26 research outputs found

    Discrete Morse theory for the collapsibility of supremum sections

    The Dushnik-Miller dimension of a poset $\le$ is the minimal number $d$ of linear extensions $\le_1, \ldots, \le_d$ of $\le$ such that $\le$ is the intersection of $\le_1, \ldots, \le_d$. Supremum sections are simplicial complexes introduced by Scarf and are linked to the Dushnik-Miller dimension as follows: the inclusion poset of a simplicial complex is of Dushnik-Miller dimension at most $d$ if and only if it is included in a supremum section coming from a representation of dimension $d$. Collapsibility is a topological property of simplicial complexes which was introduced by Whitehead and which resembles shellability. While Ossona de Mendez proved that a particular type of supremum sections is shellable, we show in this article that supremum sections are in general collapsible, thanks to the discrete Morse theory developed by Forman.

    Internal Compression of Protocols to Entropy

    We study internal compression of communication protocols to their internal entropy, which is the entropy of the transcript from the players' perspective. We provide two internal compression schemes with error. One is of a protocol of Feige et al. for finding the first difference between two strings. The second and main one is an internal compression with error epsilon > 0 of a protocol with internal entropy H^{int} and communication complexity C to a protocol with communication at most of order (H^{int}/epsilon)^2 * log(log(C)). This immediately implies a similar compression to the internal information of public-coin protocols, which provides an exponential improvement over previously known public-coin compressions in the dependence on C. It further shows that in a recent protocol of Ganor, Kol and Raz, it is impossible to move the private randomness to be public without an exponential cost. To the best of our knowledge, no such example was previously known.

    On the Inner Product Predicate and a Generalization of Matching Vector Families

    Motivated by cryptographic applications such as predicate encryption, we consider the problem of representing an arbitrary predicate as the inner product predicate on two vectors. Concretely, fix a Boolean function P and some modulus q. We are interested in encoding x to x_vector and y to y_vector so that P(x,y) = 1 if and only if $\langle x_{vector}, y_{vector} \rangle = 0 \bmod q$, where the vectors should be as short as possible. This problem can also be viewed as a generalization of matching vector families, which corresponds to the equality predicate. Matching vector families have been used in the constructions of Ramsey graphs, private information retrieval (PIR) protocols, and more recently, secret sharing. Our main result is a simple lower bound that allows us to show that known encodings for many predicates considered in the cryptographic literature, such as greater than and threshold, are essentially optimal for prime modulus q. Using this approach, we also prove lower bounds on encodings for composite q, and then show tight upper bounds for such predicates as greater than, index and disjointness.
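    The encoding problem in the abstract above, as an added illustration that is not code from the paper: a length-2 encoding of the equality predicate, and a generic "polynomial root" encoding of length N+1 that turns any predicate given by its accepting sets into an inner-product-zero test. Both encodings are standard textbook constructions assumed here for illustration, not the paper's constructions or its bounds; the exhaustive checker also shows why the prime-modulus condition matters, since the root encoding picks up spurious zeros for composite q.

```python
"""Predicates as inner-product tests modulo q.

Added illustration (not from the paper).  Target relation:
    P(x, y) = 1   <=>   <x_vec, y_vec> = 0 (mod q)
Encodings used here are assumed standard constructions, not the paper's.
"""


def inner_product(u, v, q):
    """<u, v> mod q for equal-length integer vectors."""
    assert len(u) == len(v), "vectors must have the same length"
    return sum(a * b for a, b in zip(u, v)) % q


def _poly_mul(a, b, q):
    """Multiply two coefficient vectors (lowest degree first) modulo q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def encode_equality(x, y, q):
    """Equality on [q] with vectors of length 2:
    <(1, x), (-y, 1)> = x - y, which is 0 mod q exactly when x == y."""
    return [1, x % q], [(-y) % q, 1]


def encode_by_roots(x, y, accepting, domain, q):
    """Generic encoding of a predicate given as accepting(x) -> iterable of y.
    x_vec = coefficients of p_x(Y) = prod_{a in accepting(x)} (Y - a), padded
    to length domain+1; y_vec = (1, y, y^2, ..., y^domain).  Then
    <x_vec, y_vec> = p_x(y).  For prime q > domain, p_x(y) = 0 mod q iff y is
    one of the roots, i.e. iff P(x, y) = 1."""
    coeffs = [1]
    for a in accepting(x):
        coeffs = _poly_mul(coeffs, [(-a) % q, 1], q)
    coeffs += [0] * (domain + 1 - len(coeffs))
    powers = [pow(y, i, q) for i in range(domain + 1)]
    return coeffs, powers


def greater_than_accepting(x):
    """P(x, y) = 1 iff x > y, so the accepting set of x is {0, ..., x-1}."""
    return range(x)


def encoding_is_correct(encode, predicate, domain, q):
    """Exhaustively check P(x, y) == (<x_vec, y_vec> == 0 mod q) on [domain]^2."""
    for x in range(domain):
        for y in range(domain):
            u, v = encode(x, y)
            if (inner_product(u, v, q) == 0) != bool(predicate(x, y)):
                return False
    return True


def greater_than_is_correct(domain, q):
    """Root encoding of 'x > y' on [domain] with modulus q."""
    return encoding_is_correct(
        lambda x, y: encode_by_roots(x, y, greater_than_accepting, domain, q),
        lambda x, y: x > y, domain, q)


def equality_is_correct(domain, q):
    """Length-2 encoding of 'x == y' on [domain] with modulus q."""
    return encoding_is_correct(
        lambda x, y: encode_equality(x, y, q), lambda x, y: x == y, domain, q)


if __name__ == "__main__":
    print("equality, q=11:", equality_is_correct(8, 11))          # True
    print("greater-than, q=11:", greater_than_is_correct(8, 11))  # True
    # Composite modulus: Y(Y-1)(Y-2)(Y-3) = 24 = 0 mod 6 at Y=4, although
    # 4 > 4 is false, so the root encoding misfires; this is why q prime matters.
    print("greater-than, q=6:", greater_than_is_correct(5, 6))    # False
```

    The root encoding uses domain+1 coordinates for any predicate, which is the generic upper bound a lower-bound result has to beat; the page's abstract states that for greater than and threshold the known encodings are essentially optimal for prime q, and the composite case in the checker shows where that argument has to change.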

    Hybrid Quantum Cryptography from Communication Complexity

    We introduce an explicit construction for a key distribution protocol in the Quantum Computational Timelock (QCT) security model, where one assumes that computationally secure encryption may only be broken after a time much longer than the coherence time of available quantum memories. Taking advantage of the QCT assumptions, we build a key distribution protocol called HM-QCT from the Hidden Matching problem, for which there exists an exponential gap in one-way communication complexity between classical and quantum strategies. We establish that the security of HM-QCT against arbitrary i.i.d. attacks can be reduced to the difficulty of solving the underlying Hidden Matching problem with classical information. Legitimate users, on the other hand, can use quantum communication, which gives them the possibility of sending multiple copies of the same quantum state while retaining an information advantage. This leads to an everlasting secure key distribution scheme over $n$ bosonic modes. Such a level of security is unattainable with purely classical techniques. Remarkably, the scheme remains secure with up to $\mathcal{O}\big( \frac{\sqrt{n}}{\log(n)} \big)$ input photons for each channel use, extending the functionalities and potentially outperforming QKD rates by several orders of magnitude.
    Comment: 25 pages, 5 figures

    On Security Proofs of Existing Equivalence Class Signature Schemes

    Equivalence class signatures (EQS), introduced by Hanser and Slamanig (AC'14), sign vectors of elements from a bilinear group. Signatures can be "adapted", meaning that anyone can transform a signature on a vector to a (random) signature on any multiple of that vector. (Signatures thus authenticate equivalence classes.) A transformed signature/message pair is then indistinguishable from a random signature on a random message. EQS have been used to efficiently instantiate (delegatable) anonymous credentials, (round-optimal) blind signatures, ring and group signatures and anonymous tokens. The original EQS construction (J.Crypto'19) is only proven in the generic group model, while the first construction from standard assumptions (PKC'18) only yields security guarantees insufficient for most applications. Two works (AC'19, PKC'22) propose applicable schemes which assume the existence of a common reference string for the anonymity notion. Their unforgeability is argued via a security proof from standard (or non-interactive) assumptions. In this work we show that their security proof is flawed and explain the subtle issue.

    The One-More Discrete Logarithm Assumption in the Generic Group Model

    The one-more discrete logarithm assumption (OMDL) underlies the security analysis of identification protocols, blind signature and multi-signature schemes, such as blind Schnorr signatures and the recent MuSig2 multi-signatures. As these schemes produce standard Schnorr signatures, they are compatible with existing systems, e.g. in the context of blockchains. OMDL is moreover assumed for many results on the impossibility of certain security reductions. Despite its wide use, surprisingly, OMDL is lacking any rigorous analysis; there is not even a proof that it holds in the generic group model (GGM). (We show that a claimed proof is flawed.) In this work we give a formal proof of OMDL in the GGM. We also prove a related assumption, the one-more computational Diffie-Hellman assumption, in the GGM. Our proofs deviate from prior proofs in the GGM and replace the use of the Schwartz-Zippel Lemma by a new argument.

    Transferable E-cash: A Cleaner Model and the First Practical Instantiation

    Transferable e-cash is the most faithful digital analog of physical cash, as it allows users to transfer coins between them in isolation, that is, without interacting with a bank or a “ledger”. Appropriate protection of user privacy and, at the same time, providing means to trace fraudulent behavior (double-spending of coins) have made instantiating the concept notoriously hard. Baldimtsi et al. (PKC'15) gave a first instantiation, but, as it relies on a powerful cryptographic primitive, the scheme is not practical. We also point out a flaw in their scheme. In this paper we revisit the model for transferable e-cash and propose simpler yet stronger security definitions. We then provide the first concrete construction, based on bilinear groups, give rigorous proofs that it satisfies our model, and analyze its efficiency in detail.

    Fine-Grained Non-Interactive Key Exchange, Revisited

    We revisit the construction of multiparty non-interactive key-exchange protocols with fine-grained security, which was recently studied in (Afshar et al., Eurocrypt 2023). Their work introduced a 4-party non-interactive key exchange with quadratic hardness, and proved it secure in Shoup's generic group model. This positive result was complemented with a proof that $n$-party non-interactive key exchange with superquadratic security cannot exist in Maurer's generic group model, for any $n \geq 3$. Because Shoup's model is stronger than Maurer's model, this leaves a gap between the positive and the negative result, and their work left as an open question the goal of closing this gap, and of obtaining fine-grained non-interactive key exchange without relying on idealized models. In this work, we make significant progress on both questions. We obtain two main results: A 4-party non-interactive key exchange protocol with quadratic security gap, assuming the existence of exponentially secure injective pseudorandom generators, and the subexponential hardness of the computational Diffie-Hellman assumption. In addition, our scheme is conceptually simpler, and can be generalized to other settings (with more parties or from other assumptions). Assuming the existence of non-uniformly secure injective pseudorandom generators with exponential hardness, we further show that our protocol is secure in Maurer's model, albeit with a smaller hardness gap (up to $N^{1.6}$), making progress on filling the gap between the positive and the negative result of (Afshar et al., Eurocrypt 2023). Somewhat intriguingly, proving the security of our scheme in Maurer's idealized model turns out to be significantly harder than proving its security in the standard model.

    The Uber-Knowledge Assumption: A Bridge to the AGM

    The generic-group model (GGM) and the algebraic-group model (AGM) have been immensely successful in proving the security of many classical and modern cryptosystems. These models, however, come coupled with standard-model uninstantiability results, raising the question whether the schemes analyzed under them can be based on firmer standard-model footing. We formulate the uber-knowledge (UK) assumption, a standard-model assumption that naturally extends the uber-assumption family to knowledge assumptions. We justify the soundness of the UK in both the bilinear GGM and bilinear AGM. Along the way we extend these models to incorporate hashing into groups, an adversarial capability that is available in many concrete groups. (In contrast to standard assumptions, hashing may affect the validity of knowledge assumptions.) These results, in turn, enable a modular approach to security in GGM and AGM. As example applications, we use the UK to prove knowledge-soundness of Groth16 and KZG polynomial commitments in the standard model, where for the former we reuse the existing AGM proof without hashing.