Progress in Cryptology – INDOCRYPT 2020: 21st International Conference on Cryptology in India, Bangalore, India, December 13–16, 2020, Proceedings [1st ed.] 9783030652760, 9783030652777

This book constitutes the refereed proceedings of the 21st International Conference on Cryptology in India, INDOCRYPT 20

549 46 32MB

English Pages XX, 906 [912] Year 2020

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Front Matter ....Pages i-xx
Front Matter ....Pages 1-1
Delayed Authentication: Preventing Replay and Relay Attacks in Private Contact Tracing (Krzysztof Pietrzak)....Pages 3-15
Proof-of-Reputation Blockchain with Nakamoto Fallback (Leonard Kleinrock, Rafail Ostrovsky, Vassilis Zikas)....Pages 16-38
Transciphering, Using FiLIP and TFHE for an Efficient Delegation of Computation (Clément Hoffmann, Pierrick Méaux, Thomas Ricosset)....Pages 39-61
Encrypted Key-Value Stores (Archita Agarwal, Seny Kamara)....Pages 62-85
Front Matter ....Pages 87-87
Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts (Cheng Shi, Kazuki Yoneyama)....Pages 89-106
Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification (José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Vincent Laporte, Tiago Oliveira)....Pages 107-127
Protocol Analysis with Time (Damián Aparicio-Sánchez, Santiago Escobar, Catherine Meadows, José Meseguer, Julia Sapiña)....Pages 128-150
Verifpal: Cryptographic Protocol Analysis for the Real World (Nadim Kobeissi, Georgio Nicolas, Mukesh Tiwari)....Pages 151-202
Front Matter ....Pages 203-203
On the Worst-Case Side-Channel Security of ECC Point Randomization in Embedded Devices (Melissa Azouaoui, François Durvaux, Romain Poussier, François-Xavier Standaert, Kostas Papagiannopoulos, Vincent Verneuil)....Pages 205-227
Efficient Hardware Implementations for Elliptic Curve Cryptography over Curve448 (Mojtaba Bisheh Niasar, Reza Azarderakhsh, Mehran Mozaffari Kermani)....Pages 228-247
Extending the Signed Non-zero Bit and Sign-Aligned Columns Methods to General Bases for Use in Cryptography (Abhraneel Dutta, Aaron Hutchinson, Koray Karabina)....Pages 248-270
Front Matter ....Pages 271-271
Cryptanalysis of the Permutation Based Algorithm SpoC (Liliya Kraleva, Raluca Posteuca, Vincent Rijmen)....Pages 273-293
More Glimpses of the RC4 Internal State Array (Pranab Chakraborty, Subhamoy Maitra)....Pages 294-311
Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box (Lorenzo Grassi, Markus Schofnegger)....Pages 312-331
Counting Active S-Boxes is not Enough (Orr Dunkelman, Abhishek Kumar, Eran Lambooij, Somitra Kumar Sanadhya)....Pages 332-344
Computing Expected Differential Probability of (Truncated) Differentials and Expected Linear Potential of (Multidimensional) Linear Hulls in SPN Block Ciphers (Maria Eichlseder, Gregor Leander, Shahram Rasoolzadeh)....Pages 345-369
Front Matter ....Pages 371-371
Quantum Cryptanalysis on Contracting Feistel Structures and Observation on Related-Key Settings (Carlos Cid, Akinori Hosoyamada, Yunwen Liu, Siang Meng Sim)....Pages 373-394
Evaluation of Quantum Cryptanalysis on SPECK (Ravi Anand, Arpita Maitra, Sourav Mukhopadhyay)....Pages 395-413
Front Matter ....Pages 415-415
Making the BKW Algorithm Practical for LWE (Alessandro Budroni, Qian Guo, Thomas Johansson, Erik Mårtensson, Paul Stankovski Wagner)....Pages 417-439
On a Dual/Hybrid Approach to Small Secret LWE (Thomas Espitau, Antoine Joux, Natalia Kharchenko)....Pages 440-462
Front Matter ....Pages 463-463
Adaptively Secure Threshold Symmetric-Key Encryption (Pratyay Mukherjee)....Pages 465-487
Vetted Encryption (Martha Norberg Hovd, Martijn Stam)....Pages 488-507
Security of Public Key Encryption Against Resetting Attacks (Juliane Krämer, Patrick Struck)....Pages 508-528
The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures (Mihir Bellare, Wei Dai)....Pages 529-552
Skipping the q in Group Signatures (Olivier Blazy, Saqib A. Kakvi)....Pages 553-575
Incremental Cryptography Revisited: PRFs, Nonces and Modular Design (Vivek Arte, Mihir Bellare, Louiza Khati)....Pages 576-598
Front Matter ....Pages 599-599
Gadget-Based iNTRU Lattice Trapdoors (Nicholas Genise, Baiyu Li)....Pages 601-623
Lattice-Based IBE with Equality Test Supporting Flexible Authorization in the Standard Model (Giang Linh Duc Nguyen, Willy Susilo, Dung Hoang Duong, HuyQuoc Le, Fuchun Guo)....Pages 624-643
Efficient Attribute-Based Proxy Re-Encryption with Constant Size Ciphertexts (Arinjita Paul, S. Sharmila Deva Selvi, C. Pandu Rangan)....Pages 644-665
Adaptive-Secure Identity-Based Inner-Product Functional Encryption and Its Leakage-Resilience (Linru Zhang, Xiangning Wang, Yuechen Chen, Siu-Ming Yiu)....Pages 666-690
CCA-Secure ABE Using Tag and Pair Encoding (Olivier Blazy, Sayantan Mukherjee)....Pages 691-714
Simpler Constructions of Asymmetric Primitives from Obfuscation (Pooya Farshim, Georg Fuchsbauer, Alain Passelègue)....Pages 715-738
Front Matter ....Pages 739-739
Adaptive Security of Practical Garbling Schemes (Zahra Jafargholi, Sabine Oechsner)....Pages 741-762
Constructive t-secure Homomorphic Secret Sharing for Low Degree Polynomials (Kittiphop Phalakarn, Vorapong Suppakitpaisarn, Nuttapong Attrapadung, Kanta Matsuura)....Pages 763-785
Perfectly-Secure Asynchronous MPC for General Adversaries (Extended Abstract) (Ashish Choudhury, Nikhil Pappu)....Pages 786-809
Improving the Efficiency of Optimally-Resilient Statistically-Secure Asynchronous Multi-party Computation (Ashish Choudhury)....Pages 810-831
High Throughput Secure MPC over Small Population in Hybrid Networks (Extended Abstract) (Ashish Choudhury, Aditya Hegde)....Pages 832-855
Front Matter ....Pages 857-857
Dual-Mode NIZKs: Possibility and Impossibility Results for Property Transfer (Vivek Arte, Mihir Bellare)....Pages 859-881
On Black-Box Extension of a Non-Interactive Zero-Knowledge Proof System for Secret Equality (Kyosuke Yamashita, Mehdi Tibouchi, Masayuki Abe)....Pages 882-904
Back Matter ....Pages 905-906
Recommend Papers

Progress in Cryptology – INDOCRYPT 2020: 21st International Conference on Cryptology in India, Bangalore, India, December 13–16, 2020, Proceedings [1st ed.]
 9783030652760, 9783030652777

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

LNCS 12578

Karthikeyan Bhargavan Elisabeth Oswald Manoj Prabhakaran (Eds.)

Progress in Cryptology – INDOCRYPT 2020 21st International Conference on Cryptology in India Bangalore, India, December 13–16, 2020 Proceedings

Lecture Notes in Computer Science Founding Editors Gerhard Goos Karlsruhe Institute of Technology, Karlsruhe, Germany Juris Hartmanis Cornell University, Ithaca, NY, USA

Editorial Board Members Elisa Bertino Purdue University, West Lafayette, IN, USA Wen Gao Peking University, Beijing, China Bernhard Steffen TU Dortmund University, Dortmund, Germany Gerhard Woeginger RWTH Aachen, Aachen, Germany Moti Yung Columbia University, New York, NY, USA

12578

More information about this subseries at http://www.springer.com/series/7410

Karthikeyan Bhargavan Elisabeth Oswald Manoj Prabhakaran (Eds.) •



Progress in Cryptology – INDOCRYPT 2020 21st International Conference on Cryptology in India Bangalore, India, December 13–16, 2020 Proceedings

123

Editors Karthikeyan Bhargavan Inria Paris Paris, France

Elisabeth Oswald University of Klagenfurt Klagenfurt, Austria

Manoj Prabhakaran Department of Computer Science and Engineering Indian Institute of Technology Bombay Mumbai, Maharashtra, India

ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-030-65276-0 ISBN 978-3-030-65277-7 (eBook) https://doi.org/10.1007/978-3-030-65277-7 LNCS Sublibrary: SL4 – Security and Cryptology © Springer Nature Switzerland AG 2020 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

It is with great pleasure that we present the proceedings of the 21st International Conference on Cryptology (INDOCRYPT 2020) held in India during December 13– 16, 2020, as a virtual conference. INDOCRYPT is an international cryptography conference held every year in December, under the aegis of the Cryptology Research Society of India (CRSI). In the two decades since the inaugural edition in 2000, INDOCRYPT has established itself as a reputable international venue for publishing cryptology research, as well as a valuable resource for promoting research in India. It is currently organized in cooperation with the International Association for Cryptologic Research (IACR). This year's virtual conference was organized by a team centered at the International Institute of Information Technology Bangalore (IIITB). Originally planned to be held at the IIITB campus, the event was transformed into a virtual event to facilitate participation amidst the current pandemic. Past editions of INDOCRYPT were held in various cities in India: Kolkata (2000, 2006, 2012, 2016), Chennai (2001, 2004, 2007, 2011, 2017), Hyderabad (2002, 2010, 2019), New Delhi (2003, 2009, 2014, 2018), Bangalore (2005, 2015), Kharagpur (2008), and Mumbai (2013). The Program Committee (PC) for INDOCRYPT 2020 consisted of 61 experts from around the world. About 36% of the PC (including two of the chairs) was based in Europe, 28% in the USA, 23% in India (including one chair), and the rest from other countries in Asia and from New Zealand. The conference attracted 104 submissions. Of these, 20 papers were rejected by the PC chairs for not meeting the submission guidelines. The remaining 84 papers were reviewed by the PC, with most papers receiving 3 independent reviews (3 papers each received 1, 2, and 4 reviews). The double-blind reviews were carried out by the PC, with the help of 77 external reviewers, using the EasyChair conference management system. We take this opportunity to thank all the PC members and the external reviewers for a tremendous job! Despite the short review period, on the whole, the reviews were rigorous and detailed. In a handful of submissions, the reviews uncovered subtle errors; at the discretion of the PC, the authors were given a chance to respond, often resulting in fixes or withdrawal of those submissions. At the end of the review phase, 39 papers were selected for publication in these proceedings, 9 of which went through a shepherding process to ensure that various concerns raised by the reviewers were addressed before publication. As usual, the final uploaded versions were not reviewed by the PC, and the authors bear the full responsibility for their contents. The 104 submissions received involved 270 authors from 33 countries. Among the accepted papers, European authors had a share of about 42%, North American authors about 22%, Indian authors about 17%, authors from the rest of Asia about 16%, and Australian authors about 3%; the top 4 countries contributing to this list were the USA (21%), India (17%), France, and Japan (9% each).

vi

Preface

The program also included three invited talks by Ran Canetti (Boston University, USA), Véronique Cortier (CNRS, France), and Carmela Troncoso (EPFL, Switzerland), a tutorial on “Constructive Cryptography” led by Ueli Maurer (ETH Zürich, Switzerland), and a Rump Session to announce new results and works in progress. Apart from its traditional focus on areas in applied and theoretical cryptology, this year INDOCRYPT solicited papers in the area of Formal Methods for Cryptographic Systems. While this is an area which has the same high-level goal as cryptology – namely, providing information security guarantees – the avenues for interaction between these two areas have been limited. It is to mend this gap, and to work towards a future when the tools and techniques from these two areas would be developed and deployed synergistically, that INDOCRYPT 2020 has expanded its scope this year. These proceedings carry a short but interesting section on this theme featuring four papers. Two of the invited talks also fit this theme. In addition, a two-day long preconference workshop called “VeriCrypt: An Introduction to Tools for Verified Cryptography” provided students and practitioners of cryptography with a unique opportunity to learn about verified cryptography from the leading experts in the area. Altogether, we hope that these would intrigue and inspire many cryptographers to engage with Formal Methods. Conversely, we hope that the participants at INDOCRYPT 2020 from the Formal Methods community would be exposed to a wealth of new questions and concepts developed in the Cryptography community. We would like to thank CRSI for entrusting us with putting together the program for INDOCRYPT 2020. Thanks to the authors of all the submissions and the contribution of the entire PC, we have ended up with a rich and exciting program. We would also like to acknowledge the major contribution of the organizers, headed by the general chairs Prof. S. Sadagopan (Director, IIITB) and Dr. Vishal Saraswat (RBEI/ESY). In particular, we thank the organizing chair, Prof. Srinivas Vivek (IIITB) and his efficient team for helping us in a range of tasks, including putting together the conference webpage with all the relevant information and instructions for the authors, implementing replacements for features not included in the free license of EasyChair, and assembling the proceedings. We also thank Springer for continuing to support INDOCRYPT by publishing the proceedings as part of the LNCS series. Finally, we thank all the participants in the conference, including the authors of all the submissions, the attendees and the presenters, for their enthusiastic participation. We hope you find INDOCRYPT 2020 and these proceedings to be valuable and enjoyable! December 2020

Karthikeyan Bhargavan Elisabeth Oswald Manoj Prabhakaran

Organization

General Chairs S. Sadagopan Vishal Saraswat

IIIT Bangalore, India Robert Bosch Engineering and Business Solutions Pvt. Ltd., India

Program Committee Chairs Karthikeyan Bhargavan Elisabeth Oswald Manoj Prabhakaran

Inria Paris, France University of Klagenfurt, Austria Indian Institute of Technology Bombay, India

Program Committee Shweta Agrawal Shashank Agrawal Saikrishna Badrinarayanan Manuel Barbosa Mihir Bellare Davide Bellizia Begül Bilgin Bruno Blanchet Chris Brzuska Nishanth Chandran Ran Cohen Cas Cremers Apoorvaa Deshpande Maria Eichlseder Pooya Farshim Chaya Ganesh Deepak Garg Vipul Goyal Clémentine Gritti Divya Gupta Carmit Hazay James Howe Abhishek Jain Bhavana Kanukurthi Dakshita Khurana Markulf Kohlweiss

Indian Institute of Technology Madras, India Western Digital, USA Visa Research, USA HASLab - INESC TEC, Portugal University of California, San Diego, USA Université catholique de Louvain, Belgium Université catholique de Louvain, Belgium Inria Paris, France Aalto University, Finland Microsoft Research, India Northeastern University, USA CISPA Helmholtz Center for Information Security, Germany Snap Inc., USA IAIK TU Graz, Austria University of York, UK Indian Institute of Science, India Max Planck Institute for Software Systems, Germany Carnegie Mellon University, USA University of Canterbury, New Zealand Microsoft Research, India Bar-Ilan University, Israel PQShield, UK Johns Hopkins University, USA Indian Institute of Science, India University of Illinois at Urbana-Champaign, USA The University of Edinburgh, UK

viii

Organization

Venkata Koppula Steve Kremer Ralf Küsters N. V. Narendra Kumar Patrick Longa Bart Mennink Aikaterini Mitrokotsa Pratyay Mukherjee Debdeep Mukhopadhyay Prasad Naldurg Ryo Nishimaki Adam O’Neill Sabine Oechsner Anat Paskin-Cherniavsky Arpita Patra Raphael C.-W. Phan Romain Poussier Sanjiva Prasad R. Ramanujam Aseem Rastogi Mike Rosulek Arnab Roy Alessandra Scafuro Peter Schwabe Sourav Sen Gupta Akshayaram Srinivasan Pierre-Yves Strub S. P. Suresh Ni Trieu Prashant Vasudevan Bo-Yin Yang Santiago Zanella-Béguelin

Indian Institute of Technology Delhi, India Inria Paris, France University of Stuttgart, Germany IDRBT Hyderabad, India Microsoft Research Redmond, USA Radboud University Nijmegen, The Netherlands Chalmers University of Technology, Sweden Visa Research, USA Indian Institute of Technology Kharagpur, India Inria Paris, France NTT, Japan University of Massachusetts, USA Aarhus University, Denmark Ariel University, Israel Indian Institute of Science, India Monash University, Malaysia Nanyang Technological University, Singapore Indian Institute of Technology Delhi, India Institute of Mathematical Sciences Chennai, India Microsoft Research, India Oregon State University, USA University of Klagenfurt, Austria North Carolina State University, USA Max Planck Institute for Security and Privacy, Germany, and Radboud University, The Netherlands Nanyang Technological University, Singapore University of California, Berkeley, USA École Polytechnique, France Chennai Mathematical Institute, India Arizona State University, USA University of California, Berkeley, USA Academia Sinica, Taiwan Microsoft Research, USA

Organizing Committee Chair Srinivas Vivek

IIIT Bangalore, India

Organizing Committee Anju Alexander Janvi Chhabra Hemanth Chitti Aditya Hegde Deepak K. Shyam S. M.

IIIT Bangalore, India IIIT Bangalore, India IIIT Bangalore, India IIIT Bangalore, India National Institute of Technology Karnataka, India IIIT Bangalore, India

Organization

Girisha Shankar Santosh Upadhyaya Annapurna Valiveti Vivek Yadav

IISc Bengaluru, India IIIT Bangalore, India IIIT Bangalore, India IIIT Bangalore, India

Additional Reviewers Aayush Jain Abida Haque Aditya Hegde Amit Singh Bhati Anna Guinet Arpan Jati Ashwin Jha Bei Liang Benedikt Bunz Bhavana Obbattu Chen-Da Liu-Zhang Chetan Surana Damien Stehlé Daniel Coggia Daniel Masny Debapriya Basu Roy Deevashwer Rathee Divya Ravi Gayathri Garimella Georgia Tsaloli Gustavo Banegas Ian McQuoid Jack Doerner James Bartusek Julian Liedtke Kolin Paul Laasya Bangalore Lauren De Meyer Lorenzo Grassi Lukasz Chmielewski Madhavan Mukund Manaar Alam Mang Zhao Marc Rivinius Marco Baldi Markus Schofnegger Mayank Rathee Meenakshi Kansal

Michael Hamburg Michael Tunstall Michael Walter Miruna Rosca Monosij Maitra Nilanjan Datta Nishant Kumar Nishat Koti Paulo Barreto Pedram Hosseyni Pierrick Meaux Pratik Sarkar Rachit Garg Rafaël Del Pino Rishabh Bhadauria Rogério Pontes Ron Steinfeld Sarah McCarthy Satrajit Ghosh Satyanarayana Vusirikala Sebastian Hasler Shai Halevi Shivam Bhasin Shreyas Gupta Sikhar Patranabis Sogol Mazaheri Sruthi Sekar Subhamoy Maitra Subodh Sharma Søren Eller Thomsen Tahina Ramananandro Tapas Pal Vaishnavi Sundararajan Varsha Bhat Veronika Kuchta Yilei Chen Yoo-Seung Won Zhengzhong Jin

ix

x

Organization

Jointly Organized By

Under the Aegis of

In Cooperation with

Abstracts of Invited Talks

Can We Have Truly Secure Information Systems? Combining Formal Analysis and Cryptography is Key Ran Canetti1

Abstract. We constantly hear about new vulnerabilities in information systems. Beyond the direct harm caused by each vulnerability and exploit, the constant stream of exposed flaws, which range from small programming bugs to largescale design errors, undermine our general trust in information systems. This lack of trust, in turn, undermines our ability to fully realize the potential societal benefits that information systems carry—in particular their ability to preserve the privacy of sensitive data, while allowing controlled use of this data along with accountability for such use. This talk will argue that this unfortunate state of affairs is far from being inherent, and that if we combine technology and thinking from a number of communities, most prominently Programming Languages, Cryptography, and System design, it will indeed be possible to build large scale information systems that truly satisfy even intricate security and functionality requirements. We will survey some of the work done in this direction and will outline a potential road ahead. Key tools include: (a) developing techniques for using PL methodology and techniques to specify and assert higher-level security properties of multi-component systems, and (b) enabling security-preserving modular design and analysis of complex systems from simple building blocks. Key application areas will also be discussed.

1

Boston University. Member of the CPIIS. Supported by NSF Awards 1931714, 1801564, 1414119, and DARPA awards HR00112020021 and HR00112020023.

Electronic Voting: How Formal Methods Can Help Véronique Cortier1 CNRS, Université de Lorraine, Inria, LORIA, F-54000 Nancy, France [email protected] Abstract. Electronic voting is now used in many countries and in many elections, from small elections such as parents representatives in schools, to politically binding elections. Electronic voting facilitates counting and enables a wide variety of elections, such as preferential voting where voters rank their candidates by order of preference. In such a case, counting the votes by hand can be a very complex task that can, in contrast, easily be handled by a computer. Another advantage of electronic voting is that voters may vote from anywhere and it can last several weeks if needed. It is often used at least as a replacement of postal voting. However, electronic voting also comes with security threats and has been subject to severe attacks. For example, the Washington, D.C., Internet voting system has been attacked [7], during a trial just before the election. Recently, Switzerland has stopped temporarily using electronic voting after a public penetration test that has revealed severe weaknesses [6]. Ideally, electronic voting should offer the same guarantees that traditional paper-based election. In particular, it should guarantee vote privacy (no one should know how I voted) and verifiability: anyone should be able to check that the votes are accurately counted and correspond to the voters intent. In this talk, we will present the Belenios voting protocol [4] that has been used in more than 500 elections in 2020, through its voting platform1. We will discuss its security properties as well as its limitations. As for security protocols in general, the design of electronic voting systems is error-prone and it is hard to assess whether a protocol ensures the required security properties. For these reasons, a common good practice is to design a protocol together with a formal security analysis, as it has been done in the context of TLS1.3 [5] for example. The Swiss Chancellerie requires both computational and formal proofs of security before the deployment of an electronic voting system [1]. We will explain how the tools developed for the automated analysis of security protocols, like ProVerif [3], can help gaining a better confidence in e-voting protocols. One particular issue in the context of voting is that the formalization of security properties is still an on-going work, even for crucial properties like vote secrecy [2]. Hence electronic voting still raises many challenges for our research community.

1

https://belenios.loria.fr/admin

Electronic Voting: How Formal Methods Can Help

xv

References 1. Exigences techniques et administratives applicables au vote électronique. Chancel-lerie fédérale ChF, 2014. Swiss recommendation on e-voting. 2. Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: A comprehensive analysis of game-based ballot privacy definitions. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015), San Jose, CA, USA, pp. 499–516. IEEE Computer Society Press, May 2015 3. Blanchet, B.: Automatic verification of security protocols in the symbolic model: the verifier proverif. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2013, FOSAD 2012. LNCS, pp. 54–87, vol. 8604. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10082-1_3 4. Cortier, V., Gaudry, P., Glondu, S.: Belenios: a simple private and verifiable electronic voting system. In: Guttman, J., Landwehr, C., Meseguer, J., Pavlovic, D. (eds.) Foundations of Security, Protocols, and Equational Reasoning. LNCS, vol. 11565, pp. 214–238. Springer, Cham (2019) . https://doi.org/10.1007/978-3-030-19052-1_14 5. Delignat-Lavaud, A., et al.: Implementing and proving the TLS 1.3 record layer. In: IEEE Symposium on Security and Privacy (Oakland), pp. 463–482 (2017) 6. Lewis, S.J., Pereira, O., Teague, V.: Trap-door commitments in the SwissPost e-voting shuffle proof (2019). https://people.eng.unimelb.edu.au/vjteague/SwissVote 7. Wolchok, S., Wustrow, E., Isabel, D., Halderman, J.A.: Attacking the Washington, D.C. Internet voting system. In: Financial Cryptography and Data Security (FC 2012) (2012)

Engineering Privacy in Contact Tracing Apps

Carmela Troncoso EPFL/SPRING Lab carmela.troncoso@epfl.ch Abstract. A key measure to mitigate and slow down virical disease is contact tracing. Contact tracers traditionally relies on time-consuming activities performed by human contact tracers: interview positive patients to identify potential infected contacts, and communicate with those contacts to ensure they take precautions (e.g., self-isolate or take a test). As the number of cases increases, human contact tracers cannot timely perform their activities, decreasing their effectiveness at breaking transmission chains and hence at slowing down the virus spread. This situation prompted institutions and governments to seek help from technology to be able to scale mitigation measures. During 2020 we have witnessed the appearance of a number of Digital Proximity Tracing proposals which have three main goals: notifying contacts in a timely manner, notifying close contacts that may not be identified by manual contact tracing, and operating even when manual contact tracers cannot scale to the number of positive cases. These proposals typically rely on smartphones to gather proximity information that serves to identify contacts. In this talk we will present the Decentralized Privacy-Preserving Proximity Tracing protocol (DP3T) [1], that inspired Google and Apple's Exposure Notification and is now the basis of dozens of proximity tracing mobile apps around the world. We will discuss the requirements and constraints that drove the protocol design, and the security and privacy trade-offs that we had to confront. The protocol, however, is only a small part of a Digital Proximity tracing system which includes communication with the server and integration with health services. This talk will also summarize our experience designing and implementing these mechanisms under time pressure and continuous changes in the underlying libraries.

Reference 1. Troncoso, C., et al.: Decentralized Privacy-Preserving Proximity Tracing, 25 May 2020. https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf

Contents

Applications Delayed Authentication: Preventing Replay and Relay Attacks in Private Contact Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Krzysztof Pietrzak Proof-of-Reputation Blockchain with Nakamoto Fallback . . . . . . . . . . . . . . . Leonard Kleinrock, Rafail Ostrovsky, and Vassilis Zikas Transciphering, Using FiLIP and TFHE for an Efficient Delegation of Computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Clément Hoffmann, Pierrick Méaux, and Thomas Ricosset Encrypted Key-Value Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Archita Agarwal and Seny Kamara

3 16

39 62

Formal Methods Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts . . . . Cheng Shi and Kazuki Yoneyama Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Vincent Laporte, and Tiago Oliveira

89

107

Protocol Analysis with Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Damián Aparicio-Sánchez, Santiago Escobar, Catherine Meadows, José Meseguer, and Julia Sapiña

128

Verifpal: Cryptographic Protocol Analysis for the Real World . . . . . . . . . . . Nadim Kobeissi, Georgio Nicolas, and Mukesh Tiwari

151

Implementing Elliptic Curve Cryptography On the Worst-Case Side-Channel Security of ECC Point Randomization in Embedded Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Melissa Azouaoui, François Durvaux, Romain Poussier, François-Xavier Standaert, Kostas Papagiannopoulos, and Vincent Verneuil

205

xviii

Contents

Efficient Hardware Implementations for Elliptic Curve Cryptography over Curve448 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mojtaba Bisheh Niasar, Reza Azarderakhsh, and Mehran Mozaffari Kermani Extending the Signed Non-zero Bit and Sign-Aligned Columns Methods to General Bases for Use in Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . Abhraneel Dutta, Aaron Hutchinson, and Koray Karabina

228

248

Ciphers and Cryptanalysis Cryptanalysis of the Permutation Based Algorithm SpoC . . . . . . . . . . . . . . . Liliya Kraleva, Raluca Posteuca, and Vincent Rijmen

273

More Glimpses of the RC4 Internal State Array . . . . . . . . . . . . . . . . . . . . . Pranab Chakraborty and Subhamoy Maitra

294

Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lorenzo Grassi and Markus Schofnegger Counting Active S-Boxes is not Enough . . . . . . . . . . . . . . . . . . . . . . . . . . Orr Dunkelman, Abhishek Kumar, Eran Lambooij, and Somitra Kumar Sanadhya Computing Expected Differential Probability of (Truncated) Differentials and Expected Linear Potential of (Multidimensional) Linear Hulls in SPN Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maria Eichlseder, Gregor Leander, and Shahram Rasoolzadeh

312 332

345

Quantum Cryptanalysis Quantum Cryptanalysis on Contracting Feistel Structures and Observation on Related-Key Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Carlos Cid, Akinori Hosoyamada, Yunwen Liu, and Siang Meng Sim Evaluation of Quantum Cryptanalysis on SPECK . . . . . . . . . . . . . . . . . . . . Ravi Anand, Arpita Maitra, and Sourav Mukhopadhyay

373 395

Learning with Errors Making the BKW Algorithm Practical for LWE . . . . . . . . . . . . . . . . . . . . . Alessandro Budroni, Qian Guo, Thomas Johansson, Erik Mårtensson, and Paul Stankovski Wagner

417

On a Dual/Hybrid Approach to Small Secret LWE . . . . . . . . . . . . . . . . . . . Thomas Espitau, Antoine Joux, and Natalia Kharchenko

440

Contents

xix

Encryption and Signatures Adaptively Secure Threshold Symmetric-Key Encryption . . . . . . . . . . . . . . . Pratyay Mukherjee

465

Vetted Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Martha Norberg Hovd and Martijn Stam

488

Security of Public Key Encryption Against Resetting Attacks . . . . . . . . . . . . Juliane Krämer and Patrick Struck

508

The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures . . . . . . . Mihir Bellare and Wei Dai

529

Skipping the q in Group Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Olivier Blazy and Saqib A. Kakvi

553

Incremental Cryptography Revisited: PRFs, Nonces and Modular Design . . . . Vivek Arte, Mihir Bellare, and Louiza Khati

576

Functional Encryption Gadget-Based iNTRU Lattice Trapdoors . . . . . . . . . . . . . . . . . . . . . . . . . . Nicholas Genise and Baiyu Li Lattice-Based IBE with Equality Test Supporting Flexible Authorization in the Standard Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Giang Linh Duc Nguyen, Willy Susilo, Dung Hoang Duong, HuyQuoc Le, and Fuchun Guo

601

624

Efficient Attribute-Based Proxy Re-Encryption with Constant Size Ciphertexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Arinjita Paul, S. Sharmila Deva Selvi, and C. Pandu Rangan

644

Adaptive-Secure Identity-Based Inner-Product Functional Encryption and Its Leakage-Resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Linru Zhang, Xiangning Wang, Yuechen Chen, and Siu-Ming Yiu

666

CCA-Secure ABE Using Tag and Pair Encoding. . . . . . . . . . . . . . . . . . . . . Olivier Blazy and Sayantan Mukherjee

691

Simpler Constructions of Asymmetric Primitives from Obfuscation . . . . . . . . Pooya Farshim, Georg Fuchsbauer, and Alain Passelègue

715

xx

Contents

Secure Multi-party Computation Adaptive Security of Practical Garbling Schemes . . . . . . . . . . . . . . . . . . . . Zahra Jafargholi and Sabine Oechsner Constructive t-secure Homomorphic Secret Sharing for Low Degree Polynomials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kittiphop Phalakarn, Vorapong Suppakitpaisarn, Nuttapong Attrapadung, and Kanta Matsuura

741

763

Perfectly-Secure Asynchronous MPC for General Adversaries (Extended Abstract). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ashish Choudhury and Nikhil Pappu

786

Improving the Efficiency of Optimally-Resilient Statistically-Secure Asynchronous Multi-party Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . Ashish Choudhury

810

High Throughput Secure MPC over Small Population in Hybrid Networks (Extended Abstract). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ashish Choudhury and Aditya Hegde

832

Non-interactive Zero-Knowledge Proofs Dual-Mode NIZKs: Possibility and Impossibility Results for Property Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vivek Arte and Mihir Bellare

859

On Black-Box Extension of a Non-Interactive Zero-Knowledge Proof System for Secret Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kyosuke Yamashita, Mehdi Tibouchi, and Masayuki Abe

882

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

905

Applications

Delayed Authentication: Preventing Replay and Relay Attacks in Private Contact Tracing Krzysztof Pietrzak(B) IST Austria, Klosterneuburg, Austria [email protected]

Abstract. Currently several projects aim at designing and implementing protocols for privacy preserving automated contact tracing to help fight the current pandemic. Those proposal are quite similar, and in their most basic form basically propose an app for mobile phones which broadcasts frequently changing pseudorandom identifiers via (low energy) Bluetooth, and at the same time, the app stores IDs broadcast by phones in its proximity. Only if a user is tested positive, they upload either the beacons they did broadcast (which is the case in decentralized proposals as DP-3T, east and west coast PACT or Covid watch) or received (as in Popp-PT or ROBERT) during the last two weeks or so. Vaudenay [eprint 2020/399] observes that this basic scheme (he considers the DP-3T proposal) succumbs to relay and even replay attacks, and proposes more complex interactive schemes which prevent those attacks without giving up too many privacy aspects. Unfortunately interaction is problematic for this application for efficiency and security reasons. The countermeasures that have been suggested so far are either not practical or give up on key privacy aspects. We propose a simple non-interactive variant of the basic protocol that – (security) Provably prevents replay and (if location data is available) relay attacks. – (privacy) The data of all parties (even jointly) reveals no information on the location or time where encounters happened. – (efficiency) The broadcasted message can fit into 128 bits and uses only basic crypto (commitments and secret key authentication). Towards this end we introduce the concept of “delayed authentication”, which basically is a message authentication code where verification can be done in two steps, where the first doesn’t require the key, and the second doesn’t require the message.

1

Introduction

Automated contact tracing aims to simplify and accelerate the process of identifying people who have been in contact with the SARS-CoV-2 virus. There are several This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 TOCNeT). c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 3–15, 2020. https://doi.org/10.1007/978-3-030-65277-7_1

4

K. Pietrzak

similar projects, including east [CKL+20] and west coast PACT [CGH+20], Covid Watch [CW20], DP-3T [TPH+20], Robert [Rob20] or Pepp-PT [Pep20]. For concreteness, in this paper we’ll use the basic DP-3T protocol to illustrate the concept and issues with those proposals. The acronym stands for Decentralized PrivacyPreserving Proximity Tracing.

Advertising app //

EphID is current ephemeral id

(basic DP-3T)

Receiving app

EphID locally store EphID

Fig. 1. The basic DP-3T protocol. If at some point a user is reported sick the app will learn (the keys required to recompute) their EphID’s of the last 14 d. If it locally stored one of those EphID’s this means they were likely close to an infected user.

In the DP-3T proposal users are assumed to have a mobile phone or another Bluetooth capable device with their application installed. At setup the app samples a random key SK0 . This key is updated every day as SKi = H(SKi−1 ) using a cryptographic hash function H. Each key defines n Ephemeral IDentifiers (EphID) derived from SKi using a pseudorandom generator and function as EphID1 EphID2  . . . EphIDn := Prg(Prf(SKi , “broadcast key”)) Those EphID’s are used in a random order during the day, each for 24 · 60/n minutes (say 30 min if we set n = 48). The current EphID is broadcast using Bluetooth in regular intervals to potential users in its proximity. Phones locally store the EphID’s they receive as well as their own SKi ’s of the last 14 days. If a user tests positive they can upload their key SKi from 14 days ago to the backend server, which will distribute it to all users. From this key, one can recompute all the EphID’s the infected user broadcasted in the last 14 d. So all other users can check if there’s a match with any of their locally stored EphID’s. If yes, it means they’ve presumably been in proximity to an infected person in the last two weeks and thus should take action (get tested, self isolate). This description is oversimplifying several aspects that are not relevant for this work. This is a more decentralized approach, which apart from DP-3T is followed by both PACTs and Covid Watch from the above mentioned proposals. In Pepp-PT or Robert the infected user uploads the EphID’s he received (not broadcasted), and the server (which here must know the secret keys and contact details of all users) contacts the senders of those EphID’s. Important aspects of this protocol are its simplicity, in particular the fact that the protocol is non-interactive as illustrated in Fig. 1, and its privacy properties: Even the combined information stored by all honest users reveals

Delayed Authentication: Preventing Replay and Relay Attacks

5

which encounters happened, but no location or time (apart from the day). Some privacy and security properties have been formally analyzed [DDL+20], but once we take into account malicious actors, this scheme has serious issues with its privacy and robustness properties.

2

Replay and Relay Attacks

Many papers including [ABIV20,KBS20,BDF+20] discuss privacy issues with DP-3T like protocols. Vaudenay [Vau20a,Vau20b] and Gvili [Gvi20] also discusses robustness of this scheme including replay and relay attacks. As an illustration of a replay attack consider an adversary who collects EphID’s in an environment where it’s likely infections will occur (like a hospital), and then broadcast those EphID’s to users at another location, say a competing company it wants to hurt. Later, when a user from the high risk location gets tested positive, the people in the company will be instructed to self isolate.

Advertising app // k, EphID are current // emphemeral key and

[Vau20a] replay-secure id

Receiving app

EphID pick challenge

challenge tag ← Mac(k, challenge)

tag locally store (EphID, challenge, tag)

Fig. 2. Vaudenay’s protocol secure against replay attacks. Apart from ephemeral IDs EphID (as in DP-3T) also ephemeral keys k are generated from SK. When later the user of the receiving app gets keys of infected users they will check for every tuple (k, EphID ) derived from those keys if they locally store a triple (EphID, challenge, tag) ?

with EphID = EphID . If yes, they will check whether tag = Mac(k, challenge) and only if this check verifies, assume they were close to an infected party.

Vaudenay suggest an extension of the basic DP-3T protocol, shown in Fig. 2, which is secure against replay attacks, but it comes at the prize of using interaction. For efficiency and security reasons, the current DP-3T proposal uses Bluetooth low energy beacons, which makes interaction problematic (we refer to [TPH+20] for more details). To see that this protocol is secure against a replay attack consider an adversary who re-sends the received EphID at a later time-point. The receiving party will send a random challenge which is almost certainly different from all the challenge values that were send when EphID was originally broadcast. The standard security notion for message authentication codes implies that the adversary, who does not know k, will almost certainly not

6

K. Pietrzak

be able to compute the right tag Mac(k, challenge ) for this challenge. Should the adversary still answer with a authenticator tag , the receiving user will reject the triple (EphID, challenge, tag ) once it learns k as tag = Mac(k, challenge ). A relay attack is a more sophisticated attack (than a replay attack). Here the adversary relays the messages from one location (e.g., the hospital) to another (e.g., the company it wants to hurt) in real time. The protocol from Fig. 2 is not secure against relay attacks. Vaudenay also suggests a protocol which thwarts relay attacks assuming both devices know their location (using GPS) and with an additional round of interaction. Our relay secure protocol also requires location data, but achieves security against relay attacks without interaction. Replay and relay attacks are listed as one of the main security aspects in the Mobile applications to support contact tracing in the EU’s fight against COVID19 document [eu20]. Identifier relay/replay prevention safeguards should be implemented to prevent those attacks, meaning that User A should not be able to record an identifier of User B and, afterwards, send User B’s identifier as his/her own. 2.1

Inverse-Sybil Attacks

This submission only deals with replay and relay attacks, but there’s at least one other attack by which one can launch false positives on a large scale in protocols including DP-3T; A group of users (malicious or with hacked devices) can use the same initial key on many devices. Should this key then be uploaded to the backend server, all users that were in proximity with one of those many devices would get an alert. This attack is one of the “terrorist attacks” described in [Vau20b] and called “inverse-sybil” attack in [AKP+20], this latter work proposes protocols that harden the app against this attack by making the broadcasted values unpredictable (concretely, either dependent on past encounters or location) and chaining them, so that later the chains of the individual devices cannot be merged, and thus only one device is allowed to uploads its encounters. Like in this work, the protocols in [AKP+20] only use simple crypto, everything can be done using just a hash function, but they have to assume collision resistance (for the chaining property), while in this work universal hashing is sufficient. A related attack discussed in [Vau20b] considers bribing infected users to upload tokens, the feasibility of such an attack using smart contracts has been analyzed in [AFV20].

3 3.1

Simple Solutions A Simple Solution Without Privacy

If one doesn’t care about storing the time of encounters, there’s a straight forward non-interactive protocol secure against replay and even relay attacks: take Vaudenay’s protocol as shown in Fig. 2 but replace challenge with the current

Delayed Authentication: Preventing Replay and Relay Attacks

7

time t, so the sender just broadcasts (EphID, tag = Mac(k, t)). The receiving app will store each such received tuple together with the coarse current time t . If the sender later reports sick and their ephemeral ID/key pairs (EphID, k) become public, the receiver checks for every such pair and every locally stored ? entry (EphID , tag, t ) where EphID = EphID if tag = Mac(k, t ). Note that this  check verifies iff t = t , i.e., the claimed time of the sender matches the time of the receiver. If the check fails the recipient rejects that tuple as a replay attack might have taken place. In centralized schemes (like Robert or Pepp-PT) the server, who knows all keys, can do this verification. This protocol has terrible privacy properties for sender and receiver as the time of encounters are locally stored by the receiving parties. Replay attacks are also not completely ruled out, but are still possible within one unit of time, which must be measured sufficiently coarse in this protocol to allow for some latency and asynchrony of clocks of sending and receiving party. Setting it to a second should be sufficient. By additionally authenticating the location, e.g. using coarse GPS coordinates, one can also prevent relay attacks. 3.2

A Simple Solution Using Digital Signatures

Using digital signatures instead of a message authentication code one can solve the privacy problem of the protocol above. Consider the protocol from above, but where using the ephemeral key k one first samples a signature public/secret key pair (sk, pk) ← keygen(k) using k as randomness. Instead of the MAC, we now broadcast the public key and a signature of the current time, i.e., (EphID, sign(sk, t), pk). Upon receiving a tuple (EphID, σ, pk) the recipient retrieves its time t and then runs the signature verification algorithm ? accept = verify(pk, σ, t ) to check if σ is a valid signature for the current time t under pk. If no, the tuple is ignored, otherwise it stores (EphID, pk), but not the signature itself! If later ephemeral ID/key pairs (EphID, k) of infected parties become known, it checks for every such tuple and every locally stored (EphID , pk) where EphID = EphID if pk is derived from k (i.e., pk = pk where (pk , sk ) ← keygen(k)). Only if all checks pass it assumes it was close to an infected party. As to security, it’s not hard to show that a successful relay attacks requires the adversary to forge a signature. While for privacy we observe that the tuple (EphID, pk) stored by the receiver is independent of the time at which the encounter happened. This protocol is less efficient than the previous construction simply because signatures are computationally more expensive than MACs, and already for this reason might not be acceptable for a tracing app. There’s also no chance to fit the message (a signature and public-key) into a 128 bits Bluetooth beacon as used by the current proposals.

8

3.3

K. Pietrzak

Our Contribution

We propose a construction which basically combines the best features of the two simple constructions outlined above. That is, a simple non-interactive scheme using symmetric cryptography that prevents replay (and if we assume location data is available, also relay) attacks, does not leak any time (or location) information and where the broadcasted value fits into a 128 bit beacon.

4

Delayed Authentication

The main tool in our protocols is the concept of “delayed authentication”. By combining a (weak) commitment scheme commit : M × R → Y and a standard message authentication code Mac : K × M → T (where Y ⊆ M ) we get a new (randomized) message authentication code DelayMac : K × M × R → T which allows for a two step authentication process, where the first doesn’t require the key, and the second is independent of the authenticated message. We need the following security from commit (weak, computationally) binding: It must be hard to find a tuple of message/randomness pairs (m, ρ),(m , ρ ) where m = m but commit(m , ρ ) = commit(m, ρ). This is the standard (computationally) binding property for commitment schemes, but we’ll actually just need a weaker binding property, where the adversary first must choose an m and gets a random ρ. And for this pair (m, ρ) must output a (m , ρ ) where m = m but commit(m , ρ ) = commit(m, ρ). In Sect. 6 we’ll exploit the fact that just this weaker notion is required to reduce communication. (statistically) hiding: For any m ∈ M and a uniformly random ρ ←$ R the commitment commit(m, ρ) is close to uniform (or some other fixed distribution) given m. In practice we can expect a well designed cryptographic hash function H to satdef isfy the above, i.e., use commit(m, ρ) = H(mρ), if the range of H is sufficiently smaller than the length |ρ| of ρ. We define the following randomized message authentication code DelayMac (ρ, Mac(k, σ)) ← DelayMac(k, m) where ρ ←$ R, σ := commit(m, ρ) We can verify such a message/tag pair m, (ρ, tag) in two steps. 1. Compute σ := commit(m, ρ), then store (σ, tag) and delete m, ρ. Note that this step does not require k, we call (σ, tag) the delayed tag. 2. Later, should the key k become available, authenticate the delayed tag check? ing tag = Mac(k, σ). We will require two security properties from DelayMac. First, it must satisfy the standard security notion for message authentication codes. Second, we want the delayed tag (σ, tag) together with k to statistically hide the authenticated message m. Both properties are easy to prove.

Delayed Authentication: Preventing Replay and Relay Attacks

9

Lemma 1. DelayMac is existentially unforgeable under chosen message attacks. Proof. Consider an adversary ADelayMac(k,·) who can request tags (ρi , tagi ) for messages mi of its choice (for a secret random key k), and finally outputs a forgery, i.e., a message tag/pair (m∗ , (ρ∗ , tag∗ )) for an m∗ on which it did not query the oracle and which passes verification. We will show that this forgery can either be turned into a forgery for Mac or to break the (weak) binding property of commit. As assuming Mac and commit are secure means both those events have negligible probability, we can conclude that every efficient A will only be able to find such a forgery with negligible probability (and thus DelayMac is secure as stated in the lemma). Let σi = commit(mi , ρi ), then if def

∀i : σi = σ ∗ = commit(m∗ , ρ∗ ) the forgery (m∗ , (ρ∗ , tag∗ )) for DelayMac can be turned into a forgery (σ ∗ , tag∗ ) for Mac. Otherwise, for some i it holds that commit(m∗ , ρ∗ ) = commit(mi , ρi )

and

m∗ = mi

and thus we broke the binding property of commit. In fact, as the ρi were chosen uniformly at random by the oracle, this already breaks the weak binding property (the simple reduction showing this is omitted).

Lemma 2. The delayed tag (σ, tag) = (commit(m, ρ), Mac(k, σ)) together with k statistically hides m. Proof. As we assume commit is statistically hiding, there exists some distribution X such that for any m and a uniform ρ, the commitment σ = commit(m, ρ) is  close to X. As k is independent of (m, ρ) and thus σ, by the data processing inequality also (σ, tag = Mac(k, σ), k) is  close to some fixed distribution Y (concretely, to the distribution Y ∼ (X, Mac(k, X), k)). In terms of indistinguishability, this means that even a computationally unbounded distinguisher who can choose two messages m0 , m1 , and then gets the delayed tag for mb for a random b ∈ {0, 1}, will not be able to guess b better than with probability 1/2 + /2. If commit is only computationally hiding, such indistinguishability only holds against computationally bounded distinguishers.



5

Our Protocol

Let us illustrate how we use delayed authentication in our protocol which is given in Fig. 3. As in [Vau20a], apart from the EphID’s, EphID1 EphID2  . . . EphIDn := Prg(Prf(SKi , “broadcast key”)) the app additionally computes an ephemeral secret key ki with each EphIDi k1 k2  . . . kn = Prg(Prf(SKi , “secret key”))

10

K. Pietrzak our protocol

Advertising app // k, EphID current emph. key,id // got coarse time and location (x, y) ← get GPS-coordinates t ← get current time // (ρ, tag) ← DelayMac(k, (t, x, y)) ρ ←$ R σ := commit((t, x, y), ρ) tag := Mac(k, σ)

ρ, tag, EphID t|1 , x|1 , y|1

Receiving app

(x , y  ) ← get GPS-coordinates t ← get current time round t , x , y  so their least significant bit matches the bits t|1 , x|1 , y|1 σ  := commit((t , x , y  ), ρ) locally store (σ  , tag, EphID)

Fig. 3. Our non-interactive contact tracing protocol that is secure against relay attacks. By ignoring the blue text we get a protocol that is only secure against replay attacks but doesn’t require location data, which might not always be available or due to security reasons not desired. If later a user gets sick and the app gets its (k, EphID ) pairs, it will check if it has stored a triple (σ, tag, EphID) with EphID = EphID , and if so, finish verification by checking the ?

delayed tag Mac(k, σ) = tag to detect potential replay or relay attacks.

Our protocol will use the current time, which must be measured rather coarse so that the advertizing and receiving applications have the same time, or are at most off by one unit (one or a few seconds seem reasonable for one unit of time). The replay secure protocol now works as follows – (broadcast). In regular intervals a message is broadcast which is computed as follows. Let EphID, k be the current ephemeral ID and key and t denote the coarse current time. Compute (ρ, tag) ← DelayMac(k, t) and broadcast (ρ, tag), EphID, t|1 where t|1 is the least significant bit of t. – (receive broadcast message). If the app receives a message (ρ, tag), EphID, t|1 it gets its current time t . If t|1 = t|1 then round t to the nearest value so the least significant bit matches t|1 . Compute σ  := commit(t , ρ) and locally store (σ  , tag, EphID). Note that the stored σ  will match the σ used by the sender if their measured times are off by at most one unit. – (receive message from backend server). If the app learns ephemeral ID/key tuples (EphID , k) of infected parties from the backend server, it checks if it stored a tuple (σ  , tag, EphID) where EphID = EphID . For every such tuple ?

it checks if Mac(k, σ  ) = tag, and only if the check passes, it assumes it was close to an infected party.

Delayed Authentication: Preventing Replay and Relay Attacks

11

Replay Security: To see how this approach prevents replay attacks, consider an adversary who records a broadcasted message (ρ, tag, EphID) at time t that was computed by the sender using its (at this point secret) ephemeral key k. At a later time t∗ > t+1 the adversary send a potentially altered message (ρ∗ , tag∗ , EphID) to a receiver. The receiving party will reject this tuple after learning the key k (i.e., when the originally broadcasting party reports sick) unless tag∗ = Mac(k, σ ∗ ) where σ ∗ = commit(t∗ , ρ∗ ) But this is a forgery for DelayMac, and as stated in Lemma 1, hard to find. Relay Security: If we additionally authenticate the location like this, as shown in blue in Fig. 3, we achieve security against relay attacks. Again the location must be coarse enough so that the sending and receiving parties x and y coordinates are off by at most one unit, while they shouldn’t be too coarse as a replay attack within neighbouring coordinates is possible. What an appropriate choice is depends on how precise GPS works, units of 50 m seems reasonable. Privacy: The tuple (σ, tag, EphID) stored by the receiver hides (in fact, is independent) of the time (and if used, also location) in which the encounter happened by Lemma 2. This only holds if the sender correctly computed the tag, we discuss malicious senders later in Sect. 7.2. Of course the receiving app needs to be careful how it stores such tuples, as e.g. simply storing them in the order as they were received would leak an ordering.

6

Fitting the Broadcast Message into 128 Bits

In the current DP-3T proposal the ephemeral identifiers EphID which are broadcast are 128 bits long, in this section we outline how our protocol can potentially achieve reasonable security and robustness while also just broadcasting 128 bits, but having more wiggle room would certainly be better. We need 3 bits for the time and location least significant bits t|1 , x|1 , y|1 , and distribute the remaining 125 bits by setting the length of the remaining 3 broadcasted values to |ρ| = 80, |tag| = 35, |EphID| = 10 In a nutshell, that gives us |ρ| = 80 bits computational security for the commitment, |tag| = 35 bits of statistical security for the authenticator while the probability of a false positive for a locally stored encounter with a reported key/identifier is 2−|tag|−|EphID| = 2−45 , we elaborate on this below. |ρ| = 80 (security of commit): We suggest to implement the commitment using a standard cryptographic hash function def

commit(m, ρ) = H(mρ) .

12

K. Pietrzak

It is important to specify how long the commitment should be, i.e., where we truncate the output of H. A conservative choice would be a length of |H(mρ)| = 256 bits, but then the hiding property of the commitment would only be computational (while the binding would be statistical). In practice this means a computationally unbounded adversary can break privacy (by finding the message/randomness in the locally stored commitment). If statistical hiding is required (due to legal or other reasons), we need to send the output length to 80 bits (or slightly shorter). Due to birthday attacks, that would be way too √ short to achieve binding as a collision for commit could be found with just 280 = 240 queries. As discussed in Sect. 4, we only need to satisfy a weak binding property where the adversary must find a preimage for a given output not just any collision, and for this notion we can get 80 bits security even with short 80 bit commitments. When doing this, one should harden the scheme against multi-instance attacks, where an adversary tries to find a ρ∗ s.t. σi = commit((t, x, y), ρ∗ ) for one from many previously intercepted σ1 , . . . , σn ’s in order to replay it. This can be done by adding the EphID to the commitment, i.e., specify that it’s computed as σ := commit((EphID, t, x, y), ρ) . This way only broadcast messages with the same EphID can be simultaneously attacked. |tag| = 35 (security of Mac): While we can choose strong ephemeral keys k for the Mac, say 128 bit keys, the fact that tag is only 35 bits means a random tag will verify with probability one in 235 ≈ 34 billions. This seems good enough to discourage replay or relay attack attempts. |EphID| + |tag| = 45 (probability of false positives): A stored encounter (σ  , tag, EphID) will match a unrelated identifier/key (k∗ , EphID∗ ) pair from the backend server by pure chance if EphID = EphID∗ and tag = Mac(k∗ , σ  ), which happens with probability 2−(|k|+|EphID|) = 2−45 . If we assume that EphID’s are rotated every 30 min, so we have 48 per day, the probability of a false positive for encounters in any given day, assuming we have n users of which m will be reported sick in the next 14 d, is m·n·48 2−45 . For 10 million users and 10000 cases that’s one false positive per week in total. |EphID| = 10 (efficiency of verifying messages from backend server): The discussion so far suggests one should set |EphID| = 0 and instead use those 10 bits to increase |tag|. The reason to keep a non-empty EphID is for efficiency reasons. For every locally stored encounter (σ  , tag, EphID) and every identifier/key (k∗ , EphID∗ ) (computed from keys received) from the backend server we need to compute the tag = Mac(k∗ , σ  ) whenever EphID = EphID∗ , thus for a 2−|EphID| fraction of such pairs. With |EphID| = 10 the unnecessary computation due to such identifier collisions should be small compared to the computation required to expand the keys received from the backendserver to the identifier/key pairs.

Delayed Authentication: Preventing Replay and Relay Attacks

7

13

Digital Evidence

The main design goal the presented protocol is security against replay and relay attacks, but there are also other issues with CP3T and similar protocols discussed in [TPH+20] and [Vau20a] which our scheme does not solve. There also is at least one privacy aspect that is aggravated by our protocol compared to the basic CP3T: for parties deviating from the protocol, it’s easier to produce digital evidence when and where an encounter took place. While we feel this is a minor issue compared to replay and relay attacks, one needs to be aware of such trade-offs. 7.1

Malicious Receiver

A malicious receiver can produce digital evidence about the advertizing user. This is also the case for Vaudenay’s protocols (and already mentioned in [Vau20a]). As a concrete example, the receiver can put a hash of the entire transcript (for our protocol that would mean the broadcast message, time and location) on a blockchain to timestamp it. Later, should the advertizing user test positive and his keys being released, this transcript serves as evidence about when and where the encounter took place. Timestamping is necessary here, as once the keys are released everyone can produce arbitrary transcripts. To actually break privacy of an individual, one of course also needs to somehow link the released keys to that person. 7.2

Malicious Sender

If the sending party stores the randomness ρ it broadcasts (together with the current location and time), it can later prove that it met a receiving user at time t and location (x, y) by providing the opening information (t, x, y, ρ) for a commitment σ = commit((t, x, y), ρ) stored by the receiver. Note that unlike in the malicious receiver case discussed above, the commitments σ are never supposed to leave the phone, even if the receiving user reports being sick. Thus this privacy break requires a successful attack on the receiver’s phone or the receiver must be forced to reveal this data.

8

Conclusions, Apple and Google

We propose a contact tracing protocol which is almost as simple and efficient as the basic versions of the DP-3T, PACT, Covid watch etc. proposals, but which also provides security against replay attacks. And if location data is available, even against relay attacks. Apple and Google [app20] recently announced an exposure notification API for iOS and Android which addresses two major problems one faces when implementing such protocols (1) by allowing to sync rotations of the Bluetooth’s MAC addresses and ephemeral keys one prevents tracing a device even as the key is

14

K. Pietrzak

rotated (2) using the API the app can run in the background, saving battery and adding convenience. Unfortunately, instead of allowing the community to invent and implement decentralized/privacy-preserving/robust tracing apps using these great tools, they decided to implement a tracing protocol on top of it, and the only way to use those features is via this particular protocol, leaving few choices to the actual protocol designers. Many, if not most, of the suggestions made by the community, including in this work, simply cannot be build on top of their solution. The Apple-Google protocol is basically the “simple solution without privacy” outlined in Subsect. 3.1. They chose very coarse time units of 10 min, which means replay attacks are still possible within a 10 min windows, while the time of encounters is stored to a precision of 10 min. While 10 min are way too short to give meaningful privacy guarantees, it’s certainly long enough for substantial replay attacks.1 Such attacks, even if detected, would seriously hurt the trust and deployment of the app. Another concern is the possibility of voter suppression using such attacks [GKK]. It would also give strong arguments to proponents of centralized solutions, preventing which seems to be a main motivation of Apple and Google for not allowing direct access to those features in the first place. We hope they will reconsider their stance on the issue and allow the community to again contribute towards coming up with the best tracking solutions.

References [ABIV20] Avitabile, G., Botta, V., Iovino, V., Visconti, I.: Towards defeating mass surveillance and SARS-CoV-2: The pronto-C2 fully decentralized automatic contact tracing system. Cryptology ePrint Archive, Report 2020/493 (2020). https://eprint.iacr.org/2020/493 [AFV20] Avitabile, G., Friolo, D., Visconti, I.: TEnK-U: terrorist attacks for fake exposure notifications in contact tracing systems. Cryptology ePrint Archive, Report 2020/1150 (2020). https://eprint.iacr.org/2020/1150 [AKP+20] Auerbach, B., et al.: Inverse-sybil attacks in automated contact tracing. Cryptology ePrint Archive, Report 2020/670 (2020). https://eprint.iacr. org/2020/670 [app20] Privacy-preserving contact tracing (2020). https://www.apple.com/ covid19/contacttracing [BDF+20] Baumg¨ artner, L., et al.: Mind the gap: security and privacy risks of contact tracing apps (2020) 1

Consider an app by which malicious covidiots can collect Bluetooth beacons, share them amongst each other, and then re-broadcast the beacons they jointly collected in the last 10 min, leading to many false positives. This attack arguably even works with fairly short (say 1 s) time windows as used in this paper. To really prevent such attacks it seems one either needs location data (as shown in this work using coarse GPS locations), interaction as in Vaudenay’s protocol [Vau20a] or public-key crypto [ABIV20, LAY+20, WL20, CKL+20].

Delayed Authentication: Preventing Replay and Relay Attacks

15

[CGH+20] Chan, J., et al.: PACT: privacy sensitive protocols and mechanisms for mobile contact tracing. CoRR, abs/2004.03544 (2020) [CKL+20] Canetti, R., et al.: Privacy-preserving automated exposure notification. Cryptology ePrint Archive, Report 2020/863 (2020). https://eprint.iacr. org/2020/863 [CW20] COVID watch (2020). https://www.covid-watch.org/ [DDL+20] Danz, N., Derwisch, O., Lehmann, A., Puenter, W., Stolle, M., Ziemann, J.: Security and privacy of decentralized cryptographic contact tracing. Cryptology ePrint Archive, Report 2020/1309 (2020). https://eprint.iacr. org/2020/1309 [eu20] Mobile applications to support contact tracing in the EU’s fight against COVID-19 (2020). https://ec.europa.eu/health/sites/health/files/ ehealth/docs/covid-19 apps en.pdf. Version 1.0, 15 Apr 2020 [GKK] Gennaro, R., Krellenstein, A., Krellenstein, J.: Exposure notification system may allow for large-scale voter suppression [Gvi20] Gvili, Y.: Security analysis of the COVID-19 contact tracing specifications by Apple inc. and Google inc. Cryptology ePrint Archive, Report 2020/428 (2020). https://eprint.iacr.org/2020/428 [KBS20] Kuhn, C., Beck, M., Strufe, T.: COVID notions: towards formal definitions - and documented understanding - of privacy goals and claimed protection in proximity-tracing services. CoRR, abs/2004.07723 (2020) [LAY+20] Liu, J.K., et al.: Privacy-preserving COVID-19 contact tracing app: a zeroknowledge proof approach. Cryptology ePrint Archive, Report 2020/528 (2020). https://eprint.iacr.org/2020/528 [Pep20] PEPP-PT: Pan-European privacy-preserving proximity tracing (2020). https://www.pepp-pt.org/ [Rob20] ROBERT: ROBust and privacy-presERving proximity Tracing (2020). https://github.com/ROBERT-proximity-tracing [TPH+20] Troncoso, C., et al.: DP3T: decentralized privacy-preserving proximity tracing (2020). https://github.com/DP-3T [Vau20a] Vaudenay, S.: Analysis of DP3T. Cryptology ePrint Archive, Report 2020/399 (2020). https://eprint.iacr.org/2020/399 [Vau20b] Vaudenay, S.: Centralized or decentralized? The contact tracing dilemma. Cryptology ePrint Archive, Report 2020/531 (2020). https://eprint.iacr. org/2020/531 [WL20] Wan, Z., Liu, X.: ContactChaser: a simple yet effective contact tracing scheme with strong privacy. Cryptology ePrint Archive, Report 2020/630 (2020). https://eprint.iacr.org/2020/630

Proof-of-Reputation Blockchain with Nakamoto Fallback Leonard Kleinrock1 , Rafail Ostrovsky1 , and Vassilis Zikas2(B) 1

2

Computer Science Department, UCLA, Los Angeles, USA {lk,rafail}@cs.ucla.edu School of Informatics, University of Edinburgh, Edinburgh, UK [email protected]

Abstract. Reputation is a major component of trustworthy systems. However, the subjective nature of reputation, makes it tricky to base a system’s security on it. In this work, we describe how to leverage reputation to establish a highly scalable and efficient blockchain. Our treatment puts emphasis on reputation fairness as a key feature of reputation-based protocols. We devise a definition of reputation fairness that ensures fair participation while giving chances to newly joining parties to participate and potentially build reputation. We also describe a concrete lottery in the random oracle model which achieves this definition of fairness. Our treatment of reputation-fairness can be of independent interest. To avoid potential safety and/or liveness concerns stemming from the subjective and volatile nature of reputation, we propose a hybrid design that uses a Nakamoto-style ledger as a fallback. To our knowledge, our proposal is the first cryptographically secure design of a proof-ofreputation-based (in short PoR-based) blockchain that fortifies its PoRbased security by optimized Nakamoto-style consensus. This results in a ledger protocol which is provably secure if the reputation system is accurate, and preserves its basic safety properties even if it is not, as long as the fallback blockchain does not fail. Keywords: Blockchain

1

· Proof of reputation · Byzantine agreement

Introduction

Many decisions taken in modern society are based on reputation: Fans are likely to follow suggestions from their idols, social network followers are likely to adopt suggestions of the friends and groups, and people often use publicly available ranking systems such as E-Bay, Yelp, AirBnB, Amazon, etc. to make decisions regarding online-shopping, choice of vacation, accommodation, eating out, insurances, investment, medical, etc. In this work we leverage the power of reputation to establish a reliable, permissionless blockchain. Our design assumes that certain parties in the system have a reputation-rank, which is recorded on the blockchain itself. Similar to public ranking systems as above, where the “stars” of a party are interpreted as a prediction of the quality of its offered services, the interpretation of our reputation-ranks is that the higher a party’s reputation c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 16–38, 2020. https://doi.org/10.1007/978-3-030-65277-7_2

Proof-of-Reputation Blockchain with Nakamoto Fallback

17

the higher are the chances that the party will behave honestly in maintaining the blockchain. In a nutshell, our design goals are two-fold: (1) To rely on the reputation system to build a simple, scalable decentralized ledger with optimized finality, communication, and computation, and with a formal proof that relates the security of the protocol to the quality of the reputation system; importantly, our PoR-blockchain aims to satisfy a new intuitive notion of participation fairness that promotes inclusivity. (2) To address the subjectivity of reputation as a resource, by backing our blockchain’s safety and liveness with a fallback mechanism that ensures that even if the reputation estimate is severely flawed, our protocol does not create long forks. Our Results. We devise a hybrid blockchain-ledger design which is primarily based on reputation but uses a Nakamoto ledger as fallback. We use the term Nakamoto ledger similar to [3] to refer to blockchain-based ledger protocols that follow the eventual consensus paradigm (e.g., Bitcoin, Ouroboros, etc.) and realize a ledger as described in [2,4]. For the purpose of exposition, in this work, we focus on the fallback ledger being proof-of-stake-based and tune our analysis accordingly—we refer to this paradigm as PoR/PoS-hybrid. design However, our treatment can be extended to other types of fallback blockchains (even those that do not follow the Nakamoto paradigm) under their respective assumptions. In the following we provide an overview of our design and discuss its properties in comparison to existing approaches. PoR-Blockchain. We assume a (dynamically updatable) set P of parties where a subset Pˆ ⊆ P of them are special parties called reputation parties. The parties wish to leverage the reputation of the reputation parties to securely maintain a ledger containing a sequence of blocks, each block containing a collection of messages that can represent arbitrary data (throughout this paper, we refer to this data as transactions).1 Informally, a reputation system for a party set Pˆ is similar to a probabilistic adversary structure [15]: It assigns to each subset of Pˆ a probability that this subset is corrupted by the adversary—we consider active, aka Byzantine, corruption. In its simplest form, which we refer to as static correlation-free, a ˆ independent boolean ranreputation system can be described by a vector of |P| dom variables. The probability that the ith variable is 1 is the probability that ˆ the i-th party in P—in a given canonical ordering, e.g., using the party-IDs—is honest. This is similar to independent reputation systems investigated in [1]. We also extend this notion by allowing the reputation to evolve as rounds advance, yielding a dynamic reputation system. The update happens in an epoch-based manner, where an epoch consists of a fixed number of rounds. To capture feasibility of PoR-based consensus, we introduce the notion of a feasible reputation 1

We do not specify here how this data is efficiently encoded into a block, e.g., so that they can be updated and addressed in an efficient manner; however, one can use the standard Merkle-tree approach used in many common blockchains, e.g., Bitcoin, Ethereum, Ouroboros, Algorand, etc.

18

L. Kleinrock et al.

system (cf. Definition 2) which for static reputation systems requires that there is a party-sampling algorithm, such that the probability that a super-majority of the selected parties is honest is overwhelming. (This is analogous to the feasibility condition from [1].) Our ledger protocol proceeds in rounds. Each block is associated with a slot, where a slot lasts a predefined number of rounds. We use the reputation system as follows (we restrict the discussion here to static correlation-free reputation): The contents of the genesis block—which is assumed to be available to any party joining the protocol and includes the (initial) reputation system along with a random nonce—are hashed to generate common randomness used in the first epoch. Since every party is assumed access to the genesis block, every party can locally run a lottery which is “biased” by the parties’ reputation using these coins to choose a committee for each slot. (For dynamic reputation, the contents of an epoch are used to extracts coins for the following epoch.) i for each slot i, The above implicit lottery is used to elect a slot committee CBA which is responsible for gathering all known transactions at the beginning of the slot that have not yet been inserted in the blockchain, and proposing the block corresponding to this slot along with evidence to enable all parties to agree on i of this block. More concretely, in every slot, every party in a random subset CBC i CBA pools all new and valid transactions received by the blockchain users into a i , by means of a byzantine broadcast protocol. set, and broadcasts this set to CBA i is then signed by every member The union of the tractions broadcasted by CBC i of CBA and circulated to the whole party set P who accept it if and only if it i i |/2 signatures from parties in CBA . As long as for each of the has at least |CBA slot committees the majority of its members is honest—a property which will be induced by an accurate and feasible reputation system—the above consensus protocol will achieve agreement on the proposed block. Of prime importance in our construction, and a novelty of our PoR-ledger, is a mechanism which ensures an intuitive notion of inclusivity. For clarity, we focus our description and analysis on static correlation-free reputation systems. Different ways to extend our result to dynamic and correlated adversaries are discussed in [21]. As proved in [1], for any feasible static correlation-free reputation system, the following sampler, denoted as Amax , outputs a committee with honest majority: Order the parties according to their reputation and choose a sufficient number (cf. [1]) of reputation parties with the highest reputations. The above simple Amax algorithm is optimal (up to negligible error) for minimizing the risk of electing a dishonest-majority committee, but it suffers from the following issues: First, if some malicious party establishes (e.g., by behaving honestly) a high reputation, then this party will be included in almost every committee. Second, the approach lacks a natural fairness property which would give all parties voting power according to their reputation (even to parties with low reputation). Such a fairness property is important for sustainable decentralization, as it does not deter participation of parties with low reputation making

Proof-of-Reputation Blockchain with Nakamoto Fallback

19

the overall system more inclusive.2 We propose and instantiate an appropriate notion of reputation fairness, termed PoR-fairness, which addresses the above concerns. The idea behind PoR-fairness is that every reputation party should i . Defining such a get a “fair” chance to be part of each slot-i committee CBA notion turns out to be non-trivial (cf. Sect. 3.1). Intuitively, a reputation-based lottery (i.e., committee selection protocol) is reputation-fair, if, (1) on average, the representation of parties on the selected committee becomes higher, the more likely those parties are to be honest (according to their reputation); (2) this representation increases as the ratio of parties with higher over parties with lower reputation increases; and (3) the probabilities of parties included in the lottery increase proportionally to their reputation. Realizing such a reputation-fair lottery also turns out to be a challenging task and a core technical contribution of our work. The Nakamoto Fallback. Arguably, reputation is a subjective and manipulable resource. For instance, the way reputation of new parties is assigned might be flawed or a malicious party might act honestly to build up its reputation, and then use its earned trust to attack the system. We address this in the following way: We back our PoR-blockchain with a light-weight use of a Nakamoto-style blockchain3 which will ensure that if the reputation system fails to provide security, this will be observed and agreed upon on the Nakamoto-chain. This ensures that reputation parties, who try to actively cheat (e.g., sign conflicting messages) or abstain to hurt liveness or safety, will be exposed on the fallback chain. The idea for our fallback is as follows: Parties report on the fallback chain (an appropriate hash of) their view of the PoR-blockchain. If any party observes an inconsistency of this with its own view, it contest the reported view, by posting an accusation along with appropriate evidence (signatures and hash-pointers). The original reporting party is then expected to respond to this accusation by the contents and signatures of the disputed block. Once the accusation is answered, it will either expose one of the two disputing parties as a cheater, or it will expose a misbehavior on the PoR-chain (e.g., signing conflicting messages). In either case the exposed party gets its reputation zeroed out and is excluded from the system. This fallback mechanism fortifies the security of the blockchain under an independent backup assumption, e.g., majority of honest stake. Note that the fallback blockchain is not used for communicating transactions, but only digests (hashes) of blocks from the main, reputation chain as discussed below. Furthermore, it does not need to run in a synchronized manner with the main PoR-chain. This allows a very light-weight use of the fallback chain, which as it is a blackbox use, can even be outsourced to an existing Nakamoto-style chain. We refer 2 3

For instance, one can consider a mechanism which rewards honest behavior by increasing the parties’ reputation. As discussed above, here we focus on a proof-of-stake Nakamoto-style blockchain, e.g., [20], but our fallback uses the Nakamoto blockchain in a blackbox manner and can therefore be instantiated using any blockchain that realizes a Bitcoin-style transaction ledger [4].

20

L. Kleinrock et al.

to this type of blockchain design as a PoR/PoS-Hybrid Blockchain. We remark that the generic fallback mechanism allows to recover from safety attacks. By an additional assumption on the quality of the reputation system we can also prevent liveness attacks as discussed in Sect. 5. Properties of Our Construction. The proposed reputation-based blockchain takes advantage of the nature of the reputation-system to improve on several properties of existing constructions as discussed below. Provided that the reputation is accurate, the parties will enjoy such improvements. As is the case with any assumption on resources, it is impossible to know a priori if the underlying assumption, in our case accuracy of the reputation, is true. However, unlike constructions which completely fail when their core assumption is false (e.g., dishonest majority of stake in PoS) our fallback mechanism will ensure that even if our primary assumption, i.e., accuracy of the reputation, is violated, still the basic security properties are not (or any violation is swiftly detected) as long as the secondary, fallback assumption holds. This yields a natural optimistic mechanism for use of resources as discussed below. In the following we discuss the advantages that our protocol in this optimistic mode, i.e., under the primary assumption that the reputation system is accurate. Efficiency and Scalability: A reputation system induces probabilities that a parties behaves maliciously, which, technically, provides information to the protocol designer (and parties) on the corruption capabilities of the adversary. This allows us to avoid the need for communication- and setup-heavy adaptive security tools, e.g., compute and communicate proofs of verifiable random functions.4 Additionally, it allows us to associate reputation parties with public keys and public physical IDs, e.g., public IP address, which means they can communicate through direct point-to-point channels rather than diffusion/gossip network. This yields both concrete and asymptotic improvements. First, depending on the network topology, this can improve the overall concrete message complexity and yield denial-of-service (DoS) attack protection in practice—open diffusion networks are more susceptible to DoS. Additionally, as most communication occurs only among the (polylogarithmic) size slot committees and between these committees and the player set, even ignoring the overhead of gossiping, the overall message complexity per slot is O(n log n) as opposed to the Ω(n2 ) complexity of standard blockchains relying solely on flooding. High Throughput (Transaction-Liveness): Existing solutions implicitly assign to each block one effective-block proposer [2,12,17,20]—multiple parties might win the lottery but only the proposal of one is adopted. Instead, in our PoR-blockchain a (small) committee CBC of proposers is chosen in each slot, and the union of their transactions-views is included. To ensure that honest transactions are included in a block it suffices that any of the block proposers in the corresponding CBC is honest. This will be true with probability at least 4

As a side note, our blockchain does address concerns about adaptivity in corruptions through its fallback mechanism, which can be adaptively secure.

Proof-of-Reputation Blockchain with Nakamoto Fallback

21

1 − 1/2L , where L is the size of CBC , as we are choosing L parties out of CBA which has honest majority. In comparison, in systems that choose one proposer per block, this probability is upper-bounded by (roughly) t/n, where t is the number of corrupted parties/resources (e.g., the amount of adversarially owned stake) and n is the total amount of resources. The above discrepancy can be impactful in situations where the transaction-submitting mechanism has high latency—e.g., due to bad/restricted access to the blockchain network, or some points to the blockchain network are unreliable. Finality: Since the parties decide on the next block by means of a Byzantine broadcast protocol, agreement is achieved instantly by the end of the slot. This is similar to standard synchronous BFT-based blockchains, and is in contrast to Nakamoto-style blockchains [7,20,24] which achieve eventual consistency, aka the common prefix property [16,26]. We stress that this is the case assuming the reputation system is accurate. One can argue that this might be an insufficient guarantee as to get full confidence and some users might want to wait for the situation to settle also on the fallback chain—i.e., ensure that no honest party contests their view. Nonetheless, it allows for a tiered use of the assumptions, which naturally fits situations where different transactions have different degree of importance, as is for example the case in cryptocurrencies: For small-amount transactions the users can trust the PoR-blockchain and consider the transaction settled as soon as it is finalized there. The more risk-averse users (or users with high-stake transactions) can wait for the backup chain to confirm that there is no accusation. The above mode is the natural blockchain analog of how reputation is used in reality: If a service or an investment is recommended by a highly reputable source, then it typically enjoys higher trust. However, for risky actions, the actors usually seek further assurances that might take longer time. Related Literature. Asharov et al. [1] defined reputation systems for multiparty computation (MPC) and proved necessary and sufficient conditions on a static reputation system for the existence of fair MPC—in particular, for the existence of an algorithm for selecting a committee where the majority of the participants is honest. To our knowledge, ours is the first work which puts forth a rigorous specification, protocol, model, and treatment of reputation-system-based blockchains. Attempts to combine consensus with reputation were previously made in the context of blockchains and cryptocurrencies. None of these attempts addresses the subjective nature of the reputation systems, i.e., if the reputation system is inaccurately estimated, their security fails. This is in contrast to our fallback guarantee which allows us to preserve basic safety (unforkability) properties which are essential in blockchains and cryptocurrencies. Additionally many of these works lack a protocol specification, security model and proofs, and often even a credible security argument [14], and/or rely on complicated reputation mechanisms and exogenous limitations on the adversary’s corruption power [9]. Alternative approaches, use the proof-of-work (bitcoin) paradigm to assign reputation, by considering miners more reputable if they allocate, over a long period, more hashing-power to their protocol [28].

22

L. Kleinrock et al.

Notably, [6] proposed a reputation-module which can build a scalable blockchain on top of a BFT-style consensus protocol, e.g., PBFT or Honey Badger [23]. The idea is that this reputation module can be used by the parties to select smaller next round committees. In addition to lacking a security proof, the entire module needs to operate over a broadcast channel created by the original BFT consensus protocol, as it uses a global view of the computation to accurately readjust the reputations. Hence, its security relies on the security of the underlying consensus protocol, even if reputation is accurate. Instead our PoR-blockchain construction is secure under the assumptions of accuracy of the reputation system, irrespective of the properties of the fallback blockchain. The result from [6] also proposed a notion of reputation-fairness, which renders a reputation-based lottery more fair the closer its outcome is to a uniform sample. This notion of fairness seems unsuitable for our goals, as it is unclear why low distance from uniform is a desirable property. Why should it be considered fair that a large set of parties with low reputation has better relative representation in the output than a small set with higher reputation? And how would this incentivize parties to build up their reputation? Our fairness definition addresses this concern, at a very low overhead. Hybrid blockchains which use an alternative consensus mechanism as a fallback were also previously used in Thunderella [27] and Meshcash [5]. Their protocols rely on smart refinements of the proof-of-work and/or proof-of-space-time paradigms, and uses novel methods to accelerate the blockchain and improve scalability and finality when a higher amount of the underlying resource is in honest hands while ensuring safety even under weaker guarantees. Finally, Afgjort [22] devises a finality layer module on top of a proof-of-stake blockchain. Their construction achieves fast finality under the combination of the assumptions underlying the PoS-blockchain—typically, honest majority of stake—and the assumption supporting the security of the finality layer. In contrast, our PoR/PoS-hybrid blockchain is secure as long as the reputation-system is accurate irrespective of the security of the underlying PoS-blockchain. Preliminaries. We use the standard definition of negligible and overwhelming: A function μ : N → R+ is negligible if for any polynomial p(k): μ(k) = O(1/p(k)); We say that a function f : N → [0, 1] is overwhelming if f (k) = 1 − μ(k) for some negligible function μ. Many of our statements and definitions assume an (often implicit) security parameter k. For two strings s1 , s2 ∈ {0, 1}∗ we denote by s1 ||s2 the concatenation of s1 and s2 . For some n ∈ N we will denote by [n] the set [n] = {1, . . . , n}. For a string s ∈ {0, 1}k and for some D ≤ k we will say that T (s) ≥ D if s has at least D leading zeros, i.e., s is of the form s = 0D ||s for some s ∈ {0, 1}k−D . Organization of the Remainder of the Paper. After discussing our model in Sect. 2, in Sect. 3 we define and instantiate a reputation-fair lottery. Section 4 describes a PoR-based blockchain-ledger protocol for static reputation systems, and Sect. 5 describes the hybrid PoR/PoS ledger protocol. Due to space limitations detailed proofs are deferred to the full version [21].

Proof-of-Reputation Blockchain with Nakamoto Fallback

2

23

The Model

Our ledger protocol is among a set of parties P = {P1 , . . . , Pn }. A subset Pˆ of the parties, called reputation parties, have a distinguished role in the protocol, and are tasked with proposing and confirming blocks to be added in the blockchain. To avoid overcomplicating our description, we describe our protocol here for a static set of parties; in [21] we discuss how this set can be dynamically updatable, similar to the dynamic participation of [2,20]. As is common in the blockchain literature, our statements are in the random oracle model, where a hash function is assumed to behave as a random function. As a setup, we assume that all parties have the genesis block which includes sufficient initial randomness and the reference reputation-system. In terms of cryptographic assumptions we will assume existentially unforgeable digital signatures [18] along with pseudorandom function. Efficient (and even post-quantum) variants of these primitives are known to exist under standard complexity assumptions, namely, existence of one-way functions or hardness of lattice problems. Communication and Synchrony. We assume synchronous communication, where messages sent by honest parties in some round are delivered by the beginning of the following round, and a rushing adversary [8]. The protocol timeline which is divided into slots, where each slot consists of a fixed number of rounds. An epoch consist of a predefined number of slots. We assume a cryptographic adversary who gets to actively corrupt parties—i.e., takes full control over them. Parties have two means of communicating. (1) A diffusion (multicast) network available to everyone in P, build by means of a standard flooding/gossiping protocol over a (potentially incomplete but) connected communication graph of unicast channels [4]—this is similar to [4,24], Ethereum [7], Cardano/Ouroboros [2,20], Algorand [17], Thunderella [27], etc. For simplicity, we abstract this network by means of a zero-delay multi-cast primitive (cf. [4]): When an honest party multicasts a message, this message is delivered to all (honest) parties in the network by the beginning of the following round.5 We note that one can use techniques from the blockchain literature [2,17,17] to relax this perfect synchrony assumption—at the cost of a stricter feasibility condition on the reputation system. A discussion of such a relaxation is included in [21]. (2) The second type of communication is among reputation parties. These parties have known physical identities (e.g., IP addresses) and can communicate through direct channels, without flooding (e.g., via TCP/IP). We remark that existence of such channels is not necessary for our security analysis—if they are there, they can be used otherwise, communication via the diffusion network is sufficient for security. However, if they do exist and are used then can considerably reduce the traffic and yield a more scalable/efficient solution, as discussed in the introduction. 5

Observe that the adversary might send a message to a subset of parties, but if any honest party is instructed by the protocol to forward it, then the message will be delivered (to all other honest parties) in the round when this forwarding occurs.

24

L. Kleinrock et al.

Reputation Systems. A reputation system Rep for m = O(k) reputation parties from a set Pˆ = {Pˆ1 , . . . , Pˆm } is a family of probability distributions (parameterized by m) over binary reputation vectors of length m, i.e., vectors of the type (h1 , . . . , hm ) ∈ {0, 1}m .6 Each hi is an indicator bit which takes the value 1 if Pˆi is honest and 0, otherwise. For example, Pr[(h1 , . . . , hm ) = (0, . . . , 0, 1)] = 0.6 means that with probability 0.6 every reputation party except Pˆm is dishonest. We consider two types of reputation systems: A static reputation system is a probability distribution as discussed above. This is similar to the reputation system considered in [1]. A dynamic reputation system instead is a sequence (ensemble) Rep = {Repρ }ρ∈N of distributions, where each Repρ is a static reputation system for a set Pˆρ of mρ ∈ N reputation parties. Such dynamic reputation systems are useful in an evolving and reactive primitive such as a ledger protocol, where the reputation of parties might change depending on their behavior in the system and/or other exogenous factors. We focus on the setting where each hi corresponds to the output of an independent indicator random variable Hi , i.e., whether or not a reputation party Pˆi behaves honestly does not depend on what other reputation parties do. In this case, a static reputation system can be described by a vector of m numbers between 0 and 1, i.e., Rep = (R1 , . . . , Rm ) ∈ [0, 1]m , where the interpretation of Rep is that with probability equal to Ri the party Pˆi will play honestly (i.e., Pr[Hi = 1] = Ri ).7 We then say that Ri is the reputation of party Pˆi . We refer to such a reputation system as a correlation-free reputation system. In the following we provide more details of the corruption capabilities that a correlation-free reputation system (static or dynamic) gives to the adversary. The adversary’s corruption capabilities are specified by the reputation system. A static reputation-bounded adversary for reputation system Rep, also referred to as a static Rep-adversary, corrupts the set of parties at the beginning of the protocol according to Rep, and sticks to this choice. In particular, given a reputation system Rep for m reputation parties, corruption with a static adversary occurs as follows: A vector (h1 , . . . , hm ) ∈ {0, 1}m is sampled according to the distribution defined in Rep, and for each hi = 0 the reputation party Pˆi ∈ Pˆ is corrupted by the adversary. For dynamic reputation systems, a stronger type of adversary, which we call epoch-resettable adversary corrupts a completely new set of parties at the beginning of each epoch, according to the reputation system at the beginning of that epoch—this is similarly to mobile adversaries [25]. Here we focus our analysis to the static case; an extension to epoch-resettable adversaries is discussed in [21].

6 7

For notational simplicity, we often refer to Rep as a probability distribution rather than an ensemble, i.e., we omit the explicit reference to the parameter m. Adaptive correlation-free reputation systems are described, analogously, as an ensemble of static reputation systems.

Proof-of-Reputation Blockchain with Nakamoto Fallback

3

25

Reputation-Based Lotteries

At the heart of our construction is a lottery that chooses a (sublinear) set of parties according to their reputation. To demonstrate the idea, let us first consider two extreme scenarios: Scenario 1: No reputation party Pˆi has Ri > 0.5. Scenario 2: All reputation parties Pˆi have (independent) reputation Ri > 0.5 +  for a constant , e.g., Ri > 0.51. In Scenario 1, one can prove that users cannot use the recommendation of the reputation parties to agree on a sequence of transactions. Roughly, the reason is that with good probability, the majority of the reputation parties might be dishonest and try to split the network of users, so that they accept conflicting transaction sequences. In Scenario 2, on the other hand, the situation is different. Here, by choosing a polylogarithmic random committee we can guarantee (except with negligible probability)8 that the majority of those parties will be honest (recall that we assume independent reputations), and we can therefore employ a consensus protocol to achieve agreement on each transaction (block). ˆ Definition 1. For a reputation system Rep for parties from a reputation set P, ˆ and a (possibly probabilistic) algorithm A for sampling a subset of parties from P, an Rep-adversary A, we say that Rep is (, A)-feasible for A if, with overwhelming probability,9 A outputs a set of parties such that at most a 1/2 −  fraction of these parties is corrupted by A. In the above definition, the corrupted parties are chosen according to Rep ˆ and independently of the coins of A. from the entire reputation-party set P, (Indeed, otherwise it would be trivial to corrupt a majority.) Definition 2. We say that a reputation system is -feasible for Rep-adversary A, if there exists a probabilistic polynomial-time (PPT) sampling algorithm A such that Rep is (, A)-feasible for A. It is easy to verify that to maximize the (expected) number of honest parties in the committee it suffices to always choose the parties with the highest reputation. In fact, [1] generalized this to arbitrary correlation-free reputation systems by proving that for any -feasible reputation system Rep (i.e., for any Rep-adversary A) the algorithm which orders that parties according to their reputation chooses sufficiently many (see. [1]) parties with the highest reputation induces a set which has honest majority. We denote this algorithm by Amax . Lemma 1 ([1]). A correlation-free reputation system is -feasible for a Repadversary A if and only if it is (, Amax )-feasible for A. As discussed in the introduction, despite yielding a maximally safe lottery, Amax has issues with fairness which renders it suboptimal for use in a blockchain ledger protocol. In the following we introduce an appropriate notion of reputation-fairness for lotteries and an algorithm for achieving it. 8 9

All our security statements here involve a negligible probability of error. For brevity we at times omit this from the statement. The probability is taken over the coins associated with the distribution of the reputation system, and the coins of A and A.

26

3.1

L. Kleinrock et al.

PoR-Fairness

As a warm up, let us consider a simple case, where all reputations parties can be partitioned in two subsets: Pˆ1 consisting of parties with reputation at least 0.76, and Pˆ2 consisting of parties with reputation between 0.51 and 0.75. Let ˆ = α1 + α2 ) |Pˆ1 | = α1 and |Pˆ2 | = α2 . We want to sample a small (sublinear in |P| number y of parties in total. Recall that we want to give every reputation party a chance (to be part of the committee) while ensuring that, the higher the reputation, the better his relative chances. A first attempt would be to first sample a set where each party Pˆi is sampled according to his reputation (i.e., with probability Ri ) and then reduce the size of the sampled set by randomly picking the desired number of parties. This seemingly natural idea suffers from the fact that if there are many parties with low reputation—this is not the case in our above example where everyone has reputation at least 0.51, but it might be the case in reality—then it will not yield an honest majority committee even when the reputation system is feasible. A second attempt is the following. Observe that per our specification of the above tiers, the parties in Pˆ1 are about twice more likely to be honest than parties in Pˆ2 . Hence we can try to devise a lottery which selects (on expectation) twice as many parties from Pˆ1 as the number of parties selected from Pˆ2 . This will make the final set sufficiently biased towards high reputations (which can ensure honest majorities) but has the following side-effect: The chances of a party being selected diminish with the number of parties in his reputation tier. This effectively penalizes large sets of high-reputation parties; but formation of such sets should be a desideratum for a blockchain protocol. To avoid this situation we tune our goals to require that when the higher-reputation set |Pˆ1 | is much larger than |Pˆ2 |, then we want to start shifting the selection towards Pˆ1 . This leads to the following informal fairness goal: Goal (Informal): We want to randomly select x1 parties from Pˆ1 and x2 parties from Pˆ2 so that: 1. x1 + x2 = y 1 2. x1 = 2 max{1, α α2 }x2 (representation fairness) 3. For each i ∈ {1, 2} : No party in Pˆi has significantly lower probability of getting picked than other parties in Pˆi (non-discrimination), but parties in Pˆ1 are twice as likely to be selected as parties in Pˆ2 (selection fairness). Assuming α1 and α2 are sufficiently large, the above goal can be achieved by the following sampler: For appropriately chosen numbers 1 and 2 ≥ 0 with 1 + 2 = y, sample 1 parties from Pˆ1 , and then sample 2 parties from Pˆ1 ∪ Pˆ2 (where if you sample a party from Pˆ1 twice, replace him with a random, upsampled party from Pˆ1 ). As it will become clear in the following general analysis, by carefully choosing 1 and 2 we can ensure that the conditions of the above goal are met. For the interested reader, we analyze the above lottery

Proof-of-Reputation Blockchain with Nakamoto Fallback

27

in [21]. Although this is a special case of the general lottery which follows, going over that simpler analysis might be helpful to a reader, who wishes to ease into our techniques and design choices. Our PoR-Fairness Definition and Lottery. We next discuss how to turn the above informal fairness goals into a formal definition, and generalize the above lottery mechanism to handle more than two reputation tiers and to allow for arbitrary reputations. To this direction we partition, as in the simple example, the reputations in m = O(1) tiers10 as follows: For a given small δ > 0, the first tier includes parties with reputation between m−1 m + δ and 1, the second + δ and m−1 tier includes parties with reputation between m−2 m m + δ, and so on. 11 Parties with reputation 0 are ignored. We refer to the above partitioning of the reputations as an m-tier partition. The main differences of the generalized reputation-fairness notion from the above informal goal, is that (1) we parameterize the relation between the representation of different ties by a parameter c (in the above informal goal c = 2) and (2) we do not only require an appropriate relation on the expectations of the numbers of parties from the different tiers but require that these numbers are concentrated around numbers that satisfy this relation. The formal reputation fairness definition follows. Definition 3. Let Pˆ1 , . . . , Pˆm be a partition of the reputation-party set Pˆ into m tiers as above (where the parties in Pˆ1 have the highest reputation) and let L be a lottery which selects xi parties from each Pˆi . For some c ≥ 1, we say that L is c-reputation-fair, or simply, c-fair if it satisfies the following properties: 1. (c-Representation Fairness): For j = 1, . . . , m, let cj = max{c, c ·

ˆj | |P ˆj+1 | }. |P

Then L is c-fair if for each j ∈ {0, . . . , m−1} and for every constant  ∈ (0, c): Pr [(cj − ) xj+1 ≤ xj ≤ (cj + ) xj+1 ] ≥ 1 − μ(k),

for some negligible function μ. ˆ 2. (c-Selection Fairness): For any pj ∈ ∪m i=1 Pi , let Memberj denote the indicator (binary) random variable which is 1 if pj is selected by the lottery and 0 otherwise. The L is c-selection-fair if for any i ∈ {1, . . . , m − 1}, for any pair (Pˆi1 , Pˆi2 ) ∈ Pˆi × Pˆi+1 , and any constant c < c: Pr[Memberi1 = 1] ≥ c − μ(k) Pr[Memberi2 = 1] for some negligible function μ. 10

11

This is analogous to the rankings of common reputation/recommendation systems, e.g., in Yelp, a party might have reputation represented by a number of stars from 0 to 5, along with their midpoints, i.e., 0.5, 1.5, 2.5, etc. This also gives us a way to effectively remove a reputation party—e.g., in case it is publicly caught cheating.

28

L. Kleinrock et al.

3. (Non-Discrimination): Let Memberi defined as above. The L is nondiscriminatory if for any Pˆi1 , Pˆi2 in the same Pˆi : Memberi1 ≈ Memberi2 , where ≈ in the above equation means that the random variables are computationally indistinguishable. At a high level the lottery for the m-tier case is similar in spirit to the twotier case: First we sample a number of 1 parties from the highest reputation set Pˆ1 , then we sample 2 parties from the union of second-highest and the ˆ ∪ Pˆ2 , then we sample 3 parties from the union of the three highest highest P1 reputation tiers Pˆ1 ∪ Pˆ2 ∪ Pˆ3 , and so on. As we prove, the values 1 , 2 , 3 etc. can be carefully chosen so that the above fairness goal is reached whenever there are sufficiently many parties in the different tiers. We next detail our generalized sampling mechanism and prove its security properties. We start by describing two standard methods for sampling a size-t subset of a party set P—where each party P ∈ P is associated with a unique identifier pid12 —which will both be utilized in our fair sampling algorithm. Intuitively, the first sampler samples the set with replacement and the second without. The first method, denoted by Rand, takes as input/parameters the set P, the size of the target set t—where naturally t < |P|—and a nonce r. It also makes use of a hash function h which we will assume behaves as a random oracle.13 In order to sample the set, for each party with ID pid, the sampler evaluates the random oracle on input (pid, r) and if the output has more than log |P| t tailing 0’s the party is added to the output set. By a simple Chernoff bound, the size of the output set P¯ will be concentrated around t. The second sampler denoted by RandSet is the straight-forward way to sample a random subset of t parties from P without replacement: Order the parties according to the output of h on input (pid, r) and select the ones with the highest value (where the output h is taken as the standard binary representation of integers). It follows directly from the fact that h behaves as a random oracle—and, therefore, assigns to each Pi ∈ P a random number from {0, . . . , 2k − 1}—that the above algorithm uniformly samples a set P¯ ⊂ P of size t out of all the possible size-t subsets of P. For completeness we have included detailed description of both samplers in [21]. Given the above two samplers, we can provide the formal description of our PoR-fair lottery, see Fig. 1. Theorem 1 states the achieved security. Theorem 1 (Reputation-Fair Lottery for m = O(1)-tiers). In the above ˆ Rep, (c1 , . . . , cm ), δ, , r), let , δ > 0 be strictly positive constants, lottery L(P, and for each i ∈ {1, . . . , m = O(1)}, let Xi be the random variable (r.v.) corresponding to the number of parties in the final committee that are from set Pˆi ; 12 13

In our blockchain construction, pid will the P ’s public key. In the random oracle model, r can be any unique nonce; however, for the epochresettable-adversary extension of our lottery we will need r to be a sufficiently fresh random value. Although most of our analysis here is in the static setting, we will still have r be such a random value to ensure compatibility with dynamic reputation.

Proof-of-Reputation Blockchain with Nakamoto Fallback

29

ˆ Rep, (c1 , . . . , cm = 1), δ, , r) L(P, 1. Divide the reputation parties into m tiers Pˆ1 , . . . , Pˆm as follows,a : For i = 0 . . . , m − 1, define Pˆm−i to be the set of parties in Pˆ with reputation Repj ∈ i (m + δ, i+1 + δ]. m 2. Initialize P¯i := ∅ for each i ∈ [m]. 3. For each i = 1, . . . , m: αi := |Pˆi |. 4. For each i = 1, . . . , m − 1: Let  m i αi+1 m j=1 αj j=i cj − αi j=i+1 cj log1+ n i = m m c α α q i+1 i j=1 q=j and let

m j=1 αj m := m m j=1

1 log1+ n c α q m q=j

5. For each i = 1, . . . , m − 1 do the following: – If | ∪ij=1 Pˆj | ≥ i : (a) Invoke Rand(∪ij=1 Pˆj , i ; (r||i)) to choose a set Qi of parties uniformly at random from ∪ij=1 Pˆj . ¯ ¯ ¯ ˆ (b) For each j ∈ [i] compute Qcol i,j := Qi ∩ Pj and update Pj := Pj ∪(Qi ∩ Pj ). (c) For each j ∈ [i] if Qcol i,j = ∅, then i. if |Pˆj \ P¯j | < |Qcol i,j | then reset the lottery and select Psel as the output of Amax . ii. Else + • Invoke RandSet(Pˆj \ P¯j , |Qcol i,j |; (r||i||j)) to choose a set Qi,j ; + ¯ ¯ • For each j ∈ [i] update Pj := Pj ∪ Qi,j . + m iii. Set Q+ i := ∪j=1 Qi,j i – Else (i.e., | ∪j=1 Pˆj | < i ): Reset the lottery and select (and output) Psel as the output of Amax for choosing log1+ n. ¯ 6. If the lottery was not reset in any of the above steps, then set Psel := ∪m j=1 Pj (= + ∪m (Q ∪ Q )) and output P . i sel i=1 i a

Where δ can be an arbitrary small constant.

Fig. 1. c-fair reputation-based lottery for m = O(1) tiers

ˆ

and for each i ∈ [m] let ci = max{c, c |Pˆ|Pi | | } where c = O(1) such that for i+1

1 ≤ m−2 some constant ξ ∈ (0, 1) : cm−1 2m − ξ. If for some constant f ∈ (0, 1/2) the reputation system Rep is f -feasible for a static Rep-bounded adversary A, then for the set Psel of parties selected by L the following properties hold with overwhelming probability (in the security parameter k):

1. |Psel | = Θ(log1+ n) 2. for some constant δ > 0 adversary A corrupts at most an 1/2 − δ fraction of the parties in Psel 3. If every set Pˆi has at least γ · log1+ n parties for some γ > 1, then the lottery is c-fair.

30

L. Kleinrock et al.

The complete proof can be found in [21]. In the following we included a sketch of the main proof ideas. Proof (sketch). We consider two cases: Case 1: L noes not reset, and Case 2: L resets. In Case 1, The lottery is never reset. This case is the bulk of the proof. First, using a combination of Chernoff bounds we prove that the random variable Xi corresponding to the number of parties from Pˆi selected in the lottery is concentrated around the (expected) value: xi := Exp(Xi ) = αi ·

m  j=i

j

j

q=1

(1)

αq

i.e., for any constant λi ∈ (0, 1): Pr [|(1 − λi )xi ≤ Xi ≤ (1 + λi )xi ] ≥ 1 − μi (k),

(2)

Hence, by inspection of the protocol one can verify that the xi ’s and the j ’s satisfy the following system of linear equations: (x1 , . . . , xm )T = B · (1 , . . . , m )T

(3)

Where B is an m × m matrix with the (i, j) position being  Bi,j =

j

αi

q=1

αq

, if i ≥ j

0, otherwise

The above system of m equations has 2 m unknowns. To solve it we add the following m equations which are derived from the desired reputation fairness: For each i ∈ [m − 1] : (4) xi := ci · xi+1 and

m 

xi = log1+ k

(5)

i=1

This yields 2 m linear equations. By solving the above system of equations we can compute: i

i =

j=1 αj m j j=1 q=1 cq

for each i ∈ [m − 1], and

αi+1

m

j=i cj

− αi

m

j=i+1 cj

αi+1 αi m

j=1 αj m := m m j=1

1 log1+ n. α c m q q=j

log1+ n,

Proof-of-Reputation Blockchain with Nakamoto Fallback

31

This already explains some of the mystery around the seemingly complicated choice of the i ’s in the protocol. m Next we observe that for each j ∈ [m] : i=1 Bi,j = 1 which implies that m 

j =

j=1

m 

Eq. 5

xi = log1+ k

(6)

i=1

Because in each round we choose parties whose number is from a distribution centered around  i , the above implies that the sum of the parties we sample is m centered around j=1 j = log1+ k which proves Property 1. Property 2 is proven by a delicate counting of the parties which are corrupted, using Chernoff bounds for bounding the number of corrupted parties selected by Rand (which selects with replacement) and Hoeffding’s inequality for bounding the number of parties selected by RandSet (which selects without replacement). The core idea of the argument is that because the reputation in different tiers reduces in a linear manner but the representation to the output of the lottery reduces in an exponential manner, even if the adversary corrupts for free all the selected parties from the lowest half reputation tiers, still the upper half will have a strong super-majority to compensate so that overall the majority is honest. Finally, the c-fairness (Property 3) is argued as follows: – The c-Representation Fairness follows directly from Eqs. 1, 2 and 4. – The non-discrimination property follows from the fact that our lottery picks each party in every Pˆi with exactly the same probability as any other party. – The c-Selection Fairness is proved by using the fact that the nondiscrimination property mandates that each party in Psel ∩ Pˆi is selected ˆi | ∩P . By using our counting of the sets’ cardinaliwith probability pi = |Psel ˆi | |P pi ties computed above we can show that for any constant c < c: pi+1 ≥ c . In Case 2, The lottery is reset and the output Psel is selected by means of invocation of algorithm Amax . This is the simpler case since Lemma 1 ensures that if the reputation system is f -feasible, then a fraction 1/2 + f of the parties in Psel will be honest except with negligible probability. Note that Amax is only invoked if a reset occurs, i.e., if in some step there are no sufficiently many parties to select from; this occurs only if any every set Pˆi does not have sufficiently many parties to choose from. But the above analysis, for δ < γ − 1, the sampling algorithms choose at most (1 + δ) log1+ n with overwhelming probability. Hence when each Pˆi has size at least γ · log1+ n, with overwhelming probability no reset occurs. In this case, by inspection of the protocol one can verify that the number of selected parties is |Psel | = log1+ n.

4

The PoR-Blockchain

We next describe how a PoR-fair lottery can be used to obtain a PoR-blockchain. The ground truth of the blockchain is recorded on the genesis block which

32

L. Kleinrock et al.

includes the (initial) set of reputation parties, their public keys, and the corresponding reputation vector. We assume a canonical way of validating transactions submitted in the same round, e.g., if two received transactions which have not-yet been inserted into a block would contradict each other (e.g., correspond to double-spending), a default rule of ignoring both can be adopted. We abstract this by means of a predicate Validate, that takes as input a sequence T (of transactions) along with a current vector TH of transaction history—composed by concatenating the transactions in the blockchain, and outputs a subset T  ⊆ T such that TH ||T  is a valid sequence of transactions. The idea of the protocol for proposing and agreeing on the block of any given slot is as follows: A small (i.e., polylogarithmic) slot-committee CBA is chosen using our above lottery—recall that the lottery will guarantee that the majority in CBA is honest and therefore it can run Byzantine agreement protocols (Consensus and Broadcast). From CBA a smaller (constant-size) committee CBC is randomly chosen to broadcast its transactions to everyone. Note that whenever in our protocol we say that a party P broadcasts a message, we mean that a Byzantine broadcast protocol is executed with P as sender; to avoid confusion we will signify this by saying that the message is broadcasted by means of protocol Broadcast. We will use multicasting to refer to the process of sending a message through the diffusion network to all parties. Using Broadcast to communicate the transactions known to CBC allows us to agree on the union of all transactions known to these parties. However, broadcasting to the whole player set has a big communication and round overhead. To avoid the overhead we use the following idea: Recall that the parties in CBA are all reputation parties and can therefore communicated directly. Thus, instead of directly broadcasting to the whole party set P the parties in CBC broadcast to the parties in CBA .14 The security of the broadcast protocol ensures that the parties in CBA agree on the broadcasted messages and therefore also on the union. What remains is to extend this agreement to the whole player set. This can be easily done since the majority of the parties in CBA is honest: Every party in CBA signs the union of the received broadcasted messages and sends it to every party in P. The fact that CBA has honest majority implies that the only message that might be accepted is this agreed upon union. Hence, once any P ∈ P receives such a majority-supported set, he can adopt it as the contents of this slot’s block. The above approach brings an asymptotic reduction on the communication complexity of the protocol from Ω(n2 ) down to O(n log n), for some constant  > 1. (The worst-case round complexity also has an asymptotic reduction but this depends on the actual reputation system and the choice of protocol Broadcast.) Additionally, the fact that reputation parties communicate 14

For clarity in our description we will use a deterministic broadcast protocol for Broadcast, e.g., the Dolev-Strong broadcast protocol [13] for which we know the exact number of rounds. However, since our lottery will ensure honest majority in CBA , using the techniques by Cohen et al. [10, 11], we can replace the roundexpensive Dolev-Strong broadcast protocol by an randomized, expected-constant round broadcast protocol for honest majorities, e.g., [19].

Proof-of-Reputation Blockchain with Nakamoto Fallback

33

over point-to-point (rather than gossiping) network is likely to further to improve the concrete communication complexity, at least for certain network topologies. A remaining question is: Where does the randomness for the selection of CBA and CBC come from? For the static reputation-restricted adversary considered here, we extract the randomness for choosing each CBA by repeated calls to the random oracle. In [21] we discuss how we can extend our treatment using standard techniques to tolerate epoch-resettable adversaries. The formal description of the protocol for announcing and agreeing on the next block can be found in Fig. 2. The proof of the following theorem follows the above line of argument and can also be found in [21].

ˆ P, Rep, Bρ−1 , ρ, δ, , L = O(1)): BlockAnnounce(P, 1. Each party in P locally runs the reputation-fair lottery ˆ Rep, (c1 , . . . , cm ), δ, , h(ρ||0)), where the cj s are as in Theorem 1, to sample L(P, a set CBA ⊂ Pˆ (of size polylog(n)); out of this set, the parties choose a random subset CBC of constant size L = O(1) by invoking RandSet(CBA , L; h(ρ||1)). 2. Each party Pˆi ∈ CBC acts as sender in an invocation of Broadcast with receivers the parties in CBA and input Pˆi ’s current transaction pool Ti ; Pˆi removes the broadcasted transactions from its local transaction pool. 3. All parties in CBA compute Tˆ = Validate(TH , T ) for T = ∪pi ∈CBC Ti . If some party Pˆj ∈ CBC did not broadcast a valid message in the previous round of the protocol, then all parties in CBA set Tj = {(abort, j)}. 4. Every Pˆj ∈ CBA signs h(Tˆ, h = h(Bρ−1 ), ρ), where Bρ−1 is the previous block,a and sends it to every party in CBC . 5. Each Pˆi ∈ CBC : If Pˆi receives at least |CBA |/2 signatures from parties in CBA on some (Tˆ, h), where ρ is the current slot and h = h(Bρ−1 ) is a valid hash pointer to the previous block, then Pˆi multicasts (Tˆ, h, ρ) along with all the corresponding signatures to all parties in P. 6. Each Pi ∈ P: Upon receiving any (Tˆ, h, ρ) along with signatures on it from at least |CBA |/2 parties from CBA , create a block consisting of (Tˆ, h, ρ) and the related signatures and add this block to the local (blockchain) ledger state as the current slot’s block and mark the current slot as completed. a

As is common in blockchains assuming a compact representation of the block, e.g., a Merkle-tree will allow for more efficiency by signing just the root.

Fig. 2. Block announcing protocol for Slot ρ

Theorem 2. Let Rep be a reputation system,  and δ be small positive constants, L denote our sampling algorithm (lottery) discussed in the previous section used for choosing CBA according to Rep, and the ci ’s be as in Theorem 1. If for a static adversary A, Rep is -feasible, and all parties in Pˆρ participate in slot ρ then in protocol BlockAnnounce, every node in P adds the same block on his local blockchain for slot ρ. Moreover, this block will include the union of all transactions known to parties in CBC at the beginning of round ρ.

34

L. Kleinrock et al.

Using BlockAnnounce it is straightforward to build a blockchain-based ledger: In each round parties collect all valid transactions they know and execute BlockAnnounce. For completeness, we provide a description of this simple reputation-based blockchain ledger protocol in [21]. Its security follows directly from the above theorem. We remark that although the above theorem is proven for static reputations and adversaries, its proof can be extended, using standard techniques, to dynamic reputation systems with epoch-resettable adversaries. This extension will also extend the corresponding PoR-based blockchain protocol to that setting.

5

The PoR/PoS-Hybrid Blockchain

As discussed in the introduction, a purely PoR-based blockchain protocol can be insecure if the reputation system is inaccurate. To fortify our ledger against such a situation we do the following: In parallel to the PoR-based blockchain above, we run an independent (and potentially slower) Nakamoto-style ledger protocol. As discussed, we focus our description on Proof-of-Stake-based blockchain (in short, PoS-blockchain) but our treatment can be applied to proof-of-work or even iterated-BFT ledger protocols [3]. As long as the majority of the stake is in honest hands the back-up PoS-blockchain will ensure that an inaccurate (or manipulated) reputation system does not result in an insecure ledger. More concretely, our PoR/PoS-hybrid design ensures the following: If the reputation system is accurate, i.e., it reflect the actual probabilities that the parties behave honestly, then our protocol will be secure and achieve the claimed efficiency. If the reputation is inaccurate and, as a result, a fork is created, but the honest majority of stake assumption holds, then parties will be able to detect the fork—and agree on this fact—within a small number of rounds. We stress that our design uses the assumptions in a tired manner: as long as the reputation system is accurate, the backup blockchain can neither yield false detection positives nor slow down the progress of the PoR-blockchain, even if the majority stake in the system has shifted to malicious parties (in which case the back-up PoS-blockchain might fork). However, if both accuracy of reputation and honest majority of stake fail, the security of the system cannot be guaranteed as with any construction based on assumptions. Here is how our hybrid ledger works: In every round the reputation parties post to the backup PoS-blockchain, the current slot’s hash pointers. This way every party will be able to efficiently verify their local view by comparing their local hashes to the ones posted on the backup blockchain. If any honest party observes a discrepancy, then she can complain by posting the block in his local PoR-chain, which is inconsistent with the pointer seen on the backup PoS-blockchain, along with the supporting set of signatures. We refer to this complaint as an accusation and to the party that posts it as an accuser. If the accuser fails to present a valid view (i.e., a block with sufficient signatures from the corresponding slot committee) then the accusation is considered invalid and the dispute is resolved in favor of the reputation party that had initially posted

Proof-of-Reputation Blockchain with Nakamoto Fallback

35

the disputed hash pointer, hereafter referred to as the accused party. Otherwise, the accused party will need to respond by posting (as a transaction on the backup PoS-blockchain) his own view of the disputed block. If this party fails, then the dispute is considered resolved in favor of the accuser. Otherwise, if both the accuser and the accused party post support on their claims, every party will be able to observe this fact and detect that the PoR-chain forked. In either case, any such accusation will result in detecting a malicious party: either the accuser, or the accused or some party that issued conflicting signatures on the PoR blockchain. (The detected party’s reputation will be then reduced to 0 and the party will be excluded from the protocol.) The detailed specification of our PoR/PoS-hybrid protocol ΠBC PoR/PoS is provided in [21] along with the proof of the following theorem, where we say that the reputation system is accurate if it reflects, within a negligible error the actual probabilities that the reputation parties are honest: Theorem 3. Let, , δ, c and L be as in Theorem 2. The following properties hold with overwhelming probability assuming that the reputation system is f feasible for some constant f ∈ (0, 1): If the PoR-system is accurate, then protocol ΠBC PoR/PoS satisfies the following properties except with negligible probability in the presence of a static Rep-adversary: – Safety (with Finality): At the end of every block-slot, all reputation parties have the same view of the blockchain. – Block Liveness: A new block is added to each local chain held by any reputation party at the end of each slot. – Transaction Liveness: Assuming all honest reputation parties receive a transaction, this transaction will be added to the blockchain within  slots except with probability 2−|CBC | . Furthermore, even if the reputation system is faulty (e.g., inaccurate) but the majority of the stake is held by honest parties, then if safety is violated, ΠBC PoR/PoS will publicly detect it (i.e., agreement on this fact will be reached among all parties) within 2k blocks of the PoS-blockchain. Note that since all honest (non-reputation) parties are connected with the reputation parties via a diffusion network, all that above guarantees will also be offered to them with a delay equal to the maximum delay for any message from a reputation party to reach a non-reputation party in the network. Detecting Liveness Attacks. The above design detects safety violations, i.e., forks, but does not detect the following attack on liveness: A flawed reputation system might allow the attacker controlling a majority of slot committee members to prevent the blockchain from advancing, by not issuing a block signed with sufficiently many signatures. Nonetheless, a mild additional assumption on the accuracy of the reputation system, i.e., that within a polylogarithmic number of rounds an honest-majority committee will be elected, allows to break this deadlock and detect such an attack. In a nutshell, to make sure the above attack

36

L. Kleinrock et al.

to liveness is exposed we employ the following mechanism: In every round, if a reputation party does not receive any block with majority support from the current committee in the last round of BlockAnnounce, then it issues a complaint on the fallback chain. If for any upcoming round ρ there have been complaints posted on the main chain by a majority of the members of CBA corresponding to round ρ, then the parties decide that the PoR-blockchain has halted. This ensure that at the latest when the next honest majority committee is elected, the above liveness attack will be exposed. We refer to [21] for a more detailed discussion.

6

Conclusions and Open Problems

Reputation has the potential to yield a highly scalable decentralized ledger. However, one needs to be careful in using it as it is a manipulable and subjective resource. We put forth and proved the security of a hybrid design which enjoys efficiency and scalability benefits by using reputation, while fortifying its security with a fallback blockchain relying on standard assumption such as honest majority of stake. Central in our treatment is a new (reputation-)fairness notion which aims to facilitate inclusivity of the resulting system. Our work establishes the basic security principles and the core distributed protocol of such a fair PoR/PoS-hybrid blockchain ledger. We believe that our treatment will seed a further investigation of reputation as a venue for scalable decentralization. To this direction, in addition to the various extensions pointed to throughout the paper and discussed in [21], there are two important research directions: (1) A rational analysis and associated mechanism that add economic robustness to the arguments and demonstrate the decentralization forces, and (2) a reliable mechanism for assigning reputation of the parties, e.g. using AI, and adjusting it according to their behavior both in the protocol, as well as potentially on the external recommendation systems. Acknowledgements. This research was supported by Sunday Group, Inc. A full version of this work can be found on the Cryptology ePrint Archive [21]. The authors would like to thank Yehuda Afek for useful discussions.

References 1. Asharov, G., Lindell, Y., Zarosim, H.: Fair and efficient secure multiparty computation with reputation systems. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 201–220. Springer, Heidelberg (2013). https://doi.org/ 10.1007/978-3-642-42045-0 11 2. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 913–930. ACM Press (2018) 3. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Consensus redux: distributed ledgers in the face of adversarial supremacy. Cryptology ePrint Archive, Report 2020/1021 (2020). https://eprint.iacr.org/2020/1021

Proof-of-Reputation Blockchain with Nakamoto Fallback

37

4. Badertscher, C., Maurer, U., Tschudi, D., Zikas, V.: Bitcoin as a transaction ledger: a composable treatment. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 324–356. Springer, Cham (2017). https://doi.org/10.1007/978-3319-63688-7 11 5. Bentov, I., Hub´ aˇcek, P., Moran, T., Nadler, A.: Tortoise and hares consensus: the meshcash framework for incentive-compatible, scalable cryptocurrencies. IACR Cryptology ePrint Archive 2017/300 (2017) 6. Biryukov, A., Feher, D., Khovratovich, D.: Guru: universal reputation module for distributed consensus protocols. Cryptology ePrint Archive, Report 2017/671 (2017). http://eprint.iacr.org/2017/671 7. Buterin, V.: A next-generation smart contract and decentralized application platform (2013). https://github.com/ethereum/wiki/wiki/White-Paper 8. Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000) 9. Chow, S.S.M.: Running on karma – P2P reputation and currency systems. In: Bao, F., Ling, S., Okamoto, T., Wang, H., Xing, C. (eds.) CANS 2007. LNCS, vol. 4856, pp. 146–158. Springer, Heidelberg (2007). https://doi.org/10.1007/9783-540-76969-9 10 10. Cohen, R., Coretti, S., Garay, J., Zikas, V.: Probabilistic termination and composability of cryptographic protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 240–269. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-53015-3 9 11. Cohen, R., Coretti, S., Garay, J.A., Zikas, V.: Round-preserving parallel composition of probabilistic-termination cryptographic protocols. In: Chatzigiannakis, I., Indyk, P., Kuhn, F., Muscholl, A. (eds.) ICALP 2017, LIPIcs, vol. 80, pp. 37:1– 37:15. Schloss Dagstuhl (2017) 12. David, B., Gaˇzi, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptivelysecure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8 3 13. Dolev, D., Strong, H.R.: Authenticated algorithms for byzantine agreement. SIAM J. Comput. 12(4), 656–666 (1983) 14. Gai, F., Wang, B., Deng, W., Peng, W.: A reputation-based consensus protocol for peer-to-peer network. In: DASFAA, Proof of Reputation (2018) 15. Garay, J., Ishai, Y., Ostrovsky, R., Zikas, V.: The price of low communication in secure multi-party computation. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 420–446. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-63688-7 14 16. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/9783-662-46803-6 10 17. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. Cryptology ePrint Archive, Report 2017/454 (2017). http://eprint.iacr.org/2017/454 18. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) 19. Katz, J., Koo, C.-Y.: On expected constant-round protocols for byzantine agreement. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 445–462. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175 27

38

L. Kleinrock et al.

20. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-63688-7 12 21. Kleinrock, L., Ostrovsky, R., Zikas, V.: A por/pos-hybrid blockchain: proof of reputation with nakamoto fallback. Cryptology ePrint Archive, Report 2020/381 (2020). https://eprint.iacr.org/2020/381 22. Magri, B., Matt, C., Nielsen, J.B., Tschudi, D.: Afgjort - a semi-synchronous finality layer for blockchains. IACR Cryptology ePrint Archive, 2019/504 (2019) 23. Miller, A., Xia, Y., Croman, K., Shi, E., Song, D.: The honey badger of BFT protocols. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 31–42. ACM Press (2016) 24. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). http://bitcoin. org/bitcoin.pdf 25. Ostrovsky, R., Yung, M.: How to withstand mobile virus attacks (extended abstract). In: Logrippo, L. (ed.) Proceedings of the 10th ACM PODC, pp. 51– 59. ACM (1991) 26. Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-56614-6 22 27. Pass, R., Shi, E.: Thunderella: blockchains with optimistic instant confirmation. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 3–33. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8 1 28. Yu, J., Kozhaya, D., Decouchant, J., Esteves-Verissimo, P.: RepuCoin: your reputation is your power. IEEE Trans. Comput. 68(8), 1225–1237 (2019)

Transciphering, Using FiLIP and TFHE for an Efficient Delegation of Computation Cl´ement Hoffmann1(B) , Pierrick M´eaux1(B) , and Thomas Ricosset2(B) 1

ICTEAM/ELEN/Crypto Group, Universit´e catholique de Louvain, Louvain la neuve, Belgium {clement.hoffmann,Pierrick.meaux}@uclouvain.be 2 Thales, Gennevilliers, France [email protected] Abstract. Improved filter permutators are designed to build stream ciphers that can be efficiently evaluated homomorphically. So far the transciphering with such ciphers has been implemented with homomorphic schemes from the second generation. In theory the third generation is more adapted for the particular design of these ciphers. In this article we study how suitable it is in practice. We implement the transciphering of different instances of the stream cipher family FiLIP with homomorphic encryption schemes of the third generation using the TFHE library. We focus on two kinds of filter for FiLIP. First we consider the direct sum of monomials, already evaluated using HElib and we show the improvements on these results. Then we focus on the XOR-threshold filter, we develop strategies to efficiently evaluate any symmetric Boolean function in an homomorphic way, allowing us to give the first timings for such filters. We investigate different approaches for the homomorphic evaluation: using the leveled homomorphic scheme TGSW, an hybrid approach combining TGSW and TLWE schemes, and the gate boostrapping approach. We discuss the costs in time and memory and the impact on delegation of computation of these different approaches, and we perform a comparison with others transciphering schemes. Keywords: Homomorphic encryption · TFHE · Improved filter permutator · Transciphering

1 Introduction Fully homomorphic encryption (FHE) enables to perform computations over encrypted data without decryption nor learning information on the data. Since the first construction due to Gentry [21] in 2009, FHE is considered as the main solution to conceive a secure delegation of computation. The principle is the following: the delegating party, say Alice, encrypts her data using a FHE scheme and sends it to the computing party, say Bob. He evaluates the functions asked by Alice on her encrypted data, and sends back the encrypted results, without learning the values of the data sent by Alice. Two main efficiency problems arise with this framework: the FHE ciphers are costly to compute for Alice, and the expansion factor between the plaintext size and the ciphertext size is prohibitive. Instead, an efficient framework to delegate computations is obtained with C. Hoffmann—This work has been done during an internship at Thales. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 39–61, 2020. https://doi.org/10.1007/978-3-030-65277-7_3

40

C. Hoffmann et al.

an hybrid scheme, combining symmetric encryption (SE) and homomorphic encryption [31]. In this framework, Alice uses a classic symmetric scheme to encrypt her data before sending it to the server. The advantages of the SE schemes are the computation by devices with limited computational power or storage, and the optimal expansion factor: the ciphertext size is exactly the data size. Then, Bob transciphers these SE ciphertexts: he homomorphically evaluates the SE decryption to get homomorphic ciphertexts of Alice’s data. Finally, Bob performs the computations required by Alice on the encrypted data and sends back the encrypted results, as in the initial framework. With such hybrid framework, an efficient transciphering gives an efficient delegation of computation. Fully homomorphic encryption allows to evaluate any function, then the efficiency of this evaluation depends on how the function can be expressed in the native operations of the FHE scheme. Following Gentry’s blueprint, FHE schemes are based on a somewhat encryption scheme and a bootstrapping. The somewhat (or leveled) scheme allows to perform a limited amount of two different operations, for example XOR and AND. In an homomorphic ciphertext the message is masked by a quantity of noise, and this noise is increasing during the operations, more or less importantly depending on the operation nature. The bootstrapping is the key technique that resets a ciphertext to be used again in the somewhat encryption scheme. The different costs in time (and storage) between the homomorphic operations and the bootstrapping depend on the FHE scheme, usually1 there is the following hierarchy of cost: one operation is more efficient than the other, and the bootstrapping is way more costly than the operations. Therefore, an efficient transciphering is obtained by a SE scheme which decryption function is fitting with the FHE cost hierarchy. State-of-the-Art. The so-called second generation (2G) of FHE which is represented by the schemes [5, 6, 20, 26] has been widely used to implement transcipherings, using open-source libraries such as HElib [24] and SEAL [10]. In these schemes the multiplication increases the noise way more than the addition and the bootstrapping is very costly. Therefore, when evaluating a function as a circuit, the multiplicative depth dictates the efficiency. The SE schemes considered for transciphering have been standard schemes with low multiplicative depth such as: AES [15, 22], Simon [25], Prince [17] and Trivium [8]. More recent SE schemes are designed for advanced primitive such as multi-party computation, zero-knowledge and FHE and share the property of having a low multiplicative depth, and they give the most efficient transciherings so far. It is the case of the block-cipher LowMC [3, 4], and the stream-ciphers Kreyvium [8], FLIP [30], Rasta [16], and FiLIP [29]. The third generation (3G), beginning with GSW scheme [23] has a very different cost hierarchy. The multiplication is still more costly than the addition, but the error growth is asymmetric in the two operands, then long chains of multiplications can be evaluated without bootstrapping. The multiplicative depth does not dictate the efficiency in this case, and other SE schemes could give a better transciphering. This generation also allows the gate-bootstraping [11, 18], to evaluate a Boolean gate and perform the bootstrapping at the same time, as quick as 13 ms [12] over the TFHE library [14]. The 3G is promising for transciphering but none has been realized so far. The main reasons were the crippling sizes of the original ciphertexts in comparison with the 2G, and the difficulty to adapt a SE scheme to this particular cost hierarchy. 1

The situation is different for FHE schemes that apply a bootstraping at each gate.

Transciphering, Using FiLIP and TFHE

41

In this work we realize a transciphering with a FHE scheme of third generation. The SE scheme we consider is FiLIP [29], a stream-cipher designed for homomorphic evaluation. The principle of this stream cipher is to restrict the homomorphic computation to the evaluation of its filter: only one Boolean function f . For the security point of view, the filter needs to fulfill various cryptographic criteria on Boolean functions to resist known attacks up to a fixed level of security. If this filter can be evaluated appropriately with the homomorphic cost hierarchy, then the whole transciphering is efficient. We implement the transciphering using the TFHE library [14], offering different HE schemes of the third generation. We focus primarily on a version of the TGSW scheme, a variant of GSW [23] over the torus. Contributions. We analyse the homomorphic evaluation of FiLIP with the TGSW scheme, we implement the transcipherings with two families of filters, using three homomorphic schemes of the third generation. We study the homomorphic error growth of FiLIP with TGSW for two kinds of filters: direct sum of monomials (DSM) [29] and XOR-threshold functions suggested in [28]. For the DSM filter the bound on the error generalizes the bound of [30] on FLIP functions with GSW. To analyze the error growth of the second filter we show how to efficiently evaluate any symmetric Boolean function in 3G, and more particularly threshold functions. Then we bound the ciphertext error for XOR-threshold filters, confirming that a function with high multiplicative depth can be efficiently evaluated. We implement the two different kinds of filters for instances designed for 128 bitsecurity with TGSW. We analyse the noise in practice and the timings of this transciphering, which gives a latency of less than 2 s for the whole transciphering. We give a comparison with transcipherings from former works using the second homomorphic generation (on HElib for instance). For an equivalent resulting noise and security level, the latency of our transciphering is better than for the ones already existing. Finally, we implement the same variants of FiLIP with an a hybrid TGSW/TLWE scheme and with the gate-bootstrapping FHE of [12], reaching a latency of 1.0s for an only-additive homomorphic scheme. We provide comparisons between the three evaluations of FiLIP we implemented and the evaluation over HElib in [29]. Roadmap. In Sect. 2, we remind definitions and properties from the TFHE scheme and FiLIP and describe the TGSW scheme we will use. In Sect. 3, we study the homomorphic evaluation of FiLIP filters and give a theoretical bound the noise after the transciphering. Finally, we present our practical results (resulting noises and timings) in Sect. 4 and compare our implementations to the ones already existing.

2 Preliminaries We use the following notations: – B denotes the set {0, 1}, and [n] the set of integers from 1 to n. $

– x← − S means that x is uniformly randomly chosen in a set S. – T denotes the real torus R/Z, i.e. the real numbers modulo 1. – TN [X] denotes R[X]/(X N + 1) (mod 1), R denotes the ring of polynomials Z[X]/(X N + 1) and BN [X] denotes B[X]/(X N + 1).

42

C. Hoffmann et al.

– Vectors and matrices are denoted in bold (e.g. v, A). Mm,n (S) refers to the space of m × n dimensional matrices with coefficients in S. – wH denotes the Hamming weight of a binary vector. – MUX refers to the multiplexer: for binary variables MUX(x1 , x2 , x3 ) gives x2 if x1 = 0 and x3 if x1 = 1. We call x1 the control bit, x2 the value at 0 and x3 the value at 1. 2.1

Homomorphic Encryption and TFHE

In this section, we start by introducing definitions and properties from [11] on homomorphic encryption schemes and operations implemented in the TFHE library [14]. In a second time we describe the leveled homomorphic encryption scheme we will use for transciphering based on the TFHE definitions. TFHE Toolbox. The TFHE library [14] implements a gate-by-gate bootstrapping based on [11–13]. Different homomorphic encryption schemes are combined for this bootstrapping: LWE, TLWE and TGSW. We present only definitions and properties needed for the evaluation of the TGSW leveled encryption scheme we will use in this work, and refer to [11] for more details. Definition 1 (LWE samples). Let k ∈ N a dimension parameter, α ∈ R+ a noise parameter, s a uniformly distributed secret in some bounded set S ⊂ Zn . A LWE sample under the key s with noise parameter α is a couple (a, b) ∈ Tn × T where b − s, a follows a Gaussian distribution of standard deviation α. Definition 2 (TLWE samples). Let k ≥ 1, N a power of 2, α a noise parameter, $ s← − BN [X]k a TLWE secret key. A fresh TLWE sample of a message μ ∈ TN [X] with noise parameter α under the key s is a couple (a, b) ∈ TN [X]k × TN [X], where a is uniformly chosen in TN [X]k and b − s, a follows a Gaussian distribution of standard deviation α centered in μ. The scheme introduced in [11] gives a gate-bootstrapping of LWE ciphers. Instead, we focus on the homomorphic properties of TLWE: TLWE samples can be used to encrypt messages μ ∈ P ⊂ TN [X] as c = (a, b) ∈ TN [X]k × TN [X], where b = a, s + μ + e ∈ TN [X]. This variant of Regev’s secret key encryption scheme is additively homomorphic as far as each coefficient of e is smaller than half the minimal distance between the coefficients of two possible messages. The introduction of TGSW ciphers with a decomposition of TLWE ciphers gives us a multiplicative homomorphic scheme. Definition 3 (Gadget decomposition). For Bg ∈ N, let define the gadget matrix H ∈ M(k+1)·,k+1 (TN [X]) as:

Transciphering, Using FiLIP and TFHE



1/Bg ⎜ .. ⎜ . ⎜ ⎜ 1/Bg ⎜ ⎜ H = ⎜ ... ⎜ ⎜ 0 ⎜ ⎜ . ⎝ .. 0

43

⎞ ... 0 . ⎟ .. . .. ⎟ ⎟ ... 0 ⎟ ⎟ . ⎟ .. . .. ⎟ ⎟ . . . 1/Bg ⎟ ⎟ .. ⎟ .. . . ⎠ . . . 1/Bg

Decomph,β, (v) is a decomposition algorithm on the gadget H with quality β and precision  if and only if, for any TLWE sample v ∈ TN [X]k+1 , it efficiently and publicly outputs a small vector u ∈ R(k+1) such that ||u||∞ ≤ β and ||u×H−v||∞ ≤ . Furthermore, the expectation of u × H − v must be 0 when v is uniformly distributed in TN [X]k+1 . B

Such a decomposition with β = 2g and  = in [11]. It allows to define TGSW samples:

1 2Bg

exists and an example is described

Definition 4 (TGSW samples). Let  and k ≥ 1 two integers, α ≥ 0 a noise parameter and H the gadget matrix. Let s ∈ BN [X]k a TLWE key, then C ∈ M(k+1),k+1 (TN [X]) is a fresh TGSW sample of μ ∈ R such that μ · H = 0 with noise parameter α if and only if C = Z + μ · H where each row of Z ∈ M(k+1),k+1 (TN [X]) is a TLWE cipher of 0 with noise parameter α. Note that the product between μ and H is the R-module product, which means that each coefficient of H is multiplied by μ. TGSW ciphers remain homomorphically additive, and we can now introduce the homomorphic multiplications: Definition 5 (External and internal products). Let define the external product  and internal product  as:  : TGSW × TLWE → TLWE (A, b) → A  b = DecompH,β, (b) · A  : TGSW × TGSW → TGSW



⎜ (A, B) → A  B = ⎝

A  b1 .. .

⎞ ⎟ ⎠

A  b(k+1) where ∀i ∈ {1, . . . , (k + 1)}, bi corresponds to the i-th line of B. A TGSW Somewhat Homomorphic Scheme. We describe a version of TGSW as a somewhat homomorphic encryption scheme, allowing to perform a bounded number of additions and multiplications. We consider a secret key scheme with plaintext space P = {0, 1}.

44

C. Hoffmann et al.

Definition 6 (TGSW leveled homomorphic encryption scheme). Let k, N ∈ N∗ , N a power of 2 the dimension parameters. Let , Bg ∈ N the decomposition parameters. Let α ∈ R+ the noise parameter. $

− BN [X]k . – KeyGen(k, N ). From dimension parameters k, N , output sk ← k – Enc(sk, μ, , Bg , α). Using as inputs sk ∈ BN [X] , μ ∈ {0, 1}, , Bg decomposition parameters, and α the noise parameter: $ • Pick A ← − M(k+1),k (TN [X]). • Compute e = (ei )i∈[(k+1)] ∈ TN [X](k+1) where each ei follows a centered Gaussian distribution of standard deviation α. ⎞ ⎛ a1 , sk + e1 ⎟ ⎜ .. • Compute Z = ⎝ A ⎠ ∈ M(k+1),k+1 (TN [X]). . a(k+1) , sk + e(k+1) • Output C = Z + μ · H. – Dec(sk, C, , Bg ). Using as inputs the secret key sk, and a ciphertext C, • Denote (a, b) ∈ TN [X]k × TN [X] the (k + 1)th line of C, compute ϕ = b − sk, a ∈ TN [X]. • Round up the constant coefficient of ϕ to the closest Big ∈ T where i ∈ N, im . denoted B g • Output m ∈ {0, 1} the parity of im . – The Eval algorithm consists in iterating the homomorphic operations Add and Mul. • Add(C1 , C2 ) : C+ = C1 + C2 . • Mul(C1 , C2 , Bg , ) : C× = C1  C2 .

With this scheme, a TGSW ciphertext remains valid as far as the error terms are lower than 2B1 g . To follow the noise evolution with the homomorphic computations we use a worst case bound on the error coefficients (infinite norm), or an average bound on the variance of these coefficients, using the independence assumption formalized in [11]. To relate the error norm and the variance we use the Markov’s inequality applied on subgaussians as in [11], it allows to estimate the maximal variance that can be tolerated for a fixed decryption failure. Assumption 1 (Independence Heuristic ([11] Assumption 3.6, [13] Assumption 3.11)). All the coefficients of the error of TLWE or TGSW samples that occur in all the operations we consider are independent and concentrated. More precisely, they are σ-subgaussian where σ is the square-root of their variance. Proposition 1 (Markov’s inequality on subgaussians [11]). Let X be a σt2

subgaussian then ∀t > 0, P (|X| > t) ≤ 2e− 2σ2 . We summarize the noise evolution during the homomorphic evaluation proven in [11]. The equations are simplified since μ ∈ {0, 1}: since the plaintexts are binary, they directly appear in the noise formula.

Transciphering, Using FiLIP and TFHE

45

Proposition 2 (TGSW noise evolution, adapted form [11]). Using the notations of Definition 6, for i ∈ [3] let Ci be a TGSW cipher of μi with error noise variance Vi and infinite norm εi . We denote by V+ and ε+ the error variance and infinite norm of C1 +C2 , by V× and ε× the error variance and infinite norm of C1 C2 , by VM and εM the error variance and infinite norm of MUX(C1 , C2 , C3 ) = C1  (C3 − C2 ) + C2 . Then: ⎧ V+ ≤ V 1 + V 2 , ⎨ ε+ ≤ ε1 + ε 2 , V× ≤ c3 V1 + μ1 (c4 + V2 ) , ε× ≤ c1 e1 + μ1 (c2 + e2 ) , ⎩ εM ≤ max(ε2 , ε3 ) + c1 e1 + c2 , VM ≤ max(V2 , V3 ) + c3 V1 + c4 , where c1 = (k + 1)N (Bg /2), c2 = (1 + kN )/(2Bg ), c3 = (k + 1)N (Bg /2)2 , c4 = (1 + kN )/(2Bg )2 . The variances bounds are obtained assuming Assumption 1. 2.2 Boolean Functions and FiLIP We recall the definitions of a Boolean function, their common representation, and some families of functions. Definition 7 (Boolean function). A Boolean function f with n variables is a function from Fn2 to F2 . Definition 8 (Algebraic Normal Form (ANF)). We call Algebraic Normal Form of a Boolean function f its n-variable polynomial representation over F2 : 

aI xi = aI xI , f (x) = I⊆[n]

i∈I

I⊆[n]

where aI ∈ F2 . • The algebraic  degree of f equals the global degree max{I | aI =1} |I| of its ANF. • Any term i∈I xi in such an ANF is called a monomial and its degree equals |I|. Definition 9 (Direct sum of monomials & direct sum vector [30]). Let f be a Boolean function of n variables, we call f a Direct Sum of Monomials (or DSM) if the following holds for its ANF: ∀(I, J) such that aI = aJ = 1, I ∩ J ∈ {∅, I ∪ J}. Let f a DSM, we define its direct sum vector: mf = [m1 , m2 , . . . , mk ] of length k = deg(f ), where mi is the number of monomials of degree i of f : for i > 0, mi = |{aI = 1, such that |I| = i}|. Note that DSM corresponds to functions where each variable appears at most once in the ANF. Definition 10 (Threshold function). Let n ∈ N∗ , for any positive integers d ≤ n + 1 we define the Boolean function Td,n as:  1 if wH (x) ≥ d, ∀x = (x1 , . . . , xn ) ∈ Fn2 , Td,n (x) = 0 otherwise.

46

C. Hoffmann et al.

Definition 11 (XOR − THR function). For any positive integers k, d and n such that as: d ≤ n + 1 we define XTHRk,d,n for all z = (x1 , . . . , xk , y1 , . . . , yn ) ∈ Fk+n 2 XTHRk,d,n (z) = x1 + · · · + xk + Td,n (y1 , . . . , yn ) = XORk (x) + Td,n (y). The symmetric encryption schemes we will evaluate are binary streamciphers following the improved filter permutator construction [29], illustrated in Fig. 1. The encryption process is the following: denoting by N the size of the key, n the size of the input of the filtering function (n ≤ N ) and f the n-variables filtering function: – The forward secure PRNG outputs the subset, the permutation and the whitening at each clock cycle, – the subset Si is chosen as a subset of n elements over N , – the permutation Pi from n to n elements is chosen, – the whitening wi ∈ Fn2 is chosen, – the key-stream bit is computed as si = f (Pi (Si (K)) + wi ).

Fig. 1. Improved filter permutator constructions.

The streamcipher family FiLIP is an instantiation of the improved filter permutator paradigm where the PRNG is a variant of AES in counter mode, and the wire-cross permutations are generated by the Knuth shuffle. We will focus on 3 candidates proposed for 128-bit security: – FiLIP-1216 [29], DSM filter, mf = [128, 64, 0, 80, 0, 0, 0, 80], n = 1216, N = 214 , – FiLIP-1280 [29], DSM filter, mf = [128, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64], n = 1280, N = 212 , – FiLIP-144 [28], XOR-THR filter, f = XTHR81,32,63 , n = 144, N = 214 .

Transciphering, Using FiLIP and TFHE

47

3 Homomorphic Evaluation of FiLIP During the transciphering with FiLIP only the filter evaluation has an impact on the ciphertexts’ noise. Indeed, as explained in [29] the subset selection and wire-cross permutation are performed in clear. The whitening gives indexes where a homomorphic NOT needs to be applied, which can be realized without increasing the noise. In this section we study how to evaluate FiLIP filters efficiently with TGSW. First we give a Boolean circuit to compute any symmetric Boolean functions with few gates. This circuit improves the homomorphic evaluation for several FHE schemes, but its design is primarily based on optimizing GSW-like FHE evaluation. It will be the core of the evaluation of XOR-THR filters. Then we specify which representation and therefore which circuit we use for the two kinds of filters, giving a lower bound on the Boolean gates to homomorphically evaluate in each case. Finally we give an upper bound on the noise in the TGSW ciphertext obtained after evaluating the different filters. 3.1 Evaluation of Symmetric Boolean Functions In this part we focus on efficiently evaluating threshold functions. Since they are symmetric Boolean functions (the result does not depend on the order of the n inputs), they can be evaluated in different ways. The ANF of such functions is characterized in [27]; when n ≥ 2log d all the monomials of this degree appear in the ANF, which seems prohibitive for any evaluation. Nevertheless, evaluating branching programs [7] or finite automata [11] has been shown to be very promising with the third generation. Hence, we consider the evaluation of thresholds function, or other symmetric Boolean function, with MUX gates (multiplexers) rather than based on the ANF representation. Definition 12 (Circuit for symmetric functions). Let n ∈ N, n ≥ 2, we define the Boolean circuit Cn with n inputs x1 to xn and n + 1 outputs y0 to yn with the following gates: – n NOT gates N1 to Nn , where for i ∈ [n] each Ni has input xi . – 2(n − 1) AND gates Ai,0 and Ai,i for i ∈ [2, n], where: • the inputs of A2,0 are N1 and N2 , and for i ∈ [3, n] the inputs of Ai,0 are Ni and Ai−1,0 , • the inputs of A2,2 are x1 and x2 , and for i ∈ [3, n] the inputs of Ai,i are xi and   Ai−1,i−1 . – n2 MUX gates Mi,j where i ∈ [2, n] and j ∈ [i − 1], where: • the inputs of M2,1 are x2 for the control bit, x1 for the value at 0, and N1 for the value at 1, • the inputs of Mi,1 for i ∈ [3, n] are xi for the control bit, Mi−1,1 for the value at 0, and Ai−1,0 for the value at 1, • the inputs of Mi,i−1 for i ∈ [3, n] are xi for the control bit, Ai−1,i−1 for the value at 0, and Mi−1,i−2 for the value at 1, • the inputs of Mi,j for i ∈ [4, n] and j ∈ [2, i − 2] are xi for the control bit, Mi−1,j for the value at 0, and Mi−1,j−1 for the value at 1. The outputs are given by An,0 , Mn,1 , . . . , Mn,n−1 , An,n .

48

C. Hoffmann et al.

To illustrate we give the example of C7 in Fig. 2. The principle of this multi-output circuit is to compute the Hamming weight of the vector of inputs, as formalized in the following proposition: Proposition 3. Let n ∈ N, n ≥ 2, ∀x ∈ Fn2 the vector of outputs of Cn gives 1 at index wH (x) and 0 elsewhere. Proof. We do the proof by induction. We show that ∀i ∈ [2, n] only one of the gates Ai,j or Mi,j (where j ∈ [0, i]) gives 1. The index j of this gate corresponds the Hamming weight of the i-th-length prefix of x: (x1 , . . . , xi ). Note that the statements always neglect the NOT gates. For the initialization step we exhaust the four cases, the values for (x1 , x2 ) ∈ F22 of (A2,0 , M2,1 , A2,2 ) are: (0, 0; 1, 0, 0), (1, 0; 0, 1, 0), (0, 1; 0, 1, 0), and (1, 1; 0, 0, 1). For the four cases only one of the three gates of level 2 gives 1, the one with index j = wH (x1 , x2 ), which validates the initialization. Let assume for one i ∈ [2, n − 1] that only the gate of index j = wH (x1 , . . . , xi ) outputs 1 and all the others at level i give 0. Note that at level i + 1 the AND gate Ai+1,0 could by written as a MUX gate with control bit xi+1 , the output of Ai,0 for value at 0 and 0 for value at 1. Similarly, the AND gate Ai+1,i+1 could by written as a MUX gate with control bit xi+1 , the output of Ai,i for value at 1 and 0 for value at 0. Consequently, the i + 2 gates at level i + 1 correspond to MUX gates: they all output their value at 0 (i.e. value of their right parent) if xi+1 = 0, or value at 0 (i.e. left parent) if xi+1 = 1. Therefore, the vector of outputs at level i + 1 is the one of level i with a 0 appended on the right if xi+1 = 0 or on the left if xi+1 = 1. It guarantees that there is only one 1 at level i + 1, the index being wH (x1 , . . . , xi ) if xi+1 = 0 and wH (x1 , . . . , xi ) + 1 if xi+1 = 1, in both cases it corresponds to wH (x1 , · · · , xi+1 ). This proves the induction step, and allows to conclude the induction. Since the property applies for i = n the outputs y0 , · · · , yn of Cn for x ∈ Fn2 are such that ywH (x) = 1 and the others are equal to 0.   The interest of the circuit Cn is to compute symmetric Boolean functions with a low number of gates. Note that for i ∈ [0, n] the output yi gives the result of the indicator function of the set {x ∈ Fn2 | wH (x) = i}. Since these functions form a basis of the symmetric n-variable Boolean functions, any symmetric n-variable Boolean function can be computed by xoring outputs of Cn . For the threshold function Td,n it would consist in xoring the outputs from yd to yn . Nevertheless, computing Cn and xoring some of the outputs involves unnecessary computations, therefore we will prefer a simplified circuit for Td,n which has around twice less gates. To simplify the description we introduce a new Boolean gate, used instead of some MUX gates in Cn . Definition 13 (Modified MUX gate). Let x1 , x2 , x3 ∈ Fn2 , the modified MUX gate WUX is defined as WUX(x1 , x2 , x3 ) = x1 x3 + x2 , where by analogy with the MUX x1 is called the control bit, x2 the value at 0, and x3 the value at 1. Note that the only difference with the classic gate is that x3 is x3 + x2 in the MUX gate, and the WUX gate is simply computed with one AND and one XOR. The simpler circuit to compute Td,n is obtained by two modifications. First, we delete the gates only

Transciphering, Using FiLIP and TFHE

49

Fig. 2. Boolean circuit C7 . The control bit of each level of MUX is the input xi on the left side, the left arrow (→) in input of a MUX corresponds to the input for a control bit equal to 0 and the right arrow (→) for the value at 1.

used to compute the yi such that i < d (it corresponds to delete An−d+1,0 and all the gates depending on its value). Then, we subside the parts leading to yi such that i > d by sums as soon as possible in the computation using WUX gates (it corresponds to delete Ad+1,d+1 and all the gates depending on its value, and converting the MUX gates depending on the value of Ad,d into WUX gates). We formalize the obtained circuit in Definition 14, illustrate it with the example of T4,7 in Fig. 3, and assess its property in the following proposition. Definition 14 (Threshold circuit). Let d, n ∈ N, n ≥ 4, 2 ≤ d ≤ n − 2, we define the Boolean circuit Td,n with n inputs x1 to xn and one output with the following gates: – n − d NOT gates N1 to Nn−d , where for i ∈ [n − d] each Ni has input xi . – n − 2 AND gates Ai,0 for i ∈ [2, n − d] and Ai,i for i ∈ [2, d], where: • the inputs of A2,0 are N1 and N2 , and for i ∈ [3, n − d] the inputs of Ai,0 are Ni and Ai−1,0 , • the inputs of A2,2 are x1 and x2 , and for i ∈ [3, d] the inputs of Ai,i are xi and Ai−1,i−1 . – (n − d)(d − 1) MUX gates Mi,j for i ∈ [2, n − 1], j ∈ [max(1, i − (n − d)), min(i − 1, d − 1)], where: • the inputs of M2,1 are x2 for the control bit, x1 for the value at 0, and N1 for the value at 1, • the inputs of Mi,1 for i ∈ [3, n − d + 1] are xi for the control bit, Mi−1,1 for the value at 0, and Ai−1,0 for the value at 1,

50

C. Hoffmann et al.

• the inputs of Mi,i−1 for i ∈ [3, d] are xi for the control bit, Ai−1,i−1 for the value at 0, and Mi−1,i−2 for the value at 1, • the inputs of Mi,j for i ∈ [4, n−1] and j ∈ [max(1, i−(n−d)), min(i−1, d−1)] are xi for the control bit, Mi−1,j for the value at 0, and Mi−1,j−1 for the value at 1. – (n − d) WUX gates Wi,d for i ∈ [d + 1, n] where: • the inputs of Wd+1,d are xd+1 for the control bit, Ad,d for the value at 0, and Md,d−1 for the value at 1, • the inputs of Wi,d for i ∈ [d + 2, n] are xi for the control bit, Wi−1,d for the value at 0, and Mi−1,d−1 for the value at 1. The output is given by Wn,d .

Fig. 3. Boolean circuit T4,7 . The control bit of each level of MUX is the input xi on the left side, the left arrow (→) in input of a MUX (or WUX) corresponds to the input for a control bit equal to 0 and the right arrow (→) for the value at 1.

Proposition 4. Let d, n ∈ N, n ≥ 4, 2 ≤ d ≤ n − 2, ∀x ∈ Fn2 the Boolean circuit Td,n computes Td,n (x). Proof. By construction Td,n is obtained from Cn by two main transformations: deleting An−d+1,0 and the gates depending on its output (plus the d NOT gates such that i > n − d), and merging the gates depending on Ad,d into one WUX gate at each level i for i ∈ [d + 1, n]. We will first prove by induction that in the circuit obtained from Cn by

Transciphering, Using FiLIP and TFHE

51

merging the gates depending on Ad,d in n − d WUX gates Wi,d , the following property holds: Wi,d gives 1 if and only if wH (x1 , . . . , xi ) ≥ d. Then we will show that deleting all the part depending on An−d+1,0 does not impact the computation of Wn,d which gives the output. We define the Boolean circuit Cd,n as Cn where for i ∈ [d + 1, n] the AND gate Ai,i and the MUX gates Mi,j for j ∈ [d, i − 1] are merged into the WUX gate Wi,d . Wd+1,d has control bit xd+1 , Ad,d as value at 0 and Md,d−1 as value at 1. For i ∈ [d+2, n], Wi,d has control bit xi , Wi,d as value at 0 and Mi,d−1 as value at 1. We show by induction that ∀i ∈ [d + 1, n] Wi,d gives 1 if and only if wH (x1 , . . . , xi ) ≥ d, and only one of the gates Ai,0 , Wi,d , Mi,j for j ∈ [d − 1] gives 1. For the initialization step, i = d + 1, Cd,n up to the level d is exactly Cd , therefore using Proposition 3 Md,d−1 gives 1 if and only if wH (x1 , . . . , xd ) = d − 1 and Ad,d gives 1 if and only if wH (x1 , . . . , xd ) = d. We consider the three possible cases: both gates give 0, Md,d−1 gives 1, and Ad,d gives 1. In the first case the value of Wi,d is xd+1 ·0+0 = 0 and since wH (x1 , . . . , xd ) < d−1 we get wH (x1 , . . . , xd+1 ) < d. In the second case the value of Wi,d is xd+1 · 1 + 0 = xd+1 and since wH (x1 , . . . , xd ) = d − 1 we get wH (x1 , . . . , xd+1 ) = d if xd+1 = 1 and wH (x1 , . . . , xd+1 ) = d − 1 if xd+1 = 0. In the third case the value of Wi,d is xd+1 · 0 + 1 = 1 and since wH (x1 , . . . , xd ) = d we get wH (x1 , . . . , xd+1 ) ≥ d. Summarizing the three cases Wd+1,d gives 1 if and only if wH (x1 , . . . , xd+1 ) ≥ d. Note that the gates Ad+1,0 and Md+1,j for j ∈ [d − 1] are computed exactly as in Cd+1 . Hence, from Proposition 3 only one of them gives 1 if wH (x1 , . . . , xd+1 ) < d and none if wH (x1 , . . . , xd+1 ) ≥ d. Therefore only one of the gates Ad+1,0 , Wd+1,d , Md+1,j for j ∈ [d − 1] gives 1, which validates the initialization. Let assume that for one i ∈ [d+2, n] Wi,d gives 1 if and only if wH (x1 , . . . , xi ) ≥ d, and only one of the gates Ai,0 , Wi,d , Mi,j for j ∈ [d − 1] outputs 1. Note that the gates Ai+1,0 , Mi+1,j for j ∈ [d − 1] are computed exactly as in Ci+1 , therefore Proposition 3 guarantees that at most one outputs 1: if its index j = wH (x1 , . . . , xi+1 ). We consider the three possible cases: Wi,d and Mi,d−1 both give 0, Mi,d−1 gives 1, and Wi,d gives 1. In the first case the value computed by Wi+1,d is 0, since wH (x1 , . . . , xi ) < d − 1 (Wi,d and Mi,d−1 both null) then wH (x1 , . . . , xi+1 ) < d, and only one of the gates Ai+1,0 , Mi+1,j for j ∈ [d − 1] gives 1. In the second case the value computed by Wi+1,d is xi+1 , therefore if xi+1 = 0 then wH (x1 , . . . , xi+1 ) = wH (x1 , . . . , xi ) = d − 1 and Mi+1,d−1 is the only gate at level i + 1 giving 1. If xi+1 = 1 then wH (x1 , . . . , xi+1 ) = wH (x1 , . . . , xi ) + 1 = d, none of the gates Ai+1,0 , Mi+1,j for j ∈ [d − 1] gives 1, hence Wi+1,d is the only one giving 1. In the last case the value computed by Wi+1,d is 1, wH (x1 , . . . , xi ) ≥ d so wH (x1 , . . . , xi+1 ) ≥ d and only the gate Wi+1,d gives 1 at level i+1. Summarizing the different cases Wi+1,d gives 1 if and only if wH (x1 , . . . , xi+1 ) ≥ d, and only one of the gates Ai+1,0 , Wi+1,d , Mi+1,j for j ∈ [d − 1] outputs 1, which allows to conclude the induction. To finalize the proof, note that the output of Cd,n given by Wn,d , that we call zd , gives the value of Td,n (x). None of the gates depending on An−d+1,0 nor Ni for i ∈ [n − d + 1, n] are evaluated in the path leading to zd . Hence zd can be computed by the circuit modified from Cd,n by removing all these gates. It corresponds to the circuit Td,n , concluding the proof.  

52

C. Hoffmann et al.

Remark 1. The restrictions d ≥ 2 and n − d ≥ 2 come from the circuit description: always having AND gates on the left and right side. Valid circuits for the remaining values can be obtained by removing some of these gates (changing the general description): the Ai,0 gates are unnecessary for d ≥ n − 2 and the Ai,i gates are unnecessary for d ≤ 2. 3.2

Evaluating FiLIP Filters

For the homomorphic evaluation the filter needs to be computed without knowing the value in the input ciphertexts, hence using the same Boolean circuit for the 2n possible inputs. A circuit to evaluate a Boolean function f can be derived from its ANF: each monomial can be computed as the AND of the variables of this monomial, and the sum over all the monomials in the ANF can be performed with XOR gates. It is the strategy we use to evaluate DSM since they have a very sparse ANF (at most n monomials over 2n ). The situation is different for XOR-THR functions, the threshold part has a dense ANF. The threshold function we consider for FiLIP-144: T32,63 belongs to  t+1  the subfamily T2t ,2t+1 −1 and therefore its ANF consists in the 2 2t−1 monomials of degree 2t (see e.g. [27] Theorem 1). In this case the circuit based on the ANF would lead to XOR around 9 · 1017 AND of 32 terms. Instead we will use the circuit Td,n of Sect. 3.1. In the following proposition we give the number (and nature) of Boolean gates required to homomorphically compute the different filters. Proposition 5 (FiLIP’s filter evaluation). Let f be the filter function of FiLIP, f can be computed with at most the following number of Boolean gates: – f is the DSM with direct sum vector m  f = [m1 , . . . , mk ]: 0 NOT, m − 1 XOR, and k n − m AND where m = m i . i=1 – f is the XOR-threshold function XTHRk,d,n : n − d NOT, (n − d)(2d − 1) + k XOR, and (n − d)d + n − 2 AND. Proof. For a DSM, since each variable appears only once in the ANF, the result can be computed in n − 1 XOR and AND gates. The number of monomials being m, m − 1 XOR are needed, which also gives the number of AND. For a XOR-THR function, using Proposition 4 the Boolean circuit Td,n computes Td,n , which gives the number of NOT, AND, MUX, and WUX gates to evaluate it. Counting that a MUX can be computed with 2XOR and 1AND, and 1XOR and 1AND for a WUX, and that k XOR are necessary to sum the XORk part leads to the final number of gates.   3.3

Noise Evolution with TGSW

In this part we bound the error infinite norm and variance of the ciphers after transciphering in term of error parameters of the initial ciphers. Each XOR is evaluated by Add, each AND by Mul and NOT gate by subtracting the ciphertext to H.

Transciphering, Using FiLIP and TFHE

53

Proposition 6 (FiLIP error-growth). Let f be the filter function of FiLIP, let Ci , i ∈ [n], fresh TGSW ciphertexts with error variance and infinite norm V and ε, and Cf the ciphertext obtained by homomorphically evaluating f with error variance and infinite norm Vf and εf . The following bounds apply: – if f is the DSM with direct sum vector mf = [m1 , . . . , mk ] then: εf ≤ (n − m)(c1 ε + c2 ) + mε, and Vf ≤ (n − m)(c3 V + c4 ) + mV, – if f is the XOR-threshold function XTHRk,d,n then: εf ≤

(n + d − 2)(n − d + 1) (c1 ε + c2 ) + (n − d + k + 1)ε, and 2

Vf ≤

(n + d − 2)(n − d + 1) (c3 V + c4 ) + (n − d + k + 1)V, 2

where the variance bounds assume the independence heuristic Assumption 1. Proof. We refer to noise parameters for the two quantities error infinite norm and variance. The results on the error variance assume Assumption 1, not the ones on the error infinite norm. We begin the proof by considering the DSM filter. Using Proposition 2, the noise parameters associated to a product of i ∈ N∗ fresh ciphertexts (the noisiest ciphertext always taken as the second operand) are εΠi ≤ (i − 1)(c1 ε + c2 ) + ε and VΠi ≤ (i − 1)(c3 ε + c4 ) + V . It gives the noise parameters of the ciphertexts corresponding to the monomial of degree i. We use the noise formulas for the addition on the mi products of i ciphertexts (for i ∈ [k]) and then for the sum of these k ciphertexts. It finally gives: εf ≤

k i=1



k i=1

mi εΠi ≤

k

mi ((i − 1)(c1 ε + c2 ) + ε)

i=1

imi (c1 ε + c2 ) +

k

mi (ε − (c1 ε + c2 )) = (n − m)(c1 ε + c2 ) + mε,

i=1

where m is the number of monomials of f and n its number of variables. Similarly, Vf ≤ (n − m)(c3 V + c4 ) + mV . For the XOR-threshold function we start with the noise parameters for the evaluation of Td,n using the circuit Td,n . We bound the noise parameters of each ciphertext of the binary value obtained at each gate of the circuit since the ciphertext of Td,n is the output of the circuit. for readability we write noise parameters of the gate for the noise parameters of the ciphertext obtained after the evaluation of the circuit up to this gate. We proceed by studying separately the NOT, AND, MUX, and WUX gates, and we refer to their level in the circuit (the index i in Definition 14). First, the noise parameters of NOT gates is the same as its input. Then, the AND gates are obtained by products of fresh ciphertexts then the noise parameters of Ai,j are εΠi and VΠi . For the MUX gates we show by induction on the level i ∈ [2, n − 1] that all MUX of level i have noise

54

C. Hoffmann et al.

parameters εMi ≤ (i − 1)(c1 ε + c2 ) + ε and VMi ≤ (i − 1)(c3 V + c4 ) + V (the same bounds as for εΠi and VΠi ). For the initialization step, i = 2, the only MUX gate is computed as MUX(C2 , C1 , H − Ci ). Thereafter, the noise formula of the MUX in Proposition 2 gives εM2 ≤ ε + c1 ε + c2 , validating the initialization. For the induction step, we assume that at level i we have the bound εMi ≤ ε + (i − 1)(c1 ε + c2 ). By definition of Td,n each MUX gate at level i + 1 has input control bit xi+1 and the two other inputs are AND or MUX gates of the level i. From the induction hypothesis the error infinite norm relative to both these inputs is lower than or equal to ε + (i − 1)c1 ε + c2 . Hence, the noise formula for the MUX gives εMi+1 ≤ ε+(i−1)(c1 ε+c2 )+c1 ε+c2 , validating the induction step. The proof for VMi follows similar arguments, which allows to conclude the induction proof for the MUX gates. Finally, for the WUX gates we show by induction on k ∈ [n − d] that the WUX gate Wd+k,d has noise parameters εWd+k ≤ (2d + k − 2)(k + 1)(c1 ε + c2 )/2 + (k + 1)ε and similarly VWd+k ≤ (2d + k − 2)(k + 1)(c3 V + c3 )/2 + (k + 1)V assuming the independence heuristic. Note that k (2d+k−2)(k+1)(c1 ε+c2 )/2+(k+1)ε = i=0 ((d−1+i)(c1 ε+c2 )+ε) which is the formula we will use for the induction. For the initialization step, k = 1, the WUX gate Wd+1,d is computed as XOR(AND(xd+1 , Md,d−1 ), Ad,d ). Thereafter, the noise formulas of Mul and Add of Proposition 2 give εWd+1 ≤ d(c1 ε+c2 )+ε+(d−1)(c1 ε+c2 )+ε, 1 which is equivalent to i=0 ((d − 1 + i)(c1 ε + c2 ) + ε), validating the initialization. For the induction step, we assume that for one value of k in [n − d − 1] we have k εWd+k ≤ i=0 ((d − 1 + i)(c1 ε + c2 ) + ε). By definition of Td,n the WUX gate at level d + k + 1 has control bit xd+k+1 and the two other inputs are a MUX and the WUX of level k + d. Then, we know the noise parameters of the MUX from the precedent part and the error infinite norm of the WUX gate in input from the induction hypothesis. Hence, the product and addition noise formulas allow to conclude k+1 εWd+k+1 ≤ i=0 ((d−1+i)(c1 ε+c2 )+ε), validating the induction step. The proof for VWd+k follows similar arguments, which allows to conclude the induction proof for the MUX gates. The last WUX gate (Wn,d ) corresponds to the ciphertext of Td,n , therefore its noise parameters are εTd,n ≤ (n + d − 2)(n − d + 1)(c1 ε + c2 )/2 + (n − d + 1)ε and VTd,n ≤ (n + d − 2)(n − d + 1)(c3 V + c4 )/2 + (n − d + 1)V . Finally, the XTHRk,d,n filter is evaluated by performing k Add of fresh ciphertexts to the ciphertext corresponding to Td,n . Using the precedent part of the proof and the noise formulas of Proposition 2 for the addition we obtain εf ≤ (n + d − 2)(n − d + 1)(c1 ε + c2 )/2 + (n − d + 1 + k)ε and Vf ≤ (n + d − 2)(n − d + 1)(c3 ε + c4 )/2 + (n − d + 1 + k)V .   Remark 2. The homomorphic evaluation of Td,n can also be based on the circuit Cn , adding the last n−d output ciphertexts. It would lead to an infinite error norm εTd,n such that εTd,n ≤ (n − d + 1)((n − 1)(c1 ε + c2 ) + ε). With the same strategy, any n-variable symmetric Boolean function f can be evaluated with εf ≤ (n+1)((n−1)(c1 ε+c2 )+ε). Also, multiplying the outputs yi by xi for i ∈ [n] of Cn and summing these n products allows to compute the Hidden Weighted Bit Function (HWBF), which is known to have good cryptographic properties [32]. The corresponding evaluation would lead to εf ≤ n(n(c1 ε + c2 ) + ε).

Transciphering, Using FiLIP and TFHE

55

4 Implementation of FiLIP with TGSW In this section we present our implemention of the transciphering of FiLIP with the TGSW scheme. First, we precise our selection of parameters and the settings of our implementation. Then, we analyze the noise obtained during the evaluation of FiLIP, and we compare it to the limit bound at which the decryption fails. We give the timings of the transciphering for the different filter choices, and compare these results with the transciphering from other works. Finally, we implement two evaluations of FiLIP with other 3G schemes implemented in TFHE, and compare the different options. 4.1 Selection of Parameters Since the SE scheme has a bit-security of 128 we select the parameters to ensure the same security for the homomorphic scheme. Furthermore, we decide to fix the maximum probability of failure for the decryption at 2−128 , which is more restrictive that the usual choices in homomorphic evaluation. It is more coherent with the SE scheme which decryption is always correct, and it thwarts attacks using low decryption failure [19]. We use the estimator [2] for the concrete security of the LWE problem to fix the parameters k, N and α (α being the noise of a fresh cipher). More precisely for the TGSW scheme we estimate that the modulo for LWE (i.e. the coefficient ring) is equal to 232 , since the TFHE library represents elements x ∈ T as the integers 232 x encoded on 32 bits. Fixing k = 1 the scheme relies more precisely on RLWE, but since there is no known attacks that are more efficient against RLWE than against LWE, we believe that this estimator is accurate for this scheme. Accordingly, we use the following parameters: k = 1, N = 1024 and α = 1e−9, which ensures 128-bit security. Then we choose two sets of decomposition parameters  and Bg : – Set 1: k = 1, N = 1024, α = 1e−9, Bg = 25 ,  = 6. – Set 2: k = 1, N = 1024, α = 1e−9, Bg = 2,  = 20. Using Proposition 1 we can determine the maximal variance allowed with these param2 −1 eters: 2e(8Bg Vmax ) = 2−128 ⇐⇒ Vmax = (1032Bg2 ln(2))−1 . It gives Vmax = 1.37e−6 for the Set 1 and for the Set 2, Vmax = 3.49e−5. As we will see in the following subsections, the first set of parameters gives better results in term of noise and speed, but the second one is useful for the comparison with the hybrid TGSW/TLWE scheme in Sect. 4.4. 4.2 Noise Evolution in Practice We experimentally study the noise of the transciphering, it allows to compare it with the theoretical upper bounds of Proposition 6 which does not take into account the rounding error inhenrent in the representation of real numbers. In order to evaluate the concrete noise of the transciphering output ciphertexts, we implement a function that computes the noise of a ciphertext. This function behaves like the decryption one, except it does not round up to the closest message but compare to what a noiseless ciphertext would

56

C. Hoffmann et al.

be: It starts by isolating the coefficient in which we retrieve the message (the constant coefficient of the polynomial obtained by computing a scalar product with the (k+1)th line). It then outputs the difference between this value and the closest Big , which would be the message in the decryption algorithm. We compute the average noises and variance noises over samples of at least 100 independent ciphertexts (we do not gain much precision on the variance with more samples). We give the resulting ciphertexts noise in Table 1, where the average noises are given normalized to the decryption limit (i.e. divided by 2B1 g , since decryption fails if the noise exceeds this limit). We do not present the evaluation of FiLIP-144 with the Set 2 because the noise variance growth is too important. We could get around this issue by allowing a slightly higher probability of decryption failure or by finding a better inequality to bound subgaussians variance. However the Set 2 is mainly presented to compare to the hybrid TLWE/TGSW scheme (which use this set of parameters), and we only implemented this hybrid scheme with DSM filters since they are more efficient. Table 1. Transciphering noises of FiLIP over TGSW, comparison with different filters and sets of parameters for 128 bits security. The average noise represents the ciphertexts noise normalized  denotes the measured variance and Vmax denotes the by the maximum decryption noise. Vem maximum variance defined above. Filter

 Parameters Average noise Vem

Vmax

FiLIP-1280 Set 1 FiLIP-1216 FiLIP-144

1.17e−3 2.18e−3 3.26e−3

1.34e−10 1.37e−6 2.88e−10 7.19e−10

FiLIP-1280 Set 2 FiLIP-1216

9.22e−2 1.75e−1

7.41e−6 1.62e−5

3.49e−5

With this HE scheme, the noise evolution during the homomorphic product is asymmetrical, and as long as one of the operand is a fresh ciphertext the noise remains small. Unfortunately, when performing transciphering, we loose the ability to use fresh ciphertexts as operands. This limits the number of multiplications we can perform with our resulting ciphertexts (without bootstrapping) with these sets of parameters, allowing only operations over the R-module. Allowing more multiplications directly would require to increase the LWE modulus in order to get a better exit noise, which is not possible without in-depth changes to the TFHE library [14]. 4.3

Performance and Comparisons

We provide the timings for the transciphering of FiLIP, for instances of DSM filter and XOR-threshold filter with the TGSW scheme. The timings in this section were obtained with a personal laptop with processor Intel(R) Core(TM) i5-6600K CPU @ 3.50 GHz. We summarize the results in Table 2, the latency corresponds to the homomorphic evaluation of FiLIP with TGSW, and the key size refers to the FiLIP secret key encrypted

Transciphering, Using FiLIP and TFHE

57

with TGSW. One can notice that the key size is not a limiting factor since it is only used by the party doing the homomorphic computations, and is reasonable for this context. Since FiLIP is a stream-cipher, its latency is the time per bit necessary to evaluate the decryption. For the DSM filters, FiLIP-1216 has the best latency: less than 2 s/bit for a transciphering of 128 bits security, FiLIP-1280 is slower but allows to use a smaller symmetric key. The XOR-Threshold filter has a competitive latency with the two DSM filters, which shows that other filters than DSM can be used for a similar efficiency. We give a comparison of the transciphering we implemented and former ones. The other works were all evaluated with a 2G scheme [5] on the HElib [24] library. We consider SE schemes of 128 bits security, using homomorphic parameters guaranteeing at least the same security. The transcipherings we compare correspond to the fastest variants: having the smallest ciphertexts allowing a correct decryption after transciphering. We summarize the results in Table 3. The security parameter in the table comes from the HElib library estimator for the first part of the schemes (source [29]), but the real security would be lower [1]. We did not find the security parameters for these timings of Kreyvium but we assume it is more than 128 bits, and the ones for our evaluations come from the estimation in Sect. 4.1. Table 2. Transciphering timings of FiLIP over TGSW, comparison with 2 DSM filters (FiLIP1280 and FiLIP-1216) and a XOR-threshold filter (FiLIP-144), with 2 sets of parameters for 128 bits security. Filter

Set 1 Set 2 Latency (s) Key size (Mo) Latency (s) Key size (Mo)

FiLIP-1280 2.2

200

22.7

800

FiLIP-1216 1.9

800

20.0

2680

FiLIP-144

800





2.5

Our transciphering has a better latency than all the existing implementations with a neat gain: homomorphic FiLIP-1216 decryption is 10 times faster than previous transcipherings. It shows that 3G implementation can lead to a very competitive latency. However, since TGSW does not support message batching yet, it has a way lower throughput than other transcipherings implemented on HElib, which are able to take advantage of homomorphic batching techniques to decrypt hundreds of bits at once, thus compensating the latency. Indeed, homomorphic batching consists in encrypting up to N plaintexts into a single homomorphic ciphertext. After batching encryption, the resulting ciphertext allows only homomorphic evaluation in an SIMD fashion, i.e. homomorphic operations perform the corresponding componentwise operations over the plaintext vector. As a consequence, transcipherings have a better bit-rate when batching is supported, but using it limits homomorphic evaluations to vectorized operations and rotations via the Frobenius endomorphism.

58

C. Hoffmann et al.

Table 3. Performances for minimal FHE parameters, 128 bits security. The latency refers to the time in seconds required to obtained the first homomorphic ciphertext, λ is the estimated security parameter of the HE scheme, and Source refers to the article presenting these timings.

4.4

Cipher

Latency (s) λ

LowMCv2(14, 63, 256) FLIP-1394 Agrasta (129, 4) Rasta (525, 5) Rasta (351, 6) FiLIP-1216 FiLIP-1280

1629.3 26.53 20.26 277.24 195.40 24.37 26.59

Kreyvium-12

1547.0

FiLIP-1216 FiLIP-144

1.9 2.5

Source

132.1 [29] 146.8 134.7 128.9 128.9 186.3 146.8 [9] 157 157

This work

Different Homomorphic Evaluations of FiLIP

We implement two other evaluations of FiLIP with 3G schemes. First we use the gatebootstrapping of TFHE. In this scheme since the noise in not important anymore due to the bootstrapping at each computation the efficiency of a computation can be inferred by the number of gates in its circuit. The other scheme we implement is inspired by the automata circuit in [11]. The idea is to start the FiLIP evaluation with TGSW ciphertexts and a set of parameters such that Bg = 2, and switch to TLWE ciphertexts when evaluating the filter. Indeed, the two evaluations of Sect. 3.2 are possible with at most one of the operands being a TGSW at each step of the evaluation. The main idea is to extract a TLWE ciphertext at the beginning of the filter evaluation, and perform external product to get the resulting ciphertext. The transciphering outputs a TLWE ciphers, which means we have a simply homomorphic scheme, we cannot perform products between two such ciphers. This method guarantees good timings since it reduces the number of external products performed, but a bootstrapping to a leveled scheme is necessary for further computations. We compare the timings of these different approaches, and the evaluation of FiLIP with HElib in Table 4. Evaluating FiLIP-1280 with this scheme gives cipher with the same noise as in the TGSW scheme with the second set of parameters. This scheme allows us to compute transciphering with our best timings: 1018 ms/b. It is around twice better than with the TGSW but does not allow as many operations, a bootstrapping could be used to compensate it but the final timing would be less competitive. The timing we present for the FHE scheme provided by the TFHE library [14] comes from an implementation we wrote to verify that our leveled scheme is faster in practice. We measured that the average time to compute a gate with bootstrapping on our computer is about 20 ms instead of the 13 ms in [13], which is coherent with the total evaluation time. This approach gives a similar latency as the evaluation on HElib, therefore we can conclude from these timings that the TGSW scheme alone or with TLWE are more

Transciphering, Using FiLIP and TFHE

59

efficient to transcipher FiLIP cipher with a DSM filter. However, using TFHE gives us fully homomorphic ciphers on which we can perform any operation. Table 4. Transciphering timings of FiLIP over different HE schemes. HE scheme

FiLIP-1280 FiLIP-1216

TGSW 2.2 TGSW/TLWE 1.2 25.8 TFHE

1.9 1.0 22.7

BGV(HElib)

24.4

26.7

5 Conclusion In this paper, we presented the first implementation of transciphering with a third generation homomorphic scheme, and give a transciphering with the smallest latency so far: less than 2 s. We have also implemented for the first time the XOR-threshold filter variant of FiLIP, showing competitive timings with the DSM variant. We compared FiLIP evaluation with three different HE schemes which showed that the TGSW scheme was more appropriate in this case. Despite a large improvement for the latency, the throughput is not competitive with transciphers implemented on HElib which compensate by the number of bits batched in each ciphertext. A possible improvement would be to batch messages by encoding them in all the coefficients of our message polynomial. This would mean we could store N bits of message in a ciphertext instead of 1, which would be a huge gain. In order to implement batching, one could look on the strategies developed in [12] that describes different batching methods for a leveled HE, and try to adapt it for Boolean functions such as the filters we consider. Acknowledgments. This work has been funded in part by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701), and by the French RISQ project (BPI-France, grant P141580). This work has been funded in part by the European Union (EU) and the Walloon Region through the FEDER project USERMedia (convention number 501907-379156). This work has been funded in part by the European Union (EU) through the ERC project 724725 (acronym SWORD). Pierrick M´eaux is funded by a F.R.S. Incoming PostDoc Fellowship.

References 1. Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6 4 2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015)

60

C. Hoffmann et al.

3. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5 17 4. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. IACR Crypt. ePrint Arch. 687 (2016) 5. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012, pp. 309–325. ACM, January 2012 6. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press, October 2011 7. Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Naor, M. (ed.) ITCS 2014, pp. 1–12. ACM, January 2014 8. Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5 16 9. Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. J. Cryptol. 31, 885–916 (2018) 10. Chen, H., Laine, K., Player, R.: Simple encrypted arithmetic library - seal v2.1. Cryptology ePrint Archive, Report 2017/224 (2017) 11. Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3662-53887-6 1 12. Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 377–408. Springer, Cham (2017). https://doi.org/10. 1007/978-3-319-70694-8 14 13. Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33, 34–91 (2020). https://doi.org/10.1007/s00145-01909319-x 14. Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: TFHE: fast fully homomorphic encryption library, August 2016. https://tfhe.github.io/tfhe/ 15. Coron, J.-S., Lepoint, T., Tibouchi, M.: Scale-invariant fully homomorphic encryption over the integers. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 311–328. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0 18 16. Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1 22 17. Dor¨oz, Y., Shahverdi, A., Eisenbarth, T., Sunar, B.: Toward practical homomorphic evaluation of block ciphers using prince. In: B¨ohme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014. LNCS, vol. 8438, pp. 208–220. Springer, Heidelberg (2014). https://doi.org/10. 1007/978-3-662-44774-1 17 18. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617– 640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5 24 19. D’Anvers, J.-P., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I.: Decryption failure attacks on IND-CCA secure lattice-based schemes. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 565–598. Springer, Cham (2019). https://doi. org/10.1007/978-3-030-17259-6 19 20. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012)

Transciphering, Using FiLIP and TFHE

61

21. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009 22. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5 49 23. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https:// doi.org/10.1007/978-3-642-40041-4 5 24. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/ 978-3-662-44371-2 31 25. Lepoint, T., Naehrig, M.: A comparison of the homomorphic encryption schemes FV and YASHE. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 318–335. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06734-6 20 26. L´opez-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, ACM Press, May 2012 27. M´eaux, P.: On the fast algebraic immunity of majority functions. In: Schwabe, P., Th´eriault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 86–105. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7 5 28. M´eaux, P., Carlet, C., Journault, A., Standaert, F.: Improved filter permutators: combining symmetric encryption design, Boolean functions, low complexity cryptography, and homomorphic encryption, for private delegation of computations. Cryptology ePrint Archive, Report 2019/483 (2019) 29. M´eaux, P., Carlet, C., Journault, A., Standaert, F.-X.: Improved filter permutators for efficient FHE: better instances and implementations. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 68–91. Springer, Cham (2019). https://doi.org/ 10.1007/978-3-030-35423-7 4 30. M´eaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3662-49890-3 13 31. Naehrig, M., Lauter, K.E., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: Proceedings of the 3rd ACM Cloud Computing Security Workshop, CCSW 2011, Chicago, IL, USA, 21 October 2011, pp. 113–124 (2011) 32. Wang, Q., Carlet, C., Stˇanicˇa, P., Tan, C.H.: Cryptographic properties of the hidden weighted bit function. Discret. Appl. Math. 174, 1–10 (2014)

Encrypted Key-Value Stores Archita Agarwal(B) and Seny Kamara Brown University, Providence, USA {archita agarwal,seny kamara}@brown.edu Abstract. Distributed key-value stores (KVS) are distributed databases that enable fast access to data distributed across a network of nodes. Prominent examples include Amazon’s Dynamo, Facebook’s Cassandra, Google’s BigTable and LinkedIn’s Voldemort. The design of secure and private key-value stores is an important problem because these systems are being used to store an increasing amount of sensitive data. Encrypting data at rest and decrypting it before use, however, is not enough because each decryption exposes the data and increases its likelihood of being stolen. End-to-end encryption, where data is kept encrypted at all times, is the best way to ensure data confidentiality. In this work, we study end-to-end encryption in distributed KVSs. We introduce the notion of an encrypted KVS and provide formal security definitions that capture the properties one would desire from such a system. We propose and analyze a concrete encrypted KVS construction which can be based on any unencrypted KVS. We first show that this construction leaks at most the operation equality (i.e., if and when two unknown queries are for the same search key) which is standard for similar schemes in the non-distributed setting. However, we also show that if the underlying KVS satisfies read your writes consistency, then the construction only leaks the operation equality of search keys that are handled by adversarially corrupted nodes—effectively showing that a certain level of consistency can improve the security of a system. In addition to providing the first formally analyzed end-to-end encrypted key-value store, our work identifies and leverages new and interesting connections between distributed systems and cryptography.

1

Introduction

A distributed key-value store (KVS) is a distributed storage system that stores label/value1 pairs and supports get and put queries. KVSs provide one of the simplest data models but have become fundamental to modern systems due to their high performance, scalability and availability. For example, some of the largest social networks, e-commerce websites, cloud services and community forums depend on key-value stores for their storage needs. Prominent examples of distributed KVSs include Amazon’s Dynamo [25], Facebook’s Cassandra [43], Google’s BigTable [22], LinkedIn’s Voldemort [54], Redis [5], MemcacheDB [4] and Riak [55]. 1

In this work we use the term label and reserve the term key to denote cryptographic keys.

c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 62–85, 2020. https://doi.org/10.1007/978-3-030-65277-7_4

Encrypted Key-Value Stores

63

Distributed KVSs are closely related to distributed hash tables (DHT) and, in fact, most are built on top of a DHT. However, since DHTs do not necessarily guarantee fault-tolerance, KVSs use various techniques to achieve availability in the face of node failures. The simplest approach is to replicate each label/value pair on multiple nodes and to use a replica control protocol to guarantee some form of consistency. End-to-End Encryption in KVSs. As an increasing amount of data is being stored and managed by KVSs, their security has become an important problem. Encryption is often proposed as a solution, but encrypting data in transit and at rest and decrypting it before use is not enough since each decryption exposes the data and increases its likelihood of being stolen. A better way to protect data is to use end-to-end encryption where a data owner encrypts its data with its own secret key (that is never shared). End-to-end encryption guarantees that data is encrypted at all times—even in use—which ensures data confidentiality. Our Contributions. In this work, we formally study the use of end-to-end encryption in KVSs. In particular, we extend the recently proposed framework of Agarwal and Kamara [7] from DHTs to KVSs. We formalize the goals of encryption in KVSs by introducing the notion of an encrypted key-value store (EKVS) and propose formal syntax and security definitions for these objects. The simplest way to design an EKVS is to store label/value pairs (, v) as (FK1 (), EncK2 (v)) in a standard/plaintext KVS, where F is a pseudo-random function and Enc is a symmetric encryption scheme. The underlying KVS will then replicate the encrypted pair, store the replicas on different storage nodes, handle routing, node failures and consistency. Throughout, we will refer to this approach as the standard scheme and we will use our framework to formally study its security properties. We make the following contributions: – formalizing KVSs: we provide an abstraction of KVSs that enables us to isolate and analyze several important properties of standard/plaintext KVSs that impact the security of the standard EKVS. More precisely, we find that the way a KVS distributes its data and the extent to which it load balances have a direct effect on what information an adversary can infer about a client’s queries. – distributed leakage analysis: an EKVS can be viewed as a distributed version of an encrypted dictionary which is a fundamental building block in the design of sub-linear encrypted search algorithms (ESA). All sub-linear ESAs leak some information—whether they are built from property-preserving encryption, structured encryption or oblivious RAMs—so our goal is to identify and prove the leakage profile of the standard scheme. Leakage analysis in the distributed setting is particularly challenging because the underlying distributed system (in our case the underlying KVS) can create very subtle correlations between encrypted data items and queries. As we will see, replication makes this even more challenging. We consider two cases: the single-user case where the EKVS stores the datasets of multiple clients but each dataset can only be read and updated by its owner; and the multi-user case where each dataset can be read and updated by multiple users.

64

A. Agarwal and S. Kamara

– leakage in the multi-user case: We show that in the multi-user setting, the standard scheme leaks the operation equality (i.e., if and when get and put operations are for the same label) over all operations; even operations that are not handled by corrupted nodes.2 This may seem surprising since it is not clear a-priori why an adversary would learn anything about data that it never “sees”. – leakage in the single-user case: In the single-user scenario, we show that, if the standard scheme’s underlying KVS achieves read your write (RYW) consistency, then it only leaks the operation equality over operations that are handled by corrupted nodes. This is particularly interesting as it suggests that stronger consistency guarantees improve the security of end-to-end encrypted KVSs. – comparison with DHTs: As mentioned earlier, the main difference between a DHT and a KVS is that the latter replicate data on multiple nodes. To ensure a consistent view of this data, KVSs need to implement some consistency model. Achieving strong consistency, however, is very costly so almost all practical systems achieve weaker notions which cannot guarantee that a unique value will always be associated to a given label. In particular, the value that will be returned will depend on factors such as network delay, synchronization policy and the ordering of concurrent operations. Therefore, an adversary that controls one or more of these factors can affect the outputs of a KVS. It therefore becomes crucial to understand and analyze this correlation when considering the security of an encrypted KVS. In contrast, this is not needed in the case of encrypted DHTs since they do not maintain replicas and hence consistency is not an issue. – concrete instantiations: We use our framework to study two concrete instantiations of the standard scheme. The first uses a KVS based on consistenthashing with zero-hop routing whereas the second uses a KVS based on consistent hashing with multi-hop routing.

2

Related Work

Key-Value Stores. NoSQL databases were developed as an alternative to relational databases to satisfy the performance and scalability requirements of large Internet companies. KVSs are the simplest kind of NoSQL databases. Even though such databases had already existed, they gained popularity when Amazon developed Dynamo [25], a KVS for its internal use. Since then many KVSs have been developed both in industry and academia. Most prominent ones are Facebook’s Cassandra [43], Google’s BigTable [22], LinkedIn’s Voldemort [54], Redis [5], MemcacheDB [4] and Riak [55]. All of them are eventually consistent but some of them can be tuned to provide strong consistency [5,43,55]. There have also been efforts to develop KVSs with stronger consistency such as causal consistency [11,44,45,56], and strong consistency [1–3,6]. 2

Note that the operation equality is a common leakage pattern in practical ESAs.

Encrypted Key-Value Stores

65

Encrypted Search. An encrypted search algorithm (ESA) is a search algorithm that operates on encrypted data. ESAs can be built from various cryptographic primitives including oblivious RAM (ORAM) [33], fully-homomorphic encryption (FHE) [31], property-preserving encryption (PPE) [8,12,14,46,50] and structured encryption (STE) [23] which is a generalization of searchable symmetric encryption [51]. Each of these approaches achieves different tradeoffs between efficiency, expressiveness and security/leakage. For large datasets, structured encryption seems to provide the best tradeoffs between these three dimensions: achieving sub-linear (and even optimal) search times and rich queries while leaking considerably less than PPE-based solutions and either the same as [39] or slightly more than ORAM-based solutions. Various aspects of STE have been extensively studied in the cryptographic literature including dynamism [15,16,19,28,32,41,42,52], locality [9,10,21,26,27], expressiveness [20,23,29,30,36,37,40,48,49,57] and leakage [13,18,34,38,39]. Encrypted keyvalue stores can be viewed as a form of distributed STE scheme. Such schemes were first considered by Agarwal and Kamara in [7] where they studied encrypted distributed hash tables.

3

Preliminaries

Notation. The set of all binary strings of length n is denoted as {0, 1}n , and the set of all finite binary strings as {0, 1}∗ . [n] is the set of integers {1, . . . , n}, and 2[n] is the corresponding power set. We write x ← χ to represent an element x $ being sampled from a distribution χ, and x ← X to represent an element x being sampled uniformly at random from a set X. The output x of an algorithm A is denoted by x ← A. If S is a set then |S| refers to its cardinality. If s is a string then |s| refers to its bit length. We denote by Ber(p) the Bernoulli distribution with parameter p. Dictionaries. A dictionary structure DX of capacity n holds a collection of n label/value pairs {(i , vi )}i≤n and supports get and put operations. We write vi := DX[i ] to denote getting the value associated with label i and DX[i ] := vi to denote the operation of associating the value vi in DX with label i . Leakage Profiles. Many cryptographic primitives and protocols leak information. Examples include encryption schemes, which reveal the length of the plaintext; secure multi-party computation protocols, which (necessarily) reveal about the parties’ inputs whatever can be inferred from the output(s); order-preserving encryption schemes, which reveal implicit and explicit bits of the plaintext; structured encryption schemes which reveal correlations between queries; and oblivious algorithms which reveal their runtime and the volume of data they read. Leakage-parameterized security definitions [23,24] extend the standard provable security paradigm used in cryptography by providing adversaries (and simulators) access to leakage over plaintext data. This leakage is formally and precisely captured by a leakage profile which can then be analyzed through cryptanalysis

66

A. Agarwal and S. Kamara

and further theoretical study. Leakage profiles can themselves be functions of one or several leakage patterns. Here, the only pattern we will consider is the operation equality which reveals if and when two (unknown) operations are for the same label. Consistency Guarantees. The consistency guarantee of a distributed system specifies the set of acceptable responses that a read operation can output. There are multiple consistency guarantees studied in the literature, including linearizability, sequential consistency, causal consistency and eventual consistency. Though strong consistency notions like linearizability are desirable, the Consistency, Availability, and Partition tolerance (CAP) Theorem states that strong consistency and availability cannot be achieved simultaneously in the presence of network partitions. Therefore, many practical systems settle for weaker consistency guarantees like sequential consistency, causal consistency and eventual consistency. We note that all these weaker consistency guarantees—with the exception of eventual consistency—all satisfy what is known as “Read Your Writes” (RYW) consistency which states that all the writes performed by a single client are visible to its subsequent reads. Many practical systems [1,2,5,44,45] guarantee RYW consistency.

4

Key-Value Stores

Here we extend the formal treatment of encrypted DHTs given by Agarwal and Kamara [7] to key-value stores. A key-value store is a distributed storage system that provides a key-value interface and that guarantees resiliency against node failures. It does so by replicating label/value pairs on multiple nodes. Similar to DHTs, there are two kinds of KVSs: perpetual and transient. Perpetual KVSs are composed of a fixed set of nodes that are all known at setup time. Transient KVSs, on the other hand, are designed for settings where nodes are not known a-priori and can join and leave at any time. Perpetual KVSs are suitable for “permissioned” settings like the backend infrastructure of large companies whereas transient KVSs are better suited to “permissionless” settings like peer-to-peer networks and permissionless blockchains. In this work, we study the security of perpetual KVSs. Perpetual KVSs. We formalize KVSs as a collection of six algorithms KVS = (Overlay, Alloc, FrontEnd, Daemon, Put, Get). The first three algorithms, Overlay, Alloc and FrontEnd are executed only once by the entity responsible for setting up the system. Overlay takes as input an integer n ≥ 1, and outputs a parameter ω from a space Ω. Alloc takes as input parameters ω, n and an integer ρ ≥ 1, and outputs a parameter ψ from a space Ψ . FrontEnd takes as input parameters ω and n and outputs a parameter φ from space Φ. Intuitively, the parameter φ will be used to determine a front end node for each label. These front end nodes will serve as the clients’ entry points in the network whenever they need

Encrypted Key-Value Stores

67

perform an operation on a label. We refer to ω, ψ, φ as the KVS parameters and represent them by Γ = (ω, ψ, φ). Each KVS has an address space A and the KVS parameters in Γ define different components of the KVS over this address space. For example, ω maps node names to addresses in A, ψ maps labels to addresses in A, φ determines the address of a front-end node (or starting node). The fourth algorithm, Daemon, takes Γ and n as input and is executed by every node in the network. Daemon is halted only when a node wishes to leave the network and it is responsible for setting up its calling node’s state for routing messages and for storing and retrieving label/value pairs from the node’s local storage. The fifth algorithm, Put, is executed by a client to store a label/value pair on the network. Put takes as input Γ and a label/value pair  and v, and outputs nothing. The sixth algorithm, Get, is executed by a client to retrieve the value associated to a given label from the network. Get takes as input Γ and a label  and outputs a value v. Since all KVS algorithms take Γ as input we sometimes omit it for visual clarity. Abstracting KVSs. To instantiate a KVS, the parameters ω and ψ must be chosen together with a subset C ⊆ N of active nodes (i.e., the nodes currently in the network) and an active set of labels K ⊆ L (i.e., the labels stored in the KVS). Once a KVS is instantiated, we describe KVSs using a tuple of function families (addr, replicas, route, fe) that are all parameterized by a subset of parameters in Γ . These functions are defined as addrω : N → A

replicasω,ψ : L → 2A

routeω : A × A → 2A ,

feφ : L → A

where addrω maps node names from a name space N to addresses from an address space A, replicasω,ψ maps labels from a label space L to the set of addresses of ρ nodes that store it, routeω maps two addresses to the addresses of the nodes on the route between them, and feφ maps labels to node addresses who forward client requests to the rest of the network.3 For visual clarity we abuse notation and represent the path between two addresses by a set of addresses instead of as a sequence of addresses, but we stress that paths are sequences. Given an address a and set of addresses S, we also sometimes write routeω (a, S) to represent the set of routes from a to all the addresses in S. Note that this is an abstract representation of a KVS that will be particularly useful to us to define random variables we need for our probabilistic analysis but, in practice, the overlay network, including its addressing and routing functions, are implemented by the Daemon algorithm. We sometimes refer to a pair (ω, C) as an overlay and to a pair (ψ, K) as an allocation. Abstractly speaking, we can think of an overlay as an assignment from active nodes to addresses and of an allocation as an assignment of active

3

For KVSs that allow their clients to connect directly to the replicas and do not use front end nodes, the abstraction can drop the fe mapping and be adjusted in the natural way.

68

A. Agarwal and S. Kamara

labels to addresses. In this sense, overlays and allocations are determined by a pair (ω, C) and (ψ, K), respectively.4 Visible Addresses. As in [7], a very useful notion for our purposes will be that of visible addresses. For a fixed overlay (ω, C) and a fixed replication parameter ρ, an address a ∈ A is s-visible to a node N ∈ C if there exists a label  ∈ L such that if ψ allocates  to a, then either: (1) addrω (N ) ∈ replicasω,ψ (); or (2) addrω (N ) ∈ routeω (s, replicasω,ψ ()). The intuition behind this is that if a label  is mapped to an address in Vis(s, N ) then N either stores the label  or routes it when the operation for  starts at address s. We point out that the visibility of a node changes as we change the starting address s. For example, the node maybe present on the path to one of the addresses if s was the starting address but not on the path if some other address s was the starting address. Throughout we assume the set of visible addresses to be efficiently computable. Since the set of s-visible addresses depends on parameters ω and ρ, and the set C of nodes that are currently active, we subscript Visω,C,ρ (s, N ) with all these parameters. Finally, as in [7], we also extend the notion to the set of svisible addresses Visω,C,ρ (s, S) for a set of nodes S ⊆ C which is defined simply as Visω,C,ρ (s, S) = ∪N ∈S Visω,C,ρ (s, N ). Again, for visual clarity, we will drop the subscripts wherever they are clear from the context. Front-End Distribution. As in [7], another important notion in our analysis is that of a label’s front-end distribution which is the probability distribution that governs the address of an operation’s “entry point” into the KVS network. It is captured by the random variable feφ (), where φ is sampled by the algorithm FrontEnd. In this work we assume front-end distributions to be label-independent in the sense that every label’s front-end node distribution is the same. We therefore simply refer to this distribution as the KVS’s front-end distribution. Allocation Distribution. The next notion important to our analysis is what we refer to as a label’s allocation distribution which is the probability distribution that governs the address at which a label is allocated. More precisely, this is captured by the random variable ψ(), where ψ is sampled by the algorithm Alloc. In this work, we assume allocation distributions are label-independent in the sense that every label’s allocation distribution is the same. We refer to this distribution as the KVS’s allocation distribution.5 Given a KVS’s allocation distribution, we also consider a distribution Δ(S) that is parameterized by a set of addresses S ⊆ A. This distribution is over S and has probability mass function Pr [ ψ() = a ] fψ (a) = , f (a) Pr [ ψ() ∈ S ] ψ a∈S

fΔ(S) (a) =  4

5

Note that for simplicity, we assume that ψ maps labels to a single address. This however can be extended in a straightforward way where ψ maps a label to multiple addresses. This would be required to model KVSs where replicas of a label are independent of each other. This is true for every KVS we are aware of [25, 43, 54, 55].

Encrypted Key-Value Stores

69

where fψ is the probability mass function of the KVS’s allocation distribution. Non-committing Allocations. As we will see in Sect. 6, our EKVS construction can be based on any KVS but the security of the resulting scheme will depend on certain properties of the underlying KVS. We describe these properties here. The first property that we require of a KVS is that the allocations it produces be non-committing in the sense that it supports a form of equivocation. More precisely, for some fixed overlay (ω, C) and allocation (ψ, K), there should exist some efficient mechanism to arbitrarily change/program ψ. In other words, there should exist a polynomial-time algorithm Program such that, for all (ω, C) and (ψ, K), given a label  ∈ L and an address a ∈ A, Program(, a) modifies the KVS so that ψ() = a. For the special case of consistent hashing based KVSs, which we study in Sect. 7, this can be achieved by modeling one of its hash functions as a random oracle. Balanced Overlays. The second property is related to how well the KVS load balances the label/value pairs it stores. While load balancing is clearly important for storage efficiency we will see, perhaps surprisingly, that it also has an impact on security. Intuitively, we say that an overlay (ω, C) is balanced if for all labels , that any set of θ nodes sees  is not too large. Definition 1 (Balanced overlays). Let ω ∈ Ω be an overlay parameter, C ⊆ N be a set of active nodes, and ρ ≥ 1 be a replication parameter. We say that an overlay (ω, C) is (ε, θ)-balanced if for all  ∈ L, and for all S ⊆ C with |S| = θ,   Pr replicasω,ψ () ∩ Visω,C,ρ (feφ (), S) = ∅ ≤ ε, where the probability is over the coins of Alloc and FrontEnd, and where ε can depend on θ. Definition 2 (Balanced KVS). We say that a key-value store KVS = (Overlay, Alloc, FrontEnd, Daemon, Put, Get) is (ε, δ, θ)-balanced if for all C ⊆ N, the probability that an overlay (ω, C) is (ε, θ)-balanced is at least 1 − δ over the coins of Overlay and where ε and δ can depend on C and θ.

5

Encrypted Key-Value Stores

In this Section, we formally define encrypted key-value stores. An EKVS is an end-to-end encrypted distributed system that instantiates a replicated dictionary data structure. 5.1

Syntax and Security Definitions

Syntax. We formalize EKVSs as a collection of seven algorithms EKVS = (Gen, Overlay, Alloc, FrontEnd, Daemon, Put, Get). The first algorithm Gen is executed by a client and takes as input a security parameter 1k and outputs a secret

70

A. Agarwal and S. Kamara

L Fig. 1. FKVS : The KVS functionality parameterized with leakage function L.

key K. All the other algorithms have the same syntax as before (See Sect. 4), with the difference that Get and Put also take the secret key K as input. Security. The definition is roughly the same as the one in [7] and is based on the real/ideal-world paradigm. This approach consists of defining two probabilistic experiments Real and Ideal where the former represents a real-world execution of the protocol where the parties are in the presence of an adversary, and the latter represents an ideal-world execution where the parties interact with a trusted functionality shown in Fig. 1. The protocol is secure if no environment can distinguish between the outputs of these two experiments. To capture the fact that a protocol could leak information to the adversary, we parameterize the definition with a leakage profile that consists of a leakage function L that captures the information leaked by the Put and Get operations. Our motivation for making the leakage explicit is to highlight its presence. Due to space constraints, we detail both the experiments more formally in the full version of the paper. Definition 3 (L-security). We say that an encrypted key-value store EKVS = (Gen, Overlay, Alloc, FrontEnd, Daemon, Put, Get) is L-secure, if for all ppt adversaries A and all ppt environments Z, there exists a ppt simulator Sim such that for all z ∈ {0, 1}∗ , | Pr[RealA,Z (k) = 1] − Pr[IdealSim,Z (k) = 1]| ≤ negl(k). Correctness. In the real/ideal-world paradigm, the security of a protocol is tied to its correctness. It is therefore important that our ideal functionality capture the correctness of the KVS as well. What this means is that the functionality should produce outputs that follow the same distribution as the outputs from a KVS. Unfortunately, in a setting with multiple clients sharing the data, even with the strongest consistency guarantees (e.g., linearizability), there are multiple possible responses for a read, and the one which the KVS actually outputs depends on behaviour of the network. Since the network behaviour is non-deterministic, the distribution over the possible outputs is also non-deterministic and hence

Encrypted Key-Value Stores

71

the functionality cannot model the distribution over outputs correctly without modelling the network inside it. However, if we restrict to a single client setting, RYW property ensures that a Get always outputs the latest value written to the KVS. Therefore the functionality FKVS models the correct distribution over the outputs: on a Get(), it outputs the last value written to DX[], and on a Put(, v), it updates the DX[] to v.

6

The Standard EKVS Scheme in the Single-User Setting

We now describe the standard approach to storing sensitive data on a KVS. This approach relies on simple cryptographic primitives and a non-committing and balanced KVS. Overview. The scheme EKVS = (Gen, Overlay, Alloc, FrontEnd, Daemon, Put, Get) is described in detail in Fig. 2 and, at a high level, works as follows. It makes black-box use of a key-value store KVS = (Overlay, Alloc, FrontEnd, Daemon, Put, Get), a pseudo-random function F and a symmetric-key encryption scheme SKE = (Gen, Enc, Dec). The Gen algorithm takes as input a security parameter 1k and uses it to generate a key K1 for the pseudo-random function F and a key K2 for the symmetric encryption scheme SKE. It then outputs a key K = (K1 , K2 ). The Overlay, Alloc, FrontEnd and Daemon algorithms respectively execute KVS.Overlay, KVS.Alloc, KVS.FrontEnd and KVS.Daemon to generate and output the parameters ω, ψ and φ. The Put algorithm takes as input the secret key K and a label/value pair (, v). It first computes t := FK1 () and e ← Enc(K2 , v) and then executes KVS.Put(t, e). The Get algorithm takes as input the secret key K and a label . It computes t := FK1 () and executes e ← KVS.Get(t). It then outputs SKE.Dec(K, e). Security. We now describe the leakage of EKVS. Intuitively, it reveals to the adversary the times at which a label is stored or retrieved with some probability. More formally, it is defined with the following stateful leakage function – Lε (DX, (op, , v)): 1. if  has never been seen (a) sample and store b ← Ber(ε) 2. if b = 1 (a) if op = put output (put, opeq()) (b) else if op = get output (get, opeq()) 3. else if b = 0 (a) output ⊥ where opeq is the operation equality pattern which reveals if and when a label was queried or put in the past. Discussion. We now explain why the leakage function is probabilistic and why it depends on the balance of the underlying KVS. Intuitively, one expects that the

72

A. Agarwal and S. Kamara

Fig. 2. The standard EKVS scheme

adversary’s view is only affected by get and put operations on labels that are either: (1) allocated to a corrupted node; or (2) allocated to an uncorrupted node whose path includes a corrupted node. In such a case, the adversary’s view would not be affected by all operations but only a subset of them. Our leakage function captures this intuition precisely and it is probabilistic because, in the real world, the subset of operations that affect the adversary’s view is determined by the choice of overlay, allocation and front-end function—all of which are chosen at random. The way this is handled in the leakage function is by sampling a bit b with some probability and revealing leakage on the current operation if b = 1. This determines the subset of operations whose leakage will be visible to the adversary. Now, for the simulation to go through, the operations simulated by the simulator need to be visible to the adversary with the same probability as in the real execution. But these probabilities depend on ω, ψ and φ which are not known to the leakage function. Note that this implies a rather strong definition in the sense that the scheme hides information about the overlay, the allocation and front-end function of the KVS.

Encrypted Key-Value Stores

73

Since ω, ψ and φ are unknown to the leakage function, the leakage function can only guess as to what they could be. But because the KVS is guaranteed to be (ε, δ, θ)-balanced, the leakage function can assume that, with probability at least 1 − δ, the overlay will be (ε, θ)-balanced which, in turn, guarantees that the probability that a label is visible to any adversary with at most θ corruptions is at most ε. Therefore, in our leakage function, we can set the probability that b = 1 to be ε in the hope that simulator can “adjust” the probability internally to be in accordance to the ω that it sampled. Note that the simulator can adjust the probability only if for its own chosen ω, the probability that a query is visible to the adversary is less than ε. But this will happen with probability at least 1 − δ so the simulation will work with probability at least 1 − δ. We are now ready to state our main security Theorem whose proof is in the full version of the paper. Theorem 1. If |I| ≤ θ and if KVS is RYW consistent, (ε, δ, θ)-balanced, has non-committing allocations and has label-independent allocation and front-end distributions, then EKVS is Lε -secure with probability at least 1 − δ − negl(k). Efficiency. The standard scheme does not add any overhead to time, round, communication and storage complexities of the underlying KVS.

