DOCSLIB.ORG

NTT Technical Review, Jan. 2008, Vol. 6, No. 1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
NTT Technical Review, Jan. 2008, Vol. 6, No. 1 Selected Papers: Research Activities in Laboratories of New Fellows Part II New Paradigm for Practical Cryptosystems without Random Oracles Tatsuaki Okamoto† Abstract This paper introduces a new paradigm for making various types of cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman assumption, target collision resistant hash functions, and a class of pseudo- random functions. It describes a new two-pass authenticated key exchange (AKE) protocol (based on the public key infrastructure model) that is comparable in efficiency to the most efficient of the existing protocols and secure (under these assumptions), whereas existing efficient two-pass AKE protocols are secure in the random oracle model. This protocol is shown to be secure in the (currently) strongest secu- rity definition, the extended Canetti-Krawczyk (eCK) security definition. This paper also describes a key encapsulation mechanism (KEM) that is secure against adaptive chosen ciphertext attacks (i.e., CCA- secure) under these assumptions and almost as efficient as the Kurosawa-Desmedt KEM. The schemes presented this paper are validity-check-free, which implies that combining them with validity-check-free symmetric encryption (data encryption mechanism) will yield validity-check-free (e.g., free of message authentication code) CCA-secure hybrid encryption. 1. Introduction The most common paradigm for designing practi- cal public-key cryptosystems that are secure in the The concept of public-key cryptosystems was standard model is to combine a trapdoor function introduced by Diffie and Hellman in 976 to solve the (e.g., Diffie-Hellman or RSA (Rivest, Shamir, Adle- key agreement problem over insecure networks (like man) function) and target collision resistance (TCR) the Internet). The standard security notion of a pub- hash functions, where the security is proven under a lic-key cryptosystem (encryption) is security against trapdoor function assumption (e.g., DDH (decisional adaptive chosen ciphertext attacks (i.e., CCA-securi- Diffie-Hellman) or strong RSA assumption) and the ty), and there are two major methodologies for TCR hash function assumption [3]–[5]. This paper designing practical CCA-secure public-key encryp- introduces a new paradigm for designing practical tion: one is based on the random oracle model and the public-key cryptosystems, where a class of pseudo- other on the standard model. A CCA-secure scheme random functions (PRFs) PRFs with pairwise-inde- in the standard model provides a real security guaran- pendent random sources (πPRFs), is used in addition tee, whereas a CCA-secure scheme in the random to a trapdoor function (Diffie-Hellman function) and oracle model is guaranteed to be secure under unreal- TCR hash function. istic idealization of a hash function as an ideal ran- The concept of a PRF was introduced by Goldreich, dom function. One of the most important topics for Goldwasser, and Micali [6]. The PRF has been shown the last ten years has been to design a truly practical to exist if and only if a one-way function exists [6], public-key cryptosystems in the standard model*. [7]. Therefore, the existence of a PRF is one of the weakest assumptions, so it is one of the most funda- † NTT Information Sharing Platform Laboratories Musashino-shi, 80-8585 Japan * For a general explanation of the standard model and random ora- Email: [email protected] cle model, see for example [], [2]. NTT Technical Review Selected Papers: Research Activities in Laboratories of New Fellows Part II mental primitives in cryptography*2. 