9 research outputs found

    New Techniques for Public Key Encryption with Sender Recovery

    In this paper, we consider a scenario where a sender transmits ciphertexts to multiple receivers using a public-key encryption scheme, and at a later point in time wants to retrieve the plaintexts, without having to request the receivers' help in decrypting the ciphertexts, and without having to locally store a separate recovery key for every receiver the sender interacts with. This problem, known as public key encryption with sender recovery, has intuitive solutions based on hybrid encryption-based key encapsulation mechanism and data encapsulation mechanism (KEM/DEM) schemes. We propose a KEM/DEM-based solution that is CCA2-secure, allows for multiple receivers, only requires the receivers to be equipped with public/secret keypairs (the sender needs only a single symmetric recovery key), and uses an analysis technique called plaintext randomization that results in greatly simplified, clean, and intuitive proofs compared to prior work in this area. We instantiate our protocol for public key encryption with sender recovery with the Cramer-Shoup hybrid encryption scheme.

    Security-Performance Tradeoff in DAG-based Proof-of-Work Blockchain Protocols

    Proof-of-work (PoW) blockchain protocols based on directed acyclic graphs (DAGs) have demonstrated superior transaction confirmation performance compared to their chain-based predecessors. However, it is uncertain whether their security deteriorates in high-throughput settings as it does for their predecessors, because their acceptance of simultaneous blocks and complex block dependencies presents challenges for rigorous security analysis. We address these challenges by analyzing DAG-based protocols via a congestible blockchain model (CBM), a general model that allows case-by-case upper bounds on the block propagation delay, rather than a uniform upper bound as in most previous analyses. CBM allows us to capture two key phenomena of high-throughput settings: (1) simultaneous blocks increase each other's propagation delay, and (2) a block can be processed only after receiving all the blocks it refers to. We further devise a reasonable adversarial block propagation strategy in CBM, called the late-predecessor attack, which exploits block dependencies to delay the processing of honest blocks. We then evaluate the security and performance of Prism and OHIE, two DAG-based protocols that aim to break the security-performance tradeoff, in the presence of an attacker capable of launching the late-predecessor attack. Our results show that these protocols suffer from reduced security and extended latency in high-throughput settings, similar to their chain-based predecessors.

    On the Construction of Public Key Encryption with Sender Recovery

    No full text

    Public Key Encryption for the Forgetful

    We investigate public key encryption that allows the originator of a ciphertext to retrieve a “forgotten” plaintext from the ciphertext. This type of public key encryption with “backward recovery” contrasts with the more widely analyzed public key encryption with “forward secrecy”. We advocate that together they form the two sides of one coin, offering complementary roles in data security, especially in cloud computing, 3G/4G communications and other emerging computing and communication platforms. We formalize the notion of public key encryption with backward recovery, and present two construction methods together with formal analyses of their security. The first method embodies a generic public key encryption scheme with backward recovery using the “encrypt then sign” paradigm, whereas the second method provides a more efficient scheme that is built on Hofheinz and Kiltz's public key encryption in conjunction with target collision resistant hashing. Security of the first method is proved in a two-user setting, whereas the second is in a more general multi-user setting.

    Related-key differential cryptanalysis of GMiMC used in post-quantum signatures

    No full text
    With the urgency of the threat posed by quantum computers, there is strong interest in making signature schemes quantum resistant. As promising candidates for ensuring post-quantum security, symmetric-key primitives, in particular the recent MPC/FHE/ZK-friendly hash functions and block ciphers, provide another way to build efficient and secure signature schemes that do not rely on any assumed hard problems. However, considering their intended use cases, many of these novel ciphers for advanced cryptographic protocols do not claim related-key security. In this paper, we initiate the study of the so-far ignored related-key security of GMiMC, proposed by Albrecht et al. at ESORICS 2019, some versions of which are optimized and designed for use in post-quantum secure signatures. By investigating the potential threats of related-key attacks against GMiMC when deployed as the underlying building block in post-quantum signature schemes, we construct two kinds of iterative related-key differentials, from which we not only explore its security margin against related-key attacks, but also mount collision attacks on its key space. For example, for the GMiMC instance that beats the smallest signature size obtainable using LowMC, we can find a key collision using only about 2^10 key pairs. It is worth noting that our current key collision attack is only applicable when the adversarial power is sufficiently strong (e.g., in the so-called multi-user setting), and it does not threaten the one-wayness of GMiMC. Furthermore, from the experiments on our related-key differentials, it can be observed that the differential clustering effect of GMiMC differs in two respects: the choice of the finite field F being F_p or F_2^n, and the size of the finite field F.
    Submitted/Accepted version
    This research was funded by DFG Grant LU 608/9-1.

    Towards the links of cryptanalytic methods on MPC/FHE/ZK-friendly symmetric-key primitives

    No full text
    Symmetric-key primitives designed over the prime field F_p with odd characteristic, rather than the traditional F_2^n, are becoming the most popular choice for MPC/FHE/ZK protocols because of their better efficiency. However, the security of F_p primitives is less understood, as there are highly nontrivial gaps when extending the cryptanalysis tools and experience built on F_2^n over the past few decades to F_p. At CRYPTO 2015, Sun et al. established the links among impossible differential, zero-correlation linear, and integral cryptanalysis over F_2^n from the perspective of distinguishers. In this paper, following the definition of linear correlations over F_p by Baignères, Stern and Vaudenay at SAC 2007, we successfully establish comprehensive links over F_p, by reproducing the proofs and offering alternatives where necessary. Interesting and important differences between F_p and F_2^n are observed:
    - Zero-correlation linear hulls cannot lead to integral distinguishers in some cases over F_p, while this is always possible over F_2^n, as proven by Sun et al.
    - When the newly established links are applied to GMiMC, its impossible differential, zero-correlation linear hull and integral distinguishers can be increased by up to 3 rounds in most cases, and even to an arbitrary number of rounds in some special and limited cases that appear only over F_p. It should be noted that none of these distinguishers invalidate GMiMC's security claims.
    The development of the theories over F_p behind these links, and the properties identified (be they similar or different), will bring a clearer and easier understanding of the security of primitives in this emerging F_p setting, which we believe will provide useful guidance for future cryptanalysis and design.
    Ministry of Education (MOE); Nanyang Technological University; National Research Foundation (NRF)
    Published version
    This research is supported by the National Research Foundation, Singapore under its Strategic Capability Research Centres Funding Initiative, the Nanyang Technological University in Singapore under Start-up Grant 04INS000397C230, and Ministry of Education in Singapore under Grant RG91/20, the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the National Natural Science Foundation of China (Grant No. 62032014), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025), the National Key R&D Program of China (Grant No. 2022YFB2701700), Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053) and the National Natural Science Foundation of China (Grant No. 62002202).