URDP: General Framework for Direct CCA2 Security from any Lattice-Based PKE Scheme

Design efficient lattice-based cryptosystem secure against adaptive chosen ciphertext attack (IND-CCA2) is a challenge problem. To the date, full CCA2-security of all proposed lattice-based PKE schemes achieved by using a generic transformations such as either strongly unforgeable one-time signature schemes (SU-OT-SS), or a message authentication code (MAC) and weak form of commitment. The drawback of these schemes is that encryption requires "separate encryption". Therefore, the resulting encryption scheme is not sufficiently efficient to be used in practice and it is inappropriate for many applications such as small ubiquitous computing devices with limited resources such as smart cards, active RFID tags, wireless sensor networks and other embedded devices. In this work, for the first time, we introduce an efficient universal random data padding (URDP) scheme, and show how it can be used to construct a "direct" CCA2-secure encryption scheme from "any" worst-case hardness problems in (ideal) lattice in the standard model, resolving a problem that has remained open till date. This novel approach is a "black-box" construction and leads to the elimination of separate encryption, as it avoids using general transformation from CPA-secure scheme to a CCA2-secure one. IND-CCA2 security of this scheme can be tightly reduced in the standard model to the assumption that the underlying primitive is an one-way trapdoor function.Comment: arXiv admin note: text overlap with arXiv:1302.0347, arXiv:1211.6984; and with arXiv:1205.5224 by other author

Multilinear Maps in Cryptography

Multilineare Abbildungen spielen in der modernen Kryptographie eine immer bedeutendere Rolle. In dieser Arbeit wird auf die Konstruktion, Anwendung und Verbesserung von multilinearen Abbildungen eingegangen

A CCA2 Secure Variant of the McEliece Cryptosystem

The McEliece public-key encryption scheme has become an interesting alternative to cryptosystems based on number-theoretical problems. Differently from RSA and ElGa- mal, McEliece PKC is not known to be broken by a quantum computer. Moreover, even tough McEliece PKC has a relatively big key size, encryption and decryption operations are rather efficient. In spite of all the recent results in coding theory based cryptosystems, to the date, there are no constructions secure against chosen ciphertext attacks in the standard model - the de facto security notion for public-key cryptosystems. In this work, we show the first construction of a McEliece based public-key cryptosystem secure against chosen ciphertext attacks in the standard model. Our construction is inspired by a recently proposed technique by Rosen and Segev

A CCA2 secure Code based encryption scheme in the Standard Model

This paper proposes an encryption scheme secureagainst chosen cipher text attack, built on the Niederreiterencryption scheme. The security of the scheme is based on thehardness of the Syndrome Decoding problem and the Goppa CodeDistinguishability problem. The scheme uses the techniques providedby Peikert and Waters using the lossy trapdoor functions.Compared to the existing IND-CCA2 secure variants in standardmodel due to Dowsley et.al. and Freeman et. al. (using the repetition paradigm initiated by Rosen and Segev), this schemeis more efficient as it avoids repetitions

Correlation-Intractable Hash Functions via Shift-Hiding

A hash function family $\mathcal{H}$ is correlation intractable for a $t$-input relation $\mathcal{R}$ if, given a random function $h$ chosen from $\mathcal{H}$, it is hard to find $x_1,\ldots,x_t$ such that $\mathcal{R}(x_1,\ldots,x_t,h(x_1),\ldots,h(x_t))$ is true. Among other applications, such hash functions are a crucial tool for instantiating the Fiat-Shamir heuristic in the plain model, including the only known NIZK for NP based on the learning with errors (LWE) problem (Peikert and Shiehian, CRYPTO 2019). We give a conceptually simple and generic construction of single-input CI hash functions from shift-hiding shiftable functions (Peikert and Shiehian, PKC 2018) satisfying an additional one-wayness property. This results in a clean abstract framework for instantiating CI, and also shows that a previously existing function family (PKC 2018) was already CI under the LWE assumption. In addition, our framework transparently generalizes to other settings, yielding new results: - We show how to instantiate certain forms of multi-input CI under the LWE assumption. Prior constructions either relied on a very strong ``brute-force-is-best\u27\u27 type of hardness assumption (Holmgren and Lombardi, FOCS 2018) or were restricted to ``output-only\u27\u27 relations (Zhandry, CRYPTO 2016). - We construct single-input CI hash functions from indistinguishability obfuscation (iO) and one-way permutations. Prior constructions relied essentially on variants of fully homomorphic encryption that are impossible to construct from such primitives. This result also generalizes to more expressive variants of multi-input CI under iO and additional standard assumptions

Correlated Product Security from Any One-Way Function

It is well-known that the k-wise product of one-way functions remains one-way, but may no longer be when the k inputs are correlated. At TCC 2009, Rosen and Segev introduced a new notion known as Correlated Product secure functions. These functions have the property that a k-wise product of them remains one-way even under correlated inputs. Rosen and Segev gave a construction of injective trapdoor functions which were correlated product secure from the existence of Lossy Trapdoor Functions (introduced by Peikert and Waters in STOC 2008). The first main result of this work shows the surprising fact that a family of correlated prod-uct secure functions can be constructed from any one-way function. Because correlated product secure functions are trivially one-way, this shows an equivalence between the existence of these two cryptographic primitives. In the second main result of this work, we consider a natural decisional variant of correlated product security. Roughly, a family of functions are Decisional Correlated Product (DCP) secure if f1(x1),..., fk(x1) is indistinguishable from f1(x1),..., fk(xk) when x1,..., xk are chosen uniformly at random

On Homomorphic Encryption and Chosen-Ciphertext Security

Abstract. Chosen-Ciphertext (IND-CCA) security is generally consid-ered the right notion of security for a cryptosystem. Because of its central importance much effort has been devoted to constructing IND-CCA se-cure cryptosystems. In this work, we consider constructing IND-CCA secure cryptosystems from (group) homomorphic encryption. Our main results give natural and efficient constructions of IND-CCA secure cryptosystems from any homomorphic encryption scheme that satisfies weak cyclic properties, either in the plaintext, ciphertext or randomness space. Our results have the added benefit of being simple to describe and analyze

Cryptography based on the Hardness of Decoding

This thesis provides progress in the fields of for lattice and coding based cryptography. The first contribution consists of constructions of IND-CCA2 secure public key cryptosystems from both the McEliece and the low noise learning parity with noise assumption. The second contribution is a novel instantiation of the lattice-based learning with errors problem which uses uniform errors

Lossy Trapdoor Permutations with Improved Lossiness

Lossy trapdoor functions (Peikert and Waters, STOC 2008 and SIAM J. Computing 2011) imply, via black-box transformations, a number of interesting cryptographic primitives, including chosen-ciphertext secure public-key encryption. Kiltz, O\u27Neill, and Smith (CRYPTO 2010) showed that the RSA trapdoor permutation is lossy under the Phi-hiding assumption, but syntactically it is not a lossy trapdoor function since it acts on Z_N and not on strings. Using a domain extension technique by Freeman et al. (PKC 2010 and J. Cryptology 2013) it can be extended to a lossy trapdoor permutation, but with considerably reduced lossiness. In this work we give new constructions of lossy trapdoor permutations from the Phi-hiding assumption, the quadratic residuosity assumption, and the decisional composite residuosity assumption, all with improved lossiness. Furthermore, we propose the first all-but-one lossy trapdoor permutation from the Phi-hiding assumption. A technical vehicle used for achieving this is a novel transform that converts trapdoor functions with index-dependent domain into trapdoor functions with fixed domain