Chun Guo,Yaobin Shen,Lei Wang,Dawu Gu

DOI: https://doi.org/10.1007/s10623-018-0528-8

IF: 1.4

2018-01-01

Designs Codes and Cryptography

Abstract:This paper revisits the fundamental cryptographic problem of building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We prove that, SUMPIP, i.e. \(P \oplus P^{-1}\), the sum of a PRP and its inverse, and EDMDSP, the single-permutation variant of the “dual” of the Encrypted Davies–Meyer scheme introduced by Mennink and Neves (CRYPTO 2017), are secure PRFs up to \(2^{2n/3}/n\) adversarial queries. To our best knowledge, SUMPIP is the first parallelizable, single-permutation-based, domain-preserving, beyond-birthday secure PRP-to-PRF conversion method.

GuoChun,ShenYaobin,WangLei,GuDawu

2019-01-01

Abstract:This paper revisits the fundamental cryptographic problem of building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We prove that, SUMPIP, i.e. $$P \oplus P^{-1}$$P?P-1, the ...

Jiehui Nan,Mengce Zheng,Honggang Hu

DOI: https://doi.org/10.1007/978-981-15-0818-9_9

2019-01-01

Abstract:Pseudorandom functions (PRFs) serve as a fundamental cryptographic primitive that is essential for encryption, identification and authentication. The concept of PRFs first formalized by Goldreich, Goldwasser, and Micali (JACM 1986), and their construction is based on length-doubling pseudorandom generators (PRGs) by using the tree-extention technique. Subsequently, Naor and Reingold proposed a construction based on synthesizers (JACM 2004) which can be instantiated from factoring and the Diffie-Hellman assumption. Recently, some efficient constructions were proposed in the post-quantum background. Banerjee, Peikert, and Rosen (Eurocrypt 2012) constructed relatively more efficient PRFs based on "learning with error" (LWE). Soon afterwards, Yu and Steinberger (Eurocrypt 2016) proposed two efficient constructions of randomized PRFs (with public coin as a parameter) from "learning parity with noise" (LPN). In this paper, we construct standard and randomized PRFs via Mersenne prime assumptions which were proposed by Aggarwal et al. (Crypto 2018) as new post-quantum candidate hardness assumptions. In contrast with Yu and Steinberger's constructions, our first construction could have the same parameters to their second construction but not needs extra public coin and our second construction has a smaller public coin and key size comparing with their first construction.

Jiehui Nan,Honggang Hu,Ping Zhang,Yiyuan Luo

DOI: https://doi.org/10.1007/s11128-022-03774-5

IF: 1.965

2022-01-01

Quantum Information Processing

Abstract:Since the seminal work of Chen et al. to construct pseudorandom functions (PRFs) from the public random permutations, a series of designs of beyond-birthday-bound secure PRFs or message authentication codes(MACs) have been proposed, like $$\textsf{pEDM}$$ , $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ , $$\textsf{PDM}\text {* }\textsf{MAC}$$ , and $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ , etc. These constructions were classically proved to be secure at least up to $$O(2^{2n/3})$$ queries. In this paper, we consider to attack these constructions in the quantum setting. In particular, we show the key-recovery attack against $$\textsf{pEDM}$$ and $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ with $$O(n\cdot 2^{n/2})$$ quantum queries by using Grover-meets-Simon algorithm. Moreover, a forgery attack is given against the constructions $$\textsf{PDM}\text {* }\textsf{MAC}$$ and $$\textsf{nEHtM}_p$$ with O(n) quantum complexity, and under the same query complexity, we can even recover the key of $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ .

