{"title":"Compact NIZKs from Standard Assumptions on Bilinear Maps","authors":"Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, Takashi Yamakawa","doi":"10.1007/s00145-024-09503-8","DOIUrl":"https://doi.org/10.1007/s00145-024-09503-8","url":null,"abstract":"<p>A non-interactive zero-knowledge (NIZK) protocol enables a prover to convince a verifier of the truth of a statement, without leaking any other information, by sending a single message. The main focus of this work is on exploring short pairing-based NIZKs for all <span>\\(\\textbf{NP}\\)</span> languages based on standard assumptions. In this regime, the seminal work of Groth, Ostrovsky, and Sahai (J.ACM’12) (GOS-NIZK) is still considered to be the state of the art. Although fairly efficient, one drawback of GOS-NIZK is that the proof size is <i>multiplicative</i> in the size of the circuit computing the <span>\\(\\textbf{NP}\\)</span> relation. That is, the proof size grows by <span>\\(O(|C|\\kappa)\\)</span>, where <i>C</i> is the circuit for the <span>\\(\\textbf{NP}\\)</span> relation and <span>\\(\\kappa\\)</span> is the security parameter. By now, there have been numerous follow-up works focusing on shortening the proof size of pairing-based NIZKs; however, thus far, all of them come at the cost of relying either on a non-standard knowledge-type assumption or on a non-static <i>q</i>-type assumption. Specifically, improving the proof size of the original GOS-NIZK under the same standard assumption has remained an open problem. Our main result is a construction of a pairing-based NIZK for all of <span>\\(\\textbf{NP}\\)</span> whose proof size is <i>additive</i> in |<i>C</i>|, that is, the proof size only grows by <span>\\(|C| + \\textsf{poly}(\\kappa)\\)</span>, based on the computational Diffie-Hellman assumption over specific pairing-free groups and the decisional linear (DLIN) assumption. As by-products of our main result, we also obtain the following two results: (1) We construct a <i>perfectly zero-knowledge</i> NIZK (NIPZK) for <span>\\(\\textbf{NP}\\)</span> relations computable in <span>\\(\\textbf{NC}^1\\)</span> with proof size <span>\\(|w| \\cdot \\textsf{poly}(\\kappa)\\)</span>, where |<i>w</i>| is the witness length, based on the DLIN assumption. This is the first pairing-based NIPZK for a non-trivial class of <span>\\(\\textbf{NP}\\)</span> languages whose proof size is independent of |<i>C</i>| based on a standard assumption. (2) We construct a universally composable (UC) NIZK for <span>\\(\\textbf{NP}\\)</span> relations computable in <span>\\(\\textbf{NC}^1\\)</span> in the erasure-free adaptive setting whose proof size is <span>\\(|w| \\cdot \\textsf{poly}(\\kappa)\\)</span> from the DLIN assumption. This is an improvement over the recent result of Katsumata, Nishimaki, Yamada, and Yamakawa (CRYPTO’19), which gave a similar result based on a non-static <i>q</i>-type assumption. The main building block for all of our NIZKs is a constrained signature scheme with <i>decomposable online-offline efficiency</i>. This is a property which we newly introduce in this paper and construct from the DLIN assumption. We believe this construction is of independent interest.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"43 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-05-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140941163","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Watermarking PRFs and PKE Against Quantum Adversaries","authors":"Fuyuki Kitagawa, Ryo Nishimaki","doi":"10.1007/s00145-024-09500-x","DOIUrl":"https://doi.org/10.1007/s00145-024-09500-x","url":null,"abstract":"<p>We initiate the study of software watermarking against quantum adversaries. A quantum adversary generates a <i>quantum state</i> as pirate software that potentially removes an embedded message from <i>classical</i> marked software. Extracting an embedded message from quantum pirate software is difficult since measurement could irreversibly alter the quantum state. In software watermarking against classical adversaries, a message extraction algorithm crucially uses the (input–output) behavior of classical pirate software to extract an embedded message. Even if we instantiate existing watermarking PRFs with quantum-safe building blocks, it is not clear whether they are secure against quantum adversaries due to the quantum-specific property above. Thus, we need entirely new techniques to achieve software watermarking against quantum adversaries.</p><p>In this work, we define secure watermarking PRFs and PKE for quantum adversaries (unremovability against quantum adversaries). We also present two watermarking PRFs and one watermarking PKE as follows.