Stephan Verbücheln

DOI: https://doi.org/10.48550/arXiv.1501.00447

2015-01-03

Abstract:ECDSA has become a popular choice as lightweight alternative to RSA and classic DL based signature algorithms in recent years. As standardized, the signature produced by ECDSA for a pair of a message and a key is not deterministic. This work shows how this non-deterministic choice can be exploited by an attacker to leak private information through the signature without any side channels, an attack first discovered by Young and Yung for classic DL-based cryptosystems in 1997, and how this attack affects the application of ECDSA in the Bitcoin protocol.

Cryptography and Security

A. Beygelzimer,L. A. Hemaspaandra,C. M. Homan,J. Rothe

DOI: https://doi.org/10.48550/arXiv.cs/9911007

1999-11-15

Computational Complexity

Abstract:We survey recent developments in the study of (worst-case) one-way functions having strong algebraic and security properties. According to [RS93], this line of research was initiated in 1984 by Rivest and Sherman who designed two-party secret-key agreement protocols that use strongly noninvertible, total, associative one-way functions as their key building blocks. If commutativity is added as an ingredient, these protocols can be used by more than two parties, as noted by Rabi and Sherman [RS93] who also developed digital signature protocols that are based on such enhanced one-way functions. Until recently, it was an open question whether one-way functions having the algebraic and security properties that these protocols require could be created from any given one-way function. Recently, Hemaspaandra and Rothe [HR99] resolved this open issue in the affirmative, by showing that one-way functions exist if and only if strong, total, commutative, associative one-way functions exist. We discuss this result, and the work of Rabi, Rivest, and Sherman, and recent work of Homan [Hom99] that makes progress on related issues.

Dima Grigoriev,Vladimir Shpilrain

DOI: https://doi.org/10.48550/arXiv.1301.5069

2013-01-22

Abstract:We show that some problems in information security can be solved without using one-way functions. The latter are usually regarded as a central concept of cryptography, but the very existence of one-way functions depends on difficult conjectures in complexity theory, most notably on the notorious "$P \ne NP$" conjecture. In this paper, we suggest protocols for secure computation of the sum, product, and some other functions, without using any one-way functions. A new input that we offer here is that, in contrast with other proposals, we conceal "intermediate results" of a computation. For example, when we compute the sum of $k$ numbers, only the final result is known to the parties; partial sums are not known to anybody. Other applications of our method include voting/rating over insecure channels and a rather elegant and efficient solution of Yao's "millionaires' problem". Then, while it is fairly obvious that a secure (bit) commitment between two parties is impossible without a one-way function, we show that it is possible if the number of parties is at least 3. We also show how our (bit) commitment scheme for 3 parties can be used to arrange an unconditionally secure (bit) commitment between just two parties if they use a "dummy" (e.g., a computer) as the third party. We explain how our concept of a "dummy" is different from a well-known concept of a "trusted third party". We also suggest a protocol, without using a one-way function, for "mental poker", i.e., a fair card dealing (and playing) over distance. We also propose a secret sharing scheme where an advantage over Shamir's and other known secret sharing schemes is that nobody, including the dealer, ends up knowing the shares owned by any particular player. It should be mentioned that computational cost of our protocols is negligible to the point that all of them can be executed without a computer.

Cryptography and Security,Information Theory

Andrew C. Yao

DOI: https://doi.org/10.1109/sfcs.1982.38

1982-01-01

Abstract:giving away any information about the values of their own variables? The millionaires'problem corresponds to the case when m = 2 and f (x1, x2) = 1 if x1 < x2, and 0 otherwise. In this paper, we will give precise formu-lation of this general problem and describe three ways of solving it by use of one-way functions (i. e., functions which are easy to evaluate but hard to invert). These results have applications to secret voting, private query-ing of database, oblivious negotiation, playing mental poker, etc. We will also discuss the complexity question "How many bits need to be exchanged for the computa-tion", and describe methods to prevent participants from cheating. Finally, we study the question "What cannot be accomplished with one-way functions". Before describing these results, we would like to put this work in perspective by first considering a unified view of secure computation in the next section.

Hua-Lei Yin

2024-08-24

Abstract:One-way functions are fundamental to classical cryptography and their existence remains a longstanding problem in computational complexity theory. Recently, a provable quantum one-way function has been identified, which maintains its one-wayness even with unlimited computational resources. Here, we extend the mathematical definition of functions to construct a generalized one-way function by virtually measuring the qubit of provable quantum one-way function and randomly assigning the corresponding measurement outcomes with identical probability. Remarkably, using this generalized one-way function, we have developed an unconditionally secure key distribution protocol based solely on classical data processing, which can then utilized for secure encryption and signature. Our work highlights the importance of information in characterizing quantum systems and the physical significance of the density matrix. We demonstrate that probability theory and randomness are effective tools for countering adversaries with unlimited computational capabilities.