2. Preliminaries Since a TCR hash function (and the slightly more general concept of the universal one-way hash func- 2.1 Notation − tion) has also been shown to exist if and only if a is the set of natural numbers and is the set of one-way function exists [9], [0], the TCR hash func- real numbers. denotes a null string. − tion and PRF are on the same level as (the most) A function f : → is negligible in k, if for every fundamental primitives in cryptography. In practice, constant c > 0, there exists integer n such that f(k) < a well-designed efficient hash function can be k−c for all k > n. assumed to be a TCR hash function, and such a hash If A is a probabilistic machine or algorithm, A( ) function with a random seed as part of the input (or a denotes the random variable of A’s output on input . keyed hash function) can be assumed to be a PRF Then, ← A( ) denotes that is randomly selected (and a πPRF). from A( ) according to its distribution. If a is a value, Authenticated key exchange (AKE) protocols have A( ) → a denotes the event that A outputs a on input been extensively studied to enhance the security of . If A is a set, ← A denotes that is uniformly the Diffie-Hellman (DH) key exchange protocol, selected from A. If A is a value, ← A denotes that which was proposed in 976, because the DH proto- is set to A. col is not secure against the man-in-the-middle In this paper, the underlying machines are consid- attack[]–[7]. ered to be uniform Turing machines, but the results This paper presents a two-pass AKE protocol that can easily be extended to non-uniform Turing has the following properties. machines. It is comparable in efficiency to MQV [6], HMQV [4], and CMQV [7] (the scheme’s 2.2 Decisional Diffie-Hellman (DDH) assump- message size for one party is that of MQV plus tion the size of three group elements, and the compu- Let k be a security parameter and be a group with tational complexity for a session of this scheme security parameter k, where the order of is prime p is around 3.7 group exponentiations, while that and |p| = k. Let { }k be the set of groups with secu- of MQV is around 2.2 group exponentiations). rity parameter k. 2. The assumption and model for its proof of secu- For all k∈ , we define the sets and as fol- rity are three assumptions (DDH, TCR hash lows: 2 function, and πPRF) and the standard model (not (k)←{( , , 2, , 2) | ← { }k, ( , 2) ← , the random oracle model). ← p} 3. Its underlying security definition is (currently) (k)←{( , , 2, , 2) | ← { }k, ( , 2, , 2) the strongest one: the extended Canetti-Krawc- ← 4}. zyk (eCK) security definition introduced by Let be a probabilistic polynomial-time machine. LaMacchia, Lauter and Mityagin [5]. For all k ∈ , we define the DDH advantage of as 4. Its security proof reduction efficiency is better (k) ← | Pr [ (k, )→| ← (k)] − Pr than those of previous protocols in the random [ (k, ) → | ← (k)] |. oracle model. The DDH assumption for { }k∈ is: For any proba- This paper also presents a CCA-secure (i.e., secure bilistic polynomial-time adversary , (k) against adaptive chosen ciphertext attacks) key is negligible in k. encapsulation mechanism (KEM) under these assumptions that is almost as efficient as the Kuro- 2.3 Pseudo-random Function (PRF) sawa-Desmedt KEM [5]. Let k ∈ be a security parameter. A PRF family The schemes presented in this paper are validity- associated with { k}k∈ , { k}k∈ and { k}k∈ check-free, which implies validity-check-free (e.g., specifies two items: free of message authentication code (MAC-free)) – A family of random seeds { k}k∈ . CCA-secure hybrid encryption if they are combined – A family of PRFs indexed by k, ← k, ← with validity-check-free CCA-secure symmetric , ← k, and ← k, where each such encryption (data encryption mechanism (DEM)). function k, , , maps an element of to an ele- Therefore, their ciphertexts can be decrypted with no validity-check. *2 For a general explanation of cryptographic primitives, see for ex- ample [8]. Vol. 6 No. 1 Jan. 2008 2 Selected Papers ment of . There must exist a deterministic poly- { k}k∈ specifies two items: