of non-malleable encryption and optimally-fair coin tossing, showing a positive result for the former and a negative one for the latter. Non-malleable encryption is a strong security notion for public-key encryption, guaranteeing that it is impossible to "maul" a ciphertext of a message m into a ciphertext of a related message. This security guarantee is essential for many applications such as auctions. We show how to transform, in a black-box manner, any public-key encryption scheme satisfying a weak form of security, semantic security, to a scheme satisfying non-malleability. Coin tossing is perhaps the most basic cryptographic primitive, allowing two distrustful parties to flip a coin whose outcome is 0 or 1 with probability 1/2. A fair coin tossing protocol is one in which the outputted bit is unbiased, even in the case where one of the parties may abort early. However, in the setting where parties may abort early, there is always a strategy for one of the parties to impose bias of Omega(1/r) in an r-round protocol. 
Thus, achieving bias of O(1/r) in r rounds is optimal, and it was recently shown that optimally-fair coin tossing can be achieved via a black-box reduction to oblivious transfer. We show that it cannot be achieved via a black-box reduction to one-way function, unless the number of rounds is at least Omega(n/log n), where n is the input/output length of the one-way function. In the second part of this thesis, we present protocols for multiparty computation (MPC) in the Universal Composability (UC) model that are secure against malicious, adaptive adversaries. In the standard model, security is only guaranteed in a stand-alone setting; however, nothing is guaranteed when multiple protocols are arbitrarily composed. In contrast, the UC model, introduced by (Canetti, 2000), considers the execution of an unbounded number of concurrent protocols, in an arbitrary, and adversarially controlled network environment. Another drawback of the standard model is that the adversary must decide which parties to corrupt before the execution of the protocol commences. A more realistic model allows the adversary to adaptively choose which parties to corrupt based on its evolving view during the protocol. In our work we consider the adaptive UC model, which combines these two security requirements by allowing both arbitrary composition of protocols and adaptive corruption of parties. In our first result, we introduce an improved, efficient construction of non-committing encryption (NCE) with optimal round complexity, from a weaker primitive we introduce called trapdoor-simulatable public key encryption (PKE). NCE is a basic primitive necessary to construct protocols secure under adaptive corruptions and in particular, is used to construct oblivious transfer (OT) protocols secure against semi-honest, adaptive adversaries.
Additionally, we show how to realize trapdoor-simulatable PKE from hardness of factoring Blum integers, thus achieving the first construction of NCE from hardness of factoring. In our second result, we present a compiler for transforming an OT protocol secure against a semi-honest, adaptive adversary into one that is secure against a malicious, adaptive adversary. Our compiler achieves security in the UC model, assuming access to an ideal commitment functionality, and improves over previous work achieving the same security guarantee in two ways: it uses black-box access to the underlying protocol and achieves a constant multiplicative overhead in the round complexity. Combining our two results with the work of (Ishai et al., 2008), we obtain the first black-box construction of UC and adaptively secure MPC from trapdoor-simulatable PKE and the ideal commitment functionality.
Cryptographic Algorithms for Quantum Computers
Thesis (Ph.D.) -- Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, 2022. 8. μ΄νν¬.
The advent of quantum computers presents a clear threat to existing cryptography. At the same time, quantum computers open the possibility of new cryptographic protocols built on the properties of quantum mechanics. These two perspectives gave rise, respectively, to post-quantum cryptography as a countermeasure against quantum attacks and to quantum cryptography as a new cryptographic technology that uses quantum mechanics; both are the subject of this thesis.
In this thesis, we reconsider the security of current post-quantum cryptography through new quantum attacks, models, and security proofs. We present the fine-grained quantum security of hash functions as cryptographic primitives against preprocessing adversaries. We also bring recent quantum information theoretic research into cryptography, constructing new quantum public key encryption and quantum commitment schemes. Along the way, we resolve several open problems, including the limitations of quantum algorithms with preprocessing computation, oracle separation problems in quantum complexity theory, and public key encryption from group actions.
1 Introduction
1.1 Contributions
1.2 Related Works
1.3 Research Papers
2 Preliminaries
2.1 Quantum Computations
2.2 Quantum Algorithms
2.3 Cryptographic Primitives
I Post-Quantum Cryptography: Attacks, New Models, and Proofs
3 Quantum Cryptanalysis
3.1 Introduction
3.2 QROM-AI Algorithm for Function Inversion
3.3 Quantum Multiple Discrete Logarithm Problem
3.4 Discussion and Open Problems
4 Quantum Random Oracle Model with Classical Advice
4.1 Quantum ROM with Auxiliary Input
4.2 Function Inversion
4.3 Pseudorandom Generators
4.4 Post-quantum Primitives
4.5 Discussion and Open Problems
5 Quantum Random Permutations with Quantum Advice
5.1 Bound for Inverting Random Permutations
5.2 Preparation
5.3 Proof of Theorem
5.4 Implication in Complexity Theory
5.5 Discussion and Open Problems
II Quantum Cryptography: Public-key Encryptions and Bit Commitments
6 Equivalence Theorem
6.1 Equivalence Theorem
6.2 Non-uniform Equivalence Theorem
6.3 Proof of Equivalence Theorem
7 Quantum Public Key Encryption
7.1 Swap-trapdoor Function Pairs
7.2 Quantum-Ciphertext Public Key Encryption
7.3 Group Action based Construction
7.4 Lattice based Construction
7.5 Discussion and Open Problems
7.6 Deferred Proof
8 Quantum Bit Commitment
8.1 Quantum Commitments
8.2 Efficient Conversion
8.3 Applications of Conversion
8.4 Discussion and Open Problems