5 research outputs found

    Lower Bounds for Lattice-based Compact Functional Encryption

    Functional encryption (FE) is a primitive in which the holder of a master secret key controls which functions a user can evaluate on encrypted data. It is a powerful primitive that even implies indistinguishability obfuscation (iO), given sufficiently compact ciphertexts (Ananth-Jain, CRYPTO'15 and Bitansky-Vaikuntanathan, FOCS'15). However, despite being extensively studied, there are FE schemes, such as function-hiding inner-product FE (Bishop-Jain-Kowalczyk, AC'15; Abdalla-Catalano-Fiore-Gay-Ursu, CRYPTO'18) and compact quadratic FE (Baltico-Catalano-Fiore-Gay and Lin, CRYPTO'17), that can only be realized using pairings. This raises the question of whether there are mathematical barriers that hinder us from realizing these FE schemes from other assumptions. In this paper, we study the difficulty of constructing lattice-based compact FE. We generalize the impossibility results of Ünal (EC'20) for lattice-based function-hiding FE and extend them to the case of compact FE. Concretely, we prove lower bounds for lattice-based compact FE schemes which meet some (natural) algebraic restrictions at encryption and decryption, and have messages and ciphertexts of constant dimensions. We see our results as important indications of why it is hard to construct lattice-based FE schemes for new functionalities, and of which mathematical barriers have to be overcome.

    A²L: Anonymous Atomic Locks for Scalability in Payment Channel Hubs

    Payment channel hubs (PCHs) constitute a promising solution to the inherent scalability problems of blockchain technologies, allowing for off-chain payments between sender and receiver through an intermediary, called the tumbler. While state-of-the-art PCHs provide security and privacy guarantees against a malicious tumbler, they do so by relying on scripting-based functionality available in only a few cryptocurrencies, and they thus fall short of fundamental properties such as backwards compatibility and efficiency. In this work, we present the first PCH protocol to achieve all aforementioned properties. Our PCH builds upon A²L, a novel cryptographic primitive that realizes a three-party protocol for conditional transactions, where the tumbler pays the receiver only if the latter solves a cryptographic challenge with the help of the sender, which implies that the sender has paid the tumbler. We prove the security and privacy guarantees of A²L (which carry over to our PCH construction) in the Universal Composability framework and present a provably secure instantiation based on adaptor signatures and randomizable puzzles. We implemented A²L and compared it to TumbleBit, the state-of-the-art Bitcoin-compatible PCH. Asymptotically, A²L has a communication complexity that is constant, as opposed to linear in the security parameter as in TumbleBit. In practice, A²L requires ~33x less bandwidth than TumbleBit, while retaining the computational cost (or providing a 2x speedup with a preprocessing technique). This demonstrates that A²L (and thus our PCH construction) is ready to be deployed today. In theory, we demonstrate for the first time that it is possible to design a secure and privacy-preserving PCH while requiring only digital signatures and timelock functionality from the underlying scripting language. In practice, this result makes our PCH backwards compatible with virtually all cryptocurrencies available today, even those offering a highly restricted form of scripting language such as Ripple or Stellar. The practical appeal of our construction has resulted in a proof-of-concept implementation in the COMIT Network, a blockchain technology focused on cross-currency payments.
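    The three-party exchange sketched in this abstract (tumbler promises a payment locked to a puzzle, receiver re-randomizes the puzzle, sender buys the solution from the tumbler, receiver unlocks the promise), as an added example that is not the authors' code or the A²L implementation. It assumes toy, insecure parameters: a Schnorr group with p = 10007, q = 5003, g = 4 for the adaptor signatures, Paillier with primes 1019 and 1013 as the linearly homomorphic "randomizable puzzle", and strings in place of transactions. The zero-knowledge and range proofs that the real protocol adds around the puzzle are omitted, and the choice of Paillier here is for readability only (the follow-up "Foundations of Coin Mixing Services" shows that the encryption scheme's properties are exactly where the original model had a gap).

```python
"""Added example of the A²L puzzle-promise / puzzle-solver flow with toy parameters.
Assumptions: Schnorr group p = 10007 (safe prime), q = 5003, g = 4; Paillier primes
1019 and 1013. None of this is secure; it only shows how the pieces fit together."""
import hashlib
import math
import secrets

P, Q, G = 10007, 5003, 4   # toy safe prime p = 2q + 1 and an order-q generator (assumption)


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1


def challenge(R, pk, msg):
    h = hashlib.sha256(f"{R}|{pk}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def keygen():
    x = rand_scalar()
    return x, pow(G, x, P)


def pre_sign(x, msg, Y):
    """Schnorr adaptor pre-signature on msg, locked to Y = g^y (y unknown to the signer)."""
    r = rand_scalar()
    R_hat = pow(G, r, P)
    c = challenge((R_hat * Y) % P, pow(G, x, P), msg)
    return R_hat, (r + c * x) % Q


def pre_verify(pk, msg, Y, pre_sig):
    R_hat, s_hat = pre_sig
    c = challenge((R_hat * Y) % P, pk, msg)
    return pow(G, s_hat, P) == (R_hat * pow(pk, c, P)) % P


def adapt(pre_sig, y):
    """Complete the pre-signature with the witness y; the result is a plain Schnorr signature."""
    R_hat, s_hat = pre_sig
    return (R_hat * pow(G, y, P)) % P, (s_hat + y) % Q


def verify(pk, msg, sig):
    R, s = sig
    return pow(G, s, P) == (R * pow(pk, challenge(R, pk, msg), P)) % P


def extract(pre_sig, sig):
    """Anyone holding both the pre-signature and the final signature learns y = s - s_hat."""
    return (sig[1] - pre_sig[1]) % Q


# Paillier is additively homomorphic, so a puzzle Enc(alpha) can be re-randomised to Enc(alpha + beta).
def paillier_keygen(p=1019, q=1013):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (n, lam, mu)


def paillier_enc(n, m):
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(n + 1, m, n * n) * pow(r, n, n * n)) % (n * n)


def paillier_dec(sk, c):
    n, lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n


def run_a2l():
    """Sender -> Tumbler -> Receiver payment; returns the checks each party relies on."""
    x_T, pk_T = keygen()                 # tumbler's signing key
    x_S, pk_S = keygen()                 # sender's signing key
    pk_enc, sk_enc = paillier_keygen()   # tumbler's puzzle (encryption) key
    tx_TR, tx_ST = "tumbler pays receiver", "sender pays tumbler"   # constructed stand-ins

    # 1. Puzzle promise (tumbler -> receiver): Y = g^alpha, Z = Enc(alpha), plus a
    #    pre-signature on tx_TR that only the holder of alpha can complete.
    alpha = rand_scalar()
    Y, Z = pow(G, alpha, P), paillier_enc(pk_enc, alpha)
    promise = pre_sign(x_T, tx_TR, Y)
    assert pre_verify(pk_T, tx_TR, Y, promise)

    # 2. Receiver randomises the puzzle with beta, so the tumbler cannot link both halves.
    beta = rand_scalar()
    Y_r = (Y * pow(G, beta, P)) % P
    Z_r = (Z * paillier_enc(pk_enc, beta)) % (pk_enc * pk_enc)

    # 3. Puzzle solver (sender <-> tumbler): sender pre-signs tx_ST locked to Y' = g^(alpha+beta).
    offer = pre_sign(x_S, tx_ST, Y_r)
    assert pre_verify(pk_S, tx_ST, Y_r, offer)
    alpha_r = paillier_dec(sk_enc, Z_r) % Q   # tumbler decrypts alpha + beta (sum < n, so exact)
    assert pow(G, alpha_r, P) == Y_r
    sig_ST = adapt(offer, alpha_r)            # tumbler claims the sender's payment ...
    assert verify(pk_S, tx_ST, sig_ST)

    # 4. ... which reveals alpha + beta to the sender, who forwards it; receiver strips beta.
    alpha_rec = (extract(offer, sig_ST) - beta) % Q
    sig_TR = adapt(promise, alpha_rec)        # receiver claims the tumbler's payment
    return {
        "witness_recovered": alpha_rec == alpha,
        "receiver_paid": verify(pk_T, tx_TR, sig_TR),
        "unlinkable_statements": Y != Y_r,
    }
```

    The atomicity argument is visible in step 3 and 4: the only way for the tumbler to collect the sender's payment is to publish `sig_ST`, and `extract` turns that published signature into the witness the receiver needs, so a tumbler that takes the sender's coins cannot withhold the receiver's.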

    (Inner-Product) Functional Encryption with Updatable Ciphertexts

    We propose a novel variant of functional encryption which supports ciphertext updates, dubbed ciphertext-updatable functional encryption (CUFE). Such a feature further broadens the practical applicability of the functional-encryption paradigm and allows for fine-grained access control even after a ciphertext is generated. Updating ciphertexts is carried out via so-called update tokens which a dedicated party can use to convert ciphertexts. However, allowing update tokens requires some care in the security definition. Our contribution is three-fold: a) We define our new primitive with a security notion in the indistinguishability setting. Within CUFE, functional decryption keys and ciphertexts are labeled with tags such that decryption succeeds only if the tags of the decryption key and the ciphertext match. Furthermore, we allow ciphertexts to switch their tags to any other tag via update tokens. Such tokens are generated by the holder of the main secret key and can only be used in the desired direction. b) We present a generic construction of CUFE for any functionality, as well as for predicates other than equality testing on tags, which relies on the existence of indistinguishability obfuscation (iO). c) We present a practical construction of CUFE for the inner-product functionality from standard assumptions (i.e., LWE) in the random-oracle model. On the technical level, we build on the recent functional-encryption schemes with fine-grained access control and linear operations on encrypted data (Abdalla et al., AC'20) and introduce an additional ciphertext-updatability feature. Proving security for such a construction turned out to be non-trivial, particularly when revealing keys for the updated challenge ciphertext is allowed. Overall, such a construction enriches the set of known inner-product functional-encryption schemes with the additional updatability feature of ciphertexts.

    Foundations of Coin Mixing Services

    Coin mixing services allow users to mix their cryptocurrency coins and thus enable unlinkable payments in a way that prevents tracking of honest users' coins by both the service provider and the users themselves. The easy bootstrapping of new users and backwards compatibility with cryptocurrencies (such as Bitcoin) with limited support for scripts are attractive features of this architecture, which has recently gained considerable attention in both academia and industry. A recent work of Tairi et al. [IEEE S&P 2021] formalizes the notion of a coin mixing service and proposes A²L, a new cryptographic protocol that simultaneously achieves high efficiency and interoperability. In this work, we identify a gap in their formal model and substantiate the issue by showing two concrete counterexamples: we show how to construct two encryption schemes that satisfy their definitions but lead to a completely insecure system. To amend this situation, we investigate secure constructions of coin mixing services. First, we develop the notion of blind conditional signatures (BCS), which acts as the cryptographic core for coin mixing services. We propose game-based security definitions for BCS and propose A²L⁺, a modified version of the protocol by Tairi et al. that satisfies our security definitions. Our analysis is in an idealized model (akin to the algebraic group model) and assumes the hardness of the one-more discrete logarithm problem. Finally, we propose A²L^UC, another construction of BCS that achieves the stronger notion of UC-security (in the standard model), albeit with a significant increase in computation cost. This suggests that constructing a coin mixing service protocol secure under composition requires more complex cryptographic machinery than initially thought.

    Isogenies for Post-Quantum Cryptography

    Public key cryptography plays a crucial role in securing our everyday communications. However, as Peter Shor showed, the public key cryptosystems that are being used today will be broken once a large-scale quantum computer appears. There are public key cryptosystems that are based on relatively harder problems and are believed to remain secure even if a large-scale quantum computer is built. One proposal in this area is supersingular isogeny-based cryptography, where the security is based on the hardness of computing isogenies between supersingular elliptic curves. The most famous cryptosystem based on supersingular isogenies is the supersingular isogeny Diffie-Hellman (SIDH) key exchange by Jao and De Feo. The purpose of this thesis is to explain the theoretical background of supersingular isogeny-based cryptography, and to evaluate the current status of SIDH key exchange in practice. Along the way we discuss how isogenies in SIDH give rise to non-backtracking walks in supersingular isogeny graphs, and we perform simulations to describe the behavior of these walks. We also provide an optimized and efficient software implementation of SIDH key exchange in Rust, and compare its performance with the currently available state-of-the-art implementations to assess its practicality. Note that this status is as of 2018: SIDH (and the derived SIKE submission) was subsequently broken by the Castryck-Decru key-recovery attack of 2022, which exploits the auxiliary torsion-point images that SIDH publishes alongside the curve; the generic problem of computing an isogeny between two given supersingular curves is not affected by that attack.
    Submitted by Erkan Tairi, BSc. Universität Linz, Master's thesis, 2018. (VLID) 258185