nomial-time algorithm that on input k, , and , – A family of key spaces indexed by k. Each such outputs k, , , ( ). key space is a probability space of bit strings O Let be a probabilistic polynomial-time machine denoted by k. There must exist a probabilistic with oracle access to O. For all k, we define polynomial-time algorithm whose output distri- F k RF k k , (k) ←|Pr [ ( , , )→] − Pr[ ( , bution on input is equal to k. , ) → ]|, – A family of hash functions indexed by k, h ← k, where ← k, ← , ← k, ← k, F ← ← k, and ← k, where each such func- k, , , k, , , and RF : → is a truly random function tion h maps an element of to an element of (∀ ∈ RF( ) ← ). There must exist a deterministic polynomial- is a PRF family if, for any probabilistic polyno- time algorithm that on input k, h, and , outputs k, , mial-time adversary , , (k) is negligible h ( ). in k. Let be a probabilistic polynomial-time machine. For all k, we define * k , , 2.4 Pseudo-random function with pairwise-inde- , (k)←Pr [ ∈ =/ h k, , * k * pendent random sources (πPRF) ( ) = h ( )| ← ( , , h, , )], * Here, we introduce a specific class of PRFs, where ← k, ← k, ← and h ← k. πPRFs. is a TCR hash function family if for any probabilistic Let k∈ be a security parameter and be a PRF polynomial-time adversary , , (k) is family associated with { k}k∈ , { k}k∈ , and negligible in k. { k}k∈ . We then define a πPRF family for . 2.6 PKI-based authenticated key exchange Let ← k, ← k, ← k, and RF: (AKE) and eCK security definition → be a truly random function (∀ ∈ RF( ) ← ). This section outlines the eCK security definition Let I be a set of indices regarding such that [6] for two-pass AKE protocols based on the public there exists a deterministic polynomial-time algo- key infrastructure (PKI) model and follows the rithm, f : I → , that on input i ∈I , outputs i ∈ description in [7].
Load more

Recommended publications
  • Mihir Bellare Curriculum Vitae Contents
    Mihir Bellare Curriculum vitae August 2018 Department of Computer Science & Engineering, Mail Code 0404 University of California at San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404, USA. Phone: (858) 534-4544 ; E-mail: [email protected] Web Page: http://cseweb.ucsd.edu/~mihir Contents 1 Research areas 2 2 Education 2 3 Distinctions and Awards 2 4 Impact 3 5 Grants 4 6 Professional Activities 5 7 Industrial relations 5 8 Work Experience 5 9 Teaching 6 10 Publications 6 11 Mentoring 19 12 Personal Information 21 2 1 Research areas ∗ Cryptography and security: Provable security; authentication; key distribution; signatures; encryp- tion; protocols. ∗ Complexity theory: Interactive and probabilistically checkable proofs; approximability ; complexity of zero-knowledge; randomness in protocols and algorithms; computational learning theory. 2 Education ∗ Massachusetts Institute of Technology. Ph.D in Computer Science, September 1991. Thesis title: Randomness in Interactive Proofs. Thesis supervisor: Prof. S. Micali. ∗ Massachusetts Institute of Technology. Masters in Computer Science, September 1988. Thesis title: A Signature Scheme Based on Trapdoor Permutations. Thesis supervisor: Prof. S. Micali. ∗ California Institute of Technology. B.S. with honors, June 1986. Subject: Mathematics. GPA 4.0. Class rank 4 out of 227. Summer Undergraduate Research Fellow 1984 and 1985. ∗ Ecole Active Bilingue, Paris, France. Baccalauréat Série C, June 1981. 3 Distinctions and Awards ∗ PET (Privacy Enhancing Technologies) Award 2015 for publication [154]. ∗ Fellow of the ACM (Association for Computing Machinery), 2014. ∗ ACM Paris Kanellakis Theory and Practice Award 2009. ∗ RSA Conference Award in Mathematics, 2003. ∗ David and Lucille Packard Foundation Fellowship in Science and Engineering, 1996. (Twenty awarded annually in all of Science and Engineering.) ∗ Test of Time Award, ACM CCS 2011, given for [81] as best paper from ten years prior.
