12 research outputs found

    New Techniques for Public Key Encryption with Sender Recovery

    In this paper, we consider a scenario where a sender transmits ciphertexts to multiple receivers using a public-key encryption scheme and, at a later point in time, wants to retrieve the plaintexts without having to request the receivers' help in decrypting the ciphertexts, and without having to locally store a separate recovery key for every receiver the sender interacts with. This problem, known as public key encryption with sender recovery, has intuitive solutions based on hybrid encryption, i.e., key encapsulation mechanism / data encapsulation mechanism (KEM/DEM) schemes. We propose a KEM/DEM-based solution that is CCA2-secure, allows for multiple receivers, only requires the receivers to be equipped with public/secret key pairs (the sender needs only a single symmetric recovery key), and uses an analysis technique called plaintext randomization that results in greatly simplified, clean, and intuitive proofs compared to prior work in this area. We instantiate our protocol for public key encryption with sender recovery with the Cramer-Shoup hybrid encryption scheme

    Security-Performance Tradeoff in DAG-based Proof-of-Work Blockchain Protocols

    Proof-of-work (PoW) blockchain protocols based on directed acyclic graphs (DAGs) have demonstrated superior transaction confirmation performance compared to their chain-based predecessors. However, it is uncertain whether their security deteriorates in high-throughput settings as it does for their predecessors, because their acceptance of simultaneous blocks and complex block dependencies presents challenges for rigorous security analysis. We address these challenges by analyzing DAG-based protocols via a congestible blockchain model (CBM), a general model that allows case-by-case upper bounds on the block propagation delay, rather than the uniform upper bound used in most previous analyses. CBM allows us to capture two key phenomena of high-throughput settings: (1) simultaneous blocks increase each other's propagation delay, and (2) a block can be processed only after all the blocks it refers to have been received. We further devise a reasonable adversarial block propagation strategy in CBM, called the late-predecessor attack, which exploits block dependencies to delay the processing of honest blocks. We then evaluate the security and performance of Prism and OHIE, two DAG-based protocols that aim to break the security-performance tradeoff, in the presence of an attacker capable of launching the late-predecessor attack. Our results show that these protocols suffer from reduced security and extended latency in high-throughput settings, just like their chain-based predecessors

    On the Field-Based Division Property: Applications to MiMC, Feistel MiMC and GMiMC (Full Version)

    Recent practical applications using advanced cryptographic protocols such as multi-party computation (MPC) and zero-knowledge proofs (ZKP) have prompted a range of novel symmetric primitives described over large finite fields, referred to as arithmetization-oriented (AO) ciphers. Such designs, which aim to minimize the number of field multiplications, run a high risk of being vulnerable to algebraic attacks, especially the higher-order differential attack. It is therefore important to carefully evaluate the growth of their algebraic degree. However, degree estimation for AO ciphers has been a challenge for cryptanalysts due to the lack of general and accurate methods. In this paper, we extend the division property, a state-of-the-art framework for upper-bounding the algebraic degree over binary fields, to $\mathbb{F}_{2^n}$. The result is a generic method for bounding the algebraic degree of AO ciphers, applicable even to Feistel ciphers, for which no bound better than the trivial exponential one was known. In this general division property, the idea is to evaluate whether the polynomial representation of a block cipher contains specific monomials. Through a close investigation of the arithmetic structure, we introduce propagation rules for monomials under field operations, which can be modeled efficiently using the bit-vector theory of SMT. A new search tool for degree estimation then follows from the relationship between the algebraic degree and the exponents of monomials. We apply the new framework to several important AO ciphers, including Feistel MiMC, GMiMC, and MiMC. For Feistel MiMC, we show that the algebraic degree grows significantly more slowly than the naive exponential bound. For the first time, we present a secret-key higher-order differential distinguisher for up to 124 rounds, much better than the 83-round distinguisher for the Feistel MiMC permutation proposed at CRYPTO 2020. 
    We also exhibit a full-round zero-sum distinguisher with a data complexity of $2^{251}$. Our method extends to the general Feistel structure with more branches and yields higher-order differential distinguishers against the practical instance of GMiMC for up to 50 rounds. For MiMC in an SP-network, our results match the exact algebraic degree proved by Bouvier et al. We also point out that the number of rounds in MiMC's specification is not sufficient to guarantee security against the higher-order differential attack for MiMC-like schemes with different exponents. The investigation of different exponents provides some guidance for cipher design
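    The abstract above talks about the algebraic degree of MiMC-style cube rounds, the gap between the exact degree and the naive exponential bound, and the zero-sum (higher-order differential) distinguisher that a low degree enables. The following is an added example written for this page, not the paper's tool nor the MiMC designers' code: it runs MiMC-style rounds $x \mapsto (x + k + c_i)^3$ over the toy field $\mathbb{F}_{2^7}$ (small enough to enumerate the whole truth table; the modulus, key and round constants are values chosen here), recovers the exact algebraic degree from the algebraic normal form via the Moebius transform, computes the naive bound from the univariate degree $3^r$, and checks that every affine subspace of dimension one above the degree XORs to zero while a subspace spanned by the variables of a top-degree monomial does not. After two rounds the exact degree is still 2 although the naive bound allows 3, because the weight-3 exponents $x^7$ and $x^5$ cancel in characteristic 2; after three rounds the leading exponent 27 has weight 4 and the bound is met.

```python
"""Added example (not code from the paper): MiMC-style cube rounds over the toy field
GF(2^7), exact algebraic degree from the ANF, the naive 3^r bound, and the zero-sum
(higher-order differential) check that a low degree makes possible."""
import random

N = 7                   # toy field GF(2^7): all 128 inputs can be enumerated
MODULUS = 0b10000011    # x^7 + x + 1, irreducible over GF(2); cubing is a permutation
                        # because gcd(3, 2^7 - 1) = 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication reduced modulo the field polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MODULUS
    return r


def cube(x: int) -> int:
    return gf_mul(x, gf_mul(x, x))


def mimc_instance(rounds: int, key: int, seed: int = 1):
    """f(x): r rounds of x <- (x + k + c_i)^3 followed by x + k ('+' is XOR in GF(2^n)).
    Round constants are toy values from a seeded PRNG (assumption, not MiMC's constants)."""
    rng = random.Random(seed)
    constants = [rng.randrange(1 << N) for _ in range(rounds)]

    def f(x: int) -> int:
        for c in constants:
            x = cube(x ^ key ^ c)
        return x ^ key

    return f


def anf_degree(f):
    """Exact algebraic degree of f: GF(2)^N -> GF(2)^N plus one top-degree monomial (bit mask).
    Each output bit's truth table is converted to ANF coefficients by the Moebius transform;
    the degree is the largest Hamming weight of a monomial whose coefficient is 1."""
    table = [f(x) for x in range(1 << N)]
    best_deg, best_mono = 0, 0
    for bit in range(N):
        coeffs = [(v >> bit) & 1 for v in table]
        step = 1
        while step < (1 << N):          # in-place Moebius transform
            for i in range(1 << N):
                if i & step:
                    coeffs[i] ^= coeffs[i ^ step]
            step <<= 1
        for mono in range(1 << N):
            w = bin(mono).count("1")
            if coeffs[mono] and w > best_deg:
                best_deg, best_mono = w, mono
    return best_deg, best_mono


def degree_bound(rounds: int) -> int:
    """Naive bound: the univariate degree after r cube rounds is 3^r, so the algebraic degree is
    at most the largest Hamming weight of an exponent <= 3^r (valid while 3^r < 2^N, i.e. no
    exponent reduction), and at most N-1 since the cipher is a permutation."""
    top = 3 ** rounds
    assert top < (1 << N), "derivation assumes no exponent reduction"
    return min(N - 1, max(bin(e).count("1") for e in range(top + 1)))


def subspace_sum(f, basis, offset: int = 0) -> int:
    """XOR of f over the affine subspace offset + span(basis)."""
    total = 0
    for mask in range(1 << len(basis)):
        x = offset
        for j, b in enumerate(basis):
            if (mask >> j) & 1:
                x ^= b
        total ^= f(x)
    return total


def independent(vecs) -> bool:
    """Linear independence over GF(2) by incremental elimination on the top set bit."""
    pivots = [0] * N
    for v in vecs:
        for i in range(N - 1, -1, -1):
            if not (v >> i) & 1:
                continue
            if pivots[i] == 0:
                pivots[i] = v
                break
            v ^= pivots[i]
        else:
            return False                # v reduced to zero: dependent
    return True


def zero_sum_holds(f, dim: int, trials: int = 20, seed: int = 2) -> bool:
    """Higher-order differential check: random affine subspaces of dimension `dim` must all
    XOR to zero whenever dim exceeds the algebraic degree of f."""
    rng = random.Random(seed)
    for _ in range(trials):
        basis = [rng.randrange(1, 1 << N) for _ in range(dim)]
        while not independent(basis):
            basis = [rng.randrange(1, 1 << N) for _ in range(dim)]
        if subspace_sum(f, basis, rng.randrange(1 << N)) != 0:
            return False
    return True


def unit_basis(mono: int):
    """Unit vectors of the variables in a monomial; their span is the ANF coefficient's domain."""
    return [1 << i for i in range(N) if (mono >> i) & 1]


if __name__ == "__main__":
    key = 0b1011001
    for r in range(1, 5):
        f = mimc_instance(r, key)
        deg, mono = anf_degree(f)
        print(f"{r} round(s): exact degree {deg}, naive bound {degree_bound(r)}, "
              f"zero-sum at dimension {deg + 1}: {zero_sum_holds(f, deg + 1)}, "
              f"non-zero sum on a degree-{deg} monomial subspace: "
              f"{subspace_sum(f, unit_basis(mono)) != 0}")
```

    The XOR over the span of a monomial's unit vectors is exactly that monomial's ANF coefficient, which is why the degree-d subspace sum is non-zero while every (d+1)-dimensional one vanishes; a zero-sum distinguisher on a real instance is the same check with data complexity $2^{d+1}$, which is what the $2^{251}$ figure above refers to.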

    Resumable Zero-Knowledge for Circuits from Symmetric Key Primitives

    Consider the scenario in which the prover and the verifier run a zero-knowledge (ZK) proof protocol for the same statement multiple times sequentially, where each proof is modeled as a session. We focus on the problem of how to resume a ZK proof efficiently in such a scenario. We introduce a new primitive called resumable honest-verifier zero-knowledge proof of knowledge (resumable HVZKPoK) and propose a general construction of resumable HVZKPoK for circuits based on the "MPC-in-the-head" paradigm, where the complexity of the resumed session is lower than that of the original ZK proof. To ensure knowledge soundness for the resumed session, we identify a property called extractable decomposition. Interestingly, most block ciphers satisfy this property, and the cost of resuming a session can be reduced dramatically when the underlying circuits are implemented with block ciphers. As a direct application of our resumable HVZKPoK, we construct a post-quantum secure stateful signature scheme, which makes Picnic3 suitable for blockchain protocols. Using the same parameter setting as Picnic3, the sign/verify time of our subsequent signatures can be reduced to 3.1%/3.3% of Picnic3's, and the corresponding signature size to 36%. Moreover, by applying a parallel version of our method to the well-known Cramer, Damgaard and Schoenmakers (CDS) transformation, we obtain a compressed one-out-of-$N$ proof for circuits, which can further be used to construct a ring signature from symmetric-key primitives only. When the ring size is less than $2^4$, the size of our ring signature is only about 1/3 of that of Katz et al.'s construction

    On the Construction of Public Key Encryption with Sender Recovery


    Adaptive Security of Broadcast Encryption, Revisited

    We provide a strong security notion for broadcast encryption, called adaptive security in the multi-challenge setting (MA-security), where the adversary can adaptively access the key generation oracle and the encryption oracle many times (multi-challenge). In particular, the adversary can adaptively query for challenge ciphertexts on different target user sets, which generalizes the attacks against broadcast encryption in real-world settings. Our general result shows that the reduction for an adaptively secure broadcast encryption scheme loses a factor of q in the MA setting, where q is the maximum number of encryption queries. In order to construct tighter MA-secure broadcast encryption, we investigate Gentry and Waters' transformation and show that it preserves MA-security at the price of a reduction loss in the advantage of the underlying symmetric-key encryption. Furthermore, we remove the q-type assumption in Gentry and Waters' semi-statically secure broadcast encryption by using Hofheinz-Koch-Striecks techniques. The resulting scheme, instantiated in a composite-order group, is MA-secure with a constant-size ciphertext header

    Public Key Encryption for the Forgetful

    We investigate public key encryption that allows the originator of a ciphertext to retrieve a "forgotten" plaintext from the ciphertext. This type of public key encryption with "backward recovery" contrasts with the more widely analyzed public key encryption with "forward secrecy". We advocate that together they form two sides of the same coin, offering complementary roles in data security, especially in cloud computing, 3G/4G communications and other emerging computing and communication platforms. We formalize the notion of public key encryption with backward recovery and present two construction methods together with formal analyses of their security. The first method embodies a generic public key encryption scheme with backward recovery using the "encrypt then sign" paradigm, whereas the second method provides a more efficient scheme built on Hofheinz and Kiltz's public key encryption in conjunction with target collision resistant hashing. Security of the first method is proved in a two-user setting, whereas the second is proved in a more general multi-user setting.

    Optimal pairing revisited

    Vercauteren [27] introduced the notion of optimal pairings. Up to now the only known optimal pairing is the optimal Ate pairing. In this paper, we give some properties of optimal pairings and provide an algorithm for finding an optimal pairing, if one exists, defined on a given elliptic curve. Applying cyclotomic polynomials, we construct some new optimal pairings and provide a construction method for pairing-friendly elliptic curves on which the optimal pairing can be defined. Our algorithm is explicit and works for arbitrary embedding degree k and large prime subgroup order r

    Towards the Links of Cryptanalytic Methods on MPC/FHE/ZK-Friendly Symmetric-Key Primitives

    Symmetric-key primitives designed over a prime field $\mathbb{F}_p$ of odd characteristic, rather than the traditional $\mathbb{F}_2^n$, are becoming the most popular choice for MPC/FHE/ZK protocols because of their better efficiency. However, security over $\mathbb{F}_p$ is less well understood, as there are highly nontrivial gaps in extending the cryptanalysis tools and experience built on $\mathbb{F}_2^n$ over the past few decades to $\mathbb{F}_p$. At CRYPTO 2015, Sun et al. established the links among impossible differential, zero-correlation linear, and integral cryptanalysis over $\mathbb{F}_2^n$ from the perspective of distinguishers. In this paper, following the definition of linear correlations over $\mathbb{F}_p$ by Baignères, Stern and Vaudenay at SAC 2007, we establish comprehensive links over $\mathbb{F}_p$, by reproducing the proofs and offering alternatives where necessary. Interesting and important differences between $\mathbb{F}_p$ and $\mathbb{F}_2^n$ are observed:
    - Zero-correlation linear hulls cannot lead to integral distinguishers in some cases over $\mathbb{F}_p$, whereas this is always possible over $\mathbb{F}_2^n$, as proven by Sun et al.
    - When the newly established links are applied to GMiMC, its impossible differential, zero-correlation linear hull and integral distinguishers can be extended by up to 3 rounds in most cases, and even to an arbitrary number of rounds in some special and limited cases that appear only over $\mathbb{F}_p$. It should be noted that none of these distinguishers invalidates GMiMC's security claims.
    The development of the theory over $\mathbb{F}_p$ behind these links, and the properties identified (be they similar or different), will bring a clearer and easier understanding of the security of primitives in this emerging $\mathbb{F}_p$ setting, which we believe will provide useful guidance for future cryptanalysis and design

    Related-key differential cryptanalysis of GMiMC used in post-quantum signatures

    With the urgency of the threat posed by quantum computers, there is strong interest in making signature schemes quantum resistant. As promising candidates for ensuring post-quantum security, symmetric-key primitives, in particular the recent MPC/FHE/ZK-friendly hash functions and block ciphers, provide another way to build efficient and secure signature schemes that do not rely on any assumed hard problem. However, given their intended use cases, many of these novel ciphers for advanced cryptographic protocols do not claim related-key security. In this paper, we initiate the study of the so far ignored related-key security of GMiMC, proposed by Albrecht et al. at ESORICS 2019, some versions of which are optimized and designed to be used in post-quantum secure signatures. By investigating the potential threat of related-key attacks against GMiMC when deployed as the underlying building block of post-quantum signature schemes, we construct two kinds of iterative related-key differentials, from which we not only explore its security margin against related-key attacks but also mount collision attacks on its key space. For example, for the GMiMC instance that beats the smallest signature size obtainable using LowMC, we can find a key collision using only about $2^{10}$ key pairs. It is worth noting that our current key collision attack is only applicable when the adversarial power is sufficiently strong (e.g., in the so-called multi-user setting), and it does not threaten the one-wayness of GMiMC. Furthermore, from the experiments on our related-key differentials, it can be observed that the differential clustering effect of GMiMC differs in two respects: the choice of the finite field $\mathbb{F}$ as $\mathbb{F}_p$ or $\mathbb{F}_{2^n}$, and the size of the finite field $\mathbb{F}$.
    This research was funded by DFG Grant LU 608/9-1.