Hong-Wei Sun,Bin-Bin Cai,Su-Juan Qin,Qiao-Yan Wen,Fei Gao

DOI: https://doi.org/10.1016/j.physa.2023.129047

2023-07-18

Abstract:In this paper, we investigate the security of several recent MAC constructions with provable security beyond the birthday bound (called BBB MACs) in the quantum setting. On the one hand, we give periodic functions corresponding to targeted MACs (including PMACX, PMAC with parity, HPxHP, and HPxNP), and we can recover secret states using Simon algorithm, leading to forgery attacks with complexity O(n) . This implies our results realize an exponential speedup compared with the classical algorithm. Note that our attacks can even break some optimally secure MACs, such as mPMAC+-f, mPMAC+-p1, mPMAC+-p2, mLightMAC+-f, etc. On the other hand, we construct new hidden periodic functions based on SUM-ECBC-like MACs: SUM-ECBC, PolyMAC, GCM-SIV2, and 2K-ECBC − Plus, where periods reveal the information of the secret key. Then, by applying Grover-meets-Simon algorithm to specially constructed functions, we can recover full keys with O(2n/2n) or O(2m/2n) quantum queries, where n is the message block size and m is the length of the key. Considering the previous best quantum attack, our key-recovery attacks achieve a quadratic speedup.

physics, multidisciplinary

Shi-Feng Sun,Shuai Han,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1049/iet-ifs.2015.0195

2016-01-01

IET Information Security

Abstract:The authors present a new general construction of public key encryption (PKE) based on the restricted subset membership (RSM) assumption, which can achieve the bounded-memory leakage resilient security and the auxiliary-input leakage resilient security simultaneously. The construction is BHHO-type, as Brakerski et al. work, but the message space is much larger and the proof is more concise benefiting from the RSM assumption. Instantiating the construction with the QR assumption, the authors get the first QR-based auxiliary-input secure PKE with a larger message space than {0,1}. Moreover, the authors generalise the Goldreich-Levin theorem to large rings. This theorem helps to improve the construction to achieve the same security level with fewer public parameters and shorter ciphertexts compared with Brakerski et al. work. For the bounded-memory leakage resilient security, the construction can achieve leakage rate of 1-o(1) and avoid the dependence between the message length and the amount of leakage. Based on the general construction, the authors also can achieve both bounded-memory leakage resilient chosen ciphertext attack (CCA) security and the auxiliary-input leakage resilient CCA security via the well-known Naor-Yung paradigm.

Xin Wang,Shimin Li,Rui Xue

DOI: https://doi.org/10.1007/978-3-030-41579-2_27

2020-01-01

Abstract:In this paper, we are interested in constructing Puncturable Pseudorandom Functions (PPRFs), a special class of constrained PRFs. While selectively secure PPRFs can be constructed from GGM tree-based PRFs, the adaptive counterpart is tricky to deal with. Inspired by previous works, we investigate on the possibility of directly obtaining adaptively-secure PPRF from Puncturable Identity-based Key Encapsulation Mechanism (PIB-KEM). Our contributions can be summarized as follows: (i) we show that one could derive adaptively-secure PPRFs very naturally originating from PIB-KEM satisfying two necessary conditions. (ii) we define t-puncturable IB-KEM (t-PIBKEM) and show its existence by an efficient conversion basing on Hierarchical IB-KEM (HIB-KEM). Furthermore, we demonstrate its application to constructing t-puncturable PRFs, a generalized notion of PPRFs.

Mark Zhandry

DOI: https://doi.org/10.48550/arXiv.1611.05564

2016-11-22

Abstract:We show how to construct pseudorandom permutations (PRPs) that remain secure even if the adversary can query the permutation on a quantum superposition of inputs. Such PRPs are called \emph{quantum-secure}. Our construction combines a quantum-secure pseudorandom \emph{function} together with constructions of \emph{classical} format preserving encryption. By combining known results, we obtain the first quantum-secure PRP in this model whose security relies only on the existence of one-way functions. Previously, to the best of the author's knowledge, quantum security of PRPs had to be assumed, and there were no prior security reductions to simpler primitives, let alone one-way functions.

