## CryptoDB

### Nils Fleischhacker

#### ORCID: 0000-0002-2770-5444

#### Publications

**Year**

**Venue**

**Title**

2024

ASIACRYPT

Jackpot: Non-Interactive Aggregatable Lotteries
Abstract

In proof-of-stake blockchains, liveness is ensured by repeatedly selecting random groups of parties as leaders, who are then in charge of proposing new blocks and driving consensus forward.
The lotteries that elect those leaders need to ensure that adversarial parties are not elected disproportionately often and that an adversary can not tell who was elected before those parties decide to speak, as this would potentially allow for denial-of-service attacks.
Whenever an elected party speaks, it needs to provide a winning lottery ticket, which proves that the party did indeed win the lottery.
Current solutions require all published winning tickets to be stored individually on-chain, which introduces undesirable storage overheads.
In this work, we introduce non-interactive aggregatable lotteries and show how these can be constructed efficiently.
Our lotteries provide the same security guarantees as previous lottery constructions, but additionally allow any third party to take a set of published winning tickets and aggregate them into one short digest.
We provide a formal model of our new primitive in the universal composability framework.
As one of our technical contributions, which may be of independent interest, we introduce aggregatable vector commitments with simulation-extractability and present a concretely efficient construction thereof in the algebraic group model in the presence of a random oracle.
We show how these commitments can be used to construct non-interactive aggregatable lotteries.
We have implemented our construction, called Jackpot, and provide benchmarks that underline its concrete efficiency.

2024

ASIACRYPT

Extractable Witness Encryption for KZG Commitments and Efficient Laconic OT
Abstract

We present a concretely efficient and simple extractable witness encryption scheme for KZG polynomial commitments.
It allows to encrypt a message towards a triple $(\mathsf{com}, \alpha, \beta)$, where $\mathsf{com}$ is a KZG commitment for some polynomial $f$.
Anyone with an opening for the commitment attesting $f(\alpha) = \beta$ can decrypt, but without knowledge of a valid opening the message is computationally hidden.
Our construction is simple and highly efficient. The ciphertext is only a single group element. Encryption and decryption both require a single pairing evaluation and a constant number of group operations.
Using our witness encryption scheme, we construct a simple and highly efficient laconic OT protocol, which significantly outperforms the state of the art in most important metrics.

2023

EUROCRYPT

How to Compress Encrypted Data
Abstract

We study the task of obliviously compressing a vector comprised of $n$ ciphertexts of size $\xi$ bits each, where at most $t$ of the corresponding plaintexts are non-zero.
This problem commonly features in applications involving encrypted outsourced storages, such as searchable encryption or oblivious message retrieval.
We present two new algorithms with provable worst-case guarantees, solving this problem by using only homomorphic additions and multiplications by constants.
Both of our new constructions improve upon the state of the art asymptotically and concretely.
Our first construction, based on sparse polynomials, is perfectly correct and the first to achieve an asymptotically optimal compression rate by compressing the input vector into $\bigO{t \xi}$ bits.
Compression can be performed homomorphically by performing $\bigO{n \log n}$ homomorphic additions and multiplications by constants.
The main drawback of this construction is a decoding complexity of $\Omega(\sqrt{n})$.
Our second construction is based on a novel variant of invertible bloom lookup tables and is correct with probability $1-2^{-\kappa}$.
It has a slightly worse compression rate compared to our first construction as it compresses the input vector into $\bigO{\xi\kappa t /\log t}$ bits, where $\kappa \geq \log t$.
In exchange, both compression and decompression of this construction are highly efficient.
The compression complexity is dominated by $\bigO{n \kappa/\log t}$ homomorphic additions and multiplications by constants.
The decompression complexity is dominated by $\bigO{\kappa t /\log t}$ decryption operations and equally many inversions of a pseudorandom permutation.

2022

TCC

Steganography-Free Zero-Knowledge
Abstract

We revisit the well-studied problem of preventing steganographic communication in multi-party communications. While this is known to be a provably impossible task, we propose a new model that allows circumventing this impossibility. In our model, the parties first publish a single message during an honest \emph{non-interactive} pre-processing phase and then later interact in an execution phase. We show that in this model, it is indeed possible to prevent any steganographic communication in zero-knowledge protocols. Our solutions rely on standard cryptographic assumptions.