Quantum Physics,Computational Complexity,Cryptography and Security,Information Theory

Shafi Goldwasser,Silvio Micali,Andrew Chi-chih Yao

DOI: https://doi.org/10.1007/978-1-4757-0602-4_20

1982-01-01

Abstract:The design of cryptographic protocols using trapdoor and one-way functions has received considerable attention in the past few years [1–8]. More recently, attention has been paid to provide rigorous correctness proofs based on simple mathematical assumptions, for example, in coin flipping (Blum [1]), mental poker (Goldwasser and Micali [4]). It is perhaps reasonable to speculate at this time that all cryptographic protocols can eventually be designed to be provably secure under simple assumptions, such as factoring large numbers or inverting RSA functions are computationally intractable in the appropriate sense.

Tejas Nareddy,Abhishek Mishra

2024-11-15

Abstract:We say that a function is rare-case hard against a given class of algorithms (the adversary) if all algorithms in the class can compute the function only on an $o(1)$-fraction of instances of size $n$ for large enough $n$. Starting from any NP-complete language, for each $k > 0$, we construct a function that cannot be computed correctly on even a $1/n^k$-fraction of instances for polynomial-sized circuit families if NP $\not \subset$ P/POLY and by polynomial-time algorithms if NP $\not \subset$ BPP - functions that are rare-case hard against polynomial-time algorithms and polynomial-sized circuits. The constructed function is a number-theoretic polynomial evaluated over specific finite fields. For NP-complete languages that admit parsimonious reductions from all of NP (for example, SAT), the constructed functions are hard to compute on even a $1/n^k$-fraction of instances by polynomial-time algorithms and polynomial-sized circuit families simply if $P^{\#P} \not \subset$ BPP and $P^{\#P} \not \subset$ P/POLY, respectively. We also show that if the Randomized Exponential Time Hypothesis (RETH) is true, none of these constructed functions can be computed on even a $1/n^k$-fraction of instances in subexponential time. These functions are very hard, almost always. While one may not be able to efficiently compute the values of these constructed functions themselves, in polynomial time, one can verify that the evaluation of a function, $s = f(x)$, is correct simply by asking a prover to compute $f(y)$ on targeted queries.

Computational Complexity

Akinori Kawachi,Tomoyuki Yamakami

DOI: https://doi.org/10.48550/arXiv.quant-ph/0602088

2009-06-30

Abstract:Hardcore functions have been used as a technical tool to construct secure cryptographic systems; however, little is known on their quantum counterpart, called quantum hardcore functions. With a new insight into fundamental properties of quantum hardcores, we present three new quantum hardcore functions for any (strong) quantum one-way function. We also give a "quantum" solution to Damgard's question (CRYPTO'88) on a classical hardcore property of his pseudorandom generator, by proving its quantum hardcore property. Our major technical tool is the new notion of quantum list-decoding of "classical" error-correcting codes (rather than "quantum" error-correcting codes), which is defined on the platform of computational complexity theory and computational cryptography (rather than information theory). In particular, we give a simple but powerful criterion that makes a polynomial-time computable classical block code (seen as a function) a quantum hardcore for all quantum one-way functions. On their own interest, we construct efficient quantum list-decoding algorithms for classical block codes whose associated quantum states (called codeword states) form a nearly phase-orthogonal basis.

Quantum Physics,Computational Complexity

Salim Ali Altug,Yilei Chen

DOI: https://doi.org/10.48550/arXiv.1810.00022

2019-05-15

Abstract:We initiate the study of computational problems on elliptic curve isogeny graphs defined over RSA moduli. We conjecture that several variants of the neighbor-search problem over these graphs are hard, and provide a comprehensive list of cryptanalytic attempts on these problems. Moreover, based on the hardness of these problems, we provide a construction of groups with infeasible inversion, where the underlying groups are the ideal class groups of imaginary quadratic orders. Recall that in a group with infeasible inversion, computing the inverse of a group element is required to be hard, while performing the group operation is easy. Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar (2003). Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only case of a group with infeasible inversion is implied by the much stronger primitive of self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). Our construction gives a candidate without using iO.

