Cryptology ePrint Archive
Not a member yet
    24907 research outputs found

    A Note on P \neq NP

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    No full text
    The question of whether the complexity class P equals NP is a major unsolved problem in theoretical computer science. The key to proving that P \neq NP is to show that there is no efficient (polynomial time) algorithm for a language in NP. For a language in NP, it is impossible to prove that it is not in P, because we can only claim that no better algorithm has been found so far, and there is no way to guarantee (or prove) that a more efficient algorithm does not exist. It is impossible to prove P \neq NP rigorously, as any problem with size nn and solution space 2n2^n has certain structures and properties, and there is no way to prove that more efficient algorithms that take advantage of these structures or properties do not exist. In all attempts to prove P \neq NP, all we can do is try to provide the best clues or evidence for P \neq NP. In this paper, we introduce a new language, the Add/XNOR problem, which has the simplest structure and perfect randomness, by extending the subset sum problem. We conjecture that the square-root time complexity is required to solve the Add/XNOR problem, making it surpass the subset sum problem as the latter has algorithms that break the square-root complexity bound, a better evidence for P \neq NP. Furthermore, by giving up commutative and associative properties, we design a magma equipped with a permutation and successfully achieve Conjecture 2, which is the first problem with exponential complexity that is believed to require an exhaustive search to solve, by far the strongest evidence for P \neq NP

    BitGC: Garbled Circuits with 1 Bit per Gate

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    We present BitGC, a garbling scheme for Boolean circuits with 1 bit per gate communication based on either ring learning with errors (RLWE) or NTRU assumption, with key-dependent message security. The garbling consists of 1) a homomorphically encrypted seed that can be expanded to encryption of many pseudo-random bits and 2) one-bit stitching information per gate to reconstruct garbled tables from the expanded ciphertexts. By using low-complexity PRGs, both the garbling and evaluation of each gate require only O(1) homomorphic addition/multiplication operations without bootstrapping

    Worst-Case Lattice Sampler with Truncated Gadgets and Applications

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    Gadget-based samplers have proven to be a key component of several cryptographic primitives, in particular in the area of privacy-preserving mechanisms. Most constructions today follow the approach introduced by Micciancio and Peikert (MP) yielding preimages whose dimension linearly grows with that of the gadget. To improve performance, some papers have proposed to truncate the gadget but at the cost of an important feature of the MP sampler, namely the ability to invert arbitrary syndromes. Technically speaking, they replace the worst-case MP sampler by an average-case sampler that can only be used in specific contexts. Far from being a mere theoretical restriction, it prevents the main applications of gadget-based samplers from using truncated variants and thus from benefiting from the associated performance gains. In this paper, we solve this problem by describing a worst-case sampler that still works with truncated gadgets. Its main strength is that it retains the main characteristics of the MP sampler while providing flexibility in the choice of the truncation parameter. As a consequence, it can be used as a plug-in replacement for all applications relying on the MP sampler so far, leading to performance improvements up to 30% as illustrated by several examples in this paper. Our sampler is supported by a thorough security analysis that addresses the hurdles met by previous works and its practicality is demonstrated by a concrete implementation

    Distributed Differentially Private Data Analytics via Secure Sketching

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    We introduce the linear-transformation model, a distributed model of differentially private data analysis. Clients have access to a trusted platform capable of applying a public matrix to their inputs. Such computations can be securely distributed across multiple servers using simple and efficient secure multiparty computation techniques. The linear-transformation model serves as an intermediate model between the highly expressive central model and the minimal local model. In the central model, clients have access to a trusted platform capable of applying any function to their inputs. However, this expressiveness comes at a cost, as it is often prohibitively expensive to distribute such computations, leading to the central model typically being implemented by a single trusted server. In contrast, the local model assumes no trusted platform, which forces clients to add significant noise to their data. The linear-transformation model avoids the single point of failure for privacy present in the central model, while also mitigating the high noise required in the local model. We demonstrate that linear transformations are very useful for differential privacy, allowing for the computation of linear sketches of input data. These sketches largely preserve utility for tasks such as private low-rank approximation and private ridge regression, while introducing only minimal error, critically independent of the number of clients

    Key Guidance Invocation: A White-box Mode Enables Strong Space Hardness under Adaptively Chosen-Space Attacks

