Lossy Trapdoor Functions and Their Applications
Electronic Colloquium on Computational Complexity, Report No. 80, 2007
Cited by 125 (21 self)
Abstract:
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional Diffie-Hellman (DDH) problem and the worst-case hardness of standard lattice problems. Using lossy TDFs, we develop a new approach for constructing many important cryptographic primitives, including standard trapdoor functions, CCA-secure cryptosystems, collision-resistant hash functions, and more. All of our constructions are simple, efficient, and black-box. Taken all together, these results resolve some long-standing open problems in cryptography. They give the first known (injective) trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCA-secure cryptosystem based solely on worst-case lattice assumptions.
Better key sizes (and attacks) for LWE-based encryption
In CT-RSA, 2011
Cited by 68 (7 self)
Abstract:
We analyze the concrete security and key sizes of theoretically sound lattice-based encryption schemes based on the “learning with errors” (LWE) problem. Our main contributions are: (1) a new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff, which performs better than the simple distinguishing attack considered in prior analyses; (2) concrete parameters and security estimates for an LWE-based cryptosystem that is more compact and efficient than the well-known schemes from the literature. Our new key sizes are up to 10 times smaller than prior examples, while providing even stronger concrete security levels.
More constructions of lossy and correlation-secure trapdoor functions
Cryptology ePrint Archive, Report 2009/590, 2009
Cited by 38 (8 self)
Abstract:
We propose new and improved instantiations of lossy trapdoor functions (Peikert and Waters, STOC ’08), and correlation-secure trapdoor functions (Rosen and Segev, TCC ’09). Our constructions widen the set of number-theoretic assumptions upon which these primitives can be based, and are summarized as follows:
• Lossy trapdoor functions based on the quadratic residuosity assumption. Our construction relies on modular squaring, and whereas previous such constructions were based on seemingly stronger assumptions, we present the first construction that is based solely on the quadratic residuosity assumption. We also present a generalization to higher order power residues.
• Lossy trapdoor functions based on the composite residuosity assumption. Our construction guarantees essentially any required amount of lossiness, where at the same time the functions are more efficient than the matrix-based approach of Peikert and Waters.
• Lossy trapdoor functions based on the d-Linear assumption. Our construction both simplifies the DDH-based construction of Peikert and Waters, and admits a generalization to the whole family of d-Linear assumptions without any loss of efficiency.
• Correlation-secure trapdoor functions related to the hardness of syndrome decoding.
Keywords: Public-key encryption, lossy trapdoor functions, correlation-secure trapdoor functions. An extended abstract of this work appears in Public Key Cryptography — PKC 2010, Springer LNCS 6056
Lossy encryption: Constructions from general assumptions and efficient selective opening chosen ciphertext security
2009
Cited by 24 (1 self)
Abstract:
In this paper, we present new and general constructions of lossy encryption schemes. By applying results from Eurocrypt ’09, we obtain new general constructions of cryptosystems secure against Selective Opening Adversaries (SOA). Although it was recognized almost twenty years ago that SOA security was important, it was not until the recent breakthrough works of Hofheinz and Bellare, Hofheinz and Yilek that any progress was made on this fundamental problem. The Selective Opening problem is as follows: suppose an adversary receives n commitments (or encryptions) of (possibly) correlated messages, and now the adversary can choose n/2 of the messages, and receive decommitments (or decryptions and the randomness used to encrypt them). Do the unopened commitments (encryptions) remain secure? A protocol achieving this type of security is called secure against a selective opening adversary (SOA). This question arises naturally in the context of Byzantine Agreement and Secure Multiparty Computation, where an active adversary is able to eavesdrop on all the wires, and then choose a subset of players to corrupt. Unfortunately, the traditional definitions of security (IND-CPA, IND-CCA) do not guarantee security in this setting. In this paper:
• We formally define re-randomizable encryption and show that every re-randomizable encryption
Fully Leakage-Resilient Signatures
2010
Cited by 23 (3 self)
Abstract:
A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks. One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct the first fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1 − o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic
Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures
Cited by 22 (4 self)
Abstract:
We introduce the notion of automorphic signatures, which satisfy the following properties: the verification keys lie in the message space, messages and signatures consist of elements of a bilinear group, and verification is done by evaluating a set of pairing-product equations. These signatures make a perfect counterpart to the powerful proof system by Groth and Sahai (Eurocrypt 2008). We provide practical instantiations of automorphic signatures under appropriate assumptions and use them to construct the first efficient round-optimal blind signatures. By combining them with Groth-Sahai proofs, we moreover give practical instantiations of various other cryptographic primitives, such as fully-secure group signatures, non-interactive anonymous credentials and anonymous proxy signatures. To do so, we show how to transform signature schemes whose message space is a group to a scheme that signs arbitrarily many messages at once.