Number Theory,Cryptography and Security,Algebraic Geometry

Mihir Bellare,Anna Lysyanskaya

DOI: https://doi.org/10.1007/s00145-024-09513-6

2024-08-22

Journal of Cryptology

Abstract:A two-input function is a dual PRF if it is a PRF when keyed by either of its inputs. Dual PRFs are assumed in the design and analysis of numerous primitives and protocols including HMAC, AMAC, TLS 1.3 and MLS. But, not only do we not know whether particular functions on which the assumption is made really are dual PRFs; we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain two specific symmetric and dual PRFs, the first assuming any collision-resistant hash function and the second assuming any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Simran Tinani,Carlo Matteotti,Joachim Rosenthal

2023-10-08

Abstract:In the recently emerging field of nonabelian group-based cryptography, a prominently used one-way function is the Conjugacy Search Problem (CSP), and two important classes of platform groups are polycyclic and matrix groups. In this paper, we discuss the complexity of the conjugacy search problem (CSP) in these two classes of platform groups using the three protocols in [10], [26], and [29] as our starting point. We produce a polynomial time solution for the CSP in a finite polycyclic group with two generators, and show that a restricted CSP is reducible to a DLP. In matrix groups over finite fields, we usedthe Jordan decomposition of a matrix to produce a polynomial time reduction of an A-restricted CSP, where A is a cyclic subgroup of the general linear group, to a set of DLPs over an extension of Fq. We use these general methods and results to describe concrete cryptanalysis algorithms for these three systems. In particular, we show that in the group of invertible matrices over finite fields and in polycyclic groups with two generators, a CSP where conjugators are restricted to a cyclic subgroup is reducible to a set of O(n2) discrete logarithm problems. Using our general results, we demonstrate concrete cryptanalysis algorithms for each of these three schemes. We believe that our methods and findings are likely to allow for several other heuristic attacks in the general case.

Cryptography and Security,Computational Complexity

Nir Bitansky

DOI: https://doi.org/10.1007/s00145-019-09331-1

2019-09-04

Journal of Cryptology

Abstract:<span><em class="EmphasisTypeItalic">Verifiable random functions</em> (VRFs) are pseudorandom functions where the owner of the seed, in addition to computing the function's value <em class="EmphasisTypeItalic">y</em> at any point <em class="EmphasisTypeItalic">x</em>, can also generate a non-interactive proof <span class="InlineEquation">\(\pi \)</span> that <em class="EmphasisTypeItalic">y</em> is correct, without compromising pseudorandomness at other points. Being a natural primitive with a wide range of applications, considerable efforts have been directed toward the construction of such VRFs. While these efforts have resulted in a variety of algebraic constructions (from bilinear maps or the RSA problem), the relation between VRFs and other general primitives is still not well understood. We present new constructions of VRFs from general primitives, the main one being <em class="EmphasisTypeItalic">non-interactive witness-indistinguishable proofs</em> (NIWIs). This includes: (1) a selectively secure VRF assuming NIWIs and non-interactive commitments. As usual, the VRF can be made adaptively secure assuming subexponential hardness of the underlying primitives. (2) An adaptively secure VRF assuming (polynomially hard) NIWIs, non-interactive commitments, and (<em class="EmphasisTypeItalic">single-key</em>) <em class="EmphasisTypeItalic">constrained pseudorandom functions</em> for a restricted class of constraints. The above primitives can be instantiated under various standard assumptions, which yields corresponding VRF instantiations, under different assumptions than were known so far. One notable example is a non-uniform construction of VRFs from subexponentially hard trapdoor permutations, or more generally, from <em class="EmphasisTypeItalic">verifiable pseudorandom generators</em> (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS '00). The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of <em class="EmphasisTypeItalic">indistinguishability obfuscation</em>.</span>

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Luowen Qian,Justin Raizes,Mark Zhandry

2024-10-07

Abstract:Although one-way functions are well-established as the minimal primitive for classical cryptography, a minimal primitive for quantum cryptography is still unclear. Universal extrapolation, first considered by Impagliazzo and Levin (1990), is hard if and only if one-way functions exist. Towards better understanding minimal assumptions for quantum cryptography, we study the quantum analogues of the universal extrapolation task. Specifically, we put forth the classical$\rightarrow$quantum extrapolation task, where we ask to extrapolate the rest of a bipartite pure state given the first register measured in the computational basis. We then use it as a key component to establish new connections in quantum cryptography: (a) quantum commitments exist if classical$\rightarrow$quantum extrapolation is hard; and (b) classical$\rightarrow$quantum extrapolation is hard if any of the following cryptographic primitives exists: quantum public-key cryptography (such as quantum money and signatures) with a classical public key or 2-message quantum key distribution protocols. For future work, we further generalize the extrapolation task and propose a fully quantum analogue. We show that it is hard if quantum commitments exist, and it is easy for quantum polynomial space.