</p><ul><li><p>We construct a privately extractable watermarking PRF against quantum adversaries from the quantum hardness of the learning with errors (LWE) problem. The marking and extraction algorithms use a public parameter and a private extraction key, respectively. The watermarking PRF is unremovable even if adversaries have (the public parameter and) access to the extraction oracle, which returns the result of extraction for a queried quantum circuit.</p></li><li><p>We construct a publicly extractable watermarking PRF against quantum adversaries from indistinguishability obfuscation and the quantum hardness of the LWE problem. The marking and extraction algorithms use a public parameter and a public extraction key, respectively. The watermarking PRF is unremovable even if adversaries have the extraction key (and the public parameter).</p></li><li><p>We construct a publicly extractable watermarking PKE against quantum adversaries from standard PKE. The marking algorithm can directly generate a marked decryption from a decryption key, and the extraction algorithm uses a public key of the PKE scheme for extraction.</p></li></ul><p>We develop a quantum extraction technique to extract information (a classical string) from a quantum state without destroying the state too much. We also introduce the notions of extraction-less watermarking PRFs and PKE as crucial building blocks; combining them with our quantum extraction technique yields the results above.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"23 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-04-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140805502","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cryptographic Primitives with Hinting Property","authors":"Navid Alamati, Sikhar Patranabis","doi":"10.1007/s00145-024-09502-9","DOIUrl":"https://doi.org/10.1007/s00145-024-09502-9","url":null,"abstract":"<p>A <i>hinting</i> pseudorandom generator (PRG) is a potentially stronger variant of PRG with a “deterministic” form of circular security with respect to the seed of the PRG (Koppula and Waters, in: Boldyreva and Micciancio (eds) CRYPTO 2019, Part II, volume 11693 of LNCS, pp. 671–700, Springer, Heidelberg, 2019). Hinting PRGs enable many cryptographic applications, most notably CCA-secure public-key encryption and trapdoor functions. In this paper, we study cryptographic primitives with the hinting property, yielding the following results:</p><ul><li><p>We present a novel and conceptually simpler approach for designing hinting PRGs from certain decisional assumptions over cyclic groups or isogeny-based group actions, which enables simpler security proofs as compared to the existing approaches for designing such primitives. We also show that the same design approach yields a generic construction of hinting PRGs from a simple cryptographic primitive with algebraic structure, namely a key-homomorphic weak PRF.</p></li><li><p>We introduce <i>hinting</i> pseudorandom functions (PRFs) and <i>hinting</i> weak PRFs, which are natural extensions of the hinting property to PRFs and weak PRFs. We show how to realize circular/KDM-secure symmetric-key encryption from any hinting weak PRF. We demonstrate that our simple approach for building hinting PRGs can be extended to realize hinting weak PRFs from the same set of decisional assumptions. We also show a generic construction of hinting (weak) PRFs from any hinting PRG with certain structural properties, thus yielding the first constructions of symmetric-key encryption with full-fledged circular/KDM-security from such hinting PRGs.</p></li><li><p>We propose a stronger version of the hinting property, which we call the <i>functional</i> hinting property, that guarantees security even in the presence of hints about functions of the secret seed/key. We show how to instantiate functional hinting PRGs/weak PRFs for certain (families of) functions by building upon our simple techniques for realizing plain hinting PRGs/weak PRFs. We also demonstrate the applicability of a functional hinting weak PRF with certain algebraic properties in realizing KDM-secure public-key encryption in a black-box manner.</p></li><li><p>We show the first black-box separation between hinting PRFs (and hence, hinting PRGs) and public-key encryption using simple realizations of these primitives given only a random oracle.