Naor-Yung paradigm with shared randomness and applications
The Naor-Yung paradigm (Naor and Yung, STOC’90) allows one to generically boost security under chosen-plaintext attacks (CPA) to security against chosen-ciphertext attacks (CCA) for public-key encryption (PKE) schemes. The main idea is to encrypt the plaintext twice (under independent public keys), and to append a non-interactive zero-knowledge (NIZK) proof that the two ciphertexts indeed encrypt the same message. Later work by Camenisch, Chandran, and Shoup (Eurocrypt’09) and Naor and Segev (Crypto’09 and SIAM J. Comput.’12) established that the very same techniques can also be used in the settings of key-dependent message (KDM) and key-leakage attacks (respectively). In this paper we study the conditions under which the two ciphertexts in the Naor-Yung construction can share the same random coins. We find that this is possible, provided that the underlying PKE scheme meets an additional simple property. The motivation for re-using the same random coins is that this allows one to design much more efficient NIZK proofs. We showcase such an improvement in the random oracle model, under standard complexity assumptions including Decisional Diffie-Hellman, Quadratic Residuosity, and Subset Sum. The length of the resulting ciphertexts is reduced by 50%, yielding truly efficient PKE schemes achieving CCA security under KDM and key-leakage attacks. As an additional contribution, we design the first PKE scheme whose CPA security under KDM attacks can be directly reduced to (low-density instances of) the Subset Sum assumption. The scheme supports key-dependent messages computed via any affine function of the secret ke
Improved bounds in the scaled Enflo type inequality for Banach spaces
It is shown that if $(X,\|\cdot\|_X)$ is a Banach space with Rademacher type $p \ge 1$, then for every integer $n$ there exists an even integer $m < Cn^{2-1/p}\log n$ ($C$ is an absolute constant), such that for every $f:\mathbb{Z}_m^n \to X$,
$$\operatorname{Avg}_{x,\varepsilon}\big[\|f(x+m\varepsilon/2)-f(x)\|_X^p\big] < C(p,X)\, m^p \sum_{j=1}^n \operatorname{Avg}_x\big[\|f(x+e_j)-f(x)\|_X^p\big],$$
where the expectation is with respect to uniformly chosen $x \in \mathbb{Z}_m^n$ and $\varepsilon \in \{-1,1\}^n$, and $C(p,X)$ is a constant that depends on $p$ and the Rademacher type constant of $X$. This improves a bound of $m < Cn^{3-2/p}$ that was obtained in [Mendel, Naor 2007]. The proof is based on an augmentation of the "smoothing and approximation" scheme, which was implicit in [Mendel, Naor 2007].
Permutation graphs, fast forward permutations, and sampling the cycle structure of a permutation
A permutation $P$ on $\{1,\dots,N\}$ is a *fast forward permutation* if for each $m$ the computational complexity of evaluating $P^m(x)$ is small independently of $m$ and $x$. Naor and Reingold constructed fast forward pseudorandom cycluses and involutions. By studying the evolution of permutation graphs, we prove that the number of queries needed to distinguish a random cyclus from a random permutation on $\{1,\dots,N\}$ is $\Theta(N)$ if one does not use queries of the form $P^m(x)$, but is only $\Theta(1)$ if one is allowed to make such queries.

We construct fast forward permutations which are indistinguishable from random permutations even when queries of the form $P^m(x)$ are allowed. This is done by introducing an efficient method to sample the cycle structure of a random permutation, which in turn solves an open problem of Naor and Reingold.
Low-distortion embeddings of graphs with large girth
The main purpose of the paper is to construct a sequence of graphs of constant degree with indefinitely growing girths admitting embeddings into with uniformly bounded distortions. This result answers the problem posed by N. Linial, A. Magen, and A. Naor (2002).
Uniform nonextendability from nets
It is shown that there exist Banach spaces , a -net of and a Lipschitz function such that every that extends is not uniformly continuous.