7

A Concrete Instantiation Based on Consistent Hashing

In this section, we analyze the security of the standard EKVS when its underlying KVS is instantiated with a consistent hashing based KVS (CH-KVS). We first give a brief overview of consistent hashing and then show that: (1) it has noncommitting allocations in the random oracle model; and (2) it is balanced under two commonly used routing protocols. Setting Up a CH-KVS. For CH-KVSs, the space Ω is the set of all hash functions H1 from N to A = {0, . . . , 2m − 1}. Overlay samples a hash function H1 uniformly at random from H1 and outputs ω = H1 . The map addrω is the hash function itself so CH-KVSs assign to each active node N ∈ C an address H1 (N ) in A. We call the set χC = {H1 (N1 ), . . . , H1 (Nn )} of addresses assigned to active nodes a configuration. The parameter space Ψ is the set of all hash functions H2 from L to A = {0, . . . , 2m − 1}. Alloc samples a hash function H2 uniformly at random from H2 and outputs ψ = H2 . The map replicasω,ψ maps every label  in L to the addresses of ρ active nodes that follow H2 () in clockwise direction. More formally, replicasω,ψ is the mapping (succχC ◦ H2 , . . . , succρχC ◦ H2 ), where succχC is the successor function that assigns each address in A to its least upper bound in χC . Here, {0, . . . , 2m − 1} is viewed as a “ring” in the sense that the successor of 2m−1 is 0. CH-KVSs allow their clients to choose any node as the front-end node to issue its operations. Moreover, they do not restrict them to connect to the same node feφ (), everytime the client wants to query the same . This means that for

74

A. Agarwal and S. Kamara

CH-KVSs, feφ is not necessarily a function but can be a one-to-many relation. Unfortunately we cannot prove CH-KVSs to be balanced for arbitrary feφ s. We therefore modify CH-KVSs and model their space Φ as the set of all hash functions H3 from L to addresses of active nodes. FrontEnd samples a hash function H3 uniformly at random from H3 and outputs φ = H3 . The map feφ is the hash function H3 itself so it assigns a front-end node with address H3 () to each label . Routing Protocols. There are two common routing protocols with CH-KVSs; each with trade-offs in storage and efficiency. – Multi-hop routing. Based on H1 , the Daemon algorithm constructs a routing table by storing the addresses of the node’s 2i th successors where 0 ≤ i ≤ log n (we refer the reader to [53] for more details). Note that a routing table contains at most log n other nodes. The routing protocol is fairly simple: given a message destined to a node Nd , a node N checks if N = Nd . If not, the node forwards the message to the node N  in its routing table with an address closest to Nd . Note that the routeω map is deterministic given a fixed set of active nodes and it guarantees that any two nodes have a path of length at most log n. – Zero-hop routing. Based on H1 , the Daemon algorithm constructs a routing table by storing the addresses of all the other nodes in the routing table. Routing is then straightforward: given a message for Nd , simply forward it to the address of Nd . In short, for any two addresses s and d, routeω (s, d) = {s, d}. Storing and Retrieving. When a client wants to execute a Get/Put operation on a label , it forwards the operation to the front-end node of . The frontend node executes the operation on the client’s behalf as follows. It computes replicas() and forwards the operation to one of them. This replica is called the coordinator node. The coordinator then sends the operation to all (or a subset) the other replicas which then either update their state (on Put) or return a response back to the coordinator (on Get). In case more than one value is returned to the coordinator, it decides which value(s) is to be returned to the front-end. The choice of the coordinator node for a label  varies from KVS to KVS. It can be a fixed node or a different node between requests for label . Either way, it is always a node chosen from the set of replicas. This guarantees that the visibility of a label (and hence the leakage) does not change between requests. KVSs also employ different synchronization mechanisms, like Merkle trees and read repairs to synchronize divergent replicas. Non-committing Allocation. Given a label  and an address a, the allocation (H2 , K) can be changed by programming the random oracle H2 to output a when it is queried on . Allocation Distribution. We now describe the allocation distribution of CHKVSs. Since CH-KVSs assign labels to addresses using a random oracle H2 , it follows that for all overlays (H1 , C), all labels  ∈ L and addresses a ∈ A,

Encrypted Key-Value Stores

fH2 (a) = Pr [ H2 () = a ] =

75

1 , |A|

which implies that CH-KVSs have label-independent allocations. From this it also follows that Δ(S) has a probability mass function fΔ(S) (a) = 

 −1 1 |S| fψ (a) 1 = . = f (a) |A| |A| |S| a∈S ψ

Before describing the visibility of nodes in CH-KVSs and analyzing their balance under zero-hop and multi-hop routing protocols, we define notation that will be useful in our analysis. Notation. The arc of a node N is the set of addresses in A between N ’s predecessor and itself. Note that the arc of a node depends on a configuration χ. More formally, we write arcχ (N ) = (predχ (H1 (N )), . . . , H1 (N )], where predχ (N ) is the predecessor function which assigns each address in A to its largest lower bound in χ. We extend the notion of arc of a node to ρ-arcs of a node. A ρ-arc of a node N is the set of addresses between N ’s ρth predecessor and itself. More formally, we write arcρχ (N ) = (predρχ (H1 (N )), . . . , H1 (N )], where predρχ (H1 (N )) represents the predecessor function applied ρ times on H1 (N ). Intuitively, if H2 hashes a label  anywhere in ρ-arc of N , then N becomes one of the ρ replicas of . We denote by maxareas(χ, x), the sum of the lengths (sizes) of x largest arcs in configuration χ. The maximum area of a configuration χ is equal to maxareas(χ, ρθ). As we will later see, the maximum area is central to analyzing the balance of CH-KVSs. 7.1

Zero-Hop CH-KVSs

In this section, we analyse the visibility and balance of zero-hop CH-KVSs. Visible Addresses. Given a fixed overlay (H1 , C), an address s ∈ A and a node N ∈ C, if the starting address is s = H1 (N ), then VisχC (s, N ) = A. This is because H1 (N ) lies on routeχC (s, a) for all a ∈ A. Now for an address s ∈ A such that s = H1 (N ), we have   ρ   arcρχC (N ) VisχC (s, N ) = arcχC (N ) : H1 (N ) ∈ routeχC (s, H1 (N ))   ρ   arcρχC (N ) = arcχC (N ) : H1 (N ) ∈ {s, H1 (N )}   ρ   arcρχC (N ) = arcχC (N ) : H1 (N ) = H1 (N ) = arcρχC (N ) where the second equality follows from the fact that routeχC (s, H1 (N  )) = {s, H1 (N  )}, the third follows from the assumption that H1 (N ) = s, and the

76

A. Agarwal and S. Kamara

fourth from the fact that arcρχC (N ) = arcρχC (N  ) if H1 (N ) = H1 (N  ). Finally, for any set S ⊆ C, Visω,C (s, S) = ∪N ∈S Visω,C (s, N ). Balance of Zero-Hop CH-KVSs. Before analyzing the balance of CH-KVSs, we first recall a Lemma from Agarwal and Kamara [7] that upper bounds the sum of the lengths of the x largest arcs in a configuration χ in Chord. The sum is denoted by maxareas(χ, x). Since Chord is also based on consistent hashing, we use the corollary to bound the maximum area of CH-KVSs by substituting x = ρθ. Lemma 1 [7]. Let C ⊆ N be a set of active nodes. Then, for x ≤ |C|/e,

√ |C| 6|A|x 1 log − (e− |C| · log |C|). ≥1− Pr maxareas(χC , x) ≤ 2 |C| x |C| We are now ready to analyze the balance of zero-hop CH-KVSs. Theorem 2. Let C ⊆ N be a set of active nodes. If maxareas(χC , ρθ) ≤ λ, then χC is (ε, θ)-balanced with ε=

λ θ + |C| |A|

The proof of Theorem 2 is in the full version of the paper. Corollary 1. Let C be a set of active nodes. For all ρθ ≤ |C|/e, a zero-hop CH-KVS is (ε, δ, θ)-balanced for    √ |C| θ 1 − |C| ε= + (e · log |C|) 1 + 6ρ log and δ = |C| ρθ |C|2 The proof of Corollary 1 is in the full version of the paper. Remark. It follows from Corollary 1 that    |C| ρθ log ε=O |C| ρθ and δ = O(1/|C|2 ). Note that assigning labels uniformly at random to ρ nodes would achieve ε = ρθ/|C| so zero-hop CH-KVSs balance data fairly well. The Security of a Zero-Hop CH-KVS Based EKVS. In the following Corollary, we formally state the security of the standard scheme when its underlying KVS is instantiated with a zero-hop CH-KVS. Corollary 2. If |L| = Θ(2k ), |I| ≤ |C|/(ρe), and if EKVS is instantiated with a 2 RYW √ zero-hop CH-KVS, then it is Lε -secure with probability at least 1−1/|C| − (e− |C| · log |C|) − negl(k) in the random oracle model, where    |C| |I| ε= 1 + 6ρ log . |C| ρ|I|

Encrypted Key-Value Stores

77

The proof of Corollary 2 is in the full version of the paper. From the discussion of Corollary 1, we know,    |C| ρ|I| log ε=O |C| ρ|I| and δ = O(1/|C|2 ). Setting |I| = |C|/(ρα), for some α ≥ e, we have ε = O(log(α)/α). Recall that, on each query, the leakage function leaks the operation equality with probability at most ε. So intuitively this means that the adversary can expect to learn the operation equality of an O(log(α)/α) fraction of client operations if ρ|I| = |C|/α. Note that this confirms the intuition that distributing data suppresses its leakage. 7.2

Multi-hop CH-KVSs

In this section, we analyse the visibility and balance of multi-hop CH-KVSs. Since most of the details are similar to what was in the last section, we keep the description high level. Visible Addresses. Given a fixed overlay (H1 , C), an address s ∈ A and a node N ∈ C, if the starting address is s = H1 (N ), then VisχC (s, N ) = A. For an address s ∈ A such that s = H1 (N ), we have   ρ   arcρχC (N ) VisχC (s, N ) = arcχC (N ) : H1 (N ) ∈ routeχC (s, H1 (N )) Finally, for any set S ⊆ C, Visω,C (s, S) = ∪N ∈S Visω,C (s, N ). Balance of Multi-hop CH-KVSs. We now analyze the balance of multi-hop CH-KVSs. Theorem 3. Let C ⊆ N be a set of active nodes. If maxareas(χC , ρθ) ≤ λ, then χC is (ε, θ)-balanced with ε=

λ ρθ log |C| + |C| |A|

The proof of Theorem 3 is in the full version of the paper. Corollary 3. Let C be a set of active nodes. For all ρθ ≤ |C|/(e log |C|), a multi-hop CH-KVS is (ε, δ, θ)-balanced for    √ |C| ρθ 1 − |C| ε= + (e · log |C|) log |C| + 6 log and δ = |C| ρθ |C|2 The Corollary follows directly from Corollary 1 and Theorem 3. Notice that multi-hop CH-KVSs are not only less balanced than zero-hop CH-KVSs but also tolerate a lesser number of corruptions. This is the case because in a multi-hop CH-KVS there is a higher chance that an adversary sees a label since the routes are larger.

78

A. Agarwal and S. Kamara

Remark. It follows from Corollary 3 that   ρθ log |C| ε=O |C| and δ = O(1/|C|2 ). As discussed earlier, the optimal balance is ε = ρθ/|C|, which is achieved when labels are assigned uniformly at random to ρ nodes. Note that balance of multi-hop CH-KVSs is only log |C| factor away from optimal balance which is very good given that the optimal balance is achieved with no routing at all. The Security of a Multi-hop CH-KVS Based EKVS. In the following Corollary, we formally state the security of the standard scheme when its underlying KVS is instantiated with a multi-hop CH-KVS. Corollary 4. If |L| = Θ(2k ), |I| ≤ |C|/(ρe log |C|), and if EKVS is instantiated with a RYW multi-hop CH-KVS, then it is Lε -secure with probability at least √ − |C| 2 · log |C|) − negl(k) in the random oracle model, where 1 − 1/|C| − (e    |C| ρ|I| ε= log |C| + 6 log . |C| ρ|I| From the discussion of Theorem 3, we know that,   ρ|I| log |C| ε=O |C| and δ = O(1/|C|2 ). Setting |I| = |C|/(ρα log |C|), for some α ≥ e, we have ε = O(1/α), which intuitively means that the adversary can expect to learn the operation equality of an O(1/α) fraction of client operations.

8

The Standard EKVS Scheme in the Multi-user Setting

We now analyze the security of the standard scheme in a more general setting, i.e., where we no longer require the underlying KVS to satisfy RYW and where we no longer assume that a single client operates on the data. We call this setting the multi-user setting where multiple clients operate on the same data concurrently. We start by extending our security definition to the multi-user setting and then analyze the security of the standard scheme (from Fig. 2) in this new setting. The Ideal Multi-user KVS Functionality. The ideal multi-user KVS funcL is described in Fig. 3. The functionality stores all the values tionality FmKVS that were ever written to a label. It also associates a time τ with every value indicating when the value was written. On a Get operation, it sends leakage to the simulator which returns a time τ  . The functionality then returns the value associated with τ  to the client. Notice that, unlike single-user ideal functionality L , the multi-user ideal functionality can be influenced by the simulator. FKVS

Encrypted Key-Value Stores

79

L Fig. 3. FmKVS : The ideal multi-user KVS functionality parameterized with leakage function L.

Security Definition. The real and ideal experiments are the same as in Sect. 5 with the following differences. First, the experiments are executed not with a single client but with c clients C1 . . . Cc ; second, the environment adaptively sends operations to all these clients; and third, the ideal functionality of Fig. 1 is replaced with the ideal functionality described in Fig. 3. 8.1

Security of the Standard Scheme

We now analyze the security of the standard scheme when its underlying KVS is instantiated with a KVS that does not necessarily satisfy RYW consistency. We start by describing its stateful leakage function. – L(DX, (op, , v)): 1. if op = put output (put, opeq()) 2. else if op = get output (get, opeq()) where opeq is the operation equality pattern which reveals if and when a label was queried or put in the past. Single-User vs. Multi-user Leakage. Notice that the leakage profile achieved in the multi-user setting is a function of all the labels whereas the leakage profile achieved in the single-user setting was only a function of the labels that were (exclusively) stored and routed by the corrupted nodes. In particular, this implies that the multi-user leakage is worse than the single-user leakage and equivalent to the leakage achieved by standard (non-distributed) schemes. In following, we will refer to the labels stored and routed exclusively by honest nodes as “honest labels” and to all the other labels as “corrupted labels”. The reason that the single-user leakage is independent of the honest labels is because of the RYW consistency of the underlying KVS. More precisely, RYW consistency guarantees that for a given label, the user will read the latest value that it stored. This implies that the value it reads will be independent of any

80

A. Agarwal and S. Kamara

other label, including the corrupted labels. This is not the case, however, in the multi-user setting where RYW consistency does not guarantee that the honest labels will be independent of the corrupted labels. To see why, consider the following example. Let 1 be a corrupted label and let 2 be an honest label. Assume that both 1 and 2 initially have the value 0. Now consider the two sequences of operations executed by clients C1 and C2 shown in Fig. 4. Notice that both sequences are RYW consistent (this is the case because they satisfy a stronger consistency guarantee called sequential consistency). However, in sequence 1, Get(2 ) can output both 0 or 1 whereas, in sequence 2, if Get(1 ) outputs a 0, then Get(2 ) can only output 1. This example points out that operations on corrupted labels can impact operations on honest labels. Capturing exactly how operations on one label can effect operations on other labels for different consistency guarantees is challenging but might be helpful in designing solutions with better leakage profiles. We leave this as an open problem. Alternatively, it would be interesting to know if there is some consistency notion one could assume (in the multi-user setting) under which a better leakage profile could be achieved.

Fig. 4. Sequence 1 is on the left and Sequence 2 is on the right.

Security. We now state our security theorem, the proof of which is in the full version of the paper. Theorem 4. EKVS is L-secure with probability at least 1 − negl(k).

9

Conclusions and Future Work

In this work, we study end-to-end encryption in the context of KVSs. We formalize the security properties of the standard scheme in both the single-user and multi-user settings. We then use our framework to analyze the security of the standard scheme when its underlying KVS is instantiated with consistent hashing based KVS (with zero-hop and multi-hop routing). We see our work as an important step towards designing provably-secure end-to-end encrypted distributed systems like off-chain networks, distributed storage systems, distributed databases and distributed caches. Our work motivates several open problems and directions for future work.

Encrypted Key-Value Stores

81

Relationship Between Consistency Guarantees and Leakage. Recall that the standard scheme leaks the operation equality of all the labels in the multiuser setting (with no assumption on the consistency guarantees). However, if the underlying KVS satisfies RYW consistency, the scheme only leaks the operation equality of a subset of labels but in a single-user setting. The most immediate question is whether the leakage can be improved in the multi-user setting by assuming a stronger consistency guarantee. We however believe that even assuming linearizability, which is much stronger than RYW consistency, the standard scheme would still leak more in the multiuser setting than what it would in the single-user setting with RYW consistency. The question then is to find a lower bound on leakage in the multi-user setting. Beyond CH-KVS. Another direction is to study the security of the standard EKVS when it is instantiated with a KVS that is not based on consistent hashing or on the two routing schemes that we described. Instantiations based on Kademlia [47] and Koorde [35] would be particularly interesting due to the former’s popularity in practice and the latter’s theoretical efficiency. Because Koorde uses consistent hashing in its structure (though its routing is different and based on De Bruijn graphs) the bounds we introduce in this work to study CH-KVS’s balance might find use in analyzing Koorde. Kademlia, on the other hand, has a very different structure than CH-KVSs so it is likely that new custom techniques and bounds are needed to analyze its balance. New EKVS Constructions. A third direction is to design new EKVS schemes with better leakage profiles. Here, a “better” profile could be the same profile Lε achieved in this work but with a smaller ε than what we show. Alternatively, it could be a completely different leakage profile. This might be done, for example, by using more sophisticated techniques from structured encryption and oblivious RAMs. EKVSs in the Transient Setting. Another important direction of immediate practical interest is to study the security of EKVSs in the transient setting. As mentioned in Sect. 4, in transient setting, nodes are not known a-priori and can join and leave at any time. This setting is particularly suited to peer-topeer networks and permissionless blockchains. Agarwal and Kamara [7] study DHTs in the transient setting and it would be interesting to extend their work to transient KVSs as well. Stronger Adversarial Models. Our security definitions are in the standalone model and against an adversary that makes static corruptions. Extending our work to handle arbitrary compositions (e.g., using universal composability [17]) and adaptive corruptions would be very interesting.

82

A. Agarwal and S. Kamara

References 1. 2. 3. 4. 5. 6. 7. 8.

9.

10.

11.

12.

13. 14.

15. 16.

17.

18.

19.

20.

Apache ignite. https://ignite.apache.org/ Couchbase. https://www.couchbase.com/ FoundationDB. https://www.foundationdb.org/ MemcacheDB. https://github.com/LMDB/memcachedb/ Redis. https://redis.io/ XAP. https://www.gigaspaces.com/ Agarwal, A., Kamara, S.: Encrypted distributed hash tables. Cryptology ePrint Archive, Report 2019/1126 (2019). https://eprint.iacr.org/2019/1126 Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Order preserving encryption for numeric data. In: ACM SIGMOD International Conference on Management of Data, pp. 563–574 (2004) Asharov, G., Naor, M., Segev, G., Shahaf, I.: Searchable symmetric encryption: optimal locality in linear space via two-dimensional balanced allocations. In: ACM Symposium on Theory of Computing, STOC 2016, pp. 1101–1114. ACM, New York (2016) Asharov, G., Segev, G., Shahaf, I.: Tight tradeoffs in searchable symmetric encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1 14 Bailis, P., Ghodsi, A., Hellerstein, J.M., Stoica, I.: Bolt-on causal consistency. In: Proceedings of the 2013 ACM SIGMOD International Conference on Management of Data, pp. 761–772 (2013) Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5 30 Blackstone, L., Kamara, S., Moataz, T.: Revisiting leakage abuse attacks. In: Network and Distributed System Security Symposium (NDSS 2020) (2020) Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9 13 Bost, R.: Sophos - forward secure searchable encryption. In: ACM Conference on Computer and Communications Security (CCS 2016) (2016) Bost, R., Minaud, B., Ohrimenko, O.: Forward and backward private searchable encryption from constrained cryptographic primitives. In: ACM Conference on Computer and Communications Security (CCS 2017) (2017) Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001) Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: ACM Conference on Communications and Computer Security (CCS 2015), pp. 668–679. ACM (2015) Cash, D., et al.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: Network and Distributed System Security Symposium (NDSS 2014) (2014) Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Ro¸su, M.-C., Steiner, M.: Highlyscalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4 20

Encrypted Key-Value Stores

83

21. Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5 20 22. Chang, F., et al.: BigTable: a distributed storage system for structured data. ACM Trans. Comput. Syst. (TOCS) 26(2), 4 (2008) 23. Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8 33 24. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: ACM Conference on Computer and Communications Security (CCS 2006), pp. 79–88. ACM (2006) 25. DeCandia, G., et al.: Dynamo: amazon’s highly available key-value store. ACM SIGOPS Oper. Syst. Rev. 41, 205–220 (2007) 26. Demertzis, I., Papadopoulos, D., Papamanthou, C.: Searchable encryption with optimal locality: achieving sublogarithmic read efficiency. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 371–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1 13 27. Demertzis, I., Papamanthou, C.: Fast searchable encryption with tunable locality. In: ACM International Conference on Management of Data, SIGMOD 2017, pp. 1053–1067. ACM, New York (2017) 28. Etemad, M., K¨ up¸cu ¨, A., Papamanthou, C., Evans, D.: Efficient dynamic searchable encryption with forward privacy. PoPETs 2018(1), 5–20 (2018) 29. Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 123–145. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7 7 30. Fisch, B.A., et al.: Malicious-client security in blind seer: a scalable private DBMS. In: IEEE Symposium on Security and Privacy, pp. 395–410. IEEE (2015) 31. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: ACM Symposium on Theory of Computing (STOC 2009), pp. 169–178. ACM Press (2009) 32. Goh, E.-J.: Secure indexes. Technical report 2003/216, IACR ePrint Cryptography Archive (2003). http://eprint.iacr.org/2003/216 33. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996) 34. Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In: Network and Distributed System Security Symposium (NDSS 2012) (2012) 35. Kaashoek, M.F., Karger, D.R.: Koorde: a simple degree-optimal distributed hash table. In: Kaashoek, M.F., Stoica, I. (eds.) IPTPS 2003. LNCS, vol. 2735, pp. 98– 107. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45172-3 9 36. Kamara, S., Moataz, T.: Boolean searchable symmetric encryption with worst-case sub-linear complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 94–124. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-56617-7 4 37. Kamara, S., Moataz, T.: SQL on structurally-encrypted databases. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 149–180. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2 6 38. Kamara, S., Moataz, T.: Computationally volume-hiding structured encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 183–213. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3 7

84

A. Agarwal and S. Kamara

39. Kamara, S., Moataz, T., Ohrimenko, O.: Structured encryption and leakage suppression. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 339–370. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-968841 12 40. Kamara, S., Moataz, T., Zdonik, S., Zhao, Z.: An optimal relational database encryption scheme. Cryptology ePrint Archive, Report 2020/274 (2020). https:// eprint.iacr.org/2020/274 41. Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258–274. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1 22 42. Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: ACM Conference on Computer and Communications Security (CCS 2012). ACM Press (2012) 43. Lakshman, A., Malik, P.: Cassandra: a decentralized structured storage system. ACM SIGOPS Oper. Syst. Rev. 44(2), 35–40 (2010) 44. Lloyd, W., Freedman, M.J., Kaminsky, M., Andersen, D.G.: Don’t settle for eventual: scalable causal consistency for wide-area storage with COPS. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 401– 416 (2011) 45. Lloyd, W., Freedman, M.J., Kaminsky, M., Andersen, D.G.: Stronger semantics for low-latency geo-replicated storage. In: Presented as Part of the 10th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 2013), pp. 313–328 (2013) 46. Macedo, R., et al.: A practical framework for privacy-preserving NoSQL databases. In: 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS), pp. 11– 20. IEEE (2017) 47. Maymounkov, P., Mazi`eres, D.: Kademlia: a peer-to-peer information system based on the XOR metric. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 53–65. Springer, Heidelberg (2002). https://doi.org/10. 1007/3-540-45748-8 5 48. Meng, X., Kamara, S., Nissim, K., Kollios, G.: GRECS: graph encryption for approximate shortest distance queries. In: ACM Conference on Computer and Communications Security (CCS 2015) (2015) 49. Pappas, V., et al.: Blind seer: a scalable private DBMS. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 359–374. IEEE (2014) 50. Poddar, R., Boelter, T., Popa, R.A.: Arx: an encrypted database using semantically secure encryption. Proc. VLDB Endow. 12(11), 1664–1678 (2019) 51. Song, D., Wagner, D., Perrig, A.: Practical techniques for searching on encrypted data. In: IEEE Symposium on Research in Security and Privacy, pp. 44–55. IEEE Computer Society (2000) 52. Stefanov, E., Papamanthou, C., Shi, E.: Practical dynamic searchable encryption with small leakage. In: Network and Distributed System Security Symposium (NDSS 2014) (2014) 53. Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.: Chord: a scalable peer-to-peer lookup service for internet applications. ACM SIGCOMM Comput. Commun. Rev. 31(4), 149–160 (2001) 54. Sumbaly, R., Kreps, J., Gao, L., Feinberg, A., Soman, C., Shah, S.: Serving largescale batch computed data with project Voldemort. In: Proceedings of the 10th USENIX conference on File and Storage Technologies, p. 18. USENIX Association (2012)

Encrypted Key-Value Stores

85

55. Basho Technologies: Riak. https://docs.basho.com/riak/kv/2.2.2/learn/dynamo/ 56. Wu, Z., Butkiewicz, M., Perkins, D., Katz-Bassett, E., Madhyastha, H.V.: SPANStore: cost-effective geo-replicated storage spanning multiple cloud services. In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, pp. 292–308 (2013) 57. Zheng, W., Li, F., Popa, R.A., Stoica, I., Agarwal, R.: MiniCrypt: reconciling encryption and compression for big data stores. In: Proceedings of the Twelfth European Conference on Computer Systems, pp. 191–204 (2017)

Formal Methods

Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts Cheng Shi and Kazuki Yoneyama(B) Ibaraki University, 4-12-1, Nakanarusawa, Hitachi-shi, Ibaraki, Japan [email protected]

Abstract. Smart contracts are protocols that can automatically execute a transaction including an electronic contract when a condition is satisfied without a trusted third party. In a representative use-case, a smart contract is executed when multiple parties fairly trade on a blockchain asset. On blockchain systems, a smart contract can be regarded as a system participant, responding to the information received, receiving and storing values, and sending information and values outwards. Also, a smart contract can temporarily keep assets, and always perform operations in accordance with prior rules. Many cryptocurrencies have implemented smart contracts. At POST2018, Atzei et al. give formulations of seven fair exchange protocols using smart contract on Bitcoin: oracle, escrow, intermediated payment, timed commitment, micropayment channels, fair lotteries, and contingent payment. However, they only give an informal discussion on security. In this paper, we verify the fairness of their seven protocols by using the formal verification tool ProVerif. As a result, we show that five protocols (the oracle, intermediated payment, timed commitment, micropayment channels and fair lotteries protocols) satisfy fairness, which were not proved formally. Also, we re-find known attacks to break fairness of two protocols (the escrow and contingent payment protocols). For the escrow protocol, we formalize the two-party scheme and the three-party scheme with an arbitrator, and show that the two-party scheme does not satisfy fairness as Atzei et al. showed. For the contingent payment protocol, we formalize the protocol with the non-interactive zero-knowledge proof (NIZK), and re-find the attack shown by Campanelli et al. at CCS 2017. Also, we show that a countermeasure with subversion NIZK against the attack works properly while it is not formally proved. Keywords: Formal methods

1 1.1

· Smart contracts · Fairness · ProVerif

Introduction Background

Szabo [37] proposed the concept of smart contracts. It is a protocol that can automatically execute a transaction including an electronic contract without C. Shi—Presently with Panasonic Corporation. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 89–106, 2020. https://doi.org/10.1007/978-3-030-65277-7_5

90

C. Shi and K. Yoneyama

a trusted third party when the conditions are satisfied. Recently, implementations of smart contracts using distributed ledger technology and blockchain have attracted attention. A user who wants to execute a contract sends an appropriate transaction to a node in a peer-to-peer (P2P) network. Each user’s transaction is taken into the blockchain as an unprocessed transaction, and is executed when the transactions satisfy the contract conditions. For example, in the case of a contract representing a transaction on Bitcoin, if the contract is established, the transaction corresponds to the transfer of a specified amount of bitcoins. An important feature of smart contracts is that they can guarantee that contracts can be executed correctly without a centralized trusted authority. Also, the nodes that process transactions are considered mutually untrusted. Atzei et al. [11] proposed a formal framework for Bitcoin transactions. By using the framework, they introduce various types of fair exchange protocols [10] (oracle, escrow, intermediated payment, timed commitment, micropayment channels, fair lotteries, and contingent payment). These protocols represent several situations of transfer of bitcoins. For example, the escrow protocol provides that a specified amount of bitcoins is transferred from a buyer to a seller if the contract condition is satisfied, and the deposited bitcoins of the buyer is refunded otherwise. Since nodes are not trusted, we must consider the case that a malicious buyer or seller is included. Hence, these protocols must guarantee fairness such that the protocol never terminates in a situation that one participant unilaterally loses. In the case of the escrow protocol, the protocol must terminate in either of following situations; one is that bitcoins are transferred and the contract condition is satisfied, and the other is that bitcoins are refunded and the contract condition is not satisfied. Though it is well known that general fair exchange with two parties is impossible without a trusted third party [27], in their protocols blockchain works instead of the trusted third party. However, since they do not provide any formal security proof or formal verification, it is not clear that their scheme satisfies the desired fairness. Generally, it is difficult to evaluate security by hand because it is easy to make mistakes when the protocol is complicated. On the other hand, formal methods are known to be useful to verify security of cryptographic protocols easily and rigorously. Several automated security verification tools have been developed. ProVerif [5] is one of the most famous security verification tools, which can capture various security requirements such as confidentiality, authenticity, and indistinguishability. Thus, ProVerif has been used to verify many cryptographic protocols [8,9,15,19,29,31,32,35]. 1.2

Related Work

There have been various studies about security verification of cryptographic protocols with formal methods. ProVerif and CryptoVerif [17] have been used to verify standardized protocols such as ZRTP [19], SNMPv3 [9], mutual authentication protocol for GSM [8], LTE [29], OpenID Connect protocol [32], Google’s QUIC [35], TLS 1.3 [15], Signal [31], and others. Cremers and Horvat [25] verified 30 key exchange protocols standardized in ISO/IEC 11770-2 [3] and ISO/IEC

Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts

91

11770-3 [4] with automated security verification tool Scyther [21], and found some spoofing attacks. Scyther and Tamarin Prover [36] have been also used to verify other standardized protocols such as IKEv1/v2 in IPsec [22], entity authentication protocols in ISO/IEC 9798 [13], TLS 1.3 [26], 5G-AKA [23] and smart grid authentication protocol SAv5 in IEEE 1815-2012 [24] and others. Backes et al. [12] verified fairness of several protocols (ASW, GJM and Secure Conversation Protocol) by using the notion of liveness. The contingent payment protocol on Bitcoin using non-interactive zeroknowledge proof (NIZK) is originally proposed by Maxwell [34] (called zeroknowledge contingent payment), and concretely implemented by using pay-tosudoku [18]. Campanelli et al. [20] show an attack on the contingent payment protocol by a malicious seller. Their attack uses the property that information of the witness of NIZK is leaked if the malicious seller generates an arbitrary common reference string (CRS). Also, they give some countermeasures against their attack, and one of them is based on subversion NIZK because subversion NIZK is resilient to malicious CRSs. There are some previous works formally verifying security of smart contracts. Luu et al. [33] introduce a symbolic execution tool Oyente to find potential security bugs of smart contracts for the existing Ethereum system. However, Oyente is neither sound nor complete because it can result in several false alarms even in trivial contracts. Bhargavan et al. [16] propose a framework to formally verify Ethereum smart contracts written in Solidity which is a language for implementing smart contracts. Their framework cannot deal with important constructs such as loops. Kalra et al. [30] introduce a framework, ZEUS, for automatic formal verification of smart contracts using abstract interpretation and symbolic model checking. It is shown that fairness of several representative contracts can be verified by ZEUS. Specifically, CrowdFundDao [1], DiceRoll [2], StandardToken [6], Wallet [7] and Common policy are verified. These tools aim to verify Ethereum smart contracts and cannot be straightforwardly applied to Bitcoin smart contracts. 1.3

Our Contribution

In this paper, we formalize Atzei et al.’s seven fair exchange protocols [10] and verify fairness of these protocols by using ProVerif [5]. Our key idea to formalize fairness is using a combination of verifications of reachability and correspondence assertion in the ProVerif functionality. Reachability means that there is a process reaching an event. Correspondence assertion means that an event (postevent) always occurs if another event (pre-event) occurs. We use reachability to formalize if the event of transferring or refunding bitcoins occurs, and use correspondence assertion to formalize if the event of transferring (resp. refunding) bitcoins always occurs in the case of satisfying (resp. failing) the contract condition. The verification of reachability is necessary because correspondence assertion is always true if the post-event (i.e., transferring or refunding bitcoins) never occurs in the process. Also, we use correspondence assertion in the contingent payment protocol to formalize if the event of transferring bitcoins from

92

C. Shi and K. Yoneyama

a seller to a buyer always occurs in the case that the seller gets a secret of the buyer. As far as we know, this is the first result to formalize and verify fairness of fair exchange protocols by ProVerif. As the verification result, we firstly show that five protocols (the oracle, the intermediated payment, the timed commitment, the micropayment channels, and the fair lotteries protocols) satisfy fairness. Since there was no security proof for these five protocols, it is the first result to formally verify security of them. On the other hand, we also show that other two protocols (the escrow and the contingent payment protocols) do not satisfy fairness; it means that ProVerif finds concrete attacks. Specifically, the escrow protocol has two settings; one is the two-party setting and the other is the three-party setting with an arbitrator, and an attack is re-found for the two-party setting as already shown in [10]. The attack causes situations such that a malicious buyer does not transfer bitcoins to a seller even if the contract condition is satisfied, or bitcoins are not refunded even if the contract condition is not satisfied. Also, we find an attack against the contingent payment protocol, which is the same as Campanelli et al.’s one [20]. Thus, ProVerif is useful to find attacks caused by a misuse of NIZK. Moreover, we examine the verification of the contingent payment protocol with the countermeasure by using subversion NIZK. As a result, we show that no attack is found; thus, the countermeasure correctly works. It is also meaningful because any formal security proof is not shown in [20]. Paper Organization. Section 2 shows some preliminaries including Bitcoin transactions and scripts, the formal model of smart contracts on Bitcoin and ProVerif. Section 3 shows our formalization and verification of the escrow protocol. Section 4 shows our formalization and verification of the contingent payment protocol. Note that we cannot show formalizations and verifications of all protocols due to the space limitation. Verification results of the oracle, the intermediated payment, the timed commitment, the micropayment channels and the fair lotteries protocols are omitted. We will give verification results of these protocols in the full version of this paper.

2 2.1

Preliminaries Bitcoin Transactions

Here, we briefly recall the formulation of the Bitcoin transaction. For details, please see [11]. Transactions represent transfers of bitcoins. The balance of a user is determined by the amount of unspent bitcoins through one or more transactions. Coinbase transactions T0 can generate fresh bitcoins. Each transaction has three fields: in, wit and out. in points to another transaction, and wit specifies a witness which makes the script within ‘out’ of the pointed transaction in ‘in’ evaluate to true. T0 .in and T0 .wit are set to ⊥ because T0 does not point backwards to any other transaction (since T0 is the first one on the blockchain). For example, when T0 .out is set to (λx.x < 51, 1BTC), then it means that for the script λx.x < 51

Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts

93

that given as input a value x, if x < 51 holds, then 1BTC can be transferred to other transactions. Then, we consider transaction TA which has TA .in : T0 , TA .wit : 42 and TA .out : (λx.versigkA (x), 1BTC). To redeem from there 1BTC, A must provide a witness which makes the script within T0 .out evaluate to true. In this case, the witness is 42, hence the redeem succeeds, and T0 is spent. The script within TA .out is the popular one in Bitcoin such that it verifies the signature x with A’s public key. The message against which the signature is verified is the transaction which attempts to redeem TA . 2.2

Bitcoin Scripts

A witness such that the script evaluate to “true” can redeem the bitcoins retained in the associated (unspent) output. In the abstract model, scripts are terms of the form λz.e, where z is a sequence of variables occurring in e, and e is an expression with the following syntax. e ::= x | k | e + e | e − e | e = e | e < e | if e then e else e | |e| | H(e) | versigk (e) | absAfter t : e | relAfter t : e x means variables, k means constants, and (+, −, =, z’ = z is true” and the verification of reachability outputs “RESULT not table(block(T, b, z’)) is false”, then fairness of the transferring case is satisfied. Fairness of the refunding case is similarly verified. This formalization is somewhat theoretically interesting because previous techniques for security requirements by applying reachability (e.g., confidentiality) verify that an adversarial event does not occur (i.e., if ProVerif outputs “RESULT not attacker(s) is true”, then the protocol satisfies confidentiality for secret s.). On the other hand, in our verification, we use reachability to verify if a successful event occurs. 1 2 3

(* case of transferring *) query T:transaction, b:host, z’:bitcoin; table(block(T,b,z’)). query T:transaction, b:host, z’:bitcoin; table(block(T,b,z’)) ==> z’=z.

4 5 6 7

(* case of refunding *) query T:transaction, a:host, z’:bitcoin; table(block(T,a,z’)). query T:transaction, a:host, z’:bitcoin; table(block(T,a,z’)) ==> z’=z.

Formalize Participants and Blockchain. The buyer and seller subprocesses are easily defined as the protocol specification. We formalize the blockchain as a participant in the system. The role of the blockchain is verifying signatures for each transaction and multi-signatures, and operating the table (i.e., transfer of bitcoins). In order to manage transactions, the blockchain has the table tran. Here, we show the blockchain subprocess according to the case that the transaction is completed (transferring). 1 2 3 4 5 6 7 8

let blockchain(T:transaction,Asignpu:verkey,T’B:transaction, Bsignpu:verkey)= in(c,(signAtoblock’:bitstring)); if Schecksign(signAtoblock’,Asignpu,T) then insert tran(T); in(c,(signAtoB’’:bitstring,signBtoblock’:bitstring)); if Mchecksign(signAtoB’’,signBtoblock’,Asignpu,Bsignpu,T’B) then insert tran(T’B); insert block(T’B,b,z’).

In the three-party protocol, arbitrator C sends a signature if an unfair situation occurs. Here, we show the arbitrator subprocess according to the case that the transaction is completed (transferring).

100

C. Shi and K. Yoneyama Table 3. Verification results of escrow protocol Two-party setting w/o arbitrator Transferring

Refunding

Honest buyer Malicious buyer Honest seller Malicious seller 

×



×

Three-party setting with arbitrator Transferring

Refunding

Malicious buyer

Malicious seller

   means that fairness is satisfied. × means that fairness is not satisfied. 1 2 3 4

3.3

let C(T:transaction,T’B:transaction,Csignpr:sigkey)= get tran(=T) in let signCtoB=sign(T’B,Csignpr) in out(c,(signCtoB)).

Verification Result

Here, we show the verification result for the escrow protocol as Table 3. For the two-party setting, if both the buyer and the seller are honest, fairness is satisfied. However, if the buyer or the seller is malicious, fairness is not satisfied. For the three-party setting, even if the buyer or the seller is malicious, fairness is satisfied.

4

Formalization and Verification of Contingent Payment

In this section, we give our formalization of the contingent payment protocol and the verification result with ProVerif. 4.1

Non-interactive Zero-Knowledge Proof

First, we recall the notion of NIZK and subversion NIZK. A NIZK scheme Π for relation R contains the following polynomial time algorithms. crs ← Π.Pg(1λ ) generates a common reference string crs. π ← Π.P(1λ , crs, x, w) for an honest prover, given statement x and witness w ∈ R(x), generates a proof π such that x ∈ L(R) (relation R defining the language L(R) ∈ N P ). d ← Π.V(1λ , crs, x, π) for a verifier generates a decision d ∈ {true, f alse} indicating whether π is a valid proof that x ∈ L(R). In NIZK schemes, zero-knowledge must be satisfied for an honestly generated CRS. Zero-knowledge intuitively means that no information of the witness w is leaked from proof π. In the ordinary definition of zero-knowledge, there is no guarantee if the CRS is not generated by a trusted party (e.g., the verifier can know the randomness when generating the CRS).

Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts

101

Bellare et al. [14] proposed the notion of subversion NIZK. In the subversion NIZK, zero-knowledge is preserved even when the verifier chooses the CRS. Note that due to known impossibility results [28], zero-knowledge obtained in this case is somewhat weak. 4.2

Protocol Description

Next, we recall the contingent payment protocol with NIZK (called zeroknowledge contingent payment). In the contingent payment protocol, the seller proves that he/she certainly has the secret, and the buyer pays bitcoins if the proof is valid. The seller B knows a secret s and generates a fresh key k. Then, B encrypts secret s using key k such that Enck (s) = c. B also computes hk such that SHA256(k) = hk . B then sends c and hk together with a zero-knowledge proof that c is encryption of s under the key k and that SHA256(k) = hk (i.e., The witness is (k, s).) to the buyer A. To eliminate the need for a trusted third party, buyer A generates the CRS to serve as the trusted third party. Once A has verified the proof, A puts a transaction to the blockchain such that A pays bitcoins and specifies that B can only redeem it if B provides a value k  such that SHA256(k  ) = hk . B then publishes k and claims the redemption. A having learned k can now decrypt c, and hence A learns s. The Bitcoin script supports checking if a value k is the preimage of h such that h = SHA256(k). The contingent payment protocol uses the transactions shown in Table 4. in : (TA ,1) indicates that A’s bitcoins are being deposited. Transaction Tcp (h) checks the signature of B and that the content is SHA256(k) = hk calculated by B (non-timeout situation). If no solution is provided by the deadline t, Tcp (h) allows A to refund bitcoins by using the transaction Trefund (h) (timeout situation). In transaction Topen (h), B provides a value k  such that SHA256(k  ) = hk . A’s process PA is as follows: PA = B?(c, hk , z).P + τ P = if verif y(c, hk , z) then put Tcp (hk ){wit → sigkaaA (Tcp (hk ))}.P  else 0 P  = ask Topen (hk ) as x.P  (Dgetk (x) (c)) + put Trefund (kk ){wit → sigkaaA (Trefund (hk ))}

Upon receiving c, hk , and the proof z the buyer verifies z. If the verification succeeds, A puts Tcp (hk ) on the blockchain. Then, A waits for Topen , from which A can retrieve the key k, and use the solution Dgetk (x) (c) in P ”. In this way, B can redeem n bitcoin. If B does not put Topen after t time units A can get A’s deposit back through Trefund .

102

C. Shi and K. Yoneyama Table 4. Transactions of contingent payment protocol Tcp (h) in : (TA ,1) wit : ⊥ out : (λxζ.(versigkB (ζ) and SHA256(x) = h) or relAfter t : versigkA (ζ), nBTC) Trefund (h) in : (Tcp (h),1) wit : ⊥ out : (λζ.versigkA (ζ), nBTC) relLock : t

4.3

Topen (h) in : (Tcp (h),1) wit : ⊥ out : (λζ.versigkB (ζ),nBTC)

Our Formalization

Here, we show our formalization of the contingent payment protocol. We give separate ProVerif verification codes for the non-timeout and timeout situations. Also, we show a formalization of the countermeasure with subversion NIZK. As the escrow protocol, we just explain distinguished points of codes and omit trivial points. Formalize NIZK and Subversion NIZK. Since NIZK does not guarantee zero-knowledge if the CRS is generated by the buyer, we define an adversarial function subvert1 and subvert2 for subverting the witness from the proof and knowledge of the randomness when generating the CRS. The reason why we need two functions subvert1 and subvert2 is that is cannot be defined in ProVerif to output two terms. Hence, we separately define subvert1 as the subverting function of the first witness (i.e., hash key k) and subvert2 as the subverting function of the second witness (i.e., secret s). An honest buyer does not use subvert1 and subvert2. Also, if the randomness when generating the CRS is not known, function prove does not leak any information of witness s. Our formalization of NIZK is as follows: 1 2 3

4

5

6

type pi. (* type of proof *) fun crsgen(bitstring):bitstring. (* function of generating CRS from randomness *) fun prove(bitstring,bitstring,bitstring,key,bitstring):pi. (* function of generating proof from CRS, hash value, ciphertext, hash key and secret *) reduc forall k:key,s:bitstring,rnd:bitstring; subvert1(rnd,prove( crsgen(rnd),Hash(k),senc(k,s),k,s)) = k. (* function of subverting 1st witness *) reduc forall k:key,s:bitstring,rnd:bitstring; subvert2(rnd,prove( crsgen(rnd),Hash(k),senc(k,s),k,s)) = s. (* function of subverting 2nd witness *) reduc forall k:key,s:bitstring,rnd:bitstring; verify(crsgen(rnd), Hash(k),senc(k,s),prove(crsgen(rnd),Hash(k),senc(k,s),k,s))= true. (* function of verification *)

Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts

103

In subversion NIZK, even if the CRS is generated by the buyer, no information of witness s is leaked. Hence, we can formalize subversion NIZK by deleting function subvert. Formalize Fairness. Fairness in the contingent payment protocol must guarantee that bitcoins always are transferred from a buyer to a seller if the buyer obtains the seller’s secret (non-timeout), and the deposited bitcoins of the buyer is always refunded otherwise (timeout). The timeout situation is almost the same as the escrow protocol; thus, we can formalize fairness by using the combination of reachability and correspondence assertions. In the non-timeout situation, we formalize fairness as block(Topen,b,z) is always added to table block when the malicious buyer obtains secret s (In ProVerif, this event is represented as attacker(s)). We use correspondence assertion to verify whether the event of adding to table block always occurs if attacker(s) occurs. Since ProVerif does not allow us to contain event block(Topen,b,z) directly for correspondence assertion, we define event payment such that it occurs if and only if block(Topen,b,z) occurs. 1 2 3

(* case of timeout *) query T:transaction, a:host, z’:bitcoin; table(block(T,a,z’)). query T:transaction, a:host, z’:bitcoin; table(block(T,a,z’)) ==> z’=z.

4 5 6

4.4

(* case of non-timeout *) query x:transaction; attacker(s)==>event(payment(x)).

Verification Result

Here, we show the verification result for the contingent payment protocol as Table 5. With ordinary NIZK, fairness is satisfied in the timeout situation. However, fairness is not satisfied in the non-timeout situation because ProVerif finds an attack. With subversion NIZK, fairness is satisfied even in the non-timeout situation. Found Attack. We describe the found attack against the protocol with ordinary NIZK in the non-timeout situation. A malicious buyer generates randomness rnd’. By using function crsgen, the buyer generates crs’ with randomness rnd’. The buyer sets crs’ as the CRS. The seller generates hash key k, encrypts secret s with k to ciphertext c and computes hash value hk of k. By using crs’, hk, c, k and s, the seller also generates proof zk where (k, s) is the witness. 5. The seller sends hash value hk, ciphertext c and proof zk to the buyer. 6. By using randomness rnd’, proof zk and function subvert2, the buyer can obtain secret s.

1. 2. 3. 4.

This attack is essentially the same as the attack by Campanelli et al. [20]. Thus, we can re-find their attack by ProVerif.

104

C. Shi and K. Yoneyama Table 5. Verification results of contingent payment protocol Using ordinary NIZK Using subversion NIZK Non-timeout Timeout Non-timeout Timeout ×     means that fairness is satisfied. × means that fairness is not satisfied.

5

Conclusion

In this paper, we verified fairness of seven fair exchange protocols formulated in [10] by using an automated verification tool, ProVerif. We showed that the escrow and the contingent payment protocol do not satisfy fairness while other protocols satisfy that. Concretely, for the escrow protocol, we examined the twoparty setting and the three-party setting with an arbitrator and showed that the two-party setting does not satisfy fairness for a malicious buyer or seller. Also, for the contingent payment protocol, we re-found the attack shown by Campanelli et al. [20], and showed that their countermeasure using subversion NIZK correctly works. In a theoretical sense, we give the first formalization of the notion of fairness of fair exchange protocols in ProVerif. It will be useful to formalize and verify other cryptographic protocols that need some kind of fairness.

References 1. CrowdFundDAO. https://live.ether.camp/account/9b37508b5f859682382d8cb646 7a5c7fc5d02e9c/contract 2. DiceRoll. https://ropsten.etherscan.io/address/0xb95bbe8ee98a21b5ef7778ec1bb 5910ea843f8f7 3. ISO/IEC 11770-2:2018 - IT Security techniques - Key management - Part 2: Mechanisms using symmetric techniques. https://www.iso.org/standard/73207.html 4. ISO/IEC 11770-3:2015 - Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques. https://www.iso.org/ standard/60237.html 5. ProVerif 2.00. http://prosecco.gforge.inria.fr/personal/bblanche/proverif 6. StandardToken. https://git.io/vFAlg 7. Wallet. https://etherscan.io/address/0xab7c74abc0c4d48d1bdad5dcb26153fc8780 f83e 8. Ammayappan, K.: Seamless interoperation of LTE-UMTS-GSM requires flawless UMTS and GSM. In: International Conference on Advanced Computing, Networking and Security, pp. 169–174 (2013) 9. Asadi, S., Shahhoseini, H.S.: Formal security analysis of authentication in SNMPv3 protocol by an automated tool. In: IST 2012, pp. 306–313 (2012) 10. Atzei, N., Bartoletti, M., Cimoli, T., Lande, S., Zunino, R.: SoK: unraveling bitcoin smart contracts. In: Bauer, L., K¨ usters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 217–242. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6 9

Formal Verification of Fair Exchange Based on Bitcoin Smart Contracts

105

11. Atzei, N., Bartoletti, M., Lande, S., Zunino, R.: A formal model of Bitcoin transactions. In: Meiklejohn, S., Sako, K. (eds.) FC 2018. LNCS, vol. 10957, pp. 541–560. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-662-58387-6 29 12. Backes, M., Dreier, J., Kremer, S., K¨ unnemann, R.: A novel approach for reasoning about liveness in cryptographic protocols and its application to fair exchange. In: Euro S&P 2017, pp. 76–91 (2017) 13. Basin, D., Cremers, C., Meier, S.: Provably repairing the ISO/IEC 9798 standard for entity authentication. J. Comput. Secur. 21(6), 817–846 (2013) 14. Bellare, M., Fuchsbauer, G., Scafuro, A.: NIZKs with an untrusted CRS: security in the face of parameter subversion. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 777–804. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-53890-6 26 15. Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: IEEE Symposium on Security and Privacy 2017, pp. 483–502 (2017) 16. Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: PLAS@CCS 2016, pp. 91–96 (2016) 17. Blanchet, B.: CryptoVerif: cryptographic protocol verifier in the computational model. https://prosecco.gforge.inria.fr/personal/bblanche/cryptoverif/ 18. Bowe, S.: Pay-to-sudoku (2016). https://github.com/zcash/pay-to-sudoku 19. Bresciani, R., Butterfield, A.: ProVerif analysis of the ZRTP protocol. Int. J. Infonom. (IJI) 3(3), 1060–1064 (2010) 20. Campanelli, M., Gennaro, R., Goldfeder, S., Nizzardo, L.: Zero-knowledge contingent payments revisited: attacks and payments for services. In: ACM Conference on Computer and Communications Security 2017, pp. 229–243 (2017) 21. Cremers, C.: The Scyther Tool. https://people.cispa.io/cas.cremers/scyther/ 22. Cremers, C.: Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 315–334. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2 18 23. Cremers, C., Dehnel-Wild, M.: Component-based formal analysis of 5G-AKA: channel assumptions and session confusion. In: NDSS 2019 (2019) 24. Cremers, C., Dehnel-Wild, M., Milner, K.: Secure authentication in the grid: a formal analysis of DNP3: SAv5. J. Comput. Secur. 27(2), 203–232 (2019) 25. Cremers, C., Horvat, M.: Improving the ISO/IEC 11770 standard for key management techniques. Int. J. Inf. Secur. 15(6), 659–673 (2015). https://doi.org/10. 1007/s10207-015-0306-9 26. Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: CCS 2017, pp. 1773–1788 (2017) 27. Garbinato, B., Rickebusch, I.: Impossibility results on fair exchange. In: IICS 2010, pp. 507–518 (2010) 28. Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994) 29. Ben Henda, N., Norrman, K.: Formal analysis of security procedures in LTE a feasibility study. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 341–361. Springer, Cham (2014). https://doi.org/10.1007/ 978-3-319-11379-1 17 30. Kalra, S., Goel, S., Dhawan, M., Sharma, S.: ZEUS: analyzing safety of smart contracts. In: NDSS 2018 (2018) 31. Kobeissi, N., Bhargavan, K., Blanchet, B.: Automated verification for secure messaging protocols and their implementations: a symbolic and computational approach. In: Euro S&P 2017, pp. 435–450 (2017)

106

C. Shi and K. Yoneyama

32. Lu, J., Zhang, J., Li, J., Wan, Z., Meng, B.: Automatic verification of security of OpenID connect protocol with ProVerif. 3PGCIC 2016. LNDECT, vol. 1, pp. 209–220. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-49109-7 20 33. Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: ACM Conference on Computer and Communications Security 2016, pp. 254–269 (2016) 34. Maxwell, G.: Zero knowledge contingent payment (2011). https://en.bitcoin.it/ wiki/Zero Knowledge Contingent Payment 35. Sakurada, H., Yoneyama, K., Hanatani, Y., Yoshida, M.: Analyzing and fixing the QACCE security of QUIC. In: Chen, L., McGrew, D., Mitchell, C. (eds.) SSR 2016. LNCS, vol. 10074, pp. 1–31. Springer, Cham (2016). https://doi.org/10.1007/9783-319-49100-4 1 36. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Tamarin prover. http://tamarinprover.github.io/ 37. Szabo, N.: Formalizing and securing relationships on public networks. First Monday, 1 September (1997). http://firstmonday.org/ojs/index.php/fm/article/view/ 548/469

Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification Jos´e Bacelar Almeida1 , Manuel Barbosa2 , Gilles Barthe3 , Vincent Laporte4 , and Tiago Oliveira2(B) 2

1 INESC TEC, Universidade do Minho, Braga, Portugal INESC TEC and FCUP, Universidade do Porto, Porto, Portugal [email protected] 3 Max Planck Institute for Security and Privacy, IMDEA Software Institute, Madrid, Spain 4 Universit´e de Lorraine, CNRS, Inria, LORIA, Nancy, France

Abstract. We present a new tool for the generation and verification of high-assurance high-speed machine-level cryptography implementations: a certified C compiler supporting instruction extensions to the x86. We demonstrate the practical applicability of our tool by incorporating it into supercop: a toolkit for measuring the performance of cryptographic software, which includes over 2000 different implementations. We show i. that the coverage of x86 implementations in supercop increases significantly due to the added support of instruction extensions via intrinsics and ii. that the obtained verifiably correct implementations are much closer in performance to unverified ones. We extend our compiler with a specialized type system that acts at pre-assembly level; this is the first constant-time verifier that can deal with extended instruction sets. We confirm that, by using instruction extensions, the performance penalty for verifiably constant-time code can be greatly reduced. Keywords: Certified compiler

1

· simd · supercop · Constant-time

Introduction

A key challenge in building secure software systems is to develop good implementations of cryptographic primitives like encryption schemes, hash functions, and signatures. Because these primitives are so-highly relied on, it is important that their implementations achieve maximal efficiency, functional correctness, and protection against side-channel attacks. Unfortunately, it is difficult to achieve these goals: severe security vulnerabilities are exposed in many implementations despite heavy scrutiny [1,2,40]. Computer-aided cryptography is an area of research that aims to address the challenges in creating high-assurance cryptography designs and implementations, by creating domain-specific formal verification techniques and tools [10]. This work extends the range of tools that can be used for computer-aided cryptography. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 107–127, 2020. https://doi.org/10.1007/978-3-030-65277-7_6

108

J. B. Almeida et al.

There are many paths to achieve high-assurance cryptography for assemblylevel implementations. The most direct path is naturally to prove functional correctness and side-channel protection directly at assembly level. This is the approach taken in [21] for proving functional correctness of Curve25519 and more recently in [18,26] for proving functional correctness of several implementations. However, verifying assembly programs is less intuitive, for instance due to the unstructured control flow, and there choice of verification tools is more limited. An alternative, and popular, approach is to verify source-level programs. This approach is taken for instance in [41], where Zinzindohoue et al. develop functionally verified implementations of popular cryptographic algorithms. The benefits are two-fold: there is a broader choice of verification tools. Second, the verification can benefit from the high-level abstractions enforced at source level. However, this approach introduces the question of trust in the compiler. Indeed, formal guarantees can be undermined by incorrect compilers. For instance, bugs in optimization passes can generate functionally-incorrect assembly code from functionally-correct source code [29,36,39]. Worse yet, since compiler optimizations do not generally even purport to preserve security [23], compilers can generate assembly code vulnerable to side-channel attacks from carefully scrutinized source code. The prevailing approach to eliminate trust in the compiler is to use certified compilation, see e.g. [30]. Informally, a certified compiler is a compiler in which each compiler pass is augmented with a formal proof asserting that it preserves the behavior of programs. This entails that functionally-correct source code is compiled into functionally-correct assembly. While certified compilation is a promising approach to guarantee functional correctness, it entails key limitations described next. These limitations are particularly-relevant for cryptographic code, where sub-optimal execution time can be a deal-breaker for code deployment. First, the optimizations supported by currently-available certified compilers do not produce code competitive with that produced by the most-aggressively-optimizing (non-certifying) compilers. Indeed, the certification requirement limits the set of optimizations that can currently be performed. For example, global value numbering is an optimization that is missing from most compilers; see however [13]. The preeminent certified compiler, CompCert [30], generates code whose performance typically lies between GCC’s -O1 and -O2 optimization levels. While this is an impressive achievement, and arguably a small price to pay for provably-correct optimizations, the efficiency requirements on implementations of cryptographic primitives may necessitate more aggressive optimizations. Second, the current certified compilers do not apply to the most efficient implementations. This is primarily due to two factors: the presence of special compiler intrinsics and inline assembly code, and the incompleteness of automatic assembly-level verification. For example, many implementations invoke compiler intrinsics corresponding to sse bit-wise and word-shuffling instructions. Therefore, a last line of work is to develop certified compilers for high speed cryptography. Contributions. In this paper we further develop the route of obtaining competitive high-assurance cryptography implementations via general-purpose certified compilers. We present a new version of CompCert that significantly narrows the

Certified Compilation for Cryptography

109

measured performance gap and implements a static analysis capable of verifying constant-time for CompCert-generated pre-assembly code. This new certified compiler comes with the ability to handle the special compiler intrinsics used in implementations of cryptographic implementations. To generate performance measurements, we consider the supercop benchmarking framework, which includes an extensive repository of implementations of cryptographic primitives. We pose that the performance penalty incurred by formal verification should be measured with respect to the fastest known implementations, even if these are hand-crafted directly at the assembly level and validated using heuristic means. Thus for each cryptographic primitive P we consider the performance penalty of a given compiler C to be the ratio of the performance of the best-performing implementation of P which is actually able to be compiled with C against by the best-performing implementation of P compiled with any compiler. In particular these ratios can grow either because C produces less-optimal code than some other compiler, or because C cannot process a given implementation, e.g., due to special compiler intrinsics or inlined assembly. Our findings are that the average performance penalties due to certified compilation lie between factors of 16 and 21, depending on the version of CompCert. For several primitives, we observe penalties in the range between two and three orders of magnitude, although the majority of implementations compensates for these degenerate cases. Next, we turn to side-channel protection. The gold standard for cryptographic implementations is the constant-time property, whereby programs’ memory access behaviors are independent from secret data—for both code and data memory. In other words, for fixed public data such as input length, the memory locations accessed by loads and stores, including instruction loads, is fixed. The constant-time property is a countermeasure against timing-attacks, whereby attackers learn secrets by measuring execution time variations, e.g. due to cache behavior. While this verification traditionally amounted to manual scrutiny of the generated assembly code by cryptographic engineers, recent work has shown progress in automatic verification to alleviate this burden [3,6,7,20,22,38]. The prevailing trend in this line of work is to carry verification of side-channel protection and this is typically performed towards the end of the compilation chain or directly on the generated assembly code. This is because even certified compilers may not preserve countermeasures against side-channel attacks – a notable exception being the CompCertCT compiler that has been formally proved to preserve these countermeasures [12]. Following this trend, our version of CompCert includes an intrinsics-aware constant-time verifier, following the type-checking approach at Mach level of [11]. The reason for focusing on the Mach intermediate language is that, although it is very close to assembly, is more suitable for analysis. The type system is described as a data-flow analysis, which keeps track of secret-dependent data and rejects programs that potentially use this data to violate the constanttime property. Because our type system is able to check programs that rely on instruction extensions, we are able to compile C code into functionally correct and verifiably constant-time implementations offering unprecedented efficiency. As an example, we can verify an implementation of aez relying on aes-ni that executes

110

J. B. Almeida et al.

100 times faster than the fastest implementation that could be compiled with the original version of CompCert.

2

Related Work

Our work follows prior work in verified compilers and computer-aided cryptography. We refer the interested reader to [10] for an extensive recent review of the state of the art in computer-aided cryptography, namely the different techniques and tools for functional correctness and constant-time verification. We focus here on closely related works on (secure) verified compilation to cryptography. The earlier applications of verified compilers to cryptographic implementations were inspired by CompCert [30], a moderately optimizing verified compiler for a significant fragment of Almeida et al. [4] leverage the correctness theorem of CompCert to derive both functional correctness and side-channel resistance (in the program counter model [32]) for an implementation of rsa-oaep encryption scheme as standardized in pkcs#1 v2.1. In a subsequent, related work, Barthe et al. [11] build a verified static analysis at pre-assembly level for cryptographic constant-time, ensuring that programs which pass the analysis do not branch on secrets and do not perform secret-dependent memory accesses, guaranteeing that such implementations are protected (to some extent) against cache-based side-channel attacks; moreover, they use their static analysis to validate several implementations from the NaCl library. Our work builds on this development. More recently, Almeida et al. [5] propose a general methodology for carrying provable security of algorithmic descriptions of cryptographic constructions and functional correctness of source-level implementations to assembly-level implementations, and for proving that assembly-level implementations are constanttime; moreover, they apply their methodology to an implementation of mee-cbc. In parallel, Appel et al. [8,9] have developed general-purpose program logics to reason about functional properties of source-level programs, and applied these program logics to prove functional correctness of a realistic sha-256 implementation; in a follow-up work, Beringer et al. [15] combine the Foundational Cryptography Framework of [33] to build a machine-checked proof of the (elementary) reductionist argument for hmac. Fiat-Crypto [24] is a recently proposed framework for the development of high-speed functionally correct implementations of arithmetic libraries for cryptography. Certified compilation is used to convert a high-level algebraic specification of the library functionality into C code that can subsequently be compiled into executable code. Our approach is complementary to Fiat-Crypto, in that our verified compiler can be used to compile the generated C code, carrying the functional correctness and constant-time guarantees to low level code, including code that relies on intrinsics. Hacl∗ [41] is a library of formally verified, high-speed implementations. Hacl∗ is included in recent versions of Mozilla Firefox’s NSS security engine. It has recently been extended to vectorized implementations [34]. F∗ programs from Hacl∗ library can be compiled into C code using KreMLin [35] and then compiled into assembly, for instance, using CompCert. Kremlin is a high-assurance

Certified Compilation for Cryptography

111

compiler/extractor tool that generates provably correct C code from F∗ specifications. Additionally KreMLin is the tool used to generate the TLS1.3 code verified in Project Everest.1 Again, our verified compiler can be used to compile C code relying on intrinsics generated by KreMLin with the guarantee that functional correctness is preserved. Finally, we mention work on Jasmin [3,6], a new pre-assembly language for the implementation of high-assurance crypto code. Jasmin comes with a verified compiler that is guaranteed to preserve, not only functional correctness but also source-level constant-time properties [12,14] The Jasmin language also supports intrinsics and has been shown to give rise to competitive assembly implementations of cryptographic libraries. Our work provides an alternative to Jasmin, and indeed direct assembly verification using e.g., Vale [18], when functionally correct implementations are generated at C level. Very recently, Fromherz et al. [25] demonstrated the feasibility of formally verifying C code with inlined assembly. These lines of work are complementary to our own.

3

Background on x86 Instruction Extensions

x86 is a family of instruction sets that dates back to the Intel 8086/8088 processors launched of the late 70s. Throughout the years, successor Intel processors (and compatible models from other manufacturers, namely amd) evolved from 16-bit to 32-bit architectures. The x86 designation is typically used to refer to instruction sets that are backward compatible with this family of processors. In this paper we will use x86 to (loosely) refer to the set of instructions that is supported transparently by most compilers that claim to support x86-compatible 32-bit architectures. We will use amd64 to refer to x86 extensions for 64-bit architectures, which we do not address specifically in this paper (although we present some data that permits evaluating what is lost by imposing this restriction). In addition to the core x86 instructions, some architectures support additional domain-specific instruction sets, so-called instruction extensions. We will describe the instruction extensions introduced by Intel in the x86 architecture, since these are the ones that we target in this work. Intel introduced mmx in 1997, which included eight 64-bit registers (called mmx0-mmx7) in 32-bit machines and allowed for single instruction, multiple data (simd) operations over these registers for integer values of sizes 8 to 64. A simd instruction permits computing the same operation simultaneously over several values, e.g., by seeing a 64-bit register as two 32-bit values. In mmx the new 64-bit registers were overlapped with floating-point registers, which was a limitation. The Streaming simd Extensions (sse) introduced in 1999 removed this limitation by introducing eight 128-bit registers (xmm0-xmm7) that could be used as four single-precision floating point registers in the simd style. The sse2 improvement introduced in 2001 provided a better alternative to the original mmx extension2 by allowing the xmm registers to be also used to process integer 1 2

https://project-everest.github.io. In some cases relying on mmx in parallel to sse can give a performance advantages.

112

J. B. Almeida et al.

data of various sizes. For this reason we do not consider the original mmx extensions in our tools. Subsequent sse3 and sse4 extensions increased the number of operations that can be performed over the xmm registers. More recently, Intel launched the Advanced Vector Extensions (avx and avx2) that introduced 256-bit registers and instructions to allow simd computations over these registers. Our tools do not yet provide support for the avx extensions. Another important class of instruction extensions are those associated with cryptographic computations. Intel added support for hardware-assisted aes computations in 2011 (aes-ni), and announced extensions for the sha hash function family in 2013.3 Intrinsics. Instruction extensions are usually domain-specific, and they provide relatively complex operations that should be directly available to the programmer, even if the programmer is using a high-level language such as C. For this reason, compilers typically provide a special mechanism to allow a programmer to specifically request the usage of an extended instruction; this mechanism is typically called an intrinsic. Intrinsics in C compilers such as gcc and clang are simply special function names and data types that are handled by the compiler in a different way to normal function declarations/definitions; for the most part, usage of these special functions is passed transparently through various compiler passes, and eventually translated into a single assembly instruction.

4

Adding x86 Instruction Extensions to CompCert

Our extension to CompCert was adapted from the 2.2 distribution of CompCert,4 and it focuses only on the part of the distribution that targets the ia32 architecture. There is no particular reason for our choice of CompCert version, except that this was the most recent release when our project started. Equivalent enhancements can be made to more recent versions of CompCert with some additional development effort. Relevant CompCert features. The architecture of CompCert is depicted in Fig. 1. We follow [30] in this description. The source language of CompCert is called CompCertC, which covers most of the iso C 99 standard and some features of iso C 2011 such as the Alignof and Alignas attributes. Some features of C not directly supported in CompCertC v2.2, such as structreturning functions, are supported via rewriting from the C source during parsing. The semantics of CompCertC is formalized in Coq and it makes precise many behaviors unspecified or undefined in the C standard, whilst assigning other undefined behaviours as “bad”. Memory is modeled as a collection of byteaddressable disjoint blocks, which permits formalizing in detail pointer arithmetic and pointer casts. CompCert gradually converts the CompCertC input down to assembly going through several intermediate languages. Parts of CompCert are not implemented 3 4

We did not have access to a machine running sha instruction extensions. http://compcert.inria.fr/.

Certified Compilation for Cryptography

113

Fig. 1. CompCert architecture.

directly in Coq. These include the non-certified translator from C to CompCertC and the pretty-printer of the assembly output file. Additionally, some internal transformations of the compiler, notably register allocation, are implemented outside of Coq, but then subject to a translation validation step that guarantees that the transformation preserves the program semantics. The front-end of the compiler comprises the translations down to Cminor: this is a typeless version of C, where side-effects have been removed from expressionevaluation; local variables are independent from the memory model; memory loads/stores and address computations are made explicit; and a simplified control structure (e.g. a single infinite loop construct with explicit block exit statements). The backend starts by converting the Cminor program into one that uses processor specific instructions, when these are recognized as beneficial, and then converted into a standard Register Transfer Language (RTL) format, where the control-flow is represented using a Control Flow Graph (cfg): each node contains a machine-level instruction operating over pseudo-registers. Optimizations including constant propagation and common sub-expression elimination are then carried out in the RTL format, before the register allocation phase that produces what is called a LTL program: here pseudo-registers are replaced with hardware registers or abstract stack locations. The transformation to Linear format linearizes the CFG, introducing labels and explicit branching. The remaining transformation steps comprise the Mach format that deals with the layout of stack frames in accordance to the function calling conventions, and the final Asm language modeling the target assembly language.

114

J. B. Almeida et al.

The generation of the executable file is not included in the certified portion of CompCert – instead, the Asm abstract syntax is pretty-printed and the resulting programs is assembled/linked using standard system tools. Semantic preservation. CompCert is proven to ensure the classical notion of correctness for compilers known as semantic preservation. Intuitively, this property guarantees that, for any given source program S, the compiler will produce a compiled program T that operates consistently with the semantics of S. Consistency is defined based on a notion of observable behaviour of a program, which captures the interaction between the program’s execution and the environment. Let us denote the evaluation of a program P over inputs p, resulting in outputs o and observable behaviour B as P ( p) ⇓ (o, B). Then, semantic preservation can thus be written as ∀B, p, o, T ( p) ⇓ (o, B)

=⇒

S( p) ⇓ (o, B)

meaning that any observable behaviour of the target program is an admissible observable behaviour of the source program. Observable behaviours in CompCert are possibly infinite sequence of events that model interactions of the program with the outside world, such as accesses to volatile variables, calls to system libraries, or user defined events (so called annotations). High-level view of our CompCert extension. Our extension to CompCert is consistent with the typical treatment of instruction extensions in widely used compilers such as gcc: instruction extensions appear as intrinsics, i.e., specially named functions at source level. Calls to intrinsics are preserved during the first stages of the compilation, and eventually they are mapped into (typically) one assembly instruction at the end of the compilation. Intrinsic-specific knowledge is added to the compiler infrastructure only when this is strictly necessary, e.g., to deal with special register allocation restrictions; so transformations and optimizations treat intrinsic calls as black-box operations. We have extended CompCert with generic intrinsics configuration files. Our current configuration was automatically generated from the gcc documentation5 and the machine-readable x86 assembly documentation from x86asm.net.6 This configuration file allows the CompCert parser to recognize gcc-like intrinsics as a new class of built-in functions that were added to the CompCert semantics. For this, we needed to extend the core libraries of CompCert with a new integer type corresponding to 128-bit integers; in turn this implies introducing matching changes to the various intermediate languages and compiler passes to deal with 128-bit registers and memory operations (e.g., a new set of alignment constraints; calling conventions; etc.). The new built-ins associated with intrinsics are similar to other CompCert builtins, apart from the fact that they will be recognized by their name, and they may carry immediate arguments (i.e., constant arguments that must be known at compile-time, and are mapped directly to the generated assembly code). These extended built-in operations are propagated down 5 6

http://gcc.gnu.org/onlinedocs/gcc/x86-Built-in-Functions.html. http://ref.x86asm.net.

Certified Compilation for Cryptography

115

to assembly level, and are replaced with the corresponding assembly instructions at the pretty-printing pass. All changes were made so as to be, as much as possible, intrinsics-agnostic, which means that new instruction extensions can be added simply by modifying the configuration file. Overall, the development modified/added approx. 6.3k lines of Coq and ML, spread among 87 files from the CompCert distribution. We now present our modifications to CompCert in more detail. Modifications to the CompCert front-end. Modifications at the compiler front-end are generally dedicated to making sure that the use of intrinsics in the source file are recognized and adequately mapped into the CompCertC abstract syntax tree, and that they are subsequently propagated down to the Cminor level. This includes modifications and extension to the C parser to recognize the gccstyle syntax extensions for simd vector types (e.g., the vector size attribute), as well as adapted versions of intrinsics header files giving a reasonable support for source-level compatibility between both compilers. These header files trigger the generation of the added builtins, whose specification is included on the configuration file. For each new builtin, the following data is specified: – the function identifier that is used to recognized the intrinsic by name; – the signature of the intrinsic, i.e., the types of the input parameters and return type; – an instruction class identifier that is used to group different intrinsics into different sets that can be activated/deactivated for recognition in different platforms (this is linked to a set of command-line option switches); – the assembly instruction(s) that should be used when pretty-printing an assembly file in which that particular built-in operation appears; – a Boolean value indicating whether the associated assembly instruction is two-address, which is relevant for register allocation later on. Translation into CompCertC maps all vector types/values into a new 128-bit scalar type. Subsequent transformations were extended to support this data type. Modifications to the CompCert backend. The most intrusive modifications to CompCert were done at the back-end level, most prominently in the register allocation stage. CompCert uses a non-verified graph-coloring algorithm to compute a candidate register allocation, whose output is then checked within Coq for correctness. We added the eight 128-bit xmm register-bank to the machine description, taking into account that floating point operations in CompCert were already using 64-bit half of these registers. This implied extending the notion of interference used during register allocation and adapting the corresponding proof of correctness. During the constructions of the stack-frame layout, the calling convention for vector parameters/return-values was implemented supporting up to 4 parameters and the return-value passed on registers. The final component of our extensions was the addition to the assembly pretty-printer, supporting a flexible specification of the code to be produced by each built-in. Consequences for semantics preservation. Our new version of CompCert comes with an extended semantics preservation theorem that has essentially

116

J. B. Almeida et al.

the same statement as the original one. The difference resides in the fact that the machine model now explicitly allows built-in functions to manipulate 128-bit values. Note that, although we did not add a detailed formalization of the semantics of all instruction extensions, this is not a limitation when it comes to the correctness of the compiler itself: indeed, our theorem says that, whatever semantics are associated by a machine architecture to a particular extended instruction, these will have precisely the same meaning at source level. This is a powerful statement, since it allows us to deal with arbitrary instruction extensions in a uniform way. Such detailed semantics would be important if one wished to reason about the meaning of a program at source level, e.g., to prove that it computes a particular function. In these cases a formal semantics can be given just for the relevant instructions.

5 5.1

Experimental Results Coverage

supercop (System for Unified Performance Evaluation Related to Cryptographic Operations and Primitives) is a toolkit for measuring the performance of cryptographic software. In this work we looked at version 20170105 of the toolkit. supercop evaluates cryptographic primitives according to several criteria, the most prominent of which for the purpose of this work is execution time. A supercop release contains all the machinery required to carry out performance evaluation in a specific computer; any computer can be used as a representative for a particular architecture and collected data can be submitted to a central repository of collected benchmarks. The implementations contained in a supercop release are organized in three hierarchical levels. At the top level reside so-called operations these correspond to the algorithms that constitute an abstract interface to a cryptographic component; for example, for digital signatures the operations comprise key generation, signature generation and signature verification. For each cryptographic component there can be many instantiations. These are called primitives in supercop. Different primitives will provide different tradeoffs; for examples some primitives may rely on standardised components such as aes, which may be a requirement for some applications, whereas other primitives may offer better performance by relying on custom-designed stream ciphers. Finally, for each primitive there may be many implementations, e.g., targetting different architectures, with different side-channel countermeasures, or simply adopting different implementation strategies. In total, the supercop release we considered contained 2153 such implementations for 593 primitives. In Table 1 we present a more detailed summary of these counts, focusing on some interesting categories for this work. In particular, we detail the following successive refinements of the original implementation set: i. the number of implementations that target the x86-32 architecture (x86), which we identified by excluding all implementations that explicitly indicate a different target architecture; ii. how many of the above implementations remain (x86-C) if we exclude those that are given (even partially) in languages other than C, such as assembly; and iii. how many of these use instruction extensions

Certified Compilation for Cryptography

117

Table 1. supercop implementation histogram. Operations

x86

x86-C x86-ext amd64

aead

644

548

118

660

auth

19

19

6

19

box

2

2

0

2

core

25

25

0

29

123

17

11

185

dh encrypt hash hashblocks

13

11

4

13

550

464

144

664

16

15

5

21

onetimeauth

9

2

0

11

scalarmult

7

5

0

14

secretbox

2

2

0

2

sign stream verify Total count

62

47

11

65

168

95

31

228

3

3

0

3

1643 1255

330

1916

(x86-ext) such as those described in Sect. 3. Additionally, we give an implementation count that extends the x86 one by including also implementations that explicitly target 64-bit architectures (amd64); this gives an idea of how much coverage is lost by restricting attention to 32-bit architectures. One can see that 330 implementations resorting to x86 instruction extensions can be found in supercop, corresponding to 168 primitives—out of a total of 576 primitives that come equipped with a x86 implementation. This set of primitives represents the universe over which the new formal verification tools that we put forth in this work will provide benefits over pre-existing tools. Before moving to this detailed analysis, we conclude this sub-section with a high-level view of the data we collected in supercop that permits comparing certified compilers to general-purpose compilers. This statistic is a byproduct of our work and we believe it may be of independent interest, as it gives us an indication of what the state-of-the-art in certified compilation implies for cryptography. Table 2 gives coverage statistics, i.e., how many implementations each compiler was able to successfully convert into executable code accepted by supercop in the machine we used for benchmarking. This machine has the following characteristics: Intel Core i7-4600U processor, clocked at 2.1 GHz, with 8 Gb of RAM, running Ubuntu version 16.04. We note that supercop exhaustively tries many possible compilation strategies for each compiler in a given machine. The baseline here corresponds to implementations in the set tagged as x86-C in Table 1 that were successfully compiled with gcc version 5.4.0 or clang version 3.8.0. The apparent discrepancy (1020 versus 1643) to the number of possible

118

J. B. Almeida et al. Table 2. supercop coverage statistics for various compilers. Architecture operations x86-32

amd64

Baseline ccomp-2.2 ccomp-ext ccomp-3.0 Baseline ccomp-3.0 aead

343

258

290

178

506

269

auth

16

10

10

8

19

10

box

2

2

2

2

2

2

core

21

25

25

25

29

25

dh

2

2

2

2

7

3

encrypt

4

5

1

5

5

6

471

323

356

239

562

380

hash hashblocks

12

8

8

8

16

11

onetimeauth

5

5

5

6

7

7

scalarmult

6

6

6

6

13

9

secretbox

2

2

2

2

2

2

sign stream verify Total count

12

0

0

2

18

3

121

91

114

91

152

19

3

3

3

3

3

3

1020

740

824

577

1341

749

x86 implementations indicated in Table 1 is justified by the fact that some implementations omit the target architecture and incompatibility with x86 is detected only at compile-time.7 In the table, ccomp refers to CompCert and ccomp-ext refers to the CompCert extension we presented in Sect. 4. One important conclusion we draw from this table is that, at the moment, the version of CompCert we present in this paper has the highest coverage out of all certified compiler versions, due to its support for intrinsics. Nevertheless, we still do not have full coverage of all intrinsics, which justifies the coverage gap to the baseline. In particular, we do not support the m64 mmx type nor avx operations, as mentioned in Sect. 3. Furthermore, we do not use any form of syntactic sugar to hide the use of intrinsics, e.g., allowing xor operations (ˆ) over 128-bit values, which is assumed by some implementations fine-tuned for specific compilers. 5.2

Methodology for Performance Evaluation

We will be measuring and comparing performance penalties incurred by using a particular compiler. These penalties originate in two types of limitations: i. the compiler does not cover the most efficient implementations, i.e., it simply does not compile them; or ii. intrinsic limitations in the optimization capabilities of the compiler. In particular, we will evaluate the trade-off between assurance and performance when compiling cryptographic code written in C for different versions of CompCert. Our metric will be based on average timing ratios 7

The degenerate red value in the table is caused by implementations that use macros to detect intrinsic support; ccomp-ext activates these macros, but then launches an error in a gcc-specific cast.

Certified Compilation for Cryptography

119

with respect to a baseline measurement. In all cases, the timing ratio is always reported to the fastest implementation overall, often given in assembly, as compiled by a non-verified optimizing compiler in the best possible configuration selected by supercop. We now detail how we compute our metrics. Performance Metrics. We consider each supercop operation separately, so let us fix an arbitrary one called o ∈ O, where O is the set of all operations in supercop. Let C be the set of compilation tools activated in supercop and P (o) a set of primitives that realize o. Denote I(p) as the set of all implementations provided for primitive p ∈ P (o). Let also tpC denote the fastest timing value reported by supercop over all implementations i ∈ I(p), for primitive p ∈ P (o), when compiled with all of the compilers in C. Note that, if such a value tpC has been reported by supercop, then this means that at least one implementation i ∈ I(p) was correctly compiled by at least one of the configured compilers in C. Furthermore, tpC corresponds to the target code that runs faster over all the implementations given for p, and over all compilation options that were exhaustively attempted over C. To establish a baseline, we have configured supercop with gcc version 5.4.0 and clang version 3.8.0 and collected measurements for all primitives. Let us denote this set of compilers by C ∗ . We then independently configured and executed supercop with different singleton sets of compilers corresponding to different versions of CompCert. Let us designate these by C2.2 , C3.0 and C2.2-ext , where the last one corresponds to our extension to CompCert described in Sect. 4. Again we collected information for all primitives in supercop. For a given operation o ∈ O we assess a compiler configuration C by computing average ratio: 1  tpC o · = , RC |P | tpC ∗ p∈P

where we impose that tpC and tpC ∗ have both been reported by supercop, i.e., that at least one implementation in I(p) was successfully compiled via C and one (possibly different) implementation in I(p) was successfully compiled by C ∗ . When we compare two compiler configurations C1 and C2 we simply compute o o and RC . However, in this case we first filter out any primiindependently RC 1 2 tives for which either C1 or C2 did not successfully compile any implementations. The same principle is applied when more than two compiler configurations are compared; hence, as we include more compiler versions, the number of primitives considered in the rations tends to decrease. In all tables we report the number of primitives |P | considered in the reported ratios. Finally, since we are evaluating the penalty for using certified compilers, we introduced an extra restriction on the set of selected primitives: we want to consider only the performance of implementations covered by the correctness theorems. Our approach was heuristic here: if supercop reports that the most efficient implementation compiled by a CompCert version (including our new one) includes assembly snippets, we treat this primitive as if no implementation was successfully compiled.

120

J. B. Almeida et al.

The cost of certified compilation. If one looks at the performance penalty per operation for CompCert version 2.2 and version 3.0, as detailed above, and take the average over all operations, the we obtain a factor of 3.34 and 2.58, respectively. Note that, in primitives such as AES-GCM, the timing ratio is huge and can reach 700-fold because baseline implementations use AES-NI, while CompCert is generating code for AES. Nevertheless, these findings are consistent with what is usually reported for other application domains, and it does show that CompCert version 3.0 has significantly reduced the performance penalty when compared to previous versions. Note, however, that this is at the cost of a reduction in coverage (cf. Table 2). More recent versions of CompCert that we have benchmarked using a different set-up confirm a gradual improvement in the optimization capabilities of the compiler. 5.3

Performance Boost from Certified Intrinsics-Aware Compilation

In this section we measure the performance improvements achieved by our new version of CompCert supporting instruction extensions. Table 3 shows two views of the collected results: the top table compares three versions of CompCert, whereas the bottom table compares only the vanilla version of CompCert 2.2 with our extended version of it. In the bottom table we list only the lines where the set of considered primitives differs from the top table. The results speak for themselves: for operations where a significant number of primitives come equipped with an intrinsics-relying implementation, the performance penalty falls by a factor of 5 when comparing to CompCert 2.2, and a factor above 3 when comparing to CompCert 3.0. In Table 3 we are including primitives for which no implementation relying on instruction extensions is given. In that case our new version of CompCert does not give an advantage, and so the performance gain is diluted. To give a better idea of the impact for primitives where instruction extensions are considered, we present in Table 4 the average ratios that result from restricting the analysis to primitives where instruction extensions are used. These results show that, as would be expected, intrinsics-based implementations allow a huge speed-up when compared to implementations in plain C. The most significant improvements are visible in the aead operations, where one important contributing factor is the enormous speed boost that comes with relying on an aes hardware implementation, rather than a software one.

6

An Intrinsics-Aware Constant-Time Checker

We now address two limitations of existing approaches to verifying constanttime implementations. The first limitation is the lack of support for instruction extensions. The second limitation is that, if one is looking to use a certified compiler that is not guaranteed to preserve the constant-time property, then using a constant-time verifier at source level does not guarantee constant-time at the target level. We integrated a new constant-time verification tool into the

Certified Compilation for Cryptography

121

Table 3. Performance ratios aggregated by instantiated operation.

extended version of CompCert that we introduced in Sect. 4 and it follows the type-checking approach at Mach level of [11]. The reason for focusing on the Mach intermediate language is that, although it is very close to assembly, is more suitable for analysis. The checker operates in three steps. First a value analysis computes an overapproximation of the values of the pointers: this is key for the precision of the checker when the program to verify stores sensitive data into memory. Then, a type system infers what are the run-time values that may depend on sensitive data. Finally, the policy checker validates that neither the control-flow nor the memory accesses depend on sensitive data. Type system overview. The type system assigns a security level at each program point and in each calling context to each register and memory location— collectively called locations. Here, a calling context is a stack of call sites. Security levels are taken in the usual security lattice with two points High and Low. Locations are labeled High at a particular program point and calling context if they may hold a value that depends on secret data whenever execution reaches

122

J. B. Almeida et al.

Table 4. Performance ratios aggregated by instantiated operation, restricted to primitives including at least one implementation relying on instruction extensions.

that point in that context. The ones that are labeled Low are guaranteed to always hold values derived from public data only. The type system is described as a data-flow analysis. Typing rules describe how the type information evolves when executing a single instruction. For instance, for an arithmetic operation like x = y + z; the corresponding rule mandates that the security level of x, after the execution of this instruction, should be, at least, the least upper bound of the security levels of y and z. Finally, rules for instructions that manipulate the memory rely on an external points-to information to resolve the targets of pointers. As an example, the rule for instruction x = *p; states that the security level of x after the instruction is above the security levels of all memory cells that may be targeted by pointer p. Note that the type-system applies to whole programs, rather than to individual functions; therefore a typing derivation actually unfolds the call-graph and it cannot be used in the presence of recursion. The implementation of this type system relies on the generic implementation of Kildall’s algorithm in CompCert [30]. Once a typing derivation is found for a function, we check that the inferred type is consistent with the constant-time policy. For instance, the type information before a branch if(b) . . . else . . . should be such that all locations involved in condition b have security level Low. Furthermore, the security level of all pointers that are used in memory accesses are required to be Low. Program analysis required for type-checking. Our type-system relies on a general purpose value analysis that is targeted to the inference of pointsto information. It builds a flow-sensitive and context-sensitive approximation of the targets of pointers. However, in low-level languages, the boundary between pointer arithmetic and other computations is blurred. We thus need an analysis that can precisely cope with bit-vector arithmetic so as to infer precise approximations of the pointer offsets. Our implementation builds on the ideas present in

Certified Compilation for Cryptography

123

the Verasco static analyzer [28]. On one hand, we reuse one of its non-relational numerical abstract domains that is suitable for the analysis of pointer offsets [16]. On the other hand, we implemented a memory abstract domain similar to Verasco’s [17]. The result of the analysis is computed by iterating the abstract semantics of the program until a fixed point is found. It uses Bourdoncle algorithm [19] to build, for each function, an iteration strategy; when encountering a function call, the called function is analyzed in the current state through a recursive call of the analyzer, effectively unfolding the call-graph, for maximal precision. Between the memory abstract domain and the iterator, we squeezed in a trace partitioning domain [31,37] that is dedicated to the full unrolling of array initialisation loops. This domain is driven by annotations in the source code: the programmer must indicate that the loop should be fully unrolled in order to take advantage of the added precision of this analysis. Support for intrinsics. Handling the intrinsic instructions in the analyses needs special care. To keep the analyses general (i.e., not tied to a specific instruction set), the type-system relies on an external oracle that classifies every built-in call in one of the following categories: pure, memory load, and memory store. This oracle is trusted and is built on the configuration files described in Sect. 4. A call to a built-in is pure when it has no effect beyond explicitly writing to some registers. Moreover, the security level of the result is the least upper bound of the levels of its arguments. For instance the call y = mm and si128(x, mask); which computes the bitwise logical AND of its 128bit arguments, is pure: its effect is limited to writing to the y variable. Also, the content of the y variable will be considered public only if the two arguments are public. The builtins that belong to the memory load category are the ones which treat one of their arguments as a pointer and read memory through it. They need to be treated as a memory load in the constant-time analysis. For instance, the call v = mm loadu si128(p); is classified as a load through pointer p. Therefore, to comply with the constant-time policy, the value of this pointer must have the Low security level. Finally, the built-ins in the memory store category are the ones that write to the memory, and must be treated as such in both analyses. For instance, the call mm storeu si128(p, x); is classified as a memory store of the value of x to the address targeted by p. Enhancements with respect to [11]. This work improves the checker for constant-time of Barthe et al. [11] in several ways. First the value analysis is much more precise than their alias type-system: not only it is inter-procedural and context-sensitive, but it also finely analyzes the pointer offsets, so that the typesystem for constant-time can cope with memory blocks that hold high and low data at the same time (in disjoint regions of the block). In particular, this means that local variables that may hold sensitive data need not be promoted to global variables. Second, our checker is inter-procedural, therefore can analyze programs with functions without a complete inlining prior to the analysis. Finally, our analyses soundly and precisely handle compiler intrinsics.

124

J. B. Almeida et al.

An example aez. [27] is an authenticated encryption scheme that was designed with the use of hardware support for aes computations in mind. The implementations for aez included in supercop comprise both reference code written purely in C, and high-speed code relying on aes-ni extensions. Our experiments in running CompCert 2.2 and CompCert with intrinsics support over aez indicates that the ratio with respect to the non-verified baseline compilation is over 700 in the case of the former and drops to roughly 7 when intrinsics support is added. We ran our new type-system over the aez implementation, and we found a constant-time violation, albeit a benevolent one. The code causing the violation is the following: if (d&& !is zero(vandnot(loadu(pad+abytes), final0))) return -1; This is part of the AEZCore implementation for the decryption operation: it checks whether the correct padding has been returned upon decryption and immediately exits the function if the check fails. Strictly speaking this is a violation of the constant-time policy, as the inverted value depends on the secret key. However, this violation can be justified down to the fact that the result of the check will be made publicly available anyway. Rather than doing this, we modified the aez implementation so as to store the result of the check and return it only after all subsequent operations are carried out. The modified code was accepted by our type-checker. As a result, we obtain a verifiably correct and verifiably constant-time implementation of aez. The combined level of assurance and speed of this implementation is unprecedented and is only possible due to the guarantees provided by the tools presented in this paper.

7

Conclusions and Upcoming Developments

Our work initiates a systematic study of the coverage of formal methods tools for cryptographic implementations, and develops generalizations of the CompCert verified compiler and of a constant-time static analysis to accommodate intrinsics. The statistics are encouraging, but there is significant room for achieving further coverage. The development is available at https://github.com/haslab/ccomp-simd. We are currently porting our work to version 3.7 of CompCert, which will allow us to benefit from numerous new features that have been added since. Most notably, support to 64 bit architectures (in particular amd64), which by itself widens the applicability of the tool, and opens the way to support intrinsics for new vector extensions such as avx, avx2 and avx-512. Finally, we are also updating our benchmarking set-up to the most recent versions of supercop, GCC and clang. We do not expect the main conclusions to change, but the number of assessed implementations will grow significantly. Acknowledgements. This work is financed by National Funds through the FCT Funda¸ca ˜o para a Ciˆencia e a Tecnologia (Portuguese Foundation for Science and Technology) within the project PTDC/CCI-INF/31698/2017, and by the Norte Portugal

Certified Compilation for Cryptography

125

Regional Operational Programme (NORTE 2020) under the Portugal 2020 Partnership Agreement, through the European Regional Development Fund (ERDF) and also by national funds through the FCT, within project NORTE-01-0145-FEDER-028550 (REASSURE).

References 1. Albrecht, M.R., Paterson, K.G.: Lucky microseconds: a timing attack on Amazon’s s2n implementation of TLS. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 622–643. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-49890-3 24 2. AlFardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 526–540. IEEE Computer Society (2013) 3. Almeida, J.B., et al.: Jasmin: high-assurance and high-speed cryptography. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 1807–1823. ACM (2017) 4. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In: ACM CCS (2013) 5. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 163–184. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5 9 6. Almeida, J.B., et al.: The last mile: high-assurance and high-speed cryptographic implementations. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020, pp. 965–982. IEEE (2020) 7. Almeida, J.C.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constant-time implementations. In: 25th USENIX Security Symposium (USENIX Security 2016), Austin, TX, August 2016. USENIX Association (2016) 8. Appel, A.W.: Program Logics - For Certified Compilers. Cambridge University Press, Cambridge (2014) 9. Appel, A.W.: Verification of a cryptographic primitive: SHA-256. ACM Trans. Program. Lang. Syst. 37(2), 7:1–7:31 (2015) 10. Barbosa, M., et al.: SoK: computer-aided cryptography. In: IEEE Symposium on Security and Privacy (SP). IEEE (2021). https://oaklandsok.github.io/papers/ barbosa2021.pdf 11. Barthe, G., Betarte, G., Campo, J.D., Luna, C., Pichardie, D.: System-level noninterference for constant-time cryptography. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2014. ACM (2014) 12. Barthe, G., et al.: Formal verification of a constant-time preserving C compiler. Proc. ACM Program. Lang. 4(POPL), 7:1–7:30 (2020) 13. Barthe, G., Demange, D., Pichardie, D.: Formal verification of an SSA-based middle-end for CompCert. ACM Trans. Program. Lang. Syst. (TOPLAS) 36(1), 4 (2014) 14. Barthe, G., Gr´egoire, B., Laporte, V.: Secure compilation of side-channel countermeasures: the case of cryptographic “constant-time”. In: 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, 9–12 July 2018, pp. 328–343. IEEE Computer Society (2018)

126

J. B. Almeida et al.

15. Beringer, L., Petcher, A., Ye, K.Q., Appel, A.W.: Verified correctness and security of OpenSSL HMAC. In: Jung, J., Holz, T. (eds.) 24th USENIX Security Symposium, USENIX Security 2015, Washington, D.C., USA, 12–14 August 2015, pp. 207–221. USENIX Association (2015) 16. Blazy, S., Laporte, V., Maroneze, A., Pichardie, D.: Formal verification of a C value analysis based on abstract interpretation. In: Logozzo, F., F¨ ahndrich, M. (eds.) SAS 2013. LNCS, vol. 7935, pp. 324–344. Springer, Heidelberg (2013). https://doi.org/ 10.1007/978-3-642-38856-9 18 17. Blazy, S., Laporte, V., Pichardie, D.: An abstract memory functor for verified C static analyzers. In: Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming, (ICFP), pp. 325–337 (2016) 18. Bond, B., et al.: Vale: verifying high-performance cryptographic assembly code. In: Proceedings of the 26th USENIX Conference on Security Symposium, SEC 2017, USA, pp. 917-934. USENIX Association (2017) 19. Bourdoncle, F.: Efficient chaotic iteration strategies with widenings. In: Bjørner, D., Broy, M., Pottosin, I.V. (eds.) FMP&TA 1993. LNCS, vol. 735, pp. 128–141. Springer, Heidelberg (1993). https://doi.org/10.1007/BFb0039704 20. Cauligi, S., et al.: FaCT: a DSL for timing-sensitive computation. In: McKinley, K.S., Fisher, K. (eds.) Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, Phoenix, AZ, USA, 22–26 June 2019, pp. 174–189. ACM (2019) 21. Chen, Y., et al.: Verifying curve25519 software. In: Ahn, G., Yung, M., Li, N. (eds.) Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 299–309. ACM (2014) 22. Daniel, L.-A., Bardin, S., Rezk, T.: BINSEC/REL: efficient relational symbolic execution for constant-time at binary level. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020, pp. 1021–1038. IEEE (2020) 23. D’Silva, V., Payer, M., Song, D.X.: The correctness-security gap in compiler optimization. In: 2015 IEEE Symposium on Security and Privacy Workshops, SPW 2015, San Jose, CA, USA, 21–22 May 2015, pp. 73–87. IEEE Computer Society (2015) 24. Erbsen, A., Philipoom, J., Gross, J., Sloan, R., Chlipala, A.: Simple high-level code for cryptographic arithmetic - with proofs, without compromises. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, 19–23 May 2019, pp. 1202–1219. IEEE (2019) 25. Fromherz, A., Giannarakis, N., Hawblitzel, C., Parno, B., Rastogi, A., Swamy, N.: A verified, efficient embedding of a verifiable assembly language. In: Principles of Programming Languages (POPL 2019). ACM (2019) 26. Fu, Y., Liu, J., Shi, X., Tsai, M., Wang, B., Yang, B.: Signed cryptographic program verification with typed CryptoLine. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, 11–15 November 2019, pp. 1591–1606. ACM (2019) 27. Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). https://doi.org/10.1007/ 978-3-662-46800-5 2

Certified Compilation for Cryptography

127

28. Jourdan, J.-H., Laporte, V., Blazy, S., Leroy, X., Pichardie, D.: A formally-verified C static analyzer. In: Proceedings of the 42th Symposium on Principles of Programming Languages (POPL). ACM (2015) 29. Le, V., Afshari, M., Su, Z.: Compiler validation via equivalence modulo inputs. In: O’Boyle, M.F.P., Pingali, K. (eds.) ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2014, Edinburgh, United Kingdom, 09–11 June 2014, pp. 216–226. ACM (2014) 30. Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107– 115 (2009) 31. Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 5–20. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31987-0 2 32. Molnar, D., Piotrowski, M., Schultz, D., Wagner, D.: The program counter security model: automatic detection and removal of control-flow side channel attacks. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 156–168. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727 14 33. Petcher, A., Morrisett, G.: The foundational cryptography framework. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 53–72. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46666-7 4 34. Polubelova, M., et al.: HACL×N: verified generic SIMD crypto (for all your favorite platforms). IACR Cryptology ePrint Archive, 2020:572 (2020) 35. Protzenko, J., et al.: Verified low-level programming embedded in f* . CoRR, abs/1703.00053 (2017) 36. Regehr, J., Chen, Y., Cuoq, P., Eide, E., Ellison, C., Yang, X.: Test-case reduction for C compiler bugs. In: Vitek, J., Lin, H., Tip, F. (eds.) ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2012, Beijing, China, 11–16 June 2012, pp. 335–346. ACM (2012) 37. Rival, X., Mauborgne, L.: The trace partitioning abstract domain. ACM Trans. Program. Lang. Syst. (TOPLAS) 29(5), 1–44 (2007) 38. Rodrigues, B., Pereira, F., Aranha, D.: Sparse representation of implicit flows with applications to side-channel detection. In: Proceedings of Compiler Construction (2016) 39. Sun, C., Le, V., Zhang, Q., Su, Z.: Toward understanding compiler bugs in GCC and LLVM. In: Zeller, A., Roychoudhury, A. (eds.) Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, Saarbr¨ ucken, Germany, 18–20 July 2016, pp. 294–305. ACM (2016) 40. Yarom, Y., Genkin, D., Heninger, N.: CacheBleed: a timing attack on OpenSSL constant time RSA. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 346–367. Springer, Heidelberg (2016). https://doi.org/10.1007/9783-662-53140-2 17 41. Zinzindohou´e, J.-K., Bhargavan, K., Protzenko, J., Beurdouche, B.: HACL*: a verified modern cryptographic library. In: SIGSAC Conference on Computer and Communications Security, pp. 1789–1806 (2017)

Protocol Analysis with Time Dami´ an Aparicio-S´ anchez1 , Santiago Escobar1 , Catherine Meadows2(B) , na1 Jos´e Meseguer3 , and Julia Sapi˜ 1

3

VRAIN, Universitat Polit`ecnica de Val`encia, Valencia, Spain {daapsnc,jsapina}@upv.es, [email protected] 2 Naval Research Laboratory, Washington DC, USA [email protected] University of Illinois at Urbana-Champaign, Champaign, IL, USA [email protected]

Abstract. We present a framework suited to the analysis of cryptographic protocols that make use of time in their execution. We provide a process algebra syntax that makes time information available to processes, and a transition semantics that takes account of fundamental properties of time. Additional properties can be added by the user if desirable. This timed protocol framework can be implemented either as a simulation tool or as a symbolic analysis tool in which time references are represented by logical variables, and in which the properties of time are implemented as constraints on those time logical variables. These constraints are carried along the symbolic execution of the protocol. The satisfiability of these constraints can be evaluated as the analysis proceeds, so attacks that violate the laws of physics can be rejected as impossible. We demonstrate the feasibility of our approach by using the Maude-NPA protocol analyzer together with an SMT solver that is used to evaluate the satisfiability of timing constraints. We provide a sound and complete protocol transformation from our timed process algebra to the Maude-NPA syntax and semantics, and we prove its soundness and completeness. We then use the tool to analyze Mafia fraud and distance hijacking attacks on a suite of distance-bounding protocols.

1

Introduction

Time is an important aspect of many cryptographic protocols, and there has been increasing interest in the formal analysis of protocols that use time. Model checking of protocols that use time can be done using either an explicit time model, or by using an untimed model and showing it is sound and complete with respect to a timed model. The former is more intuitive for the user, but the latter is often chosen because not all cryptographic protocol analysis tools This paper was partially supported by the EU (FEDER) and the Spanish MCIU under grant RTI2018-094403-B-C32, by the Spanish Generalitat Valenciana under grant PROMETEO/2019/098 and APOSTD/2019/127, by the US Air Force Office of Scientific Research under award number FA9550-17-1-0286, and by ONR Code 311. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 128–150, 2020. https://doi.org/10.1007/978-3-030-65277-7_7

Protocol Analysis with Time

129

support reasoning about time. In this paper we describe a solution that combines the advantages of both approaches. An explicit timed specification language is developed with a timed syntax and semantics, and is automatically translated to an existing untimed language. The user however writes protocol specifications and queries in the timed language. In this paper we describe how such an approach has been applied to the Maude-NPA tool by taking advantage of its built-in support for constraints. We believe that this approach can be applied to other tools that support constraint handling as well. There are a number of security protocols that make use of time. In general, there are two types: those that make use of assumptions about time, most often assuming some sort of loose synchronization, and those that guarantee these assumptions. The first kind includes protocols such as Kerberos [18], which uses timestamps to defend against replay attacks, the TESLA protocol [23], which relies on loose synchronization to amortize digital signatures, and blockchain protocols, which use timestamps to order blocks in the chain. The other kind provides guarantees based on physical properties of time: for example, distance bounding, which guarantees that a prover is within a certain distance of a verifier, and secure time synchronization, which guarantees that the clocks of two different nodes are synchronized within a certain margin of error. In this paper, we concentrate on protocols using distance bounding, both because it has been well-studied, and because the timing constraints are relatively simple. A number of approaches have been applied to the analysis of distance bounding protocols. In [15], an epistemic logic for distance bounding analysis is presented where timing is captured by means of timed channels, which are described axiomatically. Time of sending and receiving messages can be deduced by using these timed channel axioms. In [2], Basin et al. define a formal model for reasoning about physical properties of security protocols, including timing and location, which they formalize in Isabelle/HOL and use it to analyze several distance bounding protocols, by applying a technique similar to Paulson’s inductive approach [22]. In [8], Debant et al. develop a timing model for AKiSS, a tool for verifying protocol equivalence in the bounded session model, and use it to analyze distance bounding protocols. In [21], Nigam et al. develop a model of timing side channels in terms of constraints and use it to define a timed version of observational equivalence for protocols. They have developed a tool for verifying observational equivalence that relies on SMT solvers. Other work concentrates on simplifying the problem so it can be more easily analyzed by a model checker, but proving that the simple problem is sound and complete with respect to the original problem so that the analysis is useful. In this regard, Nigam et al. [20] and Debant et al. [9] show that it is safe to limit the size and complexity of the topologies, and Mauw et al. [14] and Chothia et al. [5] develop timed and untimed models and show that analysis in the untimed model is sound and complete with respect to the timed model. In this paper we illustrate our approach by developing a timed protocol semantics suitable for the analysis of protocols that use constraints on time and distance, such as distance bounding, and that can be implemented as either

130

D. Aparicio-S´ anchez et al.

a simulation tool for generating and checking concrete configurations, or as a symbolic analysis tool that allows the exploration of all relevant configurations. We realize the timed semantics by translating it into the semantics of the Maude-NPA protocol analysis tool, in which timing properties are expressed as constraints. The constraints generated during the Maude-NPA search are then checked using an SMT solver. There are several things that help us. One is that we consider a metric space with distance constraints. Many tools support constraint handling, e.g., MaudeNPA [10] and Tamarin [16]. Another is that time can be naturally added to a process algebra. Many tools support processes, e.g., Maude-NPA [27] and AKISS [8]. The rest of this paper is organized as follows. In Sect. 2, we recall the BrandsChaum protocol, which is used as the running example throughout the paper. In Sect. 3, we present the timed process algebra with its intended semantics. In Sect. 4, we present a sound and complete protocol transformation from our timed process algebra to an untimed process algebra. In Sect. 5, we show how our timed process algebra can be transformed into Maude-NPA strand notation. In Sect. 6, we present our experiments. We conclude in Sect. 7.

2

The Brands-Chaum Distance Bounding Protocol

In the following, we recall the Brands-Chaum distance bounding protocol of [3], which we will use as the running example for the whole paper. Example 1. The Brands-Chaum protocol specifies communication between a verifier V and a prover P. P needs to authenticate itself to V, and also needs to prove that it is within a distance “d” of it. X;Y denotes concatenation of two messages X and Y , commit(N, Sr) denotes commitment of secret Sr with a nonce N , open(N, Sr, C) denotes opening a commitment C using the nonce N and checking whether it carries the secret Sr, ⊕ is the exclusive-or operator, and sign(A, M ) denotes A signing message M . A typical interaction between the prover and the verifier is as follows: P → V : commit(NP , SP ) //The prover sends his name and a commitment V → P : NV //The verifier sends a nonce //and records the time when this message was sent P → V : NP ⊕ N V //The verifier checks the answer of this exclusive-or //message arrives within two times a fixed distance P → V : SP //The prover sends the committed secret //and the verifier checks open(NP , SP , commit(NP , SP )) P → V : sign P (NV ; NP ⊕ NV ) //The prover signs the two rapid exchange messages

Protocol Analysis with Time

131

The previous informal Alice&Bob notation can be naturally extended to include time. We consider wireless communication between the participants located at an arbitrary given topology (participants do not move from their assigned locations) with distance constraints, where time and distance are equivalent for simplification and are represented by a real number. We assume a metric space with a distance function d : A × A → Real from a set A of participants such that d(A, A) = 0, d(A, B) = d(B, A), and d(A, B) ≤ d(A, C) + d(C, B). Then, time information is added to the protocol. First, we add the time when a message was sent or received as a subindex Pt1 → Vt2 . Second, time constraints associated to the metric space are added: (i) the sending and receiving times of a message differ by the distance between them and (ii) the time difference between two consecutive actions of a participant must be greater or equal to zero. Third, the distance bounding constraint of the verifier is represented as an arbitrary distance d. Time constraints are written using quantifier-free formulas in linear real arithmetic. For convenience, in linear equalities and inequalities (with or ≥), we ˙ = if y < x then x − y else 0 allow both 2 ∗ x = x + x and the monus function x−y as definitional extensions. In the following timed sequence of actions, a vertical bar is included to differentiate between the process and some constraints associated to the metric space. We remove the constraint open(NP , SP , commit(NP , SP )) for simplification. Pt1 → Vt1 : Vt2 → Pt2 : Pt3 → Vt3 : V : Pt4 → Vt4 : Pt5 → Vt5 :

commit(NP , SP ) | t1 NV | t2 NP ⊕ NV | t3  ˙ t3 − t2 ≤ 2 ∗ d SP | t4 sign P (NV ; NP ⊕ NV ) | t5

= t1 + d(P, V ) = t2 + d(P, V ) ∧ t2 ≥ t1 = t3 + d(P, V ) ∧ t3 ≥ t2 = t4 + d(P, V ) ∧ t4 ≥ t3 ∧ t4 ≥ t3 = t5 + d(P, V ) ∧ t5 ≥ t4 ∧ t5 ≥ t4

The Brands-Chaum protocol is designed to defend against mafia frauds, where an honest prover is outside the neighborhood of the verifier (i.e., d(P, V ) > d) but an intruder is inside (i.e., d(I, V ) ≤ d), pretending to be the honest prover. The following is an example of an attempted mafia fraud, in which the intruder simply forwards messages back and forth between the prover and the verifier. We write I(P ) to denote an intruder pretending to be an honest prover P . : commit(NP , SP ) | t2 = t1 + d(P, I) Pt1 →It2 : commit(NP , SP ) | t3 = t2 + d(V, I) I(P )t2 →Vt3 | t4 = t3 + d(V, I) Vt3 →I(P )t4 : NV : NV | t5 = t4 + d(P, I) It4 →Pt5 : NP ⊕ N V | t6 = t5 + d(P, I) Pt5 →It6 : NP ⊕ N V | t7 = t6 + d(V, I) I(P )t6 →Vt7 ˙ 3 ≤2∗d V : t7 −t : SP | t9 = t8 + d(P, I) ∧ t8 ≥ t5 Pt8 →It9 I(P )t10 →Vt11 : SP | t11 = t10 + d(V, I) ∧ t11 ≥ t7 I(P )t12 →Vt13 : signP (NV ; NP ⊕ NV )| t13 = t12 + d(V, I) ∧ t13 ≥ t11 Note that, in order for this trace to be consistent with the metric space, it would require that 2 ∗ d(V, I) + 2 ∗ d(P, I) ≤ 2 ∗ d, which is unsatisfiable by

132

D. Aparicio-S´ anchez et al.

d(V, P ) > d > 0 and the triangular inequality d(V, P ) ≤ d(V, I) + d(P, I), which implies that the attack is not possible. However, a distance hijacking attack is possible (i.e., the time and distance constraints are satisfiable) where an intruder located outside the neighborhood of the verifier (i.e., d(V, I) > d) succeeds in convincing the verifier that he is inside the neighborhood by exploiting the presence of an honest prover in the neighborhood (i.e., d(V, P ) ≤ d) to achieve his goal. The following is an example of a successful distance hijacking, in which the intruder listens to the exchanges messages between the prover and the verifier but builds the last message. Pt1 → Vt2 Vt2 → Pt3 , It3 Pt3 → Vt4 , It4 V Pt5 → Vt6 I(P )t7 → Vt8

3

: : : : : :

commit(NP , SP ) | t2 NV | t3 NP ⊕ N V | t4 ˙ t2 ≤ 2 ∗ d t4 − SP | t6 sign I (NV ; NP ⊕ NV ) | t8

= t1 + d(P, V ) = t2 + d(P, V ) ∧ t3 = t2 + d(I, V ) = t3 + d(P, V ) ∧ t4 = t3 + d(I, V ) = t5 + d(P, V ) ∧ t5 ≥ t3 ∧ t6 ≥ t4 = t7 + d(I, V ) ∧ t7 ≥ t4 ∧ t8 ≥ t6

A Timed Process Algebra

In this section, we present our timed process algebra and its intended semantics. We restrict ourselves to a semantics that can be used to reason about time and distance. We discuss how this could be extended in Sect. 7. To illustrate our approach, we use Maude-NPA’s process algebra and semantics described in [27], extending it with a global clock and time information. 3.1

New Syntax for Time

In our timed protocol process algebra, the behaviors of both honest principals and the intruders are represented by labeled processes. Therefore, a protocol is specified as a set of labeled processes. Each process performs a sequence of actions, namely sending (+m) or receiving (−m) a message m, but without knowing who actually sent or received it. Each process may also perform deterministic or non-deterministic choices. We define a protocol P in the timed protocol process algebra, written PTPA , as a pair of the form PTPA = ((ΣT P AP , ETPAP ), PTPA ), where (ΣT P AP , ETPAP ) is the equational theory specifying the equational properties of the cryptographic functions and the state structure, and PTPA is a ΣT P AP -term denoting a well-formed timed process. The timed protocol process algebra’s syntax ΣTPA is parameterized by a sort Msg of messages. Moreover, time is represented by a new sort Real, since we allow conditional expressions on time using linear arithmetic for the reals. Similar to [27], processes support four different kinds of choice: (i) a process expression P ? Q supports explicit non-deterministic choice between P and Q; (ii) a choice variable X? appearing in a send message expression +m supports implicit non-deterministic choice of its value, which can furthermore be an unbounded non-deterministic choice if X? ranges over an infinite set; (iii) a

Protocol Analysis with Time

133

conditional if C then P else Q supports explicit deterministic choice between P and Q determined by the result of its condition C; and (iv) a receive message expression −m(X1 , ..., Xn ) supports implicit deterministic choice about accepting or rejecting a received message, depending on whether or not it matches the pattern m(X1 , ..., Xn ). This deterministic choice is implicit, but it could be made explicit by replacing −m(X1 , ..., Xn ) · P by the semantically equivalent conditional expression −X. if X = m(X1 , ..., Xn ) then P else nilP · P , where X is a variable of sort Msg, which therefore accepts any message. The timed process algebra has the following syntax, also similar to that of [27] plus the addition of the suffix @Real to the sending and receiving actions: ProcConf ::= LProc | ProcConf & ProcConf | ∅ ProcId ::= (Role, Nat) LProc ::= (ProcId , Nat) Proc Proc ::= nilP | + (Msg@Real ) | − (Msg@Real ) | Proc · Proc | Proc ? Proc | if Cond then Proc else Proc – ProcConf stands for a process configuration, i.e., a set of labeled processes, where the symbol & is used to denote set union for sets of labeled processes. – ProcId stands for a process identifier, where Role refers to the role of the process in the protocol (e.g., prover or verifier) and Nat is a natural number denoting the identity of the process, which distinguishes different instances (sessions) of a process specification. – LProc stands for a labeled process, i.e., a process Proc with a label (ProcId , J). For convenience, we sometimes write (Role, I, J), where J indicates that the action at stage J of the process (Role, I) will be the next one to be executed, i.e., the first J − 1 actions of the process for role Role have already been executed. Note that the I and J of a process (Role, I, J) are omitted in a protocol specification. – Proc defines the actions that can be executed within a process, where +Msg@T , and −Msg@T respectively denote sending out a message or receiving a message Msg. Note that T must be a variable where the underlying metric space determines the exact sending or receiving time, which can be used later in the process. Moreover, “Proc · Proc” denotes sequential composition of processes, where symbol . is associative and has the empty process nilP as identity. Finally, “Proc ? Proc” denotes an explicit nondeterministic choice, whereas “if Cond then Proc else Proc” denotes an explicit deterministic choice, whose continuation depends on the satisfaction of the constraint Cond . Note that choice is explicitly represented by either a non-deterministic choice between P1 ? P2 or by the deterministic evaluation of a conditional expression if Cond then P1 else P2 , but it is also implicitly represented by the instantiation of a variable in different runs. In all process specifications we assume four disjoint kinds of variables, similar to the variables of [27] plus time variables:

134

D. Aparicio-S´ anchez et al.

– fresh variables: each one of these variables receives a distinct constant value from a data type Vfresh , denoting unguessable values such as nonces. Throughout this paper we will denote this kind of variables as f, f1 , f2 , . . .. – choice variables: variables first appearing in a sent message +M , which can be substituted by any value arbitrarily chosen from a possibly infinite domain. A choice variable indicates an implicit non-deterministic choice. Given a protocol with choice variables, each possible substitution of these variables denotes a possible run of the protocol. We always denote choice variables by letters postfixed with the symbol “?” as a subscript, e.g., A? , B? , . . .. – pattern variables: variables first appearing in a received message −M . These variables will be instantiated when matching sent and received messages. Implicit deterministic choices are indicated by terms containing pattern variables, since failing to match a pattern term leads to the rejection of a message. A pattern term plays the implicit role of a guard, so that, depending on the different ways of matching it, the protocol can have different continuations. Pattern variables are written with uppercase letters, e.g., A, B, NA , . . .. – time variables: a process cannot access the global clock, which implies that a time variable T of a reception or sending action +(M @T ) can never appear in M but can appear in the remaining part of the process. Also, given a receiving action −(M1 @t1 ) and a sending action +(M2 @t2 ) in a process of the form P1 ·−(M1 @t1 )·P2 ·+(M2 @t2 )·P3 , the assumption that timed actions are performed from left to right forces the constraint t1 ≤ t2 . Time variables are always written with a (subscripted) t, e.g., t1 , t1 , t2 , t2 , . . .. These conditions about variables are formalized by the function wf : Proc → Bool defined in Fig. 1, for well-formed processes. The definition of wf uses an auxiliary function shVar : Proc → VarSet, which is defined in Fig. 2. wf (P · +(M @T )) = wf (P ) if (Vars(M ) ∩ Vars(P )) ⊆ shVar (P ) ∧ T ∈ / Vars(M ) ∪ Vars(P ) wf (P · −(M @T )) = wf (P ) if (Vars(M ) ∩ Vars(P )) ⊆ shVar (P ) ∧ T ∈ / Vars(M ) ∪ Vars(P ) wf (P · (if T then Q else R)) = wf (P · Q) ∧ wf (P · R) if P = nilP and Q = nilP and Vars(T ) ⊆ shVar (P ) wf (P · (Q ? R)) = wf (P · Q) ∧ wf (P · R)

if Q = nilP orR = nilP

wf (P · nilP ) = wf (P ) wf (nilP ) = True.

Fig. 1. The well-formed function

Protocol Analysis with Time

135

shVar (+(M @T ) · P ) = Vars(M ) ∪ shVar (P ) shVar (−(M @T ) · P ) = Vars(M ) ∪ shVar (P ) shVar ((if T then P else Q) · R) = Vars(T ) ∪ (shVar (P ) ∩ shVar (Q)) ∪ shVar (R) shVar ((P ? Q) · R) = (shVar (P ) ∩ shVar (Q)) ∪ shVar (R) shVar (nilP ) = ∅

Fig. 2. The shared variables auxiliary function

Example 2. Let us specify the Brands and Chaum protocol of Example 1, where variables are distinct between processes. A nonce is represented as n(A? , f ), whereas a secret value is represented as s(A? , f ). The identifier of each process is represented by a choice variable A? . Recall that there is an arbitrary distance d > 0. (Verifier ) : −(Commit@t1 ) · +(n(V? , f1 )@t2 ) · −((n(V? , f1 ) ⊕ NP )@t3 ) · ˙ 2 ≤2∗d if t3 −t then −(SP @t4 ) · if open(NP , SP , Commit) then −(sign(P, n(V? , f1 ); NP ⊕ n(V? , f1 ))@t5 ) else nilP else nilP (Prover ) : +(commit(n(P? , f1 ), s(P? , f2 ))@t1 ) · −(NV @t2 ) · +((NV ⊕ n(P? , f1 ))@t3 ) · +(s(P? , f2 )@t4 ) · +(sign(P? , NV ; n(P? , f2 ) ⊕ NV )@t5 ) 3.2

Timed Intruder Model

The active Dolev-Yao intruder model is followed, which implies an intruder can intercept, forward, or create messages from received messages. However, intruders are located. Therefore, they cannot change the physics of the metric space, e.g., cannot send messages from a different location or intercept a message that it is not within range. In our timed intruder model, we consider several located intruders, modeled by the distance function d : ProcId × ProcId → Real , each with a family of capabilities (concatenation, deconcatenation, encryption, decryption, etc.), and each capability may have arbitrarily many instances. The combined actions of two intruders requires time, i.e., their distance; but a single intruder can perform many actions in zero time. Adding time cost to single-intruder actions could be done with additional time constraints, but is outside the scope of this paper. Note that, unlike in the standard Dolev-Yao model, we cannot assume just one

136

D. Aparicio-S´ anchez et al.

intruder, since the time required for a principal to communicate with a given intruder is an observable characteristic of that intruder. Thus, although the Mafia fraud and distance hijacking attacks considered in the experiments presented in this paper only require configurations with just one prover, one verifier and one intruder, the framework itself allows general participant configurations with multiple intruders. Example 3. In our timed process algebra, the family of capabilities associated to an intruder k are also described as processes. For instance, concatenating two received messages is represented by the process (where time variables t1 , t2 , t3 are not actually used by the process) (k .Conc) : −(X@t1 ) · −(Y @t2 ) · +(X; Y @t3 ) and extracting one of them from a concatenation is described by the process (k .Deconc) : −(X; Y @t1 ) · +(X@t2 ) Roles of intruder capabilities include the identifier of the intruder, and it is possible to combine several intruder capabilities from the same or from different intruders. For example, we may say that the +(X; Y @T ) of a process I1 .Conc associated to an intruder I1 may be synchronized with the −(X; Y @T  ) of a process I2 .Deconc associated to an intruder I2. The metric space fixes T  = T + d(I1, I2), where d(I1, I2) > 0 if I1 = I2 and d(I1, I2) = 0 if I1 = I2. A special forwarding intruder capability, not considered in the standard Dolev-Yao model, has to be included in order to take into account the time travelled by a message from an honest participant to the intruder and later to another participant, probably an intruder again. (k .Forward ) : −(X@t1 ) · +(X@t2 ) 3.3

Timed Process Semantics

A state of a protocol P consists of a set of (possibly partially executed) labeled processes, a set of terms in the network {N et}, and the global clock. That is, a state is a term of the form {LP1 & · · · & LPn | {Net} | t¯}. In the timed process algebra, the only time information available to a process is the variable T associated to input and output messages M @T . However, once these messages have been sent or received, we include them in the network Net with extra information. When a message M @T is sent, we store M @ (A : t → ∅) denoting that message M was sent by process A at the global time clock t, and propagate T → t within the process A. When this message is received by an action M  @T  of process B (honest participant or intruder) at the global clock time t , M is matched against M  modulo the cryptographic functions, T  → t is propagated within the process B, and B : t is added to the stored message, following the general pattern M @ (A : t → (B1 : t1 · · · Bn : tn )). The rewrite theory (ΣTPAP +State , ETPAP , RTPAP ) characterizes the behavior of a protocol P, where ΣTPAP +State extends ΣT P AP , by adding state constructor

Protocol Analysis with Time

137

symbols. We assume that a protocol run begins with an empty state, i.e., a state with an empty set of labeled processes, an empty network, and at time zero. Therefore, the initial empty state is always of the form {∅ | {∅} | 0.0}. Note that, in a specific run, all the distances are provided a priori according to the metric space and a chosen topology, whereas in a symbolic analysis, they will simply be variables, probably occurring within time constraints. State changes are defined by a set RTPAP of rewrite rules given below. Each transition rule in RTPAP is labeled with a tuple (ro, i , j , a, n, t), where: – – – –

ro is the role of the labeled process being executed in the transition. i denotes the instance of the same role being executed in the transition. j denotes the process’ step number since its beginning. a is a ground term identifying the action that is being performed in the transition. It has different possible values: “+m” or “−m” if the message m was sent (and added to the network) or received, respectively; “m” if the message m was sent but did not increase the network, “?” if the transition performs an explicit non-deterministic choice, “T ” if the transition performs an explicit deterministic choice, “Time” when the global clock is incremented, or “New ” when a new process is added. – n is a number that, if the action that is being executed is an explicit choice, indicates which branch has been chosen as the process continuation. In this case n takes the value of either 1 or 2. If the transition does not perform any explicit choice, then n = 0. – t is the global clock at each transition step. Note that in the transition rules RTPAP shown below, Net denotes the network, represented by a set of messages of the form M @ (A : t → (B1 : t1 · · · Bn : tn )), P denotes the rest of the process being executed and P S denotes the rest of labeled processes of the state (which can be the empty set ∅). – Sending a message is represented by the two transition rules below, depending on whether the message M is stored, (TPA++), or just discarded, (TPA+). In (TPA++), we store the sent message with its sending information, (ro, i) : t¯, and add an empty set for those who will be receiving the message in the future (M σ  @(ro, i) : t¯ → ∅). {(ro, i, j) (+M @t · P ) & P S | {N et} | t¯} −→(ro,i,j,+(M σ ),0,t¯) {(ro, i, j + 1) P σ  & P S | {(M σ  @(ro, i) : t¯ → ∅), N et} | t¯} if (M σ  : (ro, i) : t¯ → ∅) ∈ / Net where σ is a ground substitution binding choice variables in M and σ  = σ {t → t¯} (TPA++) {(ro, i, j) (+M @t · P ) & P S | {N et} | t¯} −→(ro,i,j,M σ ,0,t¯) {(ro, i, j + 1) P σ  & P S | {N et} | t¯} where σ is a ground substitution binding choice variables in M and σ  = σ {t → t¯} (TPA+)

138

D. Aparicio-S´ anchez et al.

– Receiving a message is represented by the transition rule below. We add the reception information to the stored message, i.e., we replace (M  @((ro , k) : t → AS)) by (M  @((ro , k) : t → (AS (ro, i) : t¯)). {(ro, i, j) (−(M @t) · P ) & P S | {(M  @((ro , k) : t → AS)), N et} | t¯} −→(ro,i,j,−(M σ ),0,t¯) {(ro, i, j + 1) P σ  & P S | {(M  @((ro , k) : t → (AS (ro, i) : t¯)), N et} | t¯} IF ∃σ : M  =EP M σ, t¯ = t + d((ro , k), (ro, i)), σ  = σ {t → tˆ} (TPA-) – An explicit deterministic choice is defined as follows. More specifically, the rule (TPAif1) describes the then case, i.e., if the constraint T is satisfied, then the process continues as P , whereas rule (TPAif2) describes the else case, that is, if the constraint T is not satisfied, the process continues as Q. {(ro, i, j) ((if T then P else Q) · R) & P S | {N et} | t¯} −→(ro,i,j,T,1,t¯) {(ro, i, j + 1) (P · R) & P S | {N et} | t¯}IF T {(ro, i, j) ((if T then P else Q) · R) & P S | {N et} | t¯} −→(ro,i,j,T,2,t¯) {(ro, i, j + 1) (Q · R) & P S | {N et} | t¯}IF¬T

(TPAif1) (TPAif2)

– An explicit non-deterministic choice is defined as follows. The process can continue either as P , denoted by rule (TPA?1), or as Q, denoted by rule (TPA?2). {(ro, i, j) ((P ? Q) · R) & P S | {N et} | t¯} −→(ro,i,j,?,1,t¯) {(ro, i, j + 1) (P · R) & P S | {N et} | t¯} {(ro, i, j) ((P ? Q) · R) & P S | {N et} | t¯} −→(ro,i,j,?,2,t¯) {(ro, i, j + 1)(Q · R) & P S | {N et} | t¯}

(TPA?1) (TPA?2)

– Global Time advancement is represented by the transition rule below that increments the global clock enough to make one sent message arrive to its closest destination. {P S | {N et} | t¯} −→(⊥,⊥,⊥,Time,0,t¯+t ) {P S | {N et} | t¯ + t } (PTime) IF t = mte(P S, N et, t¯) ∧ t = 0 where the function mte is defined as follows: mte(∅, N et, t¯) = ∞ mte(P &P S, N et, t¯) = min(mte(P, N et, t¯), mte(P S, N et, t¯)) mte((ro, i, j) nilP , N et, t¯) = ∞ mte((ro, i, j) + (M @t) · P, N et, t¯) = 0 mte((ro, i, j) − (M @t) · P, N et, t¯) =   d((ro, i), (ro , i )) | (M  @(ro , i ) : t0 → AS) ∈ N et min ∧∃σ : M σ =B M  mte((ro, i, j) (if T then P else Q) · R, N et, t¯) = 0

Protocol Analysis with Time

139

mte((ro, i, j) P1 ?P2 , N et, t¯) = 0 Note that the function mte evaluates to 0 if some instantaneous action by the previous rules can be performed. Otherwise, mte computes the smallest non-zero time increment required for some already sent message (existing in the network) to be received by some process (by matching with such an existing message in the network). Remark. The timed process semantics assumes a metric space with a distance function d : ProcId × ProcId → Real such that (i) d(A, A) = 0, (ii) d(A, B) = d(B, A), and (iii) d(A, B) ≤ d(A, C) + d(C, B). For every message M @ (A : t → (B1 : t1 · · · Bn : tn )) stored in the network Net, our semantics assumes that (iv) ti = t + d(A, Bi ), ∀1 ≤ i ≤ n. Furthermore, according to our wireless communication model, our semantics assumes (v) a time sequence monotonicity property, i.e., there is no other process C such that d(A, C) ≤ d(A, Bi ) for some i, 1 ≤ i ≤ n, and C is not included in the set of recipients of the message M . Also, for each class of attacks such as the Mafia fraud or the hijacking attack, (vi) some extra topology constraints may be necessary. However, in Sect. 4, timed processes are transformed into untimed processes with time constraints and the transformation takes care only of conditions (i), (ii), and (iv). For a fixed number of participants, all the instances of the triangle inequality (iii) as well as constraints (vi) should be added by the user. In the general case, conditions (iii), (v), and (vi) can be partially specified and fully checked on a successful trace. – New processes can be added as follows. ⎫ ⎧ ∀ (ro) Pk ∈ PPA ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ {P S | {N et} | t¯} ⎪ ⎪ ⎪ ⎪ ⎬ ⎨ −→(ro,i+1,1,N ew,0,t¯) ⎪ ⎪{(ro, i + 1, 1, x? σ, y? σ) Pk σρro,i+1 & P S | {N et} | t¯} ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ where ρro,i+1 is a fresh substitution, ⎪ ⎪ ⎪ ⎪ ⎭ ⎩ σ is a ground substitution binding x? and y? , and i = id(P S, ro) (TPA&) The auxiliary function id counts the instances of a role id(∅, ro) = 0  max(id(P S, ro), i) if ro = ro id((ro , i, j)P &P S, ro) = id(P S, ro) if ro = ro where P S denotes a process configuration, P a process, and ro, ro role names. Therefore, the behavior of a timed protocol in the process algebra is defined by the set of transition rules RTPAP = {(TPA++), (TPA+), (PTime), (TPA-), (TPAif1), (TPAif2), (TPA?1), (TPA?2) } ∪ (TPA&). Example 4. Continuing Example 2, a possible run of the protocol is represented in Fig. 3 for a prover p, an intruder i, and a verifier v. A simpler, graphical representation of the same run is included at the top of the figure. There, the

140

D. Aparicio-S´ anchez et al.

Fig. 3. Brand and Chaum execution for a prover, an intruder, and a verifier

Protocol Analysis with Time

141

neighborhood distance is d = 1.0, the distance between the prover and the verifier is d(p, v) = 2.0, but the distance between the prover and the intruder as well as the distance between the verifier and the intruder are d(v, i) = d(p, i) = 1.0, i.e., the honest prover p is outside v’s neighborhood, d(v, p) > d, where d(v, p) = d(v, i) + d(p, i). Only the first part of the rapid message exchange sequence is represented and the forwarding action of the intruder is denoted by i.F . The prover sends the commitment m1 = commit(n(p, f1 ), s(p, f2 )) at instant t¯0 = 0.0 and is received by the intruder at instant t¯1 = 1.0. The intruder forwards m1 at instant t¯1 and is received by the verifier at instant t¯2 = 2.0. Then, the verifier sends m2 = n(v, f3 ) at instant t¯2 , which is received by the intruder at instant t¯3 = 3.0. The intruder forwards m2 at instant t¯3 , which is received by the prover at instant t¯4 = 4.0. Then, the prover sends m4 = (m2 ⊕ n(p, f1 )) at instant t¯4 and is received by the intruder at instant t¯5 = 5.0. Finally, the intruder forwards m4 at instant t¯5 and is received by the verifier at instant t¯6 = 6.0. Thus, the verifier sent m2 at time t¯2 = 2.0 and received m4 at time t¯6 = 6.0. But the protocol cannot complete the run, since t¯6 − t¯2 = 4.0 < 2∗d = 2.0 is unsatisfiable. Our time protocol semantics can already be implemented straightforwardly as a simulation tool. For instance, [15] describes distance bounding protocols using an authentication logic, which describes the evolution of the protocol, [20] provides a strand-based framework for distance bounding protocols based on simulation with time constraints, and [8] defines distance bounding protocol using some applied-pi calculus. Note, however, that, since the number of metric space configurations is infinite, model checking a protocol for a concrete configuration with a simulation tool is very limited, since it cannot prove the absence of an attack for all configurations. For this reason, we follow a symbolic approach that can explore all relevant configurations. In the following section, we provide a sound and complete protocol transformation from our timed process algebra to the untimed process algebra of the Maude-NPA tool. In order to do this, we make use of an approach introduced by Nigam et al. [20] in which properties of time, which can include both those following from physics and those checked by principals, are represented by linear constraints on the reals. As a path is built, an SMT solver can be used to check that the constraints are satisfiable, as is done in [21].

4

Timed Process Algebra into Untimed Process Algebra with Time Variables and Timing Constraints

In this section, we consider a more general constraint satisfiability approach, where all possible (not only some) runs are symbolically analyzed. This provides both a trace-based insecure statement, i.e., a run leading to an insecure secrecy or authentication property is discovered given enough resources, and an unsatisfiability-based secure statement, i.e., there is no run leading to an insecure secrecy or authentication property due to time constraint unsatisfiability.

142

D. Aparicio-S´ anchez et al.

Example 5. Consider again the run of the Brands-Chaum protocol given in Fig. 3. All the terms of sort Real, written in blue color, are indeed variables that get an assignment during the run based on the distance function. Then, it is possible to obtain a symbolic trace from the run of Fig. 3, where the following time constraints are accumulated: t¯1 t¯2 t¯3 t¯4 t¯5 t¯6

= t¯0 + d((p, 0), (i.F, 0)), = t¯1 + d((v, 0), (i.F, 0)), = t¯2 + d((v, 0), (i.F, 1)), = t¯3 + d((p, 0), (i.F, 1)), = t¯4 + d((p, 0), (i.F, 2)), = t¯5 + d((v, 0), (i.F, 2)),

d((p, 0), (i.F, 0)) ≥ 0 d((v, 0), (i.F, 0)) ≥ 0 d((v, 0), (i.F, 1)) ≥ 0 d((p, 0), (i.F, 1)) ≥ 0 d((p, 0), (i.F, 2)) ≥ 0 d((v, 0), (i.F, 2)) ≥ 0

Note that these constraints are unsatisfiable when combined with (i) the assumption d > 0, (ii) the verifier check t¯6 − t¯2 ≤ 2 ∗ d, (iii) the assumption that the honest prover is outside the verifier’s neighborhood, d((p, 0), (v, 0)) > d, (iv) the triangular inequality from the metric space, d((p, 0), (v, 0)) ≤ d((p, 0), (i.F, 0)) + d((i.F, 0), (v, 0)), and (v) the assumption that there is only one intruder d((i.F, 0), (i.F, 1)) = 0 and d((i.F, 0), (i.F, 2)) = 0. As explained previously in the remark, there are some implicit conditions based on the mte function to calculate the time increment to the closest destination of a message. However, the mte function disappears in the untimed process algebra and those implicit conditions are incorporated into the symbolic run. In the following, we define a transformation of the timed process algebra by (i) removing the global clock; (ii) adding the time data into untimed messages of a process algebra without time (as done in [20]); and (iii) adding linear arithmetic conditions over the reals for the time constraints (as is done in [21]). The soundness and completeness proof of the transformation is included in the full version of the paper, available at https://arxiv.org/abs/2010.13707. Since all the relevant time information is actually stored in messages of the form M @ (A : t → (B1 : t1 · · · Bn : tn )) and controlled by the transition rules (TPA++), (TPA+), and (TPA-), the mapping tpa2pa of Definition 1 below transforms each message M @t of a timed process into a message M @ (A : t? → AS ? ) of an untimed process. That is, we use a timed choice variable t? for the sending time and a variable AS ? for the reception information (B1 : t1 · · · Bn : tn ) associated to the sent message. Since choice variables are replaced by specific values, both t? and AS ? will be replaced by the appropriate values that make the execution and all its time constraints possible. Note that these two choice variables will be replaced by logical variables during the symbolic execution. Definition 1 (Adding Time Variables and Time Constraints to Untimed Processes). The mapping tpa2pa from timed processes into untimed processes and its auxiliary mapping tpa2pa* are defined as follows:

Protocol Analysis with Time

143

tpa2pa(∅) = ∅ tpa2pa((ro,i,j) P & PS ) = (ro,i,j) tpa2pa*(P ,ro,i) & tpa2pa(PS ) tpa2pa*(nilP , ro, i) = nilP tpa2pa*( +(M @t) . P, ro, i) = +(M @((ro, i) : t? → AS ? )) . tpa2pa*(P γ, ro, i) where γ = {t → t? } tpa2pa*( −(M @t) . P, ro, i) = − (M @((ro , i ) : t → ((ro, i) : t)  AS)) . if t = t + d((ro, i), (ro , i )) ∧ d((ro, i), (ro , i )) ≥ 0 then tpa2pa*(P, ro, i) else nilP tpa2pa*( (if C then P else Q) . R,ro,i,x,y) = (if C then tpa2pa*(P ,ro,i,x,y) else tpa2pa*(Q,ro,i,x,y)) . tpa2pa*(R,ro,i,x,y) tpa2pa*( (P ? Q) . R,ro,i,x,y) = (tpa2pa*(P ,ro,i,x,y) ? tpa2pa*(Q,ro,i,x,y)) . tpa2pa*(R,ro,i,x,y)

where t? and AS ? are choice variables different for each one of the sending actions, ro , i , t , d, AS are pattern variables different for each one of the receiving actions, P , Q, and R are processes, M is a message, and C is a constraint. Example 6. The timed processes of Example 2 are transformed into the following untimed processes. We remove the “else nilP ” branches for clarity. (Verifier ) : −(Commit @ A1 : t1 → V? : t1 AS1 ) · if t1 = t1 + d(A1 , V? ) ∧ d(A1 , V? ) ≥ 0 then +(n(V? , f1 ) @ V? : t2? → AS2? ) · −((n(V? , f1 ) ⊕ NP ) @ A3 : t3 → V? : t3 AS3 ) · if t3 = t3 + d(A3 , V? ) ∧ d(A3 , V? ) ≥ 0 then ˙ 2 ? ≤ 2 ∗ d then if t3 −t −(SP @ A4 : t4 → V? : t4 AS4 ) · if t4 = t4 + d(A4 , V? ) ∧ d(A4 , V? ) ≥ 0 then if open(NP , SP , Commit) then −(sign(P, n(V? , f1 ); NP ⊕ n(V? , f1 )) @ A5 : t5 → V? : t5 AS5 ) if t5 = t5 + d(A5 , V? ) ∧ d(A5 , V? ) ≥ 0 (Prover ) : +(commit(n(P? , f1 ), s(P? , f2 ))@P? : t1? → AS1? ) · −(V ; NV @ A2 : t2 → V? : t2 AS2 ) · if t2 = t2 + d(A2 , P? ) ∧ d(A2 , P? ) ≥ 0 then +((NV ⊕ n(P? , f1 ))@P? : t3 ? → AS3 ? ) · +(s(P? , f2 )@P? : t4? → AS4? ) · +(sign(P? , NV ; n(P? , f2 ) ⊕ NV )@P? : t5 ? → AS5 ? ))

144

D. Aparicio-S´ anchez et al.

Example 7. The timed processes of Example 3 for the intruder are transformed into the following untimed processes. Note that we use the intruder identifier I associated to each role instead of a choice variable I? . (I .Conc) : −(X@ A1 : t1 → I : t1 AS1 ) · if t1 = t1 + d(A1 , I) ∧ d(A1 , I) ≥ 0 then −(Y @ A2 : t2 → I : t2 AS2 ) · if t2 = t2 + d(A2 , I) ∧ d(A2 , I) ≥ 0 then +(X; Y @I : t3 ? → AS ? )

(I .Deconc) : −(X; Y @ A1 : t1 → I : t1 AS1 ) · if t1 = t1 + d(A1 , I) ∧ d(A1 , I) ≥ 0 then +(X@I : t2? → AS ? ) (I .Forward ) : −(X@ A1 : t1 → I : t1 AS1 ) · if t1 = t1 + d(A1 , I) ∧ d(A1 , I) ≥ 0 then +(X@I : t2? → AS ? ) Once a timed process is transformed into an untimed process with time variables and time constraints using the notation of Maude-NPA, we rely on both a soundness and completeness proof from the Maude-NPA process notation into Maude-NPA forward rewriting semantics and on a soundness and completeness proof from Maude-NPA forward rewriting semantics into Maude-NPA backwards symbolic semantics, see [26,27]. Since the Maude-NPA backwards symbolic semantics already considers constraints in a very general sense [10], we only need to perform the additional satisfiability check for linear arithmetic over the reals.

5

Timed Process Algebra into Strands in Maude-NPA

This section is provided to help in understanding the experimental output. Although Maude-NPA accepts protocol specifications in either the process algebra language or the strand space language, it still gives outputs only in the strand space notation. Thus, in order to make our experimental output easier to understand, we describe the translation from timed process into strands with time variables and time constraints. This translation is also sound and complete, as it imitates the transformation of Sect. 4 and the transformation of [26,27]. Strands [25] are used in Maude-NPA to represent both the actions of honest principals (with a strand specified for each protocol role) and those of an intruder (with a strand for each action an intruder is able to perform on messages). In Maude-NPA, strands evolve over time. The symbol | is used to divide past ± ± ± and future. That is, given a strand [ msg± 1 , . . . , msgi | msgi+1 , . . . , msgk ], ± ± ± messages msg± 1 , . . . , msgi are the past messages, and messages msgi+1 , . . . , msgk

Protocol Analysis with Time

145

are the future messages (msg± i+1 is the immediate future message). Constraints ± can be also inserted into strands. A strand [msg± 1 , . . . , msgk ] is shorthand for ± ± [nil | msg1 , . . . , msgk , nil]. An initial state is a state where the bar is at the beginning for all strands in the state, and the network has no possible intruder fact of the form m ∈ I. A final state is a state where the bar is at the end for all strands in the state and there is no negative intruder fact of the form m ∈ / I. In the following example, we illustrate how the timed process algebra can be transformed into strands specifications of Maude-NPA. Example 8. The timed processes of Example 2 are transformed into the following strand specification. (Verifier ) : [−(Commit @ A1 : t1 → V : t1 AS1 ), (t1 = t1 + d(A1 , V ) ∧ d(A1 , V ) ≥ 0), +(n(V, f1 ) @ V : t2 → AS2 ), −((n(V, f1 ) ⊕ NP ) @ A3 : t3 → V : t3 AS3 ), (t3 = t3 + d(A3 , V ) ∧ d(A3 , V ) ≥ 0), ˙ 2 ≤ 2 ∗ d), (t3 −t −(SP @ A4 : t4 → V : t4 AS4 ), (t4 = t4 + d(A4 , V ) ∧ d(A4 , V ) ≥ 0), open(NP , SP , Commit), −(sign(P, n(V, f1 ); NP ⊕ n(V, f1 ))@ A5 : t5 → V : t5 AS5 ), (t5 = t5 + d(A5 , V ) ∧ d(A5 , V ) ≥ 0)] (Prover ) : [+(commit(n(P, f1 ), s(P, f2 ))@P : t1 → AS1 ), −(NV @ A2 : t2 → V : t2 AS2 ), (t2 = t2 + d(A2 , P ) ∧ d(A2 , P ) ≥ 0), +((NV ⊕ n(P, f1 ))@P : t3 → AS3 ), +(s(P, f2 )@P : t4 → AS4 ), +(sign(P, NV ; n(P, f2 ) ⊕ NV )@P : t5 → AS5 )] We specify the desired security properties in terms of attack patterns including logical variables, which describe the insecure states that Maude-NPA is trying to prove unreachable. Specifically, the tool attempts to find a backwards narrowing sequence path from the attack pattern to an initial state until it can no longer form any backwards narrowing steps, at which point it terminates. If it has not found an initial state, the attack pattern is judged unreachable. The following example shows how a classic mafia fraud attack for the BrandsChaum protocol can be encoded in Maude-NPA’s strand notation. Example 9. Following the strand specification of the Brands-Chaum protocol given in Example 8, the mafia attack of Example 1 is given as the following attack pattern. Note that Maude-NPA uses symbol === for equality on the reals, +=+ for addition on the reals, *=* for multiplication on the reals, and -=- for subtraction

146

D. Aparicio-S´ anchez et al.

on the reals. Also, we consider one prover p, one verifier v, and one intruder i at fixed locations. Extra time constraints are included in an smt section, where a triangular inequality has been added. The mafia fraud attack is secure for Brands-Chaum and no initial state is found in the backwards search. eq ATTACK-STATE(1) --- Mafia fraud = :: r :: --- Verifier [ nil, -(commit(n(p,r1),s(p,r2)) @ i : t1 -> v : t2), ((t2 === t1 +=+ d(i,v)) and d(i,v) >= 0/1), +(n(v,r) @ v : t2 -> i : t2’’), -(n(v,r) * n(p,r1) @ i : t3 -> v : t4), (t3 >= t2 and (t4 === t3 +=+ d(i,v)) and d(i,v) >= 0/1), ((t4 -=- t2) i : t1’’), -(n(v,r) @ i : t2’’ -> p : t3’), ((t3’ === t2’’ +=+ d(i,p)) and d(i,p) >= 0/1), +(n(v,r) * n(p,r1) @ p : t3’ -> i : t3’’) | nil ] || smt(d(v,p) > 0/1 and d(i,p) > 0/1 and d(i,v) > 0/1 and d(v,i) = d(v,p) and d(v,p) > d) || nil || nil || nil [nonexec] .

6

Experiments

As a feasibility study, we have encoded several distance bounding protocols in Maude-NPA. It was necessary to slightly alter the Maude-NPA tool by (i) including minor modifications to the state space reduction techniques to allow for timed messages; (ii) the introduction of the sort Real and its associated operations; and (iii) the connection of Maude-NPA to a Satisfiability Modulo Theories (SMT) solver1 (see [19] for details on SMT). The specifications, outputs, and the modified version of Maude-NPA are available at http://personales.upv.es/sanesro/ indocrypt2020/. Although the timed model allows an unbounded number of principals, the attack patterns used to specify insecure goal states allow us to limit the number of principals in a natural way. In this case we specified one verifier, one prover, and one attacker, but allowed an unbounded number of sessions. In Table 1 above we present the results for the different distance-bounding protocols that we have analyzed. Two attacks have been analyzed for each protocol: a mafia fraud attack (i.e., an attacker tries to convince the verifier that an honest prover is closer to him than he really is), and a distance hijacking attack (i.e., a dishonest prover located far away succeeds in convincing a verifier that they are actually close, and he may only exploit the presence of honest participants in the neighborhood to achieve his goal). Symbol  means the property is satisfied and × means an attack was found. The columns labelled tm(sec) give the times in seconds that it took for a search to complete. Finally the column labeled PreProc gives the time it takes Maude-NPA to perform some preprocessing on the specification that eliminates searches for some provably unreachable state. This only needs to be done once, after which the results can be used for any query, so it is displayed separately. 1

Several SMT solvers are publicly available, but the programming language Maude [6] currently supports CVC4 [7] and Yices [28].

Protocol Analysis with Time

147

Table 1. Experiments performed for different distance-bounding protocols Protocol

PreProc (s) Mafia tm (s) Hijacking tm (s)

Brands and Chaum [3]

3.0



4.3

×

11.4

Meadows et al. (nV ⊕ nP ,P ) [15] 3.7



1.3



22.5

Meadows et al. (nV ,nP ⊕ P ) [15] 3.5



1.1

×

1.5

Hancke and Kuhn [11]

1.2



12.5



0.7

MAD [4]

5.1



110.5

×

318.8

Swiss-Knife [12]

3.1



4.8



24.5

Munilla et al. [17]

1.7



107.1



4.5

CRCS [24]

3.0



450.1

×

68.6

TREAD [1]

2.4



4.7

×

4.2

We note that, since our semantics is defined over arbitrary metric spaces, not just Euclidean space, it is also necessary to verify that an attack returned by the tool is realizable over Euclidean space. We note that the Mafia and hijacking attacks returned by Maude-NPA in these experiments are all realizable on a straight line, and hence are realizable over n-dimensional Euclidean space for any n. In general, this realizability check can be done via a final step in which the constraints with the Euclidean metric substituted for distance is checked via an SMT solver that supports checking quadratic constraints over the reals, such as Yices [28], Z3 [29], or Mathematica [13]. Although this feature is not yet implemented in Maude-NPA, we have begun experimenting with these solvers.

7

Conclusions

We have developed a timed model for protocol analysis based on timing constraints, and provided a prototype extension of Maude-NPA handling protocols with time by taking advantage of Maude’s support of SMT solvers, as was done by Nigam et al. in [21], and Maude-NPA’s support of constraint handling. We also performed some initial analyses to test the feasibility of the approach. This approach should be applicable to other tools that support constraint handling. There are several ways this work can be extended. One is to extend the ability of the tool to reason about a larger numbers or principals, in particular an unbounded number of principals. This includes an unbounded number of attackers; since each attacker must have its own location, we cannot assume a single attacker as in Dolev-Yao. Our specification and query language, and its semantics, supports reasoning about an unbounded number of principals, so this is a question of developing means of telling when a principal or state is redundant and developing state space reduction techniques based on this.

148

D. Aparicio-S´ anchez et al.

Another important extension is to protocols that require the full Euclidean space model, in particular those in which location needs to be explicitly included in the constraints. This includes for example protocols used for localization. For this, we have begun experimenting with SMT solvers that support solving quadratic constraints over the reals. Looking further afield, we consider adding different types of timing models. In the timing model used in this paper, time is synonymous with distance. But we may also be interested including other ways in which time is advanced, e.g. the amount of time a principal takes to perform internal processing tasks. In our model, the method in which timing is advanced is specified by the mte function, which is in turn used to generate constraints on which messages can be ordered. Thus changing the way in which timing is advanced can be accomplished by modifying the mte function. Thus, potential future research includes design of generic mte functions together with rules on their instantiation that guarantee soundness and completeness Finally, there is also no reason for us to limit ourselves to time and location. This approach should be applicable to other quantitative properties as well. For example, the inclusion of cost and utility would allow us to tackle new classes of problems not usually addressed by cryptographic protocol analysis tools, such as performance analyses (e.g., resistance against denial of service attacks), or even analysis of game-theoretic properties of protocols, thus opening up a whole new set of problems to explore.

References 1. Avoine, G., et al.: A terrorist-fraud resistant and extractor-free anonymous distance-bounding protocol. In Proceedings of the Asia Conference on Computer and Communications Security (AsiaCCS 2017), pp. 800–814. ACM Press (2017) 2. Basin, D.A., Capkun, S., Schaller, P., Schmidt, B.: Formal reasoning about physical properties of security protocols. ACM Trans. Inf. Syst. Securi. 14(2), 16:1–16:28 (2011) 3. Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https:// doi.org/10.1007/3-540-48285-7 30 4. Capkun, S., Butty´ an, L., Hubaux, J.-P.: SECTOR: secure tracking of node encounters in multi-hop wireless networks. In: Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2003), pp. 21–32. Association for Computing Machinery (2003) 5. Chothia, T., de Ruiter, J., Smyth, B.: Modelling and analysis of a hierarchy of distance bounding attacks. In: Proceedings of the 27th USENIX Security Symposium (USENIX Security 2018), pp. 1563–1580. USENIX (2018) 6. Clavel, M., et al.: Maude Manual (Version 3.0). Technical report, SRI International Computer Science Laboratory (2020). http://maude.cs.uiuc.edu 7. The CVC4 SMT Solver (2020). https://cvc4.github.io 8. Debant, A., Delaune, S.: Symbolic verification of distance bounding protocols. In: Nielson, F., Sands, D. (eds.) POST 2019. LNCS, vol. 11426, pp. 149–174. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17138-4 7

Protocol Analysis with Time

149

9. Debant, A., Delaune, S., Wiedling, C.: A symbolic framework to analyse physical proximity in security protocols. In: Proceedings of the 38th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2018), Leibniz International Proceedings in Informatics (LIPIcs), vol. 122, pp. 29:1–29:20. Schloss Dagstuhl - Leibniz-Zentrum f¨ ur Informatik (2018) 10. Escobar, S., Meadows, C., Meseguer, J., Santiago, S.: Symbolic protocol analysis with disequality constraints modulo equational theories. In: Bodei, C., Ferrari, G.L., Priami, C. (eds.) Programming Languages with Applications to Biology and Security. LNCS, vol. 9465, pp. 238–261. Springer, Cham (2015). https://doi.org/ 10.1007/978-3-319-25527-9 16 11. Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: Proceedings of the 1st IEEE International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), pp. 67–73. IEEE Computer Society Press (2005) 12. Kim, C.H., Avoine, G., Koeune, F., Standaert, F.-X., Pereira, O.: The Swiss-Knife RFID distance bounding protocol. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 98–115. Springer, Heidelberg (2009). https://doi.org/10.1007/ 978-3-642-00730-9 7 13. Wolfram Mathematica (2020). https://www.wolfram.com/mathematica 14. Mauw, S., Smith, Z., Toro-Pozo, J., Trujillo-Rasua, R.: Distance-bounding protocols: verification without time and location. In: Proceedings of the 39th IEEE Symposium on Security and Privacy (S&P 2018), pp. 549–566. IEEE Computer Society Press (2018) 15. Meadows, C., Poovendran, R., Pavlovic, D., Chang, L.W., Syverson, P.: Distance bounding protocols: authentication logic analysis and collusion attacks. In: Poovendran, R., Roy, S., Wang, C. (eds.) Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks: Advances in Information Security, vol. 30, pp. 279–298. Springer, Boston (2007). https://doi.org/10.1007/978-0387-46276-9 12 16. Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/ 10.1007/978-3-642-39799-8 48 17. Munilla, J., Peinado, A.: Distance bounding protocols for RFID enhanced by using void-challenges and analysis in noisy channels. Wirel. Commun. Mob. Comput. 8(9), 1227–1232 (2008) 18. Neumann, C., Yu, T., Hartman, S., Raeburn, K.: The Kerberos network authentication service (V5). Request Comments 4120, 1–37 (2005) 19. Nieuwenhuis, R., Oliveras, A., Tinelli, C.: Solving SAT and SAT modulo theories: from an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). Commun. ACM 53(6), 937–977 (2006) 20. Nigam, V., Talcott, C., Aires Urquiza, A.: Towards the automated verification of cyber-physical security protocols: bounding the number of timed intruders. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 450–470. Springer, Cham (2016). https://doi.org/10.1007/ 978-3-319-45741-3 23 21. Nigam, V., Talcott, C., Urquiza, A.A.: Symbolic timed observational equivalence. Computing Research Repository, abs/1801.04066 (2018) 22. Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1–2), 85–128 (1998)

150

D. Aparicio-S´ anchez et al.

23. Perrig, A., Song, D., Canetti, R., Tygar, J.D., Briscoe, B.: Timed efficient stream loss-tolerant authentication (TESLA): multicast source authentication transform introduction. Request Comments 4082, 1–22 (2005) 24. Rasmussen, K.B., Capkun, S.: Realization of RF distance bounding. In: Proceedings of the 19th USENIX Security Symposium (USENIX Security 2010), pp. 389– 402. USENIX (2010) 25. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: proving security protocols correct. J. Comput. Secur. 7(1), 191–230 (1999) 26. Yang, F., Escobar, S., Meadows, C., Meseguer, J.: Strand spaces with choice via a process algebra semantics. Computing Research Repository, abs/1904.09946 (2019) 27. Yang, F., Escobar, S., Meadows, C., Meseguer, J., Santiago, S.: Strand spaces with choice via a process algebra semantics. In: Proceedings of the 18th International Symposium on Principles and Practice of Declarative Programming (PPDP 2016), pp. 76–89. ACM Press (2016) 28. The Yices SMT Solver (2020). https://yices.csl.sri.com 29. The Z3 SMT Solver (2020). https://github.com/Z3Prover/z3

Verifpal: Cryptographic Protocol Analysis for the Real World Nadim Kobeissi1(B) , Georgio Nicolas1 , and Mukesh Tiwari2 1

Symbolic Software, Paris, France [email protected]

2

University of Melbourne, Melbourne, Australia

Abstract. Verifpal is a new automated modeling framework and verifier for cryptographic protocols, optimized with heuristics for common-case protocol specifications, that aims to work better for real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is easier to write and understand than the languages employed by existing tools. Its formal verification paradigm is also designed explicitly to provide protocol modeling that avoids user error. Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Furthermore, Verifpal’s semantics have been formalized within the Coq theorem prover, and Verifpal models can be automatically translated into Coq as well as into ProVerif models for further verification. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3 as well as the first formal model for the DP-3T pandemic-tracing protocol, which we present in this work. Through Verifpal, we show that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners. Keywords: Formal analysis

1

· Protocol analysis · Protocol modeling

Introduction

Internet communications rely on a handful of protocols, such as Transport Layer Security (TLS), SSH and Signal, in order to keep user data confidential. These protocols often aim to achieve ambitious security properties (such as post-compromise security [30]) across complex use-cases (such as support for message synchronization across multiple devices.) Given the broad set of operations and states supported by these protocols, verifying that they do indeed achieve their desired security goals across all use-case scenarios has proven to be non-trivial [14,17,18]. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 151–202, 2020. https://doi.org/10.1007/978-3-030-65277-7_8

152

N. Kobeissi et al.

Automated formal verification tools have seen an encouraging success in helping to model the security of these protocols. Recently, the Signal secure messaging protocol [54], the TLS 1.3 web encryption standard [15], the 5G wireless communication standard [9,32], the Scuttlebutt decentralized messaging protocol [35], the Bluetooth standard [35], the Let’s Encrypt certificate issuance system [16,51], the Noise Protocol Framework [48,55] and the WireGuard [44] Virtual Private Network (VPN) protocol [59] have all been analyzed using automated formal verification (Fig. 1).

Fig. 1. Comparison between Verifpal and other tools for symbolic security analysis, using established impartial third-party criteria [7]. Verifpal analysis supports unbounded executions (including interleaving protocol sessions), equational theory (although not as refined as Tamarin’s), mutable principal states, trace properties and is able to link results to implementations via Coq (and soon Go). Verifpal does not support equivalence properties at the same level as Maude-NPA, ProVerif, Tamarin and DEEPSPEC, but does offer queries for notions of unlinkability between values. Verifpal also focuses on providing a substantially more intuitive overall framework for real-world protocol modeling and analysis through its language and built-in primitive definitions, although such a claim is more tricky to compare.

Despite this increase in the usage of formal verification tools, and despite the success obtained with this approach, automated formal verification technology remains unused outside certain specific realms of academia: an illustrative fact is that almost all of the example results cited above have, as a co-author, one of the designers of the automated formal verification tool that was used to obtain the research result. We conjecture that this lack of adoption is leading an increase in the number of weaknesses in cryptographic protocols: in the case of TLS, protocol designers did not use formal verification technology in the protocol’s design phase up until TLS 1.3, and that was only due to automated formal verification helping discover a large number of attacks in TLS 1.2 and below [14, 15,17], and was, again, only accomplished via collaboration with the designers of the formal verification tools themselves. 1.1

Verifpal’s Design Goals

It is important to discern that Verifpal does not aim to produce security proofs in the traditions of tools such as CryptoVerif [19]. In deciding Verifpal’s priorities,

Verifpal: Cryptographic Protocol Analysis for the Real World

153

we slam the brakes at the moment where the learning curve, effort and analysis cost begin to have strongly diminishing returns for the user while still maintaining a responsible level of rigor via a formal treatment of Verifpal’s semantics and analysis methodology. Our bet is that this path forward for Verifpal will lead to a hugely more substantial impact for engineers and practitioners than traditional automated proof modeling tools. In this paper, we will for example see how Verifpal makes compromises in analysis completeness that preclude its ability to output full proofs but that greatly increase the likelihood of analysis termination (a significant problem for tools such as ProVerif) without having an apparently significant impact on the analysis of real-world, non-Ivory-Tower protocols. Verifpal is able to analyze the security of complex protocols, such as Signal, and query for complex attack scenarios such as post-compromise security and key compromise impersonation, across unbounded session executions of the protocol and with fresh values not being shared across sessions. By giving practitioners this powerful symbolic analysis paradigm in an intuitive package, Verifpal stands a chance at making symbolic formal verification a staple in the diet of any protocol designer. 1.2

Simplifying Protocol Analysis with Verifpal

Extensive experience with automated formal verification tools has led us to the hypothesis that the prerequisite knowledge, modeling languages and structure in which the tools formalize their results are a significant barrier against wider adoption. Verifpal is an attempt to overcome this barrier. Building upon contemporary research in symbolic formal verification, Verifpal’s main aim is to appeal more to real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. Verifpal has four main design principles: An Intuitive Language for Modeling Protocols. Verifpal’s internal logic relies on the deconstruction and reconstruction of abstract terms, similar to existing symbolic verification tools. However, it reasons about the protocol model with explicit principals: Alice and Bob exist, they have independent states, they know certain values and perform operations with cryptographic primitives. They send messages to each other over the network, and so on. The Verifpal language is meant to illustrate protocols close to how one may describe them in an informal conversation, while still being precise and expressive enough for formal modeling. We argue that this paradigm extends beyond mere convenience, but extends protocol modeling and verification towards a necessary level of intuitiveness for real adoption. Modeling That Avoids User Error. Verifpal does not allow users to define their own cryptographic primitives. Instead, it comes with built-in cryptographic functions: ENC and DEC representing encryption and decryption, AEAD_ENC and AEAD_DEC representing authenticated encryption and decryption, RINGSIGN and SIGN representing asymmetric primitives, etc.—this is meant to remove the

154

N. Kobeissi et al.

potential for users to define fundamental cryptographic operations incorrectly. Verifpal also adopts a global name-space for all constants and does not allow constants to be redefined or assigned to one another. This enforces models that are clean and easy to follow. Furthermore, Sect. 3.1 briefly describes Verifpal’s use of heuristics in order to avoid non-termination due to state space explosion, a common problem with automated protocol verification tools. Easy to Understand Analysis Output. Existing tools provide “attack traces” that illustrate a deduction using session-tagged values in a chain of symbolic deconstructions. Verifpal follows a different approach: while it is analyzing a model, it outputs notes on which values it is able to deconstruct, conceive of, or reconstruct. When a contradiction is found for a query, the result is related in a readable format that ties the attack to a real-world scenario. This is done by using terminology to indicate how the attack could have been possible, such as through a mayor-in-the-middle attack on ephemeral keys. Compatibility with the Coq Theorem Prover. The Verifpal language and passive attacker analysis methodology has recently been formalized within the Coq theorem prover [13]. Consequently, Verifpal models can be automatically translated within Coq using the Verifpal software. This allows for further analysis in more established frameworks while also granting a higher level of confidence in Verifpal’s analysis methodology. Currently, the Coq work provides a complete formalized illustration of the Verifpal language semantics and of Verifpal analysis under a passive attacker. Our eventual goal is to use Coq as an attestation layer to Verifpal’s soundness logic and show that Verifpal analysis results can be attested as sound via the generated Coq implementations. In addition, Verifpal models can also be translated into ProVerif models for an additional parallel verification venue. 1.3

Related Work

Verifpal arrives roughly two decades since automated formal verification became a research focus. Here, we outline some of the more pertinent formal verification tools, use cases and broader methodologies this research area has seen, and which Verifpal aims to supersede in terms of accessibility and real-world usability. Verifpal is heavily inspired by the ProVerif [21,22] protocol verifier, designed by Bruno Blanchet. It does not construct all terms out of Horn clauses [26] in the way that ProVerif does, and it does not use the applied pi-calculus [1] as its modeling language. However, its analysis logic is inspired by ProVerif and is similarly based on the Dolev-Yao model [43]. ProVerif’s construction/deconstruction/rewrite logic is also mirrored in Verifpal’s own design. ProVerif has been recently used to formally verify TLS 1.2 and TLS 1.3 [15], Let’s Encrypt’s ACME certificate issuance protocol [16], the Signal secure messaging protocol [54], the Noise Protocol Framework [55], the Plutus network filesystem [23], e-voting protocols [5,31,33,41], FIDO [63] and many more use cases. The Tamarin [66] protocol prover also works under the symbolic model, but derives the progeny of its analysis from principals’ state transitions rather than

Verifpal: Cryptographic Protocol Analysis for the Real World

155

from the viewpoint of an attacker observing and manipulating network messages. It is also different from ProVerif in its analysis style, and its modeling language is unique within the domain. Tamarin has been recently used to formally verify Scuttlebutt [35], TLS [34], WireGuard [45], 5G [9,32], the Noise Protocol Framework [48], multiple e-voting protocols [10,25] and many more use cases. Scyther1 [11,38], whose authors also work on Tamarin, offers unbounded verification with guarantees of termination but uses a more accessible and explicit modeling language than Tamarin. Scyther has been used to analyze IKEv1 and IKEv2 [39] (used in IPSec), a large amount of Authenticated Key Exchange (AKE) protocols such as HMQV, UM and NAXOS [8], and to check for “multiprotocol attacks” [37]. Research focus seems to be moving towards Tamarin, but Scyther is still sometimes used. AVISPA [4]’s modeling language is somewhat similar to Verifpal’s: both have a focus on describing “actors” with “roles”, and explicitly attempt to allow the user to illustrate the protocol intuitively, as if describing actors in a theatrical play. Despite this, work on AVISPA seems to have largely moved to a successor tool, AVANTSSAR [3] which shares many of the same authors. In 2016, a new authentication protocol was designed and prototyped with AVISPA [2]. In 2011, Facebook’s Connect single sign-on protocol was modeled with AVISPA [60]. FDR [47] is not specifically a protocol verifier, but rather a refinement and equivalence checker for processes written using the Communicating Sequential Processes language [50]. CSP can be used to illustrate processes that capture secure channel protocols, and security queries can be illustrated as refinements or properties resulting from these processes. In that sense, FDR can act as a protocol verifier. In 2014, an RFID authentication protocol was formally verified using FDR [69]. A performance analysis of symbolic formal verification tools by Lafourcade and Pus [56], conducted in 2015, as well as a preceding study by Cremers and Lafourcade in 2011 [36] found mixed results, with ProVerif coming out on top more often than not. ProVerif and Tamarin appear to be the current titans of the symbolic verification space, and they tend to compliment each other due to diverging design decisions: for example, ProVerif does not require human assistance for verification, but sometimes may not terminate and may also sometimes find false attacks (although it is proven not to miss attacks.) Tamarin, on the other hand, claims to always yield a proof or an attack, but may require human assistance, therefore making it less suited for fully automated analysis—in some cases, fully automated analysis can be necessary to achieve certain research goals [55]. 1.4

Formal Verification Paradigms

Verifpal, as well as all of the tools cited above, analyze protocols in the symbolic model. There are other methodologies in which to formally verify protocols, 1

Not to be confused with the bug/flying-type Pok´emon of the same name, which, despite its “ninja-like agility and speed” [62], does not appear to have published work in formal verification.

156

N. Kobeissi et al.

including the computational model or, for example, by using SMT solvers. We choose the symbolic model as the focus of our research due to its academic success record in verifying contemporary protocols and due to its propensity for fully automated analysis. It should be noted, however, that more precise analysis can often be achieved using the aforementioned formal verification methodologies. Cryptographers, on the other hand, prefer to use computational models and do their proofs by hand. A full comparison between these styles [20] is beyond the scope of this work; here we briefly outline their differences in terms of the tools currently used in the field. ProVerif, Tamarin, AVISPA and other tools analyze symbolic protocol models, whereas tools such as CryptoVerif [19] verify computational models. The input languages for both types of tools can be similar. However, in the symbolic model, messages are modeled as abstract terms. Processes can generate new nonces and keys, which are treated as atomic opaque terms that are fresh and unguessable. Functions map terms to terms. For example, encryption constructs a complex term from its arguments (key and plaintext) that can only be deconstructed by decryption (with the same key). In ProVerif, for example, the attacker is an arbitrary process running in parallel with the protocol, which can read and write messages on public channels and can manipulate them symbolically. In the computational model, messages are concrete bit-strings. Freshly generated nonces and keys are randomly sampled bit-strings that the attacker can guess with some probability (depending on their length). Encryption and decryption are functions on bit-strings to which we may associate standard cryptographic assumptions such as IND-CCA. The attacker is a probabilistic polynomial-time process running in parallel. The analysis techniques employed by the two tools are quite different. Symbolic verifiers search for a protocol trace that violates the security goal, whereas computational model verification tries to construct a cryptographic proof that the protocol is equivalent (with high probability) to a trivially secure protocol. Symbolic verifiers are easy to automate, while computational model tools, such as CryptoVerif, are semi-automated: it can search for proofs but requires human guidance for non-trivial protocols. Queries can also be modeled similarly in symbolic and computational models as between events, but analysis differs: in symbolic analysis, we typically ask whether the attacker can derive a secret, whereas in the computational model, we ask whether it can distinguish a secret from a random bit-string. Recently, the F programming language [65], which exports type definitions to the Z3 theorem prover [40], has been used to produce implementations of TLS [65] and Signal that are formally verified for functional correctness at the level of the implementation itself [64]. 1.5

Contributions

We present the following contributions:

Verifpal: Cryptographic Protocol Analysis for the Real World

157

– In Sect. 1, we introduce Verifpal and provide a comparison against existing automated verification tools in the symbolic model, as well as a recap of the current state of the art. – In Sect. 2, we introduce the Verifpal modeling language and provide some justifications for the language’s design choices as well as examples. – In Sect. 3, we discuss Verifpal’s protocol analysis logic and whether we can be certain that Verifpal will not miss an attack on a protocol model. We also show that Verifpal can find attacks on sophisticated protocols, matching results previously obtained in ProVerif, and demonstrate Verifpal’s improved protocol analysis trace output which makes discovered attacks easier to discern for the user. – In Sect. 4, we provide the first formal model of the DP-3T decentralized pandemic-tracing protocol [68], written in Verifpal, with queries and results on unlinkability, freshness, confidentiality and message authentication. – In Sect. 5, we introduce Verifpal’s Coq compatibility layer. We show how Verifpal’s semantics and verification logic (for passive attacker only) are captured in the Coq theorem prover, as well as how Verifpal can translate arbitrary Verifpal models into Coq and ProVerif for further analysis. – In Sect. 6, we conclude with a discussion of future work. Verifpal is available as free and open source software at https://verifpal.com. In addition, Verifpal provides a Visual Studio Code extension that enables it to function as an IDE for the modeling, analysis and verification of cryptographic protocols (Fig. 2).

Fig. 2. A complete example Verifpal model of a simple protocol is shown on the left.

2

The Verifpal Language

Verifpal’s language is meant to be simple while allowing the user to capture comprehensive protocols. We posit that an intuitive language that reads similarly

158

N. Kobeissi et al.

to regular descriptions of secure channel protocols will provide a valuable asset in terms of modeling cryptographic protocols, and design Verifpal’s language around that assertion. This is radically different from how the languages of tools such as ProVerif and Tamarin are designed: the former is derived from the applied-pi calculus and the latter from a formalism of state transitions, making it reasonable to say that readability and intuitiveness were not the primary goals of these languages. When describing a protocol in Verifpal, we begin by defining whether the model will be analyzed under a passive or active attacker. Then, we define the principals engaging in activity other than the attacker. These could be Alice and Bob, a Server and one or more Clients, etc. Once we have described the actions of more than one principal, it’s time to illustrate the messages being sent across the network. Then, after having illustrated the principals’ actions and their messages, we may finally describe the questions, or queries (can a passive attacker read the first message that Alice sent to Bob? Can Alice be impersonated by an active attacker?) that we will ask Verifpal. 2.1

Primitives in Verifpal

In Verifpal, cryptographic primitives are essentially “perfect”. That is to say, hash functions are perfect one way functions, and not susceptible to something like length extension attacks. It is also not possible to model for, say, encryption primitives that use 40-bit keys, which could be guessed easily, since encryption functions are perfect pseudo-random permutations, and so on. Internally in Verifpal’s standard implementation, all primitives are defined using a common spec called PrimitiveSpec which restricts how they can be expressed to a set of common rules. Aside from information such as the primitive’s names, arity and number of outputs, each PrimitiveSpec defines a primitive solely via a combination of four standard rules: – Decompose. Given a primitive’s output and a defined subset of its inputs, reveal one of its inputs. (Given ENC(k, m) and k, reveal m). – Recompose. Given a subset of a primitive’s outputs, reveal one of its inputs. (Given a, b, reveal x if a,b,_ = SHAMIR_SPLIT(x)). – Rewrite. Given a matching defined pattern within a primitive’s inputs, rewrite the primitive expression itself into a logical subset of its inputs. (Given DEC(k, ENC(k, m)), rewrite the entire expression DEC(k, ENC(k, m)) to m). – Rebuild. Given a primitive whose inputs are all the outputs of some same other primitive, rewrite the primitive expression itself into a logical subset of its inputs. (Given SHAMIR_JOIN(a, b) where a, b, c = SHAMIR_SPLIT(x), rewrite the entire expression SHAMIR_JOIN(a, b) to x). If analyzing under a passive attacker, then Verifpal will only execute the model once. Therefore, if a checked primitive fails, the entire verification procedure will abort. Under an active attacker, however, Verifpal is forced to execute the model once over for every possible permutation of the inputs that can be

Verifpal: Cryptographic Protocol Analysis for the Real World

159

affected by the attacker. Therefore, a failed checked primitive may not abort all executions—and messages obtained before the failure of the checked primitive are still valid for analysis, perhaps even in future sessions. Messages, Guarded Constants, Checked Primitives and Phases. Sending messages over the network is simple. Only constants may be sent within messages: Example: Messages Alice→ Bob: ga, e1 Bob→ Alice: [gb], e2

In the first line of the above, Alice is the sender and Bob is the recipient. Notice how Alice is sending Bob her long-term public key ga = Gˆa. An active attacker could intercept ga and replace it with a value that they control. But what if we want to model our protocol such that Alice has pre-authenticated Bob’s public key gb = Gˆb? This is where guarded constants become useful. In the second message from the above example, we see that gb is surrounded by brackets ([]). This makes it a “guarded” constant, meaning that while an active attacker can still read it, they cannot tamper with it. In that sense it is “guarded” against the active attacker. In Verifpal, ASSERT, SPLIT, AEAD_DEC, SIGNVERIF and RINGSIGNVERIF are “checkable” primitives: if we add a question mark (?) after one of these primitives, then the model execution will abort should AEAD_DEC fail authenticated decryption, or should ASSERT fail to find its two provided inputs equal, or should SIGNVERIF fail to verify the signature against the provided message and public key. For example: SIGNVERIF(k, m, s)? makes this instantiation of SIGNVERIF a “checked” primitive. Phases allow Verifpal to express notions of temporal logic, which allow for reliable modeling of post-compromise security properties such as forward secrecy or future secrecy. When modeling with an active attacker, a new phase can be declared: Example: Phases Bob→ Alice: b1 phase[1] principal Alice[leaks a2]

In the above example, the attacker won’t be able to learn a2 until the execution of everything that occurred in phase 0 (the initial phase of any model) is concluded. Furthermore, the attacker can only manipulate a2 within the confines of the phases in which it is communicated. That is to say, the attacker will have knowledge of b1 when doing analysis in phase 1, but won’t be able to manipulate b1 in phase 1. The attacker won’t have knowledge of a2 during phase 0, but will be able to manipulate b1 in phase 0. Phases are useful to model scenarios where, for example, the attacker manages to steal Alice’s keys strictly after a protocol has been executed, allowing the attacker to use their knowledge of that key material, but only outside of actually injecting it into a running protocol session.

160

N. Kobeissi et al.

Values are learned at the earliest phase in which they are communicated, and can only be manipulated within phases in which they are communicated, which can be more than one phase since Alice can for example send a2 later to Carol, to Damian, etc. Importantly, values derived from mutations of b1 in phase 0 cannot be used to construct new values in phase 1. 2.2

Queries

Here are examples of three different types of queries: Simple Example Protocol: Queries queries[ confidentiality? m1 authentication? Bob→ unlinkability? ga, m1 ]

Alice: e1

The above example is drawn from Verifpal’s current four query types: – Confidentiality Queries: Confidentiality queries are the most basic of all Verifpal queries. We ask: “can the attacker obtain m1?”—where m1 is a sensitive message. If the answer is yes, then the attacker was able to obtain the message, despite it being presumably encrypted. When used in conjunction with phases, confidentiality queries can however be used to model for advanced security properties such as forward secrecy. – Authentication Queries: Authentication queries rely heavily on Verifpal’s notion of “checked” or “checkable” primitives. Intuitively, the goal of authentication queries is to ask whether Bob will rely on some value e1 in an important protocol operation (such as signature verification or authenticated decryption) if and only if he received that value from Alice. If Bob is successful in using e1 for signature verification or a similar operation without it having been necessarily sent by Alice, then authentication is violated for e1, and the attacker was able to impersonate Alice in communicating that value. – Freshness Queries: Freshness queries are useful for detecting replay attacks, where an attacker could manipulate one message to make it seem valid in two different contexts. In passive attacker mode, a freshness query will check whether a value is “fresh” between sessions (i.e. if it has at least one composing element that is generated, non-static). In active attacker mode, it will check whether a value can be rendered “non-fresh” (i.e. static between sessions) and subsequently successfully used between sessions. – Unlinkability Queries: Protocols such as DP-3T (see Sect. 4), voting protocols and RFID-based protocols posit an “unlinkability” security property on some of their components or processes. Definitions for unlinkability vary wildly despite the best efforts of researchers [6,49,67], but in Verifpal, we adopt the following definition: “for two observed values, the adversary cannot distinguish between a protocol execution in which they belong to the same user and a protocol execution in which they belong to two different users.”

Verifpal: Cryptographic Protocol Analysis for the Real World

2.3

161

Query Options

Imagine that we want to check if Alice will only send some message to Carol if it has first authenticated it from Bob. This can be accomplished by adding the precondition option to the authentication query for e: Query Options Example queries[authentication? Bob→ Alice: e[ precondition[Alice→ Carol: m2]]]

The above query essentially expresses: “The event of Carol receiving m2 from Alice shall only occur if Alice has previously received and authenticated an encryption of m2 as coming from Bob.”

3

Analysis in Verifpal

Verifpal’s active attacker analysis methodology follows a simple set of procedures and algorithms. The overall process is comprised of five steps (see Fig. 3 for an illustration): 1. Gather values. Attacker passively observes a protocol execution and gathers all values shared publicly between principals. 2. Insert learned values into attacker state. Attacker’s state (VA ) obtains newly learned values. 3. Apply transformations. Attacker applies the four transformations (detailed below) on all obtained values. 4. Prepare mutations for next session. If the attacker has learned new values due to the transformations executed in the previous step, they create a combinatorial table of all possible value substitutions, and from that, derive a set of all possible value substitutions across future executions of the protocol on the network. 5. Iterate across protocol mutations. Attacker proceeds to execute the protocol across sessions, each time “mutating” the execution by mayor-in-themiddling a value. Attacker then returns to step 1 of this list. The process continues so long as the attacker keeps learning new values. After each step, Verifpal checks to see if it has found a contradiction to any of the queries specified in the model and informs the user if such a contradiction is found. The four main transformations mentioned above are the following: – Resolve. Resolves a certain constant to its assigned value (for example, a primitive or an equation). Executed on VA , the set of all values known by the attacker. – Deconstruct. Attempts to deconstruct a primitive or an equation. In order to deconstruct a primitive, the attacker must possess sufficient values to satisfy the primitive’s rewrite rule. For example, the attacker must possess k and e in order to obtain m by deconstructing e = ENC(k, m) with k. In order to reconstruct an equation, the attacker must similarly possess all but one private exponent. Executed on VA , the set of all values known by the attacker.

162

N. Kobeissi et al.

Fig. 3. Verifpal analysis methodology. On the left, the three fundamental types usable in Verifpal models are illustrated. As noted in Sect. 2.1, all primitives are defined via a standard PrimitiveSpec structure with four logical rules. On the right, a model analysis is illustrated: first, the Verifpal model is parsed and translated into a global immutable “knowledge map” structure from which a “principal state” is derived for each declared principal. Based on the messages exchanged between these principal states, the attacker obtains values to which it can recursively apply the four transformations discussed in Sect. 3 before executing mutated sessions while still following the heuristics touched upon in Sect. 3.1, until it is unable to learn new values.

– Reconstruct. Attempts to reconstruct primitives and equations given that the attacker possesses all of the component values. Executed on VA , the set of all values known by the attacker, as well as on VP , the values known by the principal whose state is currently being evaluated by the attacker. – Equivalize. Determines if the attacker can reconstruct or equivalize any values within VP from VA . If so, then these equivalent values are added to VA . Verifpal’s goal is to obtain as many values as it is logically possible from their viewpoint as an attacker on the network. As a passive attacker, Verifpal can only do this by deconstructing the values made available as they are shared between principals, and potentially reconstructing them into different values. As an active attacker, Verifpal can modify unguarded constants as they cross the network. Each modification could result in learning new values, so an unbounded number of modifications can occur over an unbounded number of protocol executions.

Verifpal: Cryptographic Protocol Analysis for the Real World

163

“Fresh” (i.e. generated) values are not kept across different protocol executions, as they are assumed to be different for every session of the protocol. An active attacker can also generate their own values, such as a key pair that they control, and fabricate new values that they use as substitutes for any unguarded constants sent between principals. If, during a protocol execution, a checked primitive fails, that session execution is aborted and the attacker moves on to the next one. However, values obtained thus far in that particular session execution are kept. 3.1

Preventing State Space Explosion

A common problem among symbolic model protocol verifiers is that for complex protocols, the space of the user states and value combinations that the verifier must assess becomes too large for the verifier to terminate in a reasonable time. Verifpal optimizes for this problem via certain heuristic techniques: first, Verifpal separates its analysis into a number of stages in which it gradually allows itself to modify more and more elements of principals’ states. Only in later stages are the internal values of certain primitives (which are labeled “explosive” in their PrimitiveSpec) mutated. Verifpal also imposes other restrictions, such as limiting the maximum number of inputs and outputs of any primitive to five. Thus, Verifpal achieves unbounded state analysis, similarly to ProVerif, but also applies a set of heuristics that are hopefully more likely to achieve termination in a more reasonable time for large models (such as those seen for TLS 1.3 or Signal with more than three messages). Verifpal also leverages multi-threading and other such techniques to achieve faster analysis. Verifpal’s stages segment its search strategy in essentially the following way, with the aim to hold back infinite mutation recursion depth as far as possible, unless queries cannot be contradicted without it: – Stage 1: All of the elements of passive attacker analysis, plus constants and equation exponents may be mutated to nil only and not to each other (for equations, this means that gˆa mutates to gˆnil but not to gˆb). – Stage 2: All of the elements of Stage 1, plus non-explosive primitives are mutated but without exceeding a call depth that is pre-determined in relation to the way in which they were employed by principals in the Verifpal model. For example, HASH(HASH(x)) will not mutate to HASH(HASH(HASH(y))) (since the call depth is deeper in the mutation), and ENC(HASH(k), Gˆy) will not mutate to ENC(PW_HASH(k), k) (since the “skeleton” of the original primitive does not employ PW_HASH, but HASH, and employs an equation (Gˆy) as the second argument and not a constant (k)). – Stage 3: All of the elements of Stage 2, with the inclusion of explosive primitives. – Stage 4: All of the elements of Stage 3, with the addition of constants and equation exponents being replaced with one another and not just nil. – Stage 4 and beyond: All of the elements of Stage 3, with the addition of primitives being allowed a mutation depth of n − 3 where n represents the

164

N. Kobeissi et al.

current Stage, so long as the resulting mutations have the same “skeleton” as defined in Stage 2. 3.2

Analysis Results of Real-World Protocols

It is important to understand that the measures Verifpal takes to encourage analysis termination, as touched upon earlier in Sect. 3.1, do not affect the comprehensiveness of results that Verifpal can obtain from the analysis of real-world protocols. Verifpal ships with an integration testing suite comprised of 54 testing protocols. Of these, we highlight the following non-trivial protocols which have also been modeled in other symbolic analysis tools: – Signal is modeled in Verifpal as well as in ProVerif [54] and in Tamarin [29]. All three analyses obtain matching results when checking for message confidentiality, authentication and post-compromise security. Post-compromise security is modeled using temporal logic (see Sect. 2.1) in all three analysis frameworks. – Scuttlebutt is modeled in Verifpal as well as in ProVerif [57], CryptoVerif and in Tamarin [35]. All three analyses obtain matching results when checking for message confidentiality and authentication queries. – Verifpal also obtained results matching state-of-the art analysis on the Telegram MTProto “secure chat” protocol [52,58], Firefox Sync and ProtonMail’s email encryption feature towards recipients that do not use ProtonMail [53]. Queries were contradicted (or not contradicted) in the same scenarios across Verifpal, ProVerif and Tamarin, depending on which key materials were leaked, and when. Various forms of partial state leakage were tested. Aside from the above relatively sophisticated protocols, Verifpal obtained matching results on many variants of Needham-Schroeder, the “FFGG” “parallel attack” protocol discussed in Sect. 3.3, and over 50 other test protocols, some of which are mirrored in ProVerif’s own test suite. Finally, Verifpal was used by the popular Zoom telecommunications software in May 2020 during the entire conception and design process of their revised [24] end-to-end encryption protocol. During this collaboration, Verifpal not only helped the Zoom team design their protocol from scratch but also spotted non-obvious attacks which the Zoom team were able to fix prior to publication. 3.3

Improving Readability of Protocol Analysis Traces

ProVerif and Verifpal both ship with a set of example protocol models. Of those protocol models, the “FFGG” protocol [61] is included due to it requiring a parallel attack in order for confidentiality queries to be contradicted. We take Verifpal and ProVerif’s models of FFGG and modify them to be as functionally and structurally similar as possible.2 2

The full Verifpal and ProVerif FFGG models are available at https://source. symbolic.software/verifpal/verifpal/-/tree/master/examples.

Verifpal: Cryptographic Protocol Analysis for the Real World

165

Fig. 4. ProVerif and Verifpal attack traces for the protocol discussed in Sect. 3.3.

Figure 4 shows a ProVerif trace compared to a Verifpal trace for the confidentiality query contradiction on message m in FFGG.3 The Verifpal trace shows the two parallel sessions required for the attack to be pulled off, clearly noting which values had to be mutated by the attacker alongside their original resolved values. Each session ends with the message that had to be obtained by the attacker and re-used in the following session for the attack to work. In this case, msg2, which resolved to PKE_ENC(Gˆskb, CONCAT(n1, m, n1)), was injected by the active attacker to replace msg in the second session as it traveled across the network. As discussed in Sect. 1.2, one of Verifpal’s design principles is to improve the readability of protocol analysis traces. In line with this goal, Verifpal’s trace also makes it easier to see how the mutation of preceding values affects the resolution of values that are composed of those mutated values. In longer, more complex protocol models, Verifpal is able to still output traces of relatively similar size and simplicity, whereas the growth of complexity and length in ProVerif traces is more substantial.

4

Case Study: Contact Tracing

During the COVID-19 pandemic, a rise was observed in the number of proposals for privacy-preserving pandemic and contact tracing protocols. Arguably the most popular and well-analyzed of these proposals is the Decentralized PrivacyPreserving Proximity Tracing (DP-3T) protocol [68], which aims to “simplify and accelerate the process of identifying people who have been in contact with an infected person, thus providing a technological foundation to help slow the spread of the SARS-CoV-2 virus”, and to “minimize privacy and security risks for individuals and communities and guarantee the highest level of data protection.” 3

ProVerif is also capable of outputting graphical representations of attack traces, which could make them easier to read and understand.

166

4.1

N. Kobeissi et al.

Modeling DP-3T in Verifpal

To demonstrate DP-3T, we will assume that the principals participating in this simulation are the following: – A population of 3 individuals: Alice, Bob, and Charlie, each of them possessing a smartphone: SmartphoneA, SmartphoneB, and SmartphoneC respectively; – A Healthcare Authority serving this population; – A Backend Server, that individuals can communicate with to obtain daily information. We begin by defining an attacker which matches with our security model, which, in this case, is an active attacker. We then proceed to illustrate our model as a sequence of days in which DP-3T is in operation within the life cycle of a pandemic. Day 0: Setup Phase. We assume that no new individuals were diagnosed with the disease on Day 0 of using DP-3T. This means that the Healthcare Authority and the Backend Server will not act at this stage and we can simply ignore them for now. The DP-3T specification states that every principal, when first joining the system, should generate a random secret key (SK) to be used for one day only. For every SK value, and the knowledge of a public “broadcast key” value, principals should compute multiple Unique Ephemeral ID values (EphID) using a combination of a PRG and a PRF. The method of generating EphID is analogous with the HKDF function from Verifpal. We could add the following lines of code to our file in order to model Alice’s SmartphoneA: DP-3T: SmartphoneA, B and C Setup principal SmartphoneA[ knows public BroadcastKey generates SK0A EphID00A, EphID01A, EphID02A = HKDF(nil, SK0A, BroadcastKey) ]

Whenever two principals would come to be in physical proximity of each other, they would automatically exchange EphIDs. Once a principal uses an EphID value, they discard it and use another one when performing an exchange with another principal. Let’s imagine that Alice and Bob came into contact. It would mean that Alice sent EphID00A in a message to Bob and that Bob sent EphID00B to Alice. Further, let’s say that in the conclusion of Day 0, Bob sits behind Charlie in the Bus. Day 1. The Backend Server will automatically publish the SK values of people who were infected to the members of the general population. These values were previously unpublished and thus were private and only known by their generators and the server.

Verifpal: Cryptographic Protocol Analysis for the Real World

167

DP-3T: BackendServer Communication principal BackendServer[ knows private infectedPatients0 ] BackendServer→ SmartphoneA: infectedPatients0 // Also to SmartphoneB/C

Every day starting from Day 1, DP-3T mandates that principals will generate new SK values. The new value will be equal to the hash of the SK value from the day before. Principals will also generate EphIDs just like before. DP-3T: EphID Generation principal SmartphoneA[ SK1A = HASH(SK0A) EphID10A, EphID11A, EphID12A = HKDF(nil, SK1A, BroadcastKey) ] // Similar principal blocks for SmartphoneB/C here

Thankfully, Alice, Bob and Charlie were committed to self-confinement and have stayed at home, so they did not exchange EphIDs with anyone. Day 2. A similar sequence of events takes place. Since it is sufficient to define the values that we will need later on in our model, we will just define a block for Alice. DP-3T: EphID Generation principal SmartphoneA[ SK2A = HASH(SK1A) EphID20A, EphID21A, EphID22A = HKDF(nil, SK2A, BroadcastKey) ]

Fast-Forward to Day 15. Unfortunately, Alice tests positive for COVID-19. Since this breaks the routine that happened between Day 1 and Day 15, we will announce a new phase (see Sect. 2.1) in our protocol model: DP-3T: Declaring a New Phase phase[1]

Alice decides to announce her infection anonymously using DP-3T. This means that she will have to securely communicate SK1A (her SK value from 14 days ago) to the Backend Server, using a unique trigger token provided by the healthcare authority. Assuming that the Backend Server and the Healthcare Authority share a secure connection, and that a key ephemeral_sk has been exchanged off the wire by the Healthcare Authority, Alice, and the Backend Server, the Healthcare Authority will encrypt a freshly generated triggerToken using ephemeral_sk and send it to both Alice and the Backend Server. DP-3T: Sending Tokens to HealthCareAuthority principal HealthCareAuthority[ generates triggerToken knows private ephemeral_sk m1 = ENC(ephemeral_sk, triggerToken) ] HealthCareAuthority→ BackendServer : [m1] HealthCareAuthority→ SmartphoneA : m1

168

N. Kobeissi et al.

Then, Alice would have to use an AEAD cipher to encrypt SK1A using as the key and triggerToken as additional data and send the output to the BackendServer. Note that Alice can only obtain triggerToken after decrypting m1 using ephemeral_sk.

ephemeral_sk

DP-3T: Communicating with BackendServer principal SmartphoneA[ knows private ephemeral_sk m1_dec = DEC(ephemeral_sk, m1) m2 = AEAD_ENC(ephemeral_sk, SK1A, m1_dec) ] SmartphoneA→ BackendServer: m2

4.2

DP-3T Analysis Results

Since SK1A is now shared publicly, the DP-3T software running on anyone’s phone should be able to re-generate all EphID values generated by the owner of SK1A starting from 14 days prior to the day of diagnosis. These values would then be compared with the list of EphIDs they have received. Everyone who came in contact with Alice will therefore be notified that they have exchanged EphIDs with someone who has been diagnosed with the illness without revealing the identity of that person. DP-3T: Queries queries[ // Check if values shared 15 days before testing get flagged confidentiality? EphID02A // Check if Alice’s previous EphIDs can be computed by passerbys confidentiality? EphID10A, EphID11A, EphID12A, EphID20A, EphID21A, EphID22A // Is the server able to Authenticate Alice as the sender of m2? authentication? SmartphoneA→ BackendServer: m2 // Unlinkability of HKDF values unlinkability? EphID02A, EphID00A, EphID01A ]

The results of our initial modeling in Verifpal suggest to us the following: – No EphIDs generated by Alice are known by any parties before Alice announces her illness. – EphID02A remains confidential even after Alice declaring her illness. Note that it was generated 15 days before Alice got tested. – All of the following values EphID10A, EphID11A, EphID12A, EphID20A, EphID21A, EphID22A have been recoverable by an attacker in phase[1] after Alice announces her illness. These results come in line with what is expected from the protocol. We note that the security of communication channels between Healthcare Authorities, Backend Servers, and Individuals have not been defined, and we have placed our hypothetical security conditions in order to focus on quickly sketching the DP-3T protocol. While further analysis will be required in order to better elucidate the extent of the obtained security guarantees, Verifpal radically speeds up this process by allowing for the automated translation of easy-to-write Verifpal models to full-fat Coq and ProVerif models, as discussed in Sect. 5.

Verifpal: Cryptographic Protocol Analysis for the Real World

5

169

Verifpal in Coq and ProVerif

Verifpal’s core verification logic and semantics can be captured in Coq using our Verifpal Coq Library. This library includes high level functions that can be used to perform analysis on any valid protocol modeled using the Verifpal language. Additionally, a Verifpal functionality has been developed that automatically generates Coq code which uses the high level functions from our library, when input with a protocol file. This automates the process of translating Verifpal models into representations that could be further analysed using Coq’s powerful paradigm of constructive logic. Once executed, this Coq code would yield results for the queries defined in the protocol model. Parallel Analysis Confirmation in Coq and ProVerif. In addition to being able to output Coq implementations of Verifpal models, Verifpal is also able to translate Verifpal protocol models into ProVerif models. A similar approach is used: the generated models include a pre-defined library implementing all Verifpal primitives in the applied-pi calculus. ProVerif tables are used to keep track of principal states, with principal blocks being converted to let declarations. A public channel is used to exchange values and to potentially leak them to the attacker. Finally, the top-level process is declared as a parallel execution of all principal let declarations. This latter formulation of the Verifpal model in ProVerif allows us to make use of ProVerif’s ability to model the parallel execution of processes. By providing robust support for automatic translation of arbitrary models into Coq and ProVerif, Verifpal simultaneously allows for its own semantics to be defined more concretely and in relationship to established verification paradigms, while also increasing confidence in its own verification methodology by mirroring its results on security queries within the analysis framework of tools that have existed for decades. Verifpal Semantics in Coq. We define several types to capture all of the primitives of the Verifpal language in Coq. For example, we have defined constant, Principal, and knowledgemap as inductive types to capture the notions of constant, principal and knowledgemap from Verifpal respectively. Whenever a principal declares, generates, assigns, leaks, or receives a message, an item of knowledge would be added to their state. Suppose that Alice wants to send c to Bob, and that the latest knowledgemap contains Alice’s internal state a, ma, ka as well as Bob’s state, most relevantly a. We use send_message to send c from Alice to Bob and thereby update the knowledgemap of both principals. Bob’s state gets updated with the value c, to contain both a and c, after the function is executed. All of the primitives supported by Verifpal are formally specified in our Coq library. Outputs of certain primitives are defined as sub-types of the type constant. As an illustrative example, we demonstrate a lemma that proves decidable equality between elements of type constant. This lemma essentially captures the functionality of the ASSERT core primitive. When Alice performs c = ENC(ka, ma), and then sends c over the wire, we would expect that the decryption of c would only yield the plaintext ma if and

170

N. Kobeissi et al.

only if the key used to decrypt c is the same one that was used for encrypting ma, as defined in our formalization of the DEC primitive (see Sect. 2). We provide additional lemmas to prove that our model satisfies the behavior expected from our primitives. For example, we can prove that DEC(kb, ENC(ka, ma)) would yield ma using the enc_dec Theorem (see Sect. 2). Verifpal Analysis in Coq. Using the functionality provided by the Verifpal Coq library, and the Coq code generation feature of Verifpal, it is possible to perform a symbolic execution of any protocol that can be modeled using Verifpal. In addition, it is possible to independently run the axioms on which our primitives and analysis methodology are defined by simply running the included proofs that are written using the Ltac tactics language supported by Coq. The passive attacker methodology in the Verifpal Coq Library is analogous to that defined in Sect. 3: 1. The attacker can gather values: any value leaked, or declared as public is automatically added to the attacker’s list of knowledge. In addition, any value sent over the wire is known by the attacker. 2. The attacker attempts to apply transformations on the values learned. The definiton of these transformations accompany our primitive definitions and can be independently verifiable. 3. This process is repeated so long as the attacker was able to learn new values. We formalize this methodology using an Attacker inductive type. An instance of type Attacker contains the attacker type, a list of constant values that are known by the attacker, as well as the mutability status for every item of knowledge. constant_meta acts as a wrapper type for constant with the purpose of adding metadata relevant to the declearation of a constant. constant_meta, along with some helper types, is defined as follows: constant_meta elements are stored inside the Principal data structure and constitute the principal’s knowledge. Any value that is transmitted over the wire, is also sent as a constant_meta along with its corresponding metadata. Step 1 of the analysis methodology is modeled with the help of two functions: – absorb_message_attacker enables an Attacker to learn any value when it is being sent over the wire. – absorb_knowledgemap_attacker enables an Attacker to iterate over Principal elements found in the knowledgemap and their lists of constant_meta items. The attacker can learn a constant_meta that they come across strictly if its (l:leak_state) value equals leaked or if its (q:qualifier) equals public, otherwise the value is ignored. At the end of phase[0] of the example protocol, the attacker would have learned the constant c because it was sent over the wire. At the end of phase[1], the attacker would have learned a in addition to c because it was leaked by Alice. In phase[1], the attacker was able to reconstruct HASH1_c a after learning a then consequently attempted DEC(HASH1_c a)c. As discussed earlier, the DEC

Verifpal: Cryptographic Protocol Analysis for the Real World

171

operation would reveal the plaintext if the key provided is equivalent to the encryption key. Developing further we obtain DEC(HASH1_c a) (ENC_c ka ma) then DEC(HASH1_c a) (ENC(HASH1_c a)ma), the attacker would then automatically apply the enc_dec lemma (shown in Sect. 2) to deduce ma and add it to its knowledge. It is worth noting that all transformations that can be applied by the attacker, just like primitives, are accompanied with independently provable lemmas and theorems. Verifpal queries are analogous to decidable processes and help us reason about protocols. The confidentiality query defined would translate to “is the attacker able to obtain the value ma after the protocol is executed?” To answer this, we search in the attacker’s knowledge for a value that is equal to ma using the search_by_name_attacker function; if such a value is found, the query “fails”, otherwise it “passes”. In this case the query would fail, as the attacker was able to obtain ma by applying the methodology from the previous section. Generating a Coq implementation of the protocol discussed will yield an identical result, and could allow the user to verify the soundness of this result by executing the proofs included in the code.

6

Discussion and Conclusion

Verifpal’s focus on prioritizing usability leads it to have no road map to support, for example, declaring custom primitives or rewrite rules as supported in ProVerif and Tamarin. However, future work focuses on giving Verifpal the fine control that tools such as ProVerif can offer over how protocol processes are executed. However, Verifpal has recently managed to gain support for protocol phases and parametrized queries (useful for modeling post-compromise security) as well as querying for unlinkability and other advanced features. Verifpal also ships with a Visual Studio Code extension that turns Verifpal into essentially an IDE for the modeling, development, testing and analysis of protocol models. The extension offers live analysis feedback and diagram visualizations of models being described and supports translating models automatically into Coq. We plan to also launch within the coming weeks support for translating Verifpal models into prototype Go implementations immediately, allowing for live real-world testing of described protocols. Verifpal is also fully capable of supporting a more nuanced definition of primitives recently seen in other symbolic verifiers—for example, recent, more precise models for signature schemes [51] in Tamarin can be fully integrated into Verifpal’s design. We also plan to add support for more primitives as these are suggested by the Verifpal user community. We believe that Verifpal’s verification framework gives it full jurisdiction over maturing its language and feature set, such that it can grow to satisfy the fundamental verification needs of protocol developers without having the barrier-to-entry present in tools such as ProVerif and Tamarin. Verifpal is currently available as free and open source software for Windows, Linux, macOS and FreeBSD, along with a user manual that goes more in-depth into the Verifpal language and analysis methodology, at https://verifpal.com.

172

A

N. Kobeissi et al.

Partial Extract of DP-3T Verifpal Model Automatic Coq Translation

Verifpal: Cryptographic Protocol Analysis for the Real World

173

174

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

175

176

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

177

178

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

179

180

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

181

182

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

183

184

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

185

186

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

187

188

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

189

190

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

191

192

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

193

194

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

195

196

N. Kobeissi et al.

Verifpal: Cryptographic Protocol Analysis for the Real World

197

198

N. Kobeissi et al.

References 1. Abadi, M., Blanchet, B., Fournet, C.: The applied pi calculus: mobile values, new names, and secure communication. J. ACM 65(1), 1:1–1:41 (2018). https://doi. org/10.1145/3127586 2. Amin, R., Islam, S.H., Karati, A., Biswas, G.: Design of an enhanced authentication protocol and its verification using AVISPA. In: 2016 3rd International Conference on Recent Advances in Information Technology (RAIT), pp. 404–409. IEEE (2016) 3. Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., K¨ onig, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-5 19 4. Armando, A., et al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005). https://doi.org/ 10.1007/11513988 27 5. Backes, M., Hritcu, C., Maffei, M.: Automated verification of remote electronic voting protocols in the applied pi-calculus. In: IEEE Computer Security Foundations Symposium, pp. 195–209. IEEE (2008) 6. Baelde, D., Delaune, S., Moreau, S.: A method for proving unlinkability of stateful protocols. Ph.D. thesis, Irisa (2020) 7. Barbosa, M., et al.: SoK: computer-aided cryptography. In: IEEE Symposium on Security and Privacy (S&P). IEEE (2021) 8. Basin, D., Cremers, C.: Modeling and analyzing security in the presence of compromising adversaries. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 340–356. Springer, Heidelberg (2010). https://doi.org/ 10.1007/978-3-642-15497-3 21 9. Basin, D., Dreier, J., Hirschi, L., Radomirovic, S., Sasse, R., Stettler, V.: A formal analysis of 5G authentication. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1383–1396. ACM (2018) 10. Basin, D., Radomirovic, S., Schmid, L.: Alethea: a provably secure random sample voting protocol. In: IEEE 31st Computer Security Foundations Symposium (CSF), pp. 283–297. IEEE (2018) 11. Basin, D., Cremers, C.: Degrees of security: protocol guarantees in the face of compromising adversaries. In: Dawar, A., Veith, H. (eds.) CSL 2010. LNCS, vol. 6247, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-64215205-4 1 12. Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement types for secure implementations. ACM Trans. Program. Lang. Syst. (TOPLAS) 33(2), 1–45 (2011) 13. Bertot, Y., Cast´eran, P.: Interactive Theorem Proving and Program Development: Coq’Art: The Calculus of Inductive Constructions. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-07964-5

Verifpal: Cryptographic Protocol Analysis for the Real World

199

14. Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: IEEE Symposium on Security and Privacy (S&P), pp. 535– 552. IEEE (2015) 15. Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: IEEE Symposium on Security and Privacy (S&P), pp. 483–502. IEEE (2017) 16. Bhargavan, K., Delignat-Lavaud, A., Kobeissi, N.: Formal modeling and verification for domain validation and ACME. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 561–578. Springer, Cham (2017). https://doi.org/10.1007/978-3-31970972-7 32 17. Bhargavan, K., Lavaud, A.D., Fournet, C., Pironti, A., Strub, P.Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy (S&P), pp. 98–113. IEEE (2014) 18. Bhargavan, K., Leurent, G.: On the practical (in-) security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456– 467 (2016) 19. Blanchet, B.: CryptoVerif: computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl Seminar on Applied Formal Protocol Verification, p. 117 (2007) 20. Blanchet, B.: Security protocol verification: symbolic and computational models. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 3–29. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28641-4 2 21. Blanchet, B.: Automatic verification of security protocols in the symbolic model: the verifier ProVerif. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 20122013. LNCS, vol. 8604, pp. 54–87. Springer, Cham (2014). https://doi.org/10.1007/ 978-3-319-10082-1 3 22. Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus R Priv. Secur. 1(1–2), 1–135 (2016) and ProVerif. Found. Trends 23. Blanchet, B., Chaudhuri, A.: Automated formal analysis of a protocol for secure file sharing on untrusted storage. In: IEEE Symposium on Security and Privacy (S&P), pp. 417–431. IEEE (2008) 24. Blum, J., et al.: E2E encryption for Zoom meetings (2020). https://github.com/ zoom/zoom-e2e-whitepaper 25. Bruni, A., Drewsen, E., Sch¨ urmann, C.: Towards a mechanized proof of selene receipt-freeness and vote-privacy. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Sch¨ urmann, C. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 110–126. Springer, Cham (2017). https://doi.org/10.1007/978-3-31968687-5 7 26. Chandra, A.K., Harel, D.: Horn clause queries and generalizations. J. Log. Program. 2(1), 1–15 (1985) 27. Cheval, V., Blanchet, B.: Proving more observational equivalences with ProVerif. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 226–246. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36830-1 12 28. Cheval, V., Kremer, S., Rakotonirina, I.: DEEPSEC: deciding equivalence properties in security protocols theory and practice. Research report, INRIA, Nancy, May 2018. https://hal.inria.fr/hal-01698177 29. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466. IEEE (2017)

200

N. Kobeissi et al.

30. Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: IEEE Computer Security Foundations Symposium (CSF), pp. 164–178. IEEE (2016) 31. Cortier, V., Wiedling, C.: A formal analysis of the norwegian E-voting protocol. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 109–128. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28641-4 7 32. Cremers, C., Dehnel-Wild, M.: Component-based formal analysis of 5G-AKA: channel assumptions and session confusion. In: 2019 Network and Distributed System Security Symposium (NDSS) (2019) 33. Cremers, C., Hirschi, L.: Improving automated symbolic analysis of ballot secrecy for E-voting protocols: a method based on sufficient conditions. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2019) 34. Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1773–1788. ACM (2017) 35. Cremers, C., Jackson, D.: Prime, order please! Revisiting small subgroup and invalid curve attacks on protocols using Diffie-Hellman. In: 2019 IEEE Computer Security Foundations Symposium (CSF) (2019) 36. Cremers, C.J.F., Lafourcade, P., Nadeau, P.: Comparing state spaces in automatic security protocol analysis. In: Cortier, V., Kirchner, C., Okada, M., Sakurada, H. (eds.) Formal to Practical Security. LNCS, vol. 5458, pp. 70–94. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02002-5 5 37. Cremers, C.: Feasibility of multi-protocol attacks. In: Proceedings of the First International Conference on Availability, Reliability and Security (ARES), pp. 287– 294. IEEE Computer Society, Vienna, April 2006. http://www.win.tue.nl/∼ecss/ downloads/mpa-ares.pdf 38. Cremers, C.J.F.: The Scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-705451 38 39. Cremers, C.: Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 315–334. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2 18 40. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3 24 41. Delaune, S., Kremer, S., Ryan, M.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 17(4), 435–487 (2009) 42. Doghmi, S.F., Guttman, J.D., Thayer, F.J.: Searching for shapes in cryptographic protocols. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 523–537. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-712091 41 43. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983) 44. Donenfeld, J.A.: WireGuard: next generation kernel network tunnel. In: Network and Distributed System Security Symposium (NDSS) (2017) 45. Donenfeld, J.A., Milner, K.: Formal verification of the WireGuard protocol. Technical report (2017) 46. Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03829-7 1

Verifpal: Cryptographic Protocol Analysis for the Real World

201

47. Gibson-Robinson, T., Armstrong, P., Boulgakov, A., Roscoe, A.W.: FDR3—a mod´ ern refinement checker for CSP. In: Abrah´ am, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 187–201. Springer, Heidelberg (2014). https://doi.org/ 10.1007/978-3-642-54862-8 13 48. Girol, G., Hirschi, L., Sasse, R., Jackson, D., Cremers, C., Basin, D.: A spectral analysis of noise: a comprehensive, automated, formal analysis of Diffie-Hellman protocols. In: 29th USENIX Security Symposium (USENIX Security 2020). USENIX Association, Boston, August 2020. https://www.usenix.org/conference/ usenixsecurity20/presentation/girol 49. Hirschi, L., Baelde, D., Delaune, S.: A method for verifying privacy-type properties: the unbounded case. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 564–581. IEEE (2016) 50. Hoare, C.A.R.: Communicating sequential processes. In: Hansen, P.B. (ed.) The Origin of Concurrent Programming, pp. 413–443. Springer, New York (1978). https://doi.org/10.1007/978-1-4757-3472-0 16 51. Jackson, D., Cremers, C., Cohn-Gordon, K., Sasse, R.: Seems legit: automated analysis of subtle attacks on protocols that use signatures. In: ACM CCS 2019 (2019) 52. Jakobsen, J., Orlandi, C.: On the CCA (in) security of MTProto. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 113–116 (2016) 53. Kobeissi, N.: An analysis of the protonmail cryptographic architecture. IACR Cryptology ePrint Archive 2018/1121 (2018) 54. Kobeissi, N., Bhargavan, K., Blanchet, B.: Automated verification for secure messaging protocols and their implementations: a symbolic and computational approach. In: IEEE European Symposium on Security and Privacy (EuroS&P), pp. 435–450. IEEE (2017) 55. Kobeissi, N., Nicolas, G., Bhargavan, K.: Noise explorer: fully automated modeling and verification for arbitrary noise protocols. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2019) 56. Lafourcade, P., Puys, M.: Performance evaluations of cryptographic protocols verification tools dealing with algebraic properties. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds.) FPS 2015. LNCS, vol. 9482, pp. 137–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30303-1 9 57. Lapiha, O.: A cryptographic investigation of secure scuttlebutt. Technical report, ´ Ecole Normale Sup´erieure (2019) 58. Lee, J., Choi, R., Kim, S., Kim, K.: Security analysis of end-to-end encryption in telegram. In: Simposio en Criptograf´ıa Seguridad Inform´ atica, Naha, Jap´ on (2017). https://bit.ly/36aX3TK 59. Lipp, B., Blanchet, B., Bhargavan, K.: A mechanised cryptographic proof of the WireGuard virtual private network protocol. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2019) 60. Miculan, M., Urban, C.: Formal analysis of Facebook connect single sign-on authentication protocol. In: SOFSEM, vol. 11, pp. 22–28. Citeseer (2011) 61. Millen, J.: A necessarily parallel attack. In: Workshop on Formal Methods and Security Protocols. Citeseer (1999) 62. Oak, P.: Kanto regional Pok´edex. Kanto Region J. Pok´emon Res. 19 (1996) 63. Pereira, O., Rochet, F., Wiedling, C.: Formal analysis of the FIDO 1.x protocol. In: Imine, A., Fernandez, J.M., Marion, J.-Y., Logrippo, L., Garcia-Alfaro, J. (eds.) FPS 2017. LNCS, vol. 10723, pp. 68–82. Springer, Cham (2018). https://doi.org/ 10.1007/978-3-319-75650-9 5

202

N. Kobeissi et al.

64. Protzenko, J., Beurdouche, B., Merigoux, D., Bhargavan, K.: Formally verified cryptographic web applications in WebAssembly. In: IEEE Symposium on Security and Privacy (S&P). IEEE (2019) 65. Protzenko, J., et al.: Verified low-level programming embedded in F. In: 2017 Proceedings of the ACM on Programming Languages (ICFP), vol. 1 (2017) 66. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of DiffieHellman protocols and advanced security properties. In: Chong, S. (ed.) IEEE Computer Security Foundations Symposium (CSF), Cambridge, MA, USA, 25–27 June 2012, pp. 78–94. IEEE (2012) 67. Steinbrecher, S., K¨ opsell, S.: Modelling unlinkability. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 32–47. Springer, Heidelberg (2003). https://doi.org/10. 1007/978-3-540-40956-4 3 68. Tronosco, C., et al.: Decentralized privacy-preserving proximity tracing, April 2020 69. Woo-Sik, B.: Formal verification of an RFID authentication protocol based on hash function and secret code. Wireless Pers. Commun. 79(4), 2595–2609 (2014). https://doi.org/10.1007/s11277-014-1745-8

Implementing Elliptic Curve Cryptography

On the Worst-Case Side-Channel Security of ECC Point Randomization in Embedded Devices Melissa Azouaoui1,2(B) , Fran¸cois Durvaux1,3 , Romain Poussier4 , Fran¸cois-Xavier Standaert1 , Kostas Papagiannopoulos2 , and Vincent Verneuil2 1

4

Universit´e Catholique de Louvain, Louvain-la-Neuve, Belgium [email protected] 2 NXP Semiconductors, Hamburg, Germany 3 Silex Insight, Mont-Saint-Guibert, Belgium Temasek Laboratories, Nanyang Technological University, Singapore, Singapore

Abstract. Point randomization is an important countermeasure to protect Elliptic Curve Cryptography (ECC) implementations against sidechannel attacks. In this paper, we revisit its worst-case security in front of advanced side-channel adversaries taking advantage of analytical techniques in order to exploit all the leakage samples of an implementation. Our main contributions in this respect are the following: first, we show that due to the nature of the attacks against the point randomization (which can be viewed as Simple Power Analyses), the gain of using analytical techniques over simpler divide-and-conquer attacks is limited. Second, we take advantage of this observation to evaluate the theoretical noise levels necessary for the point randomization to provide strong security guarantees and compare different elliptic curve coordinates systems. Then, we turn this simulated analysis into actual experiments and show that reasonable security levels can be achieved by implementations even on low-cost (e.g. 8-bit) embedded devices. Finally, we are able to bound the security on 32-bit devices against worst-case adversaries. Keywords: Side-Channel Analysis · Elliptic Curve Cryptography Point randomization · Belief Propagation · Single-trace attacks

1

·

Introduction

Elliptic Curve Cryptography (ECC) is a building block of many security components and critical applications including: passports, ID cards, banking cards, digital certificates and TLS. Its relative efficiency (compared to other publickey cryptosystems) is usually considered as an advantage for implementation in small embedded devices. As a result, it is also a natural target for side-channel attackers. In this context, the Elliptic Curve Scalar Multiplication (ECSM) operation is critical, and many attacks against it are described in the literature [3,6,8,16,24,28,29]. These attacks can exploit different sources of secretdependent leakages, under different assumptions on the attack model. As a c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 205–227, 2020. https://doi.org/10.1007/978-3-030-65277-7_9

206

M. Azouaoui et al.

result, countermeasures have been developed, for example based on regular execution [19], scalar randomization [7] and point blinding/randomization [8]. In the last years, the research on Side-Channel Analysis (SCA) has been shifting towards more powerful attacks in order to exploit as much available information as possible, with the goal to assess (or at least estimate) the worstcase security level of cryptographic implementations. For example the use of Soft-Analytical Side-Channel Attacks (SASCA) in the context of AES implementations [12,14,34] and more recently lattice-based cryptography [30], aim at exploiting more secret-dependent leakages that cannot be easily exploited by classical Divide-and-Conquer (D&C) attacks (e.g. the leakage of the MixColumns operation for the AES). Following this direction, Poussier et al. designed a nearly worst-case single-trace horizontal attack against ECSM implementations [29]. Their attack exploits all the single-precision multiplications executed during one step of the Montgomery ladder ECSM. Since this attack relies on the knowledge of the input point of the ECSM, it seems natural to use point randomization as a countermeasure against it, and the evaluation of this countermeasure was left as an important direction for further research. In this work, we aim at assessing the possibility of recovering the randomized input point so that the attack of Poussier et al. (or more generally horizontal attacks) can be applied again. Besides its importance for the understanding of side-channel protected ECC implementations in general, we note that it is also of interest for pairing-based cryptography [23] and isogeny-based cryptography [25]. Our first contribution in this respect is to show how to efficiently apply SASCA in the case of point randomization by targeting field multiplications. We study the impact of different parameters of the implementation’s graph representation required to perform SASCA. Then, in order to compare the efficiency of SASCA to a (simpler) D&C method, we extend the Local Random Probing Model (LRPM) introduced by Guo et al. [15] to our use case. Using this extension, we show that for realistic noise levels, SASCA does not provide a significant gain over the D&C strategy, especially when augmented with enumeration. The latter matches the intuition that such analytical attacks work best in the continuous setting of a Differential Power Analysis (DPA), while we are in the context of a Simple Power Analysis (SPA). Yet, we also show that this is not the case for very high Signal-to-Noise Ratio (SNR) values, especially for 32-bit implementations and the Jacobian coordinates system. Based on this result, we then infer on the required SNR for such implementations to be secure against SCA. We show that it is relatively low (in comparison, for example, with the high noise levels required for practicallysecure higher-order masked implementations [2,5]), and should enable secure implementations even in low-cost (e.g. 8-bit) micro-controllers. We also compare different elliptic curve coordinates systems w.r.t. their side-channel resistance against advanced side-channel attackers targeting the point randomization countermeasure. In addition, we evaluate the concrete security of the point randomization countermeasure on such low-cost devices. For this purpose, we consider two different options for implementing multi-precision multiplications.

