Yiyuan Luo,Xuejia Lai,Zheng Gong

DOI: https://doi.org/10.1016/j.ipl.2010.10.012

IF: 0.851

2010-01-01

Information Processing Letters

Abstract:In this paper we find that the two-round (extended) Lai–Massey scheme is not pseudorandom and three-round (extended) Lai–Massey scheme is not strong pseudorandom. Combined with previous work, we prove that three rounds are necessary and sufficient for the pseudorandomness and four rounds are necessary and sufficient for the strong pseudorandomness.

Yiyuan Luo,Xuejia Lai,Zheng Gong,Zhongming Wu

2009-01-01

Abstract:At Asiacrypt’99, Vaudenay modified the structure in the IDEA cipher to a new scheme, which they called as the Lai-Massey scheme. It is proved that 3-round Lai-Massey scheme is sufficient for pseudorandomness and 4-round Lai-Massey scheme is sufficient for strong pseudorandomness. But the author didn’t point out whether three rounds and four rounds are necessary for the pseudorandomness and strong pseudorandomness of the Lai-Massey Scheme. In this paper we find a tworound pseudorandomness distinguisher and a three-round strong pseudorandomness distinguisher, thus prove that three rounds is necessary for the pseudorandomness and four rounds is necessary for the strong pseudorandomness.

Yiyuan Luo,Xuejia Lai,Yujie Zhou

DOI: https://doi.org/10.1007/s10623-016-0235-2

IF: 1.4

2016-01-01

Designs Codes and Cryptography

Abstract:In this paper we present generic attacks on the Lai–Massey scheme inspired by Patarin’s attacks on the Feistel scheme. For bijective round functions, the attacking results are better than non-bijective round functions for the 3, 4-round Lai–Massey scheme. Our results show that there are some security differences of these two schemes against known attacks. The generic attacks on the 4-round and 5-round Lai–Massey scheme require more complexity than the 4-round and 5-round Feistel scheme respectively. Through the analysis we believe the Lai–Massey scheme has some advantage than the Feistel scheme within 5 rounds.

Chun Guo,Yiyuan Luo,Chenyu Xiao,Xiao, Chenyu

DOI: https://doi.org/10.1007/s10623-024-01361-6

IF: 1.4

2024-02-18

Designs Codes and Cryptography

Abstract:We study the Lai–Massey construction defined over bit strings w.r.t. the notion of sequential indifferentiability, which was introduced by Mandal et al. (in: Cramer (ed) TCC 2012, LNCS, Springer, Heidelberg, vol 7194, pp 285–302, 2012) and formalized known-key security of blockcipher structures. We first exhibit a sequential distinguisher against 5-round Lai–Massey structure when the underlying orthomorphism is linear. This enhances a 2011 result of Aumasson. As our main result, we (for the first time) prove sequential indifferentiability for 6-round Lai–Massey constructions (on bit strings) using six independent random round functions.

mathematics, applied,computer science, theory & methods

Wenling Wu,Wentao Zhang,Dongdai Lin

2006-01-01

Abstract:This paper studies the security against difierential/linear cryptanalysis and the pseudorandomness for a class of generalized Feis- tel scheme with SP round function called GFSP. We consider the mini- mum number of active s-boxes in some consecutive rounds of GFSP,i.e., in four, eight and sixteen consecutive rounds, which provide the up- per bound of the maximum difierential/linear probabilities of 16-round GFSP scheme, in order to evaluate the strength against difierential/linear cryptanalysis. Furthermore, We investigate the pseudorandomness of GFSP, point out 7-round GFSP is not pseudorandom for non-adaptive adversary, by using some distinguishers, and prove that 8-round GFSP is pseudorandom for any adversaries.

