Lossy Trapdoor Functions and Their Applications
ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 80 (2007)
2007
Cited by 80 (18 self)
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number-theoretic assumptions, including hardness of the decisional Diffie-Hellman (DDH) problem and the worst-case hardness of standard lattice problems. Using lossy TDFs, we develop a new approach for constructing many important cryptographic primitives, including standard trapdoor functions, CCA-secure cryptosystems, collision-resistant hash functions, and more. All of our constructions are simple, efficient, and black-box. Taken all together, these results resolve some long-standing open problems in cryptography. They give the first known (injective) trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCA-secure cryptosystem based solely on worst-case lattice assumptions.
Circular-Secure Encryption from Decision Diffie-Hellman
2008
Cited by 48 (5 self)
Let E be a public-key encryption system and let (pk_i, sk_i) be public/private key pairs for E for i = 0, ..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of sk_i under pk_{(i mod n)+1} for all i = 1, ..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only been proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of sk_i under pk_j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published.
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Cited by 29 (0 self)
We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairing-based cryptosystems, and we show how to use prime-order elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision Diffie-Hellman assumption, the decision linear assumption, and/or related assumptions in prime-order groups. We apply our framework and our prime-order group constructions to create more efficient versions of cryptosystems that originally required composite-order groups. Specifically, we consider the Boneh-Goh-Nissim encryption scheme, the Boneh-Sahai-Waters traitor tracing system, and the Katz-Sahai-Waters attribute-based encryption scheme. We give a security theorem for the prime-order group instantiation of each system, using assumptions of comparable complexity to those used in the composite-order setting. Our conversion of the last two systems to prime-order groups answers a problem posed by Groth and Sahai.
The Twin Diffie-Hellman Problem and Applications
2008
Cited by 27 (4 self)
We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem; this is a feature not enjoyed by the ordinary Diffie-Hellman problem. In particular, we show how to build a certain “trapdoor test” that allows us to effectively answer such decision oracle queries without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
More constructions of lossy and correlation-secure trapdoor functions. Cryptology ePrint Archive, Report 2009/590
2009
Cited by 24 (8 self)
We propose new and improved instantiations of lossy trapdoor functions (Peikert and Waters, STOC ’08), and correlation-secure trapdoor functions (Rosen and Segev, TCC ’09). Our constructions widen the set of number-theoretic assumptions upon which these primitives can be based, and are summarized as follows:
• Lossy trapdoor functions based on the quadratic residuosity assumption. Our construction relies on modular squaring, and whereas previous such constructions were based on seemingly stronger assumptions, we present the first construction that is based solely on the quadratic residuosity assumption. We also present a generalization to higher order power residues.
• Lossy trapdoor functions based on the composite residuosity assumption. Our construction guarantees essentially any required amount of lossiness, where at the same time the functions are more efficient than the matrix-based approach of Peikert and Waters.
• Lossy trapdoor functions based on the d-Linear assumption. Our construction both simplifies the DDH-based construction of Peikert and Waters, and admits a generalization to the whole family of d-Linear assumptions without any loss of efficiency.
• Correlation-secure trapdoor functions related to the hardness of syndrome decoding.
Keywords: Public-key encryption, lossy trapdoor functions, correlation-secure trapdoor functions. An extended abstract of this work appears in Public Key Cryptography (PKC 2010), Springer LNCS 6056.
Practical Chosen Ciphertext Secure Encryption from Factoring
Cited by 20 (4 self)
We propose a practical public-key encryption scheme whose security against chosen-ciphertext attacks can be reduced in the standard model to the assumption that factoring is intractable.
A new randomness extraction paradigm for hybrid encryption. Cryptology ePrint Archive, Report 2008/304
2008
Cited by 15 (4 self)
We present a new approach to the design of IND-CCA2 secure hybrid encryption schemes in the standard model. Our approach provides an efficient generic transformation from 1-universal to 2-universal hash proof systems. The transformation involves a randomness extractor based on a 4-wise independent hash function as the key derivation function. Our methodology can be instantiated with efficient schemes based on standard intractability assumptions such as Decisional Diffie-Hellman, Quadratic Residuosity, and Paillier’s Decisional Composite Residuosity. Interestingly, our framework also allows one to prove IND-CCA2 security of a hybrid version of 1991’s Damgård’s ElGamal public-key encryption scheme under the DDH assumption. Keywords: Chosen-ciphertext security, hybrid encryption, randomness extraction, hash proof systems, ElGamal.
A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model
2008
Cited by 12 (2 self)
We show that a recently proposed construction by Rosen and Segev can be used for obtaining the first public key encryption scheme based on the McEliece assumptions which is secure against adaptive chosen ciphertext attacks in the standard model.
Efficient Pseudorandom Functions From the Decisional Linear Assumption and Weaker Variants
Cited by 6 (0 self)
In this paper, we generalize Naor and Reingold’s construction of pseudorandom functions under the DDH Assumption to yield a construction of pseudorandom functions under the decisional k-Linear Assumption, for each k ≥ 1. The decisional Linear Assumption was first introduced by Boneh, Boyen, and Shacham as an alternative assumption for settings where the DDH problem is easy, such as bilinear groups. This assumption can be generalized to obtain the decisional k-Linear Assumptions. Shacham and Hofheinz and Kiltz showed that the decisional (k + 1)-Linear problem is hard for generic groups even when the decisional k-Linear problem is easy. It is thus desirable to have constructions of cryptographic primitives based on the decisional k-Linear Assumption instead of DDH. Not surprisingly, one must pay a small price for added security: as k increases, our constructed functions become slightly less efficient to compute and the key size increases (quadratically in k).
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs
Cited by 5 (0 self)
We introduce the notion of an extractable hash proof system. Essentially, this is a special kind of non-interactive zero-knowledge proof of knowledge system where the secret keys may be generated in one of two modes to allow for either simulation or extraction.
– We show how to derive efficient CCA-secure encryption schemes via extractable hash proofs in a simple and modular fashion. Our construction clarifies and generalizes the recent factoring-based cryptosystem of Hofheinz and Kiltz (Eurocrypt ’09), and is reminiscent of an approach proposed by Rackoff and Simon (Crypto ’91). We show how to instantiate extractable hash proof systems for hard search problems, notably factoring and computational Diffie-Hellman. Using our framework, we obtain the first CCA-secure encryption scheme based on CDH where the public key is a constant number of group elements, and a more modular and conceptually simpler variant of the Hofheinz-Kiltz cryptosystem (though less efficient).
– We introduce adaptive trapdoor relations, a relaxation of the adaptive trapdoor functions considered by Kiltz, Mohassel and O’Neill (Eurocrypt ’10), which nonetheless imply CCA-secure encryption schemes. We show how to construct such relations using extractable hash proofs, which in turn yields realizations from hardness of factoring and CDH.