    [Show full text]
  • Cryptography for Efficiency: New Directions In
    Abstract of \Cryptography for Efficiency: New Directions in Authenticated Data Structures" by Charalampos Papamanthou, Ph.D., Brown University, May 2011. Cloud computing has emerged as an important new computational and storage medium and is increasingly being adopted both by companies and individuals as a means of reducing operational and maintenance costs. However, remotely-stored sensitive data may be lost or modified and third-party computations may not be performed correctly due to errors, op- portunistic behavior, or malicious attacks. Thus, while the cloud is an attractive alternative to local trusted computational resources, users need integrity guarantees in order to fully adopt this new paradigm. Specifically, they need to be assured that uploaded data has not been altered and outsourced computations have been performed correctly. Tackling the above problems requires the design of protocols that, on the one hand, are provably secure and at the same time remain highly efficient, otherwise the main purpose of adopting cloud computing, namely efficiency and scalability, is defeated. It is therefore essential that expertise in cryptography and efficient algorithmics be combined to achieve these goals. This thesis studies techniques allowing the efficient verification of data integrity and computations correctness in such adversarial environments. Towards this end, several new authenticated data structures for fundamental algorithmics and computation problems, e.g., hash table queries and set operations, are proposed. The main novelty of this work lies in employing advanced cryptography such as lattices and bilinear maps, towards achieving high efficiency, departing from traditional hash-based primitives. As such, the proposed techniques lead to efficient solutions that introduce minimal asymptotic overhead and at the same time enable highly-desirable features such as optimal verification mechanisms and par- allel authenticated data structures algorithms.
    [Show full text]
  • Stronger Security Notions for Trapdoor Functions and Applications
    STRONGER SECURITY NOTIONS FOR TRAPDOOR FUNCTIONS AND APPLICATIONS A Thesis Presented to The Academic Faculty by Adam O'Neill In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the College of Computing Georgia Institute of Technology December 2010 STRONGER SECURITY NOTIONS FOR TRAPDOOR FUNCTIONS AND APPLICATIONS Approved by: Professor Alexandra Boldyreva, Professor Chris Peikert Advisor College of Computing College of Computing Georgia Institute of Technology Georgia Institute of Technology Professor Mihir Bellare Professor Dana Randall Computer Science and Engineering College of Computing University of California, San Diego Georgia Institute of Technology Professor Richard Lipton Professor Patrick Traynor College of Computing College of Computing Georgia Institute of Technology Georgia Institute of Technology Date Approved: 9 August 2010 To my parents, John (Chuck) and Phyllis O'Neill, and my sister Katie, for their unconditional support. iii ACKNOWLEDGEMENTS My Ph.D. studies have been a significant undertaking, which would not have been possible without the help and guidance of many people (please forgive any omissions). First of all, I'd like to thank my parents, for encouraging me to pursue higher education and giving me the opportunity to do so. My intellectual development was greatly fostered during my time as an undergrad- uate at UCSD, and for that I have many friends and teaching assistants to thank. I would especially like to thank Daniel Bryant for helping me during my freshman year, and Derek Newland for inviting me to do an independent study with him. I would also like to thank Mihir Bellare for taking the time to help undergraduates find out about graduate school and encouraging them to take graduate-level courses.
    [Show full text]
  • Part V Public-Key Cryptosystems, I. Key Exchange, Knapsack
    Part V Public-key cryptosystems, I. Key exchange, knapsack, RSA CHAPTER 5: PUBLIC-KEY CRYPTOGRAPHY I. RSA The main problem of secret key (or symmetric) cryptography is that in order to send securely A secret message we need to send at first securely a secret key and therefore secret key cryptography is clearly not a sufficiently good tool for massive communication capable to protect secrecy, privacy and anonymity. prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 2/67 SECURE ENCRYPTION - a PRACTICAL POINT OF VIEW From practical point of view encryptions by a cryptosystem can be considered as secure if they cannot be broken by many (thousands) superomputeers with exaflop performance working for some years. prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 3/67 CONTENT In this chapter we describe the birth of public key cryptography, that can better manage key distribution problem, and three of its cryptosystems, especially RSA. The basic idea of a public key cryptography: In a public key cryptosystem not only the encryption and decryption algorithms are public, but for each user U also the key eU for encrypting messages (by anyone) for U is public. Moreover, each user U keeps secret another (decryption) key, dU , that can be used for decryption of messages that were addressed to him and encrypted with the help of the public encryption key eU . Encryption and decryption keys could (and should) be different - we can therefore speak also about asymmetric cryptography. Secret key cryptography, that has the same key for encryption and for decryption is also called symmetric cryptography.