</p></li></ul>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"32 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140805508","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Analysis of Multivariate Encryption Schemes: Application to Dob and $${C}^{*}$$","authors":"Morten Øygarden, Patrick Felke, Håvard Raddum","doi":"10.1007/s00145-024-09501-w","DOIUrl":"https://doi.org/10.1007/s00145-024-09501-w","url":null,"abstract":"<p>A common strategy for constructing multivariate encryption schemes is to use a central map that is easy to invert over an extension field, along with a small number of modifications to thwart potential attacks. In this work, we study the effectiveness of these modifications by deriving estimates for the number of degree fall polynomials. After developing the necessary tools, we focus on encryption schemes using the <span>\\(C^*\\)</span> and Dobbertin central maps, with the internal perturbation (<i>ip</i>) and <span>\\(Q_+\\)</span> modifications. For these constructions, we are able to accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree 5 for the Dob encryption scheme and degree 4 for <span>\\(C^*\\)</span>. The predictions remain accurate even when fixing variables. Based on this new theory, we design a novel attack on Dob, which completely recovers the secret key for the parameters suggested by its designers. Due to the generality of the presented techniques, we also believe that they are of interest to the analysis of other big-field schemes.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"51 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140627756","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Optimizing Rectangle and Boomerang Attacks: A Unified and Generic Framework for Key Recovery","authors":"Qianqian Yang, Ling Song, Nana Zhang, Danping Shi, Libo Wang, Jiahao Zhao, Lei Hu, Jian Weng","doi":"10.1007/s00145-024-09499-1","DOIUrl":"https://doi.org/10.1007/s00145-024-09499-1","url":null,"abstract":"<p>The rectangle attack has been shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case, and in many applications the resulting attacks are not optimal. In this paper, we delve into rectangle key recovery and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Not only does it encompass the four existing rectangle key recovery algorithms, but it also reveals five new types of attacks that were previously overlooked. Further, we put forward a counterpart for boomerang key recovery attacks, which likewise supports any possible attacking parameters. Along with these new key recovery algorithms, we propose a framework to automatically determine the best parameters for the attack. To demonstrate the efficiency of the new key recovery algorithms, we apply them to <span>Serpent</span>, <span>AES</span>-192, <span>CRAFT</span>, <span>SKINNY</span>, and <span>Deoxys-BC</span>-256 based on existing distinguishers, yielding a series of improved attacks.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"55 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140568912","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Bitcoin as a Transaction Ledger: A Composable Treatment","authors":"Christian Badertscher, Ueli Maurer, Daniel Tschudi, Vassilis Zikas","doi":"10.1007/s00145-024-09493-7","DOIUrl":"https://doi.org/10.1007/s00145-024-09493-7","url":null,"abstract":"<p>Bitcoin is one of the most prominent examples of a distributed cryptographic protocol that is extensively used in practice. Nonetheless, existing security proofs are property-based, and as such they do not support composition. In this work, we put forth a universally composable treatment of the Bitcoin protocol. We specify the goal that Bitcoin aims to achieve as an instance of a parameterizable ledger functionality and present a UC abstraction of the Bitcoin blockchain protocol. Our ideal functionality is weaker than the first proposed candidate by Kiayias, Zhou, and Zikas [EUROCRYPT’16], but unlike the latter suggestion, which is arguably not implementable by the UC Bitcoin protocol, we prove that the one proposed here is securely UC-realized by the protocol assuming access to a global clock (to model time-based executions), a random oracle (to model hash functions), and an idealized network (to model message dissemination). We further show how known property-based approaches can be cast as special instances of our treatment and how their underlying assumptions can be cast in UC as part of the setup functionalities, without restricting the environment or the adversary.