On the Worst-Case Side-Channel Security of ECC

207

Interestingly, we observe that the level of optimization of the multiplication significantly impacts the level of leakage of the implementation. Concretely, we show that, while a naive schoolbook multiplication leads to successful singletrace attacks on an Atmel ATmega target, the operands caching optimization reduces the SNR enough such that attacks become hard, even with high enumeration power. Finally, we discuss the cases of two other implementations, one using Jacobian coordinates on an 8-bit device, and one using homogeneous coordinates on a 32bit device. Based on our detailed analyses of 8-bit implementations we show how the guessing entropy of the randomized point can be bounded using the LRPM for 32-bit implementations even against worst-case attackers.

2 2.1

Background Elliptic Curve Cryptography

In the following, we will introduce the necessary background on elliptic curve cryptography for the understanding of this paper. We only consider elliptic curves over a field of prime characteristic >3. An elliptic curve E(Fp ) over a field of prime characteristic p = 2,3 can be defined using a short Weierstrass equation: E : y 2 = x3 + ax + b, where a, b ∈ Fp and 4a3 + 27b2 = 0. Associated to a point addition operation +, the points (x, y) ∈ Fp 2 verifying the equation E, along with the point at infinity O as the neutral element, form an Abelian group. Point arithmetic (addition and doubling) in affine coordinates (using 2 coordinates x and y) requires field inversions, which are expensive compared to other field operations. In order to avoid them, most elliptic curve implementations use projective coordinates (X : Y : Z), such as the homogeneous ones where x = X/Z and y = Y /Z with X, Y, Z ∈ Fp and Z = 0. The equation of the curve is then given by: Y 2 Z = X 3 + aXZ 2 + bZ 3 , so that each point (x, y) can be mapped to (λx : λy : λ) for any λ ∈ F∗p . Alternatively, considering the Jacobian projective Weierstrass equation: Y 2 = X 3 + aXZ 4 + bZ 6 , a point (x, y) of the curve can this time be represented using so-called Jacobian projective coordinates as (λ2 x : λ3 y : λ), with λ ∈ F∗p . In the rest of this paper, the NIST P-256 curve [31] is used to illustrate the principle of our security assessment. Note that this choice is not restrictive, as the study is fully independent of the curve’s choice.

208

2.2

M. Azouaoui et al.

Problem Statement

At CHES 2017, Poussier et al. designed a nearly worst-case single-trace horizontal differential SCA (HDPA) against an implementation of the Montgomery ladder ECSM [29]. This attack relies on the knowledge of the input point and the operations executed. It aims at distinguishing between the two possible sequences of intermediate values depending on the processed scalar bit. Once the first bit has been recovered, the current state of the algorithm is known. The following intermediate values corresponding to the following scalar bit can then also be predicted and matched against the side-channel leakages. Randomizing the input point naturally prevents HDPA: considering an implementation using projective coordinates, for each execution, a random value λ ∈ F∗p is generated and the representation of the point P = (x, y) is replaced by (λx, λy, λ) before the scalar multiplication takes place. Thus the hypothesis space to recover one bit using HDPA is increased from 2 to 2|λ|+1 , with |λ| the size of λ in bits. If |λ| is large enough, it renders the attack impractical. Given that HDPA is close to a worst-case attack against the ECSM, we want to investigate the security of the point randomization that is considered as its natural countermeasure. More precisely: could a side-channel adversary exploiting the additional information brought by the randomization process itself recover a sufficient amount of information about λ (e.g. by reducing the number of λ candidates to an enumerable set) so that an HDPA can again be applied. For that purpose, we examine two types of profiled attacks that are detailed in the next section.

3

Attacking and Evaluating the Point Randomization

Let’s consider the homogeneous projective coordinates randomization method previously described. For each execution, a modular multiplication is performed between the coordinates of the input point (for instance the public base point G) and a random value λ. For an elliptic curve system, the implementation of an optimized modular multiplication depends on the underlying field and of various compromises. For instance, one can perform first a multiplication then a modular reduction. Alternatively, these steps can be interleaved to reduce memory footprint. In order to illustrate our two approaches to attack the point randomization, we first focus on this initial multiplication, for which an abstract architecture is given in Fig. 1. The Figure represents the overall functioning of a school-book like multiplication of two 256-bit operands yielding a 512-bit result, implemented on an 8-bit platform: {λ0 , λ1 , ..., λ31 } correspond to the words of λ, {xG0 , xG1 , ..., xG31 } to the known words of xG (the x coordinate of the base point G), and c = {c0 , c1 , ..., c63 } to the 512-bit result. Every word of λ is multiplied by every word of xG . The resulting 2048 low (R0) and high (R1) parts of the single-precision multiplications are then combined in a series of additions (shown by the accumulation block in Fig. 1) to yield the 64-word result. Given this abstract view of multiplication, we identified two profiled singletrace side-channel attacks that can be used to defeat the point randomization

On the Worst-Case Side-Channel Security of ECC

209

SASCA

× xG0

λ0

× xG1

...

λ31

× xG0

A C C U M U L A

c0 c1

. . .

. . .

× xG31

R0 R1

T E

...

c63

Divide-and-conquer

Fig. 1. Multi-precision multiplication of 256-bit operands on an 8-bit device.

countermeasure. Our aim is to compare them to assess the most optimal security evaluation strategy. We emphasize that both methods can be used, independently of the point randomization algorithm. 3.1

Horizontal Divide-and-Conquer Attack with Enumeration

The Horizontal Divide-and-Conquer attack (HD&C) is applied independently and similarly to each word of λ. Following Fig. 1, λ0 is multiplied by 32 known values {xG0 , xG1 , ..., xG31 } resulting in the lower parts and the higher parts: (λ0 × xGj )%256 and (λ0 × xGj )\256 (where % and \ denote the modulus and the integer division) for j ∈ {0, 1, ..., 31}. The attacker exploits the direct leakage on the value of λ0 but additionally observes the leakage of these 64 intermediates. The side-channel information is extracted by characterizing the joint conditional distribution: Pr[λ0 |L(λ0 ), L((λ0 × xG0 )%256), ..., L((λ0 × xG31 )\256)], where L(v) denotes the side-channel leakage of a value v. Assuming the algorithmic independence of the targeted intermediates, which is verified in this case, and additionally the independence of the noise (i.e. that the leakage of each intermediate is independent of the leakage of other intermediates)1 , the joint distribution can be factorized into: Pr[λ0 |L(λ0 )] ×

31 

Pr[λ0 |L((λ0 × xGj )%256)] × Pr[λ0 |L((λ0 × xGj )\256)].

j=0 1

This is referred to as Independent Operations’ Leakages (IOL) and is a commonly used assumption in SCA and was shown to be reasonable [13]. For our case study it can be easily verified by plotting a covariance matrix.

210

M. Azouaoui et al.

For a given word of λ, the exploitation of this information gives to the attacker a list of probabilities for each value this word can take. If the correct word is ranked first for all the λi , the attack trivially succeeds. However, recovering λ directly is not necessary. Indeed, a D&C attack allows the use of enumeration as a post-processing technique [32]. As a result, reducing the entropy of λ until the value of the randomized point can be reached through enumeration is enough. We note that there is no straightforward way to verify if the correct point has been found. Indeed, only the result of its multiplication by the full value of the secret scalar k is revealed at the end of the ECSM. Yet, the attacker can feed the points given by enumeration as inputs to (e.g.) an HDPA attack. If the right point has been recovered, it is very likely that the HDPA will be able to easily distinguish the scalar bits. Otherwise if the hypothesis on the input point is wrong it will assign the possible values on the scalar bits equal probabilities. 3.2

Soft Analytical Side-Channel Attack

SASCA was introduced in [34] by Veyrat-Charvillon et al. as a new approach that combines the noise tolerance of standard DPA with the optimal data complexity of algebraic attacks. SASCA works in three steps: first it builds a large graphical model, called a factor graph, containing the intermediate variables linked by constraints corresponding to the operations executed during the target algorithm. Then it extracts the posterior distributions of the intermediate values from the leakage traces. Finally, it propagates the side-channel information throughout the factor graph using the Belief Propagation (BP) algorithm [20], to find the marginal distribution of the secret key, given the distributions of all intermediate variables. We refer interested readers to [34] for a detailed description of SASCA. SASCA exploits a larger number of intermediates in comparison to D&C attacks as illustrated in Fig. 1. For instance, it can use the leakage coming from the addition operations in the accumulator that combines intermediates that depend on multiple words of λ. The optimized information combination approach of SASCA implies that it is an appropriate tool to approximate the worst-case security of cryptographic implementations. Running the BP algorithm on a factor graph of a cryptographic implementation is time-consuming. Its time complexity is dominated by (2vs )deg (corresponding to the factor to variable message update) with vs the variable size (for e.g. 8 bits or 32 bits) and deg the degree of the largest factors (number of variables connected to it). This message passing is then repeated for each factor and for the number of iterations required for the BP algorithm to converge. For that reason, Guo et al. introduced the Local Random Probing Model (LRPM) [15], which bounds the information that can be obtained by decoding the factor graph using BP without running the BP algorithm. Concretely, the LRPM propagates the amount of information collected throughout the graph using approximations employed in coding theory. Assuming that the variables’ distributions are not too correlated, information coming from neighboring factors is summed at variable nodes. At factor nodes the information coming from neighboring variables is multiplied. The information is not in bits but instead computed in base log

On the Worst-Case Side-Channel Security of ECC

211

the size of the variables (such that the information is always between 0 and 1). We refer to [34] for more details on the LRPM. The LRPM provides an upper bound on the information propagated through a generic factor function, but generally the actual information propagated by a specifc logic or arithmetic operation is significantly lower. For instance, Guo et al. noted that information can be diluted when propagated through a XOR operation: when XORing two values with partial information, we may end with even less information on the result than their product. Based on this observation, they refine the model by introducing the XOR loss: a coefficient 0 < α < 1 that is multiplied by the information and reduces the model’s approximation for the XOR operation to a value of information that is closer to the one that is observed. In practice, α is estimated as the ratio between the upper bound on the information evaluated using the model and the information estimated from actually running BP on the XOR factor.

4

Analysis of the Field Multiplication Factor Graph

Prior to comparing the attacks identified in Sect. 3, we investigate the application of SASCA on a multi-precision multiplication factor graph. The nodes included in the graph and its structure can impact the performance of the BP algorithm. In the following, we investigate the impact of these characteristics. For this purpose, we build the factor graph of the first block from the assembly description of the operand-caching multiplication2 of Hutter and Wenger [18, Appendix A] on an 8-bit micro-controller. This graph G is presented in Fig. 2. Given the size of this graph, it is possible to run multiple experiments of the BP algorithm to get meaningful averaged results. The conclusions drawn from our analysis can be generalized to the full graph and any multiplication that follows the abstract architecture in Fig. 1 because of its very regular structure. There are two aspects to consider before running BP on this graph that we detail and investigate hereafter. First, G is a cyclic graph and BP convergence to the correct marginals is not guaranteed [26]. Second, while for previous applications of SASCA to the AES [34] and lattice-based encryption [30], the factor graphs contained factors of at most degree 3, G contains factors of degree 4 and 5 due to the additions with carry propagations. Although carry bits are small variables, we note that their values and possibly errors on their values may ripple through all the following steps of the computation. To investigate the effect of cycles and carry bits, we construct four other factor graphs. G no cycles is an acyclic version of G built by following the strategy from Green et al. [12]: removing factors causing the cycles and severing edges. G no carry is constructed by deleting carry bit variable nodes and integrating both possible values of a carry into the factors as described by the diagram below, where the carry (resp. carry’) variable node corresponds to the input (resp. output) carry. It is given by the 2

The operand-caching multiplication is an optimized schoolbook-like multiplication that minimizes the number of operand word loads. It is specifically designed for small embedded devices in order to improve efficiency by minimizing memory operations.

212

M. Azouaoui et al. c30 ACC00

Multiplication results

+

R00

carry0

R10

+

R01 R11

ACC01

Carry bits

+ ACC11

carry2

+ carry1

c31

ACC02

+

carry3

+

ACC12

c32

carry4

R02

c33

+

R12

ACC13

Fig. 2. Factor graph G: first block of the operand caching multiplication.

diagram below for the addition with carry operation but is done similarly for all carry operations. Finally, G no carry no cycles is G no carry where remaining cycles have been removed. x y

r

x

carry’

y

adc

adc no carry

r

carry

with fadc and fadc no carry defined as: fadc (x, y, carry, r, carry )  1 if r = (x + y + carry) % 256 and carry = (x + y + carry)/256, = 0 otherwise.  fadc no carry (x, y, r) =

1 if r = (x + y) % 256 or r = (x + y + 1) % 256, 0 otherwise.

To compare the different graphs, we use simulated leakages for all intermediate variables (Hamming weight leakage with Gaussian noise). We estimate the single-trace attack success rate (SR), average across λ0 and λ1 for different noise levels. The results of these experiments are plotted in Fig. 3. First, we notice that for high SNR values, the cyclic graphs (G and G no carry) perform better than the acylic ones (G no cycles and G no carry no cycles). This can be explained by the fact that cycles typically exacerbate side-channel errors but in this case are less detrimental since errors from side-channel observations are less likely to occur for high SNR. Additionally, the acyclic graphs are constructed by removing factors which contribute the most to the connectedness of the graph

On the Worst-Case Side-Channel Security of ECC

213

and as a result lose some information. When moving to the (more realistic) low SNR range (below 2), G no carry yields marginally better results, as it still benefits from the additional information provided by factors in cycles, and is also not prone to errors on carry bits. For even lower SNR (below 0.05), the experiments indicate that the best graph option is G no carry no cycles, which reflects previous observations on the impact of cycles and carry bits.

Fig. 3. Average single-trace success rate. Right: close-up for low SNR values.

5

Comparison of SASCA and HD&C Attack

In this section, we begin our investigation of the security level that can be achieved by the point randomization countermeasure by comparing SASCA and an HD&C attack. We still consider the 8-bit implementation of the operand caching multiplicaton. Since SASCA comes at a higher computational cost than an HD&C attack, it is worth evaluating the advantage of SASCA over an HD&C attack. For this purpose we make use of the LRPM’s efficiency and introduce new extensions of it such that it is applicable to the target factor graph. 5.1

Applying the LRPM to Multi-precision Multiplication

To investigate the relevance of the LRPM, Guo et al. [15] consider the AES as a target, for which all atomic operations have one output only and LRPM rules apply straightforwardly. To apply the LRPM to the full factor graph of the multiprecision multiplication, we extend the LRPM rules to operations with multiple outputs. This new rule is described below and is based on the factorization principle of BP. An example factorization for an addition factor is given in Appendix A.

214

M. Azouaoui et al. out1

in1

F in2

out2

MIF→out1 = MIin1→F × MIin2→F MIF→out2 = MIin1→F × MIin2→F MIF→in1 = MIin2→F × (MIout1→F + MIout2→F ) MIF→in2 = MIin1→F × (MIout1→F + MIout2→F )

Additionally, based on the work of Guo et al. and as explained in Sect. 3.2, in order to avoid too pessimistic upper bounds on the information, we estimate loss coefficients for all variables for every kind of operation in the graph. We estimated the loss coefficients assuming a Hamming weight leakage function as the ratio between the information computed after performing BP and the one predicted by the LPRM rules. Prior to using the LRPM to compare SASCA and HD&C attacks, we confirm in Fig. 4 that the LRPM’s MI predictions fit the experimental SR on G and its variants. We ran the LRPM assuming MI values that correspond to the simulated SR experiments and we focus on reasonable and realistic noise levels for software implementations. The left part of Fig. 4 corresponds to the MI on one word of λ of each graph as a function of the SNR, and the right part to the SR. The efficiency orderings of the different graphs in terms of MI and SR are similar. Slight discrepancies might be due to the experimental estimation of the SR. Decisively, the LRPM and the SR estimations agree on the fact that the best graph option is G no carry for a reasonable SNR < 2, while for even lower SNR all seem to perform similarly.

Fig. 4. Left: MI evaluated with the LRPM with loss coefficients for the different graphs. Right: the SR of SASCA for different graphs.

5.2

SASCA vs. HD&C

Based on our previous results, we build the full graph of the multi-precision multiplication with carry bits integrated in factors. Notably, this graph option is not only the best based on the previously shown experiments and LRPM predictions,

On the Worst-Case Side-Channel Security of ECC

215

Fig. 5. Comparison of SASCA on the full graph of the field multiplication, including the modular reduction, and the HD&C attack on register multiplications.

but also the most pragmatic one. Indeed, the full graph of the multi-precision multiplication is highly connected. Attempting to remove all cycles will render the graph very close to the one exploited by the HD&C strategy. Accordingly, we build the full graph which consists of 1024 multiplication factors and 3216 addition factors, then the factor graph corresponding to the HD&C attack that only contains the multiplication factors and related variables. We additionally build the full graph of the randomization procedure including the modular reduction implemented as suggested in [31]. In comparison to the efficient HD&C attack, running the BP algorithm for a single iteration on the factor graph of the multiprecision multiplication would naively require more than 237 operations, or more than 229 operations with specific factor message passing optimizations. For all three graphs, we use the LRPM to upper bound the information extracted in bytes on a word of λ. Results are given in Fig. 5. We observe that both BP and D&C attacks reach the maximal information of one byte across all words of λ when the SNR exceeds 0.4. The horizontal attack succeeds right after SASCA and, for lower SNR values, the gain is negligible considering the running time and the effort required to mount a BP-based attack. This is in-line with the results from [15] (e.g. for the AES): when the number of attack traces is too low (e.g. in a DPA), SASCA does not provide any gain over a D&C template attack. Things naturally get worse for lower SNR values. Our results therefore indicate that classical D&C attacks (on our particular target) come very close to the worst-case attack for low SNR cases (which are essentially the most interesting ones for side-channel investigations). This fact can be additionally highlighted by the limited information provided by the addition of the modular reduction to the factor graph compared to solely the multiplication. An analogy can be made with the AES MixColumns: since the operations contained in these examples (MixColumns, modular reduction by a Mersenne prime) diffuse already limited information (by combining noisy leakages of multiple intermediates), they do not contribute significantly to the overall information on the targeted secret for low and reasonable SNR values.

216

M. Azouaoui et al.

Overall, this result shows that SASCA, which exploits all the available information, barely improves the results compared to a D&C attack. Moreover, as SASCA does not allow optimal enumeration: adding the use of computational power to HD&C mitigates even more the already small gap between them. As a result, the rest of this paper considers the HD&C strategy in order to evaluate the security of the point randomization countermeasure. This naturally raises the question of how much noise is necessary to make the attack fail, which we investigate in the following section.

6

Security Graphs and Necessary Noise Levels

In this section, we investigate the nearly worst-case security of the point randomization countermeasure. For this purpose, we use the HD&C strategy, identified in the previous section to achieve comparable efficiency to the worst-case BP-based attack. Since the HD&C attack strategy is extremely efficient computationally (in comparison to SASCA), it allows us to investigate different implementation cases. For our experiments, we choose a homogeneous projective coordinates system to represent the points and later discuss the case of Jacobian projective coordinates. A homogeneous coordinates system allows for a very efficient point randomization procedure as it requires at most two field multiplications. We consider the case where both the affine coordinates of a point are randomized, and additionally the fast parallel point addition and doubling Montgomery ladder from Fischer et al. [10], where only the x coordinate is required and thus randomized. The field multiplication is as described previously: a multi-precision multiplication followed by a modular reduction. We also take into account a 256-bit randomizing parameter λ and a 128-bit alternative. The goal of this section is to provide a characterization of the security level expected as a function of the measurements’ SNR. For this purpose, we plot security graphs based on [33] for the different cases of the point randomization procedure. These graphs are produced by performing 100 independent attacks and rank estimations for different SNR values. These experiments provide sampled ranks for each SNR value. Using these samples, the rank distributions can be easily estimated using kernel density estimation. The most interesting conclusions can be deduced from the cumulative distribution function (CDF) of the rank. The CDF of the rank for a specific SNR tells us about the probability that the rank of the secret lies above a certain enumeration effort, and thus the probability for an adversary to recover the secret. This is visually represented by a gray-scale on a security graph: the darker (resp. lighter) the zone is, the higher (resp. lower) is the probability of recovering the secret. For the following results, we performed HD&C attacks and corresponding rank estimations on simulated leakages of every 8-bit word of λ and every result of a register multiplication following the classical side-channel model: HW and Gaussian noise. This leads to 65 leakages per target byte (one for the byte itself and 64 for the 2 parts of the 32 multiplication results). We produce in Fig. 6 the security graph for a 128-bit λ, when randomizing only the x coordinate of the

On the Worst-Case Side-Channel Security of ECC

(a) Randomization of x

217

(b) Randomization of x and y.

Fig. 6. Security graph of the point randomization countermeasure for λ ∈ F2128 . (Color figure online)

(a) Randomization of x

(b) Randomization of x and y.

Fig. 7. Security graph of the point randomization countermeasure for λ ∈ F2256 . (Color figure online)

base point (Fig. 6a) and when randomizing both coordinates (Fig. 6b). Figure 7 gives the corresponding security graphs for a 256-bit λ. The red line corresponds to the log2 of the guessing entropy. The security graphs shown in Figs. 6 and 7 encompass a great deal of information on the security of the target. For e.g. to achieve security against an adversary attacking only the x coordinate randomization using a 256-bit parameter, who can enumerate up to 250 candidates, the SNR needs to be lower than 0.3 based on the results displayed in Fig. 7a. The comparison of Fig. 6a and b highlights the expected fact that the information is simply doubled when exploiting λ × xG and λ × yG compared to only λ × xG . Subsequently, to get the same level of security, the SNR has to be halved. The same applies to Fig. 7a and b. Moreover, the security graphs for the 128-bit case and the 256-bit case illustrate the trade-off between the randomness requirements (i.e. the size of λ) and the side-channel noise necessary to make the point randomization robust against nearly worst-case adversaries. Additionally, since the LRPM provides an upper bound on the information that can be extracted from a factor graph (in this case of the D&C attack), in all security graphs we plot the corresponding remaining entropy as a lower bound of the actual guessing entropy. This bound is quite helpful particularly in cases where performing multiple attacks and rank estimations is not possible.

218

7

M. Azouaoui et al.

Experimental Evaluations

In this section, we analyze two different implementations of a long-integer multiplication both written in assembly. First, a naively implemented schoolbook multiplication with two nested unrolled loops and no specific optimizations. The second multiplication is the operand-caching multiplication of Hutter and Wenger [18] that we presented above. We performed our experiments on an 8-bit AVR ATmega328p microcontroller mounted on an Arduino UNO board running at 16 MHz. Using a custom probe, the measurements are captured on a PicoScope5244D oscilloscope synchronized with a trigger at the beginning of each execution, at a sampling rate of 125 MSam/s. The traces are preprocessed using amplitude demodulation. Hereafter we describe the HD&C attack applied to both implementations. First, we first performed a preliminary Points Of Interest (POIs) selection step using a correlation test [9] to find the samples that correspond to leakages of intermediate values depending on the target byte. We then use a dimensionality reduction technique, namely Principal Component Analysis (PCA) [1], to further reduce the number of dimensions. This can be done since as the coordinate of the base point is fixed and known, the leakage only depends on the bytes of λ. Using the compressed traces, we build multivariate Gaussian templates using 49k traces based on the values of the bytes. Note that while the noise is independent for the attack on simulations presented in Sect. 6, it is not perfectly the case for real traces. We thus take the dependency into account in order to improve the results and perform a single-trace template attack on each secret byte. Finally, we combine the results of all the bytes using the Glowacz et al. histogram-based rank estimation algorithm [11]. 7.1

Classical Schoolbook Multiplication

In this section, we show the results of the HD&C attack on the non-optimized schoolbook multiplication. This multiplication loads every byte of the secret 32 times, displaying notable leakages on λ. As a first step, we examine the bytes’ guessing entropies as a function of the number of PCA components retained. These results are shown in Fig. 8. Typically, when applying PCA to side-channel leakages of symmetric cryptography implementations, the relevant information is located in a few principal directions (e.g. the recent [4] uses 10). For our specific target, more dimensions are useful, as shown by Fig. 8. This is presumably due to the large amount of intermediate values that relate to the secret bytes, and the amount of different single-precision operations manipulating these intermediates. From Fig. 8, we observe that the logarithms of the guessing entropies of all bytes decrease similarly and are mostly below 4 bits (less than 16 candidates) when the number of components is above 350. The guessing entropies keep on decreasing as the number of components increases. The next step of the evaluation is to assess if a single-trace recovery is feasible on the full value of λ. For each execution, we combine the results obtained from the independent attacks on the bytes of λ and plot the results of rank

On the Worst-Case Side-Channel Security of ECC

219

Fig. 8. Logarithm of the guessing entropy of the 32 bytes of λ as a function of the number of PCA components for the non-optimized schoolbook multiplication.

estimation in Fig. 9. We show the distribution of the logarithm of the ranks. The red vertical line denotes the mean log rank observed. We also focus on two sizes for λ, namely 128 and 256 bits, in order to evaluate the impact of the HD&C attack on the required randomness for each execution. First, for a 128-bit randomizing parameter, we observe that approximately half of the randomized points can be recovered with a minimal enumeration of less than 216 . The results for a 256-bit randomizing parameter are given in Fig. 9b. In this case, while the rank of the secret is higher than for the 128-bit case, the implementation can still be considered vulnerable with an average rank of 50 bits. Moreover, some parameters are easily recovered. For instance approximately 20% of all λs are fully recovered using an enumeration effort of 216 .

Fig. 9. Distribution of log rank of λ for the schoolbook multiplication. (Color figure online)

7.2

Operand Caching Multiplication

The second part of our experiment consists of applying the same process of HD&C attack against an optimized implementation, namely the operand-caching

220

M. Azouaoui et al.

one. This method is a variant of the long-integer multiplication that reduces the number of memory accesses to gain in efficiency, thereby reducing the amount of leakage. For each byte of λ, we perform the same systematic steps as for the non-optimized implementation. In Fig. 10, we plot the evolution of the guessing entropies for the different bytes as a function of the number of PCA components. Bytes are color coded according to the number of times they are loaded. First, we observe the same behavior as for the previous implementation when it comes to the number of PCA components: we require a large number of components. Next, we clearly notice the impact of the amount of loads on the guessing entropy. That is, less loads tend to lead to a higher entropy in comparison with the nonoptimized implementation. It is clear that the limited leakages in this case do not allow reaching guessing entropies below 20 candidates, which is significantly more than on the naive schoolbook multiplication.

Fig. 10. Logarithm of the guessing entropy of the 32 bytes of λ as a function of the number of PCA components for the optimized operand-caching multiplication.

Next, we plot the distribution of the log ranks for both 128- and 256-bit λ in Fig. 11. We observe that due to the optimizations applied for the operand caching, the leakages are minimized, leading to significantly different results compared to the non-optimized implementation. For the 128-bit (resp. 256-bit) size parameter, we obtain an average log rank of 100 bits (resp. 200 bits). The entropy of λ is only marginally reduced and its value cannot be recovered with a reasonable enumeration effort. Overall, the comparison of the non-optimized multiplication and the optimized one highlights how point randomization can be made quite robust against nearly worst-case adversaries without much performance overheads: as clear from [17], the additional cost of point randomization is limited for (already expensive) ECC implementations. That is, a few design considerations and optimizations suffice to reduce the overall leakages that can be exploited by an adversary, so that horizontal attacks become impractical. We note that, as usual in experimental side-channel attacks, these results obviously depend on the measurement setup and the preprocessing applied to the traces, which can possibly be improved. Yet, the conclusion that limited SNR reductions are enough to

On the Worst-Case Side-Channel Security of ECC

221

Fig. 11. Distributon of log rank of λ for the operand caching multiplication. (Color figure online)

secure point randomization, and that simple optimizations (that are motivated by general performance concerns) are good for this purpose, should hold in general.

8

Projective Coordinates System Comparison

In our preliminary analysis, we focused on an homogeneous projective point representation. This section investigates the use of a different coordinates system, namely Jacobian coordinates, and the possible consequences regarding sidechannel resistance. For this purpose, using the LRPM and its extensions proposed in this paper, we further extend our analysis by comparing the randomization in homogeneous and Jacobian projective coordinates. In the Jacobian case, the computation of λ2 is required. Therefore, we consider again two cases: one where a generic multiplication is used to perform the squaring, and one where the squaring is implemented efficiently (avoiding the re-calculation of equal cross products). The results of our evaluations are depicted in Fig. 12 where MI upper bounds are plotted as a function of the SNR. First, and as previously shown, we confirm that for homogeneous coordinates since λx and λy are independent operations when targeting λ, the overall information is simply doubled. Secondly, when it comes to Jacobian coordinates, using a squaring instead of a multiplication for λ2 leads to improved security. Regarding the comparison, while the coordinates system used is typically dictated by the ECSM’s overall performance, the results shown in Fig. 12 lead to interesting conclusions. These results suggest that for low SNR ( 0.1, the x-only homogeneous projective randomization is the best option, followed by the Jacobian coordinates randomization with a dedicated squaring operation.

222

M. Azouaoui et al.

Fig. 12. Comparison of SASCA on homogeneous projective coordinates randomization and Jacobian projective coordinates randomization.

9

Worst-Case Evaluation of 32-bit Implementations

In this section, we translate our previous investigation on 8-bit implementations to the practically-relevant case of 32-bit devices. First, we emphasize that implementing an actual attack against a 32-bit implementation is much more challenging. While profiling 32-bit leakage is feasible by using a linear regression based approach, exploitation on the other hand is very demanding since it would require enumerating 232 values, leading to large computation and storage efforts. Some workarounds are possible by trading computational complexity for algorithmic noise. As we focus on worst-case security, we analyze the information obtained by a strong attacker able to perform attacks on 32-bit leakages directly. For that purpose, we use the LRPM. As shown in Sect. 6 in Figs. 6 and 7, the LRPM provides a lower bound on the guessing entropy after the attack. Based on this observation, we bound the guessing entropy when targeting a 32-bit implementation for different attacks (D&C and SASCA) and for different SNR levels. The results of this analysis are plotted in Fig. 13 for high (left) and low SNR (right) cases. First, we note that when the SNR is low the gain of analytical strategies over D&C strategies is still very limited as for the 8-bit case. But more interestingly, we observe that implementations of the point randomization on 32-bit devices are able to resist worst-case adversaries as shown by the pessimistic lower bounds on the guessing entropy in Fig. 13. Concretely, for an SNR ≈ 0.9 as measured in a recent attack targeting an STM32F405 [21] it is possible to achieve excellent concrete security even against attackers exploiting all the possible leakage of the point randomization. This is a positive result that suggests that securing 32-bit ECC implementations (for e.g. on ARM devices) against very powerful attackers might be feasible in practice.

On the Worst-Case Side-Channel Security of ECC

(a) High SNR

223

(b) Low SNR

Fig. 13. Entropy lower bound comparison of SASCA on the full graph of the field multiplication, and the HD&C attack for a 32-bit implementation with λ ∈ F2256 .

10

Conclusion and Future Works

In this work, we investigated the security of the point randomization countermeasure w.r.t. worst-case attackers. We showed how to apply SASCA when targeting point randomization and additionally adapted a recent and efficient evaluation methodology for SASCA using the LRPM to this asymmetric use case. Second, and using that model, we showed that, for realistic noise levels for 8-bit devices, there is almost no gain in mounting a complex SASCA making use of all the available information compared to a simpler horizontal D&C attack that can be complemented with enumeration. As a result, we estimate the required SNR needed by implementations in small embedded devices to be secure. Somewhat surprisingly, we observe that the point randomization technique can be implemented quite securely even in 8-bit devices. We then perform practical experiments against basic and optimized implementations to further illustrate the impact of performance optimizations: while the naive implementation is shown to be broken, the optimized one leads to ranks that are not reachable with enumeration. Finally, we provide guessing entropy lower bounds for challenging attacks on 32-bit implementations which again confirm the resistance of point randomization against side-channel attacks. Interestingly, our results indicate that the point randomization on 32-bit devices provides excellent concrete security against worst-case adversaries. This leads to the positive conclusion that secure 32-bit ECC implementations might be feasible in practice. While we studied different implementation options of the point randomization, there is still room for analyzing other options to implement elliptic curve based systems and evaluate the security provided by side-channel countermeasures. For instance, then this additional leakage that does not depend on the secret scalar bit could potentially be exploited. Besides, different multiplication algorithms have been described in the literature. We focused on multiplications that share the same abstract architecture as a classical schoolbook multiplication, but other long-integer multiplication algorithms such as the Karatsuba

224

M. Azouaoui et al.

algorithm [22] or modular multiplication methods such as the Montgomery multiplication [27] remain to be studied. Acknowledgement. Fran¸cois-Xavier Standaert is a senior research associate of the Belgian fund for scientific research (FNRS-F.R.S.). This work has been funded in parts by the ERC project 724725 (SWORD) and by the European Commission through the H2020 project 731591 (acronym REASSURE). The authors acknowledge the support from the Singapore National Research Foundation (“SOCure” grant NRF2018NCRNCR002-0001 – www.green-ic.org/socure).

A

Factorization of fadd

The LPRM rules for information propagation for factors with multiple outputs are deduced from the factorization of a factor with two outputs into two factors with one output each, as shown by the diagram below for the addition operation: in1

out1

in1

1 fadd

out1

2 fadd

out2

f add in2

out2

in2

Where in1 and in2 refer to the two inputs to the addition. out1 to the result of the addition and out2 to the output carry bit. Then the add factor is defined as: fadd (in1, in2, out1, out2)  1 if out1 = (in1 + in2) % 256 and out2 = (in1 + in2)/256 = 0 otherwise 1 2 The add factor can be factorized into fadd and fadd which are defined as:  1 if out1 = (in1 + in2) % 256 1 (in1, in2, out1) = fadd 0 otherwise

 2 fadd (in1, in2, out2) =

1 if out2 = (in1 + in2)/256 0 otherwise

The LRPM propagation rules applied to the factorized factor yield for the variable in1: 1 →in1 = MIin2 × MIout1 and MIf 2 →in1 = MIin2 × MIout2 MIfadd add

Since information at variable node is summed we have: 1 ,f 2 )→in1 = MIf MI(fadd = MIin2 × (MIout1 + MIout2 ) add →in1 add

On the Worst-Case Side-Channel Security of ECC

225

References 1. Archambeau, C., Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 1–14. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063 1 2. Battistello, A., Coron, J.-S., Prouff, E., Zeitoun, R.: Horizontal side-channel attacks and countermeasures on the ISW masking scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 23–39. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2 2 3. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. In: Lange, T., Lauter, K., Lisonˇek, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 553–570. Springer, Heidelberg (2014). https://doi.org/10.1007/9783-662-43414-7 28 4. Bronchain, O., Standaert, F.-X.: Side-channel countermeasures’ dissection and the limits of closed source security evaluations. IACR Cryptology ePrint Archive 2019:1008 (2019) 5. Cassiers, G., Standaert, F.-X.: Towards globally optimized masking: From low randomness to low noise rate or probe isolating multiplications with reduced randomness and security against horizontal attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 162–198 (2019) 6. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., L´ opez, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). https://doi.org/10. 1007/978-3-642-17650-0 5 7. Clavier, C., Joye, M.: Universal exponentiation algorithm. In: Cryptographic Hardware and Embedded Systems - CHES 2001, Third International Workshop, Paris, France, 14–16 May 2001, Proceedings, number Generators, pp. 300–308 (2001) 8. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48059-5 25 9. Durvaux, F., Standaert, F.-X.: From improved leakage detection to the detection of points of interests in leakage traces. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 240–262. Springer, Heidelberg (2016). https:// doi.org/10.1007/978-3-662-49890-3 10 10. Fischer, W., Giraud, C., Knudsen, E.W., Seifert, J.-P.: Parallel scalar multiplication on general elliptic curves over fp hedged against non-differential side-channel attacks. IACR Cryptology ePrint Archive, 2002:7 (2002) 11. Glowacz, C., Grosso, V., Poussier, R., Sch¨ uth, J., Standaert, F.-X.: Simpler and more efficient rank estimation for side-channel security assessment. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 117–129. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5 6 12. Green, J., Roy, A., Oswald, E.: A systematic study of the impact of graphical models on inference-based attacks on AES. Cryptology ePrint Archive, Report 2018/671 (2018). https://eprint.iacr.org/2018/671 13. Grosso, V., Standaert, F.-X.: Masking proofs are tight and how to exploit it in security evaluations. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 385–412. Springer, Cham (2018). https://doi.org/10.1007/978-3319-78375-8 13 14. Grosso, V., Standaert, F.-X.: ASCA, SASCA and DPA with enumeration: which one beats the other and when? Cryptology ePrint Archive, Report 2015/535 (2015). https://eprint.iacr.org/2015/535

226

M. Azouaoui et al.

15. Guo, Q., Grosso, V., Standaert, F.-X.: Modeling soft analytical side-channel attacks from a coding theory viewpoint. Cryptology ePrint Archive, Report 2018/498 (2018). https://eprint.iacr.org/2018/498 16. Hanley, N., Kim, H.S., Tunstall, M.: Exploiting collisions in addition chain-based exponentiation algorithms using a single trace. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 431–448. Springer, Cham (2015). https://doi.org/10.1007/ 978-3-319-16715-2 23 17. Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-3855379 18. Hutter, M., Wenger, E.: Fast multi-precision multiplication for public-key cryptography on embedded microprocessors. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 459–474. Springer, Heidelberg (2011). https://doi.org/ 10.1007/978-3-642-23951-9 30 19. Joye, M., Yen, S.-M.: The montgomery powering ladder. In: Kaliski, B.S., Ko¸c, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5 22 20. Judea, P.: Reverend Bayes on inference engines: a distributed hierarchical approach. In: Proceedings of the Second AAAI Conference on Artificial Intelligence, AAAI 1982, pp. 133–136. AAAI Press (1982) 21. Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on keccak. Cryptology ePrint Archive, Report 2020/371 (2020). https://eprint.iacr.org/2020/371 22. Karatsuba, A., Ofman, Yu.: Multiplication of many-digital numbers by automatic computers. Dokl. Akad. Nauk SSSR 145, 293–294 (1962) 23. Kim, T.H., Takagi, T., Han, D.-G., Kim, H.W., Lim, J.: Side channel attacks and countermeasures on pairing based cryptosystems over binary fields. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 168–181. Springer, Heidelberg (2006). https://doi.org/10.1007/11935070 11 24. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5 9 25. Koziel, B., Ackie, A.-B., El Khatib, R., Azarderakhsh, R., Mozaffari-Kermani, M.: Sike’d up: fast and secure hardware architectures for supersingular isogeny key encapsulation. Cryptology ePrint Archive, Report 2019/711 (2019). https:// eprint.iacr.org/2019/711 26. MacKay, D.J.C.: Information Theory, Inference & Learning Algorithms. Cambridge University Press, New York (2002) 27. Montgomery, P.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985) 28. Nascimento, E., Chmielewski, L  .: Applying horizontal clustering side-channel attacks on embedded ECC implementations. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 213–231. Springer, Cham (2018). https:// doi.org/10.1007/978-3-319-75208-2 13 29. Poussier, R., Zhou, Y., Standaert, F.-X.: A systematic approach to the side-channel analysis of ECC implementations with worst-case horizontal attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 534–554. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4 26

On the Worst-Case Side-Channel Security of ECC

227

30. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3319-66787-4 25 31. NIST FIPS PUB. 186–2: Digital signature standard (DSS). National Institute for Standards and Technology (2000) 32. Veyrat-Charvillon, N., G´erard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6 25 33. Veyrat-Charvillon, N., G´erard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013). https://doi.org/10. 1007/978-3-642-38348-9 8 34. Veyrat-Charvillon, N., G´erard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-456118 15

Efficient Hardware Implementations for Elliptic Curve Cryptography over Curve448 Mojtaba Bisheh Niasar1(B) , Reza Azarderakhsh1,2 , and Mehran Mozaffari Kermani3 1

3

Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA {mbishehniasa2019,razarderakhsh}@fau.edu 2 PQSecure Technologies, LLC, Boca Raton, FL, USA Department of Computer Science and Engineering, University of South Florida, Tampa, FL, USA [email protected]

Abstract. In this paper, we present different implementations of point multiplication over Curve448. Curve448 has recently been recommended by NIST to provide 224-bit security over elliptic curve cryptography. Although implementing high-security cryptosystems should be considered due to recent improvements in cryptanalysis, hardware implementation of Curve488 has been investigated in a few studies. Hence, in this study, we propose three variable-base-point FPGA-based Curve448 implementations, i.e., lightweight, area-time efficient, and highperformance architectures, which aim to be used for different applications. Synthesized on a Xilinx Zynq 7020 FPGA, our proposed highperformance design increases 12% throughput with executing 1,219 point multiplication per second and increases 40% efficiency in terms of required clock cycles×utilized area compared to the best previous work. Furthermore, the proposed lightweight architecture works 250 MHz and saves 96% of resources with the same performance. Additionally, our area-time efficient design considers a trade-off between time and required resources, which shows a 48% efficiency improvement with 52% fewer resources. Finally, effective side-channel countermeasures are added to our proposed designs, which also outperform previous works. Keywords: Curve448 · Elliptic curve cryptography · FPGA Hardware security · Implementation · Point multiplication · Side-channel

1

·

Introduction

Elliptic curve cryptography (ECC) has gained prominent attention among asymmetric cryptographic algorithms due to its short key size. ECC is mostly implemented in Internet-of-Thing (IoT) devices considering their limited power c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 228–247, 2020. https://doi.org/10.1007/978-3-030-65277-7_10

Efficient Hardware Implementations for Elliptic Curve Cryptography

229

resources and processing units. Recently, to address some backdoor issues in ECC constructions due to advances in the strong cryptanalysis and classical attacks, new NIST [1] and IETF [2] recommendations make Curve25519 and Curve448 suitable for higher-level security requirements. Although we are confident with the security of ECC over prime fields, there is always the possibility that algorithmic improvements reduce the required computation to break ECC. Therefore, moving to a higher level of security will help to keep a margin against unknown attack improvements. However, higher security levels come with the performance penalty and industry often resists them. Hence, we need to provide a level of security that can be feasible subject to the performance requirement of the target application such as high-end servers of constrained devices. According to Shor’s algorithm [3], most of the current cryptosystems will be broken by quantum computing. Hence, Post-Quantum Cryptography (PQC) algorithm are going to replace the classic public key cryptography algorithms. PQC based on elliptic curves is available for example in [4–6]. However, the transition to PQC includes an emerging field called hybrid systems, which require both classic and PQC [7]. Hence, ECC is going to be used in the hybrid mode for maintaining accordance with industry or government regulations, while PQC updates will be applied completely. Therefore, classical cryptosystems cannot be eliminated even if PQC will significantly be developed, so designing high-security ECC is crucial. As a part of the Transport Layer Security (TLS) [8], Curve448 provides 224bit security designed by Hamburg in 2015 [9,10]. Moreover, Curve448 belongs to [11], and Safe-Curve policies are considered in its design procedures. Although Curve25519 is highly investigated in recent years for different applications [12–15], there are few FPGA-based Curve448 implementations due to its optimal software-based design. The closest related works that can be directly compared to ours are proposed by Sasdrich and G¨ uneysu in [16], and the protected architecture in [13] by adding re-randomization countermeasure to design the resistant scheme against horizontal attacks. In these works, a field arithmetic unit based on schoolbook multiplication is designed by cascading arithmetic and reduction core employing 28 and 5 DSP blocks, respectively. These architectures heavily rely on the DSP blocks which leads to work in high operating frequency (i.e. 357 and 341 MHz). Furthermore, Shah et al. in [17] proposed a LUT-based scheme for high-performance point multiplication employing the most significant digit multiplier. Moreover, our FPAG-based design for Curve448 is presented in [18]. Other FPGA implementations of ECC for Montgomery curves in the literature cannot be directly compared to ours, because they target different curves. Ananyi et al. in [19] introduced a flexible hardware ECC processor over several NIST prime fields. Furthermore, Alrimeih et al. designed an enhanced architecture over different NIST prime fields up to 521-bit in [20] including several countermeasures. Based on the aforementioned discussions, implementation gaps are identified in: (i) the need for exploration of the different trade-offs between resource

230

M. Bisheh Niasar et al.

utilization and performance considering different optimization goals, and (ii) the lack of employing the Karatsuba-friendly property of Curve448. Our Contributions: To the best of our knowledge, there appear to be extremely few hardware implementations that focus only on Curve448 and make the best of all its features. The main contributions of this work are as follows: – We Investigate three design strategies to port Curve448 to various platforms with different design goals (i.e., time-constrained, area-constrained, and area-time trade-off applications) using a precise schedule corresponding to each architecture. Hence, different modular multiplication and addition/subtraction modules are developed particularly tailored on a Xilinx Zynq 7020 FPGA to perform variable-base-point multiplications. Furthermore, all schemes are extended by side-channel countermeasures. – The proposed architectures are combined with interleaved multiplication and reduction employing redundant number presentation and refined Karatsuba multiplication to increase efficiency in comparison with those presented in previous. – Our proposed architectures outperform the counterparts available in the literature. The rest of this paper is organized as follows: In Sect. 2, some relevant mathematical background and side-channel considerations are reviewed. In Sect. 3, the proposed architectures are investigated. In Sect. 4, our proposed FPGA implementations are detailed. In Sect. 5, the results and comparison with other works are discussed. Eventually, we conclude this paper in Sect. 6.

2

Preliminaries

In this section, the mathematical background of ECC will be covered briefly. Additionally, Curve448 and its specifications will be introduced. Then, the respective side-channel analysis attack protection will be described. 2.1

Field Arithmetic and ECDH Key Exchange

The Galois Field GF (p) is described by finite elements including {0, 1, . . . , p − 1} to define a finite field. Curve448 over GF (p) is defined by E : y 2 + x2 ≡ 2 2 448 224 1 + dx y mod p where p = 2 − 2 − 1 and d = −39081. This curve is a Montgomery curve and also an untwisted Edwards curve which is called Edwards448 [2]. Curve448 specifications can be employed to speed up the elliptic curve DiffieHellman (ECDH) Key-Exchange. Using the advantage of 448 = 7 × 64 = 14 × 32 = 28 × 16 = 56 × 8 provides more flexibility to design efficient architecture for different platforms. Additionally, due to its Solinas prime with golden ratio φ = 2224 , fast Karatsuba multiplication can be performed as follows:

Efficient Hardware Implementations for Elliptic Curve Cryptography

231

C = A · B = (a1 φ + a0 ) · (b1 φ + b0 ) = a1 b1 φ2 + a0 b0 + ((a1 + a0 ) · (b1 + b0 ) − a1 b1 − a0 b0 )φ ≡ (a1 b1 + a0 b0 ) + ((a1 + a0 ) · (b1 + b0 ) − a0 b0 )φ

(mod p)

(1)

where A = (a1 φ + a0 ), B = (b1 φ + b0 ), and A, B, C ∈ GF (p). To implement modular inversion over GF (p) using Fermat’s Little Theorem (FLT), a−1 ≡ ap−2 mod p is computed by consecutive operations including 447 squaring and 15 multiplications. To generate a shared secret key Q between two parties through an insecure channel, i.e., internet, ECDH Key-Exchange protocol can be implemented using elliptic curve point multiplication (ECPM) Q = k · P over Curve448 where k and P are a secret scalar and a known base point, respectively. Moreover, public keys of Curve448 are reasonably short and do not require validation as long as the resulting shared secret is not zero. 2.2

Group Arithmetic and Montgomery Ladder

Scalar multiplication is broken down into 448 iterations considering bit values of k. To perform efficient scalar multiplication over the Montgomery curve, the Montgomery ladder was introduced [21] to perform one point addition (PA) and one point doubling (PD) in each iteration. Furthermore, using this method in projective coordinate increases efficiency. If P = (xp , yp ) is a base point in affine coordinate, it can be transmitted to projective coordinate such that P = (X, Y, Z) where xp = X/Z and yp = Y /Z. Suppose P1 = (X1 , Z1 ) and P2 = (X2 , Z2 ) are two points in projective coordinates. Therefore, P1 + P2 and 2P1 are computed by following equations: XP D =(X1 − Z1 )2 · (X1 + Z1 )2 ZP D =4X1 Z1 ·

(X12

+ 39081X1 Z1 +

XP A =4(X1 X2 − Z1 Z2 )

2

(3) (4)

ZP A =4xp (X1 Z2 − Z1 X2 )

2

2.3

(2) Z12 )

(5)

Side-Channel Protection

To implement a resistant architecture against side-channel analysis (SCA) attacks, different considerations are taken into account. Hence, several countermeasures should be embedded in the cryptographic implementations to prevent information leakage. Two basic protection including (i) constant-time implementation against timing attack, and (ii) secret-independent implementation against simple power analysis (SPA) can be achieved by performing inherently resistant algorithms. Hence, the proposed architecture is resistant against timing attacks and SPA attacks due to performing a constant number of operations in each

232

M. Bisheh Niasar et al.

iteration of the Montgomery ladder and employing constant-time FLT Inversion. Furthermore, some countermeasures which were introduced by Coron [22] are considered to avoid differential power analysis (DPA) attacks. These countermeasures include point randomization and scalar blinding which change both terms in the scalar multiplication Q = k · P . Point Randomization: Point randomization can be achieved by adding a degree of freedom to represent a base point using projective coordinate representations. In this method, the base point P = (X, Z) is projected from affine coordinates using a random value λ ∈ Z2448 \ {0} such that Pr = (λ · X, λ · Z). However, the scalar multiplication output is not changed, as proven in (6). xp =

λX X = Z λZ

(6)

Point randomization provides different point representations corresponding to random value λ to avoid any information extraction employing statistical analysis. Scalar Blinding: The second term in scalar multiplication is randomized in scalar blinding. In this method, multiple group order #E is added to k such that kr = k + r × #E where r is a random value. According to the fact that adding group order times of base point results in the point in infinity, the correctness of the scalar blinding approach can be proven as follows: kr · P = (k + r × #E) · P = k · P + r · O = k · P

(7)

This computation takes away data dependency between the swap function in the Montgomery ladder and the corresponding bit in k.

3

Proposed Algorithm and Architecture

In this section, the proposed algorithms for three different performance levels including lightweight, area-time efficient, and high-performance designs are covered. Moreover, their architectures and modular arithmetic units are investigated. The top-level architecture used in our schemes for different design strategies is illustrated in Fig. 1 composed of three stages: (i) the dedicated controller stage including an FSM and program ROM, (ii) the field arithmetic units in the middle stage including modular addition/subtraction and modular multiplication, and (iii) a memory stage to store the intermediate results. All stages are customized based on the corresponding design strategy for increasing efficiency. In lightweight and area-time efficient design, a major determinant of efficiency is matching the compute power to the memory bandwidth, so that most cycles the compute units and the memory units are used to accomplish as much work as possible. However, in high-performance design, more resources are utilized to reduce the required time for computation.

Efficient Hardware Implementations for Elliptic Curve Cryptography

233

P (base point) k

Design I

Implementing the Karatsuba multiplication requires a complex memory access pattern. Therefore, in lightweight architecture, the product scanning approach is proposed to perform repetitive operations with shared resources. In Design II and III, Karatsuba-based modular multiplication is employed.

c

0 c A B

1 16 16

A

+/-

16

16

B

16 C

17

Design II

A

+/-

128

128 C

84 Accu.

128

B

ai1

bi1

128 m0

64

ai0

Int. b i

A 128 B 128

128

16 C

+/-

B 0. Then (Su ||Sv ||Sw )k = (Su ||F (Sv )||Sw )k . Proof. By Lemma 2 we have (Su ||Sv ||Sw )k = (Su )k · k v +w + (Sv )k · k w + (Sw )k = (Su )k · k v +w + (F (Sv ))k · k w + (Sw )k = (Su ||F (Sv )||Sw )k .

Theorem 1. Let S = (a−1 , . . . , a1 , a0 ) be the k-ary representation of N ∈ Z+ with k  N . Let Sn || · · · ||S1 be the decomposition of S into GoodStrings and BadStrings given by Lemma 1. Then N = (Sn || · · · ||S1 )k = (F (Sn )|| · · · ||F (S1 ))k . Remark 3. For all 1 ≤ i ≤ n, the entries of F (Si ) lie in the set {±1, . . . , ±(k − 1)}. Proof. By definition of the ai we have N = (a−1 , a−2 , . . . , a1 , a0 )k = (Sn || · · · ||S1 )k . We define a new -String from the Si as S := (F (Sn )|| · · · ||F (S1 )) = (b−1 , b−2 , . . . , b1 , b0 ) so that bi = 0 for all i by to the definition of F . We apply Lemma 3 on each of the n GoodStrings or BadStrings in S where at each time we replace Si by F (Si ). At the end of n number of steps the new recoded string is (F (Sn )|| · · · ||F (S1 )). At each of these steps the k-ary value of the updated string remains the same according to Lemma 3 by the equation (Su ||Sv ||Sw )k = (Su ||F (Sv )||Sw )k . While doing so we follow three different settings following Lemma 3

Extending the Signed Non-zero Bit and Sign-Aligned Columns

255

1. We begin with applying the function F according to Definition 5 on Sn by setting Sv = Sn , Su to be an empty string and Sw = Sn−1 || · · · ||S1 . 2. In the intermediate steps we set Su = F (Sn )|| · · · ||F (Si+1 ), Sv = Si and Sw = Si−1 || · · · ||S1 for the intermediate applications 2 ≤ i ≤ n − 1 3. And at the final step we set Su = F (Sn )|| · · · ||F (S2 ) , Sv = S1 and Sw is an empty string Therefore, we can conclude N = (Sn || · · · ||S1 )k = (F (Sn )|| · · · ||F (S1 ))k . 2.2



Recoding Algorithm

In the previous section we have built a theory of replacing all zero entries within an -String with signed non-zero entries so that the k-ary value of the -String remains unchanged. While doing this we trace down all BadStrings, since only BadStrings contains zeroes in an -String, from left to right and replace each of them with a GoodString. Due to the fact that the length of each of the GoodStrings or BadStrings are very likely to be different makes this tracing process irregular. Therefore, building an algorithm following the tracing process that has such a lack of uniformity will make it vulnerable against simple power analysis attacks. Thus, in order to gain some degree of resistance against such attacks, we need to build an algorithm that replaces BadStrings by GoodStrings keeping the k-ary value unchanged in a uniform manner. To give it a regular structure, we use the lookup table given in Table 1, called the k-ary table. While generating the signed non-zero digit representation of a given -String S = (a−1 , . . . , a0 ), Algorithm 1 traces two entries ai , ai−1 from left to right and replaces ai−1 by the (ai , ai−1 )-th entry of the k-ary table. Since at each step we are tracing two entries at a time and replace one entry by a table look up, this gives a regularity to the algorithm. We call this algorithm Recode. The output of Recode on input (a−1 , . . . a1 , a0 ) is exactly Recode(a−1 , . . . a1 , a0 ) = (1, M(0,a−1 ) , M(a−1 ,a−2 ) , . . . , M(a1 ,a0 ) ).

(2)

Table 1. Lookup table where the entry in row x0 and column x1 represents the value of M(x0 ,x1 ) . x1 x0

0

1

2

3

···

m

···

k−1

0

−(k − 1)

−(k − 1)

−(k − 2)

−(k − 3)

···

−(k − m)

···

−(k − (k − 1))

1

1

1

2

3

···

m

···

(k − 1)

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

j

1

1

2

3

···

m

···

(k − 1)

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

k−1

1

1

2

3

···

m

···

(k − 1)

256

A. Dutta et al.

Algorithm 1. Recode Require: k ∈ N with k ≥ 2, and a string of digits (a−1 , . . . , a1 , a0 ) with each ai ∈ {0, 1, . . . , k − 1} and a0 = 0. Ensure: A string s = (s , s−1 , . . . , s1 , s0 ) with si ∈ {±1, ±2, . . . , ±(k − 1)}, and (s , s−1 , . . . , s1 , s0 )k = (a−1 , . . . , a1 , a0 )k 1: M ← GenTable(k) 2: for i = 0 to  − 2 do si ← M(ai+1 ,ai ) end for 3: s−1 ← M(0,a−1 ) and s ← 1 4: return s

Note that all rows of Table 1 after the first are identical. Therefore it can be compressed to a 2 × k table, where the two rows of the compressed table are identical with the first two rows of Table 1. Using the compressed k-ary table in the above context, one can instead replace ai−1 with the (χ(ai ), ai−1 ) entry of the compressed table, where χ is an indicator function (see Sect. 3.2). Alternatively, one might replace the entire table with an algebraic function which returns the appropriate value. Before we state and prove the next Lemma we introduce the following notation. For a string S+1 = (c , c−1 , c−2 , . . . , c0 ), we define S+1 ∼ (,  − 1) to be the string S+1 with the entries with index  and  − 1 removed: S+1 ∼ (,  − 1) := (c−2 , . . . , c0 ). Lemma 4. For 1 ≤ i ≤ n, let Si = (cii −1 , · · · , ci0 ) be either a GoodString or a BadString. Then Recode(Sn || · · · ||S1 ) = Recode(Sn ) || Tn −1 || · · · || T1 , where Ti = M(ci+1 ,ci

i −1 )

0

||(Recode(Si ) ∼ (i , i − 1)), for all 1 ≤ i < n.

Note that each Recode(Si ) is an (i +1)-String, and so the removal operation ∼ is well-defined here. Proof. Running Algorithm 1 with input Sn || · · · ||S1 gives exactly the output Recode(Sn || · · · ||S1 ) = S n ||S n−1 || · · · ||S 1 , where S n = (1, M(0,cn

n −1

n , M(cn −2 ,cn −3 ) , . . . , M(cn1 ,cn0 ) ) ) , M(cn n −1 ,cn −2 ) n n

S i = (M(ci+1 ,ci 0

i −1 )

, M(ci

i −1

,ci

i −2

),

M(ci

i −2

,ci

i −3

) , . . . , M(ci1 ,ci0 ) )

and for i < n.

For i < n, we can directly compute S i = (M(ci+1 ,ci

, M(ci −1 ,ci −2 ) , . . . , M(ci1 ,ci0 ) ) i i   = M(ci+1 ,ci ) || 1, M(0,ci −1 ) , M(ci −1 ,ci −2 ) , . . . , M(ci1 ,ci0 ) ∼ (i , i − 1) 0 i −1 i i i  = M(ci+1 ,ci ) || Recode(Si ) ∼ (i , i − 1) = Ti . 0

0

i −1 )

i −1

Extending the Signed Non-zero Bit and Sign-Aligned Columns

257

Finally, by Eq. 2 we have S n = Recode(Sn ).



Lemma 5. Let an -String S be written as Sn || . . . ||S1 where Si = (cii −1 , · · · , ci0 ) is either a GoodString or a BadString for all 1 ≤ i ≤ n. We define Ti = M(ci+1 ,ci ) ||(Recode(Si ) ∼ (i , i − 1)) 0

i −1

for all 1 ≤ i < n as in Lemma 4. Then for all i ∈ {1, 2, . . . , n − 1} we have Ti = F (Si ), where F is given in Definition 5. Proof. By Eq. 2 the full output of the  Recode algorithm on input Si is Recode(Si ) = 1, M(0,ci −1 ) , . . . , M(ci1 ,ci0 ) . We therefore have i



Ti = M(ci+1 ,ci 0

i −1 )

= (M(ci+1 ,ci 0

i −1 )

 ||(Recode(Si ) ∼ (i , i − 1))

, M(ci

i −1

,ci

i −2

) , M(ci

i −2

,ci

i −3

) , . . . , M(ci1 ,ci0 ) ).

Using the definition of M we can directly compute the M values above. Recall that each cij is nonzero when Si is a GoodString, each cij is zero for j > 0 when Si is a BadString, and every ci0 is always nonzero. For 1 < j < i , we then have  1 if Si is a BadString M(ci+1 ,ci ) = 0 i −1 if Si is a GoodString, cii −1  −(k − 1) if Si is a BadString M(cij ,cij−1 ) = if Si is a GoodString, cij−1  i −(k − c0 ) if Si is a BadString M(ci1 ,ci0 ) = if Si is a GoodString. ci0 By replacing each M table lookup with its value, we get  (1, −(k − 1), . . . , −(k − 1), −(k − ci0 )) if S is a BadString T i = if S is a GoodString. (cii −1 , cii −2 , . . . , ci1 , ci0 ) The right hand side in the above equation is exactly F (Si ).



Lemma 6. If S is any GoodString or BadString, then Recode(S )k = (S )k . Proof. Suppose first that S is a BadString of length  with S = (0, 0, . . . , 0, a) for some a ∈ {1, 2, . . . , k − 1}. Since M(0,a) = −(k − a) and M(0,0) = −(k − 1), the output of Recode is Recode(Sn ) = (1, −(k − 1), −(k − 1), . . . , −(k − 1), −(k − a)) .



+1

Computing the k-ary value results in a telescoping sum: (Recode(S ))k = [1 · k  ] + [−(k − 1) · k −1 ] + · · · + [−(k − 1) · k] + [−(k − a)] = k  + [−k  + k −1 ] + · · · + [−k 2 + k] + [−k + a] = a = (S )k .

258

A. Dutta et al.

This proves the statement when S is a BadString. Suppose now that S is a GoodString with S = (a−1 , a−2 , . . . , a1 , a0 ) for some ai ∈ {1, 2, . . . , k − 1} for all 0 ≤ i ≤  − 1. Since M(ai+1 ,ai ) = ai the output of Recode is mostly the same as the input, but we must account for the 0 that is initially prepended. We have M(0,a−1 ) = −(k − a−1 ), and so Recode(S ) = (1, −(k − a−1 ), a−2 , . . . , a1 , a0 ) When taking the k-ary value, the “1” and the “k” in the expression above cancel each other: (Recode(S ))k = [1 · k  ] + [−(k − a−1 ) · k −1 ] + (a−2 , . . . , a1 , a0 )k = a−1 · k −1 + (a−2 , . . . , a1 , a0 )k = (S )k . This proves the statement when S is a GoodString and concludes the proof.

Theorem 2. Let S = (a−1 , . . . , a0 ) be the k-ary representation of some N ∈ N with k  N . Write S = Sn || · · · ||S1 with each Si a GoodString or BadString. Then Recode(S ) = Recode(Sn )||F (Sn−1 )|| . . . ||F (S1 ), and 1. (Recode(S ))k = N , 2. Recode(S ) has entries in {±1, . . . , ±(k − 1)}, 3. the length of Recode(S ) is  + 1. Proof. As in Lemma 4 we define Ti = M(ci+1 ,ci 0

i −1 )

||(Recode(Si ) ∼ (i , i − 1))

for each 1 ≤ i < n. Applying Recode with Lemmas 4 and 5, we get Recode(S ) = Recode(Sn || · · · ||S1 ) = Recode(Sn )||Tn−1 || · · · ||T1 = Recode(Sn )||F (Sn−1 )|| · · · ||F (S1 ).

(3)

Taking the k-ary value, we have (Recode(S ))k = (Recode(Sn )||F (Sn−1 )|| · · · ||F (S1 ))k = (Recode(Sn ))k · k

n−1 j=1

i +1

+ (F (Sn−1 )|| · · · ||F (S1 ))k .

Now we apply Theorem 1 on (Sn−1 || · · · ||S1 )k and Lemma 6 on Recode(Sn ) to get (F (Sn−1 )|| · · · ||F (S1 ))k = (Sn−1 || · · · ||S1 )k ,

(Recode(Sn ))k = (Sn )k

and conclude Recode(S )k = (S )k = N , proving the first claim. To show claim 2, we examine Eq. (3). Each F (Sn ) has entries in K = {±1, . . . , ±(k − 1)} by definition, and the proof of Lemma 6 explicitly computes the value of Recode(Sn ), from which one can see it also has values in K. By examining Algorithm 1, it should be clear that the length of the output array B is exactly  + 1, which shows claim 3.

Extending the Signed Non-zero Bit and Sign-Aligned Columns

259

Algorithm 2. Align Require: k ∈ N with k ≥ 2; a sign sequence s = (s , s−1 , . . . , s0 ) with each si ∈ {−1, 1} and s = 1; and a = (a−1 , . . . , a0 ) with each ai ∈ {0, 1, . . . , k − 1}. Ensure: A string b = (b , b−1 , . . . , b0 ) with bi ∈ {0, ±1, ±2, . . . , ±(k − 1)}, with (b , b−1 . . . , b0 )k = (a−1 , . . . , a0 )k , and either bi = 0 or Sign(bi ) = si for all i. 1: bi ← ai for i = 0, 1, . . . ,  − 1. 2: b ← 0. 3: for i = 0 to  − 1 do 4: if bi = k then 5: bi ← 0, bi+1 ← bi+1 + 1 6: else 7: if si = 1 then 8: bi ← bi , bi+1 ← bi+1 9: else 10: if bi = 0 then 11: bi ← bi , bi+1 ← bi+1 12: else 13: bi ← −(k − bi ), bi+1 ← bi+1 + 1 14: end if 15: end if 16: end if 17: end for 18: return b

3

Generalized Sign Aligned Recoding Algorithm

In Sect. 2 we introduced an algorithm that recodes the k-ary representation of an integer into a signed non-zero digit representation. As was discussed in Sect. 1, it is desirable to have a sign aligned recoding algorithm which yields a better storage complexity for our scalar multiplication algorithm. This section will introduce a sign-alignment algorithm for a general base k and prove its correctness. 3.1

Basic Sign-Aligned Recoding

A sign sequence is any -String consisting of 1’s and −1’s. Suppose S = (a−1 , . . . , a0 ) is the k-ary representation of a positive integer N , and that S is recoded using Recode to a new representation (b , . . . , b0 ). In this section, we detail Algorithm 2, called Align, and its supporting mathematical proof. For a given length  + 1 sign-sequence (s , . . . , s0 ), the Align algorithm recodes an -String with entries in {0, 1, . . . , k − 1} so that the sign of each of its the entries agrees with the sign sequence. In the scalar multiplication algorithm presented in Sect. 4, we will take (Sign(b ), . . . , Sign(b0 )) as the sign sequence. The following theorem makes this discussion more precise and serves as a correctness statement for Algorithm 2.

260

A. Dutta et al.

Theorem 3. Let ξ+1 = (s , . . . , s0 ) such that si ∈ {1, −1} with s = 1, and let S = (a−1 , . . . , a0 ) with ai ∈ {0, 1, . . . , k − 1}. Let Align(ξ+1 , S ) = (b , . . . , b0 ). Then: 1. For 0 ≤ i <  we have bi ∈ (−k, k) ∩ Z, and b ∈ {0, 1}, 2. For 0 ≤ i ≤ , either bi = 0 or Sign(bi ) = si , 3. (b , b−1 , . . . , b0 )k = (a−1 , . . . , a0 )k . Proof. We first prove claims (1.) and (2.). Notice that during the algorithm every entry of b with the exception of b0 is updated exactly twice (though sometimes to the same value), with bi being updated on iterations i − 1 (by a “bi+1 ←” update rule) and i (by a “bi ←” update rule). We’ll first prove the claims true for b0 , which is only modified on iteration i = 0. At the start of the algorithm b0 is initialized with value a0 , which lies in the set {0, 1, . . . , k − 1} by assumption, and so the conditional statement “b0 = k” cannot evaluate to true. In the Else branch on line 6, if s0 = 1 then b0 is to remain unmodified from its value of a0 and the claims are true. Alternatively we have s0 = −1. Then either b0 = a0 = 0 and its value is left unchanged and the claims are true, or b0 = a0 ∈ {1, . . . , k − 1} in which case the final value becomes −(k − a0 ) ∈ {−1, −2, . . . , −(k − 1)} and Sign(b0 ) = −1 = s0 . This proves claims (1.) and (2.) for i = 0. Now fix an index 1 ≤ j ≤  − 1 to examine. As previously stated, bj is modified only on iterations i = j − 1 and i = j using separate sets of rules. All of the “bi+1 ←” update rules either leave the variable unchanged or increment it by 1, and we will handle each case separately. First suppose on iteration i = j − 1 that bj remains unchanged, so that at the start of iteration i = j we have bj = aj ∈ {0, 1, . . . , k − 1}. Here we cannot have bi = k, so we proceed into the Else branch of line 6. There are three separate cases to consider: 1. sj = 1: then no update to bi is performed and bj ’s final value is aj . 2. sj = −1 and bj = 0: then bj is assigned final value 0. 3. sj = −1 and bj ∈ {1, 2, . . . , k − 1}: then bj is assigned final value −(k − aj ) ∈ {−1, −2, . . . , −(k − 1)}. In each case above claims (1.) and (2.) of the theorem are satisfied. Now suppose that iteration i = j − 1 takes the action “bi+1 ← bi+1 + 1”, so that at the start of iteration i = j we have bj = aj + 1 ∈ {1, 2, . . . , k}. Here it’s possible that bi = k, in which event bj gets final value 0. Otherwise, the cases proceed identical to the previous paragraph except that the option bj = 0 is eliminated. In all cases claims (1.) and (2.) are therefore satisfied for b0 , . . . , b−1 . The final digit b is initialized to 0 and is only modified on the final iteration i =  − 1 by one of the “bi+1 ←” update rules. Consequently it can only have value 0 or 1. Note that s = 1 by assumption. This proves claims (1.) and (2.) for all digits. We prove claim (3.) by showing inductively that it holds true upon completion of each iteration of the main loop, and will therefore hold true at the end of the

Extending the Signed Non-zero Bit and Sign-Aligned Columns

261

algorithm. The first line of the algorithm initializes b with value a, serving as the base case of the induction. The branching structure of the algorithm gives four possible cases to consider, two of which leave the value of b unmodified. We consider the two nontrivial cases below. In the following, we let bij denote the value of the variable bj at the time of completion of the i-th iteration of the algorithm. Let 0 ≤ i ≤  − 1 be fixed. = k. In this case the update rules give The first nontrivial case is if bi−1 i i bi = 0 and bii+1 = bi−1 + 1, and all other values of b remain unchanged from the i+1 i−1 i previous iteration giving bj = bj for j = i, i + 1. We then have i−1 i−1 (bi , . . . , bii+1 , bii , . . . , bi0 )k = (bi−1  , . . . , bi+1 + 1, 0, . . . , b0 )k i−1 i−1 = (bi−1  , . . . , bi+1 , k, . . . , b0 )k

=

(same k-ary value)

i−1 i−1 , . . . , bi−1 (bi−1 0 )k  , . . . , bi+1 , bi

= (a−1 , . . . , a0 )k .

(by inductive hypothesis)

= 0, where the new values become The remaining case is when si = −1 and bi−1 i ) and bii+1 = bi−1 bii = −(k − bi−1 i i+1 + 1. Here we get i−1 i−1 (bi , . . . , bii+1 , bii , . . . , bi0 )k = (bi−1 ), . . . , bi−1 0 )k  , . . . , bi+1 + 1, −(k − bi i−1 i−1 = (bi−1 , . . . , bi−1 0 )k  , . . . , bi+1 , bi

= (a−1 , . . . , a0 )k .

(same k-ary value)

(by inductive hypothesis)

In all cases claim (3.) is satisfied. This completes the induction and concludes the proof. 3.2

Optimized Regular Sign-Alignment

As written, Algorithm 2 contains numerous branches which are heavily dependent upon the input string, which can potentially be exploited in side channel attacks. In this section, we present Algorithm 3, an alternate form of Algorithm 2, which is more resistant against side-channel attacks. To get started, we notice that each of the conditional statements in Algorithm 2 are a check for equality between two values. All of these checks can be put under the same umbrella by introducing an indicator function χ : Z → {0, 1}, whose value is defined to be  1 if x = 0 χ(x) = 0 if x = 0. The function χ can be used to transform conditional statements of a certain form into arithmetic evaluations in the following manner:

262

A. Dutta et al.

Algorithm 3. OptimizedAlign(s, a) Require: k ∈ N with k ≥ 2; a sign sequence s = (s , s−1 , . . . , s0 ) with each si ∈ {−1, 1} and s = 1; and a = (a−1 , . . . , a0 ) with each ai ∈ {0, 1, . . . , k − 1}. Ensure: A string b = (b , b−1 , . . . , b0 ) with bi ∈ {0, ±1, ±2, . . . , ±(k − 1)}, with (b , b−1 . . . , b0 )k = (a−1 , . . . , a0 )k , and either bi = 0 or Sign(bi ) = si for all i. 1: b ← 0 and bi ← ai for i = 0, 1, . . . ,  − 1. 2: for i = 0 to  − 1 do 3: u1 ← χ(bi − k), u2 ← χ(si − 1), u3 ← χ(bi ) 4: v ← (1 − u1 ) · (1 − u2 ) · (1 − u3 ) 5: bi ← (1 − u1 ) · bi − v · k and bi+1 ← bi+1 + u1 + v 6: end for 7: return b

a=b var ← X

−→

var ← χ(a − b) · X + (1 − χ(a − b)) · Y

var ← Y assuming that X and Y have numeric values. By repeatedly replacing the innermost conditional statements in Algorithm 2 with their equivalent arithmetic expressions as above and simplifying, we arrive at Algorithm 3. This version of Align makes three calls to the indicator function χ before computing the new value of b, and completely eliminates the branching based on secret data seen in Algorithm 2. Therefore, if both χ and integer arithmetic are implemented in a constant-time fashion, we obtain better side-channel resilience with Algorithm 3.

4

Cryptographic Applications

Algorithm 6 presents our scalar multiplication algorithm, which uses Recode (Algorithm 1) and OptimizedAlign (Algorithm 3) from the previous sections. Any cryptographic protocol which requires a VS-FB scalar multiplication computation is a suitable application for our algorithm; see Sect. 1 for examples of such protocols. If the precomputation stage has low cost (which may be the case on a curve with efficient endomorphisms, for instance), Algorithm 6 would also be suitable for applications in the VS-VB setting. In this section, we analyze Algorithm 6 and its cost in terms of both run time and storage. We also discuss choosing the parameters k and d, and the choice of curve and coordinate system which result in a more efficient algorithm. Throughout this section we will use the following notation for the cost of various operations: a, m, s, and i will respectively denote the costs of addition/subtraction, multiplication, squaring, and inversion in a fixed field F; we will use A, D, T, and K to respectively denote the elliptic curve operations of point addition, doubling, tripling, and general multiplication by k on some fixed elliptic curve E.

Extending the Signed Non-zero Bit and Sign-Aligned Columns

263

Algorithm 4. Scalar Multiplication Require: An integer k ≥ 2, a point P of order m relatively prime to k in an abelian a ∈ [1, group G, with  = log2 (m); a scalar  m); an integer d ≥ 2 determining the  number of subscalars, with w := Ensure: aP .

logk (2 ) d

.

Precomputation Stage 1: T [uk + v] ← (ud−1 k(d−1)w + · · · + u2 k2w + u1 kw + v)P for all v ∈ [1, k), u ∈ [0, kd−1 ) where (ud−1 , . . . , u1 ) is the k-ary representation of u. Recoding Stage 2: kMULT ← a mod k 3: if kMULT = 0 then a ← m − a 4: (adw−1 , . . . , a0 ) ← k-ary representation of a, padded with sufficiently many zeroes on the left. 5: (b1w , . . . , b10 ) ← Recode(aw−1 , . . . , a0 ) 6: (biw , . . . , bi0 ) ← OptimizedAlign(Sign(b1w ), . . . , Sign(b10 )), (aiw−1 , . . . , a(i−1)w )) for 2 ≤ i ≤ d. kd−2 + · · · + b2i k + b1i | for 0 ≤ i ≤ w. 7: Bi ← |bdi kd−1 + bd−1 i 8: 9: 10: 11: 12: 13: 14:

4.1

Evaluation Stage Q ← T [Bw ] for i = w − 1 to 0 by −1 do Q ← kQ Q ← Q + Sign(b1i ) · T [Bi ] end for if kMULT = 0 then return −Q return Q

Explanation of Algorithm 4

Our scalar multiplication algorithm uses an integer parameter k ≥ 2, for which the input scalar is written in base k and recoded, and an integer parameter d ≥ 2, which is used to split the input scalar into d subscalars for sign alignment. The base point P of the algorithm should have order m relatively prime to k, where P is a point of an abelian group G, with m having  = log2 (m) bits. The input scalar a is an integer in [1, m), and the algorithm returns aP as output. We let   logk (2) , which will determine the length in digits of each subscalar. w := d We briefly explain the details of Algorithm 4 as follows. In the Precomputation Stage of Algorithm 4, specific multiples of P are computed which will be used in the main loop of the algorithm (on line 11). For 0 ≤ i < d, let Pi = k iw P . Then line 1 computes all points in the set {ud−1 Pd−1 + · · · + u1 P1 + vP0 : 0 ≤ ui < k, 1 ≤ v < k}

(4)

and arranges them into a table T . For a fixed base algorithm (such as the first round of ECDH) this step will be performed offline at no cost, and so we do not go into details on how the computation of the points in this set is carried out.

264

A. Dutta et al.

In the Recoding Stage, the scalar a is recoded using Recode and OptimizedAlign from the previous sections, which gives our scalar multiplication algorithm its regular structure. Note that the input scalar a can be any integer in [1, m), while the input to Recode requires k not to divide a. To address this restriction, we assign a variable kMULT to a mod k and if this equals 0 we update scalar a to m − a. In this case, the return value should be corrected to −Q. We have included the restriction that k and m be relatively prime so that k cannot divide both a and m − a simultaneously. Line 3 uses this approach to ensure that k does not divide a. Afterwards, a is written in k-ary as a = (adw−1 , . . . , a0 )k (padded with zeroes if necessary) and partitioned into d subscalars; let a(i) := (aiw−1 , . . . , a(i−1)w ) for 1 ≤ i ≤ d. On line 5 the Recode algorithm is invoked on a(1) with base k (note that a0 = 0 since by this step a is not divisible by k) to get an output b(1) with the properties of Theorem 2. Next a sign alignment is performed on each of the remaining subscalars a(2) , . . . , a(d) on line 6 to find b(2) , . . . , b(d) , each of which satisfies the properties of Theorem 3 with respect to the signs of the digits of b(1) . Finally line 7 collects the digits of the b(j) into new scalars Bi which give the entries of the lookup table T to be used in the evaluation stage. The last lines 8–12 of Algorithm 4 define the Evaluation Stage. This stage proceeds by performing one point multiplication by k and one point addition in G on each iteration of the loop by use of the Bi . Due to the sign alignment of the scalars the sum involved is either an addition or subtraction based on the (1) sign of bi . 4.2

General Cost Analysis

Here we derive general costs involved in Algorithm 4 for a general group G in terms of storage and computation. The main storage cost involved is due to line 1, where all points in the set given in Eq. 4 are required to be stored in the table T . The number of points in this set is exactly (k − 1)k d−1 . Storage costs involved during runtime are that of storing the digits of a, the digits of the recoded scalars b(i) , the integers Bi , and the point Q; we assume these costs are negligible in comparison to the size of the table T and therefore ignore them. The computational costs involved in lines 3–7 deal mainly with small integer arithmetic (including the operations involved in Recode and OptimizedAlign), and we assume the construction of T in line 1 is performed offline at no cost, like in the VS-FB setting. Therefore, we only consider the computational costs involved in the evaluation stage. The loop contains w iterations, which each perform a single point multiplication by k and point addition (we assume inversion in G is negligible, such as on an elliptic curve). This gives a total cost of w(K + A) =   logk (2) (K + A). We summarize these costs as: d Algorithm 4 Storage Cost: Algorithm 4 Computation Cost:

(k − 1)k d−1 points of G,    logk (2) (K + A). d

(5) (6)

Extending the Signed Non-zero Bit and Sign-Aligned Columns

265

The split and comb method is a well-known general-use VS-FB algorithm generally attributed to Yao [28] and Pippenger [24] in 1976. Lim and Lee improved upon this method in [19] to give an efficient special case in 1994. The split and comb method further subdivides each of the d subscalars into v subsubscalars, increasing the storage space linearly in v with the benefit of reducing the number of K operations required. Algorithm 4 can be modified to use the split and comb method by partitioning the (biw , . . . , bi0 ) strings into v many blocks, padding with 0’s if necessary. New integers Bi,j can be derived in a similar way, and the main loop performs 1K and vA per iteration, with fewer iterations total. See [19] for further details on the split and comb method. The total costs for Algorithm 4 modified with the split and comb method are: (7) Storage Cost: v(k − 1)k d−1 points of G.       logk (2)  logk (2)/d + 1 Computational Cost: A+ − 1 K. (8) d v 4.3

Concluding Remarks

An interesting question to ask is under what scenario will k = 3 outperform k = 2 in our algorithm (Algorithm 4 with the split and comb modification) at the same storage level? To investigate this we now compare the computational costs for the k = 2 and k = 3 settings assuming approximately the same amount of total storage space. We choose 256-bit scalar and denote the cost of the point doubling, tripling and addition operations as D, T and A respectively. We use parameters d2 , v2 for the k = 2 setting and d3 , v3 for k = 3 setting. This leads to solving the following inequality, subject to the equal storage constraint: 



⎛⎡  256 log

256 log3 2 A + ⎝⎢ ⎢ d3 ⎢

d3

3

2

v3

 +1





⎥ − 1⎠ T ≤ ⎥ ⎥





⎛⎡ 

256 A + ⎝⎢ ⎢ d2 ⎢

256 d2



v2

+1





⎥ − 1⎠ D ⎥ ⎥

(9) d3 −1

3

d2 −1

2v3 ≈ 2

v2

(10)

To derive a concrete solution, we specialize to the case of Twisted Edwards curves using points in projective coordinates. Here, we assume table elements are stored with Z value 1 and therefore use the cost values of A = 9 m + 1 s, D = 3 m + 4 s, and T = 9 m + 3 s (see [1]), and assume 1 s = 0.8 m. We then d2 −2 solve Approximation 10 to obtain v3 ≈ 23d3 −1v2 , substitute this expression into inequality 9, and consider the two cases d2 = d3 = 2 and d2 = d3 = 4. For these cases, we find v2 ≥ 6 for d2 = d3 = 2 and v2 ≥ 13 for d2 = d3 = 4. Taking d2 = 2 and v2 = 6 yields a storage level of 21 · 6 = 12 points, while d2 = 4 and v2 = 13 gives a storage level of 23 · 13 = 108 points; these storage sizes are certainly feasible for implementation, and so k = 3 may indeed be more desirable than k = 2 in realistic scenarios. Table 2 lists some particular cases where k = 3 outperforms k = 2 at comparable storage levels when d = 2, 4.

266

A. Dutta et al.

We should note that our comparisons are made over a fixed choice of d (while varying v). This is the case in many cryptographic applications. For example, if a protocol is implemented using elliptic curves with endomorphisms of degree 4 [6], then d is naturally fixed to 4. Similarly, d = 2 is a common choice in applications where curves with endomorphisms of degree 2 are deployed [10, 11], or when double point multiplication is required such as in isogeny based cryptosystems [14]. Table 2. Fixing d = 2 and 4 the run time in terms of cost per bit unit for k = 3 is better than k = 2 when the storage i.e the number of precomputed points is equal (or approximately equal) k=2 d v2

4.4

k=3

Storage Cost Per Bit v3 Storage Cost Per Bit

2

6 12 9 18 12 24 54 108 108 216

5.41 5.24 5.14 4.95 4.92

2 12 3 18 4 24 18 108 36 216

4.88 4.30 3.99 3.28 3.19

4

13 104 20 160 27 216

2.55 2.52 2.50

2 108 3 162 4 216

2.46 2.15 2.01

Future Work

We considered only Twisted Edwards curves and projective coordinates for representing points, and we focused on the VS-FB setting. Other curve and coordinate choices may be more suitable for certain scenarios, such as using a triplingoriented Doche-Icart-Kohel curve in the k = 3 setting, or using a mixing of projective and extended coordinates on Twisted Edwards curves in the k = 2 setting. A careful analysis of the performance of Algorithm 4 will be required for both scenarios before a clear winner can be determined. A detailed C implementation would also be very insightful to see how our theoretical costs reflect the timings achieved in practice, for both VS-FB and VS-VB settings. Algorithms we presented in this paper provide some degree of resistance against side-channel attacks thanks to their regular nature. However, further analysis and implementation would be required to evaluate their security in practice.

A

Example of Algorithm 4

Let P be point in an abelian group, such as an elliptic curve over a finite field Fp , and that |P | = m with  = log2 (m) = 15. Then scalars in [1, m) are represented

Extending the Signed Non-zero Bit and Sign-Aligned Columns

267

with length log3 (2 ) = 10, appending leading 0s if necessary. Suppose we run Algorithm 4 with inputs P , a = 39907, d = 4 and k = 3. Notice k does not divide a, so the exact value of m is irrelevant. The length of each subscalar is determined as w = /d = 10/4 = 3. Algorithm 4 computes 39907P as follows. Precomputation Stage: According to Algorithm 4 we first precompute a table T of points of the form T [uk + v] = (u3 , u2 , u1 , v)kw P = (u3 k 3w + u2 k 2w + u1 k w + v)P for v = 1, 2 and u ∈ [0, 33 ) where (u3 , u2 , u1 ) is the k-ary representation of u. Recoding Stage: The k-ary representation of a = 39907 is (2, 0, 0, 0, 2, 0, 2, 0, 0, 1). We pad dw −  = 4 · 3 − 10 = 2 many 0’s on its left to get (0, 0, 2, 0, 0, 0, 2, 0, 2, 0, 0, 1). The string is then split into d = 4 many 3-Strings A1 , A2 , A3 , A4 , shown below. Recode is then applied to A1 = (0, 0, 1) to get the nonzero scalar b1 = (1, −2, −2, −2), and Align (or OptimizedAlign) is applied to A2 , A3 , A4 with the sign sequence Sign(b1 ) = (Sign(1), Sign(−2), Sign(−2), Sign(−2)) = (1, −1, −1, −1), to get sign-aligned scalars b2 , b3 , and b4 . This process can be visualized in matrix form as:

⎡ ⎤ ⎡ ⎤ A1 001 ⎢A2 ⎥ ⎢2 0 2⎥ ⎢ ⎥=⎢ ⎥ ⎣A3 ⎦ ⎣0 0 0⎦ A4 002

⎡ ⎤ ⎡ 1⎤ Recode 1 −2 −2 −2 b } − − − − − − → ⎫ 2⎥ ⎢ ⎥ ⎢ 1 0 −2 −1 b ⎬ ⎢ ⎥ = ⎢ 3⎥ Align −−−−−−→ ⎣0 0 0 0 ⎦ ⎣b ⎦ ⎭ b4 1 −2 −2 −1

Note that the above 4×3 matrix is the matrix used in Straus’ algorithm. The final step of the recoding stage is to compute B0 , B1 , B2 , B3 . These are determined by interpreting the columns of the 4×4 matrix above in base k, with the top row being the least significant digit and B0 corresponding to the rightmost column. Specifically, the Bi are derived as follows. For convenience, the corresponding table entries and the signs si = Sign(b1i ) are also listed. B0 = |(−1, 0, −1, −2)3 | = 32, B1 = |(−2, 0, −2, −2)3 | = 62,

T [32] = 19712P, T [62] = 39422P,

s0 = −1, s1 = −1,

B2 = |(−2, 0, 0, −2)3 | = 56, B3 = |( 1, 0, 1, 1)3 | = 31,

T [56] = 39368P, T [31] = 19711P.

s2 = −1,

Evaluation Stage: It can be easily verified that the following equality holds: 39907P = T [31] · 33 + s2 T [56] · 32 + s1 T [62] · 31 + s0 T [32].

268

A. Dutta et al.

Table 3. Evaluation stage of Algorithm 4 for input a = 39907, k = 3, and d = 4. i b1

b2

3 1 1 0 2 −2 1 −2 −2 0 −2 −1

b3

b4

Bi T [Bi ]

0 1 31 19711P 0 −2 56 39368P 0 −2 62 39422P 0 −1 32 19712P

si

Q ← 3Q Q ← Q + si T [Bi ]

— −1 −1 −1

— 59133P 59295P 59619P

19711P 59133P − 39368P = 19765P 59295P − 39422P = 19873P 59619P − 19712P = 39907P

In the evaluation stage Algorithm 4 computes 39907P in a triple-and-add manner using the above equality. We stress that in general the T [Bi ] are never zero, so trivial additions never occur. We therefore initialize a point Q to have value Q = T [B3 ] = T [31] = 19711P , and then proceed in an alternating sequence of tripling Q and adding/subtracting the appropriate T [Bi ] to Q. Each of the steps are given in Table 3.

References 1. Explicit Formulas Database. https://hyperelliptic.org/EFD/ 2. Avizienis, A.: Signed-Digit Number Representations for Fast Parallel Arithmetic. IRE Transactions on Electronic Computers, EC-10, pp. 289–400 (1961) 3. Avanzi, R., et al.: Handbook of Elliptic and Hyperelliptic Curve Cryptography, Second Edition. Chapman & Hall/CRC, 2nd edition (2012) 4. Booth, A.: A signed binary multiplication technique. Q. J. Mech. Appl. Math. 4, 236–240 (1951) 5. Bos, J., Coster, M.: Addition chain heuristics. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 400–407. Springer, New York (1990). https://doi.org/ 10.1007/0-387-34805-0 37 6. Costello, C., Longa, P.: FourQ: four-dimensional decompositions on a Q-curve over the Mersenne Prime. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 214–235. Springer, Heidelberg (2015). https://doi.org/10.1007/9783-662-48797-6 10 7. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22, 644–654 (1976) 8. Faz-Hern´ andez, A., Longa, P., S´ anchez, A.H.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 1–27. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9 1 9. Feng, M., Zhu, B.B., Zhao, C., Li, S.: Signed MSB-set comb method for elliptic curve point multiplication. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds.) ISPEC 2006. LNCS, vol. 3903, pp. 13–24. Springer, Heidelberg (2006). https://doi.org/10. 1007/11689522 2 10. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009). https://doi.org/10.1007/9783-642-01001-9 30

Extending the Signed Non-zero Bit and Sign-Aligned Columns

269

11. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001). https://doi.org/10.1007/3540-44647-8 11 12. Hedabou, M., Pinel, P., B´en´eteau, L.: Countermeasures for preventing comb method against SCA attacks. In: Deng, R.H., Bao, F., Pang, H.H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 85–96. Springer, Heidelberg (2005). https:// doi.org/10.1007/978-3-540-31979-5 8 13. Hisil, H., Hutchinson, A., Karabina, K.: d -MUL: optimizing and implementing a multidimensional scalar multiplication algorithm over elliptic curves. In: Chattopadhyay, A., Rebeiro, C., Yarom, Y. (eds.) SPACE 2018. LNCS, vol. 11348, pp. 198–217. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05072-6 12 14. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5 2 15. Jedwab, J., Mitchell, C.: Minimum weight modified signed-digit representations and fast exponentiation. Electron. Lett. 25, 1171–1172 (1989) 16. Johnson, D., Menezes, A., Vanstone, S.: The Elliptic Curve Digital Signature Algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001). https://doi.org/10.1007/ s102070100002 17. Joye, M., Tunstall, M.: Exponent recoding and regular exponentiation algorithms. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 334–349. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2 21 18. Karabina, K.: A survey of scalar multiplication algorithms. In: Chung, F., Graham, R., Hoffman, F., Mullin, R.C., Hogben, L., West, D.B. (eds.) 50 years of Combinatorics, Graph Theory, and Computing, chapter 20, pp. 359–386. Chapman and Hall/CRC (2019) 19. Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 95–107. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5 11 20. Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 200–207. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-475559 18 21. M¨ oller, B.: Securing elliptic curve point multiplication against side-channel attacks. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 324–334. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45439-X 22 22. Morain, F., Olivos, J.: Speeding up the computations on an elliptic curve using addition-subtraction chains. Theoret. Informat. Appl. 24, 531–543 (1990) 23. Okeya, K., Takagi, T.: The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 328–343. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X 23 24. Pippenger, N.: On the Evaluation of Powers and Related Problems. In: 17th Annual IEEE Symposium on Foundations of Computer Science, pp. 258–263 (1976) 25. Solinas, J.: Efficient arithmetic on koblitz curves. Des. Codes Crypt. 19, 195–249 (2000)

270

A. Dutta et al.

26. Straus, E.: Addition chains of vectors (problem 5125). Am. Math. Monthly 70, 806–808 (1964) 27. Xu, M., Feng, M., Zhu, B., Liu, S.: Efficient comb methods for elliptic curve point multiplication resistant to power analysis. Cryptology ePrint Archive, Report 2005/22 (2005) 28. Yao, A.: On the evaluation of powers. SIAM J. Comput. 5, 281–307 (1976)

Ciphers and Cryptanalysis

Cryptanalysis of the Permutation Based Algorithm SpoC Liliya Kraleva1(B) , Raluca Posteuca1 , and Vincent Rijmen1,2 1

imec-COSIC, KU Leuven, Leuven, Belgium {liliya.kraleva,raluca.posteuca,vincent.rijmen}@esat.kuleuven.be 2 Department of Informations, University of Bergen, Bergen, Norway

Abstract. In this paper we present an analysis of the SpoC cipher, a second round candidate of the NIST Lightweight Crypto Standardization process. First we present a differential analysis on the sLiSCP-light permutation, a core element of SpoC. Then we propose a series of attacks on both versions of SpoC, namely round-reduced differential tag forgery and message recovery attacks in the related-key, related-nonce scenario, as well as a time-memory trade-off key-recovery attack on the full round version of Spoc-64. Finally, we present an observation regarding the constants used in the sLiSCP-light permutation. Keywords: SpoC · sLiSCP permutation · Lightweight · Differential cryptanalysis · TMTO attack · NIST Lightweight competition · LWC

1

Introduction

The majority of the current standards in symmetric cryptography were initially designed for desktop and server environments. The increasing development of technology in the area of constrained environments (RFID tags, industrial controllers, sensor nodes, smart cards) requires the design of new, lightweight primitives. For this reason, NIST organised a competition aiming at standardizing a portfolio of lightweight algorithms, targeting authenticated encryption with associated data (AEAD) ciphers and hash functions. Currently the competition is at the second round with 32 out of 56 candidates left. The candidates of the NIST Lightweight Competition [NIS19] need to satisfy certain criteria for performance and have a level of security of at least 112 bits. In order to contribute to the public research efforts in analysing the candidates of the on-going second round, we focused on the SpoC cipher, a permutation based AEAD. In this paper we present the results of a security research on both versions of SpoC, namely SpoC-64 and SpoC-128. We analyse the sLiSCP-light permutation used in the algorithm, as well as the structural behaviours of SpoC-64. 1.1

Related Work

In [LSSW18] the authors describe a differential analysis of reduced-step sLiSCP permutation, a previous version of sLiSCP-light, in the AE and hashing modes. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 273–293, 2020. https://doi.org/10.1007/978-3-030-65277-7_12

274

L. Kraleva et al.

This paper presents forgery attacks on 6 (out of 18) steps of the permutation. Their approach is similar to the one presented in this paper, even though we aim at analysing the newer version of the permutation, namely the sLiSCP-light permutation and its application in the SpoC cipher. In parallel with our research, an open source paper analyzing the sLiSCP and sLiSCP-light permutations was published. In [HNS20] the authors use an approach based on Limited birthday distinguishers, improving the attacks against the sLiSCP permutation and proving the lower bound of the complexity to solve LBDs for a random permutation. 1.2

Our Contribution

In this paper we present differential characteristics for round reduced versions of both sLiSCP-light-[256] and sLiSCP-light-[192]. For the former a 6 out of 18 rounds characteristic is given with probability 2−106.14 and for the latter a 7 round and 9 (out of 18) round characteristics with probabilities 2−108.2 and 2−110.84 respectively are presented. Based on the described characteristic, we introduce selective tag forgery attacks for both versions of round-reduced SpoC and a message recovery attack on 9-round SpoC-64. Additionally, a keyrecovery attack is introduced for the full round version of SpoC-64, based on a time-memory trade-off approach. Table 1 summarizes our attacks and their complexities. To the best of our knowledge, this is the first research that analyses the security of the sLiSCP-light permutation and the first published results on SpoC. Table 1. All attacks on SpoC. We underline that the data complexity of the keyrecovery attack corresponds to the success probability 2−15 Attack

Steps of π Data

Tag forgery on SpoC-128

6

2

Tag forgery on SpoC-64

7

2108.2

Message recovery on SpoC-64 9 Key recovery on SpoC-64 All ∗ SBox computations, ∗∗ table look ups,

1.3

106.14

2

110.84

Time

Memory Section

107.14∗

2

2109.2



109.84∗∗

2

267 2110 ∗∗∗ table entries



4.2



4.3

– 2110

4.4 ∗∗∗

5

Structure

The paper is structured as follows: In Sect. 2 we briefly introduce the tools used in our research, the SpoC cipher and the sLiSCP-light permutation. In Sect. 3 we present round-reduced differential characteristics of both versions of the sLiSCPlight permutation. Section 4 introduces tag-forgery and message recovery attacks on the SpoC cipher parameterized with round-reduced sLiSCP-light permutations, while in Sect. 5 is introduced a TMTO key-recovery attack on full Spoc64. Section 6 presents an observation regarding the generation algorithm of the sLiSCP-light constants. Finally, the last section concludes the paper.

Cryptanalysis of the Permutation Based Algorithm SpoC

2

275

Preliminaries

This section gives some essential aspects of differential cryptanalysis and how to estimate the differential probability. Additionally, the algorithms of SpoC and sLiSCP-light are presented. 2.1

Differential Cryptanalysis

Differential cryptanalysis is one of the most powerful and used cryptanalysis techniques against symmetric primitives. Proposed by Biham and Shamir [BS90], this approach was introduced as the first attack that fully breaks the DES algorithm [NIS79]. This attack has been largely analysed and further developed, leading to attacks like Truncated differentials [Knu94], the Boomerang attack [Wag99] or Impossible differentials [BBS99]. A differential characteristic over n rounds of an iterated cipher is defined as the sequence of intermediate differences (a = a1 , a2 . . . an = b), where each (ai , ai+1 ) represents the input and output difference of one round. Assuming that the rounds are independent and the keys are uniformly distributed, then the Expected Differential Probability (EDP) of a characteristic is computed by multiplying the single rounds’ probabilities.

EDP (a1 , a2 , . . . an ) =

n 

DP (ai−1 , ai ),

i

where DP represents the differential probability for one round. For simplicity, in this paper we also use the notion of weight of a differential characteristic, instead of probability, computed as the absolute value of the log2 of the probability. In practice, only the input and output differences can be observed without considering the intermediate differences. We define the set of all differential characteristics with input difference a and output difference b as a differential (a, b). The probability of a differential (a, b) is computed as the sum of the probabilities of all differential characteristics contained by it and is thus a hard problem. Therefore, the probability of the optimal characteristic serves as a lower bound for the probability of the differential. 2.2

SAT Solvers

Nowadays, the security against differential cryptanalysis of ARX ciphers is analysed using automated tools such as SAT (Booolean Satisfability) or MILP (Mixed-Integer Linear Programming) solvers. A SAT solver determines whether a boolean formula is satisfiable. Many operations like modular addition, rotation and XOR can be written as simple equations and easily translated to boolean expressions. For ARX ciphers several automatic search tools have been developed, see for example [Ste14,MP13,Ran17]. We chose to use the ARXpy tool [Ran17,RAS+20], because of its easy to use implementation, complete documentation and open-source code.

276

2.3

L. Kraleva et al.

Specifications of SpoC

SpoC, or Sponge with masked Capacity [AGH+19], is a permutation based mode of operation for authenticated encryption. Since it is a sponge construction, its b-bit state is divided into rate and capacity bits with r the size of the rate and c = b−r the size of the capacity. The authors introduced a masked capacity part with size r, representing the blocks in which the message and AD are added. Two main versions are defined, namely SpoC-64 sLiSCP-light-[192] and SpoC-128 sLiSCP-light-[256], where 64 and 128 represent the corresponding size of the rate bits and sLiSCP-light-[] is the permutation used. Throughout this paper we refer to each of the SpoC versions as SpoC-r, while the permutation is also denoted by π. The key and nonce sizes of both versions are 128 bits. The following table describes the bit size of the parameters of both versions:

Instance

State b Rate r Tag t SB size Rounds u Steps s

SpoC-64 sLiSCP-light-[192]

192

64

64

48

6

18

SpoC-128 sLiSCP-light-[256] 256

128

128

64

8

18

The state of SpoC is divided into 4 subblocks (S0 ||S1 ||S2 ||S3 ) with equal length, where || defines the concatenation. The encryption process of SpoC contains the Initialization, Associated Data Processing, Plaintext Processing and Tag Processing phases and is shown in Fig. 1. Initialization. This is the only step that is different for the two versions of SpoC. For SpoC-128, this process consists only of loading the key K = K0 ||K1 and nonce N = N0 ||N1 to the state into the odd and even numbered subblocks respectively. That is, S1 [j] ← K0 [j], S3 [j] ← K1 [j], S0 [j] ← N0 [j], S2 [j] ← N1 [j], where 0 < j < 7 and X[j] represents the j th byte of the block X. All capacity bits are considered as masked. In SpoC-64 the state is smaller, while the sizes of the key and nonce are unchanged. First, K and N0 are loaded to the state and then the permutation sliSCP-light-[192] is applied. Finally, N1 is added to the masked capacity bits. The rate part is represented by the first 4 bytes of subblocks S0 and S2 and is where N0 is loaded, while the key is loaded to the rest of the state. AD and Message Processing. This two phases are very similar. The blocks of AD, respectively message, are absorbed into the state and after each block a control signal (also referred to as a constant) is added. Finally, π is applied to the state. The added constant depends on both the phase and the length of the block. For the AD processing phase, the added constant is 0010 for a full block and 0011 for a partial (last) block. Respectively, for the message processing phase, 0100 is added for a full block and 0101 for a partial block. In both AD and message processing phases, in the case of an incomplete last block, a padding function is applied. We denote this by padding(M ) =

Cryptanalysis of the Permutation Based Algorithm SpoC N1

Aa−2

A0

277

Aa−1

c load (K, N0 )

π

π

π

π

r 0010||0n−4

0010||0n−4

0010||0n−4 (0011||0n−4 )

Mn−2

M0

π

Mn−1

π

π

0100||0n−4

0100||0n−4

Mn−2

M0 C0

π

0100||0n−4

1000||0n−4

(0101||0n−4 )

Mn−1 Cn−2

tag

Cn−1

Fig. 1. Schematic diagram of the different phases used in the SpoC cipher. The shown initialization is for SpoC-64. Note that the state is divided in two parts, the capacity (the upper part) and the rate (the lower part).

M ||1||0mc −n−1 for a block M of length n < mc , where mc is the length of a full block (which is, in fact, the length of the masked capacity part). Tag Processing. The control signal in this phase is set to 1000 and is added right after the control signal of the previous phase. Then π is applied and the tag is extracted from S1 and S3 of the output state. Note, that if there is null AD (respectively, null message), the corresponding phase is entirely omitted. We denote with (AD, M ) an associated data and message pair and with ”” an empty instance of either of them. For example, (””, M ) denotes an input pair having null associated data. 2.4

Specifications of sLiSCP-Light

sLiSCP-light-[b] is a permutation that operates on a b-bit state, where b equals 192 or 256, and is defined by repeating a step function s times. The state is divided into four 2m-bit subblocks (S0i ||S1i ||S2i ||S3i ), with 0 < i < s − 1 the step number and m being equal to 24 or 32. We denote a zero subblock as 02m or simply 0, where the number of zero bits is clear from the context. The following 3 transformations are performed: SubstituteSubblocks(SSb), AddStepconstants(ASc), and MixSubblocks(MSb). An ilustration is shown in Fig. 2a.

278

L. Kraleva et al. yi

xi S0

S1 rc0

S2 rc1

SB

sc0

S3 5 SB

sc1

S01

S11

1

S01

S01

rc

xi+1

(a)

yi+1

(b)

Fig. 2. The sLiSCP-light step function is shown in (a) On top, the blue blocks represent masked capacity bits and the green represent the rate bits for SpoC-64. (b) represents one round of the Simeck cipher, used as SB. (Color figure online)

The SSb transformation is a partial substitution layer, in which a non-linear operation is applied to half of the state - in subblocks S1 and S3 . The nonlinear operation, or the SBox, is represented by an u-round iterated unkeyed Simeck-2m block cipher [YZS+15]. The Simeck SBox used in the description of the permutation is depicted in Fig. 2b. For an input (xi , yi ) of the ith round, the output is R(xi+1 , yi+1 ) = (yi ⊕ f (xi ) ⊕ rc, xi ), where f (x) = (x  (x  5) ⊕ (x  1)) and rc represents a constant computed using the sLiSCP-light’s round constants rci . The ASc layer is also applied to half of the state as the step constants sci1 and sci2 are applied to subblocks S0i and S2i respectively. Table 2 lists all round and step constants used in sLiSCP-light. The reader can refer to [AGH+19] or [ARH+18] for more details regarding the description of SpoC and the sLiSCP-light permutation. 2.5

Security Claims and the Impact of Our Attacks

In the original paper, the authors of SpoC introduced the security claims in different manners. In this paper, we refer to the security claims described in Table 3.1 from [AGH+19], since we consider this to be the most restrictive. Our interpretation of this table is that the best attack on either version of SpoC uses at most 250 data encrypted under the same key and has a time complexity of at most 2112 . Furthermore, the attack, aiming at either breaking the confidentiality or the integrity of the cipher, has a success probability of at least 2−16 .

Cryptanalysis of the Permutation Based Algorithm SpoC

279

Table 2. (a) Round and step constants for sLiSCP-light-[192] (b) Round and step constants for sLiSCP-light-[256]

(a) Round and step constants for sLiSCP-light-[192]: 0-5

i (rci 0 , rc1 ) (7,27), (4,34), (6,2e), (25,19), (17,35), (1c,f)

i (sci 0 , sc1 ) (8, 29), (c, 1d), (a, 33), (2f, 2a), (38, 1f), (24, 10)

6-11

(12, 8), (3b, c), (26, a), (15, 2f), (3f, 38), (20, 24)

(36, 18), (d, 14), (2b, 1e), (3e, 31), (1, 9), (21, 2d)

step i

12-17 (30, 36), (28, d), (3c, 2b), (22, 3e), (13, 1), (1a, 21) (11, 1b), (39, 16), (5, 3d), (27, 3), (34, 2), (2e, 23)

(b) Round and step constants for sLiSCP-light-[256]: 0-5

i (rci 0 , rc1 ) (f, 47), (4, b2), (43, b5), (f1, 37), (44, 96), (73, ee)

i (sci 0 , sc1 ) (8, 64), (86, 6b), (e2, 6f), (89, 2c), (e6, dd), (ca, 99)

6-11

(e5, 4c), (b, f5), (47, 7), (b2, 82), (b5, a1), (37, 78)

(17, ea), (8e, 0f), (64, 04), (6b, 43), (6f, f1), (2c, 44)

step i

12-17 (96, a2), (ee, b9), (4c, f2), (f5, 85), (7, 23), (82, d9) (dd, 73), (99, e5), (ea, 0b), (0f, 47), (04, b2), (43, b5)

In all of our differential-based attacks, each encryption is performed under different key-nonce pairs, whereas in the online phase of the key-recovery attack the adversary intercepts messages encrypted by an honest user. The Impact of Our Attacks. Since all of our differential-based attacks are applied to round-reduced versions of SpoC, we consider that they do not have an impact on the security of the SpoC cipher. Nonetheless, we consider this work relevant because it presents an analysis on the SpoC cipher and on the sLiSCP-light permutation that improves the knowledge about the security of both. Regarding our key-recovery attack, since we were able to apply a generic Time-Memory Trade-Off on the full SpoC-64, we consider that there might be some undesirable properties inducing vulnerabilities in the mode of operation of SpoC-64. Since the initialization function of SpoC-64 is not bijective, different key-nonce pairs might lead to a collision on the internal state after initialization. This fact can be compared to the nonce misuse scenario since, in both cases, the same initialized state is used more than once. Therefore, there is no distinction, with respect to the ciphertext and tag, between encrypting twice with the same (key, nonce) pair and encrypting with two (key, nonce) pairs that collide after the initialization phase.

3

Differential Cryptanalysis on sLiSCP-Light

In this section we present several characteristics for both versions of the sLiSCPlight permutation. Our characteristics are constructed by imposing specific constraints on the input and output differences in order to be further used in a series of attacks on SpoC. First, the details for our 6 round characteristic on sLiSCP-light-[256] are presented, then 2 different characteristics over 7 and 9 rounds of sLiSCP-light-[192] are shown.

280

L. Kraleva et al. S1

S0

S2

S3

δ4 1

δ3

δ3

SB δ3

δ5 0

δ6

SB δ6

δ6

0 δ6 2

δ3

δ3

SB δ3

δ6

0

SB

δ6

0 δ6 3

δ3

δ3

SB δ3

SB

SB

SB

0

4

δ3 δ3

δ3 5

SB

0

δ2

SB δ2

δ2 δ2 6

0

δ1

SB δ1

δ2

0

SB

δ2

δ1 δ1

δ2

0

δ1

Fig. 3. The active SBoxes for 6 rounds of sLiSCP-[256] with the difference propagation

3.1

Characteristics on sLiSCP-Light-[256]

In order to construct this 6 rounds characteristic of sLiSCP-light-[256] we impose a constraint only on the output difference and thus we construct it backwards. We fix the output difference in the first and third subblocks to ΔS06 = δ1 and ΔS26 = 0. In fact, those are the positions of the rate bits when applied to SpoC. The purpose and value of δ1 is discussed in Sect. 4. The output difference in subblocks S16 and S36 is irrelevant for our attacks, thus can take any value. However, in order to decrease the number of active Sboxes, we choose ΔS16 = δ2 and ΔS36 = δ1 , where δ2 is a possible input difference for the Sbox that leads to δ1 . In this case, the characteristic has only one active Sbox in each of the last two rounds and none in the 4th one. As it can be seen in Fig. 3, for 6 rounds of the permutation we have 6 active Sboxes with the following transitions: SB

SB

SB

SB

δ5 −−→ δ6 −−→ δ3 −−→ δ2 −−→ δ1 ,

SB

δ4 −−→ δ3 .

The resulted characteristic has the input difference δ3 ||δ4 ||064 ||δ5 and the output difference δ1 ||δ2 ||064 ||δ1 , therefore, by fixing the input and the output

Cryptanalysis of the Permutation Based Algorithm SpoC

281

of the characteristic we actually fix the differences from δ1 to δ5 . However, the difference δ6 can take multiple values, as long as it is a valid output difference for the input difference δ5 and is a valid input difference for the output difference δ3 . In the case of our characteristic we take δ6 = δ4 . To choose the differences δi we used the automatic search tool ArxPy [Ran17]. By fixing δ1 to one of the possible values described in Sect. 4, we constructed a tree of differences. The nodes of this tree represent all possible input differences returned by ArxPy, having weight less than the optimal one plus 3. After choosing the appropriate differences, the weight of each transition was empirically verified using 230 data. In order to obtain the final weight of the characteristic all weights of the SBox transitions were added up. Our best differential characteristics and their corresponding weights are listed in Table 3. The best weight that we found for 6 rounds of the permutation is 106.14. Note that the optimal characteristic over one SBox (8 rounds of Simeck) has weight 18. This is proven in [LLW17] and verified by us with the ArxPy tool. The empirical differential probability of 8 rounds of Simeck has slightly lower or higher weight than the optimal characteristic, which is expected due to the differential effect and the independency assumptions. 3.2

sLiSCP-Light[192]

In this section we present 2 characteristics, one over 7 rounds and one over 9 rounds of sLiSCP-light-[192]. They are constructed in a similar way as the characteristic described in the previous subsection. The requirements of the desired differences in the input and output bit positions are different, since the constraints imposed by our attack scenarios are different. 7-Round Characteristic. The constraints of our 7-round characteristic fix the nonzero input difference to S10 and S30 , while the output difference is S07 = δ1 and S27 = 048 . The difference in S17 and S37 is chosen for convenience, to reduce the number of active SBoxes. Therefore, our characteristic has 7 active Sboxes, as shown in Fig. 4a. The described characteristic has input and output differences (048 ||δ4 ||048 ||048 → δ1 ||048 ||048 ||δ1 ), with SB

SB

SB

δ4 −−→ δ3 −−→ δ2 −−→ δ1 ,

SB

δ2 −−→ δ3 .

Table 3. The best characteristics we found for sLiSCP-[256] are shown in this table. For simplicity the 64-bit differences are presented in hexadecimal and separated in two halves and the “..” denote 3 zero bytes. The values above the arrows represent the weight of each transition’s differential. δ5

δ4 = δ6

δ3

δ2

δ1

17.69

17.69

17.69

17.69

17.69

17.69

17.69

17.69

18.69

17.69

17.69

17.69

18.30

18.30

18.30

18.90

w

1..0, 1..0 − −−− → 1..1, 0..0 − −−− → 1..0, 0..0 − −−− → 1..1, 0..0 − −−− → 1..0,0..0 106.14 1..0, 0..0 − −−− → 1..1, 0..0 − −−− → 1..0, 0..0 − −−− → 1..1, 0..0 − −−− → 1..0,0..0 106.14 1..0, 0..2 − −−− → 1..1, 0..0 − −−− → 1..0, 0..0 − −−− → 1..1, 0..0 − −−− → 1..0,0..0 107.14 0..0, 2..0 − −−− → 0..0, 2..2 − −−− → 0..0, 2..0 − −−− → 0..0, 2..2 − −−− → 6..0,0..0 110.4

282

L. Kraleva et al. S0

S1

S2

S3

δ4 1

δ3

SB δ3

δ3

δ4

0

SB

δ4

0 δ4 2

δ3

δ3

SB δ3

SB

SB

SB

0 S0

S1

S2

S3

δ4 1

0

δ3

SB δ3

SB

3

δ3

δ3

0

δ3 δ3

2

δ3

0

SB

0

δ2

SB δ2

δ3

SB δ3

δ3

δ3 δ2

δ2

SB δ2

δ3

0

SB δ3

δ3

SB

δ3

δ2

δ2

SB δ2

δ3

SB δ3

δ3

δ2

δ2

SB δ2

0

SB

δ3 0

δ4

SB δ4

δ4

0 δ3

SB

δ4

δ4 6

0

5

SB δ4

δ4

δ3

0

0

δ4

δ4 5

δ3 4

0 δ4

δ2 0

SB

δ2

δ3

3

δ3 4

δ4 7

δ4

SB δ3

δ4

δ4

0

SB

δ4

0 δ4 6

SB

δ2

SB

8

δ2

δ3

δ3

SB δ3

SB

SB

SB

0

δ2 7

0

δ1

SB δ1

δ1 δ1

0

0

SB

δ3 δ3

0 0

9

0

δ1

0

0

(a)

0

δ3

(b)

Fig. 4. Differential characteristics of a) 7 rounds and b) 9 rounds of sLiSCP-light-[192]

SB

From Fig. 4a we can see that the iterative transition δ3 −−→ δ2 happens 4 times, SB while δ2 −−→ δ3 appears only once. The exact values are chosen to minimize the SB weight of δ3 −−→ δ2 . Our best probability of 2−108.2 happens for δ1 = 0x700000000000, δ2 = 0x500001800000, δ3 = 0x100000200000, δ4 = 0x100001100000.

Cryptanalysis of the Permutation Based Algorithm SpoC

283

with weights 17

11,3

23.1

δ4 −→ δ3 −−→ δ2 −−→ δ1 ,

22.9

δ2 −−→ δ3 .

Note that the optimal characteristic over one SBox (6 rounds of Simeck) has weight 12, as verified with the ArxPy tool. 9 Round Characteristic. For this characteristic we fix the non-zero output difference to S19 and S39 . More precisely, in the first 4 bytes of the subblocks, which correspond to the masked capacity bits in SpoC. In order to design this characteristic we used an iterative transition SB SB δ3 −−→ δ4 −−→ δ3 . The input and output differences of our characteristic are (δ3 ||δ4 ||δ4 ||048 ) and (048 ||048 ||048 ||δ3 ), respectively. SB As seen in Fig. 4b, the characteristic has 8 active SBoxes with δ3 −−→ δ4 SB appearing 6 times and δ4 −−→ δ3 two times. Our best probability of 2−108.5 holds for the differences δ3 = 0x000a00000400 and δ4 = 0x000a00001000 with weights 22.34

10.65

δ3 −−−→ δ4 −−−→ δ3 .

4

Differential Attacks on SpoC-128 and SpoC-64

In this section we present a series of attacks based on the differential characteristics introduced in the previous section. More precisely, we design tagforgery attacks based on the 6-round characteristic of sLiSCP-light-[256] and the 7-round characteristic of sLiSCP-light-[192]. The 9-round characteristic of sLiSCP-light[192] is used to design a message-recovery attack. 4.1

Tag Forgery Attacks

As stated in Sect. 2.3, in order to distinguish between different phases of the encryption process, the authors of SpoC used a 4-bit control signal. The values of these 4 bits depend on the current phase, but also on whether the inputs (associated data or plaintext) are padded or not. Moreover, if the associated data or the plaintext is null, the corresponding phase is disregarded. Our approach is based on identifying and exploiting scenarios in which different types of inputs lead to similar internal states. Take, for example, the scenario where one uses SpoC-64 or SpoC-128 to encrypt two one-block plaintexts: an incomplete block M and a complete block M ∗ = padding(M ), using, in both cases, the same associated data and the same (key, nonce) pair. Take into account that, at the end of the plaintext addition phase, just before generating the tag, the difference between the corresponding internal states is given by the difference between the corresponding 4-bit control signals, i.e. 0001||0n−4 . In the plaintext processing phase of the first case, the 0101 control signal is used, while in the second case 0100 is used. The difference

284

L. Kraleva et al.

between the used constants we denote by δ1 and it represents the convenient difference that we can cancel locally. The Difference δ1 . Depending on the scenario, we identified three possible values for the control signals’ difference δ1 , as follows: 1. δ1 = 0001||0n−4 = 0100||0n−4 ⊕ 0101||0n−4 This value can be obtained in the case when we encrypt the plaintexts M and M ∗ described above, using the same (key, nonce) pair and the same AD. 2. δ1 = 0110||0n−4 = 0100||0n−4 ⊕ 0010||0n−4 This value can be obtained when we encrypt (””, M ) and (””, M ). More precisely, in the first case we use a null AD, while in the second case we use a null plaintext. The former encryption consist of initialization, message processing phase and finalization , whereas the latter has AD processing phase instead of message processing. It will produce no ciphertext, however the tags of the two would be the same. Hence we can forge the verification of associated data. 3. δ1 = 0111|0n−4 = 0101||0n−4 ⊕ 0010||0n−4 This value can be obtained when we encrypt the pairs (””, M ) and (AD, ””), where the length of M is less than the length of a full block and AD = padding(M ). In order to achieve a tag forgery, we designed differential characteristics such that, after the plaintext processing phase, the difference between the corresponding control signals is cancelled by the output difference of the characteristic. Since this results in the same internal states, the corresponding tags will collide. We underline the fact that the control signal bits are influencing the difference on the rate part of the internal state. The target characteristic might also have active bits in the capacity part, these being canceled through a difference between the two plaintexts. Therefore, we aim at finding characteristics having the output difference of the form (δ, λ, 0, γ), where δ is the difference between the constants, while the differences λ and γ can be cancelled through the plaintext block difference. In our experiments, in order to optimize the number of active Sboxes, we imposed the additional constraint that δ = γ. In Sect. 3 we presented the best characteristics that we found, suitable for our approach, on 6-round sLiSCP-256 and on 7-round sLiSCP-192. Using these characteristics and the approach presented above, we designed tag forgery attack on reduced versions of both Spoc-64 and Spoc-128. Since the complexity of our round-reduced characteristics are close to the security bound, we chose the input parameters such that the difference propagates through only one permutation. 4.2

Tag Forgery Attack on SpoC-128

After we have fixed our characteristic, we can proceed to the attack. Note that, in the case of SpoC-128, the initialization phase is represented only by the loading of the (key, nonce) pair into the internal state. Since there is only one

Cryptanalysis of the Permutation Based Algorithm SpoC

285

sLiSCP-light application before the ciphertext generation, our tag forgery attack on SpoC-128 follows the related-key related-nonce scenario. According to our 6-round characteristic, we use inputs such that the key difference is (δ4 ||δ5 ), while the nonce difference is (δ3 ||0). Moreover, since our best characteristic uses δ1 = 0x1||0124 , the setup of this attack assumes the use of null associated data, a plaintext M = M1 ||M2 having the size less than 128 bits and a plaintext M ∗ = padding(M ) ⊕ δ2 ||δ1 = M1∗ ||M2∗ encrypted under related-key relatednonce pairs. As we mentioned before, by injecting a difference in the plaintexts we cancel the capacity difference after the permutation. The encryption processes are described in Fig. 5. M ||8||0123−m ⊕ δ2 ||δ1

M padding

padding

M ||8||0123−m

M ||8||0123−m ⊕ δ2 ||δ1

c load (K, N )

c

π

π

tag

load (K ⊕ δ4 ||δ5 , N ⊕ δ3 ||0)

r

π

π

tag

r 0101||0n−4 1000||0n−4

0100||0n−4 1000||0n−4 M∗

M

C∗

C

Fig. 5. The encryption of an incomplete and a full block of plaintexts, using related-key related-nonce inputs and null associated data

If our differential characteristic holds, then the following equations also hold with probability 1: M1∗ = M1 ⊕ δ2 ,

S06∗ = S06 ⊕ δ1 ,

S26∗ = S26 ,

C ∗ = M1∗ ⊕ S06∗ ||M2∗ ⊕ S26∗ .

Therefore, C ∗ = (C1 ||C2 ) ⊕ (δ2 ⊕ δ1 ||δ1 ). More precisely, the ciphertext-tag pair (C ∗ , τ ) would then be valid under (K⊕ ΔK , N ⊕ ΔN ) = (K ⊕ δ4 ||δ5 , N ⊕ δ3 ||0) with the probability of the characteristic. The pseudocode of this attack is presented in Algorithm 1. Note that it is not needed to use the same key for each Encryption step of the algorithm. Since the rate part of the internal state is used for the encryption, by knowing both the plaintext and the ciphertext we can recover the rate part of each internal state used in the plaintext processing phase. In the case of our approach we use this observation to decrease the data complexity of our attack, by filtering the ciphertexts obtained in the first step. The data complexity of this attack, computed as the number of encryptions and decryptions required, is (PR6 + 1) · PR1 →R5 = (217.69 + 1) · 288.45 = 2106.14 + 288.45 , where Ri represents the ith sLiSCP step. The time complexity, computed as the number of offline SBox computations, is 2 · PR6 · PR1 →R5 = 2107.14 .

286

L. Kraleva et al.

Algorithm 1: The tag forgery attack on Spoc-128 Encryption Obtain (C = C1 C2 , τ ), the encryption of (””, M ) under arbitrary (K, N ); Compute S06 S26 = padding(M ) ⊕ C; if SB −1 (S06 ) ⊕ SB −1 (S06 ⊕ δ1 ) == δ2 then Decryption Ask for P , the decryption of (C1 ⊕ δ2 ⊕ δ1 ||C2 ⊕ δ1 , τ ) under (K ⊕ δ4 ||δ5 , N ⊕ δ3 ||0); if P =⊥ then P = (””, M ∗ ); else go to Encryption; end else go to Encryption; end

Improved Attack. We can improve the complexity of the attack by using multiple differential characteristics that have the same output difference, i.e. equal δ1 s and δ2 s. Suppose that we have d differential characteristics such that

where each characteristic has the probability pi , i = 1, . . . , d. The attack follows the lines of Algorithm 1, where instead of asking for the decryption under a fixed (key, nonce) pair, we use every (K ⊕ ΔiK , N ⊕ ΔiN ) pair. For our improved attack the time and data complexities can improve with at most a factor of log2 d, when all the characteristics have the same probability. By using 10 different characteristics that we found that have δ1 = 1..0, 0..0 and δ2 = 1..1, 0..0, the complexity is improved by a factor of 21.82 , the time complexity being around 2105.32 , while the data complexity decreases to approximately 2104.32 + 286.63 . Time-Memory Trade-Off. The time complexity of our attack can be improved by using a time-memory trade-off approach. In this case the attack will also imply an offline phase, as follows: for all possible values of S06 we verify if SB −1 (S06 ) ⊕ SB −1 (S06 ⊕ δ1 ) == δ2 . If the condition holds, we store the corresponding value of S06 in the sorted list listS06 . The complexity of this phase is 264 SBox computations. In this case, instead of verifying the specified condition, it will be verified if S06 ∈ listS06 . The time complexity of each query will be log2 (#listS06 ) operations, while the memory complexity will be less than 264 (negligible compared to the data complexity).

Cryptanalysis of the Permutation Based Algorithm SpoC

4.3

287

Tag Forgery Attack on SpoC-64

The main idea of the attack is similar to the one presented in Subsect. 4.2, some modifications being imposed due to the different loading phase of SpoC-64. This attack is based on the 7-round characteristic presented in Subsect. 3.2. Since our characteristic covers only one permutation, in this scenario we have one more constraint on the input differences. More precisely, the setup of our attack assumes the use of related N1 s, while the key and the nonce N0 are equal. The input difference is given by the difference between the corresponding N1 s, while the output difference respects the constraints from Subsect. 4.2. Since N1 is added to the masked capacity bits, note that the difference needs to have active bits only in the masked capacity part. Moreover, for the 7-round characteristic on sLiSCP-light-192 we used δ1 = 0111||0n−4 , therefore the setup of our attack is the one presented in Fig. 6. N1

M

c load (K, N0 )

π

N1

c

c

π

π

r

AD = padded(M ) ⊕ 0||δ1

r

tag

load (K, N0 )

π

π r

0100||0n−4 1000||0n−4

c

π

tag

r 0010||0n−4 1000||0n−4

(0101||0n−4 )

M C

Fig. 6. The two processes of SpoC-64 used by our approach. Note that the second XORed constant is imposed by the beginning of the tag generation phase.

We state that, while the encryption of the message (””, M ) will return a (ciphertext, tag) pair, the encryption of the pair (AD, ””) results in a null ciphertext and a tag. Therefore, assuming the 7-round characteristic holds, the ciphertext-tag pair (””, τ ) is valid under (K, N0 ||(N1 ⊕ ΔN )) = (K, N0 ||(N1 ⊕ δ4 ||0)) with probability 1. The tag forgery attack on SpoC-64 is very similar to the one described in Algorithm 1. The distinction is given by the input difference of the characteristic which impacts the decryption (key, nonce) pair. More precisely, only the nonce N1 is different. The data complexity of this attack, computed as the number of encryptions and decryptions required, is (PR7 +1)·PR1 →R6 = (223.1 +1)·285.1 = 2108.2 +285.1 . The time complexity, computed as the number of offline Sbox computations, is 2 · PR7 · PR1 →R6 = 2109.2 . Even though the required amount of data is higher than the size of the tag space, we consider that our attack is meaningful since the authors of SpoC claim security of 112 bits for both confidentiality and integrity.

288

L. Kraleva et al.

Time-Memory Trade-Off. By following the same time-memory trade-off approach presented in Subsect. 4.2, we can improve the time complexity of our attack. The complexity of the offline phase is also 264 SBox computations. Thus, the time complexity of each query will be log2 (#listS07 ) operations, while the memory complexity will be less than 264 (considerably smaller compared to the data complexity). 4.4

Message Recovery Attack on SpoC-64

In this section we present a message recovery attack on Spoc-64 based on a differential cryptanalysis approach. This attack exploits the fact that the initialization phase is not a bijective function, since the input is 256 bits and the internal state is 192 bits. The analysis aims at constructing (key, nonce) pairs that lead to the same internal state after the initialization. Thus, we designed the 9-round differential characteristic on sLiSCP-light-[192] presented in Sect. 3. More precisely, the constraint of our characteristic is that the output difference only affects the capacity part, this difference being canceled by a difference between the corresponding N1 ’s. Therefore our approach uses a key-related nonce-related scenario. By using our 9-round characteristic on a round-reduced scenario, the internal states after the initialization collide. Therefore, the encryption of the same plaintext under different (key, nonce) pairs lead to identical ciphertexts and tags. Moreover, if we encrypt two messages with the same l first blocks, the corresponding l ciphertext blocks will also be the same. We used this approach to design a related-key related-nonce attack on SpoC64. The attack works as follows: 1. With a key-nonce pair (K, N ) we ask for the encryption of an arbitrary, unknown plaintext M , using the associated data AD; we obtain the ciphertext-tag pair (C, τ ); 2. We ask for the decryption of (C, τ ) under (K ⊕ ΔK , N ⊕ ΔN ) and using the initial AD; 3. If the tag verification holds, we obtain the plaintext M  . If M  is a readable text, then M  = M and the message is recovered. We specify M  being readable, since there is always a probability that tags collide. As stated in Sect. 3, the probability of our 9-round characteristic is 2−109.84 . Since the data complexity defines the number of encryptions and decryptions, in our case the data complexity is 2110.84 , while the time complexity is bounded by the data complexity.

5

Key-Recovery Attack on SpoC-64

In this section we generalise the approach described in Subsect. 4.4, by defining the notion of class-equivalence over the space of all (key, nonce) pairs. We then present a time-memory trade-off attack based on the class-equivalence that leads to the recovery of the secret key K.

Cryptanalysis of the Permutation Based Algorithm SpoC

289

Equivalence in the Set of (Key, Nonce) Pairs Definition 1. The (key, nonce) pairs (K 1 , N 1 ) and (K 2 , N 2 ) are said to be in the same equivalence class (or simply equivalent) if the corresponding internal states, after the initialization phase, are equal. The number of equivalence classes is given by the number of all possible internal states of SpoC-64, namely 2192 . For each fixed internal state, one can consider all values of N1 and can compute the associated (K, N0 ) pairs by applying the inverse of the permutation. Therefore, each equivalence class is formed by 264 (key, nonce) pairs. Note that the encryption of the same message under equivalent (key, nonce) pairs results in equal ciphertexts and tags. Moreover, the decryption and tag verification of a (ciphertext, tag) pair can successfully be performed under any (key, nonce) pair belonging to the same equivalence class. The Key-Recovery Attack. Our attack consists of two phases: an offline and an online phase. In the offline phase, the adversary generates a table containing 2110 entries. Each entry contains a (K, N0 ||N1 ) pair and the ciphertexts and tag obtained by applying SpoC-64 on a well chosen plaintext M , under the (K, N0 ||N1 ) pair and a null AD. The (key, nonce) pairs are generated such that they belong to different equivalence classes. More precisely, 2110 different internal states are generated by the adversary. For each state an arbitrary N1 is chosen and, by XORing it to the internal state and by applying the inverse of the permutation, the (K, N0 ) pair is computed. Using each (K, N0 ||N1 ) pair, the adversary encrypts, using SpoC-64, a common short message M . Note that, in practice, depending on the nature of a correspondence, messages usually start with the same words or letters. For example, e-mails normally start with “Dear (*name*),” or “Hello (*name*),”. By making this assumption, we choose a plaintext M to be a regularly used word or phrase of length l blocks. In our research we make the assumption that the full 18-round sLiSCP-light behaves as a random permutation, thus no particular properties can be observed. Therefore, we claim that l = 3 is the number of blocks of ciphertext that uniquely defines the equivalence class of the (K, N0 ||N1 ) pairs. We consider the encryption function of SpoC-64, defined using a fixed plaintext and considering as the input state the result of the initialization phase. On one hand, in order to have uniqueness, this function has to be injective. Therefore, since the length of the internal state is 192 bits and the length of one block of ciphertext is 64 bits, the minimum value of l is 3. On the other hand, by writing the system of bit-level equations of the targeted function, for l blocks of ciphertext we obtain 64 × l equations using 192 variables. If this system does not have an unique solution for l = 3, it means that the resulted equations are not independent, thus there are some particular properties of the sLiSCP-light permutations that could be further extended to an attack. The pseudocode of the offline phase is presented in Algorithm 2. Note that π −1 denotes the inverse of the full sLiSCP-light-[192] permutation. The resulted list is sorted with respect to the ciphertexts, using a hash

290

L. Kraleva et al.

Algorithm 2: Offline phase list = null ; choose M ; while list.length < 2110 do sample internal state; sample N1 ; compute (K, N0 ) = π −1 (internal state ⊕ N1 ) ; encrypt (C, τ ) = SpoC-64(K, N0 ||N1 , ””, M ) ; list.Add(K, N0 ||N1 , C) end Result: list populated with 2110 entries

table. The memory complexity of this phase is 2110 table entries, while the time complexity is 2110 SpoC-64 encryptions. Note that the steps of an encryption are not performed sequentially. Since the first step is to sample the internal state, the encryption can be performed without the initialization phase, while the initialization phase is performed backwards, by computing a (key, nonce) pair corresponding to a fixed internal state. Thus, by assuming that the permutation function and the inverse of the permutation function are equivalent time-wise, the time complexity of our offline phase is 2110 encryptions. In the online phase the adversary intercepts the (ciphertext, tag) pairs encrypted by a valid user. For simplicity, we assume that the valid user used null associated data. We discuss in a paragraph below the case where the associated data is not null. For every intercepted ciphertext, the adversary verifies if the first l blocks belong to the table computed in the offline phase. Since a string of l blocks uniquely defines the equivalence class, a match means that the valid user encrypted the plaintext under a (key, nonce) pair that is in the same equivalence class with the pair (K, N0 ||N1 ) extracted from the precomputed table. Moreover, the adversary can easily compute the internal state obtained after the initialization phase, using the (K, N0 ||N1 ). Since the nonce N1 is public, it can XOR N1 to the internal state and, by applying the reverse of the permutation, the adversary can compute the user’s key. In the case where the valid user chooses a non-empty value for the associated data, the key-recovery works as follows: 1. The adversary verifies if the first l blocks of the ciphertext belongs to the table; 2. When a match is found, the adversary reverse the associated data addition phase; this action is allowed, since AD is a public value; 3. On the obtained internal state, the adversary XOR the N1 and apply the inverse of the permutation. Therefore, the adversary gains full control over the encryption of the valid user, being able to decrypt all the past and future communication in which the valid user used the recovered key. Moreover, the adversary gains the ability of

Cryptanalysis of the Permutation Based Algorithm SpoC

291

impersonating the valid user, being able to generate (ciphertext, tag) pairs using the secret key of the valid user. Since the adversary can control 2110 equivalence classes, through the precomputed table, the probability that an intercepted message belongs to the precomputed table is 2110−192 = 2−82 . Thus, if the adversary intercepts 267 (ciphertext, tag) pairs, the success probability of this attack is 2−15 , twice the probability claimed by the authors of SpoC. By increasing the amount of intercepted data, the success probability of the attack also increases. The data complexity of the online phase is represented by the number of required online encryptions. So, for a success probability of 2−15 , the data complexity of the online phase is 267 . Since the precomputed table is a sorted hash table, the search of a ciphertext has a time complexity of O(1). Thus, the time complexity of the online phase is 267 table lookups. For comparison, an exhaustive search attack with the same success probability of 2−15 would require 2113 data. Note that even though the online phase of the attack can be performed many times (e.g. the attack targets two or more valid users), the offline phase of the attack is only performed once. Thus, the time complexity of the offline phase can be overlooked in any application of the attack, except for the first one. Therefore, every other instance of the attack has a total time complexity of 267 . Note that our attack recovers only one of the secret keys used by the valid user.

6

Other Observations

While analyzing the sLiSCP-light-256 permutation we noticed a particular property of both the round and the step constants. More precisely, using the notations introduced in [AGH+19], we noticed that rci0 = rci+8 1 , ∀i ∈ {0, ...10} sci0 = sci+8 1 , ∀i ∈ {0, ...10} The design rationale behind the generation of these constants is described in [ARH+17]. The constants are computed using an LFSR with length 7 and the primitive polynomial x7 + x + 1. The initial state of the LFSR is filled with seven bits of 1. For the computation of the round constants, the LFSR runs continuously for 18 × 2 × 8 steps. The first 16 bits of the returning string are: 1111111000000100. The constants rc00 and rc01 are computed by 2-decimation. More precisely, the bits of rc00 are the bits in odd positions of the string above while the bits of rc01 are the bits from the even positions, both of them being read in an little-endian manner. Thus, rc00 = 00001111 = 0xF and rc01 = 01000111 = 0x47. Since the primitive polynomial has degree 7, it’s period is 27 − 1 = 127. Therefore, the 127 + nth bit will be equal to the nth generated bit. In particular, the bits of rc8+n are equal to the bits of rcn0 . A similar approach is used for the 1 computation of the step constants. In this case, after loading the initial state of

292

L. Kraleva et al.

the LFSR with seven bits of 1, 14 steps are performed (discarding the outputed bits). Then the same procedure is applied, thus, the same observation is also valid for the step constants. The round and step constants of the sLiSCP-light-192 permutation are computed by a similar manner. But since both the constants and the LFSR length is 6, the 2-decimation does not influence the distribution of the bits through the constants. Note that the authors of the sLiSCP permutation claim that each 8-bit constant is different.

7

Conclusion and Future Work

Our work analyzes the SpoC cipher, a second round candidate of NIST Lightweight competition, and the permutation sLiSCP-light which represents one core component of the SpoC cipher. For both versions of SpoC, namely SpoC-128 and SpoC-64, we propose characteristics covering round-reduced versions of the permutation. We then use these characteristics to design tag-forgery and message-recovery attacks on SpoC parameterized with round-reduced versions of the sLiSCP-light permutation. Furthermore, by using an TMTO approach, we designed a key-recovery attack on SpoC-64. A summary of our results is depicted in Table 1. The work we presented can be extended in several directions. For example, it would be interesting to analyse both the SpoC cipher and the sLiSCP-light permutation using other techniques. It also remains to be investigated if or how our observations regarding the round and step constants can be exploited. Further research should also consider investigating the impact of our characteristics to other ciphers based on the sLiSCP-light permutation. Acknowledgements. The authors would like to thank Adri´ an Ranea for all the fruitful discussions regarding the ARXpy tool. This work was supported by CyberSecurity Research Flanders with reference number VR20192203 and partially supported by the Research Council KU Leuven, C16/18/004, through the EIT Health RAMSES project, through the IF/C1 on New Block Cipher Structures and by the Flemish Government through FWO fellowship and FWO Project Locklock G0D3819N.

References [AGH+19] AlTawy, R., et al.: SpoC: an authenticated cipher submission to the NIST LWC competition (2019). https://csrc.nist.gov/CSRC/media/Projects/ lightweight-cryptography/documents/round-2/spec-doc-rnd2/spoc-specround2.pdf [ARH+17] AlTawy, R., Rohit, R., He, M., Mandal, K., Yang, G., Gong, G.: sLiSCP: simeck-based permutations for lightweight sponge cryptographic primitives. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 129– 150. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9 7 [ARH+18] AlTawy, R., Rohit, R., He, M., Mandal, K., Yang, G., Gong, G.: SLISCPlight: towards hardware optimized sponge-specific cryptographic permutations. ACM Trans. Embed. Comput. Syst. 17(4), 81:1–81:26 (2018)

Cryptanalysis of the Permutation Based Algorithm SpoC

293

[BBS99] Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi. org/10.1007/3-540-48910-X 2 [BS90] Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-54038424-3 1 [HNS20] Hosoyamada, A., Naya-Plasencia, M., Sasaki, Y.: Improved attacks on sliscp permutation and tight bound of limited birthday distinguishers. IACR Cryptology ePrint Archive 2020/1089 (2020) [Knu94] Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8 16 [LLW17] Liu, Z., Li, Y., Wang, M.: Optimal differential trails in SIMON-like ciphers. IACR Trans. Symmetric Cryptol. 2017(1), 358–379 (2017) [LSSW18] Liu, Y., Sasaki, Y., Song, L., Wang, G.: Cryptanalysis of reduced sliscp permutation in sponge-hash and duplex-ae modes. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 92–114. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7 5 [MP13] Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Cryptology ePrint Archive, report 2013/328 (2013). https://eprint.iacr.org/2013/328 [NIS79] NIST: FIPS-46: Data Encryption Standard (DES) (1979). http://csrc.nist. gov/publications/fips/fips46-3/fips46-3.pdf [NIS19] NIST: Lightweight Cryptography Competition (2019). https://csrc.nist. gov/projects/lightweight-cryptography [Ran17] Ranea, A.: An easy to use tool for rotational-XOR cryptanalysis of ARX block ciphers (2017). https://github.com/ranea/ArxPy [RAS+20] Ranea, A., Azimi, S.A., Salmasizadeh, M., Mohajeri, J., Aref, M.R., Rijmen, V.: A bit-vector differential model for the modular addition by a constant (2020). https://eprint.iacr.org/2020/1025 [Ste14] K¨ olbl, S.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives (2014). https://github.com/kste/cryptosmt [Wag99] Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10. 1007/3-540-48519-8 12 [YZS+15] Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The simeck family of lightweight block ciphers. IACR Cryptology ePrint Archive 2015/612 (2015)

More Glimpses of the RC4 Internal State Array Pranab Chakraborty1 and Subhamoy Maitra2(B) 1

Learning and Development, Human Resources, Wipro Limited, Doddakannelli, Sarjapur Road, Bangalore 560035, India [email protected] 2 Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata 700108, India [email protected]

Abstract. We present three categories of new non-randomness results on RC4 here. First, using Jenkins’ Glimpse result (1996), we show that for every round, the key-stream value comes from a distant permutation array (S-Box) byte position with a probability higher than the fair chance. Moreover, we show how the Jenkins’ Glimpse gets modified when the two consecutive output keystream bytes are equal to a certain value. Second, we show that corresponding to every Fluhrer-McGrew bias (2000), the key-stream value for each of the two rounds comes from certain array positions with a higher (or a lower) probability than the uniform one, depending upon whether the double-byte is positively or negatively biased. Also, there are four “lag-one digraph” (or alternate pair double-byte) biases that have been summarized in a recent paper. We show that for each of these cases, there are preferred positions of permutation array byte corresponding to the key-stream value in that round. Third, we show that in each of the Fluhrer-McGrew or lag-one cases, the Jenkins’ correlation results must be refined. Surprisingly, in one particular configuration, the Glimpse correlation value becomes almost 4 instead of Jenkins’ N2 . N Keywords: RC4 · Non-randomness · Glimpse or Jenkins’ correlation Fluhrer-McGrew Digraph repetition bias · Sequence · Stream Cipher

1

·

Introduction

RC4 has been the most popular stream cipher in the commercial domain till 2015, following that it is being withdrawn from many applications [6] due to certain very serious cryptanalytic results [1,12]. However, it is quite challenging to replace RC4 from many of the applications running around the world and it is still in use in certain places, as evident from the security advisory [9] that has been updated very recently. From the research perspective, it is well known that RC4 is one of the most attractive cryptosystem to be analysed due to its simplicity in understanding. At the same time, there are lot of unexplored c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 294–311, 2020. https://doi.org/10.1007/978-3-030-65277-7_13

More Glimpses of the RC4 Internal State Array

295

non-randomness results. It is always surprising why such results have not been identified earlier even after so many research results (see [2,3,10,12] and the references therein). RC4 has a Key Scheduling Algorithm (KSA) and a Pseudo Random Generator Algorithm (PRGA). In this paper we mainly concentrate on the PRGA part and thus we present the algorithm below. Note that all the additions here are modulo N and we will use the same notation while discussing about operations that are related to RC4. The array S contains a permutation of 0 to N − 1. – Initialization: i = j = 0; – As long as keystream z is required: • i = i + 1; • j = j + S[i]; • swap(S[i], S[j]); • z = S[S[i] + S[j]]; In RC4, we have the N = 256 length array of 8-bit integers 0 to N − 1, and after the KSA, the array S is supposed to be randomly permuted. In contrary, there are several results that show the KSA cannot produce sufficiently random permutation and thus the initialization part is not completely secure [11, Chapter 3]. However, in this work, we will concentrate on the PRGA part only and thus we will assume the initial permutation (after KSA and before PRGA) as completely random. This can be achieved practically to some extent if around 2048 initial keystream bytes are thrown away during the PRGA and then we start looking at the permutation. In a stream cipher, one important requirement is any information about the state should not be revealed from the key-stream. It was first pointed out in [5] that RC4 cannot satisfy this. Here we have the complete information about the public index i and the key-stream byte z at any round of RC4. Thus, the question is, from i, z, is it possible to obtain additional information (‘Glimpse’ – this is the way it is generally referred in the literature) regarding the hidden variables j, S[i] or S[j] other than the random association? To explain the idea of information leakage clearly, we need to introduce the subscript r. The subscript identifies the round r and Sr [x] denotes the value at x-th location after the swap operation in the said round. The index jr is the value of j after updating j + S[i] in the round r. That way, zr is the key-stream output byte in round r. Given these, the result of [5] is as follows. Note that the fair chance should have the probability N1 . Theorem 1 (Jenkins’ Glimpse theorem [5]). During RC4 PRGA, for any arbitrary round r, Pr(Sr [ir ] = jr − zr ) = N2 − N12 and Pr(Sr [jr ] = ir − zr ) = 2 1 N − N2 . This result has been studied in great details and certain refinements in the probability calculation has been suggested in one of our recent work [2] (two authors of this paper are same). At the same time, the work of [2] considered

296

P. Chakraborty and S. Maitra

certain results related to Glimpse and the proofs of a family of biases by Fluhrer and McGrew [4]. On the other hand, in this paper, we note that the family of biases presented in [4] can provide a completely new set of Glimpses in RC4, that has not been described in [2]. Further, our newly identified results here, following [4], can be studied in conjunction with the Jenkins’ Glimpse theorem [5] to improve the existing works. Note that these were not covered in the revised results related to Glimpse in [2, Theorem 2]. We also investigate how the lag-one biases [2,12] (biases between two alternate keystream bytes) provide additional Glimpses. In summary, here we present several new family of Glimpses that have not been covered earlier [2,5,7,11,12]. All our results are supported by detailed experimental evidences. Let us outline the statistical method to detect a bias experimentally with strong confidence, i.e., the experimental bias observed should not be a false alarm. Consider two keystream sequences, one is generated from an ideally random source (say A) and the other one is the key-stream from an actual stream cipher (say B), which is a pseudo-random source. Let the probability of occurrence of certain event in A be p and the same from B be p(1 + q). Then it is possible to distinguish the sources A, B in O( pq12 ) samples with some confidence. Generally this estimate works quite well for q  p. We need to carefully study what constant c is to be taken in pqc2 and what are the corresponding confidence values, following [8, Section 3.3] and [11, Chapter 6.1]. The confidence of success for c = 26 = 64 is greater than 99.99%. 64 Thus, for each experiment we choose the sample size as pq 2. 1.1

Organization and Contribution

The results are organized as follows. In Sect. 2, we warm up with a corollary of Jenkins’ Glimpse theorem that relates locations of the internal state array S other than the ones indexed by i, j. However, this bias is less significant. Then we show how the Jenkins’ Glimpse value gets modified for two consecutive rounds having the same keystream byte output related to the round number. In Section 3, we consider the Glimpses discovered through the biases identified by Fluhrer-McGrew [4]. Note that [2, Section 2] studies “Glimpses corresponding to Fluhrer-McGrew biases”, but the results we present here are different (though related) from the ones in [2]. We explain the differences clearly in Sect. 3. Further, we also study the Glimpses arising out of lag-one biases [2,12] in this section. Then, in Sect. 4, we show how the Jenkins’ Glimpses [5] should be refined in conjunction with Fluhrer-McGrew [4] and lag-one biases [2,12]. We conclude the paper in Sect. 5. As there are several assumptions in the theoretical proofs in this paper, we checked the results with experiments having sufficient sample size.

2

Jenkins’ Glimpse [5] and Revised Results Using Two Consecutive Rounds

The Jenkins’ Glimpse [5] is surfaced following the way the output key-stream byte, zr = Sr [Sr [ir ] + Sr [jr ]], is generated based on the two indices. As pointed

More Glimpses of the RC4 Internal State Array

297

out in [2], the source of this bias is not dependent on the way RC4 permutation array (we will sometimes simply call array) or S-box S evolves. This is only dependent upon the way key-stream byte is derived in the last step of the PRGA algorithm. For a better understanding, let us now explain the proof of Theorem 1. This result follows from the understanding that if Sr [jr ] (respectively Sr [ir ]) becomes same as zr , then (Sr [ir ] + Sr [jr ]) which is the location of the output key-stream byte, must be equal to jr (respectively ir ). Hence, Sr [jr ] = zr (respectively Sr [ir ] = zr ) forces the desired condition of Sr [ir ] = jr − zr (respectively Sr [jr ] = ir − zr ). Under the assumption of uniform random distribution, if one assumes Pr(Sr [jr ] = zr ) = N1 and for the complimentary condition of Sr [ir ] = zr , if we accept a fair chance of N1 for the desired event of Sr [ir ] = jr − zr , the overall probability calculation comes out to be Pr(Sr [ir ] = jr −zr ) = N1 ·1+(1− N1 )· N1 = 2 1 2 1 N − N 2 . In the same way, the other result, i.e., Pr(Sr [jr ] = ir − zr ) = N − N 2 has been proved in [5]. Note that this calculation has been revisited in greater details in [2, Section 4.1] and refined further. As we note from Theorem 1, the Jenkins’ Glimpse [5] is related to the locations in S indexed by i, j and their values. Thus, the immediate question is whether it is possible to obtain any further information from the same result. This we show in the following result. Corollary 1 1 1 + 2 , when ir = zr + zr+1 − 1, N N 2 = , when ir = zr + zr+1 − 1. N

Pr(zr = Sr [zr + zr+1 ]) =

Proof. Suppose q = zr + zr+1 . First we consider the ir = q − 1 case. Under usual randomness assumption, Pr(jr+1 = q) = N1 . Now, as per Theorem 1, Pr(jr+1 − zr+1 = Sr+1 [ir+1 ]) = N2 . Now, jr+1 − zr+1 = Sr+1 [ir+1 ] implies q − zr+1 = Sr+1 [ir+1 ] = Sr [q], i.e., zr = Sr [q]. This follows as jr+1 = q, and Sr+1 [ir+1 ] = Sr [jr+1 ], considering the same situation before swap in the (r + 1)th round and after swap in r-th round. Thus, in this case, Pr(zr = Sr [q]) = 1 2 2 1 N · N = N 2 . For the rest of the cases, jr = q happens with probability (1 − N ) 1 and we consider random association of N in this case. Thus, finally, Pr(zr = Sr [zr + zr+1 ]) = N22 + (1 − N1 ) · N1 = N1 + N12 . Next, let us consider ir = q−1. As per Theorem 1, ir+1 −zr+1 = Sr+1 [jr+1 ] = Sr [ir+1 ] happens with probability N2 . Now, ir+1 − zr+1 = Sr [ir+1 ] implies q − zr+1 = Sr [q], i.e., zr = Sr [q]. Thus, in this case the probability is exactly the same as Jenkins’ Glimpse.   This result shows that knowing the values of two consecutive bytes always provides more information regarding the secret array location S[zr + zr+1 ]. The bias is lesser than the Jenkins’ Glimpse in all the cases, except it is the same one as the Jenkins’ for ir+1 = ir + 1 = zr + zr+1 . The experimental results perfectly match with the theoretical ones. We like to point out that one may again refine

298

P. Chakraborty and S. Maitra

such proofs for higher order terms involving O( N13 ). However, we are interested in more prominent biases, such as N2 or more instead of the random association N1 . In this regard, let us present the following results which shows different behaviours from the Jenkins’ Glimpse when two consecutive keystream output bytes at rounds r, r + 1 are equal to r + 1. Theorem 2. Consider two successive rounds r, r + 1 in RC4 PRGA such that zr = zr+1 = r + 1. Then 1. 2. 3. 4. 5.

Pr(Sr [ir ] = jr − zr |zr = zr+1 = r + 1) = N3 , Pr(Sr [jr ] = ir − zr |zr = zr+1 = r + 1) = N3 , Pr(Sr+1 [ir+1 ] = jr+1 − zr+1 |zr = zr+1 = r + 1) = Pr(Sr+1 [jr+1 ] = ir+1 − zr+1 |zr = zr+1 = r + 1) = Pr(Sr [jr ] = zr |zr = zr+1 = r + 1) = N2 ,

2 N, 1 N,

where terms of O( N12 ) are ignored. Proof. Let us first prove 1. Pr(Sr [ir ] = jr − zr |zr = zr+1 = (r + 1)) =

3 N.

We investigate the following three mutually independent configurations. Configuration 1: Sr [ir + 1] = 0, Configuration 2: Sr [ir + 1] = 0 and Sr [jr ] = (r + 1), Configuration 3: Rest of the cases. Configuration 1: The probability associated with this configuration is N1 . Since Sr [ir + 1] = 0, we have jr = jr+1 . Let us assume that Sr [ir ] = p and Sr [jr ] = q where p and q are two arbitrary byte values. As zr = (r +1) is given, it is evident that Sr [p+q] = (r+1). In the next round, Sr+1 [jr+1 ] = 0 and Sr+1 [ir+1 ] = q after the swap operation. As zr+1 = (r+1) is also given, Sr+1 [0+q] = Sr+1 [q] = (r+1). So we have a situation where Sr [p + q] = Sr+1 [q] = (r + 1). This is not possible if (r + 1) byte value remains in the same position in the permutation array S across the two rounds. In most of the cases the value of (r + 1) = 0. So the only possible option is to have q = (r + 1). In round r, (r + 1) is located at the position indexed by jr and in round (r + 1) it moves to the position indexed by ir+1 which is same as (r + 1). If in round r, Sr [jr ] = (r +1) = zr , we must have Sr [ir ] = jr −zr as only then Sr [ir ] + Sr [jr ] becomes equal to jr resulting in zr = (r + 1). Here Sr [ir ] = jr − zr is the desired condition. Configuration 2: The probability associated with this configuration is around (1 − N1 ) N1 = N1 − N12 . Since Sr [jr ] = (r + 1), the value of Sr [ir ] must be such that Sr [ir ] + Sr [jr ] becomes equal to jr resulting in zr = (r + 1). To have Sr [ir ]+Sr [jr ] = jr , we must have Sr [ir ] = jr −zr , which is the desired condition. Configuration 3: The probability associated with this configuration is around (1 − N1 − N1 + N12 ) = (1 − N2 + N12 ). Assuming that in this configuration, there is a fair chance ( N1 ) of the desired condition Sr [ir ] = jr − zr , the composite probability is (1 − N2 + N12 ) · N1 .

More Glimpses of the RC4 Internal State Array

299

We now add all the three mutually exclusive configuration probabilities to get the value of ( N1 + N1 − N12 + N1 − N22 + N13 ). By ignoring the terms of the order of N12 , we arrive at the result 1. Pr(Sr [ir ] = jr − zr |zr = zr+1 = (r + 1)) =

3 N

We now prove 2. Pr(Sr [jr ] = ir − zr |zr = zr+1 = (r + 1)) =

3 N.

Similar to the proof of the previous case (1), we identify the following three mutually independent configurations: Configuration 1: Sr [ir ] = (r + 1), Configuration 2: Sr [ir ] = (r + 1) and jr = (ir + 1), Configuration 3: Rest of the cases. Configuration 1: The probability associated with this configuration is N1 . Since Sr [ir ] = (r + 1), the value of Sr [jr ] must be such that Sr [ir ] + Sr [jr ] becomes equal to ir resulting in zr = (r + 1). To have Sr [ir ] + Sr [jr ] = ir , we must have Sr [jr ] = ir − zr , which is the desired condition. Configuration 2: The probability associated with this configuration is around (1 − N1 ) N1 = N1 − N12 . Let us assume that Sr [ir ] = p and Sr [jr ] = q where p and q are two arbitrary byte values. As zr = (r + 1) is given, it is evident that Sr [p + q] = (r + 1). If in round r + 1, jr+1 moves to a new position that contains a value k, then the position of output key-stream byte changes to q + k instead of p + q. In order to have zr = zr+1 , one must require that the permutation array byte value (r + 1) changes its position in round r + 1. However, it can be shown that as jr = (r + 1), this condition can not be satisfied. The only way to satisfy this is to have ir and jr swap their positions in round r + 1 resulting in the output key-stream byte position of p + q in both the rounds. This implies Sr [jr ] = N − 1 which satisfies the desired condition of Sr [jr ] = ir − zr . Configuration 3: The probability associated with this configuration is around (1 − N1 − N1 + N12 ) = (1 − N2 + N12 ). Assuming that in this configuration, there is a fair chance ( N1 ) of the desired condition Sr [jr ] = ir − zr , the composite probability is (1 − N2 + N12 ) · N1 . We now add all the three mutually exclusive configuration probabilities to get the value of ( N1 + N1 − N12 + N1 − N22 + N13 ). By ignoring the terms of the order of N12 , we arrive at the result: 2. Pr(Sr [jr ] = ir − zr |zr = zr+1 = (r + 1)) =

3 N.

Next, let us consider 3. Pr(Sr+1 [ir+1 ] = jr+1 − zr+1 |zr = zr+1 = (r + 1)) =

2 N.

This result coincides with the standard Jenkins’ Glimpse correlation (ignoring the term of the order of N12 )) and we do not observe any additional configuration to positively or negatively influence the usual result. We now prove

300

P. Chakraborty and S. Maitra

4. Pr(Sr+1 [jr+1 ] = ir+1 − zr+1 |zr = zr+1 = (r + 1)) =

1 N.

We observe that in this case ir+1 − zr+1 = (r + 1) − (r + 1) = 0. Hence, to satisfy the desired condition, we must have Sr+1 [jr+1 ] = ir+1 − zr+1 = 0. In this situation, there could be two possible configurations: Configuration 1: Sr+1 [ir+1 ] = r + 1, Configuration 2: Sr+1 [ir+1 ] = p where Sr+1 [p] = r + 1. We first argue that Configuration 2 cannot lead to the desired condition for round r. Since Sr+1 [jr+1 ] = 0, we must have jr = jr+1 . This also implies Sr [jr ] = p. So assuming Sr [ir ] = q for an arbitrary non-zero byte value, zr must come from p + q location which is different from the location p. This means zr can’t be same as zr+1 leading to a contradiction. Hence, in this case the special configuration used to prove the Jenkins’ Glimpse correlation is the only configuration possible (Configuration 1). There can’t be a situation where Sr+1 [ir+1 ] = zr+1 and still the desired condition is met. This leads to the result that 4. Pr(Sr+1 [jr+1 ] = ir+1 − zr+1 |zr = zr+1 = (r + 1)) =

1 N.

Finally, we prove 5. Pr(Sr [jr ] = zr |zr = zr+1 = (r + 1)) =

2 N.

We investigate the following two mutually independent configurations taken from the first case: Configuration 1: Sr [ir + 1] = 0, Configuration 2: Sr [ir + 1] = 0 and Sr [jr ] = (r + 1). Configuration 1: The probability associated with this configuration is N1 . Using the argument identical to that of the first case we get that in round r, Sr [jr ] = (r + 1) = zr , which is our desired condition in this case. Configuration 2: The probability associated with this configuration is around (1 − N1 ) N1 = N1 − N12 . Since Sr [jr ] = (r + 1) = zr , the desired condition is already satisfied. We now add the two mutually exclusive configuration probabilities to get the value of ( N1 + N1 − N12 ). By ignoring the terms of the order of N12 , we arrive at the result 5. Pr(Sr [jr ] = zr |zr = zr+1 = (r + 1)) =

2 N.

  We have checked and verified that the theoretical expressions match with the experimental results.

More Glimpses of the RC4 Internal State Array

3

301

New Glimpses Through Fluhrer-McGrew [4] and Lag-One [2, 12] Biases

We start this section referring to Table 1 to link the biases in [4] to the Glimpse results that we identify here. While there are some overlaps of the results of Table 1 with the results described in [2, Section 2], the following are the differentiated contributions of this paper. – We identify the biased S-Box (permutation array) values corresponding to the output key-stream bytes for both the rounds r and r + 1. – We also identify the source permutation array values and their associated biases corresponding to the four biased lag-one digraphs (as mentioned in [2]) for the successive two rounds. – We demonstrate that there could be multiple biased permutation array values in the same round. For example, in case of Fluhrer-McGrew bias [4] of (zr = 0, zr+1 = 0) where ir = 1, we have shown in Table 1 (see 1(a), 1(b)) that zr+1 can be independently associated with Sr+1 [ir ] as well as Sr+1 [jr ] with N2 and 3 N biases respectively. – In some Fluhrer-McGrew cases [4], our identified sources of zr and zr+1 do not have any direct mapping with the source configurations mentioned in [2]. For example, if we compare row 2 of Table 1 with [2, Scenario 2, Table 1], this becomes evident. While in [2] the source configurations are meant to be used together to arrive at the biased key-stream byte pairs and to prove the Fluhrer-McGrew biases [4], in this paper we focus on finding out the biased permutation array values that directly correspond to the output keystream bytes. Row 11 of Table 1 corresponding to the case of (zr = (N − 1), zr+1 = (N − 1)) for ir = (N − 2) is another such example, where the source configuration as mentioned in [2, Table 1] does not automatically lead to the source of zr or zr+1 and we have also not been able to identify any array value that corresponds to (N − 1) with a probability different from the fair chance ( N1 ). – It is interesting to observe (from Table 2) that even though the lag-one digraph (zr = 0, zr+2 = 0) at ir = N − 2 is negatively biased, there exist array positions in both the rounds that are positively biased to the output key-stream byte values. The findings captured in this section have the following implications. First, in the long term evolution of RC4 PRGA, whenever we observe consecutive or interleaved key-stream pairs corresponding to Fluhrer-McGrew biases [4] or lagone digraph biases [2] respectively, we can directly infer about the permutation array byte positions that can be deemed as the biased sources of the key-stream bytes. Second, unlike Jenkins’ Glimpse correlations, these results demonstrate that subject to certain conditions (like occurrence of specific key-stream byte pairs), direct correlation exists between a key-stream byte value (zr ) and some permutation array byte value(s) of the same round (r) without bringing any index variable (ir or jr ) in the relationship. In addition, it is interesting to

302

P. Chakraborty and S. Maitra Table 1. Glimpses related to Fluhrer-McGrew (FM) biases [4]. FM Biases

(zr , zr+1 )

Source of zr A

Pr(zr = A)

Source of zr+1 B

Pr(zr+1 = B)

1(a)

(0, 0)

Sr [ir + 1]

2 N

Sr+1 [ir ]

2 N 3 N 2 N 2 N

1(b) 2

(0, 0)

Sr [jr−1 ]

3(a)

(0, 1)

Sr [ir + 1]

3(b)

Sr [jr−1 ]

Sr+1 [ir+1 ]

Sr [jr ]

Sr+1 [jr ]

Sr [jr−1 ]

2 N

Sr+1 [ir+1 ]

0

Sr [ir ]

(N − 1, i + 1)

Sr [ir ]

(N − 1, i + 2)

Sr [ir + 1]

5(b)

7(a)

Sr [jr ] (N − 1, 0)

7(b) 8(a)

Sr [ir + 1] Sr [jr ]

(N − 1, 1)

8(b)

Sr [ir + 1] Sr [jr ]

9

(N − 1, 2)

Sr [ir + 1]

10(a)

(N + 1, N + 1) 2 2

Sr [ir ]

10(b) 11

(N − 1, N − 1)

12

(0, i + 1)

Sr+1 [ir ]

3 N 2 N 3 N 3 N 3 N 2 N 2 N 2 N 3 N

(i + 1, N − 1)

5(a)

6(b)

Sr+1 [jr ]

2 N 2 N 2 N 2 N 2 N 2 N 3 N 2 N 2 N 2 N 2 N 3 N

4

6(a)

2 N 2 N 2 N 2 N 2 N

Sr+1 [jr ]

Sr+1 [ir ] Sr+1 [ir+1 ] Sr+1 [jr ] Sr+1 [jr ] Sr+1 [ir+1 ] Sr+1 [jr ] Sr+1 [ir+1 ] Sr+1 [jr ] Sr+1 [ir+1 ] Sr+1 [ir ]

observe that in almost all the cases (except Row 11 of Table 1), there exist array byte positions that are biased towards the key-stream byte values of that round (r or r + 1) where many of these bias values are around N3 and in one particular case (Row 3 of Table 2) it is as high as N4 . We now explain the mechanism that is responsible for the biases shown in Table 1 and Table 2. Let us first consider the Fluhrer-McGrew scenario [4] where the consecutive key-stream byte-pair is (0, 0) at ir = 1. This corresponds to the sub-scenarios 1(a) and 1(b) as depicted in Table 1. That is, we are going to prove: 1. Pr(zr = Sr [ir + 1]) = N2 , 2. Pr(zr+1 = Sr+1 [ir ]) = N2 , 3. Pr(zr+1 = Sr+1 [jr ]) = N3 . The generic combinatorial approach that we are going to use is as follows. First, we count the possible number of ways through which one can achieve the desired key-stream byte pair (0, 0) at ir = 1. We refer to this as T . Next, we identify certain mutually independent configurations in which the value of zr or zr+1 may come from a particular permutation array byte position and we count the number of possible ways this can be achieved (let us call this C). The probability is derived by computing the ratio TC . We know that ir = 1 is fixed. However, jr can assume any value between 0 to N − 1. So there are N possibilities. The S array contains N integers in N locations which again can be chosen in (N !) ways. So if we do not have any restriction on the values of zr and zr+1 , the total number of possibilities would have been N · (N !). However, if we have to ensure that zr = 0 where we start

More Glimpses of the RC4 Internal State Array

303

with an arbitrary random configuration of S, we must fix the position of jr . This can be viewed as losing a degree of freedom. For example, if in the starting configuration, Sr [ir ] happens to be 5 and the array value 0 is located at 20, we must have jr at the array index position corresponding to the value of 15, so that we get Sr [ir ] + Sr [jr ] = 20. So far we haven’t put any restriction on the number of permutations possible. However, if we have to ensure that zr+1 = 0 as well, then depending upon the value of Sr [ir + 1] the value of Sr [jr + Sr [ir + 1]] gets fixed because we need to ensure that Sr+1 [ir+1 ] + Sr+1 [jr+1 ] also has the value of 20 (assuming the array value 0 has not changed its position in round r + 1) or the new index value of 0 (assuming it has changed its position). This implies that we need to lose one more degree of freedom resulting in T = (N − 1)!. For all the scenarios (with double key-stream byes) this value remains unchanged. Now we compute the value of C for the following glimpse value of zr . 1. Pr(zr = Sr [ir + 1]) =

2 N.

There can be two different configurations that lead to the above mentioned glimpse. Configuration 1: jr = 1, Sr [1] = 1 and Sr [2] = 0, Configuration 2: jr = 1, Sr [jr ] = jr , Sr [1] = 2 − jr and Sr [2] = 0. It is apparent that for both the configurations we get zr = 0 and zr+1 = 0, implying that both are valid for our current analysis. Moreover, in both the configurations the glimpse value zr = Sr [ir + 1] is satisfied. In fact, these are the only two configurations that lead to the desired glimpse result for the FluhrerMcGrew key-stream byte-pair (0, 0) at ir = 1 which we have cross checked experimentally as well. We now calculate the number of permutations for the two mutually exclusive configurations to arrive at the value C. In Configuration 1, jr is fixed and two permutation array byte values at the array index positions of 1 and 2 are also decided. Thus, the total number of permutations for Configuration 1 is (N − 2)!. In Configuration 2, jr may have N − 1 possible values out of N and three array values are fixed. So the possible alternatives in Configuration 2 is (N − 1) · (N − 3)!. Combining these two values we get C = (N − 2)! + (N − 1) · (N − 3)! ≈ 2 · (N − 2)!. By taking the ratio of T and C, we get the desired result. Next, we look at the result 2. Pr(zr+1 = Sr+1 [ir ]) =

2 N.

There can be two different mutually exclusive configurations that lead to the above mentioned glimpse. Configuration 1: jr = 1, Sr [1] = 1 and Sr [2] = 0, Configuration 2: Sr [1] = 0 and Sr [jr ] = 1. Since the Configuration 1 is identical to that of the previous result the computation part remains unchanged for that too. In Configuration 2, it is easy to verify that zr = 0 by sacrificing two degrees of freedom and by fixing one more array

304

P. Chakraborty and S. Maitra

value we can ensure that zr+1 = 0 as well. So the total number of possible ways in Configuration 2 is N · (N − 3)! ≈ (N − 2)! resulting in C ≈ 2 · (N − 2)!. By taking the ratio of T to C we get the desired result. We next prove the following result. 3. Pr(zr+1 = Sr+1 [jr ]) =

3 N.

There can be three different mutually exclusive configurations that lead to the above mentioned glimpse. Configuration 1: jr = 1, Sr [1] = 1 and Sr [2] = 0, Configuration 2: jr = 1, Sr [jr ] = jr , Sr [1] = 2 − jr and Sr [ir + 1] = 0, Configuration 3: Sr [jr ] = 0 and Sr [ir ] = jr . Since Configuration 1 and Configuration 2 are identical to the ones described in the first result (corresponding to zr = Sr [ir + 1]) the computations remain unchanged for those. It is easy to verify that all the three configurations satisfy the desired glimpse of zr+1 = Sr+1 [jr ]. For Configuration 3, we have already fixed two array values. To achieve zr+1 = 0, we must fix one more value in S. Hence, the total number of possible variations in Configuration 3 are N · (N − 3)! ≈ (N − 2)!. This implies C ≈ 3 · (N − 2)!. Therefore, the desired result follows by taking the ratio of C to T . Let us also look at the Fluhrer-McGrew scenario where the consecutive keystream byte-pair is (0, 0) for ir ∈ {1, (N − 1)}. This corresponds to the scenario 2 from Table tab11. For this scenario, the glimpse of zr+1 is associated with Sr+1 [jr ] and the probability is given by Pr(zr+1 = Sr+1 [jr ]) =

2 N.

If we compare this result with sub-scenario 1(b), we find that the bias here is smaller ( N2 ) than the bias of 1(b) which is N3 . This can be explained by observing that the applicable configurations here are: Configuration 1: Sr [jr ] = jr , Sr [1] = 2 − jr and Sr [ir + 1] = 0, Configuration 2: Sr [jr ] = 0 and Sr [ir ] = jr . So the configuration that corresponds to jr = 1, Sr [1] = 1 and Sr [2] = 0 is no longer applicable here and that accounts for the reduction of bias to N2 . To provide another illustration of the mechanism behind the glimpses, let us now consider the scenario 4 of lag-one bias (from Table 2) corresponding to (zr = N − 2, zr+2 = 0) at ir = N − 2. It is interesting to observe that this scenario includes a bias value of N4 in round r + 1. We now prove 1. Pr(zr = Sr [ir ]) = N2 , 2. Pr(zr+2 = Sr+2 [jr+2 ]) = 3. Pr(zr+2 = Sr+2 [jr+1 ]) =

3 N, 4 N.

Although here we consider lag-one digraphs instead of consecutive key-stream byte-pairs, the value of T remains unchanged as (N − 1)! since the approach to arrive at the number of possible ways remains the same. To prove the first result of this scenario, i.e., Pr(zr = Sr [ir ]) = N2 , we consider the following two mutually exclusive configurations.

More Glimpses of the RC4 Internal State Array

305

Table 2. Glimpses related to lag-one biases [2]. Lag-one Biases

(zr , zr+2 )

Source of zr A

Pr(zr = A)

Source of zr+2 B

Pr(zr+2 = B)

1

(0, 0)

Sr [jr−1 ]

Sr+2 [jr+2 ]

At i = 0

Sr [2]

2 N 3 N

(N , 0) 2

Sr [ir ]

3 N 2 N 2 N 2 N 3 N 2 N 2 N 2 N

Sr [jr ] 2

At i = 0

3 4

Sr [jr ]

(0, 0)

Sr [ir + 1]

At i = N − 2

Sr [jr−1 ]

(N − 2, 0)

Sr [ir ]

At i = N − 2

Sr+2 [jr+1 ] Sr+2 [jr+2 ] Sr+2 [jr+1 ] Sr+2 [jr+1 ] Sr+2 [jr ] Sr+2 [jr+2 ] Sr+2 [jr+1 ]

2 N 3 N 2 N 3 N 3 N 4 N

Configuration 1: Sr [ir ] = (N − 2), jr = 0 and Sr [jr ] = 0, Configuration 2: Sr [ir ] = p where Sr [p] = (N − 2), jr = 0 and Sr [jr ] = 0. It is apparent that both the configurations lead to (zr = (N − 2), zr+2 = 0) lag-one digraph in the output and satisfy the desired glimpse for zr . In both the configurations we have fixed the value of jr and two other array values. Hence, C = 2 · (N − 2)! and therefore, the desired probability result follows as expected. We now move to the second result 2. Pr(zr+2 = Sr+2 [jr+2 ]) =

3 N.

To prove the second result in this scenario we consider the following three mutually exclusive configurations. Configuration 1: Sr [ir ] = (N − 2), jr = 0 and Sr [jr ] = 0, Configuration 2: Sr [ir ] = p where Sr [p] = (N − 2), jr = 0 and Sr [jr ] = 0, Configuration 3: Sr [ir + 1] = N − p where jr = p and Sr [0] = 0. In the third configuration we also consider the value of Sr [ir ] in such a way that Sr [ir ] + Sr [jr ] points to the array index corresponding to (N − 2). It is apparent that all the three configurations lead to (zr = (N − 2), zr+2 = 0) lag-one digraph in the output and satisfy the desired glimpse for zr+2 . Since the Configuration 1 and Configuration 2 are identical to the corresponding ones from the first result of this scenario, we now count only the number of possibilities for Configuration 3. In Configuration 3, we have fixed one value of S in round r (Sr [ir ]). Similarly we have also fixed the values of Sr [ir + 1] and Sr [0]. Hence, the total number of possibilities is N · (N − 3)! ≈ (N − 2)!. So we get C = 3 cot(N − 2)! in this case as expected yielding the desired probability result. We now prove the final result of this scenario: 3. Pr(zr+2 = Sr+2 [jr+1 ]) =

4 N.

For this case, three possible configurations have already been shown in the previous result, i.e., Pr(zr+2 = Sr+2 [jr+2 ]) = N3 . One may check that in each of those three configurations, the desired glimpse for zr+2 = Sr+2 [jr+1 ] is also met as jr+2 = jr+1 based on the configuration. We now present the fourth configuration:

306

P. Chakraborty and S. Maitra

Configuration 4: Sr [ir + 1] = 0. In this configuration we also consider the value of Sr [ir ] in such a way that Sr [ir ] + Sr [jr ] points to the array index corresponding to (N − 2). In addition, we also consider that in round r + 2, the permutation array values of Sr+2 [ir+2 ] and Sr+2 [jr+2 ] are such that their summation points to the new index position of 0 after the swap in round r + 1. Please note that at the end of round r + 1, the value of Sr+1 [jr+1 ] = 0. This ensures the desired glimpse value of zr+2 = Sr+2 [jr+1 ]. So the possible number of permutations is N · (N − 3)! ≈ (N − 2)!. This means together with the other three scenarios, for this result we get C = 4 · (N − 2)!, which means the desired probability value would be given by Pr(zr+2 = Sr+2 [jr+1 ]) = N4 . As the techniques are similar in nature, we prove some representative results in this section as well as in the next section. Complete proof of all the results will be presented in the journal version.

4

Merging the New Glimpses with Jenkins’ [5]

In this section we present how the effect of FM [4] or lag-one [2] biases can be accumulated with the Jenkins’ Glimpse [5] (in both additive and conflicting sense). For presenting the tables, we consider two notations: – (J1 ): Pr(S[i] = j − z), – (J2 ): Pr(S[j] = i − z). First in Table 3, we consider the effect of both FM biases [4] and Jenkins’ Glimpse [5]. Table 3. Glimpses related to FM biases [4] and Jenkins’ [5] together. FM Biases

(zr , zr+1 )

Values of i

J1 (r)

J2 (r)

J1 (r + 1)

J2 (r + 1)

1

(0, 0)

i=1

2

(0, 0)

i = 1, N − 1

3

(0, 1)

i = 0, 1

4

(i + 1, N − 1)

i = N − 2

5

(N − 1, i + 1)

i = 1, N − 2

6

(N − 1, i + 2)

i = 0, N − 1, N − 2, N − 3

3 N 2 N 3 N 3 N 4 N 2 N

7

(N − 1, 0)

i=N −2

8

(N − 1, 1)

i=N −1

3 N 2 N 2 N 2 N 2 N 3 N 3 N 3 N

9

(N − 1, 2)

i = 0, 1

3 N 2 N 2 N 3 N 2 N 2 N 2 N 2 N 2 N 2 N 2 N 2 N

2 N 2 N 2 N 2 N 3 N 3 N 3 N 3 N 3 N 2 N

10

(N + 1, N + 1) 2 2

i=2

11

(N − 1, N − 1)

i = N − 2

12

(0, i + 1)

i = 0, N − 1

2 >N 4 N 2 N 2 N

2 >N 2 N 3 N 3 N 2 N 2 N

2 >N 1 N

We now explain the mechanisms that are responsible for altering the Jenkins’ Glimpse values by considering the two most prominent scenarios from Table 3 where the correlations are around N4 . Let us first consider the Fluhrer-McGrew

More Glimpses of the RC4 Internal State Array

307

scenario [4] where the consecutive key-stream byte-pair is (N − 1, ir + 1) and ir ∈ {1, N − 2}. This corresponds to the scenario 5 as depicted in Table 3. We are going to prove Table 3, scenario 5, J2 in round r: Pr(Sr [jr ] = ir − zr ) =

4 N

Similar to Section 3, here we use a generic combinatorial method to prove the result. First, we count the possible number of ways (T ) one can achieve the desired key-stream byte pair (N − 1, ir + 1) where ir ∈ {1, N − 2}. Next, we identify certain mutually independent configurations in which the expected Glimpse relation Sr [jr ] = ir − zr gets satisfied and we count the number of possible ways this can be achieved (C). The probability is derived by computing the ratio TC . We would like to point out that in this paper two different approaches have been used for proving the altered Jenkins’ Glimpse correlations - one is a purely probabilistic approach (as shown in Theorem 2) while in this section we use counting. We know that ir is fixed and jr can assume any value between 0 to N − 1. So if we do not have any restriction on the values of zr and zr+1 , the total number of possibilities would have been N · (N !). However, if we have to ensure that zr = N − 1 where we start with an arbitrary random configuration of S, we must fix the position of jr . This can be viewed as losing a degree of freedom. Similarly, we have to ensure that zr+1 = ir + 1 as well. So, we need to lose one more degree of freedom resulting in T = (N − 1)!. We now compute the value of C for the following Glimpse correlation. Table 3, scenario 5, J2 in round r: Pr(Sr [jr ] = ir − zr ) =

4 N

Since zr = N − 1, the desired condition turns out to be Sr [jr ] = ir + 1. There can be four mutually exclusive configurations that lead to the expected value of Sr [jr ]. Configuration 1: Sr [ir ] = N Configuration 2: Sr [ir ] = p and Sr [jr ] = ir + 1, Configuration 3: Sr [ir ] = N Configuration 4: Sr [ir ] = p and Sr [jr ] = ir + 1.

− 1, Sr [ir + 1] = 0 and Sr [jr ] = ir + 1, where Sr [p + ir + 1] = N − 1, Sr [ir + 1] = 0 − 1, Sr [ir + 1] = 0 and Sr [jr ] = ir + 1, where Sr [p + ir + 1] = N − 1, Sr [ir + 1] = 0

Clearly, for all the four configurations we get zr = N − 1. Also, for Configuration 1 and Configuration 2, zr+1 = ir +1. For Configuration 3 and Configuration 4, we must put a restriction on the new value of Sr+1 [jr+1 ] such that the value of zr+1 equals ir + 1. With these assumptions, all four configurations become valid for our current analysis. Moreover, in all the configurations the desired condition of Sr [jr ] = ir + 1 is satisfied. Moreover, these are the only four configurations that lead to the Glimpse correlation J2 for the Fluhrer-McGrew key-stream byte-pair (N −1, ir +1) where ir ∈ {1, N −2} which we have cross checked experimentally. We now calculate the number of permutations for each of the four mutually exclusive configurations to arrive at the value C. In Configuration 1, although

308

P. Chakraborty and S. Maitra

jr is not fixed, three permutation array byte values at the array index positions of ir , ir + 1 and jr are decided. Thus, the total number of permutations for Configuration 1 is N · (N − 3)! ≈ (N − 2). In Configuration 2, three array byte values at the array index positions of p + ir + 1, ir + 1 and jr are decided. So the possible alternatives in Configuration 2 is around (N −2)!. In Configuration 3, we have put an additional restriction on the value of Sr+1 [jr+1 ] so that zr+1 = ir +1. Hence, two values at the array index positions of ir and jr in round r and the value of Sr+1 [jr+1 ] in round r + 1 are decided. Similarly, in Configuration 4 also, three array byte values are assigned. So for Configuration 3 as well as for Configuration 4, the possible alternatives would be around (N − 2)! each. Combining these four values we get C = 4 · (N − 2)!. By taking the ratio of T and C, we obtain the desired result. Let us also prove another result in the same scenario. Table 3, scenario 5, J2 in round r + 1: Pr(Sr+1 [jr+1 ] = ir+1 − zr+1 ) =

3 N.

Since zr+1 = ir + 1, the desired condition turns out to be Sr+1 [jr+1 ] = 0. There can be three mutually exclusive configurations that lead to the expected value of Sr+1 [jr+1 ] where the first two are identical to the corresponding ones of the previous result that we have already proved. Configuration 1: Sr [ir ] = N − 1, Sr [ir + 1] = 0 and Sr [jr ] = ir + 1, Configuration 2: Sr [ir ] = p where Sr [p + ir + 1] = N − 1, Sr [ir + 1] = 0 and Sr [jr ] = ir + 1, Configuration 3: Sr [ir + 1] = 0 and Sr [jr ] = ir + 1. As we have already seen that for Configuration 1 and Configuration 2, the Fluhrer-McGrew double byte configuration corresponding to Scenario 5 gets satisfied. For Configuration 3, we must put additional constraints of one permutation array value in round r and one in round r + 1 to ensure zr = N − 1 and zr+1 = ir + 1. In all the three configurations, we end up with the desired value of 0 at jr+1 position of S. In each of the configurations we have fixed three permutation array values implying C = 3 · (N − 2)!. By taking the ratio of C to T , we get the desired probability result. Next, we prove another prominent result from the Table 3. Table 3, scenario 10, J1 in round r: Pr(Sr [ir ] = jr − zr ) =

4 N.

It corresponds to the Fluhrer-McGrew scenario where the consecutive key-stream byte-pair is ( N2 + 1, N2 + 1) for ir = 2. Since zr = N2 + 1, the desired condition turns out to be Sr [ir ] = jr − N2 − 1. There can be four mutually exclusive configurations that lead to the expected value of Sr [ir ]. Configuration Configuration Configuration Configuration

1: 2: 3: 4:

Sr [ir ] = N2 + 1, Sr [ir + 1] = 1 and jr = ir , Sr [ir ] = N2 + 1, Sr [ir + 1] = 1 and jr = ir , Sr [ir ] = jr − N2 − 1 and Sr [jr ] = N2 + 1, Sr [ir ] = jr − N2 − 1 and Sr [jr ] = N2 + 1.

More Glimpses of the RC4 Internal State Array

309

By inspecting all the four configurations and knowing that ir = 2 is given, one can verify that the desired Jenkins’ Glimpse relation (J1 ) holds for round r. Configuration 1 has already assigned definite values for two array bytes and jr is also fixed in such a way that the Fluhrer-McGrew digraph pattern of (N − 1, ir + 1) for ir = 2 is met. The possible number of choices would be (N − 2)! in this configuration. For Configuration 2, we need to assign another permutation array byte in round r + 1 to ensure zr+1 = ir + 1. The key-stream value for round r is as expected. The number of possible alternatives in this configuration is again approximately equals (N − 2)!. In Configuration 3, two array bytes are already assigned in such a way that zr = N − 1 and we need to assign one more permutation array in round r+1 to ensure the desired value of zr+1 . This implies we have a possible (N − 2)! choices here. In Configuration 4, only one constraint has been put so far. We need to put constraints on two additional permutation array values (one in round r and the other in round r + 1) to ensure the FluhrerMcGrew digraph pattern of Scenario 10. We have a possible (N − 2)! ways to accomplish the desired outcome in this configuration as well. Hence combining all the four configurations we get a value of C = 4(N − 2)! yielding the desired probability of N4 . Table 4. Glimpses related to lag-one biases [2] and Jenkins’ [5] together. Lag-one Biases (zr , zr+2 )

Values of i J1 (r) J2 (r) J1 (r + 2) J2 (r + 2)

1

(0, 0)

i=0

2

( N2

i=0

3

(0, 0)

4

(N − 2, 0) i = N − 2

, 0)

i=N −2

3 N 3 N 2 N 2 N

2 N 3 N 2 N

> N3

3 N 3 N 2 N 4 N

2 N 2 N 1 N 3 N

Using the same approach one can demonstrate the mechanism behind the modified Jenkins’ correlation results for lag-one digraphs [2] (or alternate keystream byte pairs) also. To illustrate the point let us prove the following result. Table 4, scenario 4, J1 in round r + 1: Pr(Sr+1 [ir+1 ] = jr+1 − zr+1 ) =

4 N.

It corresponds to the lag-one digraph scenario of (zr = N − 2, zr+2 = 0) for ir = (N − 2). Here, the desired condition turns out to be Sr+2 [ir+2 ] = jr+2 . There can be four mutually exclusive configurations that lead to the expected value of Sr+2 [ir+2 ]. Configuration 1: Sr [ir ] = N − 2, Sr [0] = 0 and jr = 0, Configuration 2: Sr [ir ] = p where Sr [p] = N − 2, Sr [0] = 0 and jr = 0, Configuration 3: Sr [ir + 1] = 0 and jr = 0, Configuration 4: jr = 0 and Sr+1 [jr+1 +Sr+1 [ir+2 ]] contains the same value as its index.

310

P. Chakraborty and S. Maitra

For each of the configurations, the conditions are chosen in such a way that the desired Jenkins’ Glimpse condition Sr+2 [ir+2 ] = jr+2 is met. For Configuration 1 and Configuration 2, two permutation array bytes along with the pseudorandom index (jr ) has been fixed. In these configurations the key-stream values in round r and round r + 2 assume the desired values as per the lag-one digraph pattern of (N − 2, 0). In the Configuration 3, zr+2 = 0 is ensured. To ensure the desired value of zr , one more permutation array byte value needs to be fixed. In Configuration 4, one permutation array byte in round r and in round r + 2 must be fixed to get the desired lag-one digraph pattern. In each of the four configurations, the number of possible choices becomes (N − 2)! implying C = 4 · (N − 2)!. This proves the probability result.

5

Conclusion

In this paper we identify several new cases where the secret state information of RC4 is revealed with higher probability than the random association. First we show how Jenkins’ results [5] related to RC4 Glimpse can be identified in locations other than i, j. We further revise the Jenkins’ Glimpses [5] considering two consecutive rounds r, r + 1 with the same keystream bytes r + 1. Then we show how one can obtain several other Glimpses that are related to the FluhrerMcGrew digraph repetition biases provided in [4] as well as the lag-one biases [2] (i.e., biases related to alternate keystream output bytes). Finally, we connect these Glimpses extracted through the biases in [2,4] with that of Jenkins’ [5] and provide sharper results. All the results are checked with theoretical experiments. With so many additional information related to non-randomness in the state of RC4, it is important to examine whether one can obtain further cryptanalytic results related to RC4. Acknowledgments. The authors like to thank the anonymous reviewers for detailed comments that helped in improving the editorial as well as technical quality of this paper. The second author acknowledges the support from project “Cryptography & Cryptanalysis: How far can we bridge the gap between Classical and Quantum Paradigm”, awarded by the Scientific Research Council of the Department of Atomic Energy (DAE-SRC), the Board of Research in Nuclear Sciences (BRNS) during 2016– 2021.

References 1. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS and WPA. In: 22nd USENIX Security Symposium (2013). http://www.isg.rhul.ac.uk/tls/RC4biases.pdf 2. Chakraborty, C., Chakraborty, P., Maitra, S.: Glimpses are forever in RC4 amidst the Spectre of Biases. https://eprint.iacr.org/2020/512 3. Chakraborty, C., Chakraborty, P., Maitra, S.: RC4: non-randomness in the index j and some results on its cycles. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 95–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7 5

More Glimpses of the RC4 Internal State Array

311

4. Fluhrer, S.R., McGrew, D.A.: Statistical analysis of the alleged RC4 keystream generator. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001). https://doi.org/10. 1007/3-540-44706-7 2 5. Jenkins, R.J.: ISAAC and RC4. 1996. http://burtleburtle.net/bob/rand/isaac. html. Accessed on 1 Oct 2019 6. Langley, A.: Disabling SSLv3 and RC4. Google Security Blog, 17 September 2015. https://security.googleblog.com/2015/09/disabling-sslv3-and-rc4.html 7. Maitra, S., Sen Gupta, S.: New long-term Glimpse of RC4 stream cipher. In: Bagchi, A., Ray, I. (eds.) ICISS 2013. LNCS, vol. 8303, pp. 230–238. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45204-8 17 8. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002). https://doi. org/10.1007/3-540-45473-X 13 9. Microsoft security advisory: update for disabling RC4. https://support.microsoft. com/en-in/help/2868725/microsoft-security-advisory-update-for-disabling-rc4. Accessed 16 Apr 2020 10. Paterson, K.G., Poettering, B., Schuldt, J.C.N.: Big bias hunting in amazonia: large-scale computation and exploitation of RC4 biases (Invited Paper). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 398–419. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8 21 11. Paul, G., Maitra, S.: RC4 Stream Cipher and Its Variants. CRC Press, Taylor & Francis Group, A Chapman & Hall Book, Boca Raton (2012) 12. SenGupta, S., Maitra, S., Paul, G., Sarkar, S.: (Non-)random sequences from (non-) random permutations - analysis of RC4 stream cipher. J. Cryptol. 27(1), 67–108 (2014)

Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box Lorenzo Grassi1,2 and Markus Schofnegger2(B) 1

2

Radboud University, Nijmegen, The Netherlands [email protected] IAIK, Graz University of Technology, Graz, Austria [email protected]

Abstract. In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES. The starting point of our work is “Mixture Differential Cryptanalysis” recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), namely approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). For a success probability of 95%, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential attack. Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-box is known and in the case in which it is secret. Keywords: AES · Mixture Differential Cryptanalysis distinguisher · Low-data attack · Secret S-box

1

· Secret-key

Introduction

AES (Advanced Encryption Standard) [6] is probably the most used and studied block cipher, and many constructions employ reduced-round AES as part of their design. Determining its security is therefore one of the most important problems in cryptanalysis. Since there is no known attack which can break the full AES significantly faster than exhaustive search, researchers have focused on attacks which can break reduced-round versions of AES. Especially within the last couple of years, new cryptanalysis results on the AES have appeared regularly (e.g., [1,9,12,15]). While those papers do not pose any practical threat c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 312–331, 2020. https://doi.org/10.1007/978-3-030-65277-7_14

Mixture Integral Attacks on Reduced-Round AES

313

to the AES, they do give new insights into the internals of what is arguably the cipher that is responsible for the largest fraction of encrypted data worldwide. Among many others, a new technique called “Mixture Differential Cryptanalysis” [9] has been recently presented at FSE/ToSC 2019, which is a way to translate the (complex) “multiple-of-8” 5-round distinguisher [12] into a simpler and more convenient one (though, on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the initial pair of plaintexts. As proved in [9], for 4-round AES the corresponding ciphertexts of the initial pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such a secret-key distinguisher, which is also independent of the details of the S-box and of the MixColumns matrix, has been reconsidered in [4], where the authors show that it is an immediate consequence of an equivalence relation on the input pairs, under which the difference at the output of the round function is invariant. Moreover, it is also the starting point for practical and competitive key-recovery attacks on 5-round AES-128 and 7-round AES-192 [1], breaking the record for these attacks which was obtained 18 years ago by the classical Square attack. In this paper, we reconsider this distinguisher on a smaller number of rounds in order to set up new (competitive) low-data distinguishers and key-recovery attacks on reduced-round AES. A summary of our results can be found in Tables 1, 2 and 3. Our Contribution and Related Work Cryptanalysis of block ciphers has focused on maximizing the number of rounds that can be broken without exhausting the full code book or key space. This often leads to attacks marginally close to that of brute force. Even if these attacks are important to e.g. determine the security margin of a cipher (i.e., the ratio between the number of rounds which can be successfully attacked and the number of rounds in the full cipher), they are not practical. For this reason, low-data distinguishers/attacks on reduced-round ciphers have recently gained renewed interest in the literature. Indeed, it seems desirable to also consider other approaches, such as restricting the attacker’s resources, in order to adhere to “real-life” scenarios. In this case, the time complexity of the attack is not limited (besides the natural bound of exhaustive search), but the data complexity is restricted to only a few known or chosen plaintexts. Attacks in this scenario have been studied in various papers, which include low-data Guess-and-Determine and Meet-in-the-Middle techniques [3], low-data truncated differential cryptanalysis [11], polytopic cryptanalysis [17], and, if adaptive chosen plaintexts/ciphertexts are allowed, yoyo-like attacks [15]. “Mixture Integral” Key-Recovery Attacks. In Sect. 4 we show that “Mixture Differential Cryptanalysis” [9] can be exploited in order to set up low-data attacks on reduced-round AES. Given a set of chosen plaintexts defined as in [9], our attacks are based on the fact that the XOR sum of the corresponding

314

L. Grassi and M. Schofnegger

Table 1. Secret-key distinguishers on 3-round AES which are independent of the secret key. The data complexity corresponds to the minimum number of chosen plaintexts/ciphertexts (CP/CC) and/or adaptive chosen plaintexts/ciphertexts (ACP/ACC) which are needed to distinguish the AES permutation from a random permutation with a success probability denoted by Prob. Property

Prob

Data

Reference

Imp. Mixt. Integral ≈ 65% ≈ 65% Trunc. Differential

6 CP 12 CP

Section 3.2 [11]

Imp. Mixt. Integral ≈ 95% ≈ 95% Trunc. Differential

10 CP 20 CP

Section 3.2 [11]

Integral

≈ 100% 256 = 28 CP

Yoyo

≈ 100% 2 CP + 2 ACC [15]

[5, 14]

texts after 2-round AES encryptions is equal to zero with prob. 1. Using the same strategy proposed in a classical square/integral attack [5,14], this zerosum property can be exploited to set up competitive attacks on 3- and 4-round AES, which require only 4 and 6 chosen plaintexts, respectively. A comparison of all known low-data attacks on AES and our attacks is given in Table 2. Since (1) the pairs of plaintexts used to set up the attacks share the same generating variables – which are mixed in the same way proposed by the Mixture Differential Distinguisher – and since (2) such attacks exploit the zero-sum property (instead of a differential one), we call this attack a mixture integral attack. “Impossible Mixture Integral” Secret-Key Distinguisher. In Sect. 3.2, we show that the previous distinguishers/attacks can also be exploited to set up a new 3-round secret-key distinguisher on AES, which is independent of the key, of the details of the S-box, and of the MixColumns operation. For a success probability of ≈ 95%, such a distinguisher requires only 10 chosen plaintexts (or ciphertexts), i.e., half of the data required by the most competitive distinguisher currently present in the literature (which does not require adaptive chosen texts). The Property Exploited by this New Distinguisher. Consider a zero-sum keyrecovery attack on 3-round AES (based on a 2-round zero-sum distinguisher). An integral attack assumes that the zero-sum property is always satisfied when decrypting under the secret key. Thus, if there is no key for which the zero-sum property is satisfied, the ciphertexts have likely been generated by a random permutation, and not by AES. Such a strategy can be used as a distinguisher, but requires key guessing and is thus not independent of the secret key. In Sect. 3.2, we show how to evaluate this property without guessing any key material by providing a property which is independent of the secret key, and which holds for the ciphertexts only in the case in which the key-recovery (mixture integral) attack just proposed fails. The obtained 3-round distinguisher can also be used to set up new key-recovery attacks on reduced-round AES.

Mixture Integral Attacks on Reduced-Round AES

315

Table 2. Attacks on reduced-round AES-128. The data complexity corresponds to the number of required chosen plaintexts (CP). The time complexity is measured in reduced-round AES encryption equivalents (E), while the memory complexity is measured in plaintexts (16 bytes). Precomputation is given in parentheses. The case in which the final MixColumns operation is omitted is denoted by “r.5 rounds” (r full rounds + the final round). “Key sched.” highlights whether the attack exploits the details of the key schedule of AES. Attack

Rounds

Data (CP)

Cost

Memory

Key sched.

Reference

TrD

2.5−3

2

231.6

28

No

[11]

G& D-MitM

2.5

2

224

216

Yes

[3]

G& D-MitM

3

2

216

28

Yes

[3]

TrD

2.5−3

3

211.2



No

[11] [3]

G& D-MitM

3

3

28

28

Yes

TrD

2.5−3

3

25.7

212

No

[11]

MixInt

2.5 − 3

4

28.1



No

Section 4.1

MixInt

2.5 − 3

4

1/2 when E is an ideally random block cipher. Hence we can recover K in polynomial time by using Simon’s algorithm. In other words, the generic attack recovers the secret key in polynomial time in R¨ otteler and Steinwandt’s model. Thus it seems less interesting to study quantum attacks in this exact same model. Our Attack Model. Our attack model is similar to R¨ otteler and Steinwandt’s, except that we impose restrictions on bit-flip patterns that adversaries can choose. More precisely, let b = b1 || · · · ||bk be a fixed k-bit string, and let Maskb := {x = x1 || · · · ||xk ∈ {0, 1}k | xi = 0 if bi = 0}. In our attack model, we allow −1 (x, M ), but we adversaries to access the quantum oracles of OK (x, M ) and OK assume that adversaries can choose x only from Maskb . The generic attack. In our model, R¨ otteler and Steinwandt’s polynomial-time attack no longer works due to the restriction of bit-flip patterns (when b = 11 · · · 1). Nevertheless, we can mount a simple quantum key-recovery attack by using the technique by Leander and May which combines Grover’s and Simon’s algorithms [18]. Lemma 1. Suppose that the Hamming weight of b (the bit-flip pattern) is w, and w is in Ω(log n). In our quantum related-key attack model, there exists a ˜ (k−w)/2 ). quantum attack that recovers the secret key in time O(2 The proof of the lemma is given in Section A.4 of this paper’s full version [6]. It seems that there is no quantum attack that is significantly faster than our attack for ideally random block ciphers. Therefore we pose the following conjecture. Conjecture 1. In our quantum related-key attack model, when the Hamming weight of b (bit-flip pattern) is w, and w is in Ω(log n), there is no key recovery attack10 that runs in time o(2(k−w)/2 ). 10

It is desirable to show that the conjecture holds, but proving quantum query lower bounds is quite difficult when quantum queries are made to both of E and E −1 .