    [Show full text]
  • Short Group Signatures
    An extended abstract of this paper is to appear in Advances in Cryptology—CRYPTO 2004, Springer-Verlag. Short Group Signatures Dan Boneh∗ Xavier Boyen Hovav Shacham [email protected] [email protected] [email protected] Abstract We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi. 1 Introduction Group signatures, introduced by Chaum and van Heyst [17], provide anonymity for signers. Any member of the group can sign messages, but the resulting signature keeps the identity of the signer secret. Often there is a third party that can undo the signature anonymity (trace) using a special trapdoor [17, 2]. Some systems support revocation [14, 4, 35, 19], where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 14, 4] are based on the Strong-RSA assumption introduced by Baric and Pfitzmann [5]. These signatures are usually much longer than RSA signatures of comparable security. A number of recent projects require properties provided by group signatures. One such project is the Trusted Computing effort [34] that, among other things, enables a desktop PC to prove to a remote party what software it is running via a process called attestation.
    [Show full text]
  • The Cramer-Shoup Strong-RSA Signature Scheme Revisited
    The Cramer-Shoup Strong-RSA Signature Scheme Revisited Marc Fischlin Johann Wolfgang Goethe-University Frankfurt am Main, Germany marc @ mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/ Abstract. We discuss a modification of the Cramer-Shoup strong-RSA signature scheme. Our proposal also presumes the strong RSA assump- tion (and a collision-intractable hash function for long messages), but |without loss in performance| the size of a signature is almost halved compared to the original scheme. We also show how to turn the signature scheme into a \lightweight" anonymous (but linkable) group identifica- tion protocol without random oracles. 1 Introduction Cramer and Shoup [CS00] have presented a signature scheme which is secure against adaptive chosen-message attacks under the strong RSA (aka. flexible RSA) assumption, and which does not rely on the random oracle model. For a 1024-bit RSA modulus and a 160-bit (hash value of a) message a signature has about 2200 bits. Cramer and Shoup also discuss a variation of their scheme which, in addition to the strong RSA assumption, requires the discrete-log as- sumption and which produces signatures of roughly half the length (about 1350 bits). Here, we show that we can achieve the same signature size under the strong RSA assumption only, even with a slightly improved performance than in the original strong-RSA-only case or the discrete-log & strong-RSA case. Our signature scheme also has the feature that for short messages, e.g., of 120 bits, a collision-intractable (or universal one-way) hash function becomes obsolete.
    [Show full text]
  • Solving NTRU Challenges Using the New Progressive BKZ Library
    Solving NTRU Challenges Using the New Progressive BKZ Library Erik Mårtensson Department of Electrical and Information Technology Lund University Advisors: Professor Thomas Johansson and Qian Guo 2016-08-24 Printed in Sweden E-huset, Lund, 2016 Abstract NTRU is a public-key cryptosystem, where the underlying mathematical problem is currently safe against large-scale quantum computer attacks. The system is not as well investigated, as for example RSA and the company behind NTRU has created the NTRU Challenges, to remedy this. These challenges consist of 27 different public keys of increasing size, where the task in each challenge is to calculate (something similar to) the private key. The goal of this thesis was to examine different attacks against the NTRU Challenges and solve as many challenges as possible. By lattice reduction attacks, using a recently published new progressive BKZ algorithm, the first five challenges were solved, while the current biggest solved challenge by any researcher is challenge number seven. Keywords: NTRU Challenge, Progressive BKZ , BDD, Enumeration, SVP i ii Acknowledgements I would like to thank my main supervisor Professor Thomas Johansson for all his help and feedback during the project, for introducing me to the lattice-based cryptography area and last but not least for pointing out the necessity of solving a small problem correctly before tackling a big problem. I would like to thank my assistant supervisor Qian Guo for all his help and feed- back during the project and for introducing me to the progressive BKZ algorithm that turned out to become the focus of this thesis. I would like to thank all the researchers that patiently answered my many ques- tions during this project, with special thanks to Yoshinori Aono, Léo Ducas and Zhenfei Zhang for answering questions regarding the progressive BKZ algorithm and library, the BKZ plus BDD enumeration strategy for attacking NTRU and the NTRU Challenges respectively.
