Project-Team:ARIC

Inria | Raweb 2017 | Presentation of the Project-Team ARIC | ARIC Web Site


	PDF	e-Pub

Previous |

Home | Next next

Section: New Results

Lattices: algorithms and cryptology

All-But-Many Lossy Trapdoor Functions and Selective Opening Chosen-Ciphertext Security from LWE

In cryptography, selective opening (SO) security refers to adversaries that receive a number of ciphertexts and, after having corrupted a subset of the senders (thus obtaining the plaintexts and the senders' random coins), aim at breaking the security of remaining ciphertexts. So far, very few public-key encryption schemes are known to provide simulation-based selective opening (SIM-SO-CCA2) security under chosen-ciphertext attacks and most of them encrypt messages bit-wise. The only exceptions to date rely on all-but-many lossy trapdoor functions (as introduced by Hofheinz; Eurocrypt'12) and the Composite Residuosity assumption. In a paper [43] published at Crypto 2017, the team describes the first all-but-many lossy trapdoor function with security relying on the presumed hardness of the Learning-With-Errors problem (LWE) with standard parameters. The new construction exploits homomorphic computations on lattice trapdoors for lossy LWE matrices. By carefully embedding a lattice trapdoor in lossy public keys, the paper is able to prove SIM-SO-CCA2 security under the LWE assumption. As a result of independent interest, the paper describes a variant of our scheme whose multi-challenge CCA2 security tightly relates to the hardness of LWE and the security of a pseudo-random function.

Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash

This paper [41] deals with cryptographic pseudorandom functions from lattice assumptions and their use in e-cash systems. Beyond their security guarantees under well-studied assumptions, algebraic pseudo-random functions are motivated by their compatibility with efficient zero-knowledge proof systems, which is useful in a number of privacy applications like digital cash. The paper considers the problem of proving the correct evaluation of lattice-based PRFs based on the Learning-With-Rounding (LWR) problem introduced by Banerjee et al. (Eurocrypt'12). Namely, the paper provides zero-knowledge arguments of knowledge of triples $(y, k, x)$ such that $y = F_{k} (x)$ is the correct evaluation of a PRF for a secret input $x$ and a committed key $k$ . While analogous statements admit efficient zero-knowledge protocols in the discrete logarithm setting, they have never been addressed in lattices so far. The paper provides such arguments for the key homomorphic PRF of Boneh et al. (Crypto'13) and the generic PRF implied by the LWR-based pseudo-random generator. As an application, the paper describes the first compact e-cash system based on lattice assumptions.

Adaptive Oblivious Transfer with Access Control from Lattice Assumptions

Adaptive oblivious transfer (OT) is a cryptographic protocol where a sender initially commits to a database ${M_{i}}_{i = 1}^{N}$ . Then, a receiver can query the sender up to $k$ times with private indexes $ρ_{1}, ..., ρ_{k}$ so as to obtain $M_{ρ_{1}}, ..., M_{ρ_{k}}$ and nothing else. Moreover, for each $i \in [k]$ , the receiver's choice $ρ_{i}$ may depend on previously obtained messages. Oblivious transfer with access control (OT-AC) is a flavor of adaptive OT where database records are protected by distinct access control policies that specify which credentials a receiver should obtain in order to access each $M_{i}$ . So far, all known OT-AC protocols only support access policies made of conjunctions or rely on ad hoc assumptions in pairing-friendly groups (or both). The paper [40] provides an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in NC1. The security of the protocol is proved under the Learning-with-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a result of independent interest, the paper provides protocols for proving the correct evaluation of a committed branching program on a committed input.

Encoding-Free ElGamal-Type Encryption Schemes on Elliptic Curves

At PKC 2006, Chevallier-Mames, Paillier, and Pointcheval proposed a very elegant technique over cyclic subgroups of $𝔽_{p}$ eliminating the need to encode the message as a group element in the ElGamal encryption scheme. Unfortunately, it is unclear how to adapt their scheme over elliptic curves. In a previous attempt, Virat suggested an adaptation of ElGamal to elliptic curves over the ring of dual numbers as a way to address the message encoding issue. Advantageously the resulting cryptosystem does not require encoding messages as points on an elliptic curve prior to their encryption. Unfortunately, it only provides one-wayness and, in particular, it is not (and was not claimed to be) semantically secure. The paper revisits Virat's cryptosystem and extends the Chevallier-Mames et al.'s technique to the elliptic curve setting. The paper [35] considers elliptic curves over the ring $ℤ / (p^{2} ℤ)$ and defines the underlying class function. This yields complexity assumptions whereupon new ElGamal-type encryption schemes are built. The so-obtained schemes are proved semantically secure and make use of a very simple message encoding: messages being encrypted are viewed as elements in the range $[0, p - 1]$ . Further, the new schemes come equipped with a partial ring-homomorphism property: anyone can add a constant to an encrypted message –or– multiply an encrypted message by a constant. This can prove helpful as a blinding method in a number of applications. Finally, in addition to practicability, the proposed schemes also offer better performance in terms of speed, memory, and bandwidth.