Cryptography and Security,Computational Complexity,Quantum Physics

Minki Hhan,Shogo Yamada

2024-11-05

Abstract:Recent active studies have demonstrated that cryptography without one-way functions (OWFs) could be possible in the quantum world. Many fundamental primitives that are natural quantum analogs of OWFs or pseudorandom generators (PRGs) have been introduced, and their mutual relations and applications have been studied. Among them, pseudorandom function-like state generators (PRFSGs) [Ananth, Qian, and Yuen, Crypto 2022] are one of the most important primitives. PRFSGs are a natural quantum analogue of pseudorandom functions (PRFs), and imply many applications such as IND-CPA secret-key encryption (SKE) and EUF-CMA message authentication code (MAC). However, only known constructions of (many-query-secure) PRFSGs are ones from OWFs or pseudorandom unitaries (PRUs). In this paper, we construct classically-accessible adaptive secure PRFSGs in the invertible quantum Haar random oracle (QHRO) model which is introduced in [Chen and Movassagh, Quantum]. The invertible QHRO model is an idealized model where any party can access a public single Haar random unitary and its inverse, which can be considered as a quantum analog of the random oracle model. Our PRFSG constructions resemble the classical Even-Mansour encryption based on a single permutation, and are secure against any unbounded polynomial number of queries to the oracle and construction. To our knowledge, this is the first application in the invertible QHRO model without any assumption or conjecture. The previous best construction in the idealized model is PRFSGs secure up to o({\lambda}/ log {\lambda}) queries in the common Haar state model [Ananth, Gulati, and Lin, TCC 2024].

Quantum Physics

Shaoxuan Zhang,Chun Guo,Qingju Wang

DOI: https://doi.org/10.1049/2024/9991841

2024-09-15

IET Information Security

Abstract:We study quantum superposition attacks against permutation‐based pseudorandom cryptographic schemes. We first extend Kuwakado and Morii's attack against the Even–Mansour cipher and exhibit key recovery attacks against a large class of pseudorandom schemes based on a single call to an n‐bit permutation, with polynomial O(n) (or O(n2), if the concrete cost of Hadamard transform is also taken in) quantum steps. We then consider TPPR schemes, namely, two permutation‐based pseudorandom cryptographic schemes. Using the improved Grover‐meet‐Simon method, we show that the keys of a wide class of TPPR schemes can be recovered with O(n) superposition queries (the complexity of the original is O(n2n/2)) and O(n2n/2) quantum steps. We also exhibit subclasses of "degenerated" TPPR schemes that lack certain internal operations and exhibit more efficient key recovery attacks using either the Simon's algorithm or collision searching algorithm. Further, using the all‐subkeys‐recovery idea of Isobe and Shibutani, our results give rise to key recovery attacks against several recently proposed permutation‐based PRFs, as well as the two‐round Even–Mansour ciphers with generic key schedule functions and their tweakable variants. From a constructive perspective, our results establish new quantum Q2 security upper bounds for two permutation‐based pseudorandom schemes as well as sound design choices.

computer science, information systems, theory & methods

Yaobin Shen,Francois-Xavier Standaert,Lei Wang

DOI: https://doi.org/10.1007/978-981-99-8727-6_6

2023-01-01

Abstract:At CRYPTO'18, Datta et al. proposed nPolyMAC and proved the security up to 2(2n/3) authentication queries and 2(n) verification queries. At EUROCRYPT'19, Dutta et al. proposed CWC+ and showed the security up to 2(2n/3) queries. At FSE'19, Datta et al. proposed PolyMAC and its key-reduced variant 2k-PolyMAC, and showed the security up to 2(2n/3) queries. This security bound was then improved by Kim et al. (EUROCRYPT'20) and Datta et al. (FSE'23) respectively to 2(3n/4) and in the multi-user setting. At FSE'20, Chakraborti et al. proposed PDM*MAC and 1k-PDM*MAC, and showed the security up to 2(2n/3) queries. Recently, Chen et al. proposed nEHtM(p)(+) and showed the security up to 2(2n/3) queries. In this paper, we show forgery attacks on nPolyMAC, CWC+, PolyMAC, 2k-PolyMAC, PDM* MAC, 1k-PDM*MAC and nEHtM(p)(+). Our attacks exploit some vulnerability in the underlying polynomial hash function Poly, and (i) require only one authentication query and one verification query; (ii) are nonce-respecting; (iii) succeed with probability 1. Thus, our attacks disprove the provable high security claims of these schemes. We then revisit their security analyses and identify what went wrong. Finally, we propose two solutions that can restore the beyond-birthday-bound security.

