
    Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions

    KDM[$\mathcal{F}$]-CCA secure public-key encryption (PKE) protects the security of a message $f(sk)$, with $f \in \mathcal{F}$, that is computed directly from the secret key, even if the adversary has access to a decryption oracle. An efficient KDM[$\mathcal{F}_{\text{aff}}$]-CCA secure PKE scheme for affine functions was proposed by Lu, Li and Jia (LLJ, EUROCRYPT 2015). We point out that their security proof cannot go through based on the DDH assumption. In this paper, we introduce a new concept, _Authenticated Encryption with Auxiliary-Input_ ($\mathsf{AIAE}$), and define for it new security notions dealing with related-key attacks, namely _IND-RKA security_ and _weak INT-RKA security_. We also construct such an $\mathsf{AIAE}$ w.r.t. a set of restricted affine functions from the DDH assumption. With our $\mathsf{AIAE}$, (i) we construct the first efficient KDM[$\mathcal{F}_{\text{aff}}$]-CCA secure PKE w.r.t. affine functions with compact ciphertexts, which consist only of a constant number of group elements; (ii) we construct the first efficient KDM[$\mathcal{F}_{\text{poly}}^d$]-CCA secure PKE w.r.t. polynomial functions of bounded degree $d$ with almost compact ciphertexts, where the number of group elements in a ciphertext is polynomial in $d$ and independent of the security parameter. Both of our PKEs are based on the DDH and DCR assumptions, and are free of NIZK and free of pairing.

    Efficient public-key cryptography with bounded leakage and tamper resilience

    We revisit the question of constructing public-key encryption and signature schemes with security in the presence of bounded leakage and memory tampering attacks. For signatures we obtain the first construction in the standard model; for public-key encryption we obtain the first construction free of pairing (avoiding non-interactive zero-knowledge proofs). Our constructions are based on generic building blocks and, as we show, also admit efficient instantiations under fairly standard number-theoretic assumptions. The model of bounded tamper resistance was recently put forward by Damgård et al. (ASIACRYPT 2013) as an attractive path to achieve security against arbitrary memory tampering attacks without making hardware assumptions (such as the existence of a protected self-destruct or key-update mechanism), the only restriction being on the number of allowed tampering attempts (which is a parameter of the scheme). This makes it possible to circumvent known impossibility results for unrestricted tampering (Gennaro et al., TCC 2010), while still capturing realistic tampering attacks.

    A Framework for Achieving KDM-CCA Secure Public-Key Encryption

    We propose a framework for achieving a public-key encryption (PKE) scheme that satisfies key-dependent message security against chosen-ciphertext attacks (KDM-CCA security) based on projective hash functions. Our framework can be instantiated under the decisional Diffie-Hellman (DDH), quadratic residuosity (QR), and decisional composite residuosity (DCR) assumptions. The constructed schemes are KDM-CCA secure with respect to affine functions and compatible with the amplification method shown by Applebaum (EUROCRYPT 2011). Thus, they lead to PKE schemes satisfying KDM-CCA security for all functions computable by a-priori bounded-size circuits. They are the first PKE schemes satisfying such a security notion in the standard model using neither non-interactive zero-knowledge proofs nor bilinear pairings. The above framework based on projective hash functions captures only KDM-CCA security in the single-user setting. However, we can prove the KDM-CCA security in the multi-user setting of our concrete instantiations by using their algebraic structures explicitly. In particular, we prove that our DDH-based scheme satisfies KDM-CCA security in the multi-user setting with the same parameter setting as in the single-user setting.

    Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle

    We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict the bounds claimed in their final-round specification documents. For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for an $n$-bit block, while the claimed bound contains $O(q_e^2/2^n)$. This positively solves an open question posed in [Khairallah, ePrint 2021/648 (also accepted at FSE 2022)]. For Photon-Beetle, we show an attack using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q_e^2/2^b)$ for a $b$-bit block permutation, which is significantly larger than the claimed bound, which is independent of the number of encryption queries. We also show a simple tag-guessing attack that violates the INT-CTXT bound when the rate $r = 32$. Then, we analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers [Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint 2019/1475]. As a side result of our security analysis of Photon-Beetle, we point out that a simple and efficient forgery attack is possible in the related-key setting. We emphasize that our results do not contradict the claimed "bit security" in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n = 128$, and Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b = 256$ and $r = 128$, where $r$ is the rate. We also note that security against related-key attacks is not included in the security requirements of NIST LwC, and is not claimed by the designers.
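    To make the distinction between "bound violated" and "bit security intact" concrete, the following is an added illustration (not part of the abstract) that only instantiates the two GIFT-COFB expressions quoted above at $n = 128$. The attack succeeds with probability $O(q_e/2^{n/2}) = O(q_e/2^{64})$, whereas the specification's term is $O(q_e^2/2^n) = O(q_e^2/2^{128})$. Their ratio is $\dfrac{q_e/2^{n/2}}{q_e^2/2^{n}} = \dfrac{2^{n/2}}{q_e}$, so the gap is largest for few queries: at $q_e = 2^{32}$ the attack succeeds with probability about $2^{-32}$ while the claimed bound promised about $2^{-64}$. Both expressions only reach a constant when $q_e \approx 2^{n/2} = 2^{64}$, and $2^{64} > 2^{57}$, where $57 = n/2 - \log n = 64 - 7$ is the claimed bit security for $n = 128$; this is why the attack contradicts the stated bound without contradicting the stated bit security. The same reasoning applies to the Photon-Beetle term $O(q_e^2/2^b)$: it grows with $q_e$ while the claimed bound does not, yet at $b = 256$ it remains far below $2^{-(b/2 - \log b/2)}$ for any practical number of queries.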

    Generic Constructions of Robustly Reusable Fuzzy Extractor

    A robustly reusable fuzzy extractor (rrFE) considers reusability and robustness simultaneously. We present two approaches to the generic construction of rrFE. Both approaches make use of a secure sketch and universal hash functions. The first approach also employs a special pseudo-random function (PRF), namely a unique-input key-shift (ui-ks) secure PRF, and the second uses a key-shift secure auxiliary-input authenticated encryption (AIAE). The ui-ks security of the PRF (resp. key-shift security of the AIAE), together with the homomorphic properties of the secure sketch and universal hash function, guarantees the reusability and robustness of the rrFE. We also show one instantiation of each approach. The first instantiation results in the first rrFE from the LWE assumption, while the second results in the first rrFE from the DDH assumption over non-pairing groups.

    Careful with Composition: Limitations of Indifferentiability and Universal Composability

    We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, key-dependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiability-style composition theorem covering such multi-stage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosen-distribution attack security (which requires a multi-stage game) of some important public-key encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton.

    ZEBRA: SNARK-based Anonymous Credentials for Practical, Private and Accountable On-chain Access Control

    Restricting access to certified users is not only desirable for many blockchain applications, it is also legally mandated for decentralized finance (DeFi) applications to counter malicious actors. Existing solutions, however, are either (i) non-private, i.e., they reveal the link between users and their wallets to the authority granting credentials, or (ii) they introduce additional trust assumptions by relying on a decentralized oracle to verify anonymous credentials (ACs). To remove the additional trust in the latter approach, we propose verifying credentials on-chain in this work. We find that this approach has impractical costs with prior AC schemes, and propose a new AC scheme, ZEBRA, that crucially relies on zkSNARKs to provide efficient on-chain verification for the first time. In addition to the standard unlinkability property that provides privacy for users, ZEBRA also supports auditability, revocation, traceability, and theft detection, which adds accountability for malicious users and convenience for honest users to our access control solution. Even with these properties, ZEBRA reduces the gas cost incurred on the Ethereum Virtual Machine (EVM) by 14.3x when compared to Coconut [NDSS 2019], the state-of-the-art AC scheme for blockchains that only provides unlinkability. This improvement translates to a reduction in transaction fees from 176 USD to 12 USD on Ethereum in May 2023. Since 12 USD is still high for most applications, ZEBRA further drives down credential verification costs through batched verification. For a batch of 512 layer-1 and layer-2 wallets, the transaction fee on Ethereum is reduced to just 0.44 USD and 0.02 USD, respectively, which is comparable to the minimum transaction costs on Ethereum.

    Efficient KDM-CCA Secure Public-Key Encryption via Auxiliary-Input Authenticated Encryption

    KDM[$\mathcal{F}$]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages $f(sk)$ which are closely related to the secret key $sk$, where $f \in \mathcal{F}$, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from a tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE), and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[$\mathcal{F}_{\text{aff}}$]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously; (ii) our second PKE construction is the first one achieving KDM[$\mathcal{F}_{\text{poly}}^d$]-CCA security for the set of polynomial functions of bounded degree $d$ and almost-compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.