{"title":"Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness","authors":"Akinori Hosoyamada, Takashi Yamakawa","doi":"10.1007/s00145-024-09517-2","DOIUrl":"https://doi.org/10.1007/s00145-024-09517-2","url":null,"abstract":"<p>Since the celebrated work of Impagliazzo and Rudich (STOC 1989), a number of black-box impossibility results have been established. However, these works only ruled out classical black-box reductions among cryptographic primitives. Therefore, it may be possible to overcome these impossibility results by using quantum reductions. To exclude such a possibility, we have to extend these impossibility results to the quantum setting. In this paper, we study black-box impossibility in the quantum setting. We first formalize a quantum counterpart of fully black-box reduction following the formalization by Reingold, Trevisan and Vadhan (TCC 2004). Then we prove that there is no quantum fully black-box reduction from collision-resistant hash functions to one-way permutations (or even trapdoor permutations). We take both of classical and quantum implementations of primitives into account. This is an extension to the quantum setting of the work of Simon (Eurocrypt 1998) who showed a similar result in the classical setting.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"29 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142177584","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Randomness Recoverable Secret Sharing Schemes","authors":"Mohammad Hajiabadi, Shahram Khazaei, Behzad Vahdani","doi":"10.1007/s00145-024-09515-4","DOIUrl":"https://doi.org/10.1007/s00145-024-09515-4","url":null,"abstract":"<p>It is well-known that randomness is essential for secure cryptography. The randomness used in cryptographic primitives is not necessarily recoverable even by the party who can, e.g., decrypt or recover the underlying secret/message. Several cryptographic primitives that support randomness recovery have turned out useful in various applications. In this paper, we study <i>randomness recoverable secret sharing schemes</i> (RR-SSS), in both information-theoretic and computational settings and provide two results. First, we show that while every access structure admits a perfect RR-SSS, there are very simple access structures (e.g., in monotone <span>\\(\\textsf{AC}^0\\)</span>) that do not admit efficient perfect (or even statistical) RR-SSS. Second, we show that the existence of efficient computational RR-SSS for certain access structures in monotone <span>\\(\\textsf{AC}^0\\)</span> implies the existence of one-way functions. This stands in sharp contrast to (non-RR) SSS schemes for which no such results are known. RR-SSS plays a key role in making advanced attribute-based encryption schemes randomness recoverable, which in turn have applications in the context of designated-verifier non-interactive zero knowledge.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"10 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142177581","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Memory-Efficient Attacks on Small LWE Keys","authors":"Andre Esser, Arindam Mukherjee, Santanu Sarkar","doi":"10.1007/s00145-024-09516-3","DOIUrl":"https://doi.org/10.1007/s00145-024-09516-3","url":null,"abstract":"<p>Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length <i>n</i> we improve the best known time complexity for <i>polynomial memory</i> algorithms from <span>\\(2^{1.063n}\\)</span> down to <span>\\(2^{0.926n}\\)</span>. We obtain even larger gains for LWE secrets in <span>\\(\\{-m,\\ldots,m\\}^n\\)</span> with <span>\\(m=2,3\\)</span> as found in Kyber and Dilithium. For example, for uniformly random keys in <span>\\(\\{-2,\\ldots,2\\}^n\\)</span> as is the case for Dilithium we improve the previously best time under polynomial memory restriction from <span>\\(2^{1.742n}\\)</span> down to <span>\\(2^{1.282n}\\)</span>. Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"4 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142177582","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of a Prevailing Assumption","authors":"Mihir Bellare, Anna Lysyanskaya","doi":"10.1007/s00145-024-09513-6","DOIUrl":"https://doi.org/10.1007/s00145-024-09513-6","url":null,"abstract":"<p>A two-input function is a dual PRF if it is a PRF when keyed by either of its inputs. Dual PRFs are assumed in the design and analysis of numerous primitives and protocols including HMAC, AMAC, TLS 1.3 and MLS. But, not only do we not know whether particular functions on which the assumption is made really are dual PRFs; we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain two specific symmetric and dual PRFs, the first assuming any collision-resistant hash function and the second assuming any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"43 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-08-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142177583","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Price of Active Security in Cryptographic Protocols","authors":"Carmit Hazay, Muthuramakrishnan Venkitasubramaniam, Mor Weiss","doi":"10.1007/s00145-024-09509-2","DOIUrl":"https://doi.org/10.1007/s00145-024-09509-2","url":null,"abstract":"<p>We construct the first actively-secure Multi-Party Computation (MPC) protocols with an <i>arbitrary</i> number of parties in the dishonest majority setting, for an <i>arbitrary</i> field <span>\\(\\mathbb{F}\\)</span> with <i>constant communication overhead</i> over the “passive-GMW” protocol (Goldreich, Micali