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"10 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-04-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140569038","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"(Continuous) Non-malleable Codes for Partial Functions with Manipulation Detection and Light Updates","authors":"Aggelos Kiayias, Feng-Hao Liu, Yiannis Tselekounis","doi":"10.1007/s00145-024-09498-2","DOIUrl":"https://doi.org/10.1007/s00145-024-09498-2","url":null,"abstract":"<p>Non-malleable codes were introduced by Dziembowski et al. (in: Yao (ed) ICS 2010, Tsinghua University Press, 2010), and their main application is the protection of cryptographic devices against tampering attacks on memory. In this work, we initiate a comprehensive study of non-malleable codes for the class of partial functions, which read/write an arbitrary subset of codeword bits of a specific cardinality. We present two constructions: the first is in the CRS model and allows the adversary to selectively choose the subset of codeword bits, while the second is in the standard model and adaptively secure. Our constructions are efficient in terms of information rate, while allowing the attacker to access asymptotically almost the entire codeword. In addition, they satisfy a notion stronger than non-malleability, which we call non-malleability with manipulation detection, guaranteeing that any modified codeword decodes to either the original message or to <span>\\(\\bot\\)</span>. We show that our primitive implies All-Or-Nothing Transforms (AONTs), and as a result our constructions yield efficient AONTs under standard assumptions (only one-way functions), which, to the best of our knowledge, was an open question until now. Furthermore, we construct a notion of continuous non-malleable codes (CNMC), namely CNMC with light updates, that avoids the full re-encoding process and only uses shuffling and refreshing operations. Finally, we present a number of additional applications of our primitive in tamper resilience.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"40 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-04-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140568731","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Bandwidth-Hard Functions: Reductions and Lower Bounds","authors":"Jeremiah Blocki, Peiyuan Liu, Ling Ren, Samson Zhou","doi":"10.1007/s00145-024-09497-3","DOIUrl":"https://doi.org/10.1007/s00145-024-09497-3","url":null,"abstract":"<p>Memory Hard Functions (MHFs) have been proposed as an answer to the growing inequality between the computational speed of general purpose CPUs and ASICs. MHFs have seen widespread applications including password hashing, key stretching and proofs of work. Several metrics have been proposed to quantify the memory hardness of a function. Cumulative memory complexity (CMC) quantifies the cost to acquire/build the hardware to evaluate the function repeatedly at a given rate. By contrast, bandwidth hardness quantifies the energy costs of evaluating this function. Ideally, a good MHF would be both bandwidth hard and have high CMC. While the CMC of leading MHF candidates is well understood, little is known about the bandwidth hardness of many prominent MHF candidates. Our contributions are as follows: First, we provide the first reduction proving that, in the parallel random oracle model (pROM), the bandwidth hardness of a data-independent MHF (iMHF) is described by the red–blue pebbling cost of the directed acyclic graph associated with that iMHF. Second, we show that the goals of designing an MHF with high CMC/bandwidth hardness are well aligned. Any function (data-independent or not) with high CMC also has relatively high bandwidth costs. Third, we prove that in the pROM the prominent iMHF candidates such as Argon2i, aATSample and DRSample are maximally bandwidth hard. Fourth, we prove the first unconditional tight lower bound on the bandwidth hardness of a prominent data-dependent MHF called Scrypt in the pROM. Finally, we show that the problem of finding the minimum cost red–blue pebbling of a directed acyclic graph is NP-hard.