298 research outputs found
A New Approach for Non-Interactive Zero-Knowledge from Learning with Errors
We put forward a new approach for achieving non-interactive zero-knowledge proofs (NIKZs) from the learning with errors (LWE) assumption (with subexponential modulus to noise ratio). We provide a LWE-based construction of a hidden bits generator that gives rise to a NIZK via the celebrated hidden bits paradigm. A noteable feature of our construction is its simplicity. Our construction employs lattice trapdoors, but beyond that uses only simple operations. Unlike prior solutions we do not rely on a correlation intractability argument nor do we utilize fully homomorphic encryption techniques. Our solution provides a new methodology that adds to the diversity of techniques for solving this fundamental problem
Efficient Identity-Based Encryption Without Random Oracles
We present the first efficient Identity-Based Encryption
(IBE) scheme that is fully secure without random
oracles. We first present our IBE construction and reduce the
security of our scheme to the decisional Bilinear Diffie-Hellman
(BDH) problem. Additionally, we show that our techniques can be used
to build a new signature scheme that is secure under the
computational Diffie-Hellman assumption without random oracles
Short and Stateless Signatures from the RSA Assumption
We present the first signature scheme which is \u27\u27short\u27\u27, stateless and secure under the RSA assumption in the standard model. Prior short, standard model signatures in the RSA setting required either a strong complexity assumption such as Strong RSA or (recently) that the signer maintain state. A signature in our scheme is comprised of one element in ZN* and one integer. The public key is also short, requiring only the modulus N, one element of ZN*, one integer, one PRF seed and some short chameleon hash parameters.
To design our signature, we employ the known generic construction of fully-secure signatures from weakly-secure signatures and a chameleon hash. We then introduce a new proof technique for reasoning about weakly-secure signatures. This technique enables the simulator to predict a prefix of the message on which the adversary will forge and to use knowledge of this prefix to embed the challenge. This technique has wider applications beyond RSA.
We also use it to provide an entirely new analysis of the security of the Waters signatures: the only short, stateless signatures known to be secure under the Computational Diffie-Hellman assumption in the standard model
How to Use Indistinguishability Obfuscation: Deniable Encryption, and More
We introduce a new technique, that we call punctured programs,
to apply indistinguishability obfuscation towards cryptographic
problems. We use this technique to carry out a systematic study of
the applicability of indistinguishability obfuscation to a variety of
cryptographic goals. Along the way, we resolve the 16-year-old open
question of Deniable Encryption, posed by Canetti, Dwork, Naor,
and Ostrovsky in 1997: In deniable encryption, a sender who is forced
to reveal to an adversary both her message and the randomness she used
for encrypting it should be able to convincingly provide ``fake\u27\u27
randomness that can explain any alternative message that she would
like to pretend that she sent. We resolve this question by giving the
first construction of deniable encryption that does not require
any pre-planning by the party that must later issue a denial.
In addition, we show the generality of our punctured programs
technique by also constructing a variety of core cryptographic objects
from indistinguishability obfuscation and one-way functions (or close
variants). In particular we obtain: public key encryption, short
``hash-and-sign\u27\u27 selectively secure signatures, chosen-ciphertext
secure public key encryption, non-interactive zero knowledge proofs
(NIZKs), injective trapdoor functions, and oblivious transfer. These
results suggest the possibility of indistinguishability
obfuscation becoming a ``central hub\u27\u27 for cryptography
Attribute-Based Encryption with Fast Decryption
Attribute-based encryption (ABE) is a vision of public key encryption that allows users to encrypt and decrypt messages based on user attributes. This functionality comes at a cost. In a typical implementation, the size of the ciphertext is proportional to the number of attributes associated with it and the decryption time is proportional to the number of attributes used during decryption. Specifically, many practical ABE implementations require one pairing operation per attribute used during decryption.
This work focuses on designing ABE schemes with fast decryption algorithms. We restrict our attention to expressive systems without system-wide bounds or limitations, such as placing a limit on the number of attributes used in a ciphertext or a private key. In this setting, we present the first key-policy ABE system where ciphertexts can be decrypted with a constant number of pairings. We show that GPSW ciphertexts can be decrypted with only 2 pairings by increasing the private key size by a factor of X, where X is the set of distinct attributes that appear in the private key. We then present a generalized construction that allows each system user to independently tune various efficiency tradeoffs to their liking on a spectrum where the extremes are GPSW on one end and our very fast scheme on the other. This tuning requires no changes to the public parameters or the encryption algorithm. Strategies for choosing an individualized user optimization plan are discussed. Finally, we discuss how these ideas can be translated into the ciphertext-policy ABE setting at a higher cost
How to Sample a Discrete Gaussian (and more) from a Random Oracle
The random oracle methodology is central to the design of many practical
cryptosystems. A common challenge faced in several systems is the need to have
a random oracle that outputs from a structured distribution , even though most
heuristic implementations such as SHA-3 are best suited for outputting bitstrings.