Quantum Cryptanalysis on Contracting Feistel Structures

381

Under the assumption that this conjecture holds, theoretically then it is worth studying dedicated quantum attacks on concrete block ciphers that run in time o(2(k−w)/2 ): if there exists such an attack on a block cipher E, it follows that E does not behave like an ideally random block cipher in the quantum setting. In later sections we introduce such dedicated quantum related-key attacks on some Feistel structures. See also Section A.5 of this paper’s full version [6] for details on attack models.

3

Previous Works

This section gives an overview of previous works and results on quantum query attacks against Feistel structures. 3.1

Kuwakado and Morii’s Quantum Distinguisher on the 3-round Feistel Structure

Kuwakado and Morii showed a quantum chosen-plaintext attack that distinguishes the 3-round Feistel-F structure from a 2n-bit random permutation in polynomial time [16]. Let O denote the quantum encryption oracle of the 3-round Feistel-F structure. In addition, let OL (xL , xR ) and OR (xL , xR ) be the most and least significant n-bits of O(xL , xR ), respectively. Kuwakado and Morii’s distinguisher works as follows. First, let α0 and α1 be fixed n-bit strings such that α0 = α1 . Define a function (2) (1) f : F2 × Fn2 → Fn2 by f (b, x) := OL (x, αb ) ⊕ αb = Fk2 (Fk1 (αb ) ⊕ x). Then (1)

f ((b, x) ⊕ (1, s)) = f (b, x) holds for all (b, x) ∈ F2 × Fn2 , where s = Fk1 (α0 ) ⊕ (1)

Fk1 (α1 ), i.e., f is a periodic function and the period is (1, s). Thus, when the quantum oracle of O is available, we can apply Simon’s algorithm on f and recover the period (1, s). Remark 1. It is shown in [13] that the quantum oracle of OL (i.e., the truncation of O) can be implemented by making one query to the quantum oracle of O because O |xL |xR |y |+n = |xL |xR |y ⊕ OL (xL , xR ) |+n holds for arbitrary xL , xR , y ∈ Fn2 , where |+n := H ⊗n |0n . On the other hand, when we make a function f in the same way by using a 2n-bit random permutation instead of the 3-round Feistel-F structure, the function is not periodic with an overwhelming probability. In particular, even if we apply Simon’s algorithm on the function, the algorithm fails to find a period (since the function does not have any period). Therefore, we can distinguish the 3-round Feistel-F structure from a random permutation in polynomial time by checking the function f (made from the given quantum oracle that is either of the 3-round Feistel-F structure or a random permutation as f (b, x) := OL (x, αb ) ⊕ αb has a period, by using Simon’s algorithm. Later, the distinguishing attack was extended to a polynomial-time quantum chosen-ciphertext distinguishing attack on the 4-round Feistel-F structure [14].

382

C. Cid et al.

In addition, it has been shown that the keys of a 3-round Feistel-KF structure can be recovered by a polynomial time qCPA [7]. 3.2

Extension of the Distinguishers to Key Recovery Attacks with the Grover Search

Generally, classical distinguishing attacks on block ciphers can be extended to key recovery attacks. Here, we give an overview on how we can also extend the quantum chosen-plaintext distinguishing attack by Kuwakado and Morii to a quantum chosen-plaintext key recovery attack by using Grover’s algorithm, as shown by Hosoyamada and Sasaki [13] and Dong and Wang [10]. The time com˜ (r−3)n/2 ) when plexity of their attack on the r-round Feistel structure is in O(2 n the round keys k1 , . . . , kr are randomly chosen from {0, 1} . The basic strategy is to apply the combination of Grover’s algorithm and Simon’s algorithm shown by Leander and May [18]: guess the partial keys k4 , . . . , kr by using Grover’s algorithm, and check whether the guess is correct by applying Kuwakado and Morii’s algorithm on the first three rounds. Suppose that the quantum encryption oracle O of the r-round Feistel structure is given (r ≥ 4), and let k1 , . . . , kr be the round keys that we want to recover. Then, we can check whether a guess k4 , . . . , kr for the 4-th, . . . , r-th round keys is correct as follows. 1. Implement the quantum oracle of O := (Rk ◦ · · · ◦ Rk )−1 ◦ O. The O r 4 oracle performs the encryption with O and then the partial decryption by using k4 , . . . , kr . If the guess is correct, then O matches the partial encryption (1) (2) (3) Rk1 ◦ Rk2 ◦ Rk3 with the first three rounds. If the guess is incorrect, O is expected to behave like a random permutation. 2. Run Kuwakado and Morii’s quantum distinguisher on O . If we can distinguish the 3-round Feistel structure, with very high probability the key guess is correct. Otherwise, the key guess is incorrect. (4)

(r)

Since Simon’s algorithm can be implemented without any intermediate measurements (see Sect. 2.3 for details), we can implement a quantum circuit to calculate the Boolean function  1 (if (k4 , . . . , kr ) = (k4 , . . . , kr ))   G : (k4 , . . . , kr ) → 0 (if (k4 , . . . , kr ) = (k4 , . . . , kr )) with a small error. By applying Grover’s algorithm on G, we can then recover ˜ (r−3)n/2 ). The remaining keys k1 , k2 , and the round keys k4 , . . . , kr in time O(2 k3 can be easily recovered once k4 , . . . , kr are known. The above key-recovery attack is a quantum chosen-plaintext attack that is based on the 3-round chosen-plaintext distinguisher. If both the quantum encryption and decryption oracles are available, a quantum chosen-ciphertext ˜ (r−4)n/2 ) in the same way by using the attack recovers the keys in time O(2 4-round chosen-ciphertext distinguisher [14].

Quantum Cryptanalysis on Contracting Feistel Structures

3.3

383

Quantum Advanced Slide Attack and Nested Simon’s Algorithm

Consider the special case that there is a public random function F : {0, 1}n → (i) {0, 1}n and each round function Fki of the r-round Feistel structure is defined as (i) (3) Fki (x) := F (x ⊕ ki ) for all 1 ≤ i ≤ r. Assume also that the number of rounds r is divisible by 4, and the cyclic key-schedule is such that ki = ki+4 holds for each i is used (k1 , k2 , k3 , k4 are chosen independently and uniformly at random). In the classical setting, Biryukov and Wagner showed a chosen-ciphertext attack that recovers the keys with time O(2n/2 ) in this case [2]. In the quantum setting, Bonnetain et al. showed that the classical attack by Biryukov and Wagner can be exponentially sped up by nesting Simon’s algorithm [5], proposing a quantum attack that recovers keys in polynomial time. This section gives an overview on how Bonnetain et al.’s quantum chosen-ciphertext key-recovery attack works when r = 4. Let O and O−1 be the quantum encryption and decryption oracles of the 4-round Feistel structure of which the round functions are defined as in −1 (xL , xR )) and OR (xL , xR ) (resp., (3). In addition, let OL (xL , xR ) (resp., OL −1 OR (xL , xR )) denote the left and right n bits of O(xL , xR ) (resp., O−1 (xL , xR )), respectively. First, suppose that we can simulate the quantum oracle of the function g(x) := F (x ⊕ k1 ) ⊕ k2 ⊕ k4 .

(4)

Then, since F is a public function, we can evaluate the function H : Fn2 → Fn2 defined by H(x) := F (x) ⊕ g(x) in quantum superposition, and can thus recover the key k1 by Simon’s algorithm on H because H(x) = F (x)⊕F (x⊕k1 )⊕k2 ⊕k4 holds, and k1 is a period of H. Now, the problem is how to simulate the quantum oracle of such a function g(x) by using the quantum oracles of O and O−1 . For each fixed x ∈ Fn2 , define a function Gx : F2 × Fn2 → Fn2 by  −1 OR (y, x) if b = 0, Gx (b, y) := if b = 1. OR (y, x) Then, straightforward calculations show that Gx ((b, y) ⊕ (1, g(x))) = Gx (b, y) holds for all (b, y) ∈ F2 × Fn2 , i.e., Gx is a periodic function and the period is (1, g(x)), for arbitrarily fixed x. Therefore, by performing Simon’s algorithm on Gx without measurement (see Sect. 2.3 for details), we can implement a quantum circuit that evaluates g(x) in quantum superposition with some small error. In summary, we can recover k1 as follows: 1. Implement a quantum circuit Cg that simulates the quantum oracle of g with some small error. This can be done by applying Simon’s algorithm on Gx for each |x .

384

C. Cid et al.

2. Implement a quantum circuit that simulates the quantum oracle of H(x) by using Cg , and apply Simon’s algorithm on H to recover k1 . Note that Simon’s algorithm is nested in the above attack: when we apply Simon’s algorithm on H, another instance of Simon’s algorithm is called to evaluate the function H. Once we recover k1 , other subkeys k2 , k3 , k4 can be recovered easily. Eventually, we can recover all the keys in polynomial time. A Polynomial-Time Key Recovery Attack on the 3-Round Feistel Structure. Later, we use the technique of nested Simon’s algorithm to mount various attacks. Here we explain that Kuwakado and Morii’s distinguishing attack in Sect. 3.1 can easily be extended to a polynomial-time qCPA that recovers the key of the 3-round Feistel-KF structure, as another example on application of nested Simon’s algorithm, so that the readers will grasp the basic idea of the technique better11 . When Kuwakado and Morii’s attack in Sect. 3.1 is applied to the 3-round (1) (1) Feistel-KF structure, it recovers the value Fk1 (α0 ) ⊕ Fk1 (α1 ) = F (1) (α0 ⊕ k1 ) ⊕ F (1) (α1 ⊕ k1 ), where α0 and α1 are arbitrarily chosen constants such that α0 = α1 . Now, choose x ∈ {0, 1}n \{0n } arbitrarily, and set α0 := x and α1 := 0n . Then, given the quantum oracle of the 3-round Feistel-KF structure, Kuwakado and Morii’s attack allows us to compute the value fk1 (x) := F (1) (x ⊕ k1 ) ⊕ F (1) (k1 ) for each x = 0n . In particular, we can evaluate the function fk1 (x) in quantum superpositions by using Simon’s algorithm without intermediate measurements (note that fk1 (0n ) = 0n holds). Next, define a function Gk1 (x) by Gk1 (x) := fk1 (x) ⊕ F (1) (x). Then, since F (1) is a public function and we can evaluate fk1 (x) in quantum superpositions, we can also evaluate the function Gk1 (x) in quantum superpositions. In addition, it is easy to check that Gk1 (x) = Gk1 (x⊕k1 ) holds for all x ∈ {0, 1}n , i.e., Gk1 is a periodic function and the period is k1 . Hence we can recover the value k1 by applying Simon’s algorithm to Gk1 . Once we recover k1 , the remaining keys k2 and k3 can be recovered easily.

4

Contracting Feistel Structures

First, we present a 7-round quantum distinguisher for SM4-like structure under CPA setting in polynomial time. We further extend it to a polynomial time quantum key-recovery attack on 7-round SM4. Then we show the attacks can be generalised to attacks on (2d − 1)-round d-branch contracting Feistel structures. See Table 1 for a summary of the results in this section. (See also Theorem 1 of this paper’s full version [6] for a formalized statement on the attacks in this section.)

11

The previous polynomial-time qCPA on 3-round Feistel-KF structure [7] recovers the keys without nested Simon’s algorithm.

Quantum Cryptanalysis on Contracting Feistel Structures

385

Table 1. Polynomial-time qCPAs on contracting Feistel structures. The key-recovery attacks are applicable only to Feistel-KF structures.

4.1

Rounds Branch

Attack type

3

2

Distinguisher poly(n)

Complexity Ref. [16]

3

2

Key-recovery poly(n)

[7]

7

4

Distinguisher poly(n)

Sect. 4.2

7

4

Key-recovery poly(n)

Sect. 4.3

2d − 1

d (even) Distinguisher poly(n)

Sect. 4.4

2d − 1

d (even) Key-recovery poly(n)

Sect. 4.5

Specification

We denote the i-th round function SM4-like as follows: Xi = Xi−4 ⊕ Fi (Xi−3 ⊕ Xi−2 ⊕ Xi−1 ),

(5)

where Fi ’s are keyed functions, the input plaintext is (X−3 , X−2 , X−1 , X0 ) and the output ciphertext after r rounds is (Xr−3 , Xr−2 , Xr−1 , Xr ). r (xA , xB , xC , xD ) Let Or denote the r-round SM4-like quantum oracle, and OΛ r denote the branch xΛ of O (xA , xB , xC , xD ), where Λ ∈ {A, B, C, D}. 4.2

SM4-like Structure 7-Round Distinguisher Under CPA Setting

Idea of the Attack. The most important point of the quantum distinguishing attack on the 3-round balanced Feistel structure in Sect. 3.1 is that, given the encryption oracle, we can compute F2 (x ⊕ βa ) for arbitrary x by appropriately choosing plaintexts. Here, βa (a = 0, 1) is the constant such that we do not know its exact value and β0 = β1 . Since the function f : F2 × Fn2 → Fn2 defined by f (a, x) := F2 (x⊕βa ) has the period (1, β0 ⊕β1 ), we can mount the distinguishing attack by applying Simon’s algorithm on f . The basic strategy of our attack on SM4-like structure is similar. We try to compute the value Fi (x⊕βa ) for arbitrary x for some i. After some consideration we found that, given the encryption oracle of 7-round SM4-like structure, we can compute F4 (x ⊕ βa ) by setting X−3 = X−2 = X−1 = x and X0 = αa , where α0 and α1 are distinct constants. Details of the attack. Let X−3 = X−2 = X−1 = x and X0 = αa , where αa , a = 0, 1 are distinct constants. The branch values of each round function are as follows. From Table 2, we see that the 7-round ciphertext is (X4 , X5 , X6 , X7 ). Define a function f 7 : F2 × Fn2 → Fn2 by 7 (x, x, x, αa ) ⊕ αa f 7 (a, x) := OA

= F4 (x ⊕ g123,a )

(6)

386

C. Cid et al. Table 2. Values of branch Xi for 4-branch contracting Feistel-F structure.

Round

Xi

Notation

−3 ∼ −1 x 0

αa

1

x ⊕ g1,a

g1,a = F1 (αa )

2

x ⊕ g2,a

g2,a = F2 (αa ⊕ g1,a )

3

x ⊕ g3,a

g3,a = F3 (αa ⊕ g12,a ), g12,a = g1,a ⊕ g2,a

4

αa ⊕ g4,a (x)

g4,a (x) = F4 (x ⊕ g123,a ), g123,a = g12,a ⊕ g3,a

5

x ⊕ g1,a ⊕ g5,a (x) g5,a (x) = F5 (αa ⊕ g23,a ⊕ g4,a (x)), g23,a = g2,a ⊕ g3,a

6

x ⊕ g2,a ⊕ g6,a (x) g6,a (x) = F6 (αa ⊕ g13,a ⊕ g4,a (x) ⊕ g5,a (x)), g13,a = g1,a ⊕ g3,a

7

x ⊕ g3,a ⊕ g7,a (x) g7,a (x) = F7 (αa ⊕ g12,a ⊕ g4,a (x) ⊕ g5,a (x) ⊕ g6,a (x))

Then f 7 ((a, x) ⊕ (1, s)) = f 7 (a, x) holds for all (a, x) ∈: F2 × Fn2 , where s = g123,0 ⊕ g123,1 . One can see that f 7 (a ⊕ 1, x ⊕ g123,0 ⊕ g123,1 ) = F4 (x ⊕ g123,0 ⊕ g123,1 ⊕ g123,a⊕1 ) = F4 (x ⊕ g123,a ) = f 7 (a, x). Thus, when the quantum oracle of O7 is available, we can apply Simon’s algorithm on f 7 and recover the period (1, s)12 . 4.3

7-Round SM4 Key-Recovery Under CPA Setting

Recall that SM4 is a Feistel-KF structure. In other words, it deploys as round function Fi (x) = F (x ⊕ ki ), where F is a public function13 and ki is the round key. The key-recovery attack is similar as the distinguisher described in the previous section, except that we introduce 3 more variables and additional constraints on these variables. Let X−3 = x⊕βa , X−2 = x⊕γa , X−1 = x⊕δa and X0 = αa , where a ∈ {0, 1}. For all symbols Λ ∈ {α, β, γ, δ}, we set Λ0 = Λ ∈ Fn2 \ {0n } and Λ1 = 0n . Table 3 shows the value Xi at various round. Like before, although we consider 7-round SM4-like Feistel, we only need to know the value of X4 . Define a function f 7 : F2 × Fn2 → Fn2 by 7 f 7 (a, x) := OA (x ⊕ βa , x ⊕ γa , x ⊕ δa , αa ) ⊕ αa = F (x ⊕ h4 (a)) 12 13

(7)

7 To be more precise, we have to simulate OA (truncation) by using O7 . This can be done by using the technique explained in Remark 1. Here, we assume it to be the same public function for all rounds. In fact, every round can be an arbitrary public function and the attack still works.

Quantum Cryptanalysis on Contracting Feistel Structures

387

Table 3. Values of branch Xi for 4-branch contracting Feistel-KF structure. Round Xi

Notation

−3

x ⊕ βa

−2

x ⊕ γa

−1

x ⊕ δa

0

αa

1

x ⊕ βa ⊕ g1,a

g1,a = F (αa ⊕ γa ⊕ δa ⊕ k1 )

2

x ⊕ γa ⊕ g2,a

g2,a = F (αa ⊕ βa ⊕ δa ⊕ g1,a ⊕ k2 )

3

x ⊕ δa ⊕ g3,a

g3,a = F (αa ⊕ βa ⊕ γa ⊕ g1,a ⊕ g2,a ⊕ k3 )

4

αa ⊕ F (x ⊕ h4 (a)) h4 (a) = βa ⊕ γa ⊕ δa ⊕ g1,a ⊕ g2,a ⊕ g3,a ⊕ k4

Then f 7 ((a, x) ⊕ (1, s)) = f 7 (a, x) holds for all (a, x) ∈ F2 × Fn2 , where s = h4 (0) ⊕ h4 (1). One can see that f 7 (a ⊕ 1, x ⊕ h4 (0) ⊕ h4 (1)) = F (x ⊕ h4 (0) ⊕ h4 (1) ⊕ h4 (a ⊕ 1)) = F (x ⊕ h4 (a)) = f 7 (a, x) Thus, when the quantum oracle of O7 is available, we can apply Simon’s algorithm on f 7 and recover the period (1, h4 (0) ⊕ h4 (1)). In addition, this allows us to compute the value h4 (0) ⊕ h4 (1). Let Λ4 := (α, β, γ, δ) and T(Λ4 ) := β ⊕ γ ⊕ δ ⊕ g1 (Λ4 ) ⊕ g2 (Λ4 ) ⊕ g3 (Λ4 ), where g1 (Λ4 ) := F (α ⊕ γ ⊕ δ), g2 (Λ4 ) := F (α ⊕ β ⊕ δ ⊕ g1 (Λ4 )) and g3 (Λ4 ) := F (α ⊕ β ⊕ γ ⊕ g1 (Λ4 ) ⊕ g2 (Λ4 )). Then h4 (0) = T(Λ4 ⊕ key) and h4 (1) = T(key) hold, where key = (k1 ⊕ k2 ⊕ k3 , k2 ⊕ k3 ⊕ k4 , k1 ⊕ k3 ⊕ k4 , k1 ⊕ k2 ⊕ k4 ). In addition, let H(Λ4 ) := T(Λ4 ⊕ key) ⊕ T(key) ⊕ T(Λ4 ). Then H can be computed in quantum superposition since T((α, β, γ, δ) ⊕ key) ⊕ T(key) = h4 (0) ⊕ h4 (1) can be computed by using Simon’s algorithm on f 7 as above, and T(Λ4 ) does not depend on keys. Now, it is straightforward to check that the following conditions for s ∈ (Fn2 )4 are equivalent14 : 1. s is in the vector space V ⊂ (Fn2 )4 that is spanned by key and (0, η, η, η) for η ∈ Fn2 . 2. H(Λ4 ⊕ s ) = H(Λ4 ) holds for all Λ4 = (α, β, γ, δ) ∈ (Fn2 )4 . Thus, by applying Simon’s algorithm on H, we can compute the vector space V . Once we determine the space V , we can recover the keys k1 , k2 , and k3 since k1 = αs ⊕ γs ⊕ δs , k2 = αs ⊕ βs ⊕ δs , and k3 = αs ⊕ βs ⊕ γs hold for arbitrary (αs , βs , γs , δs ) ∈ V with αs = 0n . Once we have these round keys, the remaining round keys k4 , k5 , k6 , k7 can be recovered easily. 14

To be more precise, the conditions become equivalent with an overwhelming probability when the round function F is a random function.

388

4.4

C. Cid et al.

Generic (2d − 1)-round Distinguisher on Even Branches Contracting Feistel Structures Under CPA Setting

As mentioned earlier, the authors of [25] proved that when d is even, a d-branch r-round contracting Feistel-F structure is PRP-secure when r ≥ 2d − 1 rounds. Here, we show that it is not qPRP for r = 2d − 1 rounds for any even d. Let Or denote the r-round d-branch contracting Feistel-F quantum oracle. r (b1 , . . . , bd ) denote the branch bΛ of Or (b1 , . . . , bd ), where In addition, let OΛ Λ ∈ {1, 2, . . . , d}. We denote the value of each branch as a recursive function Xi = Xi−d ⊕ Fi (Xi−(d−1) ⊕ · · · ⊕ Xi−1 ),

(8)

where the input is (X1−d , . . . , X0 ) and output after r rounds is (Xr−(d−1) , . . . , Xr ). The distinguisher is a generalization of what is described in Sect. 4.2. In a nutshell, we show that if we let X1−d = · · · = X1 = x and X0 = αa , where α0 and α1 are distinct constants, and define a function f 2d−1 : F2 × Fn2 → Fn2 by f 2d−1 (a, x) := O12d−1 (x, . . . , x, αa ) ⊕ αa = Xd ⊕ αa

(9)

we can apply Simon’s algorithm on f 2d−1 and find a period, hence a distinguisher. The following theorem is the key observation to show the periodicity of f 2d−1 . Theorem 1. Given a d-branch contracting Feistel structure, where d is even. Now let X1−d = · · · = X1 = x and X0 = αa , where αa is constant. Then for 1 ≤ i ≤ d − 1, we have Xi = x ⊕ Ti (αa ). Here, Ti (αa ) denotes a constant value that consists of fixed keyed functions Fi and αa , and does not contain variable x. See Section B of this paper’s full version [6] for a proof. From Theorem 1, we can compute Xd = X0 ⊕ Fd (X1 ⊕ · · · ⊕ Xd−1 ) = αa ⊕ Fd (x ⊕ · · · ⊕ x ⊕T$ (αa )) = αa ⊕ Fd (x ⊕ T$ (αa ))    d−1 times

where T$ (αa ) = T1 (αa ) ⊕ · · · ⊕ Td−1 (αa ). Going back to Eq. (9), we have f 2d−1 (a, x) = Fd (x ⊕ T$ (αa )). Therefore, it is trivial to see that f 2d−1 ((a, x)⊕(1, s)) = f 2d−1 (a, x) holds for all (a, x) ∈ F2 ×Fn2 , where s = T$ (α0 ) ⊕ T$ (α1 ). 4.5

Generic (2d − 1)-round Key-Recovery on Even Branches Contracting Feistel-KF Structures Under CPA Setting

The key-recovery attack described in Sect. 4.3 can be easily extended to any even branches contracting Feistel-KF structures. The number of introduced variables, the analysis and recovered round keys will simply scale up linearly with the number of branches. For the sake of brevity, we omit the details of the keyrecovery attack for the generic case.

Quantum Cryptanalysis on Contracting Feistel Structures

5

389

Related-Key Attacks

We first show related-key attacks on the balanced Feistel-KF structures in Sect. 5.1, and then extend some of them to contracting Feistel-KF structures in Sect. 5.2. The related-key attacks on contracting Feistel-KF structures (especially, the distinguishing attack) are based on the single-key attacks in Sect. 4. 5.1

Related-Key Attacks on the Balanced Feistel-KF Structures

Recall that a bit-mask pattern is specified in our related-key setting. Adversaries do not know any information of the key itself, but can add an arbitrary value that is consistent with the bit-mask pattern when they make encryption queries (in quantum superposition). The focus of this subsection is related-key attacks on r-round Feistel-KF structures, which have rn-bit keys. Each key is denoted as (k1 , . . . , kr ) ∈ Frn 2 , where ki is the i-th round key. In our attacks, we fix a set of indices 1 ≤ i1 < i2 < · · · < iu ≤ r, and assume that adversaries can add any value in {0, 1}n to kij for all 1 ≤ j ≤ u (in quantum superpositions). For instance, we will consider an attack on the 4-round Feistel-KF structure where adversaries can add n-bit values to the first round key k1 . For ease of notation, we denote this related-key setting by (Δ, 0, 0, 0). Other related-key settings are denoted in the same way: the related-key setting on the 5-round Feistel-KF structure where adversaries can add values to k1 and k3 are denoted by (Δ, 0, Δ, 0, 0). Note that the pattern (0, . . . , 0) corresponds to the single-key setting, and (Δ, Δ, . . . , Δ) corresponds to the previous related-key setting by R¨ otteler and Steinwandt. See Table 4 for the summary of the results in this subsection and a comparison with other attacks. (See also this paper’s full version [6] for statements of the results in this subsection as a sequence of formal propositions). We denote the most and least significant n bits of a 2n-bit string X by XL and XR , respectively. Polynomial-time 5-round qCPA Distinguisher for Pattern (0, Δ, 0, 0, 0). Here we show a polynomial-time related-key qCPA that distinguishes the 5- round Feistel-KF structures from a random permutation for the related-key pattern (0, Δ, 0, 0, 0). Assume that the quantum oracle of O5,(0,Δ,0,0,0) : Fn2 × Fn2 × Fn2 → Fn2 × Fn2 , (L, R, Δ) → Enck1 ,k2 ⊕Δ,k3 ,k4 ,k5 (L, R) is available to adversaries. Here, Enc is the encryption of the 5-round FeistelKF structure or an ideally random cipher such that Enck1 ,...,k5 is a random permutation for each key (k1 , . . . , k5 ). The goal of an adversary is to distinguish whether Enc is the 5-round Feistel-KF structure or an ideally random cipher.

390

C. Cid et al. Table 4. Attack complexity of qCPAs on balanced Feistel-KF structures.

Rounds Key model

Attack type

Complexity Ref.

3

(0, 0, 0)

Distinguisher

poly(n)

[16]

3

(0, 0, 0)

Key-recovery

poly(n)

[7]

4

(Δ, Δ, Δ, Δ)

Key-recovery

poly(n)

[23]

4

(Δ, 0, 0, 0)

Key-recovery

poly(n)

This section

5

(0, Δ, 0, 0, 0)

Distinguisher

poly(n)

This section

5

(Δ, 0, Δ, 0, 0)

Key-recovery

poly(n)

This section

r

(0, . . . , 0)

Key-recovery

2(r−3)n/2

[10, 13]

r

(Δ, . . . , Δ)

Key-recovery

poly(n)

[23]

r

(Δ, 0, . . . , 0, 0, 0)

Key-recovery (only the first round key) poly(n)

This section

r

(Δ, . . . , Δ, 0, 0, 0)

Key-recovery

poly(n)

This section

r

(0, . . . , 0, Δ, 0, 0, 0)

Key-recovery

2(r−5)n/2

This section



2 + 3

((0, Δ) , 0, 0, 0)

Distinguisher

poly(n)

This section

2 + 2

({0, }(Δ, 0) , 0{, 0}) Distinguisher

poly(n)

This section

5,(0,Δ,0,0,0)

Define G : Fn2 → Fn2 by G(x) := OL (x, α0 , x) ⊕ 5,(0,Δ,0,0,0) (x, α1 , x). If Enc is the 5-round Feistel-KF structure, we have OL G(x) = α0 ⊕ α1 ⊕ F (2) (k2 ⊕ F (1) (k1 ⊕ α0 )) ⊕ F (2) (k2 ⊕ F (1) (k1 ⊕ α1 )) ⊕ F (4) (k4 ⊕ x ⊕ F (1) (k1 ⊕ α0 ) ⊕ F (3) (k3 ⊕ α0 ⊕ F (2) (k2 ⊕ F (1) (k1 ⊕ α0 )))) ⊕ F (4) (k4 ⊕ x ⊕ F (1) (k1 ⊕ α1 ) ⊕ F (3) (k3 ⊕ α1 ⊕ F (2) (k2 ⊕ F (1) (k1 ⊕ α1 )))).

In particular, G is a periodic function and s := F (3) (k3 ⊕α0 ⊕F (2) (k2 ⊕F (1) (k1 ⊕ α0 ))) ⊕ F (3) (k3 ⊕ α1 ⊕ F (2) (k2 ⊕ F (1) (k1 ⊕ α1 ))) ⊕ F (1) (k1 ⊕ α0 ) ⊕ F (1) (k1 ⊕ α1 ) is the period. On the other hand, when Enc is an ideally random cipher, G is not periodic with overwhelming probability. Hence the 5-round Feistel function can be distinguished from an ideally random cipher in polynomial time by checking whether G(x) is periodic, if the quantum related-key oracle of the pattern (0, Δ, 0, 0, 0) is given to adversaries. Remark 2. The above attack can also be used to mount a 4-round polynomialtime qCPA related-key distinguisher for the pattern (Δ, 0, 0, 0). Polynomial-time qCPA Distinguisher for the Pattern ((0, Δ) , 0, 0, 0). The polynomial-time 5-round distinguisher for the related-key pattern (0, Δ, 0, 0, 0) can easily be extended to a polynomial-time r-round qCPA distinguisher for the pattern ((0, Δ) , 0, 0, 0), where r = 2 + 3 for some  ≥ 2. See Section C.1 of this paper’s full version [6] for details. Remark 3. The attack can also be used to mount a (2 + 2)-round polynomialtime qCPA related-key distinguisher for pattern omitting either the first or last round (denoted in parenthesis) ({0, }(Δ, 0) , 0{, 0}).

Quantum Cryptanalysis on Contracting Feistel Structures

391

Polynomial-time r-round qCPA Key-recovery Attack for Related-key Pattern (Δ, 0, . . . , 0). Here we show a polynomial-time related-key qCPA that recovers the key of the r-round Feistel-KF structure for the related-key pattern (Δ, 0, . . . , 0). Our attack recovers all the keys when r = 4, and only the first round key when r > 4. (r) Let Enck1 ,...,kr denote the encryption function of the r-round Feistel-KF structure with the key (k1 , . . . , kr ) ∈ Frn 2 . Assume that the quantum oracle (r) of Or,(Δ,0,...,0) : Fn2 × Fn2 × Fn2 → Fn2 × Fn2 , (L, R, Δ) → Enck1 ⊕Δ,k2 ,...,kr (L, R) is available to adversaries. r,(Δ,0,...,0) (F (1) (x), 0, x). Define a function G : Fn2 → Fn2 × Fn2 by G(x) := OL (r) (r−1) Then G(x) = Enck1 ⊕x,k2 ,...,k4 (F (1) (x), 0) = Enck2 ,...,kr (0, F (1) (x) ⊕ F (1) (x ⊕ k1 )) holds. In particular, G(x) is periodic function with the period k1 . Thus we can recover the key k1 in polynomial time by applying Simon’s algorithm on G(x). When r = 4, once we recover k1 , other subkeys k2 , k3 , k4 can be recovered easily by using the 3-round key-recovery attack in Sect. 3.3. Since the generic ˜ 3n/2 ) (under the key-recovery attack in this related-key setting requires time O(2 assumption that Conjecture 1 holds), our attack is exponentially faster than the generic attack. Remark 4. By iteratively applying the above attack, we can also recover all the keys of r-round Feistel-FK structure in polynomial time when the related-key oracle of pattern (Δ, . . . , Δ, 0, 0, 0) is available. Polynomial-time 5-round qCPA Key-recovery Attack for the Pattern (Δ, 0, Δ, 0, 0). There also exists a polynomial-time related-key qCPA that recovers the key of the 5-round Feistel-KF for the related-key pattern (Δ, 0, Δ, 0, 0), by using nested Simon’s algorithm. See Section C.2 of this paper’s full version [6] for details. Attack on More Rounds with Grover’s Algorithm. The polynomial-time attacks introduced above can be used to mount key-recovery attacks on more rounds with the technique in Sect. 3.2, which converts key-recovery attacks and distinguishers into key-recovery attacks on more rounds by using the Grover search. For instance, assume that we are given the r-round related-key oracle of the pattern (0, . . . , 0, Δ, 0, 0, 0). Then, by guessing the first (r − 5) round keys k1 , . . . , kr−5 with the Grover search, and applying the polynomial-time 5-round distinguisher for the pattern (0, Δ, 0, 0, 0) on the remaining 5-rounds, we can ˜ (r−5)n/2 ). Once we recover k1 , . . . , kr−5 , we can recover k1 , . . . , kr−5 in time O(2 ˜ n/2 ) by applying the Grover search to guess kr−4 and recover kr−4 in time O(2 the 4-round distinguisher for the pattern (Δ, 0, 0, 0) on the last 4-rounds (see Remark 2). The remaining keys kr−3 , . . . , kr can be recovered in polynomial time by using the 4-round key-recovery attack for the pattern (Δ, 0, 0, 0) on the ˜ (r−5)n/2 ). last 4-round. Eventually, all the keys can be recovered in time O(2

392

5.2

C. Cid et al.

Related-Key Attacks on the Contracting Feistel Structures

For contracting Feistel-KF structures, let us use the same notation (0, Δ, 0, 0, 0) to denote related-key patterns under consideration, as in Sect. 5.1. Since contracting Feistel structures are much more complex than balanced Feistel structures, we focus on the setting that inserting differential is allowed for only a single round-key (that is, we do not consider the patterns such as (Δ, 0, Δ, 0, 0)). To avoid the awkward long notations for related-key patterns, we use an abbreviated notation as follows: we denote the pattern (0, Δ, 0, 0, 0) by Δd,2/5 , where “d” means that we are considering d-branch contracting Feistel structure, “5” means that we are considering 5-round construction, and “2” means that differentials are inserted into the second round key. Then, we can show that: 1. The polynomial-time qCPA related-key distinguisher on the 5-round balanced Feistel structure for the related-key pattern (0, Δ, 0, 0, 0) can be extended to a polynomial-time qCPA related-key distinguisher on the d-branch (3d − 1)round contracting Feistel structure for the pattern Δd,d/3d−1 . 2. The polynomial-time related-key qCPA that recovers the first round key k1 of the r-round balanced Feistel structure for the related-key pattern (Δ, 0, . . . , 0) can be extended to a polynomial-time related-key qCPA that recovers the first round key k1 of the d-branch (3d − 1)-round contracting Feistel structure for the related-key pattern Δd,1/r . Since it is straightforward to show the above extensions, we refrain from writing the full proofs here. See Section C.3 of this paper’s full version [6] for details. As in Sect. 4, it is also assumed that the number of the branch d is even. Attack on More Rounds with Grover’s Algorithm. The polynomial-time attacks introduced above can be used to mount key-recovery attacks on more rounds with the technique in Sect. 3.2, as well as the attacks on balanced Feistel structures in Sect. 5.1.

6

Future Work

Over and over again, we have seen polynomial-time quantum distinguisher breaking the classical PRP bound [9,16] (as well as the classical SPRP bound [14]) for Feistel structures. Our intuition is that the classical PRP or SPRP bounds represent the minimum number of rounds necessary for the last distinguishable branch to be masked by some pseudorandom value through a direct XOR. This is sufficient for the classical setting. However, in the quantum setting and with the right configuration and control over the input branches, we see that Simon’s algorithm is often able to find this masking value in polynomial time. Therefore we feel inclined to conjecture that if r is the minimum number of rounds for a Feistel structure to be classical PRP (resp. SPRP) secure, then there exists a r-round polynomial-time qCPA (resp. qCCA) distinguisher for that Feistel structure. Having said that, it would be interesting see if we can find (3d − 2)-round polynomial-time qCCA distinguisher for d-branch contracting Feistel structure.

Quantum Cryptanalysis on Contracting Feistel Structures

393

Acknowledgement. This work was initiated during the group sessions of the 9th Asian Workshop on Symmetric Key Cryptography (ASK 2019) held in Kobe, Japan. Yunwen Liu is supported by National Natural Science Foundation of China (No.61902414) and Natural Science Foundation of Hunan Province (No. 2020JJ5667).

References 1. Aoki, K., et al.: Camellia: A 128-bit block cipher suitable for multiple platforms— design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001). https://doi.org/10.1007/3-54044983-3 4 2. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). https:// doi.org/10.1007/3-540-45539-6 41 3. Bonnetain, X.: Collisions on Feistel-MiMC and univariate GMiMC. IACR Cryptol. ePrint Arch. 2019, 951 (2019) 4. Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Yu., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon’s algorithm. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 552–583. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5 20 5. Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 492–519. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5 20 6. Cid, C., Hosoyamada, A., Liu, Y., Sim, S.M.: Quantum cryptanalysis on contracting Feistel structures and observation on related-key settings. IACR Cryptol. ePrint Arch. 2020, 959 (2020) 7. Daiza, T., Kurosawa, K.: Quantum/classical key recovery attack on 3-round FeistelKF structure (2020), unpublished manuscript 8. Diffie, W., Ledin, G.: SMS4 encryption algorithm for wireless networks. IACR Cryptology ePrint Archive 2008, vol. 329 (2008). http://eprint.iacr.org/2008/329 9. Dong, X., Li, Z., Wang, X.: Quantum cryptanalysis on some generalized Feistel schemes. Sci. China Inf. Sci. 62(2), 22501:1–22501:12 (2019) 10. Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61(10), 102501:1–102501:7 (2018) 11. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996, pp. 212–219 (1996) 12. Hodˇzi´c, S., Knudsen Ramkilde, L., Brasen Kidmose, A.: On quantum distinguishers for type-3 generalized Feistel network based on separability. In: Ding, J., Tillich, J.P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 461–480. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1 25 13. Hosoyamada, A., Sasaki, Yu.: Quantum demiric-sel¸cuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 386–403. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0 21 14. Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Yu., Iwata, T.: Quantum chosenciphertext attacks against Feistel ciphers. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 391–411. Springer, Cham (2019). https://doi.org/10.1007/ 978-3-030-12612-4 20

394

C. Cid et al.

15. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5 8 16. Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, Proceedings, pp. 2682–2685. IEEE (2010) 17. Kuwakado, H., Morii, M.: Security on the quantum-type even-Mansour cipher. In: ISITA 2012, pp. 312–316. IEEE (2012) 18. Leander, G., May, A.: Grover meets Simon – quantumly attacking the FXconstruction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-31970697-9 6 19. Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudorandom functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 447–447. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X 34 20. National Bureau of Standards: Data encryption standard. FIPS 46, January 1977 21. Ni, B., Ito, G., Dong, X., Iwata, T.: Quantum attacks against type-1 generalized Feistel ciphers and applications to CAST-256. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 433–455. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7 22 22. NIST: Announcing request for nominations for public-key post-quantum cryptographic algorithms. National Institute of Standards and Technology (2016) 23. R¨ otteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015) 24. Simon, D.R.: On the power of quantum computation. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 116–123 (1994) 25. Zhang, L.T., Wu, W.L.: Pseudorandomness and super pseudorandomness on the unbalanced feistel networks with contracting functions. China J. Comput., 32(7), 1320–1330 (2009). http://cjc.ict.ac.cn/eng/qwjse/view.asp?id=2909

Evaluation of Quantum Cryptanalysis on SPECK Ravi Anand1(B) , Arpita Maitra2 , and Sourav Mukhopadhyay1 1

Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur 721302, West Bengal, India [email protected], [email protected] 2 TCG Centres for Research and Education in Science and Technology, Kolkata 700091, West Bengal, India [email protected]

Abstract. In this work, all the versions of SPECK are evaluated against quantum adversary in terms of Grovers algorithm. We extensively study the resource requirements for quantum key search under the model of known plaintext attack and show that our estimation provides better result than the existing efforts. Further, for the first time, we explore differential cryptanalysis on SPECK in quantum framework that provides encouraging results. For both the cases, the quantum resources are evaluated in terms of several parameters, i.e., the T-depth of the circuits and the number of qubits required for the attacks. Experiments are performed in IBM-Q environment to support our claims. Keywords: Differential cryptanalysis Grover’s algorithm · Qiskit · IBM-Q

1

· Quantum reversible circuits ·

Introduction

In symmetric key cryptography, the well known fact is that the n-bit secret key can be recovered in O(2n/2 ) exploiting Grover search algorithm [8]. So to guarantee the required security, a useful heuristic is to double the key length. However, to implement Grover, one needs to design the quantum version of the cipher. In this direction, subsequent work has been done on AES and some other block ciphers [3,7,12,20,26]. In recent time, a lot of symmetric constructions are being evaluated in quantum settings. In this connection, we can mention the key recovery attack against Even-Mansour constructions and distinguishers against 3-round Feistel constructions [17]. The key recovery attacks against multiple encryptions [13] and forgery attacks against CBC-like MACs [14] have also been studied. Quantum meet-in-the-middle attack on Feistel constructions [9], key recovery attacks against FX constructions [21] have been explored too. The present trend is to study the feasibility of mapping the existing classical attacks in quantum settings [10,14,15,22]. Very recently, Bonnetain et al. [5] proposed a novel methodology for quantum cryptanalysis on symmetric ciphers. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 395–413, 2020. https://doi.org/10.1007/978-3-030-65277-7_18

396

R. Anand et al.

They exploited the algebraic structure of certain classical cryptosystems to bypass the standard quantum superposition queries. On the other hand, lightweight ciphers like SIMON and SPECK have been left unexplored. Very recently, in [4], Grover’s search algorithm has been evaluated on SIMON. In the current initiative, we are concentrating on SPECK. In [11], K. Jang, S. Choi, H. Kwon and H. Seo analyzed Grover search on SPECK. They followed the same approach which has been followed in [4]. For addition modulo 2n , they exploited Cuccaro et al.’s ripple-carry addition circuit [6]. We follow the addition circuit presented in [23]. This is because of the fact that the circuit presented in [23] for adding two n-bit numbers exploits (2n − 2) Toffoli and (5n − 6) CNOT gates and requires no ancilla whereas the circuit described in [6] requires (2n − 2) Toffoli , (5n − 4) CNOT , and (2n − 4) NOT gates and one ancilla. Hence, while the number of Toffoli gates remain the same, the number of Clifford, i.e., (CNOT +NOT ), gates are relatively low in our circuit. Moreover, we need one less qubit compared to [11]. K Jang et al. designed the circuit and estimated the resources only for two variants of SPECK, SPECK32/64 and SPECK64/128 whereas we provide the detailed circuits and resource counts for all the variants of SPECK. In addition to this, we analyzed quantum differential cryptanalysis on SPECK and implemented it in IBM-Q interface [25]. To the best of our knowledge, this is the first initiative to implement a quantum differential attack on lightweight ciphers. The rest of the article has been organized as follows. A brief description of the cipher SPECK and some quantum gates used later is described in Sect. 2. The quantum circuit for the cipher is illustrated in Sect. 3. Section 5 provides a detailed analysis of the resources required for applying Grover’s key search on SPECK. Implementation of quantum differential cryptanalysis on the cipher is described in Sect. 6. Finally we conclude in Sect. 7. The code for all the test circuits implemented in QISKIT are provided in [27].

2

Preliminaries

In this section, we briefly describe the construction of SPECK and some quantum gates which will be used for designing the quantum reversible circuit for the cipher. 2.1

Brief Summary of SPECK

SPECK is a family of lightweight block ciphers with 10 variants (Table 1). The state update function consists of circular shift, addition modulo 2n , and bit-wise XOR operations. The state update function is defined as, F (x, y) = ((S −α x  y) ⊕ k, S β y ⊕ (S −α x  y) ⊕ k),

(1)

The structure of one round SPECK encryption is depicted in Fig. 1, where S j , S −j represents a left circular shift and right circular shift by j bits respectively,  denotes the addition modulo 2n , Li and Ri are n-bit words which

Evaluation of Quantum Cryptanalysis on SPECK

397

constitute the state of SPECK at the i-th round and ki is the round key which is generated by key scheduling algorithm described below.

Fig. 1. SPECK round function

The different variants of SPECK are denoted by SPECK2n/mn, where 2n denotes the block size of the variant, and mn is the size of the secret key. Here n can take values from 16, 24, 32, 48 or 64, and m from 2, 3 or 4. For each combination of (m, n), the corresponding round number T is adopted. Table 1. SPECK parameters Block Size Key Size (k = mn) (2n)

word size keywords rot rot Rounds (n) (m) α β (T )

32

64

16

4

7

2

22

48

72,96

24

3,4

8

3

22,23

64

96,128

32

3,4

8

3

26,27

96

96, 144

48

2,3

8

3

28,29

2,3,4

8

3

32,33,34

128

128,192,256 64

The round keys of SPECK are generated using the state update function. Let K = (lm−2 , . . . , l0 , k0 ) for m ∈ 2, 3, 4. Then the sequences ki and li are defined as: li+m−1 = (ki  S −α li ) ⊕ i ki+1 = S β ki ⊕ li+m−1 2.2

Quantum Implementation of XOR, Rotation and Addition Modulo 2n

The Add-Rotate-XOR (ARX) ciphers make use of the following operations

(2)

398

R. Anand et al.

– bitwise XOR, ⊕ – left and right circular shifts (rotations), S j and S −j , respectively, by j bits, and – addition modulo 2n , . XOR of two numbers a and b, a ⊕ b, can be implemented by CNOT in quantum circuits i.e. {b = a ⊕ b} = CN OT {a, b}. Rotation of any number can be implemented by using SWAP values across wires which requires 3 CNOT gates. However this can also be done by simply keeping track of the necessary free re-wiring. So, in the estimations, the SWAP gates are disregarded as free which increases the compactness of the circuit. We have manually checked that this does not make the circuit incompatible. For addition, we use the circuit described in [23] as it uses no ancillas. To implement b = a  b where a = a0 a1 . . . an−1 and b = b0 b1 . . . bn−1 are n-bit numbers, the circuit is constructed as described in Algorithm 1. Algorithm 1. Implementing addition modulo n 1: procedure Addition modulo n 2: for i ← 1, n − 1 do 3: CNOT {ai , bi } 4: end for 5: for i ← n − 1, 1 do 6: CNOT {ai , ai+1 } 7: end for 8: for i ← 0, n − 1 do 9: Toffoli {bi , ai , ai+1 } 10: end for 11: for i ← n − 1, 1 do 12: CNOT {ai , bi } 13: Toffoli {bi−1 , ai−1 , ai } 14: end for 15: for i ← 1, n − 2 do 16: CNOT {ai , ai+1 } 17: end for 18: for i ← 0, n − 1 do 19: CNOT {ai , bi } 20: end for 21: end procedure

 Returns b = b  a

Here an stores the carry. To implement addition modulo 2n , we do not need to store the carry, so one CNOT gate and one Toffoli gate associated with an is removed. The numbers of CNOT and Toffoli gates are 5n − 6 and 2n − 2, respectively. The circuit for addition modulo 2n with n = 3 is implemented in IBM-Q (Fig. 2). Here, a = [1, 1, 0], and b = [0, 1, 0]. In Fig. 3, we present some schematic diagrams for different operations which will be exploited later.

Evaluation of Quantum Cryptanalysis on SPECK

(a)

399

(b)

Fig. 2. (a).Circuit for implementing b = a  b. (b). Result obtained after measurement when inputs were a = [1, 1, 0], b = [0, 1, 0] |b

ADD

|a



|b  a

|a

RRα

 −α  S (a)

|a

RLα

|S α (a)

|a

|b

RX β

|a



 β  S (b) ⊕ a |a

Fig. 3. Subroutines which will be exploited later. ADD implements b = b  a, RRα rotates a right α times, RLα rotates a left α times, and RX β rotates b left β times followed by XOR with a, i.e. bi = b(i+β)%n ⊕ a.

3

A Quantum Circuit for SPECK

In this section we develop a reversible quantum circuit for SPECK and analyze our circuits based on the number of qubits, N OT gates, CNOT gates, and Toffoli gates. We first construct a circuit for the key expansion, then the circuit for round update and use them to construct the circuit for full cipher. We also provide the implementation of a SPECK like toy cipher in IBM-Q. 3.1

Circuit for Key Expansion

The key expansion routine is defined in Eq. 2. We can implement an in-place construction of the key expansion. The number of N OT gates will depend on the values of the round constants. Here we show the construction for all the three cases m = 2, 3, and 4. For m = 2 we have two key words k0 , l0 . k0 is used for the first round of encryption. k0 , l0 are states of size n, so we need 2n qubits to store this value and one ancilla to store the carry after every round. The second round key k1 can be computed on the same qubits which stores k0 . k1 can be computed from (k0 , l0 ) as shown in the circuit below (Fig. 4). For m = 3 we have three key words k0 , l0 , l1 each of size n. For m = 4 we have four key words k0 , l0 , l1 , l2 each of size n. The round key for further rounds

400

R. Anand et al. |k0 

RXβ



|l0 

RRα

ADD

rc0

|k1 



RXβ



RRα

ADD

rc1

···

|k2 

···



Fig. 4. Circuit for key expansion with 2 keywords. rci = {0, 1, 2, ..., T − 2} represents the round dependent constants |k0  |l0 

RXβ

• RRα

ADD

rc0

|k1 

RXβ



|k2 



RRα

|l1 

RRα

rc1

ADD

RXβ

• ADD

rc2

|k3 

··· ···



···



Fig. 5. Circuit for key expansion with 3 keywords. rci = {0, 1, 2, ..., T − 2} represents the round dependent constants |k0  |l0  |l1 

RXβ

• RRα

ADD

rc0

RXβ

|k1 

RXβ

|k2 

|k3 

··· ···

• RRα

ADD

rc0

···



|l2 

RRα

ADD

rc0



···

Fig. 6. Circuit for key expansion with 4 keywords. rci = {0, 1, 2, ..., T − 2} represents the round dependent constants

Fig. 7. Key expansion for m = 2.

can be computed as explained above for m = 2 and the details are shown in Figs. 5 and 6. It can easily be calculated that one round of key expansion requires 6n − 6 CNOT gates, 2n − 2 Toffoli gates and i NOT gates (depending on the round number i). Consider the circuit in Fig. 7. This represents a reduced version of the key expansion of SPECK with 2 keywords (refer to Eq. 2) in IBM-Q interface. The value of α and β is assumed to be 1. The measurement of k0 gives the value of the next round key. 3.2

Circuit for Round Update Function

The round function F is defined as, F (x, y) = ((S −α x + y) ⊕ k, S β y ⊕ (S −α x + y) ⊕ k),

(3)

Evaluation of Quantum Cryptanalysis on SPECK |K0  |L0 

KE

|K1 

ADD



|L1 



RXβ

|R1 

• RRα

|R0 

401

Fig. 8. Circuit for one round state update

Fig. 9. Circuit for a round of reduced version of SPECK

The circuit for the state update is shown Fig. 8, where Kj , Lj , Rj represent quantum states of size n for round j. So, we need 2n qubits to store the values of L0 , R0 . Here, KE is the key expansion routine described in 3.1. It can easily be calculated that one round of state requires 7n − 6 CNOT gates, and 2n − 2 Toffoli gates. Now, consider the circuit in Fig. 9. This is the QISKIT implementation of the circuit for one round of a SPECK like toy cipher. The assumed state size is 6. The state is split into L, R each of size 3. The round update is defined as in 1 with the value of α and β assumed to be 1. The circuit here describes one round of the cipher, i.e. if we measure the L and R states, we would get the values of the state after one round. 3.3

Circuit for Full SPECK

We implement a reversible circuit for SPECK, as reversibility is necessary for the cipher to be useful as a subroutine in Grover search. Using the circuits developed for round function and key expansion we can now construct the circuit for full round SPECK. The input to the circuit is the key K and the plaintext which is split into two halves L0 , R0 . The output of the circuit is the ciphertext LT −1 , RT −1 , where T is the number of rounds. The size of K, L, R are mn, n, n respectively, where m is either 2 or 3 or 4. In Fig. 10, we draw the circuit considering m = 2. Similar construction can be made for variants with m = 3 and m = 4. U is the round update function and KE is the key expansion routine described in 3.2 and 3.1 respectively. Figure 11 gives an implementation of the toy cipher with two keywords in IBM-Q. We consider the key size and state size to be 6 and the number of rounds to be 2. The value of α and β is assumed to be 1. Let the plaintext be L0 = [0, 1, 1], R0 = [1, 1, 1] and the key words be

402

R. Anand et al. |k0 



|l0  |L0  |R0 

U

KE

|k1 



|l1  |L2  |R2 



U

KE

|k1 

···

|kT −1 



|l2 

···

|lT −1 

|L3 

···

|LT −1 

|R3 

···

|RT −1 

Fig. 10. The circuit for implementing SPECK with two key words

Fig. 11. Circuit for 2 rounds reduced SPECK with two key words

Fig. 12. Measurement of circuit in Fig. 11

k0 = [1, 1, 0], l0 = [0, 1, 0]. Then after four rounds the ciphertext will be L2 = [1, 0, 1], R2 = [1, 0, 1]. In Fig. 12 the output is [1, 0, 1, 1, 0, 1] and it should be read as [R2 (2), R2 (1), R2 (0), L2 (2), L2 (1), L2 (0)]. This difference in convention is because of the fact that L2 (0) is measured first and so the value is closer to the figure and R2 (2) is measured last and so its value is farthest from the figure. This same convention is followed in all the histogram output obtained in IBM-Q interface. Implementing two rounds of SPECK requires two round updates and one key expansion. So T rounds of SPECK would require T round updates and T − 1 key expansion. T round updates would require T (7n − 6) CNOT gates, T (2n − 2) Toffoli gates. T − 1 key expansion would require (T − 1)(6n − 6) CNOT gates, (T − 1)(2n − 2) Toffoli gates. NOT gates will depend on the number of rounds. We would also require NOT gates to initialize the plaintexts and the keys, but we omit those here as the number depends on the plaintext and would add only

Evaluation of Quantum Cryptanalysis on SPECK

403

a depth of 1 to the full circuit. We also require 2n + mn qubits to represent the plaintext and the key.

4

Grover’s Oracle

In this section, we will discuss the implementation of Grover search on a block cipher under known plain text attack. Let r many pairs of plaintext-ciphertext be sufficient to successfully extract a unique solution. In this regard, we have to design an oracle that encrypts the given r plaintexts under the same key and then computes a Boolean value which determines if all the resulting ciphertexts are equal to the given classical ciphertexts. This can be done by running the block cipher circuit r many times in parallel. Then the resultant ciphertexts are compared with the classical ciphertexts. The target qubit will be flipped if the ciphertexts match. This is called Grover oracle. In Fig. 13, the construction of such an oracle is given for two instances of plaintext-ciphertext pairs considering SPECK block cipher. |K



|M1 

EN C



DEC

|K



|M1 

|C1  |0 |M2 

EN C



DEC

|0 |M2 

|C2  |−

=

|−

Fig. 13. Grover’s oracle using two plaintext-ciphertext pairs. Here, EN C represents the encryption function and DEC the decryption function. The (=) operator compares the output of the EN C with the given ciphertexts and flips the target qubit if they are equal.

We implement the above idea, i.e., the Grover oracle for our toy version of SPECK (Fig. 11) in IBM-Q simulator. The functions Grover oracle and Grover Diffusion used in our code is taken from [16] by importing the file Our Qiskit Functions. In this case, the plaintext M is [0, 1, 1, 1, 1, 1] and the key K is [1, 1, 0, 0, 1, 0]. Then after two rounds the ciphertext C will be [1, 0, 1, 1, 0, 1]. In theory, this key, i.e., K = [1, 1, 0, 0, 1, 0] will be obtained as the output of the Grover oracle. Fig. 14a shows the outcome of the Grover applied to this circuit. Then we implement Grover for another plaintext ciphertext pair where M = [0, 1, 1, 1, 1, 0], and C = [0, 1, 1, 1, 0, 1], under the same key. The output of the oracle is K = [1, 1, 0, 0, 1, 0] as shown in Fig. 14b.

404

R. Anand et al.

(a)

(b)

Fig. 14. Histogram obtained after running Grover’s on the reduced SPECK described in Fig. 11.

5 5.1

Resource Estimation Cost of Implementing SPECK

We estimate the cost of implementing SPECK as a circuit including the key expansion as well as the round function. As discussed above the round constants are implemented to the key expansion function using adequate number of N OT gates. We have not included the number of N OT required to initialize the plaintext in our estimates as it depends on the given plaintext. Table 2 gives the cost estimates of implementing all SPECK variants. Table 2. Cost of implementing SPECK variants SPECK2n/mn

# N OT # CNOT # Toffoli # qubits depth

SPECK32/64

42

4222

1290

96

1694

SPECK48/72

42

6462

1978

120

2574

SPECK48/96

45

6762

2070

144

2691

SPECK64/96

54

10318

3162

160

4082

SPECK64/128

57

10722

3286

192

4239

SPECK96/96

60

16854

5170

192

6636

SPECK96/144

64

17466

5358

240

6873

SPECK128/128 75

25862

7938

256

10144

SPECK128/192 80

26682

8190

320

10461

SPECK128/256 81

27502

8442

384

10778

Evaluation of Quantum Cryptanalysis on SPECK

5.2

405

Cost of Grover Oracle

Following [12] we assume that r = k/(2n) known plaintext-ciphertext pairs are sufficient to give us a unique solution, where 2n is the block size and k = mn is the key size of the cipher. Here, one should mention that if r = k/(2n) is an integer, then consider its next integer. The Grover’s oracle consists of comparing the 2n-bit outputs of the SPECK instances with the given r ciphertexts. This can be done using a (2n·r)-controlled CNOT gates (we neglect some N OT gates which depend on the given ciphertexts). Following [19], we estimate the number of T gates required to implement a t-fold controlled N OT gates as (32 · t − 84). We use the decomposition of Toffoli gates to 7 T -gates plus 8 Clifford gates, a T -depth of 4 and total depth of 8 as in [2]. To estimate the full depth and the T -depth we only consider the depths of the SPECK instances ignoring the multi controlled N OT gate used in comparing the ciphertexts. We also need (2 · (r − 1) · k) CNOT gates to make the input key available to all the SPECK instances in the oracle. The total number of Clifford gates is the sum of the Clifford gates used in the implementation of SPECK and the (2 · (r − 1) · k) CNOT gates needed for input key. The cost estimates for all SPECK variants are presented in Table 3 Table 3. Cost of Grover oracle SPECK SPECK2n/k

r # Clifford gates # T gates T -depth full depth # qubits

SPECK32/64

3 214.85

214.28

213.33

213.52

161

15.45

14.76

13.94

214.16

169

14.01

14.22

SPECK48/72

2 2

15.53

2

14.96

2

SPECK48/96

3 2

2

2

2

241

SPECK64/96

2 216.13

215.55

214.62

214.83

224

SPECK64/128

3 216.18

215.60

214.68

214.89

321

16.83

16.25

15.33

15.53

SPECK96/96

2 2

2

2

2

289

SPECK96/144

2 216.85

216.30

215.38

215.58

337

17.45

16.86

15.95

16.15

SPECK128/128 2 2

2

2

2

385

SPECK128/192 2 217.49

216.90

216

216.19

449

17.52

16.94

SPECK128/256 3 2

5.3

2

16.04

2

16.23

2

641

Cost of Exhaustive Key Search

Using the estimates in Table 3, we provide the cost estimates for the full exhaustive key search on all variants of SPECK in Table 4. We consider  π4 2k/2  iterations of the Grovers operator. As in [20] we do not consider the depth of implementing the two multi-controlled N OT gates while calculating the T -depth and overall depth.

406

R. Anand et al.

Table 4. Cost estimates of Grovers algorithm with  π4 2k/2  oracle iterations for SPECK SPECK2n/k

# Clifford gates # T gates T -depth Full depth # qubits

SPECK32/64

246.85

246.24

245.33

245.52

161

51.45

50.76

2

49.94

2

250.16

169 241

SPECK48/72

2

SPECK48/96

263.53

262.96

262.01

262.22

64.13

63.55

62.62

62.83

SPECK64/96

2

2

2

2

224

SPECK64/128

280.18

279.60

278.68

278.89

321

64.83

64.25

63.33

63.53

SPECK96/96

2

2

2

2

289

SPECK96/144

288.85

288.30

287.38

287.58

337

81.45

80.86

79.95

80.15

SPECK128/128 2

2

2

2

385

SPECK128/192 2113.49

2112.90

2112

2112.19

449

145.72

144.94

SPECK128/256 2

6

2

144.04

2

144.23

2

641

Quantum Differential Attack on SPECK

In this section, we study the quantum resources required to implement the differential attack on SPECK. Analysis of complexities of differential cryptanalysis for quantum adversaries has been studied in [13,18,24]. Here we present circuits for two main types of differential attacks: the differential distinguisher and the the last round attack and then analyze the resource required to implement these on a quantum computer for SPECK. Full implementation of the attacks on SPECK are not possible due to the restrictions in the maximum number of qubits that we can avail in state-ofthe-art quantum processors and simulators. So, we construct the circuits for a reduced cipher and show that the implementation of such attacks are possible. We, then, compute the resources required for mounting the attack on all variants of SPECK. 6.1

Differential Cryptanalysis

Differential attacks exploit the fact that there exists a pair (α , β  ) for a cipher E such that p = − log Pr(E(P ) ⊕ E(P  = P ⊕ α ) = β  ) < N ,

(4)

where N = 2n. The pair (α , β  ) is known as the differential. Differential cryptanalysis is a chosen-plaintext attack. The attacker selects pairs of input (P, P  ), such that P ⊕ P  = α , knowing that their corresponding ciphertexts (C, C  ) will satisfy C ⊕ C  = β  with high probability and then attempt to recover the key faster than the exhaustive search.

Evaluation of Quantum Cryptanalysis on SPECK

6.2

407

Differential Distinguisher

In this attack model, we try to find a pair of plaintexts (P, P  ), P  = P ⊕ α , which satisfy E(P ) ⊕ E(P  ) = β  . If the cipher E is ideally random, obtaining such a pair would require 2N trials. On the other hand if E satisfies Eq. 4, the attacker will collect 2p plaintext pairs such that P ⊕ P  = α , and with very high probability find atleast one pair which satisfies E(P ) ⊕ E(P  ) = β  . In quantum settings, the adversary will apply a Grover’s search over the set of all possible messages of size N . The algorithm will attempt to find a message x such that E(x) ⊕ E(x ⊕ α ) = β  . Since, the fraction of messages which satisfies the given differential is 2−p , so it is sufficient to make 2p/2 Grover iterations to obtain the correct messages. Hence, the time complexity for this attack will be p  π4 2 2 . 6.2.1 Grovers Oracle Here we present the circuit for the Grover oracle to obtain the plaintext pair which satisfies the distinguisher.  N 0  N 0 |−

HN



EN C ⊕α

EN C



• •



DEC DEC

⊕α

= β

HN

|P  |P   |−

Fig. 15. Grover’s oracle to find the distinguisher. Here, EN C represents encryption and DEC decryption. The (= β  ) operator compares the value of P  with β  and flips the target qubit if they are equal.

We implement the Grovers oracle for our toy cipher to obtain the plaintext pairs which satisfies the distinguisher given below α = [1, 0, 0, 1, 1, 1] −−−−−→ β  = [1, 0, 1, 1, 1, 1] 4 rounds

with p ≈ 2. The round update function of the toy cipher is as in 1 and the key expansion schedule is as in 2 with the values of α and β being 1. We constructed a circuit for four rounds cipher and then applied Grovers. The output of Grovers is, [0, 0, 1, 1, 1, 1] shown in Fig. 16. Let the output be P , i.e. P = [0, 0, 1, 1, 1, 1], and let P  = P ⊕ α = [1, 0, 1, 0, 0, 0], then the corresponding ciphertexts after 4 rounds are C = [0, 0, 1, 0, 0, 1] and C  = [1, 0, 0, 1, 1, 0]. We can easily verify that C ⊕ C  = β  = [1, 0, 1, 1, 1, 1].

408

R. Anand et al.

Fig. 16. The plaintext which satisfies the given distinguisher.

6.3

Last Round Attack

In this subsection, we analyze the Last Round Attack on SPECK. For SPECK it is sufficient to recover any continuous m round keys to retrieve the secret key. We will discuss the classical attack followed by the quantum attack. 6.3.1 Classical Adversary p Consider that we have a differential α − → β. r



α = (Δx0 , Δy0 ) → (Δx1 , Δy1 ) → · · · → (Δxr , Δyr ) = β  , r is the number of rounds. Let d be a constant that depends on the signal to noise ratio of the used trail (in [1] d = 16). Then the process to extract the secret key can be divided into the following three phases: 1. Collecting and Filtering Phase: Choose d · 2p plaintext pairs (P, P  ) such that P ⊕ P  = α and request for their corresponding ciphertexts after (r + 1) rounds. Let the ciphertexts be (C, C  ). Let C = (cx , cy ) and C  = (cx , cy ). Then partially decrypt cy and cy one round and check if they form the deserved difference δyr . This reduces the number of ciphertext pairs that actually needs to be checked in the next phase. There also may be other filters which could be applied, for example in case of SPECK32/64, described in [1], cx [0, 1, 2, 3] ⊕ cx [0, 1, 2, 3] = [0, 0, 0, 1]. We store only those ciphertext pairs which pass this filter. Let us assume that there is a e-bit filter applied at this phase, then only d · 2(p−e) pairs are expected to pass this filter. 2. Sub-key Guessing Phase: In this phase we examine the pairs that survived the filtering phase to derive the last round key. This is done by keeping a counter for each of the 2n possible round keys and decrypting the last round with each possible key. If a particular key leads to the expected difference at round r, the counter for that particular key is increased. The sub-keys with the highest counter is stored as a potential candidate. 3. Brute Force: In this phase, the remaining (m − 1) round keys required to retrieve the complete secret key is recovered. For this, we proceed as in phase 2, and partially decrypt the correct pairs round by round to recover the corresponding round keys.

Evaluation of Quantum Cryptanalysis on SPECK

6.3.2 Classical Complexity Phase 1 has a computational complexity of (2d · 2p ) + 2d · 2p ·

1 (r+1)

409

for SPECK

encryptions. Since we assume that d · 2(p−e) pairs to satisfy the filter in Phase 1 1, so the second phase a complexity of d.2(p−e) · 2n · (r+1) . In the last phase we proceed as in the phase 2 so we expect roughly the same computational effort for the (m − 1) remaining round keys. So, in total we obtain (2d · 2p ) + 2d · 2p ·

1 1 + m(d · 2(p−e) · 2n · ) (r + 1) (r + 1)

(5)

SPECK encryptions as the computational complexity. 6.3.3 Quantum Adversary All the above phases can be described as procedures of searching the element which satisfies given conditions. So the quantum attack can be described as a Grover search over all these phases. 1. Apply Grovers over all possible set of pairs of plaintexts (P, P  ), such that P ⊕ P  = α , and search for the pair of plaintext whose corresponding ciphertexts (C, C  ) satisfy some given condition. This step outputs a message, say M . 2. Assuming that the pair (M, M ⊕ α ) is a good pair, apply Grovers again over all 2n sub-keys to obtain the sub-key which decrypts the corresponding ciphertext of (M, M ⊕ α ) to the required difference. 3. Recover the remaining (m − 1) round keys by proceeding as in step 2 and completely retrieving the secret key. 6.3.4 Quantum Complexity In the first step, Grovers algorithm finds M after 2p/2 iterations. Each iteration makes requires encrypting the plaintexts P and P  = P ⊕α and then decrypting 1 ) them partially one round. So, the complexity of first step is π4 (2p/2 + 2p/2 (r+1) n SPECK encryptions. The second step finds the round key after 2 2 iterations, n 1 2 2 SPECK encryptions. The so the computation time of this step is π4 (r+1) computational time required for each round keys in the last phase is expected to be same as the second step. So, in total we obtain c(2p/2 + 2p/2

2n/2 1 ) + mc  (r + 1) (r + 1)

SPECK encryptions as the computational complexity with c =

(6) π 4.

6.3.5 Implementation We now implement the above described quantum attack on our toy cipher with m = 2. We have made the following assumptions

410

R. Anand et al.

– We have a five round differential α = (Δx0 , Δy0 ) = ([1, 0, 0], [1, 1, 1]) → ([0, 0, 0], [1, 1, 1]) = (Δx5 , Δy5 ) = β  with p = 4 – We implement the key recovery on 6 rounds. Let the difference in the ciphertexts after 6 rounds be denoted by (Δx6 , Δy6 ) – The secret key is K = [k0 = [1, 1, 1], k1 = [1, 0, 1]] and so the round keys are 0th sub-key: [1, 1, 1] 3nd sub-key: [0, 1, 1] follows: 1st sub-key: [1, 0, 1] 4th sub-key: [1, 1, 0] 2nd sub-key: [1, 1, 1] 5th sub-key: [0, 1, 1] We will try to retrieve the 4th and 5th sub-keys, i.e in Phase 2, the output should be [0, 1, 1] and the output of Phase 3 should be [1, 1, 0]. – Phase 1: We search for plaintext pairs whose corresponding ciphertexts satisfies the following two properties • Δx6 [2] = [1], i.e. the 2nd -bit (msb) of Δx6 is 1. • one round decryption leads to difference Δy5 [0, 1, 2] = [1, 1, 1] The output of applying Grovers is shown in Fig. 17a. The plaintext obtained is [0, 1, 1, 0, 1, 0]. Since α = [1, 0, 0, 1, 1, 1], so the plaintext pair for second phase is ([0, 1, 1, 0, 1, 0], [1, 1, 1, 1, 0, 1]). The output obtained is only P , because of the limited number of qubits (32) available in IBM-Q simulator. The code can easily be modified to obtain both P and P  simultaneously. – Phase 2: The plaintext pair is ([0, 1, 1, 0, 1, 0], [1, 1, 1, 1, 0, 1]). We run SPECK encryption of 6 rounds to obtain the corresponding pair ([1, 1, 0, 1, 1, 1], [0, 0, 1, 1, 1, 1]). Now we apply Grovers to search for the key which decrypts this pair one round to form the difference (Δx5 , Δy5 ) = ([0, 0, 0], [1, 1, 1]). The output of Grovers search is shown in Fig. 17b. As expected the output is [0, 1, 1]. – Phase 3: We need to recover the 4th round key to completely retrieve the secret key. In this phase the ciphertext pair ([1, 1, 0, 1, 1, 1], [0, 0, 1, 1, 1, 1]) is decrypted one round using the key found in above phase. The decrypted pair is ([0, 1, 0, 1, 0, 0], [0, 1, 0, 0, 1, 1]). Then as above Grover search is applied to search the key for which this new pair leads to the difference (Δx4 , Δy4 ) = ([1, 0, 1], [1, 1, 1]). The output of Grovers search is shown in Fig. 17c. As expected the output is [1, 1, 0].

6.4

Resource Estimates

Phase 1 makes 2p/2 iterations of (r+1) rounds SPECK and one round decryption, i.e. (2p/2 (r+2)) SPECK rounds. This step also has 2n measurements and requires (mn + 2n + 2n + 1) = (4n + mn + 1) qubits and 2n classical bits. Phase 2 partially decrypts one round and makes measurements of the round key, so this step has 2n/2 iterations of one round of SPECK. This step has n measurements and requires (n + 2n + 2n + 1) = (5n + 1) qubits and n classical bits.

Evaluation of Quantum Cryptanalysis on SPECK

(b)

(a)

411

(c)

Fig. 17. Output of (a) Phase 1. (b) Phase 2. (c) Phase 3

Phase 3 is a repetition of Phase 2 for (m−1) times and the resources required can be computed similarly. Hence, constructing the entire circuit, the quantum resource required is as follows. – – – –

qubits - (mn + 4n + 1) + m(5n + 1) = (6mn + 4n + m + 1), classical bits - (2n + mn), measurements - (2n + mn), resources required to implement (2p/2 (r + 2) + 2n/2 m) round updates and 2p/2 (r) key expansions.

The resources required to implement differential attack on all the variants of SPECK is summarized in Table 5. Table 5. Estimate of resources required to implement differential attack on SPECK

7

SPECK2n/k

# Clifford gates

# T gates T -depth Full depth # Measurement # qubits

SPECK32/64

225.995

224.904

224.097

225.244

96

453

SPECK48/72

235.252

234.091

233.284

234.41

120

532

SPECK48/96

235.252

234.091

233.284

234.41

144

677

SPECK64/96

245.179

244.019

243.212

244.322

160

708

SPECK64/128

245.179

244.019

243.212

244.322

192

901

SPECK96/96

258.329

257.169

256.362

257.461

192

771

SPECK96/144

258.329

257.169

256.362

257.461

240

1060

SPECK128/128 272.401

271.242

270.434

271.527

256

1027

SPECK128/192 272.401

271.242

270.434

271.527

320

1412

SPECK128/256 272.401

271.242

270.434

271.527

384

1797

Conclusion

In the present manuscript, we perform quantum cryptanalysis on the lightweight cipher, SPECK. We analyze the exhaustive key search and the differential cryptanalysis in quantum framework exploiting Grover’s algorithm. For both the

412

R. Anand et al.

cases, we estimate the quantum resources required for implementing the attacks. The resource requirements for quantum key search under the model of known plaintext attack provides better result than the existing efforts [11]. To the best of our knowledge, for the first time, we study differential cryptanalysis on SPECK in quantum paradigm. Experiments are performed in IBM-Q environment to support our claims. The codes for all the experiments are provided in [27] for independent verification.

References 1. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of roundreduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/9783-662-46706-0 27 2. Amy, M., Maslov, D., Mosca, M., Roetteler, M.: A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits. IEEE Trans. Comput.-Aided Des. Integr. Circ. Syst. 32(6), 818–830 (2013) 3. Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 317–337. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5 18 4. Anand, R., Maitra, A., Mukhopadhyay, S.: Grover on SIMON. Quantum Inf. Process. 19, 340 (2020). https://doi.org/10.1007/s11128-020-02844-w 5. Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Yu., Schrottenloher, A.: Quantum attacks without superposition queries: the offline simon’s algorithm. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 552–583. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5 20 6. Cuccaro, S.A., Draper, T.G., Kutin, S.A., Moulton, D.P.: A new quantum ripplecarry addition circuit. arXiv preprint quant-ph/0410184 (2004) 7. Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying grover’s algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Cham (2016). https://doi.org/10.1007/9783-319-29360-8 3 8. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219, July 1996 9. Hosoyamada, A., Sasaki, Yu.: Quantum demiric-sel¸cuk meet-in-the-middle attacks: applications to 6-round generic feistel constructions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 386–403. Springer, Cham (2018). https:// doi.org/10.1007/978-3-319-98113-0 21 10. Hosoyamada, A., Sasaki, Yu.: Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 198–218. Springer, Cham (2018). https:// doi.org/10.1007/978-3-319-76953-0 11 11. Jang, K., Choi, S., Kwon, H., Seo, H.: Grover on SPECK: quantum resource estimates. Cryptology ePrint Archive, Report 2020/640. https://eprint.iacr.org/ 2020/640

Evaluation of Quantum Cryptanalysis on SPECK

413

12. Jaques, S., Naehrig, M., Roetteler, M., Virdia, F.: Implementing grover oracles for quantum key search on AES and LowMC. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 280–310. Springer, Cham (2020). https://doi. org/10.1007/978-3-030-45724-2 10 13. Kaplan, M.: Quantum attacks against iterated block ciphers. arXiv preprint arXiv:1410.1434 (2014) 14. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5 8 15. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016, 71–94 (2015) 16. Koch, D., Wessing, L., Alsing, P.M.: Introduction to coding quantum algorithms: a tutorial series using Qiskit. arXiv preprint arXiv:1903.04359 (2019) 17. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: 2012 International Symposium on Information Theory and its Applications, pp. 312–316. IEEE, October 2012 18. Li, H., Yang, L.: Quantum differential cryptanalysis to the block ciphers. In: Niu, W., Li, G., Liu, J., Tan, J., Guo, L., Han, Z., Batten, L. (eds.) ATIS 2015. CCIS, vol. 557, pp. 44–51. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3662-48683-2 5 19. Wiebe, N., Roetteler, M.: Quantum arithmetic and numerical analysis using repeatuntil-success circuits. arXiv preprint arXiv:1406.2040 (2014) 20. Langenberg, B., Pham, H., Steinwandt, R.: Reducing the cost of implementing the advanced encryption standard as a quantum circuit. IEEE Trans. Quantum Eng. 1, 1–12 (2020). Article no. 2500112. https://doi.org/10.1109/TQE.2020.2965697 21. Leander, G., May, A.: Grover meets simon – quantumly attacking the FXconstruction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-31970697-9 6 22. Santoli, T., Schaffner, C.: Using Simon’s algorithm to attack symmetric-key cryptographic primitives. arXiv preprint arXiv:1603.07856 (2016) 23. Takahashi, Y., Tani, S., Kunihiro, N.: Quantum addition circuits and unbounded fan-out. Quantum Inf. Comput. 10(9), 872–890 (2010) 24. Zhou, Q., Lu, S., Zhang, Z., Sun, J.: Quantum differential cryptanalysis. Quantum Inf. Process. 14(6), 2101–2109 (2015). https://doi.org/10.1007/s11128-015-0983-3 25. https://quantum-computing.ibm.com 26. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf 27. https://github.com/raviro/speckquant

Learning with Errors

Making the BKW Algorithm Practical for LWE Alessandro Budroni2(B) , Qian Guo1,2 , Thomas Johansson1 , Erik Mårtensson1 , and Paul Stankovski Wagner1 1

2

Department of Electrical and Information Technology, Lund University, Lund, Sweden {qian.guo,thomas.johansson,erik.martensson, paul.stankovski_wagner}@eit.lth.se Selmer Center, Department of Informatics, University of Bergen, Bergen, Norway [email protected]

Abstract. The Learning with Errors (LWE) problem is one of the main mathematical foundations of post-quantum cryptography. One of the main groups of algorithms for solving LWE is the Blum-Kalai-Wasserman (BKW) algorithm. This paper presents new improvements for BKW-style algorithms for solving LWE instances. We target minimum concrete complexity and we introduce a new reduction step where we partially reduce the last position in an iteration and finish the reduction in the next iteration, allowing non-integer step sizes. We also introduce a new procedure in the secret recovery by mapping the problem to binary problems and applying the Fast Walsh Hadamard Transform. The complexity of the resulting algorithm compares favourably to all other previous approaches, including lattice sieving. We additionally show the steps of implementing the approach for large LWE problem instances. The core idea here is to overcome RAM limitations by using large file-based memory. Keywords: BKW · LWE · Lattice-based cryptography Post-quantum cryptography

1

· FWHT ·

Introduction

Since a large-scale quantum computer easily breaks both the problem of integer factoring and the discrete logarithm problem [34], public-key cryptography needs to be based on other underlying mathematical problems. In post-quantum cryptography - the research area studying such replacements - lattice-based problems are the most promising candidates. In the NIST post-quantum standardization competition, 5 out of 7 finalists and 2 out of 8 alternates are lattice-based [1]. The Learning with Errors problem (LWE) introduced by Regev in [33], is the main problem in lattice-based cryptography. It has a theoretically very interesting average-case to worst-case reduction to standard lattice-based problems. It has many cryptographic applications, including but not limited to, design of c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 417–439, 2020. https://doi.org/10.1007/978-3-030-65277-7_19

418

A. Budroni et al.

Fully Homomorphic Encryption Schemes (FHE). An interesting special case of LWE is the Learning Parity with Noise problem (LPN), introduced in [12], which has interesting applications in light-weight cryptography. Considerable cryptanalytic effort has been spent on algorithms for solving LWE. These can be divided into three categories: lattice-reduction, algebraic methods and combinatorial methods. The algebraic methods were introduced by Arora and Ge in [9] and further considered in [3]. For very small noise these methods perform very well, but otherwise the approach is inefficient. The methods based on lattice-reduction are currently the most efficient ones in practise. One way of comparing the different approaches is through the Darmstadt LWE Challenges [2], where the lattice-based approach called General Sieve Kernel (G6K) is the currently most successful algorithm in breaking challenges [5]. The combinatorial algorithms are all based on the Blum-Kalai-Wasserman (BKW) algorithm and algorithms in this direction will be the focus of this paper. For surveys on the concrete and asymptotic complexity of solving LWE, see [7] and [22,24], respectively. In essence, BKW-style algorithms have a better asymptotic performance than lattice-based approaches for parameter choices with large noise. Unlike lattice-based approaches, BKW-style algorithms pay a penalty when the number of samples is limited (like in the Darmstadt challenges). 1.1

Related Work

The BKW algorithm was originally developed as the first subexponential algorithm for solving the LPN problem [13]. In [27] the algorithm was improved, introducing new concepts like LF2 and the use of the fast Walsh-Hadamard transform (FWHT) for the distinguishing phase. A new distinguisher using subspace hypothesis testing was introduced in [19,20]. The BKW algorithm was first applied to the LWE problem in [4]. This idea was improved in [6], where the idea of Lazy Modulus Switching (LMS) was introduced. The idea was improved in [23,26], where [23] introduced so called codedBKW steps. The idea of combining coded-BKW or LMS with techniques from lattice sieving [11] lead to the next improvement [21]. This combined approach was slightly improved in [22,30]. The distinguishing part of the BKW algorithm for solving LWE was improved by using the Fast Fourier Transform (FFT) in [16]. One drawback of BKW is its high memory-usage. To remedy this, timememory trade-offs for the BKW algorithm were recently studied in [15,17,18]. 1.2

Contributions

In this paper we introduce a new BKW-style algorithm including the following. – A generalized reduction step that we refer to as smooth-LMS, allowing us to use non-integer step sizes. These steps allow us to use the same time, space and sample complexity in each reduction step of the algorithm, which improves performance compared to previous work.

Making the BKW Algorithm Practical for LWE

419

– A binary-oriented method for the guessing phase, transforming the LWE problem into an LPN problem. While the previous FFT method guesses a few positions of the secret vector and finds the correct one, this approach instead finds the least significant bits of a large amount of positions using the FWHT. This method allows us to correctly distinguish the secret with a larger noise level, generally leading to an improved performance compared to the FFT based method. In addition, the FWHT is much faster in implementation. – Concrete complexity calculations for the proposed algorithm showing the lowest known complexity for some parameter choices selected as in the Darmstadt LWE Challenge instances, but with unrestricted number of samples. – An implementation approach for the algorithm that allows larger instances to be solved. The implementation is file-based and stores huge tables on disk and not in RAM only. The file read/write is minimized by implementing the algorithm in a clever way. Simulation results on solving larger instances are presented and verifies the previous theoretical arguments. 1.3

Organization

We organize the rest of the paper as follows. We introduce some necessary background in Sect. 2. In Sect. 3 we cover previous work on applying the BKW algorithm to the LWE problem. Then in Sect. 4 we introduce our new Smooth-LMS reduction method. Next, in Sect. 5 we go over our new binary-oriented guessing procedure. Section 6 and 7 cover the complexity analysis and implementation of our algorithm, respectively. Section 8 describes our experimental results using the implementation. Finally, the paper is concluded in Sect. 9.

2 2.1

Background Notation

Throughout the paper we use the following notations. – We write log(·) for the base 2 logarithm. – In the n-dimensional Euclidean space Rn , by the norm of a vector x = (x1 , x2 , . . . , xn ) we consider its L2 -norm, defined as  x = x21 + · · · + x2n . The Euclidean distance between vectors x and y in Rn is defined as x − y. q−1 – Elements in Zq are represented by the set of integers in [− q−1 2 , 2 ]. – For an [N, k] linear code, N denotes the code length and k denotes the dimension.

420

2.2

A. Budroni et al.

The LWE and LPN Problems

The LWE problem [33] is defined as follows. Definition 1. Let n be a positive integer, q a prime, and let X be an error distribution selected as the discrete Gaussian distribution on Zq with variance σ 2 . Fix s to be a secret vector in Znq , chosen from some distribution (usually the uniform distribution). Denote by Ls,X the probability distribution on Znq × Zq obtained by choosing a ∈ Znq uniformly at random, choosing an error e ∈ Zq from X and returning (a, z) = (a, a, s + e) in Znq × Zq . The (search) LWE problem is to find the secret vector s given a fixed number of samples from Ls,X . The definition above gives the search LWE problem, as the problem description asks for the recovery of the secret vector s. Another version is the decision LWE problem, in which case the problem is to distinguish between samples drawn from Ls,X and a uniform distribution on Znq × Zq . Let us also define the LPN problem, which is a binary special case of LWE. Definition 2. Let k be a positive integer, let x be a secret binary vector of length k and let X ∼ Berη be a Bernoulli distributed error with parameter η > 0. Let Lx,X denote the probability distribution on Fk2 × F2 obtained by choosing g uniformly at random, choosing e ∈ F2 from X and returning (g, z) = (g, g, x + e) The (search) LPN problem is to find the secret vector s given a fixed number of samples from Lx,X . Just like for LWE, we can also, analogously, define decision LPN. Previously, analysis of algorithms solving the LWE problem have used two different approaches. One being calculating the number of operations needed to solve a certain instance for a particular algorithm, and then comparing the different complexity results. The other being asymptotic analysis. Solvers for the LWE problem with suitable parameters are expected to have fully exponential complexity, bounded by 2cn as n tends to infinity, where the value of c depends on the algorithms and the parameters of the involved distributions. In this paper, we focus on the complexity computed as the number of arithmetic operations in Zq , for solving particular LWE instances (and we do not consider the asymptotics). 2.3

Discrete Gaussian Distributions

We define the discrete Gaussian distribution over Z with mean 0 and variance σ 2 , denoted DZ,σ as the probability distribution obtained by assigning a probability proportional to exp(−x2 /(2σ 2 )) to each x ∈ Z. Then, the discrete Gaussian distribution X over Zq with variance σ 2 (also denoted Xσ ) can be defined by

Making the BKW Algorithm Practical for LWE

421

folding DZ,σ and accumulating the value of the probability mass function over all integers in each residue class modulo q. It makes sense to consider the noise level as α, where σ = αq. We also define the rounded Gaussian distribution on Zq . This distribution samples values by sampling values from the continuous Gaussian distribution with mean 0 and variance σ 2 , rounding to the closest integer and then folding the result to the corresponding value in Zq . We denote it by Ψ¯σ,q . If two independent X1 and X2 are drawn from Xσ1 and Xσ2 respectively, we make the heuristic assumption that their sum is drawn from X√σ2 +σ2 . We make 1 2 the corresponding assumption for the rounded Gaussian distribution.

3 3.1

A Review of BKW-Style Algorithms The LWE Problem Reformulated

Assume that m samples (a1 , z1 ), (a2 , z2 ), . . . , (am , zm ), are collected from the LWE distribution Ls,X , where ai ∈ Znq , zi ∈ Zq . Let z = (z1 , z2 , . . . , zm ) and y = (y1 , y2 , . . . , ym ) = sA. We have z = sA + e,   $ where A = aT1 aT2 · · · aTm , zi = yi + ei = s, ai  + ei and ei ← X . The search LWE problem is a decoding problem, where A serves as the generator matrix for a linear code over Zq and z is a received word. Finding the secret vector s is equivalent to finding the codeword y = sA for which the Euclidean distance ||y − z|| is minimal. In the sequel, we adopt the notation ai = (ai1 , ai2 , . . . , ain ). 3.2

Transforming the Secret Distribution

A transformation [8,25] can be applied to ensure that the secret vector follows the same distribution X as the noise. It is done as follows. We write A in systematic form via Gaussian elimination. Assume that the first n columns are linearly independent and form the matrix A0 . Define D = A0 −1 and write ˆs = sD−1 − ˆ = (z1 , z2 , . . . , zn ). Hence, we can derive an equivalent problem described by A ˆ = DA. We compute ˆTn+2 , · · · , a ˆTm ), where A ˆTn+1 , a (I, a ˆ = (0, zˆn+1 , zˆn+2 , . . . , zˆm ). ˆ = z − (z1 , z2 , . . . , zn )A z Using this transformation, each entry in the secret vector s is now distributed according to X . The fact that entries in s are small is a very useful property in several of the known reduction algorithms for solving LWE. The noise distribution X is usually chosen as the discrete Gaussian distribution or the rounded Gaussian Distribution from Sect. 2.3.

422

3.3

A. Budroni et al.

Sample Amplification

In some versions of the LWE problem, such as the Darmstadt Challenges [2], the number of available samples is limited. To get more samples, sample amplification can be used. For example, assume that we have M samples (a1 , b1 ), (a2 , b2 ), ..., (aM , bM ). Then we can form new samples, using an index set I of size k, as ⎛ ⎞   ⎝ (1) ±aj , ±bj ⎠ . j∈I

j∈I

Given an initial number of samples M we can produce up to 2k−1 M k samples. √ This comes at a cost of increasing the noise level (standard deviation) to k · σ. This also increases the sample dependency. 3.4

Iterating and Guessing

BKW-style algorithms work by combining samples in many steps in such a way that we reach a system of equations over Zq of the form z = sA + E, where E = (E1 , E2 , . . . , Em ) and the entries Ei , i = 1, 2, . . . , m are sums of not too 2t many original noise vectors, say Ei = j=1 eij , and where t is the number of iterations. The process also reduces the norm of column vectors in A to be small. , i = 1, 2, . . . , t denote the number of reduced positions in step i and let Let ni i Ni = j=1 nj . If n = Nt , then every reduced equation is of form zi = ai , s + Ei ,

(2)

for i = 1, 2, . . . , m. The right hand side can be approximated as a sample drawn from a discrete Gaussian and if the standard deviation is not too large, then the sequence of samples z1 , z2 , . . . can be distinguished from a uniform distribution. We will then need to determine the number of required samples to distinguish between the uniform distribution on Zq and Xσ . Relying on standard theory from statistics, using either previous work [28] or Bleichenbacher’s definition of bias [32], we can find that the required number of samples is roughly  2π

C ·e

σ

2 √ 2π q

,

(3)

where C is a small positive constant. Initially, an optimal but exhaustive distinguisher was used [10]. While minimizing the sample complexity, it was slow and limited the number of positions that could be guessed. This basic approach was improved in [16], using the FFT. This was in turn a generalization of the corresponding distinguisher for LPN, which used the FWHT [27]. 3.5

Plain BKW

The basic BKW algorithm was originally developed for solving LPN in [13]. It was first applied to LWE in [4]. The reduction part of this approach means that

Making the BKW Algorithm Practical for LWE

423

we reduce a fixed number b of positions in the column vectors of A to zero in each step. In each iteration, the dimension of A is decreased by b and after t iterations the dimension has decreased by bt. 3.6

Coded-BKW and LMS

LMS was introduced in [6] and improved in [26]. Coded-BKW was introduced in [23]. Both methods reduce positions in the columns of A to a small magnitude, but not to zero, allowing reduction of more positions per step. In LMS this is achieved by mapping samples to the same category if the ni considered positions give the same result when integer divided by a suitable parameter p. In codedBKW this is instead achieved by mapping samples to the same category if they are close to the same codeword in an [ni , ki ] linear code, for a suitable value ki . Samples mapped to the same category give rise to new samples by subtracting them. The main idea [23,26] is that positions in later iterations do not need to be reduced as much as the first ones, giving different ni values in different steps. 3.7

LF1, LF2, Unnatural Selection

Each step of the reduction part of the BKW algorithm consists of two parts. First samples are mapped to categories depending on their position values on the currently relevant ni positions. Next, pairs of samples within the categories are added/subtracted to reduce the current ni positions to form a new generation of samples. This can be done in a couple of different ways. Originally this was done using what is called LF1. Here we pick a representative from each category and form new samples by adding/subtracting samples to/from this sample. This approach makes the final samples independent, but also gradually decreases the sample size. In [27] the approach called LF2 was introduced. Here we add/subtract every possible pair within each category to form new samples. This approach requires only 3 samples within each category to form a new generation of the same size. The final samples are no longer independent, but experiments have shown that this effect is negligible. In [6] unnatural selection was introduced.The idea is to produce more samples than needed from each category, but only keep the best samples, typically the ones with minimum norm on the current Ni positions in the columns of A. 3.8

Coded-BKW with Sieving

When using coded-BKW or LMS, the previously reduced N √i−1 positions of the columns of A increase in magnitude with an average factor 2 in each reduction step. This problem was addressed in [21] by using unnatural selection to only produce samples that kept the magnitude of the previous Ni−1 positions small. Instead of testing all possible pairs of samples within the categories, this procedure was sped-up using lattice sieving techniques of [11]. This approach was slightly improved in [22,30].

424

4

A. Budroni et al.

BKW-Style Reduction Using Smooth-LMS

In this section we introduce a new reduction algorithm solving the problem of having the same complexity and memory usage in each iteration of a BKW-style reduction. The novel idea is to use simple LMS to reduce a certain number of positions and then partially reduce one extra position. This allows for balancing the complexity among the steps and hence to reduce more positions in total. 4.1

A New BKW-Style Step

Assume having a large set of samples written as before in the form z = sA + e mod q. Assume also that the entries of the secret vector s are drawn from some restricted distribution with small standard deviation (compared to the alphabet size q). If this is not the case, the transformation from Sect. 3.2 should be applied. Moreover, in case the later distinguishing process involves some positions to be guessed or transformed, we assume that this has been already considered and all positions in our coming description should be reduced. The goal of this BKW-type procedure is to make the norms of the column vectors of A small by adding and subtracting equations together in a number of steps. Having expressions of the form zi = sai + Ei mod q, if we can reach a case where ||ai || is not too large, then sai +Ei can be considered as a random variable drawn from a discrete Gaussian distribution Xσ . Furthermore, Xσ mod q can be distinguished from a uniform distribution over Zq if σ is not too large. Now let us describe the new reduction procedure. Fix the number of reduction steps to be t. We will also fix a maximum list size to be 2v , meaning that A can have at most 2v columns. In each iteration i, we are going to reduce some positions to be upper limited in magnitude by Ci , for i = 1, ..., t. Namely, these positions that are fully treated in iteration i will only have values in the set {−Ci + 1, . . . , 0, 1, . . . , Ci − 1} of size 2Ci − 1. We do this by dividing up the q possible values into intervals of length Ci . We also adopt the notation βi = q/Ci , which describes the number of intervals we divide up the positions into. We assume that βi > 2. First Step. In the first iteration, assume that we have stored A. We first compute the required compression starting in iteration 1 by computing C1 (we will explain how later). We then evaluate how many positions n1 that can be fully reduced by computing n1 = v/ log β1 . The position n1 + 1 can be partially reduced to be in an interval of size C1 fulfilling β1 · β1n1 · 3/2 ≤ 2v , where β1 = q/C1 . Now we do an LMS step that "transfers between iterations" in the following way. We run through all the columns of A. For column i, we simply denote it as x = (x1 , x2 , . . . , xn ) and we compute:

xj div C1 , x1 ≥ 0 kj = , for j = 1, . . . , n1 , −xj div C1 , x1 < 0

xn1 +1 div C1 , x1 ≥ 0 kn1 +1 = .  −xn1 +1 div C1 , x1 < 0

Making the BKW Algorithm Practical for LWE

425

The vector Ki = (k1 , k2 , . . . , kn1 +1 ) is now an index to a sorted list L, storing these vectors1 . Except for the inverting of values if x1 < 0, samples should have the same index if and only if all position values are the same when integer divided by C1 (C1 for the last position). So we assign L(Ki ) = L(Ki ) ∪ {i}. After we have inserted all columns into the list L, we go to the combining part. We build a new matrix A in the following way. Run through all indices K and if |L(K)| ≥ 2 combine every pair of vectors in L(K) by subtracting/adding2 them to form a new column in the new matrix A. Stop when the number of new columns has reached 2v . For each column in A we have that: – the absolute value of each position j ∈ {1, . . . , n1 } is < C1 , – the absolute value of position n1 + 1 is < C1 . Next Steps. We now describe all the next iterations, numbered as l = 2, 3, . . . , t. l−1 Iteration l will involve positions from Nl−1 + 1 = i=1 ni + 1 to Nl + 1. The very first position has possibly already been partially reduced and its absolute value   , so the interval for possible values is of size 2Cl−1 − 1. Assume that is < Cl−1 the desired interval size in iteration l is Cl . In order to achieve the corresponding  − 1)/Cl subintervals. reduction factor βl , we split this interval in βl = (2Cl−1 We then compute how many positions nl that can be fully reduced by computing nl = (v − log βl )/ log βl . The position Nl + 1 can finally be partially reduced to be in an interval of size Cl fulfilling βl · βlnl −1 βl · 3/2 ≤ 2v , where βl = q/Cl . Similar to iteration 1, we run through all the columns of A. For each column i in the matrix A denoted as x we do the following. For each vector position in {Nl−1 + 1, . . . , Nl + 1} , we compute (here div means integer division)

xNl−1 +j div Cl , xNl−1 +1 ≥ 0 kj = , for j = 1, . . . , nl , −xNl−1 +j div Cl , xNl−1 +1 < 0

knl

xNl +1 div Cl , xNl−1 +1 ≥ 0 = . −xNl +1 div Cl , xNl−1 +1 < 0

(4)

The vector K = (k1 , k2 , . . . , knl+1 ) is again an index to a sorted list L, keeping track of columns3 . So again we assign L(K) = L(K)∪{i}. After we have inserted all column indices into the list L, we go to the combining part. As in the first step, we build a new A as follows. Run through all indices K and if |L(K)| ≥ 2 combine every pair of vectors by adding/subtracting them to 1

2 3

The point of inverting all position values if x1 < 0 is to make sure that samples that get reduced when added should be given the same index. For example (x1 , x2 , . . . , xn1 +1 ) and (−x1 , −x2 , . . . , −xn1 +1 ) are mapped to the same category. Depending on what reduces the sample the most. Also here the point of inverting all position values if xNl−1 +1 < 0 is to make sure that samples that get reduced when added should be given the same index. For example (xNl−1 +1 , xNl−1 +2 , . . . , xNl +1 ) and (−xNl−1 +1 , −xNl−1 +2 , . . . , −xNl +1 ) are mapped to the same category.

426

A. Budroni et al.

form a column in the new matrix A. Stop when the number of new columns has reached 2v . For the last iteration, since Nt is the last row of A, one applies the same step as above but without reducing the extra position. After t iterations, one gets equations on the form (2), where the ai vectors in A have reduced norm. 4.2

Smooth-Plain BKW

The procedure described above also applies to plain BKW steps. For example, if in the first iteration one sets C1 = 1 and C1 > 1, then each column vector x of A will be reduced such that x1 = . . . = xn1 = 0 and xn1 +1 ∈ {−C1 +1, . . . , C1 −1}. Thus, one can either continue with another smooth-Plain BKW step by setting also C2 = 1 in the second iteration, or switch to smooth-LMS. In both cases, we have the advantage of having xn1 already partially reduced. Using these smoothPlain steps we can reduce a couple of extra positions in the plain pre-processing steps of the BKW algorithm. 4.3

How to Choose the Interval Sizes Ci

To achieve as small norm of the vectors as possible, we would like the variance of all positions to be equally large, after completing all iterations. Assume that a position x takes values uniformly in the set {−(C −1)/2, . . . , 0, 1, . . . , (C −1)/2}, for C > 0. Then, we have that in Var[x] = (C−1)(C+1)/12. Assuming C is somewhat large, we approximately get Var[x] = C 2 /12. When subtracting/adding two such values, the variance increases to 2Var[x] √ in each iteration. Therefore, a reduced position will have an expected growth of 2. For this reason, we choose a relation for the interval sizes of the form Ci = 2−(t−i)/2 Ct ,

i = 1, . . . , t − 1.

This makes the variance of each position roughly the same, after completing all iterations. √ In√particular, our vectors ||ai || in A are expected to have norm at most nCt / 12, and Ct is determined according to the final noise allowed in the guessing phase. Ignoring the pre-processing step with smooth-Plain tBKW steps, the maximum dimension n that can be reduced is then n = Nt = i=1 ni . Example 1. Let q = 1601 and α = 0.005, so σ = αq ≈ 8. Let us compute how many positions that can be reduced using 2v = 228 list entries. The idea is that the variance of the right hand side in (2) should be minimized by making the variance of the two terms roughly equal. The error part Ei is the sum of 2t initial errors, so its variance is Var[Ei ] = 2t σ 2 . In order to be able to distinguish the samples according to (3), we set Var[Ei ] < q 2 /2. This will give us the number of iterations possible as 2t σ 2 ≈ q 2 /2 or 2t ≈ 16012 /(2 · 82 ) leading to t = 14. Now we bound the variance of the scalar product part of (2) also to be < q 2 /2, so 2 2 2 nσ 2 Ct2 /12 ≈ q 2 /2 leading to Ct2 ≈ 12q 2 /(2nσ 2 ) and √ Ct ≈ 12 · 1601 /(2n · 8 ) or Ct ≈ 80 if n < 38. Then one chooses Ct−1 = Ct / 2 = 57 and so on.

Making the BKW Algorithm Practical for LWE

4.4

427

Unnatural Selection

We can improve performance by using the unnatural selection discussed in Sect. 3.7. Let us make some basic observations. Combining nl positions using interval size C gives as previously described a value in the set {−(C − 1)/2, . . . , 0, 1, . . . (C − 1)/2}, and results in Var[x] = (C − 1)(C + 1)/12. Combining two vectors from the same category, a position value y = x1 +x2 , where x1 , x2 are as above, results in a value in the interval {−(C − 1), . . . , 0, 1, . . . (C − 1)} with variance Var[y] = (C − 1)(C + 1)/6. Now observe that for the resulting reduced positions, smaller values are much more probable than larger ones.

5

A Binary Partial Guessing Approach

In this section we propose a new way of reducing the guessing step to a binary version. This way, we are able to efficiently use the FWHT to guess many entries in a small number of operations. In Sect. 6 we do the theoretical analysis and show that this indeed leads to a more efficient procedure than all previous ones. 5.1

From LWE to LPN

First, we need to introduce a slight modification to the original system of equations before the reduction part. Assume that we have turned the distribution of s to be the noise distribution, through the standard transformation described in Sect. 3.2. The result after this is written as before z = sA + e.

(5)

Now we perform a multiplication by 2 to each equation, resulting in z = sA + 2e, since when multiplied with a known value, we can compute the result modulo q. Next, we apply the reduction steps and make the values in A as small as possible by performing BKW-like steps. In our case we apply the smooth-LMS step from the previous section, but any other reduction  method like coded-BKW  with sieving would be possible. If A = aT1 aT2 · · · aTm the output of this step is a matrix where the Euclidean norm of each ai is small. The result is written as (6) z = sA + 2E, 2t where E = (E1 , E2 , . . . , Em ) and Ei = j=1 eij as before. Finally, we transform the entire system to the binary case by considering z0 = s0 A0 + e mod 2,

(7)

where z0 is the vector of least significant bits in z , s0 the vector of least significant bits in s, A0 = (A mod 2) and e denotes the binary error introduced.

428

A. Budroni et al.

We can now examine the error ej in position j of e. In (6) we have equations of the form zj = i si aij + 2Ej in Zq , which can be written on integer form as  si aij + 2Ej + kj · q. (8) zj =

i

Now if | i si aij +2Ej | < q/2 then kj = 0. In this case (8) can be reduced mod 2 without error and ej = 0. In general, the error is computed as ej = kj mod 2. So one can compute a distribution for ej = kj mod 2 by computing P (kj = x). It is possible to compute such distribution either making a general approximation or precisely for each specific position j using the known values aj and zj . Note that the distribution of ej depends on zj . Also note that if aj is reduced to a small norm and the number of steps t is not too large, then it is quite likely that | i si aij + 2Ej | < q/2 leading to P (ej = 0) being large. For the binary system, we finally need to find the secret value s0 . Either 1. there are no errors (or almost no errors), corresponding to P (ej = 0) ≈ 1. Then one can solve for s0 directly using Gaussian elimination (or possibly some information set decoding algorithm in the case of a few possible errors). 2. or the noise is larger. The binary system of equations corresponds to the situation of a fast correlation attack [31], or secret recovery in an LPN problem [13]. Thus, one may apply an FWHT to recover the binary secret values. 5.2

Guessing s0 Using the FWHT

The approach of using the FWHT to find the most likely s0 in the binary system in (7) comes directly from previous literature on Fast Correlation Attacks [14]. Let k denote an n-bit vector (k0 , k1 , . . . , kn−1 ) (also considered as an integer) and consider a sequence Xk , k = 0, 1, . . . , N − 1, N = 2n . It can for example be a sequence of occurrence values in the time domain, e.g. Xk = the number of occurrences of X = k. The Walsh-Hadamard Transform is defined as ˆw = X

N −1 

Xk · (−1)w·k ,

k=0

where w · k denotes the bitwise dot product of the binary representation of the n-bit indices w and k. There exists an efficient method (FWHT) to compute the  WHT in time O(N log N ). Given the matrix A0 , we define Xk = j∈J (−1)zj , where J is the set of all columns of the matrix A0 that equal k. Then, one ˆ w |, and we have that s0 corresponds to w ˆ w¯ | = ¯ such that |X computes maxw |X ˆ w |. In addition, X ˆ w is simply the (biased) sum of the noise terms. maxw |X ˆ w actually depends on the value of Soft Received Information. The bias of X  zj . So a slightly better approach is to use “soft received information” by defining zj Xk = · zj , where zj is the bias corresponding to zj . For each j∈J (−1)

Making the BKW Algorithm Practical for LWE

429

Algorithm 1. BKW-FWHT with smooth reduction (main framework) Input: Matrix A with n rows and m columns, received vector z of length m and algorithm parameters t1 , t2 , t3 , nlimit , σset Step 0: Use Gaussian elimination to change the distribution of the secret vector; Step 1: Use t1 smooth-plain BKW steps to remove the bottom npbkw entries; Step 2: Use t2 smooth-LMS steps to reduce ncod1 more entries; Step 3: Perform the multiplying-2 operations; Step 4: Use t3 smooth-LMS steps to reduce the remaining nt ≤ nlimit entries; Step 5: Transform all the samples to the binary field and recover the partial secret key by the FWHT. We can exhaustively guess some positions.

x ∈ {−(q −1)/2, ..., (q −1)/2}, the bias x can be efficiently pre-computed so that its evaluation does not affect the overall complexity of the guessing procedure. Hybrid Guessing. One can use hybrid approach to balance the overall complexity among reduction and guessing phases. Indeed, it is possible to leave some rows of the matrix A unreduced and apply an exhaustive search over the corresponding positions in combination with the previously described guessing step. 5.3

Retrieving the Original Secret

Once s0 is correctly guessed, it is possible to obtain a new LWE problem instance ˆ = 2A and with the secret half as big as follows. Write s = 2s + s0 . Define A ˆ z = z − s0 A. Then we have that ˆ + e. ˆ z = s A

(9)

The entries of s have a bit-size half as large as the entries of s, therefore (9) is an easier problem than (5). One can apply the procedure described above to (9) and guess the new binary secret s1 , i.e. the least significant bits of s . The cost of doing this will be significantly smaller as shorter secret translates to computationally easier reduction steps. Thus, computationally speaking, the LWE problem can be considered solved once we manage to guess the least significant bits of s. Given the list of binary vectors s0 , s1 , s2 , ..., it is easy to retrieve the original secret s.

6

Analysis of the Algorithm and Its Complexity

In this section, we describe in detail the newly-proposed algorithm called BKWFWHT with smooth reduction (BKW-FWHT-SR).

430

A. Budroni et al.

6.1

The Algorithm

The main steps of the new BKW-FWHT-SR algorithm are described in Algorithm 1. We start by changing the distribution of the secret vector with the secret-noise transformation [8], if necessary. The general framework is similar to the coded-BKW with sieving procedure proposed in [21]. In our implementation, we instantiated coded-BKW with sieving steps with smooth-LMS steps discussed before for the ease of implementation. The different part of the new algorithm is that after certain reduction steps, we perform a multiplication by 2 to each reduced sample as described in Sect. 5. We then continue reducing the remain positions and perform the mod 2 operations to transform the entire system to the binary case. Now we obtain a list of LPN samples and solve the corresponding LPN instance via known techniques such as FWHT or partial guessing. One high level description is that we aim to input an LWE instance to the LWE-to-LPN transform developed in Sect. 5, and solve the instance by using a solver for LPN. To optimize the performance, we first perform some reduction steps to have a new LWE instance with reduced dimension but larger noise. We then feed the obtained instance to the LWE-to-LPN transform. 6.2

The Complexity of Each Step

From now on we assume that the secret is already distributed as the noise distribution or that the secret-noise transform is performed. We use the LF2 heuristics and assume the the sample size is unchanged before and after each reduction step. We now start with smooth-plain BKW steps and let lred be the number of positions already reduced. Smooth-Plain BKW Steps. Given m initial samples, we could on average 4 have 2m 3 categories for one plain BKW step in the LF2 setting. Instead we b0 could assume for 2 categories, and thus the number of samples m is 1.5 · 2b0 . Let CpBKW be the cost of all smooth-plain BKW steps, whose initial value is set to be 0. If a step starts with never being reduced before, we can reduce   a position b lp positions, where lp = log (q) . Otherwise, when the first position is partially 2

reduced in the previous step and we need β  categories to further   reduce this 2 (β ) . position, we can in total fully reduce lp positions, where lp = 1 + b−log log2 (q) For this smooth-plain BKW step, we compute Cpbkw += ((n + 1 − lred ) · m + Cd,pbkw ),

where Cd,pbkw = m is the cost of modulus switching for the last partially reduced position in this step. We then update the number of the reduced positions, lred += lp . 4

The number of categories is doubled compared with the LF2 setting for LPN. The difference is that we could add and subtract samples for LWE.

Making the BKW Algorithm Practical for LWE

431

After iterating for t1 times, we could compute Cpbkw and lred . We will continue updating lred and denote npbkw the length reduced by the smooth-plain BKW steps. Smooth-LMS Steps Before the Multiplication of 2. We assume that the final noise contribution from each position reduced by LMS is similar, bounded by a preset value σset . Since the noise variable generated in the i-th (0 ≤ i ≤ t2 − 1) Smooth-LMS step will be added by 2t2 +t3 −i times and also be multiplied 2t2 +t3 −i ×4C 2

i,LM S1 2 = , where Ci,LM S1 is the length of by 2, we compute σset 12 the interval after the LMS reduction in this step. We use βi,LM S1 categories q . Similar to smooth-plain BKW for one position, where βi,LM S1 =  Ci,LM S1 steps, if this step starts with an new position, we can reduce lp positions, where b

. Otherwise, when the first position is partially reduced in the lp = log (βi,LM S1 ) 2  previous step and we need βp,i,LM S1 categories to further reduce this position,

b−log (β 

)

p,i,LM S1 we can in total fully reduce lp positions, where lp = 1 + log 2(βi,LM

. Let S1 ) 2 CLM S1 be the cost of Smooth-LMS steps before the multiplication of 2, which is innitialized to 0. For this step, we compute

CLM S1 += (n + 1 − lred ) · m, and then update the number of the reduced positions, lred += lp . After iterating t2 times, we compute CLM S1 and lred . We expect lred = n−nt (nt ≤ nlimit ) positions have been fully reduced and will continue updating lred . Smooth-LMS Steps After the Multiplication of 2. The formulas are similar to those for Smooth-LMS steps before the multiplication of 2. The difference 2t3 −i C 2

i,LM S2 2 = , is that the noise term is no longer multiplied by 2, so we have σset 12 for 0 ≤ i ≤ t3 − 1. Also, we need to track the a vector of length nt for the later distinguisher. The cost is

CLM S2 = t3 · (nt + 1) · m. We also need to count the cost for multiplying samples by 2 and the mod2 operations, and the LMS decoding cost, which are CmulM od = 2 · (nt + 1) · m, Cdec = (n − npbkw + t2 + t3 ) · m. FWHT Distinguisher and Partial Guessing. After the LWE-to-LPN transformation, we have an LPN problem with dimension nt and m instance. We perform partial guessing on nguess positions, and use FWHT to recover the remaining nF W HT = nt − nguess positions. The cost is, Cdistin = 2nguess · ((nguess + 1) · m + nF W HT · 2nF W HT ).

432

6.3

A. Budroni et al.

The Data Complexity

We now discuss the data complexity of the new FWHT distinguisher. In the integer form, we have the following equation, zj =

n t −1

si aij + 2Ej + kj · q.

i=0

If | si aij + 2Ej | < q/2 then kj = 0. Then the equation can be reduced mod 2 without error. In general, the error is ej = kj mod 2. We employ a smart FWHT distinguisher with soft received information, as described in Sect. 5. From [29], we know the sample complexity can be approxi4 ln nt . mated as m ≈ Ez=t[D(e z=t ||Ub )] Table 1. The comparison between D(Xσf ,2q ||U2q ) and Ez=t [D(ez=t ||Ub )] σf

q

D(Xσf ,2q ||U2q ) Ez=t [D(ez=t ||Ub )]

0.5q 0.6q 0.7q 0.8q

1601 1601 1601 1601

−2.974149 −4.577082 −6.442575 −8.582783

−2.974995 −4.577116 −6.442576 −8.582783

For different value of zj , the distribution of ej is different. The maximum bias is achieved when zj = 0. In this sense, we could compute the divergence as  Ez=t [D(ez=t ||Ub )] = Pr[z = t] D(ez=t ||Ub ) t∈Zq

=

 t∈Zq

1  Pr[z = t] ( Pr[ez=t = i] log(2 · Pr[ez=t = i])) i=0

where ez is the Bernoulli variable conditioned on the value of z and Ub the uniform distribution over the binary field. Following the previous research [4], we approximate the noise si aij + 2Ej as discrete Gaussian with standard deviation σf . If σf is large, the probability Pr[z = t] is very close to 1/q. Then, the expectation Ez=t,t∈Zq [D(ez=t ||Ub )] can be approximated as 1 

Pr[z = t] Pr[ez=t = i] log(2q · Pr[ez=t = i, z = t]),

t∈Zq i=0

i.e., the divergence between a discrete Gaussian with the same standard deviation and a uniform distribution over 2q, D(Xσf ,2q ||U2q ). We numerically computed

Making the BKW Algorithm Practical for LWE

433

that the approximation is rather accurate when the noise is sufficiently large (see Table 1). In conclusion, we use the formula m≈

4 ln nt , D(Xσf ,2q ||U2q )

to estimate the data complexity of the new distinguisher. It remains to control the overall variance σf2 . Since we assume that the noise contribution from each reduced position by LMS is the same and the multiplication of 2 will double the 2 (n − npbkw ). standard deviation, we can derive σf2 = 4 ∗ 2t1 +t2 +t3 σ 2 + σ 2 σset Note: The final noise is a combination of three parts, the noise from the LWE problem, the LMS steps before the multiplication by 2, and the LMS steps after the multiplication by 2. The final partial key recovery problem is equivalent to distinguishing a discrete Gaussian from uniform with the alphabet size doubled. We see that with the multiplication by 2, the variances of the first and the second noise parts are increased by a factor of 4, but the last noise part does not expand. This intuitively explains the gain of the new binary distinguisher. 6.4

In Summary

We have the following theorem to estimate the complexity of the attack. Theorem 1. The time complexity of the new algorithm is C = Cpbkw + CLM S1 + CLM S2 + Cdec + Cdistin + CmulM od , under the condition that m≥

4 ln nt , D(Xσf ,2q ||U2q )

2 where σf2 = 4 ∗ 2t1 +t2 +t3 σ 2 + σ 2 σset (n − npbkw ).

6.5

Numerical Estimation

We numerically estimate the complexity of the new algorithm BKW-FWHTSR (shown in Table 2). It improves the known approaches when the noise rate (represented by α) becomes larger. We should note that compared with the previous BKW-type algorithms, the implementation is much easier though the complexity gain might be mild.

7

A New BKW Algorithm Implementation for Large LWE Problem Instances

We have a new implementation of the BKW algorithm that is able to handle very large LWE problem instances. The code is written in C, and much care has been taken to be able to handle instances with a large number of samples.

434

A. Budroni et al.

Table 2. Estimated time complexity comparison (in log2 (·)) for solving LWE instances in the TU Darmstadt LWE challenge [2]. Here unlimited number of samples are assumed. The last columns show the complexity estimation from the LWE estimator [7]."ENU" represents the enumeration cost model is employed and "Sieve" represents the sieving cost model is used. Bold-faced numbers are the smallest among the estimations with these different approaches. n

q

α

BKWLWE estimator [7] FWHT-SR Coded- usvp dec dual BKW ENU Sieve ENU Sieve ENU Sieve

40

1601

0.005 0.010 0.015 0.020 0.025 0.030

34.4 39.3 42.4 46.2 48.3 50.0

42.6 43.7 52.6 52.6 52.7 52.7

31.4 34.0 42.5 ∞ ∞ ∞

41.5 44.8 54.2 ∞ ∞ ∞

34.7 36.3 43.1 51.9 59.2 67.1

44.6 44.9 50.6 58.2 66.1 68.9

39.1 51.1 61.5 73.1 84.7 96.3

47.5 57.9 64.4 75.9 85.4 92.5

45

2027

0.005 0.010 0.015 0.020 0.025 0.030

37.7 43.5 48.3 51.2 54.1 56.3

55.2 55.2 55.2 55.2 55.3 64.1

31.8 39.5 50.4 ∞ ∞ ∞

41.9 51.2 61.3 ∞ ∞ ∞

35.0 41.2 51.2 61.1 71.0 80.2

44.8 48.2 58.3 65.0 71.4 78.7

41.5 57.0 74.3 86.8 100.7 116.2

51.6 64.6 74.9 86.1 95.0 104.1

50

2503

0.005 0.010 0.015 0.020 0.025 0.030

41.8 48.7 52.5 56.4 59.3 63.3

46.4 56.0 56.8 61.9 66.1 66.3

32.4 46.0 ∞ ∞ ∞ ∞

42.6 57.5 ∞ ∞ ∞ ∞

35.5 47.6 60.8 72.1 83.5 94.2

45.1 54.1 63.6 72.1 80.8 89.1

46.7 66.8 84.9 101.9 120.0 134.0

58.0 65.4 83.5 96.5 105.7 115.6

70

4903

0.005 58.3 0.010 67.1 0.015 73.3

62.3 73.7 75.6

52.3 54.2 ∞ ∞ ∞ ∞

110.5 124.0 136.8

133.0 93.2 135.5 111.4 181.9 133.2 ∞ ∞ 195.0 150.4 266.2 165.7 ∞ ∞ 246.4 183.2 334.0 209.8

120 14401 0.005 100.1 0.010 115.1 0.015 127.0

55.2 63.3 80.4 77.1 102.5 93.2

76.2 75.9 111.3 98.9 146.0 118.0

A key success factor in the software design was to avoid unnecessary reliance on RAM, so we have employed file-based storage where necessary and practically possible. The implementation includes most known BKW reduction step, FFT and FWHT-based guessing methods, and hybrid guessing approaches. For our experiments, presented in Sect. 8, we assembled a machine with an ASUS PRIME X399-A motherboard, a 4.0 GHz Ryzen Threadripper 1950X processor and 128GiB of 2666 MHz DDR4 RAM. While the machine was built

Making the BKW Algorithm Practical for LWE

435

from standard parts with a limited budget, we have primarily attempted to maximize the amount of RAM and the size and read/write speeds of the fast SSDs for overall ability to solve large LWE problem instances. We will make the implementation available as an open source repository. We describe below how we dealt with some interesting performance issues. File-Based Sample Storage. The implementation does not assume that all samples can be stored in RAM, so instead they are stored on file in a special way. Samples are stored sorted into their respective categories. For simplicity, we have opted for a fixed maximum number of samples per category. The categories are stored sequentially on file, each containing its respective samples (possibly leaving some space if the categories are not full). A category mapping, unique for each reduction type, defines what category index a given sample belongs to5 . Optional Sample Amplification. We support optional sample amplification. That is, if a problem instance has a limited number of initial samples (e.g.., the Darmstadt LWE challenge), then it is possible to combine several of these to produce new samples (more, but with higher noise). While this is very straightforward in theory, we have noticed considerable performance effects when this recombination is performed naïvely. For example, combining triplets of initial samples using a nested loop is problematic in practice for some instances, since some initial samples become over-represented – Some samples are used more often than others when implemented this way. We have solved this by using a Linear Feedback Shift Register to efficiently and pseudo-randomly distribute the selection of initial samples more evenly. Employing Meta-Categories. For some LWE problem instances, using a very high number of categories with few samples in each is a good option. This can be problematic to handle in an implementation, but we have used meta-categories to handle this situation. For example, using plain BKW reduction steps with modulus q and three positions, we end up with q 3 different categories. With q large, an option is to use only two out of the three position values in a vector to first map it into one out of q 2 different meta-categories. When processing the (meta-)categories, one then needs an additional pre-processing in form of a sorting step in order to divide the samples into their respective (non-meta) categories (based on all three position values), before proceeding as per usual. We have used this implementation trick to, for example, implement plain BKW reduction for three positions. One may think of the process as bruteforcing one out of three positions in the reduction step.

5

In this section a category is defined slightly differently from the rest of the paper. A category together with its adjacent category are together what we simply refer to as a category in the rest of the paper.

436

A. Budroni et al.

Secret Guessing with FFT and FWHT. The same brute-forcing techniques are also useful for speeding up the guessing part of the solver. We have used this to improve the FFT and FWHT solvers in the corresponding way. For the FWHT case, if the number of positions to guess is too large for the RAM to handle, we leave some of them to brute-force. This case differs from the above by the fact that binary positions are brute-forced (so more positions can be handled) and that the corresponding entries in the samples must be reduced.

8

Experimental Results

In this section we report the experimental results obtained in solving some LWE problems. Our main goal was to confirm our theory and to prove that BKW algorithms can be used in practice to solve relatively large instances. Therefore, there is still room to run a more optimized code (for example, we did not use any parallelization in our experiments) and to make more optimal parameter choices (we generally used more samples than required and no brute-force guessing techniques were used). We considered two different scenarios. In the first case, we assumed for each LWE instance to have access to an arbitrary large number of samples. Here we create the desired amount of samples ourselves6 . In the second case, we considered instances with a limited number of samples. An LWE problem is “solved” when the binary secret is correctly guessed, for the reasons explained in Sect. 5.3. Unlimited Number of Samples. We targeted the parameter choices of the TU Darmstadt challenges [2]. For each instance, we generated as many initial samples as needed according to our estimations. In Table 3 we report the details of the largest solved instances. Moreover, in Example 2 we present our parameter choices for one of these. Table 3. Experimental results on target parameters. n

q

α

Number of samples Running time

40 1601 0.005 45 million 40 1601 0.01 1.6 billion 45 2027 0.005 1.1 billion

12 min 12 h 13 h

Example 2. Let us consider an LWE instance with n = 40, q = 1601 and σ = 0.005 · q. To successfully guess the secret, we first performed 8 smooth-plain BKW steps reducing 18 positions to zero. We used the following parameters. ni = 2, Ci =     (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 ) 6

1, for i = 1, . . . , 8, = (165, 30, 6, 1, 165, 30, 6, 1).

we used rounded Gaussian noise for simplicity of implementation.

Making the BKW Algorithm Practical for LWE

437

Note that C4 = C8 = 1. In this way, we exploited the smoothness to zero 9 positions every 4 steps. For this reason, we start steps 5 and 9 by skipping one position. Finally, we did 5 smooth-LMS steps using the following parameters: (n9 , n10 , n11 , n12 , n13 ) = (3, 4, 4, 5, 6) (C9 , C10 , C11 , C12 , C13 ) = (17, 24, 34, 46, 66)    (C9 , C10 , C11 , C12 ) = (46, 66, 23, 81). These parameters are chosen in√such a way that the number of categories within each step is ≈13M and Ci ≈ 2Ci−1 . We used ≈40M samples in each step so that each category contained 3 samples in average. This way we are guaranteed to have enough samples in each step. Limited Number of Samples. As a proof-of-concept, we solved the original TU Darmstadt LWE challenge instance [2] with parameters n = 40, α = 0.005 and the number of samples limited to m = 1600. We did this by sample amplifying with triples of samples, taking 7 steps of smooth-plain BKW on 17 entries, 5 steps of smooth-LMS on 22 entries and 1 position was left to brute-force. The overall running time was of 3 h and 39 min.

9

Conclusions and Future Work

We introduced a novel and easy approach to implement the BKW reduction step which allows balancing the complexity among the iterations, and an FWHTbased guessing procedure able to correctly guess the secret with relatively large noise level. Together with a file-based approach of storing samples, the above define a new BKW algorithm specifically designed to solve practical LWE instances. We leave optimization of the implementation, including parallelization, for future work. Acknowledgements. This work was supported in part by the Swedish Research Council (Grants No. 2015–04528 and 2019–04166), the Norwegian Research Council (Grant No. 247742/070), and the Swedish Foundation for Strategic Research (Grant No. RIT17-0005 and strategic mobility grant No. SM17-0062). This work was also partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation.

References 1. NIST Post-Quantum Cryptography Standardization. https://csrc.nist.gov/ Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization. Accessed 24 Sep 2018 2. TU Darmstadt Learning with Errors Challenge. https://www.latticechallenge.org/ lwe_challenge/challenge.php. Accessed 01 May 2020

438

A. Budroni et al.

3. Albrecht, M., Cid, C., Faugere, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the arora-Ge algorithm against LWE (2012) 4. Albrecht, M.R., Cid, C., Faugère, J.-C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 74(2), 325–354 (2013). https://doi.org/10.1007/s10623-013-9864-x 5. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25 6. Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014). https://doi.org/10.1007/9783-642-54631-0_25 7. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Crypt. 9(3), 169–203 (2015) 8. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35 9. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34 10. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_31 11. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 10–24. ACM-SIAM, Arlington, VA, USA, 10–12 January 2016 12. Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_24 13. Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: 32nd Annual ACM Symposium on Theory of Computing, pp. 435–440. ACM Press, Portland, OR, USA, 21–23 May 2000 14. Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_14 15. Delaplace, C., Esser, A., May, A.: Improved low-memory subset sum and LPN algorithms via multiple collisions. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 178–199. Springer, Cham (2019). https://doi.org/10.1007/978-3-03035199-1_9 16. Duc, A., Tramèr, F., Vaudenay, S.: Better algorithms for LWE and LWR. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 173– 202. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_8 17. Esser, A., Heuer, F., Kübler, R., May, A., Sohler, C.: Dissection-BKW. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 638– 666. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_22 18. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https:// doi.org/10.1007/978-3-319-63715-0_17

Making the BKW Algorithm Practical for LWE

439

19. Guo, Q., Johansson, T., Löndahl, C.: Solving LPN using covering codes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 1–20. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_1 20. Guo, Q., Johansson, T., Löndahl, C.: Solving LPN using covering codes. J. Cryptol. 33(1), 1–33 (2020) 21. Guo, Q., Johansson, T., Mårtensson, E., Stankovski, P.: Coded-BKW with sieving. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 323–346. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_12 22. Guo, Q., Johansson, T., Mårtensson, E., Stankovski Wagner, P.: On the asymptotics of solving the LWE problem using coded-BKW with sieving. IEEE Trans. Inf. Theory 65(8), 5243–5259 (2019) 23. Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_2 24. Herold, G., Kirshanova, E., May, A.: On the asymptotic complexity of solving LWE. Des. Codes Crypt. 86(1), 55–83 (2017). https://doi.org/10.1007/s10623-016-0326-0 25. Kirchner, P.: Improved generalized birthday attack. Cryptology ePrint Archive, Report 2011/377 (2011). http://eprint.iacr.org/2011/377 26. Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). https://doi.org/10. 1007/978-3-662-47989-6_3 27. Levieil, É., Fouque, P.-A.: An improved LPN algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_24 28. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE–based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21 29. Lu, Y., Meier, W., Vaudenay, S.: The conditional correlation attack: a practical attack on Bluetooth encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 97–117. Springer, Heidelberg (2005). https://doi.org/10.1007/ 11535218_7 30. Mårtensson, E.: The asymptotic complexity of coded-BKW with sieving using increasing reduction factors. In: 2019 IEEE International Symposium on Information Theory (ISIT), pp. 2579–2583 (2019) 31. Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1988). https://doi.org/10.1007/BF02252874 32. Mulder, E.D., Hutter, M., Marson, M.E., Pearson, P.: Using bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version. J. Cryptographic Eng. 4(1), 33–45 (2014) 33. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press, Baltimore, MA, USA, 22–24 May 2005 34. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society Press, Santa Fe, New Mexico, 20–22 November 1994

On a Dual/Hybrid Approach to Small Secret LWE A Dual/Enumeration Technique for Learning with Errors and Application to Security Estimates of FHE Schemes Thomas Espitau1 , Antoine Joux2,3 , and Natalia Kharchenko4(B) 1

2

3

NTT Corporation, Tokyo, Japan [email protected] Institut de Math´ematiques de Jussieu–Paris Rive Gauche, CNRS, INRIA, Univ Paris Diderot, Paris, France CISPA Helmholtz Center for Information Security, Saarbr¨ ucken, Germany 4 Sorbonne Universit´e, LIP 6, CNRS UMR 7606, Paris, France [email protected] Abstract. In this paper, we investigate the security of the Learning With Error (LWE) problem with small secrets by refining and improving the so-called dual lattice attack. More precisely, we use the dual attack on a projected sublattice, which allows generating instances of the LWE problem with a slightly bigger noise that correspond to a fraction of the secret key. Then, we search for the fraction of the secret key by computing the corresponding noise for each candidate using the newly constructed LWE samples. As secrets are small, we can perform the search step very efficiently by exploiting the recursive structure of the search space. This approach offers a trade-off between the cost of lattice reduction and the complexity of the search part which allows to speed up the attack. Besides, we aim at providing a sound and non-asymptotic analysis of the techniques to enable its use for practical selection of security parameters. As an application, we revisit the security estimates of some fully homomorphic encryption schemes, including the Fast Fully Homomorphic Encryption scheme over the Torus (TFHE) which is one of the fastest homomorphic encryption schemes based on the (Ring-)LWE problem. We provide an estimate of the complexity of our method for various parameters under three different cost models for lattice reduction and show that the security level of the TFHE scheme should be re-evaluated according to the proposed improvement (for at least 7 bits for the most recent update of the parameters that are used in the implementation).

1

Introduction

The Learning With Errors (LWE) problem was introduced by Regev [Reg05] 2005. A key advantage of LWE is that it is provably as hard as certain lattice approximation problems in the worst-case [BLP+13], which are believed to be hard even on a quantum computer. The LWE problem has been a rich source of cryptographic constructions. As a first construction, Regev proposed c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 440–462, 2020. https://doi.org/10.1007/978-3-030-65277-7_20

On a Dual/Hybrid Approach to Small Secret LWE

441

an encryption scheme, but the flexibility of this security assumption proved to be extremely appealing to construct feature-rich cryptography [GPV08,BV11]. Among these constructions, Fully homomorphic encryption (FHE) is a very interesting primitive, as it allows performing arbitrary operations on encrypted data without decrypting it. A first FHE scheme relying on the so-called ideal lattices was proposed in a breakthrough work of Gentry [G+09]. After several tweaks and improvements through the years, the nowadays popular approaches to FHE rely on the LWE problem or its variants (e.g. [FV12,GSW13,BGV14, CS15,DM15]). Informally, when given several samples of the form (a, a, s+e mod q) where s is secret, a ∈ Zqn is uniform and e is some noise vector, the LWE problem is to recover s. In its original formulation, the secret vector is sampled uniformly at random from Znq , but more recent LWE-based constructions choose to use distribution with small entropy for the secret key to increase efficiency. For example, some FHE schemes use binary [DM15,CGGI16], ternary [CLP17], or even ternary sparse secrets [HS15]. Theoretical results are supporting these choices, which show that the LWE remains hard even with small secrets [BLP+13]. In practice, however, such distributions can lead to more efficient attacks [BG14,SC19, CHHS19]. The security of a cryptosystem, of course, depends on the complexity of the most efficient known attack against it. In particular, to estimate the security of an LWE-based construction, it is important to know which attack is the best for the parameters used in the construction. It can be a difficult issue; indeed, the survey of existing attacks against LWE given in [APS15] shows that no known attack would be the best for all sets of LWE parameters. In this article, we are interested in evaluating the practical security of the LWE problem with such small secrets. As an application, we consider the bitsecurity of several very competitive FHE proposals, such as the Fast Fully Homomorphic Encryption scheme over the Torus [CGGI16,CGGI17,CGGI20], FHEW [DM15], SEAL [LP16], and HElib [HS15]. The security of these constructions relies on the hardness of variants of the LWE problem which can all be encompassed in a scale-invariant version named Torus-LWE. This “learning a character” problem, captures both the celebrated LWE and Ring-LWE problems. In the case of TFHE, in [CGGI17], the authors adapted and used the dual distinguishing lattice attack from [Alb17] to evaluate the security of their scheme. Recently, in [CGGI20, Remark 9], the authors propose an updated set of the parameters for their scheme and estimate the security of the new parameters using the LWE estimator from [ACD+18]. It turns out that this approach falls into the caveat we described above: the estimator relies on attacks that are not fine-tailored to capture the peculiar choice of distributions. According to the LWE estimator, the best attack against the current TFHE parameters is the unique-SVP attack [BG14].

442

1.1

T. Espitau et al.

Contributions and Overview of the Techniques

We present our work in the generic context of the so-called scale-invariant LWE problem or Torus-LWE, which appears to give a more flexible mathematical framework to perform the analysis of the attacks. We aim at extending the usecase of the dual lattice attack which is currently one of the two main techniques used to tackle the LWE problem. Given Torus-LWE samples collected in matrix  ts + e = b mod 1, the vanilla dual attack consists in finding a vector v form A  t = 0 mod 1, yielding the equation v te = v tb mod 1. Since v te such that v t A should be small, we can then distinguish it from a random vector in the torus. A Refined Analysis of the Dual Attack. First, we introduce a complete nonasymptotic analysis of the standard dual lattice attack1 on LWE. In particular, we prove non-asymptotic bounds on the number of samples and the corresponding bit-complexity of the method, allowing precise instantiations for parameter selection2 . To do so, we introduce an unbiased estimator of the Levy transform for real random variables that allows us to sharpen the analysis of the attack. The intuition behind these techniques is the following. The crux of the dual attack is distinguishing the Gaussian distribution modulo 1 from the uniform distribution. Since we are working modulo 1, a natural approach is to tackle the problem by harmonic analysis techniques. Moving to the Fourier space is done by the so-called Levy transform (which is essentially given by x → e2iπx ). In this space, the Levy transform of the Gaussian distribution mod 1 and the full Gaussian distribution coincides, so we somehow get rid of the action of the modulo. Then we use Berry-Esseen inequality to derive sharper bounds. We hope these techniques may find other interests for the community. A Hybrid Enumeration/Dual Attack. In the second step, we show that applying the dual attack to a projected sublattice and combining it with the search for a fraction of the key can yield a more efficient attack. It can be considered as a dimension reduction technique, trading the enumeration time with the dimension of the lattice attack. More precisely, we obtain a tradeoff between the quality of lattice reduction in the dual attack part and the time subsequently spent in the exhaustive search. Additionally, for the lattice reduction algorithms using sieving as an SVP-oracle, we demonstrate that the pool of short vectors obtained by the sieving process can be used to amortize the cost of the reduction part. We also discuss possible improvements based on so-called “combinatorial” techniques, where we perform a random guess of the zero positions of the secret if it is sparse enough. In a word, our attack starts by applying lattice reduction to a projected sublattice in the same way as it is applied to the whole lattice in the dual attack. This way, we generate LWE instances with bigger noise but in smaller dimension, 1

2

We point out that this attack is slightly more subtle than the vanilla dual technique, as it encompasses a continuous relaxation of the lazy modulus switching technique of [Alb17]. Up to our knowledge previous analyses rely on instantiation of asymptotic inequalities and overlook the practical applicability.

On a Dual/Hybrid Approach to Small Secret LWE

443

corresponding to a fraction of the secret key. Then, the freshly obtained instances are used to recover the remaining fraction of the secret key. For each candidate for this missing fraction, we compute the noise vector corresponding to the LWE instances obtained at the previous step. This allows us to perform a majority voting procedure to detect the most likely candidates. For small secrets, this step boils down to computing a product of a matrix of the LWE samples with the matrix composed of all the possible parts of the secret key that we are searching for. We show that this computation can be performed efficiently thanks to the recursive structure of the corresponding search space. Applications. In the last part, we estimate the complexity of our attack under three different models of lattice reduction and compare the complexity of our attack with the standard dual attack and with the primal unique-SVP attack for a wide range of LWE parameters in the case of small non-sparse secrets. Concerning the comparison with the primal unique-SVP attack, both attacks give quite close results. Our attack is better than uSVP when the dimension and the noise parameter are big, the uSVP attack is better when the dimension is big and the noise parameter is small (see [?]). We also provide experiments in small dimensions, supporting the whole analysis. To evaluate the practicality of our approach, we apply our attack to the security analysis of competitive FHE schemes, namely TFHE [CGGI20], FHEW [DM15], SEAL [LP16], and HElib [HS15]. We show that our hybrid dual attack gives improvement compared to the unique-SVP or dual technique of [ACD+18] for the latest TFHE’s, FHEW’s and SEAL’s parameters. In case of sparse secrets in the HElib scheme, our attack doesn’t provide improvements over the dual attack from [Alb17], but gives comparable results. The results of our comparison for the TFHE scheme are presented in Table 1. Table 1. Security estimates of the parameters of TFHE from [CGGI20, Table 3, Table 4] and from the public implementation [G+16]. n denotes the dimension, α is the parameter of the modular Gaussian distribution. The bold numbers denote the overall security of the scheme for a given set of parameters. The “uSVP” column corresponds to the estimates obtained using the LWE Estimator [ACD+18] for the primal uSVP attack. For the lattice reduction algorithm, in all the cases, the sieving BKZ cost model is used.

Old param.

New param.

Parameters (n, α)

Dual [ACD+18, Alb17]

This work uSVP [ACD+18]

Switching key n = 500, α = 2.43 · 10−5

113

94

101

Bootstrapping key n = 1024, α = 3.73 · 10−9

125

112

116

Switching key n = 612, α = 2−15

140

118

123

Bootstrapping key n = 1024, α = 2−26

134

120

124

144

121

127

140

125

129

Implem. param. Switching key n = 630, α = 2−15 Bootstrapping key n = 1024, α = 2−25

444

1.2

T. Espitau et al.

Related Work

The survey [APS15] outlines three strategies for attacks against LWE: exhaustive search, BKW algorithm [BKW03,ACF+15], and lattice reduction. Lattice attacks against LWE can be separated into three categories depending on the lattice used: distinguishing dual attacks [Alb17], decoding (primal) attacks [LP11,LN13], and solving LWE by reducing it to the unique Shortest Vector Problem (uSVP) [AFG13]. The idea of a hybrid lattice reduction attack was introduced by Howgrave– Graham in [HG07]. He proposed to combine a meet-in-the-middle attack with lattice reduction to attack NTRUEncrypt. Then, Buchmann et al. adapted Howgrave–Graham’s attack to the settings of LWE with binary error [BGPW16] and showed that the hybrid attack outperforms existing algorithms for some sets of parameters. This attack uses the decoding (primal) strategy for the lattice reduction part. Following these two works, Wunderer has provided an improved analysis of the hybrid decoding lattice attack and meet-in-the-middle attack and re-estimated security of several LWE and NTRU based cryptosystems in [Wun16]. Also, very recently, a similar combination of primal lattice attack and meet-in-the-middle attack was applied to LWE with ternary and sparse secret [SC19]. This last reference shows that the hybrid attack can also outperform other attacks in the case of ternary and sparse secrets for parameters typical for FHE schemes. A combination of the dual lattice attack with guessing for a part of the secret key was considered in [Alb17, Section 5], in the context of sparse secret keys. Also, recently, a similar approach was adapted to the case of ternary and sparse keys in [CHHS19]. Both of these articles can be seen as dimension reduction techniques as they both rely on a guess of the part of the secret to perform the attack in smaller dimension. They gain in this trade-off by exploiting the sparsity of the secret: guessing the position of zero bits will trade positively with the dimension reduction as soon as the secret is sparse enough. However, the main difference of this work compared to [CHHS19,Alb17] is that the secret is not required to be sparse, and thus can be considered to be slightly more general. We positively trade-off with the dimension gain by exploiting the recursive structure of the small secret space. However, all these techniques are not incompatible! In Sect. 4.4, we propose a combination of the guessing technique with our approach, allowing us to leverage at the same time the sparsity and the structure of small secrets. Overall we can consider this work as providing a proper dual analog of enumeration-hybrid technique existing for primal attacks. Outline. This paper is organized as follows. In Sect. 2, we provide the necessary background on lattice reduction and probability. In Sect. 3, we revisit the dual lattice attack and provide a novel and sharper analysis of this method. In Sect. 4,

On a Dual/Hybrid Approach to Small Secret LWE

445

we describe our hybrid dual lattice attack and discuss its extension to sparse secrets. In Sect. 5, we compare the complexities of different attacks, revisit the security estimate of TFHE, and several other FHE schemes and provide some experimental evidence supporting our analysis.

2

Background

We use column notation for vectors and denote them using bold lower-case letters (e.g. x). Matrices are denoted using bold upper-case letters (e.g. A). For a vector x, xt denotes the transpose of x, i.e., the corresponding row-vector. Base2 logarithm is denoted as log, natural logarithm is denoted as ln. We denote the set of real numbers modulo 1 as the torus T. For a finite set S, we denote by |S| its cardinality and by U(S) the discrete uniform distribution on its elements. For any compact set S ⊂ Rn , the uniform distribution over S is also denoted by U(S). When S is not specified, U denotes uniform distribution over (−0.5; 0.5). 2.1

The LWE Problem

Abstractly, all operations of the TFHE scheme are defined on the real torus T and to estimate the security of the scheme it is convenient to consider a scaleinvariant version of LWE problem. [Learning with Errors, [BLP+13, Definition 2.11]] Let n  1, s ∈ Zn , ξ be a distribution over R and S be a distribution over Zn . We define the LWEs,ξ distribution as the distribution over Tn × T obtained by sampling a from U(Tn ), sampling e from ξ and returning (a, at s + e). Given access to outputs from this distribution, we can consider the two following problems: • Decision-LWE . Distinguish, given arbitrarily many samples, between U(Tn × T) and LWEs,ξ distribution for a fixed s sampled from S. • Search-LWE . Given arbitrarily many samples from LWEs,ξ distribution with fixed s ← S, recover the vector s. To complete the description of the LWE problem we need to choose the error distribution ξ and the distribution of the secret key S. Given a finite set of integers B, we define S to be U(B n ) and ξ to be a centered continuous Gaussian distribution, i.e., we consider the LWE problem with binary secret. This definition captures the binary and ternary variants of LWE by choosing B to be respectively {0, 1} and {−1, 0, 1}. In [BLP+13], it is shown that this variation of LWE with small secrets remains hard. Finally, we use the notation LWEs,σ as a shorthand for LWEs,ξ , when ξ is the Gaussian distribution centered at 0 and with standard deviation σ.

446

2.2

T. Espitau et al.

Lattices

A lattice Λ is a discrete subgroup of Rd . As such, a lattice Λ of rank n can be described as a set of all integer linear combinations of n  d linearly independent vectors B = {b1 , . . . , bd } ⊂ Rd : Λ = L(B) := Zb1 ⊕ · · · ⊕ Zbd , called a basis. Bases are not unique, one lattice basis may be transformed into another one by applying an arbitrary unimodular transformation. The volume of the lattice vol(Λ) is equal to the square root of the determinant of the Gram  matrix Bt B: vol(Λ) = det(Bt B). For every lattice Λ we denote the length of its shortest non-zero vector as λ1 (Λ). Minkowski’s theorem states that λ1 (Λ)  √ γn · vol(Λ)1/n for any d-dimensional lattice Λ, where γd < d is d-dimensional Hermite’s constant. The problem of finding the shortest non-zero lattice vector is called the Shortest Vector Problem(SVP). It is known to be NP-hard under randomized reduction [Ajt98]. 2.3

Lattice Reduction

A lattice reduction algorithm is an algorithm which, given as input some basis of the lattice, finds a basis that consists of relatively short and relatively pairwiseorthogonal vectors. The quality of the basis produced by lattice reduction algo b1 , where b1 is rithms is often measured by the Hermite factor δ = det(Λ)1/d  n/4 can the first vector of the output basis. Hermite factors bigger than 43 be reached in polynomial time using the LLL algorithm [LLL82]. In order to obtain smaller Hermite factors, blockwise lattice reduction algorithms, like BKZ2.0 [CN11] or S-DBKZ [MW16], can be used. The BKZ algorithm takes as input a basis of dimension d and proceeds by solving SVP on lattices of dimension β < d using sieving [BDGL16] or enumeration [GNR10]. The quality of the output of BKZ depends on the blocksize β. In [HPS11] it is shown that after a polynomial number of calls to SVP oracle, the BKZ algorithm with blocksize β produces a basis B that achieves the following bound: d−1

b1  2γβ2(β−1)

+ 32

· vol(B)1/d .

However, up to our knowledge, there is no closed formula that tightly connects the quality and complexity of the BKZ algorithm. In this work, we use experimental models proposed in [ACF+15,ACD+18] in order to estimate the running time and quality of the output of lattice reduction. They are based on the following two assumptions on the quality and shape of the output of BKZ. The first assumption states that the BKZ algorithm outputs vectors with balanced coordinates, while the second assumption connects the Hermite factor δ with the chosen blocksize β.

On a Dual/Hybrid Approach to Small Secret LWE

447

Assumption 2.1. Given as input, a basis B of a d-dimensional lattice Λ, BKZ outputs a vector of norm close to δ d · det(Λ)1/d with balanced coordinates. Each coordinate of this vector follows a distribution that can be √approximated by a Gaussian with mean 0 and standard deviation δ d det(Λ)1/d / d. Assumption 2.2. BKZ with blocksize β achieves Hermite factor δ=

1  β  2(β−1) 1 (πβ) β . 2πe

This assumption is experimentally verified in [Che13]. BKZ Cost Models. To estimate the running time of BKZ, we use three different models. The first model is an extrapolation by Albrecht [ACF+15] et al. of the Liu–Nguyen datasets [LN13]. According to that model, the logarithm of the running time of BKZ-2.0 (expressed in bit operations) is a quadratic function of log(δ)−1 : 0.009 log(T (BKZδ )) = − 27. log(δ)2 We further refer to this model as the delta-squared model. The model was used in [CGGI17] to estimate the security of TFHE. Another cost model [ACD+18] assumes that the running time of BKZ with blocksize β for d-dimensional basis is T (BKZβ,d ) = 8d·T (SVPβ ), where T (SVPβ ) is the running time of an SVP oracle in dimension β. For the SVP oracle, we use the following two widely used models: T (SVPβ ) ≈ 20.292β+16.4 ,

Sieving model:

T (SVPβ ) ≈ 20.187β log(β)−1.019β+16.1 .

Enumeration model:

Analysing the proof of the sieving algorithm [BDGL16] reveals that around  4  n2 short vectors while solving SVP on an n-dimensional lattice. Therefore, 3 when using the sieving model, we shall assume that one run of the BKZ routine  β produces 43 2 short lattice vectors, where β is the chosen blocksize. As such, we shall provide the following heuristic, which generalizes the repartition given in Assumption 2.1 when the number of output vectors is small with regards to the number of possible vectors of the desired length: 2

Assumption 2.3. Let R δ d Vd and R  (4/3)β/2 where Vd is the volume of the 2 unit ball in dimension d. Given as input, a basis B of a d-dimensional lattice Λ, BKZβ with a sieving oracle as SVP oracle outputs a set of R vectors of norm close to δ d · det(Λ)1/d with balanced coordinates. Each coordinate of these vector follows a distribution that can be√approximated by a Gaussian with mean 0 and standard deviation δ d det(Λ)1/d / d. In practice, for the dimensions involved in cryptography, this assumption can be experimentally verified. In particular, for the parameters tackled in this

448

T. Espitau et al.

work, the number of vectors used by the attack is way lower than the number of potential candidates. An experimental verification of this fact is conducted in [?]. In general settings (when we need to look at all the vectors of the sieving pool), one might see this exploitation as a slight underestimate of the resulting security parameters. An interesting open problem that we leave for future work as it is unrelated to the attacks mounted here, would be to quantify precisely the distribution of the sieved vectors. A related idea seems quite folklore in the lattice reduction community. In particular, in [Alb17], the output basis of the reduction is randomized with slight enumeration and a pass of LLL for instance. This approach is slightly more costly than just extracting the sieved vectors but is comparable for its effect as an amortization technique when a batch reduction is needed.

3

Dual Distinguishing Attack Against LWE

In this first section, we revisit the distinguishing dual attack against LWE (or more precisely for the generic corresponding scale-invariant problem described in [BLP+13,CGGI20]), providing complete proofs and introducing finer tools as a novel distinguisher for the uniform distribution and the modular Gaussian. In particular, all the results are non-asymptotic and can be used for practical instantiations of the parameters. Note that it also naturally encompasses a continuous relaxation of the lazy modulus switching technique of [Alb17], as the mathematical framework used makes it appear very naturally in the proof technique. Settings. In all of the following, we denote by B a finite set of integers (typically {0, 1} or {−1, 0, 1}). Let s ∈ B n be a secret vector and let α > 0 be a fixed constant. The attack takes as input m samples (a1 , b1 ), . . . , (am , bm ) ∈ Tn+1 × T which are either all from LWEs,α distribution or all from U(Tn × T), and guesses the input distribution. We can write input samples in a matrix form: A := (a1 , . . . , am ) ∈ Tn×m ,

b = (b1 , . . . , bm )t ∈ Tm ,

if input samples are from the LWEs,α distribution: b = At s + e mod 1. Distinguisher Reduction Using a Small Trapdoor. To distinguish between the two distributions, the attack searches for a short vector v = (v1 , . . . , vm )t ∈ Zm such that the linear combination of the left parts of the inputs samples defined by v, i.e.: m  vi ai = Av mod 1 x := i=1

is also a short vector. If the input was from the LWE distribution, then the corresponding linear combination of the right parts of the input samples is also small as a sum of two relatively small numbers: vt b = vt (At s + e) = xt s + vt e

mod 1.

(1)

On a Dual/Hybrid Approach to Small Secret LWE

449

On the other hand, if the input is uniformly distributed, then independently of the choice of the non-zero vector v, the product v · b mod 1 has uniform distribution on (−1/2; 1/2). Recovering a suitable v thus turns the decisionalLWE problem into an easier problem of distinguishing two distributions on T. This remaining part of this section is organized in the following way. First, in Sect. 3.1 we describe how such a suitable vector v can be discovered by lattice reduction and analyze the distribution of vt b. Then, in Sect. 3.2, we estimate the complexity of distinguishing two distributions on T that we obtain after this first part. Finally, Sect. 3.3 estimates the time complexity of the whole attack. 3.1

Trapdoor Construction by Lattice Reduction

Finding a vector v such that both parts of the sum (1) are small when the input has LWE distribution is equivalent to finding a short vector in the following (m + n)-dimensional lattice: 

Av mod 1 m+n m . L(A) = ∈R ∀v ∈ Z v The lattice L(A) can be generated by the columns of the following matrix:

In A ∈ R(m+n)×(m+n) B= 0m×n Im A short vector in L(A) can be found by applying a lattice reduction algorithm to the basis B. Using Assumption 2.1, we expect that the lattice reduction process produces a vector w = (x||v)t ∈ Zn+m with equidistributed coordinates. Our goal is to minimize the product vt b = xt s + vt e. The vectors e and s come from different distributions and have different expected norms. For practical schemes, the variance of e is much smaller than the variance of s. To take this imbalance into account, one introduces an additional rescaling parameter q ∈ R>0 . The first n rows of the matrix B are multiplied by q, the last m rows are multiplied by q −n/m . Obviously, this transformation doesn’t change the determinant of the matrix. A basis Bq of the transformed lattice is given by

qIn qA Bq = ∈ R(m+n)×(m+n) . 0m×n q −n/m Im We apply a lattice reduction algorithm to Bq . Denote the first vector of the reduced basis as wq . By taking the last m coordinates of wq and multiplying them by q n/m we recover the desired vector v. This technique can be thought of as a continuous relaxation of the modulus switching technique. That part of the attack is summarized in [?]. The following lemma describes the distribution of the output of [?] under Assumption 2.1 that BKZ outputs vectors with balanced coordinates.

Let2 1 α > 0 be a fixed constant, B a finite set of integers of variance S 2 = |B| b∈B b

450

T. Espitau et al.

and n ∈ Z>0 . Let s be a vector such that of its coefficients are sampled independently and uniformly in B. Suppose that Assumption 2.1 holds and let δ > 0 be the quality of the output of the BKZ algorithm. Then, given as input m = n · ln(S/α) ln(δ) − n samples from the LWEs,α distribution, lattice reduction outputs a random variable x with a distribution that can be approximated by a Gaussian distribution with mean 0 and standard deviation σ    σ = α · exp 2 n ln(S/α) ln(δ) .

Denote as Fx the cumulative distribution function of x and denote as Φσ the cumulative distribution function of the Gaussian distribution with mean 0 and standard deviation σ. Then, the distance between the two distributions can be  1 √ , as n → ∞. The crux of the proof bounded: sup |Fx (t) − Φσ (t)| = O 2 S (m+n)

t∈R

of Sect. 3.1 relies on the Berry-Esseen theorem. We provide the complete details in [?]. 3.2

Exponential Kernel Distinguisher for the Uniform and the Modular Gaussian Distributions

We now describe a novel distinguisher for the uniform and the modular Gaussian distributions. Formally, we construct a procedure that takes as input N samples which are all sampled independently from one of the two distributions and guesses this distribution. The crux of our method relies on the use of an empirical estimator of the Levy transform of the distributions, to essentially cancel the effect of the modulus 1 on the Gaussian. Namely, from the N samples X1 , . . . , XN , we construct the N

estimator Y¯ = N1 · e2πiXi . As N is growing to infinity, this estimator converges i=1

to the Levy transform at 0 of the underlying distribution, that is to say: • to 0 for2 the uniform distribution 2 • to e−2π σ for the modular Gaussian. Hence, to distinguish the distribution used to draw the samples, we now only 2 2 need to determine whether the empirical estimator Y¯ is closer to 0 or to e−2π σ . The corresponding algorithm is described in [?]. Let σ > 0 be a fixed constant. Assume that [?] is given as input N points that are sampled independently from the uniform distribution U or from the modular of the  input points Gaussian distribution Gσ . Then, [?] guesses the distribution  −4π 2 σ 2

· N . The time correctly with a probability at least pσ = 1 − exp − e 8 complexity of the algorithm is polynomial in the size of the input. Proof. See full version.

 

Section 3.2 implies that to distinguish the uniform distribution and the modular Gaussian distribution with the parameter σ with a non-negligible probability, 2 2 we need to take a sample of size N = O(e4π σ ).

On a Dual/Hybrid Approach to Small Secret LWE

451

Remark 1. The dual attack proposed in [CGGI20], does not specify, which algorithm is used for distinguishing the uniform and the modular Gaussian distributions. Instead, to estimate the size of the sample, needed to distinguish the distributions, they estimate the statistical distance ε (see [CGGI20, Section 7, Equation(6)] and use O(1/ε2 ) as an estimate for the required size of the sample. However, such an estimate does not allow a practical instantiation in the security analysis since it hides the content of the O. It turns out that the exponential kernel distinguisher, described in [?] has the same asymptotic complexity as the statistical distance estimate from [CGGI20] suggests, while enjoying a sufficiently precise analysis to provide non-asymptotic parameter estimation. 3.3

Complexity of the Dual Attack

The distinguishing attack is summarized in Algorithm 1. It takes as input m×N samples from an unknown distribution, then transforms them into N samples which have the uniform distribution if the input of the attack was uniform and the modular Gaussian distribution if the input was from the LWE distribution. Then, the attack guesses the distribution of N samples using [?] and outputs the corresponding answer.

Algorithm 1: Dual distinguishing attack

1 2 3 4 5 6 7 8 9 10

n×m input : {(Ai , bi )}N bi ∈ Tm , α > 0, S > 0, i=1 , where ∀i Ai ∈ T δ ∈ (1; 1.1) output: guess for the distribution of the input: Uniform or LWE distribution DistinguishingAttack({Ai , bi }N i=0 , α, S, δ): X := ∅    σ := α · exp 2 n ln(S/α) ln(δ) for i ∈ {1, . . . , N } do x ← LWEtoModGaussian(Ai , bi , S, α, δ) X ←X ∪x if (DistinguishGU(X, σ) = G) then return LWE distribution else return Uniform

The following theorem states that the cost of the distinguishing attack can be estimated by solving a minimization problem. The proof is deferred to [?]. Let α > 0 be a fixed constant, B a finite set of integers of variance 1 2 S 2 = |B| b∈B b and n ∈ Z>0 . Let s be a vector with all coefficients sampled independently and uniformly in B. Suppose that Assumption 2.1 holds. Then, the time complexity of solving Decision-LWEs,α with probability of success p by the distinguishing attack described in Algorithm 1 is   TDualAttack = min N (σ, p) · T (BKZδ ) , (2) δ

452

T. Espitau et al.

   2 2 1 where σ = α · exp 2 n ln(S/α) ln(δ) , N (σ, p) = 8 ln( 1−p ) · e4π σ .

4

Towards a Hybrid Dual Key Recovery Attack

In this section, we show how the dual distinguishing attack recalled in Sect. 3 can be hybridized with exhaustive search on a fraction of the secret vector to obtain a continuum of more efficient key recovery attacks on the underlying LWE problem. Recall that B is a finite set of integers from which the coefficients of the secret are drawn. Let then s ∈ B n be a secret vector and let α > 0 be a fixed constant. Our approach takes as input samples from the LWE distribution of form (3) (A, b = At s + e mod 1) ∈ (Tn×m , Tm ), where e ∈ Rm has centered Gaussian distribution with standard deviation α. The attack divides the secret vector into two fractions: s = (s1 ||s2 )t ,

s1 ∈ B n1 ,

s2 ∈ B n2 ,

n = n1 + n2 .

The matrix A is divided into two parts corresponding to the separation of the secret s: ⎛ ⎞ a1,1 . . . a1,m ⎜ .. ⎟ .. ⎜ . ⎟ . ⎜ ⎟

⎜ an1 ,1 . . . an1 ,m ⎟ A1 ⎟ A=⎜ (4) ⎜an +1,1 . . . an +1,m ⎟ = A2 1 1 ⎜ ⎟ ⎜ . ⎟ .. ⎝ .. ⎠ ... . an,1

. . . an,m

Then, Eq. 3 can be rewritten as At1 s1 + At2 s2 + e = b mod 1. By applying lattice reduction to matrix A1 as described in [?], we recover a vector v such that vt (At1 s1 + e) is small and it allows us to transforms m input LWE samples (A, b) ∈ (Tn×m , Tm ) into one new LWE sample (ˆ a, ˆb) ∈ (Tn2 , T) of smaller dimension and bigger noise: vt At s2 + vt (At1 s1 + e) =  vt b   2    a



mod 1.

(5)

ˆ b

The resulting LWE sample in smaller dimension can be used to find s2 . Let x ∈ B n2 be a guess for s2 . If the guess is correct, then the difference ˆb − a ˆ t x = ˆb − a ˆt s2 = (ˆ e mod 1) ∼ Gσ is small.

(6)

On a Dual/Hybrid Approach to Small Secret LWE

453

If the guess is not correct and x = s2 , then there exist some y = 0 such that ˆt x in the following way: x = s2 − y. Then, we rewrite ˆb − a ˆb − a ˆ t x = (ˆb − a ˆt s2 ) + a ˆt y = a ˆt y + eˆ. ˆt y + eˆ) as a sample from the LWE distribution that correWe can consider (ˆ a, a sponds to the secret y. Therefore, we may assume that if x = s2 , the distribution ˆt x mod 1 is close to uniform, unless the decision-LWE is easy to solve. of ˆb − a In order to recover s2 , the attack generates many LWE samples with reduced dimension. Denote by R the number of generated samples and put them into ˆ ∈ Tn2 ×R × TR . There are |B|n2 possible candidates for ˆ b) matrix form as (A, s2 . For each candidate x ∈ B n2 , the attack computes an R-dimensional vector ex = b − At s. The complexity of this computation for all the candidates is ˆ and S2 , where S2 is essentially the complexity of multiplying the matrices A a matrix whose columns are all vectors of (the projection of) the secret space in dimension n2 . Naively, the matrix multiplication requires O(n · |B|n2 · R) operations. However, by exploiting the recursive structure of S2 , it can be done in time O(R · |B|n2 ). Then, for each candidate x for s2 the attack checks whether the corresponding vector ex is uniform or concentrated around zero distribution. The attack returns the only candidate x whose corresponding vector ex has concentrated around zero distribution. The rest of this section is organized as follows. First, we describe the auxiliary algorithm for multiplying a matrix by the matrix of all vectors of the secret space that let us speed up the search for the second fraction of the secret key. Then, we evaluate the complexity of our attack. 4.1

Algorithm for Computing the Product of a Matrix with the Matrix of All Vectors in a Product of Finite Set

Let B = {b1 , . . . , bk } ⊂ Z be a finite set of integer numbers such that bi < bi+1 for all i ∈ {1, . . . , k − 1}. For any positive integer d, denote by S(d) the matrix whose columns are all vectors from {b1 , . . . , bk }d written in the lexicographical order. These matrices can recursively. For d = 1 the matrix is a   be constructed d single row, i.e., S(1) = b1 . . . bk , and for any d > 1 the matrix S(d) ∈ Zd×k can be constructed by concatenating k copies of the matrix S(d−1) and adding a row which consists of k d−1 copies of b1 followed by k d−1 copies of b2 and so on:

b . . . b1 b2 . . . b2 . . . bk . . . bk S(d) = 1 . (7) S(d−1) S(d−1) . . . S(d−1) Let a = (a1 , . . . , ad )t be a d-dimensional vector. Our goal is to compute the scalar products of a with each column of S(d) . We can do it by using the recursive structure of S(d) . Assume that we know the desired scalar products for

454

T. Espitau et al.

a(d−1) = (a2 , . . . , ad )t and S(d−1) Then, using Eq. (7), we get

  b1 . . . b1 . . . bk . . . bk t t a a a S(d) = 1 (d−1) · S(d−1) . . . S(d−1)  = (a1 · b1 , . . . , a1 · b1 )t + at(d−1) S(d−1) . . . (a1 · bk , . . . , a1 · bk )t + at(d−1) S(d−1)

(8) 

that is, the resulting vector is the sum of the vector at(d−1) S(d−1) concatenated with itself k times with the vector consisting of k d−1 copies of a1 ·b1 concatenated with k d−1 copies of a1 ·b2 and so on. The approach is summarized in Algorithm 2.

Algorithm 2: Compute a scalar product of a matrix of all vectors from {b1 , . . . , bk }d .

1 2 3 4 5 6 7 8 9

input : a = (a1 , . . . , ad )t , B = {b1 , . . . , bk } ⊂ Z such that b1 < b2 < · · · < bk . d output: at S(d) , where S(d) ∈ {b1 , . . . , bk }k ×d is the matrix whose columns are all the vectors from the set {b1 , . . . , bk }d written in the lexicographical order computeScalarProductWithAllVectors(a, B): x ← (ad · b1 , . . . , ad · bk )t ; y1 ← ∅, y2 ← ∅ for i ∈ {d − 1, . . . , 1} do for j ∈ {1, . . . , k} do y1 ← y1 ∪ x y2 ← y2 ∪ (ai · bj , . . . , ai · bj )t x ← y1 + y2 y1 ← ∅, y2 ← ∅ return x

Let d be a positive integer number and B = {b1 , . . . , bk } be a set of k integer numbers. Algorithm 2, given as input a d-dimensional vector a, outputs the vector x of dimension k d such that for all x = at S(d) . The time complexity of the algorithm is O(k d ). Proof. See Sect. 3.1

 

Let A be a matrix with R rows and d columns. The product of A and S(d) can be computed in time O(R · k d ). Proof. In order to compute A · S(d) we need to compute the product of each of the R rows of A with Sd . By Line 9 it can be done in time O(k d ). Then the   overall complexity of multiplying the matrices is O(R · k d ).

On a Dual/Hybrid Approach to Small Secret LWE

4.2

455

Complexity of the Attack

The pseudo-code corresponding to the full attack is given in Algorithm 3. Let α > 0, p ∈ (0; 1), S ∈ (0; 1), and n ∈ Z>0 be fixed constants. Let s ∈ B n and σ > 0. Suppose that Assumption 2.1 holds. Then, the time complexity of solving the Search-LWEs,α problem with the probability of success p by the attack described in Algorithm 3 is     n2 Tdual hybrid = min |B| + T (BKZδ ) · R(n2 , σ, p) , (9) δ,n2

where R(n2 , σ, p) = 8 · e4π

2

σ2

(n2 ln(2) − ln(ln(1/p))).

Proof. See full version.

 

Algorithm 3: Hybrid key recovery attack

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

4.3

n×m input : {(Ai , bi )}R , bi ∈ Tm , α > 0, S > 0, δ > 1, i=1 , where ∀i Ai ∈ T n1 ∈ {2, . . . , n − 1} output: s2 ∈ B n−n1 recoverS({(Ai , bi )}R i=1 , α, S, δ, n1 ): n2 ← (n − n1 )    σ ← α · exp 2 n1 ln(S/α) ln(δ) ˆ←∅ ˆ ←∅,b A /* lattice reduction part */ for i ∈ {1, . . . , R} do A ← Ai , b ← b i (A1 , A2 ) ← splitMatrix(A, n1 )  see Equation (4) v ← computeV(A1 , S, α, δ)  [?] ˆ←b ˆ ∪ {vt b} ˆ ←A ˆ ∪ {A2 v}, b A /* search for s2 */ S(n2 ) ← matrix of all vectors in the secret space of dimension n2 in lexicographical order ˆ . . . , b) ˆ ∈ TR×|B|n2 ˆ ← (b, B t ˆ ←B ˆ −A ˆ S(n ) mod 1  see Line 9 and Algorithm 2 E 2 for i ∈ {1, . . . , |B|n2 } do ˆ ˆ ← E[i] e /* guess the distribution of e (see [?]) */ if (distinguishGU(ˆ e, σ) = G) then return S(n2 ) [i]

Using Sieving in the Hybrid Attack

Assume that BKZ uses a sieving algorithm (for instance [BDGL16]) as an SVP oracle. At its penultimate step, the sieving algorithm produces many short vectors. Thus we may suppose that BKZ with the sieving SVP oracle produces

456

T. Espitau et al.

many short vectors in one run. Then,  we need N short lattice vectors, we need  N if times, where m is the number of short to run the lattice reduction only m vectors, returned by the lattice reduction. In the following corollary from Line 16, we use this property to revisit the time complexity of our attack under the sieving BKZ cost model. Let α, p, n, σ and s ∈ {0; 1}n be as in Line 16. Assume that the lattice reduction algorithm, used by Algorithm 1, uses the sieving algorithm from [BDGL16] as an oracle for solving SVP. Suppose that Algorithm 2.3 holds. Then, the time complexity of solving the Search-LWEs,α problem with probability of success p by the attack described in Algorithm 3 is    R(n , σ, p)  2 n2 Thybrid+sieving = min |B| · R(n1 , σ, p) + T (BKZδ ) · , (10) δ,n2 (4/3)β/2 where β is the smallest blocksize such that the lattice reduction with the blocksize β achieves the Hermite factor δ; R(n2 , σ, p) is as defined in Line 16. Proof. See full version. 4.4

 

The Sparse Case: Size Estimation and Guessing a Few Bits

When the secret is sparse we can use so-called combinatorial techniques [Alb17] to leverage this sparsity. Assume that only h components of the secret are nonzero. Then, we guess k zero components of the secret s and then run the full attack in dimension (n − k). If the guess was incorrect, we restart with a new and independent guess for the positions of zeroes. For sparse enough secrets, the running time of the attack in smaller dimension trade-offs positively with the failure probability. Also, the variance of the scalar product v ts is smaller in the sparse case because the variance of the key contains many zeros. Combining these observations, we obtain the following result for sparse secrets: Let α > 0, n > 0 and fix s ∈ B n . Suppose that s has exactly 0  h < n non-zero components. Suppose that Assumption 2.1 holds. Assume that the lattice reduction algorithm, used by Algorithm 1, uses the sieving algorithm from [BDGL16] as an oracle for solving SVP. Then, the time complexity of solving Decision-LWEs,α with probability of success p by the distinguishing attack described in Algorithm 1 is given by  

−1

n−h n (11) Tsparse = min · Thybrid (n − k, α) 0kh k k where β is the smallest blocksize such that the lattice reduction with the blocksize β achieves the Hermite factor δ; σ and N (σ, p) are as defined in Line 10. Proof. Please refer to the full version of the paper.

 

On a Dual/Hybrid Approach to Small Secret LWE

5

457

Bit-Security Estimation and Experimental Verification

We implement an estimator script for the attack that, given parameters of an LWE problem and a BKZ cost model as an input, finds optimal parameters for the dual attack (see Sect. 3) and our hybrid attack (see Sect. 4). Using this script, we evaluate the computational costs for a wide range of small-secret LWE parameters. In this section, we report the results of our numerical estimation and show that the security level of the TFHE scheme should be updated with regards to the hybrid attack. We also apply our attack to the parameters of FHEW, SEAL, and HElib. For completeness purposes, in the full version of this paper we also provide an in-depth comparison with the primal unique-SVP technique. Eventually, we support our argument by an implementation working on a small example. 5.1

Bit-Security of LWE Parameters

We numerically estimate the cost of solving LWE problem by the dual attack (as described in Sect. 3) and by our attacks for all pairs of parameters the (n, α) from the following set: (n, − log(α)) ∈ {100, 125, . . . , 1050} × {5, 6.25, . . . , 38.5}. We create a heatmap representing the cost of our attack as a function of parameters n and α. In Fig. 1 we present an estimation of the bit-security of the LWE parameters according to the combination of our attack and the collision attack, with time complexity 2n/2 . Thus, Fig. 1 represents the function min(TourAttack (n, α), 2n/2 ), where TourAttack (n, α) is the cost of our attack for the parameters n and α. Figure 1 is obtained under the sieving BKZ cost model. We also created similar heatmaps for our hybrid dual attack and the dual attack described in Sect. 3 under three BKZ cost models: enumeration, sieving, and delta-squared. For completeness, these heatmaps are presented in [?]. 5.2

Application to FHE Schemes

Non-sparse small secrets. TFHE. The TFHE scheme uses two sets of parameters: for the switching key and for the bootstrapping key. The security of the scheme is defined by the security of the switching key, which is the weaker link. The parameters of the TFHE scheme were updated several times. In Table 2, we presents the results of our estimates for the recently updated parameters from the public implementation [G+16, v1.1]. For completeness, we also reevaluate the security all the previous sets of TFHE parameters. The results for the previous parameters of TFHE can be found in [?]. FHEW. The fully homomorphic encryption scheme FHEW [DM15], as TFHE, uses binary secrets. Its parameters are given as n = 500, σ = 217 , q = 232 . The bit-security of these parameters under our hybrid dual attack in the sieving model is 96 bits, which is slightly better than the primal or dual attack estimated with [ACD+18] giving respectively 101 and 115 bits of security.

458

T. Espitau et al.

Fig. 1. Bit-security as a function of the LWE parameters n and α assuming the sieving BKZ cost model. Here, n denotes the dimension, α denotes the standard deviation of the noise, the secret key is chosen from the uniform distribution on {0, 1}n . The picture represents the security level λ of LWE samples, λ = log(min(TourAttack (n, α), 2n/2 )). The numbered lines on the picture represent security levels. The star symbol denotes the old TFHE key switching parameters from [CGGI17], the diamond symbol denotes the key switching parameters recommended in [CGGI20, Table 4]. Table 2. Security of the parameters of the TFHE scheme from the public implementation [G+16] (parameter’s update of February 21, 2020) against dual attack (as described in Sect. 3) and hybrid dual attack (as described in Sect. 4). λ denotes security in bits, δ and n1 are the optimal parameters for the attacks. “-” means that the distinguishing attack doesn’t have the parameter n1 . BKZ model

Switching key n = 630, α = 2−15 Bootstrapping key n = 1024, α = 2−25

Delta-squared Attack Dual

λ

δ

New attack 176 1.005 Sieving Enumeration

Dual

n1

270 1.0042 – 485

131 1.0044 –

Attack

λ

Dual

256 1.0042 –

δ

n1

New attack 190 1.0048 862 Dual

131 1.0044 –

New attack 121 1.0047 576

New attack 125 1.0046 967

Dual

Dual

292 1.0042 –

New attack 192 1.0052 469

280 1.0041 –

New attack 209 1.0049 842

SEAL. The SEAL v2.0 homomorphic library [LP16] uses ternary non-sparse secrets. We target these parameters directly with our hybrid approach and compare the (best) results with the dual attack of [Alb17]. The results are compiled in [?]. The results are very slightly better for our techniques, although being very comparable.

On a Dual/Hybrid Approach to Small Secret LWE

459

Sparse Secrets: HElib. The HElib homomorphic library [HS15] uses ternary sparse secrets which have exactly 64 non-zero components. We can then target these parameters using the combination of our hybrid attack with guessing. The results are compiled in [?]. The results are very slightly worse for our techniques, although are still very comparable. A reason might be that the exploitation of the sparsity in our case is more naive than the range of techniques used in [Alb17]. An interesting open question would be to merge the best of these two worlds to get even stronger attacks. We leave this question for future work as it is slightly out of the scope of the present paper. 5.3

Experimental Verification

In order to verify the correctness of our attack, we have implemented it on small examples. Our implementation recovers 5 bits of a secret key for LWE problems with the following two sets of parameters: (n, α) = (30, 2−8 ) and (n, α) = (50, 2−8 ). For implementation purposes, we rescaled all the elements defined over torus T to integers modulo 232 . For both examples, we use BKZ with blocksize 20, which yields the quality of the lattice reduction around δ  1.013. We computed the values of parameters of the attack required to guess correctly 5 bits of the key with probability 0.99 assuming that quality of the output of BKZ. The required parameters for both experiments are summarized in [?]. The first experiment was repeated 20 times, the second was repeated 10 times. For both experiments, the last five bits of the key were successfully recovered at all attempts. The correctness of both attacks rely on assumptions made in Sect. 3.1 for approximating the distribution of vt (At s + e) mod 1 by modular Gaussian distribution Gσ . In order to verify these assumptions, while running both experiments we have collected samples to check the distribution: each time when the attack found correctly the last bits of the secret key s2 , we collected the corre˜ −a ˜t s2 = vt (At s1 + e). For the first experiment, the size of the sponding e˜ = b collected sample is 20×R1 = 640, for the second experiment, it is 10×R2 = 740. The collected data is presented in the full version. In the full version, we compare theoretical predictions and estimations obtained from the experiments for the parameters of modular Gaussian distribution Gσ . Experimental estimations of mean and variance in both cases match closely theoretical predictions. For the analysis of our attack under the sieving BKZ cost model we assume that the sieving oracle produces at least (4/3)β/2 short lattice vectors, where β is the blocksize of BKZ (see Sect. 2.3). In order to check the correctness of the assumption, we studied the distribution of vectors returned by the sieving algorithm on random lattices in several small dimensions. All the experiments, details in [?], reveals essentially the same results: the size of the list was always a small constant around the expected (4/3)n/2 and√the norms of the vectors in the list were concentrated around a value of order n · vol(Λ)1/n , validating the heuristic used in practice. Acknowledgments. We thank the anonymous reviewers for valuable comments on this work, as well as Alexandre Wallet and Paul Kirchner for interesting discussions.

460

T. Espitau et al.

References [ACD+18] Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes!. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0 19 [ACF+15] Albrecht, M.R., Cid, C., Faugere, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Cryptogr. 74(2), 325–354 (2015) [AFG13] Albrecht, M.R., Fitzpatrick, R., G¨ opfert, F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 293–310. Springer, Cham (2014). https://doi. org/10.1007/978-3-319-12160-4 18 [Ajt98] Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pp. 10–19. ACM (1998) [Alb17] Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6 4 [APS15] Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015) [BDGL16] Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 10–24. Society for Industrial and Applied Mathematics (2016) [BG14] Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5 21 [BGPW16] Buchmann, J., G¨ opfert, F., Player, R., Wunderer, T.: On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 24–43. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1 2 [BGV14] Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Compu. Theory (TOCT) 6(3), 13 (2014) [BKW03] Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM (JACM) 50(4), 506–519 (2003) [BLP+13] Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehl´e, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM (2013) [BV11] Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9 29 [CGGI16] Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6 1

On a Dual/Hybrid Approach to Small Secret LWE

461

[CGGI17] Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 377–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-31970694-8 14 [CGGI20] Chillotti, I., Gama, N., Georgieva, M., Izabach`ene, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2020) [Che13] Chen, Y.: R´eduction de r´eseau et s´ecurit´e concrete du chiffrement completement homomorphe. Ph.D. thesis, Paris 7 (2013) [CHHS19] Cheon, J.H., Hhan, M., Hong, S., Son, Y.: A hybrid of dual and meetin-the-middle attack on sparse and ternary secret LWE. IEEE Access 7, 89497–89506 (2019) [CLP17] Chen, H., Laine, K., Player, R.: Simple encrypted arithmetic library SEAL v2.1. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-7027801 [CN11] Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0 1 [CS15] Cheon, J.H., Stehl´e, D.: Fully homomophic encryption over the integers revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 513–536. Springer, Heidelberg (2015). https://doi.org/10. 1007/978-3-662-46800-5 20 [DM15] Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https:// doi.org/10.1007/978-3-662-46800-5 24 [FV12] Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, 2012:144 (2012) [G+09] Gentry, C., et al.: Fully homomorphic encryption using ideal lattices. In: STOC, vol. 9, pp. 169–178 (2009) [G+16] Gama, N., et al.: Github repository. TFHE: Fast fully homomorphic encryption library over the torus (2016). https://github.com/tfhe/tfhe [GNR10] Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-64213190-5 13 [GPV08] Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008) [GSW13] Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75– 92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-4004145 [HG07] Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/ 978-3-540-74143-5 9

462

T. Espitau et al.

[HPS11] Hanrot, G., Pujol, X., Stehl´e, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/ 978-3-642-22792-9 25 [HS15] Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5 25 [LLL82] Lenstra, A.K., Lenstra, H.W., Lov´ asz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982) [LN13] Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4 19 [LP11] Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-64219074-2 21 [LP16] Laine, K., Player, R.: Simple encrypted arithmetic library-seal (v2. 0). Technical report (2016) [MW16] Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3662-49890-3 31 [Reg05] Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005) [SC19] Son, Y., Cheon, J.H.: Revisiting the hybrid attack on sparse and ternary secret LWE. IACR Cryptology ePrint Archive, 2019:1019 (2019) [Wun16] Wunderer, T.: Revisiting the hybrid attack: Improved analysis and refined security estimates. IACR Cryptology ePrint Archive, 2016:733 (2016)

Encryption and Signatures

Adaptively Secure Threshold Symmetric-Key Encryption Pratyay Mukherjee(B) Visa Research, Palo Alto, USA [email protected] Abstract. In a threshold symmetric-key encryption (TSE) scheme, encryption/decryption is performed by interacting with any threshold number of parties who hold parts of the secret-keys. Security holds as long as the number of corrupt (possibly colluding) parties stay below the threshold. Recently, Agrawal et al. [CCS 2018] (alternatively called DiSE) initiated the study of TSE. They proposed a generic TSE construction based on any distributed pseudorandom function (DPRF). Instantiating with DPRF constructions by Naor, Pinkas and Reingold [Eurocrypt 1999] (also called NPR) they obtained several efficient TSE schemes with various merits. However, their security models and corresponding analyses consider only static (and malicious) corruption, in that the adversary fixes the set of corrupt parties in the beginning of the execution before acquiring any information (except the public parameters) and is not allowed to change that later. In this work we augment the DiSE TSE definitions to the fully adaptive (and malicious) setting, in that the adversary is allowed to corrupt parties dynamically at any time during the execution. The adversary may choose to corrupt a party depending on the information acquired thus far, as long as the total number of corrupt parties stays below the threshold. We also augment DiSE’s DPRF definitions to support adaptive corruption. We show that their generic TSE construction, when plugged-in with an adaptive DPRF (satisfying our definition), meets our adaptive TSE definitions. We provide an efficient instantiation of the adaptive DPRF, proven secure assuming decisional Diffie-Hellman assumption (DDH), in the random oracle model. Our construction borrows ideas from Naor, Pinkas and Reingold’s [Eurocrypt 1999] statically secure DDH-based DPRF (used in DiSE) and Libert, Joye and Yung’s [PODC 2014] adaptively secure threshold signature. Similar to DiSE, we also give an extension satisfying a strengthened adaptive DPRF definition, which in turn yields a stronger adaptive TSE scheme. For that, we construct a simple and efficient adaptive NIZK protocol for proving a specific commit-and-prove style statement in the random oracle model assuming DDH.

1

Introduction

Symmetric-key encryption is an extremely useful cryptographic technique to securely store sensitive data. However, to ensure the purported security it is of c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 465–487, 2020. https://doi.org/10.1007/978-3-030-65277-7_21

466

P. Mukherjee

utmost important to store the key securely. Usually this is handled by using secure hardware like HSM, SGX, etc. This approach suffers from several drawbacks including lack of flexibility (supports only a fixed operation), being expensive, prone to side-channel attacks (e.g. [22,26]) etc. Splitting the key among multiple parties, for example, by using Shamir’s Secret Sharing [31] provide a software-only solution. While this avoids a single-point of failure, many enterprise solutions, like Vault [4], simply reconstructs the key each time an encryption/decryption is performed. This leaves the key exposed in the memory in the reconstructed form. Threshold cryptography, on the other hand, ensures that the key is distributed at all time. A few recent enterprise solutions, such as [1–3], use threshold cryptographic techniques to provide software-only solutions without reconstruction for different applications. While studied extensively in the public-key setting [5,8–10,12,14–16,18,19,32], threshold symmetric-key encryption has been an understudied topic in the literature. This changed recently with the work by Agrawal et al. [6], that initiated the formal study of threshold symmetric-key encryption scheme (TSE). Their work, alternatively called DiSE, defines, designs and implements threshold (authenticated) symmetric-key encryption. They put forward a generic TSE scheme based on any distributed pseudorandom function (DPRF). They provided two main instantiations of TSE based on two DPRF constructions from the work of Naor Pinkas and Reingold [28] (henceforth called NPR): (i) One (DP-PRF) based on any  pseudorandom function, which is asymptotically efficient as long as O( nt ) is polynomial in the security parameter (when n is the total number of parties and t is the threshold). (i) Another one (DP-DDH) based on DDH assumption (proven secure in the random oracle model) and is efficient for any n, t (t ≤ n). By adding specialized NIZK to it, they constructed a stronger variant of DPRF– when plugged-in to the generic construction, a stronger TSE scheme is obtained. A shortcoming of the DiSE TSE schemes is that they are secure only in a static (albeit malicious) corruption model, in that the set of corrupt parties is decided in the beginning and remains unchanged throughout the execution.1 This is unrealistic in many scenarios where the adversary may corrupt different parties dynamically throughout the execution. For instance, an attacker may just corrupt one party and actively takes part in a few executions and based on the knowledge acquired through the corrupt party, decides to corrupt the next party and so on. Of course, the total number of corruption must stay below the threshold t, as otherwise all bets are off.

1

We note that, DiSE’s definition has a weak form of adaptivity, in that the corrupt set can be decided depending on the public parameters (but nothing else). Moreover, we do not have an adaptive attack against their scheme; instead their proof seems to rely crucially on the non-adaptivity.

Adaptively Secure Threshold Symmetric-Key Encryption

467

Our Contribution. In this paper we augment DiSE to support adaptive corruption.2 Our contributions can be summarized as follows: 1. We augment the security definitions of TSE, as presented in DiSE [6], to support adaptive corruption. Like DiSE, our definitions are game-based. While some definitions (e.g. adaptive correctness, Definition 7) extend straightforwardly, others (e.g. adaptive authenticity, Definition 9) require more work. Intuitively, subtleties arise due to the dynamic nature of the corruption, which makes the task of tracking “the exact information” acquired by the attacker harder. 2. Similarly, we also augment the DPRF security definitions (following DiSE) to support adaptive corruption. We show that the generic DiSE construction satisfies our adaptive TSE definitions when instantiated with any such adaptively secure DPRF scheme. The proof of the generic transformation for adaptive corruption works in a fairly straightforward manner. 3. We provide new instantiations of efficient and simple DPRF constructions. Our main construction is based on the NPR’s DDH-based DPRF (DP-DDH, as mentioned above) and the adaptive threshold signature construction by Libert, Joye and Yung [23] (henceforth called LJY). It is proven secure assuming DDH in the random oracle model. The proof diverges significantly from DiSE’s proof of DP-DDH. Rather, it closely follows the proof of the LJY’s adaptive threshold signature. Similar to DiSE, we also provide a stronger DPRF construction by adding NIZK proofs – this yields a stronger version of TSE via the same transformation. However, in contrast to DiSE, we need the NIZK to support adaptive corruption. We provide a construction of adaptive NIZK for a special commit-and-prove style statement from DDH in the random oracle model – this may be of an independent interest. Finally, we observe that the adaptively secure construction obtained via a standard complexity leveraging argument on DP-PRF is asymptotically optimal. So, essentially the same construction can be used to ensure security against adaptive corruption without any additional machinery. Efficiency Compared to DiSE. Though we do not provide implementation benchmarks, it is not too hard to see the performance with respect to DiSE. Our DDHbased DPRF scheme is structurally very similar to DP-DDH– the only difference is in the evaluation, which requires two exponentiation operations instead of one used in DiSE. So, we expect the overall throughput of the TSE scheme may degrade by about a factor of 2. However, the communication remains the same because in our construction, like DP-DDH, only one group element is sent by each party. 2

We remark that adaptive security is generically achieved from statically secure schemes using a standard complexity leveraging   argument, in particular, just by guessing the corrupt set ahead of time. When nt is super-polynomial (in the security parameter), this technique naturally incurs a super-polynomial blow-up, for which super-polynomially hard assumptions are required. In contrast, all our constructions are based on polynomially hard assumptions.

468

P. Mukherjee

For the stronger (NIZK-added) version, we expect again a factor of 2 slow down when instantiated with our adaptive NIZK construction (c.f. Appendix A) – we have 8 exponentiations as compared to DiSE’s 4 in this case. In this case, however, there are also some degradation (around a factor of 2) in the communication due to presence of two additional elements of Zp in the NIZK proof, compared to the (publicly verifiable) DiSE instantiation (Figure 5 of [7]).3 Roadmap. We discuss related works in Sect. 2 and technical overview in Sect. 3. After providing some basic notations and preliminaries in Sect. 4, we put forward our adaptive DPRF definitions in Sect. 5 and adaptive TSE definitions in Sect. 6. We give our DPRF constructions in Sect. 7. The full proof of our main construction is deferred to the full version [27]. In Appendix A we provide our adaptive NIZK construction. Our TSE construction, that extends fairly straightforwardly from DiSE, is deferred to the full version [27].

2

Related Work

Threshold cryptography may be thought of as a special-case of general-purpose secure multiparty computation (MPC). Specific MPC protocols for symmetric encryption has been proposed in the literature [1,13,20,29], that essentially serve the same purpose. While they adhere to the standardized schemes, such as AES, their performance often falls short of the desired level. Theoretical solutions, such as universal thresholdizers [11] resolve the problem of threshold (authenticated) symmetric-key encryption generically, but are far from being practical. For a detailed discussion on threshold cryptography literature, and comparison with other approaches such as general MPC we refer to DiSE. Adaptive DPRF has been constructed from lattice-based assumption by [25]. Their construction has an advantage of being in the standard model apart from being post-quantum secure. However, their construction is quite theoretical and is therefore not suitable for constructing practical TSE schemes. Our construction can be implemented within the same framework as DiSE with minor adjustments and will be similarly efficient (only with a factor of up to 2 degradation in the throughput, which is a reasonable price to pay for ensuring adaptive security). Our approach to construct adaptive DPRF is similar to and inspired by the adaptive threshold signature scheme of LJY [24]. Our proof strategy follows their footsteps closely. In fact, the LJY construction was mentioned as a plausible approach to construct adaptively secure DPRF in [25]. However, the threshold signature construction, as presented in LJY, becomes more cumbersome due to the requirement of public verification. In particular, it additionally requires bilinear maps and therefore is not suitable for using in the adaptive TSE setting. In this paper we provide a clean and simple exposition of the DPRF (that largely resembles the DiSE’s), formalize the arguments and apply it to construct efficient 3

A privately verifiable version, similar to Figure 6 of [7] can be constructed analogously with similar efficiency. We do not elaborate on that.

Adaptively Secure Threshold Symmetric-Key Encryption

469

adaptive TSE. Furthermore, we go one step further to combine it with adaptive NIZK to obtain a stronger version of adaptive DPRF and subsequently a stronger adaptive TSE.

3

Technical Overview

Technical Overview. Our main technical contribution is twofold: (i) definitions and (ii) constructions. DiSE definitions are game-based and hence they crucially rely on “tracking the exact amount of information” acquired by an attacker via playing security games with the challenger. In other words, the attacker is “allowed” to receive a certain amount of information and is only considered a “winner” if it is able to produce more than that. For standard (non-interactive) schemes, like CCA-secure encryption this is captured simply by requiring the adversary to submit challenge ciphertexts that are not queried to the decryption oracle (in other words the attacker is allowed to receive decryption of any ciphertexts that are not challenge ciphertexts). In the interactive setting this becomes challenging as already elaborated in DiSE. In the adaptive case this becomes even trickier as the corrupt set is not known until the very end.4 Our general strategy is to “remember everything” (in several lists) the adversary has queried so far. Later in the final phase, when the entire corrupt set is known, the challenger “extracts” the exact amount of information learned by the adversary from the list and decides whether the winning condition is satisfied based on that. Our DDH-based adaptive DPRF construction, inspired by the adaptive threshold signature of LJY, is based on a small but crucial tweak to the NPR’s DP-DDH construction. Recall that, NPR’s DP-DDH construction simply outputs y := DPk (x) = H(x)k on input x, when k is the secret-key and H : {0, 1} → G is a hash function (modeled as a random oracle) mapping to a cyclic group G; k is shared among n parties by a t-out-of-n Shamir’s secret sharing scheme. Each party i outputs yi := H(x)ki where ki is the i-th share of k. The reconstruction is a public procedure, that takes many yi ’s from a set S   λ (of size at least t) and computes i∈S yi i,S = H(x) i∈S λi,S ki = y where λi,S is the Lagrange coefficient for party i for set S. The DPRF pseudorandomness requires that, despite learning multiple real outputs DPk (x1 ), DPk (x2 ), . . . (xi ’s are called non-challenge inputs), the value H(x )k on a fresh x = xi remains pseudorandom. To prove security, the key k must not be known to the reduction (as it would be replaced by a DDH challenge) except in the exponent (that is g k ); the reduction may sample at most (t − 1) random ki ’s which leaves k completely 4

Note that, we assume a stronger erasure-free adaptive model, in that each party keeps its entire history from the beginning of execution in its internal state. Therefore, when the adversary corrupts a party, it gets access to the entire history. This compels the reduction to “explain” its earlier simulation of that party, before it was corrupt. In a weaker model, that assumes erasure, parties periodically removes their history.

470

P. Mukherjee

undetermined. Let us assume a relatively simpler case when the attacker corrupts exactly (t − 1) parties. In this case, a static adversary declares the corrupt set C ahead of time and the reduction may pick only those ki such that i ∈ C, which are given to the adversary to simulate corruption. The evaluation queries on nonchallenge inputs are easily simulated using DDH challenges and extrapolating adequately in the exponent (those (t − 1) keys and the DDH challenge fully determines the key in the exponent). However, in the adaptive case the reduction can not do that because it does not know C until the very end– in the mean-time it has to simulate evaluation queries on non-challenge inputs. If the reduction tries to simulate them by sampling any (t − 1) keys, it may encounter a problem. For example, the reduction may end up simulating a party i’s response yi on a non-challenge input on an extrapolated key ki , which is only known to the reduction in the exponent as g ki . Later, an adaptive adversary may corrupt party i, when the reduction has to return ki – which is not known in the “clear”. The tweak we employ here is very similar to the one used in the adaptive threshold signature scheme of LJY [23]. The DPRF construction will now have two keys u and v and the output on x will be DPu,v (x) := w1u w2v where H(x) = (w1 , w2 ) ∈ G × G. The main intuition is that the value w1u w2v is not revealing enough information on (u, v). In our proof we program the random oracle on non-challenge inputs such that they are answered by H(x) = (g sj , g wsj ) for the same w. This change is indistinguishable to the attacker as long as DDH is hard. Once we are in this hybrid, information theoretically it is possible to argue that the attacker only gets information {s1 (u + vw), s2 (u + vw), . . .} – this basically leaves (u, v) undetermined except u + vw = k for given k and w. Hence, it is possible to handle adaptive queries as the original keys u, v are always known to the reduction. For the case when the attacker corrupts  < t − 1 parties, the DiSE DP-DDH proof becomes significantly more complex. This is due to the fact that, in that case the attacker may ask evaluation queries on the challenge x too, albeit up to g = (t − 1 − ) many of them (otherwise the attacker would have enough information to compute DPk (x )). Now, it becomes hard to simulate the challenge and non-challenge evaluation queries together from the DDH challenge if it is not known ahead of time which g evaluation queries would be made on x . To handle that, the DiSE proof first makes the non-challenge evaluation queries independent of the challenge evaluation queries – they went through q hybrids, where q is the total number of distinct evaluation queries. Each successive hybrids are proven indistinguishable assuming DDH; in each of these reductions the knowledge of C plays a crucial role. Our construction, on the other hand, takes care of this setting already due to the adaptive nature. Specifically, when we switch all the random oracle queries on any no-challenge input x to H(x) = (g sj , g wsj ) for the same w, the answers to the evaluation queries on x (that are still being programmed with H(x) = (g sj g tj ) for uniform tj ) becomes statistically independent of them. So, no additional effort is needed to handle the case  < t − 1. Similar to DiSE, we provide a stronger version of DPRF with a stronger adaptive correctness property; plugging-in with the generic DiSE construction

Adaptively Secure Threshold Symmetric-Key Encryption

471

we obtain a stronger variant of TSE scheme that too achieves adaptive correctness. Our stronger DPRF is obtained by adding a commit-and-prove technique similar to DiSE. However, in contrast to DiSE, which relies on trapdoor commitments, we only require statistically hiding commitment scheme. This is due to the fact that DiSE DPRF definition supports a weak form adaptivity that allows the adversary to choose the corrupt set based on the public parameters. The public parameters contain the commitments. Therefore, the reduction needs to produce the commitments in an “equivocal manner” before knowing C – when C is known, the reduction picks up the shares for corrupt parties and uses the trapdoor to open them to the committed values. Our construction, on the other hand, tackles adaptivity in a different way and hence trapdoors are not required. However, we need adaptive NIZKs for this strengthened construction. We provide a simple and efficient adaptive NIZK construction for the specific commit-andprove statement in Appendix A based on Schnorr’s protocol and Fiat-Shamir, which may be of independent interest.

4

Preliminaries

In this paper, unless mentioned otherwise, we focus on specific interactive protocols that consist of only two-rounds of non-simultaneous interactions: an initiating party (often called an initiator) sends messages to a number of other parties and gets a response from each one of them. In particular, the parties contacted do not communicate with each other. Our security model considers adaptive and malicious corruption. Common Notation. We use notations similar to DiSE. Let N denote the set of positive integers. We use [n] for n ∈ N to denote the set {1, 2, . . . , n}. A function f : N → N is negligible, denoted by negl, if for every polynomial p, f (n) < 1/p(n) for all large enough values of n. We use D(x) =: y or y := D(x) to denote that y is the output of the deterministic algorithm D on input x. Also, R(x) → y or y ← R(x) denotes that y is the output of the randomized algorithm R on input x. R can be derandomized as R(x; r) =: y, where r is the explicit random tape used by the algorithm. For two random variables X and Y we write X ≈comp Y to denote that they are computationally indistinguishable and X ≈stat Y to denote that they are statistically close. Concatenation of two strings a and b is either denoted by (ab) or (a, b). Throughout the paper, we use n to denote the total number of parties, t to denote the threshold, and κ to denote the security parameter. We make the natural identification between players and elements of {1, . . . , n}. We will use Lagrange interpolation for evaluating a polynomial. For any polynomial P , the i-th Lagrange coefficient for a set S to compute P (j) is denoted by λj,i,S . Matching the threshold, we will mostly consider (t − 1)-degree polynomials, unless otherwise mentioned. In this case, at least t points on P are needed to compute any P (j). Inputs and Outputs. We write [j : x] to denote that the value x is private to party j. For a protocol π, we write [j : z  ] ← π([i : (x, y)], [j : z], c) to denote

472

P. Mukherjee

that party i has two private inputs x and y; party j has one private input z; all the other parties have no private input; c is a common public input; and, after the execution, only j receives an output z  . We write [i : xi ]∀i∈S or more compactly xS to denote that each party i ∈ S has a private value xi . Network Model. We assume that all the parties are connected by point-to-point secure and authenticated channels. We also assume that there is a known upperbound on the time it takes to deliver a message over these channels. Cryptographic Primitives. We need some standard cryptographic primitives to design our protocols like commitments, secret-sharing, adaptive non-interactive zero-knowledge proofs, etc. For completeness we provide the formal definitions, mostly taken verbatim from DiSE, in the full version [27].

5

Distributed Pseudo-Random Functions: Definitions

We now present a formal treatment of adaptively secure DPRF. First we present the DPRF consistency which is exactly the same as in DiSE [6] and is taken verbatim from there as it does not consider any corruption. Definition 1 (Distributed Pseudo-random Function). A distributed pseudo-random function (DPRF) DP is a tuple of three algorithms (Setup, Eval, Combine) satisfying a consistency property as defined below. – Setup(1κ , n, t) → ((sk1 , . . . , skn ), pp). The setup algorithm generates n secret keys (sk1 , sk2 , . . . , skn ) and public parameters pp. The i-th secret key ski is given to party i. – Eval(ski , x, pp) → zi . The Eval algorithm generates pseudo-random shares for a given value. Party i computes the i-th share zi for a value x by running Eval with ski , x and pp. – Combine({(i, zi )}i∈S , pp) =: z/⊥. The Combine algorithm combines the partial shares {zi }i∈S from parties in the set S to generate a value z. If the algorithm fails, its output is denoted by ⊥. Consistency. For any n, t ∈ N such that t ≤ n, all ((sk1 , . . . , skn ), pp) generated by Setup(1κ , n, t), any input x, any two sets S, S  ⊂ [n] of size at least t, there exists a negligible function negl such that Pr[Combine({(i, zi )}i∈S , pp) = Combine({(j, zj )}j∈S  , pp) = ⊥] ≥ 1 − negl(κ), where zi ← Eval(ski , x, pp) for i ∈ S, zj ← Eval(skj , x, pp) for j ∈ S  , and the probability is over the randomness used by Eval. Next we define the adaptive security of DPRF. This differs from the definition provided in DiSE as for both correctness and pseudorandomness adaptive corruption is considered.

Adaptively Secure Threshold Symmetric-Key Encryption

473

Definition 2 ((Strong)-adaptive security of DPRF). Let DP be a distributed pseudo-random function. We say that DP is adaptively secure against malicious adversaries if it satisfies the adaptive pseudorandomness requirement (Definition 3). Also, we say that DP is strongly-adaptively-secure against malicious adversaries if it satisfies both the adaptive pseudorandomness and adaptive correctness (Definition 4) requirements. A DPRF is adaptively pseudorandom if no adaptive adversary can guess the PRF value on an input for which it hasn’t obtained shares from at least t parties. It is adaptively correct if no adaptive adversary can generate shares which lead to an incorrect PRF value. We define these properties formally below. Definition 3 (Adaptive pseudorandomness). A DPRF DP := (Setup, Eval, Combine) is adaptively pseudorandom if for all PPT adversaries A, there exists a negligible function negl such that |Pr [PseudoRandDP,A (1κ , 0) = 1] − Pr [PseudoRandDP,A (1κ , 1) = 1]| ≤ negl(κ), where PseudoRand is defined below. PseudoRandDP,A (1κ , b): – Initialization. Run Setup(1κ , n, t) to get ((sk1 , . . . , skn ), pp). Give pp to A. Initialize the state of party-i as sti := {ski }. The state of each honest party is updated accordingly– we leave it implicit below. Initialize a list L := ∅ to record the set of values for which A may know the PRF outputs. Initialize the set of corrupt parties C := ∅. – Adaptive corruption. At any point receive a new set of corrupt parties C˜ from ˜ A. Give the states {sti }i∈C˜ of these parties to A and update C := C ∪ C. Repeat this step as many times as A desires. – Pre-challenge Evaluation. In response to A’s evaluation query (Eval, x, i) return Eval(ski , x, pp) to A. Repeat this step as many times as A desires. Record all these queries. – Build lists. For each evaluation query on an input x, build a list Lx containing all parties contacted at any time in the game. – Challenge. A outputs (Challenge, x , S  , {(i, zi )}i∈U  ) such that |S  | ≥ t and U  ∈ S  ∩ C. Let zi ← Eval(ski , x , pp) for i ∈ S  \U  and z  := Combine({(i, zi )}i∈S\U ∪ {(i, zi )}i∈U , pp). If z  = ⊥, return ⊥. Else, if b = 0, return z  ; otherwise, return a uniformly random value. – Post-challenge evaluation and corruption. Exactly same as the pre-challenge corruption and evaluation queries. – Guess. When A returns a guess b then do as follows: – if the total number of corrupt parties, |C| ≥ t then output 0 and stop; – if the challenge x has been queried for evaluation for at least g := t − |C| honest parties, that is if Lx ∩ ([n]\C) ≥ g then output 0 and stop; – otherwise output b .

474

P. Mukherjee

Remark 1 (Difference with static security [6]). The main differences with the static version, given in DiSE, are in the “Corruption” and the “Guess” phase. Corruption takes place at any time in the security game and the set of all corrupt parties is updated correspondingly. Now, we need to prevent the adversary to win trivially. For that, we maintain lists corresponding to each evaluation input (in DiSE definition only one list suffices) and in the end check that whether the adversary has sufficient information to compute the DPRF output itself. This becomes slightly trickier than the static case due to constant updating of the list of corrupt parties. Remark 2 (Comparing with definition of [25]). Our pseudorandomness definition is stronger than the definition of Libert et al. [25], in that a malicious adversary is not allowed to supply malformed partial evaluations during the challenge phase. We handle this by attaching NIZK proofs. Definition 4 (Adaptive correctness). A DPRF DP := (Setup, Eval, Combine) is adaptively correct if for all PPT adversaries A, there exists a negligible function negl such that the following game outputs 1 with probability at least 1 − negl(κ). – Initialization. Run Setup(1κ , n, t) to get ((sk1 , . . . , skn ), pp). Give pp to A. Initialize the state of party-i as sti := {ski }. The state of each honest party is updated accordingly– we leave it implicit below. Initialize the set of corrupt parties C := ∅. – Adaptive Corruption. At any time, receive a new set of corrupt parties C˜ from ˜ < t. Give the secret states {sti } ˜ of these parties to A A, where |C ∪ C| i∈C ˜ Repeat this step as many times as A desires. and update C := C ∪ C. – Evaluation. In response to A’s evaluation query (Eval, x, i) for some i ∈ [n]\C, return Eval(ski , x, pp) to A. Repeat this step as many times as A desires. – Guess. Receive a set S of size at least t, an input x , and shares {(i, zi )}i∈S∩C from A. Let zj ← Eval(skj , x , pp) for j ∈ S and zi ← Eval(ski , x , pp) for i ∈ S\C. Also, let z := Combine({(j, zj )}j∈S , pp) and z  := Combine({(i, zi )}i∈S\C ∪ {(i, zi )}i∈S∩C , pp). Output 1 if z  ∈ {z, ⊥}; else, output 0.

6

Threshold Symmetric-Key Encryption: Definitions

In this section, we provide the formal definitions of threshold symmetric-key encryption (TSE). We start by specifying the algorithms that constitute a TSE scheme, which is taken verbatim from DiSE [6]. Definition 5 (Threshold Symmetric-key Encryption). A threshold symmetric-key encryption scheme TSE is given by a tuple (Setup, DistEnc, DistDec) that satisfies the consistency property below.

Adaptively Secure Threshold Symmetric-Key Encryption

475

– Setup(1κ , n, t) → (sk[n] , pp): Setup is a randomized algorithm that takes the security parameter as input, and outputs n secret keys sk1 , . . . , skn and public parameters pp. The i-th secret key ski is given to party i. – DistEnc(sk[n] , [j : m, S], pp) → [j : c/⊥]: DistEnc is a distributed protocol through which a party j encrypts a message m with the help of parties in a set S. At the end of the protocol, j outputs a ciphertext c (or ⊥ to denote failure). All the other parties have no output. – DistDec(sk[n] , [j : c, S], pp) → [j : m/⊥]: DistDec is a distributed protocol through which a party j decrypts a ciphertext c with the help of parties in a set S. At the end of the protocol, j outputs a message m (or ⊥ to denote failure). All the other parties have no output. Consistency. For any n, t ∈ N such that t ≤ n, all (sk[n] , pp) output by Setup(1κ ), for any message m, any two sets S, S  ⊂ [n] such that |S|, |S  | ≥ t, and any two parties j ∈ S, j  ∈ S  , if all the parties behave honestly, then there exists a negligible function negl such that  Pr [j  : m] ← DistDec(sk[n] , [j  : c, S  ], pp) |

 [j : c] ← DistEnc(sk[n] , [j : m, S], pp) ≥ 1 − negl(κ),

where the probability is over the random coin tosses of the parties involved in DistEnc and DistDec. Next we define the security of a TSE scheme in presence of an adaptive and malicious adversary. Definition 6 ((Strong)-Adaptive Security of TSE). Let TSE be a threshold symmetric-key encryption scheme. We say that TSE is (strongly)adaptively secure against malicious adversaries if it satisfies the (strong)adaptive correctness (Definition 7), adaptive message privacy (Definition 8) and (strong)-adaptive authenticity (Definition 9) requirements. 6.1

Adaptive Correctness

The adaptive correctness definition barely changes from the static version in DiSE, except the required adjustment in the corruption phase. Definition 7 (Adaptive Correctness). A TSE scheme TSE := (Setup, DistEnc, DistDec) is adaptively correct if for all PPT adversaries A, there exists a negligible function negl such that the following game outputs 1 with probability at least 1 − negl(κ). – Initialization. Run Setup(1κ ) to get (sk[n] , pp). Give pp to A. Initialize the state of party-i as sti := {ski }. The state of each honest party is updated accordingly– we leave it implicit below. Initialize the set of corrupt parties to C := ∅.