Le Dong,Danxun Zhang,Wenya Li,Wenling Wu

DOI: https://doi.org/10.1007/s10623-024-01408-8

IF: 1.4

2024-05-08

Designs Codes and Cryptography

Abstract:In this study, we present the first yoyo attack to recover the secret round function of the 4-round Lai-Massey scheme with an affine orthomorphism. We first perform a yoyo attack on 3-round Lai-Massey scheme. However, the original method for constructing plaintext equations is not sufficiently effective. To solve this problem, we partition the ciphertext and plaintext spaces into subsets, which provides a fresh perspective on our yoyo attack. From this perspective, our study presents two improvements. One is that we devise an improved yoyo game in which the established ciphertext pool significantly narrows the search of good pairs compared with random selection, and the inserted filter can eliminate all wrong pairs using simple XOR calculations. Consequently, the yoyo game is advantageous for reducing the complexity of seeking good pairs, and we can avoid the complexity involved in solving equations generated using wrong pairs. The other is that we present a valid method for solving equations, which helps to reduce the number of yoyos required to recover the first-round function. After removing the first round, the look-up tables of the remaining two round functions of the 3-round Lai-Massey scheme can be retrieved by selecting the inputs and accessing the outputs. On the basis of this attack, we mount a yoyo attack on the 4-round Lai-Massey scheme to recover the fourth-round function and then apply the above attack to the remaining three rounds. In general, the complete recovery of the 4-round Lai-Massey scheme requires time complexity O and memory O , where .

mathematics, applied,computer science, theory & methods

Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-24316-5_17

2011-01-01

Abstract:Various information-theoretically secure Multi-Party Computation (MPC) schemes have been proposed over some finite field \(\mathbb{F}\) or some finite ring ℝ. A function f that can be evaluated on MPC is usually represented by boolean or arithmetic circuits. In general, the function class that have constant-depth arithmetic circuit is studied. Additionally, some literatures show that one can represent any formulas and branching program by low-degree randomizing polynomials, which can be evaluated in constant rounds. However, these approaches have their limitations, and it is not easy to construct the optimal branching program for a complex function. Therefore, it is not obvious how to efficiently perform oblivious sort in constant rounds, but oblivious sort is one of the most important primitive protocols for MPC in practice. In this paper, we are going to show several constant-round 0-error oblivious sorting algorithms, together with some useful applications.

Shuai Han,Shengli Liu,Lin Lyu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-26951-7_15

2019-01-01

Abstract:We propose the concept of quasi-adaptive hash proof system (QAHPS), where the projection key is allowed to depend on the specific language for which hash values are computed. We formalize leakage-resilient(LR)-ardency for QAHPS by defining two statistical properties, including LR-< L-0, L-1 >-universal and LR-< L-0, L-1 >-key-switching. We provide a generic approach to tightly leakage-resilient CCA (LR-CCA) secure public-key encryption (PKE) from LR-ardent QAHPS. Our approach is reminiscent of the seminal work of Cramer and Shoup (Eurocrypt'02), and employ three QAHPS schemes, one for generating a uniform string to hide the plaintext, and the other two for proving the well-formedness of the ciphertext. The LR-ardency of QAHPS makes possible the tight LR-CCA security. We give instantiations based on the standard k-Linear (k-LIN) assumptions over asymmetric and symmetric pairing groups, respectively, and obtain fully compact PKE with tight LR-CCA security. The security loss is O(log Q(e)) where Q(e) denotes the number of encryption queries. Specifically, our tightly LR-CCA secure PKE instantiation from SXDH has only 4 group elements in the public key and 7 group elements in the ciphertext, thus is the most efficient one.

Chun Guo,Ling Song

DOI: https://doi.org/10.1007/s10623-024-01394-x

IF: 1.4

2024-03-25

Designs Codes and Cryptography

Abstract:Feistel constructions using contracting round functions were introduced in 1990s and generalized by Yun et al. (Des Codes Cryptogr 58(1):45–72, 2011) to a quasigroup-based definition. To our knowledge, the minimal number of rounds sufficient for CCA security remains elusive. We bridge this gap: for the general quasigroup-based contracting Feistel construction using round functions , , we prove CCA security at rounds. This matches the attacked rounds of Patarin et al. (in: Lai, Chen (ed) ASIACRYPT, Springer, Heidelberg, 2006). Interestingly, this means 4 rounds are already sufficient for CCA security of the case , which is the same as the balanced Feistel.

mathematics, applied,computer science, theory & methods

Alexander Russell,Qiang Tang,Jiadong Zhu

2024-04-15

Abstract:The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers. This paper shows that a simple adaptation of the construction is resistant, even to algorithm substitution attacks -- that is, adversarial subversion -- of the component round functions. Specifically, we establish that a Feistel-based construction with more than $2000n/\log(1/\epsilon)$ rounds can transform a subverted random function -- which disagrees with the original one at a small fraction (denoted by $\epsilon$) of inputs -- into an object that is \emph{crooked-indifferentiable} from a random permutation, even if the adversary is aware of all the randomness used in the transformation. We also provide a lower bound showing that the construction cannot use fewer than $2n/\log(1/\epsilon)$ rounds to achieve crooked-indifferentiable security.

