98 research outputs found

    Publicly Evaluable Pseudorandom Functions and Their Applications

    We put forth the notion of \emph{publicly evaluable} pseudorandom functions (PEPRFs), which can be viewed as a counterpart of standard pseudorandom functions (PRFs) in the public-key setting. Briefly, PEPRFs are defined over a domain $X$ containing a language $L$ associated with a hard relation $\mathsf{R}_L$, and each secret key $sk$ is associated with a public key $pk$. For any $x \in L$, in addition to evaluating $\mathsf{F}_{sk}(x)$ using $sk$ as in standard PRFs, one is also able to evaluate $\mathsf{F}_{sk}(x)$ with $pk$, $x$ and a witness $w$ for $x \in L$. We consider two security notions for PEPRFs. The basic one is weak pseudorandomness, which stipulates that a PEPRF cannot be distinguished from a truly random function on uniformly random inputs. The strengthened one is adaptive weak pseudorandomness, which requires that a PEPRF remains weakly pseudorandom even when an adversary is given adaptive access to an evaluation oracle. We conduct a formal study of PEPRFs, focusing on applications, constructions, and extensions. We show how to construct chosen-plaintext secure (CPA) and chosen-ciphertext secure (CCA) public-key encryption (PKE) schemes from (adaptive) PEPRFs. The construction is simple, black-box, and admits a direct proof of security. We provide evidence that (adaptive) PEPRFs exist by showing constructions from injective trapdoor functions, hash proof systems, extractable hash proof systems, as well as a construction from puncturable PRFs with program obfuscation. We introduce the notion of publicly sampleable PRFs (PSPRFs), which is a relaxation of PEPRFs but nonetheless implies PKE. We show that (adaptive) PSPRFs are implied by (adaptive) trapdoor relations. This helps us to unify and clarify many PKE schemes from seemingly unrelated general assumptions and paradigms under the notion of PSPRFs. We explore a similar extension of the recently emerging constrained PRFs, and introduce the notion of publicly evaluable constrained PRFs, which, as an immediate application, implies attribute-based encryption. We propose a twist on PEPRFs, which we call publicly evaluable and verifiable functions (PEVFs). Compared to PEPRFs, PEVFs have an additional promising property named public verifiability, while the best possible security degrades to unpredictability. We justify the applicability of PEVFs by presenting a simple construction of ``hash-and-sign'' signatures, both in the random oracle model and in the standard model.

    Position-Verification in Multi-Channel Models

    We propose a collusion-attack-resistant position-verification protocol in a new model called the multi-channel model. In the multi-channel model there are many communication channels. When a player picks a random channel and sends a short message over it, the message slips by an adversary with high probability if the adversary does not know the channel beforehand. This idea is motivated by spread spectrum communication techniques, which we adopt to solve the position-verification task. By adding different constraints to the multi-channel model, we obtain three sub-models: the receiving-constrained multi-channel model, the sending-constrained multi-channel model and the cover-constrained multi-channel model. Our position-verification protocol is secure under all of these sub-models with appropriate parameters.

    Proof-Carrying Data from Multi-folding Schemes

    Proof-carrying data (PCD) is a powerful cryptographic primitive that allows mutually distrustful parties to perform distributed computation defined on directed acyclic graphs in an efficiently verifiable manner. Important efficiency parameters include the prover's cost at each step and the recursion overhead, which measures the additional cost apart from proving the computation. In this paper, we construct a PCD scheme having the smallest prover's cost and recursion overhead in the literature. Specifically, the prover's cost at each step is dominated by only one $O(|C|)$-sized multi-scalar multiplication (MSM), and the recursion overhead is dominated by only one $2r$-sized MSM, where $|C|$ is the computation size and $r$ is the number of incoming edges at a given step. In contrast, the state-of-the-art PCD scheme requires $4r+12$ $O(|C|)$-sized MSMs for the prover's cost, and six $2r$-sized MSMs plus one $6r$-sized MSM for the recursion overhead. In addition, our PCD scheme supports a more expressive constraint system for computations: the customizable constraint system (CCS), which supports high-degree constraints efficiently, in contrast with the rank-1 constraint system (R1CS) used in existing PCD schemes, which supports only quadratic constraints. Underlying our PCD scheme is a multi-folding scheme that reduces the task of checking multiple instances to the task of checking one. We generalize the existing construction to support an arbitrary number of instances.

    Adaptive Security of Concurrent Non-Malleable Zero-Knowledge

    A zero-knowledge protocol allows a prover to convince a verifier of the correctness of a statement without disclosing any other information to the verifier. It is a basic tool and widely used in many other cryptographic applications. However, when stand-alone zero-knowledge protocols are used in complex environments, e.g., the Internet, the basic properties may not be sufficient. This is why researchers have considered the security of zero-knowledge protocols under concurrent composition and man-in-the-middle attacks. Moreover, it is quite likely that an adversary may break into computers that run the protocol and obtain the internal state of the parties. It is thus necessary to take into account the security of zero-knowledge protocols when adaptive corruptions are allowed. Previous adaptively secure zero-knowledge protocols work either in a stand-alone setting or in a concurrent setting with trusted setup assumptions. In this paper, we study the adaptive security of zero-knowledge protocols under both concurrent self-composition and man-in-the-middle attacks in the plain model (i.e., without any setup assumptions). We provide a construction of adaptively secure concurrent non-malleable zero-knowledge proofs/arguments for every language in NP.

