3,207 research outputs found
Fully leakage-resilient signatures revisited: Graceful degradation, noisy leakage, and construction in the bounded-retrieval model
We construct new leakage-resilient signature schemes. Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience), including the random coin tosses of the signing algorithm. The main feature of our constructions is that they offer a graceful degradation of security in situations where standard existential unforgeability is impossible
Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes
We present here a new family of trapdoor one-way Preimage Sampleable
Functions (PSF) based on codes, the Wave-PSF family. The trapdoor function is
one-way under two computational assumptions: the hardness of generic decoding
for high weights and the indistinguishability of generalized -codes.
Our proof follows the GPV strategy [GPV08]. By including rejection sampling, we
ensure the proper distribution for the trapdoor inverse output. The domain
sampling property of our family is ensured by using and proving a variant of
the left-over hash lemma. We instantiate the new Wave-PSF family with ternary
generalized -codes to design a "hash-and-sign" signature scheme which
achieves existential unforgeability under adaptive chosen message attacks
(EUF-CMA) in the random oracle model. For 128 bits of classical security,
signature sizes are in the order of 15 thousand bits, the public key size in
the order of 4 megabytes, and the rejection rate is limited to one rejection
every 10 to 12 signatures.Comment: arXiv admin note: text overlap with arXiv:1706.0806
Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain
secure in the presence of a quantum adversary - has generated elegant proposals
for new cryptosystems. Some of these systems are set in the random oracle model
and are proven secure relative to adversaries that have classical access to the
random oracle. We argue that to prove post-quantum security one needs to prove
security in the quantum-accessible random oracle model where the adversary can
query the random oracle with quantum states.
We begin by separating the classical and quantum-accessible random oracle
models by presenting a scheme that is secure when the adversary is given
classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. We then set out to develop generic conditions
under which a classical random oracle proof implies security in the
quantum-accessible random oracle model. We introduce the concept of a
history-free reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history
of previous queries, and we prove that such reductions imply security in the
quantum model. We then show that certain post-quantum proposals, including ones
based on lattices, can be proven secure using history-free reductions and are
therefore post-quantum secure. We conclude with a rich set of open problems in
this area.Comment: 38 pages, v2: many substantial changes and extensions, merged with a
related paper by Boneh and Zhandr
Classical Verification of Quantum Computations
We present the first protocol allowing a classical computer to interactively
verify the result of an efficient quantum computation. We achieve this by
constructing a measurement protocol, which enables a classical verifier to use
a quantum prover as a trusted measurement device. The protocol forces the
prover to behave as follows: the prover must construct an n qubit state of his
choice, measure each qubit in the Hadamard or standard basis as directed by the
verifier, and report the measurement results to the verifier. The soundness of
this protocol is enforced based on the assumption that the learning with errors
problem is computationally intractable for efficient quantum machines
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figure
A CCA2 Secure Variant of the McEliece Cryptosystem
The McEliece public-key encryption scheme has become an interesting
alternative to cryptosystems based on number-theoretical problems. Differently
from RSA and ElGa- mal, McEliece PKC is not known to be broken by a quantum
computer. Moreover, even tough McEliece PKC has a relatively big key size,
encryption and decryption operations are rather efficient. In spite of all the
recent results in coding theory based cryptosystems, to the date, there are no
constructions secure against chosen ciphertext attacks in the standard model -
the de facto security notion for public-key cryptosystems. In this work, we
show the first construction of a McEliece based public-key cryptosystem secure
against chosen ciphertext attacks in the standard model. Our construction is
inspired by a recently proposed technique by Rosen and Segev
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Strongly unforgeable signature schemes provide a more stringent security
guarantee than the standard existential unforgeability. It requires that not
only forging a signature on a new message is hard, it is infeasible as well to
produce a new signature on a message for which the adversary has seen valid
signatures before. Strongly unforgeable signatures are useful both in practice
and as a building block in many cryptographic constructions.
This work investigates a generic transformation that compiles any
existential-unforgeable scheme into a strongly unforgeable one, which was
proposed by Teranishi et al. and was proven in the classical random-oracle
model. Our main contribution is showing that the transformation also works
against quantum adversaries in the quantum random-oracle model. We develop
proof techniques such as adaptively programming a quantum random-oracle in a
new setting, which could be of independent interest. Applying the
transformation to an existential-unforgeable signature scheme due to Cash et
al., which can be shown to be quantum-secure assuming certain lattice problems
are hard for quantum computers, we get an efficient quantum-secure strongly
unforgeable signature scheme in the quantum random-oracle model.Comment: 15 pages, to appear in Proceedings TQC 201
Constructing Permutation Rational Functions From Isogenies
A permutation rational function is a rational function
that induces a bijection on , that is, for all
there exists exactly one such that . Permutation
rational functions are intimately related to exceptional rational functions,
and more generally exceptional covers of the projective line, of which they
form the first important example.
In this paper, we show how to efficiently generate many permutation rational
functions over large finite fields using isogenies of elliptic curves, and
discuss some cryptographic applications. Our algorithm is based on Fried's
modular interpretation of certain dihedral exceptional covers of the projective
line (Cont. Math., 1994)
- …