Feng-Hao Liu,Chi-Jen Lu,Bo-Yin Yang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-540-88403-3_13

2008-01-01

Abstract:Berbain, Gilbert, and Patarin presented QUAD, a pseudo random number generator (PRNG) at Eurocrypt 2006. QUAD (as PRNG and stream cipher) may be proved secure based on an interesting hardness assumption about the one-wayness of multivariate quadratic polynomial systems over F-2.The original BGP proof only worked for F-2 and left a gap to general F-q. We show that the result can be generalized to any arbitrary finite field F-q, and thus produces a stream cipher with alphabets in F-q.Further, we generalize the underlying hardness assumption to specialized systems in F-q (including F-2) that can be evaluated more efficiently. Barring breakthroughs in the current state-of-the-art for system-solving, a rough implementation of a provably secure instance of our new PRNG is twice as fast and takes 1/10 the storage of an instance of QUAD with the same level of provable security.Recent results on specialization on security are also examined. And we conclude that our ideas axe consistent with these new developments and complement them. This gives a clue that we may build secure primitives based on specialized polynomial maps which axe more efficient.

William He,Ryan O'Donnell

2024-07-04

Abstract:We study pseudorandomness properties of permutations on $\{0,1\}^n$ computed by random circuits made from reversible $3$-bit gates (permutations on $\{0,1\}^3$). Our main result is that a random circuit of depth $n \cdot \tilde{O}(k^2)$, with each layer consisting of $\approx n/3$ random gates in a fixed nearest-neighbor architecture, yields almost $k$-wise independent permutations. The main technical component is showing that the Markov chain on $k$-tuples of $n$-bit strings induced by a single random $3$-bit nearest-neighbor gate has spectral gap at least $1/n \cdot \tilde{O}(k)$. This improves on the original work of Gowers [Gowers96], who showed a gap of $1/\mathrm{poly}(n,k)$ for one random gate (with non-neighboring inputs); and, on subsequent work [HMMR05,BH08] improving the gap to $\Omega(1/n^2k)$ in the same setting. From the perspective of cryptography, our result can be seen as a particularly simple/practical block cipher construction that gives provable statistical security against attackers with access to $k$~input-output pairs within few rounds. We also show that the Luby--Rackoff construction of pseudorandom permutations from pseudorandom functions can be implemented with reversible circuits. From this, we make progress on the complexity of the Minimum Reversible Circuit Size Problem (MRCSP), showing that block ciphers of fixed polynomial size are computationally secure against arbitrary polynomial-time adversaries, assuming the existence of one-way functions (OWFs).

Computational Complexity,Cryptography and Security,Probability

Prabhanjan Ananth,Aditya Gulati,Luowen Qian,Henry Yuen

2023-06-10

Abstract:Pseudorandom quantum states (PRS) are efficiently constructible states that are computationally indistinguishable from being Haar-random, and have recently found cryptographic applications. We explore new definitions, new properties and applications of pseudorandom states, and present the following contributions: 1. New Definitions: We study variants of pseudorandom function-like state (PRFS) generators, introduced by Ananth, Qian, and Yuen (CRYPTO'22), where the pseudorandomness property holds even when the generator can be queried adaptively or in superposition. We show feasibility of these variants assuming the existence of post-quantum one-way functions. 2. Classical Communication: We show that PRS generators with logarithmic output length imply commitment and encryption schemes with classical communication. Previous constructions of such schemes from PRS generators required quantum communication. 3. Simplified Proof: We give a simpler proof of the Brakerski--Shmueli (TCC'19) result that polynomially-many copies of uniform superposition states with random binary phases are indistinguishable from Haar-random states. 4. Necessity of Computational Assumptions: We also show that a secure PRS with output length logarithmic, or larger, in the key length necessarily requires computational assumptions.