2022

EUROCRYPT

Property-Preserving Hash Functions for Hamming Distance from Standard Assumptions
📺
Abstract

Property-preserving hash functions allow for compressing long inputs $x_0$ and $x_1$ into short hashes $h(x_0)$ and $h(x_1)$ in a manner that allows for computing a predicate $P(x_0, x_1)$ given only the two hash values without having access to the original data.
Such hash functions are said to be adversarially robust if an adversary that gets to pick $x_0$ and $x_1$ after the hash function has been sampled, cannot find inputs for which the predicate evaluated on the hash values outputs the incorrect result.
In this work we construct robust property-preserving hash functions for the hamming-distance predicate which distinguishes inputs with a hamming distance at least some threshold $t$ from those with distance less than $t$. The security of the construction is based on standard lattice hardness assumptions.
Our construction has several advantages over the best known previous construction by Fleischhacker and Simkin (Eurocrypt 2021).
Our construction relies on a single well-studied hardness assumption from lattice cryptography whereas the previous work relied on a newly introduced family of computational hardness assumptions.
In terms of computational effort, our construction only requires a small number of modular additions per input bit, whereas the work of Fleischhacker and Simkin required several exponentiations per bit as well as the interpolation and evaluation of high-degree polynomials over large fields.
An additional benefit of our construction is that the description of the hash function can be compressed to $\lambda$ bits assuming a random oracle.
Previous work has descriptions of length $\bigO{\ell \lambda}$ bits for input bit-length $\ell$.
We prove a lower bound on the output size of any property-preserving hash function for the hamming distance predicate.
The bound shows that the size of our hash value is not far from optimal.

2021

EUROCRYPT

Robust Property-Preserving Hash Functions for Hamming Distance and More
📺
Abstract

Robust property-preserving hash (PPH) functions, recently introduced by Boyle, Lavigne, and Vaikuntanathan [ITCS 2019], compress large inputs $x$ and $y$ into short digests $h(x)$ and $h(y)$ in a manner that allows for computing a predicate $P$ on $x$ and $y$ while only having access to the corresponding hash values. In contrast to locality-sensitive hash functions, a robust PPH function guarantees to correctly evaluate a predicate on $h(x)$ and $h(y)$ even if $x$ and $y$ are chosen adversarially \emph{after} seeing $h$.
Our main result is a robust PPH function for the exact hamming distance predicate
\[
\mathsf{HAM}^t(x, y) =
\begin{cases}
1 &\text{if } d( x, y) \geq t \\
0 & \text{Otherwise}\\
\end{cases}
\]
where $d(x, y)$ is the hamming-distance between $x$ and $y$.
Our PPH function compresses $n$-bit strings into $\mathcal{O}(t \lambda)$-bit digests, where $\lambda$ is the security parameter.
The construction is based on the q-strong bilinear discrete logarithm assumption.
Along the way, we construct a robust PPH function for the set intersection predicate
\[
\mathsf{INT}^t(X, Y) =
\begin{cases}
1 &\text{if } \vert X \cap Y\vert > n - t \\
0 & \text{Otherwise}\\
\end{cases}
\]
which compresses sets $X$ and $Y$ of size $n$ with elements from some arbitrary universe $U$ into $\mathcal{O}(t\lambda)$-bit long digests.
This PPH function may be of independent interest.
We present an almost matching lower bound of $\Omega(t \log t)$ on the digest size of any PPH function for the intersection predicate, which indicates that our compression rate is close to optimal.
Finally, we also show how to extend our PPH function for the intersection predicate to more than two inputs.

