39 research outputs found
Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting
Interactive Non-Malleable Codes were introduced by Fleischhacker et al. (TCC 2019) in the two party setting with synchronous tampering. The idea of this type of non-malleable code is that it "encodes" an interactive protocol in such a way that, even if the messages are tampered with according to some class F of tampering functions, the result of the execution will either be correct, or completely unrelated to the inputs of the participating parties. In the synchronous setting the adversary is able to modify the messages being exchanged but cannot drop messages nor desynchronize the two parties by first running the protocol with the first party and then with the second party. In this work, we define interactive non-malleable codes in the non-synchronous multi-party setting and construct such interactive non-malleable codes for the class F^s_bounded of bounded-state tampering functions
Robust Property-Preserving Hash Functions for Hamming Distance and More
Robust property-preserving hash (PPH) functions, recently introduced by Boyle, Lavigne, and Vaikuntanathan [ITCS 2019], compress large inputs and into short digests and in a manner that allows for computing a predicate on and while only having access to the corresponding hash values. In contrast to locality-sensitive hash functions, a robust PPH function guarantees to correctly evaluate a predicate on and even if and are chosen adversarially after seeing .
Our main result is a robust PPH function for the exact hamming distance predicate
where is the hamming-distance between and .
Our PPH function compresses -bit strings into -bit digests, where is the security parameter.
The construction is based on the q-strong bilinear discrete logarithm assumption.
Along the way, we construct a robust PPH function for the set intersection predicate
which compresses sets and of size with elements from some arbitrary universe into -bit long digests.
This PPH function may be of independent interest.
We present an almost matching lower bound of on the digest size of any PPH function for the intersection predicate, which indicates that our compression rate is close to optimal.
Finally, we also show how to extend our PPH function for the intersection predicate to more than two inputs
On Publicly-Accountable Zero-Knowledge and Small Shuffle Arguments
Constructing interactive zero-knowledge arguments from simple assumptions with small communication complexity and good computational efficiency is an important, but difficult problem.
In this work, we study interactive arguments with noticeable soundness error in their full generality and for the specific purpose of constructing concretely efficient shuffle arguments.
To counterbalance the effects of a larger soundness error, we show how to transform such three-move arguments into publicly-accountable ones which allow the verifier to convince third parties of detected misbehavior by a cheating prover.
This may be particularly interesting for applications where a malicious prover has to balance the profits it can make from cheating successfully and the losses it suffers from being caught.
%In contrast to standard sequential repetition, our transformation increases the round and communication complexity by only a small additive factor.
We construct interactive, public-coin, zero-knowledge arguments with noticeable soundness error for proving that a target vector of commitments is a pseudorandom permutation of a source vector.
Our arguments do not rely on any trusted setup and only require the existence of collision-resistant hash functions.
The communication complexity of our arguments is \emph{independent} of the length of the shuffled vector.
For a soundness error of , the communication cost is bytes without and bytes with public accountability, meaning that our arguments are shorter than shuffle arguments realized using Bulletproofs (IEEE S\&P 2018) and even competitive in size with SNARKs, despite only relying on simple assumptions
Invertible Bloom Lookup Tables with Less Memory and Less Randomness
In this work we study Invertible Bloom Lookup Tables (IBLTs) with small
failure probabilities. IBLTs are highly versatile data structures that have
found applications in set reconciliation protocols, error-correcting codes, and
even the design of advanced cryptographic primitives. For storing elements
and ensuring correctness with probability at least , existing IBLT
constructions require space and
they crucially rely on fully random hash functions.
We present new constructions of IBLTs that are simultaneously more space
efficient and require less randomness. For storing elements with a failure
probability of at most , our data structure only requires
space and
-wise independent hash functions.
As a key technical ingredient we show that hashing keys with any -wise
independent hash function for some sufficiently large constant
guarantees with probability that at least keys
will have a unique hash value. Proving this is highly non-trivial as
approaches . We believe that the techniques used to prove this statement may
be of independent interest
Interactive Non-Malleable Codes Against Desynchronizing Attacks in the Multi-Party Setting
Interactive Non-Malleable Codes were introduced by Fleischhacker et al. (TCC 2019) in the two party setting with synchronous tampering.