Quantum Physics,Computational Complexity,Cryptography and Security

Yasir Nawaz,Lei Wang

DOI: https://doi.org/10.3390/sym11121485

2019-01-01

Symmetry

Abstract:Designing a secure construction has always been a fascinating area for the researchers in the field of symmetric key cryptography. This research aimed to make contributions to the design of secure block cipher in the ideal cipher model whose underlying primitive is a family of n − b i t to n − b i t random permutations indexed by secret key. Our target construction of a secure block ciphers denoted as E [ s ] is built on a simple XOR operation and two block cipher invocations, under the assumptions that the block cipher in use is a pseudorandom permutation. One out of these two block cipher invocations produce a subkey that is derived from the secret key. It has been accepted that at least two block cipher invocations with XOR operations are required to achieve beyond birthday bound security. In this paper, we investigated the E [ s ] instances with the advanced proof technique and efficient block cipher constructions that bypass the birthday-bound up to 2 n provable security was achieved. Our study provided new insights to the block cipher that is beyond birthday bound security.

Minier, Marine

DOI: https://doi.org/10.1007/s12095-024-00743-w

2024-09-21

Cryptography and Communications

Abstract:Permutations mostly in the form of sboxes are very efficient components largely present in cryptographic artifacts either hardware or software. They have been well studied as an individual component and have a large body of knowledge. Here we look at the properties of tiny transformations employing permutations and a few field operations. That gives functions with few components, which can be safely used either as PRG building blocks or as a component in lightweight ciphers. At the end, we propose a PRG implementation with those components. Lastly, we formalize a key assumption over the system functions and give a theorem for the equivalence of some system instances.

computer science, theory & methods,mathematics, applied

Yaobin Shen,Lei Wang,Dawu Gu,Jian Weng

DOI: https://doi.org/10.1007/978-3-030-84252-9_11

2021-01-01

Abstract:Double-block Hash-then-Sum (DbHtS) MACs are a class of MACs that aim for achieving beyond-birthday-bound security, including SUM-ECBC, PMAC Plus, 3kf9 and LightMAC Plus. Recently Datta et al. (FSE'19), and then Kim et al. (Eurocrypt'20) prove that DbHtS constructions are secure beyond the birthday bound in the single-user setting. However, by a generic reduction, their results degrade to (or even worse than) the birthday bound in the multi-user setting.In this work, we revisit the security of DbHtS MACs in the multi-user setting. We propose a generic framework to prove beyond-birthday-bound security for DbHtS constructions. We demonstrate the usability of this framework with applications to key-reduced variants of DbHtS MACs, including 2k-SUM-ECBC, 2k-PMAC_Plus and 2k-LightMAC_Plus. Our results show that the security of these constructions will not degrade as the number of users grows. On the other hand, our results also indicate that these constructions are secure beyond the birthday bound in both single-user and multi-user setting without additional domain separation, which is used in the prior work to simplify the analysis.Moreover, we find a critical flaw in 2kf9, which is proved to be secure beyond the birthday bound by Datta et al. (FSE'19). We can successfully forge a tag with probability 1 without making any queries. We go further to show attacks with birthday-bound complexity on several variants of 2kf9.