2021

PKC

On Publicly-Accountable Zero-Knowledge and Small Shuffle Arguments
📺
Abstract

Constructing interactive zero-knowledge arguments from simple assumptions with small communication complexity and good computational efficiency is an important, but difficult problem.
In this work, we study interactive arguments with noticeable soundness error in their full generality and for the specific purpose of constructing concretely efficient shuffle arguments.
To counterbalance the effects of a larger soundness error, we show how to transform such three-move arguments into publicly-accountable ones which allow the verifier to convince third parties of detected misbehavior by a cheating prover.
This may be particularly interesting for applications where a malicious prover has to balance the profits it can make from cheating successfully and the losses it suffers from being caught.
We construct interactive, public-coin, zero-knowledge arguments with noticeable soundness error for proving that a target vector of commitments is a pseudorandom permutation of a source vector.
Our arguments do not rely on any trusted setup and only require the existence of collision-resistant hash functions.
The communication complexity of our arguments is \emph{independent} of the length of the shuffled vector.
For a soundness error of $2^{-5}=1/32$, the communication cost is $153$ bytes without and $992$ bytes with public accountability, meaning that our arguments are shorter than shuffle arguments realized using Bulletproofs (IEEE S\&P 2018) and even competitive in size with SNARKs, despite only relying on simple assumptions.

2019

TCC

Interactive Non-malleable Codes
Abstract

Non-malleable codes (NMC) introduced by Dziembowski et al. [ICS’10] allow one to encode “passive” data in such a manner that when a codeword is tampered, the original data either remains completely intact or is essentially destroyed.In this work, we initiate the study of interactive non-malleable codes (INMCs) that allow for encoding “active communication” rather than passive data. An INMC allows two parties to engage in an interactive protocol such that an adversary who is able to tamper with the protocol messages either leaves the original transcript intact (i.e., the parties are able to reconstruct the original transcript) or the transcript is completely destroyed and replaced with an unrelated one.We formalize a tampering model for interactive protocols and put forward the notion of INMCs. Since constructing INMCs for general adversaries is impossible (as in the case of non-malleable codes), we construct INMCs for several specific classes of tampering functions. These include bounded state, split state, and fragmented sliding window tampering functions. We also obtain lower bounds for threshold tampering functions via a connection to interactive coding. All of our results are unconditional.

2019

JOFC

Feasibility and Infeasibility of Secure Computation with Malicious PUFs
Abstract

A recent line of work has explored the use of physically unclonable functions (PUFs) for secure computation, with the goals of (1) achieving universal composability without additional setup and/or (2) obtaining unconditional security (i.e., avoiding complexity-theoretic assumptions). Initial work assumed that all PUFs, even those created by an attacker, are honestly generated. Subsequently, researchers have investigated models in which an adversary can create malicious PUFs with arbitrary behavior. Researchers have considered both malicious PUFs that might be stateful , as well as malicious PUFs that can have arbitrary behavior but are guaranteed to be stateless . We settle the main open questions regarding secure computation in the malicious-PUF model: We prove that unconditionally secure oblivious transfer is impossible, even in the stand-alone setting, if the adversary can construct (malicious) stateful PUFs. We show that if the attacker is limited to creating (malicious) stateless PUFs, then universally composable two-party computation is possible, unconditionally.

2019

JOFC

On Tight Security Proofs for Schnorr Signatures
Abstract

The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin EUROCRYPT 2012 showed that under certain assumptions the non -tight security proof for Schnorr signatures in the random oracle by Pointcheval and Stern EUROCRYPT’96 is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem. In this paper, we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable, because then the reduction applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem $$\Pi $$ Π defined over algebraic groups to breaking Schnorr signatures, unless solving $$\Pi $$ Π is easy. In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model.

#### Program Committees

- TCC 2024
- TCC 2022
- Asiacrypt 2019

#### Coauthors

- Behzad Abdolmaleki (1)
- Zvika Brakerski (1)
- Chris Brzuska (1)
- Dana Dachman-Soled (2)
- Nico Döttling (1)
- Marc Fischlin (1)
- Nils Fleischhacker (17)
- Vipul Goyal (3)
- Mathias Hall-Andersen (2)
- Tibor Jager (2)
- Abhishek Jain (3)
- Jonathan Katz (2)
- Johannes Krupp (2)
- Kasper Green Larsen (2)
- Anna Lysyanskaya (2)
- Giulio Malavolta (2)
- Anat Paskin-Cherniavsky (1)
- Slava Radune (1)
- Jonas Schneider (1)
- Dominique Schröder (6)
- Mark Simkin (7)
- Benedikt Wagner (1)