    Sakai-Ohgishi-Kasahara Identity-Based Non-Interactive Key Exchange Revisited and More

    Identity-based non-interactive key exchange (IB-NIKE) is a powerful but somewhat overlooked primitive in identity-based cryptography. While identity-based encryption and signatures have been extensively investigated over the past three decades, IB-NIKE has remained largely unstudied. Currently, there are only a few IB-NIKE schemes in the literature. Among them, the Sakai-Ohgishi-Kasahara (SOK) scheme is the first efficient and secure two-party IB-NIKE scheme, and it has had great influence on follow-up works. However, the SOK scheme requires its identity mapping function to be modeled as a random oracle to prove security. Moreover, its existing security proof relies heavily on the ability to program the random oracle. It is unknown whether such reliance is inherent. In this work, we revisit the SOK IB-NIKE scheme in depth, and present a series of possibility and impossibility results in the random oracle model and the standard model. In the random oracle model, we first improve the previous security analysis of the SOK IB-NIKE scheme by giving a tighter reduction. We then use the meta-reduction technique to show that the SOK scheme is unlikely to be proven secure based on the computational bilinear Diffie-Hellman (CBDH) assumption without programming the random oracle. In the standard model, we show how to instantiate the random oracle in the SOK scheme with a concrete hash function built from admissible hash functions (AHFs) and indistinguishability obfuscation. The resulting scheme is adaptively secure based on the decisional bilinear Diffie-Hellman inversion (DBDHI) assumption. To the best of our knowledge, this is the first adaptively secure IB-NIKE scheme in the standard model that does not explicitly require multilinear maps. Previous schemes in the standard model either have merely selective security or require programmable hash functions in the multilinear setting. At the technical heart of our scheme, we generalize the definition of AHFs, and propose a generic construction which enables AHFs with previously unachieved parameters, which might be of independent interest. In addition, we present some new results about IB-NIKE. First, we present a generic construction of multiparty IB-NIKE from extractable witness PRFs and existentially unforgeable signatures. Second, we investigate the relation between semi-adaptive security and adaptive security for IB-NIKE. Somewhat surprisingly, we show that these two notions are polynomially equivalent.

    Development of novel AMP-based absorbents for efficient CO2 capture with low energy consumption through modifying the electrostatic potential

    The global deployment of aqueous amine absorbents for carbon dioxide (CO2) capture is hindered by their high energy consumption. A potential solution to this challenge lies in the utilization of non-aqueous amine systems, which offer energy-efficient alternatives. However, they are prone to forming precipitates during the CO2 absorption process, which limits their application. Combining experimental and theoretical studies, we found that the electrostatic potential of carbamate, rather than van der Waals forces, is the major factor controlling precipitation, and that hydrogen bonds can effectively reduce the electrostatic potential of carbamate and prevent precipitation. Single-solvent screening experiments have also demonstrated that the absorption rate is closely related to the viscosity of the organic solvent and the affinity of the functional group for CO2. The polar solvents (Dimethylformamide (DMF), Dimethyl sulfoxide (DMSO), and N-Methylformamide (NMF)) exhibit higher absorption rates, but suffer from precipitation. Hydroxyl-rich solvents (Ethylene glycol (EG) and Glycerol) exhibit lower absorption rates, but do not have the precipitation issue. Based on these findings, several novel 2-Amino-2-methyl-1-propanol (AMP)-based non-aqueous absorbents have been developed with the aim of reducing the energy penalty and improving CO2 absorption and desorption performance. Among these absorbents, AMP-EG-DMF (4–3) exhibits the maximum CO2 absorption rate and absorption capacity of 9.91 g-CO2/(kg-soln.·min.) and 122 g-CO2/(kg-soln.), respectively, which are 64.1% and 28.4% higher than those of 30 wt% AMP aqueous solution, respectively. Additionally, compared to 30 wt% MEA, the energy consumption of AMP-EG-DMF (4–3) shows a 46.30% reduction. The addition of EG effectively improves the electrostatic solubility of AMP-carbamate by increasing the number and strength of hydrogen bonds, thus avoiding the formation of precipitates. The final product species and reaction mechanism were analysed using 13C and 1H NMR, in-situ ATR-FTIR, and quantum chemical calculations. The combination of theoretical and experimental results indicates that bi-solvent AMP-based absorbents can serve as a promising alternative for low-energy CO2 capture.

    How to Obtain Fully Structure-Preserving (Automorphic) Signatures from Structure-Preserving Ones

    In this paper, we bridge the gap between structure-preserving signatures (SPSs) and fully structure-preserving signatures (FSPSs). In SPSs, all messages, signatures, and verification keys consist only of group elements, while in FSPSs even the signing keys are required to be a collection of group elements. To achieve our goal, we introduce two new primitives called trapdoor signatures and signatures with auxiliary key, both of which can be derived from SPSs. By carefully combining both primitives, we obtain generic constructions of FSPSs from SPSs. Upon instantiating the above two primitives, we get many instantiations of FSPSs with unilateral and bilateral message spaces. Unlike previously proposed FSPSs, many of our instantiations also have the automorphic property, i.e., a signer can sign his own verification key. As by-product results, one of our instantiations has the shortest verification key size, the shortest signature size, and the lowest verification cost among all previous constructions based on standard assumptions, and one of them is the first FSPS scheme in type I bilinear groups.