Simpler Constructions of Asymmetric Primitives from Obfuscation

We revisit constructions of asymmetric primitives from obfuscation and give simpler alternatives. We consider public-key encryption, (hierarchical) identity-based encryption ((H)IBE), and predicate encryption. Obfuscation has already been shown to imply PKE by Sahai and Waters (STOC\u2714) and full-fledged functional encryption by Garg et al. (FOCS\u2713). We simplify all these constructions and reduce the necessary assumptions on the class of circuits that the obfuscator needs to support. Our PKE scheme relies on just a PRG and does not need any puncturing. Our IBE and bounded HIBE schemes convert natural key-delegation mechanisms from (recursive) applications of puncturable PRFs to IBE and HIBE schemes. Our most technical contribution is an unbounded HIBE, which uses (public-coin) differing-inputs obfuscation for circuits and whose proof relies on a recent pebbling-based hybrid argument by Fuchsbauer et al. (ASIACRYPT\u2714). All our constructions are anonymous, support arbitrary inputs, and have compact keys and ciphertexts

Cumulatively All-Lossy-But-One Trapdoor Functions from Standard Assumptions

International audienceChakraborty, Prabhakaran, and Wichs (PKC'20) recently introduced a new tag-based variant of lossy trapdoor functions, termed cumulatively all-lossy-but-one trapdoor functions (CALBO-TDFs). Informally, CALBO-TDFs allow defining a public tag-based function with a (computationally hidden) special tag, such that the function is lossy for all tags except when the special secret tag is used. In the latter case, the function becomes injective and efficiently invertible using a secret trapdoor. This notion has been used to obtain advanced constructions of signatures with strong guarantees against leakage and tampering, and also by Dodis, Vaikunthanathan, and Wichs (EUROCRYPT'20) to obtain constructions of randomness extractors with extractor-dependent sources. While these applications are motivated by practical considerations, the only known instantiation of CALBO-TDFs so far relies on the existence of indistinguishability obfuscation. In this paper, we propose the first two instantiations of CALBO-TDFs based on standard assumptions. Our constructions are based on the LWE assumption with a sub-exponential approximation factor and on the DCR assumption, respectively, and circumvent the use of indistinguishability obfuscation by relying on lossy modes and trapdoor mechanisms enabled by these assumptions

A Detailed Analysis of Fiat-Shamir with Aborts

Lyubashevky\u27s signatures are based on the Fiat-Shamir with Aborts paradigm. It transforms an interactive identification protocol that has a non-negligible probability of aborting into a signature by repeating executions until a loop iteration does not trigger an abort. Interaction is removed by replacing the challenge of the verifier by the evaluation of a hash function, modeled as a random oracle in the analysis. The access to the random oracle is classical (ROM), resp. quantum (QROM), if one is interested in security against classical, resp. quantum, adversaries. Most analyses in the literature consider a setting with a bounded number of aborts (i.e., signing fails if no signature is output within a prescribed number of loop iterations), while practical instantiations (e.g., Dilithium) run until a signature is output (i.e., loop iterations are unbounded). In this work, we emphasize that combining random oracles with loop iterations induces numerous technicalities for analyzing correctness, run-time, and security of the resulting schemes, both in the bounded and unbounded case. As a first contribution, we put light on errors in all existing analyses. We then provide two detailed analyses in the QROM for the bounded case, adapted from Kiltz et al. [EUROCRYPT\u2718] and Grilo et al. [ASIACRYPT\u2721]. In the process, we prove the underlying $\Sigma$-protocol to achieve a stronger zero-knowledge property than usually considered for $\Sigma$-protocols with aborts, which enables a corrected analysis. A further contribution is a detailed analysis in the case of unbounded aborts, the latter inducing several additional subtleties

Constrained Pseudorandom Functions from Homomorphic Secret Sharing

We propose and analyze a simple strategy for constructing 1-key constrained pseudorandom functions (CPRFs) from homomorphic secret sharing. In the process, we obtain the following contributions. First, we identify desirable properties for the underlying HSS scheme for our strategy to work. Second, we show that (most) recent existing HSS schemes satisfy these properties, leading to instantiations of CPRFs for various constraints and from various assumptions. Notably, we obtain the first (1-key selectively secure, private) CPRFs for inner-product and (1-key selectively secure) CPRFs for NC 1 from the DCR assumption, and more. Lastly, we revisit two applications of HSS, equipped with these additional properties, to secure computation: we obtain secure computation in the silent preprocessing model with one party being able to precompute its whole preprocessing material before even knowing the other party, and we construct one-sided statistically secure computation with sublinear communication for restricted forms of computation