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    The notion of space hardness serves as a quantitative measure to characterize the resilience of dedicated white-box schemes against code-lifting attacks, making it a widely utilized metric in the field. However, achieving strong space hardness (SSH) under the adaptively chosen-space attack model (ACSAM) remains an unresolved challenge, as no existing white-box scheme has given SSH guarantees under ACSAM. \par To address the problem, we introduce a novel mode of operation tailored for white-box cryptography, termed the Key Guidance Invocation (KGI) mode. Our security analysis reveals that the KGI mode not only significantly strengthens the resistance to adaptively chosen-space attacks, but also ensures SSH under ACSAM. Moreover, we propose a dedicated white-box construction, RubikStone-(nn,ninn_{in},RR,ss), which directly leverages the concept of the lookup table pool. RubikStone offers enhanced flexibility in lookup table utilization compared to existing white-box constructions and is particularly well-suited to the KGI mode. \par Additionally, we instantiate RubikStone-(256,8,12,2162^{16}) with the KGI mode, resulting in RSKGI\mathsf{RS_{KGI}}-256, which delivers (T/4,127.99)(T/4,127.99)-SSH security guarantees under ACSAM. Remarkably, RSKGI\mathsf{RS_{KGI}}-256 also shows superior performance, surpassing the efficiency of white-box AES based on the CEJO framework by 27.1%27.1\% in real-world settings. Besides, we conduct a comprehensive statistical analysis of the operations in all existing white-box ciphers. Our findings indicate that RSKGI\mathsf{RS_{KGI}}-256 remains highly competitive in computational efficiency despite offering unprecedented security

    Deletions and Dishonesty: Probabilistic Data Structures in Adversarial Settings

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    Probabilistic data structures (PDS) are compact representations of high-volume data that provide approximate answers to queries about the data. They are commonplace in today\u27s computing systems, finding use in databases, networking and more. While PDS are designed to perform well under benign inputs, they are frequently used in applications where inputs may be adversarially chosen. This may lead to a violation of their expected behaviour, for example an increase in false positive rate. In this work, we focus on PDS that handle approximate membership queries (AMQ). We consider adversarial users with the capability of making adaptive insertions, deletions and membership queries to AMQ-PDS, and analyse the performance of AMQ-PDS under such adversarial inputs. We argue that deletions significantly empower adversaries, presenting a challenge to enforcing honest behaviour when compared to insertion-only AMQ-PDS. To address this, we introduce a new concept of an honest setting for AMQ-PDS with deletions. By leveraging simulation-based security definitions, we then quantify how much harm can be caused by adversarial users to the functionality of AMQ-PDS. Our resulting bounds only require calculating the maximal false positive probability and insertion failure probability achievable in our novel honest setting. We apply our results to Cuckoo filters and Counting filters. We show how to protect these AMQ-PDS at low cost, by replacing or composing the hash functions with keyed pseudorandom functions in their construction. This strategy involves establishing practical bounds for the probabilities mentioned above. Using our new techniques, we demonstrate that achieving security against adversarial users making both insertions and deletions remains practical

    Envelope Encryption in the Symmetric-Key Setting: A Formalization and Generic Constructions

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    Envelope encryption is a method to encrypt data with two distinct keys in its basic form. Data is first encrypted with a data-encryption key, and then the data-encryption key is encrypted with a key-encryption key. Despite its deployment in major cloud services, as far as we know, envelope encryption has not received any formal treatment. To address this issue, we first formalize the syntax and security requirements of envelope encryption in the symmetric-key setting. Then, we show that it can be constructed by combining encryptment and authenticated encryption with associated data (AEAD). Encryptment is one-time AEAD satisfying that a small part of a ciphertext works as a commitment to the corresponding secret key, message, and associated data. Finally, we show that the security of the generic construction is reduced to the security of the underlying encryptment and AEAD

    Towards Reliable Broadcast with Optimal Communication and Round Complexity

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    The reliable broadcast protocol with the best communication complexity for long messages to date is the MiniCast protocol of Locher & Shoup (2024). To reliably broadcast a message m to n parties, MiniCast has communication complexity ~ 1.5|m|n when the size |m| of m is large. However, the round complexity of MiniCast is 4, which is worse than the 3 rounds of the classical protocol of Bracha. We give a new reliable broadcast protocol whose communication complexity is essentially the same as that of MiniCast, but whose round complexity is just 3. For large |m|, the communication complexity of our new protocol is essentially optimal (for 3-round protocols with sufficiently well-balanced communication). Like MiniCast, our new protocol does not rely on any cryptography other than hash functions. We also give two new 2-round protocols that rely on signatures. The communication complexity of the first protocol is also ~ 1.5|m| n, unless the sender provably misbehaves, in which case its communication complexity may degrade to at most ~ 2|m|n. The communication complexity of the second protocol is ~ 1.5|m|n, even in the worst case, but (unlike our other protocols) the communication is unbalanced