476

P. Mukherjee

– Adaptive Corruption. At any time receive a new set of corrupt parties C˜ from ˜ < t. Give the secret-states {sti } ˜ to A. Repeat this as A, where |C ∪ C| i∈C many times as A desires. – Encryption. Receive (Encrypt, j, m, S) from A where j ∈ S\C and |S| ≥ t. Initiate the protocol DistEnc from party j with inputs m and S. If j outputs ⊥ at the end, then output 1 and stop. Else, let c be the output ciphertext. – Decryption. Receive (Decrypt, j  , S  ) from A where j  ∈ S  \C and |S  | ≥ t. Initiate the protocol DistDec from party j  with inputs c, S  and pp. – Output. Output 1 if and only if j  outputs m or ⊥. A strongly-adaptively-correct TSE scheme is a correct TSE scheme but with a different output step. Specifically, output 1 if and only if: – If all parties in S  behave honestly, then j  outputs m; or, – If corrupt parties in S  deviate from the protocol, then j  outputs m or ⊥. Remark 3. Note that, an adaptive adversary may corrupt a party j right after the encryption phase such that the condition j ∈ S\C does not hold anymore. However, this does not affect the winning condition, because we just need the party j, who makes the encryption query, to output a legitimate ciphertext immediately – for which we need that party to be honest only within the encryption phase. 6.2

Adaptive Message Privacy

Similar to DiSE our definition is a CPA-security style definition additionally accompanied by an indirect decryption access to the attacker. However, due to adaptive corruption, handling indirect decryption queries become more subtle. We provide the formal definition below. Definition 8 (Adaptive message privacy). A TSE scheme TSE := (Setup, DistEnc, DistDec) satisfies message privacy if for all PPT adversaries A, there exists a negligible function negl such that   Pr MsgPrivTSE,A (1κ , 0) = 1 −

where MsgPriv is defined below.

  Pr MsgPrivTSE,A (1κ , 1) = 1  ≤ negl(κ),

Adaptively Secure Threshold Symmetric-Key Encryption

477

MsgPrivTSE,A (1κ , b): – Initialization. Run Setup(1κ , n, t) to get (sk[n] , pp). Give pp to A. Initialize the state of party-i as sti := {ski }. The state of each honest party is updated accordingly– we leave it implicit below. Initialize a list Ldec := ∅. – Adaptive Corruption. Initialize C := ∅ At any time receive a new set of ˜ < t. Give the secret-states {sti } ˜ corrupt parties C˜ from A, where |C ∪ C| i∈C to A. Repeat this as many times as A desires. – Pre-challenge encryption queries. In response to A’s encryption query (Encrypt, j, m, S), where j ∈ S and |S| ≥ t, run an instance of the protocol DistEnc with A5 . If j ∈ / C, then party j initiates the protocol with inputs m and S, and the output of j is given to A. Repeat this step as many times as A desires. – Pre-challenge indirect decryption queries. In response to A’s decryption query (Decrypt, j, c, S), where j ∈ S\C and |S| ≥ t, party j initiates DistDec with inputs c and S. Record j in a list Ldec . Repeat this step as many times as A desires. – Challenge. A outputs (Challenge, j  , m0 , m1 , S  ) where |m0 | = |m1 |, j  ∈ S  \C and |S  | ≥ t. Initiate the protocol DistEnc from party j  with inputs mb and S  . Give c (or ⊥) output by j  as the challenge to A. – Post-challenge encryption queries. Repeat pre-challenge encryption phase. – Post-challenge indirect decryption queries. Repeat pre-challenge decryption phase. – Guess. Finally, A returns a guess b . Output b if and only if (i) j  ∈ C and (ii) Ldec ∩ C = ∅; otherwise return a random bit. Remark 4. The main difference from the non-adaptive setting comes in the Guess phase, in that, the winning condition requires that neither (i) the initiator of the challenge query, (ii) nor any of the initiator of an indirect decryption query is corrupt. To handle the later we introduce a list Ldec which records identities of all parties who made an indirect decryption query. 6.3

Adaptive Authenticity

Similar to DiSE, our authenticity definition follows a one-more type notion. To adapt the authenticity definition into the adaptive setting, we need to make sure to exactly track the information gained by adversary which is sufficient to produce valid ciphertexts. This leads to some subtleties in the adaptive case. We incorporate that below by “delaying” the counting of the number of honest responses per query. Definition 9 (Adaptive authenticity). A TSE scheme TSE := (Setup, DistEnc, DistDec) satisfies authenticity if for all PPT adversaries A, there exists a negligible function negl such that Pr [AUTHTSE,A (1κ ) = 1] ≤ negl(κ), 5

Note that j can be either honest or corrupt here. So both types of encryption queries are captured.

478

P. Mukherjee

where AUTH is defined below. AUTHTSE,A (1κ ): – Initialization. Run Setup(1κ , n, t) to get (sk[n] , pp). Give pp to A. Initialize the state of party-i as sti := {ski }. The state of each honest party is updated accordingly– we leave it implicit below. Initialize counter ct := 0 and ordered lists Lact , Lctxt := ∅. Below, we assume that for every query, the (j, S) output by A are such that j ∈ S and |S| ≥ t. Initialize C := ∅. – Adaptive Corruption. At any time receive a new set of corrupt parties C˜ from ˜ < t. Give the secret-states {sti } ˜ to A. Repeat this as A, where |C ∪ C| i∈C many times as A desires. – Encryption queries. On receiving (Encrypt, j, m, S) from A, run the protocol DistEnc with m, S as the inputs of j. Append (j, S) into list Lact . If j ∈ C, then also append the ciphertext into the list Lctxt . – Decryption queries. On receiving (Decrypt, j, c, S) from A run the protocol DistDec with c, S as the inputs of j. Append (j, S) into the list Lact . – Targeted decryption queries. On receiving (TargetDecrypt, j, , S) from A for some j ∈ S\C, run DistDec with c, S as the inputs of j, where c is the -th ciphertext in Lctxt . Append (j, S) into Lact . – Forgery. For each j ∈ C, for each entry (there can be multiple entries, which are counted as many times) (j, S) ∈ Lact increment ct by |S\C|. Define g := t− |C| and k := ct/g. A outputs ((j1 , S1 , c1 ), (j2 , S2 , c2 ), . . . , (jk+1 , Sk+1 , ck+1 )) / C and cu = cv for any u = v ∈ [k + 1] (ciphertexts such that j1 , . . . , jk+1 ∈ are not repeated). For every i ∈ [k + 1], run an instance of DistDec with ci , Si as the input of party ji . In that instance, all parties in Si behave honestly. Output 0 if any ji outputs ⊥; else output 1. A TSE scheme satisfies strong-authenticity if it satisfies authenticity but with a slightly modified AUTH: In the forgery phase, the restriction on corrupt parties in Si to behave honestly is removed (for all i ∈ [k + 1]). Remark 5. The above definition has some important differences with the static case [6], because tracking the exact amount of information acquired by the adversary throughout the game for producing legitimate ciphertexts becomes tricky in presence of adaptive corruption. To enable this we keep track of pairs (j, S) for any encryption or decryption query made at any time irrespective of whether j is honest or corrupt at that time. This is because, an adaptive adversary may corrupt j at a later time. In the forgery phase, when the whole corrupt set C is known, then for each such pair the corresponding number of maximum possible honest responses |S\C| for that query is computed. For static corruption this issue does not come up as the corrupted set C is known in the beginning.

7

Our DPRF Constructions

In this section we provide several DPRF constructions against adaptive attackers. In Sect. 7.1 we provide our main DPRF construction. In Sect. 7.2, we provide an extension which is strongly adaptively secure. Finally in Sect. 7.3 we briefly argue the adaptive security naturally achieved by the DP-PRF construction.

Adaptively Secure Threshold Symmetric-Key Encryption

7.1

479

Adaptively-Secure DPRF

Our DDH-based DPRF is provided in Fig. 1. We prove the following theorem formally.

Fig. 1. An adaptively secure DPRF protocol Πadap based on DDH.

Theorem 1. Protocol Πadap in Fig. 1 is an adaptively secure DPRF under the DDH assumption in the programmable random oracle model. proof sketch. We need to show that the construction given in Fig. 1 satisfies the consistency and adaptive pseudorandomness. The consistency is straightforward from the construction. So below we only focus on adaptive pseudorandomness. In particular, we show that if there exists a PPT adversary A which breaks the adaptive pseudorandomness game, then we can build a polynomial time reduction that breaks the DDH assumption. The formal proof is provided in the full version [27]. We give a sketch below. Somewhat surprisingly our proof is significantly simpler than DiSE. This is because, since our construction is purposefully designed to protect against adaptive corruption, we can easily switch to a hybrid where the information obtained by the adverasry through all non-challenge evaluation queries are simulated using a key, that is statistically independent from the actual key. In contrast, DiSE’s proof needs to carefully make the non-challenge evaluation query independent to reach a similar hybrid by crucially relying on the knowledge of corrupt set from the beginning. For any PPT adversary A and a bit b ∈ {0, 1} we briefly describe the hybrids below: PseudoRandA (b). This is the real game in that the challenger chooses random (si , ti )←$ Z2p for simulating the i-th random oracle query on any xi as H(xi ) := (g si , g ti ). Hyb1A (b). In the next hybrid experiment Hyb1A (b) the only change we make is: the challenger guesses the challenge input x randomly (incurring a 1/qH loss for

480

P. Mukherjee

qH = poly(κ) distinct random oracle queries) and simulates the random oracle query on all xi = x as H(xi ) := (g si , g ωsi ) where ω, s1 , s2 , . . . are each sampled uniformly random from Zp . This implicitly sets ti := ωsi . Note that, each query has the same ω, but a different si – this way the challenger ensures that the attacker does not learn any new information by making more queries. However, for x the random oracle is programmed as usual by sampling random s , t   values as H(x ) := (g s , g t ). Claim. Assuming DDH is hard in group G, we have that PseudoRandA (b) ≈comp Hyb1A (b). Given a DDH challenge g α , g β , g γ where γ is either is equal to αβ or uniform random in Zp the reduction set g si := g μi · g αbi for uniform random μi , σi ∈ Z2p and g ti := g μi β · g γσi . Now, if γ = αβ, then implicitly (in the exponent) the challenger sets si := μi + σi α and ti := β(μi + σi α), which implies that ω := β and ti := si ω. So Hyb1 is perfectly simulated. On the other hand, when γ is uniform random, then ti := μi β + σi γ which is uniform random in Zp – this perfectly simulates Hyb0 . Hyb2A (b). In this hybrid we do not make any change from Hyb1A (b) except that all non-challenge evaluation queries are responded with a key k←$ Zp sampled uniformly at random, whereas the corruption query for party j are answered using randomly sampled uj , vj subject to uj + ωvj = kj where kj is the j-th Shamir’s share of k. In particular, for a non-challenge evaluation query Eval(xi , j), the challenger returns g si kj where H(xi ) = (g si , g ωsi ). The challenge query and the evaluation queries on x are answered similar to Hyb1A (b). Claim. We have that: Hyb1A (b) ≈stat Hyb2A (b) Note that, this statement is information theoretic and hence we assume that the adversary here can be unbounded. First we notice that, in both the hybrids an unbounded adversary learns values {s1 , s2 , . . .}, ω from the random oracle responses. Furthermore, it learns at most t − 1 pairs {uj , vj }i∈C where |C| < t, given which (u, v) remains statistically hidden. Now, the only difference comes in the non-challenge evaluation queries. In Hyb1A (b), the adversary learns {u + ωv} from them whereas in Hyb2A (b) it learns a random k. Now, we note that conditioned on the common values, u + vω is uniformly random for randomly chosen u, v, because it is basically a universal hash function where ω is the input and (u, v) are uniform random keys. Hence the two distributions are statistically close. Now, once we are in Hyb2A (b), it is easy to observe that the response to the challenge query is uniformly random irrespective of b, which in turn implies that Hyb2A (0) ≈stat Hyb2A (1), which concludes the proof of the theorem. We provide the full proof in detail in the full version.  

Adaptively Secure Threshold Symmetric-Key Encryption

7.2

481

Strongly-Adaptively Secure DPRF

Adding adequate NIZK proofs and commitments we obtain an adaptively-secure DPRF which satisfies adaptive correctness too. However, we need to rely on statistically hiding and a specific adaptive NIZK6 argument [21] for a commitand-prove style statement. We also provide a simple and efficient construction of adaptive NIZK argument system for the particular commit-and-prove statement in Appendix A based on Schnorr’s protocol and Fiat-Shamir’s transformation, which may be of independent interest. The protocol is proven secure assuming DDH in the random oracle model. The construction is provided in Fig. 2. Formally we prove the following theorem. We skip the full proof as it is quite similar to the proof of Theorem 1 with the adequate changes. Instead we provide a sketch below remarking on the changes needed. Theorem 2. Protocol Πstr-adap in Fig. 2 is a strongly adaptively secure DPRF under the DDH assumption in the programmable random oracle model. proof sketch. For strong adaptive security we need to show (i) adaptive pseudorandomness and (ii) adaptive correctness. First we discuss adaptive correctness. The proof of adaptive correctness is very similar to the one provided in DiSE for the non-adaptive case except adequate changes in the statement of the NIZK proof. Recall that, the main idea of the construction (Fig. 2) is to use commitments using which the Setup procedure publishes commitments of everyone’s secret key. Later, when queried for an evaluation, each party, in addition to the evaluation, sends a NIZK proof stating that the evaluation is correctly computed using the actual keys (those are committed before). So, to violate adaptive correctness the attacker must break either the simulation-soundness of NIZK or the binding of the commitment scheme– rendering its task infeasible. Note that, the adversary does not gain anything by being adaptive in this case. The adaptive pseudorandomness proof follows the footstep of the proof of Theorem 1. However, due to presence of the commitments and NIZKs some adjustments are required. In particular, we need to ensure that neither the commitments, nor the proofs give away more information, for which statistical hiding and adaptive zero-knowledge properties of them will be used respectively. We describe the hybrids below and highlight the changes in red from the proof of Theorem 1. For any PPT adversary A and a bit b ∈ {0, 1} we briefly describe the hybrids below: PseudoRandA (b). This is the real game in that the challenger chooses random (si , ti )←$ Z2p for simulating the i-th random oracle query on any xi as H(xi ) := (g si , g ti ). Hyb1A (b). In the next hybrid experiment Hyb1A (b) the only change we make is: the challenger guesses the challenge input x randomly (incurring a 1/qH loss for qH = poly(κ) distinct random oracle queries) and simulates the random oracle 6

Groth et al. [21] alternatively calls them zero-knowledge in erasure-free model.

482

P. Mukherjee

query on all xi = x as H(xi ) := (g si , g ωsi ) where ω, s1 , s2 , . . . are each sampled uniformly random from Zp . This implicitly sets ti := ωsi . Note that, each query has the same ω, but a different si – this way the challenger ensures that the attacker does not learn any new information by making more queries. However, for x the random oracle is programmed as usual by sampling random s , t   values as H(x ) := (g s , g t ). Claim. Assuming DDH is hard in group G, we have that PseudoRandA (b) ≈comp Hyb1A (b). This claim follows analogously to Theorem 1. 1.5 (b). In this hybrid the only changes made are in the NIZK proofs– the HybA challenger sends simulated NIZK proofs instead of the actual NIZK proofs to the attacker for all honest evaluation/challenge requests. Hence, the NIZK proofs are made independent of the witnesses (ui , vi , ρ1i , ρ2i ). From the adaptive zero-knowledge property of NIZK we conclude that 1.5 (b). Note that, adaptive zero-knowledge is crucial here Hyb1A (b) ≈comp HybA as the attacker may corrupt a party, on behalf of which a simulated proof has already been sent earlier. The corruption request is simulated by providing a randomness along with the witnesses ((ui , vi , ρ1i , ρ2i ) for party i in this case) to explain the simulated proof. Hyb2A (b). In this hybrid we do not make any change from Hyb1A (b) except that all non-challenge evaluation queries are responded with an independent key k←$ Zp sampled uniformly at random, whereas the corruption query for party j are answered using randomly sampled uj , vj subject to uj + ωvj = kj where kj is the j-th Shamir’s share of k. In particular, for a non-challenge evaluation query Eval(xi , j), the challenger returns g si kj where H(xi ) = (g si , g ωsi ). Challenge queries and the evaluation query on x are answered similar to Hyb1A (b). Claim. We have that: Hyb1A (b) ≈stat Hyb2A (b) To prove this information theoretic claim we use that the fact that the commitments are statistically hiding and hence they do not reveal any additional information. Furthermore, in both the hybrids the proofs are simulated and hence they are too statistically independent of the witnesses. The rest of argument follows analogous to the proof of Theorem 1, and therefore we omit the details. 7.3

PRF-Based Construction

The PRF-based construction of NPR (also used in DiSE) can be easily shown to be adaptive secure using complexity leveraging, just by guessing the corrupt set aheadof time in the security game. This, of course, incurs a loss proportional to O( nt ) in the security as there are that many possible corrupt sets. n However, since the complexity of this scheme is anyway proportional to O( t ), this natural solution is asymptotically optimal in this case. As a result the DP-PRF construction can be used to protect against adaptive corruption readily without

Adaptively Secure Threshold Symmetric-Key Encryption

any change in certain settings, in particular when security parameter.

n t

483

is a polynomial in the  

Fig. 2. A strongly adaptively secure DPRF protocol Πstr-adap based on DDH. Differences from Πadap are highlighted in blue.

Appendix A

Our Adaptive Non-interactive Zero-Knowledge

Here we show a simple and efficient construction of adaptive NIZK for the specific commit-and-prove statement required for our construction Πstr-adap . We provide the relevant definitions in the full version [27]. Consider a group G of prime order p where discrete log is hard. Let g be a generator. Let SCom := (Setupcom , Com) be a the Pederson’s commitment scheme where Setupcom returns (g, h) such that h = g x and Com(m; r) := g m hr . It is easy to see that this is a statistically hiding commitment scheme. Let H : {0, 1} → G2 and H : {0, 1}∗ → Zp be hash functions modeled as random oracles. We construct a NIZK proof system for the relation Rcom-prov = {x, z, c1 , c2 : ∃ (k1 , k2 , ρ1 , ρ2 ) such that ∀ i ∈ {1, 2}, ci = Com(ki ; ρi ) and z = w1k1 w2k2 where (w1 , w2 ) := H(x)}. The main idea is to use a Schnorr’s proof [30] along with Fiat-Shamir transformation [17]. Recall that, the Schnorr proof system can be used prove a knowledge

484

P. Mukherjee

of exponent, in this case knowledge of k1 , k2 for which z = w1k1 w2k2 . Nevertheless, this does not prove anything about the individual ki . Separately, the commitment, when instantiated with Pederson’s, can also be thought of as knowledge of exponents of k1 , ρ1 and k2 , ρ2 individually and can be proven using Schnorrlike scheme–this is possible due to the homomorphic property of the commitment scheme, by which Com(m1 ; r1 ) and Com(m2 ; r2 ) can be combined to produce a commitment of Com(m1 + m2 ; r1 + r2 ). These two separate proofs are bound together (that is, the same ki are used) by using the same challenge e for verification.  ProveH,H ((x, z, c1 , c2 ), (k1 , k2 , ρ1 , ρ2 )): The prover works as follows: – – – – – –

Sample randomnesses v1 , v2 , vˆ1 , vˆ2 from Zp . Let (w1 , w2 ) := H(x). Compute t := w1v1 w2v2 ; tˆ1 := Com(v1 ; vˆ1 ) and tˆ2 := Com(v2 ; vˆ2 ). Generate the challenge (Fiat-Shamir) e := H (t, tˆ1 , tˆ2 ). Compute ui := vi + eki and u ˆi := vˆi + eρi for all i ∈ {1, 2}. Output π := ((t, tˆ1 , tˆ2 ), e, (u1 , u2 , u ˆ1 , u ˆ2 )). 

ˆ1 , u ˆ2 )) The verifier VerifyH,H (s := (x, z, c1 , c2 ), π := ((t, tˆ1 , tˆ2 ), e, (u1 , u2 , u computes (w1 , w2 ) := H(x) and then checks the following and output 1 if and only if all of them succeeds, and 0 otherwise: – – – –

e = H (t, tˆ1 , tˆ2 ). w1u1 w2u2 = tz e . huˆ1 g u1 = tˆ1 ce1 . huˆ2 g u2 = tˆ2 ce2 .

Lemma 1. The above protocol is a adaptive NIZK argument system in the random oracle model assuming DDH. Proof. Perfect completeness is obvious. The simulation soundness follows from a standard Fiat-Shamir rewinding argument in ROM. We show the adaptive zero-knowledge, for which we construct simulators S1 , S2 , S3 as follows: – S1 . This algorithm simulates fresh random oracle queries on x for H by sampling α, β←$ Z2p , storing (x, α, β) in table Q1 and finally returning the pair (g α , g β ). Furthermore, it also simulates fresh random oracle queries for H by returning a uniform random value in G and storing the input-output pair in Q2 . Repeating queries are simulated using the tables Q, Q2 appropriately. Furthermore, S1 can be asked by S2 or S3 to program both H, H with specific input-output pairs– if that pair is already defined (queried by A earlier), then S1 fails to program. – S2 . This algorithm, on input (x, z, c1 , c2 ) works as follows: ˆ1 , u ˆ2 from Zp and define ρS := – sample uniform random e, u1 , u2 , u ˆ1 , u ˆ2 ); (e, u1 , u2 , u – compute (w1 , w2 ) := H(x); – set t := w1u1 w2u2 z −e , {tˆi := huˆi g ui cei }i∈{1,2} ; – ask S1 to program H for input (t, tˆ1 , tˆ2 ) and output e;

Adaptively Secure Threshold Symmetric-Key Encryption

485

– returns π := ((t, tˆ1 , tˆ2 ), e, (u1 , u2 , u ˆ1 , u ˆ2 )). – S3 . This algorithm, on input statement (x, z, c1 , c2 ), witness (k1 , k2 , ρ1 , ρ2 ), ˆ1 , u ˆ2 ) works as follows: and S2 ’s randomness ρS = (e, u1 , u2 , u ˆ1 , u ˆ2 )) as – use S2 ((x, z, c1 , c2 ); ρS ) to generate π = ((t, tˆ1 , tˆ2 ), e, (u1 , u2 , u above; ˆi − eρi for i ∈ {1, 2}; – then compute vi := ui − eki and vˆi := u – output r := (v1 , v2 , vˆ1 , vˆ2 ) It is straightforward to see that the above simulators indeed satisfy the adaptive zero-knowledge property. This concludes the proof.

References 1. 2. 3. 4. 5.

6.

7.

8.

9.

10.

11.

Dyadic Security. https://www.dyadicsec.com Porticor Cloud Security. Acquired by Intuit. http://www.porticor.com/ Sepior. https://sepior.com Vault by HashiCorp. https://www.vaultproject.io/ Abdalla, M., Miner, S., Namprempre, C.: Forward-secure threshold signature schemes. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 441–456. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9 32 Agrawal, S., Mohassel, P., Mukherjee, P., Rindal, P.: DiSE: distributed symmetrickey encryption. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1993–2010. ACM Press, October 2018 Agrawal, S., Mohassel, P., Mukherjee, P., Rindal, P.: DiSE: distributed symmetrickey encryption. Cryptology ePrint Archive, report 2018/727 (2018). https://eprint. iacr.org/2018/727 Bendlin, R., Damg˚ ard, I.: Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3642-11799-2 13 Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10. 1007/3-540-36288-6 3 Boneh, D., Boyen, X., Halevi, S.: Chosen ciphertext secure public key threshold encryption without random oracles. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 226–243. Springer, Heidelberg (2006). https://doi.org/10. 1007/11605805 15 Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 565–596. Springer, Cham (2018). https://doi.org/10.1007/978-3-31996884-1 19

486

P. Mukherjee

12. Canetti, R., Goldwasser, S.: An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack (extended abstract). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 90–106. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X 7 13. Damg˚ ard, I., Keller, M.: Secure multiparty AES. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 367–374. Springer, Heidelberg (2010). https://doi.org/10.1007/9783-642-14577-3 31 14. Damg˚ ard, I., Koprowski, M.: Practical threshold RSA signatures without a trusted dealer. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 152–165. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6 10 15. De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: 26th ACM STOC, pp. 522–533. ACM Press, May 1994 16. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https:// doi.org/10.1007/0-387-34805-0 28 17. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7 12 18. Gennaro, R., Halevi, S., Krawczyk, H., Rabin, T.: Threshold RSA for dynamic and ad-hoc groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 88–107. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3 6 19. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9 31 20. Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 430–443. ACM Press, October 2016 21. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zeroknowledge. J. ACM 59(3), 11:1–11:35 (2012) 22. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. Commun. ACM 63(7), 93–101 (2020) 23. Libert, B., Joye, M., Yung, M.: Born and raised distributively: fully distributed non-interactive adaptively-secure threshold signatures with short shares. In: Halld´ orsson, M.M., Dolev, S. (eds.) 33rd ACM PODC, pp. 303–312. ACM, July 2014 24. Libert, B., Joye, M., Yung, M.: Born and raised distributively: fully distributed non-interactive adaptively-secure threshold signatures with short shares. Theor. Comput. Sci. 645, 1–24 (2016) 25. Libert, B., Stehl´e, D., Titiu, R.: Adaptively secure distributed PRFs from LWE. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 391–421. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6 15 26. Lipp, M., et al.: Meltdown: reading kernel memory from user space. Commun. ACM 63(6), 46–56 (2020) 27. Mukherjee, P.: Adaptively secure threshold symmetric-key encryption. Cryptology ePrint Archive, report 2020/1329 (2020). To appear in Indocrypt 2020. https:// eprint.iacr.org/2020/1329 28. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X 23

Adaptively Secure Threshold Symmetric-Key Encryption

487

29. Rotaru, D., Smart, N.P., Stam, M.: Modes of operation suitable for computing on encrypted data. Cryptology ePrint Archive, report 2017/496 (2017). http://eprint. iacr.org/2017/496 30. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0 22 31. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979) 32. Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75–96 (2002). https://doi.org/10.1007/s00145-0010020-9

Vetted Encryption Martha Norberg Hovd1,2 and Martijn Stam1(B) 1 Simula UiB, Merkantilen (3rd floor), Thormøhlensgate 53D, 5006 Bergen, Norway {martha,martijn}@simula.no 2 University of Bergen, Høyteknologisenteret i Bergen, Thormøhlensgate 55, 5008 Bergen, Norway

Abstract. We introduce Vetted Encryption (VE), a novel cryptographic primitive, which addresses the following scenario: a receiver controls, or vets, who can send them encrypted messages. We model this as a filter publicly checking ciphertext validity, where the overhead does not grow with the number of senders. The filter receives one public key for verification, and every user receives one personal encryption key. We present three versions: Anonymous, Identifiable, and Opaque VE (AVE, IVE and OVE), and concentrate on formal definitions, security notions and examples of instantiations based on preexisting primitives of the latter two. For IVE, the sender is identifiable both to the filter and the receiver, and we make the comparison with identity-based signcryption. For OVE, a sender is anonymous to the filter, but is identified to the receiver. OVE is comparable to group signatures with message recovery, with the important additional property of confidentiality of messages. Keywords: Encryption

1

· Group signatures · Signcryption

Introduction

Spam and phishing messages are a bane of modern communication methods, especially email. These days, most email still happens in the clear without endto-end cryptographic protection. Yet, there are standards, such as S/MIME and OpenPGP, that aim to secure email using a combination of public key and symmetric key confidentiality and authentication primitives. Intuitively, the primitive that best models secure email is signcryption [8,12]. Although signcryption allows receivers to verify locally whether an email was from its purported sender or not, this ability does not immediately lead to an efficient mechanism to filter spam centrally. A different, though not completely unrelated, scenario arrises with electronic voting systems and eligibility verifiability. This notion informally states that it should be possible to publicly verify that only those with the right to vote have done so. For obvious reasons, voters should still be anonymous, and so whitelisting is not a viable option to prevent ballot stuffing by the bulletin board, for instance. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 488–507, 2020. https://doi.org/10.1007/978-3-030-65277-7_22

Vetted Encryption

489

In this work we propose an alternative primitive called vetted encryption, which is closely related to both signcryption and group signatures. Vetted encryption lets a user, the recipient, to restrict who can send them encrypted messages by enabling an outside filter to detect which users are and are not vetted. The key features of vetted encryption are that a recipient only needs to vet each sender once (with out-of-band communication), yet does not need to tell the filter which users they have vetted. Vetted encryption comes in different flavours, depending on whether senders should be identified and authenticated or, in contrast, should remain anonymous. This choice of authentication versus anonymity can be made with respect to the outside filter and the intended receiver independently of each other, leading to a total of four possible configurations. One configurarion, where the filter would learn the identity of a ciphertext, yet the receiver could not, runs counter to our perspective that the filter is working on behalf of the recipient. Thus, only three settings remain: 1. Anonymous vetted encryption (AVE) where the sender remains anonymous to both the filter and the recipient; this scenario can be relevant for a voting system using a bulletin board, on which only eligible users should be able to post, anonymously. For example, the system Belenios [5] applies signatures and credentials to attain eligibility verifiability, which is not too dissimilar from AVE. 2. Identifiable vetted encryption (IVE) where the sender is identified for both the filter and the recipient; this scenario is typical for email spam, where the filter gets to see the email-address (or other identifying information) of the sender. 3. Opaque vetted encryption (OVE) where the sender is anonymous to the filter, yet can be identified by the recipient. This primitive is relevant for identifiable communication over an anonymous channel, for example between a trusted anonymous source and a journalist, where the source is anonymous to the newspaper, but identifiable to the reporter. OVE may also be used in an auction setting, where the seller vets who gets to bid. During bidding, the auctioneer may filter the bids, only forwarding bids from vetted participants. However, only the seller knows the identity of the active bidders in the auction. Our Contribution. Figure 1 provides an overview of the algorithms that constitute a vetted encryption scheme, where we endeavoured to surface all three variants in the picture. The private key material from the key generation (the red lines emanating at the bottom) feeds into two distinct functionalities: firstly to vet users by issuing them an encryption key, and secondly to decrypt ciphertexts. Thus one consideration to make is the possible orthogonality of the corresponding private keys. For both AVE and IVE (Definition 1) we opted for the simplest scenario where both keys are identical, whereas for OVE (Definition 2) we opted for the more challenging scenario where the keys are separate. This choice affects the security definitions and the design space for suitable constructions.

490

M. N. Hovd and M. Stam

ID

Kg

M

Derive EK Enc

C

Verify

/⊥

C

Dec

M /⊥

ID/⊥

Fig. 1. The algorithms and options involved in vetted encryption for the three options: anonymous includes neither dashed nor solid blue lines; identifiable adds the dashed blue lines only; opaque adds the solid blue lines only and distinguishes between the two red “secret” master keys for derivation resp. decryption. (Color figure online)

AVE is the simplest variant of vetted encryption and we present it in the full version [9]. It turns out all senders can be given the same signing key to encrypt then sign a message. Although this mechanism ensures full anonymity, a malicious sender could make everybody a vetted sender by simply forwarding her key. We therefore focus on IVE and OVE here. IVE is most closely related to a simplified form of identity-based signcryption with public verifiafibility. As far as we are aware, the related signcryption flavour is virtually unstudied. We give a full comparison of IVE and signcryption in the full version. Our use case for IVE allows us in Sect. 2 to navigate carefully through the possible definitional choices, esp. quite how much power is available to an adversary trying to break confidentiality, resp. integrity. Our choice allows us to use the novel primitive of “outsider-unique” identity-based signatures, which we show can be constructed by a combination of derandomisation and unique signatures (see Appendix A). The unique property is fundamental to provide non-malleability and hence confidentiality against chosen ciphertext attacks for our encrypt-then-IBsign construction (Fig. 4). OVE bears similarities with group signatures with message recovery, where additionally the message should remain confidential. However, as we will argue in Sect. 3, our use case allows us to relax security slightly, which in turn enables a slight simplification of the well-known sign-encrypt-proof paradigm for group signatures [2] which we dub verifiably encrypted certificates (Fig. 8). We give a thorough comparison with group signatures and signcryption in the full version, as well as comparisons with recent primitives such as access control encryption [6] or matchmaking encryption [1]. All proofs are also deferred to the full version [9]. Notation. When defining security, we will use concrete advantages throughout. Moreover, these advantages are defined in terms of an adversary interacting with a game or experiment. While these experiments depend on the schemes at hand, there will be no additional quantifications (e.g. over high entropy sources,

Vetted Encryption

491

simulators, or extractors). We use Pr [Code : Event] to denote probabilities where the Code is used to induce a probability distribution over which Event is defined (not to be confused with conditional probabilities). We write AO for an adversary A having access to oracle(s) O in security games and reductions. We use a number of standard primitives and their associated security notions, see the full version for a recapitulation.

2 2.1

Identifiable Vetted Encryption (IVE) Syntax and Security of IVE

The Algorithms. For identifiable vetted encryption, both the filter and the recipient may learn the identity of the sender, which we assume have received the identity via out-of-band communication. An IVE scheme consists of five algorithms, see Definition 1. The identity ID is not only an explicit input to the derivation algorithm, but also to both the verification and decryption algorithm, modelling the out-of-band communication. However, encryption does not take ID as an input, instead relying on a user’s encryption key EK implicitly encoding said identity. We allow encryption to fail, modelled by ⊥ as output. As we will see, for honestly generated encryption keys, we insist encryption never fails, but for adversarially generated encryption keys, allowing for explicit encryption failure turns out to be useful. One could alternatively introduce a separate algorithm to verify the validity of a private encryption key for a given public encryption/verification key; our approach looks simpler. Definition 1 (Identifiable Vetted Encryption (IVE)). An identifiable vetted encryption scheme IVE consists of a 5-tuple of algorithms (Ive.Kg, Ive.Derive, Ive.Enc, Ive.Verify, Ive.Dec), which behave as follows: – Ive.Kg generates a key pair (P K, SK), where P K is the public encryption (and verification) key and SK is the private derivation and decryption key. We write (P K, SK) ←$ Ive.Kg(param), allowing Ive.Kg to depend on parameters param. Henceforth, we will assume that P K can be uniquely and efficiently computed given SK. – Ive.Derive derives an encryption key EK based on the private derivation key SK and a user’s identity ID. Thus, EK ←$ Ive.DeriveSK (ID). – Ive.Enc encrypts a message M given the public encryption key P K and using the private encryption key EK, creating a ciphertext C or producing a failed encryption symbol ⊥. So, C ←$ Ive.EncP K,EK (M ) where possibly C = ⊥. – Ive.Verify verifies the validity of a ciphertext C given the public verification key P K and a user’s identity ID. With a slight abuse of notation, we write /⊥ ← Ive.VerifyID P K (C). – Ive.Dec decrypts a ciphertext C using the private key SK, given the user’s identity ID. The result can either be a message M or the invalid-ciphertext symbol ⊥. In short, M/⊥ ← Ive.DecID SK (C). The first three algorithms are probabilistic, the final two deterministic.

492

M. N. Hovd and M. Stam

Correctness and Consistency. For correctness, we require that all honestly generated ciphertexts are received as intended, that is, for all parameters param, identities ID and messages M , we have that ⎤ ⎡ C = ⊥ (P K, SK) ←$ Ive.Kg(param) ⎦ Pr ⎣ EK ←$ Ive.DeriveSK (ID) : ∧ Ive.VerifyID P K (C) =  = 1. ID C ←$ Ive.EncP K,EK (M ) ∧ Ive.DecSK (C) = M Conceptually, a ciphertext may be rejected at two different stages: the filter using Ive.Verify might reject or decryption using Ive.Dec might fail. Thus, we can consider two possible sets of ‘valid’ ciphertexts: those accepted by verification, and those accepted by decryption. Ideally, these sets coincide, but a priori this cannot be guaranteed. We call a scheme consistent if any ciphertext accepted by decryption will also be accepted by the filter verification, whereas we say the scheme is strict if any ciphertext that passes the filter, will decrypt to a message. Formally, we define both strictness and consistency in terms of rejected ‘invalid’ ciphertexts, thus flipping the order of Ive.Verify and Ive.Dec in the implications below (compared to the intuitive notion described above). That is for all possible keys (P K, SK) output by Ive.Kg and all ciphertexts C, we have ID – Consistency: Ive.VerifyID P K (C) = ⊥ ⇒ Ive.DecSK (C) = ⊥; ID ID – Strictness: Ive.DecSK (C) = ⊥ ⇒ Ive.VerifyP K (C) = ⊥.

Fortunately, it is relatively easy to guarantee consistency; the trivial transformation that runs verification as part of decryption takes care of this. Henceforth we will concentrate on consistent schemes. On the other hand, strictness is harder to guarantee a priori. Thus we will allow ciphertexts to pass the filter that are subsequently deemed invalid by decryption. Note that, for honestly generated ciphertexts, correctness ensures that decryption will actually succeed, so this scenario can only occur for ‘adulterine’ ciphertexts. Security. The security of IVE comprises of two components: integrity to ensure the filter cannot be fooled, and confidentiality of the messages to outsiders. With reference to the games defined in Fig. 2 and Fig. 3, the advantages are defined as follows: – Integrity:  Advint IVE (A)

= Pr

Expint IVE (A)

 ˆ ∈ E ∧ (ID, ˆ C) ˆ ∈ C ID : . ˆ ˆ ∧ Ive.VerifyID P K (C) = 

– Confidentiality:   conf -0 conf -1 ˆ ˆ Advconf IVE (A) = Pr ExpIVE (A) : b = 0 − Pr ExpIVE (A) : b = 0 .

Vetted Encryption

493

Fig. 2. The integrity game for IVE.

Integrity. A server running the verification algorithm to filter out invalid ciphertexts should not be easily fooled by an adversary: unless one is in possession of an encryption key (i.e. has been vetted), it should not be possible to construct a valid ciphertext. Even a vetted sender should not be able to construct a ciphertext which is considered valid under a different identity. We formally capture integrity in a game (Fig. 2) where we use the output of the verification algorithm as an indication of validity. For consistent schemes this choice is the strongest, as a forgery with respect to decryption will always be a forgery with respect to verification. The adversary is given the verification key as well as encryptions of messages of her own choosing under honest encryption keys. We use handles to grant an adversary control over the encryption keys that are used: an adversary can trigger the creation of an arbitrary number of keys for chosen identities and then indicate which key (by order of creation) should be used for a particular encryption query. Additionally, an adversary can adaptively ask for encryption keys from a corruption oracle. Obviously, a corrupted encryption key trivially allows for the construction of further valid ciphertexts for the underlying identity, so we exclude corrupted identities from the win condition. Similarly, ciphertexts resulting from an encryption query do not count as a win under the original query’s identity. Finally, an adversary has access to a decryption oracle. This oracle is superfluous for uncorrupted encryption keys, but an adversary could potentially use it to her advantage by querying it with ciphertext created under a corrupted identity. These ciphertexts will, of course, not help her win the integrity game directly, as the corresponding identity is corrupted. Yet, the oracle response might leak information about SK, which could help the adversary construct a valid ciphertext for an uncorrupted identity, hence giving an advantage in winning the integrity game. Constructing a non-strict pathological IVE scheme exploiting this loophole is easy: simply allow ciphertexts outside the support of the encryption algorithm to gradually leak the secret key based on their validity under decryption. We stress that in our instantiation of IVE we do not face this issue.

494

M. N. Hovd and M. Stam

Fig. 3. The confidentiality game for IVE.

Confidentiality. We adopt the CCA security notion for public key encryption to the setting of identifiable vetted encryption (Fig. 3). An adversary can, repeatedly, ask its challenge oracle for the encryption of one of two messages under an adversarially chosen encryption key. We give the adversary an oracle to derive and immediately learn encryption keys; moreover these known honest keys may be fed to the challenge encryption oracle. We want to avoid the decryption oracle being used by an adversary to win trivially, namely by simply querying a challenge ciphertext under the corresponding identity. But what is this corresponding identity? The encryption algorithm only takes as input an encryption key EK that may or may not allow easy extraction of an identity ID. One solution would be to only allow the adversary to ask for challenge encryptions on honestly derived encryption keys (so the game can keep track of the identity when EK is derived). Instead, we opted for a stronger version where the adversary provides the challenge encryption oracle with both an encryption key EK and a purported identity ID. If verification shows that the freshly generated challenge ciphertext does not correspond to ID, which can only happen for dishonestly generated pairs (EK, ID), then the encryption oracle rejects the query by outputting ⊥G . Intuitively, the decryption oracle is mainly relevant for identities that the adversary has previously queried to its derivation oracle: after all, if the decryption oracle would return anything but ⊥ for a fresh ciphertext under a fresh identity, this would constitute a break of the integrity game. 2.2

Encrypt-then-IBS

An obvious first attempt to create an identifiable vetted encryption scheme is to combine the confidentiality provided by a public key encryption scheme with the authenticity of that of an identity based signature scheme. There are three basic methods for the generic composition: sign-then-encrypt, encrypt-then-sign, and encrypt-and-sign. For the first option, the signature ends up being encrypted, which destroys public verifiability as required for the filter to do its work. The parallel encrypt-and-sign is well-known to be problematic, as the unencrypted signature directly on the message inevitably leaks information on the message,

Vetted Encryption

495

Fig. 4. Encrypt-then-IBSign (EtIBS): A straightforward composition of public key encryption and an identity-based signature scheme.

even when the signatures are confidential [7] (as the signature allows for an easy check whether a given plaintext was encrypted or not). Thus only encrypt-thensign remains as option, and we specify the construction in Fig. 4. We show the scheme achieves integrity and confidentiality in Lemmas 1 and 2, respectively. Integrity of the construction follows from the unforgeability of the underlying signature scheme. However, for IVE to inherit the confidentiality of the encryption scheme, we use an identity-based signature scheme with outsider unique signatures. Without unique signatures, an adversary who has received a challenge ciphertext (C, σ) could simply create a new tuple (C, σ  ) with a secondary valid signature σ  . This tuple will be accepted by a decryption oracle, and hence the adversary will learn the encrypted message, breaking confidentiality. To the best of our knowledge, unique identity-based signatures have not been studied before. It turns out that for our purposes, a computational version of uniqueness suffices (the details are in Appendix A). Correctness and Consistency. Both correctness and consistency follow easily by inspection. The signature verification as part of decryption is needed for consistency, cf. the transformation mentioned previously. Integrity. Integrity of the Encrypt-then-IBS construction boils down to the unforgeability of the underlying identity-based signature scheme. As the decryption key of the underlying encryption scheme is unrelated to the issuing key of

496

M. N. Hovd and M. Stam

the signature scheme (so an adversary cannot hope to learn any useful information about the issuing key by querying the decryption oracle with ciphertexts of corrupted identities), the reduction is fairly straightforward. Lemma 1 (Integrity of Encrypt-then-IBS). For all adversaries Aint there exists a similarly efficient adversary Beuf-cma such that euf-cma Advint IVE (Aint ) ≤ AdvUIBSS (Beuf-cma ).

Confidentiality. The confidentiality of the Encrypt-then-IBS hinges on both the confidentiality of the encryption scheme and the computational hardness of finding a signature collision in the IBS scheme. As the IVE adversary does not have access to the master private key of the underlying IBS scheme, it suffices that signatures are unique with respect to individual signing keys (that can be obtained through the derive oracle). That allows us to rule out mauling of a challenge ciphertext (C, σ) through the signature component, leaving the adversary with the only option of breaking the confidentiality of the encryption scheme. Lemma 2 (Confidentiality of Encrypt-then-IBS). For all adversaries Aconf there exist similarly efficient adversaries Bcca and Bou such that conf ou Advconf IVE (Aconf ) ≤ AdvPKE (Bconf ) + AdvUIBSS (Bou ).

3 3.1

Opaque Vetted Encryption (OVE) Syntax and Security of OVE

The Algorithms. For opaque vetted encryption, we are in the most challenging, ‘asymmetric’ scenario where the filter does not learn the identity of the sender, yet the recipient does. In the definition below, we model this change by letting the identity be output as part of decryption, in addition to the message of course. Having two outputs also affects how invalid ciphertexts are dealt with: for our syntax and security we deal with the general case where either component can lead to rejection, independently of each other. Thus we allow a large number of error messages, unlike the AVE or IVE case, where only a single error message was modeled. As we will see, OVE is quite similar to a group signature with message recovery, which seems to be an overlooked primitive. In line with the literature on group signatures, in Definition 2 we split the private key in two: an issuing key IK to derive identity-specific encryption keys and a master decryption key SK to decrypt ciphertexts. Throughout we will also borrow group signature terminology, for instance by referring to the derivation of an encryption key as ‘issuing’ (of course, in the group signature setting, said key would be a signing key instead), or use ‘opening’ to extract the identity from a ciphertext as part of decryption.

Vetted Encryption

497

Definition 2 (Opaque Vetted Encryption (OVE)). An opaque vetted encryption scheme OVE is a 5-tuple of algorithms (Ove.Kg, Ove.Derive, Ove.Enc, Ove.Verify, Ove.Dec) that satisfy – Ove.Kg generates a key triple (P K, SK, IK), where P K is the public encryption (and verification) key, SK is the private decryption key, and IK is the issuing key. We allow Ove.Kg to depend on parameters param and write (P K, SK, IK) ←$ Ove.Kg(param). Henceforth, we will assume that P K can be uniquely and efficiently computed given either SK or IK. – Ove.Derive issues an encryption key EK based on the issuing key IK and a user’s identity ID. We write EK ←$ Ove.DeriveIK (ID). – Ove.Enc encrypts a message M given the public encryption key P K and private encryption key EK, producing a ciphertext C or a failed encryption symbol ⊥. So, C ←$ Ove.EncP K,EK (M ) with maybe C = ⊥. – Ove.Verify verifies the validity of a ciphertext C given the public verification key P K. With a slight abuse of notation, /⊥ ← Ove.VerifyP K (C). – Ove.Dec decrypts a ciphertext C using the private key SK, resulting in a message–identity pair (M, ID). Both the message M and the identity ID may, independently of each other, result in a rejection, ⊥. Again, with a slight abuse of notation, (M/⊥, ID/⊥) ← Ove.DecSK (C). The first three algorithms are probabilistic, the final two deterministic. Correctness and Consistency. As is the case for AVE and IVE, correctness captures that honest usage of the scheme ensures that messages are received as intended, and assigned to the actual sender. For all parameters param, identities ID and messages M we have ⎤ ⎡ (P K, SK, IK) ←$ Ove.Kg(param) C = ⊥ EK ←$ Ove.DeriveIK (ID) Pr ⎣ : ∧ Ove.VerifyP K (C) =  ⎦ = 1. C ←$ Ove.EncP K,EK (M ) ∧ Ove.DecSK (C) = (M, ID) As with the previously presented schemes, consistency means that any ciphertext which decrypts to a valid message and identity, will also pass the filter. Thus we treat any occurrence of ⊥ in the decryption, as either message or identity, as an invalid ciphertext. Again, we can easily transform a correct scheme into one that is consistent as well: as part of decryption, run the verification, and if verification returns ⊥, then decryption returns (⊥, ⊥). Security. The security of OVE is an amalgam of the vetted encryption notions we have encountered so far and those for group signatures, primarily the static “BMW” notions [2]. The integrity component we saw earlier now splits into two: on the one hand, we want that ciphertexts that pass the filter (so verify) can be pinned to a user after decryption, yet on the other hand we want to avoid users being falsely suspected of spamming (by an honest recipient). We relabel the first notion integrity and strengthen it slightly, so it becomes essentially a computational equivalent of strictness. The second notion is traceability,

498

M. N. Hovd and M. Stam

Fig. 5. The traceability game for OVE.

known from group signatures. We also require confidentiality of the messages and anonymity of the senders, but it turns out we can fold these two concepts into a single notion, dubbed privacy. Formally, we define the following advantages, with specifications and explanations of the corresponding experiments described below:

trac – Traceability: Advtrac OVE (A) = Pr ExpOVE (A) : A wins . int – Integrity: Advint OVE (A) = Pr ExpOVE (A) : A wins .   – Privacy: Advpriv (A) = Pr Exppriv-0 (A) : ˆb = 0 −Pr Exppriv-1 (A) : ˆb = 0 . OVE

OVE

OVE

Traceability. This notion (Fig. 5) ensures that a colluding group of vetted users cannot successfully create a ciphertext that opens to the identity of another user (outside the collusion). As we do not incorporate a PKI in our model (cf. the dynamic “BSZ” notions for group signatures [4]), we need to exclude the issuing key IK from the adversary’s grasp. Furthermore, in contrast to BMW’s traceability, we also do not provide the decryption key DK to the adversary. Our weakening is motivated by the intended use case: the main purpose of the scheme is to trace messages which pass the filter back to an identity and the recipient has no motive to try and create ciphertexts that it will then subsequently open and trace incorrectly. Of course, in order to provide forward security, one could also consider strong traceability, where an adversary does have access to the decryption key SK. Finally, we initialize CU to contain ⊥ as we consider the case where the ciphertext opens to an invalid identity, so Ove.DecSK (C) = (M, ⊥), only as a breach of integrity, not of traceability. Again, this fits the intended use case: an adversary being able to pass the filter without being identified afterwards can effectively “spam” the receiver, who then does not know which sender to have a word with. As the protection against spamming is the raison d’ˆetre of our scheme, we will put much stronger guarantees in place to prevent it (as part of integrity).

Vetted Encryption

499

Fig. 6. The integrity game for OVE.

Integrity. In stark contrast to traceability, integrity (Fig. 6) ensures that even an adversary in possession of all the keys of the scheme cannot create a message which verifies, so Ove.VerifyP K (C) = , yet does not open to a valid message– identity pair, i.e. leads to Ove.DecSK (C) = (⊥, ID), Ove.DecSK (C) = (M, ⊥) or Ove.DecSK (C) = (⊥, ⊥). Thus any ciphertext that passes the verification, is opened without a failure message. We reiterate that we treat Ove.DecSK (C) = (M, ⊥) as a breach of integrity rather than traceability. One interpretation is that C decrypted successfully to an anonymous message. Yet allowing for anonymous messages would clearly defeat the purpose of opaque vetted encryption, namely that any ciphertext which verifies can be attributed to a vetted sender. Privacy, Confidentiality, and Anonymity. Any party not in possession of the decryption key should be unable to determine who is the sender of a ciphertext, and also what the ciphertext decrypts to. Note that we allow an adversary access to the issuing key IK. This is seemingly a contradiction to the discussed honest use case, where the recipient both issues keys and decrypts messages, which was after all the reasoning for denying the adversary the opening key in the traceability case. However, there is a possible separation of authorities, and even though we regard the recpient as the “owner” of the scheme, they may choose to delegate the authority of issuing keys to another authority. We require that even this party should not be able to infer the sender or the content when given a ciphertext. We formalize this notion as privacy (Fig. 7), which we model with a challenge encryption oracle that an adversary can query on two pairs of encryption keys and messages: (EK 0 , M0 ) and (EK 1 , M1 ). The oracle either returns an encryption of the left, 0-subscripted or the right, 1-subscripted key–message pair; the adversary should figure out which one. To avoid trivial wins based on faulty encryption keys, we encrypt both pairs, and reject the query if one of the encryptions fail. Privacy should hold even against adversaries knowing the issuing key IK. Our notion of privacy encompasses both anonymity and confidentiality of encryption schemes. We define anonymity as the privacy game with the restriction that for all challenge queries M0 = M1 , and confidentiality as the privacy game where we insist EK 0 = EK 1 for all challenge queries.

500

M. N. Hovd and M. Stam

Fig. 7. The privacy game for OVE.

The resulting anonymity game resembles anonymity known from group signatures. One notable difference is the additional mechanism we put in place by encrypting under both encryption keys and only output the ciphertext if both encryptions are successful. We are not aware of a similar mechanism to define anonymity of group signatures, i.e. where you would sign under both user signing keys and only release the group signature if both are successful: BMW only deal with honestly generated keys and BSZ have a join protocol that alleviates the need for an additional check. For confidentiality, arguably one could consider a stronger game where one directly encrypts the relevant challenge message under the adversarially chosen key. Yet, this strenghtening is not entirely without gain of generality, as one could concoct a pathological counterexample where for some fake encryption key some messages are more likely to result in an encryption error than others. Henceforth, we will ignore this subtlety. By definition, privacy obviously implies anonymity and confidentiality (with a small caveat for the latter, as explained above). The converse is true as well, namely that jointly anonymity and confidentiality imply privacy. However, in general this is not true, as can be shown by a simple, pathological counterexample. Consider a scheme that is secure, now modify the scheme so that key derivation prepends keys with a 0-bit. Encryption with a key starting with a 0-bit removes this bit and behaves as before. This fully describes the honest behaviour of the scheme and we proceed to describe behaviour that could only be triggered by an adversary: namely, our modified scheme’s encryption with a key starting with a 1-bit outputs the message iff that message equals the key, and rejects otherwise. Essentially, all 1-keys are fake, but it is possible to make each key accept on a single message (and each message can only be used for a single fake key). For the confidentiality and anonymity games, these fake keys cannot be exploited as the reject-filtering mechanism causes the oracle to reject; for the privacy game however it’s easy to win exploiting these fake keys.

Vetted Encryption

501

For schemes that behave nicely however, we show in Lemma 3 that the privacy game is implied by combination of anonymity and confidentiality. Here ‘nicely’ refers to the property that an encryption key is either always successful on the full message space, or it always rejects. Lemma 3 (OVE-Anonymity + OVE-Confidentiality ⇒ OVE-Privacy). Let OVE sport encryption keys EK with the property that for all messages M in the message space, Ove.EncP K,EK (M ) =⊥, or every message encrypts to a ciphertext with probability 1. Then for any privacy adversary Apriv against an OVE scheme, there exist anonymity and confidentiality adversaries Bconf and Banon of comparable efficiency such that anon conf Advpriv OVE (Apriv ) ≤ AdvOVE (Banon ) + AdvOVE (Bconf ).

3.2

Generic Construction: Verifiably Encrypted Certificates

Our construction is inspired by the sign-encrypt-proof construction for group signature schemes [2]. This provenance is natural, given the close relationship between OVE and group signatures (albeit with message recovery). The most important difference, aside from having to keep the message confidential, is our weakening of traceability, by not availing the adversary with the decryption key. We reflect on the difference between our scheme and known group signature schemes in the full version. Our scheme uses an IND-CCA secure PKE, an EUF-CMA secure SIG and a simulation-sound QANIZK; the construction is fleshed out in Fig. 8. The key generation algorithm generates the key pairs (P K, DK), (V K, SK) for the PKE and SIG respectively, as well as the crs σ and trapdoor τ for the QANIZK scheme. The public key for the OVE is the triple (P K, V K, σ), the derivation key is SK, and finally the decryption key is DK. We stress that the trapdoor τ is discarded after derivation: it is used only in the security reductions, not in the actual scheme itself, and accidentally including it in the private derivation or decryption key would actually invalidate integrity! For a given user with identity ID, the derivation issues a certificate CERT ID by signing ID using the signature scheme. The certificate may then be regarded as the encryption key of the user with identity ID. To encrypt a message M , on input the public key of the OVE as well as the identity ID and certificate CERT ID of the encryptor, first the validity of the certificate is checked to guard against dishonest certificates. If the certificate passes, the concatenated string M CERT ID ID is encrypted to C using the underlying encryption scheme. Next, a QANIZK proof π is generated for the statement that the ciphertext is created honestly, specifically that it contains a valid ID, CERT ID pair. The OVE encryption algorithm finally outputs (C, π). Formally, for the QANIZK proof, the language L(P K,V K) is determined by the public key (P K, V K) and consists of valid ciphertexts, i.e.,

502

M. N. Hovd and M. Stam

Fig. 8. Our “Verifiably Encrypted Certificate” construction for OVE.

L(P K,V K) = {C : ∃M,r,CERT ID ,ID C = Pke.EncP K (M CERT ID ID; r) ∧ Sig.VerifyV K (ID, CERT ID ) = }. Thus the message M and the randomness r used to encrypt are additional witnesses used to create the QANIZK proof π; the full witness is the tuple (r, M, CERT ID , ID). For the filter to verify a pair (C, π), it simply runs the verification algorithm of the QANIZK scheme, with the public key of the OVE scheme as well as (C, π) as input. Finally, in order to decrypt an OVE ciphertext (C, π), the receiver first verifies the proof π using the verification algorithm of the QANIZK. If the QANIZK verification fails, the receiver rejects. Otherwise, it decrypts C and attempts to parse the output as M CERT ID ID ← Pke.DecDK (C). If either decryption or parsing fails, the receiver rejects. If both succeed, it returns (M, ID). There is no need to explicitly run the verification algorithm of the signature scheme on the certificate as its validity is already implicitly checked by the QANIZK verification. Note that we output the rejection symbol (⊥, ⊥) in all cases (failure of the verification, decryption, or parsing), and in particular that we do not distinguish between a failure to decrypt the message M or the identity ID, as the syntax allows for. Correctness and Consistency. Correctness follows from the correctness of the underlying PKE and SIG, as well as the completeness of the QANIZK. Consistency is guaranteed by checking the proof in decryption, as this ensures that any ciphertext which decrypts also passes the filter.

Vetted Encryption

503

Traceability. Intuitively, the traceability of the scheme boils down to the unforgeability of the signature scheme used as a building block. The other properties of the PKE and QANIZK ensure that the encryption oracle is harmless, i.e. that the returned components (C, π) do not leak any information about the valid and potentially honest certificate used. Lemma 4 (Traceability of OVE). For all adversaries Atrac , there exist similarly efficient adversaries Bsound , Bzk , Bcca and Beuf-cma such that sound zk Advtrac OVE (Atrac ) ≤ AdvQANIZK (Bsound ) + AdvQANIZK (Bzk ) euf-cma + Advcca (Beuf-cma ). PKE (Bcca ) + AdvSIG

Integrity. The integrity of the OVE scheme follows from the zero-knowledge property of the QANIZK scheme, as well as the correctness of the PKE scheme. Informally, there are only two ways the adversary can win the game: either C has a witness, or it does not. If it does not, the adversary has been able to generate a verifiable proof for an invalid statement, which breaches the soundness of the QANIZK scheme. If C has a witness, it is generated by encrypting a plaintext, and such a ciphertext will decrypt correctly by correctness of PKE, so winning this way is not possible. Lemma 5 (Integrity of OVE). For all adversaries Aint , there exist an equally efficient adversary Bsound such that sound Advint OVE (Aint ) ≤ AdvQANIZK (Bsound ).

Privacy. The notion of privacy for the OVE rests on the security of the underlying encryption scheme and QANIZK protocol. In essence, the CCA notion of the PKE ensures that the C component does not leak any information about the message or the identity, whilst the zk notion of the QANIZK protocol guards against the proof π revealing anything useful to an adversary. Finally, the simulation soundness of the QANIZK helps guarantee that the adversary cannot forge a proof π  , and thus take advantage of a decryption oracle. Lemma 6 (Privacy of OVE). For all adversaries Apriv , there exist similarly efficient adversaries Buss , Bzk and Bcca such that zk uss cca Advpriv OVE (Apriv ) ≤ 2AdvQANIZK (Bzk ) + 2AdvQANIZK (Buss ) + 3AdvPKE (Bcca ).

We note that our bound is not as tight as the corresponding one for anonymity in BMW. The difference is primarily due to the proof strategy: instead of game hops, Bellare et al. directly provided the code of two CCA adversaries that integrated a bad event and a hop between two games G0 and G1 , coupled with a refined analysis of the relevant advantages. The integrated approach allowed for some terms in the derivation to cancel, leading to the slighlty tighter bound. We opted for simplicity instead, also as we deal with multi-query games as opposed to the single-query games in the BMW construction. Thus we can potentially avoid a tightness loss as a result of a hybrid argument by plugging in appopriate multi-query secure primitives.

504

4

M. N. Hovd and M. Stam

Conclusion

We introduced vetted encryption, which allows a recipient to specify who is allowed to send them messages and outsource the filtering to any third party. We concentrated on only a single receiver in two distinct scenarios: the filter would or would not learn the identity of the sender. Either way, the sender would remain identifiable to the recipient. OVE has the potential to facilitate confidential communication with whistleblowers, sources for journalists and other scenarios for anonymous communication where an organization wants to filter the anonymous traffic, yet the individual needs to be identified to the recipient in a way that is convincing to the recipient while allowing repudiation by the sender. When considering multiple receivers, a possible extension would be to allow a single filter in such a way that the intended recipient remains anonymous to the filter as well. Such an extension could be relevant for all three types of vetted encryption, though it is possibly more natural in the AVE and OVE setting. We have, after all, already lifted anonymity from the filter altogether in the IVE setting, which at the very least opens up the possibility to use the recipient’s identity. For identifiable vetted encryption we made the link with signcryption; one could further try to extend this link by considering an alternative multi-recipient scenario where a single sender wants to transmit the same message to multiple recipients simultaneously. This is quite common in email applications and one expects some performance benefits due to amortization (though the security definitions might become more complex, cf. multi-user signcryption). Finally, for our constructions we concentrated on proofs of concepts. For both IVE and OVE we leave open the challenge of designing the most efficient scheme, either by suitably instantiating our generic construction or by taking further inspiration from, respectively, signcryption and group signatures, and beyond. Another possible feature for either primitive would be to revoke the right to send.

A

Unique Identity Based Signature Scheme

We construct an identity based signature scheme with unique signatures (UIBSS) by using the known certificate based transformation on an unique signature scheme [3]. We generate a master signing and verification key for a USS scheme, as well as set up a PRF. Given an identity ID we use the PRF to derive randomness, which is then fed into the key generation algorithm of a USS scheme. In other words: the key generation of the USS is derandomised, with the given randomness depending on a given identity. The resulting key pair (SK, V K) are components of the user key U SK of ID. The key U SK also includes a certificate, which is V K ID signed under the master signing key. A signature of a message M in the UIBSS scheme is simply (σ, V K, CERT ID ), where σ ← Uss.Sign(SK, M ). Finally, verification requires that both signatures σ and CERT ID verifies on M and V K ID, respectively. We present the construction of our UIBSS in Fig. 9, see the full version for the syntax of IBS schemes.

Vetted Encryption

505

Fig. 9. The construction of an identity based signature scheme with unique signatures using a unique signature scheme (USS) and a psuedo random function (PRF). Note that we denote the signing and verification key generated by Uss.Kg during Uibss.Kg as (M SK, M V K) solely to distinguish these keys from the signing and verification keys that constitute the U SK of a particular ID.

Fig. 10. The outsider unicity game for unique identity based signature schemes.

We adopt the security notion of existential unforgeability of identity based signature schemes to our scheme [10]. Informally, the notion states that given access to a signing oracle and a corruption oracle, an adversary should not be able to find a tuple (M, ID, σ) which passes the verification algorithm, where she has not asked to corrupt ID, and not asked for a signature on (M, ID). Since the general certificate construction has been proven to produce identity-based signature schemes that satisfy this notion of security, it follows that our scheme is secure with respect to existential unforgeability [3]. For unique signature schemes Uss.VerifyV K (M, σ) = Uss.VerifyV K (M, σ  ) implies σ = σ  [11]. However, we will relax this requirement, and rather require that it is computationally hard for an adversary to win the following game: given the verification key, and access to a derivation oracle, find a tuple (M, ID, ς, ς  ) such that Uibss.VerifyV K,ID (M, ς) =  = Uibss.VerifyV K,ID (M, ς  ), yet ς = ς  . We define this security notion as outsider unicity, with the game formally defined in Fig. 10. As always, the advantage of the adversary is her probability of winning the game.

506

M. N. Hovd and M. Stam

Our certificate based UIBSS scheme achieves outsider unicity due to the unicity property of the underlying unique signature scheme, as well as it’s notion of unforgeability. Informally, the unicity of signatures forces an adversary to find a forgery on V K ID. Lemma 7 (Outsider unicity of UIBSS construction). For all adversaries Aou , there exists an adversary Beuf-cma such that euf-cma Advou (Beuf-cma ). UIBSS (Aou ) ≤ AdvUSS

References 1. Ateniese, G., Francati, D., Nu˜ nez, D., Venturi, D.: Match me if you can: matchmaking encryption and its applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 701–731. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7 24 2. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9 38 3. Bellare, M., Namprempre, C., Neven, G.: Security proofs for identity-based identification and signature schemes. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 268–286. Springer, Heidelberg (2004). https://doi.org/ 10.1007/978-3-540-24676-3 17 4. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136– 153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3 11 5. Cortier, V., Gaudry, P., Glondu, S.: Belenios: a simple private and verifiable electronic voting system. In: Guttman, J.D., Landwehr, C.E., Meseguer, J., Pavlovic, D. (eds.) Foundations of Security, Protocols, and Equational Reasoning. LNCS, vol. 11565, pp. 214–238. Springer, Cham (2019). https://doi.org/10.1007/978-3030-19052-1 14 6. Damg˚ ard, I., Haagh, H., Orlandi, C.: Access control encryption: enforcing information flow with cryptography. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 547–576. Springer, Heidelberg (2016). https://doi.org/10. 1007/978-3-662-53644-5 21 7. Dent, A.W., Fischlin, M., Manulis, M., Stam, M., Schr¨ oder, D.: Confidential signatures and deterministic signcryption. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 462–479. Springer, Heidelberg (2010). https:// doi.org/10.1007/978-3-642-13013-7 27 8. Dent, A.W., Zheng, Y. (eds.): Practical Signcryption. ISC. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-540-89411-7 9. Hovd, M.N., Stam, M.: Vetted encryption (2020). https://eprint.iacr.org/2020/ 1348 10. Paterson, K.G., Schuldt, J.C.N.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006). https://doi.org/10.1007/ 11780656 18

Vetted Encryption

507

11. Shen, S.-T., Rezapour, A., Tzeng, W.-G.: Unique signature with short output from CDH assumption. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 475–488. Springer, Cham (2015). https://doi.org/10.1007/978-3-31926059-4 26 12. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption)  cost(signature) + cost(encryption). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10. 1007/BFb0052234

Security of Public Key Encryption Against Resetting Attacks Juliane Kr¨ amer and Patrick Struck(B) Technische Universit¨ at Darmstadt, Darmstadt, Germany {juliane,patrick}@qpc.tu-darmstadt.de

Abstract. Ciphertext indistinguishability under chosen plaintext attacks is a standard security notion for public key encryption. It crucially relies on the usage of good randomness and is trivially unachievable if the randomness is known by the adversary. Yilek (CT-RSA’10) defined security against resetting attacks, where randomness might be reused but remains unknown to the adversary. Furthermore, Yilek claimed that security against adversaries making a single query to the challenge oracle implies security against adversaries making multiple queries to the challenge oracle. This is a typical simplification for indistinguishability security notions proven via a standard hybrid argument. The given proof, however, was pointed out to be flawed by Paterson, Schuldt, and Sibborn (PKC’14). Prior to this work, it has been unclear whether this simplification of the security notion also holds in case of resetting attacks. We remedy this state of affairs as follows. First, we show the strength of resetting attacks by showing that many public key encryption schemes are susceptible to these attacks. As our main contribution, we show that the simplification to adversaries making only one query to the challenge oracle also holds in the light of resetting attacks. More precisely, we show that the existing proof can not be fixed and give a different proof for the claim. Finally, we define real-or-random security against resetting attacks and prove it equivalent to the notion by Yilek which is of the form left-or-right. Keywords: Public key encryption security

1

· Resetting attacks · Provable

Introduction

Encryption is a fundamental cryptographic primitive to achieve confidentiality between communicating parties. The main distinction is between symmetric key encryption and public key encryption. The former requires the communicating parties to exchange a symmetric key a priori, which the latter does not. An encryption scheme is deemed secure if a ciphertext does not leak information about the underlying plaintext. This is typically modelled as an indistinguishability game in which the adversary has to distinguish between the encryption of two messages of its choice, so-called left-or-right security. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 508–528, 2020. https://doi.org/10.1007/978-3-030-65277-7_23

Security of Public Key Encryption Against Resetting Attacks

509

For public key encryption schemes this mandates the usage of probabilistic algorithms for encryption to achieve security. This is in contrast to symmetric key encryption schemes which can use a nonce that has to be unique for each encryption but does not have to be chosen at random [25]. The classical security notion for public key encryption (IND-CPA) implicitly assumes that fresh randomness can be used for every encryption. This is modelled by letting the challenger encrypt using fresh random coins for every query. The natural question that arises is what happens when this assumption is not true. Clearly, security is elusive if the randomness is known by the adversary which can simply re-encrypt its challenge messages using this randomness. Another scenario, and simultaneously the focus of this paper, is one in which the randomness is unknown to the adversary but might be reused across several encryptions. The practical relevance of this scenario has been shown by Ristenpart and Yilek [24] who demonstrated how TLS can be attacked with reused randomness due to virtual machine snapshots. Based on this, Yilek [29] introduced security against resetting attacks. In this setting, the adversary can force the challenger to reuse a randomness across several encryptions. This setting has later been generalised to security against related randomness attacks by Paterson et al. [21] and Matsuda and Schuldt [19]. For related randomness attacks, the adversary can specify a function which is applied to the (reused) randomness generated by the challenger and the outcome of the function is the randomness that is used to actually encrypt. All notions introduced in [19,21,29] are in the left-or-right style. The adversary queries two messages to its challenge oracle, the oracle encrypts either the left or the right message, and the adversary tries to distinguish these cases. Security should always hold with respect to adversaries making multiple queries to the challenge oracle. For IND-CPA-like security notions, schemes are often proven secure against adversaries making only one query to the challenge oracle [3,8,9,11,15]. It is folklore that this implies security in the desired case of multiple queries via a standard hybrid argument. Yilek [29] argues that the same holds also for resetting attacks and provides a proof sketc.h for the claim. Later, however, Paterson et al. [21] pointed out that the proof is flawed as it results in a prohibited query by the reduction. They further argued that they could neither prove Yilek’s claim nor give a separation to disprove it. Thus, prior to this work, it has been unclear whether security against a single challenge query implies security against multiple challenge queries in the light of resetting attacks. 1.1

Our Contribution

In this work we revisit the resetting attack model proposed by Yilek [29]. First, we define a class of public key encryption schemes which we show to be insecure in this model. We then prove several schemes insecure by showing that they lie in the defined class. As our main contribution, we close the aforementioned gap by showing that security against a single query to the challenge oracle indeed implies security against multiple queries to the challenge oracle even against resetting attacks, hereby confirming the claim made in [29]. More precisely, we

510

J. Kr¨ amer and P. Struck

first investigate the flawed proof in [29] and give an adversary that distinguishes the different hybrid games in the proof almost perfectly. We then nevertheless prove the claim by giving a different proof approach, which only yields an additional factor of 2 compared to the claimed bound in [29]. Finally, we define realor-random security against resetting attacks and prove the equivalence between the existing left-or-right and our new real-or-random security notion. 1.2

Related Work

Garfinkel and Rosenblum [13] pointed out a theoretical threat to the security of a virtual machine, due to the possibility of snapshots. The practical relevance of this threat has later been shown by Ristenpart and Yilek [24], who demonstrated attacks on TLS. Based on these, Yilek [29] defined security against resetting attack, which models the threat pointed out in [13]. Later, Paterson et al. [21] and Matsuda and Schuldt [19] generalised this to security against related randomness attack. Bellare et al. [5] gave a public key encryption scheme which still achieves a meaningful security notion, yet qualitatively worse than IND-CPA, even if the randomness is bad. The same setting is also considered by Bellare and Hoang [6]. Huang et al. [14] study nonce-based public key encryption schemes in order to avoid the issue of bad randomness. Closer to our setting is the work by Wang et al. [28], which studies both resetting attacks and bad randomness, yet for authenticated key exchange. 1.3

Organization of the Paper

Section 2 covers the necessary background for this work. In Sect. 3 we show that several public key encryption schemes are susceptible to resetting attacks. Our main contribution is given in Sect. 4, where we restore the claim made in [29] by giving a different proof. The definition of real-or-random security against resetting attacks and the proof of its equivalence with the left-or-right security is given in Sect. 5.

2 2.1

Preliminaries Notation

For an integer x, the set {1, . . . , x} is denoted by [x]. We use game-based proofs [7,27]. For a game G and an adversary A, we write GA ⇒ y if the game outputs y when played by A. In our case, the game output will either be true or false, indicating whether the adversary has won the game. Analogously, we write AG ⇒ y to denote that A outputs y when playing game G. We only use distinguishing games in which the adversary has to guess a randomly chosen bit b. To scale the advantage of an adversary A to the interval from 0 to 1, its advantage in a distinguishing game G is defined as AdvG (A) = 2 Pr[GA ⇒ true] − 1 .

Security of Public Key Encryption Against Resetting Attacks

511

Reformulation to adversarial advantage yields AdvG (A) = 2 Pr[GA ⇒ true] − 1   = 2 Pr[GA ⇒ true ∧ b = 0] + Pr[GA ⇒ true ∧ b = 1] − 1  = 2 Pr[GA ⇒ true | b = 0] Pr[b = 0]  + Pr[GA ⇒ true | b = 1] Pr[b = 1] − 1 = Pr[GA ⇒ true | b = 0] + Pr[GA ⇒ true | b = 1] − 1 = Pr[AG ⇒ 0 | b = 0] + Pr[AG ⇒ 1 | b = 1] − 1 = Pr[AG ⇒ 0 | b = 0] − Pr[AG ⇒ 0 | b = 1] . Analogously, we get AdvG (A) = Pr[AG ⇒ 1 | b = 1] − Pr[AG ⇒ 1 | b = 0] . A public key encryption Σ is a triple of three algorithms KGen, Enc, and Dec, where – KGen : N → SK × PK is the key generation algorithm which takes a security parameter1 as input and outputs a secret key and a public key. – Enc : PK × msp × R → C is the encryption algorithm which maps a public key, a message, and a randomness to a ciphertext. – Dec : SK × C → msp is the decryption algorithm which outputs a message on input a secret key and a ciphertext. By SK, PK, msp, C, and R we denote the secret key space, public key space, message space, ciphertext space, and randomness space, respectively. 2.2

Security Against Resetting Attacks

Yilek [29] defines security against resetting attacks, which extends the standard notion of IND-CPA.2 This models a scenario in which the randomness used to encrypt might be reused, for instance, when performed on a virtual machine using snapshots. The security game is displayed in Fig. 1. The adversary gets access to a challenge left-or-right oracle LR-Enc and aims to distinguish which of its messages it encrypts. In addition, the adversary gets an encryption oracle Enc which allows to encrypt using arbitrary, adversarial chosen public keys. The crucial part is that the adversary specifies an index for both oracles to determine which randomness is used to encrypt, i.e., repeating an index results in a repeated randomness. This is also the reason for the additional encryption oracle. In the classical IND-CPA setting, there is no need for this oracle since the adversary can encrypt locally. 1 2

We will often omit this input. In [29] the notion is also extended to the IND-CCA case, which is not relevant for this work.

512

J. Kr¨ amer and P. Struck

Fig. 1. Security game to define LR-RA security using different randomnesses.

Yilek gives two lemmas to simplify the notion. One lemma shows that we can restrict the notion to a single randomness which is used for every encryption query by the adversary. The other lemma, identified as flawed in [21], claims that we can restrict the adversary to a single query to its left-or-right oracle LR-Enc. Below we recall the former. Lemma 1 ([29, Lemma 1]). Let Σ be a PKE scheme and the game LR-RA be defined as in Fig. 1. Then for any adversary A, making q queries to LR-Enc and querying in total t different indices to LR-Enc and Enc, there exists an adversary B, making q queries to LR-Enc and querying only a single index to LR-Enc and Enc such that -RA (A) ≤ t AdvLR-RA (B). AdvLR Σ Σ Lemma 1 allows to simplify the security game by choosing one randomness r ∗ at the beginning of the game which is used for every query by the adversary. The simplified security game LR-RA is displayed in Fig. 2.

Fig. 2. Security game to define LR-RA security.

To exclude trivial wins, Yilek [29] defines equality-pattern respecting adversaries. Intuitively, these are adversaries which never repeat a message to their encryption oracles and do not make two challenge queries which are equal in

Security of Public Key Encryption Against Resetting Attacks

513

the left message but different in the right message, or vice versa. Below we formally define such adversaries.3 Note that this definition is necessary to achieve a meaningful security notion, but is not an immoderate restriction imposed on the adversary. Definition 2. Let A be an adversary playing LR-RA which makes q queries to LR-Enc. Let E be the set of messages m such that A makes a query (pk∗ , m) to Enc. Let (m10 , m11 ), . . . , (mq0 , mq1 ) be the queries to LR-Enc. We say that A is equality-pattern respecting if – for all b ∈ {0, 1} and i ∈ [q], m[b]i ∈ / E and – for all b ∈ {0, 1} and i = j, m[b]i = mjb =⇒ mi1−b = mj1−b . The LR-RA advantage of an adversary is defined as follows. Definition 3. Let Σ = (KGen,Enc,Dec) be a public key encryption scheme and the game LR-RA be defined as in Fig. 2. For any equality-pattern respecting adversary A, its LR-RA advantage is defined as AdvLR-RA (A) := 2 Pr[LR-RAA ⇒ true] − 1 .

3

LR-RA-Insecure Public Key Encryption Schemes

To show that the security notion LR-RA is strictly stronger than the classical notion of ciphertext indistinguishability (IND-CPA), Yilek gives a separation example, i.e., a PKE scheme that is IND-CPA-secure but LR-RA-insecure. The scheme follows the standard hybrid encryption idea and combines an arbitrary public key encryption scheme with the one-time pad encryption. The concrete scheme4 is displayed in Fig. 3. The core observation is that in the resetting attack case, the same one-time key will be used for every query as it is derived from the (reused) randomness. By making one query to the oracle Enc, the adversary learns this one-time key which it can then use to decrypt its challenge query. This clearly shows that the LR-RA security notion is stronger than the classical IND-CPA security notion. However, the attack does not exploit a weakness in the scheme. It essentially bypasses the security by using the one-time pad in an insecure way, namely, using a key twice. We emphasise that this specific attack no longer works if the one-time pad encryption is replaced with a secret key encryption scheme for which using the same secret key does not affect the security. Furthermore, the idea behind the hybrid encryption scheme is to avoid encrypting a large message using a (costly) public key encryption. Since a key for the one-time pad has the same length as the message, instantiating the hybrid 3

4

Note that this definition is tailored to the single randomness setting. The equivalent, more complicated definition for multiple randomnesses (see, e.g., [29, Appendix A]) is irrelevant for this work and therefore omitted. In [29] the scheme also consists of a MAC to achieve CCA security which we omit here for simplicity.

514

J. Kr¨ amer and P. Struck

Fig. 3. Separation example given in [29]. Algorithms KGenP and EncP are the key generation and encryption algorithm of the underlying PKE scheme, respectively.

encryption scheme with the one-time pad defeats its main advantage. The given separation is therefore more of theoretical interest and raises the question how critical resetting attacks are in practice. In this section, we show that resetting attacks are devastating in practice by showing that many PKE schemes are susceptible to these attacks. To this end, in Sect. 3.1, we define a class of public key encryption schemes that we call PKsplittable and show that such schemes are LR-RA-insecure. We then show, in Sect. 3.2, that every PKE scheme following the LWE-based scheme by Regev [23], several code-based encryption schemes, and any instantiation of the hybrid encryption scheme - i.e., not just the one using the one-time pad -, lie in this class of encryption schemes. Hence all these scheme are insecure against resetting attacks. 3.1

A Class of LR-RA-Insecure PKE Schemes

We define the term PK-splittable for public key encryption schemes. Intuitively, these are schemes for which the public key and the ciphertext can be divided into two parts such that: 1. each part of the public key affects exactly one part of the ciphertext and 2. only one part of the ciphertext depends on the message that is encrypted. Below we give the formal definition. Definition 4. Let Σ = (KGen, Enc, Dec) be a public key encryption scheme, where PK = PKf × PKg with PKg = ∅ and C = X × Y. If there exist functions f : PKf × R × msp → X and g : PKg × R → Y such that for any public key pk = (pkf , pkg ) it holds that Enc(pk, m; r ) = (f (pkf , r , m), g(pkg , r )) , then we say that Σ is a PK-splittable public key encryption scheme with core encryption function f and auxiliary encryption function g. From Definition 4 it is easy to see that PK-splittable public key encryption schemes are LR-RA insecure. First, the adversary makes a query to the challenge oracle LR-Enc on two randomly chosen messages to obtain a challenge ciphertext. Then it queries both messages to the oracle Enc but on a public key which differs from the challenge public key only in the part affecting the auxiliary encryption function g. To determine the secret bit, the adversary simply compares the output of the core encryption function f for its queries. This is formalised in the following theorem.

Security of Public Key Encryption Against Resetting Attacks

515

Theorem 5. For any PK-splittable public key encryption scheme Σ, there exists an adversary A such that AdvLR-RA (A) = 1 . Proof. We construct the following adversary A playing LR-RA. Upon receiving the target public key pk∗ = (pk∗f , pk∗g ), A chooses two messages m0 and m1 at random and queries (m0 , m1 ) to LR-Enc to obtain a challenge ciphertext c. Subsequently, A runs KGen to obtain a public key pk = (pkf , pkg ), sets pk = (pk∗f , pkg ), and queries both (pk, m0 ) and (pk, m1 ) to Enc to obtain ciphertexts c0 and c1 . Let c0f , c1f , and c f be the core encryption function parts of the ciphertext c0 , c1 , and c, respectively. If c f = c0f , A outputs 0. If c f = c1f , it outputs 1. Since Σ is a PK-splittable scheme, we have c0 = (f (pk∗f , r ∗ , m0 ), g(pkg , r ∗ )) and c1 = (f (pk∗f , r ∗ , m1 ), g(pkg , r ∗ )). The ciphertext c depends on the secret bit b of the game LR-RA. If b = 0, c equals (f (pk∗f , r ∗ , m0 ), g(pk∗g , r ∗ )) and if b = 1, it equals (f (pk∗f , r ∗ , m1 ), g(pk∗g , r ∗ )). Hence, if b = 0, the core encryption function part of the ciphertext c is equal to the core encryption function part of c0 . Likewise, if b = 1, the core encryption function parts of c and c1 are equal. This enables A to perfectly distinguish the cases b = 0 and b = 1. It remains to argue that A is a valid adversary against LR-RA. Since it queries m[0] and m[1] both to LR-Enc and Enc it looks like A is not equality-pattern respecting. However, the property equality-pattern respecting only prohibits querying a message to LR-Enc which has been queried to Enc together with the target public key. Our adversary never queries Enc on the target public key since it replaces pk∗g , i.e., the part that affects the auxiliary encryption function, for both queries. Hence the set E is empty which yields that A is an equality-pattern respecting adversary.

3.2

Real-World PKE Schemes that Are LR-RA-Insecure

The backbone of many lattice-based encryption schemes [3,10,12,17,18,20,22, 26] is the LWE-based public key encryption scheme due to Regev [23], which is displayed in Fig. 4 (for sake of simplicity we give the scheme in a generic form without specifying concrete sets). It is easy to see that from the two ciphertext parts c1 and c2 , only c1 depends on the message. Furthermore, each entry of the public key (poly (λ)a and poly (λ)b) affects exactly one ciphertext part. Thus, this scheme is PK-splittable. A similar argument applies to the code-based PKE schemes HQC [1], RQC5 [2], and ROLLO-II [4], which are also displayed in Fig. 4 (again in a generic form for sake of simplicity). For all schemes, only c2 is affected by the message and the public key can be split into a core encryption function and auxiliary encryption function related part (for ROLLO-II there is no core encryption function related part of the public key). This is formalised in the lemma below, the proof is given in the full version of this paper [16]. 5

RQC is very much akin to HQC, hence we provide the description and the formal proofs only for HQC.

516

J. Kr¨ amer and P. Struck

Fig. 4. LWE-based public key encryption schemes (left) and code-based public key encryption schemes HQC (middle) and ROLLO-II (right).

Lemma 6. The LWE-based public key encryption scheme and the code-based public key encryption schemes HQC and ROLLO-II (cf. Fig. 4) are PK-splittable. Corollary 7. The LWE-based public key encryption schemes and the code-based public key encryption schemes HQC and ROLLO-II are LR-RA insecure. For each scheme there exists an adversary A such that AdvLR-RA (A) = 1 . Proof. Follows directly from Theorem 5 and Lemma 6.



Now we turn our attention towards the security of the hybrid encryption scheme against resetting attacks. As discussed above, the attack proposed in [29] exploits the insecurity of the one-time pad when a key is used more than once. The attack no longer works when using an arbitrary symmetric key encryption scheme instead of the one-time pad, as the adversary does not learn the symmetric key from a single query. However, we show that the hybrid encryption scheme (cf. Fig. 5) is PK-splittable, irrespective of the underlying schemes. This shows that any instantiation is susceptible to resetting attacks. Lemma 8. Let (KGenP , EncP , DecP ) be a public key encryption scheme and (EncS , DecS ) be a symmetric key encryption scheme. The resulting hybrid encryption scheme (KGen, Enc, Dec), see Fig. 5, is a PK-splittable scheme. Proof. The scheme written as a PK-splittable scheme is displayed in Fig. 5.



Corollary 9. The hybrid encryption scheme is LR-RA insecure. There exists an adversary A such that AdvLR-RA (A) = 1 . Proof. Follows directly from Theorem 5 and Lemma 8.



Security of Public Key Encryption Against Resetting Attacks

517

Fig. 5. Left: Hybrid encryption scheme combining a public key encryption scheme (KGenP , EncP , DecP ) and a symmetric key encryption scheme (EncS , DecS ). Right: Hybrid encryption scheme written as a PK-splittable scheme.

4

Left-or-Right Security Against Resetting Attacks

In this section, we show that security against adversaries making a single query to the challenge oracle implies security against adversaries making multiple queries to the challenge oracle. This confirms the claim made in [29] by using a different proof that does not suffer from the issue pointed out in [21]. In Sect. 4.1 we recall the proof given in [29] and its flaw that has been identified in [21]. We construct an adversary which distinguishes the hybrid games almost perfectly, which entails that the existing proof can not be fixed. We then give a different proof for the claim in Sect. 4.2. 4.1

Shortcomings of Yilek’s Proof

We specify two special queries, which are not forbidden by Definition 2. It turns out that these queries are the ones that invalidate the proof in [29]. First, after making a query (m0 , m1 ) to LR-Enc, the adversary can make the same query to LR-Enc. We call this a repeating query. Second, after making a query (m0 , m1 ) to LR-Enc, the adversary can query (m1 , m0 ) to LR-Enc. We call this a flipping query. The proof in [29] uses a sequence of hybrid games H0 , . . . , Hq (cf. Fig. 6). In Hi , the first i queries are answered by encrypting the right message m1 , while the remaining q − i queries are answered by encrypting the left message m0 . By construction, H0 and Hq equal game LR-RA with secret bit b = 0 and b = 1, respectively. To bound two consecutive hybrids Hi−1 and Hi , the following reduction R is constructed. Each query by A to Enc is forwarded by R to its own oracle Enc. The first i − 1 challenge queries are answered by querying the left message to Enc, the last q −i challenge queries by querying the right message

518

J. Kr¨ amer and P. Struck

to Enc, in both cases together with the target public key pk∗ . The i-th challenge query is forwarded by R to its own challenge oracle LR-Enc. We now elaborate why the reduction does not work if the adversary makes a repeating query or a flipping query.6 Let (m0 , m1 ) be the i-th challenge query by A. Let j, k > i and, wlog, assume that the j-th and k-th query are (m0 , m1 ) and (m1 , m0 ), respectively. Thus, the j-th query is a repeating query and the k-th query is a flipping query. For the j-th query, the reduction would query its oracle Enc on m[0] and for the k-th query it would query it on m1 . Neither of these two queries is allowed, as both m0 and m1 have been queried to LR-Enc. Thus, this makes the reduction not equality-pattern respecting. At the first glance, this looks like an issue in the reduction, but we show that the issue lies in the hybrid games. More precisely, we give an equalitypattern respecting adversary that can distinguish two consecutive hybrid games with probability 1. This adversary rules out any proof using these hybrid games, thereby preventing a simple fix of the proof in [29]. Lemma 10. Let Σ = (KGen,Enc,Dec) be a perfectly correct public key encryption scheme and Hi be the hybrid game displayed in Fig. 6. For any i ∈ [q], there exists an adversary Ai such that H

i−1 i Pr[AH ⇒ 0] = 1 . i ⇒ 0] − Pr[Ai

Fig. 6. Hybrid games in the proof in [29].

Proof. For i ∈ [q − 1], we construct the following adversary Ai . The first i − 1 and the last q − i − 1 queries are randomly chosen messages that have never been queried. For the i-th query, Ai picks two messages m0 and m1 at random and queries LR-Enc on (m0 , m1 ) to obtain a ciphertext ci . For the (i + 1)-th query, Ai invokes LR-Enc on the flipping query (m1 , m0 ), resulting in a ciphertext ci+1 . If ci = ci+1 , Ai outputs 0. Otherwise, it outputs 1. In game Hi−1 , both the i-th and the (i+1)-th query are answered by encrypting the left message. Since the i-th and (i + 1)-th queries by Ai are (m0 , m1 ) and (m1 , m0 ), this yields ci ← Enc(pk∗ , m0 ; r ∗ ) and ci+1 ← Enc(pk∗ , m1 ; r ∗ ). Then we have ci = ci+1 since the scheme is perfectly correct. In game Hi , 6

The issue described in [21] corresponds to the issue for flipping queries we show here.

Security of Public Key Encryption Against Resetting Attacks

519

the i-th query is answered by encrypting the right message instead. This yields ci ← Enc(pk∗ , m1 ; r ∗ ) and ci+1 ← Enc(pk∗ , m1 ; r ∗ ). Hence we have ci = ci+1 . The adversary Aq performs q − 2 challenge queries on random messages, followed by querying first (m1 , m0 ) and then (m0 , m1 ). The same argument as above allows A to distinguish with probability 1.

Remark 11. When considering public key encryption schemes with negligible probability for decryption failures, the distinguishing advantage decreases negligibly. That is because the ciphertexts ci and ci+1 for the message m0 and m1 might be equal in Hi−1 . Nevertheless, two consecutive hybrids can be distinguished almost perfectly. 4.2

Alternative Proof for Yilek’s Claim

Having established that the proof approach in [29] does not work, we now turn our attention towards providing a different proof for the statement. Recall that the flawed proof uses a single hybrid argument over the number of queries by the adversary. To deal with the issue of flipping and repeating queries, we change the overall approach as follows. First, instead of a single hybrid argument where we switch from encryption of the left messages to encryption of the right messages, we use two hybrid arguments: one where we first switch from encrypting the left messages to encrypting random messages and one where we switch from encrypting random messages to encrypting the right messages. Second, instead of doing the hybrid argument over the number of queries, we do the hybrid argument over the number of distinct queries, i.e., non-repeating queries, by the adversary. The former change avoids the issue of flipping queries while the latter change circumvents the issue of repeating queries. Below we state our main result. It shows that, in the case of resetting attacks, security against adversaries making a single query to their challenge oracle implies security against adversaries making multiple queries to their challenge oracle. It confirms the claim in the flawed lemma in [29] at the cost of an additional factor of 2 in the bound. Theorem 12. Let Σ = (KGen,Enc,Dec) be a public key encryption scheme and the LR-RA security game be defined as in Fig. 2. Then for any equality-pattern respecting adversary A making q distinct queries to LR-Enc, there exists an equality-pattern respecting adversary R making 1 query to LR-Enc, such that LR-RA LR-RA (A) ≤ 2q AdvΣ (R) . AdvΣ

Proof. We prove the theorem using hybrid games L0 , . . . , Lq , R0 , . . . , Rq which are displayed in Fig. 7. In game Li , the first i distinct challenge queries are answered by encrypting a random message, while the remaining q − i distinct challenge queries are answered by encrypting the left message. Game Ri is defined analogously except that the right message, rather than the left message, is encrypted.

520

J. Kr¨ amer and P. Struck

Fig. 7. Hybrid games Li and Ri used to prove Theorem 12.

Note that, in any game, repeating queries are answered by looking up the previous response in the set Q (cf. Fig. 7). From this description we can deduce that hybrid games L0 and R0 correspond to the game LR-RA with secret bit b = 0 and b = 1, respectively. Furthermore, hybrid games Lq and Rq are identical, as they both answer all q distinct challenge queries by encrypting a random message. Thus we have AdvLR-RA (A) = Pr[ALR-RA ⇒ 0 | b = 0] − Pr[ALR-RA ⇒ 0 | b = 1] = Pr[AL0 ⇒ 0] − Pr[AR0 ⇒ 0] = Pr[AL0 ⇒ 0] − Pr[ALq ⇒ 0] + Pr[ARq ⇒ 0] − Pr[AR0 ⇒ 0] ≤

q  

 Pr[ALi−1 ⇒ 0] − Pr[ALi ⇒ 0]

i=1

+

q  

 Pr[ARi ⇒ 0] − Pr[ARi−1 ⇒ 0] .

i=1

To bound the consecutive hybrids Li−1 and Li for i ∈ [q], we construct the following adversary Bi playing LR-RA. On input pk∗ , Bi runs A on input pk∗ . When A makes a query m to Enc, Bi forwards m to its own oracle Enc and the i−1 response back to A. For the first i−1 distinct queries (m10 , m11 ), . . . , (mi−1 0 , m1 ) by A to LR-Enc, Bi responds by querying its oracle Enc on a random message m∗ ←$ msp and the target public key pk∗ to obtain a ciphertext that it forwards to A. For the i-th distinct query (mi0 , mi1 ), Bi chooses m∗ ← $ msp, queries

Security of Public Key Encryption Against Resetting Attacks

521

(mi0 , m∗ ) to its oracle LR-Enc, and sends the response back to A. For the last q q i+1 q − i distinct queries (mi+1 0 , m1 ), . . . , (m0 , m1 ) by A to LR-Enc, Bi queries its q i+1 oracle Encq−i times on m0 , . . . , m0 together with the target public key pk∗ and forwards the response to A. For all these distinct queries, Bi stores the queried messages along with the returned ciphertext in a set Q. For any repeating query, Bi returns the same ciphertext which it looks up in the set Q. When A halts and outputs a bit b , Bi outputs b . Recall that the proof in [29] does not hold since the reduction has to make a forbidden query. Since our reduction makes only one query to LR-Enc, we have to ensure that it never queries its oracle Enc on one of the messages queried to LR-Enc. The critical part is the simulation of the oracle LR-Enc for A using the oracle Enc. By construction, Bi queries LR-Enc on (mi0 , m∗ ), where mi0 is from the i-th query (mi0 , mi1 ) to LR-Enc by A and m∗ is a randomly chosen message by Bi . Prior to this query, Bi invokes Enc only on random messages, hence the probability that one of these is equal to either mi0 or m∗ is negligible. Subsequent to its challenge query, Bi queries Enc on the left messages that A queries to its challenge oracle. We know that each query of the form (mi0 , ·) is a repeating queries, i.e., (mi0 , mi1 ). Any query (mi0 , m ) where m = mi1 is excluded as A is equality-pattern respecting. Since repeating queries are answered using the set Q, they do not involve an oracle query by Bi . Hence Bi is a valid adversary, i.e., equality-pattern respecting, playing LR-RA. By construction we have that Bi simulates Li−1 and Li if its own challenge bit b is 0 and 1, respectively. This yields Pr[ALi−1 ⇒ 0] − Pr[ALi ⇒ 0] ≤ Pr[Bi LR-RA ⇒ 0 | b = 0] − Pr[Bi LR-RA ⇒ 0 | b = 1] ≤ AdvLR-RA (B ) . i

Analogously, we can construct adversaries Ci to bound consecutive hybrid games Ri−1 and Ri with the following two differences. First, for the i-th distinct query (mi0 , mi1 ) by A, Ci queries its own challenge oracle LR-Enc on (m∗ , mi1 ), for a randomly chosen message m∗ , and sends the result back to A. For the last q q i+1 q − i distinct queries (mi+1 0 , m1 ), . . . , (m0 , m1 ) by A, Ci invokes its oracle Enc q i+1 on the right messages, i.e., m1 , . . . , m1 , and sends the responses back to A. At the end, Ci outputs b , where b is the output of A. Just as above, Ci simulates Ri if b = 0 and Ri−1 if b = 1, which yields Pr[ARi ⇒ 0] − Pr[ARi−1 ⇒ 0] ≤ Pr[CiLR-RA ⇒ 0 | b = 0] − Pr[CiLR-RA ⇒ 0 | b = 1] ≤ AdvLR-RA (C ) . i

Let R be the adversary with the highest advantage among B1 , . . . , Bq , C1 , . . . , Cq . Then it holds that

522

J. Kr¨ amer and P. Struck

AdvLR-RA (A) ≤

q  

 Pr[ALi−1 ⇒ 0] − Pr[ALi ⇒ 0]

i=1

+

q  

 Pr[ARi ⇒ 0] − Pr[ARi−1 ⇒ 0]

i=1



q  

q     AdvLR-RA (Bi ) + AdvLR-RA (Ci )

i=1

i=1

≤ 2q AdvLR-RA (R) . This proves the claim.



We briefly discuss why the issue of the proof in [29] does not occur here. In [29], the reduction did not work as the adversary can query LR-Enc on (m0 , m1 ) in the i-th query and later make a flipping query (m1 , m0 ). Then the reduction would query (m0 , m1 ) to its oracle LR-Enc and later m1 to its oracle Enc which makes the reduction not equality-pattern respecting. The adversary can do the same in our case. However, our reduction invokes its oracle LR-Enc on (m0 , m∗ ), rather than (m0 , m1 ), which allows it to later invoke its oracle Enc on m1 . The issue of repeating queries does not occur as the reduction never makes an oracle query when the adversary makes a repeating query.

5

An Equivalent Security Notion

In this section we study security against resetting attacks in a real-or-random sense. In Sect. 5.1, we first define the corresponding security game and then show that security against adversaries making a single query to the challenge oracle implies security against adversaries making multiple queries to the challenge oracle. In classical security notions for public key encryption, it is known that left-or-right security and real-or-random security are equivalent. In Sect. 5.2, we show that this equivalence also holds for resetting attacks. As a side effect, these results yield a modular proof for our main result Theorem 12, which we give in Sect. 5.3. 5.1

Real-or-Random Security Against Resetting Attacks

In Fig. 8 we give the real-or-random security game RR-RA against resetting attacks. It is easy to see that this notion is unachievable, even when imposing the standard equality-pattern restrictions on the adversary (cf. Definition 2). An adversary simply queries the same message twice to its real-or-random oracle RR-Enc. In case b = 0, it obtains the same ciphertext since the same message is encrypted under the same randomness. In case b = 1, however, the ciphertexts will be different (even though they used the same randomness) as two different messages will be encrypted. This allows the adversary to distinguish with overwhelming probability.

Security of Public Key Encryption Against Resetting Attacks

523

Fig. 8. Security game to define RR-RA security.

To circumvent this trivial win, we can use the security game as displayed in Fig. 9. The game keeps a list of messages queried to the real-or-random oracle and ensures that, in case b = 1, the same random message is encrypted when the adversary queries the same challenge message. In the game displayed in Fig. 9 this is done via the table f . This prevents the trivial attack described above. However, it also renders repeating queries obsolete as it does not give the adversary any additional information.

Fig. 9. Real-or-random security dealing with repeating queries.

Due to this, we stick with the security game displayed in Fig. 8 and exclude repeating queries via the definition of equality-pattern respecting. Instead of having two different definitions for equality-pattern respecting, depending on the left-or-right and real-or-random case, we use the unified definition below. It extends Definition 2 to also cover real-or-random adversaries. Definition 13. Let ALR and ARR be adversaries playing LR-RA and RR-RA, respectively. Let further ELR (resp. ERR ) be the set of messages m such that ALR (resp. ARR ) makes a query (pk∗ , m) to Enc. Let (m[0]1 , m[1]1 ), . . . , (m[0]q , m[1]q ) be the queries that ALR makes to LR-Enc and m1 , . . . , mq be the queries of ARR to RR-Enc. We say that ALR is equality-pattern respecting if – for all b ∈ {0, 1} and i ∈ [q], m[b]i ∈ / ELR and

524

J. Kr¨ amer and P. Struck

– for all b ∈ {0, 1} and i = j, m[b]i = m[b]j =⇒ m[1 − b]i = m[1 − b]j . We say that ARR is equality-pattern respecting if – for all i ∈ [q], mi ∈ / ERR and – for i = j it holds that mi = mj . Just as for the left-or-right case, the real-or-random (RR-RA) advantage of an adversary is defined as its advantage over random guessing scaled to the interval from 0 to 1. Definition 14. Let Σ = (KGen,Enc,Dec) be a public key encryption scheme and the game RR-RA be defined as in Fig. 8. For any equality-pattern respecting adversary A, its RR-RA advantage is defined as AdvRR-RA (A) := 2 Pr[RR-RAA ⇒ true] − 1 . We now show that real-or-random security against adversaries making a single query to the challenge oracle RR-Enc implies real-or-random security against adversaries making multiple queries to the challenge oracle RR-Enc. It turns out that the standard hybrid technique, which failed in the left-or-right case, works for this setting. This stems from the fact that the real-or-random adversary submits only one message to its challenge oracle. This makes it impossible to make a flipping query which was the main issue in the left-or-right setting. Theorem 15. Let Σ be a public key encryption scheme and the game RR-RA be defined as in Fig. 8. Then for any equality-pattern respecting (cf. Definition 13) adversary A making q queries to its challenge oracle RR-Enc, there exists an equality-pattern respecting adversary B making 1 query to RR-Enc such that -RA (A) ≤ q AdvRR-RA (B) . AdvRR Σ Σ

Fig. 10. Hybrid games used to prove Theorem 15.

Security of Public Key Encryption Against Resetting Attacks

525

Proof. The theorem can be proven using a standard hybrid argument. We use q + 1 hybrid games H0 , . . . , Hq which are displayed in Fig. 10. In hybrid Hi , the first i queries are answered by encrypting a random message, while the remaining q − i queries are answered by encrypting the message provided by the adversary. It holds that AdvRR-RA (A) ≤ 2 Pr[RR-RAA ⇒ true] − 1 ≤ Pr[ARR-RA ⇒ 0 | b = 0] − Pr[ARR-RA ⇒ 0 | b = 1] ≤ Pr[AH0 ⇒ 0] − Pr[AHq ⇒ 0] ≤

q  

 Pr[AHi−1 ⇒ 0] − Pr[AHi ⇒ 0] .

i=1

We construct the following adversary Bi to bound the distinguishing advantage between Hi−1 and Hi for i ∈ [q]. It runs A on the same public key pk∗ it receives as input and answers any query to Enc by A using its own oracle Enc. For the first i − 1 challenge queries m1 , . . . , mi−1 by A, Bi invokes its oracle Enc on randomly chosen messages. For the i-th query mi , Bi invokes its own challenge oracle on mi and sends the obtained ciphertext back to A. For the last q − i queries mi+1 , . . . , mq by A, Bi invokes its oracle Enc on mi+1 , . . . , mq . The adversary Bi perfectly simulates Hi−1 and Hi for A if its own challenge bit is 0 and 1, respectively. To show that Bi is equality-pattern respecting, we have to show that it never repeats a query to RR-Enc and never queries a message to both RR-Enc and Enc. The former is trivial as Bi makes exactly one query to RR-Enc. For the latter, recall that only challenge queries by A that are answered using Enc can be problematic (otherwise, A would not be equality-pattern respecting). Since A is equality-pattern respecting, all its queries are on fresh messages, which yields that Bi never queries its challenge message also to Enc. Hence we have

Adv

RR-RA

(A) ≤

q   i=1



 Pr[AHi−1 ⇒ 0] − Pr[AHi ⇒ 0]

q  

 AdvRR-RA (Bi ) .

i=1

Let B be the adversary with the highest advantage among B1 , . . . , Bq . Then

Adv

RR-RA

(A) ≤

q  

 AdvRR-RA (Bi ) ≤ q AdvRR-RA (B) ,

i=1

which proves the claim.



526

5.2

J. Kr¨ amer and P. Struck

Real-or-Random and Left-or-Right Security Are Equivalent

In this section we show that our real-or-random security notion against resetting attacks is equivalent to the left-or-right security notion given in [29]. We show the equivalence by proving two lemmas. The former shows that left-or-right security implies real-or-random security while the latter shows that real-or-random security implies left-or-right security. The proofs appear in the full version [16]. Lemma 16. Let Σ be a public key encryption scheme and the games RR-RA and LR-RA be defined as in Fig. 8 and Fig. 2, respectively. Then for any equalitypattern respecting (cf. Definition 13) adversary A making q queries to its challenge oracle RR-Enc, there exists an equality-pattern respecting (cf. Definition 13) adversary B making q distinct queries to LR-Enc such that -RA (A) ≤ AdvLR-RA (B) . AdvRR Σ Σ Lemma 17. Let Σ be a public key encryption scheme and the games RR-RA and LR-RA be defined as in Fig. 8 and Fig. 2, respectively. Then for any equalitypattern respecting (cf. Definition 13) adversary A making q distinct queries to its challenge oracle LR-Enc, there exists an equality-pattern respecting (cf. Definition 13) adversary B making q queries to RR-Enc such that -RA (A) ≤ 2 AdvRR-RA (B) . AdvLR Σ Σ 5.3

A Modular Proof for Yilek’s Claim

Having established the equivalence between left-or-right and real-or-random via Lemma 16 and Lemma 17, we can leverage Theorem 15 to prove Theorem 12 more modular. Proof. (of Theorem 12). From Lemma 17, Theorem 15, and Lemma 16 there exist equality-pattern respecting adversaries B, C, and R, respectively, where – B makes q real-or-random queries, – C makes 1 real-or-random query, and – R makes 1 left-or-right query, such that (17) (15) (16) LR-RA RR-RA RR-RA LR-RA (A) ≤ 2 AdvΣ (B) ≤ ∈ Adv± (C) ≤ ∈ Adv± (R) . AdvΣ

This proves the claim.



Acknowledgements. This work was funded by the Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 – 236615297.

Security of Public Key Encryption Against Resetting Attacks

527

References 1. Melchor, C.A., et al.: HQC. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 2. Melchor, C.A., et al.: RQC. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 3. Albrecht, M.R., Orsini, E., Paterson, K.G., Peer, G., Smart, N.P.: Tightly secure ring-LWE based key encapsulation with short ciphertexts. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 29–46. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66402-6 4 4. Aragon, N., et al.: ROLLO. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 5. Bellare, M., et al.: Hedged public-key encryption: how to protect against bad randomness. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 232–249. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7 14 6. Bellare, M., Hoang, V.T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 627–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6 21 7. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10. 1007/11761679 25 8. Bos, J.W., et al.: CRYSTALS - kyber: a cca-secure module-lattice-based KEM. In: IEEE European Symposium on Security and Privacy, EuroS&P 2018, London, United Kingdom, April 24–26, 2018, pp. 353–367. IEEE (2018) 9. Carstens, T.V., Ebrahimi, E., Tabia, G.N., Unruh, D.: On quantum indistinguishability under chosen plaintext attack. IACR Cryptol. ePrint Arch., 2020:596 (2020) 10. D’Anvers, J.-P., et al.: SABER. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 11. Gagliardoni, T., Kr¨ amer, J., Struck, P.: Quantum indistinguishability for public key encryption. IACR Cryptol. ePrint Arch. 2020, 266 (2020) 12. Garcia-Morchon, O., et al.: Round5. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/postquantum-cryptography/round-2-submissions 13. Garfinkel, T., Rosenblum, M.: When virtual is harder than real: security challenges in virtual machine based computing environments. In: Proceedings of HotOS 2005: 10th Workshop on Hot Topics in Operating Systems, June 12–15, : Santa Fe, New Mexico, USENIX Association, USA (2005) 14. Huang, Z., Lai, J., Chen, W., Au, M.H., Peng, Z., Li, J.: Hedged nonce-based public-key encryption: adaptive security under randomness failures. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 253–279. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5 9 15. Kr¨ amer, J., Struck, P.: Encryption schemes using random oracles: from classical to post-quantum security. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 539–558. Springer, Cham (2020). https://doi.org/10.1007/978-3030-44223-1 29

528

J. Kr¨ amer and P. Struck

16. Kr¨ amer, J., Struck, P.: Security of public key encryption against resetting attacks. IACR Cryptol. ePrint Arch. 2020, 1316 (2020) 17. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2 21 18. Lu, X., et al.: LAC. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 19. Matsuda, T., Schuldt, J.C.N.: Related randomness security for public key encryption, revisited. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 280–311. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5 10 20. Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 21. Paterson, K.G., Schuldt, J.C.N., Sibborn, D.L.: Related randomness attacks for Public key encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 465–482. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-546310 27 22. Poppelmann, T., et al.: NewHope. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/post-quantumcryptography/round-2-submissions 23. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 1–40 (2009) 24. Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In NDSS 2010. The Internet Society (2010) 25. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/ 10.1007/978-3-540-25937-4 22 26. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2019). available at https://csrc.nist.gov/projects/postquantum-cryptography/round-2-submissions 27. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004). http://eprint.iacr.org/2004/ 332 28. Yang, G., Duan, S., Wong, D.S., Tan, C.H., Wang, H.: Authenticated key exchange under bad randomness. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 113– 126. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27576-0 10 29. Yilek, S.: Resettable public-key encryption: how to encrypt on a virtual machine. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 41–56. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5 4

The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures Mihir Bellare(B) and Wei Dai Department of Computer Science and Engineering, University of California San Diego, San Diego, USA {mihir,weidai}@eng.ucsd.edu Abstract. We introduce the Multi-Base Discrete Logarithm (MBDL) problem. We use this to give reductions, for Schnorr and Okamoto identification and signatures, that are non-rewinding and, by avoiding the notorious square-root loss, tighter than the classical ones from the Discrete Logarithm (DL) problem. This fills a well-known theoretical and practical gap regarding the security of these schemes. We show that not only is the MBDL problem hard in the generic group model, but with a bound that matches that for DL, so that our new reductions justify the security of these primitives for group sizes in actual use.

1

Introduction

It would not be an exaggeration to say that Schnorr identification and signatures [46] are amongst the best-known and most influential schemes in cryptography. With regard to practical impact, consider that Ed25519, a Schnorrderived signature scheme over twisted Edwards curves [13], is used, according to IANIX [35], in over 200 different things. (OpenSSL, OpenSSH and GnuPG to name a tiny fraction.) Meanwhile the algebraic structure of the Schnorr schemes has resulted in their being the basis for many advanced primitives including multi- [3,7,39,40], ring- [2,33] and threshold- [38,51] signatures. Proving security of these schemes has accordingly attracted much work. Yet, all known standard-model proofs [1,37,45] exhibit a gap: the proven bound on adversary advantage (success probability) is much inferior to (larger than) the one that cryptanalysis says is “true.” (The former is roughly the square-root of the latter. Accordingly we will refer to this as the square-root gap.) The square-root gap is well known and acknowledged in the literature. Filling this long-standing and notorious gap between theory and practice is the subject of this paper. We start with some background.

c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 529–552, 2020. https://doi.org/10.1007/978-3-030-65277-7_24

530

M. Bellare and W. Dai

Schnorr schemes. Let G be a group of prime order p, and g ∈ G a generator of G. We let ID = SchID[G, g] denote the Schnorr identification scheme [46] (shown in Fig. 4). The security goal for it is IMP-PA (impersonation under passive attack [25]). The Schnorr signature scheme DS = SchSig[G, g] [46] is derived from ID via the Fiat-Shamir transform [26] (also shown in Fig. 4). The security goal for it is UF (unforgeability under chosen-message attack [31]) in the ROM (random oracle model [11]). Recall that, G, g being public, the DL problem is for an adversary, given X = g x , to recover x. Since we will introduce variants, we may, for emphasis, refer to DL itself as the “basic” version of the discrete-logarithm problem. Existing standard-model proofs for both ID and DS [1,37,45] are based on the assumed hardness of DL. The heart of the proof for DS, and the cause of the square-root gap, is the rewinding reduction in the proof for ID. This makes ID the first and most basic concern. The situation with ID. The simplest proof of IMP-PA for ID = SchID[G, g] uses the Reset Lemma of [8]. It shows that, roughly:  1 imp-pa (t) ≤ dl (t) + , (1) p where imp-pa (t) is the probability of breaking IMP-PA security of ID in time t and dl (t) is the probability of breaking DL in time t. To draw quantitative conclusions about imp-pa (t) as required in practice, however, we now also need to estimate dl (t). The accepted way to do this is via the Generic Group Model (GGM) bound [48], believed to be accurate for elliptic curve groups. It says that dl (t) ≈

t2 . p

(2)

Putting together the two equations above, we get, roughly: t imp-pa (t) ≤ √ . p

(3)

There is, however, no known attack matching the bound of Eq. (3). Indeed, the best known time t attack on ID is via discrete-log computation and thus has the considerably lower success probability of t2 /p. For example if p ≈ 2256 the best known attack against ID gives a time t = 280 attacker a success probability of √ t2 /p = 2−96 , but Eq. (3) only rules out a success probability of t/ p = 2−48 . The proof is thus under-estimating security by a fairly large margin. Accordingly in practice the proof is largely viewed as a qualitative rather than quantitative guarantee, group sizes being chosen in ad hoc ways. Improving the reduction of Eq. (1) to bring the theory more in line with the indications of cryptanalysis has been a long-standing open question. Tiers and knobs. Before continuing with how we address this question, we draw attention to the two-tiered framework of a security proof for a scheme

The Multi-Base Discrete Logarithm Problem

531

S (above, S = ID) based on the assumed hardness of some problem P (above, P=DL). The first tier is the reduction from P. It is represented above by Eq. (1). The second tier is the estimate of the security of P itself, made (usually) in an idealized model such as the GGM [48] or AGM (Algebraic Group Model) [28]. It is represented above by Eq. (2). Both tiers are necessary to draw quantitative conclusions. This two-tier structure is an accepted one for security proofs, and widely, even if not always explicitly, used. In this structure, we have the flexibility of choice of P, making this a “knob” that we can tune. Creative and new choices of P have historically been made, and been very valuable in cryptography, yielding proofs for existing schemes and then going on to be useful beyond. Historically, a classical example of such a (at the time, new) P is the Diffie-Hellman problem; the schemes S whose proof this allows include the Diffie-Hellman secret-key exchange [22] and the El Gamal public-key encryption scheme [24]. An example P closer to our work is the OneMore Discrete Logarithm (OMDL) problem [6], which has by now been used to prove many schemes S [8,21,23,27,44]. But this knob-tuning approach is perhaps most visible in the area of bilinear maps, where many choices of problem P have been made, justified in the GGM, and then used to prove security of many schemes S. In the same tradition, we ask, how can we tune the knob to fill the square-root gap? Our answer is a choice of P we call MBDL. MBDL. Our Multi-Base Discrete Logarithm (MBDL) problem is a variant of the One-More Discrete Logarithm (OMDL) problem of [6]. Continue to fix a cyclic group G and generator g of G. In MBDL, the adversary is given a challenge Y ∈ G, a list X1 , X2 , . . . , Xn ∈ G∗ of generators of G, and access to an oracle DLO that, on input i, W , returns DLG,Xi (W ), the discrete logarithm of W , not in base g, but in base Xi . To win it must find DLG,g (Y ), the discrete logarithm of the challenge Y to base g, while making at most one call to DLO overall, meaning it is allowed to take the discrete log of at most one group element. (But this element, and the base Xi , can be chosen as it wishes.) The number of bases n is a parameter of the problem, so that one can refer to the n-MBDL problem or assumption. (Our results will rely only on 1-MBDL, but we keep the definition general for possible future applications.) The restriction to at most one DLO call is necessary, for if even two are allowed, DLG,g (Y ) can be obtained as DLO(1, Y ) · DLO(1, g)−1 mod p where p = |G|. Core results. We suggest that the square-root gap of Eq. (1) is a manifestation of an unformalized strength of the discrete logarithm problem. We show that this strength is captured by the MBDL problem. We do this by giving a proof of IMP-PA security of the Schnorr identification scheme ID = SchID[G, g] with a tight reduction from 1-MBDL: letting 1-mbdl (t) be the probability of breaking the 1-MBDL problem in time t, Theorem 1 says that, roughly: imp-pa (t) ≤ 1-mbdl (t) +

1 . p

(4)

532

M. Bellare and W. Dai

Fig. 1. Speedups yielded by our results for the Schnorr identification scheme ID = SchID[G, g] (top) and signature scheme DS = SchSig[G, g] (bottom). The target for the first is that IMP-PA adversaries with running time t should have advantage at most . We show the log of the group size pi required for this under prior results (i = 1), and our results (i = 2). Assuming exponentiation in G is cubic-time, we then show the speedup ratio of scheme algorithms. The target for the second is that UF adversaries with running time t, making qh queries to H, should have advantage at most , and the table entries are analogous.

Equation (4) does not suffer from the square-root gap of Eq. (1). Progress. But this is in the first of the two tiers discussed above. Turning to the second, we ask, how hard is MBDL? Theorem 3 shows that, in the GGM, roughly: 1-mbdl (t) ≈

t2 . p

(5)

That is, 1-MBDL problem has essentially the same GGM quantitative hardness as DL. Putting Eqs. (4) and (5) together, we get (roughly) the following improvement over Eq. (3): imp-pa (t) ≤

t2 . p

(6)

This bound is tight in the sense that it matches the indications of cryptanalysis. A direct indication of the practical value of this improvement is that, for a given target level of provable security, we increase efficiency. Thus suppose that, for some chosen values of , t, we want to pick the group G to ensure imp-pa (t) ≤ . Equation (6) allows us to use smaller groups than Eq. (3). Since scheme algorithms have running time cubic in the log of p = |G|, this results in a performance improvement. Figure 1 says that this improvement can range from 1.9× to 3×. What has been gained? A natural question is that our results rely on a new assumption (MBDL), so what has been gained? Indeed, MBDL, as with any new

The Multi-Base Discrete Logarithm Problem

533

assumption, should be treated with caution. However, it seems that improving Eq. (1) to something like Eq. (4) under the basic DL assumption is out of reach and likely not possible, and thus that, as indicated above, the apparent strength of the Schnorr schemes indicated by cryptanalysis is arising from stronger hardness properties of the discrete log problem not captured in the basic version. We are trying to understand and formalize this hardness via new problems that tightly imply security of the Schnorr primitives. Of course it would not be hard to introduce some problem which allows this. But we believe MBDL, and our results, are “interesting” in this regard, for the following reasons. First, MBDL is not a trivial reformulation of the IMP-PA security of ID, meaning we are not just assuming the square-root problem out of existence. Second, and an indication of the first, is that the proof of the IMP-PA security of ID from MBDL (see “Reduction approach” below) is correspondingly not trivial. Third, the use of MBDL is not confined to Schnorr identification; as we also discuss below under “MBDL as a hub,” it already has many further applications and uses, and we imagine even more will arise in the future. Reduction approach. The proof of Eq. (1) uses a rewinding argument that exploits the special soundness property of the Schnorr identification scheme, namely that from two compatible transcripts —this means they are accepting and have the same commitment but different challenges— one can extract the secret key. To find the discrete log, in base g, of a given challenge Y , the discrete log adversary B plants the challenge as the public key X and performs two, related runs of the given IMP-PA adversary, hoping to get two compatible transcripts, in which case it can extract the secret key and solve its DL instance. The Reset Lemma [8] says it is successful with probability roughly the square of the IMP-PA advantage of A, leading to the square-root in Eq. (1). Recall that our 1-mbdl adversary B gets input a challenge Y whose discrete logarithm in the usual base g it must find, just like a DL adversary. To get Eq. (4) we must avoid rewinding. The question is how and why the ability to take one discrete logarithm in some random base X1 helps to do this and get a tight reduction. Our reduction deviates from prior ones by not setting Y to the public key. Instead, it sets X1 to the public key. Then, it performs a single execution of the given IMP-PA adversary A, “planting” Y in the communication in such a way that success of A in impersonating the prover yields DLG,g (Y ). This planting step makes one call to DLO(1, ·), meaning asks for a discrete logarithm in base X1 of some W that depends on the execution. The full proof is in Sect. 4. MBDL as a hub. Having identified MBDL, we find that its applicability extends well beyond what is discussed above, making it a hub. Here we briefly discuss further results from MBDL. The Schnorr signature scheme DS = SchSig[G, g] has a proof of UF-security in the ROM under the basic DL assumption [1,37,42,45]. The bound—recalled in Eq. (15)— continues to exhibit the square-root gap. Theorem 2 gives a squareroot avoiding reduction from 1-MBDL to fill this gap. Figure 1 shows resulting speedup factors of 1.6× to 2.5× for Schnorr signatures.

534

M. Bellare and W. Dai

Security above refers to the single-user setting. Our results extend to tightly reduce the multi-user IMP-PA security of SchID[G, g] to 1-MBDL, and analogously for signatures. This can be shown directly, but is also a consequence of general results of [37]. The situation for the Okamoto identification and signature schemes [43] is analogous to that for Schnorr, meaning the reductions in the current security proofs, from DL, use rewinding and has the square-root loss. In [5] we give results for Okamoto that are analogous to our results for Schnorr, meaning reductions from 1-MBDL that avoid the square root. There’s more. In a follow-up work, we also give reductions from MBDL that improve security of the following: (1) Bellare-Neven multi-signatures [7] (2) Abe, Ohkubo, Suzuki 1-out-of-n (ring/group) signatures [2] and (3) Schnorr-based threshold signatures [51]. Related work. One prior approach to resolving the square-root gap has been to use only an idealized model like the GGM [48] or AGM [28]. Thus, Shoup [48] directly showed that imp-pa (t) ≤ t2 /p in the GGM. Fuchsbauer, Plouviez and Seurin [29] give, in the AGM, a tight reduction from DL to the UF security of DS = SchSig[G, g]. These results correspond to a setting of the knob, in the above-discussed two-tier framework, that is maximal: P is the target scheme itself (here Schnorr identification or signatures), so that the first tier is trivial and the second tier directly proves the scheme secure in the idealized model. But it is well understood that idealized models have limitations. Proofs in the GGM assume the adversary does not exploit the representation of group elements. In the AGM, it is assumed that, whenever an adversary provides a group element Z, it is possible to extract its representation as a product of known powers of prior group elements. This is analogous to a “knowledge of exponent assumption” [9,20,32]. However, even in a typical elliptic curve group, an adversary can quite easily create group elements without “knowing” such a representation. The maximal setting of knob (working purely in an idealized model) means the security guarantee on the scheme is fully subject to the limitations of the idealized model. With MBDL, we, instead make a non-trivial, moderate setting of the knob. Our tight reductions from MBDL, such as Eq. (4), are in the standard model, and make no GGM or AGM-like assumptions on adversaries. It is of course true that we justify MBDL in the GGM (Theorem 3), but we are limiting the use of the idealized model to show security for a purely number-theoretic problem, namely MBDL. The first direct benefit is better security guarantees for the schemes. The second is that MBDL is a hub. As discussed above, we can prove security of many schemes from it, which reduces work compared to proving them all from scratch in idealized models, and also increases understanding by identifying a problem that is at the core of many things. Another prior approach to improving reduction tightness has been to change metrics, measuring tightness, not via success probability and running time taken individually, but via their ratio [37]. This however does not translate to actual, numeric improvements. To discuss this further, let IMP-KOA denote

The Multi-Base Discrete Logarithm Problem

535

impersonation under key-only attack. (That is, IMP-PA for adversaries making zero queries to their transcript oracle.) Kiltz, Masny and Pan (KMP) [37] define a problem they call 1-IDLOG that is a restatement of (“precisely models,” in their language) the IMP-KOA security of ID = SchID[G, g]. Due to the zero knowledge of ID, its IMP-PA security reduces tightly to its IMP-KOA security and thus to 1-IDLOG. Now, KMP [37] give a reduction of 1-IDLOG to DL that is ratio-tight, meaning preserves ratios of advantage to running time. This, however, uses rewinding, and is not tight in our sense, incurring the usual square-root loss when one considers running time and advantage separately. In particular the results of KMP do not seem to allow group sizes any smaller than allowed by the classical Eq. (1). Our reductions, in contrast, are tight for advantage and time taken individually, and across the full range for these values, and numerical estimates (Fig. 1) show clear improvements over what one gets from Eq. (1). Also our results establish 1-IDLOG tightly (not merely ratio-tightly) under 1-MBDL. We discuss ratio-tightness further in [5]. Discussion. Measuring quality of a reduction in terms of bit security effectively only reflects the resources required to attain an advantage close to 1. Under this metric, whether one starts from Eq. (1) or Eq. (4), one concludes that ID = SchID[G, g] has log2 (|G|)/2-bits of security. This reflects bit security being a coarse metric. The improvement offered by Eq. (4) over Eq. (1) becomes visible when one considers the full curve of advantage as a function of runtime, and is visible in Fig. 1. While new assumptions (like MBDL) should of course be treated with caution, cryptographic research has a history of progress through introducing them. For example, significant advances were obtained by moving from the CDH assumption to the stronger DDH one [19,41]. Pairing-based cryptography has seen a host of assumptions that have had many further applications, including the bilinear Diffie-Hellman (BDH) assumption of [17] and the DLIN assumption of [16]. The RSA Φ-Hiding assumption of [18] has since found many applications. This suggests that the introduction and exploration of new assumptions, which we continue, is an interesting and productive line of research. There is some feeling that “interactive” or “non-falsifiable” assumptions are undesirable. However, it depends on the particular assumption. There are interactive assumptions that are unbroken and successful, like OMDL [6], while many non-interactive ones have been broken. It is important that it be possible to show an assumption is false, but this is possible even for assumptions that are classified as “non-falsifiable;” for example, knowledge-of-exponent assumptions have successfully been shown to be false through cryptanalysis [9]. (The latter result assumes DL is hard.) MBDL is similarly amenable to cryptanalytic evaluation.

2

Preliminaries

Notation. If n is a positive integer, then Zn denotes the set {0, . . . , n − 1} and [n] or [1..n] denote the set {1, . . . , n}. We denote the number of coordinates

536

M. Bellare and W. Dai

Fig. 2. Let G be a group of prime order p = |G|, and let g ∈ G∗ be a generator of G. Left: Game defining standard discrete logarithm problem. Right: Game defining (n, m)multi-base discrete logarithm problem. Recall DLG,X (W ) is the discrete logarithm of W ∈ G to base X ∈ G∗ .

of a vector x by |x|. If x is a vector then |x| is its length (the number of its coordinates), x[i] is its i-th coordinate and [x] = { x[i] : 1 ≤ i ≤ |x| } is the set of all its coordinates. A string is identified with a vector over {0, 1}, so that if x is a string then x[i] is its i-th bit and |x| is its length. By ε we denote the empty vector or string. The size of a set S is denoted |S|. For sets D, R let FNS(D, R) denote the set of all functions f : D → R. Let S be a finite set. We let x ←$ S denote sampling an element uniformly at random from S and assigning it to x. We let y ← AO1 ,... (x1 , . . . ; r) denote executing algorithm A on inputs x1 , . . . and coins r with access to oracles O1 , . . . and letting y be the result. We let y ←$ AO1 ,... (x1 , . . .) be the resulting of picking r at random and letting y ← AO1 ,... (x1 , . . . ; r). We let [AO1 ,... (x1 , . . .)] denote the set of all possible outputs of A when invoked with inputs x1 , . . . and oracles O1 , . . .. Algorithms are randomized unless otherwise indicated. Running time is worst case. Games. We use the code-based game playing framework of [12]. (See Fig. 3 for an example.) Games have procedures, also called oracles. Amongst these are Init and a Fin. In executing an adversary A with a game Gm, procedure Init is executed first, and what it returns is the input to A. The latter may now call all game procedures except Init, Fin. When the adversary terminates, its output is viewed as the input to Fin, and what the latter returns is the game output. By Pr[Gm(A)] we denote the event that the execution of game Gm with adversary A results in output true. In writing game or adversary pseudocode, it is assumed that boolean variables are initialized to false, integer variables are initialized to 0 and set-valued variables are initialized to the empty set ∅. When adversary A is executed with game Gm, the running time of the adversary, denoted TA , assumes

The Multi-Base Discrete Logarithm Problem

537

game procedures take unit time to respond. By QO A we denote the number of queries made by A to oracle O in the execution. These counts are all worst case. Groups. Let G be a group of order p. We will use multiplicative notation for the group operation, and we let 1G denote the identity element of G. We let G∗ = G \ {1G } denote the set of non-identity elements, which is the set of generators of G if the latter has prime order. If g ∈ G∗ is a generator and X ∈ G, the discrete logarithm base g of X is denoted DLG,g (X), and it is in the set Z|G| .

3

The Multi-base Discrete-Logarithm Problem

We introduce the multi-base discrete-logarithm (MBDL) problem. It is similar in flavor to the one-more discrete-logarithm (OMDL) problem [6], which has found many applications, in that it gives the adversary the ability to take discrete logarithms. For the rest of this Section, we fix a group G of prime order p = |G|, and we fix a generator g ∈ G∗ of G. Recall that DLG,g : G → Zp is the discrete logarithm function in G with base g. DL and OMDL. We first recall the standard discrete logarithm (DL) problem via game Gdl G,g on the left of Fig. 2. Init provides the adversary, as input, a random challenge group element Y , and to win it must output y  = DLG,g (Y ) dl to Fin. We let Advdl G,g (A) = Pr[GG,g (A)] be the discrete-log advantage of A. In the OMDL problem [6], the adversary can obtain many random challenges Y1 , Y2 , . . . , Yn ∈ G. It has access to a discrete log oracle that given W ∈ G returns DLG,g (W ). For better comparison with MBDL, let’s allow just one query to this oracle. To win it must compute the discrete logarithms of two group elements from the given list Y1 , Y2 , . . . , Yn ∈ G. The integer n ≥ 2 is a parameter of the problem. MBDL. In the MBDL problem we introduce, we return, as in DL, to there being a single random challenge point Y whose discrete logarithm in base g the adversary must compute. It has access to an oracle DLO to compute discrete logs, but rather than in base g as in OMDL, to bases that are public, random group elements X1 , X2 , . . . , Xn . It is allowed just one query to DLO. (As we will see, this is to avoid trivial attacks.) The integer n ≥ 1 is a parameter of the problem. Proceeding formally, consider game Gmbdl G,g,n on the right in Fig. 2, where n ≥ 1 is an integer parameter called the number of bases. The adversary’s input, as provided by Init, is a random challenge group element Y together with random generators X1 , X2 , . . . , Xn . It can call oracle DLO with an index i ∈ [n] and any group element W ∈ G of its choice to get back DLG,Xi (W ). Just one such call is allowed. At the end, the adversary wins the game if it outputs y  = DLG,g (Y ) to Fin. We define the mbdl-advantage of A by mbdl Advmbdl G,g,n (A) = Pr[GG,g,n (A)] .

538

M. Bellare and W. Dai

Fig. 3. Left: Algorithm defining an honest execution of the canonical identification scheme ID given key pair (sk, vk). Right: Game defining IMP-PA security of ID.

Discussion. By n-MBDL we will refer to the problem with parameter n. It is easy to see that if n-MBDL is hard then so is n -MBDL for any n ≤ n. Thus, the smaller the value of n, the weaker the assumption. For our results, 1-MBDL, the weakest assumption in the series, suffices. We explain why at most one DLO query is allowed. Suppose the adversary is allowed two queries. It could compute a = DLO(1, Y ) = DLG,X1 (Y ) and b = DLO(1, g) = DLG,X1 (g), so that X1a = Y and X1b = g. Now the adversary  −1 returns y  ← ab−1 mod p and we have g y = (g b )a = X1a = Y , so the adversary wins. As evidence for the hardness of MBDL, Theorem 3 proves good bounds on the adversary advantage in the generic group model (GGM). It is also important to consider non-generic approaches to the discrete logarithm problem over elliptic curves, including index-calculus methods and Semaev polynomials [30,36,47,49, 50], but, to the best of our assessment, these do not yield attacks on MBDL that beat the GGM bound of Theorem 3. The MBDL problem as we have defined it can be generalized to allow multiple DLO queries with the restriction that at most one query is allowed per base, meaning for each i there can be at most one DLO(i, ·) query. In this paper, we do not need or use this extension. We have found applications based on it, but not pursued them because we have been unable to prove security of this extended version of MBDL in the GGM. We consider providing such a GGM proof an intriguing open question, resolving which would open the door to several new applications. Our formalizations of DL and MBDL fix the generator g. See [4] for a discussion of fixed versus random generators.

The Multi-Base Discrete Logarithm Problem

4

539

Schnorr Identification and Signatures from MBDL

In this section, we give a tight reduction of the IMP-PA security of the Schnorr identification scheme to the 1-MBDL problem and derive a corresponding improvement for Schnorr signatures. Identification Schemes. We recall that a (canonical) identification scheme [1] ID (see Fig. 4 for an example) is a 3-move protocol in which the prover sends a first message called a commitment, the verifier sends a random challenge, the prover sends a response that depends on its secret key, and the verifier makes a decision to accept or reject based on the conversation transcript and the prover’s public key. Formally, ID is specified by algorithms ID.Kg, ID.Cmt, ID.Rsp, and ID.Vf, as well as a set ID.Ch of challenges Via (vk, sk) ←$ ID.Kg, the key generation algorithm generates public verification key vk and associated secret key sk. Algorithms ID.Cmt and ID.Rsp are the prover algorithms. The commitment algorithm ID.Cmt takes input the public key vk and returns a commitment message R to send to the verifier, as well as a state st for the prover to retain. The deterministic response algorithm ID.Rsp takes input the secret key sk, a challenge c ∈ ID.Ch sent by the verifier, and a state st, to return a response z to send to the verifier. The deterministic verification algorithm ID.Vf takes input the public key and a conversation transcript R, c, z to return a decision b ∈ {true, false} that is the outcome of the protocol. An honest execution of the protocol is defined via procedure ExecID shown in the upper left of Fig. 3. It takes input a key pair (vk, sk) ∈ [ID.Kg] to return a pair (b, tr) where b ∈ {true, false} denotes the verifier’s decision whether to accept or reject and tr = (R, c, z) is the transcript of the interaction. We require that ID schemes satisfy (perfect) completeness, namely that for any (vk, sk) ∈ [ID.Kg] and any (b, tr) ∈ [ExecID (sk, vk)] we have b = true. Impersonation under passive attack (IMP-PA) [25] is a security metric asking that an adversary not in possession of the prover’s secret key be unable to impersonate the prover, even given access to honestly generated transcripts. imp-pa given in the right column of Fig. 3. An Formally, consider the game GmID adversary has input the public key vk returned by Init. It then has access to honest transcripts via the oracle Tr. When it is ready to convince the verifier, it submits its commitment R∗ to oracle Ch. We allow only one query to Ch. In response the adversary obtains a random challenge c∗ . It must now output a response z∗ to Fin, and the game returns true iff the transcript is accepted by ID.Vf. The R∗ , c∗ at line 4 are, respectively, the prior query to Ch, and the response chosen at line 3. We define the IMP-PA advantage of A against ID as imp-pa imp-pa (A) = Pr[GmID (A)], the probability that the game returns true. AdvID Schnorr identification scheme and prior results. Let G be a group of prime order p = |G|, and g ∈ G∗ a generator of G. We recall the Schnorr identification scheme [46] ID = SchID[G, g] in Fig. 4. The public key vk = X = g x ∈ G where sk = x ∈ Zp is the secret key. The commitment is R = g r ∈ G, and r is returned as the prover state by the commitment algorithm. Challenges are drawn from ID.Ch = Zp , and the response z and decision b are computed as shown.

540

M. Bellare and W. Dai

Fig. 4. Let G be a group of prime order p = |G| and let g ∈ G∗ be a generator of G. The Schnorr ID scheme ID = SchID[G, g] is shown pictorially at the top and algorithmically at the bottom left. At the bottom right is the Schnorr signature scheme DS = SchSig[G, g], using H : G × {0, 1}∗ → Zp .

The IMP-PA security of ID = SchID[G, g] based on DL is proven by a rewinding argument. The simplest analysis is via the Reset Lemma of [8]. It leads to the following (cf. [8, Theorem 2], [10, Theorem 3]). Let A be an adversary attacking the IMP-PA security of ID. Then there is a discrete log adversary B such that  1 imp-pa . (7) (A) ≤ Advdl AdvID G,g (B) + p Additionally, the running time TB of B is roughly 2 TA plus simulation overhead exp exp is the time for an exponentiation in G. O(QTr A · TG ), where TG Our result. We show that the IMP-PA-security of the Schnorr identification scheme reduces tightly to the 1-MBDL problem. The reduction does not use rewinding. Our mbdl-adversary B solves the 1-MBDL problem by running the given imp-pa adversary A just once, so the mbdl-advantage, and running time, of the former, are about the same as the imp-pa advantage, and running time, of the latter. Refer to Sect. 2 for notation like TA , QTr A.

The Multi-Base Discrete Logarithm Problem

541

Theorem 1. Let G be a group of prime order p = |G|, and let g ∈ G∗ be a generator of G. Let ID = SchID[G, g] be the Schnorr identification scheme. Let A be an adversary attacking the imp-pa security of ID. Then we can construct an adversary B (shown explicitly in Fig. 5) such that -pa (A) ≤ Advmbdl (B) + Advimp G,g,1 ID

1 . p

(8)

exp Additionally, TB is roughly TA plus simulation overhead O(QTr A · TG ).

Proof (of Theorem 1). Recall that, when reducing IMP-PA security of Schnorr to DL, the constructed dl adversary B sets the target point Y to be the public key X. It is natural to take the same approach in our case. The question is how to use the discrete logarithm oracle DLO to avoid rewinding and get a tight reduction. But this is not clear and indeed the DLO oracle does not appear to help towards this. Our reduction deviates from prior ones by not setting the target point Y to be the public key. Instead we look at a successful impersonation by A. (Simulation of A’s transcript oracle Tr is again via the honest-verifier zero-knowledge property of the scheme.) Adversary A provides R∗ , receives c∗ and then returns z∗ satisfying g z∗ = R∗ X c∗ , where X is the public key. Thus, A effectively computes the discrete logarithm of R∗ X c∗ . We make this equal our mbdl challenge Y , meaning B, on input Y , arranges that Y = R∗ X c∗ . If it can do this successfully, the z∗ returned by A will indeed be DLG,g (Y ), which it can output and win. But how can we arrange that Y = R∗ X c∗ ? This is where the DLO oracle enters. Adversary B gives X as input to A, meaning the public key is set to the group generator relative to which B may compute discrete logarithms. Now, when A provides R∗ , our adversary B returns a challenge c∗ that ensures Y = R∗ X c∗ . This means c∗ = DLG,X (Y R∗−1 ), and this is something B can compute via its DLO oracle. Some details include that the X returned by Init is a generator, while the public key is a random group element, so they are not identically distributed, and that the challenge computed via DLO must be properly distributed. The analysis will address these. For the formal proof, consider the games of Fig. 5. Procedures indicate (via comments) in which games they are present. Game Gm1 includes the boxed code at line 2 while Gm0 does not. The games implement the transcript oracle via the zero-knowledge simulation rather than using the secret key, but otherwise imp-pa so we have Gm0 is the same as game GmID imp-pa AdvID (A) = Pr[Gm0 (A)]

= Pr[Gm1 (A)] + (Pr[Gm0 (A)] − Pr[Gm1 (A)]) . Games Gm0 , Gm1 are identical-until-bad, so by the Fundamental Lemma of Game Playing [12] we have Pr[Gm0 (A)] − Pr[Gm1 (A)] ≤ Pr[Gm1 (A) sets bad] .

542

M. Bellare and W. Dai

Fig. 5. Top: MBDL adversary B for Theorem 1, based on IMP-PA adversary A. Bottom: Games for proof of Theorem 1.

Clearly Pr[Gm1 (A) sets bad] ≤ 1/p. Now we can work with Gm1 , where the public key X is a random element of G∗ rather than of G. We claim that Pr[Gm1 (A) = Pr[Gm2 (A)] .

(9)

We now justify this. At line 4, game Gm2 picks x directly from Z∗p , just like Gm1 , and also rewrites Fin in a different but equivalent way. The main thing to check is that Ch in Gm2 is equivalent to that in Gm1 , meaning line 6 results in c∗ being uniformly distributed in Zp . For this regard R∗ , X as fixed and define the function fR∗ ,X : G → Zp by fR∗ ,X (Y ) = DLG,X (R∗−1 Y ). The adversary has no information about Y prior to receiving c∗ at line 6, so the claim is established

The Multi-Base Discrete Logarithm Problem

543

if we show that fR∗ ,X is a bijection. This is true because X ∈ G∗ is a generator, which means that the function hR∗ ,X : Zp → G defined by hR∗ ,X (c∗ ) = R∗ X c∗ is the inverse of fR∗ ,X . This establishes Eq. (9). We now claim that adversary B, shown in Fig. 5, satisfies Pr[Gm2 (A)] ≤ Advmbdl G,g,1 (B) .

(10)

Putting this together with the above completes the proof, so it remains to justify Eq. (10). Adversary B has access to oracle DLO as per game Gmbdl G,g,1 . In the code, Ch and Tr are subroutines defined by B and used to simulate the oracles of the same names for A. Adversary B has input the challenge Y whose discrete logarithm in base g it needs to compute, as well as the base X relative to which it may perform one discrete log operation. It runs A on input X, so that the latter functions as the public key, which is consistent with Gm2 . The subroutine Ch uses DLO to produce c∗ the same way as line 6 of Gm2 . It simulates Tr as per line 7 of Gm2 . If Gm2 returns true at line 9 then we have g z∗ = X c∗ R∗ =

W R∗ = R∗−1 Y R∗ = Y , so B wins. Quantitative comparison. Concrete security improvements are in the end efficiency improvements, because, for a given security level, we can use smaller parameters, and thus the scheme algorithms are faster. Here we quantify this, seeing what Eq. (8) buys us over Eq. (7) in terms of improved efficiency for the identification scheme. We take as goal to ensure that any adversary A with running time t has imp-pa (A) ≤  in violating IMP-PA security of ID = SchID[G, g]. advantage AdvID Here t,  are parameters for which many choices are possible. For example, t = 290 and  = 2−32 is one choice, reflecting a 128-bit security level, where we define the bit-security level as log2 (t/). The cost of scheme algorithms is the cost of exponentiation in the group, which is cubic in the representation size k = log p of group elements. So we ask what k must be to provably ensure the desired security. Equations (7) and (8) will yield different choices of k, denoted k1 and k2 , with k2 < k1 . We will conclude that Eq. (8) allows a s = (k1 /k2 )3 -fold speedup for the scheme. Let B1 denote the DL adversary referred to in Eq. (7), and B2 the 1-MBDL adversary referred to in (8). To use the equations, we now need estimates on their respective advantages. For this, we assume G is a group in which the security of discrete-log-related problems is captured by the bounds proven in the generic group model (GGM), as seems to be true, to best of our current understanding, for certain elliptic curve groups. We will ignore the simulation overhead in running time since the number of transcript queries of A reflects online executions of the identification protocol and should be considerably less than the running time of A, so that we take the running times of both B1 and B2 to be about t, the running time of our IMP-PA adversary A. Now the classical result 2 of Shoup [48] says that Advdl G,g (B1 ) ≈ t /p, and our Theorem 3 says that also mbdl 2 AdvG,g,1 (B2 ) ≈ t /p.

544

M. Bellare and W. Dai

Here we pause to highlight that these two bounds being the same is a central attribute of the 1-MBDL assumption. That Theorem 1 (as per Fig. 1) provides efficiency improvements stems not just from the reduction of Eq. (8) being tight, but also from that fact that the 1-MBDL problem is just as hard to solve as the dl 2 DL problem, meaning Advmbdl G,g (B2 ) ≈ AdvG,g (B1 ) ≈ t /p. Continuing, putting together what we have so far gives two bounds on the IMP-PA advantage of A, the first via Eqs. (7) and the second via Eq. (8), namely, dropping the 1/p terms,  t t2 imp-pa =√ (11) (A) ≤ 1 (t) = AdvID p p imp-pa AdvID (A) ≤ 2 (t) =

t2 . p

(12)

-pa Recall our goal was to ensure that Advimp SchID[G,g] (A) ≤ . We ask, what value of p, in either case, ensures this? Solving for p in the equations  = 1 (t) and  = 2 (t), we get two corresponding values, namely p1 ≈ t2 /2 and p2 ≈ t2 /. We see that p1 > p2 , meaning Theorem 1 guarantees the same security as Eq. (7) in groups of a smaller size. Finally, the ratio of representation sizes for group elements is r≈

log(t2 /) + log(1/) log(1/) log(p1 ) ≈ =1+ . 2 log(p2 ) log(t /) log(t2 /)

Scheme algorithms employ exponentiation in the group and are thus cubic time, so the ratio of speeds is s = r3 , which we call the speedup factor, and we can now estimate it numerically. For a few values of t, , Fig. 1 shows the log of the group size pi needed to ensure the desired security under prior results (i = 1) and ours (i = 2). Then it shows the speedup s. For example if we want attacks of time t = 264 to achieve advantage at most  = 2−64 , prior results would require a group of size p1 satisfying log(p1 ) ≈ 256, while our results allow it with a group of size log(p2 ) ≈ 192, which yields a 2.4× speedup. Of course many more examples are possible. Signature schemes. Towards results on the Schnorr signature scheme, we start by recalling definitions. A signature scheme DS specifies key generation algorithm DS.Kg, signing algorithm DS.Sign, deterministic verification algorithm DS.Vf and a set DS.HF of functions called the hash function space. Via (vk, sk) ←$ DS.Kg the signer generates a public verification key vk and secret signing key sk. Via σ ←$ DS.Signh (sk, m) the signing algorithm takes sk and a message m ∈ {0, 1}∗ , and, with access to an oracle h ∈ DS.HF, returns a signature σ. Via b ← DS.Vf h (vk, m, σ), the verifier obtains a boolean decision b ∈ {true, false} about the validity of the signature. The correctness requirement is that for all h ∈ DS.HF, all (vk, sk) ∈ [DS.Kg], all m ∈ {0, 1}∗ and all σ ∈ [DS.Signh (sk, m)] we have DS.Vf h (vk, m, σ) = true.

The Multi-Base Discrete Logarithm Problem

545

Fig. 6. Game defining UF security of signature scheme DS.

Game Guf in Fig. 6 captures UF (unforgeability under chosen-message attack) [31]. Procedure H is the random oracle [11], implemented as a function h chosen at random from DS.HF. We define the UF advantage of adversary uf A as Advuf DS (A) = Pr[GDS (A)]. Schnorr signatures. The Schnorr signature scheme DS = SchSig[G, g] is derived by applying the Fiat-Shamir transform [26] to the Schnorr identification scheme. Its algorithms are shown at the bottom right of Fig. 4. The set DS.HF consists of all functions h : G × {0, 1}∗ → Zp . Our and prior results. We give a reduction, of the UF security of the Schnorr signature scheme to the 1-MBDL problem, that loses only a factor of the number of hash-oracle queries of the adversary. We start by recalling the following lemma from [1]. It derives the UF security of SchSig[G, g] from the IMP-PA security of SchID[G, g]: Lemma 1. [1] Let G be a group of prime order p = |G|, and let g ∈ G∗ be a generator of G. Let ID = SchID[G, g] and DS = SchID[G, g] be the Schnorr identification and signature schemes, respectively. Let Ads be an adversary attacking Sign Sign the uf-security of DS. Let α = (1 + QH Ads + QAds )QAds . Then we can construct an adversary Aid such that imp-pa H (Aid ) + Advuf DS (Ads ) ≤ (1 + QAds ) · AdvID Sign Additionally, TAid ≈ TAds and QTr Aid = QAds .

α . p

546

M. Bellare and W. Dai

Fig. 7. Game defining n-MBDL problem in the generic group model.

Combining this with Theorem 1, we have: Theorem 2. Let G be a group of prime order p = |G|, and let g ∈ G∗ be a generator of G. Let DS = SchSig[G, g] be the Schnorr signature scheme. Let A be Sign Sign + an adversary attacking the uf security of ID. Let β = (1 + QH A + QA )QA H (1 + QA ). Then we can construct an adversary B such that mbdl H Advuf DS (A) ≤ (1 + QA ) · AdvG,g,1 (B) +

β . p

(13)

Additionally, TB is roughly TA plus simulation overhead O(QSign · TGexp ). A Let’s compare this to prior results. A simple proof of UF-security of DS from DL can be obtained by combining Lemma 1 with the classical DL-based security of ID as given by Eq. (7). For A an adversary attacking the UF security of DS, this would yield a discrete log adversary B such that  β H Advuf , (14) Advdl DS (A) ≤ (1 + QA ) · G,g (B) + p where β is as in Theorem 2 and TB is about 2 TA plus the same simulation overhead as above. This is however not the best prior bound. One can do better with a direct application of the general Forking Lemma of [7] as per [45].

The Multi-Base Discrete Logarithm Problem

547

For A an adversary attacking the UF security of DS, this would yield a discrete log adversary B such that  β dl , (15) (A) ≤ (1 + QH Advuf DS A ) · AdvG,g (B) + p where β and TB are as above. The reason Eq. (15) is a better bound than Eq. (14) is that the 1 + QH A term has moved under the square root. Still we see that Eq. (13) is even better; roughly (neglecting the additive term), the bound in Eq. (13) is the square of the one in Eq. (15), and thus (always) smaller. See [5] for details on the derivation of the quantitative results in Fig. 1.

5

MBDL Hardness in the Generic Group Model

With a new problem like MBDL it is important to give evidence of hardness. Here we provide this in the most common and accepted form, namely a proof of hardness in the generic group model (GGM). The quantitative aspect of the result is just as important as the qualitative. Theorem 3 below says that the advantage of a GGM adversary A in breaking n-MBDL is O(q 2 /p) where q is n plus the number of group operations (time) invested by A, namely about the same as the ggm-dl-advantage of an adversary of the same resources. Reductions (to some problem) from MBDL that are tighter than ones from DL now bear fruit in justifying the secure use of smaller groups, which lowers costs. The proof of Theorem 3 begins with a Lemma that characterizes the distribution of replies to the DLO query. A game sequence is then used to reduce bounding the adversary advantage to some static problems in linear algebra. Some prior proofs in the GGM have been found to be wrong. (An example is that of [14] as pointed out by [34]. We note that the assumption was changed to fill the gap in [15].) Also we, at least, have often found GGM proofs imprecise and hard to verify. This has motivated us to try to be precise with definitions and to attend to details. Starting with definitions, we associate to any encoding function E an explicit binary operation opE that turns the range-set of E into a group. A random choice of E then results in the GGM, with the “generic group” being now explicitly defined as the group associated to E. The proof uses a game sequence and has been done at a level of detail that is perhaps unusual in this domain. MBDL in the GGM. We start with definitions. Suppose G is a set whose size p = |G| is a prime, and E : Zp → G is a bijection, called the encoding function. For A, B ∈ G, define A opE B = E(E−1 (A) + E−1 (B)). Then G is a group under the operation opE [52], with identity element E(0), and the encoding function becomes a group homomorphism: E(a + b) = E(a) opE E(b) for all a, b ∈ Zp . The element g = E(1) ∈ G is a generator of this group, and E−1 (A) is then the discrete logarithm of A ∈ G relative to g. We call opE the group operation on G induced by E.

548

M. Bellare and W. Dai

In the GGM, the encoding function E is picked at random and the adversary gg-mbdl is given an oracle for the group operation opE induced on G by E. Game GG,n in Fig. 7 defines, in this way, the n-MBDL problem. The set G parameterizes the game, and the random choice of encoding function E : Zp → G is shown at line 1. Procedure Op then implements either the group operation opE on G induced by E (when sgn is +) or its inverse (when sgn is −). Lines 3, 4 pick y, x1 , . . . , xn and define the corresponding group elements Y, X1 , . . . , Xn . Set GL holds all group elements generated so far. The new element here is the oracle DLO that takes i ∈ [1..n] and W ∈ G to return the discrete logarithm of W times the discrete logarithm of W in base g, the in base Xi . This being x−1 i · E−1 (W ). The inverse and the operations here are procedure returns z ← x−1 i modulo p. Only one query to this oracle is allowed, and the adversary wins if it gg-mbdl gg-mbdl (A) = Pr[GG,n (A)] be halts with output y  that equals y. We let AdvG,n its ggm-mbdl-advantage. Result. The following upper bounds the ggm-mbdl-advantage of an adversary A as a function of the number of its Op queries and n. Theorem 3. Let G be a set whose size p = |G| is a prime. Let n ≥ 1 be an integer. Let A be an adversary making QOp A queries to its Op oracle and one query to its DLO oracle. Let q = QOp A + n + 3. Then -mbdl (A) ≤ Advgg G,n

2 + q(q − 1) . p−1

(16)

The proof is in [5]. Below we discuss the framework and a core lemma. Proof framework and lemma. Much of our work in the proof is over Zn+2 p regarded as a vector space over Zp . We let 0 ∈ Zn+2 be the all-zero vector, p the i-th basis vector, meaning it has a 1 in position i and zeros and ei ∈ Zn+2 p elsewhere. We let a, b = (a[1]b[1] + · · · + a[n + 2]b[n + 2]) denote the inner , where the operations are modulo p. product of vectors a, b ∈ Zn+2 p In the GGM, the encoding function takes as input a point in Zp . The proof of GGM hardness of the DL problem [48] moved to a modified encoding function that took input a univariate polynomial, the variable representing the target discrete logarithm y. We extend this to have the modified encoding function take input a degree one polynomial in n+1 variables, these representing x1 , . . . , xn , y. The polynomial will be represented by the vector of its coefficients, so that . At some point, games in our proof representations, formally, are vectors in Zn+2 p will need to simulate the reply to a DLO(i, W ) query, meaning provide a reply z without knowing xi . At this point, W ∈ G will be represented by a vector that is known to the game and adversary. The natural simulation w ∈ Zn+2 p approach is to return a random z ←$ Zp or z ←$ Z∗p , but these turn out to not perfectly mimic the true distribution of replies, because this distribution depends on w. We start with a lemma that describes how to do a perfect simulation.

The Multi-Base Discrete Logarithm Problem

549

Fig. 8. Games for Lemma 2.

While the above serves as motivation, the Lemma itself is self-contained, making no reference to the DLO oracle. Consider the games of Fig. 8. They are played with an adversary making a single Init query whose arguments are an . The operations in the games, including integer i ∈ [1..n] and a vector w ∈ Zn+2 p inverses of elements in Z∗p , are in the field Zp . The proof is in [5]. Lemma 2. Let p be a prime and n ≥ 1 an integer. Then for any adversary A we have smp0 Pr[Gsmp1 p,n (A)] = Pr[Gp,n (A)] ,

(17)

where the games are in Fig. 8. Acknowledgements. Bellare is supported in part by NSF grant CNS-1717640 and a gift from Microsoft. Dai is supported by the grants of the first author. We thank the Indocrypt 2020 reviewers for their insightful comments.

References 1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the fiat-shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-460357 28 2. Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n Signatures from a variety of keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2 26

550

M. Bellare and W. Dai

3. Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM CCS 2008, pp. 449–458. ACM Press (2008) 4. Bartusek, J., Ma, F., Zhandry, M.: The distinction between fixed and random generators in group-based assumptions. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. Part II, volume 11693 of LNCS, pp. 801–830. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-26951-7 27 5. Bellare, M., Dai, W.: The multi-base discrete logarithm problem: Tight reductions and non-rewinding proofs for Schnorr identification and signatures. Cryptology ePrint Archive, Report 2020/416 (2020) https://eprint.iacr.org/2020/416 6. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSAinversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003) 7. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S., (eds.) ACM CCS 2006, pp. 390–399. ACM Press (2006) 8. Bellare, M., Palacio, A.: Gq and schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9 11 9. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zeroknowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-286288 17 10. Bellare, M., Poettering, B., Stebila, D.: From identification to signatures, tightly: a framework and generic transforms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 435–464. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-53890-6 15 11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (1993) 12. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006, volume 4004 of LNCS, pp. 409–426. Springer, Heidelberg, May / June (2006) 13. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed highsecurity signatures. J. Crypto. Eng. 2(2), 77–89 (2012) 14. Boldyreva, A., Gentry, C., O’Neill, A., Yum, D.H.: Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing. In: Ning, P., De Capitani di Vimercati, S., Syverson, P.F., (eds.) ACM CCS 2007, pp. 276–285. ACM Press (2007) 15. Boldyreva, A., Gentry, C., O’Neill, A., Yum, D.H.: Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing. Cryptology ePrint Archive, Report 2007/438 (2007) http://eprint.iacr.org/2007/ 438 16. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https:// doi.org/10.1007/978-3-540-28628-8 3 17. Boneh, D., Franklin, M.K.: Identity based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)

The Multi-Base Discrete Logarithm Problem

551

18. Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999). https://doi.org/10. 1007/3-540-48910-X 28 19. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003) 20. Damg˚ ard, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 36 21. De Cristofaro, E., Tsudik, G.: Practical private set intersection protocols with linear complexity. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 143–159. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3 13 22. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976) 23. Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy, pp. 1084–1101. IEEE Computer Society Press (2019) 24. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985) 25. Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988) 26. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7 12 27. Fischlin, M., Fleischhacker, N.: Limitations of the meta-reduction technique: the case of schnorr signatures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 444–460. Springer, Heidelberg (2013). https://doi.org/ 10.1007/978-3-642-38348-9 27 28. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0 2 29. Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind schnorr signatures and signed elgamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https:// doi.org/10.1007/978-3-030-45724-2 3 30. Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Crypt. 78(1), 51–72 (2016) 31. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) 32. Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055744 33. Herranz, J., S´ aez, G.: Forking lemmas for ring signature schemes. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 266–279. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7 20 34. Hwang, J.Y., Lee, D.H., Yung, M.: Universal forgery of the identity-based sequential aggregate signature scheme. In: Li, W., Susilo, W., Tupakula, U.K., SafaviNaini, R., Varadharajan, V. (eds.) ASIACCS 09, pp. 157–160. ACM Press, Mar. (2009)

552

M. Bellare and W. Dai

35. IANIX. Things that use Ed25519. https://ianix.com/pub/ed25519-deployment. html 36. Jacobson, M.J., Koblitz, N., Silverman, J.H., Stein, A., Teske, E.: Analysis of the xedni calculus attack. Des. Codes Crypt. 20(1), 41–64 (2000) 37. Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-5300852 38. Komlo, C., Goldberg, I.: Frost: Flexible round-optimized schnorr threshold signatures. Cryptology ePrint Archive, Report 2020/852 (2020) https://eprint.iacr.org/ 2020/852 39. Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple schnorr multi-signatures with applications to bitcoin. Cryptology ePrint Archive, Report 2018/068 (2018) https://eprint.iacr.org/2018/068 40. Micali, S., Ohta, K., Reyzin, L.: Accountable-subgroup multisignatures: Extended abstract. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001, pp. 245–254. ACM Press (2001) 41. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004) 42. Ohta, K., Okamoto, T.: On concrete security treatment of signatures derived from identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354– 369. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055741 43. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4 3 44. Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447 1 45. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000) 46. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991) 47. Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031 (2004) http://eprint.iacr.org/ 2004/031 48. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0 18 49. Silverman, J.H.: The xedni calculus and the elliptic curve discrete logarithm problem. Des. Codes Crypt. 20(1), 5–40 (2000) 50. Silverman, J.H., Suzuki, J.: Elliptic curve discrete logarithms and the index calculus. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 110–125. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1 10 51. Stinson, D.R., Strobl, R.: Provably secure distributed schnorr signatures and a (t, n) threshold scheme for implicit certificates. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 417–434. Springer, Heidelberg (2001). https:// doi.org/10.1007/3-540-47719-5 33 52. Yun, A.: Generic hardness of the multiple discrete logarithm problem. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 817–836. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6 27

Skipping the q in Group Signatures Olivier Blazy1

and Saqib A. Kakvi2(B)

1

2

XLim, Universit´e de Limoges, Limoges, France [email protected] Bergische Universit¨ at Wuppertal, Wuppertal, Germany [email protected]

Abstract. The notion of group signatures was introduced to allow group members to sign anonymously on behalf of a group. A group manager allows a user to join a group, and another will be able to open a signature to revoke its anonymity. Several schemes have already been proposed to fulfil these properties, however very few of them are proven in the standard model. Of those proven in the standard model, most schemes rely on a so-called q-assumptions. The underlying idea of a q-assumptions is that to prove the security of the scheme, we are given a challenge long enough to allow the simulator to answer queries. Another common solution is to rely on an interactive hypothesis. We provide one of the first schemes proven in the standard model, requiring a constant-size non-interactive hypothesis. We then compare its efficiency to existing schemes, and show that this trade-off is acceptable as most schemes with better efficiency rely on either an interactive or a q-hypothesis. The exception to this is the recent independent work Libert, Peters and Yung (CRYPTO 2015), who presented an efficient group signature scheme in the standard model relying on standard assumptions. Keywords: Signatures · Group signatures Q-assumption · Provable security

1

· Standard model ·

Introduction

A group signature scheme [29] is a protocol which lets a member of a group individually issue signatures on behalf of the group, in an anonymous but traceable way. To this end, we have a trusted manager, called the Opener, who can revoke anonymity of the actual signer in case of abuse. Group signatures primarily guarantee anonymity, which means that nobody (except the Opener) can link the signature to the signer, but also unlinkability, which means that one cannot two signatures were produced by the same user or not. One application Group Signature use case is anonymous auction, where users are interested in knowing what the best offer is. Additionally, no bid (except the winning one) should be linkable to its owner. O. Blazy—The 1st author was supported by the French ANR project ID-FIX (ANR16-CE39-0004). c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 553–575, 2020. https://doi.org/10.1007/978-3-030-65277-7_25

554

O. Blazy and S. A. Kakvi

Several steps have been made in the study of those protocols: Bellare, Micciancio and Warinschi [7] gave formal definitions of the security properties of group signatures (the BMW model) and proposed a (impractical proof of concept) scheme under general assumptions. However, this model required that the size of the group be fixed a priori and may not change and are known as static groups. Later, Bellare, Shi and Zhang [9], and independently Kiyias and Yung [48], extended this model to dynamic groups (the BSZ model), which allows the group to grow arbitrarily large, emphasizing the importance of unforgeability and anonymity. To allow for this another group manager, called the Issuer, is required. 1.1

Previous Work

The first efficient proposed group signature schemes were proven in the Random Oracle Model [3,4,19,20]. Camenisch and Lysyanskaya [25] proposed one of the first standard model schemes. Despite being fairly efficient, these schemes suffered from the drawback that the signatures were non-constant and would grow related to either the size of the group or the number of revoked users. The first group signature with constant size was due to Groth [42], but the constant exceptionally large and impractical. Soon after, another scheme was proposed by Boyen and Waters [23], with more plausible sizes. Groth then improved on the scheme of [42] in [43] and provided not only an efficient group signature scheme, but also presented a generic approach consisting in using a re-randomizable certificate to produce a certified signature. Kakvi then proposed in [46] some improvements that lead to a more efficient SXDH instantiation. In another line of work, Delerabl´ee and Pointcheval [32] proposed another short scheme based, which was improved and extended by Blazy and Pointcheval in [15]. However, one critical flaw shared by all these schemes was that they relied on q-type assumptions. We attempt to overcome this, by presenting a scheme without relying on q-type assumptions. q-type assumptions are a common type of assumption in modern cryptographic schemes, due to their powerful nature. A large number of these are used due to the fact that we are unable to compute responses to oracle queries by adversaries in our reductions. In these, one must rely upon parametrized or socalled q-type assumption families. In these types of assumptions, we are given q intermediate values to aid in answering oracle queries. These assumptions tend to be quite bespoke assumptions for the scheme in question and may not be useful for anything else, which in turn means they will probably not be well studied. On occasion, authors will provide a proof in the generic group model of the hardness of an assumption; this is neither standard practice nor guarantee of the actual security of the assumption. This has also lead to “a dizzying array of tailor-made complexity assumptions.” [22]. As a result of this, several researchers have asked if it is at all possible to do away with q-type assumptions, or if there is some property in them that makes them indispensable. A study of sub-class of these assumptions, known as the “one-more” assumptions was undertaken by Bellare et al. [8] and later by

Skipping the q in Group Signatures

555

Bresson et al. [24]. The later framework of Boneh, Boyen and Goh [18] which was later dubbed the “Uber-Assumption” [22], the coining of which is attributed to Dan Boneh [22, Footnote 1]. This framework for a unified description of all q-type assumptions was the first step in a full classification of q-type assumption. There have been other works looking at removing q-type assumptions from cryptographic primitives. The question of generically removing q-assumptions was studied by Chase and Meiklejohn [28]. The approach of Chase and Meiklejohn [28] transforms schemes in a prime order pairing groups to schemes in composite order groups. This work was further extended by Chase, Maller and Meiklejohn [27], covering more assumptions and having a better security loss, however, they still require composite order groups. In the other direction, Bresson, Monnerat and Vergnaud [24] showed separation between q-type assumptions and their non-q or simple variants, using algebraic reductions. In a recent independent work, Libert, Peters and Yung [50] have proposed a group signatures scheme, which is secure without any q-type assumptions. They use the recent advances in structure preserving signatures [1] as a principal building block. However, the drawback of this construction, as also noted by Libert, Peters and Yung, is that their scheme is not modular and cannot be easily adapted with new building blocks. In contrast, our construction is highly modular and achieves similar efficiency to the of Libert, Peters and Yung [50]. Apart from the group signature schemes we discuss, there have been some advances in other directions regarding group signatures. There have been efficient schemes suggested in the Generic Group Model [30], the Random Oracle Model [33,40,54] or based on other assumptions, such as lattices [31,41,47,49,52,53] and code-based assumptions [2]. Additionally, Bootle et al. [21] presented a model for fully dynamic group signatures, i.e. signatures that can not only grow but also shrink in size. We do not compare our scheme to any of these, as they are in a different setting to the one we consider. 1.2

Our Contribution

In this paper, we present a simple and efficient construction of group signatures. In independent work, Libert, Peters and Yung [50] recently presented a compact groups signature scheme based on standard, or “simple”, assumptions1 , parallel to our work [13]. We note that our signatures are of comparable size to that of Libert, Peters and Yung, but we have a stronger security notion. Where as the underlying signature scheme in [50] is proven to be F-CMA secure, we prove full UF-CMA security. Note that both schemes have a loss linear in the number of signing queries. We present simple and efficient constructions of group signatures. They can be proven under reasonable assumptions (variations of the SDH) and prove the security of both schemes in the standard model. In this paper we combine the use of a Delerabl´ee-Pointcheval [32] certificate for Waters’ signature [55], and 1

While q-assumptions are more and more common, they require a polynomial number of inputs and thus should be avoided to provide a drastic improvement in security.

556

O. Blazy and S. A. Kakvi

the Groth-Sahai [44] methodology. We describe our instantiation through the framework of Groth [42,43] for generic group signatures. 1.3

Organization

In the next section, we present the primitive of group signature and the security model, due to Bellare, Shi and Zhang [9]. Then, we present the basic tools upon which our instantiations rely. Eventually, we describe our schemes, in the SXDH setting, with the corresponding assumptions for the security analysis that is provided. For the sake of consistency, we then explain the results with the (intuitive) DLin instantiations of this scheme in Sect. 4. This scheme requires roughly the same number of group elements and, based on the chosen elliptic curve and the way one wants to verify the signatures, one may prefer one instantiation to the other. It also allows us to compare our signature with the previous one, and show that we are roughly as efficient as most of the modern schemes, even though we require neither a q-assumption nor an interactive one.

2 2.1

Preliminaries Computational Assumptions

Our protocols will work with a pairing-friendly elliptic curve, of prime order: – G1 , G2 and GT are multiplicative cyclic groups of finite prime order p, and g1 , g2 are generators of G1 , G2 ; – e is a map from G1 × G2 to GT , that is bilinear and non-degenerated, such that e(g1 , g2 ) is a generator of GT . In particular, we consider Type 3 group, as per the definitions of Galbraith, Paterson and Smart [39]. For our purposes, we will need the following assumptions. Definition 1 (Symmetric eXternal Diffie-Hellman [19]). Let G1 , G2 be cyclic groups of prime order, e : G1 × G2 → GT be a bilinear map. The SXDH assumption states that the DDH assumption holds in both G1 and G2 . Definition 2 (q-Strong Diffie-Hellman Assumption in G [17]). Let G be a cyclic group of order p generated by g. The q-SDH problem consists, given 2 q (g, g γ , g γ , . . . , g γ ), in computing a pair (x, g 1/γ+x ). Definition 3 (Decision Linear Assumption in G [19]). Let G be a cyclic group of prime order, with generator g. The DLin assumption states that given (g, g x , g y , g ax , g by , g c ), it is hard to decide if c = a + b or not, for random a, b, x, y ∈ Zp .

Skipping the q in Group Signatures

557

Definition 4 (eXternal Decision Linear 2 Assumption [1]). Let G1 , G2 be cyclic groups of prime order, with generators (g1 , g2 ), and e : G1 × G2 → GT be a bilinear map.The XDLin2 assumption states that given a tuple of the form (g1 , g1x , g1y , g1ax , g1by , g2 , g2x , g2y , g2ax , g2by , g2c ), it is hard to decide if c = a + b or not, for random a, b, x, y ∈ Zp . Definition 5 (Advanced Computational Diffie-Hellman [12]). Let us be given two cyclic groups (G1 , G2 ) of prime order p with (g1 , g2 ) as respective generators and e an admissible bilinear map G1 × G2 → GT . The CDH+ assumption states that given (g1 , g2 , g1a , g2a , g1b ), for random a, b ∈ Zp , it is hard to compute g1ab . Definition 6 (q-Double Hidden Strong Diffie-Hellman [37]). Let G1 , G2 be multiplicative cyclic groups of order p generated by g1 , g2 respectively. The q-DHSDH problem consists given (g1 , k1 , g2 , g2γ ) and several tuples of the form (g1xi , g2xi , g1yi , g2yi , (k1 g1yi )1/(γ+xi ) )i∈[1,q] in computing a tuple (g1x , g2x , g1y , g2y , (k1 g1y )1/γ+x ) for a new pair (x, y). For completeness, we state the non-q (q = 0) version of this assumption, which we will need for our security proof. Definition 7 (Double Hidden Strong Diffie-Hellman in G1 , G2 ). Let G1 , G2 be multiplicative cyclic groups of order p generated by g1 , g2 respectively. The DHSDH problem consists of, given (g1 , k1 , g2 , g2γ ) in computing a tuple of the form (g1x , g2x , g1y , g2y , (k1 g1y )1/γ+x ) for any pair (x, y). It is critical to note that the DHSDH is not a q-type assumption. The q-DHSDH is an extension of the DHSDH assumption to a q-type assumption. Our goal is to remove any dependencies of number of queries from our assumptions, which is exactly was using the DHSDH instead of the q-DHSDH achieves. Additionally, the DHSDH is a strictly stronger problem that the q-DHSDH, as any algorithm that can solve the DHSDH problem can also solve the q-DHSDH problem. 2.2

Dynamic Group Signatures

We prove our scheme secure in the growing group security model of Bellare, Shi and Zhang [9], here on in referred to as the BSZ model. The model implicitly requires that all users have their own personal signing/verification key pairs, which are all registered in a Public Key Infrastructure(PKI). We thus assume that any user Ui wishing to join the group owns a public-secret key pair (usk[i], upk[i]), certified by the PKI. Within our group signature setting, we have two distinct2 authorities or managers, namely:

2

The BSZ model requires that both authorities must be distinct for certain notions of security. However, one could have them as the same entity in a relaxed version of the BSZ security model.

558

O. Blazy and S. A. Kakvi

– The Issuer who adds new uses to the group and issues them with a group signing key and the corresponding certificate, – The Opener, it is able to “open” any signature and extract the identity of the signer. A group signature scheme is defined by a sequence of (interactive) protocols, GS = (Setup, Join, Sig, Verif, Open, Judge), which are defined as follows: – Setup(1λ ): Generates the group public key gpk, the issuer key ik for the Issuer, and the opening key ok for the Opener. – Join(Ui ): This is an interactive protocol between a user Ui (who has their secret key usk[i]) and the Issuer (using his private key ik). At the end of the protocol, the user obtains their group signing key sk[i], and the group manager adds the user to the registration list, Reg. We denote the set of registered users by I. – Sig(gpk, , m, sk[i]): Produces a group signature σ on the message m, under user Ui ’s group signing key sk[i]. – Verif(gpk, m, σ): Verifies the validity of the group signature σ, with respect to the public key gpk. This algorithm thus outputs 1 if and only if the signature is valid. – Open(gpk, m, σ, ok): If σ is valid, the Opener, using ok, outputs a user identity i assumed to be the signer of the signature with a proof τ of this accusation. – Judge(gpk, m, σ, i, τ ): Verifies that the opening of σ to the identity i was indeed correctly done. We now recall the BSZ security model for group signatures. As stated before, group signatures guarantee anonymity, unlinkability and non-frameability, which we will explain below. We require that we have two group authorities, namely the Issuer, who will issue certificates to grant access to the group, and an Opener who will be able to revoke anonymity, and thus trace back the actual signers. For different security notions, we allow each authority to be independently corrupted to some extent. We say an authority is fully corrupted if it reveals its key and potentially deviates from its algorithm. We say an authority is partially corrupted if it reveals its key but does not deviate from its algorithm. An uncorrupted authority neither reveals its key nor deviates from its algorithm. We give the maximum corruption levels allowed for each security property in the table below (Table 1). Table 1. Maximum corruption level of managers allowed. Issuer

Opener

Traceability

Uncorrupted

Partially corrupted

Anonymity

Fully corrupted Uncorrupted

Non-frameabiity Fully corrupted Fully corrupted

Skipping the q in Group Signatures

559

Additionally, we assume that each user Ui owns a pair (usk[i], upk[i]) certified by a Public Key Infrastructure (PKI). We now recall the security notions. 2.3

Correctness

The correctness notion guarantees that honest users should be able to generate valid signatures, and the Opener should then be able to get the identity of the signers, and provide a convincing proof for the Judge. In the following experiments that formalize the security notions, the adversary can run the Join protocol: – Either through the joinP-oracle (passive join), which means that it creates an honest user for whom it does not know the secret keys: the index i is added to the HU (Honest Users) list. The adversary gets back the public part of the certificate pk[i]; – or through the joinA-oracle (active join), which means that it interacts with the group manager to create a user it will control: the index i is added to the CU (Corrupted Users) list. The adversary gets back the whole certificate pk[i], and sk[i]. For users whose secret keys are known to the adversary, we let the adversary play on their behalf. For honest users, the adversary can interact with them, granted some oracles: – corrupt(i), if i ∈ HU, provides the secret key sk[i] of this user. The adversary can now control it. The index i is then moved from HU to CU; – Sig(i, m), if i ∈ HU, plays as the honest user i would do in the signature process. Then i is appended to the list §[m]. 2.4

Traceability

Traceability asserts that nobody should be able to produce a valid signature that cannot be opened in a valid and convincing way. We detail the traceability experiment in Fig. 1 below.

Fig. 1. Traceability experiment

560

O. Blazy and S. A. Kakvi

We define the advantage of an adversary against traceability as: tr Advtr GS,A (λ) = Pr[ExpGS,A (λ) = 1]

and we say that a group signature scheme is traceable if, for any polynomial adversary A, the advantage Advtr GS,A (λ) is negligible. 2.5

Non-Frameability

Non-frameability guarantees that no dishonest player (even the authorities, i.e. the Issuer and the Opener, hence the keys msk and skO provided to the adversary) will be able to frame an honest user. That is to say an honest user that does not sign a message M should not be convincingly declared as a possible signer. We detail the non-frameability experiment in Fig. 2 below.

Fig. 2. Non-frameability experiment

We define the advantage of an adversary against non-frameability as nf Advnf GS,A (λ) = Pr[ExpGS,A (λ) = 1]

and we say a group signature scheme is non-frameable if, for any polynomial adversary A, the advantage Advnf GS,A (λ) is negligible. 2.6

Anonymity

Anonymity states that the signer of a message remains anonymous. In particular, given two of honest users i0 and i1 , the adversary should not have any significant advantage in guessing which one of them have issued a valid signature. The adversary can interact with honest users as before (with Sig and corrupt), but the challenge signature is generated using the interactive signature protocol Sign, where the adversary plays the role of the corrupted users, but honest users are activated to play their roles. We define the advantage of an adversary against anonymity as: An−1 An−0 AdvAn GS,A (λ) = Pr[ExpGS,A (λ) = 1] − Pr[ExpGS,A (λ) = 1]

and we say that a group signature scheme is anonymous for any polynomial adversary A, the advantage AdvAn GS,A (λ) is negligible.

Skipping the q in Group Signatures

561

Fig. 3. Anonymity experiment

2.7

Certified Signatures

We use a primitive known as a certified signature scheme which was introduced by Boldyreva et al. [16]. A certified signature scheme is a signature scheme where the well-formedness of the public key is verifiable due to an additional certificate. We use the BBS-like certification [19] proposed by Delerabl´ee and Pointcheval [32] to certify a Waters public key [55]. When a receiver wishes to verify a certified signature, he will not only verify the signature, as per usual, but also verify the certificate of the well-formedness of the public key. The security requirements for certified signatures is that we should neither be able to create a signature using a faked certificate key nor forge a signature for an already issued certificate. Although Boldyreva et al. provide more general security requirements, we use slightly simpler definitions, as in previous works. For a certified signature scheme to be secure, we require it to satisfy the following conditions: – Unfakeability: No adversary should be able to produce a valid certificate for a key pair generated of his choice, even after having seen a polynomial number of certificates – Unforgeability: We require that the basic signature scheme satisfies at least the notion of existential unforgeability under weak message attack. 2.8

Groth-Sahai Commitments

We will follow the Groth-Sahai methodology for SXDH-based commitment in the SXDH setting. The commitment key consists of u ∈ G12×2 and v ∈ G22×2 . There exist two initializations of the parameters; either in the perfectly binding setting, or in the perfectly hiding one. Those initializations are indistinguishable under the SXDH assumption which will be used in the simulation. We denote by C(X) a commitment of a group element X. An element is always committed in the group (G1 or G2 ) it belongs to. If one knows the commitment key in the perfectly binding setting, one can extract the value of X, else it is perfectly hidden. We note C (1) (x) a commitment of a scalar x embedded in G1 as g1x . If one knows the commitment key in the perfectly binding setting, on can extract

562

O. Blazy and S. A. Kakvi

the value of g1x else x is perfectly hidden. The same things can be done in G2 , if we want to commit a scalar, embedding it in G2 . Proofs. Under the SXDH assumption, the two initializations of the commitment key (perfectly binding or perfectly hiding) are indistinguishable. The former provides perfectly sound proofs, whereas the latter provides perfectly witness hiding × G2×2 . These proofs. A Groth-Sahai proof, is a pair of elements (π, θ) ∈ G2×2 1 2 elements are constructed to help in verifying pairing relations on committed values. Being able to produce a valid pair implies knowing plaintexts verifying the appropriate relation. We will use three kinds of relations: – pairing products equation which requires 4 extra elements in each group; – multi-scalar multiplication which requires 2 elements in one group and 4 in the other; – quadratic equations which only requires 2 elements in each group. If some of these equations are linear, some of the extra group elements are not needed, which leads to further optimizations. In the following, we will generate two Common Reference Strings to handle commitments and proofs under this methodology through the following algorithm: – GS.KeyGen(gk): generates two commitment keys, and the associated extraction key xk if it exists. In our protocol, ckB will provide perfectly binding commitments in both group and while ckH will provide perfectly hiding commitments in G2 . Both commitment keys are added to the Common Reference String crs. – C.Commit(ck∗ , A): allows to commit to an element A under the key ck∗ , this produces a commitment, and the randomness r used for the commitment. – GS.Prove(E, (C, ck∗ )): generates a Zero-Knowledge Groth-Sahai Proof of Knowledge π, that the plaintexts committed in C under ck∗ satisfy the equation E. Such proofs require the commitment randomness r, and can only be done directly if the elements are committed under the same key3 . – GS.Verify(π): verifies the validity of the proof π. To lighten the notation, we assume that a proof π implicitly contains the equation E and the commitment (C, ck∗ ). Additionally, we will denote by GS.Verify(π1 , π2 , . . .) the verification of several proofs, this can be done sequentially or using a batch technique, as presented in [11]. – GS.Re-Randomize(C, ck∗ , π): re-randomizes the commitment C, using C.Re-Randomize(C, ck∗ ), and then adapts the proof π. This step does not require the knowledge of the commitment randomness. – C.Extract(C, xk): extracts the plaintext A from C if A was committed in C under a binding key. The soundness of proof generated by Groth and Sahai methodology implies that if GS.Verify(E, (C, ckB ), π) holds, then we have that C.Extract(C, xk) verifies the equation E. 3

This means that we have to be careful that, for a given equation, our commitments in G2 are done solely with ckH or solely with ckB .

Skipping the q in Group Signatures

2.9

563

A Classical Trick

Our construction will rely on a classical trick used on Groth-Sahai proofs; in several e-cash papers [6,10,26,38,51], the construction needs an anonymity property where the adversary should not be able to get any information on a coin while a judge should be able to extract the information while in the same CRS. Another application around this idea was presented by Fischlin, Libert and Manulis in [36] where the authors used it to provide a non-interactive technique to commit to elements in the UC framework. In those cases, the solution proposed, is to commit twice to the value X, once with a perfectly binding commitment key, and once with a perfectly hiding key, and then proving the committed value X is the same in both. (While this is necessarily true because of the perfectly hiding commitment, under the CoSoundness of Groth-Sahai proof, this is hard to do without the knowledge of trapdoors in the commitment key). To then use this X in the rest of the scheme, one simply builds proof using the perfectly hiding commitment. We will employ exactly this trick in the context of group signatures. Most schemes rely on a q-assumption, or even an interactive assumption, to prove anonymity of the scheme. We use this trick to be able to prove anonymity without using either, thus achieving our goal.

Group Signature Without q-Assumptions

3 3.1

Asymmetric Waters Signature Scheme

We briefly recall the asymmetric Waters signature scheme, which is a core building block in our scheme [12,34]. – Setup(1k ): The scheme needs a (asymmetric) pairing-friendly environment (p, G1 , G2 , GT , e, g1 , g2 ), where e : G1 × G2 → GT is an admissible bilinear map, for groups G1 , G2 and GT , of prime order p, generated by g1 , g2 and >= e(g1 , g2 ) respectively. We will sign messages M = (M1 , . . . , Mk ) ∈ {0, 1}k . To , and for convenience, we this aim, we need a vector u = (u0 , . . . , uk ) ← Gk+1 1 k i . We also need an additional denote the Waters Hash as F(M ) = u0 i=1 uM i $

$

generator h1 ← G1 . The global parameters param consist of all these elements (p, G1 , G2 , GT , e, g1 , g2 , h1 , u). $

– KeyGen(param): Chooses a random scalar x ← Zp , which defines the public key as (X1 , X2 ) = (g1x , g2x ), and the secret key as sk = Y = hx1 . $

– Sign(sk = Y, M ; s): For some random s ← Zp , define the signature as σ = σ1 = Y (F(M ))s , σ2 = g1−s , σ3 = g2−s ). – Verif((X1 , X2 ), M, σ): Checks whether e(σ1 , g2 )·e(F(M ), σ3 ) = e(h1 , X2 ), and e(σ2 , g2 ) = e(g1 , σ3 ).

564

3.2

O. Blazy and S. A. Kakvi

Certified Signature Scheme

We will use a slight variant of the signature scheme due to Waters [55] using certificates as described by Delerabl´ee and Pointcheval [32], which we refer to as the DPW scheme from here on. We describe the scheme in Fig. 4

Fig. 4. The Delerabl´ee-pointcheval certified Waters signature scheme.

The DPW Scheme was shown to be secure under the q-DHSDH, and CDH+ assumptions. In Sect. 3.2, we will present a modification of this scheme so that we can prove the security under the DHSDH and CDH+ assumptions. We now present our variant of the Delerabl´ee-Pointcheval Certified Waters Signature Scheme, using commitments, which we will call the DPWC scheme from here on. In the DPWC scheme, instead of sending the certificate, the certificate authority will send commitments to the certificate, and a proof that the certificate is well-formed. The receiver must now verify the proof of wellformedness instead of the certificate. We can now show that the hardness of forging a certificate can be reduced to the soundness of the commitment scheme, which in turn is based upon the SXDH. Due to technical reasons, we need two common reference strings, one which is perfectly hiding and one which is perfectly binding. We present the DPWC scheme in Fig. 5. Theorem 1. The DPWC scheme is a certified signature scheme with perfect correctness for all messages m ∈ {0, 1} . It is unfakeable under the DHSDH assumption and unforgeable under the CDH+ assumption. Proof. The correctness of the scheme follows from the correctness of the Waters signatures, the Delerabl´ee-Pointcheval certification and the correctness of the Groth-Sahai NIZK scheme.

Skipping the q in Group Signatures

565

Fig. 5. The Delerabl´ee-Pointcheval Certified Waters Signature Scheme with Commitments.

Lemma 1. If an adversary can (q  , t , ε )-break the unfakeability of the scheme, then we can (t, ε)-solve the Double Hidden Strong Diffie-Hellman (DHSDH) problem, with and ε = ε . t ≈ t Proof. We receive as an initial input the DHSDH challenge of the form (p, G1 , G2 , GT , g1 , k1 , g2 , g2γ , e). We then generate new commitment keys and keys for the proof system, thus giving us the extraction keys for the commitments and the ability to simulate the proofs, using the CRS trapdoor. We send the challenge along with the commitment keys and public parameters for the proof system to the adversary. Note that these form a valid DPWC public key. The adversary will then make q queries to the KeyReg oracle, which will allow it to act as a user and receive a key and certificate. We pick random values y  , x as before. Now since we do not possess a valid certification key, we must simulate the certificate. To simulate a certificate, we pick a random value A and commit to it. We then simulate the zero-knowledge proofs of well-formedness using the simulation trapdoor. Since we never send the A values in the clear, under the indistinguishability of the commitments, the adversary will not distinguish the difference. Hence, we have a perfect simulation of the scheme. The adversary will then submit a forged certificate cert∗ , a public key pk ∗ , message m∗ , signature σ ∗ . We first verify the certified signature. If the adversary has produced a valid certified signature, then both the certificate and signature must be correctly formed. Using the extraction key on the binding commitments, we are able to extract the value A∗ from

566

O. Blazy and S. A. Kakvi ∗



the forged certificate, along with the values g1x , g2x , g1y , g2y . We then submit ∗ ∗ ∗ ∗ (g1x , g2x , g1y , g2y , A∗ ) our solution to the DHSDH problem. We note that we win with exactly the same probability as the adversary. ∗



The unforgeability of the DPW scheme was shown to hold by Blazy et al. in [12]. We include their statement in here for completeness. Lemma 2. Given an adversary can (q  , t , ε )-break the unforgeability of the scheme, then we can (t, ε)-solve the Advanced Computational Diffie-Hellman (CDH+ ) problem, with √ t ≈ t and ε = Θ(ε /q  ) where is the length of our messages. Proof. The proof can be found in [12, Appendix D]. 3.3

Our Group Signature Construction

Now that we have the DPWC scheme, we can begin to construct our group signature scheme. The na¨ıve approach would be to simply to provide each user with a DPWC certificate and key pair and use those to produce in the normal manner. However, we can immediately see that these signatures are no longer unlinkable, as a all the signatures from any user would have their DPWC certificate attached to it, along with the corresponding public key. This is remedied by treating the DPWC public key as part of the certificate and committing it as well during the Join/Issue protocol. When signing the user will re-randomize these commitments and the proofs. However, the signatures are still linkable. This is due to the fact that given a pair of Waters signatures, one can check if they are signed using the same key or not. To resolve this problem, we use an idea due to Fischlin [35] that a commitment to a signature and proof of well-formedness implies a signature. We apply this idea to the Waters signature and hence get commitments of our signature elements and proofs of their well-formedness. This “committed” signature and our re-randomized committed certificate and the relevant proofs are then sent as the group signature. The Open procedure will use the extraction key xk to extract the certificate from a signature and then check if there is a registry entry with the same certificate. If a matching certificate is found, we know that this user must have made that signature and thus it can be opened to their index. To prove that the opening was done correctly, we simply prove that the commitment stored in the registry and the one commitment from the signature contain the same certificate. Theorem 2. The scheme described in Fig. 6 is a group signature scheme with perfect correctness. The scheme satisfies anonymity, traceablity and nonframeability under the SXDH, DHSDH and CDH+ assumptions.

Skipping the q in Group Signatures

567

Fig. 6. The group signature scheme.

Proof. We will now provide proof sketches of the statements individually. We omit correctness, as it is clear. Lemma 3. The scheme described in Fig. 6 is a group signature scheme with (t, )-anonymity, assuming the Symmetric External Diffie-Hellman Assumption is (t , εSXDH )-hard, with t ≈ t

and

 εSXDH .

Proof. For the anonymity game, we that the issuer is fully corrupted, but the Opener is uncorrupted. This means that we give full control of the issuer, including the secret key to the adversary. However, the Opener is uncorrupted, thus we maintain full control of the opening key. In the initial game, we generate both ik and ok honestly. We give the adversary control of ik. We now modify our game such that the Opener’s key is no longer binding but in fact, hiding. This is indistinguishable to the adversary under the SXDH assumption. In particular, this means that any information contained in the certificates is hidden. This means that the game where the challenge bit b = 0 gives the adversary the same information as when b = 1. Thus, the adversary

568

O. Blazy and S. A. Kakvi

has no advantage. As the advantage in this game differs from the previous game by at most the advantage of an adversary against the SXDH, the adversary has a total advantage  εSXDH . Lemma 4. The scheme described in Fig. 6 is a group signature scheme with (t, )-traceability, assuming the Symmetric External Diffie-Hellman Assumption is (t , εSXDH )-hard and the Double Strong Hidden Diffie-Hellman Assumption is (t , εDHSDH )-hard, with t ≈ t

and

 2 · εSXDH + εDHSDH .

Proof. In the traceability game, we have a partially corrupted Opener and an uncorrupted Issuer. Thus, the adversary will know ok but the Issuer, will still behave in the prescribed manner. Initially we set up the game such that all keys are generated as expected, and we give the issuer key to the adversary. Since we have all the requisite keys, we can execute the requisite oracles in the standard manner. Since the Opener is only partially corrupted, they will still perform all the openings faithfully and generate valid proofs of that. If a signature opens and is traced to a user, then the proof produced will be accepted by the Judge algorithm. If the adversary can produce a false proof, then they will have broken the soundness of the proof scheme. They can do this with an advantage at most εSXDH . Thus, the adversary must produce a false certificate. Our next modification is the CRS generation. We switch now to a simulating CRS which provides perfectly hiding commitments. The difference in advantage the adversary has in this game and the previous game is at most εSXDH . As before, we execute all the oracles in the normal manner. For our final game, we now simulate our issue protocol in the same manner as we did for the unfakeability proof of the DPWC scheme in Lemma 1. Thus, we have that any adversary that can produce a fake certificate will break the DHSDH, which he can do with advantage at most εDHSDH . Combining these gives us  2 · εSXDH + εDHSDH , as required. Lemma 5. The scheme described in Fig. 6 is a group signature scheme with (t, )-non-frameability, assuming that the Symmetric External Diffie-Hellman problem is (t , εSXDH )-hard, the Double Strong Hidden Diffie-Hellman problem is (t , εDHSDH )-hard and the Advanced Computational Diffie-Hellman problem is (t , εCDH+ )-hard, with t ≈ t

and

 εSXDH + εDHSDH + εCDH+

Proof. For an adversary to win the non-framebility game, they must produce a signature which will be correctly attributed to an honest user who did not produce this signature. To achieve this, an adversary must provide: 1. A valid signature under the user’s public key 2. A valid proof that the signature is valid under the public key in the committed certificate

Skipping the q in Group Signatures

569

3. A valid committed certificate, with proofs Item 3 can be easily obtained by the adversary as he is able to fully corrupt both the Opener and Issuer and obtain the correct certificates and the corresponding proof from there. Thus we now need to only consider how the Adversary produces the other two components. To this end, we consider two types of Adversaries, namely Type I and Type II adversaries, which win by generating item 1, respectively item 2, listed above. Type I Non-Frameability Adversaries. The first type of adversary, which we call N F 1 , is an adversary who wins in the non-frameability game by forging a signature for an honest user. Once the adversary has a valid forgery, he can easily obtain a committed certificate and re-randomize that. Having both these, the adversary can then honestly generate a proof that the signature is valid. We see that this signature is a valid group signature and will indeed be attributed to the targeted user. If a N F 1 to succeeds, it can be turned into and adversary against the unforgeability of the DPWC signature scheme. We are able to generate all the keys, except for the signing keys. We use the oracle from the unforgeability game to produce the required signatures. We can simply use the adversary’s forgery as our own and thus win the DPWC unforgeability game, which in turn would break the Advanced Computational Diffie-Hellman Assumption. Type II Non-Frameability Adversaries. The second type of adversary, which we call N F 2 , is an adversary who wins in the non-frameability game by creating a false proof for an incorrect signature. The adversary will try to prove that an arbitrary invalid signature is actually a correct signature and then proceeds to produce a proof that this invalid “signature” is indeed valid. If an N F 2 adversary succeeds, they will have produced a NIZK proof on a false statement, which breaks the Soundness of the Groth-Sahai proof system, and thus the Symmetric External Diffie-Hellman Assumption. In addition to the above types of adversary, we must also consider an adversary who fakes a certificate for the targeted user and then performs a Type I or Type II attack. The adversary in this game has the capability to write to the registry and hence can replace the user’s old certificate with their faked one. After this, the user must perform a Type I or Type II attack as described above. Here we see that the adversary must first fake a certificate, hence breaking the unfakeability of the DPWC certified signature scheme, and thus the Double String Hidden Diffie-Hellman Assumption. After this, the adversary will proceed as a N F 1 or N F 2 and thus additionally break the Advanced Computational Diffie-Hellman Assumption or the Symmetric External Diffie-Hellman Assumption. Thus, we get that  εSXDH + εCDH+ + εDHSDH , as required.

4

A Linear Version of Our Construction

Our previous scheme can be directly transposed in a symmetric group, with Linear Commitments.

570

O. Blazy and S. A. Kakvi

Fig. 7. The symmetric group signature scheme.

Theorem 3. The scheme described in Fig. 6 is a group signature scheme with perfect correctness. The scheme satisfies anonymity, traceability and nonframeability under the DHSDH, DLin and CDH assumptions. This can be proven following the idea of the asymmetric instantiations. We omit the proofs, as they are of minimal interest. On the Efficiency of this Scheme. There is always a trade-off in efficiency while instantiating on a symmetric group a scheme designed for an asymmetric one. Verifying that two elements have the same discrete logarithm is way more efficient in a DLin setting because this becomes a linear equation while being a quadratic one in SXDH. However we will have equations with two CRS involved for the same group, and that is quite inefficient (approximately 13 elements for each proof). Component σ1 σ2 α χ X1 X2 G

3

1

3 3

3

3

π1

π2

π3 Y1 Y2 π ˜1 π ˜2 TOTAL

≈ 13 ≈ 13 2

3

3

2

3

≈ 55

Skipping the q in Group Signatures

571

The table above gives a rough estimation of the cost of the symmetric instantiation of our scheme, while not being so efficient it is still in the same order of magnitude as existing group signatures schemes. Once again our hypotheses are neither interactive nor relying on q-assumptions.

5

Efficiency Comparison and Conclusions

We now look at the efficiency of our scheme in comparison to the state of the art in signature schemes. We begin with a look at the exact size of our signatures. We list the size of each component of our signature in the table below. Component σ1 σ2 σ3 α χ X1 X2 π1 π2 π3 Y1 Y2 π ˜1 π ˜2 TOTAL G1

0

1

0

2 0

2

0

2

2

2

2

0

2

4

19

G2

2

0

1

0 2

0

2

4

2

2

0

2

2

4

23

Similar to the work of Libert, Peters and Yung [50], we compare not only the number of group elements, but the bit sizes, assuming classical instantiations on Barreto-Naehrig Curves [5], (one group of size 256 bits, and one of size 512 bits), we consider the smaller group to be the one with more elements. In our comparison, we only consider the schemes in Type 3 groups (Table 2). Table 2. Comparison of group signature schemes secure in the standard model. Scheme

Assumptions

G1 G2 Total Signature Size

Adapted Groth [43, 50]

SXDLin, q-SDH, q-U

27

12

39

13056

Kakvi [46] (Scheme 3)

SXDLin, q-SDH, q-U3a

24

15

39

13824

Kakvi [46] (Scheme 4)

SXDLin, q-SDH, q-U3b

16

23

39

14080

Blazy and Pointcheval [15]

CDH+ , q-DDHI, q-DHSDH 21

16

37

13568

14

47

15616

Total elements Bitsize

Libert, Peter and Yung [50] SXDH, XDLin2 , DLina

33

This Work CDH+ , DHSDH 19 23 42 15616 a The scheme in [50] requires a chameleon hash function. For simplicity, we assume the DLin-based chameleon hash due to Hofheinz and Jager [45], explicitly stated by Blazy et al. [14, Appendix A]

As we can see from the table, our signature sizes are comparable to that of the other schemes, but under standard assumptions. In particular, we have fewer elements than the scheme of Libert, Peters and Yung [50], with the same final signature size. Our signatures are slightly larger than the schemes based on q-assumption one, but not by a large margin. Additionally, this does not take into account that we rely on simpler assumptions. Hence, we do not have the same overheads to achieving higher levels of security. We believe that overall this

572

O. Blazy and S. A. Kakvi

technique allows quick and efficient transformation at minimal cost, and quite likely be extended to other protocols. Acknowledgements. We would like to thank the anonymous reviewers of INDOCRYPT 2020 for their comments. We would also like to thank Ruqayya Shaheed for her editorial comments. Part of this work was done while both authors were employed at the Ruhr University Bochum.

References 1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structurepreserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7 12 2. Alam´elou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A code-based group signature scheme. Cryptology ePrint Archive, Report 2016/1119 (2016). http://eprint.iacr. org/2016/1119 3. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000). https://doi.org/10. 1007/3-540-44598-6 16 4. Ateniese, G., Song, D., Tsudik, G.: Quasi-efficient revocation of group signatures. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 183–197. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36504-4 14 5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383 22 6. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact E-cash and simulatable VRFs revisited. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 114–131. Springer, Heidelberg (2009). https://doi.org/10.1007/9783-642-03298-1 9 7. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9 38 8. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme. In: Syverson, P. (ed.) FC 2001. LNCS, vol. 2339, pp. 319–338. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46088-8 25 9. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136– 153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3 11 10. Blazy, O., Canard, S., Fuchsbauer, G., Gouget, A., Sibert, H., Traor´e, J.: Achieving optimal anonymity in transferable e-cash with a judge. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 206–223. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6 13

Skipping the q in Group Signatures

573

11. Blazy, O., Fuchsbauer, G., Izabach`ene, M., Jambert, A., Sibert, H., Vergnaud, D.: Batch groth–sahai. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 218–235. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-137082 14 12. Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Signatures on randomizable ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 403–422. Springer, Heidelberg (2011). https://doi.org/ 10.1007/978-3-642-19379-8 25 13. Blazy, O., Kakvi, S.A.: Group signatures without q-assumptions. Cryptology ePrint Archive, Report 2015/858 (2015). Full Version of this paper. http://eprint.iacr.org/ 2015/858 14. Blazy, O., Kakvi, S.A., Kiltz, E., Pan, J.: Tightly-secure signatures from chameleon hash functions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 256–279. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2 12 15. Blazy, O., Pointcheval, D.: Traceable signature with stepping capabilities. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 108–131. Springer, Heidelberg (2012). https://doi.org/10.1007/9783-642-28368-0 10 16. Boldyreva, A., Fischlin, M., Palacio, A., Warinschi, B.: A closer look at PKI: security and efficiency. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 458–475. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3540-71677-8 30 17. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3 4 18. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639 26 19. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https:// doi.org/10.1007/978-3-540-28628-8 3 20. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Atluri, V., Pfitzmann, B., McDaniel, P. (eds.) ACM CCS 2004: 11th Conference on Computer and Communications Security, pp. 168–177. ACM Press, October 2004. https://doi.org/10.1145/1030083.1030106 21. Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J.: Foundations of fully dynamic group signatures. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 117–136. Springer, Cham (2016). https://doi. org/10.1007/978-3-319-39555-5 7 22. Boyen, X.: The uber-assumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008). https:// doi.org/10.1007/978-3-540-85538-5 3 23. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679 26 24. Bresson, E., Monnerat, J., Vergnaud, D.: Separation results on the “One-More” computational problems. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 71–87. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5 5 25. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8 4

574

O. Blazy and S. A. Kakvi

26. Canard, S., Gouget, A.: Divisible e-cash systems can be truly anonymous. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 482–497. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4 28 27. Chase, M., Maller, M., Meiklejohn, S.: D´ej` a Q all over again: tighter and broader reductions of q-type assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 655–681. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-53890-6 22 28. Chase, M., Meiklejohn, S.: D´ej` a Q: using dual systems to revisit q-type assumptions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 622–639. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3642-55220-5 34 29. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/ 10.1007/3-540-46416-6 22 30. Clarisse, R., Sanders, O.: Short group signature in the standard model. Cryptology ePrint Archive, Report 2018/1115 (2018). https://eprint.iacr.org/2018/1115 31. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zeroknowledge proofs of automorphism stability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018: 25th Conference on Computer and Communications Security, pp. 574–591. ACM Press, October 2018. https://doi.org/10.1145/ 3243734.3243852 32. Delerabl´ee, C., Pointcheval, D.: Dynamic fully anonymous short group signatures. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 193–210. Springer, Heidelberg (2006). https://doi.org/10.1007/11958239 13 33. Derler, D., Slamanig, D.: Highly-efficient fully-anonymous dynamic group signatures. In: Kim, J., Ahn, G.J., Kim, S., Kim, Y., L´ opez, J., Kim, T. (eds.) ASIACCS 18: 13th ACM Symposium on Information, Computer and Communications Security, pp. 551–565. ACM Press, April 2018 34. Ducas, L.: Anonymity from asymmetry: new constructions for anonymous HIBE. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 148–164. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5 11 35. Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175 4 36. Fischlin, M., Libert, B., Manulis, M.: Non-interactive and re-usable universally composable string commitments with adaptive security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 468–485. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0 25 37. Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Transferable constant-size fair e-cash. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 226–247. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3642-10433-6 15 38. Fuchsbauer, G., Vergnaud, D.: Fair blind signatures without random oracles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 16– 33. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9 2 39. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008) 40. Garms, L., Lehmann, A.: Group signatures with selective linkability. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 190–220. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4 7

Skipping the q in Group Signatures

575

41. Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8 23 42. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230 29 43. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2 10 44. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3 24 45. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5 35 46. Kakvi, S.A.: Efficienct Fully Anonymous Group Signatures based on the Groth Group Signature Scheme. Master’s thesis, University College London (2010) 47. Katsumata, S., Yamada, S.: Group signatures without NIZK: from lattices in the standard model. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 312–344. Springer, Cham (2019). https://doi.org/10.1007/978-3-03017659-4 11 48. Kiayias, A., Yung, M.: Secure scalable group signature with dynamic joins and separable authorities. IJSN 1(1/2), 24–45 (2006). https://doi.org/10.1504/IJSN. 2006.010821 49. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Adaptive oblivious transfer with access control from lattice assumptions. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 533–563. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8 19 50. Libert, B., Peters, T., Yung, M.: Short group signatures via structure-preserving signatures: standard model security from simple assumptions. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 296–316. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7 15 51. Libert, B., Vergnaud, D.: Group signatures with verifier-local revocation and backward unlinkability in the standard model. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 498–517. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10433-6 34 52. Ling, S., Nguyen, K., Wang, H., Xu, Y.: Lattice-based group signatures: achieving full dynamicity with ease. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 293–312. Springer, Cham (2017). https://doi.org/10. 1007/978-3-319-61204-1 15 53. Ling, S., Nguyen, K., Wang, H., Xu, Y.: Constant-size group signatures from lattices. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 58–88. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5 3 54. Ohara, K., Emura, K., Hanaoka, G., Ishida, A., Ohta, K., Sakai, Y.: Shortening the libert-peters-yung revocable group signature scheme by using the random oracle methodology. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 102-A(9), 1101–1117 (2019). http://search.ieice.org/bin/summary.php?id=e102-a 9 1101 55. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639 7

Incremental Cryptography Revisited: PRFs, Nonces and Modular Design Vivek Arte1(B) , Mihir Bellare1 , and Louiza Khati2 1

Department of Computer Science and Engineering, University of California, San Diego, USA {varte,mihir}@eng.ucsd.edu 2 ANSSI, Paris, France [email protected] https://cseweb.ucsd.edu/~varte/, https://cseweb.ucsd.edu/~mihir/ https://www.di.ens.fr/~khati/ Abstract. This paper gives the first definitions and constructions for incremental pseudo-random functions (IPRFs). The syntax is nonce based. (Algorithms are deterministic but may take as input a nonrepeating quantity called a nonce.) The design approach is modular. First, given a scheme secure only in the single-document setting (there is just one document on which incremental updates are being performed) we show how to generically build a scheme that is secure in the more realistic multi-document setting (there are many documents, and they are simultaneously being incrementally updated). Then we give a general way to build an IPRF from (1) an incremental hash function with weak collision resistance properties and (2) a symmetric encryption scheme. (This adapts the classic Carter-Wegman paradigm used to build message authentication schemes in the non-incremental setting.) This leads to many particular IPRFs. Our work has both practical and theoretical motivation and value: Incremental PRFs bring the benefits of incrementality to new applications (such as incremental key derivation), and the movement from randomized or stateful schemes to nonce based ones, and from UF (unforgeability) to PRF security, bring incremental symmetric cryptography up to speed with the broader field of symmetric cryptography itself.