New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More

International audienceNon-interactive zero-knowledge proofs (NIZKs) are important primitives in cryptography. A major challenge since the early works on NIZKs has been to construct NIZKs with a statistical zero-knowledge guarantee against unbounded verifiers. In the common reference string (CRS) model, such "statistical NIZK arguments" are currently known from k-Lin in a pairing-group and from LWE. In the (reusable) designated-verifier model (DV-NIZK), where a trusted setup algorithm generates a reusable verification key for checking proofs, we also have a construction from DCR. If we relax our requirements to computational zero-knowledge, we additionally have NIZKs from factoring and CDH in a pairing group in the CRS model, and from nearly all assumptions that imply public-key encryption (e.g., CDH, LPN, LWE) in the designated-verifier model. Thus, there still remains a gap in our understanding of statistical NIZKs in both the CRS and the designated-verifier models. In this work, we develop new techniques for constructing statistical NIZK arguments. First, we construct statistical DV-NIZK arguments from the k-Lin assumption in pairing-free groups, the QR assumption, and the DCR assumption. These are the first constructions in pairing-free groups and from QR that satisfy statistical zero-knowledge. All of our constructions are secure even if the verification key is chosen maliciously (i.e., they are "malicious-designated-verifier" NIZKs), and moreover, they satisfy a "dual-mode" property where the CRS can be sampled from two computationally indistinguishable distributions: one distribution yields statistical DV-NIZK arguments while the other yields computational DV-NIZK proofs. We then show how to adapt our k-Lin construction in a pairing group to obtain new publicly-verifiable statistical NIZK arguments from pairings with a qualitatively weaker assumption than existing constructions of pairing-based statistical NIZKs. Our constructions follow the classic paradigm of Feige, Lapidot, and Shamir (FLS). While the FLS framework has traditionally been used to construct computational (DV)-NIZK proofs, we newly show that the same framework can be leveraged to construct dual-mode (DV)-NIZKs

Caractérisations algébriques pour les fonctions pseudo-aléatoires

In this thesis, we study the algebraic structure underlying number-theoretic pseudorandom functions. Specifically, we define an algebraic framework that translates the pseudorandomness of a particular form of functions into a simple algebraic property. The resulting generic framework encompasses most of existing constructions and naturally extends to related primitives, such as related-key secure, aggregate, and multilinear pseudorandom functions. This framework holds under a family of MDDH assumptions, that contains especially different classical assumptions, such as DDH, DLin, or k-Lin. Therefore, setting accordingly the parameters in the constructions, our framework can be used to construct secure pseudorandom functions (or related primitives) whose security holds under these assumptions. Finally, we also study more specifically the case of related-key security. On the one hand, we propose a fix and some extensions to the Bellare-Cash framework and then build pseudorandom functions secure against larger classes of attacks. On the other hand, we construct the first pseudorandom function provably secure against XOR attacks. The latter construction relies on the existence of a weak form of multilinear maps.Dans cette thèse, nous étudions la structure algébrique sous-jacente aux fonctions pseudo-aléatoires basées sur la théorie des nombres. Précisément, nous montrons que le caractère pseudo-aléatoire de fonctions d’une forme particulière est équivalent au fait que ces fonctions vérifient une propriété algébrique simple. Cette caractérisation algébrique s’applique à la plupart des constructions connues et s’étend naturellement aux généralisations des fonctions pseudo-aléatoires, par exemple aux fonctions pseudo-aléatoires sûres contre les attaques par clés liées, multilinéaires ou supportant l’agrégation. Cette caractérisation repose sur une famille d’hypothèses MDDH, qui contient en particulier différentes hypothèses classiques, comme DDH, DLin, ou k-Lin. Ainsi, en choisissant les paramètres des constructions selon, ce résultat permet de construire des fonctions pseudo-aléatoires (ou leurs généralisations) prouvées sûres sous ces différentes hypothèses. Enfin, nous étudions également plus précisément le cas de la sécurité contre les attaques par clés liées. D’une part, nous corrigeons et étendons la transformation proposée par Bellare et Cash pour ensuite construire de nouvelles fonctions pseudo-aléatoires sûres contre des attaques par clés liées plus puissantes. D’autre part, nous construisons la première fonction pseudo-aléatoire prouvée sûre contre des attaques par XOR. Cette construction repose sur l’existence d’une forme faible d’applications multilinéaires