    Cryptography from Lossy Reductions: Towards OWFs from ETH, and Beyond

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    One-way functions (OWFs) form the foundation of modern cryptography, yet their unconditional existence remains a major open question. In this work, we study this question by exploring its relation to lossy reductions, i.e., reductions RR for which it holds that I(X;R(X))nI(X;R(X)) \ll n for all distributions XX over inputs of size nn. Our main result is that either OWFs exist or any lossy reduction for any promise problem Π\Pi runs in time 2Ω(logτΠ/loglogn)2^{\Omega(\log\tau_\Pi / \log\log n)}, where τΠ(n)\tau_\Pi(n) is the infimum of the runtime of all (worst-case) solvers of Π\Pi on instances of size nn. More precisely, by having a reduction with a better runtime, for an arbitrary promise problem Π\Pi, and by using a non-uniform advice, we construct (a family of) OWFs. In fact, our result requires a milder condition, that RR is lossy for sparse uniform distributions (which we call mild-lossiness). It also extends to ff-reductions as long as ff is a non-constant permutation-invariant Boolean function, which includes And-, Or-, Maj-, Parity-\text{And-, Or-, Maj-, Parity-}, Modk\text{Mod}_k-, and Thresholdk\text{Threshold}_k-reductions. Additionally, we show that worst-case to average-case Karp reductions and randomized encodings are special cases of mild-lossy reductions and improve the runtime above as 2Ω(logτΠ)2^{\Omega(\log \tau_\Pi)} when these mappings are considered. Restricting to weak fine-grained OWFs, this runtime can be further improved as Ω(τΠ)\Omega(\tau_\Pi). Intuitively, the latter asserts that if weak fine-grained OWFs do not exist then any instance randomization of any Π\Pi has the same runtime (up to a constant factor) as the best worst-case solver of Π\Pi. Taking Π\Pi as kSatk\text{Sat}, our results provide sufficient conditions under which (fine-grained) OWFs exist assuming the Exponential Time Hypothesis (ETH). Conversely, if (fine-grained) OWFs do not exist, we obtain impossibilities on instance compressions (Harnik and Naor, FOCS 2006) and instance randomizations of kSatk\text{Sat} under the ETH. Moreover, the analysis can be adapted to studying such properties of any NP\text{NP}-complete problem. Finally, we partially extend these findings to the quantum setting; the existence of a pure quantum mildly-lossy reduction for Π\Pi within the runtime 2o(logτΠ/loglogn)2^{o(\log\tau_\Pi / \log\log n)} implies the existence of one-way state generators, where τΠ\tau_\Pi is defined with respect to quantum solvers

    Finding the Inverse of some Shift Invariant Transformations

    Author
    Publication venue
    International Association for Cryptologic Research (IACR)
    Publication date
    Field of study
    Full text link
    We study the problem of how to find the inverse of shift invariant (SI) transformations proposed in Daemen\u27s thesis. In particular, two of them have been used in practice: yi=xixi+1xi+2y_i=x_i\oplus \overline{x_{i+1}}x_{i+2} and yi=xixi+1xi+2xi+3y_i=x_i\oplus \overline{x_{i+1}}x_{i+2}x_{i+3}. The first one is the well-known χ\chi transformation used in \textsf{SHA-3}, \textsf{Subterranean 2.0} and \textsf{Rasta}, while the second one is used in a recently proposed ZK-friendly hash function called Monolith. While the concrete formula of the inverse of χ\chi of arbitrary size has been given and proved by Liu et al. at JoC 2022, it remains unknown how to deduce such a formula and how to systematically study other SI transformations. In this work, we aim to provide a general method and flow to find the inverse of SI transformations, though it is still limited to some specific types and it may not work for all such transformations. However, such a general method does shed new insight on how to find their inverse, as we can apply this method to several different SI transformations, including the one used in Monolith. We expect that this method can be further generalized and applied to more SI transformations

    23,634

    full texts

    24,907

    metadata records
    Updated in last 30 days.
    Cryptology ePrint Archive
    Access Repository Dashboard
    Do you manage Open Research Online? Become a CORE Member to access insider analytics, issue reports and manage access to outputs from your repository in the CORE Repository Dashboard! 👇