Structure-Preserving Chosen-Ciphertext Security with Shorter Verifiable Ciphertexts

Structure-preserving cryptography is a world where messages, signatures, ciphertexts and public keys are entirely made of elements of a group over which a bilinear map is efficiently computable. This property makes the primitives compatible with the Groth-Sahai non-interactive proof systems in the design of higher-level privacy-preserving protocols. While structure-preserving signatures have received much attention the last 6 years, structure-preserving encryption schemes have undergone slower development. In particular, the best known structure-preserving cryptosystems with chosen-ciphertext (IND-CCA2) security either rely on symmetric pairings or require long ciphertexts comprised of hundreds of group elements or do not provide publicly verifiable ciphertexts. The paper [42] provides a publicly verifiable construction based on the SXDH assumption in asymmetric bilinear groups $e : G_{1} \times G_{2} \to G_{T}$ , which features relatively short ciphertexts. For typical parameters, the ciphertext size amounts to less than 40 elements of $G$ . As a second contribution, the paper provides a structure-preserving encryption scheme with perfectly randomizable ciphertexts and replayable chosen-ciphertext security. The new RCCA-secure system significantly improves upon the best known system featuring similar properties in terms of ciphertext size.

Tightly Secure IBE under Constant-size Master Public Key

This paper is about identity-based encryption (IBE). Chen and Wee (Crypto 2013) proposed the first almost tightly and adaptively secure IBE in the standard model and left two open problems which called for a tightly secure IBE with (1) constant-size master public key and/or (2) constant security loss. This paper proposes an IBE scheme with constant-size master public key and tighter security reduction. This (partially) solves Chen and Wee's first open problem and makes progress on the second one. Technically, the new IBE scheme is built based on Wee's petit IBE scheme (TCC 2016) in composite-order bilinear groups whose order is product of four primes. The sizes of master public key, ciphertexts, and secret keys are not only constant but also nearly optimal as Wee's petit IBE. The paper [33] proves its adaptive security in the multi-instance, multi-ciphertext setting (PKC 2015) based on the decisional subgroup assumption and a subgroup variant of DBDH assumption. The security loss is $O (log q)$ where $q$ is the upper bound of the total number of secret keys and challenge ciphertexts revealed to adversary in each single IBE instance. It is much smaller than those for all known adaptively secure IBE schemes in a concrete sense.

ABE with Tag Made Easy: Concise Framework and New Instantiations in Prime-order Groups

Among all existing identity-based encryption (IBE) schemes in bilinear groups, Wat-IBE proposed by Waters (CRYPTO 2009) and JR-IBE proposed by Jutla and Roy (Asiacrypt 2013) are quite special. A secret key and/or ciphertext in these two schemes consists of several group elements and an integer which is usually called tag. A series of prior work was devoted to extending them towards more advanced attribute-based encryption (ABE) including inner-product encryption (IPE), hierarchical IBE (HIBE). Recently, Kim et al. (SCN 2016) introduced the notion of tag-based encoding and presented a generic framework for extending Wat-IBE. We may call these ABE schemes ABE with tag or tag-based ABE. Typically, a tag-based ABE construction is more efficient than its counterpart without tag. However, the research on tag-based ABE severely lags: we do not know how to extend JR-IBE in a systematic way and there is no tag-based ABE for Boolean span program even with Kim et al.'s generic framework.

This paper [32] proposes a generic framework for tag-based ABE which is based on JR-IBE and compatible with Chen et al.'s (attribute-hiding) predicate encoding (Eurocrypt 2015). The adaptive security in the standard model relies on the $k$ -linear assumption in asymmetric prime-order bilinear groups. This is the first framework showing how to extend JR-IBE systematically. In fact, the framework and its simple extension are able to cover most concrete tag-based ABE constructions in previous literature. Furthermore, since Chen et al.'s predicate encoding supports a large number of predicates including boolean span program, the paper can give the first (both key-policy and ciphertext-policy) tag-based ABE for boolean span program in the standard model. Technically, the new framework is based on a simplified version of JR-IBE. Both the description and its proof are quite similar to the prime-order IBE derived from Chen et al.'s framework. This not only allows us to work with Chen et al.'s predicate encoding but also provides a clear explanation of the JR-IBE scheme and its proof technique.

Hardness of $k$ -LWE and Applications in Traitor Tracing

The paper introduces the $k$ -LWE problem, a Learning With Errors variant of the $k$ -SIS problem. The Boneh-Freeman reduction from SIS to $k$ -SIS suffers from an exponential loss in $k$ . The paper [24] improves and extend it to an LWE to $k$ -LWE reduction with a polynomial loss in $k$ , by relying on a new technique involving trapdoors for random integer kernel lattices. Based on this hardness result, the paper presents the first algebraic construction of a traitor tracing scheme whose security relies on the worstcase hardness of standard lattice problems. The proposed LWE traitor tracing is almost as efficient as the LWE encryption. Further, it achieves public traceability, i.e., allows the authority to delegate the tracing capability to trusted parties. To this aim, the paper introduces the notion of projective sampling family in which each sampling function is keyed and, with a projection of the key on a well chosen space, one can simulate the sampling function in a computationally indistinguishable way. The construction of a projective sampling family from $k$ -LWE allows us to achieve public traceability, by publishing the projected keys of the users.