Our work explores the problem of sampling from discrete Gaussian (and related) distributions in a manner that they can be programmed into random oracles. We make the following contributions:
-We provide a definitional framework for our results. We say that a sampling algorithm for a distribution is explainable if there exists an algorithm where, for a in the domain, we have that such that . Moreover, if is sampled from the explained distribution is statistically close to choosing uniformly at random. We consider a variant of this definition that allows the statistical closeness to be a precision parameter\u27\u27 given to the algorithm. We show that sampling algorithms which satisfy our `explainability\u27 property can be programmed as a random oracle.
-We provide a simple algorithm for explaining \emph{any} sampling algorithm that works over distributions with polynomial sized ranges. This includes discrete Gaussians with small standard deviations.
-We show how to transform a (not necessarily explainable) sampling algorithm for a distribution into a new that is explainable. The requirements for doing this is that (1) the probability density function is efficiently computable (2) it is possible to efficiently uniformly sample from all elements that have a probability density above a given threshold , showing the equivalence of random oracles to these distributions and random oracles to uniform bitstrings. This includes a large class of distributions, including all discrete Gaussians.
-A potential drawback of the previous approach is that the transformation requires an additional computation of the density function. We provide a more customized approach that shows the Miccancio-Walter discrete Gaussian sampler is explainable as is. This suggests that other discrete Gaussian samplers in a similar vein might also be explainable as is
Realizing Chosen Ciphertext Security Generically in Attribute-Based Encryption and Predicate Encryption
We provide generic and black box transformations from any chosen plaintext secure Attribute-Based Encryption (ABE) or One-sided Predicate Encryption system into a chosen ciphertext secure system.
Our transformation requires only the IND-CPA security of the original ABE scheme coupled with a pseudorandom generator (PRG) with a special security property.
In particular, we consider a PRG with an bit input and bit output where each is an bit string. Then for a randomly chosen the following two distributions should be computationally indistinguishable. In the first distribution and is chosen randomly for .
In the second distribution all are chosen randomly for
On the CCA Compatibility of Public-Key Infrastructure
In this work, we study the compatibility of any key generation or setup algorithm. We focus on the specific case of encryption, and say that a key generation algorithm KeyGen is X-compatible (for X \in {CPA, CCA1, CCA2}) if there exist encryption and decryption algorithms that together with KeyGen, result in an X-secure public-key encryption scheme.
We study the following question: Is every CPA-compatible key generation algorithm also CCA-compatible? We obtain the following answers:
- Every sub-exponentially CPA-compatible KeyGen algorithm is CCA1-compatible, assuming the existence of hinting PRGs and sub-exponentially secure keyless collision resistant hash functions.
- Every sub-exponentially CPA-compatible KeyGen algorithm is also CCA2-compatible, assuming the existence of non-interactive CCA2 secure commitments, in addition to sub-exponential security of the assumptions listed in the previous bullet.
Here, sub-exponentially CPA-compatible KeyGen refers to any key generation algorithm for which there exist encryption and decryption algorithms that result in a CPA-secure public-key encryption scheme {\em against sub-exponential adversaries}.
This gives a way to perform CCA secure encryption given any public key infrastructure that has been established with only (sub-exponential) CPA security in mind. The resulting CCA encryption makes black-box use of the CPA scheme and all other underlying primitives
Decentralizing Attribute-Based Encryption
We propose a Multi-Authority Attribute-Based Encryption (ABE) system.
In our system, any party can become an authority and there is no
requirement for any global coordination other than the creation of an
initial set of common reference parameters. A party can simply act as
an ABE authority by creating a public key and issuing private keys to
different users that reflect their attributes. A user can encrypt
data in terms of any boolean formula over attributes issued from any
chosen set of authorities. Finally, our system does not require any
central authority.
In constructing our system, our largest technical hurdle is to make it collusion resistant. Prior Attribute-Based Encryption systems achieved collusion resistance when the ABE system authority ``tied\u27\u27 together different components (representing different attributes) of a user\u27s private key by randomizing the key. However, in our system each component will come from a potentially different authority, where we assume no coordination between such authorities. We create new techniques to tie key components together and prevent collusion attacks between users with different global identifiers.
We prove our system secure using the recent dual system encryption
methodology where the security proof works by first converting the
challenge ciphertexts and private keys to a semi-functional form and
then arguing security. We follow a recent variant of the dual system
proof technique due to Lewko and Waters and build our system using
bilinear groups of composite order. We prove security under similar
static assumptions to the LW paper in the random oracle model
Lossy Trapdoor Functions and Their Applications
We propose a new general primitive called lossy trapdoor
functions (lossy TDFs), and realize it under a variety of different
number theoretic assumptions, including hardness of the decisional
Diffie-Hellman (DDH) problem and the worst-case hardness of
standard lattice problems.
Using lossy TDFs, we develop a new approach for constructing many
important cryptographic primitives, including standard trapdoor
functions, CCA-secure cryptosystems, collision-resistant hash
functions, and more. All of our constructions are simple, efficient,
and black-box.
Taken all together, these results resolve some long-standing open
problems in cryptography. They give the first known (injective)
trapdoor functions based on problems not directly related to integer
factorization, and provide the first known CCA-secure cryptosystem
based solely on worst-case lattice assumptions
- β¦