Cryptography and Security

Liu, Feng-Hao

DOI: https://doi.org/10.1007/s10623-024-01523-6

IF: 1.4

2024-11-25

Designs Codes and Cryptography

Abstract:Achieving tight security is a fundamental task in cryptography. While one of the most important purposes of this task is to improve the overall efficiency of a construction (by allowing smaller security parameters), many current lattice-based instantiations do not completely achieve the goal. Particularly, a super-polynomial modulus seems to be necessary in all prior work for (almost) tight schemes that allow the adversary to conduct queries, such as PRF, IBE, and Signatures. As the super-polynomial modulus would affect the noise-to-modulus ratio and thus increase the parameters, this might cancel out the advantages (in efficiency) brought from the tighter analysis. To determine the full power of tight security/analysis in lattices, it is necessary to determine whether the super-polynomial modulus restriction is inherent. In this work, we remove the super-polynomial modulus restriction for many important primitives—PRF, IBE, all-but-many Lossy Trapdoor Functions, and Signatures. The crux relies on an improvement over the framework of Boyen and Li (Asiacrypt 16), and an almost tight reduction from LWE to LWR, which improves prior work by Alwen et al. (Eurocrypt 13), Bogdanov et al. (TCC 16), and Bai et al. (Asiacrypt 15). By combining these two advances, we are able to derive these almost tight schemes under LWE with a polynomial modulus.

mathematics, applied,computer science, theory & methods

Ignacio Cascudo Pueyo,Hao Chen,Ronald Cramer,Chaoping Xing

DOI: https://doi.org/10.1007/978-3-642-03356-8_28

2009-01-01

Abstract:This work deals with "MPC-friendly" linear secret sharing schemes (LSSS), a mathematical primitive upon which secure multi-party computation (MPC) can be based and which was introduced by Cramer, Damgaard and Maurer (EUROCRYPT 2000). Chen and Cramer proposed a special class of such schemes that is constructed from algebraic geometry and that enables efficient secure multi-party computation over fixed finite fields (CRYPTO 2006). We extend this in four ways. First, we propose an abstract coding-theoretic framework in which this class of schemes and its (asymptotic) properties can be cast and analyzed. Second, we show that for every finite field ${\mathbb F}_q$, there exists an infinite family of LSSS over ${\mathbb F}_q$ that is asymptotically good in the following sense: the schemes are "ideal," i.e., each share consists of a single ${\mathbb F}_q$-element, and the schemes have t-strong multiplication on n players, where the corruption tolerance $\frac{3t}{n-1}$ tends to a constant 驴(q) with 0 驴(q) n tends to infinity. Moreover, when $|{\mathbb F}_q|$ tends to infinity, 驴(q) tends to 1, which is optimal. This leads to explicit lower bounds on $\widehat{\tau}(q)$, our measure of asymptotic optimal corruption tolerance. We achieve this by combining the results of Chen and Cramer with a dedicated field-descent method. In particular, in the ${\mathbb F}_2$-case there exists a family of binary t-strongly multiplicative ideal LSSS with $\frac{3t}{n-1}\approx 2.86\%$ when n tends to infinity, a one-bit secret and just a one-bit share for every player. Previously, such results were shown for ${\mathbb F}_q$ with q 驴 49 a square. Third, we present an infinite family of ideal schemes with t-strong multiplication that does not rely on algebraic geometry and that works over every finite field ${\mathbb F}_q$. Its corruption tolerance vanishes, yet still $\frac{3t}{n-1}= \Omega(1/(\log\log n)\log n)$. Fourth and finally, we give an improved non-asymptotic upper bound on corruption tolerance.

Jiahong Wu,Nan Liu,Wei Kang

2023-12-10

Abstract:In this paper, we consider the case that sharing many secrets among a set of participants using the threshold schemes. All secrets are assumed to be statistically independent and the weak secure condition is focused on. Under such circumstances we investigate the infimum of the (average) information ratio and the (average) randomness ratio for any structure pair which consists of the number of the participants and the threshold values of all secrets. For two structure pairs such that the two numbers of the participants are the same and the two arrays of threshold values have the subset relationship, two leading corollaries are proved following two directions. More specifically, the bound related to the lengths of shares, secrets and randomness for the complex structure pair can be truncated for the simple one; and the linear schemes for the simple structure pair can be combined independently to be a multiple threshold scheme for the complex one. The former corollary is useful for the converse part and the latter one is helpful for the achievability part. Three new bounds special for the case that the number of secrets corresponding to the same threshold value $ t $ is lager than $ t $ and two novel linear schemes modified from the Vandermonde matrix for two similar cases are presented. Then come the optimal results for the average information ratio, the average randomness ratio and the randomness ratio. We introduce a tiny example to show that there exists another type of bound that may be crucial for the information ratio, to which we only give optimal results in three cases.