Middle-Product Learning With Errors

The paper [45] introduces a new variant MPLWE of the Learning With Errors problem (LWE) making use of the Middle Product between polynomials modulo an integer $q$ . It exhibits a reduction from the Polynomial-LWE problem (PLWE) parametrized by a polynomial $f$ , to MPLWE which is defined independently of any such $f$ . The reduction only requires $f$ to be monic with constant coefficient coprime with $q$ . It incurs a noise growth proportional to the so-called expansion factor of $f$ . The paper also describes a public-key encryption scheme with quasi-optimal asymptotic efficiency (the bit-sizes of the keys and the run-times of all involved algorithms are quasi-linear in the security parameter), which is secure against chosen plaintext attacks under the MPLWE hardness assumption. The scheme is hence secure under the assumption that PLWE is hard for at least one polynomial $f$ of degree $n$ among a family of $f$ 's which is exponential in $n$ .

Efficient Public Trace and Revoke from Standard Assumptions

The paper [27] provides efficient constructions for trace-and-revoke systems with public traceability in the black-box confirmation model. The constructions achieve adaptive security, are based on standard assumptions and achieve significant efficiency gains compared to previous constructions. The constructions rely on a generic transformation from inner product functional encryption (IPFE) schemes to trace-and-revoke systems. The proposed transformation requires the underlying IPFE scheme to only satisfy a very weak notion of security the attacker may only request a bounded number of random keys in contrast to the standard notion of security where she may request an unbounded number of arbitrarily chosen keys. The paper exploits the much weaker security model to provide a new construction for bounded collusion and random key IPFE from the learning with errors assumption (LWE), which enjoys improved efficiency compared to the scheme of Agrawal et al. [CRYPTO'16]. Together with IPFE schemes from Agrawal et al., the paper obtains trace and revoke from LWE, Decision Diffie Hellman and Decision Quadratic Residuosity.

New Techniques for Structural Batch Verification in Bilinear Groups with Applications to Groth-Sahai Proofs

Bilinear groups form the algebraic setting for a multitude of important cryptographic protocols including anonymous credentials, e-cash, e-voting, e-coupon, and loyalty systems. It is typical of such crypto protocols that participating parties need to repeatedly verify that certain equations over bilinear groups are satisfied, e.g., to check that computed signatures are valid, commitments can be opened, or non-interactive zero-knowledge proofs verify correctly. Depending on the form and number of equations this part can quickly become a performance bottleneck due to the costly evaluation of the bilinear map.

To ease this burden on the verifier, batch verification techniques have been proposed that allow to combine and check multiple equations probabilistically using less operations than checking each equation individually. The paper [34] revisits the batch verification problem and existing standard techniques. It introduces a new technique which, in contrast to previous work, allows to fully exploit the structure of certain systems of equations. Equations of the appropriate form naturally appear in many protocols, e.g., due to the use of Groth–Sahai proofs.

The beauty of the new technique is that the underlying idea is pretty simple: the paper observes that many systems of equations can alternatively be viewed as a single equation of products of polynomials for which probabilistic polynomial identity testing following Schwartz–Zippel can be applied. Comparisons show that the new approach can lead to significant improvements in terms of the number of pairing evaluations. Indeed, for the BeleniosRF voting system presented at CCS 2016, it is possible to reduce the number of pairings (required for ballot verification) from $4 k + 140$ , as originally reported by Chaidos et al., to $k + 7$ . As the implementation and benchmarks demonstrate, this may reduce the verification runtime to only 5% to 13% of the original runtime.

Encryption Switching Protocols Revisited: Switching Modulo $p$

At CRYPTO 2016, Couteau, Peters and Pointcheval introduced a new primitive called Encryption Switching Protocols (ESP), allowing to switch ciphertexts between two encryption schemes. If such an ESP is built with two schemes that are respectively additively and multiplicatively homomorphic, it naturally gives rise to a secure 2-party computation protocol. It is thus perfectly suited for evaluating functions, such as multivariate polynomials, given as arithmetic circuits. Couteau et al. built an ESP to switch between Elgamal and Paillier encryptions which do not naturally fit well together. Consequently, they had to design a clever variant of Elgamal over $𝐙 / n 𝐙$ with a costly shared decryption.

In [31], we first present a conceptually simple generic construction for encryption switching protocols. We then give an efficient instantiation of our generic approach that uses two well-suited protocols, namely a variant of Elgamal in $𝐙 / p 𝐙$ and the Castagnos-Laguillaumie encryption which is additively homomorphic over $𝐙 / p 𝐙$ . Among other advantages, this allows to perform all computations modulo a prime p instead of an RSA modulus. Overall, our solution leads to significant reductions in the number of rounds as well as the number of bits exchanged by the parties during the interactive protocols. We also show how to extend its security to the malicious setting.