International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-10-12
15:17 [Forum]

Galindo & Cortier (private communication) have shown that our original presentation of ballot secrecy (ESORICS\'13) is incompatible with verifiability and revision https://eprint.iacr.org/2013/235/20141010:082554 overcomes this limitation. From: 2014-12-10 13:35:30 (UTC)

03:17 [Pub][ePrint]

In an Attribute-Based Encryption (ABE) a ciphertext, encrypting message $\\mu$, is associated with a public attribute vector $\\vecx$ and a secret key $\\sk_P$ is associated with a predicate $P$. The decryption returns $\\mu$ if and only if $P(\\vecx) = 1$. ABE provides efficient and simple mechanism for data sharing supporting fine-grained access control. Moreover, it is used as a critical component in constructions of succinct functional encryption, reusable garbled circuits, token-based obfuscation and more.

In this work, we describe a new efficient ABE scheme for a family of branching programs with short secret keys over a small ring. In particular, in our constriction the size of the secret key for a branching program $P$ is $|P| + \\poly(\\secp)$, where $\\secp$ is the security parameter. Our construction is secure assuming $n^{\\omega(1)}$-hardness of standard Learning With Errors (LWE) problem, resulting in small ring modulo. Previous constructions relied on $n^{O(\\log n)}$-hardness of LWE (resulting in large ring modulo) or had large secret keys of size $|P| \\times \\poly(\\secp)$. We rely on techniques developed by Boneh et al. (EUROCRYPT\'14) and Brakerski et al. (ITCS\'14) in the context of ABE for circuits and fully-homomorphic encryption.

03:17 [Pub][ePrint]

Functional encryption, as introduced by Boneh, Sahai, and Waters (TCC\'11),

generalizes public-key encryption systems to include functional decryption

capabilities. Recently, Boyle et al. as well as Bellare and

Fuchsbauer (both PKC\'14) formalized analogous notions for signature schemes. Here

we discuss that both their notions are limited in terms of expressiveness in the

sense that they cannot cast known signature schemes supporting operations on

data in their frameworks. We therefore propose a notion of what we call, for

sake of distinctiveness, operational signature schemes which captures

functional signatures, policy-based signatures, sanitizable signatures, P-homomorphic signatures, ring

signatures, aggregate signatures etc., and also their message authentication code counterparts.

We discuss possible instantiations for operational signatures.

We give some positive result about achieving our general notion of operational signatures presenting a

compact construction that relies on a new combination of indistinguishability

obfuscation and random oracles. We then indicate that it is unlikely to be able to instantiate

operational signature schemes in general using one-wayness and, under some

circumstances, even using specific non-interactive\'\' assumptions like RSA.

03:17 [Pub][ePrint]

Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs~\\cite{DPW10}, provide a useful message integrity guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value\'\'. Although such codes do not exist if the family of tampering functions\'\' $\\cF$ allowed to modify the original codeword is completely unrestricted, they are known to exist for many broad tampering families $\\cF$.

The family which received the most attention~\\cite{DPW10,LL12,DKO13,ADL14,CG14a,CG14b} is the family of tampering functions in the so called {\\em split-state} model: here the message $x$ is encoded into two shares $L$ and $R$,

and the attacker is allowed to {\\em arbitrarily} tamper with each $L$ and $R$ {\\em individually}.

Despite this attention, the following problem remained open:

\\begin{center}

{\\em Build efficient, information-theoretically secure non-malleable codes in the split-state model with constant encoding rate}: $|L|=|R|=O(|x|)$.

\\end{center}

In this work, we resolve this open problem. Our technique for getting our main result is of independent interest. We

\\begin{itemize}

\\item[(a)] develop a generalization of non-malleable codes, called {\\em non-malleable reductions};

\\item[(b)] show simple composition theorem for non-malleable reductions;

\\item[(c)] build a variety of such reductions connecting various (independently interesting) tampering families $\\cF$ to each other; and

\\item[(d)] construct our final, constant-rate, non-malleable code in the split-state model by applying the composition theorem to a series of easy to understand reductions.

\\end{itemize}

03:17 [Pub][ePrint]

This letter proposes a formal definition of ballot secrecy in the computational model of cryptography. The definition builds upon and strengthens earlier definitions by Bernhard et al. (ASIACRYPT\'12, ESORICS\'11 & ESORICS\'13). The new definition is intended to ensure that ballot secrecy is preserved in the presence of malicious bulletin boards, whereas earlier definitions by Bernhard et al. only consider honest bulletin boards.