and Wigderson, STOC ‘87). Our protocols rely on passive implementations of Oblivious Transfer (OT) in the Boolean setting and Oblivious Linear function Evaluation (OLE) in the arithmetic setting. Previously, such protocols were only known over sufficiently large fields (Genkin et al. STOC ‘14) or a constant number of parties (Ishai et al. CRYPTO ‘08). Conceptually, our protocols are obtained via a new compiler from a passively-secure protocol for a distributed multiplication functionality <span>\\(\\mathcal{F}_{\\scriptscriptstyle\\textrm{MULT}}\\)</span>, to an actively-secure protocol for general functionalities. Roughly, <span>\\(\\mathcal{F}_{\\scriptscriptstyle\\textrm{MULT}}\\)</span> is parameterized by a linear-secret sharing scheme <span>\\(\\mathcal{S}\\)</span>, where it takes <span>\\(\\mathcal{S}\\)</span>-shares of two secrets and returns <span>\\(\\mathcal{S}\\)</span>-shares of their product. We show that our compilation is concretely efficient for sufficiently large fields, resulting in an overhead of 2 when securely computing natural circuits. Our compiler has two additional benefits: (1) It can rely on <i>any</i> passive implementation of <span>\\(\\mathcal{F}_{\\scriptscriptstyle\\textrm{MULT}}\\)</span>, which, besides the standard implementation based on OT (for Boolean) and OLE (for arithmetic), allows us to rely on implementations based on threshold cryptosystems (Cramer et al. Eurocrypt ‘01), and (2) it can rely on weaker-than-passive (i.e., imperfect/leaky) implementations, which in some parameter regimes yield actively-secure protocols with overhead less than 2. Instantiating this compiler with an “honest-majority” implementation of <span>\\(\\mathcal{F}_{\\scriptscriptstyle\\textrm{MULT}}\\)</span>, we obtain the first honest-majority protocol (with up to one-third corruptions) for Boolean circuits with constant communication overhead over the best passive protocol (Damgård and Nielsen, CRYPTO ‘07).</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"39 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141574259","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Lattice-Based Polynomial Commitments: Towards Asymptotic and Concrete Efficiency","authors":"Giacomo Fenzi, Hossein Moghaddas, Ngoc Khanh Nguyen","doi":"10.1007/s00145-024-09511-8","DOIUrl":"https://doi.org/10.1007/s00145-024-09511-8","url":null,"abstract":"<p>Polynomial commitments schemes are a powerful tool that enables one party to commit to a polynomial <i>p</i> of degree <i>d</i>, and prove that the committed function evaluates to a certain value <i>z</i> at a specified point <i>u</i>, i.e. <span>\\(p(u) = z\\)</span>, without revealing any additional information about the polynomial. Recently, polynomial commitments have been extensively used as a cryptographic building block to transform polynomial interactive oracle proofs (PIOPs) into efficient succinct arguments. In this paper, we propose a lattice-based polynomial commitment that achieves succinct proof size and verification time in the degree <i>d</i> of the polynomial. Extractability of our scheme holds in the random oracle model under a natural ring version of the BASIS assumption introduced by Wee and Wu (EUROCRYPT 2023). Unlike recent constructions of polynomial commitments by Albrecht et al. (CRYPTO 2022), and by Wee and Wu, we do not require any expensive preprocessing steps, which makes our scheme particularly attractive as an ingredient of a PIOP compiler for succinct arguments. We further instantiate our polynomial commitment, together with the <span>Marlin</span> PIOP (EUROCRYPT 2020), to obtain a publicly-verifiable trusted-setup succinct argument for Rank-1 Constraint System (R1CS). Performance-wise, we achieve <span>\\(17\\)</span>MB proof size for <span>\\(2^{20}\\)</span> constraints, which is <span>\\(15\\)</span>X smaller than currently the only publicly-verifiable lattice-based SNARK proposed by Albrecht et al.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"78 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141574260","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes","authors":"David Derler, Kai Samelin, Daniel Slamanig","doi":"10.1007/s00145-024-09510-9","DOIUrl":"https://doi.org/10.1007/s00145-024-09510-9","url":null,"abstract":"<p>Chameleon-hash functions, introduced by Krawczyk and Rabin (NDSS’00), are trapdoor collision-resistant hash functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash function can be found efficiently. Chameleon-hash functions have prominent applications in the design of cryptographic primitives, such as lifting non-adaptively secure signatures to adaptively secure ones. Recently, this primitive also received a lot of attention as a building block in more complex cryptographic applications, ranging from editable blockchains to advanced signature and encryption schemes. We observe that, in latter applications, various different notions of collision-resistance are used, and it is not always clear if the respective notion really covers what seems intuitively required by the application. Therefore, we revisit existing collision-resistance notions in the literature, study their relations, and by means of selected applications discuss which practical impact different notions of collision-resistance might have. Moreover, we provide a stronger, and arguably more desirable, notion of collision-resistance than what is known from the literature (which we call full collision-resistance). Finally, we present a surprisingly simple, and efficient, black-box construction of chameleon-hash functions achieving this strong notion of full collision-resistance.