1

Introduction

Data isn’t static. We routinely edit our videos, photos, MS-Word /Apple-Pages files or text files. (We’ll use the term “documents” to cover these types of data and more.) Incremental cryptography [5,6] was conceived to harmonize cryptography with this world of dynamic data. The idea is that, just as we edit the document, we can “edit” the already-computed result of a cryptographic function of the document, via a special, fast “update” algorithm, to obtain the result of the cryptographic function on the edited document much more quickly than if we had computed it from scratch. The challenge is not only to give schemes allowing updates, but to ensure that the updates are secure. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 576–598, 2020. https://doi.org/10.1007/978-3-030-65277-7_26

Incremental Cryptography Revisited

577

The relevance of incremental cryptography is even greater now in the world of big data, where the volume and size of documents makes from-scratch recomputations of cryptographic functions prohibitively expensive. In this light we revisit the subject. Contributions in brief. Incremental cryptography has been considered for many primitives [5,6,9,15,17,19,23,27,28,34]. But one for which it has surprisingly not so far been considered is Pseudo-Random Functions (PRFs) [20], arguably the most basic primitive, and important building block, in symmetric cryptography. Our work fills this gap by giving the first definitions and constructions for incremental pseudo-random functions (IPRFs). We do this, not in isolation, but as part of a broader effort. Its first component is a new framework. We adopt a nonce-based setting [31,33] (algorithms are deterministic but may take input a non-repeating quantity called a nonce), defining a syntactic object called an incremental function family (iFF). For it we define two security metrics, namely incremental unforgeability (IUF) and incremental pseudo-randomness (IPRF), and show that the latter implies the former. The second component is modular design. Where the most related prior work (on incremental message authentication) gave ad hoc, dedicated schemes, we instead give general transforms. First we show how, given a scheme secure only in the single-document setting (there is just one document to which updates are being applied), to build a scheme secure in the more realistic multi-document setting (the scheme can handle many documents on which updates are being performed simultaneously). Then we show how to achieve security in the single-document setting through an extension of the Carter-Wegman paradigm [36]. (Recall that the latter has been extensively used to obtain non-incremental UF-secure schemes such as [13,21,30,35].) The result is that, even ignoring PRF security and considering only the UF security goal targeted in incremental message authentication work [5,6,17,23], we bring stronger schemes (able to use, and be secure with, any non-repeating nonce) and modular ways of building and analyzing them. Background and context. Recall that a function family F takes a key K and input X to deterministically return an output Y = F(K, X). For this syntax, one can define both PRF and UF security. Classical examples include HMAC [4] and CMAC [16], but these are not incremental. To achieve incrementality, schemes, starting with [5,6] and continuing with [17,23], use randomization or state (a counter), making them, even just as syntactic objects, different from function families. They are usually called message authentication schemes because the goal is UF. But PRFs are inherently deterministic and stateless, so that PRF security cannot even be defined, let alone achieved, under this syntax. Our solution is to move to a nonce-based setting. iFF algorithms are deterministic but may take input a nonce. Security will require only that nonces are not reused. Now it becomes possible to define both UF and PRF security, and consider achieving them, either via nonce-based extensions of prior schemes, or in other ways. Why IPRFs? IPRF security (as opposed to just IUF) is valuable because it brings the possibility of efficiency improvement via incrementality to a broader range of applications, namely ones that, like key-derivation, require pseudorandomness. For example, an application holding key K may at regular intervals

578

V. Arte et al.

i = 1, 2, . . . derive a sub-key Ki by applying a PRF to a quantity Xi that contains both static data (application-dependent context) and dynamic data (the counter i). An incremental PRF allows the application to update Ki to Ki+1 in a way that is faster than computing Ki+1 from scratch. Why nonces? Nonce-based schemes are valuable (beyond allowing IPRF security) because, in practice, randomness is fragile (system RNGs are prone to failure) and state may not be maintainable (due to system resets), so schemes that maintain security for arbitrary (non-repeating) nonces are more versatile and robust, and correspondingly less error-prone. Beyond this, the movement from randomized or stateful schemes to nonce based ones, and from UF to PRF, “modernizes” incremental message authentication, bringing it up to speed with the broader field of symmetric cryptography in which, over the last 20 years, we have seen these same movements, not just in academic work but also in standards and deployment. The rest of this Introduction discusses our contributions, and related work, in more detail. New framework. As indicated above, prior work considered many types of syntax (randomized, stateful, deterministic). We define and consider just a single type: nonce-based. We call the object in question an incremental function family (iFF). It provides tagging, update and verification algorithms that are all deterministic, the first two (but not the last) taking as input a nonce. Thus, the tagging algorithm of an iFF iF takes the key K, a nonce N , document identifier id , and document D to return a tag. The update algorithm takes K, N, id , D, a description (consisting of an operation code op and corresponding argument arg) of the edit to be performed on the document, and current tag t, to return an updated tag t for the edited document. Verification algorithm Ver takes K, id , D, t to return a boolean decision on the validity of t. We define incremental unforgeability (IUF) of an iFF iF via a game that gives the adversary access to oracles Tag, Upd, Vf for tagging, update and verification (respectively) under a game-chosen key, winning requiring forging, via the last oracle, a valid tag for a new document. More novel and interesting is that this syntax permits us to define, for the first time in the incremental setting, a notion of PRF security, that we denote IPRF. The oracles in our game formalizing IPRF security have the same names as for IUF, but the first two return either real or random tags depending on a challenge bit that the adversary has to determine to win, while the last returns either real verifications or just rejects. Both definitions require that nonces cannot be re-used, except in the degenerate case that the scheme itself allows just one choice of nonce. (The exception allows us to capture nonce-free schemes as a special case.) Crafting these definitions was delicate, in part due to our wanting PRF security to imply UF security. Recall that for regular (no nonces, no incrementality) function families, the implication is true [8,20]. But nonces can disrupt this. Indeed, for the prevailing definitions of PRF and UF security for noncebased (not incremental) function families, the implication fails [29]. Through the (unusual) step of including a verification oracle in the IPRF game, we obtain (cf. Proposition 2) the “best of both worlds:” Nonces are allowed yet IPRF

Incremental Cryptography Revisited

579

security does imply IUF security. This is valuable because establishing the former now obviates us from having to separately establish the latter. In addition to a standard correctness requirement, we define strong correctness, which asks that updated tags produced by the update algorithm be identical to the ones that would have been computed by tagging the edited document from scratch with the tagging algorithm. For schemes with this property, Proposition 1 says that updates (the Upd oracle) may effectively be neglected in proving security. The security of updates having been, historically, the main new security concern brought by incrementality [5,6], Proposition 1 results in significant proof simplification. From single- to multi-document security. With new (and stronger) target definitions in place, we turn to designing efficient schemes that meet them. We aim for modularity as a way to simplify both design and analysis. The first angle we consider here is single-document (sd) versus multi-document (md) security. The tagging, update and verification algorithms in our syntax all take as input a document identifier id (for example myphoto.jpg) that names the document on which the operation is to be performed. In the sd setting, there is only one allowed choice of id , as though your filesystem contained just one file that you keep editing. In the more realistic md setting, any number of document identifiers may coexist, the adversary choosing them in its queries. The treatment in prior work (the two settings originate in [6]) has been ad hoc, with schemes and proofs given first for the sd setting, then separately for md. We step back to take a higher-level view. We show how sd-secure iFFs can be generically turned into md-secure ones, giving for this purpose two general “bootstrapping” transforms, StM1 and StM2. Each turns a given iFF iFsd that is IUF/IPRF-secure in the sd setting into an iFF iFmd that is IUF/IPRF-secure in the md-setting. The first transform is simple and natural, working for all choices of document edit operations, but the reduction (Theorem 3) is not tight. The second transform allows a tight reduction (Theorem 4). It requires strong correctness (discussed above) of iFsd and also that the document edit operations are what we call “translating,” but the first is met by our constructions discussed below, and the second is generous enough to include common operations like replace, insert, delete. Incremental Carter-Wegman. The above has simplified our task of designing iFFs that are IUF/IPRF-secure in the md setting, reducing it to the same task in the sd setting. We now further simplify the latter task, reducing it, via an extension of the Carter-Wegman paradigm, to the task of designing incremental hash functions satisfying weak collision-resistance properties. The standard Carter-Wegman (CW) paradigm [36] builds a nonce-based message authentication scheme by first applying a hash function to the message, and then masking the result h in some way using the key and nonce to get the tag. In our “incremental Hash-then-Encrypt” variant iHtE, the hash function iHF is assumed incremental for some set of edit operations. Now we need to extend CW so that (1) the incrementality of iHF is inherited by iF, and (2) IPRF security (as opposed to just the UF provided by CW) is provided. The change is in the masking. The general CW paradigm does not require this to be reversible, but, to allow incremental updates, we do, accordingly using for the purpose a

580

V. Arte et al.

symmetric encryption scheme SE. Furthermore, SE is required to meet the NBE2 syntax of [10]. This means the nonce is not required for decryption. (Otherwise, one has to include the nonce in the tag. This would provide IUF but violate IPRF.) The full construction in Sect. 5 also uses a key-derivation function that we omit here. Theorem 6 says that iHtE provides IPRF security assuming iHF is cau-secure and SE is AE2 secure. (Recall that cau [3], the computational relaxation of the almost universality notion of [36], is a very weak form of collision resistance for secretly-keyed hash functions. AE2 is the notion of authenticated encryption security for NBE2 schemes from [10].) Instantiations. We give many choices of cau-secure hash functions that are incremental for the replace operation, yielding, via iHtE, corresponding iFFs that are IPRF secure in the sd setting and incremental for the same operation. These hash functions are implicit in message authentication schemes already in the literature, and we only need to extract them. Section 6 takes a systematic approach. We look at different message authentication schemes in the literature including XOR-MACs [7], GMAC [25], Poly1305AES [12], PMAC [14], PWC [29], ZHASH [22] and more. For each, we extract an underlying incremental hash function. In some cases (eg. [12,14]), the authors have already noted that their algorithms allow incremental updates, but stopped short of showing that any formal notion of incremental security is met. To fill this gap, we cast their schemes as iFFs. Their results in some cases can be used to conclude IPRF security of our iFF. But more often, they only yield IUF security (because of inclusion of the nonce in the tag). In this case, we go back to the underlying hash function and use iHtE to get an IPRF. Some of the original message authentication schemes, however, are not themselves incremental, usually due to a non-invertible masking function in an (implicit or explicit) use of CW paradigm. In these cases, again, we go back to the underlying hash function and use iHtE to get an IPRF. Figure 6 summarizes the instantiations obtained. Limitations and extensions. Incrementality is with respect to some set of edit operations on the documents. (This is formalized as a document editing system in the body of this paper.) Our “boosting” results —from sd security to md via StM1, StM2, or from incremental cau-hash functions to incremental IPRFs via iHtE— are general in this regard, preserving the allowed set of operations. (That is, if the starting scheme is incremental for some set of edit operations, the constructed scheme is incremental for the same set, with the above-discussed caveat that for StM2 the operations must be translating.) However, we currently know of examples of incremental cau-secure hash functions only for the replace operation, so obtain IPRFs only for this. Via nonce-based extensions of the randomized schemes of [6,23], we can obtain iFFs that are incremental for insert, delete and that provide IUF security. These, however, will not provide IPRF security. We leave IPRFs for insert, delete as an open problem. For incremental message authentication, [6] considered security that was either “basic” (the adversary can request updates only on documents resulting from prior tagging or update operations) or “tamper-proof” (the restriction

Incremental Cryptography Revisited

581

is dropped). Our definitions and results are all for basic security. This already suffices for many applications. We can define and achieve tamper-proof IUF security, but for IPRFs we do not know how to do this extension, and leave it as an open problem. Overall we view our work as initiating the study of incremental PRFs, and leave extensions to future work. Related work. Incrementality has been considered for (UF-secure) message authentication [5,6,17,23], encryption [6,15,34], collision-resistant hashing [5, 9,27], digital signatures [5,18,26], deterministic PKE [28], program obfuscation [19] and beyond [1]. Early work on incremental symmetric encryption [6,15] used the classical randomized setting. Sasaki and Yasuda [34] were the first to bring nonces into this, treating nonce-based authenticated encryption. We follow in their vein, bringing nonces also to UF and PRF security.

2

Preliminaries

Notation. By [1..n] we abbreviate the set {1, . . . , n} and by [i . . . j] the set {i, . . . , j}, for integers n ≥ 1 and j ≥ i. We denote the number of coordinates of a vector D by |D| and its i-th coordinate by D[i]. By B ∗ we denote the set of all vectors over B, meaning vectors D with D[i] ∈ B for all i ∈ [1..|D|]. The empty vector is denoted (). The empty string is denoted ε. If x ∈ {0, 1}∗ is a string then |x| is its length and x[i] is its i-th bit. We let x[i..j] = x[i] . . . x[j] be the concatenation of bits i through j of x if i ≤ j and ε otherwise. If S is a finite set then |S| its is size or cardinality. We use ⊥ (bot) as a special symbol to denote rejection, and it is assumed to not be in {0, 1}∗ . By FUNC(D, R) we denote the set of all functions f : D → R and by PERM(D) the set of all permutations π : D → D. If X is a finite set, we let x ← ← X denote picking an element of X uniformly at random and assigning it to x. Algorithms may be randomized unless otherwise indicated. If A is an algorithm, we let y ← AO1 ,... (x1 , . . . ; ω) denote running A on inputs x1 , . . . and coins ω, with oracle access to O1 , . . ., and assigning the output to y. By y ← ← AO1 ,... (x1 , . . .) we denote picking ω at random and letting O1 ,... y←A (x1 , . . . ; ω). We let Out(AO1 ,... (x1 , . . .)) denote the set of all possible outputs of A when run on inputs x1 , . . . and with oracle access to O1 , . . .. An adversary is an algorithm. Running time is worst case, which for an algorithm with access to oracles means across all possible replies from the oracles. Games. We use the code-based game-playing framework of BR [11]. A game G (see Fig. 2 for an example) starts with an optional Init procedure, followed by a non-negative number of additional procedures called oracles, and ends with a Fin procedure. Execution of adversary A with game G consists of running A with oracle access to the game procedures, with the restrictions that A’s first call must be to Init (if present), its last call must be to Fin, and it can call these procedures at most once. The output of the execution is the output of Fin.

582

V. Arte et al.

Fig. 1. Examples of edit operations. The first column shows the edit-operation code, the second column shows the arguments and the third shows the resulting, edited document. Here i ∈ [1..nb], where nb = |D|, and x ∈ BS.

By Pr[G(A)] we denote the probability that the execution of game G with adversary A results in this output being the boolean true. The running time of an adversary playing some game, as referred to in theorem statements, is defined as the worst-case time of the execution of the adversary in the game, so that the time for game procedures to compute responses to oracle queries is included. This convention means that reductions usually preserve adversary running time, up to small terms that we will ignore. Note that our adversaries have no inputs or outputs. The role of what in other treatments is the adversary input is, for us, played by the response to the Init query, and the role of what in other treatments is the adversary output is, for us, played by the query to Fin. Different games may have procedures (oracles) with the same names. If we need to disambiguate, we may write G.O to refer to oracle O of game G. In games, integer variables, set variables, boolean variables and string variables are assumed initialized, respectively, to 0, the empty set ∅, the boolean false and ⊥.

3

Framework: iFFs, IUF and IPRF

Here we give a framework of definitions and basic results that has two main new elements. The first is that the setting is nonce based, and the second is that, besides defining incremental UF security, we give the first definitions for incremental PRFs. Nonce-based means algorithms in our iFF syntax are deterministic and may take as input a quantity called a nonce that, for security, is only required to be non-repeating. This generalizes and extends prior schemes, that used randomness or counters, yielding schemes that are more versatile and robust. An added benefit is that this setting allows us to define PRF security and also to define and achieve a strong form of correctness which asks that updated tags coincide with ones that would have been computed from scratch. This in turn allows us to neglect updates in proving security. We start with document editing systems, then give our syntax of nonce-based incremental function families, then define UF and PRF security, and then give some basic results and relations. Document editing systems. An incremental cryptographic scheme works for (sits atop) what we call a document editing system. Extending what [6] call

Incremental Cryptography Revisited

583

text modification operations, a document editing system describes the format of documents and a set of modification (edit) operations on them. It is an entirely non-cryptographic object. The specification of a document editing system DE = (bl, BS, OpC, OpA, Ed) starts with a block length bl ≥ 1. The block space is then set to BS = {0, 1}bl . Documents (also called messages) are vectors over BS, meaning members of BS∗ . There is a set OpC of edit-operation codes, which are names or formal symbols to indicate different edit operations on documents. The actual edit operations are defined and performed by a deterministic edit algorithm Ed : BS∗ ×OpC×OpA → BS∗ which takes, as inputs, a document D ∈ BS∗ , an operation code op ∈ OpC and arguments arg ∈ OpA to return an updated document Ed(D, op, arg) ∈ BS∗ . If necessary to disambiguate, we write DE.bl, DE.BS, DE.OpC, DE.OpA, DE.Ed in place of bl, BS, OpC, OpA, Ed. Figure 1 shows three common edit operations, namely replace, insert and delete. Their operation codes, denoted respectively by insert, replace and delete, are shown in the first column. By nb we denote the number of blocks in the starting document D. The insert operation allows inserting a block x ∈ BS at position i ∈ [1..nb] in the document D, the delete operation allows deletion of the i-th block of D, and the replace operation allows replacement of the i-th block of D by the block x. Of course a scheme which is incremental for the insert and delete operations is also incremental for the replace operation (the latter can be implemented by using the former two). Other possible operations are append or prepend of a block to a document. (They are special cases of insert, but some schemes are incremental for append or prepend, but not for insert [7,34].) Incremental function families. We define incremental function families as the syntax that will underly both incremental MACs and PRFs. An incremental function family iF = (KS, NS, Rng, Tg, Up, Ver) for a document editing system DE = (bl, BS, OpC, OpA, Ed) specifies numerous algorithms and sets, as follows: – A key space KS, a nonce space NS, and an output space Rng. – A tagging algorithm Tg : KS × NS × {0, 1}∗ × BS∗ → Rng that takes the key K, a nonce N , document identifier id , and document D to deterministically return a tag t ← Tg(K, N, id , D). – A tag update algorithm Up : KS × NS × {0, 1}∗ × BS∗ × OpC × OpA × Rng → Rng that takes the key K, a nonce N , a document identifier id , a document D, an operation code op, the operation arguments arg, and a current tag t to deterministically return an updated tag t ← Up(K, N, id , D, op, arg, t). – A tag verification algorithm Ver : KS × {0, 1}∗ × BS∗ × {0, 1}∗ → {true, false} that takes a key K, a document identifier id , a document D and a candidate tag t to deterministically return either true or false. We say that iF has (fixed) nonce-length nl if NS = {0, 1}nl . We require that if |iF.NS| = 1 then iF.NS = {ε}, meaning has nonce-length zero. In this case, we refer to iF as nonce-less.

584

V. Arte et al.

Fig. 2. Games defining correctness and strong correctness for an incremental function family iF. If a line indicates a game it means that line is included only in that game.

Update time. For an iFF to have practical value, the update time should be less than the time to compute the tag, on the modified document, from scratch via the tagging algorithm. The actual time for updates varies across schemes, and no formal condition on it is mandated. Ideally this time is proportional only to the time to perform the modification and the number of blocks modified, but in fact even an update time linear in the length of the document can be interesting if it is cheaper than from-scratch tagging. Most of our results are general transforms that preserve update time. Correctness and strong correctness. Correctness requires that tags generated by the tagging and update algorithms are accepted by the verification algorithm. It is a little more delicate to define than usual because it is required only for tags that arise through legitimate applications of the tagging or update algorithms. The clearest way we know to formalize this is via a game. We say that iF = (KS, NS, Rng, Tg, Up, Ver) satisfies correctness relative to DE = (bl, BS, OpC, OpA, Ed) if Pr[Gcorr iF,DE (A)] = 0 for all adversaries A (regardless of their running time), where game Gcorr iMA,DE is shown in Fig. 2. (Lines 8, 9 are excluded from this game. The game including them will be discussed next.) As per Init, the adversary is given the key K. Correctness is required regardless of whether or not nonces repeat. What oracles Tag, Upd return doesn’t matter since they are deterministic, so we have them return ⊥. We also introduce a notion of strong correctness. It asks that tags returned by the update algorithm are the same as if the updated document had instead been tagged directly, from scratch, via the tagging algorithm. Formally we say

Incremental Cryptography Revisited

585

that iF = (KS, NS, Rng, Tg, Up, Ver) satisfies strong correctness for DE = (bl, BS, OpC, OpA, Ed) if Pr[Gscorr iF,DE (A)] = 0 for all adversaries A (regardless of their running time), where game Gscorr iF,DE is shown in Fig. 2. Strong correctness implies correctness, since the lines of the latter game are present in the former. But there are two additional, important dividends. The first is Propostion 1, which says that when strong correctness is present, we can, in evaluating security, ignore the Upd oracle. This will significantly simplify proofs. The second dividend is that strong correctness implies privacy of updates, meaning updated tags do not reveal the modification history of the document [26]. Correctness will be the default, unstated assumption. If strong correctness is assumed or achieved, we will say so explicitly. IUF security. We define Incremental Unforgeability (IUF) of an incremental function family iF = (KS, NS, Rng, Tg, Up, Ver), relative to document editing system DE = (bl, BS, OpC, OpA, Ed), extending the notion of basic security [5] to our nonce-based setting. Consider game Giuf iF,DE of Fig. 3 and let iuf Adviuf (A) = Pr[G (A)] be the iuf-advantage of an adversary A. For any iF,DE iF,DE “live” document identity id , the game maintains: (1) Did , the current version of the document associated to id (2) tid , its tag (3) NLid , a set storing nonces used so far for id , and (4) DLid , a set storing versions of the document with identity id tagged so far. Variable Did starts out ⊥. An adversary initializes an id via its Tag oracle. The adversary is returned the tag as computed by the tagging algorithms Tg. Now id is live, and the adversary can make Upd queries, and also further Tag queries, with it. An Upd query for id takes a nonce and the description of the update. Document Did is updated (edited) according to the latter, and the tag computed by the Up algorithm is returned to the adversary. Each Tag and Upd query adds entries to the sets NLid , DLid , thus keeping track of which nonces have been used and which documents have been tagged. Lines 2, 8 disallow nonce reuse for any individual document identity, except if the scheme is nonce-less, in which case this restriction is dropped. The latter is important to capture nonce-less schemes as special case of our framework. It is always permitted to re-use the same nonce across different document identities. To win the adversary must make a query to Vf that is successful (algorithm Ver accepts) and non-trivial (the document was not previously tagged for this identity). Any number of Vf queries are allowed and they may be interleaved arbitrarily with other queries. The adversary cannot make an Upd query with some document identity prior to having initialized that identity via a Tag query with that identity, but can make a Vf query without such initialization. IPRF security. We define Incremental Pseudorandom Function (IPRF) security of an incremental function family iF = (KS, NS, Rng, Tg, Up, Ver), relative to document editing system DE = (bl, BS, OpC, OpA, Ed). Consider game Giprf iF,DE iprf of Fig. 3 and let Adviprf iF,DE (A) = 2 Pr[GiF,DE (A)] − 1 be the iprf-advantage of an adversary A. The game picks a random challenge bit b ∈ {0, 1}, samples a key K from the key space, and picks a random function with domain the Cartesian product of the nonce space, the document identity space, and the message

586

V. Arte et al.

Fig. 3. Games defining IUF (left) and IPRF (right) security of an incremental function family iF = (KS, NS, Rng, Tg, Up, Ver) relative to document editing system DE = (bl, BS, OpC, OpA, Ed).

space, and range the output space Rng. The game responds to Tag oracle queries depending on the value of the bit b, either generating tags using the tagging algorithm (when b = 1) or using the random function f (when b = 0). Similarly for responses to Upd, with the document used in the b = 0 case at line 13 being the updated one. The Vf oracle verifies as prescribed by iF if b = 1 and otherwise returns false. Inclusion of this oracle is important for showing that IPRF security implies IUF security. The adversary ends with a Finalize query that is a bit b representing its guess as to the challenge bit b, and the game returns true iff this guess is correct.

Incremental Cryptography Revisited

587

Dropping updates. In giving the first security definitions for incremental cryptography, [5,6] are at pains to warn that one must allow the adversary Upd queries, because updated tags may be different from from-scratch ones, and allow forgery. Their definitions and analyses reflect this. Nonetheless, below, we show that, for both IUF and IPRF security, we can assume that adversaries make no queries to their Upd oracles if the function family satisfies strong correctness. This will simplify later proofs. The proof of the following Proposition, which formalizes the claim, is in the full version [2]. Proposition 1. Let iF = (KS, NS, Rng, Tg, Up, Ver) be an incremental function family satisfying strong correctness relative to document editing system DE. Let (x, X) ∈ {(iuf, IUF), (iprf, IPRF)}. Suppose A is an adversary against the Xsecurity of iF making qt , qu , qv queries to its Tag, Upd, Vf oracles. Then we can construct an adversary A0 , also against the X-security of iF, making qt + qu queries to its Tag oracle, zero queries to its Upd oracle, and qv queries to its Vf oracle such that AdvxiF,DE (A0 ) = AdvxiF,DE (A). Adversary A0 has the same running time as A. Adversary classes. If A is a class (set) of adversaries, then we will say that an incremental function family iF is IPRF[A] (resp. IUF[A]) -secure relative to DE if the iprf (resp. iuf) -advantage of adversaries in A is small. Considering different classes of adversaries gives us a precise way to discuss special cases of our broad notion. Some of the adversary classes we consider are as follows: – Asd — The class of single-document adversaries. These, across all their queries, use only one document identity, that we can (wlog) assume to be ε. By restricting to this class we capture what prior work called the singledocument setting. – Amd — The class of multi-document adversaries, this is simply the class of all adversaries. We give it this name just for later emphasis. – Arn — The class of random-nonce adversaries. These are ones whose choices of nonces, across all queries, are made independently and uniformly at random. This restriction allows us to recover (in our nonce-based setting) the setting of randomized schemes used in all prior work. IPRF security implies IUF security. For regular (no nonces, no incrementality) function families, it is well known that PRF security implies UF security [8,20]. This is useful, since establishing the former obviates establishing the latter, and we would like to preserve it. Nonces, however, bring a challenge here. Indeed, prior work has defined notions of PRF and UF security for nonce-based (not incremental) function families [29], but (as they point out), PRF does not imply UF under their definitions. It is to remedy this that our IPRF game, unusually for a PRF definition, included a verification oracle. This allows us to recover the implication. The following says that an iFF that is IPRF-security will also be IUF-secure. The proof is in the full version [2]. A useful consequence is that an iFF which is shown to satisfy IPRF security can directly be used to perform incremental message authentication.

588

V. Arte et al.

Proposition 2. Let iF = (KS, NS, Rng, Tg, Up, Ver) be an incremental function family relative to document editing system DE. Let Auf be an adversary against the IUF security of iF making qt , qu , qv queries to its Tag, Upd, Vf oracles, respectively. Then we can construct an adversary Aprf against the IPRF security of iF making qt , qu , qv queries to its Tag, Upd, Vf oracles, respectively, such that iprf Adviuf iF,DE (Auf ) = AdviF,DE (Aprf ). Adversary Aprf has about the same running time as Auf . The result of [8], saying that PRF implies UF for regular function families, requires that the size of the range set F.O of the function family F be large. This shows up as an added qv /|F.O| in the concrete bound. This term is absent in Proposition 2 because our definition of IPRF security has the verification oracle reject in the random case. But in practice, one should still ensure that the range set is large enough to avoid forgery by tag guessing.

4

From Single- to Multi-Document Security

The work that introduced incremental message authentication [5] considered security only in the single-document (SD) setting. In practice one would however expect the user to have many documents that it wants to incrementally process with a single key. This lead [6] to introduce the multi-document (MD) setting. (In our definitions, this is the default.) They, and later [17], gave and analyzed schemes directly for this setting. We take a more abstract and high-level view, asking how IPRF and IUF security in the single and multi document settings relate. First we give a separation, showing that there exist schemes secure in the SD setting but insecure in the MD setting. This shows that the latter is a strictly stronger requirement than the former, and motivates making it the target. Next, to reach this target, we give two general “boosting” results: given a scheme secure only in the SD setting, we (efficiently) transform it into a scheme secure in the MD setting. This lets us simplify design and analysis by, in the end, doing this only in the original and simpler single-document setting, relying on our transform to boost security to the MD setting. The difference between the two transforms is in the tightness of the reductions, as we will see below. Separation result. Let iF = (KS, NS, Rng, Tg, Up, Ver) be an incremental function family that is IPRF[Asd ] relative to the document editing system DE = (bl, BS, OpC, OpA, Ed). Let X ∈ {IUF, PRF}. We modify iF to an incremental function family iF = (KS, NS, Rng, Tg , Up , Ver ) —the key space, nonce space and range are unchanged, but the algorithms are changed— that has the following properties. (1) iF remains X[Asd ]-secure relative to document editing system DE, but (2) iF is not X-secure, meaning there is an attack showing that it is insecure in the MD setting. The modification is simple, namely have the algorithms of iF ignore their id input and run the corresponding iF algorithms with the document identity set to the empty string. In detail, let Tg (K, N, id , D) return Tg(K, N, ε, D) and

Incremental Cryptography Revisited

589

Fig. 4. Algorithms of the incremental function family iFmd = StM1[iFsd , F] (top) and iFmd = StM2[iFsd , H] (bottom).

let Up (K, N, id , D, op, arg, t) return Up(K, N, ε, D, op, arg, t). Then (1) is true because queries of an adversary A ∈ Asd already only have id = ε, so nothing is really changed from the perspective of such an adversary. For (2), we give separate attacks IPRF and IUF, beginning with the former. Let id 1 , id 2 be some two distinct document identities, N some nonce and D some document. An adversary A can easily obtain an iprf-advantage of (1 − 1/|Rng|) as follows. Having started with its mandatory Init query, it then makes query t1 ← Tag(N, id 1 , D), followed by query t2 ← Tag(N, id 2 , D). (Although the nonce N is the same in both queries, it is for two different identities, so the adversary is nonce-respecting.) Then A calls Fin(1) if t1 = t2 , and Fin(0) otherwise. For the IUF case, an adversary A can obtain an iuf-advantage of 1 as follows. It starts with its mandatory Init query, then makes query t1 ← Tag(N, id 1 , D), followed by query d ← Vf(id 2 , D, t1 ). The adversary then ends with its Fin call. Boosting results. The above says that a scheme having sd security need not have md. We now show, however, that the sd-secure scheme can be generically transformed into one that is md secure. We give two transforms. The first uses a natural technique, namely to apply a PRF under the key K to the document-id to obtain a sub-key under which the SD scheme may be used. It works, but security degrades by a factor equal to the number of document identities. The second transform gives a tight reduction by a different technique. It uses, as an auxiliary tool, a variable-output-length hash function. The relevant definitions for the auxiliary tools (function families satisfying PRF security in the first case, and CR hash functions in the second) are provided in the full version [2].

590

V. Arte et al.

StM1. Given an incremental function family iFsd for a document editing system DE that is IPRF-secure only in the single-document setting, our transform StM1 uses as auxiliary tool a PRF F : F.KS × {0, 1}∗ → iFsd .KS to construct the incremental function family iFmd = StM1[iFsd , F] that is defined as follows. Its key space iFmd .KS = F.KS is that of the PRF . Its nonce space iFmd .NS = iFsd .NS is that of the given scheme. Its algorithms are shown in the top panel of Fig. 4. The following theorem says that if iFsd provides security in the single-document setting and F is a secure PRF then iFmd provides security in the multi-document setting. The proof is in the full version [2]. Theorem 3. Let (x, X) ∈ {(iuf, IUF), (iprf, IPRF)}. Let iFsd is an incremental function family for the document editing system DE. Let F : F.KS × {0, 1}∗ → iFsd .KS be a PRF. Let iFmd = StM1[iFsd , F] be the scheme constructed as above. Suppose we are given an adversary Amd against the X security of iFmd making qt , qu , qv queries per document to its Tag, Upd, Vf oracles, respectively. Let q denote the number of distinct document identifiers across all these queries. Then we construct an adversary Asd ∈ Asd against the X security of iFsd and an adversary B against the PRF security of F such that AdvxiFmd ,DE (Amd ) ≤ q · AdvxiFsd ,DE (Asd ) + Advprf F (B) . Adversary Asd makes qt , qu , qv queries to its Tag, Upd, Vf oracles, respectively, all involving just the one document identity ε, and its running time is about that of Amd . The number of distinct Fn queries of B is q, and its running time is about that of Amd . If Amd ∈ Arn then Asd ∈ Arn . StM2. Our second transform StM2 tightly reduces the IPRF security of the constructed multi-document function family iFmd to the IPRF security of the given single-document function family iFsd , meaning the factor q in Theorem 3 disappears. This requires that iFsd satisfies strong correctness and the operations of DE = (bl, BS, OpC, OpA, Ed) satisfy a translation condition we will define. We assume iFsd has a fixed nonce length nl ≥ 0. The transform uses as auxiliary tool a variable output length hash function H as defined in Sect. 2, constructing iFmd = StM2[iFsd , H] as follows. The key space iFmd .KS = iFsd .KS is that of the starting scheme. The nonce space iFmd .NS is {ε} if nl = 0 and is {0, 1}∗ otherwise. Its algorithms are shown in the bottom panel of Fig. 4. Here, if D is a document and d is a block, we have defined Prepend(d, D) to be the document (d, D[1], . . . , D[|D|]) obtained by pre-pending d to D as its first block. If D ∈ BS∗ is a document then we let First(D ) be its first block and Rest(D ) the rest. Thus, in the iFmd .Tg algorithm in Fig. 4, we have First(D ) = d and Rest(D ) = D. One must take care, however, that what is the “document” differs for iFmd —for which it is D, to which we want to apply op— and for iFsd —for which it is D = Prepend(d, D). So, for example, if the requested operation is replace on block 3 of D, we need to perform the replace on block 4 of D . We call this operation translation, and assume it is possible. More precisely, we assume there is a function OpTr such that if we compute X ← Ed(D , op, OpTr(op, arg)) then First(X) = D [1] —the first block is

Incremental Cryptography Revisited

591

unchanged— and Rest(X) = Ed(Rest(D ), op, arg) —the edit is performed correctly on the remaining document. For example, OpTr(replace, (i, v)) = (i+1, v), OpTr(insert, (i, v)) = (i + 1, v) and OpTr(delete, i) = i + 1, showing that these operations translate. (Not all operations translate, however. For example, prepend , the operation of pre-pending a block, does not, because it changes the first block of the document.) Note translation is a property of, and assumption on, the document editing system, not the incremental function families. The following theorem gives the tight reduction result. The proof is in the full version [2]. Theorem 4. Let (x, X) ∈ {(iuf, IUF), (iprf, IPRF)}. Let DE be a document editing system whose operations are translatable, and let OpTr denote the translation function. Let iFsd be an incremental function family that satisfies strong correctness for DE. Let H be a variable output length hash function. Let iFmd = StM2[iFsd , H] be the incremental function family constructed as above. Suppose we are given an adversary Amd against the X security of iFmd , making qt , qu , qv queries to its Tag, Upd, Vf oracles, respectively. Then we construct an adversary Asd ∈ Asd against the X security of iFsd and adversaries B1 , B2 against the CR security of H such that AdvxiFmd ,DE (Amd ) ≤ AdvxiFsd ,DE (Asd ) + Advcr H,bl (B1 ) +  , where  = Advcr H,nl (B2 ) if nl = 0 and  = 0 otherwise. Adversary Asd makes qt + qu queries to its Tag oracle, qv queries to its Vf oracle and zero queries to its Upd oracle, all involving just one document identity ε. The running times of the constructed adversaries is about the same as that of AiF . If Amd ∈ Arn then Asd ∈ Arn .

5

Incremental Hash-then-Encrypt (iHtE) Construction

In this Section we give a construction of an incremental PRF for a document editing system DE from the following ingredients: (1) an incremental hash function iHF for DE (2) a symmetric encryption scheme SE (2) a key-derivation function KDF. The construction is called iHtE for “incremental Hash-then-Encrypt,” and we write iF = iHtE[iHF, SE, KDF]. The construction adapts the Carter-Wegman paradigm. We target security in the single-document setting, since the results of Sect. 4 can be used to boost security to the multi-document setting. We show that one can obtain many examples of iHF, SE, KDF such that iHF is incremental for replace and iHtE[iHF, SE, KDF] is IPRF[Asd ]-secure. Thus, we obtain, via iHtE, many particular constructions of incremental PRFs for replace. We do not currently know of hash functions iHF that are incremental for operations other than replace, but, if these are found, iHtE would yield incremental PRFs for these operations. Meanwhile, we will see later how to obtain results for insert, delete in other ways. Ingredients. Our iHtE construction will need the following three objects:

592

V. Arte et al.

Fig. 5. Algorithms of the incremental function family iF = iHtE[iHF, SE, KDF].

– An incremental hash function iHF for document editing system DE = (bl, BS, OpC, OpA, Ed). It specifies a key space iHF.KS and an output length iHF.ol. Then, via h ← iHF.Hsh(KiHF , D), the deterministic hash computation algorithm determines the iHF.ol-bit hash of a message D ∈ BS∗ . Via h ← iHF.Up(KiHF , D, op, arg, h), the deterministic hash update algorithm can update a hash value h. The update must be correct: iHF.Up(KiHF , D, op, arg, iHF.Hsh(KiHF , D)) = iHF.Hsh(KiHF , Ed(D, op, arg)). – A symmetric encryption scheme SE. This has a key space SE.KS, nonce length SE.nl and a ciphertext space denoted Rng. We encrypt via t ← SE.Enc(KSE , N, h). Decryption, operating as h ← SE.Dec(KSE , t), does not take the nonce. (This is the NBE2 syntax of [10].) We require of course that decryption reverses encryption: SE.Dec(KSE , SE.Enc(KSE , N, h)) = h. – A key-derivation function KDF : KDF.KS → iHF.KS × SE.KS that via (KiHF , KSE ) ← KDF(K) maps a base key K into keys for iHF and for SE. The two may be related, or even the same , which is why a KDF is needed. One important way in which the above differs from, or extends, the classical Carter-Wegman paradigm, is that, in the latter, the object playing the role of SE is not required to be invertible, and in some cases is not invertible. For allowing updates (incrementality), it is not only crucial that SE is invertible (that is, the SE.Dec operation above exists) but also, as assumed above, that decryption does not require the nonce, meaning the syntax is NBE2. Also, in the usual CarterWegman paradigm, keys for hashing and encryption are independent. The above extends this by introducing a key-derivation function, which allows the hashing and encryption keys to be related, as happens in some constructions. We clarify that we do not, at this point, mandate any particular security conditions for iHF, SE, KDF. Different results (eg. Theorem 6) or constructions may assume different things that they will state as necessary. iHtE construction. We specify incremental function family iF = iHtE[iHF, SE, KDF]. We set the key space to iF.KS = KDF.KS. The nonce space is that of SE: we set iF.NS = {0, 1}SE.nl . The range is Rng. The tagging, update and verification algorithms are in Fig. 5. The idea for updates is to decrypt t via

Incremental Cryptography Revisited

593

SE.Dec to recover the iHF-hash h, exploit incrementality of iHF to update h to h , and then re-encrypt h to get the updated tag t . It is crucial that decryption is possible and also that decryption does not use the nonce used for encryption. In classical Carter-Wegman, the nonce is placed in the tag, but we cannot do this for (I)PRF security, so we must be able to decrypt without the nonce. The following proposition , which we prove in the full version [2], says that iHtE provides strong correctness. This allows us to exploit Theorem 4 to obtain a IPRF[Amd ]-secure scheme without loss of quantitative security. Proposition 5. Let iF = iHtE[iHF, SE, KDF] be the incremental function family built as above, and let DE be the underlying document editing system. Then iF satisfies strong correctness relative to DE. IPRF security from the iHtE construction. We now proceed to provide a result showing how to achieve IPRF security from specific security notions for the incremental hash function and the symmetric encryption scheme. To do this, we use a notion of computationally almost universal (CAU) security [3] for the incremental hash function, and a notion of AE2 security [10] for the symmetric encryption scheme. Formal definitions for these notions are provided in the full version [2]. Given the above definitions, the following shows that iHtE provides IPRF security in the sd setting. The proof of this is deferred to the full version [2]. Theorem 6. Let hash function iHF and symmetric encryption scheme SE be as above. Let KDF return (KiHF , KSE ) with the two keys chosen independently and at random. Let iF = iHtE[iHF, SE, KDF] be the incremental function family built as above, and let DE be the underlying document editing system. Suppose we are given an adversary AiF ∈ Asd against the IPRF security of iF, making qt , qu , qv queries to its Tag, Upd, Vf oracles, respectively, and let q = qt + qu + qv . Then we construct an adversary AH against the CAU security of iHF and an adversary ASE against the AE2 security of SE such that cau ae2 Adviprf iF,DE (AiF ) ≤ 2 · AdviHF (AH ) + 2 · AdvSE (ASE ) .

Adversary AH makes q queries to its Hash oracle and adversary ASE makes qt + qu queries to its Enc oracle, and qv queries to its Dec oracle. The running times of the constructed adversaries is about the same as that of AiF .

6

Instantiations

Armed with the tools from the previous sections, we turn to finding specific IUF/IPRF-secure iFFs with efficient update algorithms. In the following, incrementality is always for the replace operation, and security always means in the single document setting. The first examples of incremental message authentication schemes, given in [6], were the XORMACs of [7], but these are not nonce based and need to be

594

V. Arte et al.

Fig. 6. Table summarizing the constructed iFFs for different instantiations.

recast in our syntax before we can even talk of security. We begin by identifying, underlying these schemes, a hash function iHF that is incremental. Thence, we directly obtain an iFF iFXORMAC-1 that is the natural nonce-based extension of the original schemes. This is IUF-secure, but (due to inclusion of the nonce in the tag), not IPRF-secure. To get an IPRF-secure iFF (viz. iFXORMAC-2 ), we use iHtE and Theorem 6 in conjunction with the identified iHF. Many message authentication schemes have appeared subsequent to [5]. We divide them into groups. The first group is ones (eg. PMAC [14], PMAC1 [32], Poly1305−AES [12]) that come with explicit claims of incrementality by their authors. The works however stop short of establishing that the schemes meet any formal notion of incremental security. We revisit these schemes to fill these gaps and/or go beyond to obtain IUF/IPRF-secure iFFs. We use, broadly, the same approach as outlined above for XORMACs. First, we identify, underlying the schemes, a hash function iHF that is incremental. Thence, we attempt first to recover the natural expression of the original scheme as an iFF. In some cases, existing results can be used to show this iFF is IPRF secure, but this is rare. (The only examples we have are PMAC1 and PMAC.) In other cases (eg. Poly1305−AES), this iFF is IUF secure but not IPRF secure. (Because of inclusion of the nonce in the tag.) In this case, we go back to the incremental hash function iHF, and use iHtE and Theorem 6 to obtain an IPRF-secure iFF. In the second group are existing message authentication schemes that are not incremental but underlying which we can nevertheless identify an incremental hash function iHF. (These schemes, explicitly or implicitly, use the CW paradigm.

Incremental Cryptography Revisited

595

Incrementality fails due to the masking step not being invertible.) In these cases, we again use iHtE and Theorem 6 in conjunction with the identified iHF to obtain IPRFs. Figure 6 summarizes our analysis of different works – we cover one example – viz. the XORMAC, here, and defer the remaining to the full version [2]. In the following, let DE = (bl, BS, OpC, OpA, Ed) be the underlying document editing system. Recall that the only operation supported is replace. iFXORMAC-1 , iFXORMAC-2 . The original XORMAC [7] comes in two forms, randomized and counter based. We generalize these to create nonce-based iFFs. Let E : {0, 1}k × T × {0, 1}bl → {0, 1}bl be a tweakable blockcipher [24] with tweak space T = N. Define iHF : {0, 1}k × BS∗ → {0, 1}bl to take input K, D and return h ← E(K, 1, D[1]) ⊕ · · · ⊕ E(K, m, D[m]), where m ← |D| is the number of blocks in D. This hash function is easily seen to be incremental for replace [6], and we denote the update algorithm by iHF.Up. Define iFXORMAC-1 as follows. The nonce space is {0, 1}bl . The tagging algorithm Tg takes K, N, ε, D —recall we are in the sd setting, so the document id is ε— and returns tag (N, c) where c ← E(K, 0, N ) ⊕ iHF(K, D). The update algorithm Up takes K, N  , ε, D, replace, arg, (N, c) and returns (N  , c ) obtained by setting h ← iHF.Up(K, D, replace, arg, E(K, 0, N ) ⊕ c) and c ← E(K, 0, N  ) ⊕ h . The verification algorithm Ver takes K, ε, D, (N, c) and returns true iff Tg(K, N, ε, D) = (N, c). We can see that the iFF is strongly correct, whence the proofs of [7] (for their randomized and counter-based message authentication schemes) extend to our nonce-based setting to show that iFXORMAC-1 is IUF secure. The inclusion of the nonce N in the tag t = (N, c) in iFXORMAC-1 , however, precludes its being IPRF secure. To obtain an iFF that is IPRF secure, we can simply use the underlying incremental hash function iHF in iHtE. Namely, we pick some suitable symmetric encryption SE —there are many choices— and apply Theorem 6 to get an IPRF iFXORMAC-2 = iHtE[iHF, SE, KDF] that is incremental for DE. Acknowledgments. We thank Damien Vergnaud for discussions and comments in early stages of this work. We thank the IndoCrypt 2020 reviewers for their comments. Arte and Bellare are supported in part by NSF grant CNS-1717640 and a gift from Microsoft corporation.

References 1. Ananth, P., Cohen, A., Jain, A.: Cryptography with updates. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 445–472. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6 15 2. Arte, V., Bellare, M., Khati, L.: Incremental Cryptography Revisited: PRFs. Nonces and Modular Design, Cryptology ePrint Archive (2020) 3. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175 36

596

V. Arte et al.

4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5 1 5. Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography: the case of hashing and signing. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 216–233. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5 22 6. Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography and application to virus protection. In 27th ACM STOC, pp. 45–56. ACM Press, May/June 1995 7. Bellare, M., Gu´erin, R., Rogaway, P.: XOR MACs: new methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995). https:// doi.org/10.1007/3-540-44750-4 2 8. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000) 9. Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0 13 10. Bellare, M., Ng, R., Tackmann, B.: Nonces are noticed: AEAD revisited. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 235– 265. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7 9 11. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/ 10.1007/11761679 25 12. Bernstein, D.J.: The poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760 3 13. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999). https://doi.org/10.1007/3-54048405-1 14 14. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7 25 15. Buonanno, E., Katz, J., Yung, M.: Incremental unforgeable encryption. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 109–124. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45473-X 9 16. Dworkin, M.: Recommendation for block cipher modes of operation: the CMAC mode for authentication. NIST Special Publication 800–38B (2005) 17. Fischlin, M.: Incremental cryptography and memory checkers. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 393–408. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0 27 18. Fischlin, M.: Lower bounds for the signature size of incremental schemes. In 38th FOCS, pp. 438–447. IEEE Computer Society Press, October 1997 19. Garg, S., Pandey, O.: Incremental program obfuscation. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 193–223. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0 7 20. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)

Incremental Cryptography Revisited

597

21. Halevi, S., Krawczyk, H.: MMH: software message authentication in the Gbit/second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052345 22. Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9 2 23. Khati , L., Vergnaud, D.: Analysis and improvement of an authentication scheme in incremental cryptography. In: Cid, C., Jacobson Jr., M.J. (eds.) SAC 2018. LNCS, vol. 1349, pp. 50–70. Springer, Heidelberg, August 2019 https://doi.org/10.1007/ 978-3-030-10970-7 3 24. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011) 25. McGrew, D.A., Viega, J.: The security and performance of the Galois/counter mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/ 10.1007/978-3-540-30556-9 27 26. Micciancio, D.: Oblivious data structures: applications to cryptography. In: 29th ACM STOC, pp. 456–464. ACM Press, May 1997 27. Mihajloska, H., Gligoroski, D., Samardjiska, S.: Reviving the idea of incremental cryptography for the Zettabyte era use case: incremental hash functions based on SHA-3. In: Camenisch, J., Kesdo˘ gan, D. (eds.) iNetSec 2015. LNCS, vol. 9591, pp. 97–111. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39028-4 8 28. Mironov, I., Pandey, O., Reingold, O., Segev, G.: Incremental deterministic publickey encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 628–644. Springer, Heidelberg (2012). https://doi.org/10. 1007/978-3-642-29011-4 37 29. Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3662-53018-4 2 30. Rogaway, P.: Bucket hashing and its application to fast message authentication. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 29–42. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4 3 31. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press, November 2002 32. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-3053922 33. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001, pp. 196–205. ACM Press, November 2001 34. Sasaki, Yu., Yasuda, K.: A new mode of operation for incremental authenticated encryption with associated data. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 397–416. Springer, Cham (2016). https://doi.org/10.1007/ 978-3-319-31301-6 23 35. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5 24

598

V. Arte et al.

36. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981) 37. Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9 34

Functional Encryption

Gadget-Based iNTRU Lattice Trapdoors Nicholas Genise1(B) and Baiyu Li2 1

2

SRI International, San Diego, USA [email protected] University of California, San Diego, USA [email protected]

Abstract. We present two new related families of lattice trapdoors based on the inhomogeneous NTRU problem (iNTRU) defined in Genise et al. [16] (ASIACRYPT 2019). Our constructions are “gadget-based” and offer compact secret keys and preimages and compatibility with existing, efficient preimage sampling algorithms. Our trapdoors can be used as a fundamental building block in lattice-based schemes relying lattice trapdoors. In addition, we implemented our trapdoors using the PALISADE library.

1

Introduction

Lattice-based cryptography provides powerful building blocks used to create a plethora of advanced cryptographic capabilities. For example, lattices yield fully homomorphic encryption [19], fully-homomorphic signatures [21], and attributebased encryption (ABE) [6]. Further appealing aspects of lattice-based cryptography are its potential post-quantum hardness1 and its inherent parallelism. Many of the listed schemes rely on short integer solution (SIS) latticetrapdoors and their most efficient implementations are in the ring setting (RSIS). Let Rq (R) be a polynomial ring with coefficients in Zq (Z) and X ⊂ Rm be a set of small-norm polynomials. Then, RSIS trapdoors are summarized as follows: the user generates a (pseudo)random a ∈ Rqm together with a trapdoor which allows one to invert the function fa : X → Rq , defined as fa (x) := at x (mod q). A powerful method used to invert this function is discrete Gaussian sampling [20,28] where the trapdoor is used to sample a discrete, Gaussian-like distribution over all RSIS preimages of an output of the RSIS function, u ∈ Rq . There are two ways to instantiate the GPV paradigm [20]. The first is to generate an RSIS instance which is statistically close to uniformly random together with a trapdoor. The second, more efficient, way to instantiate the GPV paradigm is to generate a pseudorandom RSIS instance whose trapdoor is also the secret used in the pseudorandom generator. Lattice cryptography’s This work was done at Rutgers supported by National Science Foundation grant SaTC1815562. 1 https://csrc.nist.gov/Projects/post-quantum-cryptography/round-2-submissions. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 601–623, 2020. https://doi.org/10.1007/978-3-030-65277-7_27

602

N. Genise and B. Li

prominent sources of pseudorandomness are the (ring-)learning with errors problem (RLWE) [26,35] and the NTRU learning problem [22,32]. RSIS trapdoors whose pseudorandomness is based on RLWE were introduced in [28] (MP12). Here the trapdoor is used as a linear transformation and the trapdoor is hidden via Peikert’s discrete Gaussian perturbation method [31]. We call these trapdoors “gadget-based” since the trapdoor reduces inverting RSIS on a (pseudo)random matrix to a “gadget” matrix on which RSIS is easy to solve. The study of GPV trapdoors whose pseudorandomness is based on NTRU was initiated in [13]. Here the seed to the NTRU PRG is used to construct a short basis and trapdoor inversion is done via a structured version, [15], of the GPV discrete Gaussian sampler [20]. For the remainder, let approximate trapdoor sampling denote a trapdoor scheme where the trapdoor is used to sample a short vector whose RSIS image is close to the input’s RSIS image: given u ∈ Rq , sample a short x ∈ Rm such that fa (x) ≈ u ∈ Rq . Approximate trapdoors are used in [13] via the HNF optimization and [7]’s adaptation of MP12 to save a constant fraction of preimage and public key memory. Contribution. We introduce two similar families of gadget-based RSIS (approximate) trapdoors whose pseudorandomness is based on the inhomogeneous NTRU problem (iNTRU), introduced in [16]. Of the two instantiations presented in this paper, the first trapdoor is a noisy version of an RSIS trapdoor, but with the advantage that it can be almost entirely parallelized, down to the ring level. The second is an exact analog to MP12, but with a secret key nearly half the size of MP12 when we fix the parameters n, q, m, and R: ours has just one vector of small polynomials serving as a trapdoor instead of two vectors in MP12. Comparing the two iNTRU trapdoors gives an interesting trade-off: the second can have a smaller modulus making it suitable for use over cyclotomic rings where we can take advantage of the ring structure to sample perturbations as in [15,17], while the first scheme offers more parallelism at the cost of a noisy verification and larger modulus. The larger modulus implies a ring other than a cyclotomic should be used in order to avoid subfield lattice attacks [2,23]. From a theoretical point of view, our results show MP12’s efficient gadgetbased trapdoor framework exists on a family of NTRU lattices. This provides another connection between NTRU and ring-LWE, which have similar cryptographic functionality despite apparent structural differences. Lastly, we implemented our trapdoors in the PALISADE2 lattice cryptography library to demonstrate efficiency. The trapdoors presented in this paper offer interesting trade-offs with applicability to a large selection of lattice-based schemes. Technical Details. Similar to MP12, our RSIS inversions can be broken into two steps: offline (precomputation) sampling of perturbation vectors dependent only on the trapdoor/secret key and online sampling which depends on the 2

https://palisade-crypto.org/.

Gadget-Based iNTRU Lattice Trapdoors

603

RSIS image we are inverting. If we precompute the perturbation vectors, as is standard, then we can reduce preimage sampling in the first, parallel trapdoor scheme to the following computations (with parallelism listed in parentheses): – – – –

one polynomial addition, one G-lattice sample (parallelism n, the ring’s dimension), one ring polynomial multiplication (parallelism m = O(log q)), and one polynomial addition (parallelism m = O(log q)).

Now we briefly discuss the trapdoor mechanism. A matrix R is a g-trapdoor for the RSIS instance at if at R = gt and R has small entries [28, Definition 5.2]. The public vector gt is called a “gadget” since it is easy to solve RSIS on gt . The iNTRU problem is to distinguish at := r−1 (gt + et ) from uniformly random where (r, e) ← χk+1 is drawn from a distribution with small entries and gt is a gadget matrix, usually taken to be gt := [1, b, b2 , . . . , bk−1 ] ∈ Rk and k = logb q. In the first, parallelized version of the trapdoor, the polynomial r is almost a g-trapdoor for at := r−1 (gt + et ): r · at = gt + et ≈ gt . Let us proceed naively in an attempt to construct a preimage: given u ∈ Rq , sample a discrete Gaussian x satisfying gt x = u and return y := rx. Clearly, y leaks information about r, but the verification equation u − at y = et x leaks information about e in the range of the RSIS function. This implies we need to add a perturbation in the domain and the range of the RSIS function, unlike previous convolution based trapdoors which only perturb in the RSIS domain. The second trapdoor is given by correcting the error term et . This is   t scheme −e realized by using rI as a g-trapdoor for [1, a] = [1, r−1 (gt + et )]. In terms of applications, we describe the simple hash-and-sign digital signature scheme provided by the former trapdoor scheme and prove its security in the random oracle model (ROM) in the appendix of the full (eprint) version3 . In the ROM, we have that the message is hashed to an element in Rq and this hash is modeled as uniformly random, u ← H(m) = U(Rq ). Other applications, like identity-based encryption, attribute-based encryption, and others follow from the fact that the trapdoor is statistically hidden. Both trapdoor schemes can be instantiated with the approximate gadget/trapdoor introduced in [7]. The approximate trapdoor increases the verification error while lowering the memory of the scheme and keeping the same concrete security of the underlying SIS problem. This is in contrast to the large √ base gadget g = [1, q] which decreases the concrete hardness of the trapdoor’s underlying SIS problem since the shortness needed to break the SIS problem scales with the gadget base in MP12 trapdoors. Further, [7, Section 1.3] give √ parameter sets incompatible with g = [1, q].

3

https://eprint.iacr.org/.

604

N. Genise and B. Li

Comparison to Other SIS Signatures and Trapdoors. The most natural comparison is Falcon [13]4 , since it is an efficient NTRU-based, discrete Gaussian, hash-and-sign digital signature scheme. Falcon reports a signing time of .16 ms for dimension n = 512 and .36 ms when n = 1024 on an Intel i5 CPU. In contrast, for n = 512 we match Falcon’s online sampling with preprocessing and less classical concrete security (roughly 100 bits versus 130 bits) and we have slower online signing times by an order of magnitude with preprocessing for n = 1024. In addition, our computations were done on a faster CPU (Intel i7). We expect our online sampling to be an order of magnitude slower in dimension n = 512 due to this difference in CPU (four cores versus eight cores). Our experiments are reported in Table 1. We emphasize that the larger modulus in our trapdoors is significant since it lowers the concrete security and increases the storage costs. On the other hand, Falcon’s signing algorithm uses the power of two cyclotomic subfield structure whereas the trapdoor schemes presented here only use the subfield structure during their offline phase. Our iNTRU trapdoors have an efficient online sampling in any ring with efficient polynomial multiplication, like the NTRUPrime ring [5], R = Z[x]/(xp −x−1) whose lack of subfields resists the overstretched subfield attack [2] (yet still susceptible to [23] for a large modulus). In addition, our scheme is compatible with advanced protocols like ABE [6] and fully-homomorphic signatures [21] since the SIS matrix has the same length as some underlying gadget matrix whereas Falcon’s is not. Falcon has much smaller public keys (two ring elements) and signature sizes (one ring element with small coefficients). It should be noted that the recent ModFalcon [9,10] scheme is compatible with these advanced schemes due to its longer length and retains its efficient sampling (12 ms in [9]). Another comparison is MP12 [28] and its approximate trapdoor version [7]. These schemes’ online sampling phase involves a matrix-vector multiplication whereas our first trapdoor’s online sampling can be parallelized to one ring multiplication and gadget-lattice sample. Our first trapdoor’s offline sampling involves a diagonal covariance over R, so it can be parallelized to the ringlevel as well. The second trapdoor is a direct NTRU analog of MP12 but with nearly half the memory for the secret key. Conversely, the use of NTRU lattices invites the dense sublattice attack of [23] and has a lower concrete security in comparison with RLWE-based trapdoors as the modulus q increases for a fixed ring dimension n. We performed experiments to compare the performance of our trapdoor schemes with [7]. The offline and online running times as well as the key sizes are collected in our experiments, summarized in Table 1. The parameter set in the first column of Table 1 is a toy example for our schemes as by our estimation it provides only 40 bits of security, while the rest of the parameters provide at least 100 bits of security. These experimental results show our schemes have similar online and offline running times comparing to [7], and our secret signing keys are smaller. In Sect. 4 we explain concrete security estimations and we also provide more detailed discussion about performance comparisons with [7]. 4

https://falcon-sign.info/.

Gadget-Based iNTRU Lattice Trapdoors

605

Table 1. Summary of online preimage sampling times and key sizes of the hash-andsign signature schemes based our trapdoors versus the RLWE based trapdoor of [7]. For our schemes we set σ = q 1/4 , while for [7] we set σ = 8. The running times shown are the mode of the data collected from 100 runs for each parameter set. For some parameters, the verification error in Algorithm 2 exceeds q/2, and hence we discard its statistics and denote using “–”. Params

Exact Exact Exact Approx Exact Approx Exact Approx Exact

n

512

512

1024

1024

1024

1024

1024

1024

log2 q

13

20

20

20

27

27

30

30

30

b

4

4

4

4

4

4

8

8

32

j

0

0

0

3

0

3

0

4

0

σ

10

32

32

32

107

107

181

181

181

Alg 2, offline (ms)





−−

−−

19

16

16

12

105

Alg 2, online (ms)





−−

−−

2

2

2

2

12

Alg 4, offline (ms)

6

6

20

13

21

18

18

13

113

Alg 4, online (ms)

2

8192

0.12

0.16

2

2

2

2

2

2

14

[7], offline (ms)

6

6

16

14

19

15

15

12

113

[7], online (ms)

1

1

2

2

3

3

2

2

12

Alg 2 & 4, |sk| (KB) 7

7

32

24

53

42

47

31

248

Alg 2 & 4, |vk| (KB) 7

7

29

21

49

39

43

28

217

[7], |sk| (KB)

13

13

58

42

98

77

86

55

434

[7], |vk| (KB)

8

8

35

27

56

46

51

35

279

Preliminaries

Let N, Z, R, C denote the natural, integer, real, and complex numbers respectively. We denote numbers as lowercase plain (possibly Greek) letters, vectors as lowercase boldface letters (e.g. u, v ∈ Rn ), and matrices as boldface capital letters (e.g. T, M ∈ Zn×n ). Complex conjugation is denoted as z for z ∈ C and matrix transpose is denoted as Mt . The symbol Σ will be reserved for positive(semi)definite matrices. We will often use the integers modulo q for some integer q ≥ 2, Zq := Z/qZ. Denote the logarithm base b ≥ 2 as logb , and denote log as logarithm base two when b is omitted. We say a function f : N → [0, 1] is negligible if f (λ) = λ−ω(1) . The letter λ is reserved for the security parameter of a cryptographic scheme. For a probability distribution X with support S, we denote x ← X to denote an independent sample from X . Let X (s) be shorthand for Pr[x = s | x ← X ] for s ∈ S. We denote the uniform distribution over a finite set, Y , as U(Y ). We will use the max-log metric on discrete probability distributions over the same support, Δml (X , Y) := maxz∈S | log(X (z))−log(Y(z))| [30,34] and we abbreviate two probability distributions being close under this metric as X ≈s Y (meaning they are statistically close).

606

N. Genise and B. Li

Linear Algebra. We view vectors as column vectors, and matrices as collections of column vectors B = [b1 , . . . , bk ] ∈ Rn×k . For any matrix A ∈ Rm×n , its singular values are the square roots of the first d := min(m, n) eigenvalues of its Gram matrix At A, listed in non-increasing order: s1 (A) ≥ s2 (A) ≥ · · · ≥ sd (A) ≥ 0. A symmetric matrix Σ ∈ Rn×n is positive-(semi)definite if for all non-zero x ∈ Rn , xt Σx > 0 (≥). We denote a matrix as being positive-(semi)definite as Σ 0 ( ), and denote Σ1 − Σ2 0 ( ) as Σ1 Σ2 ( ). This relation forms a partial ordering on the set of positive-(semi)definite matrices. We abbreviate scalar matrices, σIn , by their scalar σ and denote σ Σ for σIn − Σ 0. For . We call R a any two matrices R, S ∈ Rn×k , we denote R ≥ S if RRt SSt√ square-root of Σ if RRt = Σ. We denote square-roots of Σ as Σ. If R is a square-root of Σ, then so is RQ for any orthogonal Q (QQt = I).   A Bmatrix View Σ 0 through its block form, Σ = Bt D . The Schur complement of D is Σ/D := A − BD−1 Bt , and the Schur complement of A is Σ/A := D − Bt A−1 B. A symmetric matrix Σ is positive definite if and only if Σ/A and A are positive definite—or equivalently Σ/D and D. Further, Σ with D 0 is positive semidefinite if and only if Σ/D 0. 2.1

Lattices and Discrete Gaussians

A lattice is a discrete subgroup in euclidean space, Λ ⊂ Rn , and kcan be expressed as the set of all integer combinations of a basis Λ = BZk = { i=1 zi bi : zi ∈ Z} for B = [b1 , . . . , bk ] ∈ Rn×k . The rank of a lattice Λ = BZk is k and it is full-rank if k = n. Each lattice of rank k ≥ 2 has infinitely many bases: any B = BU for U ∈ Zk×k with det(U) = ±1 is a basis of the same lattice. A lattice coset is a set of the form Λ + a := {v + a : v ∈ Λ}. Further, we call a subspace V of Rn a Λ-subspace if Λ intersect V spans V , span(Λ ∩ V ) = V . 1 , . . . , b k ] where  = [b The Gram-Schmidt orthogonalization of a basis B is B bi := bi ⊥ span(b1 , · · · , bi−1 ). We define the minimum GSO length of a lattice ˜  i 2 , where the minimum is taken over all bases B of Λ. as bl(Λ) := minB maxi b The dual of a lattice is the set of vectors mapping the lattice to the integers via the inner product, Λ∗ = {x ∈ span(Λ) : x, v ∈ Z, ∀v ∈ Λ}. Let T be an invertible linear transformation. Then we have (TΛ)∗ = T−t Λ∗ . Discrete Gaussians. We define the Gaussian function centered at t ∈ Rn as 2 ρt (x) := e−πx−t , and the warped Gaussian as ρt,√Σ := e−π(x−t)

t

Σ −1 (x−t)

for some Σ 0. We denote the Gaussian function as ρt,s (·) whenever Σ is a scalar, Σ = s2 I. A discrete Gaussian distribution over a lattice Λ, or a lattice coset Λ + a, is the probability distribution proportional to ρ√Σ (x) for x ∈ Λ + a. We denote this distribution as DΛ+a,t,√Σ and x ← DΛ+a,t,√Σ to mean x is efficiently sampled from DΛ+a,t,√Σ . In practice, we often sample from a distribution statistically close to DΛ+a,t,√Σ .

Gadget-Based iNTRU Lattice Trapdoors

607

Fix > 0, then the smoothing parameter [29] of Λ is η (Λ) := min{s > 0 : ρ(sΛ∗ ) ≤ 1 + }. Informally, this is the smallest width of a discrete Gaussian over Λ which acts like a continuous Gaussian distribution. Notice that s ≥ η (Λ) if and only if 1 ≥ η ((1/s)Λ). We extend the definition to invertible matrices and say T = √ Σ ≥ η (Λ) if and only if 1 ≥ η (T−1 Λ). We will use the following two lemmas in our analysis. Lemma 1 ([20,29]). Let Λ ⊆ Λ be full-rank lattices in Rn , ∈ (0, 1), and s ≥ η (Λ ). Let X be the probability distribution given by sampling x ← DΛ,s and returning x mod Λ . Then, Δml (X, U(Λ/Λ )) ≤ log

2 1+ ≤ . 1− 1−

Lemma 2 ([20,Lemma 3.1]). For any rank-n lattice Λ and > 0, we have ˜ η (Λ) ≤ bl(Λ) · log(2n(1 + 1/ ))/π. The next lemma is helpful in analyzing smoothness criteria. Lemma 3. For any > 0 and invertible matrix S, T ∈ Rn×n , η (Λ) ≤ S if and only if η (TΛ) ≤ TS. Proof. η (Λ) ≤ S is equivalent to η (S−1 Λ) = η (S−1 (T−1 T)Λ) ≤ 1.



The following theorem (first proved in [12] for the integer lattice Zn ) regarding linear transformations and discrete Gaussians is most useful for this work. Theorem 1 ([18, Theorem 3.2]). For any matrix S, lattice coset A = Λ + a ⊂ span(S), and linear transformation T, if ker(T) is a Λ-subspace, and η (ker(T)∩ Λ) ≤ S, then Δml (T(DA,S ), DTA,TS ) ≤ log

2 1+ ≤ . 1− 1−

The following concentration bound is useful since we will be working with approximate trapdoors. Lemma 4 (Lemma 4.4, [29]). Let Λ be a lattice of rank n, c ∈ span(Λ), and s ≥ η (Λ). Then for x ← DΛ,c,s , √ 1 + −n Pr[ x − c ≥ s n] ≤ 2 . 1−

608

N. Genise and B. Li

2.2

Polynomial Rings

We use R to denote some underlying polynomial ring, R := Z[x]/f (x) where f (x) is a monic, irreducible polynomial. Further, we use Rq := R/(qR) to denote its coefficients modulo q. The letter n is reserved for the ring’s dimension, or f (x)’s degree. Common choices for R are cyclotomic rings and the NTRUPrime ring [5] Z[x]/(xp −x−1) for p prime. We emphasize that the online sampling phase of our trapdoors works for any polynomial ring, but its offline perturbation sampling phase is most efficient in cyclotomic rings. Here we discuss power of two cyclotomic rings since our implementation is done in these rings. Let n be a power of two and ζ2n ∈ C be a 2n-th primitive root of unity. The 2n-th rational cyclotomic field’s  ringi of integers fi ζ2n , define its is R := Z[ζ2n ] ∼ = Z[x]/(x2n + 1). Given an element in R, f = coefficient embedding as its vector of coefficients (f0 , . . . , fn−1 ). All norms will be the l2 (euclidean) norm in the coefficient embedding. Further, the coefficient embedding allows us to treat Rm as the lattice Znm . We will represent multiplication by a fixed ring element (say p ∈ R) as an “anticylic” matrix and call this ring embedding ϕ : R → Zn×n , ⎡ ⎤ p0 −pn−1 . . . −p1 ⎢ p1 p0 . . . −p2 ⎥ ⎢ ⎥ . ϕ(p) = ⎢ . .. . . .. ⎥ ⎣ .. . . ⎦ . pn−1 pn−2 . . . p0 Further, we apply ϕ entry-wise to vectors and matrices over the ring R. An important fact is that matrix transpose of a ring element’s matrix representation corresponds to the complex conjugation automorphism of a ring element, ϕ(f )t = ϕ(f ). This implies ϕ(f f ) 0 and ϕ(et e) 0 for any non-zero f ∈ R and e ∈ Rm since ζ2n is primitive. For a matrix with√independent √ discrete √ Gaus√ m×k , we have s1 (ϕ(R)) ≤ s nO( m + k + ω( log n)) sian entries over R ← DR,s with overwhelming probability in n, [14, Appendix A]. Further, the empirically √ observed constant is ≈ 1/ 2π [28, Sect. 2]. 2.3

G-Lattices

√ Fix a modulus q > 1, an integer base 2 ≤ b ≤ q. Let gt := [1, b, . . . , bk−1 ] ∈ Rqk with k = logb q. The matrix gt is commonly referred to the gadget matrix since the Ring-SIS (RSIS) problem is easily solved on gt [28]. The trapdoor schemes presented in Sect. 3 will sample a discrete Gaussian over the lattice coset t k t Λ⊥ u (g ) := {x ∈ R : g x = u ∈ Rq }.

We denote the process of sampling from the discrete Gaussian DΛ⊥ as t u (g ),σg x ← SampleG(u, σg ). Efficient algorithms for SampleG(·, ·) can be found in [17,28].

Gadget-Based iNTRU Lattice Trapdoors

609

Table 2. A summary of parameters used to define our trapdoors. The pair Σp ,s represents a discrete Gaussian convolution. For example, the perturbation has shape Σp and the output of the online sampling phase is statistically close to a spherical discrete Gaussian of width s. The same for the pair Σe ,serr . See Algorithms 2 and 4. Notations

Description

n

Polynomial ring dimension

η

Smoothing parameter

q

Modulus

b, k = logb q Base and number of entries of the gadget vector g

2.4

j

# components dropped in the approximate gadget f

m=k−j

The dimension of the approximate gadget f

σg

Gaussian width for G-lattice sampling, see Tables 3 and 4

Σp ,s

Covariance and parameter of the perturbation p, see Theorems 2 and 3

Σe ,serr

Covariance and parameter of the perturbation pe , see Theorem 2

σe

Gaussian width of the verification error, see Tables 3 and 4

α,β

Approximate RSIS bounds, see Table 4

RSIS and iNTRU

Here we discuss the hardness assumptions used throughout the paper. Our main result’s hardness relies on the RSIS problem [1,25,27,33] and the inhomogeneous NTRU (iNTRU) problem [16]. The RSIS problem with parameters q, m ∈ N, β ∈ R+ , denoted as RSISq,m,β , over a ring R is: given a random vector a ← U(Rqm ), find a short vector x = 0 with x ≤ β such that at x = 0 ∈ Rq . The HNF optimization of the RSIS problem is the RSIS where we are given (1, a ) ∈ Rqm , with a uniformly random in place of a. Let q be an integer modulus, χ be a distribution over R whose coefficient embedding is  q with all but negligible probability, and gt := [1, b, b2 , . . . , bk−1 ] ∈ Rqk be the gadget matrix (defined below). The iNTRUq,χ distribution is r−1 (gt + et ) where (r, e) ← χk+1 and the iNTRU assumption is that (r, e) → r−1 (gt + et ) is a PRG. There is a reduction [16, Proposition 4.3] from iNTRU to a strengthened version of the RLWE problem [26]. We call (a, R) an (α, β)-approximate trapdoor if a ∈ Rqm is (pseudo)random, and R is any matrix having the following property. Given u ∈ Rq as input, R allows one to efficiently find an x ∈ Rm such that x ≤ β and at x − u ≤ α. It is shown in [7, Lemma 5.2] that (α, β)-approximate trapdoors is related to the RSIS problem via near collisions.

3

iNTRU Trapdoors

Fix a finite dimensional polynomial ring R := Z[x]/f (x) of degree n and its quotient ring modulo q for some modulus q ∈ N, Rq := R/qR. Let Rq∗ denote the polynomials of Rq which have multiplicative inverses. Fix an integer base b ≥ 2, a gadget dimension k = logb q, and a gadget-approximate gadget pair

610

N. Genise and B. Li

gt := [1, b, b2 , . . . , bk−1 ] = [mt |f t ] for f t := [bj , . . . , bk−1 ], where j ≥ 0 is the dimension of m. Let m := k −j be the approximate gadget’s dimension. Further, let χ be a distribution over R such that χ  q with high probability. We list the parameters used to define our trapdoors in Table 2 for reference. In this section, we present two efficient, gadget-based (approximate) RSIS trapdoor constructions. Both are pseudorandom whose pseudorandomness relies on the iNTRU problem, introduced in [16]. The first is a parallel approximate trapdoor where the online sampling portion of inversion can be done, after some preprocessing which corresponds to perturbation generation, by: – one G-lattice sample, – one polynomial multiplication (in-parallel), – then one vector addition. In addition, the first trapdoor’s offline perturbation sampling is parallelized to sampling one non-spherical ring element. This is because the perturbation’s shape is diagonal over the ring, Σp = γIm for γ a polynomial with positivedefinite coefficient embedding. The second trapdoor is an even more direct iNTRU-analog to the MP12 RLWE trapdoor than the first. Its ability to vary verification error allows for a smaller modulus, q. This is because the verification error only depends on if it uses the approximate gadget f or the exact gadget g. Also, its secret signing key is m + 1 polynomials in R with small entries compared to MP12’s 2 m polynomials, and the offline perturbation sampling reduces to sampling two positive-definite ring elements (with parallelism). Lastly, this second trapdoor scheme is compatible with applications requiring tag matrices. These are the trapdoor schemes where at R = hgt for some h ∈ Rq∗ (R is the trapdoor). Both of the RSIS trapdoor schemes we present rely on Peikert’s perturbation technique [31]. This technique is used to statistically hide the trapdoor. We analyze both trapdoors using the approximate gadget f t in place of the gadget gt for flexibility in parameter choices and because the analysis is nearly the same. Importantly, the second trapdoor scheme becomes an approximate trapdoor when using f t in place of gt . Trapdoor Descriptions. Recall, [28, Definition 1] defines a g-trapdoor for at ∈ Rqm as any matrix R with small entries such that at R = gt ∈ Rqm . One can easily invert the function fa (·) on any u ∈ Rq when armed with a g-trapdoor: t 5 sample x ← SampleG(u, σg ), for σg ≥ η (Λ⊥ q (g )) , then return Rx. Notice that t a Rx = u ∈ Rq and Rx has small entries since R has small entries. However, this clearly leaks information about the trapdoor. So, [28] uses Peikert’s perturbation method [31] to hide the trapdoor. Now recall the iNTRU distribution: a := r−1 (gt + et ) ∈ Rqm where (r, e) ← m+1 has small norm and gt = [1, b, b2 , . . . , bk−1 ] is the gadget matrix. The χ polynomial r is almost a g-trapdoor for at since rat = gt + et ≈ gt . As a result, 5

t The smoothing parameter of η (Λ⊥ be lower-bounded by ≈ b · η (Znk ) q (g )) can  nk [28, Sect. 4]. And, η (Z ) is no more than log(2nk(1 + 1/))/π by Lemma 2.

Gadget-Based iNTRU Lattice Trapdoors

611

we can simply sample x ← SampleG(u, σg ) and return y := rx. Then, we have at y = gt x + et x ≈ gt x = u ∈ Rq . The relation above shows that we have two areas where we can leak information about the trapdoor, (r, e). The first is in the domain of fa (·) given by rx. The second is in the range of fa (·), given by the verification error u − at y = et x. This implies we need to use Peikert’s perturbation method twice: once in fa (·)’s domain and again in its range. All of the above goes through when we replace the gadget gt with the approximate gadget f t , similar to [7]. So, let at := r−1 (f t + et ) for this construction. Now, we have an algorithmic outline for approximate trapdoor inversion. Given a trapdoor (r, e) and a target, we perform the following: 1. Sample a perturbation for the domain p ← DRm ,√Σ p , where Σp := (s2 − σg2 rr)Im 0, and a perturbation for the range pe ← DR,√Σ e , where Σe := s2err − σg2 et e 06 . 2. Set the shifted coset and sample from the G-lattice: v := u − at p + pe and x ← SampleG(v, σg ). 3. Add the perturbation in the domain of fa (·): y := rx + p. Notice that the perturbations in the first step are statistically independent of the coset u ∈ Rq . Therefore, we can precompute them offline and store them, as is done in [28]. Further, we can store their hashes at p ∈ Rq . These perturbations can be computed in time O(n log n) using the algorithms of [15,17] and p can be computed in parallel since its Gaussian shape is a diagonal over R. Then, online inversion is just a few efficient, parallel operations: 1. Shifting the coset (v := u − at p + pe ); 2. G-lattice sampling (x ← SampleG(v, σg )); and 3. Polynomial multiplication and addition (y := rx + p). The detailed trapdoor generation in this construction is shown in Algorithm 1 and the preimage sampling is shown in Algorithm 2.  −1 Now we describe our second trapdoor scheme.  t  Let a := r (g + e), a := −e the trapdoor. Then, at R = gt (1, a ) be the function description and R := rI m and we can carry on as in [28]: To sample a preimage of u ∈ Rq , 6

Notice how these are the best Gaussian shapes, in terms of spectral width, that one can hope for. The Gaussian shape of rx is σg2 rrIm and the Gaussian shape of et x is σg2 et e.

612

N. Genise and B. Li

1. first sample a perturbation p ← DRm+1 ,√Σ p for Σp := s2 Im+1 − σg2 RRt , 2. set the shifted coset as v := u = at p and sample from the G-lattice x ← SampleG(v, σg ), 3. then return y := Rx + p ∈ Rm+1 . Note, here the online signing does not have a natural parallelization since Rx involves a polynomial multiplication by r and an inner product with −et . We can also turn this into an approximate trapdoor scheme by replacing gt with f t for smaller preimages and public keys at the cost of a verification error. This verification error is smaller than the verification error in the first, parallel trapdoor. The rest of this section is organized as follows. Subsect. 3.1 proves that the first iNTRU-based approximate RSIS trapdoor construction is secure in the random oracle model, which are summarized in Theorem 2. The associated algorithms are Algorithms 1 and 2. Subsect. 3.2 contains the algorithms for the gtrapdoors, Algorithms 3 and 4, as well as the theorem statement for its security in the random oracle model, Theorem 3. 3.1

Trapdoor 1: Approximate Trapdoor with Parallel Online Sampling

Our first trapdoor construction is specified in Algorithms 1 and 2. Here we state and prove that the approximate preimage samples are statistically close to a trapdoor-independent distribution in the random oracle model. Table 3. The parameters for the first approximate trapdoor construction from iNTRU. Let η := η (Rm ) = η (Znm ) be the smoothing parameter of the underlying √ integer lattice. Let s1 (χ) be the expected singular value of ϕ(χ). We assume σg := b2 + 1η. √ The RSIS − β bound is s nm and the verification error’s Gaussian width is σe . Preimage Gaussian Width, s Verify Gaussian Width, σe     (b2 + 1)s21 (χ) + 1 · η (b2j − 1) 1 + b22−1 + m(b2 + 1)s21 (χ) + 1 · η

Theorem 2. Sample r ← χ, et ← χm and set the trapdoor function description as at := r−1 (f t + et ) ∈ Rqm as in Algorithm 1. Let η := η (Znm ) = η (Rm ),  √ t b2 + 1 · η for some ∈ (0, 1), s ≥ σg2 rr + η 2 , and serr ≥ σg = η (Λ⊥ q (g )) ≥  σg2 et e + η 2 . Then, the following distributions are within a max-log distance of 1+ 6 ≤ 1− : The “real” distribution with an honestly sampled approximate 3 log 1− preimage in the random oracle model (as in Fig. 1)

{(a, y, u, e) : u ← U(Rq ), y ← SamplePre(a, u, sk, s, serr ), e = u − at y ∈ Rq }, and the “programmed,” trapdoor-independent approximate preimage, distribution

Gadget-Based iNTRU Lattice Trapdoors

613

Algorithm 1: Approx.TrapGen(1λ )

1 2 3

Input: The security parameter 1λ . Output: A function-approximate trapdoor pair. Sample r ← χ, e ← χm . Set a := r−1 (f + e) ∈ Rqm . return (vk, sk) := (a, (r, e)) ∈ Rqm × Rm+1 .

Algorithm 2: Approx.SamplePre(a, u, sk, s, serr )

1 2 3 4 5 6

Input: A coset u ∈ Rq , a trapdoor (r, e). Output: An approximate preimage of u. Sample (offline) perturbation p ← DRm ,√Σ p for Σp := s2 Im − σg2 rrIm . Sample (offline) perturbation pe ← DR,√Σ e for Σe := s2err − σg2 et e. Set coset v := u − at p + pe ∈ Rq . Sample the G-lattice x = (x1 , x2 ) ← SampleG(v, σg ) for x2 ∈ Rm . Set the approximate preimage y := rx2 + p ∈ Rm . return y.

Fig. 1. The trapdoor generation (Algorithm 1) and approximate preimage (Algorithm 2) sampling algorithms of our parallel trapdoor construction. The perturbations in Algorithm 2 are independent of the input image, u ∈ Rq , and can be precomputed and stored before, along with at p. These perturbations can be computed in time O(n log n) using [15] or [17, Sect. 4]. The rest of Algorithm 2 is the “online” sampling portion. This consists mostly of G-lattice sampling, which can be done in time O(log q) for each polynomial coefficient [17].

{(a, y, u, e) : y ← DRm ,s , e ← DR,σe mod q, u = at y + e ∈ Rq },  2j −1 . for σe := s2err + σg2 bb2 −1 The intuition of the above theorem is clear once we see the samples from the viewpoint of the adversary: {(a, y, u, e) : u ← U(Rq ), y ← SamplePre(a, u, sk, s, serr ), e = u − at y ∈ Rq }. Let y ← DRm ,s and e ← DR,serr (trapdoor-independent samples). The proof is given through five hybrids as expressed through the shifted coset v in Algorithm 2: u = v + at p − p e ≈s gt x + at p − pe = f t x2 + a t p − p e + m t x1 ⎛ ⎞   p I 0 rI m ⎝ p e ⎠ + m t x1 = [at , 1] mt 0 −1 −et x2 ≈s at y + mt x1 + e .

614

N. Genise and B. Li

Note how this equation allows us to analyze the perturbations in the function domain and the function range simultaneously. Let   I 0 rIm . L := mt 0 −1 −et Then, the proof comes down to showing ⎛ ⎞ p L ⎝ pe ⎠ ≈s DRm+1 ,√s2 I⊕s2 . err x2 This is done by analyzing linear transformations of discrete Gaussians, Theorem 17 . We summarize the parameters in Table 3. Now we give a formal proof of Theorem 2 Proof (Theorem 2). Our proof is done  via hybrids on the distribution of rIm t t (a, y, u, e). Notice that f = [a , 1] −et . Let gt = [mt |f t ]. Let p ∼ DRm ,√Σp for Σp := s2 I−σg2 rrI and pe ← DR,√Σe for Σe := s2err −σg2 et e, as in Algorithm 2. Hybrid 0. Let this distribution be honestly sampled preimage in the ROM. That is, u ← U(Rq ) and y ← SamplePre(a, u, sk, s, serr ). Or in SamplePre(a, u, sk, s, serr ), p ← DRm ,√Σp , pe ← DR,√Σe , v := u − at p + pe ∈ Rq , (x1 , x2 ) = x ← SampleG(v, σg ), set y := rx2 + p, and return (a, y, u, e).

Hybrid 1. Swap the order in which u and v are sampled. So, sample v ← U(Rq ), sample the perturbations as before, and set u = v + at p − pe ∈ Rq . Sample the preimage as before: x ← SampleG(v, σg ) and return y := rx2 + p. Hybrid 0 and Hybrid 1 have the same distribution on (a, y, u, e). Hybrid 2. Here we first sample over the G-lattice cosets x ← DRk ,σg and replace v with gt x ∈ Rq . Since σg ≥ η (Λ⊥ q (g)), Hybrids 1 and 2 are within a max-log 1+ by Lemma 1. Notice that distance of log 1− ⎞ p u = [at , 1]L ⎝ pe ⎠ + mt x1 x2 ⎛

in this hybrid.

7

We remark that the analogous proof in [20] amounts to s being above the smoothing parameter, s ≥ η (Λ⊥ q (A)), and Lemma 1. In our situation, we must carefully show the trapdoor is statistically hidden with the kernel lemma, Lemma 5.

Gadget-Based iNTRU Lattice Trapdoors

615

Hybrid 3. Here we sample the trapdoor-independent preimage. Sample v and x as before and sample (y, e ) ← DRm+1 ,√s2 I⊕s2 . Theorem 1 combined with err

Lemma 5 (below) tells us the max-log distance between ⎛ ⎞ p L ⎝ pe ⎠ and DRm+1 ,√s2 I⊕s2 err x2 1+ is at most log 1− . We set u := at y + e + mt x1 . Therefore, Hybrids 2 and 3 are 1+ within a max-log distance of log 1− .

Hybrid 4. Here we combine the error terms mt x1 and e using Theorem 1. Note that mt x1 + e can be expressed as [1|mt1 ]DRj+1 ,√s2 ⊕σ2 Ij (over the ring). Now, the kernel of [1|mt1 ] is spanned by (1, −1, 0) and

err

g

(0, b, −1, 0), (0, 0, b, −1, 0, . . . ), . . . , (0, b, −1) √ and its intersection with Rj+1 has smoothing parameter at most b2 + 1η by the GPV bound, Lemma 2. The kernel lattice is full-rank in the kernel of [1|mt1 ] and the discrete Gaussian is smooth over the kernel lattice Theorem 1.  Next, we prove the main statistical lemma used in the Theorem 2’s proof. Lemma 5. Let – Σp = s2 Im − σg2 rrIm , – Σe = s2err − σg2 et e,   0 rIm – L = I0mt −1 t , as in Theorem 2’s proof, −e

– Γ = {x ∈ R2m+1 : Lx = 0 ∈ Rm+1 }, – and σg > η (Znm ), for some ∈ (0, 1).  Then, Σp ⊕ Σe ⊕ σg2 I ≥ η (Γ ) if

s2 I σg2 rr + η2 (Znm )I and s2err I σg2 et e + η2 (Znm )I. Proof. We write ring elements, and vectors and matrices over the ring, without the coefficient embedding, ϕ(·), throughout the proof with the understanding that we are using ϕ’s euclidean geometry. This significantly improves the proof’s readability. Consider that a basis for Γ is ⎤ ⎡ −rIm B = ⎣ −et ⎦ ∈ R(2m+1)×m . Im

616

N. Genise and B. Li

One can see this via Γ ’s definition, Γ = {x = (x1 , x2 , x3 ) ∈ R2m+1 : x1 + rx3 = 0 ∈ Rm , x2 + et x3 = 0 ∈ R}. Next, we use Lemma 3. Let     Im+1 Q rIm T := where Q := . et 0 Im Notice that

 TB =

 0 ∈ R(2m+1)×m . Im

In other words, T · Γ = {0} ⊕ Rm .

Lemma 3 tells us

  Σp ⊕ Σe ⊕ σg2 I ≥ η (Γ ) if and only if T Σp ⊕ Σe ⊕ σg2 I ≥

η (TΓ ) = η (Rm ). Let Σ := Σp ⊕ Σe ⊕ σg2 I. Then a (tedious) computation tells us   A σg2 Q  t Σ := TΣT = 2 t 2 σ g Q σ g Im where

 s2 Im σg2 re . σg2 ret s2err

 A=

Let η := ηε (Rm ) = ηε (Znm ). Now we use Schur complements in order to show Σ  := Σ  − η 2 I 0. Let D := (σg2 − η 2 )I and recall D 0 by assumption.  B with D 0 is positive-semidefinite if Recall, a symmetric matrix Σ  = BAt D and only if Σ  /D 0. Notice that   2 (s − η 2 − σg2 rr)I 0 . Σ  /D = 0 s2err − η 2 − σg2 et e Therefore, Σ  /D is positive semidefinite assuming s2err σg2 et e + η 2 , and s2 I (σg2 rr + η 2 )I.  3.2

Trapdoor 2: f -Trapdoor

Our second trapdoor construction is an iNTRU-analog of trapdoor. Let   MP12’s t −1 t t −et a = [1, r (f + e )] be the SIS matrix and let R = rIm be the trapdoor. Then, we have the trapdoor relation at R = f t . Now we can proceed as in [7,28] when given an RSIS image u ∈ Rq :

Gadget-Based iNTRU Lattice Trapdoors

617

– Sample a perturbation p independent of the image u. This can be done offline. – Sample the input coset shifted by the perturbation’s SIS image, as in x ← SampleG(v, σg ) for v = u − at p. We drop the necessary entries of x to match f ’s dimension. – Convolve the samples by returning y := Rx + p. The algorithms are given in Algorithms 3 and 4. Further, we list the parameters in Table 4. If R is a cyclotomic rings, we can efficiently sample the perturbation by using the structured samplers of [15,17]. A detailed example is given in Sect. 4. Similar to the previous trapdoor, this trapdoor has efficient online sampling over any ring with efficient polynomial multiplication. Algorithm 3: f .TrapGen(1λ )

1 2 3

Input: The security parameter 1λ . Output: A function-approximate trapdoor pair. Sample r ← χ, e ← χm . Set a := r−1 (f + e) ∈ Rqm and a := (1, a ) ∈ Rqm+1 . return (vk, T ) := (a, (r, e)) ∈ Rqm × Rm+1 .

Algorithm 4: f .SamplePre(a, u, sk, s)

1 2 3 4 5 6

Input: A coset u ∈ Rq , and a trapdoor (r, e). Output: An approximate preimage of u.  t  e e −ret . Sample perturbation p ← DRm+1 ,√Σ p for Σp := s2 Im+1 − σg2 −re rrIm Set coset v := u − at p ∈ Rq . Sample the G-lattice x = (x1 , x2 ) ← SampleG(v, σg ).  t −e . Define the f -trapdoor as R := rI m Set the approximate preimage y := Rx2 + p ∈ Rm . return y.

Fig. 2. The trapdoor generation and approximate preimage sampling algorithms of our second f -trapdoor construction. The perturbations in Algorithm 4 are independent of the input image u, and can be precomputed and stored before, along with at p. The covariance Σp can be decomposed using the Schur decomposition, and the perturbation p can be computed in parallel time O(n log n) in cyclotomic rings as in [17, Sect. 4]. The rest of Algorithm 4 is the “online” sampling phase, which consists mostly of G-lattice sampling that can be done in time O(log q) for each polynomial coefficient [17].

The following theorem’s statement and proof are nearly identical to [7]’s modification to [28]. The intuition is the same as Theorem 2. We include a detailed proof in the full version of this paper. Theorem 3. Sample r ← χ, et ← χm and set the trapdoor function description as a = (1, a ) := (1, r−1 (f + e)) ∈ Rqm+1 as in Algorithm 3. Let η := √ t η (Znm ) and σg = η (Λ⊥ b2 + 1 · η for some ∈ (0, 1), and let q (g )) ≥

618

N. Genise and B. Li

Table 4. The parameters for the second f -trapdoor construction from iNTRU. Let η := η (Rm ) = η (Znm ) be the smoothing parameter of the underlying√integer lattice. Let s1 (χ) be the expected singular value of ϕ(χ). We assume σg := b2 + 1η. Also, √ √ the RSIS − β bound is s nm and the verification width α is σe n. We remark that the verification width matches [7] and s matches [28]. Preimage Gaussian Width, s Verify Gaussian Width, σe     2 2 m(b + 1)s1 (χ) + 1 · η (b2j − 1) 1 + b22−1 · η

s



σg2 RRt + η 2 Im+1 . Then, the following distributions are within a max-

1+ 6 ≤ 1− : The “real” distribution with an honestly sampled log distance 3 log 1− approximate preimage in the random oracle model (as in Fig. 2)

{(a, y, u, e) : u ← U(Rq ), y ← SamplePre(a, u, sk, s), e = u − at y ∈ Rq }, and the “programmed,” trapdoor-independent approximate preimage, distribution {(a, y, u, e) : y ← DRm ,s , e ← DR,σe mod q, u = at y + e ∈ Rq },  2j −1 for σe := σg bb2 −1 .

4

Implementation and Experiment

We implemented both our trapdoor schemes using the PALISADE library. In our proof-of-concept implementations8 , we use power-of-2 cyclotomic rings, and we set the size of modulus to be no more than 30 bits. These parameters allow us to take advantage of the fast ring operations available in PALISADE and use native integer arithmetic. We conducted some experiments on an Intel i7-4790 CPU with 8 cores to compare the performance of the hash-and-sign signature schemes using our trapdoors versus the RLWE based approximate trapdoor in [7]. We now describe some implementation details and discuss the experiment results. 4.1

Perturbation Generation

The offline part of our preimage sampling algorithms require some perturbation vectors being sampled from discrete Gaussian distributions with certain covariances. Efficient sampling algorithms for power-of-2 cyclotomic rings have been proposed in [11,17], and they are implemented in PALISADE. Among them, we are particularly interested in the algorithm SampleFz, which on input a ring element f samples a perturbation pˆ ← DZn ,c,√φ(f ) . 8

Source code can be downloaded at https://www.dropbox.com/s/uz3g3atpqu7u87n/ intrusign.zip?dl=0.

Gadget-Based iNTRU Lattice Trapdoors

619

In Algorithm 2, since Σp and Σe are both diagonal matrices, we can directly call SampleFz on their diagonal entries to sample p and pe . More specifically, we make m parallel and independent calls to SampleFz on the diagonal entries s2 − σg2 rr to sample p. Similarly, we compute s2err − σg2 et e and call SampleFz to sample pe . In Algorithm 4, we compute the Schur complement decomposition of the covariance matrix Σp as       A B I BD−1 Σ/D 0 I 0 Σp = = , Bt D 0 I 0 D D−1 Bt I where A = s2 −σg2 et e, B = σg2 ret , D = (s2 −σg2 rr)Im , and Σ/D = A−BD−1 Bt . Using the convolution theorem in [17, Lemma 4.1], we generate the perturbation p = (p1 , p2 ) in the following steps: 1. Sample p2 ← DZnm ,√D . Since D is diagonal, we simply call SampleFz m times in parallel to sample each entry of q. 2. Compute c = BD−1 q. 3. Sample p1 ← DZm ,c,√A−BD−1 Bt . 4.2

Concrete Parameters

We estimated concrete security by estimating how long it would take the BKZ algorithm to break the scheme. Recall, BKZ [36] is a family of basis reduction algorithms which reduces to an SVP oracle of dimension k < r, where r is the input lattice’s rank. The BKZ algorithm with block size k is expected to return a basis with shortest vector length δkr det(Λ)1/r where δk is the root Hermite factor. The root Hermite factor is, asymptotically, the following function of the block size [8] 1   2(k−1) k 1/k (πk) δk ≈ . 2πe We used the core SVP hardness model [3] for BKZ. Here, we assume BKZ only needs one SVP oracle call. Further, we use [4] for the best known heuristic SVP time complexities: 2.292k(1+o(1)) classically and 2.265k(1+o(1)) for a quantum computer [24]. Given the above, we found the smallest block size k which would break the underlying RSISq,m+1,2(α+β) . We remark that this is a crude concrete security estimate, but we choose this method for its simplicity. This is not a state-of-theart concrete security estimate. We selected several sets of concrete parameters, which are summarized in Table 5 along with the estimated bit security levels. 4.3

Performance Comparisons with Other Schemes

Our first two sets of parameters fall into the regime of Falcon, with n = 512, q = 12289 and log q = 20. and σ = q 1/4 = 10 and 32. For such parameters, the

620

N. Genise and B. Li

Table 5. Summary of the concrete bit security estimations for the parameters mentioned in Sect. 4.2, where κ = 0.292 k is the classical bit security estimation using the method mentioned in Sect. 4.2, and κ is the classical bit security estimation using the overstretc.hed attack of [23]. Params Exact

Exact Exact

Approx Exact

Approx Exact

Approx Exact

n log2 q b j σ s nm κ κ

512 20 4 0 32 7229.5 3072 103 299

1024 20 4 3 32 10224.1 7168 243 397

1024 27 4 3 107 34186.7 10240 278 220

1024 30 8 4 181 113080 6144 251 179

512 13 4 0 10 2259.23 3072 42 299

1024 20 4 0 32 10224.1 10240 243 397

1024 27 4 0 107 34186.7 13312 278 220

1024 30 8 0 181 113080 10240 251 179

8192 30 32 0 181 1.27009e+06 49152 2192 2819

verification error width β exceeds q/2, so the signing error for our first trapdoor becomes big enough such that verification would not be able to distinguish correct and incorrect plaintexts. However, our second trapdoor works just fine. The next several sets of parameters have n = 1024 and various sizes of modulus q and gadget base b. When log q ≥ 27, the signing error in our first trapdoor becomes sufficiently small to allow valid verification. Notice that for these parameters, the modulus q falls into the range of the overstretched attack, and we set σ = q 1/4 as suggested in [2]. Our last parameter chooses a large ring dimension n = 8192 but with relatively small modulus log q = 30. We observed that our preimage sampling algorithms still run very fast with such parameters. In contrast, when Falcon is instantiated using large rings, the online stage may become slow due to the complicated ring decomposition operations. Experiments and Performance Results. For each set of parameter, we ran our signature schemes 100 times each, and we recorded the offline and online signing times. To compare with [7], we modified PALISADE’s implementation of [28] by adding the approximate trapdoor capability. The RLWE based schemes do not require large σ, so we ran it using the same parameters except with σ = 8, and we measure the offline and online signing times in the same way. These experiment results show that both the offline sampling times of our signature schemes are very close to the RLWE based signature schemes in [7], with about 5% to 20% slowdowns, while the online signing times are the same or shorter in a few cases. We also measured the sizes of the signing and the verification keys in these schemes, and as expected, the results show that our signing keys are almost half in size comparing to [7], and our verification keys are slightly smaller. The detailed performance numbers are shown in Table 1. In the offline stage, the slowdowns are mainly due to more complicated covariance matrices for the perturbation vectors, as our trapdoors require non-spherical discrete Gaussian sampling over integers for all m+1 perturbation ring elements,

Gadget-Based iNTRU Lattice Trapdoors

621

where as in [28] only two perturbation ring elements are non-spherical. However, with the help of parallel computation, the slowdowns are not significant. Moreover, with the help of parallel computation, signing using our second f -trapdoor of Algorithm 4 takes only about 10% more time comparing with our first, noisy trapdoor of Algorithm 2. The extra time is mainly spent on computing the center and covariance for the first part p1 of the perturbation. For the online stage, our signing algorithms take the same number of operations comparing to [7], but because we can take advantage of parallel computation, our schemes run slightly faster.

References 1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108. ACM (1996) 2. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-5301846 3. Alkim, E., Ducas, L., P¨ oppelmann, T., Schwabe, P.: Post-quantum key exchange a new hope. In: USENIX Security Symposium, pp. 327–343. USENIX Association (2016) 4. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: SODA, pp. 10–24. SIAM (2016) 5. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/ 978-3-319-72565-9 12 6. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10. 1007/978-3-642-55220-5 30 7. Chen, Y., Genise, N., Mukherjee, P.: Approximate trapdoors for lattices and smaller hash-and-sign signatures. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 3–32. Springer, Cham (2019). https://doi. org/10.1007/978-3-030-34618-8 1 8. Chen, Y.: R´eduction de r´eseau et s´ecurit´e concr´ete du chiffrement compl´etement homomorphe. PhD thesis, Paris 7 (2013) 9. Cheon, J.H., Kim, D., Kim, T., Son, Y.: A new trapdoor over module-NTRU lattice and its application to id-based encryption. IACR Cryptology ePrint Archive, 1468 (2019) 10. Chuengsatiansup, C., Prest, T., Stehl´e, D., Wallet, A., Xagawa, K.: Modfalcon: compact signatures based on module NTRU lattices. IACR Cryptol. ePrint Arch. 2019, 1456 (2019) 11. Cousins, D.B.: Implementing conjunction obfuscation under entropic ring LWE. In: Proceedings of 2018 IEEE Symposium on Security and Privacy, SP 2018, 21–23 May 2018, San Francisco, California, USA, pp. 354–371 (2018)

622

N. Genise and B. Li

12. Ducas, L., Galbraith, S., Prest, T., Yu, Y.: Integral matrix gram root and lattice gaussian sampling without floats. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 608–637. Springer, Cham (2020). https://doi.org/10. 1007/978-3-030-45724-2 21 13. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-66245608-8 2 14. Ducas, L., Micciancio, D.: Improved short lattice signatures in the standard model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 335–352. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2 19 15. Ducas, L., Prest, T.: Fast fourier orthogonalization. In: ISSAC, pp. 191–198. ACM (2016) 16. Genise, N., Gentry, C., Halevi, S., Li, B., Micciancio, D.: Homomorphic encryption for finite automata. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 473–502. Springer, Cham (2019). https://doi.org/10.1007/ 978-3-030-34621-8 17 17. Genise, N., Micciancio, D.: Faster gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3319-78381-9 7 18. Genise, N., Micciancio, D., Peikert, C., Walter, M.: Improved discrete Gaussian and sub Gaussian analysis for lattice cryptography. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 623–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9 21 19. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169– 178. ACM (2009) 20. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206. ACM (2008) 21. Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: STOC, pp. 469–477. ACM (2015) 22. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868 23. Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-31956620-7 1 24. Laarhoven, T.: Search Problems in Cryptography. PhD thesis, Eindhoven University of Technology (2015) 25. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/ 10.1007/11787006 13 26. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 1 27. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient oneway functions from worst-case complexity assumptions. In: FOCS, pp. 356–365. IEEE Computer Society (2002)

Gadget-Based iNTRU Lattice Trapdoors

623

28. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-290114 41 29. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007) 30. Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 455–485. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-637150 16 31. Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7 5 32. Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016) 33. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878 8 34. Prest, T.: Sharper bounds in lattice-based cryptography using the R´enyi divergence. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 347–374. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8 13 35. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005) 36. Schnorr, C.P., Euchner, M.: Improved practical algorithms and solving subset sum problems: lattice basis reduction. Math. Program. 66, 181–199 (1994)

Lattice-Based IBE with Equality Test Supporting Flexible Authorization in the Standard Model Giang Linh Duc Nguyen3(B) , Willy Susilo1(B) , Dung Hoang Duong1(B) , Huy Quoc Le1,2(B) , and Fuchun Guo1(B) 1

Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Northfields Avenue, 2522 Wollongong NSW, Australia {wsusilo,hduong,fuchun}@uow.edu.au, [email protected] 2 CSIRO Data61, Sydney, NSW, Australia 3 Futurify Software Development, 17 Street No. 2, Ward 4, District 3, Ho Chi Minh City, Vietnam [email protected] Abstract. Identity-based encryption with equality test supporting flexible authorization (IBEET-FA) allows the equality test of underlying messages of two ciphertexts while strengthens privacy protection by allowing users (identities) to control the comparison of their ciphertexts with others. IBEET by itself has a wide range of useful applicable domain such as keyword search on encrypted data, database partitioning for efficient encrypted data management, personal health record systems, and spam filtering in encrypted email systems. The flexible authorization will enhance privacy protection of IBEET. In this paper, we propose an efficient construction of IBEET-FA system based on the hardness of learning with error (LWE) problem. Our security proof holds in the standard model. Keywords: Identity-based encryption · Equality test · Flexible authorization · Lattice-based cryptography · Learning with errors

1

Introduction

The concept of identity-based encryption with equality test supporting flexible authorization (IBEET-FA) is the combination of public key encryption with equality test supporting flexible authorization (PKEET-FA) and identity-based encryption (IBE). IBE is a public key encryption mechanism where a public key can be an arbitrary string such as email address or phone number. The administrator who has knowledge of master secret key then can generate the corresponding private key by using Private-Key Generator (PKG). IBE by itself can simplify the certificate management of public key encryption. Identity-based encryption scheme with equality test (IBEET) was first introduced by Ma [12]. It supports the equality test of underlying message of two ciphertext with the help of trapdoors. Hence IBEET has found a wide range of applications especially in smart city applications [18], in cloud computing such as partition of encrypted c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 624–643, 2020. https://doi.org/10.1007/978-3-030-65277-7_28

Lattice-Based IBEET-FA in the Standard Model

625

emails [20], malware detection and verifiability of encrypted data [21], and in wireless body area networks [22]. The flexible authorization (FA) notion was first introduced by Ma et al. [13]. It enhances the privacy protection of data owners by allowing the users (identities) more choices in controlling of what they want to compare, either between identities’ ciphertexts, between two ciphertexts or between a specific ciphertext and other identity’s ciphertexts. One particular application scenario of using IBEET in smart city is in smart healthcare. Assume that, each family in the smart city has a smart device for monitoring their daily health, such as sleeping time, heart beat rate, how many steps a person walk a day, and so on. Their data is encrypted and stored in the cloud sever managed by the government and the encrypted data can be accessed by the healthcare department from the government. It is a common request that the healthcare officers need to get some residents’ health information in order to monitor the community’s health. The officers then can perform equality test for specific keywords on encrypted data stored in the cloud server. For this scenario, we can see that Type-1 is needed since this type of authorization allows the officers to do equality test on all ciphertexts from the users in the community. Let consider the case in which some third party, such as a medicine company, can harm the privacy if the system (comprising of smart healthcare devices) is only equipped with the Type-1 authorization. Suppose that, the medicine company wishes to know the body mass index (BMI) of people in the community for their new kind of weight loss pill. Obviously, the advertising company can encrypt a specific keyword relating to the BMI (e.g., the key word could be “obese”) using any or all public key(s) of users in the community. Therefore, if the advertising companies are given the Type-1 method, the company can perform equality test on all available ciphertexts in the database, which is not good for the residents’ privacy. However, it is a standard privacy policy by law that users can opt-in or opt-out for using of their data. Then, in this case, the users can choose the Type-2 and/or Type-3 authorization which definitely help to enhance the privacy protection. Note that in the identity-based encryption (IBE), we have a reduction from the IND security to the OW security (see [23, Table 1]). However, note that in the case of IBEET (hence, IBEET-FA), we do not always have the reduction. The reason for this is that, an OW adversary is able to get the trapdoor according to the target user, while an IND adversary is not allowed to get the target user’s trapdoor. Then both IND and OW should be simultaneously required for the IBEET-FA. Moreover, choosing CPA or CCA, CCA2 security depends on the real-life applications to which the IBEET-FA is applied. Recall that, the CPA security ensures that, even if the attacker can get ciphertexts for arbitrary plaintexts that it wants, the attacker’s advantage in revealing all or part of the secret encryption key is negligible. While the CCA and CCA2 securities guarantee that, even if the attackers can obtain the ciphertexts and the corresponding plaintexts, their advantage in attacks is still negligible. For IBEET and IBEET-FA, it is folkore to consider the security model which involves INDID-CPA (indistinguishability under chosen-identity and under chosen-plaintext

626

G. L. D. Nguyen et al.

attacks) and OW-ID-CPA (one-wayness under chosen-identity and under chosenplaintext attacks) into account. Related Works. There have been a lot of works involving with PKEET and IBEET such as Lee et al. [9], Wu et al. [18] and Duong et al. [7] just to name a few. Lee et al. [9] inherited knowledge from the existing proposals proven secure under the hardness of number theoretic assumptions and in the random oracle (ROM). The authors introduced a generic construction for PKEET (and also for IBEET) which is secure in the standard model (SDM) being able to be instantiated in the lattice setting. Their constructions based on two-level hierarchical identity-based, a strong unforgeable one time signature and a cryptographic hash function. Wu et al. [18] proposed an efficient IBEET scheme secure in the random oracle model (ROM) replying on the Computational Diffie-Hellman (CDH) assumption. Duong et al. [7] has introduced an efficient direct construction of an IBEET based on lattices which is secure in the standard model (SDM). Their method exploits the adaptive identity-based encryption (Full-IBE) scheme which is a post-quantum instantiation based on lattices proposed by [1]. Regarding the encryptions that support equality test with FA, there have been a few of works in the literature, e.g., Ma et al. [13], Duong et al. [8]. As the first PKEET-FA, Ma et al. [13] enhanced the original PKEET scheme which lacks of a solution for users to control the comparison of their ciphertexts with others’ by adding authorization mechanism. The authors also introduced new definitions, security policies, and a PKEET construction supporting four type of authorization proven under the CDH assumption and in the ROM. Recently, Duong et al. [8] have studied Ma et al. works and proposed the first quantum-safe PKEET supporting flexible authorization which are secure in the SDM based on the integer lattice and ideal lattice hard problems. Table 1. A summary of some PKEET and IBEET with/without flexible authorization. Here DBDH stands for the decisional Billinear Diffie-Hellman assumption. Literature

PKEET/IBEET

Hard assumption

Security model with FA?

Ma et al. [13]

PKEET

CDH

ROM

Lee et al. [9]

PKEET & IBEET CDH+DBDH or LWE SDM

×

Wu et al. [18]

IBEET

CDH

ROM

×

Duong et al. [7] IBEET

LWE

SDM

×

Duong et al. [8] PKEET

LWE

SDM



This work

LWE

SDM



IBEET



We summarize some related works in Table 1 below. According to the best of our knowledge, there have not been any post-quantum secure IBEET that supports a flexible authorization mechanism. Therefore, it is necessary to construct an identity-based encryption with equality test supporting flexible authorization in the standard model and secure in quantum era.

Lattice-Based IBEET-FA in the Standard Model

627

Our Contribution. We propose the first concrete construction of an IBEETFA scheme secure in the standard model based on the hardness assumption of lattices. In particular, our IBEET-FA construction offers the IND-ID-CPA and OW-ID-CPA security. However, we emphasize that our scheme can achieve CCA2 using the BCHK’s transformation [4] with the cost of increasing ciphertext size.

Table 2. Comparison of our IBEET-FA with other IBEET constructions. Data sizes are in number of field elements. Here t is the length of messages,  is the length of identity. Scheme

Ciphertext

Public key

Master SK Secret key

Our proposed IBEET-FA m2 + 2t + 6m + λ ( + 3)mn + nt 2m2

4m2

IBEET of Duong et al. [7] 2t + 4m

( + 3)mn + nt 2m2

4mt

IBEET of Lee et al. [9]

( + 3)mn + nt 2m2

2mt

8m + 2t + 2mt

Technical Overview. Our idea is from the works of Duong et al. [7,8]. Recall that, the PKEET-FA of Duong et al. [8] exploits the full-IBE construction by Agrawal et al. [1]. In particular: – Each user has their own pair of (PK, SK). – In Encrypt method, they choose a vector tag b = (b1 , · · · , b ) ∈ {−1, 1} and  then compute F1 := (A|B + i=1 bi Ai ). That means each user can produce many ciphertexts, each of which contains one different vector tag b. – The vector tag b is then combined with the trapdoor (which is the second part of the secret key SK) for flexible authorization methods. Although our IBEET-FA work is inspired from [8] and [1], we face the following obstacles: – The whole system only has one pair of (MPK, MSK). – Each user has their own ID = (id1 , · · · , id ) ∈ {−1, 1} , which is used to com pute the matrix FID = (A|B + i=1 idi Ai ) in Extract algorithm to produce their secret key from MSK. Each user can produce multiple ciphertexts. However, those all ciphertexts contain the same ID of the user. That’s why the ID cannot be used as the role of vector tag b. – We need a new tag (which can be a random vector or matrix) to play the role of the vector tag b. This tag will be appended to FID and be stored in ciphertext for flexible authorization later. Therefore, in order to support FA with many different types, we need to provide additional tag which is random and specified for each ciphertext. Namely, we sample uniformly at random a matrix R (called matrix tag) and build the matrix  F = (A|B + i=1 idi Ai |AR) which will be used during the encryption algorithm. By using the matrix AR like this, we can also construct a reduction from the

628

G. L. D. Nguyen et al.

learning with errors (LWE) problem to the IND-ID-CPA (and OW-ID-CPA) security of the proposed IBEET-FA. If we replace AR by some random matrix, the reduction will not work. In summary, we use the matrix AR for two purposes: – P1: To combine with trapdoor for different Type-α flexible authorisation. – P2: For the reduction from LWE to the IND-ID-CPA and to OW-ID-CPA security to work. The ciphertext in our scheme has this form CT = (R, c1 , c2 , c3 , c4 , c5 ), where R is the matrix tag to support flexible authorization, (c1 , c3 ) is the encryption of message m and (c2 , c4 ) is the encryption of hash value H(m). Both R and (c2 , c4 ) are used to support flexible authorization. Here c5 = H  (c1 ||c2 ||c3 ||c4 ) is used to strengthen the FA procedures by checking the consistence of ciphertexts before executing equality test. We present in Table 2 a comparison of our IBEET-FA with the lattice-based IBEETs of Lee et al. [9] and Duong et al. [7]. The Weakness of the Existing Security Model for IBEET and IBEETFA. We remark that the component c5 in the ciphertext of our IBEET-FA scheme is only used to check the consistence of ciphertexts before executing equality test. Without c5 (i.e., assume that CT = (R, c1 , c2 , c3 , c4 )), our scheme still enjoys the IND-ID-CPA and OW-ID-CPA security. However, for real-life applications, our construction with CT = (R, c1 , c2 , c3 , c4 ) may suffer from the following attack. Suppose that we use equality test on encrypted data for a research of counting the number of the obese people, each ciphertext corresponds to each person. Then, if an adversary can create malformed ciphertexts from some original ciphertext by keeping (R, c2 , c4 ) but replacing the pair of (c1 , c3 ), then the database would be changed in the number of ciphertexts having the same underlying message, which results in the wrong output of the research. Obviously, this also means that the existing security model for IBEET and IBEET-FA is not strong enough in some manners.

2 2.1

Preliminaries Identity-Based Encryption with Equality Test Supporting Flexible Authorization (IBEET-FA)

In this section, we will recall the model of IBEET-FA and its security model. Definition 1. An IBEET-FA scheme consists of the following polynomial-time algorithms: – Setup(λ): On input a security parameter λ, it outputs a public parameter PP and a master secret key MSK. – Extract(PP, MSK, ID): On input PP, MSK and an identity ID, it outputs an identity ID’s secret key SKID .

Lattice-Based IBEET-FA in the Standard Model

629

– Enc(PP, ID, m): On input PP, an identity ID and a message m, it outputs a ciphertext CT. – Dec(PP, SKID , CT): On input PP, an identity ID’s secret key SKID and a ciphertext CT, it outputs a message m or ⊥. Note that PP contain the information of the message space M. It is used in other algorithms implicitly. Suppose that an identity IDi has secret key SKi , whose ciphertext is CTi , and an identity IDj has secret key SKj , whose ciphertext is CTj respectively. The Type-α (α = 1, 2, 3) authorization for IDi and IDj consist of two algorithms: • Tdα (α = 1, 2, 3): an algorithm to generate trapdoors for IDi ’s ciphertexts that are required to be compared with IDj ’s ciphertexts. • Testα (α = 1, 2, 3): an algorithm to check and compare whether two identities’ ciphertexts contain the same underlying message or not. Type-1 Authorization: • Td1 (SKID ): On input the secret key SKID of the identity ID, it outputs a trapdoor td1,ID for that identity. • Test1 (td1,IDi , td1,IDj , CTIDi , CTIDj ): On input trapdoors td1,IDi , td1,IDj and ciphertexts CTIDi , CTIDj for identities IDi , IDj respectively, it outputs 1 or 0. Type-2 Authorization: • Td2 (SKID , CTID ): On input the secret key SKID and ciphertext CTID of the identity ID, it outputs a trapdoor td2,ID for CTID of that identity. • Test2 (td2,IDi , td2,IDj , CTIDi , CTIDj ): On input trapdoors td2,IDi , td2,IDj and ciphertexts CTIDi , CTIDj for identities IDi , IDj respectively, it outputs 1 or 0. Type-3 Authorization: • Td3 (SKID ): On input the secret key SKID of the identity ID, it outputs a trapdoor td3,ID for identity ID. • Td3 (SKID , CTID ): On input the secret key SKID and ciphertext CTID of the identity ID, it outputs a trapdoor td3,ID for CTID of identity ID. • Test3 (td3,IDi , td3,IDj , CTIDi , CTIDj ): On input trapdoors td3,IDi , td3,IDj and ciphertexts CTIDi , CTIDj for identities IDi , IDj respectively, it outputs 1 or 0. Correctness. We say that an IBEET-FA scheme is correct if the following conditions hold: (1) For any security parameter λ, any identity ID and any message m:     SK ← Extract(PP, MSK, ID)  ID = 1. Pr Dec(PP, SKID , CTID ) = m   CTID ← Enc(PP, ID, m)

630

G. L. D. Nguyen et al.

(2) For any security parameter λ, any identities IDi , IDj and any messages mi , mj , it holds that:  ⎡ ⎤  SKIDi ← Extract(PP, MSK, IDi ) ⎛ ⎞  td α,IDi  CTIDi ← Enc(PP, IDi , mi ) ⎢ ⎥  ⎢ ⎥ ⎜ td ⎟  ⎢ ⎥ tdα,IDi ← Tdα () ⎜ α,IDj ⎟  ⎢ ⎥ = 1. Pr ⎢Test ⎜ ⎟ = 1 ⎥ ⎝ CTIDi ⎠  SKIDj ← Extract(PP, MSK, IDj ) ⎥ ⎢  CTIDj ← Enc(PP, IDj , mj ) ⎣ ⎦  CTIDj  tdα,IDj ← Tdα () if mi = mj , regardless i and j value, where α = 1, 2, 3. (3) For any security parameter λ, any identities IDi , IDj and any messages mi , mj , it holds that:  ⎡ ⎤  SKIDi ← Extract(PP, MSK, IDi ) ⎛ ⎞  td α,IDi  CTIDi ← Enc(PP, IDi , mi ) ⎢ ⎥  ⎢ ⎥ ⎜ td ⎟  ⎢ ⎥ tdα,IDi ← Tdα () ⎜ α,IDj ⎟  ⎢ ⎥ = negligible(λ) Pr ⎢Test ⎜ ⎟ = 1 ⎥ ⎝ CTIDi ⎠  SKIDj ← Extract(PP, MSK, IDj ) ⎥ ⎢  CTIDj ← Enc(PP, IDj , mj ) ⎣ ⎦  CTIDj  tdα,IDj ← Tdα () if for any ciphertexts CTIDi , CTIDj and Dec(PP, SKIDi , CTIDi ) Dec(PP, SKIDj , CTIDj ), regardless of whether i = j, where α = 1, 2, 3.

=

Security Model of IBEET-FA. For the IBEET-FA security model, we consider two types of adversaries: • Type-I adversary: the adversaries can perform authorization (equality) tests on the challenge ciphertext by requesting to obtain a trapdoor for authorization of the target identity. Their goal is to reveal the plain text message in the challenge ciphertext. • Type-II adversary: the adversaries cannot perform authorization (equality) tests on the challenge ciphertext since they cannot obtain a trapdoor for authorization of the target identity. Their goal is to distinguish which message is in the challenge ciphertext between two candidates. Note that the Type-3 authorization is actually a combination of Type-1 and Type-2 authorizations. Hence the Type-3 authorization queries are intentionally omitted. For simplicity, we only provide Type-α (α = 1, 2) authorization queries to the adversary in security games. The security model of a IBEET-FA scheme against two types of adversaries above is described as follows. OW-ID-CPA Security Against Type-I Adversaries. We present the game between a challenger C and a Type-I adversary A. Let say A wants to attack target identity ID∗ and he can have a trapdoor for all ciphertexts of that identity. 1. Setup: C runs Setup(λ) to generate the pair (PP, MSK), and sends the public parameter PP to A.

Lattice-Based IBEET-FA in the Standard Model

631

2. Phase 1: A may adaptively make queries many times and in any order to the following oracles: – OExt : on input identity ID (= ID∗ ), OExt returns the ID’s secret key SKID . – OTdα for α = 1, 2: • oracle OTd1 return td1,ID ← Td1 (SKID ) using the secret key SKID . • oracle OTd2 return td2,ID ← Td2 (SKID , CTID ) using the secret key SKID and CTID . 3. Challenge: C chooses a random message m in the message space and sends CT∗ID∗ ← Enc(PP, ID∗ , m) to A. 4. Phase 2: same as in Phase 1 except that A cannot be queried to the secret key extraction oracle OExt for the identity ID∗ . 5. Guess: A output m . The adversary A wins the above game if m = m and the success probability of A is defined as ype−α (λ) := Pr[m = m ]. AdvOW-ID-CPA,T A,IBEET-FA Remark 2. It is necessary to have the size of the message space M to be exponential in the security parameter and the min-entropy of the message distribution is sufficiently higher than the security parameter. If not, a Type-I adversary A can perform the equality tests with the challenge ciphertext and all other ciphertexts from messages space generated the adversary himself by using the trapdoor for the challenge ciphertext. Then he can reveal the underlying message of the challenge ciphertext in polynomial-time or sufficiently small exponential time in the security parameter. For instance, an algorithm is said to be exponential time, if T (n) is upper bounded by 2poly(n) , where poly(n) is some polynomial in n. More k informally, an algorithm is exponential time if T (n) is bounded by O(2n ). If both n and k are small, then the total time is still sufficiently acceptable. IND-ID-CPA Security Against Type-II Adversaries. We illustrate the game between a challenger C and a Type-II adversary A, who cannot have a trapdoor for all ciphertexts of target identity ID∗ . 1. Setup: C runs Setup(λ) to generate (PP, MSK) and gives the public parameter PP to A. 2. Phase 1: A may adaptively make queries many times and in any order to the following oracles: – OExt : on input identity ID (= ID∗ ), returns the ID’s secret key SKID . – OTdα for α = 1, 2 (where input ID = ID∗ ): • oracle OTd1 : on input ID, OTd1 returns td1,ID ← Td1 (SKID ). • oracle OTd2 : on input (ID, CTID ), OTd2 returns td2,ID ← Td2 (SKID , CTID ). 3. Challenge: A selects a target user ID∗ , which was never queried to the OExt and OTd oracles in Phase 1, and two messages m0 m1 of same length and pass to C, who then selects a random bit b ∈ {0, 1}, runs CT∗ID∗ ,b ← Enc(PP, ID∗ , mb ) and sends CT∗ID∗ ,b to A.

632

G. L. D. Nguyen et al.

4. Phase 2: same as in Phase 1 except that A cannot query OExt and OTdα for the identity ID∗ . 5. Guess: A output b . The adversary A wins the above game if b = b and defined as   ype−α Pr[b = b ] − := AdvIND-ID-CPA,T A,IBEET-FA  2.2

the advantage of A is  1  . 2

Lattices

We mainly focus on integer lattices, namely discrete subgroups of Zm . Specially, a lattice Λ in Zm with basis B = [b1 , · · · , bn ] ∈ Zm×n , where each bi is written in column form, is defined as   n  bi xi |xi ∈ Z ∀i = 1, · · · , n ⊆ Zm . Λ := i=1

We call n the rank of Λ and if n = m we say that Λ is a full rank lattice. In this paper, we mainly consider full rank lattices containing qZm , called q-ary lattices, defined as the following, for a given matrix A ∈ Zn×m and u ∈ Znq   Λq (A) := e ∈ Zm s.t. ∃s ∈ Znq where AT s = e mod q m s.t. Ae = 0 Λ⊥ q (A) := {e ∈ Z

Λu q (A)

m

:= {e ∈ Z

mod q}

s.t. Ae = u mod q}

u ⊥ u Note that if t ∈ Λu q (A) then Λq (A) = Λq (A) + t. Hence, one can see Λq (A) as a shift of Λ⊥ q (A). Let S = {s1 , · · · , sk } be a set of vectors in Rm . We denote by S := maxi si for i = 1, · · · , k, the maximum l2 length of the vectors in S. We also denote S˜ := {˜s1 , · · · , ˜sk } the Gram-Schmidt orthogonalization of the vectors ˜ the Gram-Schmidt norm of S. s1 , · · · , sk in that order. We refer to S with an Ajtai [2] first proposed how to sample a uniform matrix A ∈ Zn×m q ⊥ associated basis SA of Λq (A) with low Gram-Schmidt norm. It is improved later by Alwen and Peikert [3] in the following Theorem.

Theorem 1. Let q ≥ 3 be odd and m := 6n log q . There is a probabilistic polynomial-time algorithm TrapGen(q, n) that outputs a pair (A ∈ Zn×m ,S ∈ q and S is Zm×m ) such that A is statistically close to a uniform matrix in Zn×m q (A) satisfying a basis for Λ⊥ q  ˜ ≤ O( n log q) S with all but negligible probability in n.

and

S ≤ O(n log q)

Lattice-Based IBEET-FA in the Standard Model

633

Definition 1 (Gaussian distribution). Let Λ ⊆ Zm be a lattice. For a vector c ∈ Rm and a positive parameter σ ∈ R, define:    x − c 2 ρσ,c (x). ρσ,c (x) = exp π and ρσ,c (Λ) = 2 σ x∈Λ

The discrete Gaussian distribution over Λ with center c and parameter σ is ∀y ∈ Λ

,

DΛ,σ,c (y) =

ρσ,c (y) . ρσ,c (Λ)

For convenience, we will denote by ρσ and DΛ.σ for ρ0,σ and DΛ,σ,0 respectively. When σ = 1 we will write ρ instead of ρ1 . We recall below in Theorem 2 some useful results. The first one comes from [14, Lemma 4.4] . The second one is from [5] and formulated in [1, Theorem 17] and the last one is from [1, Theorem 19]. with m > n and B Theorem 2. Let q > 2 and let A, B be matrices in Zn×m q ⊥ ⊥ is rank n. Let TA , TB be a basis for Λq (A) and Λq (B) respectively. Then for : c ∈ Rm and U ∈ Zn×t q  1 and σ ≥ T 1. Let M be a matrix in Zn×m A ω( log(m + m1 )). Then there q exists a PPT algorithm SampleLeft(A, M, TA , U, σ) that outputs a vector e ∈ Zm+m1 distributed statistically close to DΛuq (F1 ),σ where F1 := (A | M ). In particular e ∈ ΛU q (F1 ), i.e., F1 · e = U mod q. In addition, if A is rank n then there is a PPT algorithm SampleBasisLeft(A, M, TA , σ) that outputs a basis of Λ⊥ q (F1 ). 2. Let R be a matrix in Zk×m and let sR := supx=1 Rx . Let F2 := √ (A | AR + B). Then for σ ≥ T B sR ω( log m), there exists a PPT algorithm SampleRight(A, B, R, TB , U, σ) that outputs a vector e ∈ Zm+k distributed statistically close to DΛUq (F2 ),σ . In particular e ∈ Λu q (F2 ), i.e., F2 · e = U mod q. In addition, if B is rank n then there is a PPT algorithm SampleBasisRight(A, B, R, TB , σ) that outputs a basis of Λ⊥ q (F √2 ). Note that when R is a random matrix in {−1, 1}m×m then sR < O( m) with overwhelming probability (cf. [1, Lemma 15]). The security of our construction reduces to the LWE (Learning With Errors) problem introduced by Regev [15]. Definition 2 (LWE problem). Consider publicly a prime q, a positive integer n, and a distribution χ over Zq . An (Zq , n, χ)-LWE problem instance consists of access to an unspecified challenge oracle O, being either a noisy pseudorandom sampler Os associated with a secret s ∈ Znq , or a truly random sampler O$ who behaviors are as follows: Os : samples of the form (ui , vi ) = (ui , uTi s + xi ) ∈ Znq × Zq where s ∈ Znq is a uniform secret key, ui ∈ Znq is uniform and xi ∈ Zq is a noise withdrawn from χ.

634

G. L. D. Nguyen et al.

O$ : samples are uniform pairs in Znq × Zq . The (Zq , n, χ)-LWE problem allows responds queries to the challenge oracle O. We say that an algorithm A decides the (Zq , n, χ)-LWE problem if   := Pr[AOs = 1] − Pr[AO$ = 1] AdvLWE A is non-negligible for a random s ∈ Znq . Regev [15] showed that (see Theorem 3 below) when χ is the distribution Ψ α of the random variable qX mod q where α ∈ (0,√ 1) and X is a normal random variable with mean 0 and standard deviation α/ 2π then the LWE problem is hard. Theorem 3. If there exists an efficient, possibly quantum, algorithm for decid√ ing the (Zq , n, Ψ α )-LWE problem for q > 2 n/α then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems, to within ˜ O(n/α) factors in the l2 norm, in the worst case. Hence if we assume the hardness of approximating the SIVP and GapSVP problems in lattices of dimension n to within polynomial (in n) factors, then it follows from Theorem 3 that deciding the LWE problem is hard when n/α is a polynomial in n.

3 3.1

Proposed Construction: IBEET-FA over Integer Lattice Construction

Setup(λ) : On input a security parameter λ, set the parameters q, n, m, σ, α as in Sect. 3.3 1. Use TrapGen(q, n) to generate uniformly random n × m-matrices A, A ∈ together with trapdoors TA , TA ∈ Zm×m respectively. Zn×m q q 2. Select + 1 uniformly random n × m matrices A1 , · · · , A , B ∈ Zn×m q where is the bit length of identity vector ID. where t is the bit length of 3. Select a uniformly random matrix U ∈ Zn×t q message m. 4. H : {0, 1}∗ → {0, 1}t is a collision-resistant hash function. 5. H  : {0, 1}∗ → {0, 1}λ is a collision-resistant hash function. 6. Output the public key and the master secret key PP = (A, A , A1 , · · · , A , B, U )

,

MSK = (TA , TA ).

Extract(PP, MSK, ID) : On input the public parameter PP, a master secret key MSK and an identity ID = (id1 , · · · , id ) ∈ {−1, 1} :  . 1. Let AID = B + i=1 idi Ai ∈ Zn×m q  = (A |AID ) ∈ Zqn×2m . 2. Set FID = (A|AID ), FID

Lattice-Based IBEET-FA in the Standard Model

635

 3. Sample EID , EID ∈ Z2m×2m as

EID ← SampleBasisLeft(A, AID , TA , σ),  EID ← SampleBasisLeft(A , AID , TA , σ).  4. Output SKID := (EID , EID ).    Note that FID · EID = 0, FID · EID = 0 in Zq and EID , EID are basis of Λ⊥ q (FID ), ⊥  Λq (FID ) respectively.

Encrypt(PP, ID, m) : On input the public parameter PP, an identity ID = (id1 , · · · , id ) ∈ {−1, 1} and a message m ∈ {0, 1}t , do: 1. Choose uniformly random s1 , s2 ∈ Znq .   t 2. Choose x1 , x2 ∈ Ψ α and compute c1 = U T s1 + x1 + m 2q ∈ Ztq , c2 =   U T s2 + x2 + H(m) 2q ∈ Ztq . 3. Pick uniformly random matrices Ri ∈ {−1, 1}m×m for i = 1, · · · , , set RID =

 

idi Ri ∈ {− , · · · , }m×m .

i=1

4. Choose a uniformly at random R ∈ {− , · · · , }m×m and set  F2 = (FID |AR) ∈ Zqn×3m .

F1 = (FID |AR) , m

5. Choose y1 , y2 ∈ Ψ α and set T z1 = RID y1

,

T z2 = RID y2 ∈ Zm q ,

r1 = RT y1

,

r2 = RT y2 ∈ Zm q .

T

T

T 3m 6. Compute c3 = F1T s1 +[y1 |z1 |r1 ] ∈ Z3m q , c4 = F2 s2 +[y2 |z2 |r2 ] ∈ Zq .  7. Compute c5 = H (R||c1 ||c2 ||c3 ||c4 ). 8. The ciphertext is

CTID = (R, c1 , c2 , c3 , c4 , c5 ) ∈ Zm×m × Zq2t+6m × {0, 1}λ . q Decrypt(PP, SKID , CT) : On input public parameter PP, private key SKID =  ) and a ciphertext CT = (R, c1 , c2 , c3 , c4 , c5 ), do: (EID , EID 1. Check if c5 = H  (R||c1 ||c2 ||c3 ||c4 ). If not, returns ⊥. as 2. Sample e ∈ Z3m×t q e ← SampleLeft(FID , AR, EID , U, σ). 3. Note that F1 · e = U ∈ Zn×t . We compute w ← c1 − eT c3 ∈ Ztq . q 4. For each  i = 1, · · · , t, compare wi and  2q . If they are close, i.e. wi −  q  <  q , output mi = 1, otherwise mi = 0. We then obtain 2 4 the message m.

636

G. L. D. Nguyen et al.

5. Sample e ∈ Z3m×t as q   e ← SampleLeft(FID , AR, EID , U, σ).

. We compute w ← c2 − (e )T c4 ∈ Ztq . 6. Note that F2 · e = U ∈ Zn×t q 7. For each  i = 1, · · · , t, compare wi and  2q . If they are close, i.e. wi −  q  <  q , output hi = 1, otherwise hi = 0. We then obtain 2 4 the vector h. 8. Finally, if h = H(m) then output m, otherwise output ⊥. Flexible Authorization: Suppose we have two identities in the system IDi and IDj along with CTIDi = (Ri , ci1 , ci2 , ci3 , ci4 , ci5 ) and CTIDj = (Rj , cj1 , cj2 , cj3 , cj4 , cj5 ) be their ciphertexts respectively. Type-1 Authorization:   ), outputs a trapdoor td1,ID = EID . – Td1 (SKID ): On input SKID = (EID , EID – Test(td1,IDi , td1,IDj , CTIDi , CTIDj ): On input trapdoors td1,IDi , td1,IDj and ciphertexts CTIDi , CTIDj for identities IDi , IDj respectively, do 1. For each identity IDi (resp. IDj ), do the following: • Check if ci5 = H  (Ri ||ci1 ||ci2 ||ci3 ||ci4 ). If not, returns ⊥. as • Take Ri from CTIDi and sample ei ∈ Z3m×t q   ei ← SampleLeft(FID , ARi , EID , U, σ)

Note that Fi2 · ei = U ∈ Zn×t . q • Compute wi ← ci2 − (ei )T ci4 ∈ Ztq . For each k = 1, · · · , t, compare wik with  2q  and output hik = 1 if they are close, and 0 otherwise. We obtain the vector hi (resp. hj ). 2. Output 1 if hi = hj and 0 otherwise. Type-2 Authorization:  ) and its ciphertext CTID , – Td2 (SKID , CTID ): On input SKID = (EID , EID outputs a trapdoor td2,ID with following procedure: 1. Check if c5 = H  (R||c1 ||c2 ||c3 ||c4 ). If not, returns ⊥. as 2. Take R from CTID and sample td2,ID = e ∈ Z3m×t q   e ← SampleLeft(FID , AR, EID , U, σ).

Note that F2 · e = U ∈ Zn×t q – Test(td2,IDi , td2,IDj , CTIDi , CTIDj ): On input trapdoors td2,IDi , td2,IDj and ciphertexts CTIDi , CTIDj for identities IDi , IDj respectively, do 1. Compute wi ← ci2 − (ei )T ci4 ∈ Ztq . For each k = 1, · · · , t, compare wik with  2q  and output hik = 1 if they are close, and 0 otherwise. We then obtain the vector hi (resp. hj ). 2. Output 1 if hi = hj and 0 otherwise. Type-3 Authorization:   ), returns td3,IDi = EID . – Td3 (SKIDi ): On input SKIDi = (EIDi , EID i i

Lattice-Based IBEET-FA in the Standard Model

637

 – Td3 (SKIDj , CTj ): On input an identity’s secret key SKIDj = (EIDj , EID ) j and ciphertext CTj , it outputs a trapdoor td3,IDj using procedure: 1. Check if cj5 = H  (Rj ||cj1 ||cj2 ||cj3 ||cj4 ). If not, returns ⊥. as 2. Take Rj from CTIDj and sample td3,IDj = ej ∈ Z3m×t q   ej ← SampleLeft(FID , ARj , EID , U, σ).

. Note that Fj2 · ej = U ∈ Zn×t q – Test(td3,IDi , td3,IDj , CTIDi , CTIDj ): On input trapdoors td3,IDi , td3,IDj and ciphertexts CTIDi , CTIDj for identities IDi , IDj respectively, do 1. For identity IDi , do the following: • Check if ci5 = H  (Ri ||ci1 ||ci2 ||ci3 ||ci4 ). If not, returns ⊥. as • Take Ri from CTIDi and sample ei ∈ Z3m×t q   , ARi , EID , U, σ). ei ← SampleLeft(FID

Note that Fi2 · ei = U ∈ Zn×t . q • Compute wi ← ci2 − (ei )T ci4 ∈ Ztq . For each k = 1, · · · , t, compare wik with  2q  and output hik = 1 if they are close, and 0 otherwise. We then obtain the vector hi . 2. For each IDj : Compute wj ← cj2 − (ej )T cj4 ∈ Ztq . For each k = 1, · · · , t, compare wik with  2q  and output hjk = 1 if they are close, and 0 otherwise. We then obtain the vector hj . 3. Output 1 if hi = hj and 0 otherwise. Theorem 4. Proposed IBEET-FA construction above is correct if H is a collision-resistant hash function. Proof. We have that if CT is a valid ciphertext of m then the decryption will always output m. Furthermore, Test of Type-α (for α = 1, 2, 3) checks whether H(mi ) = H(mj ) where CTi and CTj are valid ciphertexts of two identities IDi and IDj respectively. It outputs 1, meaning that mi = mj , which is always correct with overwhelming probability since H is collision resistant. Hence, the proposed IBEET-FA described above is correct. 3.2

Security Analysis

We show that the our proposed IBEET-FA construction is OW-ID-CPA secure against Type-I adversaries (cf. Theorem 5) and IND-ID-CPA secure against TypeII adversaries (cf. Theorem 6). Due to space limitation, we prove in details Theorem 5, while we refer the detailed proof for Theorem 6 (which is simpler than that for Theorem 5) to the full version [24] Theorem 5. The IBEET-FA system with parameters (q, n, m, σ, α) as in Sect. (3.3) is OW-ID-CPA secure provided that H is a one-way hash function and the (Zq , n, Ψ¯α )-LWE assumption holds.

638

G. L. D. Nguyen et al.

Proof. Assume that there is a Type-I adversary A who breaks the OW-ID-CPA security of the IBEET-FA scheme. We construct an algorithm B who solves the LWE problem using A. The proof proceeds in a sequence of games where the first game is identical to the OW-ID-CPA. Game 0. This is the original OW-ID-CPA game between the attacker A against the scheme and the OW-ID-CPA challenger. Recall that in this Game 0 the challenger generates public parameter PP by choosing + 3 random matrices . Let Ri∗ ∈ {−1, 1}m×m for i = 1, · · · , be the A, A , A1 , · · · , A , B in Zn×m q ephemeral random matrices generated when creating the ciphertext CT∗ID∗ . Game 1. At setup phase, the challenger B chooses uniform random matrices Ri∗ , and random scalars hi ∈ Zq for i = 1, · · · , . After that, it generates A, A , B as in Game 0 and constructs the matrices Ai for i = 1, · · · , as . Ai ← A · Ri∗ − hi · B ∈ Zn×m q The remainder of Game 1 is unchanged with Ri∗ , i = 1, · · · , is used to generate the challenge ciphertext. Note that these Ri∗ ∈ {−1, 1}m×m are chosen in advance in setup phase without the knowledge of ID∗ . Using [1, Lemma 13], we prove that the matrices Ai are statistically close to uniform random independent. Therefore, the adversary’s view in Game 1 is identical to that in Game 0. Game 2. We add an abort that is independent of adversary’s view as follow: – In the setup phase, the challenger chooses random hi ∈ Zq , i = 1, · · · , and keeps these values private. – In the final guess phase, the adversary outputs a guest m for m. The challenger now does the following: 1. Abort check: for all queries SKID to the extract secret key oracle OExt , the challenger checks whether the identity ID = (id1 , · · · , id )   satisfies 1 + i=1 idi hi = 0 and 1 + i=1 id∗i hi = 0. If not then B overwrites m with a fresh random message and aborts the game. Note that this is unnoticed from the adversary’s view and B can even abort the game as soon as the condition is true. 2. Artificial abort: B samples a message Γ such that Pr[Γ = 1] = G(all queries SKID ) where G is defined in [1, Lemma 28]. If Γ = 1, B overwrites m with a fresh message and make a artificial abort. This completes the description of Game 2. Game 3. We choose A is a uniform random matrix in Zn×m . However, matrices q A , B and their trapdoor TA , TB are generated through TrapGen(q, n), where  ⊥ TA , TB are basis of Λ⊥ q (A ), Λq (B) respectively. The construction of Ai for i = 1, · · · , remains the same: Ai = ARi∗ − hi B. When A queries OExt (ID) where ID = (id1 , · · · , id ), the challenger generate secret key using trapdoor TB as follows:  – Challenger B sets FID := (A|B + i=1 idi Ai ) = (A|ARID + hID B), where RID ←

  i=1

idi Ri∗



Zm×m q

and

hID ← 1 +

  i=1

idi hi ∈ Zq .

(1)

Lattice-Based IBEET-FA in the Standard Model

639

– If hID = 0 then abort the game and pretend that the adversary outputs a random message m as in Game 2. – Sample EID ← SampleBasisRight(A, hID B, RID , TB , σ). Since hID is nonzero, TB is also a trapdoor for hID B. Hence the output EID satisfies FID · EID = 0 in Zq and EID is basis of Λ⊥ q (FID ). Moreover, Theorem 2 shows √  that when σ > TB sRID ω( log m) with sRID := RID   ) to A where EID is computed as in the – Finally B return SK = (EID , EID   real construction EID ← SampleBasisLeft(A , AID , TA , σ). Note that when A queries OTdα (including ID∗ ), the trapdoor is still computed as in the real construction. The rest of Game 3 is similar to Game 2. In particular, B uses abort check in challenge phase and artificial abort in guess phase. Then Game 3 and Game 2 are identical in the adversary’s view. Game 4. Game 4 is identical to Game 3, except that the challenge ciphertext is always chosen as a random independent element. And thus A’s advantage is always 0. The remaining part is to show Game 3 and Game 4 are computationally indistinguishable. If the abort event happens then the games are clearly indistinguishable. Hence, we only focus on sequences of queries that do not cause an abort. Reduction from LWE. Recall that an LWE problem instance is provided as a sampling oracle O that can be either truly random O$ or a noisy pseudorandom Os for some secret random s ∈ Znq . Suppose now A has a nonnegligible advantage in distinguishing Game 3 and Game 4, we use A to construct B to solve the LWE problem as follows. Instance. First of all, B requests from O and receives, for each j = 1, · · · , t a fresh pair of (ui , di ) ∈ Znq × Zq and for each i = 1, · · · , m, a fresh pair of (ai , vi ) ∈ Znq × Zq . Setup. B constructs the public parameter PP as follows: 1. Assemble the random matrix A ∈ Zn×m from m of previously given LWE q samples by letting the i-th column of A to be the n-vector ai for all i = 1, · · · , m. 2. Assemble the first t unused LWE samples u1 , · · · , ut to become a public . random matrix U ∈ Zn×t q 3. Matrix A , B and trapdoor TA , TB are generated as in Game 4 while matrices Ai for i = 1, · · · , are constructed as in Game 1. 4. Set PP := (A, A , A1 , · · · , A , B, U ) and send to A. Queries. B answers the queries as in Game 4, including aborting the game. Challenge. Now when A send B a target identity ID∗ = (id∗1 , · · · , id∗ ). B then choose a random message m∗ and computes the challenge ciphertext CT∗ID∗ = (R∗ , c∗1 , c∗2 , c∗3 , c∗4 , c∗5 ) as follows: 1. Assemble d∗ = [d1 , · · · , dt ]T ∈ Ztq , set c∗1 ← d∗ + m∗  2q  ∈ Ztq .

640

G. L. D. Nguyen et al. t

2. Choose uniformly random s2 ∈ Znq and x2 ← Ψ α , compute q ∈ Ztq . c∗2 = U T s2 + x2 + H(m∗ ) 2  ∗ ∗ ∗ m×m . 3. Compute RID ∗ := i=1 idi Ri ∈ {− , · · · , } ∗ 4. Choose uniformly at random R ∈ {− , · · · , }⎡m×m . ⎤ v∗ ∗ T ∗ ∗ 3m ⎣ (RID . 5. Assemble v∗ = [v1 , · · · , vm ]T ∈ Zm ∗ ) v ⎦ ∈ Zq q . Set c3 := ∗ T ∗ (R ) v ⎤ ⎡ AT s2 + y2 m ∗ T ∗ T 3m 6. Choose y2 ← Ψ α and set c∗4 := ⎣ (ARID . ∗ ) s2 + (RID∗ ) y2 ⎦ ∈ Zq ∗ T ∗ T (AR ) s2 + (R ) y2 7. Compute c∗5 = H  (R∗ ||c∗1 ||c∗2 ||c∗3 ||c∗4 ). Then B sends CT∗ID∗ = (R∗ , c∗1 , c∗2 , c∗3 , c∗4 , c∗5 ) to A. We argue that when the LWE oracle is pseudorandom (i.e. O = Os ) then CT∗ID∗ is distributed exactly as in Game 4. It suffices to argue only in case of no abort. Note that, since one has hID∗ = 0 and so ∗ FID∗ = (A|ARID ∗)

,

∗ ∗ F1∗ = (A|ARID ∗ |AR )

Because oracle is pseudorandom, then we have v∗ = AT s1 + y1 for some m random noise vector y1 ← Ψ α respectively. Therefore, c∗3 in Step 5 satisfies: ⎤ ⎤ ⎡ ⎡ y1 AT s1 + y1 ∗ T ∗ T ∗ T T c∗3 := ⎣ (RID ∗ ) (A s1 + y1 ) ⎦ = (F1 ) s1 + ⎣ (RID∗ ) y1 ⎦ . (R∗ )T y1 (R∗ )T (AT s1 + y1 ) ⎤ y2 ∗ T One can easily see that c∗4 := (F2∗ )T s2 + ⎣ (RID ∗ ) y2 ⎦ . ∗ T (R ) y2 ⎡

t

Moreover, for some x1 , ← Ψ α , we have d∗ = U T s1 + x1 , therefore c∗1 = U T s1 + x1 + m∗

q ∈ Ztq 2

Therefore CT∗ID∗ is a valid ciphertext. When O = O$ we have that d∗ is uniform in Ztq and v∗ is uniform in ∗ Zm q . Then obviously c1 is uniform. It follows also from the leftover hash lemma (cf. [17, Theorem 8.38]) that c∗3 is also uniform and independence in Z3q m. Consequently, the challenge ciphertext CT∗ID∗ is always uniform in × Zq2t+6m × {0, 1}λ . Zm×m q Guess. After making additional queries in Phase 2, A guesses if it is interacting with Game 3 or Game 4. The simulator also implements the artificial abort for these Games and uses the final guess as the answer to the LWE problem.

Lattice-Based IBEET-FA in the Standard Model

641

We claim that when O = Os then the adversary’s view is as in Game 3. When O = O$ then the view of adversary is as in Game 4. Hence B’s advantage in solving the LWE problem is the same as the advantage of A in distinguishing Game 3 and Game 4 as required. This completes the description of algorithm B and completes the proof. Theorem 6. The IBEET-FA system with parameters (q, n, m, σ, α) as in Sect. (3.3) is IND-ID-CPA secure provided that H is a one-way hash function and the (Zq , n, Ψ¯α )-LWE assumption holds. In particular, suppose there exists a probabilistic algorithm A that wins the IND-ID-CPA game with advantage . Then there is a probabilistic algorithm B that solves the (Zq , n, Ψ¯α )-LWE problem. Proof. The proof is quite similar to and simpler than that of Theorem 5 in which we show our construction is indistinguishable from random, meaning the challenge ciphertext is indistinguishable from a random element in the ciphertext space. We refer the readers to the full version [24] for a detailed proof. 3.3

Setting Parameters

Following [1, Section 7.3], we choose our parameters satisfying: – that the TrapGen works, i.e., m > 6n log q. – that σ is large enough for SampleLeft, SampleRight,  SampleBasisLeft and  log(2m)), T · ω( SampleBasisRight to work, i.e., σ > max{ T A B · sRID · √ m×m Note that, when R is a random matrix in {−1, 1} then ω( log m)}. √ 15]). Hence when sR < O( m) with overwhelming probability (cf. [1, Lemma √ RID is a random matrix in {− , }m×m then sRID < O( m). Also, note that √  T A , TB ≤ O( n log q). √ – that Regev’s reduction for the LWE problem to apply, i.e., q > 2 n/α. – that our security reduction applies (i.e., q > 2Q where Q is the number of identity queries from the adversary). – the error term in decryption √ is less than q/5 with high probability, i.e., q = Ω(σm3/2 ) and α < [σlmω( log m)]−1 .

4

Conclusion

In this paper, we propose a direct construction of IBEET-FA based on the hardness of Learning With Errors problem. This construction inherited the efficiency from direct construction of PKEET by Duong et al. [7,8]. However, in order to support flexible authorization, the ciphertext size and secret key size increase. One can improve it by using elegant methods in construction and security proof. We will leave as a future work for improving our schemes to achieve the CCA2security as well as reducing the storage size. Additionally, as mentioned earlier, the existing security model for IBEET and hence for IBEET-FA is not sufficiently strong in some scenarios. Therefore, finding a stronger security model for IBEET and IBEET-FA would also be an interesting future work.

642

G. L. D. Nguyen et al.

Acknowledgment. We all thank Ryo Nishimaki and anonymous reviewers for their insightful comments which improve the content and presentation of this work. This work is partially supported by the Australian Research Council Linkage Project LP190100984. Huy Quoc Le has been sponsored by a CSIRO Data61 PhD Scholarship and CSIRO Data61 Top-up Scholarship.

References 1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 28 2. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6 1 3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: Proceedings of 26th International Symposium on Theoretical Aspects of Computer Science, STACS 2009, 26–28 February 2009, Freiburg, Germany, pp. 75–86 (2009) 4. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007) 5. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523– 552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 27 6. Duong, D.H., Fukushima, K., Kiyomoto, S., Roy, P.S., Susilo, W.: A lattice based public key encryption with equality test in standard model. In: Proceedings of Information Security and Privacy - 24nd Australasian Conference, ACISP 2019, Christchurch, New Zealand, 3–5 July 2019, pp. 168–183 (2019) 7. Duong, D.H., Le, H.Q., Roy, P.S., Susilo, W.: Lattice-based IBE with equality test in standard model. In: Steinfeld, R., Yuen, T.H. (eds.) ProvSec 2019. LNCS, vol. 11821, pp. 19–40. Springer, Cham (2019). https://doi.org/10.1007/978-3-03031919-9 2 8. Duong, D.H., Fukushima, K., Kiyomoto, S., Roy, P.S., Sipasseuth, A., Susilo, W.: Lattice-based public key encryption with equality test supporting flexible authorization in standard model. In: ArXiv, 2005.05308 (2020) 9. Lee, H.T., Ling, S.S., Jae, H., Huaxiong, W., Youn, T.Y.: Public key encryption with equality test in the standard model. Cryptology ePrint Archive, Report 2016/1182 (2016) 10. Lee, H.T., Ling, S., Seo, J.H., Wang, H.: Semi-generic construction of public key encryption and identity-based encryption with equality test. Inf. Sci. 373, 419–440 (2016) 11. Lee, H.T., Wang, H., Zhang, K.: Security analysis and modification of ID-based encryption with equality test from ACISP 2017. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 780–786. Springer, Cham (2018). https://doi. org/10.1007/978-3-319-93638-3 46 12. Ma, S.: Identity-based encryption with outsourced equality test in cloud computing. Inf. Sci. 328, 389–402 (2016) 13. Ma, S., Huang, Q., Zhang, M., Yang, B.: Efficient public key encryption With equality test supporting flexible authorization. IEEE Trans. Inf. Forensics Secur. 10(3), 458–470 (2015)

Lattice-Based IBEET-FA in the Standard Model

643

14. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: Proceedings of 45th Symposium on Foundations of Computer Science (FOCS 2004), 17–19 October 2004, Rome, Italy, pp. 372–381 (2004) 15. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005) 16. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997) 17. Shoup, V.: A Computational Introduction to Number Theory and Algebra, second edn. Cambridge University Press, Cambridge (2008) 18. Wu, L., Zhang, Y., Choo, K.R., He, D.: Efficient identity-based encryption scheme with equality test in smart city. IEEE Trans. Sustain. Comput. 3(1), 44–53 (2018) 19. Wu, T., Ma, S., Mu, Y., Zeng, S.: Id-based encryption with equality test against insider attack. In: Pieprzyk, J., Suriadi, S. (eds.) Inf. Secur. Privacy, pp. 168–183. Springer International Publishing, Cham (2017) 20. Ma, S.: Identity-based encryption with outsourced equality test in cloud computing. Inf. Sci. 328, 389–402 (2016) 21. Alornyo, S., Asante, M., Hu, X., Mireku, K.K.: Encrypted traffic analytic using identity-based encryption with equality test for cloud computing. In: 2018 IEEE 7th International Conference on Adaptive Science Technology (ICAST), pp. 1–4 (2018) 22. Ramadan, M., Liao, Y., Li, F., Zhou, S., Abdalla, H.: IBEET-RSA: identity-based encryption with equality test over RSA for wireless body area networks. Mob. Netw. Appl. 25(1), 223–233 (2019). https://doi.org/10.1007/s11036-019-01215-9 23. Galindo, D., Hasuo, I.: Security notions for identity based encryption. Cryptology ePrint Archive, Report 2005/253 (2005). https://eprint.iacr.org/2005/253 24. Nguyen, G.L.D., Susilo, W., Duong, D.H., Le, H.Q., Guo, F.: Lattice-based IBE with equality test supporting flexible authorization in the standard model (full version). https://arxiv.org/abs/2010.14077 (2020)

Efficient Attribute-Based Proxy Re-Encryption with Constant Size Ciphertexts Arinjita Paul(B) , S. Sharmila Deva Selvi, and C. Pandu Rangan Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India {arinjita,sharmila,prangan}@cse.iitm.ac.in

Abstract. Attribute-based proxy re-encryption (ABPRE) allows a semi-trusted proxy to transform an encryption under an access-policy into an encryption under a new access policy, without revealing any information about the underlying message. Such a primitive facilitates fine-grained secure sharing of encrypted data in the cloud. In its keypolicy flavor, the re-encryption key is associated with an access structure that specifies which type of ciphertexts can be re-encrypted. Only two attempts have been made towards realising key-policy ABPRE (KPABPRE), one satisfying replayable chosen ciphertext security (RCCA security) and the other claiming to be chosen ciphertext secure (CCA secure). We show that both the systems are vulnerable to RCCA and CCA attacks respectively. We further propose a selective CCA secure KP-ABPRE scheme in this work. Since we demonstrate attacks on the only two existing schemes in the literature, our scheme becomes the first KP-ABPRE scheme satisfying selective CCA security. Moreover, our scheme has an additional attractive property, namely collusion resistance. A proxy re-encryption scheme typically consists of three parties: a delegator who delegates his decryption rights, a proxy who performs reencryption, and a delegatee to whom the decryption power is delegated to. When a delegator wishes to share his data with a delegatee satisfying an access-policy, the proxy can collude with the malicious delegatee to attempt to obtain the private keys of the delegator during delegation period. If the private keys are exposed, security of the delegator’s data is completely compromised. Hence, achieving collusion resistance is indispensable to real-world applications. In this paper, we show that our construction satisfies collusion resistance. Our scheme is proven collusion resistant and selective CCA secure in the random oracle model, based on Bilinear Diffie-Hellman exponent assumption. Keywords: Proxy re-encryption · Key-policy encryption · Random oracle · Bilinear map

· Attribute-based

c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 644–665, 2020. https://doi.org/10.1007/978-3-030-65277-7_29

Efficient Attribute-Based Proxy Re-Encryption

1

645

Introduction

In traditional proxy re-encryption (PRE) systems [1,4], the communication model is one-to-one, in the sense that a message can be re-encrypted only towards a particular public key. In practice, however many scenarios require the re-encryption functionality without exact knowledge of the set of intended recipients. One such major application is data sharing in untrusted cloud storage. In the cloud, a data owner may wish to share his encrypted data with users satisfying a specified access policy. In order to enable such expressive and fine-grained data sharing, Liang et al. [15] introduced the notion of attribute-based proxy re-encryption (ABPRE). ABPRE is an extension of the traditional PRE primitive to its attribute-based counterpart. PRE was introduced by Blaze, Bleumer and Strauss [4] to provide delegation of decryption rights. ABPRE designates a semi-trusted proxy to transform ciphertexts of delegators satisfying an access policy into ciphertexts of delegatees satisfying a new access policy. The proxy performs the conversion as a service upon receiving a special key construct called re-encryption key from the delegator, and while transforming the ciphertext, the proxy should not learn anything about the underlying message. ABPRE integrates the notion of PRE with attribute-based encryption (ABE) to effectively enhance the flexibility of delegation of decryption capability. ABE is a generalization of Identity-Based Encryption (IBE), introduced in [22] wherein a user’s identity is generalized to a set of descriptive attributes instead of a single string. ABE has two variants: Key-Policy ABE (KP-ABE) and CiphertextPolicy ABE (CP-ABE). In KP-ABE systems, the private key captures an access structure that specifies which type of ciphertexts the key can decrypt, while ciphertexts are labeled with attribute sets. Its dual, CP-ABE associates a user’s private key with attributes, while ciphertexts are embedded with access policy information. In light of the above, ABPRE can be classified into key-policy ABPRE (KP-ABPRE) and ciphertext-policy ABPRE (CP-ABPRE). Based on the direction of delegation, ABPRE systems are classified into unidirectional and bidirectional schemes. Additionally, based on the number of re-encryptions permitted, ABPRE systems are classified into single-hop and multi-hop schemes. In this work, we focus on unidirectional single-hop key-policy ABPRE schemes. A cloud storage system may typically contain two kinds of encrypted data. The first kind termed first-level ciphertext, is the information that a user A encrypts under his attribute set W1 and is likely to share with users identified by an attribute set W2 . Such an information is subject to re-encryption by the cloud, which performs the conversion upon getting the re-encryption key from user A. The second kind termed as second-level ciphertext is the re-encrypted data, converted by the cloud towards an access policy fulfilled by attribute set W1 of user A, delegated by another user C. Such an encrypted file can not be further re-encrypted in a single hop scenario. The only way to illegally decrypt such ciphertexts is when a malicious user B with attributes W2 and a cloud possessing a re-encryption key collude to obtain the private key corresponding to an access structure satisfied by W1 . Again, the re-encryption rights are enabled for a bounded, fixed period and malicious parties may want to decrypt ciphertexts

646

A. Paul et al.

of A even beyond that period. Collusion attack [1] refers to such an act where a colluding delegatee and cloud extract the private key of the delegator, causing harm to the delegator in every possible manner, such as unauthorised access to his sensitive data, identity theft and illegal delegation of decryption power. Thus, achieving collusion resistance is one of the major important problems in KP-ABPRE schemes. Collusion-resistant KP-ABPRE has many real-world applications such as blockchain based distributed cloud data storage and sharing, online medical service systems, online payment systems among others [14]. Achieving this powerful functionality of fine-grained access control comes at a cost. In a typical implementation of any previous construction of KP-ABPRE in the literature, the ciphertext size grows linearly with the size of the attribute set embedded by the sender. Also, the re-encryption and decryption time is proportional to the number of attributes involved of the receiver. Reducing ciphertext size and computation cost is highly beneficial in scenarios with low-bandwidth requirements and limited computing power. In this paper, we study KP-ABPRE in light of achieving collusion resistance and constant size ciphertexts. Related Work and Contribution In this work, we address the problem of designing collusion-resistant noninteractive attribute based PRE in the key-policy setting supporting rich access policies such as monotonic access structures, proposed in [13]. To integrate PRE to ABE setting, Liang et al. [15] first defined the notion of attribute-based PRE and proposed a CP-ABPRE scheme in the standard model, proven CPA-secure under Augment Decisional Bilinear Diffie-Hellman assumption. Chung et al. [6] gives a detailed study of the existing attribute based PRE schemes in their work. Li et al. [13] proposed the first KP-ABPRE scheme wherein matrix access structure is used to provide key-policy. Their construction is unidirectional, multiuse, collusion-resistant and is proven CPA-secure based on the Bilinear Decisional Diffie Hellman (DBDH) assumption. Note that, their construction relies on a trusted authority for the generation of the re-encryption keys, making the scheme highly infeasible. Since the same trusted authority is responsible for the generation of private keys, achieving delegation with the involvement of the trusted authority is trivial but impractical. Their work is extended in [12] to achieve an RCCA-secure KP-ABPRE scheme with matrix access structure to realize key-policy. Their design is unidirectional, multi-use and is claimed to be adaptively RCCA-secure based on DBDH assumption, with the same drawback of entrusting the trusted authority with the generation of re-encryption keys. Note that RCCA is a weaker variant of CCA tolerating a “harmless mauling” of the challenge ciphertext. In 2015, Ge et al. [11] designed a unidirectional singlehop CCA-secure KP-ABPRE scheme supporting monotonic access structures, without random oracles under the 3-weak decisional bilinear Diffie–Hellman inversion(3-wDBDHI) assumption. However, their construction does not adhere to the standard definition of KP-ABPRE. In essence, their scheme is a variation of conditional proxy re-encryption [23]. In their design, a first-level ciphertext

Efficient Attribute-Based Proxy Re-Encryption

647

C is labelled with a set of descriptive conditions W , encrypted towards an individual public key pki , decryptable only using its corresponding private key ski . Here, every re-encryption key is generated using an access structure tree T associated with conditional keywords. That is, C can only be re-encrypted towards another public key pkj specified in the re-encryption key RKi,T ,j only if W (used to label C) satisfies the access tree T of the re-encryption key. Their system enables one-to-one communication subject to conditions specified via access trees in re-encryption key, rather than a many-to-many transformation enabled by KP-ABPRE. Recently, Ge et al. [10] proposed an adaptive CCA-secure collusion resistant KP-ABPRE scheme that supports any monotonic access structures on users’ keys. Their scheme is claimed to be secure in the standard model based on subgroup decision problem for 3 primes and composite order bilinear pairings. Our contribution in this work is twofold. Firstly, we demonstrate attacks on the security of two existing KP-ABPRE schemes in the literature. We show that the KP-ABPRE construction of Ge et al. [10] is vulnerable to CCA attack. We also demonstrate an RCCA attack on the KP-ABPRE scheme due to Li et al. [12], which claims to be RCCA secure. Consequently, only one result due to Li et al. [13] achieves KP-ABPRE, which is CPA secure in the random oracle model. In [7], Cohen et al remarks on the inadequacy of CPA security in PRE. Besides, the difficulty in achieving a CCA-secure KP-ABPRE scheme has been discussed in [12]. Our second contribution lies in designing the first construction of a selective CCA secure KP-ABPRE scheme in the selective model of security. Our scheme is proven secure under Decisional Bilinear Diffie Hellman Exponent assumption in the random oracle model. All the previous attempts to construct KP-ABPRE schemes admitting expressive re-encryption and decryption policies produce ciphertexts whose size grows linearly with the number of attributes embedded in the ciphertext for both levels of encryption. This paper proposes the first KP-ABPRE result allowing monotonic access structure with constant size ciphertext, based on the KP-ABE framework of Rao et al. [21] and BLS signature [5]. Also, the scheme enjoys the feature of constant number of exponentiations during encryption, and constant number of bilinear pairings during encryption, re-encryption and decryption. This is especially useful in applications that have low bandwidth requirements and limited computing power.

2 2.1

Preliminaries Bilinear Maps and Hardness Assumptions

Definition 1 (Bilinear prime order p. A bilinear is both: (bilinear) for all (non-degenerate) if G0 =

Maps). Let G0 and G1 be two finite cyclic groups of map is an efficient mapping eˆ : G0 × G0 → G1 which a, b  Z∗p and g, h  G0 , eˆ(g a , h b ) = eˆ(g, h)ab ; and g, then G1 = ˆ e(g, g).

Definition 2 (n-Decisional Bilinear Diffie-Hellman Exponentiation assumption [21]). The n-decisional bilinear diffie-hellman exponentiation 2 n n+2 (n-DBDHE) assumption is, given the elements {g, g b , g a , g a , · · · , g a , g a , · · · , 2n g a } ∈ G0 and Z ∈ G1 , there exists no PPT adversary which can decide whether

648

A. Paul et al. n+1

Z = eˆ(g, g)b(a ) or a random element from G1 with a non-negligible advantage, where g is a generator of G0 and a, b ∈R Z∗p . 2.2

Access Structure and Linear Secret Sharing Schemes

Definition 3 (Access Structure [2]). Let P = {P1 , P2 , · · · , Pn } be a set of parties. A collection A ⊆ 2P is monotone if ∀B, C, if B ∈ A and B ⊆ C, then C ∈ A. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of P, i.e., A ⊆ 2P \{φ}. The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets. In the context of ABE, the role of parties is taken by attributes. Thus, an access structure A contains all the authorized set of attributes. In this paper, we work with monotone access structures. Next, we define Linear Secret-Sharing Scheme (LSSS)-realizable access structure, used to specify access control policies over user attributes. Definition 4 (Linear Secret Sharing Scheme). [3] Let P be a set of parties. Let M be a matrix of size l×k, called the share generating matrix. ρ : [l] → P is a row-labeling function that maps rows in M to attributes in A. A secret sharing scheme Π for access structure A is called linear in Zp represented as (M, ρ) if it consists of the following polynomial time algorithms: – Share(M, ρ, s): To generate shares of secret s



Zp , it chooses

R

z2 , z3 , · · · , zk ← Zp and sets v = (s, z2 , z3 , · · · , zk )T . It outputs (M · v) as the vector of l shares. Share λi = (Mi · v) belongs to attribute ρ(i), where MiT is the ith row of M . – Reconstruct(M, ρ, W ): This algorithm accepts as input (M , ρ) and a set of attributes W ∈ A. Let I = {i|ρ(i) ∈ W }. It outputs a set {ωi : i ∈ I} of secret reconstruction constants such that i∈I ωi · λi = s, if {λρ(i) : i ∈ I} is a valid set of secret shares of the secret s according to Π.

3

Definition of KP-ABPRE

Definition 5 (Key-Policy Attribute-Based Proxy Re-Encryption (KPABPRE)). A single-hop unidirectional KP-ABPRE scheme consists of the following seven algorithms: – Setup(1κ , U ): A PPT algorithm run by a certification authority CA that takes the unary encoding of the security parameter κ and an attribute universe description U as inputs. It outputs the public parameters as params and a master secret key M SK.

Efficient Attribute-Based Proxy Re-Encryption

649

– KeyGen(M SK, (M, ρ), params): A PPT algorithm run by CA that takes as input the master secret key M SK, an access structure (M, ρ) for attributes over U and the public parameters params. It outputs a private key SK(M,ρ) corresponding to the access structure (M, ρ). – Encrypt(m, W, params): A PPT algorithm that takes as inputs a message m ∈ M, an attribute set W and params. It outputs a ciphertext C, termed as first-level ciphertext, which can be further re-encrypted. – Decrypt(C, SK(M,ρ) , params): A deterministic algorithm that takes as input a first-level ciphertext C encrypted under attribute set W , a private key SK(M,ρ) , and params. If W |= (M, ρ), it outputs the message m ∈ M, else output an error symbol ⊥ indicating C is invalid. – ReKeyGen(SK(M,ρ) , (M, ρ), (M  , ρ ), params): A PPT algorithm run by the delegator that takes as input a private key SK(M,ρ) corresponding to an access structure (M, ρ), an access structure (M  , ρ ) and params. It outputs a reencryption key RK(M,ρ)→(M  ,ρ ) , that can perform re-encryption of ciphertexts under attribute set W |= (M, ρ) towards attribute set W  |= (M  , ρ ). – ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params): A PPT algorithm run by proxy that takes as input a first-level ciphertext C encrypted under attribute set W , a re-encryption key RK(M,ρ)→(M  ,ρ ) and params. It outputs a re-encrypted ciphertext D if W |= (M, ρ) or error symbol ⊥ indicating C is invalid. The ciphertext D cannot be re-encrypted, also termed as second-level ciphertext. – ReDecrypt(D, SK(M  ,ρ ) , params): A deterministic algorithm that takes as input a second-level ciphertext D encrypted under an attribute set W  , a private key SK(M  ,ρ ) and params. If W  |= (M  , ρ ), it outputs the message m ∈ M or an error symbol ⊥ indicating D is invalid. The consistency of a KP-ABPRE scheme for any given public parameters params, private keys SK(M,ρ) ← KeyGen(M SK, (M, ρ), params), SK(M  ,ρ ) ← KeyGen(M SK, (M  , ρ ), params) and re-encryption keys RK(M,ρ)→(M  ,ρ ) ← ReKeyGen(SK(M,ρ) , (M, ρ), (M  , ρ ), params) and ∀m ∈ M, the following equations hold: 1. Consistency between encryption and decryption: Decrypt(C, SK(M,ρ) , params) = m, where C ← Encrypt(m, W, params). 2. Consistency between encryption, proxy re-encryption and decryption: ReDecrypt((ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params)), SK(M  ,ρ ) , params) = m, where C = Encrypt(m, W, params) and W |= (M, ρ).

4

Security Model

Our game-based definitions of selective security of a single-hop unidirectional KP-ABPRE against CCA attack are adaptations of the definitions of CCA security for KP-ABPRE systems in [11]. A KP-ABPRE scheme is IN D-P RE-CCA secure if no PPT adversary has a non-negligible advantage in the below game between the challenger C and adversary A. In this model, the adversary A needs to fix the target access structure (M ∗ , ρ∗ ) beforehand in the Initialization phase.

650

A. Paul et al.

Game Template of IN D-P RE-CCA security: • Initialization: A outputs a target access structure (M ∗ , ρ∗ ) on which it wishes to be challenged. C runs Setup(1κ , U ) and sends the public parameter params to A. • Phase 1: A issues queries to the following oracles simulated by C: – Private Key Extraction(OSK (M, ρ)): On input of an access structure (M, ρ), compute its corresponding private key SK(M,ρ) and return to A. – Re-encryption Key Generation(ORK ((M, ρ), (M  , ρ ))): Given two access structures (M, ρ) and (M  , ρ )) as input, compute the re-encryption key RK(M,ρ)→(M  ,ρ ) and return it to A. – Re-Encryption(ORE (C, (M, ρ), (M  , ρ ))): On input of a first-level ciphertext C, access structures (M, ρ) and (M  , ρ ), compute reencryption key RK(M,ρ)→(M  ,ρ ) and the second level ciphertext D ← ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params). Return D to A. – Decryption(ODec (C, (M, ρ))): Given a first level ciphertext C and an access structure (M, ρ) as input, decrypt the ciphertext to obtain m ∈ M. Return m or ⊥ if the ciphertext is invalid. – Re-Decryption(ORD (D, (M  , ρ ))): Given a second level ciphertext D and an access structure (M  , ρ ) as input, decrypt the ciphertext to obtain m ∈ M. Return m or ⊥ if the ciphertext is invalid. • Challenge: A decides whether it wants to be challenged with a first level or a second level ciphertext. It outputs two equal length messages m0 and m1 in M to C. On receiving {m0 , m1 }, C picks ψ ∈ {0, 1} at random, an attribute set W ∗ |= (M ∗ , ρ∗ ) and generates a challenge ciphertext and returns to A. • Phase 2: A issues queries to the oracles similar to Phase 1, subject to constraints as discussed later. • Guess: A outputs its guess ψ  ∈ {0, 1}. The actual construction of challenge ciphertext and constraints on queries of A are defined based on the ciphertext type that A opts for. Due to the existence of two levels of ciphertexts, namely first level and second level, the security game and different adversarial constraints at both levels are shown next. 4.1

First Level Ciphertext Security:

For the first-level ciphertext security, C interacts with A as per the game template shown above (Game 1), with the following adversarial constraints, where the challenge ciphertext is C ∗ =Encrypt(mψ , W, params) and W |= (M ∗ , ρ∗ ): – OSK (M ∗ , ρ∗ ) should not be queried by A. – ORK ((M ∗ , ρ∗ ), (M  , ρ )) must not be queried if OSK (M  , ρ ) has already been queried. – OSK (M  , ρ ) must not be queried if ORE (C ∗ , (M ∗ , ρ∗ ), (M  , ρ )) has already been queried. – OSK (M  , ρ ) must not be queried if ORK ((M ∗ , ρ∗ ), (M  , ρ )) has already been queried.

Efficient Attribute-Based Proxy Re-Encryption

651

D−P RE−CCA (κ) CCA-Security Game 1 ExpIN A,1

(M ∗ , ρ∗ ) ← A, params ← Setup(κ); (m0 , m1 , St) ← AOSK ,ORK ,ORE ,ODec ,ORD (params); ψ R {0, 1}, C∗ ←Encrypt(mψ , W |= (M ∗ , ρ∗ ),params); ψ  ← AORK ,ORE ,ODec ,ORD (C∗ , St); //query constraints are shown in Section 4.1 if ψ = ψ  return 1, else return 0 Game 1: IND-PRE-CCA security game for first level ciphertext. Note that St is the state information maintained by A.

D−P RE−CCA (κ) CCA-Security Game 2 ExpIN A,2

(M ∗ , ρ∗ ) ← A, params ← Setup(κ); (m0 , m1 ,St) ← AOSK ,ORK ,ODec ,ORD (params); ψ R {0, 1}, C∗ ←Encrypt(W |= (M ∗ , ρ∗ ), mψ ,params); ψ  ← AORK ,ODec ,ORD (C∗ , St); //query constraints are shown in Section 4.2 if ψ = ψ  return 1, else return 0 Game 2: IND-PRE-CCA security game for second level ciphertext.

– ORE (C ∗ , (M ∗ , ρ∗ ), (M  , ρ )) must not be queried if OSK ((M  , ρ )) has already been queried. – ODec (C ∗ , (M ∗ , ρ∗ )) cannot be queried by A. – ORD (D, (M  , ρ )) cannot be queried for second level ciphertext D reencrypted towards (M  , ρ ) where D is a challenge derivative (defined next) of C ∗ . Definition 6 Challenge Derivative[10]. A challenge derivative of C ∗ in the CCA setting is inductively defined as below: – Reflexivity: C ∗ is a challenge derivative of itself. – Derivative by re-encryption: D is a challenge derivative of C ∗ if D ← ORE (C ∗ , (M ∗ , ρ∗ ), (M  , ρ )). – Derivative by re-encryption key: D is a challenge derivative of C ∗ if RK   ∗ (M ∗ ,ρ∗ )→(M  ,ρ ) ← ORK ((M, ρ), (M , ρ )) and D = ReEncrypt(C , RK(M,ρ) →(M  ,ρ ) , params). Definition 7. The advantage of any PPT adversary A denoted by AdvA in winning the above IND-PRE-CCA game (Game 1) for first level ciphertext which D−P RE−CCA (κ) is shown as we term as ExpIN A,1    1   IN D−P RE−CCA IN D−P RE−CCA  := P r ExpA,1 (κ) −  AdvA,1 2 where the probability is over the coin tosses of challenger C and adversary A.

652

A. Paul et al.

The scheme is IN D-P RE-CCA secure for the first level ciphertext against any t-time adversary A that makes atmost qSK , qRK , qReEnc , qDec and qRD queries to OSK , ORK , ORE , ODec and ORD oracles respectively, if the advantage of A IN D−P RE−CCA ≤ . is negligibly small: AdvA,1 4.2

Second Level Ciphertext Security:

For the second-level ciphertext security game (Game 2), the adversarial constraints on A are given below, where the challenge ciphertext is D∗ = ReEncrypt(C, RK(M  ,ρ )→(M ∗ ,ρ∗ ) , params) and C is a first level encryption of mψ under the delegator’s attribute set W  satisfying access structure (M  , ρ ). Note that for single-hop KP-ABPRE schemes, A is given access to all possible reencryption keys. As a result, there is no need to provide A with the re-encryption oracle. – OSK ((M ∗ , ρ∗ )) should not be queried by A. – ORD (D∗ , (M ∗ , ρ∗ )) must not be queried. Definition 8. The advantage of any PPT adversary A denoted by AdvA in winning the above IND-PRE-CCA game (Game 2) for second level ciphertext D−P RE−CCA (κ) is shown as which we term ExpIN A,2     IN D−P RE−CCA D−P RE−CCA AdvA,2 := P r ExpIN (κ) − A,2

 1  2

where the probability is over the coin tosses of challenger C and adversary A. The scheme is IN D-P RE-CCA secure for the second level ciphertext against any t-time adversary A that makes atmost qSK , qRK , qReEnc , qDec and qRD queries to OSK , ORK , ODec and ORD oracles respectively, if the advantage of IN D−P RE−CCA ≤ . A is negligibly small: AdvA,2 DSK-Security Game ExpDSK (κ) A (M ∗ , ρ∗ ) ← A, params ← Setup(κ); (SK(M ∗ ,ρ∗ ) , St) ← AOSK ,ORK (params); //query constraints shown in Section 4.3 if SK(M ∗ ,ρ∗ ) is a valid private key of (M ∗ , ρ∗ ), return 1, else return 0 Game 3: DSK security game for KP-ABPRE schemes.

4.3

Collusion Resistance

Collusion-resistance, also termed as delegator secret key security (DSK security) prevents a colluding proxy and delegatee to recover private keys of the delegator in full. The game template for DSK security is shown below, adapted from [18], illustrated in Game 3.

Efficient Attribute-Based Proxy Re-Encryption

653

– Setup: A outputs a challenge access structure (M ∗ , ρ∗ ). C generates the public parameters params using the Setup algorithm and returns it to A. – Queries: A issues queries to the Private Key Extraction(OSK (M, ρ)) and Re-encryption Key Generation(ORK ((M, ρ), (M  , ρ ))) oracle adaptively. It cannot query for the private key of the target access structure (M ∗ , ρ∗ ). – Output: A returns SK(M ∗ ,ρ∗ ) as the private key of the target access structure (M ∗ , ρ∗ ). A wins the game if SK(M ∗ ,ρ∗ ) is a valid private key of (M ∗ , ρ∗ ). Definition 9. The advantage of any PPT adversary A denoted by AdvA in win(κ) ning the DSK-security game given above (Game 3) which we term ExpDSK A is shown as DSK AdvA := Pr[A wins]

where the probability is over the coin tosses of challenger C and adversary A. The scheme is DSK secure against any t-time adversary A that makes atmost qSK and qRK queries to OSK and ORK oracles respectively, if the advantage of DSK ≤ . A is negligibly small: AdvA

5 5.1

Analysis of a CCA-secure KP-ABPRE Scheme Review of the Scheme Due to Ge et al. [10]

The CCA-secure KP-ABPRE scheme due to Ge et al [10] consists of the following algorithms. It is based on composite order bilinear pairing. – Setup(1κ , U ): The setup algorithm chooses a bilinear group G0 of order N = p1 p2 p3 . Let Gpi denote the subgroup of G0 of order pi . It chooses α, φ ∈ ZN , g, gˆ1 , gˆ2 ∈ Gp1 , X3 ∈ Gp3 . For each attribute i, it picks si ∈ ZN and computes Ti = g si . Let SYM be a CCA-secure one-time symmetric encryption scheme, and Sig = (G, S, V) be a strongly unforgeable one-time signature scheme. H1 : G1 → Z∗N and H2 : G1 → {0, 1}∗ are collision-resistant hash functions. The master secret key is M SK = (α, X3 ). The public parameters are params = (N, g, gˆ1 , gˆ2 , gˆ2 φ , eˆ(g, g)α , Ti , SY M, (G, S, V), H1 , H2 ). – KeyGen(M SK, (M, ρ), params): Given as input an access structure (M, ρ), the trusted authority picks a random vector μ such that μ · 1 = α. For each row Mx of matrix M , it chooses rx ∈ ZN and Wx , Vx ∈ Gp3 and computes rx Wx , Kx,2 = g rx Vx . private key as: ∀Mx ∈ {M1 , · · · Ml } : Kx,1 = g Mx ·μ Tρ(x) – Encrypt(m, W, params): To encrypt a message m ∈ G1 under an attribute set W , the sender encrypts as shown below: 1. Set C1 = W . Select a one-time signature pair (svk, ssk) ← G. 2. Pick s ∈ ZN and compute C0 = m · eˆ(g, g)αs , C2 = g s , ∀i ∈ W : Ci = Tis , C3 = (gˆ1 svk gˆ2 φ )s . Run the sign algorithm σ ← S(ssk, (C0 , C2 , Ci , C3 )). 3. Return the original ciphertext C = (svk, C0 , C1 , C2 , Ci , C3 , σ).

654

A. Paul et al.

– ReKeyGen(SK(M,ρ) , (M, ρ), (M  , ρ ), params): The delegator generates a re-encryption key from access structure (M, ρ) to (M  , ρ ), as shown below: 1. Choose θ ∈ Zp and δ ∈ G1 . For each row Mx of the matrix M , compute: H (δ)

rk1 = Kx,11

H (δ)

θ · Tρ(x) , rk2 = Kx,21

, rk3 = g θ .

2. Select an attribute set W  where W  |= (M  , ρ ). 3. Select a one-time signature pair (svk  , ssk  ) ← G.   4. Pick s ∈ ZN and compute rk4 = δ · eˆ(g, g)αs , rk5 = g s , ∀i ∈ W  : rk6,i =    Tis , rk7 = (gˆ1 svk gˆ2 φ )s . 5. Run the sign algorithm σ  ← S(ssk  , (rk4 , rk5 , rk6i , rk7 )). 6. Return RK(M,ρ)→(M  ,ρ ) = (rk1 , rk2 , rk3 , S  , svk  , rk4 , rk5 , rk6,i , rk7 , σ  ). – ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params): On input of an original ciphertext C, the proxy re-encrypts C towards access structure (M  , ρ ) as below: 1. Check if the following equations hold: ?

V(svk, σ, (C0 , C2 , Ci , C3 )) = 1,

?

eˆ(C2 , gˆ1 svk gˆ2 φ ) = eˆ(g, C3 ).

2. If the above check fails, return ⊥. Else,  if W |= (M, ρ), compute reconstruction constants ωx such that ρ(x)∈W ωx Mx = 1. Compute  eˆ(C2 ,rk1 )ωx Q= (ˆ e(Cρx ,rk2 )ˆ e(Cρ(x) ,rk3 ))ωx . 3. Pick a random key ∈ G1 and compute Φ1 = SY M.Enc(H2 (key, G)), where G = (C||(W  , svk  , rk4 , rk5 , rk6,i , rk7 , σ  )||Q). 4. Select an attribute set W  such that W  |= (M  , ρ ) and a one-time signature pair (svk  , ssk  ) ← G. Choose s ∈ ZN and compute C0 =      key · eˆ(g, g)αs , C2 = g s , ∀i ∈ W  : Ci = Tis , C3 = (ˆ g1svk gˆ2φ )s . Run the sign algorithm to generate σ  ← S(ssk  , (C0 , C2 , Ci , C3 )). Denote Φ2 = (W  , svk  , C0 , C2 , Ci , C3 , σ  ). 5. Return the re-encrypted ciphertext D = (Φ1 , Φ2 ). – Decrypt(C, SK(M,ρ) , params): In order to decrypt a first-level ciphertext C, the decryption algorithm proceeds as below: 1. Check the validity of the ciphertext using Eqs. (1) and (2). 2. If check fails, output ⊥ and aborts. Otherwise if W |= (M, ρ), output ⊥ and aborts. Else, compute reconstruction constants = 1. Compute plaintext m = ωx such that ρ(x)∈W ωx Mx  ωx  eˆ(C2 ,Kx,1 ) C0 ρ(x)∈S eˆ(Cρ(x) ,Kx,2 )ωx . – ReDecrypt(D, sk(M  ,ρ ) , params): To decrypt a second-level ciphertext D = (Φ1 , Φ2 ), the decryption algorithm proceeds as below: • Check if the following equations hold: V(svk  , σ  , (C0 , C2 , Ci , C3 )) = 1, ?



eˆ(C2 , gˆ1svk gˆ2φ ) = eˆ(g, C3 ). ?

If the checks fail, output ⊥ and abort. Further, if W  |= M  , output ⊥ and abort. Compute the reconstruction constants ω  such that     eˆ(C2 ,Kx ,1 )ωx     . ωx  ρ(x )∈W  ωx Mx = 1. Compute key = C0 ρ(x )∈W  eˆ(Cρx ,Kx ,2 )

Efficient Attribute-Based Proxy Re-Encryption

655

• Run the decryption algorithm G = SY M.Dec(H2 (key), Φ1 ). • Check if the Eqs. (1) and (2) hold. If fails, return ⊥ and abort. Otherwise, perform the following checks: V(svk  , σ  , (rk4 , rk5 , rk6,i , rk7 )) = 1, ?



?

eˆ(rk5 , gˆ1svk gˆ2φ ) = eˆ(g, rk7 ).

If fails, return ⊥ and abort. If W  |= (M  , ρ ), return ⊥ and abort. • Compute the reconstruction constants ωx such that ρ(x )∈W  ωx Mx =    eˆ(rk5 ,Kx ,1 )ωx 1. Next, compute δ = rk4  .   ωx ρ(x )∈W eˆ(rk6,ρ(x ) ,Kx ,2 )

H1 (δ)−1

• Compute Q eˆ(g, g)sα . 5.2



= eˆ(g, g)

and output the plaintext m = C0 /

Attack on the Scheme

In this section we present a CCA-attack on the scheme due to Ge et al [10]. Note that the following attack is launched in the second-level ciphertext CCA-security game. In Phase 1 of the security game, the challenger C provides the adversary A with all possible re-encryption keys in the system, as per the security definition in [10]. Let D∗ = (Φ∗1 , Φ∗2 ) be the challenge ciphertext generated by C, which is the re-encryption of message mψ (selected randomly by C during challenge phase) from a delegator’s attribute set satisfying access structure (M  , ρ ) towards target access structure (M ∗ , ρ∗ ). The CCA attack is demonstrated below. 1. A parses re-encryption key RK(M  ,ρ )→(M ∗ ,ρ∗ ) = (rk1∗ , rk2∗ , rk3∗ , W ∗ , svk ∗ , ∗ , rk7∗ , σ ∗ ). rk4∗ , rk5∗ , rk6,i 2. A creates a first-level decryption query for a ciphertext generated as below: – Set C0 = rk4∗ , C1 = W ∗ , C2 = rk5∗ and C3 = rk7∗ . ∗ . Set the signature σ = σ ∗ . – For all attributes i ∈ W ∗ , set Ci = rk6,i ∗ – The ciphertext CA1 = (svk , C0 , C1 , C2 , Ci , C3 , σ) is passed a parameter to the first level decryption oracle provided by the challenger. 3. C decrypts ciphertext CA1 using Decrypt algorithm to extract δ ∗ used in re-encryption key generation corresponding to challenge ciphertext D∗ . 4. A parses challenge ciphertext component Φ∗2 = (W ∗ , svk ∗ , C0∗ , C2∗ , Ci∗ , C3∗ , σ ∗ ). 5. Using this second-level challenge ciphertext, the adversary now creates another decryption query for a first level ciphertext generated as below: – Set C0 = C0∗ , C1 = W ∗ , C2 = C2∗ and C3 = C3∗ . – For all attributes i ∈ W ∗ , set Ci = Ci∗ . Set the signature σ = σ ∗ . – The ciphertext CA2 = (svk ∗ , C0 , C1 , C2 , Ci , C3 , σ) is passed a parameter to the first level decryption oracle provided by the challenger. 6. On decryption of CA2 , A receives key ∗ used in generation of the challenge ciphertext D∗ . Therefore, A can now recover G∗ using the symmetric decryption algorithm G∗ = SY M.Dec(H2 (key ∗ ), Φ∗1 ). ∗ , rk7∗ , σ ∗ )||Q) and then parses 7. A parses G∗ = (C||(W ∗ , svk ∗ , rk4∗ , rk5∗ , rk6,i C = (svk, C0 , C1 , C2 , Ci , C3 , σ).

656

A. Paul et al.

8. Finally A computes mψ =

C0 −1 QH1 (δ)

as per ReDecrypt() algorithm.

This completes the description of the attack. A can recover the original message mψ re-encrypted by C towards a target access structure (M ∗ , ρ∗ ) in the challenge ciphertext D∗ , which successfully breaks the CCA security of the scheme.

6

Analysis of an RCCA-secure KP-ABPRE Scheme

6.1

Review of the Scheme Due to Li et al. [12]

The RCCA-secure KP-ABPRE scheme due to Li et al. [12] consists of the following algorithms. – Setup(1κ , U ): The setup algorithm takes as input the universe description U , where U = {0, 1}∗ and security parameter κ. It chooses groups G0 , G1 of prime order p. Let g by a generator of G0 . It randomly picks values α ∈ Zp and g1 , h ∈ G0 , and sets M SK = α. k is a parameter determined by κ and {0, 1}k is the message space M. Three cryptographic hash functions are chosen as follows: F : {0, 1}∗ → G0 , H1 : {0, 1}∗ → Zp and H2 : {0, 1}∗ → {0, 1}k . The public parameters params = g, g1 , h, g α , F, H1 , H2 , eˆ(g, h)α . – KeyGen(M SK, (M, ρ), params): On input of an access structure (M, ρ) where l × k is the size of access structure M , the trusted authority executes Share(M, ρ, α) to obtain l sets of shares λρ(i) = Mi · v, where it picks y2 , · · · yn ∈ Zp and sets v = (α, y2 , · · · yn ). It chooses r1 , · · · rl ∈ Z∗p and computes the private key SK(M,ρ) as follows: K11 = hλρ(1) · F (ρ(1))r1 , K21 = g r1 , · · · , K1l = hλρ(l) · F (ρ(l))rl , K2l = g rl . It outputs SK(M,ρ) along with the description of (M, ρ). – Encrypt(m, W, params): Given as input a message m ∈ M and an attribute set W , the algorithm randomly picks R ∈ G1 and computes s1 = H1 (R, m) and r = H2 (R). It computes the first level encryption C as follows: C0 = R · eˆ(g, h)αs1 , C1 = g s1 , C2 = g1s1 , C3 = r ⊕ m, {Cx = F (x)s1 , ∀x ∈ W }. It outputs ciphertext C = C0 , C1 , C2 , C3 , {Cx , ∀x ∈ W }, W . – ReKeyGen(SK(M,ρ) , (M, ρ), (M  , ρ ), params): To generate a re-encryption key from an access structure (M, ρ) to (M  , ρ ), the trusted authority calls the KeyGen algorithm and chooses d ∈ Z∗p at random and computes g αd , λ

d

{g1 ρ(i) } where λρ (i) for i = 1 to l is the set of l shares corresponding to access structure (M, ρ). It picks an attribute W  |= (M  , ρ ) and encrypts g αd with the attributes of W  by computing CT1 = Encrypt(g αd , W  , params). It picks random r1 · · · rl ∈ Zp and recomputes key RK(M,ρ)→(M  ,ρ ) as follows: 

λ

d





rk11 = hλρ(1) · F (ρ(1))r1 · g1 ρ(1) , rk21 = g r1 , · · · , rk1l = hλρ(l) · F (ρ(l))rl ·  λ d g1 ρ(l) , rk2l = g rl . It returns the re-encryption key as RK(M,ρ)→(M  ,ρ ) = ({rk1i , rk2i for i=1 to l}, CT1 ). – ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params): Given as input a first-level ciphertext C and a re-encryption key RK(M,ρ)→(M  ,ρ ) , the re-encryption algorithm executes Reconstruct (M, ρ, W ) to obtain a set {ωi : i ∈ I} of secret reconstruction constants where I = {i ∈ [l] : attρ(i) ∈ W }. If W |= (M, ρ), then

Efficient Attribute-Based Proxy Re-Encryption

the relation

 i∈I

657

ωi λρ(i) = α implicitly holds. It computes the re-encrypted

ciphertext component D4 =

 ω eˆ(C1 , i∈I rk1ii )  ωi ˆ(rk2i ,Cρ(i) ) i∈I e

= eˆ(g, h)s1 α eˆ(g, g1 )(s1 αd) . It sets

D0 = C0 , D1 = C1 , D2 = C2 , D3 = C3 , D5 = CT1 and outputs second level ciphertext D = D0 , D1 , D2 , D3 , D4 , D5 . – Decrypt(C or D, SK(M  ,ρ ) , params): If the input to this algorithm is a first level ciphertext C encrypted under (M, ρ), the decryption algorithm invokes ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params) to obtain D = D0 , D1 , D2 , D3 , D4 , D5 . If the input is a second level ciphertext D and a private key SK(M  ,ρ ) , the algorithm first decrypts D5 = C0 , C1 , C2 , C3 , {Cx }, W   by checking if W  |= (M  , ρ ) and computing the  set of reconstruction constants {ωi : i ∈ I}  where I = {i ∈ [l] : attρ(i) ∈ W } using Reconstruct (M  , ρ , W  ) such that ρ (i)∈W  ωi Mi = 1 holds implicitly.  ω eˆ(C1 , i∈I K1ii ) = eˆ(g, h)s1 α . It extracts g αd = D0 /CT2 . It  ω  i ) ˆ(K2i ,Cρ(i) i∈I e computes CT3 = eˆ(g αd , D2 ) = eˆ(g, g1 )s1 αd . Next, it computes R = D0 · CT3 / ? D4 , m = D3 ⊕ H2 (R) and s = H1 (R, m). If D0 = R · eˆ(g, h)αs and ? s ) D4 = eˆ(g, h)s1 α · eˆ(g αd , g11 , it outputs m. otherwise return ⊥.

It computes CT2 =

6.2

Attack on the Scheme

In this section, we present an RCCA-attack on the scheme due to Li et al [12]. The following attack is launched in the first-level ciphertext RCCA-security game. Suppose that C ∗ = C0∗ , C1∗ , C2∗ , C3∗ , {Cx∗ }, W ∗  is the challenge ciphertext generated by C, which is the encryption of message mψ (selected randomly by C during challenge phase from messages {m0 , m1 }) towards a delegator’s attribute set W ∗ |= (M ∗ , ρ∗ ) where (M ∗ , ρ∗ ) is the target access structure. The RCCA attack launched by the adversary A is demonstrated below: The adversary A picks β ∈ Z∗p at random. ∗ It computes C0 ” = C0∗ · eˆ(g, h)αβ = R · eˆ(g, h)α(s1 +β) . ∗ s∗ +β It computes C1 ” = C1∗ · g β = g s1 +β and C2 ” = C2∗ · g1β = g11 . It picks C3 ” ∈ {0, 1}k at random. ∗ For all x ∈ W ∗ , it computes {Cx ” = Cx∗ · F (x)β = F (x)s1 +β }. It constructs a first level ciphertext C” = C0 ”, C1 ”, C2 ”, C3 ”, {Cx ”}, W ∗ . It queries the re-encryption oracle ORE (C”, (M ∗ , ρ∗ ), (M  , ρ )) such that OSK (M  , ρ ) is already queried upon for the access structure (M  , ρ ). 8. The returned second level ciphertext is D = D0 , D1 , D2 , D3 , D4 , D5 , such ∗ ∗ that the ciphertext component D4 = eˆ(g, h)α(s1 +β) · eˆ(g, g1 )(s1 +β)αd . 9. A parses D5 = C0 , C1 , C2 , C3 , {Cx }, W  . Since SK(M  ,ρ ) is known to A, it computes the set of reconstruction constants {ωi : i ∈ I} where I = {i ∈ [l] : attρ(i) ∈ W  } by invoking Reconstruct (M  , ρ , W  ) such  ω  eˆ(C1 , i∈I K1ii )   that = ω  ρ (i)∈W  ωi Mi = 1 holds and computes CT2 = 

1. 2. 3. 4. 5. 6. 7.

s1 α

eˆ(g, h)

i∈I

.

i ) eˆ(K2i ,Cρ(i)

658

A. Paul et al.

10. It extracts g αd = D0 /CT2 and computes CT3 ∗ eˆ(g, g1 )(s1 +β)αd . 11. It computes R∗ = D0 · CT3 /D4 and r∗ = H2 (R∗ ). 12. Finally, A computes mψ = r ⊕ C3∗ .

=

eˆ(g αd , D2 )

=

Note that, as per the security definition of RCCA-secure PRE by Libert et al. [17], the adversary cannot issue decryption queries for any second level ciphertext D if Decrypt(D, SK(M  ,ρ ) ) ∈ {m0 , m1 } (such an adversarial constraint is not imposed in the security game of CCA secure PRE [10], and the adversary is allowed to issue such decryption queries). Accordingly, the adversary A does not query the decryption of any challenge ciphertext derivative in the above attack. In fact, the ciphertext component C3 is picked at random. The RCCA attack could be launched due to the absence of ciphertext validation in the re-encryption algorithm of the given construction. A can recover the original message mψ encrypted by the challenger towards the target access structure (M ∗ , ρ∗ ) as a first level challenge ciphertext C ∗ , which successfully breaks the RCCA security of the scheme. This completes the description of the attack.

7 7.1

Our Unidirectional CCA-secure KP-ABPRE Scheme Technical Overview of Construction

The starting points of our construction are the KP-ABE scheme of Rao et al. [21] which relies on the threshold public key encryption framework of Qin et al. [20] to design the basic construction realising monotone LSSS access structure and BLS short signature [5]. Constant size first-level ciphertexts are achieved by increasing the private key size by a factor of |W |, where W is the set of distinct attributes associated with the access structure embedded in the private key. The CA first chooses a random exponent α ∈ Z∗p as the master secret key and computes the public component Y = eˆ(g, g)α . The first-level ciphertext of a message m ∈ M and an attribute set W is generated using the “Hashed El-Gamal” [8,9] encryption system. First, a random string σ ∈ {0, 1}lσ is chosen and s = components C0 = (m||σ) ⊕ H2 (Y s ), H1 (m||σ) is computed. Then the ciphertext s   s s C1 = g , C2 = g1 and C3 = h0 atty ∈W hy are computed. Component  s C4 = H3 (W, C0 , C1 , C2 , C3 ) can be viewed as a BLS signature signing the components (C0 , C1 , C2 , C3 , W ) used during decryption/re-encryption to check well-formedness of the first-level ciphertexts. H1 , H2 and H3 are cryptographic hash functions defined in our construction. Finally, C = C0 , C1 , C2 , C3 , C4 , W  is returned as the first-level ciphertext. At the second-level, constant size ciphertexts is achieved by increasing the re-encryption key size by a factor of |W |, where W is the set of distinct attributes associated with the access structure (M, ρ) embedded in the private key of the delegator. To delegate decryption rights towards an access structure (M  , ρ ), the delegator chooses strings δ ∈ {0, 1}lm , γ ∈ {0, 1}lσ , picks an attribute set W  |= (M  , ρ ) and computes s = H1 (δ||γ). Next, it computes re-encryption key s      components rk4 = (δ||γ) ⊕ H2 (Y s ), rk5 = g s , rk6 = h0 atty ∈W  hy and

Efficient Attribute-Based Proxy Re-Encryption

659

 s computes a BLS signature rk7 = H5 (W  , rk4 , rk5 , rk6 ) on the components (rk4 , rk5 , rk6 , W  ). We construct our re-encryption key in such a way that the string (δ||γ) is blinded with a random salt and can only be removed by a delegatee with private key SK(M  ,ρ ) such that W  |= (M  , ρ ) during decryption of the re-encrypted ciphertexts. The private key Ki of delegator can be retrieved from the re-encryption key component rk1i only by users with the knowledge random element θ (chosen by delegator). This clearly makes it infeasible to retrieve the private key of the delegator from the re-encryption key and provides collusionresistance. The CCA-security of the second-level ciphertext follows from the two integrated “hashed” CCA-secure El-Gamal encryptions (D1 , D3 ) in the secondlevel ciphertext D = (D0 , D1 , D2 , D3 , D4 , D5 , D6 , W  ). 7.2

Our Construction

– Setup(1κ , U ): The algorithm chooses two bilinear groups G0 , G1 of prime order p. Let g and g1 be generators of G0 , and eˆ : G0 × G0 → G1 denote an admissible bilinear map. It chooses a random exponent α ∈ Z∗p and computes Y = eˆ(g, g)α . It picks h0 ∈ G0 and for every attribute atty ∈ U , picks hy ∈ G0 . lm and lσ are parameters determined by κ, {0, 1}lm is the size of the message space M. Let |U | = n be the attribute universe size. Five cryptographic hash functions, modelled as random oracles in the security proof are chosen as follows: H1 : {0, 1}lm +lσ → Z∗p , H2 : G1 → {0, 1}lm +lσ , H3 : {0, 1}∗ × G31 → G0 , H4 : {0, 1}lm → Z∗p , H5 : {0, 1}∗ × G21 → G0 . The public parameters returned are params = G0 , G1 , eˆ, p, g, g1 , h0 , h1 , · · · hn , Y, H1 , H2 , H3 , H4 , H5 . The master secret key M SK is α. – KeyGen(M SK, (M, ρ), params): On input of an access structure (M, ρ) where l × k is the size of matrix M , the CA executes Share(M, ρ, α) to obtain a set of l shares λρi = Mi · v, where v ∈R Zkp , such that v · 1 = α. Note that 1 = (1, 0, · · · , 0) is a vector of length k. For each row Mi of the matrix M , it picks ri ∈ Z∗p and computes:   : Kiy = hryi , ∀y ∈ [n]\{ρ(i)}}. Ki = g λρ(i) (h0 hρ(i) )ri , Ki = g ri , Ki = {Kiy

It returns SK(M,ρ) = (M, ρ), {∀i ∈ [l] : Ki , Ki , Ki } to the user. – Encrypt(m, W, params): Given as input a message m ∈ M and an attribute set W , the first-level encryption algorithm encrypts m as below: • Select σ ∈ {0, 1}lσ . • Compute s = H1 (m||σ). • Compute C0 = (m||σ) ⊕ H2 (Y s ). s • Compute C1 = g s , C 2 = g1 . s • Compute C3 = h0 atty ∈W hy .  s • Compute C4 = H3 (W, C0 , C1 , C2 , C3 ) . • Return the first-level ciphertext C = C0 , C1 , C2 , C3 , C4 , W . – Decrypt(C, SK(M,ρ) , params): On input of a first level ciphertext C and a private key SK(M,ρ) , the decryption algorithm works as below:

660

A. Paul et al.

1. First check if the ciphertext is well-formed as below: ?

eˆ(g, C2 ) = eˆ(g1 , C1 ) ?

eˆ(g, C3 ) = eˆ(C1 , h0



(1) hy ),

(2)

atty ∈W ?

eˆ(g, C4 ) = eˆ(C1 , H3 (W, C0 , C1 , C2 , C3 )).

(3)

2. If the checks fail, output ⊥ and abort. 3. Otherwise, execute Reconstruct (M, ρ, W ) to obtain a set {ωi : i ∈ I} of secret reconstruction constants  where I = {i ∈ [l] : attρ(i) ∈ W }. If holds. W |= (M, ρ), then the relation i∈I ωi λρ(i) = α ωimplicitly i     , E2 = i∈I (Ki )ωi 4. Compute: E1 = i∈I Ki · atty ∈W,y=ρ(i) Ki,y 5. Compute the plaintext:

 eˆ(C1 , E1 ) (m||σ) = C0 ⊕ H2 . (4) eˆ(C3 , E2 ) ?

6. If C1 = g H1 (m||σ) , return the plaintext m, else return ⊥. – ReKeyGen(SK(M,ρ) , (M, ρ), (M  , ρ ), params): To generate a re-encryption key from an access structure (M, ρ) to (M  , ρ ), the re-encryption key generation algorithm computes the re-key RK(M,ρ)→(M  ,ρ ) as follows: 1. Choose θ ∈ Zp . Pick δ ∈ {0, 1}lm and γ ∈ {0, 1}lσ . For each row Mi of the matrix M of size l × k, compute: θ H (δ)  rk1i = Ki 4 · h0 hρ(i) , rk2i = (Ki )H4 (δ) · g θ ,  H (δ) rk3i = {rk3iy : rk3iy = Kiy 4 · hθy , ∀y ∈ [n]\{ρ(i)}}. Compute s = H1 (δ||γ).  ⊕ H2 (Y s ). Compute rk4 = (δ||γ) s Compute rk5 = g . Pick an attribute set W  |= (M  , ρ ). s   Compute rk6 = h0 atty ∈W  hy .  s 7. Compute rk7 = H5 (W  , rk4 , rk5 , rk6 ) . 8. Return the re-encryption key RK(M,ρ)→(M  ,ρ ) = ({∀i ∈ [l] : rk1i , rk2i , rk3i }, rk4 , rk5 , rk6 , rk7 , W  ). – ReEncrypt(C, RK(M,ρ)→(M  ,ρ ) , params): Given as input a first-level ciphertext C and a re-encryption key RK(M,ρ)→(M  ,ρ ) , the re-encryption algorithm re-encrypts the first-level ciphertext as below: 1. It checks the validity of the ciphertext C using Eqs. 1, 2, 3. 2. Check the validity of the re-encryption key by checking if the following equations hold:

? hy , rk5 ) (5) eˆ(g, rk6 ) = eˆ(h0 2. 3. 4. 5. 6.

atty ∈W 

eˆ(rk7 , g) = eˆ(H5 (W  , rk4 , rk5 , rk6 ), rk5 ). ?

If the above checks fail, return ⊥.

(6)

Efficient Attribute-Based Proxy Re-Encryption

661

3. Else if W |= (M, ρ), compute a set {ωi : i ∈ I} of secret reconstruction constants where I = {i ∈ [l] : attρ(i) ∈ W } using Reconstruct (M, ρ, W )   such that ρ(i)∈S ωi Mi = 1 implicitly holds. Compute re1 = i∈I rk1i · ωi   , re2 = i∈I (rk2i )ωi atty ∈W,y=ρ(i) rk3i 4. Next, compute: D0 =

eˆ(C1 , re1 ) eˆ(C3 , re2 )

= Y sH4 (δ) .