    [Show full text]
  • How to Strengthen Ntruencrypt to Chosen-Ciphertext Security in the Standard Model
    NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model Ron Steinfeld1?, San Ling2, Josef Pieprzyk3, Christophe Tartary4, and Huaxiong Wang2 1 Clayton School of Information Technology Monash University, Clayton VIC 3800, Australia [email protected] 2 Div. of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, 637371 lingsan,[email protected] 3 Centre for Advanced Computing - Algorithms and Cryptography, Dept. of Computing, Macquarie University, Sydney, NSW 2109, Australia [email protected] 4 Institute for Theoretical Computer Science, Tsinghua University, People's Republic of China [email protected] Abstract. NTRUEncrypt is a fast and practical lattice-based public-key encryption scheme, which has been standardized by IEEE, but until re- cently, its security analysis relied only on heuristic arguments. Recently, Stehlé and Steinfeld showed that a slight variant (that we call pNE) could be proven to be secure under chosen-plaintext attack (IND-CPA), assum- ing the hardness of worst-case problems in ideal lattices. We present a variant of pNE called NTRUCCA, that is IND-CCA2 secure in the standard model assuming the hardness of worst-case problems in ideal lattices, and only incurs a constant factor overhead in ciphertext and key length over the pNE scheme. To our knowledge, our result gives the rst IND- CCA2 secure variant of NTRUEncrypt in the standard model, based on standard cryptographic assumptions. As an intermediate step, we present a construction for an All-But-One (ABO) lossy trapdoor function from pNE, which may be of independent interest. Our scheme uses the lossy trapdoor function framework of Peik- ert and Waters, which we generalize to the case of (k −1)-of-k-correlated input distributions.
    [Show full text]
  • One-Time Trapdoor One-Way Functions
    One-Time Trapdoor One-Way Functions Julien Cathalo?1 and Christophe Petit??2 1 Smals Avenue Fonsny 20, 1060 Bruxelles, Belgium 2 UCL Crypto Group Universit´ecatholique de Louvain, Place du Levant 3, 1348 Louvain-la-Neuve, Belgium Abstract. Trapdoors are widely used in cryptography, in particular for digital signatures and public key encryption. In these classical applica- tions, it is highly desirable that trapdoors remain secret even after their use. In this paper, we consider positive applications of trapdoors that do not remain secret when they are used. We introduce and formally de- fine one-time trapdoor one-way functions (OTTOWF), a primitive simi- lar in spirit to classical trapdoor one-way functions, with the additional property that its trapdoor always becomes public after use. We provide three constructions of OTTOWF. Two of them are based on factoring assumptions and the third one on generic one-way functions. We then consider potential applications of our primitive, and in particular the fair exchange problem. We provide two fair exchange protocols using OTTOWF, where the trapdoor is used to provide some advantage to one of the parties, whereas any (abusive) use of this trapdoor will make the advantage available to the other party as well. We compare our proto- cols with well-established solutions for fair exchange and describe some scenarios where they have advantageous characteristics. These results demonstrate the interest of one-time trapdoor one-way functions, and suggest looking for further applications of them. Keywords Cryptographic primitive, trapdoor one-way function, fair exchange 1 Introduction In cryptography, a trapdoor is a secret piece of information that provides its holder with some special power or advantage.