Standard Security Does Not Imply Security Against Selective-Opening
2012
Cited by 16 (6 self)
Abstract:
We show that no commitment scheme that is hiding and binding according to the standard definition is semantically secure under selective opening attack (SOA), resolving a long-standing and fundamental open question about the power of SOAs. We also obtain the first examples of IND-CPA encryption schemes that are not secure under SOA, both for sender corruptions where encryption coins are revealed and receiver corruptions where decryption keys are revealed. These results assume only the existence of collision-resistant hash functions.
All-but-many lossy trapdoor functions
In EUROCRYPT, 2012
Cited by 14 (3 self)
Abstract:
We put forward a generalization of lossy trapdoor functions (LTFs). Namely, all-but-many lossy trapdoor functions (ABM-LTFs) are LTFs that are parametrized with tags. Each tag can either be injective or lossy, which leads to an invertible or a lossy function. The interesting property of ABM-LTFs is that it is possible to generate an arbitrary number of lossy tags by means of a special trapdoor, while it is not feasible to produce lossy tags without this trapdoor. Our definition and construction can be seen as generalizations of all-but-one LTFs (due to Peikert and Waters) and all-but-N LTFs (due to Hemenway et al.). However, to achieve ABM-LTFs (and thus a number of lossy tags which is not bounded by any polynomial), we have to employ some new tricks. Concretely, we give two constructions that use “disguised” variants of the Waters, resp. Boneh-Boyen signature schemes to make the generation of lossy tags hard without the trapdoor. In a nutshell, lossy tags simply correspond to valid signatures. At the same time, tags are disguised (i.e., suitably blinded) to keep lossy tags indistinguishable from injective tags. ABM-LTFs are useful in settings in which there are a polynomial number of adversarial challenges (e.g., challenge ciphertexts). Specifically, building on work by Hemenway et al., we show that ABM-LTFs can be used to achieve selective opening security against chosen-ciphertext attacks. One of our ABM-LTF constructions thus yields the first SO-CCA secure encryption scheme with compact ciphertexts (O(1) group elements) whose efficiency does not depend on the number of challenges. Our second ABM-LTF construction yields an IND-CCA (and in fact SO-CCA) secure encryption scheme whose security reduction is independent of the number of challenges and decryption queries.
Semantically-Secure Functional Encryption: Possibility Results, Impossibility Results and the Quest for a General Definition
2012
Cited by 13 (0 self)
Abstract:
This paper explains that SS1-secure functional encryption (FE) as defined by Boneh, Sahai and Waters implicitly incorporates security under key-revealing selective opening attacks (SOA-K). This connection helps intuitively explain their impossibility results and also allows us to prove stronger ones. To fill this gap and move us closer to the (laudable) goal of a general and achievable notion of FE security, we seek and provide two “sans SOA-K” definitions of FE security that we call SS2 and SS3. We prove various possibility results about these definitions. We view our work as a first step towards the challenging goal of a general, meaningful and achievable notion of FE security.
Constant Round Non-Malleable Protocols using One Way Functions
Cited by 11 (3 self)
Abstract:
We provide the first constant round constructions of non-malleable commitment and zero-knowledge protocols based only on one-way functions. This improves upon several previous (incomparable) works which required either: (a) a super-constant number of rounds, or, (b) non-standard or sub-exponential hardness assumptions, or, (c) non-black-box simulation and collision resistant hash functions. These constructions also allow us to obtain the first constant round multiparty computation protocol by relying only on the existence of constant round oblivious transfer protocols. A simple modification of our commitment scheme gives a construction which makes use of the underlying one-way function in a black-box way. The modified construction satisfies a slightly weaker (yet natural) notion of non-malleability which still suffices to obtain a (fully) black-box multiparty computation protocol. This allows us to obtain a constant round multiparty computation protocol making only a black-box use of the standard cryptographic primitives with polynomial-time hardness.