Information Theory

Hongfei Zhu,Yu-an Tan,Xiaosong Zhang,Liehuang Zhu,Changyou Zhang,Jun Zheng

DOI: https://doi.org/10.1016/j.future.2017.01.031

IF: 7.307

2017-01-01

Future Generation Computer Systems

Abstract:To process rapidly growing Big Data, many organizations migrate their data and services such as e-voting and e-payment systems to the cloud. In these two systems, blind signature has become an essential cryptographic primitive since it allows the signer to sign a message without learning what he signs. Thus, it can guarantee trustworthy of Big Data. However, most blind signature schemes based on factoring and discrete logarithm problems cannot resist quantum computer attacks. The alternative blind signature schemes are based on lattice. Here, we present a round-optimal lattice-based blind signature scheme constructed on the closest vector problem using infinity norm. Firstly, our scheme is proven blind and one-more unforgeable, and is resistant to brute-force attacks, theoretical-timing attacks, and Nguyen–Regev attacks. Secondly, our scheme outperforms the RSA, the Schnorr, and the ECC blind signature schemes in terms of efficiency and security. Also, it outperforms the Rückert’s blind signature in terms of signature length, moves, and security. Finally, our scheme outperforms the Rückert’s blind signature in terms of communication and computation energy costs. Additionally, it outperforms the RSA blind signature in terms of communication energy cost.

Xiao Zhang,Shengli Liu,Jiaxin Pan,Dawu Gu

DOI: https://doi.org/10.1016/j.tcs.2019.07.015

IF: 1.002

2019-01-01

Theoretical Computer Science

Abstract:In this paper, we study how to construct tightly secure signature scheme against adaptive chosen message attacks in the multi-user setting (i.e., tightly euf-m-cma secure signature) from the learning with errors (LWE) assumptions. More precisely, we propose a modular framework of euf-m-cma secure signature from a weak partial one-time signature (POS) scheme that is secure only against random message attacks in the multi-user setting (i.e., euf-m-rma secure) and possesses imperfect correctness. By instantiating the weak POS with the LWE assumption, we obtain the first LWE-based tightly euf-m-cma secure signature scheme in the multi-user setting. Moreover, we also present an instantiation of the weak POS based on the Subset Sum (SS) assumption, and again we obtain the first almost tightly euf-cma secure signature scheme from the SS assumption in the single-user setting. All our security reductions are tight and without random oracles.

Shaoxuan Zhang,Chun Guo,Qingju Wang

DOI: https://doi.org/10.1049/2024/9991841

2024-09-15

IET Information Security

Abstract:We study quantum superposition attacks against permutation‐based pseudorandom cryptographic schemes. We first extend Kuwakado and Morii's attack against the Even–Mansour cipher and exhibit key recovery attacks against a large class of pseudorandom schemes based on a single call to an n‐bit permutation, with polynomial O(n) (or O(n2), if the concrete cost of Hadamard transform is also taken in) quantum steps. We then consider TPPR schemes, namely, two permutation‐based pseudorandom cryptographic schemes. Using the improved Grover‐meet‐Simon method, we show that the keys of a wide class of TPPR schemes can be recovered with O(n) superposition queries (the complexity of the original is O(n2n/2)) and O(n2n/2) quantum steps. We also exhibit subclasses of "degenerated" TPPR schemes that lack certain internal operations and exhibit more efficient key recovery attacks using either the Simon's algorithm or collision searching algorithm. Further, using the all‐subkeys‐recovery idea of Isobe and Shibutani, our results give rise to key recovery attacks against several recently proposed permutation‐based PRFs, as well as the two‐round Even–Mansour ciphers with generic key schedule functions and their tweakable variants. From a constructive perspective, our results establish new quantum Q2 security upper bounds for two permutation‐based pseudorandom schemes as well as sound design choices.