    [Show full text]
  • Short Group Signatures
    An extended abstract of this paper is to appear in Advances in Cryptology—CRYPTO 2004, Springer-Verlag. Short Group Signatures Dan Boneh∗ Xavier Boyen Hovav Shacham [email protected] [email protected] [email protected] Abstract We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi. 1 Introduction Group signatures, introduced by Chaum and van Heyst [14], provide anonymity for signers. Any member of the group can sign messages, but the resulting signature keeps the identity of the signer secret. In some systems there is a third party that can trace the signature, or undo its anonymity, using a special trapdoor. Some systems support revocation [12, 4, 30, 15] where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assumption introduced by Baric and Pfitzman [5]. In the last two years a number of projects have emerged that require the properties of group signatures. The first is the Trusted Computing effort [29] that, among other things, enables a desktop PC to prove to a remote party what software it is running via a process called attestation.
    [Show full text]
  • Practical Lattice-Based Digital Signature Schemes J
    Practical Lattice-based Digital Signature Schemes J. Howe1, T. Pöppelmann2, M. O’Neill1, E. O’Sullivan1, T. Güneysu2 1 Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, UK 2Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany Abstract: Among the various post-quantum techniques that exist (such as multivariate, code or hash-based), the most promising is lattice-based cryptography, which has become a very viable alternative to number-theoretic cryptography. Its main advantage is that it allows for extended functionality and is, at the same time, more efficient for the basic primitives of public-key encryption and digital signatures. The focus of this presentation will be to survey recent developments in lattice-based digital signature schemes and in particular practical schemes that have been shown to improve upon the performance of equivalent RSA designs. Propositions for future research areas that are essential for the continued development of lattice-based cryptography will also be discussed. 1 Introduction With the onset of quantum computers ever looming, the computational power it could provide would cause instant insecurity to many of today’s universally used cryptographic schemes by virtue of Shor’s [1] algorithm. Specifically, schemes based on the discrete-logarithm problem or number-theoretic hard problems, which subsume almost all public-key encryption schemes used on the Internet, including elliptic-curve cryptography (ECC), RSA and DSA would be vulnerable. Accordingly, this has motivated the post-quantum era of cryptography, which refers to the construction of cryptographic algorithms to withstand quantum reductions. Amongst many important areas in post-quantum research (such as multivariate, code or hash-based) lattice-based cryptography is disputably the most auspicious.
    [Show full text]
  • How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE
    How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin∗ Sara Krehbiely Chris Peikertz Abstract We develop secure threshold protocols for two important operations in lattice cryptography, namely, generating a hard lattice Λ together with a “strong” trapdoor, and sampling from a discrete Gaussian distribution over a desired coset of Λ using the trapdoor. These are the central operations of many crypto- graphic schemes: for example, they are exactly the key-generation and signing operations (respectively) for the GPV signature scheme, and they are the public parameter generation and private key extraction operations (respectively) for the GPV IBE. We also provide a protocol for trapdoor delegation, which is used in lattice-based hierarchical IBE schemes. Our work therefore directly transfers all these systems to the threshold setting. Our protocols provide information-theoretic (i.e., statistical) security against adaptive corruptions in the UC framework, and they are private and robust against an optimal number of semi-honest or malicious parties. Our Gaussian sampling protocol is both noninteractive and efficient, assuming either a trusted setup phase (e.g., performed as part of key generation) or a sufficient amount of interactive but offline precomputation, which can be performed before the inputs to the sampling phase are known. ∗Department of Computer Science, Aarhus University. Email: [email protected]. Supported by the Danish National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the Sino-Danish Center for the Theory of Interactive Computation, within which part of this work was performed; and also from the CFEM research center (supported by the Danish Strategic Research Council).
    [Show full text]