(7)

5. Set ciphertext components: D1 = C0 , D2 = C1 , D3 = rk4 , D4 = rk5 , D5 = rk6 , D6 = rk7 . Return second level ciphertext D = D0 , D1 , D2 , D3 , D4 , D5 , D6 , W  . – ReDecrypt(D, SK(M  ,ρ ) , params): In order to decrypt a second-level ciphertext D, the decryption algorithm proceeds as below: 1. Check if the ciphertext is well-formed by checking below equations:

? eˆ(D4 , h0 hy ) = eˆ(g, D5 ) (8) atty ∈W 

eˆ(D6 , g) = eˆ(H5 (W  , D3 , D4 , D5 ), D4 ). ?

(9)

2. If the check fails, abort and return ⊥. 3. Otherwise, if W  |= (M  , ρ ), compute the set of reconstruction constants {ωi : i ∈ I} where I= {i ∈ [l] : attρ(i) ∈ W  } using Reconstruct (M  , ρ , W  ) such that ρ (i)∈W  ωi Mi = 1 holds implicitly. Compute: E1 =



Ki ·



 Ki,y

ωi

, E2 =

atty ∈W  ,y=ρ(i)

i∈I





(Ki )ωi

i∈I

4. Compute δ as below:  (δ||γ) = D3 ⊕ H2

 eˆ(D4 , E1 ) . eˆ(D5 , E2 )

(10)

?

5. If D4 = g H1 (δ||γ) does not hold, return ⊥. Else, extract plaintext as below: 1/H4 (δ)

(m||σ) = D1 ⊕ H2 (D0

).

(11)

?

6. If D2 = g H1 (m||σ) , output m, otherwise return ⊥. 7.3

Correctness

The consistency of our KP-ABPRE scheme is given in the full version of the paper [19] due to space limit.

662

A. Paul et al.

7.4

Security Proof

Proof Sketch. We now give an intuitive proof sketc.h of selective CCA security of our scheme for both first-level and second-level ciphertexts in the random oracle model, based on the n-Decisional Bilinear Diffie-Hellman Exponentiation (n-DBDHE) assumption. We first analyse the security for first-level ciphertexts. As per the Random Oracle Model, the Challenger handles the adversarial queries as follows: hash queries by oracles H1 , · · · , H5 , private key extraction queries by oracle OSK (M, ρ), re-encryption key generation queries by oracle ORK ((M, ρ), (M  , ρ )), re-encryption queries by oracle ORE (C, (M, ρ), (M  , ρ )), decryption queries by oracle ODec (C, (M, ρ)) and re-decryption queries by oracle ORD (D, (M  , ρ )). In the above oracles, the Challenger injects the hard problem instance into the query responses to Oracles H3 and private key extraction oracle OSK (M, ρ) respectively. The first-level and second-level decryption oracles return message m or ⊥ as per the protocol and the remaining oracles return uniformly random elements from the respective domains. The Challenger picks α ∈R Z∗p and implicitly sets msk as α = α + an+1 ,  where an+1 is not known to the Challenger. It computes Y = eˆ(g, g)α · a an α e(g , g ) = eˆ(g, g) , as proven in the Initialization Phase of the security proof (Section 7.5, page 20) in the full version of the paper [19]. For an oracle query to H3 (W, C0 , C1 , C2 , C3 ), the Challenger picks υ ∈R Z∗p and injects n the hard problem instance by computing value μ = (g a )υ . It returns μ as the value of H3 (W, C0 , C1 , C2 , C3 ). It is easy to follow that the computed value μ ∈ G0 is identically distributed as the real hash value from the construction. For a private key extraction query for access structure (M, ρ), if the target attribute set W ∗ |= (M, ρ), the Challenger aborts and returns “failure”. Otherwise, it computes the private keys by appropriately injecting the 2n given values of the hard problem instance at applicable points, as discussed in Phase 1 description (Sect. 7.5, page 21) in the full version of the paper [19]. The detailed analysis shows that the keys computed are identically distributed as the keys generated by the KeyGen algorithm in the construction. In the Challenge Phase, the challenger picks ψ ∈ {0, 1} at random and encrypts mψ under target attribute set W ∗ to form challenge ciphertext C ∗ = (C0∗ , C1∗ , C2∗ , C3∗ , C4∗ , W ∗ ) demonstrating that the ciphertext computed is identically distributed as the ciphertext generated by the Encrypt algorithm in the construction. In particular, the hard problem instance Z is injected into the  ciphertext component C0∗ , computed as C0∗ = (mψ ||σ ∗ ) ⊕ H2 (Z · eˆ(g b , g α )), where σ ∗ ∈R {0, 1}lσ . The details are provided in the full version of the paper [19] (Sect. 7.5, page 24). Therefore, once the adversary A produces its guess ψ  ∈ {0, 1}, if ψ  = ψ, A wins the game and the Challenger decides n+1 eˆ(g b , g a ) = Z, else Z is random. The security game for second-level ciphertexts proceeds in a similar way as the first-level security game. The computation of the challenge second level ciphertext D∗ = (D0∗ , D1∗ , D2∗ , D3∗ , D4∗ , D5∗ , D6∗ , W ∗ ) shown in the Challenger Phase (Sect. 7.6, page 29) in the full version of the paper [19] indicates that the ciphertext computed is identically distributed as the ciphertext generated by the ReEncrypt algorithm in the construction. In

Efficient Attribute-Based Proxy Re-Encryption

663

particular, the hard problem instance is injected in the ciphertext component   D3∗ , where D3∗ = (δ ∗ ||γ ∗ ) ⊕ H2 (Z · eˆ(g b , g α )) = (δ ∗ ||γ ∗ ) ⊕ H2 (Y s ). Therefore,   once the adversary A produces its guess ψ ∈ {0, 1}, if ψ = ψ, A wins the game n+1 and the Challenger decides eˆ(g b , g a ) = Z, else Z is random. First Level Ciphertext Security Theorem 1. If a (t, )IN D-P RE-CCA adversary A has a non-negligible advantage  in breaking the CCA security of the given KP-ABPRE scheme for first level ciphertext, with access to random oracles H1 , H2 , H3 , H4 , H5 , then there exists an algorithm C that solves the n-DBDHE problem with advantage  within time t where,

 q 1 1 qReEnc qH1 H1  − qDec + 2 − lm +lσ −  ≥ , qH2 2 p (2lm +lσ ) p t ≤ t + (qH3 + qH5 + (n + 2)lqSK + (n + 6)lqRK + 7qReEnc + 3qDec + 5qRD )te + (8qReEnc + 8qDec + 6qRD )tbp . where l is the number of rows in access structure (M, ρ), n is the size of attribute universe and te , tbp denote the time taken for exponentiation and pairing operations respectively. Proof. Due to space limit, the proof is given in the full version of the paper [19]. Second Level Ciphertext Security Theorem 2. If a (t, )IN D-P RE-CCA adversary A has a non-negligible advantage  in breaking the IN D-P RE-CCA security of the given KPABPRE scheme for second level ciphertext, with access to the random oracles H1 , H2 , H3 , H4 , H5 , then there exists an algorithm C that solves the n-DBDHE problem with advantage  within time t where,  ≥

   q  qH1 1 qH  H1 − qDec + , 2 · 1 − l 4 − l +l qH2 2m 2m σ (2lm +lσ ) p 1

t ≤ t + (qH3 + (n + 2)lqSK + (n + 6)lqRK + 3qDec + 5qRD )te + (8qDec + 6qRD )tbp .

Proof. Due to space limit, the proof is given in the full version of the paper [19]. Collusion Resistance Theorem 3 [16]. If a unidirectional single-hop KP-ABPRE scheme is INDPRE-CCA secure for first level ciphertexts, then it is collusion resistant as well.

664

8

A. Paul et al.

Conclusion

Although several KP-ABPRE schemes have been proposed in the literature, to the best of our knowledge, only one CCA-secure scheme due to Ge et al. has reported the collusion resistant property. In this paper, we demonstrate a CCA-attack on their construction. We also give a construction of the first unidirectional KP-ABPRE scheme with constant size ciphertexts requiring a constant number of exponentiations in encryption, and constant number of bilinear pairing operations during decryption and re-decryption while satisfying selective CCA-security for first-level and second level ciphertexts. Also, the definition of collusion resistance is met wherein a colluding proxy and delegatee cannot obtain the private key of the delegator. Our work affirmatively resolves the problem of collusion resistance by proposing a computationally efficient collusion resistant KP-ABPRE scheme that supports monotonic access structures for fine-grained delegation of decryption rights.

References 1. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. In: NDSS (2005) 2. Beimel, A.: Secure schemes for secret sharing and key distribution. PhD thesis, Israel Institute of technology, Technion, Haifa, Israel (1996) 3. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20–23 May 2007, California, USA, pp. 321–334. IEEE Computer Society (2007) 4. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122 5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. J. Cryptol. 17(4), 297–319 (2004) 6. Chung, P.-S., Liu, C.-W., Hwang, M.-S.: A study of attribute-based proxy reencryption scheme in cloud environments. I. J. Netw. Secur. 16(1), 1–13 (2014) 7. Cohen, A.: What about bob? the inadequacy of CPA security for proxy reencryption. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 287–316. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6 10 8. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013) 9. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7 2 10. Ge, C., Susilo, W., Fang, L., Wang, J., Shi, Y.: A CCA-secure key-policy attributebased proxy re-encryption in the adaptive corruption model for dropbox data sharing system. Des. Codes Crypt. 86(11), 2587–2603 (2018) 11. Ge, C., Susilo, W., Wang, J., Huang, Z., Fang, L., Ren, Y.: A key-policy attributebased proxy re-encryption without random oracles. Comput. J. 59(7), 970–982 (2016) 12. Li, K., Wang, J., Zhang, Y., Ma, H.: Key policy attribute-based proxy re-encryption and RCCA secure scheme. J. Internet Serv. Inf. Secur. 4(2), 70–82 (2014)

Efficient Attribute-Based Proxy Re-Encryption

665

13. Li, K., Zhang, Y., Ma, H.: Key policy attribute-based proxy re-encryption with matrix access structure. In: 2013 5th International Conference on Intelligent Networking and Collaborative Systems, Xi’an, China, 9–11 September 2013, pp. 46–50 (2013) 14. Liang, K., Fang, L., Wong, D.S., Susilo, W.: A ciphertext-policy attribute-based proxy re-encryption scheme for data sharing in public clouds. Concurrency Comput. Pract. Exper. 27(8), 2004–2027 (2015) 15. Liang, X., Cao, Z., Lin, H., Shao, J.: Attribute based proxy re-encryption with delegating capabilities. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 276–286. ACM (2009) 16. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy reencryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1 21 17. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy reencryption. IEEE Trans. Inf. Theor. 57(3), 1786–1802 (2011) 18. Luo, S., Hu, J., Chen, Z.: Ciphertext policy attribute-based proxy re-encryption. In: Soriano, M., Qing, S., L´ opez, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 401– 415. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0 28 19. Paul, A., Selvi, S.S.D., Rangan, C.P.: Attribute-based proxy re-encryption with constant size ciphertexts. IACR Cryptol. ePrint Arch., 2019:1325 (2019). https:// eprint.iacr.org/2019/1325/20201021:184704 20. Qin, B., Qianhong, W., Zhang, L., Farr` as, O., Domingo-Ferrer, J.: Provably secure threshold public-key encryption with adaptive security and short ciphertexts. Inf. Sci. 210, 67–80 (2012) 21. Rao, Y.S., Dutta, R.: Computational friendly attribute-based encryptions with short ciphertext. Theor. Comput. Sci. 668, 1–26 (2017) 22. Sahai, A., Waters, B.:. Fuzzy identity-based encryption. In: Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005, Proceedings, pp. 457–473. Springer (2005) 23. Weng, J., Deng, R.H., Ding, X., Chu, C.-K., Lai, J.: Conditional proxy reencryption secure against chosen-ciphertext attack. In: Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Sydney, Australia, 10–12 March 2009, pp. 322–332 (2009)

Adaptive-Secure Identity-Based Inner-Product Functional Encryption and Its Leakage-Resilience Linru Zhang, Xiangning Wang, Yuechen Chen, and Siu-Ming Yiu(B) Department of Computer Science, The University of Hong Kong, Pokfulam, Hong Kong SAR, China {lrzhang,xnwang,ycchen,smyiu}@cs.hku.hk

Abstract. There are lots of applications of inner-product functional encryption (IPFE). In this paper, we consider two important extensions of it. One is to enhance IPFE with access control such that only users with a pre-defined identity are allowed to compute the inner product, referred as identity-based inner-product functional encryption (IBIPFE). We formalize the definition of IBIPFE, and propose the first adaptivesecure IBIPFE scheme from Decisional Bilinear Diffie-Hellman (DBDH) assumption. In an IBIPFE scheme, the ciphertext is related to a vector x and a new parameter, identity ID. Each secret key is also related to a vector y and an identity ID . The decryption algorithm will output the inner-product value x, y only if ID = ID . The other extension is to make IBIPFE leakage resilient. We consider the bounded-retrieval model (BRM) in which an adversary can learn at most l bits information from each secret key. Here, l is the leakage bound determined by some external parameters, and it can be set arbitrarily large. After giving the security definition of leakage-resilient IBIPFE, we extend our IBIPFE scheme into a leakage-resilient IBIPFE scheme in the BRM by hash proof system (HPS). Keywords: Identity-based access control · Inner-product functional encryption · Bounded-retrieval model · Hash proof system

1

Introduction

Functional encryption (FE) [11,42] is a cryptographic primitive that addresses the “all-or-nothing” issue of traditional Public key encryption (PKE). FE allows users with secret keys to learn specific functional values of the encrypted data. Roughly speaking, in an FE scheme, given a ciphertext of x, a user who holds secret key skf for function f can only learn f (x) and nothing else. Further, FE is the most general form of encryption. Identity-based encryption (IBE) [10,29, 44,46], Attribute-based encryption (ABE) [32,47] and Predicate encryption (PE) [45] are considered as special cases of FE. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 666–690, 2020. https://doi.org/10.1007/978-3-030-65277-7_30

Adaptive-Secure IBIPFE in the BRM

667

FE schemes for general functionalities (such as general circuits, Turing machines) have been proposed in many works [7,28,30,31,48]. But they have to rely on impractical and not well studied assumptions such as indistinguishability obfuscation (IO) or multilinear maps. Attacks were found for some constructions of IO and multilinear maps [8,14,15,17]. It is not clear if these FE schemes, based on IO and multilinear maps, are secure or not. From 2005, researchers started to focus on giving FE schemes more restricted functionalities with security guaranteed by simple and well studied assumptions [1–3,9,51]. [1] first proposed FE schemes for inner-product (IPFE), which were proved selective-secure under DDH and LWE assumptions. [3] improved its work to achieve adaptive-secure under DDH, LWE and Composite residuosity hardness assumptions. In IPFE schemes, given an encryption of vector x and a secret key sky based on a vector y, the decryption algorithm will output the innerproduct value x, y. IPFE has numerous applications, such as computing the weighted mean. It is important to make it more powerful and secure. First, we consider adding access control to it. Similar to IBE, we can allow users specify an identity ID in their ciphertext ct(ID,x) . Each secret key sk(ID ,y ) is also related to an identity ID . The decryption algorithm with input ct(ID,x) and sk(ID ,y ) will output the inner-product x, y only if ID = ID . We call it identity-based inner-product functional encryption (IBIPFE). There is only one work [23] that considers such identity-based access control of FE. They proposed an unbounded inner-product functional encryption scheme with identity-based access control as a byproduct without giving the formal descriptions of the definitions. And the scheme is only proven to be selective-secure in the random oracle model. 1.1

Our Contributions

As the first contribution of our work, in Sect. 3, we formalize the IND-security definition1 of IBIPFE, and give the first adaptive-secure IBIPFE scheme under the DBDH assumption. As another benefit, our security proof is simpler than the security proof in the selective case [23]. We use the fact that the master secret key is known to the reduction at any time, then it can handle secret key queries without knowing the challenge messages in advance. Actually, IBIPFE can be viewed as a variation of functional encryption as follows:  x, y, If ID = ID  F ((ID, x), (ID , y)) = ⊥, otherwise Both the plaintext and the key consist of 2 parts: an identity and a vector. So the IND-security states that the adversary who can query the secret keys for 1

Unlike traditional PKE, the simulation-based security is not always achievable for FE [42]. So Indistinguishability-based security (IND-security) is widely used in FE research. Generally speaking, IND-security states that the adversary who has the secret keys for functions {fi }i∈[η] cannot distinguish which of the challenge messages x0 or x1 was encrypted under the condition that for all i ∈ [η], fi (x0 ) = fi (x1 ).

668

L. Zhang et al.

a set of (ID, y) cannot distinguish which of the challenge messages (ID∗ , x0 ) or (ID∗ , x1 ) was encrypted under the condition that: For all pairs (ID, y) have been queried, it must hold that F ((ID∗ , x0 ), (ID, y)) = F ((ID∗ , x1 ), (ID, y)). The main difference between selective-IND-security and adaptive-IND-security is: in the adaptive-IND-security game, the adversary is given the master public key at the beginning and chooses the challenge messages after the first round of secret key queries. While in the selective-IND-security game, the adversary has to decide the challenge messages before the generation of master public key and master secret key. In Sects. 4 and 5, we further enhance the security of IPFE by allowing an adversary to learn some information about the secret keys, i.e. leakage-resilience. We extend our IBIPFE scheme under the bounded-retrieval model (BRM) [18, 24], one of the most widely used models in leakage-resilient cryptography. It states that our scheme can be proven secure even if an adversary can obtain l bits from a secret key sk, where l is the leakage bound and is decided by external factors. So in the security definition of leakage-resilient IBIPFE, in addition to secret key query, the adversary can make leakage query, in which the adversary chooses a pair (ID, y) and a leakage function f ∗ , and the challenger will reply with f ∗ (sk(ID,y ) ) as long as the bit-length of output is at most l. The adversary can know all secret keys in the form sk(ID,·) by making secret key query when ID = ID∗ (ID∗ is the challenge identity). Thus, the key issue in the leakage query is the queries on the challenge identity ID∗ . Also, the BRM requires that all efficiency parameters other than the secret key size (such as public key size, encryption time, decryption time and even master secret key size) only depend on the security parameter, and not the leakage bound l. Our leakage-resilient IBIPFE scheme and its security proof build on hash proof system (HPS). [5,39] showed how to use an HPS to construct leakageresilient PKE and IBE schemes. An HPS can be viewed as a key encapsulation mechanism (KEM) with specific structure. A KEM allows a sender that knows the public key, to securely agree on randomness k with a receiver possesses the secret key, by sending an encapsulation ciphertext. A KEM consists of a key generation algorithm to generate public key and secret key, an encapsulation algorithm to generate a pair of ciphertext and encapsulated key, and a decapsulation algorithm which uses the secret key to recover the encapsulated key from a ciphertext. An HPS is a KEM with the following properties: (1) It includes an invalidencapsulation algorithm to generate invalid ciphertexts. And the invalid ciphertexts are computationally indistinguishable from those valid ciphertexts generated by a valid-encapsulation algorithm. (2) The output of decapsulation algorithm with input a fixed invalid ciphertext and a secret key is related to the random numbers used to generate the invalid ciphertext and the secret key. The main benefit of using HPS to construct encryption scheme is that, when proving the security, after switching the valid ciphertext into invalid ciphertext in the first step, we can argue the leakage using information-theoretic analysis.

Adaptive-Secure IBIPFE in the BRM

669

However, existing HPS schemes such as IB-HPS [5] cannot be applied to our cases. When we build an encryption scheme from an HPS scheme, we usually use the encapsulated key as a mask to hide the plaintext in the encryption algorithm, and recover the plaintext from the ciphertext by running the decapsulation algorithm to get the encapsulated key. When we apply it to IBIPFE, if the decapsulation algorithm of the underlying HPS still outputs the encapsulated key directly, then the decryption of IBIPFE will reveal the plaintext vector, other than only an inner-product value. (Recall that IBIPFE requires that the decryption result only reveals an inner-product value and nothing else.) In order to guarantee the security of resulting IBIPFE scheme, modifications are necessary. We first develop the notion Identity-based inner-product hash proof system (IBIP-HPS), which can yield an IBIPFE scheme. Different from other HPS schemes, in an IBIP-HPS scheme, the decapsulation algorithm with input a ciphertext ctID and a secret key sk(ID ,y ) will only output an inner-product value of y and the encapsulated key k when ID = ID , and nothing else. Now, we can get a secure IBIPFE from IBIP-HPS very easily, by simply using the encapsulated key as a one-time pad to encrypt a plaintext vector. Next, we briefly introduce a key property of IBIP-HPS: Leakage-smoothness. Leakage-smoothness states that the distribution of encapsulated key derived from an invalid ciphertext and a set of secret keys is almost uniform over the key space, even if the adversary can learn at most l bits information from the secret keys, where l is a pre-determined leakage bound. Then, we move our focus from the leakage-resilience of IBIPFE to the leakage-smoothness of IBIP-HPS by proving the following theorem: Theorem 1 (informal). Given a leakage-smooth IBIP-HPS with leakage bound l , which satisfies the efficiency requirements of the BRM, we can obtain a  leakage-resilient IBIPFE with leakage bound l = ln in the BRM, where n is the length of vectors. Now our goal is to design a l -leakage-smooth IBIP-HPS, which meets the efficiency requirements of the BRM. To make it simple, we would like to design an IBIP-HPS scheme from simple assumptions, regardless the requirements of the leakage-smoothness and efficiency. We build an IBIP-HPS Π1 from our IBIPFE scheme Π. The main challenge is that, the key generation algorithm in Π is deterministic, while in IBIP-HPS, the secret key should be generated randomly. We first choose a random number z and define a new vector y ∗ by concatenating y and z. After that, we get the secret key by running the key generation algorithm of Π with input the new vector y ∗ . Thus, the secret key is related to the random number z. Then, we study the 0-universality of the decapsulation algorithm, where the 0-universality ensures that it is unlikely that any two distinct secret keys for the same pair (ID, y) will decapsulate a ciphertext to the same value. The formal definition of 0-universality is given in Definition 10. Now, we show that we can convert Π1 into a l -leakage-smooth IBIP-HPS that allows for arbitrarily large leakage-bounds l . We prove a theorem here:

670

L. Zhang et al.

Theorem 2 (informal). Given an 0-universal IBIP-HPS Π1 , we can get a l -leakage-smooth IBIP-HPS Π2 for arbitrarily large leakage bound l . And Π2 meets the efficiency requirements of the BRM. To handle arbitrarily large leakage bound l , [5] used a leakage amplification method, which can be viewed as parallel-repetition with small public key size. However, it cannot be applied to our cases here. In IB-HPS, the output of the decapsulation is already the encapsulated key, then the leakage-smoothness of their scheme can be proved directly from the 0-universality by leftover-hashing lemma [40]. Thus the only thing they need to do is to amplify the leakage bound while meeting the efficiency requirements of the BRM. However, in IBIP-HPS, the output of the decapsulation is only an inner-product value between the encapsulated key and the vector in the secret key. In order to determine an encapsulated key, we need at least n secret keys for n linear independent vectors. Thus, we cannot find the relation between leakage-smoothness and universality very easily, which is one of the most challenging part in our work. Although the leakage amplification method cannot be applied directly, there are some ideas we can borrow. We introduce a key-size parameter m, which gives us flexibility in the size of secret key and will depend on the desired leakage bound l . And also, due to the efficiency requirements, the encapsulation will choose only target on a small subset from {1, ..., m}, and show that the size of the subset (denote by t) is independent of l . Then, recall that we need n secret keys to recover one encapsulated key. In order to finish the proof of leakagesmoothness, the key generation will take an invertible n × n matrix Y as input and the encapsulation algorithm will output n ciphertexts which shares the same encapsulated key. In the proof, we use a similar idea with approximately universal hashing defined in [5], where we only insist that two secret keys generated by running the key generation algorithm with the same input Y which are different enough are unlikely to result in a same encapsulated key. Then we obtain the leakagesmoothness by applying a variant of leftover-hash lemma, and show our scheme meets the efficiency requirements of the BRM by giving a lower bound of t, which is independent of the leakage bound l . In summary, we do the followings: – Formalize the definitions of IBIPFE and give an adaptive-IND-secure IBIPFE scheme Π from DBDH assumption. – Propose the definition of IBIP-HPS and desired properties. Then, we give an IBIP-HPS construction Π1 based on our adaptive-secure IBIPFE scheme Π. – Construct a leakage-smooth IBIP-HPS Π2 from Π1 for arbitrarily large leakage bound l , while Π2 still satisfies the efficiency requirements of the BRM. – Build a leakage-resilient IBIPFE scheme Π3 in the BRM from Π2 . 1.2

Related Works: Leakage-Resilient Cryptography

Due to the advancement of side channel attacks [33–36], traditional cryptographic model, where an adversary can know nothing about the secret values,

Adaptive-Secure IBIPFE in the BRM

671

becomes insufficient. Leakage-resilient cryptography was proposed to formalize the security guarantees when the adversary can obtain some information of the secret values. Lots of leakage models were proposed to measure what and how much information of secrets the adversary can learn. [38] introduced the first leakage model: only computation leaks information. In this model, a function of only the bits accessed is leaked when the cryptographic system is called each time. Many cryptographic schemes were proposed under this model, such as stream ciphers [26,43] and signature schemes [27]. However, a famous type of side-channel attacks, cold-boot attack [33] was proposed and was not captured by this model, where all memory contents can leak information, regardless of whether it is accessed. Relative-leakage model was proposed for these attacks. In this model, an adversary can learn a proportion of secret values. And also, there are many schemes were proposed under this model, such as PKE schemes [4,39], IBE scheme [16]. After that, Bounded-retrieval model was introduced by [18,24]. In this model, the amount of information can be leaked is bounded by a leakage bound l, where l is decided by an external parameter. And it requires that the efficiency of the system, except the length of secret key, should be independent of the leakage bound l. Many schemes [5,13,25,41,52] were proposed under this model. Then, Auxiliary inputs model was proposed by [21]. In this scheme, an adversary can learn an auxiliary input h(s) of secret values s subject to the condition that it is computationally hard to find s from h(s). Many works [19,49] proposed different kinds of cryptographic systems under this model. As another line of work, Continual leakage model was introduced by [12,20]. This model considers the setting that there is a notion of time periods and secret values will be updated at the end of each time period. Here, an adversary can only learn a bounded amount of information in each time period, but it can learn an unbounded amount of information in all time periods. [37,49,50] proposed many cryptographic systems under this model.

2

Preliminaries

Notations. Let [n] denote the set {1, . . . , n}. For vectors x and y, let x||y be their concatenation. For a set S, define US as the uniform distribution over S. Similarly, for an integer v ∈ N, let Uv be the uniform distribution over {0, 1}v . 2.1

Functional Encryption (FE)

We give the definition of FE and its indistinguishable security. Following [11], we define functional encryption scheme for functionality F. Definition 1 (FE scheme). A functional encryption scheme for functionality F consists of 4 PPT algorithms: (Setup, KeyGen, Encrypt, Decrypt). The algorithms have the following syntax.

672

L. Zhang et al.

– Setup(1λ ): It takes the security parameter λ as input, and produces the master public key mpk and the master secret key msk. The following algorithms implicitly include mpk as input. – KeyGen(msk, k): It uses the master secret key msk and key k ∈ K to sample a secret key skk . – Encrypt(x): It uses the master public key mpk and a message x ∈ X to generate a ciphertext ctx . – Decrypt(skk , ctx ): It takes a ciphertext ctx and a secret key skk as input and outputs F(k, x) We require that a FE scheme satisfies the following properties: Correctness. For any (mpk, msk) generated by Setup(1λ ), any k ∈ K and x ∈ X , we have:     skk ← KeyGen(msk, k) ≤ negl(λ) . Pr F(k, x) = γ  ctx ← Encrypt(mpk, x), γ = Decrypt(ctx , skk ) Indistinguishable Security. We define the indistinguishable security game, parameterized by a security parameter λ as the game between an adversary A and a challenger in Table 1. The advantage of an adversary A in the indistinFE-IND (λ) := |Pr[A wins] − 12 |. guishable security game is defined by AdvFE,A Table 1. FE-IND(λ) Setup: The challenger computes (mpk, msk) ← Setup(1λ ) and sends mpk to the adversary A. Query 1: The adversary A can adaptively ask the challenger for the following queries: Secret key query: On input k ∈ K, the challenger replies with skk . Challenge: The adversary A chooses two vectors x0 , x1 ∈ X subject to the restriction that for all k that the adversary have make the secret key query in Query 1, it holds that F (k, x0 ) = F (k, x1 ). The challenger chooses b ← {0, 1} uniformly at random and computes ctb ← Encrypt(mpk, xb ) and gives ctb to the adversary A. Query 2: The adversary can make secret key query for arbitrary k as long as F (k, x0 ) = F (k, x1 ). Output: The adversary A outputs a bit b ∈ {0, 1} and wins if b = b.

Definition 2 (IND-secure FE). A FE scheme is IND-secure, if (1) it satisfies the correctness, and (2) the advantage of any PPT adversary A in the FE-IND (λ) = negl(λ). indistinguishable security game is AdvFE,A Inner-Product Functionality. In this paper, we are interested in the innerproduct functionality over the field Zp defined in [1]. It is a family of functionalities with vector space V consisting of vectors in Zp of length n: for any y, x ∈ V, the functionality F(y, x) = y, x.

Adaptive-Secure IBIPFE in the BRM

2.2

673

Bilinear Groups

Our construction relies on the widely-used technique: bilinear map. Definition 3 (Bilinear map). Let G1 , G2 and GT be cyclic groups of order p. Define function e : G1 × G2 → GT . Then e is an efficient computable (nondegenerate) bilinear map if it is: 1. Bilinear: ∀a, b ∈ Zp , (x1 , x2 ) ∈ G1 × G2 , e(xa1 , xb2 ) = e(x1 , x2 )ab . 2. Non-degenerate: e does not map all pairs in G1 × G2 to the identity in GT . 3. Efficiently computable: There’s an efficient algorithm to compute any of the function value of e. Let gi be the generator of Gi , for each i ∈ {1, 2, T }. Given an efficient computable (non-degenerate) bilinear map e, by definition we have e(g1 , g2 ) = gT . We will use a generator which on input 1λ , it will efficiently return (G1 , G2 , p, g1 , g2 , e) satisfying the above description. [10] introduce an assumption for the case when G1 = G2 , and it has been adapted to asymmetric setting in [23]. We use the latter one and give the definition. Definition 4 (Decisional Bilinear Diffie-Hellman Assumption). The Decisional Bilinear Diffie-Hellman Assumption (DBDH) Assumption in the asymmetric case is, given (G1 , G2 , p, g1 , g2 , e) returned by our generator, no PPT adversary can distinguish betweenthe with non  two following distributions  negligible advantage:

g1a , g1b , g2a , g2c , gTq , g1a , g1b , g2a , g2c , gTabc , where a, b, c, q are

sampled from Zp . 2.3

Entropy, Extractors and Hashing

We introduce the definition of min-entropy which measures the worst-case predictability of a random variable. Further, for a randomized function f , let f (x; r) be the unique output of f for input x, with random coins r. For simplicity, we will write f (x) to denote a random variable for the output of f (x; r) over the random coins r. Definition 5. The min-entropy of a random variable X is H∞ (X) := − log(maxx Pr[X = x]). A generalized version from [22] is called the average conditional min-entropy:       ˜ ∞ (X|Z) := − log Ez←Z max Pr [X = x|Z = z] = − log Ez←Z 2−H∞ (X|Z=z) H , x

where Z is another random variable. Lemma 1 (Lemma 2.2 in [22]). Let X, Y, Z be random variables where ˜ ∞ (X|(Y, Z)) ≥ Z takes on values in a set of size at most 2l . Then H ˜ ˜ ˜ H∞ ((X, Y )|Z) − l ≥ H∞ (X|Z) − l. In particular, H∞ (X|Y ) ≥ H∞ (X) − l.

674

L. Zhang et al.

Statistical Distance and Extractors. For two random variables X, Y , we can define the statistical distance between them as SD(X, Y ) := 12 x |Pr[X = x] − Pr[Y = x]|. If SD(X, Y ) ≤  then we write X ≈ Y . Further, if SD(X, Y ) is negligible, we write X ≈ Y . An extractor [40] can be used to extract uniform randomness out of a weakly-random variable which is only assumed to have sufficient min-entropy. Definition 6. An efficient randomized function Ext : {0, 1}a → {0, 1}v is a (β, )-extractor if for all X, Z such that X is distributed over {0, 1}a and ˜ ∞ (X|Z) ≥ β, we get (Z, R, Ext(X; R)) ≈ (Z, R, Uv ) where R is a random H variable for the coins of Ext. Definition 7 (ρ-Universal Hashing). A family H, consisting of (deterministic) functions h : {0, 1}a → {0, 1}v , is ρ-universal hash family if for any x1 = x2 ∈ {0, 1}a , we have Prh←H [h(x1 ) = h(x2 )] ≤ ρ. [40] states that universal hash functions are good extractors in the following leftover-hash lemma. Lemma 2 (Leftover-Hash Lemma [40]). Assume that the family H of functions h : {0, 1}a → {0, 1}v is ρ-universal hash family. Then the random extractor Ext(x; h) = h(x), where h is uniform over H, is an (β, )-extractor as long as: β ≥ v + 2 log(1/) − 1, ρ ≤ 2−v (1 + 2 ) . Also, we say that e is efficiently computable if given the description of e we are able to obtain a polynomial time algorithm for computing e.

3

Adaptive-Secure IBIPFE Scheme

3.1

Definitions

Identity-Based Inner-Product Functional Encryption. Firstly, we give the definition of IBIPFE as follows: An IBIPFE scheme consists of 4 PPT algorithms just like IBE and IPFE: (Setup, KeyGen, Encrypt, Decrypt). The algorithms have the following syntax.2 – Setup(1λ , 1n ): It takes the security parameter λ and n as input, and produces the master public key mpk and the master secret key msk. The following algorithms implicitly include mpk as input. – KeyGen(msk, ID, y): It uses the master secret key msk, an identity ID ∈ ID and a vector y ∈ V with length n to sample a secret key sk(ID,y ) . – Encrypt(ID, x): This is the encryption algorithm. It uses ID ∈ ID and x ∈ V to output a ciphertext ct(ID,x) . 2

Here, let ID be the identity space, V be the vector space, and IP be the innerproduct value space.

Adaptive-Secure IBIPFE in the BRM

675

– Decrypt(ct(ID,x) , sk(ID ,y ) ): This is the decryption algorithm(deterministic). It takes a ciphertext and a secret key as input and outputs the inner product: x, y if ID = ID . Here, we define a function F : (ID, V) × (ID, V) → IP, where  x, y, If ID = ID F ((ID, x), (ID , y)) = ⊥, otherwise Correctness. Given msk, mpk from Setup(1λ , 1n ), any ID ∈ ID, and x, y ∈ V, we have:     sk(ID,y ) ← KeyGen(msk, ID, y), ct(ID,x ) ← Encrypt(ID, x) ≤ negl(λ) . Pr x, y = γ  γ = Decrypt(ct(ID,x ) , sk(ID,y ) )

Indistinguishable Security. We define the indistinguishable security game, parametrized by a security parameter λ, a parameter of vector length n, as the game between an adversary A and a challenger C in Table 2. Table 2. IBIPFE-IND(λ, n) Setup: The challenger computes (mpk, msk) ← Setup(1λ , 1n ) and sends mpk to the adversary. Query 1: The adversary A adaptively queries C with (ID, y) ∈ ID × V. And the challenger C responds with sk(ID,y ) . Challenge: The adversary A chooses an challenge identity ID∗ ∈ ID and two messages x 0 , x 1 ∈ V subject to the condition that for all (ID, y) A has queried in Query 1, it must hold that F ((ID∗ , x 0 ), (ID, y)) = F ((ID∗ , x 1 ), (ID, y))

Query 2: The adversary A adaptively queries C with (ID, y) as long as F ((ID∗ , x 0 ), (ID, y)) = F ((ID∗ , x 1 ), (ID, y)). Output: The adversary A outputs a bit b ∈ {0, 1} and wins if b = b. Note: F ((ID∗ , x 0 ), (ID, y)) = F ((ID∗ , x 1 ), (ID, y)) holds if and only if (1) ID = ID∗ , or (2) ID = ID∗ and x 0 , y = x 1 , y.

Definition 8 (Adaptive-IND-secure IBIPFE). An IBIPFE scheme is adaptive-IND-secure, if (1) it satisfies the correctness, and (2) the advantage of any admissible PPT adversary A in the indistinguishable security game is: IBIPFE-IND (λ, n) = negl(λ). AdvIBIPFE,A

676

3.2

L. Zhang et al.

Adaptive-IND-secure IBIPFE Scheme

Now, we present our adaptive-IND-secure IBIPFE scheme Π. Here we set IP = Zp , V = Znp and ID = {0, 1}log p−log n . Also, the set [n] can be seen as the set of all non-zero (0, 1)-strings with length log n (i.e. {0, 1}log n \ 0log n ). For any i ∈ [n] and ID ∈ ID, let i01 be the binary representation of i (we will use this notion below), then ID||i01 is in fact a non-zero (0, 1)-string with length log p (i.e. {0, 1}log p \ 0log p ). – Setup(1λ , 1n ) : Pick a bilinear group BG = (G1 , G2 , GT , g1 , g2 , e, p) of prime order p, where g1 and g2 are generators of G1 and G2 , and we have gT = e(g1 , g2 ). Choose random numbers w, v, s, t ←R Z∗p Now we can pick a random one-to-one function h : {0, 1}log p \ 0log p → Z∗p . And set h1 = g1w , h2 = g2v , k1 = g1s ·ht1 , f (·) = v·h(·).3 Output: mpk = (G1 , G2 , GT , e, g1 , g2 , h1 , h2 , k1 , f ), msk = (s, t, h). – Encrypt(mpk, ID, x) : Pick a random number r ←R Zp and set C = g1r , f (ID||i01 )

D = e(h1 , h2 )r , and for i ∈ [n], Ei = gTxi ·e(k1 , g2 )r . Output: ct(ID,x) = (C, D, E1 , ..., En ).

n n f (ID||i01 )yi −s ) and d2 = −t – KeyGen(msk, ID, y) : Set d1 = ( i=1 g2 i=1 h(ID||i01 )yi . Output: sk(ID,y ) = (d1 , d2 ). n – Decrypt(ct(ID,x) , sk(ID ,t) ) : Compute: IP = e(C, d1 ) · Dd2 · ( i=1 Eiyi ). Then, compute and output the discrete logarithm loggT IP. For simplicity we use ID||i to represent ID||i01 in the following of this paper. Correctness. When ID = ID , we have

IP = e(C, d1 ) · Dd2 · (

n

Eiyi )

i=1

  n n n  f (ID ||i)yi −s r = e g1 , ( g2 ) · e(h1 , h2 )r(−t i=1 h(ID ||i)yi ) · ( Eiyi ) i=1

=

−rv(s+wt) gT

=

x,y  gT

·

n

i=1

n  h(ID ||i)yi

rv(s+wt) gT



n

i=1 rv(s+wt) gTxi yi gT

n

i=1

h(ID||i)yi



i=1

i=1 (h(ID||i)−h(ID



||i))yi

x,y 

= gT

.

Therefore Decrypt(ct(ID,x) , sk(ID,y ) ) outputs x, y. Similar to many IPFE works based on DDH assumption and its variants, the decryption algorithm of Π requires to compute the discrete logarithm. We can 3

Here we keep function h secret and set function f to be a black box, which means that one can only get the function value of f by making a query to the oracle, instead of computing it directly.

Adaptive-Secure IBIPFE in the BRM

677

use some methods to reduce the cost of it (see the analysis in [3]). The security analysis follows similar arguments to [3] in that at some steps, the challenge ciphertext is generated using msk instead of mpk. It will perfectly hide which challenge message is encrypted as long as msk retains a sufficient amount of entropy from the adversary’s view. We state the security in the following theorem and the proof are shown in our full version. Theorem 3 (adaptive-IND security). The IBIPFE scheme Π described above is adaptive-IND-secure under the DBDH assumption.

4 4.1

Identity-Based Inner-Product Hash Proof System (IBIP-HPS) Definitions

To construct a leakage-resilient IBIPFE scheme, we introduce the notion, IBIPHPS, and the required properties: An Identity-based Inner-product hash proof system (IBIP-HPS) consists of 5 PPT algorithms: (Setup, KeyGen, Encap, Encap∗ , Decap). The algorithms have the following syntax. (ID is the identity space, V is the vector space.) – Setup(1λ , 1n ): It takes the security parameter λ and n as input, and produces the master public key mpk and the master secret key msk. The following algorithms implicitly include mpk as input. – KeyGen(msk, ID, y): It uses the master secret key msk, an identity ID ∈ ID and a vector y ∈ V with length n to sample a secret key sk(ID,y ) . – Encap(ID): This is the valid encapsulation algorithm. It uses ID ∈ ID to output a valid ciphertext ctID and a encapsulated key k ∈ V. – Encap∗ (ID): This is the invalid encapsulation algorithm. It uses ID ∈ ID to output only an invalid ciphertext ctID . – Decap(ctID , sk(ID ,y ) ): This is the decapsulation algorithm(deterministic). It takes a ciphertext as input and outputs a functional value of the encapsulated key and y: k, y if ID = ID . Correctness. Given msk, mpk from Setup(1λ , 1n ), any ID ∈ ID, and y ∈ V, we have:     sk(ID,y ) ← KeyGen(msk, ID, y) Pr k, y = γ  ≤ negl(λ) . (ctID , k) ← Encap(ID), γ = Decap(ctID , sk(ID,y ) )

678

L. Zhang et al. Table 3. V/I-IND(λ, n) Setup: The challenger C computes (mpk, msk) ← Setup(1λ , 1n ), and gives mpk to the adversary A, Query 1: The adversary A adaptively queries C with (ID, y) ∈ ID × V, and C responds with sk(ID,y ) .

Challenge: The adversary A chooses an arbitrary ID∗ ∈ ID, and the challenger C chooses a random bit b ∈ {0, 1} If b = 0, then C computes (ctID∗ , k) ← Encap(ID∗ ). If b = 1, then C computes ctID∗ ← Encap∗ (ID∗ ). The challenger C gives ctID∗ to the adversary A.

Query 2: The adversary A adaptively queries C with (ID, y) ∈ ID × V, and C responds with sk(ID,y ) .

Output: The adversary A outputs a bit b ∈ {0, 1}, and A wins the game if b = b. Note: In Query 1,2 the challenger computes sk(ID,y ) ← KeyGen(msk, ID, y) the first time that the pair (ID, y) is queried and responds to all future queries on the same pair (ID, y) with the same sk(ID,y ) .

Valid/Invalid Ciphertext Indistinguishability. The valid ciphertexts generated by Encap and the invalid ciphertexts generated by Encap∗ should be computationally indistinguishable, even if an adversary can obtain one secret key per pair for at most n linear independent vectors with the challenge identity ID∗ . For an adversary A, we define the following experiment for an IBIP-HPS Π in Table 3. Definition 9. A PPT adversary A is admissible if in the whole experiment, for the challenge identity ID∗ , A can make at most n secret key queries in the form (ID∗ , y i ), i ∈ [n], where y 1 , ..., y n are linear independent. Then, we say that an IBIP-HPS Π is adaptively secure if for any admissible adversary A, the    V/I-IND advantage satisfies: AdvΠ,A (λ, n) := Pr[A wins] − 12  = negl(λ). We will explain why such restriction on key queries is needed after show the following property: Smoothness and leakage-smoothness. Intuitively, this property is to ensure that there are many possible results for the decapsulation algorithm with input an invalid ciphertext. Smoothness and Leakage-Smoothness. Define a matrix Y := [y 1 , . . . , y n ] consisting of n linear independent vectors. We say that an IBIP-HPS Π is smooth if, for any fixed values of mpk, msk from Setup(1λ , 1n ), any fixed Y and ID ∈ ID, we have

SD (ct, k), (ct, k ) ≤ negl(λ) , where ct ← Encap∗ (ID), k ← UV , and k is determined by first choosing sk(ID,y i ) ← KeyGen(msk, ID, y i ) for each i ∈ [n] and then computing kT := [Decap(ct, sk(ID,y 1 ) ), ..., Decap(ct, sk(ID,y n ) )]Y −1 .

Adaptive-Secure IBIPFE in the BRM

679

An IBIP-HPS Π is l -leakage-smooth if, for any (possible randomized and inefficient) function f with at most l -bit output, we have:

SD (ct, f ({sk(ID.y i ) }ni=1 ), k), (ct, f ({sk(ID.y i ) }ni=1 ), k ) ≤ negl(λ) , where ct, k , k and each sk(ID,y i ) are sampled as above. Definition 10 (0-universal IBIP-HPS). For any fixed mpk, msk returned by Setup(1λ ), any fixed ID ∈ ID, and any fixed vector y, we let SK be the support of all possible output of KeyGen(msk, ID, y). Then we say that an IBIP-HPS is 0-universal if, for any fixed distinct values skID = skID , we have Prc←Encap∗ (ID) [Decap(c, skID ) = Decap(c, skID )] = 0 . We also say that its decapsulation algorithm is 0-universal. The restriction on key queries with the challenge identity in this game is due to the fact that, like all other HPS schemes, in order to achieve the smoothness/leakage-smoothness, the key generation algorithm should be a randomized algorithm. It means that we will get different output from KeyGen with the same input in different running. As a result of it, the output of the decapsulation algorithm with input an invalid ciphertext and a secret key is also random, which depends on the random numbers used to generate the secret key. However, no matter what random numbers are used in the secret key, the output of the decapsulation algorithm with input a valid ciphertext and the secret key is always the real inner-product value when the identities in ciphertext and secret key are the same. If we do not have any restriction on the key queries with the challenge identity, the adversary can distinguish between valid and invalid ciphertexts easily, by making use of the above properties. For example, the adversary makes 2 queries: (ID∗ , y 1 = (1, 0, ..., 0)) and (ID∗ , y 2 = (2, 0, ..., 0)). If the ciphertext ctID∗ is a valid ciphertext, then we have Decap(ctID∗ , sk(ID∗ ,y 2 ) ) − Decap(ctID∗ , sk(ID∗ ,y 1 ) ) = 2k1 − k1 = Decap(ctID∗ , sk(ID∗ ,y 1 ) ). While if it is an invalid ciphertext, then Decap(ctID∗ , sk(ID∗ ,y 2 ) ) − Decap(ctID∗ , sk(ID∗ ,y 1 ) ) = Decap(ctID∗ , sk(ID∗ ,y 1 ) ) in general. Instead of aiming at building an IBIP-HPS scheme which satisfies correctness, valid/invalid ciphertext indistinguishability and leakage-smoothness at the same time, we first consider how to construct an IBIP-HPS scheme which only satisfies orrectness and valid/invalid ciphertext indistinguishability. We show that we can get an IBIP-HPS scheme Π1 from our IBIPFE scheme Π easily, by adding random numbers into key generation algorithm. We construct an IBIP-HPS Π1 from our adaptive-IND-secure IBIPFE scheme Π. – Setup(1λ , 1n ) : It runs (mpk, msk) ← Π.Setup(1λ , 1n+1 ), and outputs mpk, msk. – KeyGen(msk, ID, y) : It samples a random number z ←R Zp and sets y ∗ = y||z. Then it runs sk0(ID,y ∗ ) ← Π, KeyGen(msk, ID, y ∗ ) and outputs sk(ID,y ) := (sk0(ID,y ∗ ) , z).

680

L. Zhang et al.

– Encap(ID) : It samples x ←R V and sets x∗ = x||0. It chooses a random number r ←R Zp and computes ct0(ID,x ∗ ) = Π.Encrypt(mpk, ID, x∗ ) with randomness r. It outputs (ctID = ct0(ID,x ∗ ) , k = x). – Encap∗ (ID) : It samples x ←R V and sets x∗ = x||0. It chooses a random  number r, r ←R Zp and r = r . It sets C = g1r , D = e(h1 , h2 )r and for x∗ f (ID||i) r ) , where f is obtained from mpk. It i ∈ [n + 1], Ei = gTi · e(k1 , g2 outputs ctID = (C, D, E1 , ..., En+1 ). – Decap(ctID , sk(ID ,y ) ) : It outputs Π.Decrypt(ctID , sk(ID ,y ) ). Both the correctness and valid/invalid ciphertext indistinguishability of IBIPHPS Π1 can be easily proved from the correctness and the adaptive-IND security of the underlying IBFE scheme Π. We have the following theorem and the proof are shown in our full version. Theorem 4. Under DBDH assumption, the above IBIP-HPS construction Π1 satisfies the correctness requirement and valid/invalid ciphertext indistinguishability. We also show that the decapsulation function of Π1 is a 0-universal, which could help us to construct a leakage-smooth IBIP-HPS in the next section. 0-Universality of the Decapsulation Function. For any fixed mpk, msk produced by Π1 .Setup(1λ , 1n ), a set of linear independent vectors {y i }ni=1 and identity ID, let ctID be some output of Π1 .Encap∗ (ID), so that ctID =  (C, D, E1 , ..., En+1 ) for C = g1r , D = e(h1 , h2 )r , and for i ∈ [n + 1], Ei = x∗ f (ID||i) r gTi e(k1 , g2 ) where r = r . Then for any secret key sk(ID,y ) = (d1 , d2 , z), which is generated by Π1 .KeyGen(msk, ID, y) with y ∈ {y i }ni=1 . Then we can get: Π1 .Decap(ctID , sk(ID,y ) ) = Π.Decrypt(ctID , sk(ID,y ) )  n+1 y∗  Ei i ) = loggT e(C, d1 ) · Dd2 · ( i=1



e(g1r , (

= loggT  = loggT = loggT

n+1



f (ID||i)yi∗ −s g2 ) )

r  (−t

· e(h1 , h2 )

n+1 i=1

h(ID||i)yi∗ )

·(

i=1 −v(sr+twr  )( gT x,y 

gT



y∗ Ei i )

i=1 n+1 i=1

wvt(r−r  )(

· gT

= k, y + wvt(r − r )

n+1

n

h(ID||i)yi∗ ) n+1 i=1

n+1

· gT

i=1

h(ID||i)yi∗ ))

∗ x∗ i yi

·

rv(s+wt)( gT

n+1 i=1

h(ID||i)yi∗ ))





h(ID||i)yi + wvt(r − r )h(ID||(n + 1))z .

i=1

(1) From r = r , we can get that if Π1 .Decap(ctID , sk(ID,y ) ) = Π1 .Decap(ctID , sk(ID,y ) ) and sk(ID,y ) , sk(ID,y ) are outputs of Π1 .KeyGen(msk, ID, y), then sk(ID,y ) = sk(ID,y ) . This implies 0-universality of the decapsulation function.

Adaptive-Secure IBIPFE in the BRM

4.2

681

Leakage-Smooth IBIP-HPS

In this section, we show how to construct an l -leakage-smooth IBIP-HPS, for arbitrarily large values of l , meeting the efficiency requirements of the BRM. We start with the IBIP-HPS scheme Π1 = (Π1 .Setup, Π1 .KeyGen, Π1 .Encap, Π1 .Encap∗ , Π1 .Decap) and compile it into a new IBIP-HPS scheme Π2 = (Π2 .Setup, Π2 .KeyGen, Π2 .Encap, Π2 .Encap∗ , Π2 .Decap). Before showing our construction, we introduce our main idea of leakage amplification. In order to tolerate arbitrarily large leakage l , we introduce a key-size parameter m and map each secret key in Π2 into m secret keys generated by Π1 . And m will depend on the desired leakage parameter l . Recall that the encapsulated key k in the definition of leakage-smoothness is recovered by n secret keys for n linear independent vectors. In the proof of leakage-smoothness, we need to use the same random numbers to generate the n secret keys for each y i . Thus, the key generation algorithm will take n linear independent vectors (an invertible matrix Y ) as input. In order to meet the efficiency requirements, the encapsulation and decapsulation algorithms should be independent of m. So they will target only a small subset of t-out-of-m of the secret keys. The encapsulation algorithm will choose t random indices from {1, ..., m} to generate t ciphertexts. And the decapsulation algorithm will read only the corresponding t secret keys. Finally, since the key generation algorithm will output n secret keys for n vectors and one identity ID , the encapsulation algorithm will also run n times to get n ciphertexts. These n ciphertexts share one identity ID and one encapsulated key k. If ID = ID , then the i-th ciphertext can be decapsulated by the i-th secret key. IBIP-HPS Construction. Let Π1 = (Π1 .Setup, Π1 .KeyGen, Π1 .Encap, Π1 .Encap∗ , Π1 .Decap) be an IBIP-HPS with identity space ID1 , vector space V and secret key randomness space R. For simplicity, we use sk(ID,y ) = Π1 .KeyGen(msk, ID, y, z  ) to denote that sk(ID,y ) is generated by computing Π1 .KeyGen(msk, ID, y) with random value z  (setting z = z  in Π1 .KeyGen), and use (ctID , k) = Π1 .Encap(ID, x ) to denote that (ctID , k) is generated by computing Π1 .Encap(ID) with vector x (setting x = x in Π1 .Encap). Let H : ID2 × [m] × [n] → ID1 be a one-to-one function for some set ID2 . Define Π2 = (Π2 .Setup, Π2 .KeyGen, Π2 .Encap, Π2 .Encap∗ , Π2 .Decap) with identity space ID2 as follows: – Setup(1λ , 1n ): This is the same as Π1 .Setup. – KeyGen(msk, ID, Y ): Prase Y = [y 1 , ..., y n ]. Sample z1 , ..., zm ←R R. For i ∈ [n], j ∈ [m], ski,j is generated by computing Π1 .KeyGen(msk, H(ID, j, i), y i , zj ). Set sk(ID,y i ) = (ski,1 , ..., ski,m ) for i ∈ [n]. It outputs sk(ID,Y ) := (sk(ID,y 1 ) , ..., sk(ID,y n ) ) .

682

L. Zhang et al.

– Encap(ID): First it samples a vector k = (k1 , ..., kn ) ∈ V. This algorithm will run the following steps for n times. In step τ : (1) Choose t random indices α[τ ] = (α1 [τ ], ..., αt [τ ]) ← [m]t , and β[τ ] = (β1 [τ ], ..., βt [τ ]) ← Ztp . t ∗ ∗ ∗ [τ ], ..., kjn [τ ]) ← V, s.t. j=1 βj [τ ]kji [τ ] = (2) For j ∈ [t], sample k∗j [τ ] = (kj1 ki , i ∈ [n]. (3) For j ∈ [t], compute (ctj [τ ], k∗j [τ ]) ← Π1 .Encap(H(ID, αj [τ ], τ ), k∗j [τ ]). It outputs ctID := ({ct1 [τ ], ..., ctt [τ ], α[τ ], β[τ ]}nτ=1 ), k . For simplicity, we just omit the subscription ID in each term of ctID , when we only consider one specified ID. – Encap∗ (ID): First it samples a vector k = (k1 , ..., kn ) ∈ V. This algorithm will run the following steps for n times. In step τ : (1) Choose t random indices α[τ ] = (α1 [τ ], ..., αt [τ ]) ← [m]t , and β[τ ] = (β1 [τ ], ..., βt [τ ]) ← Ztp . t ∗ ∗ ∗ [τ ], ..., kjn [τ ]) ← V, s.t. j=1 βj [τ ]kji [τ ] = (2) For j ∈ [t], sample k∗j [τ ] = (kj1 ki , i ∈ [n]. (3) For j ∈ [t], compute ctj [τ ] ← Π1 .Encap∗ (H(ID, αj [τ ], τ ), k∗j [τ ]). It outputs ctID := ({ct1 [τ ], ..., ctt [τ ], α[τ ], β[τ ]}nτ=1 ) . – Decap(ctID , sk(ID,y τ ) ): For any τ ∈ [n], prase sk(ID,y τ ) = (skτ,1 , ..., skτ,m ). For j ∈ [t], compute γj [τ ] := Π1 .Decap(ctj [τ ], skτ,αj [τ ] ). Then, it outputs t j=1 (βj [τ ]γj [τ ]). The correctness and valid/invalid ciphertext indistinguishability of Π2 can be easily extended from such properties of Π1 . Efficiency. We will show that Π2 meets the efficiency requirements of the BRM by giving a lower bound of t, which is independent of the leakage bound l in the proof of the leakage-smoothness. Leakage-Smoothness. In our full version, firstly, we show that the decapsulation algorithm of Π2 is not 0-universal, so we cannot directly obtain the leakage-smoothness by the leftover-hash lemma (Lemma 2). Then, we try to relax the condition in the definition of universality. We use a similar idea as in [5], where we only insist that sk(ID,Y ) and sk(ID,Y ) are different enough so that they are unlikely to result in the same k. More precisely, we state the following theorem, and will prove it in the full version. Theorem 5. For any ε > 0, there exists some setting of η = O(log p), so that for any polynomial m(λ), the above construction of Π2 from Π1 is l -leakagesmooth as long as: l ≤ (1 − ε)m log p − n log p − 2λ.

Adaptive-Secure IBIPFE in the BRM

5

683

Leakage-Resilient IBIPFE in the BRM

Here, we define the security for an IBIPFE scheme, which is resistant to key leakage attacks in the Bounded-retrieval model (BRM). Then we show how to construct such an IBIPFE scheme from an leakage-smooth IBIP-HPS we presented in the above section. Our security notion only allows leakage attacks against the secret keys of the various functions, but not the master secret key. And we only allow the adversary to perform leakage attacks before seeing the challenge ciphertext. As shown in [4,6,39], this limitation is inherent to encryption schemes since otherwise the leakage function can simply decrypt the challenge ciphertext and output its first bit. 5.1

Definitions

Recall that in our leakage-smooth IBIP-HPS scheme, the encapsulation algorithm will output n ciphertexts sharing the same encapsulated key k. The key generation algorithm will also output n secret keys for n vectors, and the i-th ciphertext can be decapsulated by the i-th secret key. But the input of IBIPFE’s key generation algorithm contains only one vector, instead of n vectors, so it cannot output n secret keys in one round. And actually we only need one secret key to get the decryption result k, y since all n ciphertexts share the same encapsulated key k. Therefore, in our leakage-resilient IBIPFE scheme, we will allow the user to choose an index τ ∈ [n] in the key generation algorithm to indicate which ciphertext it wants to decrypt with this secret key. It means that the syntax of Setup, Encrypt, Decrypt is the same as that in IBIPFE (Sect. 3.1), and KeyGen has the following syntax: sk(ID,y ,τ ) ← KeyGen(msk, ID, y, τ ): The key generation algorithm generates the secret key sk(ID,y ,τ ) , which can decrypt the τ -th ciphertext output by Encrypt(ID, x). Indistinguishable Security with Key Leakage. We define the indistinguishable security game, parametrized by a security parameter λ, a parameter of vector length n and a leakage parameter l, as the following game between an adversary A and a challenger in Table 4. The advantage of an adversary A in IBIPFE-IND (λ, l) := |Pr[A wins] − 12 |. the security game is AdvIBIPFE,A We now give some explanation about the definition. The restrictions of the definition come from the definitions and proofs of properties of IBIP-HPS. Recall that there are only 3 items in the definition of leakage-smoothness: ct, f ({skID,y i }ni=1 ), k. The secret keys {skID,y i }ni=1 used to compute k do not appear in the equation directly. In order to rely our security of Π3 on the leakage smoothness of Π2 , for the secret keys used to compute k (we need n secret keys of n linear independent vectors to determine a k), the adversary can only know a functional value f (·), instead of the secret keys. Thus, we only allow the adversary to perform leakage queries on the challenge identity ID∗ and arbitrary

684

L. Zhang et al. Table 4. IBIPFE-IND(λ, n) Setup: The challenger C computes (mpk, msk) ← Setup(1λ , 1n ) and sends mpk to the adversary A. The challenger keeps a list RID to store the random numbers which is sampled in leakage-query stage. Query 1: The adversary A can adaptively ask the challenger for: Secret key query: On input an identity ID, a vector y and an index τ , the challenger replies with sk(ID,y ,τ ) ← KeyGen(msk, ID, y, τ ).

Leakage query: On input an identity ID, a vector y and a PPT function f ∗ , if there is no tuple (ID, y, ·) has been queried to leakge query before, the challenger first check whether ID is in the list RID : – If it is not, then the challenger first runs sk(ID,y ,1) ← KeyGen(msk, ID, y, 1), then store the tuple (ID, r, 1) in the list RID , where r denotes the random numbers sampled by KeyGen(msk, ID, y, 1). – If ID is in RID , then the challenger reads and deletes the tuple (ID, r, τ ) from RID and generates sk(ID,y ,τ +1) with the randomness r, and puts (ID, r, τ +1) into RID . Then the challenger replies with f ∗ (sk(ID,y ,·) ) if  f ∈{f  }(ID,y ) ∪{f ∗ } |f (sk(ID,y ,·) )| ≤ l, where {f }(ID,y ) denotes the set of leakage functions that the adversary have queried on the secret key sk(ID,y ,·) , and |f (sk(ID,y ,·) )| is the bit-length of the function value f (sk(ID,y ,·) ).

Challenge: The adversary A chooses an challenge identity ID∗ ∈ ID and two messages x 0 , x 1 ∈ V subject to the conditions that (1) ID∗ never appeared in any secret key query (2) There are at most n different vectors {y i }n i=1 appeared in leakage query in the form (ID∗ , y i , f ∗ ) and these n vectors should be linear independent. The challenger chooses b ∈ {0, 1} uniformly at random and returns ct ← Encrypt(mpk, ID∗ , x b ) to the adversary. Query 2: The adversary A adaptively makes secret key query with (ID, y) as long as ID = ID∗ Output: The adversary A outputs a bit b ∈ {0, 1} and wins if b = b. Notes: a) For secret key queries in Query 1 and 2, the challenger computes sk(ID,y ,τ ) ← KeyGen(msk, ID, y, τ ) only in the first time that the tuple (ID, y, τ ) is queried and responds to all future queries on the same tuple (ID, y, τ ) with the same sk(ID,y ,τ ) . b) For leakage queries in Query 1, the challenger computes sk(ID,y ,τ ) ← KeyGen(msk, ID, y, τ ) only in the first time that the tuple (ID, y, ∗) is queried and responds to all future queries on the tuples (ID, y, ∗) with the same secret key.

vector y, instead of secret key queries on ID∗ and y subject to the condition that x0 , y = x1 , y. From the definition of valid/invalid ciphertext indistinguishability in IBIPHPS, the adversary can make one key query for the challenge identity ID∗ with an n × n invertible matrix. So we also restrict that there are at most n different linear independent vectors appearing in the leakage queries with the form (ID∗ , y, f ∗ ). And such n vectors mentioned above are generated from the same random numbers and are corresponding to the 1-th,...,n-th ciphertexts respectively.

Adaptive-Secure IBIPFE in the BRM

685

Remark on Stateful Key Authority. Similar with [5], in the query stage of our security game, some secret keys are computed only once and reused subsequently. In reality, this requires that key authority that issues secret keys is stateful, and caches the secret keys that it computes. As the analysis in [5], this requirement can be overcome easily by adding a pseudo-random function to the master secret key. Definition 11 (Leakage-resilient IBIPFE). An IBIPFE scheme is lleakage-resilient, if (1) it satisfies the correctness, and (2) the advantage of any admissible PPT adversary A in the indistinguishable security game with leakage IBIPFE-IND (λ, n, l) = negl(λ). We define the leakage l (defined in Table 4) is AdvIBIPFE,A l ratio of the scheme to be μ = |sk(ID,y ,τ ) | , where |sk(ID,y ,τ ) | is the number of bits needed to efficiently store a secret key sk(ID,y ,τ ) . Definition 12 (leakage-resilient IBIPFE in the BRM). We say that an IBIPFE scheme is adaptively leakage-resilient in the bounded-retrieval model (BRM), if the scheme is adaptive-secure, and the master public key size, master secret key size, ciphertext size, encryption time, and decryption time (and the number of secret-key bits read by decryption) are independent of the leakage-bound l. More formally, there exist polynomials mpksize, msksize, ctsize, encTime, decTime, such that, for any polynomial l and any (mpk, msk) ← KeyGen(1λ , 1n , 1l ), x ∈ V, ctx ← Encrypt(mpk, x), the scheme satisfies: – Master public key size is |mpk| ≤ O(mpksize(λ)), master secret key size is |msk| ≤ O(msksize(λ)), and ciphertext size is |ct(|ID|,x) | ≤ O(ctsize(λ, |ID|, |x|)). – Run-time of Encrypt(mpk, ID, x) is ≤ O(encTime(λ, |ID|, |x|)). – Run-time of Decrypt(sk(ID,y ) , ct(ID,x) ), and the number of bits of sk(ID,y ) accessed, are ≤ O(encTime(λ, |ID|, |x|)). 5.2

Construction of Leakage-Resilient IBFE for Inner-Product

Given an leakage-smooth IBIP-HPS scheme Π2 = (Setup, KeyGen, Encap, Encap∗ , Decap) where the vector space is V, we construct a leakage-resilient IBIPFE scheme with the same vector space V. We show our construction in Table 5. Theorem 6. If we start with an l -leakage-smooth IBIP-HPS Π2 , then the con struction in Table 5 yields a l = ln -leakage-resilient IBIPFE. We use a series of games argument in our security analysis, which begins with the real security game and ends with a game whose challenge ciphertext is independent of the bit b chosen by the challenger. And these games are indistinguishable from each other. The details of proof of Theorem 6 are shown in the full version.

686

L. Zhang et al. Table 5. Leakage-resilient IBIPFE scheme Π3 . Setup(1λ , 1n ): The Setup procedure is the same as Π2 .Setup. KeyGen(msk, ID, y, τ ): It chooses n − 1 random vectors y 1 , ..., y τ −1 , y τ +1 , ..., y n , such that Y = [y 1 , ..., y τ = y, ..., y n ] is a n × n invertible matrix. It gets (sk(ID,y 1 ) , ..., sk(ID,y n ) ) ← Π2 .KeyGen(msk, ID, Y ) and returns sk(ID,y ,τ ) = sk(ID,y τ ) .

Encrypt(ID, x): It computes (ctID , k) ← Π2 .Encap(ID). It sets c1 = ctID and c2 = k + x. And output ctID,x = (c1 , c2 ). Decrypt(ct(ID,x ) , sk(ID,y ) ): Parse ct(ID,x ) = (c1 , c2 ) and output y · c2 − Π2 .Decap(ctID , sk(ID,y ,τ ) ).

Theorem 7. Using the l -leakage-smooth IBIP-HPS construction Π2 , we can get an l-leakage-resilient IBIPFE scheme in the BRM with vector space V = Znp and it satisfies: (1) The master public-key size and the master secret-key size are the same as in Π2 , and are independent of l. (2) The size of the ciphertext and the number of secret-key bits read by decryption are the same as in Π2 , both of which are independent of l. (3) Encryption time consists of the Encap time of Π2 and the time of one vector addition operation with length n. Decryption time consists of the Decap time of Π2 , the time of inner-product operation with vector length n, and a subtraction. Both the encryption time and decryption time are independent of l. (4) The leakage ratio is μ = 1−ε 3n , for sufficiently large values of the leakageparameter l. Proof. The first 3 statements are easy to check from the construction. For the  log p−2λ leakage ratio, by Theorem 5, we have l = ln ≤ (1−ε)m log p−n . From it we n  log p+2λ can get the lower bound of m is that m ≥ l +n . Then the leakage ratio (1−ε) log p for a given l is defined as: μ=

l |sk(ID,y ,τ ) |

=

l (1 − ε)l = . 3m log p 3nl + 3n log p + 6λ

For sufficiently large l, the ratio is approximately

1−ε 3n .

References 1. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733– 751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2 33 2. Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-56620-7 21

Adaptive-Secure IBIPFE in the BRM

687

3. Agrawal, S., Libert, B., Stehl´e, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-53015-3 12 4. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009). https://doi.org/10.1007/9783-642-00457-5 28 5. Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 113–134. Springer, Heidelberg (2010). https://doi.org/ 10.1007/978-3-642-13190-5 6 6. Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 36–54. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8 3 7. Ananth, P., Sahai, A.: Functional encryption for turing machines. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 125–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9 6 8. Apon, D., D¨ ottling, N., Garg, S., Mukherjee, P.: Cryptanalysis of indistinguishability obfuscations of circuits over GGH13. In: LIPIcs-Leibniz International Proceedings in Informatics, vol. 80. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2017) 9. Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7 3 10. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8 13 11. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6 16 12. Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In: 2010 IEEE 51st Annual Symposium on Foundations of Computer Science, pp. 501–510. IEEE (2010) 13. Cash, D., Ding, Y.Z., Dodis, Y., Lee, W., Lipton, R., Walfish, S.: Intrusion-resilient key exchange in the bounded retrieval model. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 479–498. Springer, Heidelberg (2007). https://doi.org/10. 1007/978-3-540-70936-7 26 14. Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017). https://doi.org/10.1007/978-3-31956617-7 10 15. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehl´e, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). https://doi.org/10.1007/ 978-3-662-46800-5 1

688

L. Zhang et al.

16. Chow, S.S., Dodis, Y., Rouselakis, Y., Waters, B.: Practical leakage-resilient identity-based encryption from simple assumptions. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 152–161. ACM (2010) 17. Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 607–628. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-530085 21 18. Di Crescenzo, G., Lipton, R., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 225–244. Springer, Heidelberg (2006). https://doi.org/10. 1007/11681878 12 19. Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010). https://doi.org/ 10.1007/978-3-642-11799-2 22 20. Dodis, Y., Haralambiev, K., L´ opez-Alt, A., Wichs, D.: Cryptography against continuous memory attacks. In: 2010 IEEE 51st Annual Symposium on Foundations of Computer Science, pp. 511–520. IEEE (2010) 21. Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 621–630. ACM (2009) 22. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008) 23. Dufour-Sans, E., Pointcheval, D.: Unbounded inner-product functional encryption with succinct keys. In: Deng, R.H., Gauthier-Uma˜ na, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 426–441. Springer, Cham (2019). https:// doi.org/10.1007/978-3-030-21568-2 21 24. Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 207–224. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878 11 25. Dziembowski, S., Pietrzak, K.: Intrusion-resilient secret sharing. In: 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007), pp. 227–237. IEEE (2007) 26. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: 2008 49th Annual IEEE Symposium on Foundations of Computer Science, pp. 293–302. IEEE (2008) 27. Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.N.: Leakage-resilient signatures. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 343–360. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2 21 28. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016) 29. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679 27 30. Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Proceedings of the FortyFifth Annual ACM Symposium on Theory of Computing, pp. 555–564. ACM (2013)

Adaptive-Secure IBIPFE in the BRM

689

31. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5 11 32. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006) 33. Halderman, J.A., et al.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009) 34. Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side channel cryptanalysis of product ciphers. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 97–110. Springer, Heidelberg (1998). https:// doi.org/10.1007/BFb0055858 35. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1 25 36. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5 9 37. Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6 6 38. Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004). https://doi.org/ 10.1007/978-3-540-24638-1 16 39. Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. SIAM J. Comput. 41(4), 772–814 (2012) 40. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996) 41. Nishimaki, R., Yamakawa, T.: Leakage-resilient identity-based encryption in bounded retrieval model with nearly optimal leakage-ratio. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 466–495. Springer, Cham (2019). https:// doi.org/10.1007/978-3-030-17253-4 16 42. O’Neill, A.: Definitional issues in functional encryption. IACR Cryptology ePrint Archive 2010, 556 (2010) 43. Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009). https:// doi.org/10.1007/978-3-642-01001-9 27 44. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https:// doi.org/10.1007/11426639 27 45. Shi, E., Waters, B.: Delegating capabilities in predicate encryption systems. In: Aceto, L., Damg˚ ard, I., Goldberg, L.A., Halld´ orsson, M.M., Ing´ olfsd´ ottir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 560–578. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3 46 46. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639 7

690

L. Zhang et al.

47. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8 4 48. Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3662-48000-7 33 49. Yuen, T.H., Chow, S.S.M., Zhang, Y., Yiu, S.M.: Identity-based encryption resilient to continual auxiliary leakage. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 117–134. Springer, Heidelberg (2012). https:// doi.org/10.1007/978-3-642-29011-4 9 50. Zhang, J., Chen, J., Gong, J., Ge, A., Ma, C.: Leakage-resilient attribute based encryption in prime-order groups via predicate encodings. Des. Codes Crypt. 86(6), 1339–1366 (2018) 51. Zhang, L., Chen, Y., Zhang, J., He, M., Yiu, S.-M.: From quadratic functions to polynomials: generic functional encryption from standard assumptions. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2019. LNCS, vol. 11445, pp. 142–167. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16458-4 10 52. Zhang, L., Wang, X., Chen, Y., Yiu, S.M.: Leakage-resilient inner-product functional encryption in the bounded-retrieval model

CCA-Secure ABE Using Tag and Pair Encoding Olivier Blazy and Sayantan Mukherjee(B) XLim, University of Limoges, Limoges, France {olivier.blazy,sayantan.mukherjee}@unilim.fr

Abstract. Jutla and Roy (Asiacrypt 2013) proposed the first tagbased identity-based encryption which Chen and Gong (Asiacrypt 2017) extended to construct CPA-secure attribute-based encryption (ABE) in prime-order groups. However, Chen and Gong used predicate encoding for ABE construction. In literature, there exists a more powerful encoding, namely, pair encoding which Attrapadung (Eurocrypt 2014, Asiacrypt 2016) introduced as a generic framework to construct CPA-secure attribute-based encryptions in prime order groups. In reality, however, CPA-secure encryptions are not always sufficient as a security requirement. Yamada et al. (PKC 2011, PKC 2012) suggested generic techniques to get CCA secure attribute-based encryptions from CPA-secure attribute-based encryptions. In this work, we achieve two-fold improvements. We provide a tagbased ABE construction that uses pair encoding and at the same time achieves CCA security from the matrix Diffie-Hellman assumption in the standard model. As a result, our tag-based ABE can be utilized to construct new attribute-based encryptions with multiple randomnesses required in both the secret key and the ciphertext. Moreover, the cost we pay for CCA security is still significantly less than the cost of generic approach of Yamada et al.

1

Introduction

An attribute-based encryption (ABE) is a generalization of identity-based encryption (IBE) where the fine-grained access control is determined by a predicate R : X × Y → {0, 1}. Informally speaking, a user having a secret key sk associated with the key-index x ∈ X , can decrypt a ciphertext ct with dataindex y ∈ Y, if R(x, y) = 1. Earlier, the main focus was to develop dedicated protocols for different predicates like ABE for boolean span program [12], innerproduct encryption [15], doubly-spatial encryption [6] etc. Around the end of the last decade, Waters [16,25] introduced the famous dual system technique as an interesting and simpler way to achieve CPA-secure (H)IBE. This technique was invoked to construct several CPA-secure ABEs in later works [17,21]. In the middle of this decade, the seminal works by Wee [26] and Attrapadung [4] changed the scenario completely. Loosely speaking, they independently formalized a technique that the attribute-based encryption development till that time c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 691–714, 2020. https://doi.org/10.1007/978-3-030-65277-7_31

692

O. Blazy and S. Mukherjee

had been using implicitly and decoupled the security argument from the functionality (in the form of encoding). As a result, the CPA-security argument can now be done in a more modular manner. For schemes to be deployed in real life, it is always preferred that the scheme supports stronger security, namely, CCA-security. Yamada et al. [27,28] presented generic techniques to convert a CPA-secure attribute-based encryption to a CCA-secure one. Basically, they introduced properties like verifiability and delegation to achieve cca-security. However, the cost of having those properties often is still high in a practical sense. Therefore, the construction of CCA-secure ABE from a CPA-secure ABE generically is an interesting research problem. 1.1

Related Works

To construct attribute-based encryptions, Wee [26] and Attrapadung [4] independently came up with the concepts of predicate encoding and pair encoding respectively. These works were extended to get prime-order attribute-based encryption from predicate encoding by Chen et al. [9] and from pair encoding by Attrapadung [5]. Agrawal and Chase [1,2] then proposed several attribute-based encryption constructions from pair encodings with relaxed security properties. Ambrona et al. [3] presented relation between different encodings and concluded the pair encodings to be more general, as a tool, than the predicate encodings. Informally speaking, [3] showed that every predicate encoding scheme can be viewed as a pair encoding scheme where both secret key generation and ciphertext generation are defined using single randomness. There has been another series of works starting with the seminal work of Jutla and Roy [14] who proposed the shortest tag-based IBE. Several works [7,22–24] used such tag-based technique to achieve attribute-based encryptions for different functionalities. Chen and Gong [10] proposed tag-based ABE construction which used predicate encoding [9,26]. Note that, all these constructions mentioned above focus on achieving ind-cpa secure ABE. One can use works of Yamada et al. [27,28] to get corresponding ind-cca secure ABE. However, as we mentioned earlier, that turns out to be still costly as the resulting ind-cca-secure ABE defines almost doubles the ciphertext size to introduce verifiability property. There has been a series of works [8,18–20] to propose ind-cca secure pair encoding-based attribute-based encryptions which are significantly efficient than the generic approach of Yamada et al. [27,28]. 1.2

Contributions

In this paper, our primary aim is to explore if the tag-based construction of [10] can be lifted for pair encoding that supports the presence of multiple randomnesses in encryption and secret key generation. The non-triviality here stems from the presence of multiple randomnesses. Along with this, our aim was also to see if the same tag-based construction of [10] can be extended to get CCAsecurity without using the available costly generic approach of Yamada et al.

CCA-Secure ABE Using Tag and Pair Encoding

693

This paper presents an ABE construction that achieves both. To achieve the construction, we used the pair encoding description of [2]. The idea, intuitively, is to construct the so-called tag using the pair encoding itself. This adds some additional ciphertext components. Here, we should mention that this was also done implicitly in the security proof of [10] but as they supported only simpler predicate encoding, the tags were also simpler namely a single Zp element. The second contribution of this paper is to get ind-cca security for the said construction. Here we follow the idea of [8] who extended Attrapadung’s work [5] to get ind-cca secure attribute-based encryptions from pair encoding. The informal idea of [8] was to use G2 elements present in the master public key to verify the well-formedness of the ciphertext. Comparing to this, the security proof of tag-based ABE by Chen and Gong [10] does not allow one to keep necessary G2 elements in the master public key. In this work, we find an alternative way to make sure [8] style argument can be imported to achieve ind-cca secure attribute-based encryption without the prohibitively high cost. Loosely speaking, we create a binding constant-size commitment on the CPA-ciphertext to achieve ind-cca security such that the well-formedness of the ciphertext can be verified efficiently. To do this, we borrow techniques from [9] and [8]. Intuitively, we use a collision-resistant hash function to compute a commitment of the CPA-ciphertext and then use a one-time signature to ensure that no efficient adversary can replace the commitment with an arbitrary value of its choice. The CCA-security here, similar to [8], adds only three additional components to the CPA-ciphertext and requires only one additional pairing evaluation during the decryption. 1.3

Organization of This Paper

In Sect. 2, we present the definitions and mathematical preliminaries. In Sect. 3, we give a construction of pair encoding-based ABE using tags. In Sect. 4, we argue the security of the construction. Then, in Sect. 5, we compare the performance of this construction with the state-of-the-art. Finally, we conclude this paper in Sect. 6.

2

Preliminaries

Notations. For a, b ∈ N, [a, b] = {a, a + 1, . . . , b}. Further, we often use [a] to denote {1, . . . , a} for a ∈ N. A vector is denoted as v = (v1 , . . . , vn ) for some n ∈ N. For a finite set S, we write x ← S to say x is sampled uniformly at random from S. For a distribution D, we write x ← D to say that x is sampled from D. For two distributions X, Y , by X ≡ Y , we denote that the distribution for X is identically distributed to the distribution Y . For a matrix M ∈ Zk×t p k > t, we let M be the matrix consisting of the first t rows and M denotes the matrix consisting of rest of the rows. We use O to denote the zero matrix.

694

2.1

O. Blazy and S. Mukherjee

Strong One-Time Signature

Definition. A signature scheme consists of three probabilistic polynomial time algorithms, – Gen: It takes 1λ as input and outputs verification key vk and signing key sgk. – Sign: It takes a message m as input and uses sgk to compute a signature σ. – Verify: It takes the verification key vk, a message and signature pair (m , σ  ) as input and outputs 1 if σ  is a valid signature on m ; else outputs 0. Security Definition. Strong One-Time Signature (OTS) security is defined by the following game between challenger C and adversary A. – Gen: C runs (vk, sgk) ← Gen(1λ ). A is provided with vk. – Query: A is given access to oracle Sign(sgk, ·) for only one query. Let A queries with a message m and gets back the signature σ. – Forge: A outputs a pair (m , σ  ). Then, the advantage of adversary A is defined as following:     AdvsUf-CMA A,OTS (λ) = Pr [Verify(vk, m , σ ) = 1 : (m, σ) = (m , σ )] .

We call a signature strongly one-time secure if for all probabilistic polynomial time adversary A, its advantage is a negligible function of λ. 2.2

Bilinear Group

We assume Gabg to be the asymmetric bilinear group generator that generates the bilinear group description. Precisely, Gabg (1λ ) → (p, G1 , G2 , GT , e) such that G1 , G2 , GT are cyclic groups of prime order p and e : G1 × G2 → GT is an admissible non-degenerate pairing function. We also assume the description of G1 and G2 contain the descriptions of respective generators, namely, g1 and we define g2 . Then, following [11], for s ∈ {1, 2, T} and A = (aij ) ∈ Zβ×α p ⎞ ⎛ a gs 11 . . . gsa1α ⎟ ⎜ [A]s = ⎝ ... . . . ... ⎠ ∈ Gβ×α . Given A ∈ Zβ×α and B ∈ Zβ×γ , we define s p p a

a

gs β1 . .. gs βα e([A]1 , [B]2 ) = B A T . Distribution. Let Dk be a matrix sampling function. Then for (A, a⊥ ), (k+1)×k (B, b⊥ ) ← Dk such that both A, B ∈ Zp are full-rank (such that both   (k+1)×1 ⊥ ⊥ A, B are invertible) and a , b ∈ Zp where a⊥ A = b⊥ B = 0 but    a⊥ b⊥ = 0. Then, with high probability both A || b⊥ and B || a⊥ are basis due to the basis lemma of [9]. Sometimes we will abuse the notation and of Zk+1 p (k+1)×k

use U ← Dk which samples U ∈ Zp

where U is invertible.

D k -matDH Assumption. Let i ∈ {1, 2}. For any adversary A, the advantage function is defined as following k -matDH AdvD (λ) = | Pr[A([U]i , [Ux]i ) = 1] − Pr[A([U]i , [z]i ) = 1]| A

CCA-Secure ABE Using Tag and Pair Encoding

695

where U ← Dk , x ← Zkp and z ← Zk+1 . The Dk -matDH assumption states that p Dk -matDH AdvA (λ) is negligible in λ for all probabilistic polynomial time adversary A. Random Self-Reducibility of D k -matDH Assumption. The Dk -matDH assumption is random self-reducible [5,11]. Let i ∈ {1, 2}. For any adversary A, the advantage function is defined as following k -matDH Advm,D (λ) = | Pr[A([U]i , [UX]i ) = 1] − Pr[A([U]i , [Z]i ) = 1]| A

(k+1)×m

where U ← Dk , X ← Zk×m and Z ← Zp . Existing results [5,11] show p that the m-fold Dk -matDH problem is as hard as the Dk -matDH problem for any m ∈ N. This is because, for any m ∈ N, given a Dk -matDH problem instance, one can construct an m-fold Dk -matDH problem instance without the necessity (k+1)×k of hybrid argument. More precisely, given ([U]i , [z]i ) ∈ Gi × Gk+1 i  , choose k+1 t1 , . . . , tm ← Zp and define [Z]i = ([Z1 ]i , . . . , [Zm ]i ) where [Zj ]i = U z i · (k+1)×k

(k+1)×m

× Gi basically is an m-fold Dk -matDH tj . Then, ([U]i , [Z]i ) ∈ Gi problem instance. This happens since Dk -matDH is random self-reducible.

2.3

Attribute-Based Encryption

We first define the predicate family and then define attribute-based encryption. The predicate family for an index family χ is R = {Rκ }κ∈χ , where Rκ : Xκ × Yκ → {0, 1} is a predicate and Xκ and Yκ are the key-space and the data-space respectively. For a predicate Rκ : Xκ ×Yκ → {0, 1}, an attribute-based encryption ABE is defined as a collection of following four probabilistic polynomial time algorithms. – Setup: It takes 1λ as input and the predicate Rκ . It outputs a master secret key msk and the corresponding master public key mpk. – KeyGen: It takes msk and a key-index x ∈ Xκ as input and outputs a secret key sk. – Encrypt: It takes mpk, a data-index y ∈ Yκ and a message M ∈ M as input and outputs a ciphertext ct. – Decrypt: It takes mpk, a secret key sk and a ciphertext ct as input. It outputs M or ⊥. Correctness. For all (mpk, msk) ← Setup(1λ , Rκ ), all key-indexes x ∈ X , sk ← KeyGen(msk, x), all data-indexes y ∈ Y, all messages M ∈ M, all ct ← Encrypt(mpk, y, M ),

M if Rκ (x, y) = 1 Decrypt(mpk, sk, ct) = . ⊥ otherwise Security. Chosen ciphertext security of the attribute-based encryption scheme ABE can be modeled as a security game between challenger C and adversary A.

696

O. Blazy and S. Mukherjee

– Setup: C gives out mpk and keeps msk as secret. – Query Phase-I: Two kind of queries are done here. • Key Queries: Given a key-index x ∈ Xκ , returns sk ← KeyGen(msk, x). • Dec Queries: Given a key-index and a ciphertext (x, (ct , y)) ∈ Xκ × CT × Yκ , returns Decrypt(sk, ct ) where sk ← KeyGen(msk, x). – Challenge: A provides challenge data-index y (such that Rκ (x, y) = 0 for all key query x) and two messages (M0 , M1 ) of equal length. C generates ct ← Encrypt(mpk, y, M b) for b ← {0, 1}. – Query Phase-II: Similar to Query Phase-I. • Key Queries: Given a key-index x ∈ Xκ if Rκ (x, y) = 0, returns sk ← KeyGen(msk, x). • Dec Queries: Given a key-index and a ciphertext (x, (ct , y)) ∈ Xκ ×CT × Yκ , returns Decrypt(sk, ct ) where sk ← KeyGen(msk, x) if the conditions Rκ (x, y) = 1 and ct = ct are not satisfied together. – Guess: A outputs its guess b ∈ {0, 1} and wins if b = b . For any adversary A the advantage is,  Advind-cca A,ABE (λ) = | Pr[ b = b ] − 1/2|.

An attribute-based encryption scheme is said to be CCA-secure if for all probabilistic polynomial time adversary A, Advind-cca A,ABE (λ) ≤ neg(λ). 2.4

Pair Encoding

Attrapadung [4] introduced the notion of pair encoding while giving generic construction of attribute-based encryption in the composite-order bilinear groups. Then, he introduced the regular pair encoding in [5] to give generic construction of attribute-based encryption in the prime-order bilinear groups. This was followed by the works of Agrawal and Chase [1,2] who suggested alternative security definitions for pair encodings and obtained several new attribute-based encryptions. Here, we present the pair encoding definition by [2] which, as they claimed, already covers the existing pair encodings suggested by [1,4,5]. A pair encoding P for predicate Rκ : Xκ × Yκ → {0, 1} is defined by following four algorithms: – Param(κ) → n is the number of common variables in EncK and EncC where κ identifies the pair encoding scheme. Let w = (w1 , . . . , wn ) ∈ Znp denote the list of common variables. – EncK(x) → (m1 , m2 , k(r, u, w)). On input the key-index x ∈ Xκ , output a vector of polynomials k = (k1 , . . . , km3 ) in non-lone variables r = (r1 , . . . , rm1 ) and lone 1 variables u = (α, u1 , . . . , um2 ). For ι ∈ [m3 ], where bι , bιj , bιjk ∈ Zp , the ιth polynomial is given by, kι (r, u, w) = bι α + bιj uj + bιjk rj wk j∈[m2 ] 1

j∈[m1 ] k∈[n]

By lone, we mean no lone variable z will ever appear in the form of zwj for all j ∈ [n]. This representation was introduced in [2].

CCA-Secure ABE Using Tag and Pair Encoding

697

– EncC(y) → (q1 , q2 , c(s, t, w)). On input the data-index y ∈ Yκ , output a vector of polynomials c = (c1 , . . . , cq3 ) in non-lone variables s = (s0 , s1 , . . . , sq1 ) and lone variables t = (t1 , . . . , tq2 ). For ˜ι ∈ [q3 ], where a˜ιj , a˜ιjk ∈ Zp , the ˜ιth polynomial is given by, c˜ι (s, t, w) = a˜ιj tj + a˜ιjk sj wk j∈[q2 ]

j∈[0,q1 ] k∈[n] (q +1)×m3

– Pair(x, y) → (E, F). On input both x and y, output E ∈ Zp 1 F ∈ Zqp3 ×m1 .

and

Correctness. A pair encoding scheme is said to be correct if for all y ∈ Yκ , c ← EncC(y), all x ∈ Xκ , k ← EncK(x) and (E, F) ← Pair(x, y), if Rκ (x, y) = 1, kEs + rFc = kj Ej,i si + rj Fj,i ci = αs0 . i∈[0,q1 ] j∈[m3 ]

i∈[q3 ] j∈[m1 ]

Example. The following is a pair encoding for equality predicate Rκ (x, y) = 1 ⇐⇒ x = y. – – – –

Param → 2. Denote w = (w1 , w2 ). EncK(x) → k(r, u, w) = (α + r(w1 x + w2 )) where r = (r) and u = (α). EncC(y) → c(s, t, w) = (s(w1 y + w2 )) where s = (s) and t = φ. Pair(x, y) → E = (1) and F = (−1).

It is easy to verify that kEs + rFc = αs if Rκ (x, y) = 1. Regular Decryption Property. This property was introduced in [19] and was also used in [8]. For α ← Z∗p , (x, y) ∈ Xκ ×Yκ such that R(x, y) = 1, k ← EncK(x) and (E, F) ← Pair(x, y) then k(0, (α, 0), 0)E = (∗, 0, . . . , 0) ∈ Zqp3 where ∗ is any non-zero entry. Here, we note that all available pair encoding schemes satisfy this property. Perfect Security. A pair encoding P is said to be perfectly master-key hiding (aka PMH-secure) if the following holds. Suppose R(x, y) = 0. Let n ← Param(κ), k ← EncK(x) and c ← EncC(y). Then the following distributions are identical {c(s, t, w), k(r, (0, u), w)} and {c(s, t, w), k(r, (α, u), w)}

(1)

(q +1)

m2 1 and α ← Zp . where w ← Znp , s ← Zp 1 , t ← Zqp2 , r ← Zm p , u ← Zp Notice that, the equality predicate example we considered earlier is a PMH-secure pair encoding. This is because, {w1 x + w2 , w1 y + w2 } are pair-wise independent functions for x = y where x ∈ X and y ∈ Y if w1 , w2 are uniformly random elements chosen independently from Zp .

PMH∗ Security. In this work, we use a tweaked version of PMH security mentioned above. A pair encoding P is said to be PMH∗ -secure if the following holds.

698

O. Blazy and S. Mukherjee

Suppose R(x, y) = 0. Let n ← Param(κ), k ← EncK(x) and c ← EncC(y). Then the following distributions are identical. {c(s, 0, w), k(r, (0, 0), w)} and {c(s, 0, w), k(r, (α, 0), w)}

(2)

(q +1)

1 where w ← Znp , s ← Zp 1 , r ← Zm p , and α ← Zp . Intuitively, the lone variables t (resp. u) are usually used to link different components of ciphertexts (resp. secret keys) and they get nullified by themselves. The master-key hiding in such cases is, therefore, ensured by the so-called non-lone variables s and r.

Fact. The following property holds for PMH∗ -security of the pair encoding presented above. 1. The following distributions are identical as s in Eq. (2) is replaced by S symbolically. {c(S, 0, w), k(r, (0, 0), w)} and {c(S, 0, w), k(r, (α, 0), w)} k×(q1 +1)

where w ← Znp , S ← Zp

3

(3)

1 , r ← Zm p , and α ← Zp .

Construction

Here we present the construction of generic tag-based ABE from pair encoding P for predicate R : X × Y → {0, 1}.2 Being an ABE, this construction ABE is defined using four probabilistic polynomial time algorithms as following: – Setup(1λ , R): Run n ← Param(κ) and (p, G1 , G2 , GT , e) ← Gabg . Sample (k+1)×k A, B ← Dk and α ← Zk+1 . Sample Wi ← Zp for i ∈ [0, n] and p (k+1)×(k+1)

Vj ← Zp for j ∈ [2] to define W = (W0 , W1 , . . . , Wn ) and V = (V1 , V2 ). Choose a CRHF H : {0, 1}∗ → Zp and a pair-wise independent hash function H : GT → {0, 1} for that is polynomial in λ. Output the master secret and public key pair: msk = (W, V, α )



mpk =

[A]1 , [B]2 ,





 

Wi A

1

 i∈[0,n]

,



 

Vi A

1



i∈[2]

, [Vi B]2







 , α A i∈[2]

T

.

, H, H

– KeyGen(msk, x): On input x ∈ X , run k ← EncK(x). Sample r1 , . . . , rm1 ← to define R = (r1 , . . . , rm1 ) and U = Zkp and u1 , . . . , um2 ← Zk+1 p α, u1 , . . . , um2 ). Output the secret key sk = (K1 , K2 , K3 ) as following, (α K1 = {[rκ ]2 }κ∈[m1 ] K2 = {[W0 rκ ]2 }κ∈[m1 ]

.

K3 = {[kι (R, U, W)]2 }ι∈[m3 ] 2

From now on, we omit κ in the subscript for the simplicity of representation.

(4)

CCA-Secure ABE Using Tag and Pair Encoding

699

The component K3 above is defined as following where for ι ∈ [m3 ], each ιth polynomial is bιj uj + bιjk Wk rj . kι (R, U, W) = bια + (5) j∈[m2 ] j∈[m1 ] k∈[n]

– Encrypt(mpk, y, M ): On input y ∈ Y, run c ← EncC(y). Sample s0 , s1 , . . . , sq1 , t1 , . . . , tq2 ← Zkp to define S = (As0 , As1 , . . . , Asq1 ) and T = (t1 , . . . , tq2 ) implicitly. Sample γ1 , . . . , γn ← Zp and define Γ = (0, γ1 , . . . , γn ). Run (vk, sgk) ← OTS.Gen(1λ ). Output the ciphertext ct = (C0 , C1 , C2 , C3 , CT , vk, σ) as following,3 C0 = (C0 [0], C0 [1], . . . , C0 [q1 ]) = {[Asκ˜ ]1 }κ˜ ∈[0,q1 ] C1 = (C1 [1], . . . , C1 [q3 ]) = {[c˜ι (S, O, Γ )]1 }˜ι∈[q3 ] C2 = (C2 [1], . . . , C2 [q3 ]) = {[ˆc˜ι (S, T, W)]1 }˜ι∈[q3 ]  C3 = (V1 + ηV2 )As0 1  CT = M ⊕ H( α  As0 T )

(6)

σ = OTS.Sign(sgk, C3 ) where η = H(C0 , C1 , C2 , CT , vk). The components C1 and C2 in Eq. (6) are defined as collections of polynomials where for ˜ι ∈ [q3 ], each ˜ιth polynomial is a˜ιjk γk Asj c˜ι (S, O, Γ ) = j∈[0,q1 ] k∈[n]

ˆc˜ι (S, T, W) =



j∈[q2 ]

a˜ιj tj +



a˜ιjk (Wk + γk W0 )Asj .

(7)

j∈[0,q1 ] k∈[n]

= c˜ι (S, T, W) + W0 c˜ι (S, O, Γ ) – Decrypt(mpk, (sk, x), (ct, y)): Parse ct = (C0 , C1 , C2 , C3 , CT , vk, σ) and sk = (K1 , K2 , K3 ). If R(x, y) = 0 or if OTS.Verify(vk, C3 , σ) evaluates to 0, output ⊥ and abort. Otherwise, run (E, y). Com F) ← Pair(x, (K3 [κ])Eκι . Recompute pute tk = (tk0 , tk1 , . . . , tkq1 ) where tkι = κ∈[m3 ]

η = H(C0 , C1 , C2 , CT , vk) and sample r0 ← Zkp to define altKey ak = (ak0 , ak1 , . . . , akq1 , akq1 +1 ) where ak0 = tk0 · [(V1 + ηV2 )Br0 ]2 , aki = tki for all i ∈ [q1 ] and akq1 +1 = [Br0 ]2 . Compute

  e(C0 [i], aki ) α As0 T ← e(C3 , akq1 +1 )−1 · ·

i∈[q3 ] j∈[m1 ]

3

i∈[0,q1 ]

e(C1 [i], K2 [j])−Fj,i ·

e(C2 [i], K1 [j])Fj,i

i∈[q3 ] j∈[m1 ]

Here, we abused the notation a little to accommodate [As0 ]1 .

(8)

700

O. Blazy and S. Mukherjee

 and obtain M ← CT ⊕ H( α  As0 T ). Correctness. Note that R(x, y) = 1. During decryption, we compute the following:

A = e(C3 , akq1 +1 )−1 ·

e(C0 [i], aki )

i∈[0,q1 ]

  = e( (V1 + ηV2 )As0 , [Br0 ]2 )−1 · e(C0 [0], [(V1 + ηV2 )Br0 ]2 ) · 1

=

i∈[0,q1 ]

B=





e(C0 [i], tki ) =

i∈[0,q1 ] j∈[m3 ]

D=



i∈[q3 ] j∈[m1 ]

=



i∈[q3 ] j∈[m1 ]

e(C2 [i], K1 [j])Fj,i =



i∈[q3 ] j∈[m1 ]





i∈[q3 ] j∈[m1 ]

=



i∈[q3 ] j∈[m1 ]

=



i∈[q3 ] j∈[m1 ]

e([ci (S, O, Γ )]1 , [W0 rj ]2 )−Fj,i

e([ˆ ci ]1 , [rj ]2 )Fj,i

e( ci (S, T, W) + W0 ci (S, O, Γ )

i∈[q3 ] j∈[m1 ]

=

e(C0 [i], tki )

i∈[0,q1 ]

e([Asi ]1 , [kj ]2 )Ej,i

e(C1 [i], K2 [j])−Fj,i =

i∈[q3 ] j∈[m1 ]



e([ci (S, T, W)]1 , [rj ]2 )Fj,i e([ci (S, T, W)]1 , [rj ]2 )Fj,i



i∈[q3 ] j∈[m1 ]



i∈[q3 ] j∈[m1 ]

1

, [rj ]2 )Fj,i

  e( W0 ci (S, O, Γ ) , [rj ]2 )Fj,i 1

e([ci (S, O, Γ )]1 , [W0 rj ]2 )Fj,i

e([ci (S, T, W)]1 , [rj ]2 )Fj,i · B −1

Then, A × B × D

=

i∈[0,q1 ] j∈[m3 ]

e([Asi ]1 , [kj ]2 )Ej,i

i∈[q3 ] j∈[m1 ]

e([ci ]1 , [rj ]2 )Fj,i

=

 H( α  As0 T ) due to the correctness of the pair encoding P following [2]. Alternative Decryption. The function Decrypt can be viewed as the composition of two sub-functions AltKeyGen and AltDecrypt where at first AltKeyGen(mpk, (sk, x), (ct, y)) computes an altKey ak which  AltDecrypt((K1 , K2 , ak), (ct, y)) uses to compute α  As0 T and thus the message M . Precisely, given the public key mpk, a secret key sk corresponding to a key-index x and a ciphertext ct corresponding to data-index y, AltKeyGen aborts if R(x, y) = 0 or OTS signature verification does not hold. Otherwise, AltKeyGen defines tk and subsequently the altKey ak just as was done in case of Decrypt above. On the other hand, AltDecrypt takes an altKey ak, two key components (K1 , K2 ) and a ciphertext ct as input and evaluates the pairing product equation in Eq. (8). Defining Decrypt in terms of AltKeyGen and AltDecrypt is helpful during the security proof of ABE that we see in the coming section.

CCA-Secure ABE Using Tag and Pair Encoding

701

Remark 1. We also define an alternative Setup as following that will be used in (k+1)×k the security proof. Setup (1λ ; [A]1 ): Sample B ← Dk such that B ∈ Zp . Then define α , β, W, V, H and H just as Setup above and output msk and mpk just as above.

4

Security

Here, we argue the security of ABE which is a tag-based ABE from pair encoding. We show that under the Dk -matDH assumption, ABE is ind-cca secure provided the hash function H is CRHF and the signature OTS is a strong OTS. Theorem 1. Suppose a regular decryption pair encoding scheme P for predicate R is PMH∗ -secure and the Dk -Matrix DH Assumption holds in Gabg . Then ABE is ind-cca secure encryption scheme if H is a collision resistant hash function and OTS is a strong one-time signature. More precisely, for any PPT adversary A of ABE in the ind-cca model that makes at most q secret key queries and at most Q decryption queries, there exist PPT algorithms B1 , B2 , B3 such that, Dk -matDH sUf-CMA (λ)+Q·(AdvCRH Advind-cca A,ABE (λ) ≤ (2q+2Q+1)·AdvB1 B2 ,H (λ)+AdvB3 ,OTS (λ))+ 1/pk+1 + 2−Ω( ) We argue the security using dual system technique [25]. The security proof is essentially a hybrid argument derived from [8,10] where first we make the ciphertext semi-functional, then all the secret keys are made semi-functional and then all the altKeys are made semi-functional. Finally, we argue that the ciphertext is basically an encryption of a random message. We explain the sequence of games in the hybrid argument a little more elaborately in an informal manner next. Note that, Game0 is the real security game. Then, in Game1 , we make the challenge ciphertext semi-functional. Next, we change all the q normal secret keys to type-3 semi-functional secret keys one by one. Basically we modify each ith secret key to type-j semi-functional secret key in Game2,i,j for each i ∈ [q] and j ∈ {1, 2, 3}. Once all the secret keys are turned type-3 semi-functional, we proceed to change altKeys to make them type-3 semi-functional one by one. Here, we modify each ith altKey to type-j semi-functional altKey in Game3,i,j for each i ∈ [Q] and j ∈ {1, 2, 3}. In the final game Game4 , we show that the ciphertext is independent of b except with negligible probability. Therefore, the advantage of adversary A in Game4 is negligible and this concludes the security. Note that, in the sequence of games mentioned above, we use Game2,0,3 and Game3,0,3 to denote Game1 and Game2,q,3 respectively. We now proceed to argue the security following the overall idea presented above. For this, we first define different semi-functional algorithms that will be useful in the security argument.

702

4.1

O. Blazy and S. Mukherjee

Semi-functional Algorithms

The semi-functional (SF) algorithms which will be used in the security proof are described in this section. (k+1)×k

and – SFSetup(1λ ): Run (A, a⊥ ), (B, b⊥ ) ← Dk such that A, B ∈ Zp    (k+1)×1 where a⊥ A = b⊥ B = 0 but a⊥ b⊥ = 0. Sample a⊥ , b⊥ ∈ Zp (k+1) (k+1)×k    α ← Zp and β ∈ Z to define p . Choose W0 , W1 , . . . , Wn ← Zp (k+1)×(k+1)     to define V = (V1 , V2 ); W = W0 , W1 , . . . , Wn ; V1 , V2 ← Zp  ˆ γ1 W, ˆ ..., γ1 , . . . , γn ← Zp to define Γ = (0, γ1 , . . . , γn ) and define  W = − W,    M (k+1)×k ˆ for W ˆ = a⊥ (MM−1 ) ∈ Z(k+1)×k for some M = γn W ∈ Zp p M  i + γi W ˆ for all i ∈ [n] with M ∈ Zk×k invertible. Program Wi = W p  ˆ and W0 = W0 − W such that W = (W0 , W1 , . . . , Wn ). Choose a CRHF H : {0, 1}∗ → Zp and a pair-wise independent hash function H : GT → {0, 1} . Compute the following: = msk mpk =

  , Γ, V, α ; β, A, B, a⊥

,W W     [A]1 , [B]2 ,



Wi A

1

i∈[0,n]

 ,



 

Vi A

1



i∈[2]

, [Vi B]2

 i∈[2]







 ; α A

T

, H, H

Remark 2. We define an alternative form of SFSetup as following that will be used in the security proof. SFSetup (1λ ; A, a⊥ , [M]2 ): Sample B ← Dk such that (k+1)×k B ∈ Zp . Then define α , β,  W,  W, Γ , V, H and H just as SFSetup above  and output msk and mpk just as above. (k+1)×1  λ ): Run (A, a⊥ ) ← Dk such that A ∈ Z(k+1)×k – SFSetup(1 and a⊥ ∈ Zp p  (k+1)×k where a⊥ A = 0. Run B ← Dk such that B ∈ Zp . Sample α ← (k+1) (k+1)×k Zp and β ∈ Zp . Choose W0 , W1 , . . . , Wn ← Zp to define W = (k+1)×(k+1) (W0 , W1 , . . . , Wn ); V1 , V2 ← Zp to define V = (V1 , V2 ); and γ1 , . . . , γn ← Zp to define Γ = (0, γ1 , . . . , γn ). Choose a CRHF H : {0, 1}∗ → Zp and a pair-wise independent hash function H : GT → {0, 1} . Setup the following:

= msk mpk =

 W, V, Γ, α ; β, A, a⊥     [A]1 , [B]2 ,





Wi A

1

i∈[0,n]

,



 

Vi A

1



i∈[2]

, [Vi B]2

 i∈[2]







 ; α A

T

, H, H

 as following that will be used Remark 3. We also define an alternative SFSetup  λ ⊥  in the security proof. SFSetup (1 ; A, a , [B]2 ): Define α , β, W, V, H and H just  and mpk just as above.  above and output msk as SFSetup  x, type, β): Run k ← EncK(x). Choose r1 , . . . , rm ← Zk , – SFKeyGen(msk, p 1 , rˆ1 , . . . , rˆm1 ← Zp to define R = (r1 , . . . , rm1 ), U = u1 , . . . , um2 ← Zk+1 p

CCA-Secure ABE Using Tag and Pair Encoding

703

α, u1 , . . . , um2 ) and ˆr = (ˆ (α r1 , . . . , rˆm1 ). Then there are three types of semifunctional secret keys sk = (K1 , K2 , K3 ) defined as following: K1 = {[rκ ]2 }κ∈[m1 ]

  W0 rκ − a⊥ rˆκ 2 κ∈[m ] if type = 1, 2 1 K2 = if type = 3 {[W0 rκ ]2 }κ∈[m1 ] ⎧  ⎪ k (R, U, W) + a⊥ kι (ˆr , (0, 0), Γ ) 2 ι∈[m ] ⎪ ⎨ ι 3  kι (R, U, W) + a⊥ kι (ˆr , (β, 0), Γ ) 2 ι∈[m ] K3 = 3 ⎪ ⎪ ⎩kι (R, U, W) + a⊥ kι (0, (β, 0), Γ ) 

2 ι∈[m3 ]

if type = 1

(9)

if type = 2 if type = 3

, (β, 0), Γ )  where kι (R, U, W) + a⊥ kι (ˆr  α + βa⊥ ) + = bι (α bιj uj + bιjk Wk rj + a⊥ bιjk γk rˆj . j∈[m2 ]

j∈[m1 ] k∈[n]

j∈[m1 ] k∈[n]

 y ∈ Y, M ): Run c ← EncC(y). Choose  s1 , . . . ,  sq1 ← – SFEncrypt(mpk, msk, s0 ,  k+1   = (  = Zp ; t1 , . . . ,  tq2 ← Zkp to define S s0 ,  s1 , . . . ,  sq1 ) and T λ   (t1 , . . . , tq2 ). Run (vk, sgk) ← OTS.Gen(1 ). Then the ciphertext ct = (C0 , C1 , C2 , C3 , CT , vk, σ) is computed as following, sκ˜ ]1 }κ˜ ∈[0,q1 ] C0 = {[ !   O, Γ ) C1 = c˜ι (S, 1 ˜ ι∈[q3 ]  !   C2 = ˆc˜ι (S, T, W) 1 ˜ ι∈[q3 ]    C3 = (V1 + ηV2 ) s0   1 CT = M ⊕ H( α  s0 T )

(10)

σ = OTS.Sign(sgk, C3 ) where η = H(C0 , C1 , C2 , CT , vk). The components C1 and C2 in Eq. (10) are defined as following where for ˜ι ∈ [q3 ], each ˜ιth polynomial is    O, Γ = c˜ι S, a˜ιjk γk sj j∈[0,q1 ] k∈[n]

 T,  W) = ˆc˜ι (S,



j∈[q2 ]

a˜ιj  tj +



a˜ιjk (Wk + γk W0 ) sj

.

(11)

j∈[0,q1 ] k∈[n]

 x, (ct, y), type, ξ): Parse ct = (C0 , C1 , C2 , C3 , CT , vk, – SFAltKeyGen(mpk, msk, σ). If R(x, y) = 0 or if OTS.Verify(vk, C3 , σ) evaluates to 0, output ⊥ and abort. Create a normal secret key sk = (K1 , K2 , K3 ) ← KeyGen(msk, x) where  Then run (E, F) ← observe that msk = (W, V, α ) is contained in given msk. (K3 [κ])Eκι . Pair(x, y). Compute tk = (tk0 , tk1 , . . . , tkq1 ) where tkι = κ∈[m3 ]

704

O. Blazy and S. Mukherjee

Then define the altKey ak = (ak0 , ak1 , . . . , akq1 , akq1 +1 ) where ak0 = tk0 · Φ and aki = tki for all i ∈ [q1 ] such that ⎧    ⊥ ⊥ ⎪ ⎨(V1 + ηV2 )(Br0 + a ˆr0 ) 2 , Br0 +a ˆr0 2  (Φ, akq1 +1 ) = ξa⊥ + (V1 + ηV2 )(Br0 + a⊥ˆr0 ) 2 , Br0 + a⊥ˆr0 2 ⎪   ⎩ ⊥ ξa + (V1 + ηV2 )Br0 2 , [Br0 ]2

if type = 1 if type = 2 if type = 3

(12)

for r0 ← Zkp , ˆr0 ← Zp and η = H(C0 , C1 , C2 , CT , vk). 4.2

Sequence of Games

Now we present the hybrid argument to show our construction ABE is ind-cca secure. This is done by presenting a series of lemmas which together show that the real security scenario (i.e. Game0 ) and the final game (i.e. Game4 ) are computationally indistinguishable for all PPT adversaries. Since Game4 produces a ciphertext of a random message, we finally argue that no PPT adversary can get any new information about M b and this, therefore, completes the proof of Theorem 1. Lemma 1. (Game0 to Game1 ) For any efficient adversary A that makes at most q secret key queries and Q decryption queries, there exists a PPT algorithm B k -matDH (λ). such that |Pr [X0 ] −Pr [X1 ] | ≤ AdvD B Proof. Given a Dk -matDH instance ([A]1 , [z]1 ) for A ← Dk and z ∈ Zk+1 , p B first uses random self-reducibility of Dk -matDH to construct a (1 + q1 )-fold (k+1)×k (k+1)×(1+q1 ) Dk -matDH instance ([A]1 , [Z]1 ) for A ∈ Zp and Z ∈ Zp . Then B does the following: – Setup: Runs (msk, mpk) ← Setup (1λ ; [A]1 ). – Key Queries: Given x ∈ X , B returns sk ← KeyGen(msk, x) as msk is known to B. – Dec Queries: Given any (x, (ct, y)) ∈ X × CT × Y such that ct encrypts data-index y, if R(x, y) = 0 or OTS verification rejects, B outputs ⊥ and aborts. Otherwise, B runs sk = (K1 , K2 , K3 ) ← KeyGen(msk, x) and ak ← AltKeyGen(mpk, (sk, x), (ct, y)) as msk is known to itself and returns AltDecrypt((K1 , K2 , ak), (ct, y)).  = Z such that – Challenge: B chooses  t1 , . . . ,  tq2 ← Zkp and implicitly sets S  = (  = ( s1 , . . . ,  sq1 ) and T t1 , . . . ,  tq2 ). It also chooses γ1 , . . . , γn ← Zp S s0 ,  and defines Γ = (0, γ1 , . . . , γn ). Then it runs (vk, sgk) ← OTS.Gen(1λ ) and computes the ciphertext ct = (C0 , C1 , C2 , C3 , CT , vk, σ) as, C0 = {[ sκ˜ ]1 }κ˜ ∈[0,q1 ] ⎧⎡ ⎤ ⎪ ⎪ ⎨⎢ ⎥ sj ⎥ C1 = ⎢ a˜ιjk γk ⎣ ⎦ ⎪ ⎪ ⎩ j∈[0,q1 ] k∈[n]

1

⎫ ⎪ ⎪ ⎬ ⎪ ⎪ ⎭ ˜ ι∈[q3 ]

CCA-Secure ABE Using Tag and Pair Encoding

⎧⎡ ⎤ ⎪ ⎪ ⎨⎢ ⎥ C2 = ⎢ a˜ιj  a˜ιjk (Wk + γk W0 ) sj ⎥ tj + ⎣ ⎦ ⎪ ⎪ j∈[0,q1 ] ⎩ j∈[q2 ] C3 = CT =





(V1

k∈[n]

1

705

⎫ ⎪ ⎪ ⎬ ⎪ ⎪ ⎭ ˜ ι∈[q3 ]

+ ηV2 ) s0   1 s0 T ) M b ⊕ H( α 

σ = OTS.Sign(sgk, C3 ) for η ← H(C0 , C1 , C2 , CT , vk). – Key Queries: Same as Query Phase-I. – Dec Queries: Same as Query Phase-I. – Guess: A outputs b as its guess of b. Then B outputs 1 if b = b and 0 otherwise. Observe that, if z ∈ span(A), then for all i ∈ [1 + q1 ], Zi ∈ span(A) and the / span(A), then for all i ∈ [1 + q1 ], output is identical to that of Game0 . If z ∈ Zi ∈ / span(A) and the output is identical to that of Game1 . Therefore, this lemma holds. Lemma 2. (Game2,i−1,3 to Game2,i,1 ) For i ∈ [q], for any efficient adversary A that makes at most q secret key queries and Q decryption queries, there exists a k -matDH (λ). PPT algorithm B such that |Pr [X2,i−1,3 ] − Pr [X2,i,1 ] | ≤ AdvD B Proof. Given a Dk -matDH instance ([M]1 , [y]1 ) for M ← Dk and y ∈ Zk+1 , p B first uses random self-reducibility of Dk -matDH to construct a m1 -fold (k+1)×k (k+1)×m1 Dk -matDH instance ([M]1 , [Y]1 ) for M ∈ Zp and Y ∈ Zp where Y = (Z1 , . . . , Zm1 ). Then B does the following:  mpk) ← SFSetup (1λ ; (A, a⊥ , – Setup: Samples (A, a⊥ ) ← Dk . Runs (msk, [M]2 )). – Key Queries: For j th secret key query on x ∈ X , there are three cases: 1. j > i: B creates normal secret keys. First it samples r1 , . . . , rm1 ← Zkp   and implicitly sets  rι = Mrι for all ι ∈ [m1 ]. Since, Wk is known to B,  k rι for any k ∈ [0, n] and ι ∈ [m1 ]. Furthermore, B it can compute W 2

. Then it defines R = (r1 , . . . , rm1 ) and U = samples u1 , . . . , um2 ← Zk+1 p   ˆ ι = a⊥ · (Mr ) . α, u1 , . . . , um ). This then allows B to define Wr (α 2

ι

2

2

 k + γk W  0 − W. ˆ ˆ for all k ∈ [n] and W0 = W Recall that Wk = W    ˆ Therefore, B can compute [Wk rι ]2 from Wk rι and Wrι for any 2

2

k ∈ [0, n] and ι ∈ [m1 ]. Finally, B outputs sk = (K1 , K2 , K3 ) as following, K1 = {[rκ ]2 }κ∈[m1 ] K2 = {[W0 rκ ]2 }κ∈[m1 ]

706

O. Blazy and S. Mukherjee

⎫ ⎪ ⎪ ⎬

⎧⎡ ⎤ ⎪ ⎪ ⎨⎢ ⎥ bι α + K3 = ⎢ bιj uj + bιjk Wk rj ⎥ ⎣ ⎦ ⎪ ⎪ j∈[m2 ] j∈[m1 ] ⎩ k∈[n]

.

⎪ ⎪ ⎭

2

ι∈[m3 ]

2. j = i: B sets rι = Zι = M ·  rι implicitly for all ι ∈ [m1 ]. Again,    Wk is known to B, it can compute Wk rι for any k ∈ [0, n] and 2

. Then it defines ι ∈ [m1 ]. Furthermore, B samples u1 , . . . , um2 ← Zk+1 p α, u1 , . . . , um2 ). Note that, a⊥ · Zι = R = (r1 , . . . , rm1 ) and U = (α −1 ˆ ι + a⊥ rˆι for all rι + rˆι ) = a⊥ · (MM ) · (M rι ) + a⊥ rˆι = Wr a⊥ · (M ι ∈ [m1 ]. Finally, B outputs sk = (K1 , K2 , K3 ) as following,  Zκ 2 κ∈[m ] 1



K2 = W0 Zκ − a⊥ Zκ 2 κ∈[m1 ] ⎧⎡ ⎤ ⎪ ⎪ ⎨⎢    ⎥ k Zj + K3 = ⎢ bιj uj + bιjk W bιjk γk a⊥ Zj ⎥ ⎣bι α + ⎦ ⎪ ⎪ j∈[m2 ] j∈[m1 ] j∈[m1 ] ⎩ K1 =



k∈[n]

k∈[n]

⎫ ⎪ ⎪ ⎬ ⎪ ⎪ ⎭ 2

ι∈[m3 ]

Now, we show that K2 and K3 are properly distributed. K2 =

    0 rκ − Wr ˆ κ − a⊥ rˆκ W 2

κ∈[m1 ]

=

   ⊥ W0 rκ − a rˆκ 2

κ∈[m1 ]

⎧⎡ ⎤ ⎪ ⎪ ⎪ ⎨⎢ ⎥    ⎢  k rj + ˆ j + a⊥ rˆj )⎥ K3 = ⎢bια + bιj uj + bιjk W bιjk γk (Wr ⎥ ⎪ ⎣ ⎦ ⎪ ⎪ j∈[m2 ] j∈[m1 ] j∈[m1 ] ⎩

⎫ ⎪ ⎪ ⎪ ⎬

⎧⎡ ⎤ ⎪ ⎪ ⎪ ⎥ ⎨⎢    ⎥ ⎢ ⊥ ˆ j+  k + γk W)r = ⎢ bι α + bιj uj + bιjk (W bιjk γk a rˆj ⎥ ⎪ ⎦ ⎣ ⎪ ⎪ j∈[m ] j∈[m ] j∈[m ] 2 1 1 ⎩

⎫ ⎪ ⎪ ⎪ ⎬

k∈[n]

k∈[n]

k∈[n]

2

k∈[n]

⎧⎡ ⎤ ⎪ ⎪ ⎪ ⎨⎢ ⎥   ⎢ ⎥ ⊥ = ⎢ bι α + bιj uj + bιjk Wk rj + a kι (ˆ r , (0, 0), Γ )⎥ ⎪ ⎣ ⎦ ⎪ ⎪ j∈[m ] j∈[m ] 2 1 ⎩ k∈[n]

=

   ⊥ kι (R, U, W) + a kι (ˆ r , (0, 0), Γ ) 2

2

⎫ ⎪ ⎪ ⎪ ⎬

⎪ ⎪ ⎪ ⎭

2

ι∈[m3 ]

⎪ ⎪ ⎪ ⎭ ι∈[m3 ]

⎪ ⎪ ⎪ ⎭ ι∈[m3 ]

ι∈[m3 ]

3. j < i: B returns type-3 semi-functional secret key sk  x, 3, β). SFKeyGen(msk,



CCA-Secure ABE Using Tag and Pair Encoding

707

– Dec Queries: Given any (x, (ct, y)) ∈ X × CT × Y such that ct encrypts data-index y, if R(x, y) = 0 or OTS verification rejects, B outputs ⊥ and aborts. Otherwise, B creates a normal secret key sk = (K1 , K2 , K3 ) just as above to compute the altKey ak ← AltKeyGen(mpk, (sk, x), (ct, y)) and returns AltDecrypt((K1 , K2 , ak), (ct, y)). s , . . . , sq1 ← Zk+1 ;  t1 , . . . ,  tq2 ← Zkp to define – Challenge: B chooses  s0 ,  p   1 =   = ( s1 , . . . ,  sq1 ) , T tq2 . It runs (vk, sgk) ← OTS.Gen(1λ ) and S s0 ,  t1 , . . . ,  computes the ciphertext ct = (C0 , C1 , C2 , C3 , CT , vk, σ) as following, sκ˜ ]1 }κ˜ ∈[0,q1 ] , C0 = {[ ⎧⎡ ⎤ ⎪ ⎪ ⎨⎢ ⎥ sj ⎥ a˜ιjk γk C1 = ⎢ ⎣ ⎦ ⎪ ⎪ ⎩ j∈[0,q1 ] k∈[n]

⎫ ⎪ ⎪ ⎬

 =

⎪ ⎪ ⎭

1

 O, Γ ) c˜ι (S,

˜ ι∈[q ]

3 ⎧⎡ ⎤ ⎪ ⎪ ⎨⎢ ⎥   ⎥  s C2 = ⎢ a + a t W ˜ ι j j ˜ ι jk j k ⎣ ⎦ ⎪ ⎪ j∈[0,q1 ] ⎩ j∈[q2 ]

k∈[n]

C3 = CT =

⎫ ⎪ ⎪ ⎬ =

⎪ ⎪ ⎭

1

! 1

˜ ι∈[q3 ]

,

!   T,   ˆc˜ι (S, W) 1

˜ ι∈[q3 ]

˜ ι∈[q3 ]

(V1

+ ηV2 ) s0   s0 T ), M b ⊕ H( α 

σ = OTS.Sign(sgk, C3 ) where η = H(C0 , C1 , C2 , CT , vk). Here we show that C2 is properly distributed. Observe that, for ˜ι ∈ [q3 ],  T,  W) = c˜ι (S,  T,  W) + W c˜ι (S,  O, Γ ) ˆc˜ι (S, 0 a˜ιj  a˜ιjk Wk a˜ιjk γk W0 = tj + sj + sj j∈[q2 ]

=



j∈[0,q1 ] k∈[n]

a˜ιj  tj +

j∈[q2 ]

+



  a˜ιjk γk W 0 sj − a˜ιj  tj +

j∈[q2 ]

=



  a˜ιjk W k sj +

j∈[0,q1 ] k∈[n]

j∈[0,q1 ] k∈[n]

=



j∈[0,q1 ] k∈[n]

j∈[0,q1 ] k∈[n]

a˜ιj  tj +

j∈[q2 ]

 T,   = ˆc˜ι (S, W)



j∈[0,q1 ] k∈[n]





ˆ  sj a˜ιjk γk W

j∈[0,q1 ] k∈[n]

ˆ  sj a˜ιjk γk W

j∈[0,q1 ] k∈[n]

  a˜ιjk W k sj +



  ) a˜ιjk (γk W 0 sj

j∈[0,q1 ] k∈[n]

  + γk W   ) a˜ιjk (W k 0 sj

708

O. Blazy and S. Mukherjee

Therefore ct is a semi-functional ciphertext. – Key Queries: Same as Query Phase-I. – Dec Queries: Same as Query Phase-I. – Guess: A outputs b as its guess of b. Then B outputs 1 if b = b and 0 otherwise. Observe that, if y ∈ span(M), then Zi ∈ span(M) for all i ∈ [m1 ] so that ˆr = 0 and the output is identical to that of Game2,i−1,3 . If y ∈ / span(M), then 1 / span(M) for all i ∈ [m1 ] so that ˆr ← Zm Zi ∈ p , the output is identical to that of Game2,i,1 . Therefore, this lemma holds. Lemma 3. (Game2,i,1 to Game2,i,2 ) For i ∈ [q], for all adversary A, |Pr [X2,i,1 ]− Pr [X2,i,2 ] | = 0. Proof Sketch. Firstly C1 in the iscompletely  challenge   determined  ciphertext         O, Γ for by c˜ι S, O, Γ . Moreover, ˆc˜ι S, T, W = c˜ι S, T, W + W0 c˜ι S,     T,  W does not give any new information any ˜ι ∈ [q3 ]. Therefore, C2 = ˆc˜ι S, 1

about Γ . From Eqs. (4) and (9), it is clear that the so-called semi-functional comr , (β, 0), ! Γ ) where β =!0 in Game2,i,1 and β ← Zp in Game2,i,2 . ponent is a⊥ kι (ˆ   (1)

(2)

≡ ct, ski

(d)

where ski denotes the ith secret key in   !   O, Γ , a⊥ k(ˆr , (0, 0), Γ ) ≡ Game2,i,d essentially boils down to arguing c S,   !   O, Γ , a⊥ k(ˆr , (β, 0), Γ ) . Now, this holds due to the PMH∗ security of c S, the pair encoding P as mentioned in Eq. (3). The argument ct, ski

Lemma 4. (Game2,i,2 to Game2,i,3 ) For i ∈ [q], for any efficient adversary A that makes at most q secret key queries and Q decryption queries, there exists a k -matDH (λ). PPT algorithm B such that |Pr [X2,i,2 ] − Pr [X2,i,3 ] | ≤ AdvD B Proof Sketch. The proof is similar to that for Lemma 2. Lemma 5. (Game3,i−1,3 to Game3,i,1 ) For i ∈ [Q], for any efficient adversary A that makes at most q secret key queries and Q decryption queries, there exists k -matDH (λ). a PPT algorithm B such that |Pr [X3,i−1,3 ] − Pr [X3,i,1 ] | ≤ AdvD B , B does Proof. Given Dk -matDH instance [B]2 , [y]2 for B ← Dk and y ∈ Zk+1 p the following: 

 mpk) ← SFSetup  (1λ ; (A, a⊥ , – Setup: Samples (A, a⊥ ) ← Dk . Runs (msk,  [B]2 )). It also defines msk = (W, V, α ) and msk = (W, V, α + βa⊥ ) where the  variables involved in msk and msk are available from msk. – Key Queries: Given key-index x ∈ X , B returns type-3 semi-functional secret key sk ← KeyGen(msk , x). – Dec Queries: On j th decryption query on (x, (ct, y)) ∈ X × CT × Y where ct is a ciphertext on the data-index y, if R(x, y) = 0 or OTS verification rejects, B returns ⊥ and aborts. Otherwise it computes the altKey ak as following and returns AltDecrypt((K1 , K2 , ak), (ct, y)) to A.

CCA-Secure ABE Using Tag and Pair Encoding

709

1. j > i: B computes normal altKey ak ← AltKeyGen(mpk, (sk, x), (ct, y)) for sk = (K1 , K2 , K3 ) ← KeyGen(msk, x). 2. j = i: B first creates normal secret key sk = (K1 , K2 , K3 ) ← KeyGen(msk, x). It then computes corresponding tk = (tk0 , tk1 , . . . , tkq1 ). Then compute the altKey ak = (ak0 , ak1 , . . . , akq1 , akq1 +1 ) where: ⎧ ⎪ ⎨tk0 · [(V1 + ηV2 )y]2 if k = 0 akk = tkk if k ∈ {1, . . . , q1 } ⎪ ⎩ if k = q1 + 1 [y]2

– – – –

for η = H(C0 , C1 , C2 , CT , vk).  x, (ct, y), 3, β) which is 3. j < i: B computes ak ← SFAltKeyGen(mpk, msk, type-3 semi-functional altKey that implicitly constructed normal secret key sk = (K1 , K2 , K3 ) ← KeyGen(msk, x). Challenge: Returns ct ← SFEncrypt(mpk, msk, y, M b). Key Queries: Same as Query Phase-I. Dec Queries: Same as Query Phase-I. Guess: A outputs b as its guess of b. B outputs 1 if b = b and 0 otherwise.

Then if y ∈ span(B), then the altKey is normal altKey and thus, we are in Game3,i−1,3 ; otherwise the key is type-1 semi-functional altKey and thus, we are in Game3,i,1 . Lemma 6. (Game3,i,1 to Game3,i,2 ) For i ∈ [Q], for all adversary A we have sUf-CMA |Pr [X3,i,1 ] − Pr [X3,i,2 ] | ≤ AdvCRH B2 ,H (λ) + AdvB3 ,OTS (λ) for H is a collision resistant hash function and OTS is a strong one-time signature. Proof Sketch. Here, like [8], we argue that the joint distribution of {ct, ak} for ak type-1 semi-functional altKey is identical to the joint distribution of {ct, ak} for ak type-2 semi-functional altKey where ct is semi-functional challenge ciphertext. As sk in both the distribution is type-3 semi-functional and does not involve  already provides. V, it can be simulated knowing the msk that msk th Suppose, the i decryption query is made on ct(i) from which the correspond(i) (i) (i) (i) (i) ing altKey ak is computed. Suppose ct(i) = (C0 , C1 , C2 , C3 , CT , vk(i) , σ (i) ). (i) By natural restriction ct = ct . Now there could be following two mutually exclusive and exhaustive cases: (i)

(i)

(i)

(i)

1. If (C0 , C1 , C2 , CT , vk(i) ) = (C0 , C1 , C2 , CT , vk), then this results in a (i) forgery of strong one-time signature OTS as (C3 , σ (i) ) = (C3 , σ). (i) (i) (i) (i) (i) (i) 2. If (C0 , C1 , C2 , CT , vk(i) ) = (C0 , C1 , C2 , CT , vk), then η (i) = H(C0 , C1 , (i) (i) C2 , CT , vk(i) ) and η = H(C0 , C1 , C2 , CT , vk) are unequal unless otherwise we break collision resistance of the hash function H. Recall that both type-1 and type-2 semi-functional altKey are defined from tk = (tk0 , . . . , tkq1 ) as ak = (ak0 , . . . , akq1+1 ) where ak 0 = tk0 · Φ, aki = tki for all i ∈ [q1 ] and akq1 +1 = Br0 + a⊥ˆr0 2 for Φ =

710

O. Blazy and S. Mukherjee

 ⊥ βa + (V1 + η (i) V2 )(Br0 + a⊥ˆr0 ) 2 such that if β = 0, ak is a type-1 semifunctional altKey and if β is a random element from Zp , ak is a type-2 semifunctional altKey. To prove the lemma, it suffices to show that the joint disirrespective of the value of β for C3 = tribution of {C3 , Φ} stays identical  s0 = (V1 + ηV2 ) As0 + b⊥ sˆ0 1 for some s0 ∈ Zkp , sˆ0 ∈ Zp as (V1 + ηV2 )  A || b⊥ is a basis of Zk+1 and Φ is defined as above. Furthermore, it suffices p to show that the joint distribution of {C3 , Φ  } stays identical irrespective of the    value of β where C3 = (V1 + ηV2 )b⊥ sˆ0 1 is the semi-functional part of C3  and Φ = βa⊥ + (V1 + η (i) V2 )a⊥ˆr0 2 is the semi-functional part of Φ. Now, we make use of the parameter-hiding lemma of [9] to replace Vi by  ˆ for V ˆ = a⊥ b⊥  . Firstly note that this change nether Vi + τi (a⊥ b⊥ )−1 V ˆ ⊥ = (a⊥  b⊥ )a⊥ affects the mpk nor the secret keys. It is easy to verify that, Va  ˆ  b⊥ = (a⊥ b⊥ )b⊥ . Then and V   ˆ  b⊥ sˆ0 C3 = (V1 + ηV2 )b⊥ sˆ0 + (τ1 + ητ2 )(a⊥ b⊥ )−1 V 1    ⊥ ⊥  ⊥ −1 ⊥  ⊥ = (V1 + ηV2 )b sˆ0 + (τ1 + ητ2 )(a b ) (a b )b⊥ sˆ0 1    ⊥ ⊥  ⊥ −1 ⊥  ⊥ ⊥ = (V1 + ηV2 )b sˆ0 + (τ1 + ητ2 )(a b ) (a b )b sˆ0 1  = (V1 + ηV2 )b⊥ sˆ0 + (τ1 + ητ2 )b⊥ sˆ0 1   ˆ ⊥ˆr0 Φ = βa⊥ + (V1 + η (i) V2 )a⊥ˆr0 + (τ1 + η (i) τ2 )(a⊥ b⊥ )−1 Va 2  ⊥ (i) ⊥ (i) ⊥  ⊥ −1 ⊥  ⊥ ⊥ = βa + (V1 + η V2 )a ˆr0 + (τ1 + η τ2 )(a b ) (a b )a ˆr0 2  ⊥ (i) ⊥ (i) ⊥ = βa + (V1 + η V2 )a ˆr0 + (τ1 + η τ2 )a ˆr0 2

As τ1 + ητ2 is independent to τ1 + η (i) τ2 for τ1 , τ2 ← Zp and η = η (i) (as H is a CRHF), the joint distribution of {C3 , Φ } stays identical irrespective of β = 0 or a random element from Zp which concludes the proof. Lemma 7. (Game3,i,2 to Game3,i,3 ) For i ∈ [Q], for any efficient adversary A that makes at most q secret key queries and Q decryption queries, there exists a k -matDH (λ). PPT algorithm B such that |Pr [X3,i,2 ] − Pr [X3,i,3 ] | ≤ AdvD B Proof Sketch. The proof is similar to that for Lemma 5. Lemma 8. (Game3,q,3 to Game4 ) For all adversary A, we have |Pr [X3,q,3 ] − Pr [X4 ] | ≤ 1/pk+1 + 2−Ω( ) . (k+1)×k

(k+1)×1

Proof. Run (A, a⊥ ) ← Dk such that A ∈ Zp , a⊥ ∈ Zp and  ⊥ k+1 ⊥  = α + βa and and β ← Zp to define α a A = 0. Sample α ← Zp   subsequently set msk = (W, V, α ). Notice that, mpk still stays the same as      ⊥  A α = α A T since a A = 0. Now, on any key generation query T

on x ∈ X , return sk ← KeyGen( α , x). Notice that, the sk is statistically

CCA-Secure ABE Using Tag and Pair Encoding

711

independent of β and at the same time the distribution of sk in Game4 is the same as that of in Game3,q,3 . Furthermore, on any decryption query on (x, (ct, y)) ∈ X × CT × Y, if R(x, y) = 1, use sk = (K1 , K2 , K3 ) ← KeyGen( α , x) to create ak ← AltKeyGen(mpk, (sk, x), (ct, y)) then return M  ← AltDecrypt((K1 , K2 , ak), (ct, y)). Firstly, sk and mpk is statistically independent of β, therefore ak is statistically independent of β. Interestingly, the distribution of ak in Game4 is the same as that of in Game3,q,3 because of the regular decryption property from Sect. 2.4. This is because, due to the regular decryption property, in Game3,q,3 in all the altKeys ak, α and β was present in ak0  to create sk alone (in the α + βa⊥ form). Therefore, in Game4 , when we use α and successively compute ak, the altKeys we compute are properly distributed. Recall that, neither mpk nor the secret keys {skxi }i∈[q] nor the decryptions     = {Mi }i∈[Q] , leak any new information about β. Then, CT = M b ⊕H α s0 T     . Now, a⊥  M b ⊕ H α  s0 + βa⊥  s0 s0 = 0 (as  s0 ∈ / span(A)) unless  s0 = 0 T

which 1/pk+1 . Then, by left-over hash lemma [13],   happens with probability  ⊥  −Ω( ) is 2 H α s0 + βa s0 -close to the uniform distribution over {0, 1} . T In that case, M b is completely hidden in CT .

5

Performance Comparison

In this section, we compare this paper with [8]. As we already mentioned earlier, our aim primarily was to construct CCA-secure ABE from tags and pair encoding that improves upon the works of Chen and Gong [10]. Here, we mention that since we construct tag using the pair encoding itself, our construction results in heavier ciphertext and secret key. However, our public parameter size is quite smaller. This can be seen in the following table (Table 1). Table 1. Comparison of CCA-secure pair encoding-based ABE constructions. Here, k determines the security level, and the rest n, m1 , m3 , q1 , q3 are the variables defined in the pair encoding (See Sect. 2.4 for details).

[8]

|mpk|

|sk|

|ct|

(|G1 |, |G2 |, |GT |)

(|G2 |)

(|G1 |, |GT |)

2(n + 3), 2(n + 3), 1

2(m1 + m3 )

(n + 3)(k + 1)k, (n + 3)(k + 1)k, k (m1 + m3 )(k + 1) This work n + 7, 6, 1

2(2m1 + m3 )

Assumption

2(q1 + q3 + 2), 1

SXDH

(q1 + q3 + 2)(k + 1), 1

Dk -matDH

2(q1 + q3 + 1), 1

SXDH

(n + 1)k2 + 3(k + 1)k, 3(k + 1)k, k (2m1 + m3 )(k + 1) (q1 + 1)(k + 1) + 2q3 k, 1 Dk -matDH

712

6

O. Blazy and S. Mukherjee

Conclusion

In this paper, we gave a tag-based ABE construction [10] from pair encoding [5]. This, therefore, gives the first generic tag-based ABE construction that can support multiple randomnesses in both Encrypt and KeyGen. Moreover, we extended the construction to achieve ind-cca security in the standard model under Dk -matDH assumption using simple tools like a CRHF and an OTS. This allows us to get an ind-cca secure tag-based ABE from pair encoding at a very small cost. However, here, the pair encoding we considered is PMH∗ secure. For future work, it will be interesting to see if pair encodings with relaxed security can be used for CCA-secure tag-based ABE constructions.

References 1. Agrawal, S., Chase, M.: A study of pair encodings: predicate encryption in prime order groups. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 259–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-490990_10 2. Agrawal, S., Chase, M.: Simplifying design and analysis of complex predicate encryption schemes. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 627–656. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-56620-7_22 3. Ambrona, M., Barthe, G., Schmidt, B.: Generic transformations of predicate encodings: constructions and applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 36–66. Springer, Cham (2017). https://doi.org/10. 1007/978-3-319-63688-7_2 4. Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557– 577. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_31 5. Attrapadung, N.: Dual system encryption framework in prime-order groups via computational pair encodings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 591–623. Springer, Heidelberg (2016). https://doi. org/10.1007/978-3-662-53890-6_20 6. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455–470. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_28 7. Chatterjee, S., Mukherjee, S.: Large universe subset predicate encryption based on static assumption (without random oracle). In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 62–82. Springer, Cham (2019). https://doi.org/10.1007/9783-030-12612-4_4 8. Chatterjee, S., Mukherjee, S., Pandit, T.: CCA-secure predicate encryption from pair encoding in prime order groups: generic and efficient. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 85–106. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_5 9. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10. 1007/978-3-662-46803-6_20

CCA-Secure ABE Using Tag and Pair Encoding

713

10. Chen, J., Gong, J.: ABE with tag made easy. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 35–65. Springer, Cham (2017). https:// doi.org/10.1007/978-3-319-70697-9_2 11. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. J. Cryptol. 30(1), 242–281 (2017) 12. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006) 13. Hrastad, J., Impagliazzo, R., Levin, L., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999). https://doi.org/ 10.1137/S0097539793244708 14. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. J. Cryptol. 30(4), 1116–1156 (2017) 15. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10. 1007/978-3-540-78967-3_9 16. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/9783-642-11799-2_27 17. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4 18. Nandi, M., Pandit, T.: Generic conversions from CPA to CCA secure functional encryption. IACR Cryptology ePrint Archive 2015, 457 (2015). http://eprint.iacr. org/2015/457 19. Nandi, M., Pandit, T.: On the power of pair encodings: Frameworks for predicate cryptographic primitives. IACR Cryptology ePrint Archive 2015, 955 (2015). http://eprint.iacr.org/2015/955 20. Nandi, M., Pandit, T.: Verifiability-based conversion from CPA to CCA-secure predicate encryption. Appl. Algebra Eng. Commun. Comput. 29(1), 77–102 (2017). https://doi.org/10.1007/s00200-017-0330-2 21. Okamoto, T., Takashima, K.: Adaptively attribute-hiding (hierarchical) inner product encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 591–608. Springer, Heidelberg (2012). https://doi.org/10. 1007/978-3-642-29011-4_35 22. Ramanna, S.C.: More efficient constructions for inner-product encryption. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 231–248. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_13 23. Ramanna, S.C., Sarkar, P.: Efficient (anonymous) compact HIBE from standard assumptions. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 243–258. Springer, Cham (2014). https://doi.org/10. 1007/978-3-319-12475-9_17 24. Ramanna, S.C., Sarkar, P.: Efficient adaptively secure IBBE from the SXDH assumption. IEEE Trans. Inf. Theory 62(10), 5709–5726 (2016) 25. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619– 636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36

714

O. Blazy and S. Mukherjee

26. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/ 10.1007/978-3-642-54242-8_26 27. Yamada, S., Attrapadung, N., Hanaoka, G., Kunihiro, N.: Generic constructions for chosen-ciphertext secure attribute based encryption. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 71–89. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_5 28. Yamada, S., Attrapadung, N., Santoso, B., Schuldt, J.C.N., Hanaoka, G., Kunihiro, N.: Verifiable predicate encryption and applications to CCA security and anonymous predicate authentication. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 243–261. Springer, Heidelberg (2012). https:// doi.org/10.1007/978-3-642-30057-8_15

Simpler Constructions of Asymmetric Primitives from Obfuscation Pooya Farshim1(B) , Georg Fuchsbauer2 , and Alain Passel`egue3 1

University of York, York, UK [email protected] 2 TU Wien, Vienna, Austria [email protected] 3 Inria and ENS Lyon, Lyon, France [email protected]

Abstract. We revisit constructions of asymmetric primitives from obfuscation and give simpler alternatives. We consider public-key encryption, (hierarchical) identity-based encryption ((H)IBE), and predicate encryption. Obfuscation has already been shown to imply PKE by Sahai and Waters (STOC’14) and full-fledged functional encryption by Garg et al. (FOCS’13). We simplify all these constructions and reduce the necessary assumptions on the class of circuits that the obfuscator needs to support. Our PKE scheme relies on just a PRG and does not need any puncturing. Our IBE and bounded HIBE schemes convert natural key-delegation mechanisms from (recursive) applications of puncturable PRFs to IBE and HIBE schemes. Our most technical contribution is an unbounded HIBE, which uses (public-coin) differing-inputs obfuscation for circuits and whose proof relies on a pebbling-based hybrid argument by Fuchsbauer et al. (ASIACRYPT’14). All our constructions are anonymous, support arbitrary inputs, and have compact keys and ciphertexts. Keywords: Obfuscation · Public-key encryption · Identity-based encryption · Hierarchical IBE · Predicate encryption · Puncturable PRF · Pebbling

1

Introduction

Indistinguishability obfuscation [BGI+12,GGH+13] has rekindled interest in the search for a unified approach to constructions of cryptographic primitives. It has been proven sufficient to build almost every primitive, from the most basic such as public-key encryption or short signatures, to powerful ones such as functional encryption for all circuits. Indistinguishability obfuscation has been used extensively as a building block for many other constructions [GGH+13,SW14,HSW14,BZ14,BLR+15,HW15,CLP15,PPS15,AS16]. Motivation. In this paper, we take a second look at constructions of basic cryptographic primitives and try to obtain the simplest possible constructions. Devising simple constructions based on indistinguishability obfuscation (iO) presents multiple interests. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 715–738, 2020. https://doi.org/10.1007/978-3-030-65277-7_32

716

P. Farshim et al.

First, certain simple circuits, such as those with logarithmic input lengths or point functions, can be easily obfuscated, and more advanced circuits such as “compute-and-compare” programs (of the form “if C(x) = z then output m,” where x is the input, C a circuit, m a string and z a long pseudorandom secret string) can be obfuscated assuming only the learning with errors assumption [WZ17,GKW17,CVW18]. More and more specific forms of computation, such as conjonctions or evasive finite automata, can now be efficiently obfuscated, via indistinguishability obfuscation or even sometimes with virtual black-box obfuscation [BLMZ19,GZ20]. Second, major progress have been made recently towards achieving fullfledged iO from standard assumptions. On the one-hand, a long line of research [AS17,LT17,AJL+19,JLMS19,GJLS20] with constructions based on local PRGs led to the recent construction [JLS20] by Jain, Lin, Sahai, which constructs full-fledged iO from subexponential hardness of SXDH, LWE, LPN, and local PRGs. On the other hand, another line of work has tried to instantiate XiO [LPST16] based on standard assumptions, which led to constructions of iO based on circular-secure FHE [BDGM20a,GP20,BDGM20b]. As a consequence, building primitives via simple constructions based on indistinguishability obfuscation guarantees that these primitives can be based on well-studied assumptions. Contributions. In this work, we study public-key encryption (PKE), (hierarchical) identity-based encryption (IBE) and predicate encryption with the goal of minimizing the required class of obfuscated circuits. Our PKE scheme, which we sketch below, will demonstrate the core (conceptual) idea behind all schemes that we study in this work: using iO we can convert a (trivial) key-delegation mechanism for a single user (namely a single secret key for that user) to an asymmetric encryption scheme that supports this key delegation. We show that this idea lends itself to natural generalizations. The key delegation underlying an IBE can be seen as a tree of height one with the trusted authority sitting at the root and the users at its leaves. Keys are derived by applying a pseudorandom function (PRF) to leaf identities under the root key. A hierarchical delegation generalizes this to trees of arbitrary height with a PRF iteratively applied to identities along a path. We show that the technique underlying our PKE can convert these key-delegation mechanisms to encryption schemes that support these mechanisms. The HIBE construction just sketched supports a bounded number of levels. As we shall discuss shortly, a number of obstacles prevent us from directly extending the bounded HIBE to an unbounded one. Nevertheless, we show that these obstacles can be overcome by introducing a somewhat more involved key delegation (which ensures the compactness of the key delegation operation) and at the expense of introducing stronger primitives.1 We see this result as the main technical contribution of the paper. 1

Although the proof of this construction is somewhat complex, the construction itself is relatively simple given that it achieves an unbounded number of levels.

Simpler Constructions of Asymmetric Primitives from Obfuscation

717

Public-key encryption. We start by constructing a simple public-key encryption scheme following the ideas of the PKE constructions from [GGSW13, BNPW16]. The secret key of the scheme is a random seed sk ∈ {0, 1}λ and the corresponding public key is G(sk) where G is a length-doubling pseudorandom generator (PRG). Encrypting a message M under pk consists of obfuscating a circuit that takes as input some sk  ∈ {0, 1}λ , and checks if G(sk  ) = pk, in which case it outputs the message M, and ⊥ otherwise. To decrypt, a user runs the ciphertext (which is an obfuscated circuit) on input the secret key sk. If sk corresponds to the public key, the check passes and the message M is returned; the scheme is thus correct. A similar idea was used in [BZ14] to construct n-party non-interactive key exchange. The setup outputs a public obfuscated program that on input x1 , . . . , xn , s evaluates a hardwired PRF Fk on (x1 , . . . , xn ) if and only if xi = G(s) for some i for a PRG G. A group key is then obtained via each party publishing a PRG evaluation G(si ) for a private seed si and running the obfuscated program on inputs G(s1 ), . . . , G(sn ), si . Security of our PKE follows from the security of the PRG, which ensures the public key G(sk) is indistinguishable from a random bit string of the same length. Now, if pk is outside of the range of G, there is no sk  for which G(sk  ) = pk and encryptions under pk are (obfuscated) circuits that always output ⊥. By the security of the obfuscator, this circuit reveals no more information than a circuit (of the same size) that is independent of the message and always returns ⊥. This arguably very simple construction can also be shown to be anonymous, meaning that its ciphertexts do not reveal their intended recipients. Due to its simplicity, we show that our construction can be efficiently instantiated based on the DDH assumption. In particular, we give a PRG and an indistinguishability obfuscator, both based on DDH, which when used within the construction result in an anonymous (and lossy) version of ElGamal. Identity-based encryption. We now apply the idea to key-delegation mechanism for IBEs. In our scheme the secret key of an identity id is the output of a pseudorandom function F (K, id), where K is the master secret key. The master public key is an obfuscated circuit that on input id outputs its public key pk id := G(F (K, id)). Encryption and decryption work as in the PKE scheme. To prove the security of the scheme, similarly to our PKE, we need to switch the public key of the challenge identity id∗ from G(F (K, id∗ )) to a random value. Intuitively, this should follow from the pseudorandomness of F . But the IBE game also contains an obfuscated circuit depending on the master key K, and furthermore key extraction for identities id = id∗ should be simulated by the security reduction. This restriction in the IBE security game precisely matches the functionality and security of puncturable PRFs: from K we can derive a punctured key K ∗ that allows evaluating the PRF everywhere except at id∗ and F (K, id∗ ) is indistinguishable from random even in the presence of K ∗ . (Such PRFs can be based on the GGM [GGM86] construction only assuming the existence of PRGs [BW13,BGI14,KPTZ13].) Like for our PKE construction, ciphertexts are

718

P. Farshim et al.

indistinguishable from obfuscations of a constant circuit. They thus hide both their underlying plaintexts and recipient identities, giving rise to an IBE that is anonymous and can therefore be used, for example, in the context of public-key encryption with keyword search [ABC+05]. Bounded HIBE. In an HIBE, identities take the form id = (id1 , . . . , idi ) and a key for (id1 , . . . , idi ) allows deriving keys for (id1 , . . . , idi+1 ) for any idi+1 . By recursively applying the PRF to identities along a path we arrive at a hierarchical key-delegation mechanism. Following the PKE construction, we can then convert this to an HIBE scheme as follows. Our scheme defines the master secret key as a random value sk 0 = K, and sets the key for id1 to sk 1 := F (K, id1 ), that for (id1 , id2 ) to sk2 := F (sk 1 , id2 ), and so on. We follow the encryption and decryption procedures of the PKE scheme to arrive at a full scheme. When the puncturable GGM PRF is used, it is easy to see how the puncturability of the PRF maps to the ability to extract keys for identities that are not parents of the challenge identity. This HIBE only supports an a priori bounded number of levels. To prove security, we need to replace the public key for the challenge identity id∗ = (id∗1 , . . . , id∗n ), computed as pk ∗ = G(F (. . . F (F (K, id∗1 ), id∗2 ) . . . , id∗n )), by a random value. To this end, we first define a game where we change the master circuit (used to compute public keys) and hardwire all values that we will change later in the proof. In more detail, we replace K by K ∗ punctured at id∗1 , then from sk1∗ = F (K, id∗1 ) we derive a key punctured at id∗2 (which allows to derive public keys for all (id∗1 , id2 , . . .) with id2 = id∗2 ) and so on until we finally hardwire the public key pk ∗ = G(skn∗ ) at the lowest level. As we did not change the functionality of the circuit, its obfuscation is indistinguishable from an honestly generated master public key. Note, however, that we did change the size of the circuit, and thus need to pad the master circuit in the scheme to the maximum size of the circuits that will be used in the proof. (This issue will reappear when extending the construction to an unbounded HIBE.) The rest of the proof proceeds via a sequence of hybrids where we iteratively replace sk1∗ by a random value, then sk2∗ , etc., until we arrive at a random skn∗ , which together with PRG security allows us to replace pk ∗ = G(skn∗ ) by a random value. Unbounded HIBE. There are a number of challenges when extending the HIBE to support an unbounded number of levels (analogously to direct constructions of unbounded HIBEs [LW11]). An obvious one is that circuits cannot take identities of arbitrary lengths as inputs. We could define a Turing machine (TM) that accepts identities of arbitrary lengths and carries out the recursive PRF evaluation to derive its public key. Using the TM-obfuscator of Ishai, Pandey, and Sahai [IPS15], we could then obfuscate this TM. However, when using puncturing, we still need to hardwire random values in the circuit in the proof, which would result in a TM whose description size is not a priori bounded. The problem seems to stem from the fact that in order to replace key sk ∗n corresponding

Simpler Constructions of Asymmetric Primitives from Obfuscation

719

to (id∗1 , . . . , id∗n ) with a random value, we first need to replace all intermediate values sk ∗1 := F (K, id∗1 ), sk ∗2 := F (sk ∗1 , id∗2 ), . . . with random. While it is true that we can only replace a value sk ∗i = F (sk ∗i−1 , id∗i ) by random if sk ∗i−1 is already random (since the reduction would not know sk ∗i−1 ), the previous values do not have to be random for this specific game hop. Let Si ⊆ {1, . . . , n} denote the set of indices j for which sk ∗j is random in hybrid i. In the proof of the bounded HIBE, where the i-th hybrid replaces sk ∗i by a random value, we have Si := {1, . . . , i}. For the proof to work, the sequence of sets S0 , S1 , . . . , S associated to the hybrids needs to have the following properties: (A) S0 = ∅ and n ∈ S , and (B) every two consecutive sets differ in exactly one element j, and j − 1 belongs to both sets. Set S0 with no random values corresponds to the original game and S makes the last value corresponding to skn∗ random. To go from one hybrid to the next, we can replace an additional value by random, since its ancestor is already random (by property (B)). Similarly to the pebbling strategy used in the context of reversible computation in [Ben89], Fuchsbauer et al. [FKPR14] give such a sequence where the number of sets is  = nlog2 3 and with the property that |Si | ≤ log n (this corresponds to a pebbling of a path in the GGM tree with logarithmically many pebbles). Letting n be an upper bound on the length of the challenge identity the adversary chooses (which is polynomial in the security parameter λ), we would have a polynomial number  of hybrids, while in each hybrid step we only need to hardwire a logarithmic number of values. It seems that we can thus pad the actual scheme to support an exponential number of levels in the hierarchy. Alas, this approach does not work: we also need to hardwire the positions (id∗1 , . . . , id∗n ) of these values for which there is no upper bound. We therefore use a different approach and hash the identities to obtain compact representations of them. We define the secret key for id as F (K, H(id)). The problem now is that hashing completely destroys the hierarchical relationship between the identities and we thus need to implement key delegation differently. We do this by adding a second functionality to the public parameters that given a valid secret key sk for an identity id and a value id returns a secret key sk  = F (K, H(id, id )) for (id, id ). Rather than relying on TM-obfuscators, which can be constructed from public-coin differing-input obfuscation (pc-diO) for circuits2 [IPS15], we devise circuits for computing public keys and delegating secret keys so that we directly rely on pc-diO for circuits. One benefit of this approach is that any (natural) iO for circuits is conjecturally also a public-coin differing-input obfuscator for circuits. Hence we avoid the overheads associated with the complex constructions of [IPS15]. Computing public keys can easily be done by defining a circuit Cgen (h) that returns G(F (K, h)) and to get a public key for id we simply run Cgen (H(id)). The delegation circuit Cdel , on the other hand, needs to ensure it only works for descendants. If we relied on pc-diO for Turing machines, we could define Cdel 2

We note that public-coin diO is not known to suffer from impossibility results that apply to its private-coin counterpart [GGHW14, BSW16].

720

P. Farshim et al.

on input (sk, id, id ) to check whether G(sk) = G(F (K, H(id))), and if so return F (K, H(id, id )). This results in a fairly simple construction of an unbounded HIBE (whose proof is nevertheless somewhat involved). At the expense of slightly increasing the complexity of the scheme, we modify this construction so as to only rely on pc-diO for circuits (as discussed above). To do this, we require a user to compactly prove (to the circuit) that two hash values (h, h ) correspond to (id, id ) with h = H(id) and h = H(id, id ). For this we use a succinct noninteractive argument of knowledge (SNARK) system and define Cdel as follows: On input (sk, h, h , π) the delegation circuit checks the validity of the proof π for (h, h ), then checks that G(sk) = G(F (K, h)), and if so returns F (K, h ). To bound the number of hardwired values, our proof strategy follows a pebbling strategy discussed above. For a set system S0 , . . . , S satisfying properties (A) and (B), we define game Gi as one that replaces the values pk ∗j = G(F (K, H(id∗1 , . . . , id∗j ))) by random values for all j ∈ Si . That is, these values are hardwired into the circuits Cgen and Cdel . Games Gi and Gi+1 differ in that pk ∗j is random in only one of them, with j defined as {j} := Si  Si+1 (where  denotes the symmetric difference). To show that these games are indistinguishable, we puncture K at H(id∗1 , . . . , id∗j ) and use this K ∗ in Cgen and Cdel . Since we can first hardwire pk ∗j , this does not change the behavior of Cgen , and thus we can rely on iO security. The behavior of Cdel , on the other hand, does change, which is why we require (public-coin) differing-inputs obfuscation and must show that it is hard to actually find a differing input. Suppose an adversary finds an input (sk, h, h , π) for which Cdel behaves differently when using the punctured key. This means h = H(id∗1 , . . . , id∗j ); but π (together with the collision-resistance of H) guarantees that h = H(id∗1 , . . . , id∗j−1 ). By property (B) of our set system: j−1 ∈ Si ; thus the value pk ∗j−1 corresponding to G(F (K, H(id∗1 , . . . , id∗j−1 ))), and thus G(F (K, h)), was replaced by random, and hence no sk will satisfy G(sk) = pk ∗j−1 . But this means that Cdel returns ⊥, which contradicts (sk, h, h , π) being a differing input. Consistently, we require H to be public-coin and collision-resistant [HR04] and the SNARK to be in the common-random-string model [IPS15].3 We observe that if identities are restricted to be of bounded length, the hash function can be replaced with the identity function, and the SNARK with a trivial one that simply outputs the witness. These in turn allow us to rely on iO (for circuits) in the Cdel circuit. Predicate encryption. Predicate encryption (PE) [BW07,KSW08] is a powerful type of public-key encryption that can support, for example, searching for complex queries on encrypted data and encompasses other forms of PKE such as attribute-based encryption [GPSW06,LOS+10]. A natural construction of a PE scheme also falls out from our techniques. Intuitively, we identify attributes with identities. A secret key sk P for a predicate P is then an obfuscated circuit with 3

Since our construction relies on public-coin diO, it must be hard to find a differing input even when given the coins used to sample the circuits (whose obfuscations should be indistinguishable). As a hash collision results in a differing input, it must be hard to find one even given the coins used to sample the hash function.

Simpler Constructions of Asymmetric Primitives from Obfuscation

721

K and P hardwired that on input an attribute γ outputs F (K, γ) if P(γ) = 1 and ⊥ otherwise. We defer the details of the construction to the full version [AFP14]. Related Works. Canetti, Rothblum, and Varia [CRV10] adopt a similar approach for building leakage-resilient one-time signatures by first constructing a special-purpose obfuscator for testing hyperplane membership. Similarly, Matsuda and Hanaoka [MH14] propose a construction of CCA-secure encryption based on rerandomizable and composable point function obfuscators. Garg et al. [GGSW13] show that witness encryption (which is implied by iO) and unique signatures imply identity-based encryption. Such unique signatures can be based on iO and injective one-way functions (or just one-way functions for constructions in the CRS model) [BP15]. Combining these results, one obtains an IBE from (injective) one-way functions and iO, but the construction is fairly complex. In particular, encrypting consists of obfuscating a circuit that runs the verification circuit of a signature scheme, which is itself an obfuscated circuit. Our construction relies on iO and one-way functions and is much simpler. Garg et al. also show that witness encryption combined with a perfectly binding noninteractive commitment scheme implies (key-policy) attribute-based encryption. Their scheme does not guarantee privacy of the attributes, while our predicate encryption scheme does. Garg et al. [GGH+13] also show that full-fledged functional encryption is implied by iO and non-interactive zero-knowledge proofs (and hence so is predicate encryption). Our construction is conceptually simpler, avoids NIZKs, and relies on iO and one-way functions only. A simple construction of a (semi-adaptive) functional encryption from indistinguishability obfuscation is also described in [Wat15], but it relies on the full power of obfuscation, since a functional secret key for f is an obfuscated circuit that evaluates f (amongst other things). Our PE construction follows a different path and obfuscates constrained PRFs. Obfuscating the latter could imply the existence of iO that can be bootstrapped to full iO. Thus our PE construction should be seen as an alternative route to more expressive primitives. Finally, in recent work Brakerski et al. [BCG+17] construct a hierarchical notion of functional encryption. This implies bounded HIBEs from LWE or low-complexity PRGs and public-key encryption (for their constant-depth and polynomially-bounded-width delegation structure), and a construction of unbounded HIBE based on unbounded-collusion functional encryption (which implies iO for P/poly assuming subexponential security). Their construction is fairly simple, which is not surprising as functional encryption is powerful enough to subsume IBEs. Since their construction relies on re-encryption techniques, it is inherently public-key. Our construction takes a very different route and relies on potentially weaker special-purpose obfuscation, while re-encryption techniques lead to indistinguishability obfuscation for any circuit supported by the underlying functional encryption scheme [BV15]. As we use iO as a tool, we do not discuss further recent advances in generalpurpose indistinguishability obfuscators.

722

P. Farshim et al. Algo. Gen(1λ ) SK ← ←{0, 1}λ PK ← PRG(SK) return (SK, PK) Algo. Dec(SK, CT) return CT(SK)

Algo. Enc(PK, M) CT← ←iO(1λ , C[PK, M]) return CT Circ. C[PK, M](SK) if PRG(SK) = PK return M return ⊥

Fig. 1. Public-key encryption scheme from a PRG and an obfuscator.

2

Preliminaries

We briefly recall various cryptographic primitives that we will use throughout the paper. A pseudorandom generator is a deterministic algorithm PRG that takes as input a string x and outputs a longer string y. PRG outputs on uniform inputs must be indistinguishable from uniform elements in the output space. We call a hash function public-coin if its key generation algorithm simply outputs its random coins. We assume public-coin hash functions that are collision-resistant. A puncturable pseudorandom function (PPRF) is a tuple (CPRF, Cons), where CPRF(K, x ) evaluates the PRF on input x under key K. For a set S, let C[S](x ) denote the circuit that returns 1 iff x ∈ S. Algorithm Cons(K, C[S]) outputs a constrained key KC[S] that allows evaluating the PRF anywhere except on set S. Given KC[S] , PRF evaluations on points inside S should be indistinguishable from uniform. An obfuscator is an algorithm Obf that on input a circuit C outputs an ← Obf (1λ , C) obfuscated circuit C. Perfect correctness requires that for all C ← λ and all x ∈ {0, 1} : C(x ) = C(x ). Indistinguishability obfuscation requires the outputs of the obfuscator on two functionally equivalent (and equal-size) circuits to be indistinguishable. Public-coin differing-input obfuscation requires this same for circuits sampled from a public-coin distribution and for which it is hard to find an input on which the outputs of the circuits differ. For completeness, all formal definitions are included in the full version [AFP14].

3

Public-Key Encryption

We start by presenting our simple PKE construction based on iO and a pseudorandom generator with sparse image. Our construction uses an obfuscator that only needs to support simple circuits. In particular, we show this class is simple enough to be instantiated based on the DDH assumption. We will prove the scheme IND-CPA as well as anonymous, meaning that ciphertexts do not reveal their intended recipients. We now formalize our public-key encryption scheme, for which we have given a high-level description in the introduction. The details of the construction are shown in Fig. 1. The proof of the following theorem closely follows the ideas outlined in the introduction and can be found in the full version [AFP14].

Simpler Constructions of Asymmetric Primitives from Obfuscation Circ. C[X, Z, M](x) Algo. Obf (C[X, Z, M]) x

x

if (g , Y ) = (X, Z) return M return 1

723

Circ. C[{hij }3,2 i,j=1 ](x)

r1 , r2 , r3 , s1 , s2 , s3 ← ← Zq if hx11 = h12 ∧ hx21 = h22 h11 ← g r1 Y s1 ; h12 ← X r1 Z s1 return h32 · h−x 31 r2 s2 r2 s2 h21 ← g Y ; h22 ← X Z return 1 r3 s3 r3 s3 h31 ← g Y ; h32 ← M · X Z return C[h11 , h12 , h21 , h22 , h31 , h32 ]

Fig. 2. Left: Circuits that are obfuscated in encryption. Middle: An obfuscator for this class. Right: The obfuscated circuits.

Theorem 3.1. Scheme PKE in Fig. 1 is AI-CPA secure if its underlying pseudorandom generator PRG and obfuscator Obf are secure. More precisely, for any ppt adversary A against PKE there are ppt adversaries B1 and B2 against PRG and Obf , respectively, such that ind ind Advai-cpa PKE,A (λ) ≤ 2 · AdvPRG,B1 (λ) + AdvObf ,B2 (λ).

Algorithm B2 places the same number of queries to its (obfuscation) LR oracle as A does to its (encryption) LR oracle. In this section we show that the above construction can be instantiated under the standard DDH assumption. That is, we provide a DDH-based PRG and an indistinguishability obfuscator for the class of circuits used in the above construction. The resulting PKE scheme is defined over the message space G\{1} where we identify the element 1 with the error symbol ⊥. We now describe our construction, which is basically a lossy version of the El-Gamal PKE scheme [ElG84], meaning that one can define lossy public keys, which are indistinguishable from regular ones, but for which ciphertexts statistically hide all information about their underlying plaintexts. A DDH-based PRG. Let G denote a cyclic group of order q generated by g. The public parameters are (G, q, g, Y ) with Y a random element in G∗ . Algo2 rithm PRG : Z∗q −→ (G∗ ) is defined as PRG : x → (g x , Y x ). Under the DDH assumption, the outputs of PRG are computationally indistinguishable from 2 uniformly random elements in (G∗ ) . Plugging this into our PKE construction in Sect. 3, secret keys take the form x ∈ Z∗q and public keys PK = (g x , Y x ). The circuit class. We next define an indistinguishability obfuscator for the class of circuits C[PK, M] associated with the PRG above. This class consists of 2 circuits defined in Fig. 2 (left) for PK = (X, Z) ∈ (G∗ ) and M ∈ G∗ , where we identify the identity group element 1 with the error symbol ⊥. The obfuscator. Given a description (X, Z, M) of the circuit C[X, Z, M], we define our obfuscator as shown in Fig. 2 (middle), which takes randomness (r1 , r2 , r3 , s1 , s2 , s3 ) ← ← Z6q and returns a circuit C[h11 , h12 , h21 , h22 , h31 , h32 ] as described on the right of Fig. 2. Intuitively, (h31 , h32 ) is an encryption of M if (X, Z) is in the range of PRG, whereas it is a random pair otherwise. Similarly,

724

P. Farshim et al.

(h11 , h12 ) and (h21 , h22 ) are encryptions of 1, which let C check whether (X, Z) is in the range of PRG. If this is the case then the obfuscated circuit is functionally equivalent to C[X, Z, M]. However, if (X, Z) is not in the range of PRG then C[X, Z, M] always returns 1, whereas with negligible probability over the coins of Obf , for C there is one input on which it returns a different value (since h11 , h12 , h21 , h22 are uniformly random, the probability that there exists x with hx11 = h12 and hx21 = h22 is negligible4 ). Theorem 3.2. The obfuscator described in Fig. 2 is an indistinguishability obfuscator with statistical correctness and statistical indistinguishability. Consider an adversary outputting two functionally equivalent circuits C[X, Z, M] and C[X  , Z  , M ]. Both of them always return 1 iff (X, Z) and (X  , Z  ) are not in the range of PRG, in which case the obfuscator returns a random tuple (h11 , h12 , h21 , h22 , h31 , h32 ). If X = g x and Z = Y x then C[X, Z, M] returns M on input x and 1 otherwise. For C[X  , Z  , M ] to be functionally equivalent to C[X, Z, M], we must thus have X  = X, Z  = Z and M = M. This shows the iO security of the obfuscator. A formal proof is given in the full version [AFP14].

4

Identity-Based Encryption

We now present a simple construction of identity-based encryption, again based on an indistinguishability obfuscator and a pseudorandom generator. In addition, we will use a pseudorandom function, which we assume to be puncturable. We prove that our scheme is both IND-CPA secure and anonymous in the selectiveID model. Anonymity means that ciphertexts do not leak the identity of the intended recipients; a property that can be leveraged to construct public-key encryption with keyword search [ABC+05]. Our IBE construction generalizes the PKE scheme as follows. The master secret key MSK is a random PRF key. The secret key for user ID is simply the PRF evaluated at the identity, that is PRF(MSK, ID). The master public key MPK is an obfuscation of a circuit Cgen that computes a public key PKID for ID by computing PRG(PRF(MSK, ID)), as in our PKE scheme. Hence we use a PRF to “compress” exponentially many public keys into the master public key MPK (by generating their secret key using the PRF). A message is encrypted by first deriving PKID for the identity using MPK and then obfuscating the same circuit as the PKE scheme. Decryption is identical to the PKE. The details of the scheme are shown in Fig. 3 (with S gen defined below). In our security analysis, detailed in the full version [AFP14], we rely on the puncturability of the PRF to simulate key-extraction queries. That is, we use a PRF key punctured at {ID0 , ID1 } to derive keys for all other users. We will use the indistinguishability security of the obfuscator in conjunction with this to form the master public key. Hence we need to pad the circuit Cgen so that its 4

Note that this is not the case if we only use one encryption of 1 (i.e. if we remove h21 and h22 ).

Simpler Constructions of Asymmetric Primitives from Obfuscation Algo. IBSetup(1λ ) MSK ← ←{0, 1}λ pad Cgen so that |Cgen | = S gen (λ) MPK ← ← iO(1λ , Cgen [MSK]) return (MSK, MPK)

Algo. IBEnc(MPK, ID, M) PK ← MPK(ID) CT ← ← iO(1λ , Cenc [PK, M]) return CT

Circ. Cgen [MSK](ID) PK ← PRG(PPRF(MSK, ID)) return PK

Circ. Cenc [PK, M](SK) if PRG(SK) = PK return M return ⊥

Algo. IBGen(ID) SK ← PPRF(MSK, ID) return SK

Algo. IBDec(SK, CT) M ← CT(SK) return M

725

Fig. 3. Identity-based encryption from a PRG, a puncturable PRF, and an iO.

size matches that of the modified circuit used in the proof. We define S gen (λ) as (an upper bound on) the maximum size of circuits defined by ⎧ ⎪ ⎨PRG(PPRF(Cons(K, C[{x0 , x1 }]; r), x)) gen  C [K, r, x0 , x1 ](x) PRG(PPRF(K, x0 )) := ⎪ ⎩ PRG(PPRF(K, x1 ))

if x ∈ {x0 , x1 } if x = x0 if x = x1

Here the maximum is taken over (K, r, x0 , x1 ) ∈ {0, 1}λ × {0, 1}tCons (λ) × {0, 1}m(λ) × {0, 1}m(λ) , where tCons is the polynomial bounding the runtime of Cons. We recall that Cons denotes the puncturing algorithm of the puncturable PRF. The following is proved in the full version [AFP14]. Theorem 4.1. Scheme IBE in Fig. 3 is Sel-AI-CPA secure if the underlying pseudorandom generator PRG, the puncturable pseudorandom function PPRF, and the obfuscator Obf are secure. More precisely, for any ppt adversary A against IBE there are ppt adversaries B1 , B2 , and B3 against PRG, PPRF, and Obf respectively such that ind ind ind Advsel-ai-cpa IBE,A (λ) ≤ 2 · AdvObf ,B1 (λ) + AdvPPRF,B2 (λ) + 2 · AdvPRG,B3 (λ).

Algorithm B1 places at most the same number of queries to its (obfuscation) LR oracle that A does to its (encryption) LR oracle. ID space. The ID space IDSpλ of the construction matches the input space {0, 1}m(λ) of PPRF. An IBE with IDSpλ = {0, 1}∗ can be obtained in the standard way by hashing the identities using a collision-resistant hash function. An alternative route would be to use a variable-input-length puncturable PRF. A statistically correct puncturable PRF is needed when used in conjunction with an indistinguishability obfuscator. However, such PRFs with unbounded

726

P. Farshim et al.

domain cannot have compact punctured keys (as a punctured key informationtheoretically determines the punctured point). This means that there is no a  gen used in the security proof in G1 . We priori bound on the size of the circuit C note, however, that the GGM PRF can be turned into a PRF with unbounded input length [Gol01], whose keys can be punctured in the same way as those of the original construction. Adaptive security. We have established the selective security of the IBE based on the selective security of the puncturable PRF. This raises the question if the theorem naturally extends to the adaptive-ID model under the adaptive security of the puncturable PRF. This turns out not to be the case: during the proof we need to puncture the MPK, which is given to the adversary at the onset. It is unclear at which point the underlying MSK should be punctured, even with a reduction down to the adaptive security of the PPRF. On the other hand, adaptive security can be obtained with a sub-exponential loss (on all underlying primitives) through complexity leveraging, or with only a polynomial loss in the random-oracle model. The recent work of Zhandry [Zha16] on extremely lossy functions (ELFs) proposes a generic selective-to-adaptive transformation for IBEs in the standard model that also results in a polynomial loss in security from a single exponential assumption. This transformation can be also applied to our IBE and we obtain an adaptive IBE with only a polynomial loss in security. Bounded HIBE. Our IBE construction generalizes that for PKEs by using a PRF, instead of a single secret corresponding to the PRG seed, to derive many secret keys. Similarly, we can further generalize the IBE construction to a hierarchal IBE by considering a tree of (puncturable) PRFs (as in the GGM construction). The secret key for a vector of identities ID := (ID1 , . . . , IDn ) corresponds to the iterative PRF applications via SKi ← PRF(SKi−1 , IDi ) where SK0 is the master secret key. We can then use the puncturing property of the PRF to replace, via a sequence of hybrids, the PRF value corresponding to any identity (ID1 , . . . , IDn ) with random values one at a time. This then allows us to apply the PRG game hop (as for IBEs) at the leaf nodes to conclude the proof. We formalize this construction and prove its security in the full version [AFP14]. We refer the reader to the introduction for why this construction does not yield an unbounded HIBE. Predicate Encryption. Our IBE also generalizes to predicate encryption fairly easily. A natural way to build a PE scheme would be to modify the IBE construction so that instead of a puncturable PRF it uses a constrained PRF. The idea is that a constrained key for a circuit C can evaluate a PRF value on γ correctly if C(γ) = 1. This approach does not work directly, as the puncturability of the PRF is used to simulate the key-extraction queries in the IBE game. Hence, an analogous form of puncturing would be also needed to derive constrained keys. Luckily, a natural construction of a constrained PRF from a puncturable PRF due to Boneh and Waters [BW13] already enjoys this property. We formalize this construction and prove its security in the full version [AFP14].

Simpler Constructions of Asymmetric Primitives from Obfuscation

5

727

Unbounded HIBE

A hierarchal IBE (HIBE) [GS02] generalizes IBEs to a setting where a user with a secret key for identity ID can derive secret keys for child identities with prefix ID. In this section we present a construction of an unbounded HIBE, where key delegation can be carried out for an exponential number of prefixes. As before, we use a PRG and a puncturable PRF. We however also rely on a public-coin differing-inputs obfuscator (pc-diO) for circuits, an indistinguishability obfuscator, a public-coin collision-resistant (pc-CR) hash function, and a SNARK proof system with a common random string. Given a public-coin hash function H, we rely on SNARKs for the relation Rel(1λ , (k , h1 , h2 ), (w1 , w2 )) that checks   |k | = λ ∧ H(k , w1 ) = h1 ∧ H(k , w1 |w2 ) = h2 ∧ w2 = ε . In our construction, the obfuscation of a delegation circuit Cdel with a hardwired master key will be made public. This circuit takes as input a user secret key SK, two hash values h , h, and a SNARK proof π. The circuit checks that the proof π verifies (and hence proves knowledge of ID, ID such that h = H(k , ID) and h = H(k , ID|ID)). This is done explicitly by computing a public key for h using the master key and checking if the result matches the one derived from SK. (Comparison with the public key rather than the secret key is needed as in the security proof we have to forget the SK at some point). If all checks pass, a secret key for h (i.e., the hash of child identity ID|ID) is returned. The other algorithms operate as in the IBE scheme on hashed identities. The details of the construction are shown in Fig. 4. As for our IBE construction in Fig. 3, we pad  gen the circuits Cgen and Cdel respectively to the maximum size of any circuit C del  and C used in the proof (these sizes are polynomially bounded). Theorem 5.1. Scheme HIBE in Fig. 4 is Sel-AI-CPA secure if PRG and PPRF are secure, H is public-coin collision-resistant, the obfuscator iO is an indistinguishability obfuscation, and the obfuscator diO is public-coin differinginput secure. More precisely, for any ppt adversary A against HIBE there exist ppt adversaries B1 against iO, diO-legitimate B2 against diO, B3 against H, B4 against PPRF and B5 against PRG such that ind ind Advsel-ai-cpa HIBE,A (λ) ≤ (4p(λ) + 1) · AdviO,B1 (λ) + 4p(λ) · AdvdiO,B2 (λ) ind ind + 4p(λ) · Advcr H,B3 (λ) + 2p(λ) · AdvPPRF,B4 (λ) + 2p(λ) · AdvPRG,B5 (λ), (0)

where p(λ) = (n(λ))log 3 +1 and n(λ) is such |ID |, |ID B1 and B2 are iO and diO-legitimate respectively.

(1)

| ≤ n(λ). Furthermore,

We refer the reader to the introduction for a high-level overview of the proof. The detailed proof of the theorem follow. Proof. For a fixed n we will use a sequence of sets S0 , S1 , . . . , S(n) with Si ⊆ {0, . . . , n}, where two consecutive sets only differ in exactly one element j, and j − 1 is contained in both sets. Formally, we require

728

P. Farshim et al. Algo. HSetup(1λ ) K← ←{0, 1}λ ; k ← ←{0, 1}λ rS (λ) crs ← ←{0, 1} gen C ← ← iO(1λ , Cgen [K]) del C ← ← diO(1λ , Cdel [K]) gen del MPK ← (crs, k, C , C ) SK0 ← PPRF(K, H(k, ε)) return ((SK0 , ε), MPK)

Algo. HEnc(MPK, ID, M) gen PK ← C (H(k, ID)) CT ← ← iO(1λ , Cenc [PK, M]) return CT Circ. Cenc [PK, M](SK) if PRG(SK) = PK return M return ⊥ Algo. HDel((SK, ID), ID ) h ← H(k, ID); h ← H(k, ID|ID ) π← ← Prove(crs, (k, h, h ), (ID, ID )) del ← C (SK, h, h , π) SK ← return (SK , ID | ID )

gen

Circ. C [K](h) PK ← PRG(PPRF(K, h)) return PK Circ. Cdel [K, k, crs](SK, h, h , π) if Ver(crs, (k, h, h ), π) = 0 return ⊥ PK ← PRG(PPRF(K, h)) if PRG(SK) = PK return ⊥ return PPRF(K, H(k, h ))

Algo. HDec((SK, ID), CT) M ← CT(SK) return M

Fig. 4. Unbounded HIBE from a PRG, a puncturable PRF, a pc-CR hash function and a pc-diO.

(A) S0 = {0} and n ∈ S(n) ; (B) ∀ i ∈ {0, . . . , (n)} ∃ j : Si  Si+1 = {j} and j − 1 ∈ Si ∩ Si+1 (where “” denotes symmetric difference) For notational convenience, we also define S−1 := ∅. A simple example of such a sequence would be {Si }ni=−1 with Si := {0, . . . , i}. Fuchsbauer et al. [FKPR14] give a sequence S0 , . . . , S(n) with (n) = nlog 3 and |Si | ≤ log n+2 (defined formally in the proof). This logarithmic bound on Si will be used to guarantee that the total size of the hardwired values grows slowly and hence when preparing the master public key circuit, it only needs to be padded to a logarithmic length in the maximum depth of identities. We prove the theorem via a sequence of games illustrated in Fig. 5. Game Gi,δ,L for i = −1, . . . , (n), δ = ±1, and L = 1, . . . , 5 contains all boxed statements that have a label ≤ L . Fix an adversary A and its coins, and let n(0) (0)

and n(1) be the lengths of the identity vectors ID

(1)

and ID

that A outputs.

Gi for −1 ≤ i ≤ (n0 ): These games are defined as the original game, except that (0)

the public keys for all identities ID[j] (i.e., the length-j prefix of challenge (0)

(0)

identity ID ) for j ∈ Si are replaced by random values. These values yj are hardwired into the circuits Cgen and Cdel . The games are formally defined in Fig. 5 (ignoring all boxes). Since S−1 = ∅, we have that G−1 is the Sel-AI-CPA game and thus   sel-ai-cpa 2 · Pr GA −1 − 1 = AdvHIBE,A (λ).

Simpler Constructions of Asymmetric Primitives from Obfuscation

Game Gi , (0)

Gi,δ,

1

, Gi,δ,

2

, Gi,δ,

, Gi,δ,

3

4

, Gi,δ,

5

729

:

(1)

(ID , ID , st) ← ← A(1λ ); b ← ←{0, 1} ←{0, 1}λ ; crs ← ←{0, 1}rS (λ) K← ←{0, 1}λ ; k ← Proc. LR(M0 , M1 ): for j ∈ Si // assume |M0 | = |M1 | (0) (0) hj ← H(k, ID[j] ) gen (b) PK ← C (ID ) (0) ←{0, 1}2n(λ) yj ← λ CT ← ← iO(1 , Cenc [PK, Mb ]) let j ∗ s.t. Si+δ = Si ∪ {j ∗ } L1 ← L1 ∪ {(M0 , M1 )} (0) (0) hj ∗ ← H(k, ID[j ∗ ] ) return CT (0) (0) yj ∗ := PRG(PPRF(K, hj ∗ )) (0)  Circ. Cenc [PK, M](SK) K∗ ← ← Cons K, C[{hj ∗ }] 1 if PRG(SK) = PK return M (0) (0) (0) sj ∗ ← ←{0, 1}n(λ) ; yj ∗ := PRG(sj ∗ ) 4 return ⊥ (0)

yj ∗ ← ←{0, 1}2n(λ) gen

C

gen

C

5

← ← iO(1λ , Cgen )  gen ) ← ← iO(1λ , C

del

← ← diO(1λ , Cdel )

del

 del ) ← ← diO(1λ , C

C

C

gen

del

Proc. Ext(ID): (0)

1

SK ← PPRF(K∗ , H(k, ID)) 2

MPK ← (C , C ) ← ALR,Ext (MPK, st) b ← for (M0 , M1 ) ∈ L1 if |M0 | = |M1 | then b ← 0 for ID = (ID1 , . . . , IDn ) ∈ L2 , j = 1, . . . , n (0) (1) if ID = ID[j] ∨ ID = ID[j] then b ← 0 return (b = b ) 

(1)

/ {ID[j] , ID[j] }j // assume ID ∈ SK ← PPRF(K, H(k, ID)) 3

L2 ← L2 ∪ {ID} return SK

Circ. Cgen (h) for j ∈ Si (0) (0) if h = hj return yj PK ← PRG(PPRF(K, h)) return PK

 gen (h) Circ. C for j ∈ Si+δ (0) (0) if h = hj return yj PK ← PRG(PPRF(K∗ , h)) return PK

Circ. Cdel (SK, h, h , π) if Ver(crs, (k, h, h ), π) = 0 return ⊥ PK ← ⊥ for j ∈ Si (0) (0) if h = hj then PK ← yj if PK = ⊥ PK ← PRG(PPRF(K, h)) if PRG(SK) = PK return ⊥ return PPRF(K, h )

 del (SK, h, h , π) Circ. C if Ver(crs, (k, h, h ), π) = 0 return ⊥ PK ← ⊥ for j ∈ Si+δ (0) (0) if h = hj then PK ← yj if PK = ⊥ PK ← PRG(PPRF(K∗ , h)) if PRG(SK) = PK return ⊥ return PPRF(K∗ , h )

Fig. 5. The selective AI-CPA security of the HIBE scheme from Fig. 4 (where we have simplified procedure Ext).

730

P. Farshim et al.

We now show that Gi and Gi+1 are indistinguishable. Suppose Si ⊂ Si+1 = Si+δ with δ = 1. We show this by defining intermediate hybrid games Gi,1,1 , . . . , Gi,1,5 and showing that in the following sequence, two consecutive games are indistinguishable. Gi ,

Gi,1,1 ,

Gi,1,2 ,

Gi,1,3 ,

Gi,1,4 ,

Gi,1,5 ,

Gi+1

If Si+1 ⊂ Si then again we have Si+1 ⊂ S(i+1)+δ with δ = −1 and we simply invert the sequence of hybrids and show that in the following sequence all neighboring games are indistinguishable. Gi+1 ,

Gi+1,−1,1 ,

Gi+1,−1,2 ,

Gi+1,−1,3 ,

Gi+1,−1,4 ,

Gi+1,−1,5 ,

Gi

Gi,δ,1 : Let j ∗ be the element that distinguishes Si and Si+δ , i.e., Si+δ = Si ∪{j ∗ }. This game modifies the generation of MPK by replacing the obfuscation of  gen , which computes the public key for identities Cgen by an obfuscation of C (0) (0) (0) ID with H(k, ID) = hj ∗ := H(k, ID[j ∗ ] ) by using a hard-coded value yj ∗ (in (0)

with j ∈ Si ). It  gen is also uses a key K punctured at for all other identities. Circuit C  gen padded to the maximum size of any such circuit (See Fig. 5). Note that C gen and C are functionally equivalent and have the same size. addition to the hard-coded (and also random) values yj ∗

(0) hj ∗

Suppose there exists an adversary A that distinguishes game Gi from game Gi,δ,1 . We build an adversary B against iO as follows: B simulates Gi,δ,1 for  gen , queries them to its (obfuscation) LR oracle A, constructs both Cgen and C gen to receive an obfuscated circuit which B defines to be C . B continues the  simulation of the game and when A returns a bit b , algorithm B returns (b = b ). Depending on the bit chosen by B’s (obfuscation) game, A is run either in game Gi or Gi,δ,1 and the output of B matches the output of these games. Hence  A    ind Pr GA i − Pr Gi,δ,1 ≤ AdviO,B (λ). Gi,δ,2 : This game again modifies the generation of MPK by replacing the obfus del . The latter differs from Cdel in two cation of Cdel by an obfuscation of C (0) (0) aspects: First, if h = hj ∗ , it uses the hard-coded value yj ∗ to compute PK (0)  del , instead of using the key K. Since hj ∗ is never evaluated in the 6th line of C ∗ K can be replaced by a punctured key K without affecting behavior. Second,  del now returns PPRF(K∗ , h ) (i.e., using a punctured if all checks pass, C  del is also padded to the maximum size of any key instead of K). Circuit C such circuit.  del , in particular Cdel and C  del The second change modifies the behavior of C  differ on inputs (SK, h, h , π) of the following form:

Simpler Constructions of Asymmetric Primitives from Obfuscation

1. 2. 3. 4.

731

Proof π is valid for the statement (h, h ); (0) (0) If h = hj for some j ∈ Si+δ then PRG(SK) = yj ; Otherwise PRG(SK) = PRG(PPRF(K, h)); (0) h = hj ∗ (i.e., K∗ is punctured at h )

Suppose there exists an adversary A that distinguishes game Gi,δ,1 from game Gi,δ,2 . We build an adversary B against diO, which simulates Gi,δ,1 for A, except  del and queries its (obfuscation) LR oracle to that it constructs both Cdel and C del receive an obfuscated circuit which B defines to be C . When A returns a bit b , algorithm B returns (b = b ). Depending on the bit chosen by B’s (obfuscation) game, A is run either in Gi,δ,1 or Gi,δ,2 and the output of B matches the output of these games when run with A. Hence    A  ind Pr GA i,δ,1 − Pr Gi,δ,2 ≤ AdvdiO,B (λ). In order to argue that Advind diO,B (λ) is negligible, it remains to show that B is diO-legitimate; that is, for every ppt extractor E we have Adveq B,E (λ) ∈ Negl. Suppose there exists an extractor E that given B’s coins returns an input on  del differ, i.e., E returns (SK, h, h , π) that satisfies items (1)– which Cdel and C (4) above. Then we show that E can be used to construct a BS that breaks the extractability of SNARK or a BH that breaks the collision-resistance of H. We define BS to be an algorithm that samples coins for B, runs E on them to obtain (SK, h, h , π) and returns statement (h, h ) and π. By the extractability property of the SNARK, for this BS there exists an extractor ES that on input the coins of BS outputs a witness (ID, ID ). In particular if item (1) above holds, we have 5. h = H(k, ID) and h = H(k , ID|ID ) and ID = ε. (0)

(0)

By definition we have hj ∗ = H(k , ID[j ∗ ] ); combining this with items (4) and (5) yields (0) H(k, ID|ID ) = H(k, ID[j ∗ ] ). We now argue that with overwhelming probability we have that (0)

6. ID|ID = ID[j ∗ ] . If this was not the case then we could build an adversary BH that breaks the public-coin collision resistance of H as follows. Algorithm BH receives k , which it uses to define k ∈ {0, 1}λ for the scheme. It samples the remaining randomness used by B and combines it with the received r to form coins rB for B. It samples coins rE for E, which together define coins rBS for BS , on which BH runs ES to (0)

obtain (ID, ID ). Finally, BH returns (ID|ID , ID[j ∗ ] ). (0)

If j ∗ = 0, we have ID[j ∗ ] = ε, so (6) contradicts (5) and thus we have shown that no differing-input extractor exists. (0) (0) If j ∗ ≥ 1, then (6) implies ID = ID[j ∗ −1] , thus h = H(k, ID) = H(k, ID[j ∗ −1] ) (0)

= hj ∗ −1 . By property (B) of the set system {S0 , . . .} (see beginning of the

732

P. Farshim et al.

proof), we have j ∗ − 1 ∈ Si , meaning yj ∗ −1 is a random value for which with overwhelming probability there is no pre-image SK under PRG, i.e., with (0) PRG(SK) = yj ∗ −1 . This however contradicts item (2), showing no differinginput extractor exists. (0)

Gi,δ,3 : This game modifies the previous game by using the key K∗ punctured at (0)

H(k, ID[j ∗ ] ) instead of K when answering A’s queries to Ext. (0)

Since A is not allowed to query a key for ID[j ∗ ] , the two games only differ if A (0)

queries the oracle for an identity ID with H(k, ID) = H(k, ID[j ∗ ] ). We can thus construct an adversary BH , using the given randomness for k, simulates the rest (0) of the game and outputs a collision (ID, ID[j ∗ ] ). Hence   A   cr Pr GA i,δ,2 − Pr Gi,δ,3 ≤ AdvH,B (λ). (0)

(0)

Gi,δ,4 : This game no longer sets yj ∗ := PRG(PPRF(K, hj ∗ )), but instead com(0)

(0)

(0)

putes it by sampling sj ∗ ← ←{0, 1}n(λ) and then setting yj ∗ := PRG(sj ∗ ). Let A be an adversary that distinguishes Gi,δ,3 and Gi,δ,4 . We use A to build an adversary B against the selective security of the puncturable PRF as fol(0) (1) lows. Algorithm B runs A until it outputs a pair (ID , ID ). It then queries (0)

a punctured key K∗ at H(k, ID[j ∗ ] ) and it queries its PPRF challenge oracle (0)

(0)

(0)

(0)

on hj ∗ = H(k, IDj ∗ ) to receive sj ∗ (which is either PPRF(K, hj ∗ ) or truly random.) Note that B’s query is legitimate. Algorithm B then simulates the rest of Gi,δ,3 . Note that B can do this because K, the un-punctured key, is not used (0) anywhere. When A terminates with a bit b , algorithm B returns (b = b ). If sj ∗ (0)

is PPRF(K, hj ∗ ) then A is run in game Gi,δ,3 , and when it is random then A is run with respect to Gi,δ,4 . Hence,   A   ind Pr GA i,δ,3 − Pr Gi,δ,4 ≤ AdvPPRF,B (λ). (0)

(0)

Gi,δ,5 : This game modifies yj ∗ further: instead of setting it to PRG(sj ∗ ) it (0)

directly samples yj ∗ ← ←{0, 1}2n(λ) . Let A be an adversary that distinguishes Gi,δ,4 from Gi,δ,5 . We use A to build an adversary B against the security of PRG as follows. Algorithm B receives a (0) (0) (0) value yj ∗ which is either PRG(sj ∗ ) for a uniformly random sj ∗ , or is a truly random value. Algorithm B simulates Gi,δ,4 for A, except that it uses the given (0) yj ∗ (instead of running the code in boxes 4 and 5 in Fig. 5). When A terminates with a bit b , algorithm B returns (b = b ). If yj ∗ is PRG(sj ∗ ), algorithm A is run in game Gi,δ,4 and when it is truly random it is run in Gi,δ,5 . Hence,   A   ind Pr GA i,δ,4 − Pr Gi,δ,5 ≤ AdvPRG,B (λ). (0)

(0)

Simpler Constructions of Asymmetric Primitives from Obfuscation

733

(0)

We have thus arrived at a game, Gi,δ,5 , in which all values yj for j ∈ Si+δ are random. The only difference to game Gi+δ is that the latter uses circuits Cgen and Cdel and oracle Ext, which have an un-punctured key K for the PPRF evaluations. Analogously to game hops 0 → 1, 1 → 2 and 2 → 3, we can show that there exist iO adversary B1 , diO adversary B2 , and H-adversary B3 with   A   ind ind cr Pr GA i,δ,5 − Pr Gi+δ ≤ AdviO,B1 (λ) + AdvdiO,B2 (λ) + AdvH,B3 (λ). So far we have thus shown that the Sel-AI-CPA game is indistinguishable from game G(n(0) ) , in particular there exist B1 , . . . , B5 with      ind Pr GA (λ) − Pr G(n(0) ) ≤ 2((n(0) ) + 1) · Advind iO,B1 (λ) + AdvdiO,B2 (λ)    ind (0) +Advcr ) + 1) · Advind H,B3 (λ) + ((n PPRF,B4 (λ) + AdvPRG,B5 (λ) . (0)

By property (A) of our set system S−1 , . . . , S(n(0) ) , in G(n(0) ) the value y(n(0) ) , (0)

which corresponds to the public key for challenge identity ID , is random. (1) (1) We now define a similar sequence of games G(1) −1 := G(n(0) ) , G0 , . . . , G(n(1) )

where G(1) is defined by setting all values yj(0) for j ∈ S(n(0) ) and all values i (1) yj for j ∈ Sj to be random. An analogous argument to the one above now (1) shows that G(1) −1 is indistinguishable from G(n(1) ) . Together, this shows that the original game is indistinguishable from G(1) , a game in which the public keys (n(1) )

(0) (1) corresponding the challenge identities, i.e., the vales y(n (0) ) and y(n(1) ) with overwhelming probability do not have preimages under PRG.

G(2) : Defined like G(1) but generates the challenge ciphertext by always (n(1) ) (0)

encrypting M0 for ID . and G(2) . We use A to build Let A be an adversary that distinguishes G(1) (n(1) ) an adversary B against the security of iO as follows. B simulates G(1) for (n(1) ) (i)

A answering its LR queries on (M0 , M1 ) by setting PK(i) ← yn(i) for i = 0, 1 gen

(i)

(which implements PK(i) ← C (ID )) and calling its (obfuscation) LR oracle on Cenc [PK(b) , Mb ] and Cenc [PK(0) , M0 ] and returning the received CT to A. When A outputs b then B returns (b = b ). According to the challenge bit in or G(2) : the obfuscation game, A is run in game G(1) (n(1) )     )A − Pr (G(2) )A ≤ Advind Pr (G(1) iO,B (λ). (n(1) ) It remains to show that the circuits queried by B to its challenge oracle are (0) (1) functionally equivalent. Since yn(0) and yn(1) are truly random bit strings of length 2n(λ), with overwhelming probability there do not exist SK(0) , SK(1) (i) (0) with PRG(SK(i) ) = yn(i) . With overwhelming probability over the choice of yn(0) (1)

and yn(1) the circuits Cenc [PK(b) , Mb ] and Cenc [PK(0) , M0 ] are both functionally

734

P. Farshim et al.

equivalent to a circuit that always outputs ⊥. (And they are of the same size, since |Mb | = |M0 |.) Finally note that G(2) is independent of the bit b and hence for any (even   unbounded) adversary A we have Pr[(G(2) )A ] = 0. The theorem follows. Remark. Suppose we define H(k, ID) := ID for all k, ID and Prove(crs, (h, h ), w) := w. Then there are no collisions for H and the SNARK proofs are perfectly extractable. This means that the diO adversary we construct when showing that Gi,δ,1 and Gi,δ,2 in the proof of Theorem 5.1 are indistinguishable is actually iO-legitimate. It then suffices to use an indistinguishability obfuscator to obtain a bounded -depth HIBE from the above construction. Acknowledgments. Farshim was supported by the European Research Council under the European Community’s Seventh Framework Programme (FP7/ 2007–2013 Grant Agreement no. 339563 - CryptoCloud). Fuchsbauer is supported by the Vienna Science and Technology Fund (WWTF) through project VRG18-002; work done while at Inria and supported by the French ANR Project ANR-16-CE39-0002 EfTrEC. Passel`egue was supported in part from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1619348, 1228984, 1136174, and 1065276, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant.

References [ABC+05] Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218 13 [AFP14] Abusalah, H., Fuchsbauer, G., Pietrzak, K.: Constrained PRFs for unbounded inputs. Cryptology ePrint Archive, report 2014/840 (2014) [AJL+19] Ananth, P., Jain, A., Lin, H., Matt, C., Sahai, A.: Indistinguishability obfuscation without multilinear maps: new paradigms via low degree weak pseudorandomness and security amplification. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 284–332. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8 10 [AS16] Ananth, P., Sahai, A.: Functional encryption for turing machines. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 125–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-66249096-9 6 [AS17] Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-31956620-7 6 [BCG+17] Brakerski, Z., Chandran, N., Goyal, V., Jain, A., Sahai, A., Segev, G.: Hierarchical functional encryption. In: Papadimitriou, C.H. (ed.) ITCS 2017, vol. 4266, pp. 8:1–8:27, 67. LIPIcs, January 2017

Simpler Constructions of Asymmetric Primitives from Obfuscation

735

[BDGM20a] Brakerski, Z., D¨ ottling, N., Garg, S., Malavolta, G.: Candidate iO from homomorphic encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 79–109. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1 4 [BDGM20b] Brakerski, Z., D¨ ottling, N., Garg, S., Malavolta, G.: Factoring and pairings are not necessary for iO: circular-secure LWE suffices. IACR Cryptology ePrint Archive 2020/1024 (2020) [Ben89] Bennett, C.H.: Time/space trade-offs for reversible computation. SIAM J. Comput. 18(4), 766–776 (1989) [BGI+12] Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6:1–6:48 (2012) [BGI14] Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-64254631-0 29 [BLMZ19] Bartusek, J., Lepoint, T., Ma, F., Zhandry, M.: New techniques for obfuscating conjunctions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 636–666. Springer, Cham (2019). https://doi.org/ 10.1007/978-3-030-17659-4 22 [BLR+15] Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6 19 [BNPW16] Bitansky, N., Nishimaki, R., Passel`egue, A., Wichs, D.: From cryptomania to obfustopia through secret-key functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 391–418. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5 15 [BP15] Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7 16 [BSW16] Bellare, M., Stepanovs, I., Waters, B.: New negative results on differinginputs obfuscation. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 792–821. Springer, Heidelberg (2016). https:// doi.org/10.1007/978-3-662-49896-5 28 [BV15] Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: Guruswami, V. (ed.) 56th FOCS, pp. 171–190. IEEE Computer Society Press, October 2015 [BW07] Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-54070936-7 29 [BW13] Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10. 1007/978-3-642-42045-0 15 [BZ14] Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 480–499. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2 27

736

P. Farshim et al.

[CLP15] Chung, K.-M., Lin, H., Pass, R.: Constant-round concurrent zeroknowledge from indistinguishability obfuscation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 287–307. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6 14 [CRV10] Canetti, R., Rothblum, G.N., Varia, M.: Obfuscation of hyperplane membership. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 72–89. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-1179925 [CVW18] Chen, Y., Vaikuntanathan, V., Wee, H.: GGH15 beyond permutation branching programs: proofs, attacks, and candidates. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 577–607. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0 20 [ElG84] ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/ 10.1007/3-540-39568-7 2 [FKPR14] Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 82–101. Springer, Heidelberg (2014). https:// doi.org/10.1007/978-3-662-45608-8 5 [GGH+13] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013 [GGHW14] Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 518–535. Springer, Heidelberg (2014). https://doi.org/10. 1007/978-3-662-44371-2 29 [GGM86] Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986) [GGSW13] Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 467–476. ACM Press, June 2013 [GJLS20] Gay, R., Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from simple-to-state hard problems: new assumptions, new techniques, and simplification. IACR Cryptology ePrint Archive 2020/764 (2020) [GKW17] Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: Umans, C. (ed.) 58th FOCS, pp. 612–621. IEEE Computer Society Press, October 2017 [Gol01] Goldreich, O.: Foundations of Cryptography: Basic Tools, vol. 1. Cambridge University Press, Cambridge (2001) [GP20] Gay, R., Pass, R.: Indistinguishability obfuscation from circular security. IACR Cryptology ePrint Archive 2020/1010 (2020) [GPSW06] Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 89–98. ACM Press, October/November 2006. Available as Cryptology ePrint Archive Report 2006/309

Simpler Constructions of Asymmetric Primitives from Obfuscation

737

[GS02] Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2 34 [GZ20] Galbraith, S.D., Zobernig, L.: Obfuscating finite automata. IACR Cryptology ePrint Archive 2020/1009 (2020) [HR04] Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004). https://doi. org/10.1007/978-3-540-28628-8 6 [HSW14] Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 201–220. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-552205 12 [HW15] Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: Roughgarden, T. (ed.) ITCS 2015, pp. 163–172. ACM, January 2015 [IPS15] Ishai, Y., Pandey, O., Sahai, A.: Public-coin differing-inputs obfuscation and its applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 668–697. Springer, Heidelberg (2015). https://doi.org/10. 1007/978-3-662-46497-7 26 [JLMS19] Jain, A., Lin, H., Matt, C., Sahai, A.: How to leverage hardness of constant-degree expanding polynomials over R to build iO. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 251–281. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2 9 [JLS20] Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from wellfounded assumptions. CoRR, abs/2008.09317 (2020) [KPTZ13] Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 669–684. ACM Press, November 2013 [KSW08] Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3 9 [LOS+10] Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/ 10.1007/978-3-642-13190-5 4 [LPST16] Lin, H., Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation with non-trivial efficiency. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 447–462. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8 17 [LT17] Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 630–660. Springer, Cham (2017). https:// doi.org/10.1007/978-3-319-63688-7 21

738

P. Farshim et al. [LW11] Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-64220465-4 30 [MH14] Matsuda, T., Hanaoka, G.: Chosen ciphertext security via point obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 95–120. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8 5 [PPS15] Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 638–667. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7 25 [SW14] Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press, May/June 2014 [Wat15] Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). https:// doi.org/10.1007/978-3-662-48000-7 33 [WZ17] Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: Umans, C. (ed.) 58th FOCS, pp. 600–611. IEEE Computer Society Press, October 2017 [Zha16] Zhandry, M.: The magic of ELFs. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 479–508. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4 18

Secure Multi-party Computation

Adaptive Security of Practical Garbling Schemes Zahra Jafargholi1 and Sabine Oechsner2(B) 1

2

Sepior, Aarhus, Denmark [email protected] Aarhus University, Aarhus, Denmark [email protected]

Abstract. A garbling scheme enables one to garble a circuit C and an input x in a way that C(x) can be evaluated, but nothing else is revealed. Since the first construction by Yao, tremendous practical efficiency improvements for selectively secure garbling schemes –where the adversary is forced to choose both input and circuit to be garbled at the same time– were proposed. However, in the more realistic setting of adaptive security where an adversary can choose the input adaptively based on the garbled circuit little is known about practical efficiency improvements. In this work, we initiate the study of practical garbling schemes that are both more efficient than Yao’s construction and adaptively secure. We provide insights into characteristics of these schemes and highlight the limitations of current techniques for proving adaptive security in this regime. Furthermore, we present an adaptively secure garbling scheme that garbles XOR gates with 2 and AND gates with 3 ciphertexts per gate, thus providing the first practical garbling scheme for NC1 circuits with adaptive security based on PRFs whose garbled circuit size is smaller than that of Yao’s construction.