Quantum Physics

Dakshita Khurana,Kabir Tomer

2024-01-30

Abstract:One-way functions are central to classical cryptography. They are both necessary for the existence of non-trivial classical cryptosystems, and sufficient to realize meaningful primitives including commitments, pseudorandom generators and digital signatures. At the same time, a mounting body of evidence suggests that assumptions even weaker than one-way functions may suffice for many cryptographic tasks of interest in a quantum world, including bit commitments and secure multi-party computation. This work studies one-way state generators [Morimae-Yamakawa, CRYPTO 2022], a natural quantum relaxation of one-way functions. Given a secret key, a one-way state generator outputs a hard to invert quantum state. A fundamental question is whether this type of quantum one-wayness suffices to realize quantum cryptography. We obtain an affirmative answer to this question, by proving that one-way state generators with pure state outputs imply quantum bit commitments and secure multiparty computation. Along the way, we build an intermediate primitive with classical outputs, which we call a (quantum) one-way puzzle. Our main technical contribution is a proof that one-way puzzles imply quantum bit commitments.

Quantum Physics,Cryptography and Security

Alex B. Grilo,Or Sattath,Quoc-Huy Vu

2023-06-21

Abstract:It is an important question to find constructions of quantum cryptographic protocols which rely on weaker computational assumptions than classical protocols. Recently, it has been shown that oblivious transfer and multi-party computation can be constructed from one-way functions, whereas this is impossible in the classical setting in a black-box way. In this work, we study the question of building quantum public-key encryption schemes from one-way functions and even weaker assumptions. Firstly, we revisit the definition of IND-CPA security to this setting. Then, we propose three schemes for quantum public-key encryption from one-way functions, pseudorandom function-like states with proof of deletion and pseudorandom function-like states, respectively.

Cryptography and Security,Quantum Physics

D DOLEV,AC YAO

DOI: https://doi.org/10.1109/tit.1983.1056650

IF: 2.5

1983-01-01

IEEE Transactions on Information Theory

Abstract:Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.

Jaouhar Fattahi,Mohamed Mejri

DOI: https://doi.org/10.1109/ECAI.2015.7301205

2018-01-05

Abstract:In this paper, we use the witness-functions to analyze cryptographic protocols for secrecy under nonempty equational theories. The witness-functions are safe metrics used to compute security. An analysis with a witness-function consists in making sure that the security of every atomic message does not decrease during its lifecycle in the protocol. The analysis gets more difficult under nonempty equational theories. Indeed, the intruder can take advantage of the algebraic properties of the cryptographic primitives to derive secrets. These properties arise from the use of mathematical functions, such as multiplication, addition, exclusive-or or modular exponentiation in the cryptosystems and the protocols. Here, we show how to use the witness-functions under nonempty equational theories and we run an analysis on the Needham-Schroeder-Lowe protocol under the cipher homomorphism. This analysis reveals that although this protocol is proved secure under the perfect encryption assumption, its security collapses under the homomorphic primitives. We show how the witness-functions help to illustrate an attack scenario on it and we propose an amended version to fix it.