Mohammed Barhoush,Amit Behera,Lior Ozer,Louis Salvail,Or Sattath

2024-08-05

Abstract:Different flavors of quantum pseudorandomness have proven useful for various cryptographic applications, with the compelling feature that these primitives are potentially weaker than post-quantum one-way functions. Ananth, Lin, and Yuen (2023) have shown that logarithmic pseudorandom states can be used to construct a pseudo-deterministic PRG: informally, for a fixed seed, the output is the same with $1-1/poly$ probability. In this work, we introduce new definitions for $\bot$-PRG and $\bot$-PRF. The correctness guarantees are that, for a fixed seed, except with negligible probability, the output is either the same (with probability $1-1/poly$) or recognizable abort, denoted $\bot$. Our approach admits a natural definition of multi-time PRG security, as well as the adaptive security of a PRF. We construct a $\bot$-PRG from any pseudo-deterministic PRG and, from that, a $\bot$-PRF. Even though most mini-crypt primitives, such as symmetric key encryption, commitments, MAC, and length-restricted one-time digital signatures, have been shown based on various quantum pseudorandomness assumptions, digital signatures remained elusive. Our main application is a (quantum) digital signature scheme with classical public keys and signatures, thereby addressing a previously unresolved question posed in Morimae and Yamakawa's work (Crypto, 2022). Additionally, we construct CPA secure public-key encryption with tamper-resilient quantum public keys.

Cryptography and Security

Vipin Singh Sehrawat,Yvo Desmedt

DOI: https://doi.org/10.1007/978-3-030-31578-8_1

2020-08-21

Abstract:We define a pseudorandom function (PRF) $F: \mathcal{K} \times \mathcal{X} \rightarrow \mathcal{Y}$ to be bi-homomorphic when it is fully Key homomorphic and partially Input Homomorphic (KIH), i.e., given $F(k_1, x_1)$ and $F(k_2, x_2)$, there is an efficient algorithm to compute $F(k_1 \oplus k_2, x_1 \ominus x_2)$, where $\oplus$ and $\ominus$ are (binary) group operations. The homomorphism on the input is restricted to a fixed subset of the input bits, i.e., $\ominus$ operates on some pre-decided $m$-out-of-$n$ bits, where $|x_1| = |x_2| = n$, and the remaining $n-m$ bits are identical in both inputs. In addition, the output length, $\ell$, of the operator $\ominus$ is not fixed and is defined as $n \leq \ell \leq 2n$, hence leading to Homomorphically induced Variable input Length (HVL) as $n \leq |x_1 \ominus x_2| \leq 2n$. We present a learning with errors (LWE) based construction for a HVL-KIH-PRF family. Our construction is inspired by the key homomorphic PRF construction due to Banerjee and Peikert (Crypto 2014). An updatable encryption scheme allows rotations of the encryption key, i.e., moving existing ciphertexts from old to new key. These updates are carried out via \emph{update tokens}, which can be used by an untrusted party since the update procedure does not involve decryption of the ciphertext. We use our novel PRF family to construct an updatable encryption scheme, named QPC-UE-UU, which is quantum-safe, post-compromise secure and supports unidirectional ciphertext updates, i.e., the update tokens can be used to perform ciphertext updates but they cannot be used to undo already completed updates. Our PRF family also leads to the first left/right key homomorphic constrained-PRF family with HVL.

Cryptography and Security

Surendra Ghentiyala,Venkatesan Guruswami

2024-09-12

Abstract:Introduced in [CG24], pseudorandom error-correcting codes (PRCs) are a new cryptographic primitive with applications in watermarking generative AI models. These are codes where a collection of polynomially many codewords is computationally indistinguishable from random, except to individuals with the decoding key. In this work, we examine the assumptions under which PRCs with robustness to a constant error rate exist. 1. We show that if both the planted hyperloop assumption introduced in [BKR23] and security of a version of Goldreich's PRG hold, then there exist public-key PRCs for which no efficient adversary can distinguish a polynomial number of codewords from random with better than $o(1)$ advantage. 2. We revisit the construction of [CG24] and show that it can be based on a wider range of assumptions than presented in [CG24]. To do this, we introduce a weakened version of the planted XOR assumption which we call the weak planted XOR assumption and which may be of independent interest. 3. We initiate the study of PRCs which are secure against space-bounded adversaries. We show how to construct secret-key PRCs of length $O(n)$ which are $\textit{unconditionally}$ indistinguishable from random by $\text{poly}(n)$ time, $O(n^{1.5-\varepsilon})$ space adversaries.

Cryptography and Security,Computational Complexity