03:17 [Pub][ePrint]

Noisy channels are a powerful resource for cryptography as they can be used to obtain

information-theoretically secure key agreement, commitment and oblivious transfer protocols, among others. Oblivious transfer (OT) is a fundamental primitive since it is complete for secure multi-party computation, and the OT capacity characterizes how efficiently a channel can be used for obtaining string oblivious transfer. Ahlswede and Csisz\\\'{a}r (\\emph{ISIT\'07}) presented upper and lower bounds on the OT capacity of generalized erasure channels (GEC) against passive adversaries. In the case of GEC with erasure probability at least 1/2, the upper and lower bounds match and therefore the OT capacity was determined. It was later proved by Pinto et al. (\\emph{IEEE Trans. Inf. Theory 57(8)}) that in this case there is also a protocol against malicious adversaries achieving the same lower bound, and hence the OT capacity is identical for passive and malicious adversaries. In the case of GEC with erasure probability smaller than 1/2, the known lower bound against passive adversaries that was established by Ahlswede and Csisz\\\'{a}r does not

match their upper bound and it was unknown whether this OT rate could be achieved against malicious adversaries as well. In this work we show that there is a protocol against malicious adversaries achieving the same OT rate that was obtained against passive adversaries.

In order to obtain our results we introduce a novel use of interactive hashing that is suitable for dealing with the case of low erasure probability ($p^* 03:17 [Pub][ePrint] Demands for lawful access to encrypted data are a long standing obstacle to integrating cryptographic protections into communication systems. A common approach is to allow a trusted third party (TTP) to gain access to private data. However, there is no way to verify that this trust is well place as the TTP may open all messages indiscriminately. Moreover, existing approaches do not scale well when, in addition to the content of the conversation, one wishes to hide ones identity. Given the importance of metadata this is a major problem. We propose a new signature scheme as an accountable replacement for group signatures, accountable forward and backward tracing signatures. 03:17 [Pub][ePrint] We propose a new algorithm to solve the Implicit Factorization Problem, which was introduced by May and Ritzenhofen at PKC\'09. In 2011, Sarkar and Maitra (IEEE TIT 57(6): 4002-4013, 2011) improved May and Ritzenhofen\'s results by making use of the technique for solving multivariate approximate common divisors problem. In this paper, based on the observation that the desired root of the equations that derived by Sarkar and Maitra contains large prime factors, which are already determined by some known integers, we develop new techniques to acquire better bounds. We show that our attack is the best among all known attacks, and give experimental results to verify the correctness. Additionally, for the first time, we can experimentally handle the implicit factorization for the case of balanced RSA moduli. 03:17 [Pub][ePrint] We initiate the study of a novel class of group-theoretic intractability problems. Inspired by the theory of learning in presence of errors [Regev, STOC\'05] we ask if noise in the exponent amplifies intractability. We put forth the notion of Learning with Errors in the Exponent (LWEE) and rather surprisingly show that various attractive properties known to exclusively hold for lattices carry over. Most notably are worst-case hardness and post-quantum resistance. In fact, LWEE\'s duality is due to the reducibility to two seemingly unrelated assumptions: learning with errors and the representation problem [Brands, Crypto\'93] in finite groups. For suitable parameter choices LWEE superposes properties from each individual intractability problem. The argument holds in the classical and quantum model of computation. We give the very first construction of a semantically secure public-key encryption system in the standard model. The heart of our construction is an error recovery\'\' technique inspired by [Joye-Libert, Eurocrypt\'13] to handle critical propagations of noise terms in the exponent. 03:17 [Pub][ePrint] We consider interactive proof systems over adversarial communication channels. We show that the seminal result that$\\ip = \\pspace\$ still holds when the communication channel is malicious, allowing even a constant fraction of the communication to be arbitrarily corrupted.

00:17 [Pub][ePrint]

We present a lattice-based stateless signature scheme provably secure in the standard model. Our

scheme has a constant number of matrices in the public key and a single lattice vector (plus a tag) in the

signatures. The best previous lattice-based encryption schemes were the scheme of Ducas and Micciancio

(CRYPTO 2014), which required a logarithmic number of matrices in the public key and that of Bohl et.

al (J. of Cryptology 2014), which required a logarithmic number of lattice vectors in the signature. Our

main technique involves using fully homomorphic computation to compute a degree d polynomial over

the tags hidden in the matrices in the public key. In the scheme of Ducas and Micciancio, only functions

linear over the tags in the public key matrices were used, which necessitated having d matrices in the

public key.

As a matter of independent interest, we extend Wichs\' (eprint 2014) recent construction of homomorphic

trapdoor functions into a primitive we call puncturable homomorphic trapdoor functions (PHTDFs).

This primitive abstracts out most of the properties required in many different lattice-based cryptographic

constructions. We then show how to combine a PHTDF along with a function satisfying certain properties

(to be evaluated homomorphically) to give an eu-scma signature scheme.