Cryptography and Security

Lijie Chen,Roei Tell

DOI: https://doi.org/10.1137/22m1475491

2024-12-05

SIAM Journal on Computing

Abstract:SIAM Journal on Computing, Ahead of Print. We propose a new approach to the hardness-to-randomness framework and to the [math] conjecture. Classical results rely on nonuniform hardness assumptions to construct derandomization algorithms that work in the worst case, or rely on uniform hardness assumptions to construct derandomization algorithms that work only in the average case. In both types of results, the derandomization algorithm is "black-box" and uses the standard approach based on pseudorandom generators (PRGs). In this work we present results that closely relate new and natural uniform hardness assumptions to worst-case derandomization of [math], where the algorithms underlying the latter derandomization are non-black-box. In our main result, we show that [math] if the following holds: There exists a multi-output function computable by logspace-uniform circuits of polynomial size and depth [math] that cannot be computed by uniform probabilistic algorithms in time [math], for some universal constant [math], on almost all inputs. The required failure on "almost all inputs" is stronger than the standard requirement of failing on one input of each length; however, the same assumption without the depth restriction on [math] is necessary for the conclusion. This suggests a potential equivalence between worst-case derandomization of [math] of any form (i.e., not necessarily by a black-box algorithm) and the existence of efficiently computable functions that are hard for probabilistic algorithms on almost all inputs. In our second result, we introduce a new and uniform hardness-to-randomness tradeoff for the setting of superfast average-case derandomization; prior to this work, superfast average-case derandomization was known only under nonuniform hardness assumptions. In an extreme instantiation of our new tradeoff, under appealing uniform hardness assumptions and if one-way functions exist, we show that for every polynomial [math] and constant [math] it holds that [math], where the "[math]" prefix means that no polynomial-time algorithm can find, with nonnegligible probability, an input on which the deterministic simulation errs. Technically, our approach is to design targeted PRGs and hitting-set generators (HSGs), as introduced by Goldreich [In a world of [math], in Studies in Complexity and Cryptography, Lecture Notes in Comput. Sci. 6650, Springer, 2011, pp. 191–232]. Our targeted PRGs/HSGs "produce randomness from the input," as suggested by Goldreich and Wigderson [Proceedings of the 6th International Workshop on Randomization and Approximation Techniques in Computer Science (RANDOM), 2002, pp. 209–223], and our analysis of these targeted PRGs/HSGs relies on non-black-box versions of the reconstruction procedure of Impagliazzo and Wigderson [Proceedings of the 39th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 1998, pp. 734–743]. Our main reconstruction procedure crucially relies on the ideas underlying the proof system of Goldwasser, Kalai, and Rothblum [J. ACM, 62 (2015), 27].

computer science, theory & methods,mathematics, applied

Chris Brzuska,Geoffroy Couteau

DOI: https://doi.org/10.1007/s00145-024-09518-1

2024-12-06

Journal of Cryptology

Abstract:Constructing one-way functions from average-case hardness is a long-standing open problem. A positive result would exclude Pessiland (Impagliazzo '95) and establish a highly desirable win–win situation: either (symmetric) cryptography exists unconditionally, or all problems can be solved efficiently on the average. Motivated by the lack of progress on this seemingly very hard question, we initiate the investigation of weaker yet meaningful candidate win–win results of the following type: either there are fine-grained one-way functions (FGOWF), or non-trivial speedups can be obtained for all problems on the average. FGOWFs only require a fixed polynomial gap (as opposed to superpolynomial) between the running time of the function and the running time of an inverter. We obtain three main results: Construction. We show that if there is an language having a very strong form of average-case hardness, which we call block finding hardness , then FGOWF exist. We provide heuristic support for this very strong average-case hardness notion by showing that it holds for a random language. Then, we study whether weaker (and more natural) forms of average-case hardness could already suffice to obtain FGOWF and obtain two negative results: Separation I. We provide a strong oracle separation for the implication ( exponentially average-case hard language FGOWF). Separation II. We provide a second strong negative result for an even weaker candidate win–win result. Namely, we rule out a relativizing proof for the implication ( exponentially average-case hard language whose hardness amplifies optimally through parallel repetitions FGOWF). This separation forms the core technical contribution of our work.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Tomoyuki Morimae,Takashi Yamakawa

2024-05-08

Abstract:The existence of one-way functions is one of the most fundamental assumptions in classical cryptography. In the quantum world, on the other hand, there are evidences that some cryptographic primitives can exist even if one-way functions do not exist. We therefore have the following important open problem in quantum cryptography: What is the most fundamental element in quantum cryptography? In this direction, Brakerski, Canetti, and Qian recently defined a notion called EFI pairs, which are pairs of efficiently generatable states that are statistically distinguishable but computationally indistinguishable, and showed its equivalence with some cryptographic primitives including commitments, oblivious transfer, and general multi-party computations. However, their work focuses on decision-type primitives and does not cover search-type primitives like quantum money and digital signatures. In this paper, we study properties of one-way state generators (OWSGs), which are a quantum analogue of one-way functions. We first revisit the definition of OWSGs and generalize it by allowing mixed output states. Then we show the following results. (1) We define a weaker version of OWSGs, weak OWSGs, and show that they are equivalent to OWSGs. (2) Quantum digital signatures are equivalent to OWSGs. (3) Private-key quantum money schemes (with pure money states) imply OWSGs. (4) Quantum pseudo one-time pad schemes imply both OWSGs and EFI pairs. (5) We introduce an incomparable variant of OWSGs, which we call secretly-verifiable and statistically-invertible OWSGs, and show that they are equivalent to EFI pairs.

Quantum Physics,Cryptography and Security