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"23 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141512674","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Algebraically Structured LWE, Revisited","authors":"Chris Peikert, Zachary Pepin","doi":"10.1007/s00145-024-09508-3","DOIUrl":"https://doi.org/10.1007/s00145-024-09508-3","url":null,"abstract":"<p>In recent years, there has been a proliferation of <i>algebraically structured</i> Learning With Errors (LWE) variants, including Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, and Middle-Product LWE, and a web of reductions to support their hardness, both among these problems themselves and from related worst-case problems on structured lattices. However, these reductions are often difficult to interpret and use, due to the complexity of their parameters and analysis, and most especially their (frequently large) blowup and distortion of the error distributions. In this paper, we unify and simplify this line of work. First, we give a general framework that encompasses <i>all</i> proposed LWE variants (over commutative base rings) and in particular unifies all prior “algebraic” LWE variants defined over number fields. We then use this framework to give much simpler, more general, and tighter reductions from Ring-LWE to other algebraic LWE variants, including Module-LWE, Order-LWE, and Middle-Product LWE. In particular, all of our reductions have easy-to-analyze and frequently small error expansion; in most cases, they even leave the error unchanged. A main message of our work is that it is straightforward to use the hardness of the original Ring-LWE problem as a foundation for the hardness of all other algebraic LWE problems defined over number fields, via simple and rather tight reductions.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"162 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141506943","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $$\\varvec{\\Sigma}$$ -Protocols","authors":"Lior Rotem, Gil Segev","doi":"10.1007/s00145-024-09506-5","DOIUrl":"https://doi.org/10.1007/s00145-024-09506-5","url":null,"abstract":"<p>The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order <i>p</i> where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known <i>t</i>-time attacks on the Schnorr identification and signature schemes have success probability <span>\\(t^2/p\\)</span>, whereas existing proofs of security only rule out attacks with success probabilities <span>\\((t^2/p)^{1/2}\\)</span> and <span>\\((q_{\\textsf{H}} \\cdot t^2/p)^{1/2}\\)</span>, respectively, where <span>\\(q_{\\textsf{H}}\\)</span> denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from <span>\\(\\Sigma\\)</span>-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “<i>d</i>-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the <i>d</i>th moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any <i>t</i>-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most <span>\\((t^2/p)^{2/3}\\)</span> and <span>\\((q_{\\textsf{H}} \\cdot t^2/p)^{2/3}\\)</span>, respectively.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"27 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141551895","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Simple Constructions from (Almost) Regular One-Way Functions","authors":"Noam Mazor, Jiapeng Zhang","doi":"10.1007/s00145-024-09507-4","DOIUrl":"https://doi.org/10.1007/s00145-024-09507-4","url":null,"abstract":"<p>Two of the most useful cryptographic primitives that can be constructed from one-way functions are <i>pseudorandom generators</i> (PRGs) and <i>universal one-way hash functions</i> (UOWHFs). In order to implement them in practice, the efficiency of such constructions must be considered. The three major efficiency measures are: the <i>seed length</i>, the <i>call complexity</i> to the one-way function, and the <i>adaptivity</i> of these calls. Still, the optimal efficiency of these constructions is not yet fully understood: there exist gaps between the known upper bound and the known lower bound for black-box constructions. A special class of one-way functions called <i>unknown-regular</i> one-way functions is much better understood. Haitner, Harnik and Reingold (CRYPTO 2006) presented a PRG construction with semi-linear seed length and linear number of calls based on a method called <i>randomized iterate</i>. Ames, Gennaro and Venkitasubramaniam (ASIACRYPT 2012) then gave a construction of UOWHF with similar parameters and using similar ideas. On the other hand, Holenstein and Sinha (FOCS 2012) and Barhum and Holenstein (TCC 2013) showed an almost linear call-complexity lower bound for black-box constructions of PRGs and UOWHFs from one-way functions. Hence, Haitner et al. and Ames et al. reached <i>tight</i> constructions (in terms of seed length and the number of calls) of PRGs and UOWHFs from regular one-way functions. These constructions, however, are adaptive. In this work, we present non-adaptive constructions for both primitives which match the optimal call complexity given by Holenstein and Sinha and Barhum and Holenstein. Our constructions, besides being simple and non-adaptive, are robust also for <i>almost-regular</i> one-way functions.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"44 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141189453","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}