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"33 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-03-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140116355","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The COLM Authenticated Encryption Scheme","authors":"","doi":"10.1007/s00145-024-09492-8","DOIUrl":"https://doi.org/10.1007/s00145-024-09492-8","url":null,"abstract":"<p>In this work we present the COLM authenticated encryption (AE) scheme, which is the second of the two winners in the <em>defense in depth</em> category of the CAESAR competition. COLM realizes nonce-based authenticated encryption with associated data and uses the popular AES blockcipher as its underlying primitive. We propose two possible blockcipher instantiations (with key of length 128 or 256 bits). We also define two COLM modes of operation variants: a primary COLM<span>\\(_0\\)</span> mode for general purpose applications, and a COLM<span>\\(_{\\tau}\\)</span> variant with intermediate tag generation/verification geared to support low-end devices and applications where frequent verification is required. COLM is designed with security, simplicity, and efficiency in mind. The main design goal of COLM is <em>high security</em>: a primary feature of the defense in depth CAESAR category. COLM provides security beyond the traditional AE security. First, COLM is <em>secure against nonce misuse</em>, namely, it enables security in adversarial settings where the nonce inputs to the AE scheme repeat. In contrast to standardized and popular AE algorithms, such as GCM and OCB1-3 modes, whose AE security trivially breaks down when the nonce is repeated, COLM ensures both confidentiality and authenticity (AE) security with repeated nonces. Second, our COLM<span>\\(_{\\tau}\\)</span> variant enables increased security levels in situations where <em>release of unverified ciphertext</em> (RUP) occurs, due to its ability to limit potential leakage by frequent verifications. In this work we prove COLM secure with respect to both confidentiality and authenticity (AE) security under nonce misuse in the well-known provable security framework. Our proofs show that COLM maintains <em>n</em>/2-bit security levels for block sizes of <em>n</em> bits. Furthermore, due to the inherent parallelism on both mode and primitive levels, our software performance results show that the enhanced security comes at the cost of only minimal efficiency losses. More concretely, we implement GCM, COLM, and Deoxys-II on the Kaby Lake and Coffee Lake Intel platforms. Compared to the other winner in the defense in depth category, Deoxys-II, our AE design COLM<span>\\(_0\\)</span> performs 10–20% faster for the 128-bit key version. Regarding the 256-bit key versions, COLM<span>\\(_0\\)</span> is around 5% faster for short messages and 2% slower than Deoxys-II for longer messages.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"88 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-03-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140076460","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Collision Resistance from Multi-collision Resistance","authors":"","doi":"10.1007/s00145-024-09495-5","DOIUrl":"https://doi.org/10.1007/s00145-024-09495-5","url":null,"abstract":"<p>Collision-resistant hash functions (<span>\\(\\textsf{CRH}\\)</span>) are a fundamental and ubiquitous cryptographic primitive. Several recent works have studied a relaxation of <span>\\(\\textsf{CRH}\\)</span> called <em>t</em><em>-way multi-collision-resistant hash functions</em> (<span>\\(t\\text{-}\\textsf{MCRH}\\)</span>). These are families of functions for which it is computationally hard to find a <em>t</em>-way collision, even though such collisions are abundant (and even <span>\\((t-1)\\)</span>-way collisions may be easy to find). The case of <span>\\(t=2\\)</span> corresponds to standard <span>\\(\\textsf{CRH}\\)</span>, but it is natural to study <em>t</em>-<span>\\(\\textsf{MCRH}\\)</span> for larger values of <em>t</em>. Multi-collision resistance seems to be a qualitatively weaker property than standard collision resistance. Nevertheless, in this work we show a <em>non-blackbox</em> transformation of any moderately shrinking <em>t</em>-<span>\\(\\textsf{MCRH}\\)</span>, for <span>\\(t \\in \\{3,4\\}\\)</span>, into an (infinitely often secure) <span>\\(\\textsf{CRH}\\)</span>. This transformation is non-constructive—we can prove the existence of a <span>\\(\\textsf{CRH}\\)</span> but cannot explicitly point out a construction. Our result partially extends to larger values of <em>t</em>. In particular, we show that for suitable values of <span>\\(t>t'\\)</span>, we can transform a <em>t</em>-<span>\\(\\textsf{MCRH}\\)</span> into a <span>\\(t'\\)</span>-<span>\\(\\textsf{MCRH}\\)</span>, at the cost of reducing the shrinkage of the resulting hash function family and settling for infinitely often security. This result utilizes the list-decodability properties of Reed–Solomon codes.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"11 1","pages":""},"PeriodicalIF":3.0,"publicationDate":"2024-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140056047","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}