Advances in cryptology – CRYPTO 2016 part III


LNCS 9816

Matthew Robshaw, Jonathan Katz (Eds.)

Advances in Cryptology – CRYPTO 2016
36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016
Proceedings, Part III

Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison – Lancaster University, Lancaster, UK
Takeo Kanade – Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler – University of Surrey, Guildford, UK
Jon M. Kleinberg – Cornell University, Ithaca, NY, USA
Friedemann Mattern – ETH Zurich, Zürich, Switzerland
John C. Mitchell – Stanford University, Stanford, CA, USA
Moni Naor – Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan – Indian Institute of Technology, Madras, India
Bernhard Steffen – TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos – University of California, Los Angeles, CA, USA
Doug Tygar – University of California, Berkeley, CA, USA
Gerhard Weikum – Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410

Editors
Matthew Robshaw – Impinj, Inc., Seattle, WA, USA
Jonathan Katz – University of Maryland, College Park, MD, USA

ISSN 0302-9743, ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-662-53014-6, ISBN 978-3-662-53015-3 (eBook)
DOI 10.1007/978-3-662-53015-3
Library of Congress Control Number: 2016945783
LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper.
This Springer imprint is published by Springer Nature. The registered company is Springer-Verlag GmbH Berlin Heidelberg.

Preface

The 36th International Cryptology Conference (Crypto 2016) was held at UCSB, Santa Barbara, CA, USA, during August 14–18, 2016. The workshop was sponsored by the International Association for Cryptologic Research.

Crypto continues to grow. This year the Program Committee evaluated a record 274 submissions, out of which 70 were chosen for inclusion in the program. Each paper was reviewed by at least three independent reviewers, with papers from Program Committee members receiving at least five reviews. Reviewers with potential conflicts of interest for specific papers were excluded from all discussions about those papers, and this policy was extended to the program chairs as well. The 44 members of the Program Committee were aided in this complex and time-consuming task by many external reviewers. We would like to thank them all for their service, their expert opinions, and their spirited contributions to the review process.

It was a tremendously difficult task to choose the program for this conference, as the quality of the submissions was very high. It was even harder to identify a single best paper, but our congratulations go to Elette Boyle, Niv Gilboa, and Yuval Ishai from IDC Herzliya, Ben Gurion University, and the Technion, respectively, whose paper "Breaking the Circuit Size Barrier for Secure Computation Under DDH" was awarded Best Paper. Our congratulations also go to Mark Zhandry of MIT and Princeton University, who won the award for the Best Student Paper "The Magic of ELFs."

The invited speakers at Crypto 2016 were Brian Sniffen, Chief Security Architect at Akamai Technologies, Inc., and Paul Kocher, founder of Cryptography Research. Brian's presentation cast a fascinating light on the issues of real-world cryptographic deployment, while Paul's presentation, a joint invitation from the program co-chairs of both Crypto 2016 and CHES 2016, marked 20 years since his publication of the first paper on side-channel attacks at Crypto 1996.

We are, of course, indebted to Brian LaMacchia, the general chair, as well as the local Organizing Committee, who together proved ideal liaisons for establishing the layout of the program and for supporting the speakers. Our job as program co-chairs was made much easier by the excellent tools developed by Shai Halevi; both Shai and Brian were always available at short notice to answer our queries. Finally, we would like to thank all the authors who submitted their work to Crypto 2016. Without you the conference would not exist.

August 2016
Matthew Robshaw
Jonathan Katz

Crypto 2016
The 36th IACR International Cryptology Conference
University of California, Santa Barbara, CA, USA, August 14–18, 2016
Sponsored by the International Association for Cryptologic Research

General Chair
Brian LaMacchia – Microsoft

Program Chairs
Matthew Robshaw – Impinj, USA
Jonathan Katz – University of Maryland, USA

Program Committee
Alex Biryukov – University of Luxembourg, Luxembourg
Anne Canteaut – Inria, France
Dario Catalano – Università di Catania, Italy
Nishanth Chandran – Microsoft Research, India
Melissa Chase – Microsoft Research, USA
Joan Daemen – STMicroelectronics, Belgium and Radboud University, The Netherlands
Martin Van Dijk – University of Connecticut, USA
Itai Dinur – Ben-Gurion University, Israel
Pierre-Alain Fouque – Université Rennes 1, France
Steven Galbraith – Auckland University, New Zealand
Sanjam Garg – University of California, Berkeley, USA
S. Dov Gordon – George Mason University, USA
Jens Groth – University College London, UK
Sorina Ionica – Université de Picardie, France
Tetsu Iwata – Nagoya University, Japan
Aggelos Kiayias – National and Kapodistrian University of Athens, Greece
Gregor Leander – Ruhr Universität Bochum, Germany
Shengli Liu – Shanghai Jiao Tong University, China
Alexander May – Ruhr Universität Bochum, Germany
Willi Meier – FHNW, Switzerland
Payman Mohassel – Visa Research, USA
Elke De Mulder – Cryptographic Research, France
Steven Myers – Indiana University, USA
Phong Nguyen – Inria, France and CNRS/JFLI and University of Tokyo, Japan
Kaisa Nyberg – Aalto University, Finland
Kenny Paterson – Royal Holloway University of London, UK
Thomas Peyrin – Nanyang Technological University, Singapore
Benny Pinkas – Bar-Ilan University, Israel
David Pointcheval – École Normale Supérieure, France
Manoj Prabhakaran – University of Illinois, USA
Bart Preneel – KU Leuven, Belgium
Mariana Raykova – Yale University, USA
Christian Rechberger – TU-Graz, Austria and DTU, Denmark
Mike Rosulek – Oregon State University, USA
Rei Safavi-Naini – University of Calgary, Canada
Alessandra Scafuro – Boston University and Northeastern University, USA
Patrick Schaumont – Virginia Tech, USA
Dominique Schröder – Saarland University, Germany
Jae Hong Seo – Myongji University, Korea
Yannick Seurin – ANSSI, France
Abhi Shelat – University of Virginia, USA
Nigel Smart – University of Bristol, UK
Ron Steinfeld – Monash University, Australia
Mehdi Tibouchi – NTT Secure Platform Laboratories, Japan

Additional Reviewers
Michel Abdalla, Masayuki Abe, Arash Afshar, Shashank Agrawal, Shweta Agrawal, Ayo Akinyele, Martin Albrecht, Gergely Alpar, Jacob Alperin-Sheriff, Elena Andreeva, Daniel Apon, Gilad Asharov, Gilles Van Assche, Nuttapong Attrapadung, Saikrishna Badrinarayanan, Josep Balasch, Foteini Baldimtsi, Paulo Barreto, Gilles Barthe, Lejla Batina, Christof Beierle, Mihir Bellare, Fabrice Benhamouda, Sanjay Bhattacherjee, Jean-Francois Biasse, Begul Bilgin, Gaetan Bisson, Nir Bitansky, Simon Blackburn, Olivier Blazy, Matthieu Bloch, Céline Blondeau, Andrej Bogdanov, Dan Boneh, Jonathan Bootle, Raphael Bost, Christina Boura, Florian Bourse, Cyril Bouvier, Elette Boyle, Zvika Brakerski, Luís Brandão, Anne Broadbent, Christina Brzuska, Christian Cachin, Ran Canetti, Angelo De Caro, Guilhem Castagnos, Andrea Cerulli, Pyrros Chaidos, André Chailloux, Jie Chen, Céline Chevalier, Chongwon Cho, Seung Geol Choi, Ashish Choudhury, Sherman Chow, Kai-Min Chung, Michele Ciampi, Michael Clear, Ran Cohen, Geoffroy Couteau, Dana Dachman-Soled, Deepesh Data, Jean Paul Degabriele, David Derler, Daniel Dinu, Christoph Dobraunig, Yevgeniy Dodis, Nico Döttling, Natnatee Dokmai, Leo Ducas, Tuyet Duong, Keita Emura, Frederic Ezerman, Pooya Farshim, Sebastian Faust, Dario Fiore, Marc Fischlin, Joe Fitzsimons, Nils Fleischhacker, Emmanuel Fouotsa, Georg Fuchsbauer, Eiichiro Fujisaki, Martin Gagne, François Le Gall, Chaya Ganesh, Juan Garay, Christina Garman, Romain Gay, Essam Ghadafi, Benedikt Gierlichs, Niv Gilboa, Vipul Goyal, Frédéric Grosshans, Aurore Guillevic, Divya Gupta, Felix Günther, Shai Halevi, Mike Hamburg, Shuai Han, Helena Handschuh, Christian Hanser, Carmit Hazay, Ethan Heilman, Ryan Henry, Gottfried Herold, Felix Heuer, Viet Tung Hoang, Dennis Hofheinz, Ziyuan Hu, Yan Huang, Michael Hutter, Malika Izabachene, Håkon Jacobsen, Mahavir Jhawar, Dingding Jia, Keting Jia, Thomas Johansson, Aaron Johnson, Kimmo Järvinen, Yael Tauman Kalai, Bhavana Kanukurthi, Petteri Kaski, Marcel Keller, Nathan Keller, Carmen Kempka, Iordanis Kerenidis, Dmitry Khovratovich, Dakshita Khurana, Eike Kiltz, Jinsu Kim, Taechan Kim, Paul Kirchner, Elena Kirshanova, Susumu Kiyoshima, Simon Knellwolf, Stefan Koelbl, Vlad Kolesnikov, Takeshi Koshiba, Luke Kowalczyk, Thorsten Kranz, Daniel Kraschewski, Anna Krasnova, Hugo Krawczyk, Fernando Krell, Stephan Krenn, Ranjit Kumaresan, Alptekin Kupcu, Fabien Laguillaumie, Virginie Lallemand, Enrique Larraia, Changmin Lee, Hyung Tae Lee, Kwangsu Lee, Nikos Leonardos, Tancrède Lepoint, Anthony Leverrier, Benoit Libert, Fuchun Lin, Rachel Lin, Yehuda Lindell, Feng-Hao Liu, Yi-Kai Liu, Patrick Longa, Steve Lu, Stefan Lucks, Atul Luykx, Anna Lysyanskaya, Lin Lyu, Vadim Lyubashevsky, Mohammad Mahmoody, Hemanta Maji, Giulio Malavolta, Tal Malkin, Alex Malozemoff, Mark Marson, Daniel Masny, Takahiro Matsuda, Florian Mendel, Bart Mennink, Thyla van der Merwe, Peihan Miao, Christof Michel, Ian Miers, Andrew Miller, Brice Minaud, Kazuhiko Minematsu, Ilya Mironov, Ameer Mohammad, Amir Moradi, Tal Moran, Nicky Mouha, Pratyay Mukherjee, Jörn Müller-Quade, Valérie Nachef, Michael Naehrig, Maria Naya-Plasencia, Soheil Nemati, Khoa Nguyen, Ivica Nikolic, Ventzi Nikov, Ryo Nishimaki, Anca Nitulescu, Adam O'Neill, Miyako Ohkubo, Go Ohtake, Tatsuaki Okamoto, Ozgur Oksuz, Cristina Onete, Claudio Orlandi, Elisabeth Oswald, Léo Paul Perrin, Jiaxin Pan, Giorgos Panagiotakos, Omkant Pandey, Kostas Pappagiannopoulos, Anat Paskin-Cherniavsky, Rafael Pass, Valerio Pastro, Arpita Patra, Souradyuti Paul, Christopher Peikert, Rene Peralta, Trevor Perrin, Giuseppe Persiano, Christophe Petit, Rafael Del Pino, Oxana Poburinnaya, Antigoni Polychroniadou, Orazio Puglisi, Baodong Qin, Max Rabkin, Carla Rafols, Srinivasan Raghuraman, Vanishree Rao, Manuel Reinert, Oscar Reparaz, Silas Richelson, Thomas Ristenpart, Damien Robert, Alon Rosen, Adeline Roux-Langlois, Arnab Roy, Tim Ruffing, Hansol Ryu, Sondre Rønjom, Akshayaram Srinivasan, Amin Sakzad, Katerina Samari, Ruediger Schack, Christian Schaffner, John Schanck, Thomas Schneider, Peter Scholl, Peter Schwabe, Sven Schäge, Adam Sealfon, Setareh Sharifian, Tom Shrimpton, Sandeep Shukla, Siang Meng Sim, Luisa Siniscalchi, Daniel Slamanig, Yongsoo Song, Kannan Srinathan, Akshayaram Srinivasan, Douglas Stebila, Damien Stehlé, John Steinberger, Marc Stevens, Valentin Suder, Willy Susilo, Björn Tackmann, Katsuyuki Takashima, Qiang Tang, Stefano Tessaro, Aishwarya Thiruvengadam, Jean-Pierre Tillich, Yosuke Todo, Yiannis Tselekounis, Michael Tunstall, Himanshu Tyagi, Aleksei Udovenko, Jon Ullman, Dominique Unruh, Prashant Vasudevan, Vesselin Velichkov, Muthu Venkitasubramaniam, Frederik Vercauteren, Damien Vergnaud, Jorge Villar, Dhinakaran Vinayagamurthy, Ivan Visconti, Michael Walter, Pengwei Wang, Qingju Wang, Xiao Wang, Hoeteck Wee, Mor Weiss, Yunhua Wen, Carolyn Whitnall, Daniel Wichs, Xiaodi Wu, Keita Xagawa, Sophia Yakoubov, Shota Yamada, Kan Yasuda, Arkady Yerukhimovich, Ouyang Yingkai, Thomas Zacharias, Mark Zhandry, Bingsheng Zhang, Liang Feng Zhang, Xiao Zhang, Yupeng Zhang, Hong-Sheng Zhou, Vassilis Zikas, Dionysis Zindros

Two-Message, Oblivious Evaluation of Cryptographic Functionalities (N. Döttling et al.)

Remark. We remark several points. First, if a simulator Sim is non-trivial by construction, we can omit the second oracle of the distinguisher. Basically, the only property we need to ensure non-triviality is that if the simulator gets messages from an honest receiver, then this composed system
actually implements the random function H. Formally, this requirement can be written as ⟨Sim^H, R(·)⟩ ≡ H(·), i.e., if an honest receiver interacts with a simulator Sim with access to H, then this protocol implements H. If this is guaranteed, then the oracles ⟨S(k), ·⟩ and Sim^H(·) are sufficient: given such an oracle OA (which is either of the two), the distinguisher D can simulate the honest oracle by ⟨OA, R(·)⟩.

In our construction the simulator Sim will be canonical: it extracts the first message, sends the extracted input to the random function H, and uses the output to simulate the sender's message. This simulator is non-trivial by construction, and thus giving the distinguisher access to a single oracle will be sufficient. Moreover, while Definition 10 allows the simulator Sim to depend on the distinguisher D, our canonical simulator will be universal in the sense that it works for any PPT distinguisher D.

Pseudorandom Functions with Oblivious Black-Box Reductions

To apply the technique developed in Sect. 3, we require a pseudorandom function with an oblivious black-box reduction. Most constructions of PRFs in the literature do not possess such a reduction. In particular, most reductions need to program the distinguisher's oracle adaptively, depending on prior oracle inputs of the distinguisher. For example, the security reduction of the construction of Goldreich, Goldwasser and Micali [25], which reduces the security of the PRF to that of the underlying pseudorandom generator, is based on a hybrid argument and needs to keep a list of the distinguisher's distinct oracle queries to be able to answer oracle queries consistently. This, however, contradicts our notion of obliviousness. Fortunately, there are constructions of pseudorandom functions with oblivious black-box reductions to their underlying hard problems. One example of such a PRF is the Naor-Reingold PRF [49]. While the security reduction provided in [49] is not oblivious, there is a simple way of converting this reduction into an oblivious black-box reduction using q-wise independent functions (Appendix A). More generally, there is a recent line of work that aims at constructing large-domain pseudorandom functions from small-domain pseudorandom functions via oblivious black-box reductions [8,14]. The baseline of these results is that large-domain PRFs can be constructed by combining several small-domain (i.e., poly-sized domain) PRFs in a suitable way. The pseudorandomness of large-domain PRFs is established by replacing one of the small-domain PRFs (depending on the query bound of the adversary) with a random function in a single shot. Since the small-domain PRF has a domain of just polynomial size, the reduction can (non-adaptively) query its oracle on all inputs and retrieve the entire function table. Thus, there is no need to adaptively program the distinguisher's oracle based on previous queries.

In order to use the framework we developed in Sect. 3, it will be convenient to use an alternative definition of pseudorandom functions. In Definition 9, the distinguisher's goal is to distinguish the PRF from a truly random function. However, if we do not know any bound on the distinguisher's number of queries in advance, the only (known) way to simulate a random function is by evaluating the random function lazily: every time the distinguisher queries the random function on a new input, the simulation samples a random image and adds it into a table of input and output values. If a certain input has been queried before, its image is retrieved from the table. However, such a simulation is necessarily stateful. To overcome this, we use an equivalent definition of pseudorandom functions which takes into account that every PPT distinguisher has a polynomial upper bound on the number of its oracle queries. Once such a bound q is known, we can simulate a random function statelessly with an efficient q-wise independent function.

Definition 11 (q-Wise Independent Function). Let F be an efficiently computable two-argument function that takes a seed s and an input x. We say that F is a q-wise independent function if it holds for all pairwise distinct x_1, …, x_q that F(s, x_1), …, F(s, x_q) are distributed independently and uniformly at random over the choice of the seed s.

There are various constructions of efficient q-wise independent functions, such as the classical construction of Wegman and Carter [57], which is based on random degree-q polynomials in large finite fields.

Definition 12 (Pseudorandom Functions, Equivalent Definition). An efficiently computable two-argument function PRF is called a pseudorandom function if there exists a family {F_q}_q of functions, where F_q is q-wise independent, such that the following holds. For every q = poly(λ) and every PPT distinguisher D that queries its oracle at most q times it holds that

\[
\mathrm{Adv}(D) = \left|\Pr\big[D^{\mathrm{PRF}(k,\cdot)} = 1\big] - \Pr\big[D^{F_q(s,\cdot)} = 1\big]\right| \le \mathrm{negl}(\lambda),
\]

where k is a randomly chosen key for PRF and s is a randomly chosen seed for F_q.

Theorem [8,14,49]. Under various standard hardness assumptions (pseudorandom generators, DDH, LWE) there exist pseudorandom functions with oblivious black-box reductions to their underlying hardness assumption.

Construction

The construction is expectably simple. We combine our general construction with a pseudorandom function that possesses an oblivious black-box reduction to some hard problem π, as provided by the preceding theorem. For this instantiation, we need to instantiate the construction with a maliciously circuit-private fully homomorphic encryption scheme (such as provided by Theorem 2), as there is no a priori upper bound on the size of the circuits that implement q-wise independent functions. For convenience, we write down the protocol as follows. Let PRF be a pseudorandom function and HE be a fully homomorphic encryption scheme. The OPRF protocol Π_OPRF is given as follows.

Protocol Π_OPRF
  Setup S_0(1^λ): choose a random key k for PRF.
  Query R_1(x): (ek, sk) ← Kg(1^λ); c ← Enc(ek, x); send (ek, c) to S.
  S(k, (ek, c)): c′ ← Eval(ek, PRF(k, ·), c); send c′ to R.
  R_2(c′): y ← Dec(sk, c′); output y.

We can now prove the main theorem of this section.

Theorem. Let HE be an IND-CPA secure maliciously circuit-private fully homomorphic encryption scheme with perfect completeness (as provided by Theorem 2) and PRF be a pseudorandom function with an oblivious black-box reduction to a hard problem π. Then the protocol Π_OPRF is an OPRF protocol with security against semi-honest senders and malicious receivers.

Proof. We begin with the proof of security against malicious receivers, defining the universal simulator Sim. Let Ext_HE and Sim_HE be the extractor and simulator for the statistical circuit privacy of HE. Simulator Sim is given as follows.

  Simulator Sim^H(ek, c) (has oracle access to a function H):
    x ← Ext_HE(ek, c); y ← H(x); c′ ← Sim_HE(ek, y, c); return c′.

Now, let D be a PPT distinguisher that makes at most q = poly(λ) oracle queries and has non-negligible advantage against the malicious receiver security experiment of Π_OPRF, i.e., the quantity

\[
\left|\Pr\big[D^{\langle S(k),\cdot\rangle,\,\langle S(k),R(\cdot)\rangle} = 1\big] - \Pr\big[D^{\mathrm{Sim}^{H}(\cdot),\,H(\cdot)} = 1\big]\right|
\]

is non-negligible. First of all, notice that since D makes at most q queries to its oracles, we can efficiently (and statelessly) simulate the random function H by an efficiently computable q-wise independent function F_q, i.e., the same lower bound holds for

\[
\left|\Pr\big[D^{\langle S(k),\cdot\rangle,\,\langle S(k),R(\cdot)\rangle} = 1\big] - \Pr\big[D^{\mathrm{Sim}^{F_q(s,\cdot)}(\cdot),\,F_q(s,\cdot)} = 1\big]\right|.
\]

Our proof strategy will now be as follows. We will use D to construct a distinguisher D′ against the induced security experiment for PRF under the homomorphic encryption HE (cf. Definition 5) whose advantage is smaller than that of D by at most negl(λ). Recall that the pseudorandom function PRF possesses an oblivious black-box reduction B to some hard problem π. Thus, the corresponding theorem yields an efficient reduction B′ such that B′^{D′} has non-negligible advantage against π, contradicting its hardness. We will now consider the induced security experiment for PRF. Therefore, we
will first define a sender algorithm S′. Basically, S′ homomorphically evaluates the q-wise independent function F_q.

  S′(s, (ek, c)): c′ ← Eval(ek, F_q(s, ·), c); return c′.

Thus, while S homomorphically evaluates the pseudorandom function PRF, S′ homomorphically evaluates the q-wise independent function F_q. Thus, the induced security experiment of the experiment given in Definition 12 asks to distinguish the oracles ⟨S(k), ·⟩ and ⟨S′(s), ·⟩. We will now construct a distinguisher D′ against the induced security experiment of PRF using the distinguisher D. D′ is given as follows.

  Distinguisher D′(1^λ) (has access to oracle OA_1):
    out ← D^{OA_1(·), OA_2(·)}(1^λ); return out.
  Oracle OA_2(x):
    y ← ⟨OA_1, R(x)⟩; return y.

We claim that

\[
\left|\Pr\big[D'^{\langle S(k),\cdot\rangle} = 1\big] - \Pr\big[D'^{\langle S'(s),\cdot\rangle} = 1\big]\right| \ \text{is at least the advantage of } D \text{ minus } \mathrm{negl}(\lambda), \tag{1}
\]

i.e., D′ has non-negligible advantage against the induced security experiment of PRF. We claim that if OA_1 = ⟨S(k), ·⟩, then the output of $D'^{\langle S(k),\cdot\rangle}(1^\lambda)$ is identically distributed to the output of $D^{\langle S(k),\cdot\rangle,\,\langle S(k),R(\cdot)\rangle}(1^\lambda)$. To see this, note that the oracle OA_2 implemented by D′ is precisely ⟨S(k), R(·)⟩ in this case. On the other hand, if OA_1 = ⟨S′(s), ·⟩, then we claim that the output of $D'^{\langle S'(s),\cdot\rangle}$ is distributed statistically close to the output of $D^{\mathrm{Sim}^{F_q}(\cdot),\,F_q(\cdot)}(1^\lambda)$. To see this, note first that in this case the oracle OA_2 provided by D′ to D can be expressed as follows.

  OA_2(x):
    (ek, sk) ← Kg(1^λ); c ← Enc(ek, x); c′ ← Eval(ek, F_q(s, ·), c); y ← Dec(sk, c′); return y.

It follows immediately from the perfect completeness of HE that OA_2 implements exactly F_q(s, ·). It remains to show that the oracles ⟨S′(s), ·⟩ and Sim^{F_q}(·) are statistically close. However, as S′(s) homomorphically evaluates F_q, it follows from the malicious circuit privacy of HE that both oracles produce distributions that are statistically close, even given F_q. Thus, we can use a standard q-step hybrid argument over the queries of D to establish that $D'^{\langle S'(s),\cdot\rangle}$ and $D^{\mathrm{Sim}^{F_q}(\cdot),\,F_q(\cdot)}(1^\lambda)$ are statistically close. Thus, (1) follows and we can apply that theorem to arrive at a contradiction. Security against semi-honest senders follows directly from Theorem 4, which concludes the proof.

Impossibility of Malicious Sender Security

In this section, we show that malicious receiver security (w.r.t. our notion of induced game-based security) and malicious sender security cannot be achieved simultaneously. Our impossibility result is constructive in the sense that we show that our framework covers the standard security notion of blind signatures. However, Fischlin and Schröder showed that a large class of three-move blind signature schemes cannot be proven secure under standard assumptions [16]. Since our framework falls into this class, the impossibility result follows.

Blind Signatures

Blind signatures [11] implement a carbon copy envelope allowing a signer to issue signatures for messages such that the signer's signature on the envelope is imprinted onto the message in the sealed envelope. In particular, the signer remains oblivious about the message (blindness), but at the same time no additional signatures can be created without the help of the signer (unforgeability). Constructing round-optimal blind signature schemes in the standard model has been a long-standing open question. Fischlin and Schröder showed that all previously known schemes having at most three rounds of communication cannot be proven secure under non-interactive assumptions in the standard model via black-box reductions [16]. Subsequently, several works used a technique called "complexity leveraging" to circumvent this impossibility result [19,20], and recently Fuchsbauer, Hanser and Slamanig suggested a round-optimal blind signature scheme that is secure in the generic group model [18]. In fact, it is still unknown whether round-optimal blind signatures based on standard assumptions exist in the standard model. By applying our technique to the oblivious computation of signatures, we obtain a round-optimal blind signature scheme without complexity leveraging and whose security can be based on standard cryptographic assumptions. Since our scheme belongs to the class characterized by Fischlin and Schröder, it is not possible to prove blindness w.r.t. malicious adversaries.

Security Definition for Blind Signatures. We recall the unforgeability definition of blind signatures [35,53] that can be expressed within our formalization of a cryptographic experiment.

Definition 13 (Unforgeability). An interactive signature scheme BS = (KG, S, U, Vf) is called unforgeable if for any efficient algorithm A (the malicious user) the probability that experiment Forge^BS_A(λ) evaluates to 1 is negligible (as a function of λ), where

  Experiment Forge^BS_A(λ):
    (sk, pk) ← KG(1^λ)
    ((m*_1, σ*_1), …, (m*_{k+1}, σ*_{k+1})) ← A^{⟨S(sk), ·⟩^∞}(pk)
    Return 1 iff m*_i ≠ m*_j for all i, j with i ≠ j, and Vf(pk, m*_i, σ*_i) = 1 for all i, and S has returned ok in at most k interactions.

The corresponding definition of blindness says that it should be infeasible for a malicious signer S* to decide which of two messages m_0 and m_1 has been signed first in two executions with an honest user U. If one of these executions has returned ⊥, then the signer is not informed about the other signature. (Otherwise the signer could trivially identify one session by making the other abort.) If one restricts this definition to semi-honest adversaries, then it is immediately implied by our security definition.

Construction. Our construction instantiates our general framework, as defined in our general construction, with a signature scheme DS = (Kg_Sig, Sig, Vf) that has an oblivious black-box reduction to some underlying hard problem π. For this instantiation, we need maliciously circuit-private homomorphic encryption for logarithmic-depth circuits, which can be achieved by combining information-theoretic garbled circuits (aka randomized encodings) [2,33,38] with two-message oblivious transfer [1,30,48], as provided by the corresponding theorem. Moreover, we need a digital signature scheme that can be computed via a logarithmic-depth circuit. Such a signature scheme can be obtained by using the non-adaptively secure signature scheme by Applebaum et al. [2]. However, this scheme is only non-adaptively secure, which means the adversary has to commit to all messages before learning the public key and the signatures. Using the standard transformation based on chameleon hash functions [31,40], one can convert any non-adaptively secure signature scheme into one that is adaptively secure. Here we actually deal with two reductions: one that deals with adversaries that find collisions of the chameleon hash function, and one that deals with adversaries that do not find hash collisions but still manage to forge signatures. The first reduction is easily seen to be obliviously black-box, as the reduction possesses the signing key for the signature scheme and hash collisions can be easily recovered from the adversary's output. Here the signing circuit is the same as in the real experiment. The second reduction has the following structure. If q is the query bound of the adversary, the reduction computes chameleon hashes on q random values and has them (non-adaptively) signed by the signing oracle. Each time the adversary queries its signing oracle, the reduction uses up one of the precomputed signatures of the chameleon
hashes by computing a hash collision with the adversary’s query and returning Two-Message, Oblivious Evaluation of Cryptographic Functionalities 643 the corresponding signature to the adversary Note that since the reduction is allowed to reprogram the signing circuit after each query, we only need to hardwire a single hash value and trapdoor at a time into the signing oracle circuit Since chameleon hash functions can easily be obtained from the discrete logarithm assumption involving only two modular exponentiations and a multiplication [40], this transformation can also be computed by a circuit of logarithmic depth Thus we obtain an oblivious black-box reduction to the non-adaptive unforgeability of the signature scheme where every circuit used by the reduction has a most an a priori known logarithmic depth We obtain the following theorem Theorem Let HE be an IND-CPA secure maliciously circuit private homomorphic encryption scheme with perfect completeness for circuits of logarithmic depth and let DS be a signature scheme compute by a circuit of logarithmic depth and with an oblivious black-box reduction to hard problem π Then the protocol ΠBS defined above is a blind signature protocol with security against semi-honest senders and malicious receivers Given this theorem, we obtain our impossibility result in the following corollary Corollary (Impossibility of Malicious Sender Security, Informal) There exists no two-move secure evaluation protocol for cryptographic functionalities that is secure against malicious receivers and senders based on standard assumptions Acknowledgement Nico Dă ottling gratefully acknowledges support by the DAAD (German Academic Exchange Service) under the postdoctoral program (57243032) This work was in part supported by European Research Council Starting Grant 279447 Research supported in part from a DARPA/ARL SAFEWARE award, AFOSR Award FA9550-15-1-0274, and NSF CRII Award 1464397 The views expressed are those of the author and not 
reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. Nils Fleischhacker, Johannes Krupp and Dominique Schröder were supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA, www.cispa-security.org) and the project PROMISE. Moreover, this work was supported by the Initiative for Excellence of the German federal and state governments through funding for the Saarbrücken Graduate School of Computer Science and the DFG MMCI Cluster of Excellence. Part of this work was also supported by the German research foundation (DFG) through funding for the collaborative research center 1223 and by the DAAD PPP USA program (57129666). We would like to thank the anonymous reviewers of CRYPTO 2016 for their helpful comments.

A An Oblivious Black-Box Reduction for Naor-Reingold PRF
(N. Döttling et al., Two-Message, Oblivious Evaluation of Cryptographic Functionalities, pp. 644–645)

Lemma. The Naor-Reingold PRF is secure under the DDH assumption, and the reduction is oblivious.

Proof. Given an adversary A that makes at most q queries to its oracle and distinguishes the Naor-Reingold PRF from a truly random function with non-negligible probability $\varepsilon(\lambda)$, consider the following oblivious reduction B against DDH. B gets as input a DDH instance $(g, g^a, g^b, g^{\tilde c})$, where either $\tilde c = a \cdot b$ or not. We restrict the reduction to the case $a, b, \tilde c \neq 0$ (otherwise it is trivial to tell whether $\tilde c = a \cdot b$). B chooses a random $j \leftarrow \{1, \ldots, \lambda\}$, picks a random q-wise independent function $F \leftarrow \mathcal{F}_q$, samples values $(a_{j+1}, \ldots, a_\lambda) \leftarrow \mathbb{Z}_p$ and programs the oracle $O_A$ for A as follows:

$O_A(x)$:
  Parse $x = x' \, x_j \cdots x_\lambda$, where $x'$ is the $(j-1)$-bit prefix of $x$.
  $\alpha = F(x')$.
  If $x_j = 0$: return $(g^b)^{\alpha \prod_{k=j+1}^{\lambda} a_k^{x_k}}$.
  Else: return $(g^{\tilde c})^{\alpha \prod_{k=j+1}^{\lambda} a_k^{x_k}}$.

The reduction B invokes $A^{O_A}$ and outputs 1 exactly when $A^{O_A}$ does. If $\tilde c = a \cdot b$, then for $j = 1$ the oracle perfectly simulates the Naor-Reingold PRF $\mathrm{PRF}_{\mathbf a}$ with key $\mathbf a = (b\alpha, a, a_2, \ldots, a_\lambda)$ (since $x'$ is the empty string, $\alpha$ is a constant). Furthermore, if $\tilde c \neq a \cdot b$, then for $j = \lambda$ the oracle perfectly simulates a q-wise independent function f, which A observes as a truly random function:

$\Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c = a \cdot b \wedge j = 1] = \Pr[A^{\mathrm{PRF}_{\mathbf a}}(1^\lambda) = 1]$,

$\Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c \neq a \cdot b \wedge j = \lambda] = \Pr[A^{f}(1^\lambda) = 1]$.

Since $g^{\tilde c}$ is independent of $g^b$ in case $\tilde c \neq a \cdot b$, it holds that

$\Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c \neq a \cdot b \wedge j = i] = \Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c = a \cdot b \wedge j = i + 1]$.

Therefore

$\Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c = a \cdot b] - \Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c \neq a \cdot b]$
$= \frac{1}{\lambda} \sum_{i=1}^{\lambda} \Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c = a \cdot b \wedge j = i] - \frac{1}{\lambda} \sum_{i=1}^{\lambda} \Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c \neq a \cdot b \wedge j = i]$
$= \frac{1}{\lambda} \left( \Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c = a \cdot b \wedge j = 1] - \Pr[B^A(g, g^a, g^b, g^{\tilde c}) = 1 \mid \tilde c \neq a \cdot b \wedge j = \lambda] \right)$
$= \frac{1}{\lambda} \left( \Pr[A^{\mathrm{PRF}_{\mathbf a}}(1^\lambda) = 1] - \Pr[A^{f}(1^\lambda) = 1] \right) \geq \frac{\varepsilon(\lambda)}{\lambda}$.

Thus this reduction breaks the DDH assumption with non-negligible probability. As the reduction does not see the queries A makes to the oracle $O_A$, it is oblivious according to the paper's definition of an oblivious reduction. This concludes the proof.
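A toy instantiation of the reduction above, added here as an illustration and not taken from the paper. It implements the Naor-Reingold PRF over a constructed small Schnorr group (P = 2039, Q = 1019, g = 4; an assumption chosen for readability and far too small for real use), the oracle O_A exactly as the proof defines it, the reduction B that picks j and forwards A's bit, and the endpoint check that for j = 1 and c̃ = ab the oracle coincides with PRF_a under the key (bα, a, a_2, …, a_λ) on every input. The q-wise independent family F (a random polynomial of degree below q), the brute-force-discrete-log distinguisher that stands in for A, and all function names are my choices, not the paper's.

```python
"""Toy instantiation of Appendix A: the Naor-Reingold PRF and the oblivious DDH
reduction B that programs the oracle O_A for a PRF distinguisher A.
Added example, not code from the paper; group parameters are constructed."""
import secrets

# Constructed toy group (assumption): Schnorr subgroup of prime order Q = 1019 in
# Z_P^*, P = 2Q+1 = 2039, generator G = 4 (a quadratic residue, hence of order Q).
# Exponents live in Z_Q. Real parameters need |Q| >= 256 bits.
P, Q, G = 2039, 1019, 4

# Brute-force discrete-log table: feasible only because the toy group is tiny.
DLOG = {pow(G, e, P): e for e in range(Q)}


def rand_exponent():
    """Uniform non-zero element of Z_Q (the proof assumes a, b, c~ != 0)."""
    return 1 + secrets.randbelow(Q - 1)


def nr_prf(key, x):
    """Naor-Reingold PRF_a(x) = g^{a_0 * prod_{i : x_i = 1} a_i} for
    key = (a_0, a_1, ..., a_lam) and a bit string x of length lam."""
    assert len(x) == len(key) - 1
    e = key[0]
    for bit, a_i in zip(x, key[1:]):
        if bit == "1":
            e = e * a_i % Q
    return pow(G, e, P)


class QWiseIndependent:
    """F <- F_q: a q-wise independent function from bit-string prefixes to Z_Q.
    The family chosen here (my choice; the paper only needs q-wise independence)
    is a uniformly random polynomial of degree < q over Z_Q evaluated at an
    injective integer encoding of the prefix."""

    def __init__(self, q):
        self.coeffs = [secrets.randbelow(Q) for _ in range(q)]

    def __call__(self, prefix):
        point = int("1" + prefix, 2)  # leading 1 keeps "" and "0" distinct
        assert point < Q, "toy encoding needs 2^(len(prefix)+1) <= Q"
        value = 0
        for c in reversed(self.coeffs):  # Horner's rule
            value = (value * point + c) % Q
        return value


class OracleOA:
    """O_A for hybrid index j. It computes answers without inspecting or storing
    the queries, which is what makes B an oblivious reduction."""

    def __init__(self, ddh, lam, j, num_queries):
        _, _, self.gb, self.gc = ddh
        self.lam, self.j = lam, j
        self.F = QWiseIndependent(num_queries)
        self.a_tail = {k: rand_exponent() for k in range(j + 1, lam + 1)}  # a_{j+1..lam}

    def __call__(self, x):
        assert len(x) == self.lam
        e = self.F(x[: self.j - 1])  # alpha = F(x'), x' the (j-1)-bit prefix
        for k in range(self.j + 1, self.lam + 1):
            if x[k - 1] == "1":
                e = e * self.a_tail[k] % Q
        base = self.gb if x[self.j - 1] == "0" else self.gc  # x_j picks g^b or g^c~
        return pow(base, e, P)


def ddh_instance(real):
    """(g, g^a, g^b, g^c~) with c~ = ab if real, else c~ uniform; also returns (a, b, c~)."""
    a, b = rand_exponent(), rand_exponent()
    c = a * b % Q if real else rand_exponent()
    return (G, pow(G, a, P), pow(G, b, P), pow(G, c, P)), (a, b, c)


def reduction_B(adversary, ddh, lam, num_queries, j=None):
    """B: draw j <- {1..lam} unless fixed, run A with oracle O_A, output A's bit."""
    if j is None:
        j = 1 + secrets.randbelow(lam)
    return adversary(OracleOA(ddh, lam, j, num_queries))


def toy_distinguisher(oracle, lam=4):
    """Constructed PRF distinguisher that only works in the toy group: it reads
    discrete logs from DLOG and checks log f(0) * log f(e1|e2) == log f(e1) * log f(e2)
    (mod Q), which the Naor-Reingold PRF always satisfies and a random function
    satisfies with probability about 1/Q. Uses 4 queries."""
    tail = "0" * (lam - 2)
    zero, e1, e2, e12 = "0" * lam, "10" + tail, "01" + tail, "11" + tail
    lg = {x: DLOG[oracle(x)] for x in (zero, e1, e2, e12)}
    return 1 if lg[zero] * lg[e12] % Q == lg[e1] * lg[e2] % Q else 0


def simulation_is_perfect_at_j1(lam=4):
    """Endpoint j = 1 of the hybrid argument: with c~ = ab, O_A equals PRF_a for
    a = (b*alpha, a, a_2, ..., a_lam), alpha = F(""). True iff they agree on all inputs."""
    ddh, (a, b, _) = ddh_instance(real=True)
    oracle = OracleOA(ddh, lam, j=1, num_queries=2 ** lam)
    key = [b * oracle.F("") % Q, a] + [oracle.a_tail[k] for k in range(2, lam + 1)]
    inputs = (format(i, f"0{lam}b") for i in range(2 ** lam))
    return all(oracle(x) == nr_prf(key, x) for x in inputs)


if __name__ == "__main__":
    print("j=1 simulation perfect:", simulation_is_perfect_at_j1())
    ddh, _ = ddh_instance(real=True)
    print("B^A on a real DDH tuple with j=1:", reduction_B(toy_distinguisher, ddh, 4, 4, j=1))
```

The check covers only the j = 1 endpoint, which is an exact equality of functions and can be verified input by input; the j = λ endpoint and the hybrid step between j = i and j = i + 1 are statements about distributions over B's randomness and are not tested by a single run.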
Author Index

Abe, Masayuki III-387
Agrawal, Shweta III-333
Alamati, Navid II-659
Albrecht, Martin I-153
Alwen, Joël II-241
Ananth, Prabhanjan II-491
Applebaum, Benny III-449
Bai, Shi I-153
Barbulescu, Razvan I-543
Bar-On, Achiya I-435
Baum, Carsten III-478
Beierle, Christof I-625, II-123
Bellare, Mihir I-247, I-373
Ben-Zvi, Adi I-179
Bin-Noon, Hod II-521
Biryukov, Alex II-93
Blackburn, Simon R. I-179
Blocki, Jeremiah II-241
Bogdanov, Andrej III-593
Boura, Christina I-654
Bourse, Florian II-62
Boyle, Elette I-509
Brakerski, Zvika I-190, II-551, III-363
Brzuska, Christina II-551
Camenisch, Jan III-208
Canteaut, Anne I-654
Carmer, Brent III-416
Cascudo, Ignacio III-179
Chase, Melissa III-499
Chen, Yu III-303
Ciampi, Michele III-270
Cogliati, Benoît I-121
Cohen, Ran III-240
Coretti, Sandro III-240
Coron, Jean-Sébastien II-607
Costello, Craig I-572
Couteau, Geoffroy I-308
Dai, Yuanxi I-95
Damgård, Ivan II-459, III-179, III-478
David, Bernardo III-179
Degabriele, Jean Paul I-403
Degwekar, Akshay III-533
Del Pino, Rafaël II-62
Derbez, Patrick II-157
Dinur, Itai II-185
Dodis, Yevgeniy I-341, III-93
Döttling, Nico III-179, III-619
Dubovitskaya, Maria III-208
Ducas, Léo I-153
Dulek, Yfke III-3
Dunkelman, Orr II-185
Dupuis, Frédéric III-33
Duval, Sébastien I-457
Dwork, Cynthia III-123
Dziembowski, Stefan II-272
Faust, Sebastian II-272
Fehr, Serge III-33
Fischlin, Marc II-521
Fleischhacker, Nils II-551, III-619
Fouque, Pierre-Alain II-157
Gagliardoni, Tommaso III-60
Ganesh, Chaya III-499
Garay, Juan III-240
Garg, Sanjam II-579, III-563
Gilboa, Niv I-509
Güneysu, Tim II-302
Guo, Jian I-605
Halevi, Shai III-93
Hanaoka, Goichiro II-3
Hazay, Carmit II-397
Hemenway, Brett III-149
Herold, Gottfried II-272
Herzberg, Amir II-521
Hirt, Martin II-335
Hoang, Viet Tung I-3
Hoshino, Fumitaka III-387
Hülsing, Andreas III-60
Ishai, Yuval I-509, II-430, III-593
Jafargholi, Zahra III-149
Jain, Aayush II-491
Jean, Jérémy II-123
Journault, Anthony II-272
Kane, Daniel I-373
Kaplan, Marc II-207
Keller, Nathan I-435, II-185
Kiltz, Eike II-33
Kim, Taechan I-543
Kölbl, Stefan II-123
Koppula, Venkata II-681
Kranz, Thorsten I-625
Krupp, Johannes III-619
Kumaresan, Ranjit II-366
Kunihiro, Noboru II-3
Kushilevitz, Eyal II-430
Lallemand, Virginie I-457
Lamontagne, Philippe III-33
Larsen, Kasper Green III-478
Leander, Gregor I-625, II-123
Lee, Moon Sung II-607
Lepoint, Tancrède II-607
Leurent, Gaëtan II-207
Leverrier, Anthony II-207
Libert, Benoît III-333
Liu, Meicheng I-605
Longa, Patrick I-572
Masny, Daniel II-33, II-272
Maurer, Ueli II-335
Mennink, Bart I-64
Miles, Eric II-629
Minelli, Michele II-62
Mironov, Ilya I-341
Mohassel, Payman III-499, III-563
Moradi, Amir II-123, II-302
Naehrig, Michael I-572
Naor, Moni II-491, III-123
Naya-Plasencia, María II-207
Nielsen, Jesper Buus II-459, III-179
Nielsen, Michael III-478
Ohkubo, Miyako III-387
Ostrovsky, Rafail III-149, III-270
Pan, Jiaxin II-33
Pandey, Omkant II-579
Papamanthou, Charalampos III-563
Paterson, Kenneth G. I-403
Peikert, Chris II-659
Perlman, Renen I-190
Perrin, Léo II-93
Peters, Thomas I-308
Peyrin, Thomas I-33, II-123
Pointcheval, David I-308
Polychroniadou, Antigoni II-459
Prabhakaran, Manoj II-430
Qu, Longjiang I-605
Raghuraman, Srinivasan II-366
Raskin, Michael II-459
Raykov, Pavel III-449
Rial, Alfredo III-208
Rijmen, Vincent I-605
Rogaway, Phillip I-373
Rosulek, Mike III-416
Rotella, Yann I-457
Rothblum, Guy N. III-123
Rothblum, Ron D. III-93
Sahai, Amit II-430, II-491, II-629
Salvail, Louis III-33
Sasaki, Yu II-123
Sasdrich, Pascal II-123
Scafuro, Alessandra III-149
Schaffner, Christian III-3, III-60
Schneider, Tobias II-302
Schröder, Dominique III-619
Schuldt, Jacob C.N. I-403
Sealfon, Adam II-366
Seurin, Yannick I-33, I-121
Shamir, Adi II-185
Shrimpton, Thomas I-277
Shulman, Haya II-521
Sim, Siang Meng II-123
Siniscalchi, Luisa III-270
Speelman, Florian III-3
Srinivasan, Akshayaram II-579
Stam, Martijn I-277
Standaert, François-Xavier II-272
Stehlé, Damien III-333
Steinberger, John I-95
Stephens-Davidowitz, Noah I-341
Sun, Bing I-605
Tackmann, Björn I-247
Tessaro, Stefano I-3
Tibouchi, Mehdi II-607
Tsaban, Boaz I-179
Tschudi, Daniel II-335
Udovenko, Aleksei II-93
Vaikuntanathan, Vinod III-363, III-533
Vasudevan, Prashant Nalini III-533
Venkitasubramaniam, Muthuramakrishnan II-397
Viola, Emanuele III-593
Visconti, Ivan III-270
Warinschi, Bogdan I-277
Waters, Brent II-681
Wee, Hoeteck II-62
Wichs, Daniel III-93, III-149
Williamson, Christopher III-593
Woodage, Joanne I-403
Yamada, Shota II-3
Yamakawa, Takashi II-3
Yogev, Eylon II-491
Yu, Ching-Hua II-430
Yu, Yu I-214
Zhandry, Mark I-479, II-629
Zhang, Jiang I-214, III-303
Zhang, Zhenfeng III-303
Zikas, Vassilis II-335, III-240

Posted: 14/05/2018, 11:33

Table of contents

  • Preface

  • Crypto 2016 The 36th IACR International Cryptology Conference

  • Contents -- Part III

  • Quantum Techniques

  • Quantum Homomorphic Encryption for Polynomial-Sized Circuits

    • 1 Introduction

      • 1.1 Our Contributions

      • 1.2 Related Work

      • 1.3 Structure of the Paper

    • 2 Preliminaries

      • 2.1 Quantum Computation

      • 2.2 Homomorphic Encryption

      • 2.3 Garden-Hose Complexity

    • 3 The TP Scheme

      • 3.1 Gadget

      • 3.2 Key Generation

      • 3.3 Encryption

      • 3.4 Circuit Evaluation

      • 3.5 Decryption

    • 4 Security of TP

      • 4.1 Circuit Privacy

    • 5 Constructing the Gadgets

      • 5.1 For Log-Depth Decryption Circuits

      • 5.2 For Log-Space Computable Decryption Functions

      • 5.3 Constructing Gadgets Using Limited Quantum Resources

    • 6 Conclusion

      • 6.1 Future Work

    • References

  • Adaptive Versus Non-Adaptive Strategies in the Quantum Setting with Applications

    • 1 Introduction

    • 2 Preliminaries

      • 2.1 Basic Notation

      • 2.2 Quantum States and More

      • 2.3 Entropy and Privacy Amplification

    • 3 Main Result

    • 4 Application 1: 1CC Is Universal

      • 4.1 Background

      • 4.2 The Protocol

      • 4.3 Security Proofs

      • 4.4 Universality of 1CC

    • 5 Application 2: On the Security of BCJL Commitment Scheme

      • 5.1 Setting up the Stage

      • 5.2 The General Reduction

      • 5.3 Special Case: The BCJL Bit-Commitment Scheme

    • A Additional proofs

    • B UC-Completeness of 1CC

      • B.1 The UC Model

      • B.2 UC Security of OT from 1CC

    • References

  • Semantic Security and Indistinguishability in the Quantum World

    • 1 Introduction

    • 2 Preliminaries

      • 2.1 Classical Security Notions: IND-CPA and SEM-CPA

      • 2.2 Previous Notions of Security in the Quantum World

    • 3 New Notions of Quantum Indistinguishability

      • 3.1 The `Security Tree'

      • 3.2 Analysis of the Models

      • 3.3 qIND

    • 4 New Notions of Quantum Semantic Security

      • 4.1 Classical Semantic Security Under Quantum CPA

      • 4.2 Quantum Semantic Security

    • 5 Relations

    • 6 Impossibility and Achievability Results

      • 6.1 Impossibility Result

      • 6.2 Secure Construction

      • 6.3 Length Extension

    • 7 Conclusions and Further Directions

    • References

  • Spooky Encryption

  • Spooky Encryption and Its Applications

    • 1 Introduction

      • 1.1 Technical Overview

      • 1.2 Related Work

    • 2 Definitions

      • 2.1 Local, No-Signaling, and Spooky Relations

      • 2.2 Spooky Encryption

      • 2.3 Additive-Function-Sharing Spooky Encryption

    • 3 LWE-Based Spooky Encryption

      • 3.1 Learning with Errors (LWE) and Multi-key FHE

      • 3.2 LWE-Based AFS Spooky Encryption

      • 3.3 Beyond AFS-2-Spooky Encryption

    • 4 piO Based Spooky Encryption

      • 4.1 Tools

      • 4.2 Two-Key Spooky Encryption from piO

      • 4.3 piO Based Multi-key Spooky Encryption

    • 5 From 2-Input to n-Input AFS-Spooky

    • 6 Applications of Spooky Encryption

      • 6.1 Counter Example for the [ABOR00] Heuristic

      • 6.2 2-Round MPC from AFS-Spooky Encryption

      • 6.3 Function Secret Sharing

    • 7 Spooky-Free Encryption

    • References

  • Spooky Interaction and Its Discontents: Compilers for Succinct Two-Message Argument Systems

    • 1 Introduction

      • 1.1 Background

      • 1.2 Our Results

    • 2 Definitions and Basic Properties

      • 2.1 Interactive Protocols

      • 2.2 FHE

      • 2.3 PIR

    • 3 Detailed Description of the Compiler

      • 3.1 The Compiler: FHE Variant

      • 3.2 The Compiler: PIR Variant

    • 4 The Negative Result: A Protocol that Does Not Compile Well

      • 4.1 The Protocol (PIP,VIP)

      • 4.2 The Compiled Protocol

    • 5 Positive Results

      • 5.1 Security of the Compiler

      • 5.2 Succinct Two-Message Arguments

      • 5.3 Application to Exhaustive Search

    • References

  • Secure Computation and Protocols II

  • Adaptively Secure Garbled Circuits from One-Way Functions

    • 1 Introduction

      • 1.1 Prior Approaches to Adaptive Security

      • 1.2 Our Results

      • 1.3 Applications of Our Results

      • 1.4 Our Techniques

    • 2 Preliminaries

    • 3 Garbling Scheme

    • 4 Somewhere Equivocal Symmetric-Key Encryption

    • 5 Adaptively Secure Garbling Scheme and Simulator

      • 5.1 Construction

      • 5.2 Adaptive Simulator

    • 6 Hybrid Games

      • 6.1 Template for Defining Hybrid Games

      • 6.2 Rules for Indistinguishable Hybrids

    • 7 Pebbling and Sequences of Hybrid Games

      • 7.1 Pebbling Strategies

    • 8 Conclusions

    • References

  • Rate-1, Linear Time and Additively Homomorphic UC Commitments

    • 1 Introduction

      • 1.1 Previous Work

      • 1.2 Our Contribution

    • 2 Preliminaries

      • 2.1 Notation

      • 2.2 Coding Theory

      • 2.3 Universal Composability

    • 3 Interactive Proximity Testing

    • 4 Linear Time Primitives

      • 4.1 Linear Time Almost Universal Hashing with Short Seeds

      • 4.2 Linear Time Rate-1 Codes

    • 5 Linear Time and Rate 1 Additive Commitments

      • 5.1 Computational Complexity and Rate

    • A Universal Composability

    • B Implementing FROT

    • C Committing to Arbitrary Messages

    • References

  • UC Commitments for Modular Protocol Design and Applications to Revocation and Attribute Tokens

    • 1 Introduction

      • 1.1 UC Non-interactive Commitments for Hybrid Protocols

      • 1.2 Modular Protocol Design in FNIC-Hybrid Model

      • 1.3 Example: Flexible Revocation for Attribute-Based Credentials

      • 1.4 Paper Organization

    • 2 Universally Composable Security

      • 2.1 Notation

      • 2.2 Conventions

    • 3 UC Non-interactive Commitments

      • 3.1 Ideal Functionalities FNIC and FENIC for Non-interactive Commitments

      • 3.2 Binding and Hiding Properties of FNIC and FENIC

      • 3.3 Using FNIC in Conjunction with Other Functionalities

      • 3.4 Construction of UC Non-interactive Commitments

    • 4 The Ideal Functionalities FREV and FAT

      • 4.1 Ideal Functionality for Revocation FREV

      • 4.2 Ideal Functionality for Anonymous Attribute Tokens FAT

    • 5 Anonymous Attribute Tokens with Revocation

      • 5.1 Ideal Functionality FTR of Anonymous Attribute Tokens with Revocation

      • 5.2 Construction of Anonymous Attribute Tokens with Revocation

    • 6 Conclusion and Future Work

    • References

  • Probabilistic Termination and Composability of Cryptographic Protocols

    • 1 Introduction

    • 2 Model

    • 3 Secure Computation with Probabilistic Termination

      • 3.1 Canonical Synchronous Functionalities

      • 3.2 Probabilistic Termination in UC

    • 4 (Fast) Composition of PT Protocols

      • 4.1 Composition with Deterministic Termination

      • 4.2 Composition with Probabilistic Termination

      • 4.3 Wrapping Secure Channels

    • 5 Applications of Our Fast Composition Theorem

      • 5.1 Fast and Perfectly Secure Byzantine Agreement

      • 5.2 Fast and Perfectly Secure Parallel Broadcast

      • 5.3 Fast and Perfectly Secure SFE

    • References

  • Concurrent Non-Malleable Commitments (and More) in 3 Rounds

    • 1 Introduction

      • 1.1 Towards 3-Round (Concurrent) NM Commitments

      • 1.2 Results of This Work

    • 2 Notation, Definitions and Tools

      • 2.1 Commitment Schemes

      • 2.2 Non-Malleable Commitment Schemes

      • 2.3 3-Round One-One NM Commitment Scheme

      • 2.4 The LS Proof of Knowledge and NMWI Argument Systems

    • 3 3-Round Concurrent Non-Malleable Commitments

    • 4 More Protocols Against Concurrent MiM Attacks

      • 4.1 Non-Malleable WI Arguments of Knowledge

      • 4.2 Identification Schemes

    • 5 Concurrent Malleability of

    • References

  • IBE, ABE, and Functional Encryption

  • Programmable Hash Functions from Lattices: Short Signatures and IBEs with Small Key Sizes

    • 1 Introduction

      • 1.1 Our Contributions

      • 1.2 Techniques

      • 1.3 Short Signatures

      • 1.4 Identity-Based Encryptions

      • 1.5 Other Related Work

      • 1.6 Roadmap

    • 2 Preliminaries

      • 2.1 Notation

      • 2.2 Lattices and Gaussian Distributions

      • 2.3 Learning with Errors (LWE) and Small Integer Solutions (SIS)

    • 3 Programmable Hash Functions from Lattices

      • 3.1 Type-I Construction

      • 3.2 Type-II Construction

      • 3.3 Collision-Resistance and High Min-Entropy

      • 3.4 Programmable Hash Function from Ideal Lattices

    • 4 Short Signature Schemes from Lattice-Based PHFs

      • 4.1 A Short Signature Scheme with Short Verification Key

      • 4.2 An Improved Short Signature Scheme from Weaker Assumption

    • 5 Identity-Based Encryptions from Lattice-Based PHFs

      • 5.1 An Identity-Based Encryption with Short Master Public Key

      • 5.2 Extensions

    • References

  • Fully Secure Functional Encryption for Inner Products, from Standard Assumptions

    • 1 Introduction

      • 1.1 Overview of Techniques

    • 2 Background

    • 3 Fully Secure Functional Encryption for Inner Products from DDH

    • 4 Full Security Under the LWE Assumption

      • 4.1 Integer Inner Products of Short Integer Vectors

      • 4.2 Inner Products Modulo a Prime p

      • 4.3 Hardness of Multi-hint Extended-LWE

    • 5 Constructions Based on Paillier

      • 5.1 Computing Inner Products over Z

      • 5.2 A Construction for Inner Products over ZN

    • 6 Bootstrapping Linear FE to Efficient Bounded FE for All Circuits

    • A Definitions for Functional Encryption

    • References

  • Circuit-ABE from LWE: Unbounded Attributes and Semi-adaptive Security

    • 1 Introduction

      • 1.1 Overview of Our Techniques

    • 2 Preliminaries

      • 2.1 Bounded Distributions and Swallowing

      • 2.2 Pseudorandom Functions

      • 2.3 KP-ABE with Unbounded Attribute Length

    • 3 LWE, Trapdoors, Homomorphism

    • 4 Our Scheme

      • 4.1 Correctness

      • 4.2 Security

      • 4.3 Conclusion

    • References

  • Automated Tools and Synthesis

  • Design in Type-I, Run in Type-III: Fast and Scalable Bilinear-Type Conversion Using Integer Programming

    • 1 Introduction

      • 1.1 Background

      • 1.2 Our Contribution

      • 1.3 Related Works

    • 2 Conversion Based on Dependency Graphs

      • 2.1 Overview

      • 2.2 Dependency Graph

      • 2.3 Valid Split

    • 3 Finding Optimal Valid Split with IP

      • 3.1 Users' Preferences

      • 3.2 IPConv Procedure

      • 3.3 Optimality of the Output

    • 4 Performance

      • 4.1 Processing Time for Real Schemes

      • 4.2 Scalability

    • 5 Using Conversion in Cryptographic Design

      • 5.1 Fine-Tuned GS Proof of Correct Commitment via Conversion

      • 5.2 AHO Signature + GSZK

      • 5.3 Automorphic Blind Signature Scheme

    • 6 Conclusion

    • A Converted GSZK for AHO Signature

    • B Converted Automorphic Blind Signature Scheme

    • References

  • Linicrypt: A Model for Practical Cryptography

    • 1 Introduction

      • 1.1 Overview of Our Results

      • 1.2 Related Work and Inspiration

    • 2 Linicrypt

      • 2.1 Basic Model

      • 2.2 Mixed Linicrypt Programs and Modelling Real-World Primitives

      • 2.3 Algebraic Representation

      • 2.4 Linear Transformations, Basis Changes and Composition

      • 2.5 Indistinguishability vs. Unpredictability

      • 2.6 Normalization

      • 2.7 Main Characterization

    • 3 Synthesizing Linicrypt Garbled Circuits

      • 3.1 Gate-Garbling

      • 3.2 Synthesis Approach

      • 3.3 Implementation Results

    • References

  • Zero Knowledge

  • On the Relationship Between Statistical Zero-Knowledge and Statistical Randomized Encodings

    • 1 Introduction

      • 1.1 Our Results

    • 2 Our Techniques

      • 2.1 A Broader Perspective

    • 3 Preliminaries

    • 4 NISZK and SRE

    • 5 NISZKpub = 1RE

      • 5.1 Equivalence of 1RE and D1RE

      • 5.2 From NISZKpub to 1RE

      • 5.3 From 1RE to NISZKpub

    • 6 If SRE Is Non-trivial Then One-Way Functions Exist

    • 7 If PRE Is Hard on the Average Then CRH Exist

    • A Omitted Proofs

      • A.1 Proof of Item 5 of Fact 1

    • References

  • How to Prove Knowledge of Small Secrets

    • 1 Introduction

      • 1.1 Contributions and Techniques

      • 1.2 Related Work

    • 2 Homomorphic OWFs and Zero-Knowledge Proofs

      • 2.1 Proving Knowledge of Preimage

    • 3 Proofs of Preimage

      • 3.1 The Imperfect Proof of Knowledge

      • 3.2 The Full Proof of Knowledge

    • 4 Applications

      • 4.1 Encryption as ivOWFs

      • 4.2 Refining the Proof Technique

    • References

  • Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials

    • 1 Introduction

    • 2 Preliminaries

      • 2.1 Simulation-Based Security

      • 2.2 Commitment Scheme

      • 2.3 Committing OT

      • 2.4 Garbled Circuits

      • 2.5 Zero-Knowledge Proofs

      • 2.6 ZK Proof Based on Garbled Circuits

    • 3 Proving Non-algebraic Statements on Algebraic Commitments

      • 3.1 First Instantiation

      • 3.2 Second Instantiation

      • 3.3 Efficiency Comparison and Optimizations

      • 3.4 Secure Computation on Committed/Signed Inputs

    • 4 Building Blocks for Privacy-Preserving Signature Verification

      • 4.1 Proving that a Committed Value Is the Hash of Another Committed Value

      • 4.2 Proof of Equality of Committed Values in Different Groups

      • 4.3 Proof of Equality of Discrete Logarithm of a Committed Value and Another Committed Value

    • 5 Privacy-Preserving FDH-RSA Signature Verification

      • 5.1 Proof of Knowledge of RSA Signatures

      • 5.2 Proof of Security

    • 6 Privacy-Preserving (EC)DSA Signature Verification

      • 6.1 Proof of Knowledge of DSA Signatures

      • 6.2 Proof of Security

      • 6.3 Proof of Knowledge of ECDSA Signatures

    • References

  • Theory

  • Fine-Grained Cryptography

    • 1 Introduction

      • 1.1 Our Results and Techniques

      • 1.2 Other Related Work: Cryptography Against Bounded Adversaries

    • 2 Preliminaries

      • 2.1 Notation

      • 2.2 Constant-Depth Circuits

      • 2.3 Sparse Matrices and Linear Codes

      • 2.4 Adversaries

      • 2.5 Primitives Against Bounded Adversaries

      • 2.6 Randomized Encodings

    • 3 OWFs from Worst-Case Assumptions

    • 4 PKE Against NC1 from Worst-Case Assumptions

      • 4.1 Collision Resistant Hashing

    • 5 Cryptography Without Assumptions

      • 5.1 High-Stretch Pseudo-Random Generators

      • 5.2 Weak Pseudo-Random Functions

      • 5.3 Symmetric Key Encryption

      • 5.4 Collision Resistant Hash Functions

      • 5.5 Candidate Public Key Encryption Scheme

    • References

  • TWORAM: Efficient Oblivious RAM in Two Rounds with Applications to Searchable Encryption

    • 1 Introduction

      • 1.1 Existing Round-Optimal ORAM Protocols

      • 1.2 TWORAM's Technical Highlights

      • 1.3 Application: 4-Round Searchable Encryption with No Search Pattern Leakage

      • 1.4 Other Related Work

    • 2 Definitions for Garbled Circuits and Oblivious RAM

      • 2.1 Garbled Circuits

      • 2.2 Oblivious RAM

    • 3 TWORAM Construction

      • 3.1 Notation

      • 3.2 Path-ORAM Abstraction

      • 3.3 From log n Rounds to Two Rounds

      • 3.4 Protocols SETUP and OBLIVIOUSACCESS of our construction

      • 3.5 Optimizations

    • 4 Searchable Encryption Construction Using TWORAM

      • 4.1 Hash Table Definition

      • 4.2 Searchable Encryption Definition

      • 4.3 SSE from any ORAM

      • 4.4 SSE from Path-ORAM

    • A More Details on Path ORAM

      • A.1 Path ORAM Abstraction Algorithms

      • A.2 Path ORAM Protocols with log n Rounds of Interaction Using the Abstraction

      • A.3 Proof of Security for TWORAM

      • A.4 Proof of Security for the SSE scheme

    • References

  • Bounded Indistinguishability and the Complexity of Recovering Secrets

    • 1 Introduction

      • 1.1 Secret Sharing Schemes

      • 1.2 Visual Cryptography

      • 1.3 Additional Cryptographic Applications

    • 2 Secret Sharing

      • 2.1 Sampling the Shares in AC0

      • 2.2 Trading Alphabet Size for Secrecy

      • 2.3 Reconstruction by a Subset of the Parties

      • 2.4 Limitations

    • 3 Additional Cryptographic Applications

      • 3.1 Leakage-Resilience of Secret Sharing Schemes

      • 3.2 Private Circuits

    • A Parameters for Visual Scheme

    • B Useful Properties of Approximate Degree

    • C Sharing in AC0 with Perfect Secrecy

    • D Exact vs. Almost Bounded Indistinguishability

    • References

  • Two-Message, Oblivious Evaluation of Cryptographic Functionalities

    • 1 Introduction

      • 1.1 Impossibility of Malicious Security and Induced Game-Based Security

      • 1.2 Oblivious Reductions: A Nonblack-Box Proof Technique

      • 1.3 Our Contribution

      • 1.4 Related Work

      • 1.5 Outlook

    • 2 Secure Computation of Cryptographic Functionalities

      • 2.1 Cryptographic Security Experiment

      • 2.2 Oblivious Black-Box Reductions

      • 2.3 Secure Function Evaluation for Cryptographic Primitives

    • 3 2-Round SFE via 1-Hop Homomorphic Encryption

      • 3.1 1-Hop Homomorphic Encryption

      • 3.2 Construction

    • 4 Round-Optimal Oblivious Pseudorandom Functions

    • 5 Impossibility of Malicious Sender Security

    • A An Oblivious Black-Box Reduction for Naor-Reingold PRF

    • References

  • Author Index
