    Robust Property-Preserving Hash Functions for Hamming Distance and More

    Robust property-preserving hash (PPH) functions, recently introduced by Boyle, Lavigne, and Vaikuntanathan [ITCS 2019], compress large inputs xx and yy into short digests h(x)h(x) and h(y)h(y) in a manner that allows for computing a predicate PP on xx and yy while only having access to the corresponding hash values. In contrast to locality-sensitive hash functions, a robust PPH function guarantees to correctly evaluate a predicate on h(x)h(x) and h(y)h(y) even if xx and yy are chosen adversarially after seeing hh. Our main result is a robust PPH function for the exact hamming distance predicate HAMt(x,y)={1if d(x,y)t0Otherwise\mathsf{HAM}^t(x, y) = \begin{cases}1 &\text{if } d( x, y) \geq t \\0 & \text{Otherwise}\\\end{cases} where d(x,y)d(x, y) is the hamming-distance between xx and yy. Our PPH function compresses nn-bit strings into O(tλ)\mathcal{O}(t \lambda)-bit digests, where λ\lambda is the security parameter. The construction is based on the q-strong bilinear discrete logarithm assumption. Along the way, we construct a robust PPH function for the set intersection predicate INTt(X,Y)={1if XY>nt0Otherwise \mathsf{INT}^t(X, Y) = \begin{cases} 1 &\text{if } \vert X \cap Y\vert > n - t \\ 0 & \text{Otherwise}\\ \end{cases} which compresses sets XX and YY of size nn with elements from some arbitrary universe UU into O(tλ)\mathcal{O}(t\lambda)-bit long digests. This PPH function may be of independent interest. We present an almost matching lower bound of Ω(tlogt)\Omega(t \log t) on the digest size of any PPH function for the intersection predicate, which indicates that our compression rate is close to optimal. Finally, we also show how to extend our PPH function for the intersection predicate to more than two inputs

    On Publicly-Accountable Zero-Knowledge and Small Shuffle Arguments

    Constructing interactive zero-knowledge arguments from simple assumptions with small communication complexity and good computational efficiency is an important, but difficult problem. In this work, we study interactive arguments with noticeable soundness error in their full generality and for the specific purpose of constructing concretely efficient shuffle arguments. To counterbalance the effects of a larger soundness error, we show how to transform such three-move arguments into publicly-accountable ones which allow the verifier to convince third parties of detected misbehavior by a cheating prover. This may be particularly interesting for applications where a malicious prover has to balance the profits it can make from cheating successfully and the losses it suffers from being caught. %In contrast to standard sequential repetition, our transformation increases the round and communication complexity by only a small additive factor. We construct interactive, public-coin, zero-knowledge arguments with noticeable soundness error for proving that a target vector of commitments is a pseudorandom permutation of a source vector. Our arguments do not rely on any trusted setup and only require the existence of collision-resistant hash functions. The communication complexity of our arguments is \emph{independent} of the length of the shuffled vector. For a soundness error of 25=1/322^{-5}=1/32, the communication cost is 153153 bytes without and 992992 bytes with public accountability, meaning that our arguments are shorter than shuffle arguments realized using Bulletproofs (IEEE S\&P 2018) and even competitive in size with SNARKs, despite only relying on simple assumptions

    Invertible Bloom Lookup Tables with Less Memory and Less Randomness

    In this work we study Invertible Bloom Lookup Tables (IBLTs) with small failure probabilities. IBLTs are highly versatile data structures that have found applications in set reconciliation protocols, error-correcting codes, and even the design of advanced cryptographic primitives. For storing nn elements and ensuring correctness with probability at least 1δ1 - \delta, existing IBLT constructions require Ω(n(log(1/δ)log(n)+1))\Omega(n(\frac{\log(1/\delta)}{\log(n)}+1)) space and they crucially rely on fully random hash functions. We present new constructions of IBLTs that are simultaneously more space efficient and require less randomness. For storing nn elements with a failure probability of at most δ\delta, our data structure only requires O(n+log(1/δ)loglog(1/δ))\mathcal{O}(n + \log(1/\delta)\log\log(1/\delta)) space and O(log(log(n)/δ))\mathcal{O}(\log(\log(n)/\delta))-wise independent hash functions. As a key technical ingredient we show that hashing nn keys with any kk-wise independent hash function h:U[Cn]h:U \to [Cn] for some sufficiently large constant CC guarantees with probability 12Ω(k)1 - 2^{-\Omega(k)} that at least n/2n/2 keys will have a unique hash value. Proving this is highly non-trivial as kk approaches nn. We believe that the techniques used to prove this statement may be of independent interest

    Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting

    Interactive Non-Malleable Codes were introduced by Fleischhacker et al. (TCC 2019) in the two party setting with synchronous tampering. The idea of this type of non-malleable code is that it encodes an interactive protocol in such a way that, even if the messages are tampered with according to some class F\mathcal{F} of tampering functions, the result of the execution will either be correct, or completely unrelated to the inputs of the participating parties. In the synchronous setting the adversary is able to modify the messages being exchanged but cannot drop messages nor desynchronize the two parties by first running the protocol with the first party and then with the second party. In this work, we define interactive non-malleable codes in the non-synchronous multi-party setting and construct such interactive non-malleable codes for the class Fboundeds\mathcal{F}^{s}_{\textsf{bounded}} of bounded-state tampering functions. The construction is applicable to any multi-party protocol with a fixed message topology

    On Statistically Secure Obfuscation with Approximate Correctness

    Goldwasser and Rothblum (TCC \u2707) prove that statistical indistinguishability obfuscation (iO) cannot exist if the obfuscator must maintain perfect correctness (under a widely believed complexity theoretic assumption: NP⊈SZKAMcoAM\mathcal{NP} \not\subseteq \mathcal{SZK}\subseteq\mathcal{AM}\cap\mathbf{co}\mathcal{AM}). However, for many applications of iO, such as constructing public-key encryption from one-way functions (one of the main open problems in theoretical cryptography), approximate correctness is sufficient. It had been unknown thus far whether statistical approximate iO (saiO) can exist. We show that saiO does not exist, even for a minimal correctness requirement, if NP⊈AMcoAM\mathcal{NP} \not\subseteq \mathcal{AM}\cap\mathbf{co}\mathcal{AM}, and if one-way functions exist. A simple complementary observation shows that if one-way functions do not exist, then average-case saiO exists. Technically, previous approaches utilized the behavior of the obfuscator on evasive functions, for which saiO always exists. We overcome this barrier by using a PRF as a baseline for the obfuscated program. We broaden our study and consider relaxed notions of security for iO. We introduce the notion of correlation obfuscation, where the obfuscations of equivalent circuits only need to be mildly correlated (rather than statistically indistinguishable). Perhaps surprisingly, we show that correlation obfuscators exist via a trivial construction for some parameter regimes, whereas our impossibility result extends to other regimes. Interestingly, within the gap between the parameters regimes that we show possible and impossible, there is a small fraction of parameters that still allow to build public-key encryption from one-way functions and thus deserve further investigation

    On Tight Security Proofs for Schnorr Signatures

    The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin (Eurocrypt 2012) showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random oracle by Pointcheval and Stern (Eurocrypt 1996) is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem. In this paper we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable, because then the reduction applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem Π\Pi defined over algebraic groups to breaking Schnorr signatures, unless solving Π\Pi is easy. In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model

    Squirrel: Efficient Synchronized Multi-Signatures from Lattices

    The focus of this work are multi-signatures schemes in the synchronized setting. A multi-signature scheme allows multiple signatures for the same message but from independent signers to be compressed into one short aggregated signature, which allows verifying all of the signatures simultaneously. In the synchronized setting, the signing algorithm takes the current time step as an additional input. It is assumed that no signer signs more than one message per time step and we aim to aggregate signatures for the same message and same time step. This setting is particularly useful in the context of blockchains, where validators are naturally synchronized by the blocks they sign. We present Squirrel, a concretely efficient lattice-based multi-signature scheme in the synchronized setting that works for a bounded number of 2τ2^{\tau} time steps and allows for aggregating up to ρ\rho signatures at each step, where both τ\tau and ρ\rho are public parameters upon which the efficiency of our scheme depends. Squirrel allows for non-interactive aggregation of independent signatures and is proven secure in the random oracle model in the presence of rogue-key attacks assuming the hardness of the short integer solution problem in a polynomial ring. We provide a careful analysis of all parameters and show that Squirrel can be instantiated with good concrete efficiency. For τ=24\tau = 24 and ρ=4096\rho = 4096, a signer could sign a new message every 10 seconds for 5 years non-stop. Assuming the signer has a cache of 112 MB, signing takes 68 ms and verification of an aggregated signature takes 36 ms. The size of the public key is 1 KB, the size of an individual signature is 52 KB, and the size of an aggregated signature is 771 KB

    Extractable Witness Encryption for KZG Commitments and Efficient Laconic OT

    We present a concretely efficient and simple extractable witness encryption scheme for KZG polynomial commitments. It allows to encrypt a message towards a triple (com,α,β)(\mathsf{com}, \alpha, \beta), where com\mathsf{com} is a KZG commitment for some polynomial ff. Anyone with an opening for the commitment attesting f(α)=βf(\alpha) = \beta can decrypt, but without knowledge of a valid opening the message is computationally hidden. Our construction is simple and highly efficient. The ciphertext is only a single group element. Encryption and decryption both require a single pairing evaluation and a constant number of group operations. Using our witness encryption scheme, we construct a simple and highly efficient laconic OT protocol, which significantly outperforms the state of the art in most important metrics