computer science, information systems, theory & methods

William He,Ryan O'Donnell

2024-07-04

Abstract:We study pseudorandomness properties of permutations on $\{0,1\}^n$ computed by random circuits made from reversible $3$-bit gates (permutations on $\{0,1\}^3$). Our main result is that a random circuit of depth $n \cdot \tilde{O}(k^2)$, with each layer consisting of $\approx n/3$ random gates in a fixed nearest-neighbor architecture, yields almost $k$-wise independent permutations. The main technical component is showing that the Markov chain on $k$-tuples of $n$-bit strings induced by a single random $3$-bit nearest-neighbor gate has spectral gap at least $1/n \cdot \tilde{O}(k)$. This improves on the original work of Gowers [Gowers96], who showed a gap of $1/\mathrm{poly}(n,k)$ for one random gate (with non-neighboring inputs); and, on subsequent work [HMMR05,BH08] improving the gap to $\Omega(1/n^2k)$ in the same setting. From the perspective of cryptography, our result can be seen as a particularly simple/practical block cipher construction that gives provable statistical security against attackers with access to $k$~input-output pairs within few rounds. We also show that the Luby--Rackoff construction of pseudorandom permutations from pseudorandom functions can be implemented with reversible circuits. From this, we make progress on the complexity of the Minimum Reversible Circuit Size Problem (MRCSP), showing that block ciphers of fixed polynomial size are computationally secure against arbitrary polynomial-time adversaries, assuming the existence of one-way functions (OWFs).

Computational Complexity,Cryptography and Security,Probability

Xianping Mao,Kefei Chen,Liangliang Wang,Yu Long

DOI: https://doi.org/10.1109/incos.2014.41

2014-01-01

Abstract:Fair exchange is essential in E-commerce, and concurrent signature realizes the fair exchange of digital signatures with removing the requirement of a trusted third party. Multi-party concurrent signature is an extension to the multi-user scenario. The security of existing multi-party concurrent signatures is mostly based on traditional hard problems that could be solved efficiently with quantum algorithms in a post-quantum world. Meanwhile, the lattice-based cryptography is considered to be resistant to quantum attack. Wang et al. proposed a lattice-based multi-party concurrent signature. We give the analysis of their proposed signature scheme and find that it is not secure since an inside adversary can forge the signature. Moreover, the initial signer can produce any signatures, instead of a signature on the original messages, if he is malicious.

Baodong Qin,Shengli Liu,Kefei Chen

DOI: https://doi.org/10.1049/iet-ifs.2013.0173

2014-01-01

IET Information Security

Abstract:A leakage-resilient public-key encryption (PKE) scheme provides security even if an adversary obtains some information on the secret key. In recent years, much attention has been focused on designing provably secure PKE in the presence of key-leakage and almost all the constructions rely on an important building block namely hash proof system (HPS). However, in the setting of adaptive chosen-ciphertext attacks (CCA2), there are not many HPS-based leakage-resilient PKE schemes available. Moreover, most of them have an unsatisfactory leakage rate. In this study, the authors propose a new method of constructing leakage-resilient CCA2-secure PKE scheme from any tag-based strongly universal(2) HPS. The striking advantage of the authors scheme is the leakage rate, which is the best one among all known HPS-based indistinguishability key leakage CCA2-secure constructions. In particular, they present an instantiation under the n-linear assumption. In the cases of n = 1 (resp. n = 2), they actually obtain a decisional Diffie-Hellman (DDH)-based [resp. decisional linear (DLIN)-based] PKE scheme, where the leakage rate can be made to 1/4 (resp. 1/6). The authors DDH-based scheme achieves the best leakage rate among all known DDH-based (Cramer-Shoup-type) schemes. Their DLIN-based scheme is the first one that can achieve leakage of L/6 bits without pairing, where L is the length of the secret key.

Ramakant Kumar,Sahadeo Padhye

DOI: https://doi.org/10.1007/s40009-024-01583-1

2024-12-07

National Academy Science Letters

Abstract:Kansal and Dutta proposed a lattice-based round optimal multi-signature scheme in AFRICA-CRYPT 2020. They achieved signature compression and public key aggregation with only one round of signature generation. They showed that their scheme is unforgeable under the hardness of the short integer solution problem. In 2023, Liu et al. showed that forgery is possible in this scheme. They showed that an adversary with sufficient message-signature pairs could find the signer's secret key in polynomial time. In this paper, we propose a flaw in the design of the Kansal-Dutta multi-signature scheme. We show that with the help of only one valid message-signature pair, an adversary can generate forged multi-signature even without computing the secret keys of the signers. We also give suggestions to overcome the proposed attack.

multidisciplinary sciences