The idea of this type of non-malleable code is that it encodes an interactive protocol in such a way that, even if the messages are tampered with according to some class of tampering functions, the result of the execution will either be correct, or completely unrelated to the inputs of the participating parties.
In the synchronous setting the adversary is able to modify the messages being exchanged but cannot drop messages nor desynchronize the two parties by first running the protocol with the first party and then with the second party.
In this work, we define interactive non-malleable codes in the non-synchronous multi-party setting and construct such interactive non-malleable codes for the class of bounded-state tampering functions.
The construction is applicable to any multi-party protocol with a fixed message topology
On Statistically Secure Obfuscation with Approximate Correctness
Goldwasser and Rothblum (TCC \u2707) prove that statistical indistinguishability obfuscation (iO) cannot exist if the obfuscator must maintain perfect correctness (under a widely believed complexity theoretic assumption: ). However, for many applications of iO, such as constructing public-key encryption from one-way functions (one of the main open problems in theoretical cryptography), approximate correctness is sufficient. It had been unknown thus far whether statistical approximate iO (saiO) can exist.
We show that saiO does not exist, even for a minimal correctness requirement, if , and if one-way functions exist. A simple complementary observation shows that if one-way functions do not exist, then average-case saiO exists. Technically, previous approaches utilized the behavior of the obfuscator on evasive functions, for which saiO always exists. We overcome this barrier by using a PRF as a baseline for the obfuscated program.
We broaden our study and consider relaxed notions of security for iO. We introduce the notion of correlation obfuscation, where the obfuscations of equivalent circuits only need to be mildly correlated (rather than statistically indistinguishable). Perhaps surprisingly, we show that correlation obfuscators exist via a trivial construction for some parameter regimes, whereas our impossibility result extends to other regimes. Interestingly, within the gap between the parameters regimes that we show possible and impossible, there is a small fraction of parameters that still allow to build public-key encryption from one-way functions and thus deserve further investigation
On Tight Security Proofs for Schnorr Signatures
The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin (Eurocrypt 2012) showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random oracle by Pointcheval and Stern (Eurocrypt 1996) is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem.
In this paper we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable, because then the reduction applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem defined over algebraic groups to breaking Schnorr signatures, unless solving is easy.
In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model
Squirrel: Efficient Synchronized Multi-Signatures from Lattices
The focus of this work are multi-signatures schemes in the synchronized setting. A multi-signature scheme allows multiple signatures for the same message but from independent signers to be compressed into one short aggregated signature, which allows verifying all of the signatures simultaneously. In the synchronized setting, the signing algorithm takes the current time step as an additional input. It is assumed that no signer signs more than one message per time step and we aim to aggregate signatures for the same message and same time step. This setting is particularly useful in the context of blockchains, where validators are naturally synchronized by the blocks they sign.
We present Squirrel, a concretely efficient lattice-based multi-signature scheme in the synchronized setting that works for a bounded number of time steps and allows for aggregating up to signatures at each step, where both and are public parameters upon which the efficiency of our scheme depends. Squirrel allows for non-interactive aggregation of independent signatures and is proven secure in the random oracle model in the presence of rogue-key attacks assuming the hardness of the short integer solution problem in a polynomial ring.
We provide a careful analysis of all parameters and show that Squirrel can be instantiated with good concrete efficiency. For and , a signer could sign a new message every 10 seconds for 5 years non-stop. Assuming the signer has a cache of 112 MB, signing takes 68 ms and verification of an aggregated signature takes 36 ms. The size of the public key is 1 KB, the size of an individual signature is 52 KB, and the size of an aggregated signature is 771 KB
Extractable Witness Encryption for KZG Commitments and Efficient Laconic OT
We present a concretely efficient and simple extractable witness encryption scheme for KZG polynomial commitments.
It allows to encrypt a message towards a triple , where is a KZG commitment for some polynomial .
Anyone with an opening for the commitment attesting can decrypt, but without knowledge of a valid opening the message is computationally hidden.
Our construction is simple and highly efficient. The ciphertext is only a single group element. Encryption and decryption both require a single pairing evaluation and a constant number of group operations.
Using our witness encryption scheme, we construct a simple and highly efficient laconic OT protocol, which significantly outperforms the state of the art in most important metrics