1

Introduction

Garbled circuits (GC) were introduced in 1982 by Yao [25,26] and have in the past four decades since turned into a fundamental corner stone of cryptography, with applications such as secure multi-party computation, functional encryption and zero-knowledge protocols. A garbling scheme provides a way to garble a  x circuit C and an input x (into C, ˜), such that the output C(x) can be computed  from C and x ˜, but nothing else is revealed about the circuit or its input. This Z. Jafargholi—Supported by the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 669255 (MPCPRO). S. Oechsner—Supported by the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 669255 (MPCPRO), the Concordium Blockhain Research Center, Aarhus University, Denmark, and the Danish Independent Research Council under Grant-ID DFF-802100366B (BETHE). c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 741–762, 2020. https://doi.org/10.1007/978-3-030-65277-7_33

742

Z. Jafargholi and S. Oechsner

property of concealing all other information about C and x can be formalized in two different ways. The first flavor is selective security, where the adversary picks  x C and x at the same time and sends them to the challenger and gets back C, ˜. The second and more realistic flavor is adaptive security where the adversary  and then gets to adaptively chose x. A first chooses and sends C and gets back C, garbling scheme needs to provide adaptive security in all settings where the input is not yet determined at the time of circuit garbling. Examples include one-time programs [11], verifiable computation [10] succinct adaptively secure functional encryption [1,2], and two-party computation in the preprocessing model based on the garbled circuits approach (see Lindell and Riva [21,22] for further discussion). In both cases, there must be a simulator that only gets C(x) (once x is known) and produces a simulated garbled circuit and input such that the adversary cannot tell the difference between the real and simulated results. In general, the topology of the graph is assumed to be public knowledge. In case of some optimized schemes, the circuit function is not private either, since the garbling and evaluation of XOR and AND gates are different. We refer to the time it takes to garble the circuit as off-line complexity of the garbling scheme as opposed to the on-line complexity of garbling the input (which is lower bounded by |˜ x|). The importance of efficient on-line complexity is more apparent in adaptive settings. Say a client (with dismal computational power) needs to compute a large circuit on a small as yet unknown input as quickly as possible. This client can take their time computing a garbled version of that large circuit. But once the client knows x, they can quickly garble x and continue the protocol. In this case, clearly the on-line complexity must be much smaller than the time it takes to compute C(x). From a theoretical point of view a range of adaptively secure garbling schemes exist [5,6,9,13,16] as well as generic transformation from selective to adaptive security [6,22]. Unfortunately, most of them are prohibitively inefficient for practical applications and/or are based on strong non-standard assumptions. The only exception so far is Yao’s garbled circuits (YaoGC) which was shown to be selectively secure based on the existence of one-way functions by Lindell and Pinkas [19], and adaptively secure for NC1 circuits by Jafargholi and Wichs [16] based on the same assumption. For the rest of this work, we will refer to the technique used in [16] as the JW technique. A considerable body of work has been dedicated to creating garbling schemes that improve in off-line complexity over Yao’s construction (without sacrificing on-line complexity efficiency) by reducing the garbled circuit size [12,17,18,23,24,27], and we will refer to this class of garbling schemes as optimized garbling schemes. All these construction are proven selectively secure (based on different assumptions of various strength), yet their adaptive security remained unexamined. This is not surprising since proving adaptive security is notoriously difficult for many cryptographic primitives. Given the importance of efficient garbling schemes in modern cryptographic protocols, it is natural to ask about the adaptive security of optimized garbling schemes. The challenge is the inherent need for equivocation of the circuit garbling to the real input. The existing generic transformations either increase

Adaptive Security of Practical Garbling Schemes

743

the offline complexity to be proportional to the circuit size by using equivocal encryption [6], assume universal computational extractors [5], or shift the equivocation into the assumption of a programmable random oracle [6], resulting in the number of queries that need to programmed to be linear in the circuit size. That means that all approaches either drastically increase the concrete on-line efficiency or rely on assumptions that are believed to be widely unrealistic. It remains therefore a challenge to find or construct a garbling scheme that can be proved to be adaptively secure based on standard assumptions, with on-line complexity similar to YaoGC and off-line complexity smaller than YaoGC. Contributions. In this work, we present the following contributions: 1. We initiate the study of adaptively secure practical garbling schemes. To this extent, we examine the adaptive security of existing optimized garbling schemes and provide insights into characteristics of practical garbling schemes which can be proven adaptively secure – using currently known techniques. These characteristics provide a shortcut for analyzing adaptive security of future optimized garbling schemes constructions. 2. We construct the first adaptively secure optimized garbling scheme for NC1 circuits with garbled circuit size that is 25% to 50% smaller than that of YaoGC and same on-line complexity, assuming only the existence of PRFs. 3. We apply the JW technique for the first time to a garbling scheme built on hash functions with the point-and-permute optimization instead of an encryption scheme (where permutation bits are not needed) and thus show that point-and-permute does not interfere with adaptive security under standard assumptions. Moreover, our construction uses the three-row reduction optimization, proving that this technique is compatible with adaptive security. 1.1

Overview of Our Results

Adaptive Security of Existing Optimized Garbling Schemes. Since we are interested in optimized garbling schemes with adaptive security that improve over Yao’s garbling scheme, we start by examining the adaptive security of existing optimized garbling schemes constructions. Our starting point will be YaoGC as the only known practical garbling scheme with adaptive security based on standard assumption. YaoGC: From Selective to Adaptive Security. We briefly revisit YaoGC and the main challenge in proving it adaptively secure. Recall that to garble a Boolean circuit in Yao’s scheme, each wire is assigned two random keys encoding zero and one, respectively. In the next step, four ciphertexts are computed for each gate according to the gate function: each output wire key is encrypted under all combinations of input wire keys which evaluate to that output wire key. The selective security proof consists of a simulator and a series of hybrid arguments. In order to create this series of hybrid garbled circuits, it is crucial to know the

744

Z. Jafargholi and S. Oechsner

input x, to make sure that the half-real-half-simulated garbled circuits indeed output correct and indistinguishable distributions. Even though the final simulation must succeed without knowledge of x, the hybrids will depend on this knowledge and will only gradually remove the dependency. The challenge for proving adaptive security thus is the inconvenient absence of x in the adaptive setting when the garbled circuit is supposed to be created. In fact, this lack of knowledge is the crux in any attempt of lifting the selective security proof of a garbling scheme to a proof of adaptive security. For the adaptive security proof of YaoGC, Jafargholi and Wichs [16] define a larger set of hybrid games wherein a few wire values in the circuit are guessed (since they are not known) at the beginning of the game, and the game is terminated if the guesses are not correct. They then propose a pebbling game to find a sequence of hybrids that minimizes the amount of wire value guesses and thus the security loss. Optimized Garbling Schemes with Selective Security. The existing optimized garbling schemes with selective security achieve their efficiency improvements by correlating wire keys (within a gate and/or across gates) and thereby removing the need to communicate every wire key separately. Furthermore, this correlation creates opportunities to reduce the number of ciphertexts per gate. Various works proposed different wire key correlations such as row-reduction techniques [23,24], FreeXOR [18], half gates [27] and the work by Gueron et al. [12] which we will refer to as the fast garbling approach. Note that the FreeXOR and half gates constructions, that is the most efficient constructions in terms of on-line complexity, assume primitives much stronger than PRFs (circular correlationrobust hash functions) and as a result have “simpler” selective security proofs where indistinguishability of real and simulated garbling can be shown without intermediate hybrids. Nevertheless, their selective security proof relies crucially on knowledge of the input x. From Selective to Adaptive Security. Turning now to adaptive security of existing optimized garbling schemes, we stumble over the same challenge as the one we were facing with YaoGC: The absence of the input x at the beginning of our security game. Since the challenge is the same as before, one might wonder if the same solution is applicable here. Furthermore, since some optimized garbling schemes are based on stronger assumptions and their selective security proofs are somewhat simpler, there is hope that this simplicity translates into simpler adaptive security proofs. However, once studied more closely, the stronger assumptions (e.g. encryption schemes with stronger security) prove to be of no help at all. Remember that the main challenge in proving adaptive security is the absence of x and since these stronger assumptions are still selective in nature (requiring the adversary to commit to a choice in advance), they do not simplify this particular challenge. Moreover, the solution from [16] (JW technique) is in most cases not applicable either. In fact, we argue that in order to prove an optimized garbling schemes adaptively secure using the existing techniques, the scheme needs to have the right balance of wire key correlation. On the one hand, more wire key correlation can yield an efficiency gain. On the other hand, too much correlation and the JW technique is not applicable anymore.

Adaptive Security of Practical Garbling Schemes

745

To see this, on a very high level, consider the distribution of wire keys in Yao’s construction: independent and uniformly random. Or rather, they start as such, but as soon as the garbled circuit is created and the gate garblings published, all wire keys are correlated with the garbled circuit (except for the input wire keys to the circuit), because they appear as part of the garbled circuit inside ciphertexts. To prove (adaptive or selective) security, for every wire in the circuit, all occurrences of one of the wire keys (call it k1 ) have to be removed from the garbled circuit through a sequence of hybrids. These occurrences are replaced by the other wire key (k0 ). This sequence of hybrids should be defined such that each two consecutive hybrids can be shown to be indistinguishable via a reduction from the underlying assumption. If the sequence starts from using two keys on each wire and ends in using only one key in all wires, then real and simulated garbling are indistinguishable. In [16], a pebbling game is defined to capture the requirements of a valid sequence of hybrids in order to prove adaptive security. In this game, hybrid garbling gate modes are defined as nodes without a pebble/with black pebbles/with gray pebbles. The graph state representing the real garbling is the graph of the circuit with no pebbles and the graph state representing the simulated garbling is the circuit graph with a gray pebble on each node. The rules of the pebbling game ensure that if in between two hybrid garbled circuits, an encryption of key k1 under key k1 is replaced with an encryption of key k0 under k1 , then k1 has to be both random and cannot appear anywhere in the hybrid garbled circuit, not even in encrypted form. This is crucial, because to be able to invoke the security of the underlying encryption scheme –to argue the change of the message cannot be detected– we have to make sure the key k1 of the encryption follows the distribution of the security game, i.e. is independent and uniformly random. It is now discernible that if we add more dependency between the wire keys by not only creating ciphertexts of them, but also by correlating them to each other from the beginning, the pebbling rules might have to be changed to make sure that during reduction, k1 is completely independent of the garbled circuit. Indeed this revision of rules might not even be possible if the keys are actually derived directly from other keys in the circuit. Even if this revision is possible, the resulting pebbling game might be so costly that makes this approach to proving security futile. If we can find a way to correlate wire keys that preserve the JW pebbling rules (or at least does not make them too involved), then we can use the JW technique to prove adaptive security for the new garbling scheme. Unfortunately, it turns out that the pebbling rules cannot be adapted for FreeXOR and garbling schemes using the FreeXOR technique. For Two-Row Reduction and the garbling scheme by Gueron et al., the pebbling game could in principle be modified, but the resulting proof strategy would be prohibitively expensive. The only existing optimized garbling scheme that can be proven secure using the JW technique is YaoGC combined with Three-Row Reduction. Our New Construction. With these insights, we move on to constructing a new garbling scheme that can in fact be proven adaptively secure. The scheme is

746

Z. Jafargholi and S. Oechsner

similar in spirit to that of Gueron et al. [12] and adaptive security relies only on the existence of PRFs. XOR gates can be garbled with two ciphertexts and AND gates with three. The key insight is that the garbling of XOR gates in Gueron et al.’s garbling scheme almost achieves adaptive security. Consider therefore the garbling of XOR gates. As observed by Kolesnikov and Schneider [18], an XOR gate can be evaluated without any ciphertext if both the input wire key pairs as well as the output wire key pair are correlated by the same offset. As a consequence, the output wire keys are determined deterministically by the input wire keys. This approach requires however to either prove selective security in the random oracle model or assume the existence of circular-correlation robust hash functions [8] or the corresponding notion of related-key key-dependent message security for encryption schemes [3]. In order to enable a reduction to PRFs, the garbling scheme by Gueron et al. first “translates” the input wire keys (evaluates a PRF on them) to hide the dependency on the predecessor gates and enable a reduction to PRFs. The construction manages to still keep the number of ciphertexts for a garbled XOR gate at just one by computing the gate offset deterministically from the input wire keys on one gate and forcing the output wire key pair to have the same offset. The remaining ciphertext encrypts the gate-specific offset. However, the input wire keys still determine the output wire keys uniquely. By choosing the offset in XOR gates uniformly at random and using the strongest known row reduction technique compatible with adaptive security proofs, that is three-row reduction, for AND gates, we achieve the first garbling scheme that improves in off-line complexity over Yao’s construction and has adaptive security based on weak standard assumptions. Our construction uses the point-and-permute technique [23] and is therefore also the first efficient adaptively secure garbling scheme using point-and-permute, proving that pointand-permute is compatible with adaptive security from standard assumptions. 1.2

Outline

We start by providing the necessary notation and background on garbling schemes in Sect. 2. Then, we revisit the JW technique in Sect. 3. We also derive characteristics of adaptively secure garbling schemes and examine the applicability of the JW technique to existing optimized garbling schemes. Section 4 presents our new garbling scheme which is proven to be adaptively secure in Sect. 5.

2 2.1

Preliminaries General Notation

We will use [q] as a shorthand for the set {1, . . . , q}. For a bitstring s = s1 . . . sk of arbitrary length k, we will denote by sabl (“all but last (bit)”) the substring s1 . . . sk−1 and by slsb the last bit sk .

Adaptive Security of Practical Garbling Schemes

747

Definition 1 [16]. Two distributions X and Y are (T, ε)-indistinguishable, denoted DT [X, Y ] = ε, if for any probabilistic algorithm A running in time T , | Pr[A(X) = 1] − Pr[A(Y ) = 1]| ≤ ε. For two games Game and Game , we say that they are (T (λ), ε(λ))indistinguishable, DT (λ) Game, Game = ε(λ), if for any adversary A running in time T (λ), | Pr[GameA = 1] − Pr[GameA = 1]| ≤ ε(λ). Let games Game(λ) and Game (λ) be games parameterized by the security parameter λ. If for any polynomial function T (λ), there exists a negligible func  tion ε(λ) such that for all λ, DT (λ) Game(λ), Game (λ) ≤ ε(λ), we say that the two games are computationally indistinguishable, denoted Game(λ) Game (λ). 2.2

comp



Garbling Schemes

The bulk of this section defining what garbled circuits are and presenting Yao’s construction, is taken verbatim from [13]. There are many variants of such definitions in the literature, and we refer the reader to [7] for a comprehensive treatment. Definition 2. A garbling scheme is a tuple of PPT algorithms GC = (GCircuit, GInput, Eval) such that:  k) ← GCircuit(1λ , C): takes as input a security parameter λ, a circuit – (C,  and key k. C : {0, 1}n → {0, 1}m , and outputs the garbled circuit C, n ˜. – x ˜ ← GInput(k, x): takes as input, x ∈ {0, 1} , and key k and outputs x  x  and a garbled input x – y = Eval(C, ˜): given a garbled circuit C ˜ output y ∈ {0, 1}m . $

Correctness. There is a negligible function ν such that for any λ ∈ N, any  x circuit C and input x it holds that Pr[C(x) = Eval(C, ˜)] = 1 − ν(λ), where λ  ˜ ← GInput(k, x). (C, k) ← GCircuit(1 , C), x Adaptive Security. There exists a PPT simulator Sim = (SimC, SimIn) such that, for any PPT adversary A, there exists a negligible function ε such that:     adaptive adaptive Pr[ExpA,GC,Sim (λ, 0) = 1] − Pr[ExpA,GC,Sim (λ, 1) = 1] ≤ ε(λ) where the experiment Expadaptive A,GC,Sim (λ, b) is defined as follows:  where C  is created as follows: 1. The adversary A specifies C and gets C  k) ← GCircuit(1λ , C), – if b = 0: (C,  state) ← SimC(1λ , Φ(C)), – if b = 1: (C,

748

Z. Jafargholi and S. Oechsner

2. The adversary A specifies x and gets x ˜ created as follows: – if b = 0, x ˜ ← GInput(k, x), – if b = 1, x ˜ ← SimIn(C(x), state). 3. Finally, the adversary outputs a bit b , which is the output of the experiment. In other words, we say GC is adaptively secure if   adaptive DT (λ) Expadaptive (λ, 0), Exp (λ, 1) = ε(λ). GC,Sim GC,Sim Online Complexity. The time it takes to garble an input x (i.e. time complexity of GInput) is the online complexity of the scheme. Clearly the online complexity of the scheme gives a bound on the size of the garbled input x ˜. 0 1 Yao’s Scheme. For each wire w in the circuit, we pick two keys kw , kw for a symmetric-key encryption scheme. For each gate in the circuit computing a function g : {0, 1}2 → {0, 1} and having input wires a, b and output wire c we create a garbled gate consisting of 4 randomly ordered ciphertexts created as: g(0,0)

c0,0 = Encka0 (Enckb0 (kc

c0,1 = Enc (Enc 0 ka

kb1

g(1,0)

)) c1,0 = Encka1 (Enckb0 (kc

g(0,1) (kc ))

c1,1 = Enc (Enc 1 ka

kb1

)),

g(1,1) (kc ))

(1)

 where (Enc, Dec) is a CPA-secure encryption scheme. The garbled circuit C 0 1 consists of all of the gabled gates, along with an output map {kw → 0, kw → 1} which maps the keys to the bits they represent for each output wire w. To garble xi ˜ consists of the keys kw for an n-bit value x = x1 x2 · · · xn , the garbled input x i the n input wires wi . To evaluate the garbled circuit on the garbled input, it’s possible to decrypt v(w) exactly one ciphertext in each garbled gate and get the key kw corresponding to the bit v(w) going over the wire w during the computation C(x). Once the keys for the output wires are computed, it’s possible to recover the actual output bits by looking them up in the output map. 2.3

Pseudorandom Functions

Definition 3. A pseudorandom function (PRF) is an efficiently computable family of functions F = {Fn }n∈N such that for every function Fn : {0, 1}n × {0, 1}m → {0, 1}m , no efficient PPT algorithm D can distinguish the outputs of a randomly chosen function from those of a function that outputs uniformly random values. We will write Fk (x) where k ∈ {0, 1}n is the key and x ∈ {0, 1}m is the input of the function. Definition 4. Let F = {Fn }n∈N be an efficient family of functions where for every n, Fn : {0, 1}n × {0, 1}n+1 → {0, 1}n+1 . Family F is a (T (λ), ε(λ))-secure 2PRF if for every n and every probabilistic adversary A, running in time T   RF 2P RF DT (λ) Exp2P F ,A (n, 1), ExpF ,A (n, 0) ≤ ε(n). RF for experiment Exp2P in Fig. 1. F ,A

Adaptive Security of Practical Garbling Schemes

749

RF Experiment Exp2P,A (n, σ)

1. Choose random keys k1 , k2 ← {0, 1}n for the pseudorandom function, and choose two truly random functions f 1 , f 2 . If σ = 0, set (O(1) , O(2) , O(3) , O(4) ) = ( k1 , k1 , k2 , k2 ). Else, set (O(1) , O(2) , O(3) , O(4) ) = (f 1 , k1 , f 2 , k2 ). 2. The adversary A is invoked upon input 1n . 3. When A makes a query (j, x) to its oracles with j ∈ {1, 2, 3, 4} and x ∈ {0, 1}n+1 , answer as follows: – If j ∈ {1, 2} and x was already queried to {1, 2}\{j}, return ⊥. – If j ∈ {3, 4} and x was already queried to {3, 4}\{j}, return ⊥. – Otherwise, return O(j) (x). 4. A outputs a bit σ  , and this is the output of the experiment.

Fig. 1. The 2PRF experiment from [12].

Lemma 1 [12]. If F is a family of pseudorandom functions, then it is a 2PRF.

3

Adaptive and Practical Garbling Schemes: Background and a Way Forward

This section revisits the only adaptive security proof of a practical garbling scheme currently known based on standard assumptions. We start by a brief overview of YaoGC and the challenges in proving it adaptively secure. Section 3.2 then revisits the JW technique which is due to Jafargholi and Wichs [16], with a focus on how adaptive security is achieved. Following this, in Sect. 3.3 we identify properties of a garbling scheme that can be proven adaptively secure using the JW technique and examine well-known optimized garbling schemes with respect to these findings (Sect. 3.4). 3.1

Yao’s Scheme and the Challenge of Adaptive Security [16]

To understand the difficulty with analyzing the adaptive security of optimized garbling schemes, we need to start from selective security of Yao’s scheme (see Sect. 2.2). This subsection captures the basic information on the construction of YaoGC, the selective security proof and the difficulty proving adaptive security quite succinctly, and for this reason appears in multiple works on this topic [13,15,16] and we gratefully make use of it in this work as well.

750

Z. Jafargholi and S. Oechsner

Selective Security Simulator. To prove the selective security of Yao’s scheme, we need to define a simulator that gets the output y = y1 y2 · · · ym = C(x) and must 0 1  x , kw for each wire w just like produce C, ˜. The simulator picks random keys kw the real scheme, but it creates the garbled gates as follows: c0,0 = Encka0 (Enckb0 (kc0 )) c1,0 = Encka1 (Enckb0 (kc0 )), c0,1 = Encka0 (Enckb1 (kc0 )) c1,1 = Encka1 (Enckb1 (kc0 ))

(2)

where all four ciphertexts encrypt the same key kc0 . It creates the output mapping 0 1 0 → yw , kw → 1 − yw } by “programming it” so that the key kw corresponds {kw to the correct output bit yw for each output wire w. This defines the simulated  To create the simulated garbled input x garbled circuit C. ˜ the simulator simply 0 for each input wire w. Note that, when evaluating the gives out the keys kw simulated garbled circuit on the simulated garbled input, the adversary only 0 for every wire w. sees the keys kw Selective Security Hybrids. To prove indistinguishability between the real world and the simulation, there is a series of carefully defined hybrid games that switch the distribution of one garbled gate at a time. Unfortunately, we cannot directly switch a gate from the real distribution (1) to the simulated one (2) and therefore must introduce an intermediate distribution (3) as below: v(c)

c0,0 = Encka0 (Enckb0 (kc c0,1 =

v(c)

)) c1,0 = Encka1 (Enckb0 (kc

v(c) Encka0 (Enckb1 (kc ))

c1,1 =

)),

v(c) Encka1 (Enckb1 (kc ))

(3)

where v(c) is the correct value of the bit going over the wire c during the computation of C(x). Let us give names to the three modes for creating garbled gates that we defined above: (1) is called RealGate mode, (2) is called SimGate mode, and (3) is called InputDepSimGate mode, since the way that it is defined depends adaptively on the choice of the input x. We can switch a gate from RealGate to InputDepSimGate mode if we are in the input level or the predecessor gates are in InputDepSimGate mode. The latter follows by CPA security of encryption. In particular, we are not changing v(a) v(b) the value contained in ciphertext cv(a),v(b) encrypted under the keys ka , kb that the adversary obtains during evaluation, but we can change the values 1−v(a) 1−v(b) , kb do not contained in all of the other ciphertexts since the keys ka appear anywhere inside the predecessor garbled gates as long as they are already in InputDepSimGate mode. We can also switch a gate from InputDepSimGate to SimGate mode if we are at the output level or the successor gates are in InputDepSimGate or SimGate mode. This is actually an information theoretic step; since the keys kc0 , kc1 are used completely symmetrically in the successor gates there is no difference between always v(c) as in InputDepSimGate mode or encrypting kc0 as in SimGate. encrypting kc This allows us to first switch every gate from RealGate to InputDepSimGate mode and then from InputDepSimGate to SimGate, proving the selective security of Yao’s construction.

Adaptive Security of Practical Garbling Schemes

751

Challenges in Achieving Adaptive Security. There are two issues in using the above strategy in the adaptive setting: an immediate but easy to fix problem and a more subtle but difficult to overcome problem. The first immediate issue is that the selective simulator needs to know the  and in particular to program the output y = C(x) to create the garbled circuit C 0 1 → yw , kw → 1 − yw } for the output wires w. However, the output mapping {kw adaptive simulator does not get the output y until after it creates the garbled  Therefore, we cannot (even syntactically) use the selective security circuit C. simulator in the adaptive setting. This issue turns out to be easy to fix by modifying the construction to send the output mapping as part of the garbled  in the input x ˜ in the on-line phase1 , rather than as part of the garbled circuit C off-line phase. This modification raises on-line complexity to also being linear in the output size of the circuit, which we know to be necessary by the lower bound of [4]2 . We refer to this modification as YaoGC construction in the adaptive setting. With this modification, the adaptive simulator can program the output mapping after it learns the output y = C(x) in the on-line phase and therefore we get a syntactically meaningful simulation strategy in the adaptive setting. The second problem is where the true difficulty lies. Although we have a syntactically meaningful simulation strategy, the previous proof of indistinguishability of the real world and the simulation completely breaks down in the adaptive setting. In particular InputDepSimGate mode as specified in equation (3) is syntactically undefined in the adaptive setting. Recall that in this mode the garbled gate is created in a way that depends on the input x, but in the adaptive setting the input x is chosen adaptively after the garbled circuit is created! Therefore, although we have a syntactically meaningful simulation strategy for the adaptive setting, we do not have any syntactically meaningful sequence of intermediate hybrids to prove indistinguishability between the real and the simulated world. 3.2

A Tool and a Trick: Adaptive Security from the JW Technique

To understand how Jafargholi and Wichs overcome the challenges in proving adaptive security of YaoGC, we revisit their strategy here. The first part of their strategy is to introduce a tool: pebbling games. Think of the circuit as a graph where the gates are nodes and the input and output wires of each gate are (directed) ingoing and outgoing edges of that node. Then let predecessor and successors of a node be naturally nodes with edges outgoing to and ingoing from that node. Finally translate “gate in RealGate/InputDepSimGate/SimGate mode” to “node with no pebble/a black pebble/a gray pebble”. This way, we can describe the sequence of hybrids in the selective security proof as series of 1

2

In considering the adaptive security of any selectively secure garbling scheme, we in fact consider a slightly modified variation of that scheme, where the output map is part of the garbled input. Jafargholi et al. [15] circumvent this lower bound by considering indistinguishabilitybased instead of simulation-based security. Since the size of the garbled circuit increases by a factor of 2 (compared to YaoGC), it is out of scope of this work.

752

Z. Jafargholi and S. Oechsner

pebbling steps that start with a graph with no pebbles and end up with a graph with a gray pebble on each node, following the 2 rules below: 1. A black pebble can be added to or removed from a node if its predecessors already have a black pebble, or if it has no predecessor. 2. A black pebble on a node can replaced with gray pebble, if its successors already have a pebble, or it has no successors, and vice versa. Using pebbling games as a way to describe – and maybe more importantly, to think about the sequence of hybrids, simplifies matters greatly. However this may not be apparent looking at the selective security, since there, first every node gets a black pebble starting from the roots (nodes with no ingoing edges) and moving toward the leaves. And then every black pebble is replace with a gray pebble (say, in the reverse order). After all there was no restriction on the number of pebbles used and no incentive to minimize them. Now let us move to the adaptive security proof, here the objective is the same, except that the InputDepSimGate mode is not well-defined because the value on the output wire of the gate is not known when the garbled circuit is produced. That brings us to the trick: guess the unknown output wire value of the gates that are in InputDepSimGate mode. By adding this guessing step at the beginning of the hybrid games and aborting if any of the guesses are wrong (once the input is fixed) it is possible to once more define gates in InputDepSimGate mode. This almost solves our problem, except now we need to make sure the probability of guessing correctly is reasonably high, in other words the number of guessed values are as small as possible, and this in turn means the number of gates in InputDepSimGate mode should be as small as possible. [16] shows that if there is a pebbling strategy to pebble the graph of circuit C in γ steps and using t black pebbles then YaoGC is 2t γε adaptively secure if encryption used in the construction of the garbled circuit is ε IND-CPA secure. 3.3

Characteristics of Adaptively Secure Garbling Schemes

We are now ready to explain our observations about the adaptive security proof of YaoGC by Jafargholi and Wichs [16] and derive necessary characteristics of optimized garbling schemes with adaptive security. Jafargholi and Wichs manage to reduce the security loss by limiting the number of gates in InputDepSimGate mode and hence the guessing needed in each hybrid. To this extent, the proof needs to be able to change the gate mode of any gate g from InputDepSimGate back to RealGate i.e. from input-dependent to input-independent garbling, leading to the case of gate g  in InputDepSimGate mode with predecessor g in RealGate mode. (For ease of explanation, assume g is a gate at the input layer.) To argue indistinguishability of two garbled circuits that only differ in gate g, one now has to reduce to a computational assumption by embedding the challenger’s key as one of the input wire keys of g. Note that this case does not need to be considered in a proof of selective security, as limiting the number of gates in InputDepSimGate mode is not an

Adaptive Security of Practical Garbling Schemes

753

issue. Conveniently, YaoGC has the property that each input wire key is chosen uniformly at random which happens to be the challenger’s key distribution in the IND-CPA game. The key point here is that changes to the distribution of gate g do not automatically change the garbling distribution of its successor g  . More generally, if a selectively secure garbling scheme that is a variant of Yao’s construction has either of the following properties the JW technique cannot be used to prove adaptive security: Undesirable Property 1: The Selective Security Proof Is a Global Argument Reasoning About All Gates at Once. If the selective security proof is a global argument, (usually comprising of a constant number of hybrid arguments) it is not possible to gradually introduce and remove input dependencies during the security proof. Instead, the whole argument requires knowledge of the entire input. This might be rather counter-intuitive at first glance, since these constructions are often based on much stronger assumptions and might give one the impression that the stronger assumption might help with proof of adaptive security. However since these stronger assumptions remain selective in flavor, they do not help with proving adaptive security. This is typically the case when wire key pairs are correlated across all gates. Undesirable Property 2: The Input Wire Keys Uniquely Determine both Output Wire Keys. When both output wire keys are uniquely determined from the input wire keys, the pebbling game must be changed to reflect this additional dependency, because the pebbling rules are designed to make sure when a gate g is changed from one mode to another, the necessary underlying reduction (from a computational assumption) is possible. And this is possible if one wire key of each input to the gate g is completely independent and random, i.e. they do not appear inside any ciphertext in the garbled circuit. But now if we do not update the pebbling rules to reflect the additional dependency, the following situation can occur: Even though key k (an input wire to g  ) is not encrypted in any gate, the keys that compute k are encrypted in some other gate (say predecessor g which is now in RealGate mode). This makes it impossible to use k for the reduction (to replace a challenger’s key), since its distribution is no longer independent of the garbled circuit. However changing the pebbling rules to solve this problem will prove to be futile too. The new rule would require a black pebble to be removed as soon as one of its predecessors does not have a pebble. Therefore the savings gained by the JW technique are lost. 3.4

Characterising Existing Garbling Schemes

We will now examine existing selectively secure constructions and optimizations that are practically efficient with respect to the findings from Sect. 3.3. Row Reduction Techniques. The Three-Row Reduction technique (also referred to as 4-3 GRR) by Naor, Pinkas and Sumner [23] sets the first ciphertext

754

Z. Jafargholi and S. Oechsner

in a garbled gate to be the all-zero string (which in turn determines one of the output wire keys), and therefore it is not necessary to include that ciphertext in the garbled gate. This means that one of the output wire keys is determined by the input wire keys while the other output wire key is chosen uniformly at random. Indeed, our new construction presented in Sect. 4 uses this idea. Pinkas et al.’s Two-Row Reduction technique [24] (or 4-2 GRR) uses polynomial interpolation to further reduce the number of ciphertexts for a gate garbling to just two. In particular, both output wire keys are uniquely determined by the input wire keys. Therefore, a garbling scheme that uses the 4-2 GRR reduction cannot be proven adaptively secure using the JW technique. Gueron et al. [12] propose another method for garbling AND gate with two ciphertexts only (referred to as Fast 4-2 GRR). The idea is to employ simple XOR operations in a clever way to stretch two ciphertext masks to be used in three different ways, and to combine this with 4-3 GRR to get a new two-row reduction. Once more, the input wire keys determine both output wire keys uniquely and hence the JW adaptive security proof fails. FreeXOR, FleXor and Half Gates. The FreeXOR optimization by Kolesnikov and Schneider [18] is one of the most successful optimization techniques for garbling schemes. It allows to garble XOR gates “for free” (without sending any ciphertext), while AND gates require three ciphertexts using 4-3 GRR. The idea for garbling XOR gates is to correlate wire keys by a global shift or offset Δ that is only known to the circuit garbler. For each wire a, the two keys are a random ka0 and the derived ka1 = ka0 ⊕ Δ. When garbling an XOR gate, the garbler uses the input wire keys ka0 , ka1 , kb0 , kb1 to (implicitly) define output wire keys kc0 = ka0 ⊕ kb0 = ka1 ⊕ kb1 and kc1 = ka0 ⊕ kb0 ⊕ Δ = ka0 ⊕ kb1 = ka1 ⊕ kb0 . This way, the garbled XOR gate can be evaluated without any ciphertext by computing the output wire key as kcba ⊕bb = kaba ⊕ kbbb = kc0 ⊕ (ba ⊕ bb )Δ. In summary, all wire key pairs in the garbled circuit are correlated by the same offset. The selective security of FreeXOR is based on strong assumptions such as circular-correlation robust hash functions [8] or RK-KDM encryption scheme [3] and fall into the category of proofs that satisfy Undesirable Property 1. Moreover, in XOR gates the input wire keys uniquely determine both output wire keys (satisfying Undesirable Property 2). Thus the FreeXOR construction cannot be proven adaptively secure using the JW technique. Since the FreeXOR allows to garble XOR gate for free but is incompatible with 4-2 GRR, the FleXor technique by Kolesnikov et al. [17] gives a compromise between them, i.e. using FreeXOR for as many XOR gates as possible and likewise two-row reduction for AND. Assume for a start that each gate has its own gate offset. The challenge is then to minimize the garbled circuit size with respect to all gates and hence to find out which offset to use for which wire. This is important because two-row reduction requires that two of the ciphertexts can be chosen freely. To this extent, Kolesnikov et al. group wires according to equivalence classes, i.e. wires that can use the same offset without violating circularity restrictions.

Adaptive Security of Practical Garbling Schemes

755

The number of ciphertexts per AND gate was further reduced to two in the Half Gates scheme by Zahur et al. [27]. The scheme retains the FreeXOR procedure for XOR gate garbling and in fact crucially relies on it for garbling AND gates with two ciphertexts. The half gates construction observes that each AND gate can be split into two “half” AND gates where in each half gate, one of the parties knows one of the inputs in the clear. Moreover, each half gate can be garbled with one ciphertext, and the two half gates are combined using a (free) XOR operation. As both FleXor and half gates rely on the FreeXOR approach, they cannot be proven to be adaptively secure using the JW technique. Fast Garbling. Gueron et al. [12] propose another approach to reducing garbled circuit size using shared wire offsets. The work is motivated by the question of reducing the assumptions required to prove security (and by the wish to leverage special-purpose hardware for AES). Instead of ensuring that subsequent gates share common offsets, their work shows a garbling method that correlates the keys of all wires within an XOR gate by the same offset, but in a way that makes this offset independent of the offsets in the surrounding gates. This way they circumvent both the “circularity” difficulties present in FreeXOR and the “correlation-robustness” requirement of FleXor. For simplicity, consider the case where the permutation bits of both input wires are 0. AND gates are garbled with three ciphertexts using 4-3 GRR, or with two ciphertexts following Fast 4-2 GRR. To garble an XOR gate g with input wires a and b and output wire c, the garbler computes the keys to be used in the gate as follows: 1. Randomize (“translate”) wire keys ka0 , ka1 to k˜a0 , k˜a1 using the PRF to ensure that keys are independent from those of other gates. 2. Compute the gate offset Δ = k˜a0 ⊕ k˜a1 . 3. Translate kb0 to k˜b0 using the PRF and set the corresponding translated input wire key k˜b1 = k˜b0 ⊕ Δ. 4. Compute output wire keys as kc0 = k˜a0 ⊕ k˜b0 and kc1 = kc0 ⊕ Δ. Finally, the only ciphertext of the XOR gate contains k˜b1 . However, the offset of a gate and therefore also the two output wire keys are still computed from the input wire keys (Undesirable Property 2) and so again, we cannot use the JW technique to prove adaptive security.

4

Construction

In this section, we are going to present our construction of a garbling scheme with adaptive security based on the existence of pseudorandom functions. It allows to garble XOR gates with 2 ciphertexts and AND gates with 3. The garbling scheme is similar in spirit to [12] for XOR gates. The main difference is that in XOR gates, a fresh gate offset is chosen at random instead of being derived deterministically from the input wire keys. As a consequence, XOR gates are

756

Z. Jafargholi and S. Oechsner

PAGXor g, {kaσ , kbσ }σ∈{0,1} , πa , πb



//HybXor0

1. Set πc := πa ⊕ πb . 2. Δ ← {0, 1}λ . 3. Compute the translated wire keys: ˜aπa := kπa (g0) , ˜aπ¯a := k ˜aπa ⊕ Δ k k a abl π π ¯ b b ˜ := k ˜πb ⊕ Δ ˜ := πb (g0) , k k b b b kb abl ˜a0 ⊕ k ˜b0 , kc1 := kc0 ⊕ Δ. 4. Set output wire keys: kc0 := k 5. Compute the ciphertexts: ˜aπ¯a , ˜π¯b . Tb := kπ¯ b (g1) ⊕ k Ta := kaπ¯ a (g1) ⊕ k b abl b abl  6. Output kc0 , kc1 , πc , g = (Ta , Tb ) .  PAGAnd g, {kaσ , kbσ }σ∈{0,1} , πa , πb //HybAnd0 1. Set K0 :=

ka a

K2 :=

π ¯ ka a

π

(g00) ⊕ (g10) ⊕

π

(g00), K1 :=

ka a

π kb b

(g10), K3 :=

π ¯ ka a

kb b

π

(g01) ⊕ (g11) ⊕

π ¯

(g01)

π ¯ kb b

(g11)

kb b

2. Set output wire keys: If πa = πb = 1 then kc1 := K0abl , kc0 ← {0, 1}λ , πc := K0lsb . else kc1 ← {0, 1}λ , kc0 := K0abl , πc := K0lsb . 3. let t0 := kc0 πc and t1 := kc1 ¯ πc . //auxiliary variables 4. Compute the ciphertexts: T2 := K2 ⊕ tπ¯a ∧πb , T3 := K3 ⊕ tπ¯a ∧¯πb . T1 := K1 ⊕ tπa ∧¯πb ,  0 1 5. Output kc , kc , πc , g = (T1 , T2 , T3 ) .

Fig. 2. Garbling procedure PAGXor and PAGAnd for XOR and AND gates.

garbled using 2 ciphertexts (instead of one). While this seems like a step back at first, we will demonstrate in the Sect. 5 how this modification facilitates the proof of adaptive security. AND gates are garbled following the three-row reduction technique by Naor, Pinkas and Sumner [23], demonstrating for the first time that three-row reduction is compatible with adaptive security. We start by giving some prerequisites, followed by a description of how to garble an XOR gate before providing a full specification of our garbling scheme. We assume that the circuit to be garbled consists solely of AND and XOR gates. Point-and-Permute. While not resulting in a reduction of garbled circuit size, this optimization is crucial for the following constructions. In the original construction of Yao’s garbled circuits, each garbled gate consists of four ciphertexts. In order to hide to which input wire bit each ciphertext corresponds, the ciphertexts are randomly permuted. Evaluating the gate requires now attempting to decrypt all four, while only one of them can be successfully decrypted. To reduce the evaluation time, Naor et al. [23] proposed the point-and-permute technique. It assigns a random permutation bit to each wire. The permutation bits on the two input wires of a gate allow the evaluator to determine which ciphertext to

Adaptive Security of Practical Garbling Schemes

757

decrypt, thus reducing the number of ciphertexts to be decrypted per gate to 1. We will follow the convention of [12] and refer to this bit as permutation bit during the garbling and as signal bit when evaluating. Primitives. Our garbling scheme uses a PRF F as defined in Definition 3 to compute and evaluate garbled gates. More specifically, the scheme uses the method of [20] as a form of double encryption: For message m and two keys k1 , k2 , the ciphertext is computed as Fk1 (r1 ) ⊕ Fk2 (r2 ) ⊕ m for fresh nonces r1 , r2 . 4.1

Garbling XOR Gates

We now describe how to garble an XOR gate. The full description is shown in Fig. 2. To garble an XOR gate g with input wires a, b and output wire c given four input wire keys {kaσ , kbσ }σ∈{0,1} and permutation bits πa , πb , do the following: 1. Compute the permutation bit πc of the output wire as πa ⊕ πb . 2. Sample a uniformly random gate offset Δ. 3. Rerandomize each input wire key by computing a translated input wire key. Denote by k˜ the translated key of k. For each input wire, one of the translated keys is derived from F using the input wire key as PRF key. The other translated input wire key is set to be correlated by the gate offset Δ: k˜aπa := Fkaπa (g0)abl ,

k˜aπ¯a := k˜aπa ⊕ Δ

k˜bπb := Fkπb (g0) ,

k˜bπ¯b := k˜bπb ⊕ Δ

b

abl

Observe that since F is a pseudorandom function, the translated input wire keys are independent of the original ones. 4. Compute the output wire keys as kc0 := k˜a0 ⊕ k˜b0 and kc1 := kc0 ⊕ Δ, i.e. the output wire keys are correlated by the same offset as the translated input wire keys. Now the evaluator can XOR two translated input wire keys to compute the corresponding output wire key. 5. For each input wire i ∈ {a, b}, the evaluator can only derive at most one translated input wire key k˜iπi since they do not know the offset Δ. For the case that the evaluator needs the other translated input wire key k˜iπ¯i , we are going to provide an encryption Ti := Fkπ¯i (g1) ⊕ k˜iπ¯i of it, using the input i abl wire key as encryption key. To evaluate an XOR gate, an evaluator computes the translated input wire keys where possible and decrypt the ciphertexts corresponding to the remaining ones. XORing the translated input wire keys yields the output wire key. 4.2

Description of Our Garbling Scheme

Garbling Single Gates. Full descriptions of garbling AND and XOR gates can be found in Fig. 2. The garbling of AND gates follows the three-row reduction

758

Z. Jafargholi and S. Oechsner

PAGGCircuit(λ, C) 1. Garble Circuit: ◦ (Input wires) For i ∈ [n], σ ∈ {0, 1}, σ ← {0, 1}λ , πini ← {0, 1} kin i 0 1 , kin , πini )i∈[n] . K := (kin i i ◦ (Gates) For gi = (Gate, a, b, c) , Gate ∈ {AND, XOR}:  (kc0 , kc1 , πc , gi ) ← PAGGate i, {kaσ , kbσ }σ∈{0,1} , πa , πb .   = ( 2. Output C gi )i∈[p] , k = K, (πj )j∈[m] . GInput(x, k) 0 1 1. Parse k into (kin , kin , πini )i∈[n] and (πj )j∈[m] i i  x1 xn 2. Select input keys K x = kin (πin1 ⊕ x1 ), . . . , kin (πinn ⊕ xn ) . n 1 3. Output x ˜ = K x , (πj )j∈[m] .

 x PAGEval(C, ˜) 1. Parse x ˜ = (K, (πj )j∈[m] ). 2. Evaluate Circuit: – Parse K = (kin1 φin1 , . . . , kinn φinn ). – For each level j = 1, . . . , d, and each gi = (Gate, a, b, c) at level j: • if Gate = AND: Let gi = (T1 , T2 , T3 ), α := 2φa + φb , and T0 := 0. Set kc φc := Tα ⊕ Fka (gφa φb ) ⊕ Fkb (gφa φb ). • if g = XOR Let gi = [Ta,1 , Tb,1 ], and Ta,0 =Tb,0 = 0.  Set kc := Ta,φa ⊕ Fka (gφa )abl ⊕ Tb,φb ⊕ Fkb (gφb )abl . φc := φa ⊕ φb . 3. Unmask output: For j ∈ [m], – Set yj := πj ⊕ φj . 4. Output y1 , . . . , ym .

Fig. 3. PAG garbling scheme: GCircuit, GInput and Eval.

technique from [12] based on [23]. XOR gates are garbled as in the modification described above. Each gate garbling procedure takes as input a gate index g, two input wire keys {k σ }σ∈{0,1} per input wire, and a permutation bit π per input wire. The output consists of two output wire keys {kcσ }σ∈{0,1} , a permutation bit π for the output wire, and the actual garbled gate g. Garbling Circuit and Input. Figure 3 presents the procedures for circuit and input garbling. PAGGCircuit takes the security parameter λ and a circuit C to  as well as some state k. be garbled as input, and outputs a garbled circuit C To garble the circuit, PAGGCircuit first chooses two uniformly random input wire keys and a permutation bit for each input wire, and then traverses C and garbles each gate according to PAGGate for gate type Gate ∈ {AND, XOR}.  then consists of garblings gi of all gates gi in the circuit. The garbled circuit C

Adaptive Security of Practical Garbling Schemes

759

The procedure also outputs the keys assigned to the input wires of the circuits as well as their permutation bits, for later use when garbling the input. GInput takes input x and the state from PAGGCircuit and outputs the input garbling x ˜. Note that x ˜ contains the output map which is known to be necessary in the adaptive setting by the lower bound of Applebaum et al. [4].  Evaluation. Figure 3 shows the evaluation procedure given a garbled circuit C and a garbled input x ˜. PAGEval parses the garbled input x ˜ into K containing input wire keys as well as permutation bits for the input wires, and the output map consisting of signal bits φj for each output wire j. The procedure then traverses the circuit and evaluates each gate. Finally, the output map is applied to learn the output of the circuit evaluation. Correctness and Security. Correctness and selective security of the scheme can be shown similarly to the fast garbling technique. Security holds under the assumption that F is a PRF. In the next section, we are going to show that unlike fast garbling, our new garbling scheme additionally provides adaptive security under the same assumption.

5

Adaptive Security of Our Construction

Our goal is to show indistinguishability of real and simulated garbling towards an adaptive adversary. The proof follows [16]. Due to space constraints, we give a brief overview and refer to the full version [14] for the complete proof. Setting up hybrid games. Each gate will be assigned a mode from {RealGate, InputDepSimGate, SimGate} which indicates the way it is garbled. A circuit configuration consists of two sets (modei )i∈[q] and I, specifying the gate mode modei of each gate gi and the set of guessed wires. If every gate is in RealGate mode, the hybrid corresponds to the real security game. The hybrid with every gate in SimGate mode corresponds to simulator SimPAGGCircuit described in Fig. 4. Indistinguishability of hybrid games. Next, provide rules for moving between circuit configurations and prove that the corresponding hybrid games are indistinguishable. Rule 1 allows changing a gate’s mode from RealGate to InputDepSimGate if all of its predecessors are in InputDepSimGate mode. Indistinguishability of the resulting circuit configurations can be reduced to the 2PRF assumption. Rule 2 allows changing a gate mode from InputDepSimGate to SimGate if all of its successors are in InputDepSimGate or SimGate mode, and is a statistical argument. Sequences of hybrid games. To find a sequence of hybrid games from real game to simulation, define a pebbling game where each pebble configuration specifies a circuit configuration. Then show that the hybrids in the sequence of circuit configurations are indeed indistinguishable using the results above.

760

Z. Jafargholi and S. Oechsner

SimPAGGCircuit(λ, C) 1. Garble Circuit: – (Input wires) For i ∈ [n], σ ∈ {0, 1}, σ ← {0, 1}λ , πini ← {0, 1} kin i 0 1 , kin , πini )i∈[n] . K = (kin i i – (Gates) For gi = (Gate, a, b, c) , Gate ∈ {AND, XOR} in C:  (kc0 , kc1 , πc , gi ) ← SimPAGGate i, {kaσ , kbσ }σ∈{0,1} , πa , πb , 0 .  j = πj . – (Decoding info) For j ∈[m]: Set sd    2. Output C = ( gi ) , k = K, (sdj )j∈[m] . i∈[p]

   j )j∈[m] ) SimGInput(y, K, (sd  j ⊕ yj . 1. Set the output permutation bits πj := sd  x0 x 0 πini . 2. Select output keys, K = kin1 πini , . . . , kin n  3. Output x ˜ = K x , (πj )j∈[m] .

Fig. 4. Simulation for PAG garbling scheme.

As a result, we can established the following theorem: Theorem 1. Assume that F is a (T +TimeGC(|C|), ε(λ))-secure 2PRF. If there is a pebbling of circuit C in γ moves, using t pebbles, then Expadaptive A,GC,Sim (λ, 0) and   Expadaptive A,GC,Sim (λ, 1) are (T (λ), ε (λ))-indistinguishable with γ – ε (λ) ≤ i=1 2ri +1 · ε(λ) ≤ γ · 2t+1 · ε(λ) and – T  (λ) = T (λ) − TimeGC(|C|),

where ri = max (si−1 , si ) and si is the number of black pebbles used in the ith pebbling step. Finally, instantiate Theorem 1 with a result of Hemenway et al. [13] stating that for any circuit with q gates and depth d, there exists a pebbling in at most γ = q · 22d moves using t = 2d black pebbles. Corollary 1. The PAG garbling scheme is adaptively secure for all circuits of depth d = O(log λ) assuming that pseudorandom functions exist. Acknowledgments. The authors would like to thank Koutarou Suzuki and Ryo Kikuchi for helpful discussions.

References 1. Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7 32

Adaptive Security of Practical Garbling Schemes

761

2. Ananth, P., Sahai, A.: Functional encryption for turing machines. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part I. LNCS, vol. 9562, pp. 125–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9 6 3. Applebaum, B.: Garbling XOR gates “for free” in the standard model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 162–181. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2 10 4. Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1 10 5. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-400841 23 6. Bellare, M., Hoang, V.T., Rogaway, P.: Adaptively secure garbling with applications to one-time programs and secure outsourcing. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 134–153. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4 10 7. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012, pp. 784–796. ACM Press, October 2012 8. Choi, S.G., Katz, J., Kumaresan, R., Zhou, H.-S.: On the security of the “FreeXOR” technique. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 39–53. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9 3 9. Garg, S., Srinivasan, A.: Adaptively secure garbling with near optimal online complexity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 535–565. Springer, Cham (2018). https://doi.org/10.1007/978-3319-78375-8 18 10. Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). https://doi.org/10.1007/9783-642-14623-7 25 11. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5 3 12. Gueron, S., Lindell, Y., Nof, A., Pinkas, B.: Fast garbling of circuits under standard assumptions. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 567–578. ACM Press, October 2015 13. Hemenway, B., Jafargholi, Z., Ostrovsky, R., Scafuro, A., Wichs, D.: Adaptively secure garbled circuits from one-way functions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 149–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3 6 14. Jafargholi, Z., Oechsner, S.: Adaptive security of practical garbling schemes. Cryptology ePrint Archive, Report 2019/1210 (2019). https://eprint.iacr.org/2019/1210 15. Jafargholi, Z., Scafuro, A., Wichs, D.: Adaptively indistinguishable garbled circuits. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 40–71. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3 2 16. Jafargholi, Z., Wichs, D.: Adaptive security of Yao’s garbled circuits. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part I. LNCS, vol. 9985, pp. 433–458. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4 17

762

Z. Jafargholi and S. Oechsner

17. Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats free-XOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014). https://doi. org/10.1007/978-3-662-44381-1 25 18. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damg˚ ard, I., Goldberg, L.A., Halld´ orsson, M.M., Ing´ olfsd´ ottir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-705833 40 19. Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptol. 22(2), 161–188 (2009) 20. Lindell, Y., Pinkas, B., Smart, N.P.: Implementing two-party computation efficiently with security against malicious adversaries. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 2–20. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85855-3 2 21. Lindell, Y., Riva, B.: Cut-and-choose Yao-based secure computation in the online/offline and batch settings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 476–494. Springer, Heidelberg (2014). https:// doi.org/10.1007/978-3-662-44381-1 27 22. Lindell, Y., Riva, B.: Blazing fast 2PC in the offline/online setting with security for malicious adversaries. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 579–590. ACM Press, October 2015 23. Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: EC, pp. 129–139 (1999) 24. Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-103667 15 25. Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982 26. Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986 27. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6 8

Constructive t-secure Homomorphic Secret Sharing for Low Degree Polynomials Kittiphop Phalakarn1(B) , Vorapong Suppakitpaisarn1 , Nuttapong Attrapadung2 , and Kanta Matsuura1

2

1 The University of Tokyo, Tokyo, Japan {kittipop,kanta}@iis.u-tokyo.ac.jp, [email protected] National Institute of Advanced Industrial Science and Technology, Tokyo, Japan [email protected]

Abstract. This paper proposes t-secure homomorphic secret sharing schemes for low degree polynomials. Homomorphic secret sharing is a cryptographic technique to outsource the computation to a set of servers while restricting some subsets of servers from learning the secret inputs. Prior to our work, at Asiacrypt 2018, Lai, Malavolta, and Schr¨ oder proposed a 1-secure scheme for computing polynomial functions. They also alluded to t-secure schemes without giving explicit constructions; constructing such schemes would require solving set cover problems, which are generally NP-hard. Moreover, the resulting implicit schemes would require a large number of servers. In this paper, we provide a constructive solution for threshold-t structures by combining homomorphic encryption with the classic secret sharing scheme for general access structure by Ito, Saito, and Nishizeki. Our scheme also quantitatively improves the number of required servers from O(t2 ) to O(t), compared to the implicit scheme of Lai et al. We also suggest several ideas for future research directions.

Keywords: Homomorphic secret sharing Threshold non-access structure

1

· Homomorphic encryption ·

Introduction

Homomorphic secret sharing is one of the interesting techniques in cryptography which introduces a way to outsource the computation to a set of servers while restricting some subsets of servers from learning about the secret inputs. There are several homomorphic secret sharing schemes that support polynomial computation, including the scheme of Shamir [36], Catalano and Fiore [15], and Lai, Malavolta, and Schr¨ oder [31]. The schemes of Catalano and Fiore [15], and Lai et al. [31] both used degreek homomorphic encryption, which supports computation of degree-k polynomial c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 763–785, 2020. https://doi.org/10.1007/978-3-030-65277-7_34

764

K. Phalakarn et al.

of ciphertexts, as a building block. The scheme of Catalano and Fiore [15] outsources the secret inputs to two servers, and the maximum computable degree of the scheme is 2k. Obviously, the security of the scheme is 1-secure, meaning that the two servers cannot collude. The work of Lai et al. [31] improved the results of Catalano and Fiore. The secret inputs are outsourced to m servers, and the maximum computable degree of the scheme is (k + 1)m − 1. The scheme of Lai et al. [31] has many applications. It can support outsourced computation of low-degree polynomials on private data, which appears in private information retrieval system, non-linear function approximation in neural networks [16,24], and many other applications. It is also shown in [1] that any P/poly functions can be evaluated using polynomials of degree 3 with the assumption that there exists a pseudo-random generator in NC1. However, the main scheme of Lai et al. [31] is still 1-secure. Any subsets of m servers, including any pairs of servers, cannot collude, which is not a realistic situation. The authors also discussed in the paper that the scheme can be extended to t-secure, where a collusion of t servers does not violate the security of the scheme. Their proposed construction requires solving set cover problems, which are NP-complete. Since there is no efficient and accurate algorithms for set cover problems, their scheme gives an implicit construction which requires a large number of servers. If we consider the secret sharing scheme of Shamir [36] instead, which is information theoretic, the maximum computable degree of the scheme is equal to the upper bound proved in [4]. Trying to further increase the maximum computable degree of the scheme by using computational setting is not straightforward, since the threshold of the scheme changes after performing computations. All in all, finding a constructive t-secure homomorphic secret sharing that can compute polynomials of degree higher than the limit set by [4] can be considered as an open problem. 1.1

Our Contributions

In this paper, we propose t-secure homomorphic secret sharing scheme for low degree polynomials. Our scheme improves the scheme of Lai et al. [31] so that it can constructively support threshold security. The proposed scheme also inherits the applications of [31], but with t-security for all possible t ≥ 1. Here, we claim four contributions: (1) increasing the maximum degree of homomorphic secret sharing from Shamir [36], (2) adding threshold structures to Lai et al., (3) decreasing the number of required servers in t-secure scheme of Lai et al., and (4) extending the capability of homomorphic encryption. Before going into details, we briefly explain the overview of the proposed scheme as shown in Fig. 1. There are three roles, namely n input clients (each has secret input xi ), m servers, and an output client. The goal is to let the output client learn the value f (x1 , . . . , xn ) for some function f , while the unauthorized sets of servers are restricted from knowing this value. In addition, both output client and servers should not know the secret inputs. We scope the function f in this paper to be a polynomial of the secret inputs.

Constructive t-secure Homomorphic Secret Sharing

765

Fig. 1. The overview of our homomorphic secret sharing scheme.

In our proposed scheme, any homomorphic encryption scheme can be used as the underlying scheme. Each input client divides its secret input into b shares, xi = xi,1 + . . . + xi,b . These b shares are given to each computing server with p shares as plaintexts (represented as yellow circles without border) and b − p shares as ciphertexts of the homomorphic encryption scheme (represented as yellow circles with border). Each server then locally performs some computations on the given shares, and send the result to the output client. The output client combines all the shares into the final result. We consider these parameters in this paper, including – λ: The security parameter of the underlying homomorphic encryption scheme – k: The maximum computable degree of the underlying homomorphic encryption scheme – m: Number of servers – t: The maximum number of colluding servers allowed – b: Number of shares per input for each server – p: Number of plaintext shares per input for each server – d: The maximum computable degree of the homomorphic secret sharing scheme The results of previous works and our work are shown in Table 1. Note that for t-secure scheme of Lai et al. [31], the values of k, t, p, and d are given as a scheme specification, while in the other schemes, the values of k, m, and t are given. Next, we claim four contributions of our work. Increase the Maximum Degree of Homomorphic Secret Sharing from Shamir [36]. It is well known that Shamir’s secret sharing scheme supports threshold security. However, the threshold of the scheme changes after local multiplication. If we consider Shamir’s secret sharing as a homomorphic secret sharing scheme, the maximum polynomial degree of the homomorphic secret sharing is d =  m−1 t , which is equal to the upper bound proved in [4] for information theoretic setting. When a polynomial of degree higher than d is computed, the computation result will not be able to be reconstructed. In our proposed scheme, combining secret sharing of general access structure from Ito,

766

K. Phalakarn et al.

Saito, and Nishizeki [27] and homomorphic encryption allows us to construct t-secure homomorphic secret sharing scheme, and increase the maximum degree  which is approximately k + 1 times increasing comparing to [36] d to  (k+1)m−1 t with the same values of m and t. Add Threshold Structures to Lai et al. [31]. The main scheme proposed in [31] is 1-secure, which is secure only if no servers are colluding. This security model may not suffice for real-life applications. The authors of [31] also proposed a t-secure scheme, but it is not so constructive: one needs to solve the set cover problem in order to know which plaintext shares are distributed to which server. In our work, we use the idea of secret sharing from Ito et al. [27] to realize threshold non-access structures. Our scheme is constructive, and allows us to use any values of threshold t. Although our scheme has more number of shares, possible improvements are also mentioned in this paper. Table 1. Comparing homomorphic secret sharing schemes for polynomials. Scheme

k m t b

p

d

Shamir [36]

- m t 1

1

 m−1  t

Catalano et al. [15]

k 2

1

2k

1-secure Lai et al. [31]

k m 1 m

1 1, 2

m − 1 (k + 1)m − 1

t-secure Lai et al. [31]a 1 t2 t 2t + 1 2 3 m m−1 (k+1)m−1 This work k m t   t t t a The construction is not explicitly provided.

Decrease the Number of Required Servers in t-secure Scheme of Lai et al. [31]. For t-secure scheme of [31], they set the parameters as k = 1, d = 3, p = 2, and b = 2t + 1 as shown in Table 1, and they claimed that the number of required servers is m = t2 , which is not efficient. With the same setting, our scheme requires  3t+1 2  servers, which is linear in threshold t. Our scheme also requires O(t) servers for any values of k, d, and t. Extend the Capability of Homomorphic Encryption. The purpose of this work is not to outperform homomorphic encryption, but to combine it with secret sharing. It is known that computing complex polynomials using homomorphic encryption is quite inefficient. Our proposed combination enables higher . Moreover, it can be seen that our computable degrees, from k to  (k+1)m−1 t setting adds the capability in mitigating a single point of failure to the homomorphic encryption scheme. Although we are not aiming to improve homomorphic encryption, our scheme could be better than them for higher degree computation. 1.2

Overview of Our Techniques

We use the idea of secret sharing from Ito, Saito, and Nishizeki [27] to add threshold structures to the work of Lai et al. [31]. Here, we explain the concept of our scheme by using a simple example.

Constructive t-secure Homomorphic Secret Sharing

767

Example 1. Suppose we have two input clients. The first input client has a secret input x1 , and the second input client has a secret input x2 . The goal of the scheme is to let the output client learn the multiplication of the secret inputs x1 x2 , but not the secret inputs x1 or x2 . The input clients decide to outsource the computation to three servers, and any collusion of two servers are not allowed to learn the secret inputs. Suppose that the ID of the servers are 1, 2, and 3, we can write all the largest forbidden subsets of servers or “the maximum non-access structure” as Γ ∗ = {{1, 2}, {1, 3}, {2, 3}}. To secretly share the secret input x1 to the three servers, we randomly generate a share for each member of Γ ∗ according to Ito et al. [27] with the condition that x1,{1,2} + x1,{1,3} + x1,{2,3} = x1 . Suppose further that we use degree-1 homomorphic encryption scheme, which supports additions between ciphertexts, additions between ciphertexts and plaintexts, and multiplications between a ciphertext and plaintexts. For each share x1,γ , the j-th server will get the share as a ciphertext if j ∈ γ, and as a plaintext otherwise. This process is also applied to the secret input x2 . Packages of shares S1 , S2 and S3 of the secret inputs x1 and x2 for the three servers are     x1,{1,2} x1,{1,3} x1,{2,3} x1,{1,2} x1,{1,3} x1,{2,3} S1 = S2 = x2,{1,2} x2,{1,3} x2,{2,3} x2,{1,2} x2,{1,3} x2,{2,3}

S3 =

 x1,{1,2} x1,{1,3}

x1,{2,3}

x2,{1,2} x2,{1,3}

x2,{2,3}



where xi,γ denotes the ciphertext of xi,γ . Note that the plaintexts from any pairs of servers are not enough to reconstruct the secret inputs. In contrast, in the 1-secure scheme of Lai et al. [31], the number of shares per input is equal to the number of servers. The j-th server will get only one share as a ciphertext, the j-th share, and get the other shares as plaintexts. This makes the scheme of Lai et al. only 1-secure.  To compute the multiplication x1 x2 , we have x1 x2 = γ1 ,γ2 ∈Γ ∗ x1,γ1 x2,γ2 . Using the properties of homomorphic encryption scheme, servers 1, 2, and 3 can locally compute the ciphertexts y1 = x1,{2,3} x2,{1,2} + x1,{2,3} x2,{1,3} + x1,{2,3} x2,{2,3} y2 = x1,{1,3} x2,{1,2} + x1,{1,3} x2,{1,3} + x1,{1,3} x2,{2,3} y3 = x1,{1,2} x2,{1,2} + x1,{1,2} x2,{1,3} + x1,{1,2} x2,{2,3} respectively. Note that for each term, there is at most one ciphertext, so computing with degree-1 homomorphic encryption is possible. Each server then forwards the result ciphertext yj to the output client who sums all the ciphertexts and then decrypts to see the final result x1 x2 . From the formula in Table 1 which we will prove in this paper, the maximum polynomial degree that our homomorphic secret sharing scheme can compute is

768

K. Phalakarn et al.

 (1+1)3−1  = 2. Other degree-2 polynomials can be computed in the same way. 2 This concept can also be generalized to any numbers of servers and any values of threshold. 1.3

Related Works

One of the first secret sharing techniques is additive secret sharing [25], where the j-th server gets a share  si,j with the condition that the sum of all shares is equal to the secret input j∈[m] si,j = xi . To perform the multiplication on this scheme, a lot of communication between the servers are required. Optimization techniques such as Beaver’s multiplication triple [5] are proposed in order to reduce the communication costs. Homomorphic secret sharing was first defined by Boyle, Gilboa, and Ishai [11]. The scheme is designed in the way that the communication between the servers are not required. Homomorphic secret sharing is shown in [12] to imply a useful related primitive called server-aided secure multi-party computation [29,30]. In the scheme of Boyle et al. [11], a branching program is evaluated on secret inputs using two computing servers, based on the decisional Diffie-Hellman (DDH) assumption. However, the result from the scheme will be correct only with 1 where λ is the security parameter. probability poly(λ) Homomorphic encryption can also be used as a private outsourced computation scheme. Secret inputs are encrypted and are sent to only one server to perform the computations, so the communication is minimized. The spooky encryption of [17] is similar to multi-key homomorphic encryption and can also be used for secure computation. However, using homomorphic encryption to compute a polynomial with degree greater than 1 is not so efficient. Catalano and Fiore [19] proposed a generic method to increase the degree of the homomorphic encryption from k to 2k. They also proposed two-server homomorphic secret sharing scheme from homomorphic encryption. The work of Lai et al. [31] further generalized this by sending plaintexts and ciphertexts to m servers. As mentioned in [31], this classic technique to split the evaluation of polynomials came from [3] and [7]. There are also other kinds of private outsourced computation. Function secret sharing [10] and non-interactive secure multiparty computation [6] are different from our scheme. The function secret sharing focused on the sharing of secret functions which will be computed on public inputs, while our work focuses on the sharing of secret inputs which will be computed on public functions. For non-interactive secure multiparty computation, the work focused on the secret sharing of public functions which will be computed on secret inputs. Note that the secret inputs of this scheme are not shared.

2

Preliminaries

In this section, we first review the definition of non-access structure. Since our homomorphic secret sharing scheme is based on homomorphic encryption, we

Constructive t-secure Homomorphic Secret Sharing

769

then introduce the definitions of homomorphic secret sharing together with homomorphic encryption. We refer to some notations in [31]. Notations. We denote a set of positive integers {1, . . . , n} as [n]. We denote the uniform sampling of an element x from a set S as x ← S. We denote any function that is a polynomial in λ as poly(λ), and denote any function that is negligible in λ as negl(λ). 2.1

Non-access Structure

Suppose there is a set of m servers defined as [m]. We define a non-access (adversarial) set, a non-access (adversarial) structure, and the maximum non-access (adversarial) structure according to [27] as follows. Definition 1. A non-access set γ ⊂ [m] is a subset of servers that is restricted from obtaining the secret. A non-access structure Γ ⊂ 2[m] is a set that contains all selected non-access sets. The non-access structure should follow the monotone property that if γ ∈ Γ and γ  ⊂ γ, then γ  ∈ Γ . The maximum non-access structure Γ ∗ of Γ is defined as Γ ∗ = {γ ∈ Γ : γ  ∈ Γ, γ ⊂ γ  }. In the case that Γ = {γ ⊂ [m] : |γ| ≤ t}, the non-access structure Γ is called as (m, t)-threshold non-access structure. The (maximum) non-access structure can be represented as a hyper-graph H = (V, E) where the set of vertices is V = [m] and the set of hyper-edges is E = Γ (or E = Γ ∗ ). Each vertex in V represents a server in [m], and each hyper-edge in E represents a non-access set γ in Γ (or Γ ∗ ). 2.2

Homomorphic Secret Sharing (HSS)

Our setting is already described in Fig. 1. The scheme starts when the output client generates a pair of a public key and a secret key, and distributes the public key to all parties. Each input client then generates shares from its secret input using the public key, and forwards the shares to each corresponding server. Each server gathers the shares from input clients, and performs the computation on the shares using the public key. The result from each server is then forwarded to the output client. Finally, the output client combines all the results using the secret key. We refer to the definitions in [31] as follows. More details can be found in [9,12]. Definition 2. Suppose there are n inputs and m servers, a homomorphic secret sharing scheme consists of four algorithms HSS = (KGen, Share, Eval, Dec). Key Generation. (pk, sk) ← HSS.KGen(1λ ) : The algorithm receives the security parameter λ as an input, and then generates a pair of a public key and a secret key (pk, sk).

770

K. Phalakarn et al.

Secret Sharing. (si,1 , . . . , si,m ) ← HSS.Share(pk, i, xi ) : The algorithm receives the public key pk, the index i of the input, and a secret input xi in a specified input space, and then generates shares si,j for the j-th server. Evaluation. yj ← HSS.Eval(pk, j, f, (s1,j , . . . , sn,j )) : The algorithm receives the public key pk, the index j of the server, a function f , and the shares of the j-th server s1,j , . . . , sn,j as inputs, and then returns the output of the evaluation yj . Decoding. y ← HSS.Dec(sk, (y1 , . . . , ym )) : The algorithm receives the secret key sk, and the evaluation results from all servers (y1 , . . . , ym ) as inputs, and then combines the results into y. Correctness. The homomorphic secret sharing for degree-d polynomials with n inputs and m servers is correct if, for any λ ∈ N, any n, m ∈ poly(λ), any key pair (pk, sk) ← HSS.KGen(1λ ), any degree-d polynomial f , any secret inputs (x1 , . . . , xn ), any shares (si,1 , . . . , si,m ) ← HSS.Share(pk, i, xi ) for all i ∈ [n], and any yj ← HSS.Eval(pk, j, f, (s1,j , . . . , sn,j )) for all j ∈ [m], it holds that Pr[HSS.Dec(sk, (y1 , . . . , ym )) = f (x1 , . . . , xn )] ≥ 1 − negl(λ). Security. The homomorphic secret sharing for degree-d polynomials with n inputs and m servers is Γ -secure if, for any λ ∈ N, any n, m ∈ poly(λ), there exists a negligible function negl(λ) such that for any probabilistic polynomial time adversary A = (A0 , A1 ), |Pr[Security0A,HSS = 1] − Pr[Security1A,HSS = 1]| < negl(λ) where SecuritybA,HSS is defined in Fig. 2 (left) for b ∈ {0, 1}. If Γ is (m, t)-threshold non-access structure, we call Γ -security as t-security. To explain in more details, adversaries A0 together with A1 are trying to guess the bit b. After receiving the public key pk, adversary A0 generates two secret inputs x0 and x1 , chooses a non-access set γ from the non-access structure Γ , and creates state to pass some messages to A1 . Adversary A1 receives state and all shares of the parties in the chosen non-access set γ, and then guesses which input x0 or x1 that the shares are generated from. Context Hiding. The output client should learn nothing from the shares except the result of the evaluation. This means the distribution of shares (y1 , . . . , ym ) from the actual evaluation function and the distribution of shares (si,1 , . . . , si,m ) ← HSS.Share(pk, i, f (x1 , . . . , xn )) from secret sharing of the result f (x1 , . . . , xn ) should be indistinguishable. The homomorphic secret sharing for degree-d polynomials with n inputs and m servers is context-hiding if, for any λ ∈ N, any n, m ∈ poly(λ), there exists a probabilistic polynomial time algorithm SHSS and a negligible function negl(λ) such that for any probabilistic polynomial time adversary A = (A0 , A1 ), |Pr[ContextHiding0A,SHSS ,HSS = 1] − Pr[ContextHiding1A,SHSS ,HSS = 1]| < negl(λ)

Constructive t-secure Homomorphic Secret Sharing

771

where ContextHidingbA,SHSS ,HSS is defined in Fig. 2 (right) for b ∈ {0, 1}. The explanation is similar to the definition of the security. Adversaries A0 together with A1 are trying to guess the bit b. After receiving the public key pk, adversary A0 generates a function f , secret inputs x1 , . . . , xn , and creates state to pass some messages to A1 . Adversary A1 receives state and the computation results y1 , . . . , ym . It has to guess whether the results are generated from the actual homomorphic secret sharing, or are simulated by the algorithm SHSS . SecuritybA,HSS (1λ ) : (pk, sk) ← HSS.KGen(1λ ) (x0 , x1 , γ ∈ Γ, state) ← A0 (pk) (s1 , . . . , sm ) ← HSS.Share(pk, b, xb ) b ← A1 (state, {sj : j ∈ γ}) return b = b

ContextHidingbA,SHSS ,HSS (1λ ) : (pk, sk) ← HSS.KGen(1λ ) (f, x1 , . . . , xn , state) ← A0 (pk) if b = 0 then (si,1 , . . . , si,m ) ← HSS.Share(pk, i, xi ) ∀i ∈ [n] yj ← HSS.Eval(pk, j, f, (si,j )i∈[n] ) ∀j ∈ [m] else (y1 , . . . , ym ) ← SHSS (1λ , pk, f (x1 , . . . , xn )) endif b ← A1 (state, (y1 , . . . , ym )) return b = b

Fig. 2. Security and context hiding for homomorphic secret sharing scheme

One of the most famous homomorphic secret sharing schemes is Shamir’s secret sharing scheme [36]. To share a secret input in the (m, t)-threshold setting, a degree-t polynomial P (x) is randomly generated with the constant term equals to the secret input. The j-th server gets the share of the secret input as P (j). If the servers locally add two shares, the results, which is also degree-t, will represent the addition of the two corresponding inputs. However, the results of locally multiplying two shares will correspond to a degree-2t polynomial, which represents (m, 2t)-threshold setting. Thus, the maximum computable polynomial degree d of Shamir’s scheme must satisfy dt < m in order to reconstruct the computation result, and we have d ≤  m−1 t . Shamir’s scheme only supports threshold non-access structure. To realize any general non-access structure Γ , the secret sharing technique of Ito et al. [27] can be used. To share a secret input xi , generate a share xi,γfor each non-access set γ in the maximum non-access structure Γ ∗ such that γ∈Γ ∗ xi,γ = xi . The / γ. From this technique, each server share xi,γ is given to the j-th server if j ∈ can get more than one shares per one secret input. 2.3

Homomorphic Encryption (HE)

Homomorphic encryption schemes let users perform operations on ciphertext in the same way as performing on plaintext while keeping the plaintext secret. The definition of homomorphic encryption scheme is as follows. More details can be found in [33].

772

K. Phalakarn et al.

Definition 3. A homomorphic encryption scheme consists of four algorithms HE = (KGen, Enc, Eval, Dec). Key Generation. (pk, sk) ← KGen(1λ ) : The algorithm receives the security parameter λ as an input, and then generates a pair of a public key and a secret key (pk, sk). Encryption. c ← Enc(pk, x) : The algorithm receives the public key pk and a plaintext x in a specified plaintext space as inputs, and then generates the corresponding ciphertext c. Evaluation. c ← Eval(pk, f, (c1 , . . . , cn )) : The algorithm receives the public key pk, a function f , and ciphertexts c1 , . . . , cn as inputs, and then generates the ciphertext of the evaluation c. Decryption. x ← Dec(sk, c) : The algorithm receives the secret key sk and a ciphertext c as inputs, and then decrypts into the corresponding plaintext x. Compactness. The homomorphic encryption scheme is compact if the size of the output from the evaluation algorithm HE.Eval is a polynomial in the security parameter λ, independent to the size of the description of the function f . Correctness. The homomorphic encryption scheme for degree-d polynomials with n inputs is correct if, for any λ ∈ N, any n ∈ poly(λ), any key pair (pk, sk) ← HE.KGen(1λ ), any degree-d polynomial f , any inputs (x1 , . . . , xn ), any ciphertexts ci ← HE.Enc(pk, xi ) for all i ∈ [n], and any ciphertext c ← HE.Eval(pk, f, (c1 , . . . , cn )), it holds that Pr[HE.Dec(sk, c) = f (x1 , . . . , xn )] ≥ 1 − negl(λ). Security. The homomorphic encryption scheme for degree-d polynomials with n inputs is semantically secure [26] if, for any λ ∈ N, any n ∈ poly(λ), there exists a negligible function negl(λ) such that for any probabilistic polynomial time adversary A = (A0 , A1 ), 1 + negl(λ) 2 where SecurityA,HE is defined in Fig. 3. The explanation of adversaries A0 and A1 is similar to the explanation in Sect. 2.2. Pr[SecurityA,HE = 1] ≤

Circuit Privacy. Similar to homomorphic secret sharing, the output client should learn nothing from the ciphertexts except the result of the evaluation. This means the distribution of the actual encrypted result c ← HE.Eval(pk, f, (c1 , . . . , cn )) and the distribution of newly encrypted result c ← HE.Enc(pk, f (x1 , . . . , xn )) should be indistinguishable. The homomorphic encryption scheme for degree-d polynomials with n inputs is circuit-private if there exists a probabilistic polynomial time algorithm SHE

Constructive t-secure Homomorphic Secret Sharing

773

and a negligible function negl(λ) such that for any λ ∈ N, any n ∈ poly(λ), any key pair (pk, sk) ← HE.KGen(1λ ), any degree-d polynomial f , any inputs (x1 , . . . , xn ), any ciphertext ci ← HE.Enc(pk, xi ) for all i ∈ [n], it holds that SD[HE.Eval(pk, f, (c1 , . . . , cn )), SHE (1λ , pk, f (x1 , . . . , xn ))] < negl(λ) where the statistical distance SD between random variables X and Y over a finite set U is defined as 1 | Pr[X = u] − Pr[Y = u] | . SD[X, Y ] = 2 u∈U

SecurityA,HE (1λ ) : (pk, sk) ← HE.KGen(1λ ) (x0 , x1 , state) ← A0 (pk) b ← {0, 1} c ← HE.Enc(pk, xb ) b ← A1 (state, pk, c) return b = b

Fig. 3. Security for homomorphic encryption scheme

In the literature, there exists homomorphic encryption schemes for degree1 polynomials [18,34] which are the most efficient, for degree-2 polynomials [2,8,15,20] which are somewhat efficient, and for degree-k polynomials [13,22,37] which are not efficient enough to be used in real applications when k is large.

3

Proposed Scheme

In this section, we show our construction of a t-secure homomorphic secret sharing scheme for degree-d polynomials with n inputs and m servers from degree-k homomorphic encryption scheme. Note again that the maximum polynomial . After that, we prove the fordegree of our proposed scheme is d =  (k+1)m−1 t mula for the maximum polynomial degree d and the maximum number of servers m. We also analyze correctness and security of the scheme, and suggest several variants. 3.1

Construction

Given the number of inputs n, the number of servers m, and the threshold t, our homomorphic secret sharing scheme consists of four algorithms as follows. We also refer to some details of Lai et al. [31] for the sake of completeness of this paper. Similar to [31], a specific type of ring mentioned in [15] is sufficient to be our message space.

774

K. Phalakarn et al.

Key Generation. Output client generates a pair of a public key and a secret key of the underlying degree-k homomorphic encryption (pk, sk) ← HE.KGen(1λ ), and publishes the public key pk to all parties. Secret Sharing. Consider the maximum non-access structure Γ ∗ of the (m, t)threshold non-access structure. To secretly share an input xi from the message space of the underlying homomorphic encryption scheme, randomly genshares (xi,γ )γ∈Γ ∗ corresponding to each γ ∈ Γ ∗ such that erate |Γ ∗ | = m t  et al. [27]. In addition, randomly generate shares of γ∈Γ ∗ xi,γ = xi as in Ito  zero (zi,j )j∈[m] such that j∈[m] zi,j = 0. For the j-th server, define xi,γ,j as HE.Enc(pk, xi,γ ) if j ∈ γ, and define as xi,γ otherwise. Finally, the j-th server gets si,j = ((xi,γ,j )γ∈Γ ∗ , zi,j ) as a share of xi . The shares si,j of the secret input xi for the j-th server and all relevant values can be summarized as follows. share

−−−−→

0

share

xi −−−−→

(zi,j )j∈[m] (xi,γ )γ∈Γ ∗

separate

−−−−−→ (xi,γ )γ∈Γ ∗ :j ∈γ / , (xi,γ )γ∈Γ ∗ :j∈γ when consider the j-th server encrypt

si,j

−−−−−→ (xi,γ )γ∈Γ ∗ :j ∈γ / , ( xi,γ )γ∈Γ ∗ :j∈γ := (xi,γ )γ∈Γ ∗ :j ∈γ / , ( xi,γ )γ∈Γ ∗ :j∈γ , (zi,j )

Evaluation. To calculate a degree-d polynomial f with n variables (x1 , . . . , xn ), we split the function f into (f1 , . . . , fm ) and assign fj to the j-th server. The first condition for the split is j∈[m] fj (s1,j , . . . , sn,j ) = f (x1 , . . . , xn ). The second condition can be explained as follows. Similar to [31],  we write the polynomial f as a sum of monomials f (x1 , . . . , xn ) = w aw Mw (x1 , . . . , xn ) where each w is a monomial of degree c ≤ d with coefficient aw . Consider each monomial w of degree c, say aw Mw (x1 , . . . , xn ) = aw xw1 xw2 · · · xwc forsome indices w1 , . . . , wc ∈ [n]. From the secret sharing algorithm above, xi = γ∈Γ ∗ xi,γ . Thus, we have ⎛



aw Mw (x1 , . . . , xn ) = aw xw1 · · · xwc = aw



i∈{w1 ,...,wc }

=





⎞ xi,γ ⎠

γ∈Γ ∗

aw xw1 ,γ1 · · · xwc ,γc

γ1 ,...,γc ∈Γ ∗

We prove in Sect. 3.2 that to calculate any monomial aw xw1 ,γ1 · · · xwc ,γc with c ≤ d, there must be at least one j-th server such that from all c variables, aw xw1 ,γ1 ,j · · · xwc ,γc ,j , at most k of them are encrypted. Because the underlying homomorphic encryption supports degree-k polynomials, the j-th server can compute this monomial. Each monomial will be assigned to one of the servers that can compute that monomial. We define the homomorphic summation of all monomials assigned to the j-th  server as gj (x1 , . . . , xn ). Finally, we define fj (x1 , . . . , xn ) = gj (x1 , . . . , xn ) + i∈[n] zi,j . The j-th server then computes yj = fj (x1 , . . . , xn )

Constructive t-secure Homomorphic Secret Sharing

775

using the operations of the underlying homomorphic encryption scheme, and forwards yj to the output client. Decoding. The output client homomorphically sums the results from all servers y = y1 +. . .+ym . The final result of f (x1 , . . . , xn ) is obtained from HE.Dec(sk, y). 3.2

The Maximum Degree d of the Proposed Scheme

We prove the upper bound of the maximum degree d of the proposed homomorphic secret sharing scheme in this section. We show that each monomial aw xw1 ,γ1 · · · xwc ,γc with degree c ≤ d can be assigned to one of the servers. Theorem 1. The upper bound of the maximum degree d of the construction in Sect. 3.1 is d ≤ (k+1)m−1 . t Proof. We prove the theorem using hyper-graph representation of the non-access structure. Do not confuse between the degree of the hyper-graph and the degree of the polynomial. Given the maximum non-access structure Γ ∗ , we construct a hyper-graph H = (V, E) with V = [m] and E = Γ ∗ . A hyper-edge γ ∈ Γ ∗ represents a non-access set, and is incident to a vertex j if and only if j ∈ γ. This also means that the j-th server gets the γ-part of the share as a ciphertext. To be able to calculate the degree-d monomials aw xw1 ,γ1 · · · xwd ,γd , there should be at least one servers that the number of encrypted variables is at most k (the degree of the underlying homomorphic encryption scheme). Note that a hyper-edge is corresponding to a non-access set and also corresponding to one part of the shares. In the same way, if we choose any d hyper-edges, we want that there exists at least one vertex that has at most k incident hyper-edges. The degree of each hyper-edge is t. Thus, choosing d hyper-edges is equivalent to dt incidences. From pigeonhole principle and the fact that H is a regular hypergraph, if there is at least one vertex that has at most k incident hyper-edges, the maximum number of all incidences must not exceed (k + 1) + · · · + (k + 1) +k = (k + 1)m − 1  

m−1 times

Thus, we have dt ≤ (k + 1)m − 1, and this concludes the proof. 3.3



Computational Complexity

The computational complexity of all parties must be a polynomial in the security parameter λ. The output client only performs m homomorphic additions and one decryption. If the underlying homomorphic encryption scheme is compact, it is obvious that the computational complexity of the output client is poly(λ). For the input clients, each one generates m-choose-t shares   and encrypts t (m − 1)-choose-(t − 1) out of them per server. We know that m t ≤ (em) where e is Euler’s constant. Because t < m, the computational complexity of each input

776

K. Phalakarn et al.

client is O(mm ). It is sufficient to set m = O( logloglogλ λ ) to let this bound be a polynomial in λ. This bound of m is equal to 1-secure scheme of Lai et al. [31]. The computational complexity of each server must also be a polynomial in the security parameter λ. From Sect. 3.1, we define that each monomial aw Mw (x1 , . . . , xn ) = aw xw1 · · · xwc in f (x1 , . . . , xn ) is expanded  to aw xw1 ,γ1 · · · xwc ,γc . We now show that the number of monomials aw xw1 ,γ1 · · · xwc ,γc assigned to each server for each monomial aw Mw (x1 , . . . , xn ) can be poly(λ). The maximum number of degree-d monomials aw xw1 ,γ1 · · · xwd ,γd that a  m−1d− k   k   . server can calculate is equal to =0 d (b−p) pd− = =0 d m−1 t−1 t The idea is that a server can calculate all monomials with  ≤ k encrypted shares. For a monomial with  encrypted shares, we can choose  out of d positions  to be the encrypted shares. For each encrypted position, there are b − p = m−1 t−1 choices of ciphertexts to choose from. For each plaintext position, there are m−1 choices of plaintexts to choose from. Thus the total combinations are p= k tdm−1 m−1d− . We show that this value can be a polynomial in λ if =0  t−1 t we choose an appropriate value of m.   d− k    d m−1 m−1 =0



t−1

t

k    d (em)t (em)(d−)t  =0 k    d dt = (em) 



=0

≤ (em)dt 2d ≤ e(k+1)m 2

(k+1)m t

m(k+1)m = mO(m)

It is sufficient to set m = O( logloglogλ λ ) to let this bound be a polynomial in λ. In addition, assume that the number of all monomials aw Mw (x1 , . . . , xn ) in f (x1 , . . . , xn ) is also a polynomial in λ. Thus, the total number of monomials aw xw1 ,γ1 · · · xwc ,γc that a server has to calculate is a polynomial in λ. In case that we want a larger value of threshold t, the maximum degree d of our homomorphic secret sharing scheme will be smaller, and this will not affect the bound. 3.4

Correctness and Security

We have shown that the bound of the maximum degree d is correct, and the number of servers can be a polynomial in the security parameter λ. In this section, we extend the arguments of Lai et al. [31] to show correctness and security of the proposed t-secure scheme. We first show that the proposed scheme is correct. Theorem 2. If the underlying homomorphic encryption scheme is correct, then the proposed homomorphic secret sharing scheme is correct.

Constructive t-secure Homomorphic Secret Sharing

777

Proof. From Theorem 1, each monomial aw xw1 ,γ1 · · · xwc ,γc with degree c ≤ d can be assigned to one of the servers. Thus,according to the description of the evaluation algorithm in Sect. 3.1, we have j∈[m] HE.Dec(sk, gj (x1 , . . . , xn )) = f (x1 , . . . , xn ). If the underlying homomorphic encryption scheme is correct, then  yj ) HE.Dec(sk, y) = HE.Dec(sk, j∈[m]

= HE.Dec(sk,



fj (x1 , . . . , xn ))

j∈[m]

= HE.Dec(sk,



(gj (x1 , . . . , xn ) +

j∈[m]

= HE.Dec(sk, =







zi,j ))

i∈[n]

gj (x1 , . . . , xn )) +

j∈[m]

 

zi,j

i∈[n] j∈[m]

HE.Dec(sk, gj (x1 , . . . , xn )) + 0 = f (x1 , . . . , xn )

j∈[m]

which means the proposed scheme is also correct.



Next, we show that the proposed scheme is a t-secure homomorphic secret sharing scheme. Theorem 3. If the underlying homomorphic encryption scheme is semantically secure, then the proposed homomorphic secret sharing scheme is t-secure. Proof. We will show that if there is an adversary A that can guess the input of our homomorphic secret sharing with a non-negligible advantage, we can construct an adversary A to break the semantic security of the underlying homomorphic encryption scheme. The process is shown in Fig. 4. Consider (m, t)-threshold non-access structure Γ . The process starts when the oracle generates a public key pk of the homomorphic encryption scheme, and forwards it to the adversary A , which also forwards to the adversary A. Adversary A then generates two inputs x∗0 , x∗1 , and a non-access set γ ∗ ∈ Γ ∗ , and forwards to A . (If the homomorphic secret sharing scheme is secure for Γ ∗ , then it is also secure for Γ .) A then generates a set of random shares S, and let x0 and x1 be γ ∗ -part of the shares of x∗0 and x∗1 , respectively. Adversary A sends x0 and x1 to the oracle, and gets cb as a response. Adversary A forwards (S, cb ) as the shares of x∗b with γ ∗ -part encrypted. If the adversary A can correctly guess the input x∗b with a non-negligible advantage, this guess also has the same

non-negligible advantage for adversary A to guess xb . Finally, we state the theorem for context hiding as follows. The proof below is similar to the proof in [31]. Theorem 4. If the underlying homomorphic encryption scheme is circuit- private, then the proposed homomorphic secret sharing scheme is context-hiding.

778

K. Phalakarn et al.

Proof. According to the definition of context hiding, we must show that there exists a probabilistic polynomial time algorithm SHSS . To pro, . . . , xn )), the algorithm SHSS generates random shares cess SHSS (1λ , pk, f (x1 r1 , . . . , rm such that j∈[m] rj = f (x1 , . . . , xn ). The algorithm then generates yj ← HE.Enc(pk, rj ) for all j ∈ [m], and outputs (y1 , . . . , ym ). We compare the distributions of the output from SHSS and the output from HSS.Eval. Because the random shares of zeroes zi,j are added in the evaluation algorithm HSS.Eval, the output from HSS.Eval can be any encrypted tuple that adds up to f (x1 , . . . , xn ). In the same way, the output from the algorithm SHSS is randomly generated such that the encrypted tuple adds up to f (x1 , . . . , xn ). If the underlying homomorphic encryption is semantically secure, then these two distributions must be indistinguishable. Thus, there is no adversary that can distinguish these two distributions with non-negligible advantage.

3.5

Variants of the Scheme

Extending from Lai et al. [31], we present two variants of our homomorphic secret sharing scheme. Multi-key Homomorphic Encryption and Plain Model. There exists several multi-key homomorphic encryption schemes in the literature [32]. We describe it as follows. Adversary A Adversary A pk ⇒ pk ⇐ Gen x∗0 , x∗1 , γ ∗ x∗0 , x∗1 , γ ∗ ∗ ∗ Gen S = (sγ )γ∈Γ  ∧γ=γ ⇐ x0 = x∗0 − s∈S s ⇐ x1 = x∗1 − s∈S s

Oracle pk ← HE.KGen(1λ ) ⇒

x0 x1 Random b cb ← HE.Enc(pk, xb ) ⇒ b



cb (S, cb ) b

⇒ ⇐

(S, cb ) Guess b

Fig. 4. Security proof of Theorem 3

Definition 4. A multi-key homomorphic encryption scheme consists of four algorithms MKHE = (KGen, Enc, Eval, Dec). Key Generation and Encryption. The algorithms behave exactly the same as simple homomorphic encryption scheme in Definition 3. Evaluation. c ← Eval(f, ((pk1 , c1 ), . . . , (pkn , cn ))) : The algorithm receives a function f , and the pairs of public key and the corresponding ciphertext (pk1 , c1 ), . . . , (pkn , cn ) as inputs, and then generates the ciphertext of the evaluation c under all the public keys pk1 , . . . , pkn .

Constructive t-secure Homomorphic Secret Sharing

779

Decryption. x ← Dec((sk1 , . . . , skn ), c) : The algorithm receives the secret keys sk1 , . . . , skn and a ciphertext c encrypted under all the corresponding public keys as inputs, and then decrypt into the plaintext x. Similar to [31], our proposed scheme can be naturally extended to multikey plain model. In this setting, the output client does not have to generate any key pairs. The i-th input client will generate its own key pair (pki , ski ), and publish pki to all parties. The secret input xi will be shared as si,j using the public key pki . In addition, the shares of secret key ski are generated such  that j∈[m] ski,j = ski . Both si,j and ski,j are forwarded to the corresponding j-th server. The j-th server then calculates fj using the multi-key evaluation algorithm, and forwards the result together with the secret key shares to the output client. Finally, the output client reconstructs the secret keys from all shares, and uses the multi-key decryption algorithm to see the final result. It can be proved similar to [31] that this variant is t-secure. r-robustness. Suppose that only r servers can forward the results to the output client, the scheme is not completely failed. Calculating some polynomials is still possible in this setting. This property is called as r-robustness in [31]. The . This bound maximum degree d of the scheme will be decreased to  (k+1)r−1 t can be proved in the same way as in Theorem 1. There are some points to consider. Notice that in Sect. 3.1 and in the plain model described in this section, the shares of zeroes and the shares of secret keys can be reconstructed if all the servers are presented (m-out-of-m secret sharing). These prevent the possibility of r-robustness. The solution for the shares of zeroes is to use the secret sharing of the (m, t)-threshold non-access structure. The secret sharing of secret keys can also be done in the same way. In addition, threshold homomorphic encryption [28] may be used for this purpose.

4

Discussions

Compare to Lai et al. We consider these topics comparing to t-secure homomorphic secret sharing scheme of Lai et al. [31]. Number of Servers. For the t-secure scheme in [31], the authors fixed the degree of homomorphic encryption k = 1, the degree of homomorphic secret sharing d = 3, number of plaintext shares per input for each server p = 2, and number of all shares per input for each server b = 2t + 1. Then, the number of required servers is m = t2 which is not efficient. In contrast, our scheme has m ≥ 3t+1 2 which is linear in t. This can be generalized to m ≥ dt+1 k+1 for all values of k, d, and t, which is also linear in t. Number of Shares. In 1-secure scheme of [31], the number of shares per input for each server is equal to the number of servers, b = m, and the number of plaintext shares per input for each server is p = m − 1. For the t-secure scheme, the authors fixed the degree of homomorphic encryption k = 1 and the degree of homomorphic secret sharing d = 3, then the suggested number of shares per

780

K. Phalakarn et al.

input for each server is b = 2t + 1, and the number of plaintext shares per input for each server is p = 2. m−1   . Increasing share size can be viewed as In our scheme, b = m t and p = t a trade-off with security. Since [31] is the special case of ours, the share size is the same when t = 1. We believe that the size is acceptable when t is small or close to m. For t ≈ m/2, possible improvements are mentioned in Sect. 5. Although, our scheme has more number of shares, the computational complexity of the scheme is still a polynomial in the security parameter λ if the number of servers m is O( logloglogλ λ ). This bound is equal to the 1-secure scheme of [31]. Constructiveness. The concrete construction of the t-secure homomorphic secret sharing scheme is not proposed in [31]. We have to solve set cover problem in order to find the combination of encrypted shares for each server. Since the set cover problem is NP-complete, their construction is not constructive. In our scheme, the construction is concrete and clear. In addition, it is claimed in [31] that the number of plaintext shares from t servers must not exceed the number of all shares per input for each server, which can be written as t · p < b, in order to keep the scheme secure. However, this is not mandatory. The plaintext shares from different servers can be overlapped. Compare to Homomorphic Encryption. Let m, t, and d be fixed constants. Roughly comparing our scheme (with the BGN scheme [8] as the base scheme) to the GSW scheme [23], with the security parameter λ, our share size and computation time for each server are O(λ) and O(λ3 ), while the ciphertext size 3 and computation time of GSW are O(λ2 log mλ) and O(λ log λ), respectively. Although, our scheme has hidden constant t for share size, it can be smaller than cλ log λ for small m and t, and c depends on the GSW implementation. We mention again that the purpose of our work is not to outperform homomorphic encryption, but to combine it with secret sharing. The results are higher computable degree and single-point-of-failure mitigation.

5

Possible Improvements from Non-threshold Structure

Until the previous section, we only focus on threshold non-access structures. In fact, our proposed scheme also supports any non-access structures, including non-threshold non-access structures. Some observations about the benefits from non-threshold non-access structures are found, but they are not thoroughly understood. We give an example here how we can optimize the scheme using a non-threshold non-access structure and a relaxed constraint. Example 2. Consider a setting with m = 4 servers and threshold t = 2. We can construct the maximum (4, 2)-threshold non-access structure Γ1∗ = {{1, 2}, {1, 3}, {1, 4}, {2, 3}, {2, 4}, {3, 4}}. With this maximum threshold nonaccess structure, each server gets b1 = |Γ1∗ | = 6 shares, and the maximum degree of the homomorphic secret sharing scheme is d1 = 3. However, if we relax the constraint that any three servers can reconstruct the

Constructive t-secure Homomorphic Secret Sharing

781

secret, we can have the other maximum non-threshold non-access structure Γ2∗ = {{1, 2}, {1, 3}, {1, 4}, {2, 3, 4}}. Any two servers still cannot reconstruct the secret inputs. Using this non-threshold structure, the number of shares for each server is reduced to b2 = |Γ2∗ | = 4 while the maximum computable degree is still d2 = 3. In this case, the numbers of plaintext and ciphertext shares are different for each server. In addition, we also find an improvement in 6-party non-threshold cases that can reduce the share size from 20 to 10 shares. The setting is m = 6, t = 3, and Γ3∗ = {{1, 2, 3, 4}, {1, 2, 5}, {1, 2, 6}, {1, 3, 5, 6}, {1, 4, 5}, {1, 4, 6}, {2, 3, 5, 6}, {2, 4, 5}, {2, 4, 6}, {3, 4, 5, 6}}. We have tried to find the relationship between non-threshold non-access structures and the other parameters, but it is still unclear. We present four possible improvements as follows. Non-threshold Non-access Structure and the Maximum Degree d. To find the maximum degree d of the homomorphic secret sharing scheme realized any non-access structure, the exact formula is still unknown. However, we can construct an optimization model from the corresponding hyper-graph. This optimization model can be solved using integer program (IP) as in Fig. 5. The idea is to select the smallest number of hyper-edges which is adjacent to each vertex more than k times. Input Output Objective function Constraints

Positive integers m, Non-negative integer k, hyper-graph H = (V, E) = ([m], Γ ∗ ) Non-negative integer d Minimize d ∗ Let  xγ ∈ Z≥0 be a variable for each γ ∈ Γ x = d + 1 γ∈Γ ∗ γ γ∈Γ ∗ :j∈γ xγ > k for all j ∈ [m]

Fig. 5. Integer program to find the maximum degree d of any non-access structure.

In addition to the optimization model, the multiplicative property of the non-access structure in [4] may also be considered. In the paper, the maximum degree of computable polynomial is described for the case when homomorphic encryption is not used (or the degree of the homomorphic encryption is k = 0). Non-threshold Non-access Structure and Number of Shares b. It is possible to reduce the number of shares by using non-threshold non-access structures as in Example 2 above. The process may be considered as to union some non-access sets in the threshold structure. However, we still do not know which non-threshold structure should be used instead of the threshold one. Generalizing threshold structure to non-threshold structure can sometimes reduce the maximum degree d of the homomorphic secret sharing scheme.

782

K. Phalakarn et al.

Extension of r-robustness. It may be possible to generalize the definition of r-robustness to Γ¯ -robustness, where Γ¯ is the “access” structure that contains the “access” sets. In Γ¯ -robustness, combining the result from an access set of server γ¯ ∈ Γ¯ can reconstruct the secret. The relationship between Γ¯ and the maximum degree d of the Γ¯ -robustness homomorphic secret sharing is also unknown. It may be possible to use Γ¯ such that Γ ∩ Γ¯ = ∅ but Γ ∪ Γ¯ = 2[m] . Multi-use Context Hiding. For the sake of randomness, the shares of zeroes must be used for one time only. To evaluate several polynomials of the same shares, Lai et al. [31] proposed a technique using random values from a pseudorandom function. The key kj and kj+1 are given to the j-th server, and PRF(kj , f ) − PRF(kj+1 , f ) is used instead of the shares of zeroes. However, their security threshold is only 1. If at least m/2 servers are colluding, they can learn all the keys. The construction of multi-use context-hiding homomorphic secret sharing scheme for threshold and non-threshold non-access structure Γ from a pseudo-random function has not been proposed. Extending the idea to r-robust and Γ¯ -robust multi-use context-hiding is also interesting.

6

Concluding Remarks

In this paper, we propose the constructive t-secure homomorphic secret sharing scheme from homomorphic encryption. The maximum computable degree of the scheme is proved using hyper-graph, and the number of required servers is analyzed. We also proposed several variants and possible improvements from non-threshold structure. To conclude the paper, two interesting settings are suggested as future works. Malicious Security. In the construction presented in Sect. 3, we only consider semi-honest security where each party follows the protocol correctly, but may try to collude and learn the secret inputs. However, a party may deviate from the protocol arbitrarily. The input client may send different value of shares to each server. The ciphertext and plaintext may represent different values. The sum of all shares of zeroes may not be equal to zero. For the server, it may send any value as the evaluation result to the output client. We may have to change the security model to real-ideal model [14] to handle the malicious security. The solution to these problems can be proposed in two levels. The simpler solution is to detect the malicious behaviour, and abort if some errors are detected. The better solution is to correct the errors, and then continue to follow the protocol. The scheme with r-robustness or Γ¯ -robustness can be useful. The idea of verifiable homomorphic encryption [19] and verifiable secret sharing [21,35] may also be used for this purpose. Generalize to any Inner/Outer Scheme. In our construction, it can be seen that we use homomorphic encryption as the inner scheme, and secret sharing of Ito et al. as the outer scheme. It may be possible to generalize this idea of homomorphic secret sharing construction to any combinations of inner and

Constructive t-secure Homomorphic Secret Sharing

783

outer schemes. Thus, we should have a better understanding of each secure computation protocol, and how the combinations should be. Acknowledgment. Nuttapong Attrapadung was partly supported by JST CREST Grant Number JPMJCR19F6, and by JSPS KAKENHI Kiban-A Grant Number 19H01109.

References 1. Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. Comput. Complex. 15(2), 115–162 (2006) 2. Attrapadung, N., Hanaoka, G., Mitsunari, S., Sakai, Y., Shimizu, K., Teruya, T.: Efficient two-level homomorphic encryption in prime-order bilinear groups and a fast implementation in WebAssembly. In: Asia Conference on Computer and Communications Security, pp. 685–697 (2018) 3. Babai, L., Kimmel, P.G., Lokam, S.V.: Simultaneous messages vs. communication. In: Mayr, E.W., Puech, C. (eds.) STACS 1995. LNCS, vol. 900, pp. 361–372. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-59042-0 88 4. Barkol, O., Ishai, Y., Weinreb, E.: On d -multiplicative secret sharing. J. Cryptol. 23(4), 580–593 (2010). https://doi.org/10.1007/s00145-010-9056-z 5. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 34 6. Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E., Meldgaard, S., PaskinCherniavsky, A.: Non-interactive secure multiparty computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 387–404. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1 22 7. Beimel, A., Ishai, Y.: Information-theoretic private information retrieval: a unified construction. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 912–926. Springer, Heidelberg (2001). https://doi.org/10. 1007/3-540-48224-5 74 8. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7 18 9. Boyle, E.: Recent advances in function and homomorphic secret sharing - (invited talk). In: International Conference on Cryptology in India, pp. 1–26 (2017) 10. Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 337–367. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6 12 11. Boyle, E., Gilboa, N., Ishai, Y.: Breaking the circuit size barrier for secure computation under DDH. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. Breaking the circuit size barrier for secure computation under DDH, vol. 9814, pp. 509–539. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4 19 12. Boyle, E., Gilboa, N., Ishai, Y., Lin, H., Tessaro, S.: Foundations of homomorphic secret sharing. In: Innovations in Theoretical Computer Science Conference (2018) 13. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: IEEE Symposium on Foundations of Computer Science, pp. 97–106 (2011)

784

K. Phalakarn et al.

14. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: IEEE Symposium on Foundations of Computer Science, pp. 136–145 (2001) 15. Catalano, D., Fiore, D.: Using linearly-homomorphic encryption to evaluate degree2 functions on encrypted data. In: ACM SIGSAC Conference on Computer and Communications Security, pp. 1518–1529 (2015) 16. Chabanne, H., de Wargny, A., Milgram, J., Morel, C., Prouff, E.: Privacypreserving classification on deep neural network. IACR Cryptology ePrint Archive (2017) 17. Dodis, Y., Halevi, S., Rothblum, R.D., Wichs, D.: Spooky encryption and its applications. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 93– 122. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3 4 18. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. 31, 469–472 (1985) 19. Fiore, D., Gennaro, R., Pastro, V.: Efficiently verifiable computation on encrypted data. In: ACM SIGSAC Conference on Computer and Communications Security, pp. 844–855 (2014) 20. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. Converting pairing-based cryptosystems from composite-order groups to prime-order groups, vol. 6110, pp. 44–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3642-13190-5 3 21. Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: ACM Symposium on Principles of Distributed Computing, pp. 101–111 (1998) 22. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: ACM Symposium on Theory of Computing, pp. 169–178 (2009) 23. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4 5 24. Gilad-Bachrach, R., Dowlin, N., Laine, K., Lauter, K., Naehrig, M., Wernsing, J.: Cryptonets: applying neural networks to encrypted data with high throughput and accuracy. In: International Conference on Machine Learning, pp. 201–210 (2016) 25. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: ACM Symposium on Theory of Computing, pp. 218–229 (1987) 26. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984) 27. Ito, M., Saito, A., Nishizeki, T.: Secret sharing schemes realizing general access structure. In: IEEE Global Telecommunication Conference, pp. 99–102 (1987) 28. Jain, A., Rasmussen, P.M.R., Sahai, A.: Threshold fully homomorphic encryption. IACR Cryptology ePrint Archive (2017) 29. Kamara, S., Mohassel, P., Raykova, M.: Outsourcing multi-party computation. IACR Cryptology ePrint Archive (2011) 30. Kamara, S., Mohassel, P., Riva, B.: Salus: a system for server-aided secure function evaluation. In: ACM Conference on Computer and Communications Security, pp. 797–808 (2012)

Constructive t-secure Homomorphic Secret Sharing

785

31. Lai, R.W.F., Malavolta, G., Schr¨ oder, D.: Homomorphic secret sharing for low degree polynomials. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 279–309. Springer, Cham (2018). https://doi.org/10.1007/978-3030-03332-3 11 32. L´ opez-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: ACM Symposium on Theory of Computing, pp. 1219–1234 (2012) 33. Martins, P., Sousa, L., Mariano, A.: A survey on fully homomorphic encryption: an engineering perspective. ACM Comput. Surv. 50(6), 1–33 (2017) 34. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X 16 35. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 9 36. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979) 37. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 24–43 (2010)

Perfectly-Secure Asynchronous MPC for General Adversaries (Extended Abstract) Ashish Choudhury(B) and Nikhil Pappu International Institute of Information Technology, Bangalore, India {ashish.choudhury,nikhil.pappu}@iiitb.ac.in Abstract. We study perfectly-secure Multiparty Computation (MPC) in the asynchronous communication setting, tolerating a generalized nonthreshold adversary, characterized by an adversary structure. Ashwin Kumar et al. (ACISP2002) presented a condition which is both necessary as well as sufficient for the existence of perfectly-secure MPC in this setting. However, we show that their protocol is flawed and present a new protocol (with the same necessity condition). Moreover, our protocol is conceptually simpler, and unlike their protocol, does not rely on monotone span programs (MSPs). As a sub-contribution, we also present an asynchronous Byzantine agreement protocol (tolerating a non-threshold adversary), which is used as a key component in our MPC protocol. Keywords: Secure MPC · General adversary structures · Asynchronous protocols · Byzantine agreement · Non-threshold model

1

Introduction

Secure MPC [8,14,25,42,46] is a widely studied problem in secure distributed computing. Informally, an MPC protocol allows a set of n mutually distrusting parties to compute any agreed upon function of their inputs, while keeping their respective inputs as private as possible. Due to its generality and powerful abstraction, the MPC problem has been widely studied and various interesting results have been achieved related to the theoretical possibility and practical feasibility of MPC protocols. A large bulk of MPC literature assumes a threshold adversary, i.e., an adversary that can corrupt any t out of the n parties. In [29], Hirt and Maurer initiated the study of MPC in the non-threshold adversarial model under a more general constraint on the adversary’s corruption capability, where the adversary is allowed to corrupt any set of parties from a pre-defined collection of subsets of P called a general adversary structure (where P is the set of all parties) and presented necessity and sufficiency conditions for the same This research is an outcome of the R&D work undertaken in the project under the Visvesvaraya PhD Scheme of Ministry of Electronics & Information Technology, Government of India, being implemented by Digital India Corporation (formerly Media Lab Asia). c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 786–809, 2020. https://doi.org/10.1007/978-3-030-65277-7_35

Perfectly-Secure Asynchronous MPC

787

in various settings. Although, as shown in [30], such a specification comes with a downside that there exist adversary structures for which any MPC protocol requires communication and computation complexities polynomial in the size of the adversary structure (which could be exponential in n due to the number of possible subsets of P), the added flexibility makes it applicable in more real-world scenarios, especially when n is not too large. The communication complexity of the MPC protocol of [29] is superpolynomial in the size of the adversary structure. Subsequent works presented polynomial time protocols [19,20,23,38,44] and focused on further improving the communication complexity [32,36]. These protocols can be categorized into two based on the secret-sharing scheme [43] they deploy. The protocols presented in [19,20,36,44] deploy a secret-sharing scheme based on monotone span programs (MSPs) [33], while those presented in [32,38] use a simpler additive secret-sharing scheme. The significance of both of these stems from the fact that for a given adversary structure, one might be more efficient compared to the other (see for e.g., [36]). Our Motivation. All the above works on general adversaries are in the synchronous model, where the delays of messages in the network are bounded by a publicly known constant. However, real-life networks like the Internet are modelled more appropriately by the asynchronous communication model [11], where messages can be arbitrarily delayed with only the guarantee that messages of honest parties are delivered eventually. The asynchronous MPC (AMPC) problem has been studied, but in the threshold adversary setting [4,7,9,16,17,21,31,39,45]. These protocols are more involved and less efficient than their synchronous counterparts as in a completely asynchronous setting, from the view point of an honest party, it is impossible to distinguish between a slow but honest sender (whose messages are delayed arbitrarily) and a corrupt sender (who does not send any message). Consequently, to avoid an endless wait, no party can afford to receive messages from all its neighbours, thus ignoring communication from potentially slow honest parties. An MPC protocol tolerating a generalized adversary which is secure in an asynchronous network, would better model real-world scenarios due to the increased flexibility arising from relaxed assumptions on both the adversary and the underlying network. Adapting general adversary MPC protocols for the asynchronous setting was mentioned as an open problem in [28,44]. We focus on the design of an AMPC protocol with the highest level of security, namely perfect-security tolerating a computationally unbounded malicious adversary, characterized by a general adversary structure. Existing Results and Our Contributions. The only work in the domain of AMPC in the non-threshold model is due to [34], which presented a necessary and sufficient condition for perfectly-secure AMPC. They showed that for perfect security (where the security properties are achieved in an error-free fashion even if the adversary is computationally unbounded), the set of parties P should satisfy the Q(4) condition. That is, the union of any four subsets from the underlying adversary structure should not “cover” the entire party set P. In this paper, our main contributions are as follows:

788

A. Choudhury and N. Pappu

– The AMPC protocol of [34] is based on MSPs and utilizes the playerelimination framework, commonly deployed against a threshold adversary in the synchronous communication setting (see for example [5,26]). However, we show that the player-elimination framework will not necessarily work, which further implies that the protocol of [34] is flawed (see Sect. 3). – We present a new perfectly-secure AMPC protocol with the Q(4) condition. The protocol is conceptually simpler than the protocol of [34] and does not deploy MSPs or utilize a player-elimination framework. The computation and communication complexities of the protocol are polynomial in n and the size of the underlying adversary structure. The multiplication protocols that have been deployed in the existing non-threshold protocols in the synchronous setting for evaluating multiplication gates [32,38], will not work in the asynchronous communication setting. Intuitively, this is because the security of the synchronous protocols depends upon the availability of the messages of all honest parties, which is not guaranteed in the asynchronous setting. Hence, we design a new sub-protocol for securely evaluating multiplication gates asynchronously (see Sect. 6). – As a sub-contribution, we present an asynchronous Byzantine agreement (ABA) protocol in the non-threshold model. The protocol is almost-surely terminating [1,2]. That is, if the parties keep on running the protocol, then asymptotically, they terminate with probability 1. ABA is used as a subprotocol, both in the protocol of [34] as well as ours. However, [34] does not provide any ABA protocol and simply states that the existing ABA protocol(s) in the threshold setting [13] can be generalized in a straightforward fashion for the non-threshold setting. Unfortunately, it turns out that the generalization is non-trivial and involves few subtleties. For instance, we find that generalizing these protocols for the non-threshold setting requires a nonconstant expected number of asynchronous “rounds”, while only a constant number of such rounds are required by existing threshold protocols [13,15]. We follow the offline/online phase paradigm [3]. The offline phase (also called the preprocessing phase) generates additively-shared random and private multiplication triples, independent of the function f . These triples are later used in the online phase for securely evaluating the circuit representing f . While this paradigm is the de facto standard for designing generic MPC protocols, the new components are the protocols for perfectly-secure asynchronous verifiable secret-sharing (AVSS), asynchronous perfectly-secure multiplication and ABA, for instantiating the paradigm in the non-threshold setting. Due to space constraints, we are unable to give complete formal proofs for our protocols in this extended abstract and we defer the formal proofs to the full version of the paper.

2

Preliminaries

We assume a set of n mutually distrusting parties P = {P1 , . . . , Pn }, connected by pair-wise private and authentic channels. The distrust in the system is modelled by a computationally-unbounded adversary Adv, specified by an adversary

Perfectly-Secure Asynchronous MPC

789

structure Z ⊆ 2P , where each Z ∈ Z satisfies the condition that Z ⊂ P. The adversary structure Z is monotone in the sense that if Z ∈ Z, then any Z  ⊆ Z also belongs to Z. For convenience, we assume that Z consists of maximal subsets of parties, which can be potentially corrupted by Adv during the execution of a protocol. Consequently, we denote the adversary structure as Z = {Z1 , . . . , Zq }, where Z1 , . . . , Zq are maximal subsets of potentially corruptible parties. For m = 1, . . . , q, we use the notation Gm to denote the set of parties P \ Zm . The adversary Adv can corrupt a set of parties Z  ⊂ P during the protocol execution, where Z  is part of some set in the adversary structure (i.e., Z  ⊆ Z for some Z ∈ Z). The parties not under the control of Adv are called honest. The adversary is Byzantine (malicious) and can force the parties under its control to deviate from the protocol instructions in any arbitrary fashion. Note that the exact identity of Z  won’t be known to the honest parties at the beginning of the execution of any protocol, and need not be revealed at the end of the protocol. We say that a set of parties S ⊆ P satisfies the Q(k) condition, if S ⊆ Z1 ∪ . . . ∪ Zk , for every Z1 , . . . , Zk ∈ Z. Notice that if S satisfies the Q(k)  condition, then it also satisfies the Q(k ) condition for any 1 ≤ k  < k. We assume that the set of parties P satisfies the Q(4) condition, which is necessary for the existence of any perfectly-secure AMPC protocol tolerating Z [34]. In our protocols, all the computations are performed over some finite algebraic structure K, which could be a finite ring or a field and we assume that the parties want to compute a function f , represented by a publicly known arithmetic circuit cir over K. For simplicity and without loss of generality, we assume that each party Pi ∈ P has a single input x(i) to the function f , and there is a single output y = f (x(1) , . . . , x(n) ), which is supposed to be learnt by all the parties. Apart from the input and output gates, cir consists of 2-input gates of the form g = (x, y, z), where x and y are the inputs and z is the output. The gate g can either be an addition gate (i.e. z = x + y) or a multiplication gate (i.e. z = x · y). The circuit cir consists of M multiplication gates. We follow the asynchronous communication model of [7,11], which does not put any restriction on the message delays and the only guarantee is that the messages of the honest parties are delivered eventually. The sequence of message delivery is controlled by an adversarial scheduler. Due to the absence of any globally known upper bound on the message delays, no party can wait to receive messages from all its neighbours to avoid an endless wait (as a corrupt neighbour may not send any message). Hence, any party has to proceed as soon as it receives messages from a set of parties in S, where P \ S ∈ Z. 2.1

Definitions

Definition 2.1 ([·]-sharing). A value s ∈ K is said to be [·]-shared, if there exist values s(1) , . . . , s(q) ∈ K where s = s(1) + . . . + s(q) , such that for each m = 1, . . . , q, all (honest) parties in the group Gm hold the share s(m) . The notation [s] denotes the vector of shares (s(1) , . . . , s(q) ). Note that a party Pi may possess more than one share in the vector [s], depending upon the number of groups Gm in which Pi is present, which further depends

790

A. Choudhury and N. Pappu

upon the adversary structure Z. It is easy to see that [·]-sharings are linear: given [a], [b] and public constants c1 , c2 ∈ K, the parties can locally compute their shares corresponding to [c1 · a + c2 · b]. In general, the parties can locally compute any publicly known linear function of [·]-shared values. In our protocols, we come across situations where there exists a publicly known value s ∈ K and the parties have to take some default [·]-sharing of s. Definition 2.2 (Default [·]-sharing). Let s ∈ K be publicly known. Then the vector (s, 0, . . . , 0 (q − 1 times)) is considered as a default [·]-sharing of s. That is, the parties in G1 consider s as their share corresponding to G1 , while for m = 2, . . . , q, the parties in Gm consider 0 as their share corresponding to Gm . We next recall a data-structure from [34] used in our secret-sharing protocol. Definition 2.3 (Z−clique [34]). Let G = (V, E) be an undirected graph where V ⊆ P. Then a subset V  ⊆ V is called a Z−clique in G, if the following hold: • The set of nodes V  constitute a clique in G. That is, for every Pi , Pj ∈ V  , the edge (Pi , Pj ) ∈ E. def

• The set of nodes Z  = V \V  is a subset of some set from Z. That is, Z  ⊆ Zm for some Zm ∈ Z. To find whether there exists a Z−clique in a given graph G, one can check whether the set of nodes in V \ Zm constitutes a clique in G for any Zm ∈ Z. The running time of this algorithm is O(|Z| · poly(n)). Definition 2.4 (ABA [37]). Let Π be an asynchronous protocol for the parties in P, where each party Pi has a binary input xi and a binary output σi . Then, Π is said to be an ABA protocol if the following hold, where the probability is taken over the random coins and inputs of the honest parties and Adv. • Termination: If all honest parties invoke Π, then with probability 1, all honest parties eventually terminate1 Π. • Agreement: σi = σj holds for every honest Pi and Pj . • Validity: If all honest parties have the same input x ∈ {0, 1}, then σi = x holds for every honest Pi . For designing our ABA protocol, we use another primitive called common coin. Definition 2.5 (Common Coin (CC) [13]). Let Π be an asynchronous protocol for the parties in P, where each party has some local random input and a binary output. Then Π is called a p-common coin protocol, if the following holds: • Correctness: For every value σ ∈ {0, 1}, with probability at least p, all honest parties output σ. 1

The classic FLP impossibility result [22] implies that any deterministic ABA protocol will have non-terminating executions where honest parties do not terminate even if a single party is corrupted. As a result, the best that one can hope for is that the protocol terminates with probability 1 (i.e. almost-surely). See [11] for more details.

Perfectly-Secure Asynchronous MPC

791

• Termination: If all honest parties invoke Π, then all honest parties eventually terminate Π. Formalizing the security definition of MPC is subtle, and in itself is an interesting field of research. In the synchronous setting, the standard definition is based on the universally-composable (UC) real-world/ideal-world based simulation paradigm [12]. On a very high level, any protocol Πreal for MPC is defined to be secure in this paradigm, if it “emulates” what is called as an ideal-world protocol Πideal . In Πideal , all the parties give their respective inputs for the function f to be computed to a trusted third party (TTP), who locally computes the function output and sends it back to all the parties and hence, no communication is involved among the parties in Πideal . Protocol Πreal is said to emulate Πideal if for any adversary attacking Πreal , there exists an adversary attacking Πideal that induces an identical output in Πideal , where the output is the concatenation of the outputs of the honest parties and the view of the adversary [24]. Extending the above definition to the asynchronous setting brings a lot of additional technicalities to deal with the eventual message delivery in the system, controlled by an adversarial scheduler. In the case of the asynchronous setting, the local output of the honest parties is only an approximation of the pre-specified function f over a subset C of the local inputs, the rest being taken to be 0, where P \ C ∈ Z (this is analogous to the definition of asynchronous MPC in the threshold setting [7,9,11]). Protocol Πreal is said to be perfectlysecure in the asynchronous setting if the local outputs of the honest players are correct, Πreal terminates eventually with probability 1 for all honest parties, and the output of Πreal is identically distributed with respect to the output of Πideal (which involves a TTP that computes an approximation of f ). We refer to [18] for the complete formalization of the UC-security definition of MPC in the asynchronous communication setting, with eventual message delivery. As the main focus of the paper is to present a simple asynchronous MPC protocol, to avoid bringing in additional technicalities, we defer giving the security proofs of our protocols as per the asynchronous UC framework to the full version of the paper. 2.2

Existing Asynchronous Primitives

Asynchronous Reliable Broadcast (Acast). The protocol allows a designated sender S ∈ P to asynchronously send some message m identically to all the parties, even in the presence of Adv. If S is honest, then every honest party eventually terminates with output m. If S is corrupt and some honest party terminates with output m , then eventually every honest party terminates with output m . In the threshold setting, Bracha [10] presented an asynchronous reliable broadcast protocol tolerating t < n/3 corruptions. The protocol is generalized for a Q(3) adversary structure in [35]. The protocol needs a communication of O(poly(n) · ) bits for broadcasting an -bit message. We stress that the termination guarantees of the Acast protocol are “asynchronous” in the sense that if some honest Pi terminates an Acast instance with some output, then the further participation of Pi in the instance is no longer necessary to ensure the eventual termination (and output computation) of the other honest parties.

792

A. Choudhury and N. Pappu

We say “Pi broadcasts m” to mean that Pi ∈ P acts as an S and invokes an instance of protocol Acast to broadcast m, and the parties participate in this instance. The notation “Pj receives m from the broadcast of Pi ” means that Pj terminates an instance of protocol Acast invoked by Pi as S, with output m . Agreement on a Common Subset (ACS). In our asynchronous protocols, we come across situations of the following kind: there exists a set of parties S ⊆ P where S satisfies the Q(k) condition with k ≥ 2. Each party in S is supposed to act as a dealer and verifiably-share some value(s). While the honest dealers in S invoke the required sharing instance(s), the corrupt dealers in S may not do the same. To avoid an endless wait, the parties should terminate immediately after completing the sharing instances of a subset of dealers S  , where S \ S  ⊆ Z, for some Z ∈ Z. However, the set Z might be different for different honest parties, as the order in which the parties terminate various sharing instances may differ, implying that the subset S  might be different for different honest parties. Protocol ACS allows the honest parties to agree on a common subset S  satisfying the above properties. The primitive was introduced in [7] in the threshold setting and generalized for the non-threshold setting in [34]. The complexity of the protocol is equivalent to that of |S| = O(n) ABA instances. Beaver’s Circuit-Randomization. We use the Beaver’s circuit-randomization method [3] to evaluate multiplication gates in our MPC protocol. If the underlying secret-sharing scheme is linear (which is the case for [·]-sharing), then the method allows for evaluation of a multiplication gate with secret-shared inputs at the expense of publicly reconstructing two secret-shared values, using an auxiliary secret-shared multiplication triple. In more detail, let g = (x, y, z) be a multiplication gate such that the parties hold [x] and [y], and the goal is to compute a [·]-sharing of z = x · y. Moreover, let ([a], [b], [c]) be a shared multiplication triple available with the parties, such that c = a·b. We note that z = (x−a+a)·(y−b+b) and hence z = (x − a) · (y − b) + b · (x − a) + a · (y − b) + a · b. Based on this idea, to compute [z], the parties first locally compute [d] = [x − a] = [x] − [a] and [e] = [y − b] = [y] − [b], followed by publicly reconstructing d and e. The parties then locally compute [z] = d · e + d · [b] + e · [a] + [c]. If a and b are random and private, then the view of the adversary remains independent of x and y. Namely, even after learning d and e, the privacy of the gate inputs and output is preserved. We denote this protocol as Beaver(([x], [y]), ([a], [b], [c])), which can be executed in a completely asynchronous setting. If the underlying public reconstruction protocol terminates for the honest parties (which will be the case for [·]-sharing), then protocol Beaver eventually terminates for all the honest parties. The complexity of the protocol is equivalent to that of two instances of publicly reconstructing a [·]-shared value.

3

The Flaw in the AMPC Protocol of [34]

The protocol of [34] deploys the player-elimination framework [27], commonly deployed against threshold adversaries in the synchronous communication setting

Perfectly-Secure Asynchronous MPC

793

for obtaining efficient protocols (see for example [5,26]). As part of the framework, the AMPC protocol of [34] deploys several non-robust sub-protocols which succeed with all the honest parties receiving the correct output if the potentially corrupt parties behave honestly. Else, all the honest parties agree upon a subset of conflicting parties, which is either a triplet or a pair of parties, such that it is guaranteed to consist at least one corrupt party. We stress that the adversary has the flexibility to decide the choice of (corrupt and honest) parties who make it to the conflicting set. The non-robust sub-protocols are executed repeatedly until they succeed, each time with a new set of parties, which is obtained by discarding the conflicting set of parties from the previously considered set of parties. Each time a conflicting set is obtained, the adversary structure also gets updated for the next iteration by excluding subsets (from the adversary structure) which have zero overlap with the conflicting set. In [34], it is claimed that the updated party set still satisfies the Q(4) condition with respect to the updated adversary structure after every update, which is necessary for maintaining security in the subsequent invocations of the nonrobust sub-protocols. However, we show that this need not be the case, implying the breach of security in the subsequent invocations. Consider the following adversary structure Z over the set of parties P = {P1 , P2 , P3 , P4 , P5 , P6 , P7 }: Z = {{P1 , P2 }, {P1 , P3 }, {P1 , P4 }, {P1 , P5 , P6 }, {P7 }} Clearly, P satisfies the Q(4) condition. Let the parties agree upon the conflicting set {P1 , P2 , P7 }. Then the updated party set will be P  = {P3 , P4 , P5 , P6 }, while as per [34], the updated Z remains the same. Now, it is easy to see that P  does not satisfy even the Q(3) condition with respect to Z, as P  ⊆ {P1 , P3 } ∪ {P1 , P4 } ∪ {P1 , P5 , P6 }. Hence, the instances of Acast and ABA (which are used with the non-robust sub-protocols) in the subsequent invocations fail, as the existence of the Q(3) condition is necessary for the security of Acast and ABA.

4

Perfectly-Secure AVSS

We begin by presenting a protocol for the sharing phase. 4.1

Sharing Protocol

We present a protocol called Sh, which allows a designated dealer D ∈ P to verifiably [·]-share a value s ∈ K. The protocol eventually terminates for an honest D. The verifiability here ensures that even for a corrupt D, if some honest party terminates, then there exists some fixed value, say s (which could be different from s), such that s is eventually [·]-shared among the parties. The protocol proceeds as follows: D first creates a q-out-of-q additive sharing of s and generates the shares s(1) , . . . , s(q) . The share s(m) is given to all the parties in the group Gm . This distribution of shares maintains the privacy of s for an honest D, as there exists at least one group, say Gm , consisting only of honest parties whose corresponding share s(m) will not be known to the adversary.

794

A. Choudhury and N. Pappu

While the above distribution of information is sufficient for an honest D to generate [s], a potentially corrupt D may distribute “inconsistent” shares to the honest parties. So the parties publicly verify whether D has distributed a common share to all the (honest) parties in every group Gm , without revealing any additional information about this share. For this, each Pi ∈ Gm upon receiv(m) ing a share si from D, sends it to every party in Gm to check whether they received the same share from D as well, which should be the case for an honest D. If Gm consists of only honest parties and if D is honest, then this exchange of information in Gm does not reveal any information about the share s(m) . The parties in Gm then publicly confirm the pair-wise consistency of their common share. That is, a party Pi broadcasts an OKm (Pi , Pj ) message, if Pi receives the (m) value sj from Pj ∈ Gm (namely, the share which Pj received from D) and finds (m)

that si

(m)

= sj

holds. Similarly, Pj broadcasts an OKm (Pj , Pi ) message, if Pj (m)

(m)

(m)

receives the value si from Pi and finds that si = sj holds. The next step is to check if “sufficiently” many parties in each Gm confirm the receipt of a common share from D, for which the broadcasted OKm (, ) messages are used. To avoid an endless wait, the parties cannot afford to wait and receive a confirmation from all the parties in Gm , as corrupt parties in Gm may not respond. Hence, the parties wait for confirmations only from a subset of parties Cm ⊆ Gm , such that the parties excluded from Cm (who either do not respond or respond with negative confirmations) constitute a potential adversarial subset from Z. Due to the asynchronous nature of communication, the parties may get confirmations in different order and as a result, different parties may have different versions of Cm . To ensure that all the parties agree on a common Cm set, D is assigned the task of collecting the positive confirmations from the parties in Gm , followed by preparing the set Cm and broadcasting it. We call the subsets Cm as “core” sets to signify that the parties in these subsets have publicly confirmed the receipt of a common share on the behalf of the group Gm . To construct Cm , D prepares a “consistency graph” Gm over the set of parties in Gm based on the OKm (, ) messages and searches for the presence of a Z−clique in Gm . As soon as a Z−clique in Gm is found, the set of parties belonging to the Z−clique is assigned as Cm and broadcasted. Upon receiving Cm from the broadcast of D, the parties check its validity. For this, every party constructs its own local copy of the consistency graph Gm based on the various broadcasted OKm (, ) messages and checks whether the parties in Cm constitute a Z−clique in Gm . Once the parties receive a valid Cm for each Gm , they ensure that D has distributed a common share, say s(m) , to all the (honest) parties in Cm . However, this does not conclude the [·]-sharing of D’s secret, as in each Gm , the parties not included in Cm (i.e., parties in Gm \ Cm ) may not possess s(m) . Hence, the final step is to ensure that even the excluded parties possess s(m) . To get the correct s(m) , the parties excluded from Cm (i.e., parties in Gm \Cm ) take the “help” of the parties in Cm . More specifically, as part of the pair-wise (m) consistency check, Pi receives the value sj from “several” parties in Cm . Party Pi checks if there is a subset of parties Q = Cm \ Z for some Z ∈ Z, such that

Perfectly-Secure Asynchronous MPC (m)

all the parties Pj in Q reported the same sj

795

to Pi , in which case Pi sets s(m)

(m) sj .

to this common value The idea is that Q satisfies the Q(1) condition (since (2) Cm satisfies the Q condition) and hence, includes at least one honest party who sends the correct value of the missing share s(m) to Pi .

Protocol Sh(D, s) – Distribution of shares by D: The following code is executed only by D. • On having the input s ∈ K, randomly select s(1) , . . . , s(q) ∈ K, subject to the condition that s = s(1) + . . . + s(q) . • For m = 1, . . . , q, send the share s(m) to every party Pi in the group Gm . – Pair-wise consistency: For m = 1, . . . , q, the parties in Gm do the following. (m) (for the group Gm ) from D, • Each Pi ∈ Gm on receiving the share si (m) (m) sends si to every party Pj ∈ Gm . On receiving sj from Pj , broadcast (m)

(m)

OKm (Pi , Pj ), provided sj = si holds. – Identification of core sets: For m = 1, . . . , q, D does the following. • Initialize a set Cm to ∅. Additionally, construct an undirected graph Gm with the parties in Gm as the vertex set. • Add the edge (Pi , Pj ) to Gm , if OKm (Pi , Pj ) and OKm (Pj , Pi ) are received from the broadcast of Pi and Pj respectively, where Pi , Pj ∈ Gm . • Keep updating the graph Gm by repeatedly executing the above step till a Z−clique, say Wm , is identified in Gm . • Once a Z−clique Wm is identified, assign Cm := Wm . Upon computing non-empty C1 , . . . , Cq , broadcast these sets. – Verification of core sets: The parties wait to receive non-empty sets C1 , . . . , Cq from the broadcast of D. Upon receiving them, the parties verify each of these sets Cm for m = 1, . . . , q by executing the following steps. • Construct an undirected graph Gm with the parties in Gm as the vertex set. • For every Pi , Pj ∈ Cm , wait for messages OKm (Pi , Pj ) and OKm (Pj , Pi ) from Pi and Pj respectively. On receiving them, add the edge (Pi , Pj ) to Gm . • Mark Cm as valid, if the parties in Cm constitute a Z−clique in graph Gm . – Share computation and termination: If the sets C1 , . . . , Cq are marked as valid, then for m = 1, . . . , q, each party Pi in each group Gm executes the following steps to compute its share corresponding to Gm . (m) (m) • If Pi ∈ Cm , then set s(m) := si , where si has been received from D. (m) (m) to the common value, say sj , received from a subset of parties • Else, set s Pj ∈ Cm \Z for some Z ∈ Z, during the pair-wise consistency check of shares for the group Gm . Each party Pi ∈ P, upon computing the share corresponding to each Gm such that Pi ∈ Gm , terminates the protocol.

Fig. 1. The Secret-Sharing Protocol.

Theorem 4.1. Let P satisfy the Q(4) condition. Moreover, let D have input s in protocol Sh. Then, the following holds in protocol Sh.

796

A. Choudhury and N. Pappu

• Termination: If D is honest, then each honest party eventually terminates the protocol. On the other hand, if D is corrupt and some honest party terminates, then eventually, every other honest party terminates the protocol. • Correctness: If some honest party terminates, then there exists some fixed value s ∈ K, where s = s for an honest D, such that s is eventually [·]shared among the parties. • Privacy: If D is honest, then the view of Adv is independent of s. • Communication Complexity: The protocol incurs a communication of O(|Z|·poly(n)) elements from K over the point-to-point channels and a broadcast of O(|Z| · poly(n)) bits. 4.2

Reconstruction Protocol

Let s ∈ K be a value which is [·]-shared. Protocol Rec allows the parties to reconstruct s. Let [s] = (s(1) , . . . , s(q) ). To reconstruct s, party Pi needs to obtain the shares s(1) , . . . , s(q) . While Pi holds all the shares s(k) of s corresponding to the groups Gk where Pi ∈ Gk , party Pi needs to obtain the missing shares s(m) for the groups Gm where Pi ∈ Gm . For this, all the parties in Gm send the share (m) s(m) to Pi . Let sj be the value received by Pi from Pj ∈ Gm . Party Pi checks if there is a subset of parties Q = Gm \ Z for some Z ∈ Z, such that all the parties (m) Pj in Q reported the same value sj to Pi , in which case Pi sets s(m) to this (m)

common value sj . The idea is that the set Q will satisfy the Q(1) condition (since Gm satisfies the Q(2) condition) and hence, will include at least one honest party Pj , who sends the correct value of the missing share s(m) to Pi . Protocol Rec([s]) Let [s] = (s(1) , . . . , s(q) ) where s = s(1) + . . . + s(q) . – Exchanging the shares: For m = 1, . . . , q, the parties in Gm do the following. • Send the share s(m) to every party in P \ Gm . – Computing the missing shares: Each Pi ∈ P does the following.  Gm , set s(m) to be the • Corresponding to every group Gm for which Pi ∈ common value from a set of parties in Gm \ Z, for some Z ∈ Z. received s(k) + • Output s = s(m) and terminate. Gk :Pi ∈Gk

Gm :Pi ∈  Gm

Fig. 2. The reconstruction protocol.

The properties of protocol Rec are stated in Lemma 4.2. Lemma 4.2. Let s be a value which is [·]-shared among a set of parties P, such that P satisfies the Q(3) condition. Then in protocol Rec, the following holds. • Each honest party eventually terminates the protocol with output s. • The protocol needs a communication of O(|Z| · poly(n)) elements from K.

Perfectly-Secure Asynchronous MPC

5

797

Asynchronous Byzantine Agreement (ABA)

Our ABA protocol follows the traditional route of building ABA via common coin (CC) protocol [6,10,41], which in turn reduces to AVSS. We therefore begin with the design of a CC protocol in the non-threshold setting. 5.1

Common Coin (CC) Protocol

The CC protocol CC (Fig. 3) consists of two stages. In the first stage, a uniformly random, yet unknown value Coini over {0, . . . , n−1} is “attached” to every party Pi . Then, once it is ensured that a “sufficiently large” number of parties FS have been attached with their respective Coin values, in the second stage, these Coin values are publicly reconstructed, and an output bit is computed taking into account these reconstructed values. However, due to the asynchronous nature of communication, each (honest) party may have a different FS set and hence, a potentially different output bit. To circumvent this problem, the protocol ensures that there is a non-empty overlap among the contents of the FS sets of all (honest) parties. Ensuring this common overlap is the crux of the protocol. The existing CC protocols in the threshold setting [1,2,13,40] ensure that the overlap is some constant fraction of the number of parties n, which in turn guarantees that the “success probability” (namely the probability with which all honest parties have the same final output bit) is a constant fraction. This property further guarantees that the resultant ABA protocol in the threshold setting requires a constant expected number of asynchronous rounds of communication. Unfortunately, it is not clear whether a straightforward generalization of the threshold CC protocol for the non-threshold setting, will always lead to a non-empty overlap among the FS sets of all the (honest) parties, for every possible adversary structure Z. Hence, we modify the steps of the protocol so that it is always guaranteed (irrespective of Z) that there exists at least a non-empty overlap among the FS sets of all the (honest) parties, ensuring that the success probability is at least n1 (this leads to an ABA protocol which requires O(n2 ) expected number of asynchronous communication rounds). The details follow. The first stage is implemented by making each party act as a dealer to run n instances of Sh and share n random values from K, one on the behalf of each party. To ensure that Coini ∈ {0, . . . , n − 1}, the parties set K to either a finite ring or a field, where |K| ≥ n. Each party Pi creates a dynamic set of accepted dealers ADi , which includes all the dealers whose Sh instances terminate for Pi . The termination property of Sh guarantees that these dealers are eventually included in the accepted-dealer set of every other honest party as well. Party Pi then waits for a “sufficient” number of dealers to be accepted, such that ADi is guaranteed to contain at least one honest dealer. For this, Pi keeps on expanding ADi until P \ ADi ∈ Z holds (which eventually happens for an honest Pi ), thus guaranteeing that the resultant ADi satisfies the Q(1) condition. Once ADi achieves this property, Pi assigns ADi to the set ADi and publicly announces the same. This is interpreted as Pi having attached the set of dealers ADi to itself. Then, the summation of the values modulo n shared by the dealers in ADi on

798

A. Choudhury and N. Pappu

the behalf of Pi , is set to be Coini . The value Coini won’t be known to anyone at this point (including Pi ), as the value(s) shared by the honest dealer(s) in ADi on the behalf of Pi is(are) not yet known, owing to the privacy property of Sh. On receiving the set ADj from Pj , each Pi verifies if the set is “valid” by checking if the Sh instances of dealers in ADj terminate for Pi . That is, ADj ⊆ ADi holds. Once the validity of ADj is confirmed, Pi publicly “approves” the same by broadcasting an OK message for Pj (this implicitly means Pi ’s approval for the yet unknown, but well defined value Coinj ). Party Pi then waits for the approval of ADj from a set of parties Sj including itself, such that P \ Sj ∈ Z, guaranteeing that Sj satisfies the Q(2) condition. After this, Pj is included by Pi in a dynamic set of accepted parties AP i . Notice that the acceptance of Pj by Pi implies the eventual acceptance of Pj by every other honest party, as the corresponding approval (namely the OK messages) for ADj are publicly broadcasted. Waiting for an approval for Pj (and hence Coinj ) from a set of parties which satisfies the Q(2) condition, ensures that sufficiently many honest parties have approved Pj . Later, this property is crucial to ensure a non-empty overlap among the FS sets of honest parties. Party Pi keeps on expanding its accepted-party set AP i until P \ AP i ∈ Z holds and then publicly announces it with a Ready message and the corresponding AP i set, denoted by APi . On receiving the Ready message and APj from Pj , each Pi verifies if the set is “valid” by checking if the parties in APj (and hence the corresponding Coin values) are accepted by Pi itself; i.e. APj ⊆ AP i holds. Upon successful verification, Pj is included by Pi in a dynamic set of supportive parties SP i . The interpretation of SP i is that each party in SP i is “supporting” the beginning of the second stage of the protocol, by presenting a sufficiently-large valid set of accepted-parties (coins). Notice that the inclusion of Pj to SP i implies the eventual inclusion of Pj by every other honest party in its respective SP set. Once the set of supportive-parties becomes sufficiently large, i.e. P \ SP i ∈ Z holds, Pi sets a boolean indicator Flagi to 1, marking the beginning of the second stage. Let SPi denote the set of supportive-parties SP i when Flagi is set to 1. The second stage involves publicly reconstructing the unknown Coin values which were accepted by Pi till this point. Let FSi be defined to be the set of accepted-parties AP i when Flagi is set to 1. This implies that the union of the APj sets of all the parties in SPi is a subset of FSi , as each APj ⊆ AP i . The parties proceed to reconstruct the value Coink corresponding to each Pk ∈ FSi . For this, the parties start executing the corresponding Rec instances, that are required for reconstructing the secrets shared by the accepted-dealers ADk on the behalf of Pk . If any of the Coink values turns out to be 0, Pi sets the overall output to 0, else, it outputs 1 and terminates the protocol. To argue that there exists a non-empty overlap among the FS sets of the honest parties, we consider the first honest party Pi to broadcast a Ready message and claim that the set APi will be the common overlap (see Lemma 5.3). The termination of CC by an honest Pi may hamper the termination of other honest parties, as the corresponding Rec instances required to reconstruct the set of accepted Coin values by other honest parties may not terminate. This is because

Perfectly-Secure Asynchronous MPC

799

Protocol CC All computations in the protocol are done over K, which is either a finite ring or a field, with |K| ≥ n. – The following code is executed by each Pi ∈ P: 1. For 1 ≤ j ≤ n, choose a random secret sij ∈R K on the behalf of Pj , and as a D, invoke an instance of Sh(Pi , sij ) of Sh. Denote this invocation by Shij . Participate in the invocations Shjk for every Pj , Pk ∈ P. 2. Initialize a set of accepted dealers ADi to ∅. Add a party Pj to ADi , if Shjk has terminated for all 1 ≤ k ≤ n. Wait until P \ ADi ∈ Z. Then, assign ADi = ADi and broadcast the message (Attach, ADi , Pi ). The set ADi is  def considered to be the set of dealers attached to Pi . Let Coini = ( sji ) Pj ∈ADi

3.

4.

5.

6.

mod n. We saya that the coin Coini is attached to party Pi . If the message (Attach, ADj , Pj ) is received from the broadcast of Pj , then broadcast a message OK(Pi , Pj ), if all the dealers attached to Pj are accepted by Pi , i.e. ADj ⊆ ADi holds. Initialize a set of accepted parties AP i to ∅. Add Pj to AP i , if the OK(, Pj ) message is received from the broadcast of a set of parties Sj including Pi , such that P \ Sj ∈ Z. Wait until P \ AP i ∈ Z. Then, assign APi = AP i and broadcast the message (Ready, Pi , APi ). Consider Pj to be supportive and include it in the set SP i (initialized to ∅), if Pi receives the message (Ready, Pj , APj ) from the broadcast of Pj and each party in APj is accepted by Pi , i.e. APj ⊆ AP i holds. Wait until P \SP i ∈ Z. Then, set Flagi = 1 (initialized to 0). Let SPi and FSi denote the contents of SP i and AP i respectively, when Flagi becomesb 1. Wait until Flagi = 1. Then, reconstruct the value of the coin attached to each party in FSi as follows: – Start participating in the instances Rec(Pj , sjk ) corresponding to each Pj ∈ ADk , such that Pk ∈ FSi , Denote this instance of Rec as Recjk and let rjk be the corresponding output.  rjk ) mod n. – For every Pk ∈ FSi , compute Coink = ( Pj ∈ADk

7. Wait until the coins attached to all the parties in FSi are computed. If there exists a party Pk ∈ FSi where Coink = 0, then output 0. Else, output 1. Then, broadcast the message (Terminate, Pi , SPi , FSi ) followed by terminating CC. 8. If a message (Terminate, Pj , SPj , FSj ) is received from the broadcast of Pj , then check the following conditions: – SPj ⊆ SP i and FSj ⊆ AP i hold. – The value of Coink attached to every Pk ∈ FSj is computed. If the above conditions hold, then compute the output as follows and terminate: If for some Pk ∈ FSj , Coink = 0, then output 0. Else, output 1. a b

The value of Coini will not be known to anyone at this step, including Pi . Note that APj ⊆ FSi holds, as each APj ⊆ AP i . Pj ∈SPi

Fig. 3. The common coin protocol

800

A. Choudhury and N. Pappu

the termination of a Rec instance is not necessarily guaranteed if some honest parties do not participate. To circumvent this, before terminating, Pi publicly announces it along with the corresponding SPi and FSi sets. Any party who has not yet terminated the protocol, upon receiving these sets, locally verifies their validity and tries to compute its final output in the same way as done by Pi . The properties of protocol CC are stated in Lemmas 5.1–5.5. In all these lemmas, we assume that the set of parties P satisfies the Q(4) condition. Lemma 5.1. If each honest party invokes protocol CC, then each honest party eventually terminates CC. Lemma 5.2. Once some honest party Pi receives the message (Attach, ADk , Pk ) from the broadcast of any party Pk , then a unique value Coink is fixed such that the following holds: • All honest parties attach Coink with Pk . • The value Coink is distributed uniformly over {0, . . . , n−1} and is independent of the values attached with the other parties. Lemma 5.3. Once some honest party sets its Flag to 1, then there exists a set, say M, such that: (1): P \ M ∈ Z; (2): For each Pj ∈ M, some honest party receives the message (Attach, ADj , Pj ) from the broadcast of Pj . (3): Whenever any honest party Pi sets its Flagi = 1, it holds that M ⊆ FSi . Lemma 5.4. If all the honest parties have completed the protocol, then for every value σ ∈ {0, 1}, with probability at least n1 , all the honest parties output σ. Lemma 5.5. The protocol incurs a communication of O(|Z| · poly(n)) elements from K over the point-to-point channels and a broadcast of O(|Z| · poly(n)) bits. 5.2

Voting Protocol

For designing the ABA protocol using the blueprint of [6,10,41], we need another sub-protocol called the voting protocol. Informally, the voting protocol does “whatever can be done deterministically” to reach agreement. In a voting protocol, every party has a single bit as input. The protocol tries to find whether there is a detectable majority for some value among the inputs of the parties. In the protocol, each party’s output can have five different forms: 1. For σ ∈ {0, 1}, the output (σ, 2) stands for “overwhelming majority for σ”; 2. For σ ∈ {0, 1}, the output (σ, 1) stands for “distinct majority for σ”; 3. The output (Λ, 0) stands for “non-distinct majority”. The voting protocol ensures the following properties: (1): If each honest party has the same input σ, then every honest party outputs (σ, 2); (2): If some honest party outputs (σ, 2), then every other honest party outputs either (σ, 2) or (σ, 1); (3): If some honest party outputs (σ, 1) and no honest party outputs (σ, 2), then each honest party outputs either (σ, 1) or (Λ, 0).

Perfectly-Secure Asynchronous MPC

801

In [13], a voting protocol is presented in the threshold setting tolerating t < n/3 corruptions and which requires a constant number of asynchronous “rounds” of communication. The protocol can be easily generalized for the nonthreshold setting, if the set of parties P satisfies the Q(3) condition. We defer the formal details to the full version of the paper. 5.3

Asynchronous Byzantine Agreement (ABA) Protocol

Once we have the protocols CC and Vote, we get an ABA protocol (see Fig. 4) by generalizing the blueprint of [6,10,41]. The ABA protocol proceeds in iterations, where in each iteration, the parties execute an instance of Vote and CC. For the first iteration, the inputs of the parties are their inputs for the ABA protocol. For subsequent iterations, the inputs are decided based on the outcome of Vote and CC of the previous iteration as follows: If the output of Vote is (σ, 1) then a party sticks to input σ for the next iteration, else it sets the output of CC as its input for the next iteration. This process is repeated until the party obtains output (σ, 2) during an instance of Vote, in which case it broadcasts σ. Finally, once a party receives σ from the broadcast of a set of parties in some set Sacc such that P \ Sacc ∈ Z (implying that the set Sacc includes at least one honest party), it outputs σ and terminates. The termination guarantees of protocol Acast ensure that the same set of broadcast messages are eventually received by every other honest party, leading to their termination as well. The idea here is that if all honest parties start with the same input bit, then the instance of Vote during the first iteration enables them to reach agreement on this common bit.

Protocol ABA – Each Pi ∈ P executes the following code: 1. Set r = 0 and vi = xi , where xi ∈ {0, 1} is the input bit for party Pi . 2. Repeat until terminating: (each iteration is considered as a round) a. Set r = r + 1. Participate in Vote with input vr and wait for its termination. Let this instance of Vote be denoted by Voter . Let (yr , mr ) denote the output of Voter . b. Invoke CC and wait until its termination. Let this instance of CC be denoted by CCr . Let cr denote the output of CCr . c. Consider the following cases: i. If mr = 2, then set vr+1 = yr and broadcast the message (Terminate with vr ). Participate in only one more instance of Vote and only one more instance of CC. ii. If mr = 1, then set vr+1 = yr . iii. Else, set vr+1 = cr . d. Upon receiving the message (Terminate with σ) for some value σ from the broadcast of parties in some set Sacc such that P \ Sacc ∈ Z, output σ and terminate the protocol.

Fig. 4. The ABA protocol in the non-threshold setting

802

A. Choudhury and N. Pappu

Else, the instance of CC ensures that all honest parties have the same input bit for the next iteration with probability at least n1 . Theorem 5.6. Let the set of parties P satisfy the Q(4) condition. Then protocol ABA is an ABA protocol with expected running time of R = O(n2 ). The protocol incurs an expected communication complexity of O(R · |Z| · poly(n)) elements from K over the point-to-point channels and a broadcast of O(R · |Z| · poly(n)) bits.

6

Perfectly-Secure Preprocessing Phase

In this section, we present a preprocessing phase protocol with perfect security. We first present a perfectly-secure multiplication protocol, which allows the parties to securely generate a [·]-sharing of the product of two [·]-shared values. 6.1

Perfectly-Secure Multiplication

Let a and b be two [·]-shared values. Protocol Mult (Fig. 5) allows the parties to securely generate a [·]-sharing of [a · b]. The high level idea of the protocol is as follows. Let [a] = (a(1) , . . . , a(q) ) and [b] = (b(1) , . . . , b(q) ). Then, the protocol securely computes a [·]-sharing of each of the terms a(l) · b(m) , after which the parties set [a · b] to the sum of the [·]-sharing of each of the terms a(l) · b(m) . The computation of a [·]-sharing of [a(l) · b(m) ] happens as follows. Let Ql,m be the set of parties who own both a(l) as well as b(m) . Since P satisfies the Q(4) condition, it follows that Ql,m satisfies the Q(2) condition. Each party in the set Ql,m is asked to independently share a(l) · b(m) by executing an instance of Sh. Due to the asynchronous nature of communication, the parties cannot afford to terminate the Sh instances of all the parties in Ql,m , as the corrupt parties in Ql,m may not invoke their Sh instances. So, the parties invoke an instance of ACS to agree on a common subset of parties Rl,m of Ql,m , whose Sh instances eventually terminate, such that the set of excluded parties Ql,m \ Rl,m belongs to Z. Notice that Rl,m satisfies the Q(1) condition, as Ql,m satisfies the Q(2) condition. This implies that there exists at least one honest party in Rl,m who correctly shares a(l) · b(m) . However, since the exact identity of the honest parties in Rl,m is not known, the parties check if all the parties in Rl,m shared the same value by computing their differences and publicly checking if the differences are all 0. The idea here is that if all the parties in Rl,m share the same value in their respective instances of Sh, then any of these sharings can be taken as a [·]-sharing of a(l) · b(m) . However, if any of the parties in Rl,m shares an incorrect a(l) · b(m) , then it will be detected, in which case the parties publicly reconstruct both a(l) as well as b(m) and compute a default [·]-sharing of a(l) · b(m) . Notice that in the latter case, the privacy of a and b is still preserved, as the shares a(l) and b(m) are already known to the adversary.

Perfectly-Secure Asynchronous MPC

803

Protocol Mult([a], [b]) Let [a] = (a(1) , . . . , a(q) ) and [b] = (b(1) , . . . , b(q) ), with parties in Gm holding the shares a(m) and b(m) respectively, for m = 1, . . . , q. – For every ordered pair (l, m) ∈ {1, . . . , q} × {1, . . . , q}, the parties do the following to compute [a(l) · b(m) ]. • Let Ql,m ⊂ P be the set of parties who own both the shares a(l) and b(m) . def

That is, Ql,m = Gl ∩Gm . Each party Pi ∈ Ql,m acts as a dealer and [·]-shares a(l) · b(m) by invoking an instance Sh(Pi , a(l) b(m) ) of Sh. • The parties participate in the Sh instances invoked by various parties in Ql,m . • The parties execute an instance ACS(Ql,m ) of ACS to agree on a subset of parties Rl,m ⊆ Ql,m , where Ql,m \ Rl,m ⊆ Z for some Z ∈ Z, such that the Sh instances of all the parties in Rl,m eventually terminate for all (honest) parties. def

• Let r = |Rl,m | and let Rl,m = {Pα1 , . . . , Pαr }, where vi is the value shared by the party Pαi ∈ Rl,m in its Sh instancea . • The parties check whether v1 , . . . , vr are all equal. For this, the parties locally compute the r −1 differences [d1 ] = [v1 ]−[v2 ], . . . , [dr−1 ] = [v1 ]−[vr ]. This is followed by publicly reconstructing the differences d1 , . . . , dr−1 by invoking instances Rec([d1 ]), . . . , Rec([dr−1 ]) of Rec and checking if all of them are 0. • If d1 , . . . , dr−1 are all 0, then the parties set [a(l) b(m) ] = [v1 ]. • Else, the parties reconstruct a(l) , b(m) by invoking instances of Rec. The parties then set [a(l) · b(m) ] to a default [·]-sharing of a(l) · b(m) . – The parties set [a · b] = [a(l) · b(m) ] and terminate. (l,m)∈{1,...,q}×{1,...,q} a

If Pαi is honest, then vi = a(l) · b(m) holds.

Fig. 5. The perfectly-secure multiplication protocol.

The properties of protocol Mult are stated in the following theorem. Theorem 6.1. Let a and b be [·]-shared among a set of parties P, satisfying the Q(4) condition. Then in Mult, the honest parties eventually terminate with a [·]-sharing of a · b. Moreover, the view of Adv in the protocol is independent of a and b. The protocol incurs a communication of O(|Z|3 · poly(n)) elements from K over the point-to-point channels and a broadcast of O(|Z|3 · poly(n)) bits. In addition, |Z|2 instances of ACS are required. Multiplying Multiple Shared Values Simultaneously: Let ([a1 ], [b1 ]), . . . , ([a ], [b ]) be  pairs of [·]-shared values and the goal be to securely compute a [·]-sharing of the product [ci ], where ci = ai ·bi , for i = 1, . . . , . A straightforward way of doing this is to invoke  independent instances of protocol Mult, where the ith instance is used for computing [ai · bi ] from [ai ] and [bi ]. This will require a number of ACS instances which is proportional to , namely  · |Z|2 instances of ACS will be involved. Instead, the number of ACS instances can be made independent of . For this, the parties execute  instances of the protocol Mult.

804

A. Choudhury and N. Pappu

Let these instances be denoted as Mult1 , . . . , Mult . Then, for each of these  instances, for the ordered pair (l, m), the parties execute a single instance of ACS instead of  instances, to identify a single set Rl,m for all the  instances. More explicitly, the set Ql,m will be the same for Mult1 , . . . , Mult and each (l) (m) (l) party in Ql,m executes  instances of Sh to [·]-share the values a1 · b1 , . . . , a · (m) (l) (m) b respectively. Here, ai and bi denote the lth and mth shares of ai and bi respectively. Next, the parties execute a single instance of ACS to identify a subset Rl,m of Ql,m , such that the  instances of Sh of all the parties in Rl,m eventually terminate for all honest parties, where Ql,m \ Rl,m ⊆ Z, for some Z ∈ Z. The rest of the steps of Mult in the instances Mult1 , . . . , Mult are carried out as previously mentioned. With this, the number of ACS instances remains |Z|2 (one instance for each (l, m) across all the  instances of Mult). We call the modified protocol Mult({[ai ], [bi ]}i∈{1,...,} ). The protocol incurs a communication of O(·|Z|3 ·poly(n)) elements from K over the pair-wise channels and a broadcast of O( · |Z|3 · poly(n)) bits, apart from |Z|2 instances of ACS. 6.2

Preprocessing Phase Protocol with Perfect Security

The preprocessing phase protocol PP is presented in Fig. 6. The protocol outputs M number of [·]-shared random multiplication triples over K, such that the view of Adv is independent of these multiplication triples. The protocol consists of two stages. During the first stage, the parties generate M pairs of [·]-shared random values and during the second stage, a [·]-sharing of the product of each pair is computed. For the first stage, each party shares M pairs of random values, after which the parties identify a sufficiently large number of parties R whose sharing instances terminate, such that it is ensured that at least one party in R is honest. Since the honest parties in R share random values, summing up the pairs of values shared by all the parties in R results in random pairs.

Protocol PP – Generating random pairs of values: The parties execute the following steps to generate a [·]-sharing of M pairs of random values. (1) (1) (M ) (M ) • Each party Pi ∈ P picks M pairs of random values (ai , bi ), . . . , (ai , bi ) over K and [·]-shares these values by executing 2M instances of Sh. • The parties execute an instance ACS(P) of ACS to identify a set of parties R ⊆ P where P \ R ⊆ Z for some Z ∈ Z, such that the 2M instances of Sh of all the parties in R eventually terminate all the parties.  for  (k) (k) [ai ] and [bk ] = [bi ]. • For k = 1, . . . , M , the parties set [ak ] = Pi ∈R

Pi ∈R

– Computing the product of the pairs: The parties compute [c1 ], . . . , [cM ] by executing Mult({[ak ], [bk ]}k∈{1,...,M } ) and terminate.

Fig. 6. The preprocessing phase protocol.

Perfectly-Secure Asynchronous MPC

805

The properties of protocol PP are stated in Lemma 6.2. Lemma 6.2. Let the set of parties P satisfy the Q(4) condition. Then in the protocol PP, the following holds. • • • •

7

Termination: All honest parties eventually terminate the protocol. Correctness: The parties output M number of [·]-shared random triples. Privacy: The view of Adv is independent of the output multiplication triples. Communication Complexity: The protocol incurs a communication of O(M · |Z|3 · poly(n)) elements from K over the point-to-point channels and a broadcast of O(M · |Z|3 · poly(n)) bits, along with |Z|2 instances of ACS.

The AMPC Protocol

Once we have a preprocessing phase protocol, constructing an AMPC protocol is straightforward. The protocol consists of three phases. The first phase is the preprocessing phase, where the parties generate [·]-sharings of M random multiplication triples by executing the protocol PP. The second phase is the input phase, where each party [·]-shares its input by executing an instance of Sh. Due to the asynchronous nature of communication, the parties cannot afford to wait for the termination of Sh instances of all the parties and hence, they execute an instance of ACS to agree on a common subset of input providers C whose sharing instances eventually terminate, such that the remaining set of parties P \ C is a part of some set in Z. For these missing parties, a default [·]-sharing of 0 is taken as their inputs. The third phase is the circuit-evaluation phase, where the parties jointly evaluate each gate in the circuit by maintaining the invariant that given the gate inputs, the parties compute the corresponding gate output in a [·]-shared fashion. Maintaining the invariant is non-interactive for the addition gates, owing to the linearity property of [·]-sharing. For the multiplication gates, the parties deploy the standard Beaver’s circuit-randomization method. Finally, once the circuit output is available in a [·]-shared fashion, the parties publicly reconstruct it by executing an instance of Rec. Since each honest party eventually invokes this instance of Rec, all honest parties eventually terminate the protocol. As the protocol is standard, we defer the formal details to the full version of the paper. Theorem 7.1. Let f : Kn → K be a publicly known function, expressed as an arithmetic circuit over K (which could be a ring or a field), consisting of M number of multiplication gates. Moreover, let Adv be a computationally unbounded adversary, characterized by an adversary structure Z, such that the set of parties P satisfies the Q(4) condition. Then, there exists a perfectlysecure AMPC protocol tolerating Adv. The protocol incurs a communication of O(M · |Z|3 · poly(n)) elements from K over the point-to-point channels and a broadcast of O(M · |Z|3 · poly(n)) bits, along with |Z|2 + 1 instances of ACS.

806

8

A. Choudhury and N. Pappu

Open Problems

Our work leaves several open problems. The first is to improve the communication complexity of our protocol, both in terms of the dependency on |Z|, as well as in terms of the involved poly(n) factor. In this work, we considered perfect security. One could also explore statistical and computational security in the asynchronous communication model, tolerating a generalized adversary. Acknowledgement. We sincerely thank the anonymous reviewers of INDOCRYPT 2020 for several helpful remarks and comments.

References 1. Abraham, I., Dolev, D., Halpern, J.Y.: An almost-surely terminating polynomial protocol for asynchronous byzantine agreement with optimal resilience. In: Proceedings of the 27th ACM Symposium on Principles of Distributed Computing, pp. 405–414. ACM (2008) 2. Bangalore, L., Choudhury, A., Patra, A.: The power of shunning: efficient asynchronous byzantine agreement revisited. J. ACM 67(3), 14:1–14:59 (2020) 3. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 34 4. Beerliov´ a-Trub´ıniov´ a, Z., Hirt, M.: Simple and efficient perfectly-secure asynchronous MPC. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 376–392. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-769002 23 5. Beerliov´ a-Trub´ıniov´ a, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8 13 6. Ben-Or, M.: Another advantage of free choice (Extended Abstract) Completely asynchronous agreement protocols. In: Proceedings of the second Annual ACM Symposium on Principles of Distributed Computing, 27–30. ACM (1983) 7. Ben-Or, M., Canetti, R., Goldreich, O.: Asynchronous secure computation. In: Proceedings of the 25th Annual ACM Symposium on Theory of Computing, pp. 52–61. ACM (1993) 8. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2–4, 1988, Chicago, Illinois, USA, pp. 1–10. ACM (1988) 9. Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience. In: Proceedings of the 13th Annual ACM Symposium on Principles of Distributed Computing, Los Angeles, California, USA, August 14–17, 1994, pp. 183–192. ACM (1994) 10. Bracha, G.: An asynchronous [(n-1)/3]-resilient consensus protocol. In: Proceedings of the 3rd Annual ACM Symposium on Principles of Distributed Computing, pp. 154–162. ACM (1984) 11. Canetti, R.: Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute, Israel (1995)

Perfectly-Secure Asynchronous MPC

807

12. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14–17 October 2001, Las Vegas, Nevada, USA, pp. 136–145. IEEE (2001) 13. Canetti, R., Rabin, T.: Fast asynchronous Byzantine agreement with optimal resilience. In: Proceedings of the 25th Annual ACM Symposium on Theory of Computing, pp. 42–51 (1993) 14. Chaum, D., Cr´epeau, C., Damg˚ ard, I.: Multiparty unconditionally secure protocols. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2–4, 1988, Chicago, Illinois, USA, pp. 11–19. ACM (1988) 15. Choudhury, A.: Brief announcement: almost-surely terminating asynchronous Byzantine agreement protocols with a constant expected running time. In: Proceedings of the 39th Symposium on Principles of Distributed Computing, pp. 169– 171. ACM (2020) 16. Choudhury, A., Hirt, M., Patra, A.: Asynchronous multiparty computation with linear communication complexity. In: Afek, Y. (ed.) DISC 2013. LNCS, vol. 8205, pp. 388–402. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3642-41527-2 27 17. Choudhury, A., Patra, A.: Optimally resilient asynchronous mpc with linear communication complexity. In: Proceedings of the International Conference on Distributed Computing and Networking, ICDCN ’15, New York, NY, USA, 2015. Association for Computing Machinery, pp. 1–10 (2015) 18. Coretti, S., Garay, J., Hirt, M., Zikas, V.: Constant-round asynchronous multiparty computation based on one-way functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 998–1021. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6 33 19. Cramer, R., Damg˚ ard, I., Dziembowski, S., Hirt, M., Rabin, T.: Efficient multiparty computations secure against an adaptive adversary. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 311–326. Springer, Heidelberg (1999). https:// doi.org/10.1007/3-540-48910-X 22 20. Cramer, R., Damg˚ ard, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000). https://doi.org/10. 1007/3-540-45539-6 22 21. Dani, V., King, V., Movahedi, M., Saia, J.: Quorums quicken queries: efficient asynchronous secure multiparty computation. In: Chatterjee, M., Cao, J.-N., Kothapalli, K., Rajsbaum, S. (eds.) ICDCN 2014. LNCS, vol. 8314, pp. 242–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-45249-9 16 22. Fischer, M.J., Lynch, N.A., Paterson, M.: Impossibility of distributed consensus with one faulty process. J. ACM 32(2), 374–382 (1985) 23. Fitzi, M., Hirt, M., Maurer, U.: General adversaries in unconditional multi-party computation. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 232–246. Springer, Heidelberg (1999). https://doi.org/10. 1007/978-3-540-48000-6 19 24. Goldreich, O.: The Foundations of Cryptography, vol. 2. Cambridge University Press, Basic Applications (2004) 25. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game, or a completeness theorem for protocols with honest majority. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, USA, pp. 218–229. ACM (1987)

808

A. Choudhury and N. Pappu

26. Goyal, V., Liu, Y., Song, Y.: Communication-efficient unconditional MPC with guaranteed output delivery. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 85–114. Springer, Cham (2019). https://doi.org/10. 1007/978-3-030-26951-7 4 27. Hirt, M., Maurer, U., Przydatek, B.: Efficient secure multi-party computation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 143–161. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3 12 28. Hirt, M.: Multi-Party Computation: Efficient Protocols, General Adversaries, and Voting. PhD thesis, ETH Zurich, September 2001. Reprint as, vol. 3 of ETH Series in Information Security and Cryptography, ISBN 3-89649-747-2, Hartung-Gorre Verlag, Konstanz (2001) 29. Hirt, M., Maurer, U.: Complete characterization of adversaries tolerable in secure multi-party computation. In: Proceedings of the 16th Annual ACM Symposium on Principles of Distributed Computing, PODC 1997, New York, NY, USA. Association for Computing Machinery, pp. 25–34 (1997) 30. Hirt, M., Maurer, U.: Player simulation and general adversary structures in perfect multiparty computation. Journal of Cryptology 13(1), 31–60 (2000). https://doi. org/10.1007/s001459910003 31. Hirt, M., Nielsen, J.B., Przydatek, B.: Asynchronous multi-party computation with quadratic communication. In: Aceto, L., Damg˚ ard, I., Goldberg, L.A., Halld´ orsson, M.M., Ing´ olfsd´ ottir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 473–485. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-705833 39 32. Hirt, M., Tschudi, D.: Efficient general-adversary multi-party computation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 181–200. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0 10 33. Karchmer, M., Wigderson, A.: On span programs. In: Proceedings of the Eigth Annual Structure in Complexity Theory Conference, pp. 102–111 (1993) 34. Kumar, M.V.N.A., Srinathan, K., Rangan, C.P.: Asynchronous perfectly secure computation tolerating generalized adversaries. In: Batten, L., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 497–511. Springer, Heidelberg (2002). https:// doi.org/10.1007/3-540-45450-0 37 35. Kursawe, K., Freiling, F.C.: Byzantine Fault Tolerance on General Hybrid Adversary Structures. Technical Report, RWTH Aachen (2005) 36. Lampkins, J., Ostrovsky, R.: Communication-efficient MPC for general adversary structures. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 155–174. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7 10 37. Lynch, N.A.: Distributed Algorithms. Morgan Kaufmann (1996) 38. Maurer, U.: Secure multi-party computation made simple. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 14–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7 2 39. Patra, A., Choudhary, A., Rabin, T., Rangan, C.P.: The round complexity of verifiable secret sharing revisited. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 487–504. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3642-03356-8 29 40. Patra, A., Choudhury, A., Rangan, C.P.: Asynchronous byzantine agreement with optimal resilience. Distrib. Comput. 27(2), 111–146 (2013). https://doi.org/10. 1007/s00446-013-0200-5 41. Rabin, M.O.: Randomized byzantine generals. In 24th Annual Symposium on Foundations of Computer Science, Tucson, Arizona, USA, 7–9 November 1983, pp. 403– 409 (1983)

Perfectly-Secure Asynchronous MPC

809

42. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14–17, 1989, Seattle, Washigton, USA, pp. 73–85. ACM (1989) 43. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979) 44. Smith, A., Stiglic, A.: Multiparty computation unconditionally secure against Q2 adversary structures. arXiv preprint cs/9902010 (1999) 45. Srinathan, K., Pandu Rangan, C.: Efficient asynchronous secure multiparty distributed computation. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 117–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3540-44495-5 11 46. Yao, A.C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3–5 November 1982, pp. 160–164. IEEE (1982)

Improving the Efficiency of Optimally-Resilient Statistically-Secure Asynchronous Multi-party Computation Ashish Choudhury(B) International Institute of Information Technology, Bangalore, India [email protected]

Abstract. We present an optimally-resilient, statistically-secure asynchronous multi-party computation (AMPC) protocol for n parties, capable of corrupting up to t < n3 parties. Our protocol needs a communication of O(n4 ) field elements per multiplication gate. This is to be compared with previous best AMPC protocol (Patra et al., ICITS 2009) in the same setting, which needs a communication of O(n5 ) field elements per multiplication gate. To design our protocol, we present a simple and highly efficient asynchronous verifiable secret-sharing (AVSS) protocol, which is of independent interest. Keywords: Verifiable secret-sharing

1

· Secure MPC · Fault-tolerance

Introduction

Secure multi-party computation (MPC) [7,17,23,25] is a fundamental problem, both in cryptography as well as distributed computing. Informally a MPC protocol allows a set of n mutually-distrusting parties to perform a joint computation on their inputs, while keeping their inputs as private as possible, even in the presence of an adversary Adv who can corrupt any t out of these n parties. Ever since its inception, the MPC problem has been widely studied in various flavours (see for instance, [16,18–20] and their references). While the MPC problem has been pre-dominantly studied in the synchronous communication model where the message delays are bounded by known constants, the progress in the design of efficient asynchronous MPC (AMPC) protocols is rather slow. In the latter setting, the communication channels may have arbitrary but finite delays and deliver messages in any arbitrary order, with the only guarantee that all sent messages are eventually delivered. The main challenge in designing a fully asynchronous protocol is that it is impossible for an honest party to distinguish between a slow but honest sender (whose messages are delayed) and a corrupt This research is an outcome of the R&D work undertaken in the project under the Visvesvaraya PhD Scheme of Ministry of Electronics & Information Technology, Government of India, being implemented by Digital India Corporation (formerly Media Lab Asia). c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 810–831, 2020. https://doi.org/10.1007/978-3-030-65277-7_36

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

811

sender (who did not send any message). Hence, at any stage, a party cannot wait to receive messages from all the parties (to avoid endless waiting) and so communication from t (potentially honest) parties may have to be ignored. We consider a setting where Adv is computationally unbounded. In this setting, we have two class of AMPC protocols. Perfectly-secure AMPC protocols give the security guarantees without any error, while statistically-secure AMPC protocols give the security guarantees with probability at least 1−AMPC , where AMPC is any given (non-zero) error parameter. The optimal resilience for perfectly-secure AMPC is t < n/4 [6], while that for statistically-secure AMPC it is t < n/3 [8]. While there are quite a few works which consider optimallyresilient perfectly-secure AMPC protocol [5,22], not too much attention has been paid to the design of efficient statistically-secure AMPC protocol with the optimal resilience of t < n3 . We make inroads in this direction, by presenting a simple and efficient statistically-secure AMPC protocol. 1.1

Our Results and Comparison with the Existing Works

In any statistically-secure AMPC protocol, the function to be computed is abstracted as a publicly-known circuit cir over some finite field F, consisting of addition and multiplication gates and the goal is to let the parties jointly and “securely” evaluate cir. The field F is typically the Galois field GF(2κ ), where κ depends upon AMPC . The communication complexity of any AMPC protocol is dominated by the communication needed to evaluate the multiplication gates in cir (see the sequel for details). Consequently, the focus of any generic AMPC protocol is to improve the communication required for evaluating the multiplication gates in cir. The following table summarizes the communication complexity of the existing AMPC protocols with the optimal resilience of t < n3 and our protocol. Reference

Communication Complexity (in bits) for Evaluating a Single Multiplication Gate

[8]

O(n11 κ4 )

[21]

O(n5 κ)

This paper O(n4 κ)

We follow the standard approach of shared circuit-evaluation, where each value during the evaluation of cir is Shamir secret-shared [24] among the parties, with threshold t. Informally, a value s is said to be Shamir-shared with threshold t, if there exists some degree-t polynomial with s as its constant term and every party Pi holds a distinct evaluation of this polynomial as its share. In the AMPC protocol, each party Pi verifiably secret-shares its input for cir. The verifiability here ensures that if the parties terminate this step, then some value is indeed Shamir secret-shared among the parties on the behalf of Pi . To verifiably secret-share its input, each party executes an instance of asynchronous

812

A. Choudhury

verifiable secret-sharing (AVSS). Once the inputs of the parties are secret-shared, the parties then evaluate each gate in cir, maintaining the following invariant: if the gate inputs are secret-shared, then the parties try to obtain a secret-sharing of the gate output. Due to the linearity of Shamir secret-sharing, maintaining the invariant for addition gates do not need any interaction among the parties. However, for maintaining the invariant for multiplication gates, the parties need to interact with each other and hence the onus is rightfully shifted to minimize this cost. For evaluating the multiplication gates, the parties actually deploy the standard Beaver’s circuit-randomization technique [4]. The technique reduces the cost of evaluating a multiplication gate to that of publicly reconstructing two secret-shared values, provided the parties have access to a Shamir-shared random multiplication triple (a, b, c), where c = a · b. The shared multiplication triples are generated in advance in a bulk in a circuit-independent pre-processing phase, using the efficient framework proposed in [12]. The framework allows to efficiently and verifiably generate Shamir-shared random multiplication triples, using any given AVSS protocol. Once all the gates in cir are evaluated and the circuit-output is available in a secret-shared fashion, the parties publicly reconstruct this value. Since all the values (except the circuit output) during the entire computation remains Shamir-shared with threshold t, the privacy of the computation follows from the fact that during the shared circuit-evaluation, for each value in cir, Adv learns at most t shares, which are independent of the actual shared value. While the AMPC protocols of [8,21] also follow the above blue-print, the difference is in the underlying AVSS protocol. AVSS [6,8] is a well-known and important primitive in secure distributed computing. On a very high level, an AVSS protocol enhances the security of Shamir secret-sharing against a malicious adversary (Shamir secret-sharing achieves its properties only in the passive adversarial model, where even the corrupt parties honestly follow protocol instructions). The existing statisticallysecure AVSS protocols with t < n/3 [8,21] need high communication. This is because there are significant number of obstacles in designing statistically-secure AVSS with exactly n = 3t+1 parties (which is the least value of n with t < n/3). The main challenge is to ensure that all honest parties obtain their shares of the secret. We call an AVSS protocol guaranteeing this “completeness” property as complete AVSS. However, in the asynchronous model, it is impossible to directly get the confirmation of the receipt of the share from each party, as corrupt parties may never respond. To get rid off this difficulty, [8] introduces a “weaker” form of AVSS which guarantees that the underlying secret is verifiably shared only among a set of n − t parties and up to t parties may not have their shares. To distinguish this type of AVSS from complete AVSS, the latter category of AVSS is termed an asynchronous complete secret-sharing (ACSS) in [8], while the weaker version of AVSS is referred as just AVSS. Given any AVSS protocol, [8] shows how to design an ACSS protocol using n instances of AVSS. An AVSS protocol with t < n/3 is also presented in [8]. With a communication complexity of Ω(n9 κ) bits, the protocol is highly expensive. This AVSS protocol when used in their ACSS protocol requires a communication complexity Ω(n10 κ). Apart from

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

813

being communication expensive, the AVSS of [8] involves a lot of asynchronous primitives such as ICP, A-RS, AWSS and Two & Sum AWSS. In [21], a simplified AVSS protocol with communication complexity O(n3 κ) bits is presented, based on only ICP and AWSS. This AVSS is then converted into an ACSS following [8], making the communication complexity of their ACSS O(n4 κ) bits. In this work, we further improve upon the communication complexity of the ACSS of [21]. We first design a new AVSS protocol with a communication complexity O(n2 κ) bits. Then using the approach of [8], we obtain an ACSS protocol with communication complexity O(n3 κ) bits. Our AVSS protocol is conceptually simpler and is based on just the ICP primitive and hence easy to understand. Moreover, since we avoid the usage of AWSS in our AVSS, we get a saving of Θ(n) in the communication complexity, compared to [21] (the AVSS of [21] invokes n instances of AWSS, which is not required in our AVSS).

2

Preliminaries, Definitions and Existing Tools

We assume a set of n parties P = {P1 , . . . , Pn }, connected by pair-wise private and authentic asynchronous channels. A computationally unbounded active adversary Adv can corrupt any t < n/3 parties. We assume n = 3t + 1, so that t = Θ(n). In our protocols, all computation are done over a Galois field F = GF(2κ ). The parties want to compute a function f over F, represented by a publicly known arithmetic circuit cir over F. For simplicity and without loss of generality, we assume that each party Pi ∈ P has a single input x(i) for the function f and there is a single function output y = f (x(1) , . . . , x(n) ), which is supposed to be learnt by all the parties. The circuit cir consists of cM multiplication gates. We require |F| > n. Additionally, we need the condition n5 κ 2κ −(3cM +1) ≤ AMPC to hold. Looking ahead, this will ensure that the error probability of our AMPC protocol is upper bounded by AMPC . We assume that α1 , . . . , αn are distinct, non-zero elements from F, where αi is associated with Pi as the “evaluation point”. By communication complexity of a protocol, we mean the total number of bits communicated by the honest parties in the protocol. While denoting the communication complexity of a protocol, we use the term BC() to denote that  bits are broadcasted in the protocol. 2.1

Definitions

A degree-d univariate polynomial is of the form f (x) = a0 + . . . + ad xd , where each ai ∈ F. A degree-(, m) bivariate polynomial F (x, y) is of the form F (x, y) = i=,j=m def def rij xi y j , where each rij ∈ F. Let fi (x) = F (x, αi ), gi (y) = F (αi , y). i,j=0 We call fi (x) and gi (y) as ith row and column polynomial respectively of F (x, y) and often say that fi (x), gi (y) lie on F (x, y). We use the following well-known lemma, which states that if there are “sufficiently many” degree-t univariate polynomials which are “pair-wise consistent”, then there exists a unique degree(t, t) bivariate polynomial, passing through these univariate polynomials.

814

A. Choudhury

Lemma 1 (Pair-wise Consistency Lemma [1,10]). Let fi1 (x), . . . , fi (x), gj1 (y), . . . , gjm (y) be degree-t polynomials where , m ≥ t + 1 and i1 , . . . , i , j1 , . . . , jm ∈ {1, . . . , n}. Moreover, let for every i ∈ {i1 , . . . , i } and every j ∈ {j1 , . . . , jm }, fi (αj ) = gj (αi ) holds. Then there exists a unique degree-(t, t) bivariate polynomial, say F (x, y), such that the row polynomials fi1 (x), . . . , fi (x) and the column polynomials gj1 (y), . . . , gjm (y) lie on F (x, y). We next give the definition of complete t-sharing. Definition 1 (t-sharing and Complete t-sharing). A value s ∈ F is said to be t-shared among C ⊆ P, if there exists a degree-t polynomial, say f (x), with def f (0) = s, such that each honest Pi ∈ C holds its share si = f (αi ). The vector of shares of s corresponding to the honest parties in C is denoted as [s]Ct . A set of values S = (s(1) , . . . , s(L) ) ∈ FL is said to be t-shared among a set of parties C, if each s(i) ∈ S is t-shared among C. A value s ∈ F is said to be completely t-shared, denoted as [s]t , if s is t-shared among the entire set of parties P; that is C = P holds. Similarly, a set of values S ∈ FL is completely t-shared, if each s(i) ∈ F is completely t-shared Note that complete t-sharings are linear: given [a]t , [b]t , then [a + b]t = [a]t + [b]t and [c · a]t = c · [a]t hold, for any public c ∈ F. Definition 2 (Asynchronous Complete Secret Sharing (ACSS) [8,21]). Let CSh be an asynchronous protocol, where there is a designated dealer D ∈ P with a private input S = (s(1) , . . . , s(L) ) ∈ FL . Then CSh is a (1 − ACSS ) ACSS protocol for a given error parameter ACSS , if the following requirements hold. • Termination: Except with probability ACSS , the following holds. (a): If D is honest and all honest parties participate in CSh, then each honest party eventually terminates CSh. (b): If some honest party terminates CSh, then every other honest party eventually terminates CSh. • Correctness: If the honest parties terminate CSh, then except with probability ACSS , there exists some S ∈ FL which is completely t-shared, where S = S for an honest D. • Privacy: If D is honest, then the view of Adv during CSh is independent of S. We stress that all the existing works on asynchronous VSS/CSS [2,5,6,8,22] follow the above “property-based” definition. Even in the synchronous setting, to the best of our knowledge, all the works on VSS/CSS follow a corresponding property-based definition, except the work of [1]. The work of [1] presents an ideal-world functionality of VSS/CSS and give a corresponding simulationbased security proof of their VSS protocol. To the best of our knowledge, an ideal-world functionality to model VSS/CSS in the asynchronous setting has not been done till now. There are inherent technical challenges to model VSS/CSS (and in general any secure distributed computing task) in the asynchronous setting, specifically to deal with asynchronous message delivery, controlled by the adversary. As the main focus of this work is to design a communication-efficient

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

815

ACSS (and AMPC), we defer the formalization of the ideal-world functionality of AVSS/ACSS and corresponding simulation-based security proof of our ACSS to the full version of the paper. We next give the definition of asynchronous information-checking protocol (AICP), which will be used in our ACSS protocol. An AICP involves three entities: a signer S ∈ P, an intermediary I ∈ P and a receiver R ∈ P, along with the set of parties P acting as verifiers. Party S has a private input S. An AICP can be considered as information-theoretically secure analogue of digital signatures, where S gives a “signature” on S to I, who eventually reveals it to R, claiming that it got the signature from S. The protocol proceeds in the following three phases, each of which is implemented by a dedicated sub-protocol. • Distribution Phase: Executed by a protocol Gen, where S sends S to I along with some auxiliary information and to each verifier, S gives some verification information. • Authentication Phase: Executed by P through a protocol Ver, to verify whether S distributed “consistent” information to I and the verifiers. Upon successful verification I sets a Boolean variable VS,I to 1 and the information held by I is considered as the information-checking signature on S, denoted as ICSig(S → I, S). The notation S → I signifies that the signature is given by S to I. • Revelation Phase: Executed by I, R and the verifiers by running a protocol RevPriv, where I reveals ICSig(S → I, S) to R, who outputs S after verifying S. Definition 3 (AICP [21]). A triplet of protocols (Gen, Ver, RevPriv) where S has a private input S ∈ FL for Gen is called a (1 − AICP )-secure AICP, for a given error parameter AICP , if the following holds for every possible Adv. • Completeness: If S, I and R are honest, then I sets VS,I to 1 during Ver. Moreover, R outputs S at the end of RevPriv. • Privacy: If S, I and R are honest, then the view of Adv is independent of S. ¯ and if • Unforgeability: If S and R are honest, I reveals ICSig(S → I, S) R outputs S¯ during RevPriv, then except with probability at most AICP , the condition S¯ = S holds. • Non-repudiation: If S is corrupt and if I, R are honest and if I sets VS,I ¯ during Ver, then except with probability AICP , R to 1 holding ICSig(S → I, S) outputs S¯ during RevPriv. We do not put any termination condition for AICP. Looking ahead, we use AICP as a primitive in our ACSS protocol and the termination conditions in our instantiation of ACSS ensure that the underlying instances of AICP also terminate. Finally, we give the definition of two-level t-sharing with IC-signatures, which is the data structure generated by our AVSS protocol, as well as by the AVSS protocols of [8,21]. This sharing is an enhanced version of t-sharing, where each share is further t-shared. Moreover, for the purpose of authentication, each second-level share is signed.

816

A. Choudhury

Definition 4 (Two-level t-Sharing with IC-signatures [21]). A set of values S = (s(1) , . . . , s(L) ) ∈ FL is said to be two-level t-shared with IC-signatures if there exists a set C ⊆ P with |C| ≥ n − t and a set Cj ⊆ P for each Pj ∈ C with |Cj | ≥ n − t, such that the following conditions hold. • Each s(k) ∈ S is t-shared among C, with each party Pj ∈ C holding its primary(k) share sj . • For each primary-share holder Pj ∈ C, there exists a set of parties Cj ⊆ P, (k) such that each primary-share sj is t-shared among Cj , with each Pi ∈ Cj (k)

(k)

holding the secondary-share sj,i of the primary-share sj . (1)

(L)

• Each primary-share holder Pj ∈ C holds ICSig(Pi → Pj , (sj,i , . . . , sj,i )), corresponding to each honest secondary-share holder Pi ∈ Cj . We stress that the Cj sets might be different for each Pj ∈ C. Formalizing the security definition of MPC is subtle, and in itself is an interesting field of research. The standard security notion in the synchronous setting is that of universal composability (UC), based on the real-world/ideal-world based simulation paradigm [11]. Informally, a protocol Πreal for MPC is defined to be secure in this paradigm, if it securely “emulates” an ideal-world protocol Πideal . In Πideal , all the parties give their respective inputs for the function f to be computed to a trusted third party (TTP), who locally computes the function output and sends it back to all the parties. Protocol Πreal is said to securely emulate Πideal if for any adversary attacking Πreal , there exists an adversary attacking Πideal that induces an indistinguishable output in Πideal , where the output is the concatenation of the outputs of the honest parties and the view of the adversary. In the case of the asynchronous setting, the local output of the honest parties is only an approximation of the pre-specified function f over a subset C of the local inputs, the rest being taken to be 0, where |C| ≥ n − t. This is to model the fact that in a completely asynchronous setting, “input-provision” is impossible and inputs of up to t (potentially honest) parties may be ignored for computation. Protocol Πreal is said to be statistically-secure in the asynchronous setting if the local outputs of the honest players are correct (except with some error probability for a given error parameter), Πreal terminates eventually for all honest parties (except with some error probability for a given error parameter), and the output of Πreal is statistically-indistinguishable from the output of Πideal (which involves a TTP that computes an approximation of f ). We refer to [13,14] for the complete formalization of the UC-security definition of MPC in the asynchronous communication setting, with eventual message delivery. 2.2

Existing Asynchronous Protocols Used in Our ACSS Protocol

nκ and where Gen, We use the AICP protocol of [21], where AICP ≤ 2κ −(L+1) Ver and RevPriv has communication complexity of O((L + nκ)κ), O(nκ2 ) and O((L + nκ)κ) bits respectively. In the AICP, any party in P can play the role of S, I and R. We use the following terms while using the AICP of [21].

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

817

• “Pi gives ICSig(Pi → Pj , S) to Pj ” to mean that Pi acts as a signer S and invokes an instance of the protocol Gen, where Pj plays the role of intermediary I. • “Pj receives ICSig(Pi → Pj , S) from Pi ” to mean that Pj as an intermediary I holds ICSig(Pi → Pj , S) and has set VPi ,Pj to 1 during Ver, with Pi being the signer S. • “Pj reveals ICSig(Pi → Pj , S) to Pk ” to mean Pj as an intermediary I invokes an instance of RevPriv, with Pi and Pk playing the role of S and R respectively. • “Pk accepts ICSig(Pi → Pj , S)” to mean that Pk as a receiver R outputs S, during the instance of RevPriv, invoked by Pj as I, with Pi playing the role of S. We also use the asynchronous reliable broadcast protocol of Bracha [9], which allows a designated sender S ∈ P to identically send a message m to all the parties, even in the presence of Adv. If S is honest, then all honest parties eventually terminate with output m. If S is corrupt but some honest party terminates with an output m , then eventually every other honest party terminates with output m . The protocol has communication complexity O(n2 · ) bits, if sender’s message m consists of  bits. We use the term Pi broadcasts m to mean that Pi acts as S and invokes an instance of Bracha’s protocol to broadcast m. Similarly, the term Pj receives m from the broadcast of Pi means that Pj (as a receiver) completes the execution of Pi ’s broadcast (namely the instance of broadcast protocol where Pi is S), with m as output.

3

Verifiably Generating Two-Level t-sharing with IC Signatures

We present a protocol Sh, which will be used as a sub-protocol in our ACSS scheme. In the protocol, there exists a designated D ∈ P with a private input S ∈ FL and the goal is to verifiably generate a two-level t-sharing with IC signatures of S. The verifiability allows the parties to publicly verify if D behaved honestly, while preserving the privacy of S for an honest D. We first present the protocol Sh assuming that D has a single value for sharing, that is L = 1. The modifications needed to share L values are straight-forward. To share s, D hides s in the constant term of a random degree-(t, t) bivariate polynomial F (x, y). The goal is then to let D distribute the row and column polynomials of F (x, y) to respective parties and then publicly verify if D has distributed consistent row and column polynomials to sufficiently many parties, which lie on a single degree-(t, t) bivariate polynomial, say F¯ (x, y), which is considered as D’s committed bivariate polynomial (if D is honest then F¯ (x, y) = F (x, y) holds). Once the existence of an F¯ (x, y) is confirmed, the next goal is to let each Pj who holds its row polynomial F¯ (x, αj ) lying on F¯ (x, y), get signature on F¯ (αi , αj ) values from at least n − t parties Pi . Finally, once n − t parties Pj get their row polynomials signed, it implies the generation of two-level t-sharing of s = F¯ (0, 0) with IC signatures. Namely, s will be t-shared through

818

A. Choudhury

degree-t column polynomial F¯ (0, y). The set of signed row-polynomial holders Pj will constitute the set C, where Pj holds the primary-share F¯ (0, αj ), which is the constant term of its row polynomial F¯ (x, αj ). And the set of parties Pi who signed the values F¯ (αi , αj ) for Pj constitute the Cj set with Pi holding the secondary-share F¯ (αi , αj ), thus ensuring that the primary-share F¯ (0, αj ) is t-shared among Cj through degree-t row polynomial F¯ (x, αj ). For a pictorial depiction of how the values on D’s bivariate polynomial constitute the two-level t-sharing of its constant term, see Fig. 1.

P1 .. . Pj .. . P2t+1

⇒ .. . ⇒ .. . ⇒

[s = F (0, 0)]Ct P1 ⇓ ⇓ F (0, α1 ) F (α1 , α1 ) .. .. . . F (0, αj ) F (α1 , αj ) .. .. . . F (0, α2t+1 ) F (α1 , α2t+1 )

... ... .. . ... .. . ...

Pi ⇓ F (αi , α1 ) .. . F (αi , αj ) .. . F (αi , α2t+1 )

... ... .. . ... .. . ...

P2t+1 ⇓ F (α2t+1 , α1 ) ⇐ [F (0, α1 )]Ct 1 .. . C F (α2t+1 , αj ) ⇐ [F (0, αj )]t j .. . C F (α2t+1 , α2t+1 ) ⇐ [F (0, α2t+1 )]t 2t+1

Fig. 1. Two-level t-sharing with IC signatures of s = F (0, 0). Here we assume that C = {P1 , . . . , P2t+1 } and Cj = {P1 , . . . , P2t+1 } for each Pj ∈ C. Party Pj will possess all the values along the j th row, which constitute the row polynomial fj (x) = F (x, αj ). Column-wise, Pi possesses the values in the column labelled with Pi , which lie on the column polynomial gi (y) = F (αi , y). Party Pj will possess Pi ’s information-checking signature on the common value fj (αi ) = F (αi , αj ) = gi (αj ) between Pj ’s row polynomial and Pi ’s column polynomial, denoted by blue color. (Color figure online)

The above stated goals are achieved in four stages, each of which is implemented by executing the steps in one of the highlighted boxes in Fig. 2 (the purpose of the steps in each box appears as a comment outside the box). To begin with, D distributes the column polynomials to respective parties (the row polynomials are currently retained) and tries to get all the row polynomials signed by a common set M of n − t column holders, by asking each of them to sign the common values between their column polynomials and row polynomials. That is, each Pi is given its column polynomial gi (y) = F (αi , y) and is asked to sign the values fji for j = 1, . . . , n, where fji = fj (αi ) and fj (x) = F (x, αj ) is the j th row polynomial. Party Pi signs the values f1i , . . . , fni for D after verifying that all of them lie on its column polynomial gi (y) and then publicly announces the issuance of signatures to D by broadcasting a MC message (standing for “matched column”). Once a set M of n−t parties broadcasts MC message, it confirms that the row polynomials held by D and the column polynomials of the parties in M together lie on a single degree-(t, t) bivariate polynomial (due to the pair-wise consistency Lemma 1). This also confirms that D is committed to a single (yet unknown) degree-(t, t) bivariate polynomial. The next stage is to let D distribute the row polynomials of this committed bivariate polynomial to individual parties.

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

819

To prevent a potentially corrupt D from distributing arbitrary polynomials to the parties as row polynomials, D actually sends the signed row polynomials to the individual parties, where the values on the row polynomials are signed by the parties in M. Namely, to distribute the row polynomial fj (x) to Pj , D reveals the fj (αi ) values to Pj , signed by the parties Pi ∈ M. The presence of the signatures ensure that D reveals the correct fj (x) polynomial to Pj , as there are at least t + 1 honest parties in M, whose signed values uniquely define fj (x). Upon the receipt of correctly signed row polynomial, Pj publicly announces it by broadcasting a MR message (standing for “matched row”). The next stage is to let such parties Pj obtain “fresh” signatures on n − t values of fj (x) by at least n − t parties Cj . We stress that the signatures of the parties in M on the values of fj (x), which are revealed by D cannot be “re-used” and hence M cannot be considered as Cj , as IC-signatures are not “transferable” and those signatures were issued to D and not to Pj . We also stress that the parties in M cannot be now asked to re-issue fresh signatures on Pj ’s row polynomial, as corrupt parties in M may now not participate honestly during this process. Hence, Pj has to ask for the fresh signatures on fj (x) from every potential party. The process of Pj getting fj (x) freshly signed can be viewed as Pj recommitting its received row polynomial to a set of n − t column-polynomial holders. However, extra care has to be taken to prevent a potentially corrupt Pj from getting fresh signatures on arbitrary values, which do not lie in fj (x). This is done as follows. Party Pi on receiving a “signature request” for fji from Pj signs it, only if it lies on Pi ’s column polynomial; that is fji = gi (αj ) holds. Then after receiving the signature from Pi , party Pj publicly announces the same. Now the condition for including Pi to Cj is that apart from Pj , there should exist at least 2t other parties Pk who has broadcasted MR messages and who also got their respective row polynomials signed by Pi . This ensures that there are total 2t + 1 parties who broadcasted MR messages and whose row polynomials are signed by Pi . Now among these 2t + 1 parties, at least t + 1 parties Pk are honest, whose row polynomials fk (x) lie on D’s committed bivariate polynomial. Since these t + 1 parties got signature on fk (αi ) values from Pi , this further implies that fk (αi ) = gi (αk ) holds for these t + 1 honest parties Pk , further implying that Pi ’s column polynomial gi (y) also lies on D’s committed bivariate polynomial. Now since fji = gi (αj ) holds for Pj as well, it implies that the value which Pj got signed by Pi is gi (αj ), which is the same as fj (αi ). Finally, If D finds that the set Cj has n − t parties, then it includes Pj in the C set, indicating that Pj has recommitted the correct fj (x) polynomial. The last stage of Sh is the announcement of the C set and its public verification. We stress that this stage of the protocol Sh will be triggered in our ACSS scheme, where Sh will be used as a sub-protocol. Looking ahead, in our ACSS protocol, D will invoke several instances of Sh and a potential C set is built independently for each of these instances. Once all these individual C sets achieve the cardinality of at least n − t and satisfy certain additional properties in the ACSS protocol, D will broadcast these individual C sets and parties will have to verify each C set individually. The verification of a publicly announced

820

A. Choudhury

C set as part of an Sh instance is done by this last stage of the Sh protocol. To verify the C set, the parties check if its cardinality is at least n − t, each party Pj in C has broadcasted MR message and recommitted its row polynomial correctly to the parties in Cj . We stress that there is no termination condition in Sh. The protocol will be used as a sub-protocol in our ACSS and terminating conditions of ACSS will ensure that all underlying instances of Sh terminate, if ACSS terminates. Protocol Sh is presented in Fig. 2. Comparison with the AVSS Protocol of [21]. The sharing phase protocol of the AVSS of [21] also uses a similar four-stage approach as ours. However, the difference is in the first two stages. Namely, to ensure that D is committed to a single bivariate polynomial, each row polynomial fj (x) is first shared by D using an instance of asynchronous weak secret-sharing (AWSS) and once the commitment is confirmed, each polynomial fj (x) is later reconstructed towards the corresponding designated party Pj . There are n instances of AWSS involved, where each such instance is further based on distributing shares lying on a degree(t, t) bivariate polynomial. Consequently, the resultant AVSS protocol becomes involved. We do not involve any AWSS instances for confirming D’s commitment to a single bivariate polynomial. Apart from giving us a saving of Θ(n) in communication complexity, it also makes the protocol conceptually much simpler. We next proceed to prove the properties of protocol Sh protocol. In the proofs, we use the fact that the error probability of a single instance of AICP in Sh is AICP , where AICP ≤ 2κnκ −2 , which is obtained by substituting L = 1 in the AICP of [21]. Lemma 2. In protocol Sh, if D is honest, then except with probability n2 · AICP , all honest parties are included in the C set. This further implies that D eventually finds a valid C set. Proof. Since D is honest, each honest Pi eventually receives the degree-t column polynomial gi (y) from D. Moreover, Pi also receives the values fji from D for signing, such that fji = gi (αj ) holds. Furthermore, Pi eventually gives the signatures on these values to D and broadcasts MCi . As there are at least 2t + 1 honest parties who broadcast MCi , it implies that D eventually finds a set M of size 2t + 1 and broadcasts the same. Next consider an arbitrary honest party Pj . Since D is honest, it follows that corresponding to any Pi ∈ M, the signature ICSig(Pi → D, fji ) revealed by D to Pj will be accepted by Pj : while this is always true for an honest Pi (follows the correctness property of AICP), for a corrupt Pi ∈ M it holds except with probability AICP (follows from the non-repudiation property of AICP). Moreover, the revealed values {(αi , fji )}Pi ∈M interpolate to a degree-t row polynomial. As there can be at most t ≤ n corrupt parties Pi in M, it follows that except with probability n·AICP , the conditions for Pj to broadcast MRj are satisfied and hence Pj eventually broadcasts MRj . As there are at most n honest parties, it follows that except with probability n2 · AICP , all honest parties eventually broadcast MR.

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

821

Protocol Sh(D, s) %Distribution of values and identification of signed column polynomials.

– Distribution of Column Polynomials and Common Values on Row Polynomials by D: The following code is executed only by D. • Select a random degree-(t, t) bivariate polynomial F (x, y) over F, such that F (0, 0) = s. • Send gj (y) = F (αj , y) to each Pj ∈ P. And send fj (αi ) to each Pi ∈ P, where fj (x) = F (x, αj ). – Signing Common Values on Row Polynomials for D: Each Pi ∈ P (including D) executes the following code. • Wait to receive a degree-t column polynomial gi (y) and for j = 1, . . . , n the values fji from D. • On receiving the values from D, give ICSig(Pi → D, fji ) to D for j = 1, . . . , n and broadcast the message MCi , provided fji = gi (αj ) holds for each j = 1, . . . , n. – Identifying Signed Column Polynomials: The following code is executed only by D: • Include Pi to an accumulative set M (initialized to ∅), if MCi is received from the broadcast of Pi and D received ICSig(Pi → D, fji ) from Pi , for each j = 1, . . . , n. • Wait till |M| = 2t + 1. Once |M| = 2t + 1, then broadcast M. % Distribution of signed row polynomials by D and verification by the parties.

– Revealing Row Polynomials to Respective Parties: for j = 1, . . . , n, D reveals ICSig(Pi → D, fji ) to Pj , for each Pi ∈ M. – Verifying the Consistency of Row Polynomials Received from D: Each Pj ∈ P (including D) broadcasts MRj , if the following holds. • Pj received an M with |M| = 2t + 1 from D and MCi from each Pi ∈ M. • Pj accepted {ICSig(Pi → D, fji )}Pi ∈M and {(αi , fji )}Pi ∈M lie on a degree-t polynomial fj (x).

%Recommitment of row polynomials.

– Getting Signatures on Row Polynomial: Each Pj ∈ P (including D) executes the following. • If Pj has broadcast MRj , then for i = 1, . . . , n, send fj (αi ) to Pi for getting Pi ’s signature. Upon receiving ICSig(Pi → Pj , fji ) from Pi , broadcast (SRj , Pi ), if fji = fj (αi ) holds. • If Pi sent fij and has broadcast MRi , give ICSig(Pj → Pi , fij ) to Pi , provided fij = gj (αi ) holds. – Preparing the Cj Sets and C Set: the following code is executed only by D. • Include Pi in Cj (initialized to ∅), if (SRk , Pi ) is received from the broadcast of at least 2t + 1 parties Pk (including Pj ) who have broadcasted the message

Fig. 2. Two-level secret-sharing with IC signatures of a single secret.

822

A. Choudhury MRk . • Include Pj ∈ C (initialized to ∅), if |Cj | ≥ n − t. Keep on including new parties Pi in Cj even after including Pj to C, if the above conditions for Pi ’s inclusion to Cj are satisfied.

%Public announcement of C and verification. This code will be triggered by our ACSS protocol..

– Publicly Announcing the C Set: D broadcasts C and Cj for each Pj ∈ C. – Verification of the C Set by the Parties: Upon receiving C and Cj sets from the broadcast of D, each party Pm ∈ P checks if C is valid by checking if all the following conditions hold for C. • |C| ≥ n − t and each party Pj ∈ C has broadcast MRj . • For each Pj ∈ C, |Cj | ≥ n−t. Moreover, for each Pi ∈ Cj , the message (SRk , Pi ) is received from the broadcast of at least 2t + 1 parties Pk (including Pj ) who broadcasted MRk .

Fig. 2. (continued)

Finally, consider an arbitrary pair of honest parties Pi , Pj . Since D is honest, the condition fj (αi ) = gi (αj ) holds. Now Pi eventually receives fji = fj (αi ) from Pj for signing and finds that fji = gi (αj ) holds and hence gives the signature ICSig(Pi → Pj , fji ) to Pj . Consequently, Pj eventually broadcasts (SRj , Pi ). As there are at least 2t + 1 honest parties Pk , who eventually broadcast (SRk , Pi ), it follows that Pi is eventually included in the set Cj . As there are at least 2t + 1 honest parties, the set Cj eventually becomes of size 2t + 1 and hence Pj is eventually included in C. Lemma 3. In protocol Sh, if some honest party receives a valid C set from D, then every other honest party eventually receives the same valid C set from D. Proof. Since the C set is broadcasted, it follows from the properties of broadcast that all honest parties will receive the same C set, if at all D broadcasts any C set. Now it is easy to see that if a broadcasted C set is found to be valid by some honest party Pm , then it will be considered as valid by every other honest party. This is because in Sh the validity conditions for C which hold for Pm will eventually hold for every other honest party. Lemma 4. Let R be the set of parties Pj , who broadcast MRj messages during Sh. If |R| ≥ 2t + 1, then except with probability n2 · AICP , there exists a degree(t, t) bivariate polynomial, say F (x, y), where F (x, y) = F (x, y) for an honest D, such that the row polynomial fj (x) held by each honest Pj ∈ R satisfies fj (x) = F (x, αj ) and the column polynomial gi (y) held by each honest Pi ∈ M satisfies gi (y) = F (αi , y).

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

823

Proof. Let l and m be the number of honest parties in the set R and M respectively. Since |R| ≥ 2t + 1 and |M| = 2t + 1, it follows that l, m ≥ t + 1. For simplicity and without loss of generality, let {P1 , . . . , Pl } and {P1 , . . . , Pm } be the honest parties in R and M respectively. We claim that except with probability AICP , the condition fj (αi ) = gi (αj ) holds for each j ∈ [l] and i ∈ [m], where fj (x) and gi (y) are the degree-t row and column polynomials held by Pj and Pi respectively. The lemma then follows from the properties of degree-(t, t) bivariate polynomials (Lemma 1) and the fact that there can be at most n2 pairs of honest parties (Pi , Pj ). We next proceed to prove our claim. The claim is trivially true with probability 1, if D is honest, as in this case, the row and column polynomials of each pair of honest parties Pi , Pj will be pair-wise consistent. So we consider the case when D is corrupt. Let Pj and Pi be arbitrary parties in the set {P1 , . . . , Pl } and {P1 , . . . , Pm } respectively. Since Pj broadcasts MRj , it implies that Pj accepted the signature ICSig(Pi → D, fji ), revealed by D to Pj . Moreover, the values (α1 , fj1 ), . . . , (αm , fjm ) interpolated to a degree-t polynomial fj (x). Furthermore, Pj also receives MCi from the broadcast of Pi . From the unforgeability property of AICP, it follows that except with probability AICP , the signature ICSig(Pi → D, fji ) is indeed given by Pi to D. Now Pi gives the signature on fji to D, only after verifying that the condition fji = gi (αj ) holds, which further implies that fj (αi ) = gi (αj ) holds, thus proving our claim. Finally, it is easy to see that F (x, y) = F (x, y) for an honest D, as in this case, the row and column polynomials of each honest party lie on F (x, y). Lemma 5. In the protocol Sh, if D broadcasts a valid C, then except with probability n2 · AICP , there exists some s ∈ F, where s = s for an honest D, such that s is eventually two-level t-shared with IC signature. Proof. Since the C set is valid, it implies that the honest parties receive C and Cj for each Pj ∈ C from the broadcast of D, where |C| ≥ n − t = 2t + 1 and |Cj | ≥ n−t = 2t+1. Moreover, the parties receive MRj from the broadcast of each Pj ∈ C. Since |C| ≥ 2t + 1, it follows from Lemma 4, that except with probability n2 · AICP , there exists a degree-(t, t) bivariate polynomial, say F (x, y), where F (x, y) = F (x, y) for an honest D, such that the row polynomial fj (x) held by each honest Pj ∈ C satisfies fj (x) = F (x, αj ) and the column polynomial gi (y) held by each honest Pi ∈ M satisfies gi (y) = F (αi , y). We define s = F (0, 0) and show that s is two-level t-shared with IC signatures. We first show the primary and secondary-shares corresponding to s. Consider def the degree-t polynomial g0 (y) = F (0, y). Since s = g0 (0), the value s is tshared among C through g0 (y), with each Pj ∈ C holding its primary-share def sj = g0 (αj ) = fj (0). Moreover, each primary-share sj is further t-shared among Cj through the degree-t row polynomial fj (x), with each Pi ∈ Cj holding its secondary-share fj (αi ) in the form of gi (αj ). If D is honest, then s = s as F (x, y) = F (x, y) for an honest D. We next show that each Pj ∈ C holds the IC-signatures of the honest parties from the Cj set on the secondary-shares. Consider an arbitrary Pj ∈ C. We claim that corresponding to each honest Pi ∈ Cj , party Pj holds the signature ICSig(Pi → Pj , fji ), where fji = F (αi , αj ).

824

A. Choudhury

The claim is trivially true for an honest Pj . This is because fj (αi ) = F (αi , αj ) and Pj includes Pi in the set Cj only after receiving the signature ICSig(Pi → Pj , fji ) from Pi , such that the condition fji = fj (αi ) holds. We next show that the claim is true, even for a corrupt Pj ∈ C. For this, we show that for each honest Pi ∈ Cj , the column polynomial gi (y) held by Pi satisfies the condition that gi (y) = F (αi , y). The claim then follows from the fact that Pi gives the signature ICSig(Pi → Pj , fji ) to Pj , only after verifying that the condition fji = gi (αj ) holds. So consider a corrupt Pj ∈ C and an honest Pi ∈ Cj . We note that Pj is allowed to include Pi to Cj , only if at least 2t + 1 parties Pk (including Pj ) who have broadcasted MRk , has broadcast (SRk , Pi ). Let H be the set of such honest parties Pk . For each Pk ∈ H, the row polynomial fk (x) held by Pk satisfies the condition fk (x) = F (x, αk ) (follows from the proof of Lemma 4). Furthermore, for each Pk ∈ H, the condition fk (αi ) = gi (αk ) holds, where gi (y) is the degree-t column polynomial held by the honest Pi . This is because Pk broadcasts (SRk , Pi ), only after receiving the signature ICSig(Pi → Pk , fki ) from Pi , such that fki = fk (αi ) holds for Pk and Pi gives the signature to Pk only after verifying that fki = gi (αk ) holds for Pi . Now since |H| ≥ t + 1 and gi (αk ) = fk (αi ) = F (αi , αk ) holds for each Pk ∈ H, it follows that the column polynomial gi (y) held by Pi satisfies the condition gi (y) = F (αi , y). This is because both gi (y) and F (αi , y) are degree-t polynomials and two different degree-t polynomials can have at most t common values. Lemma 6. If D is honest then in protocol Sh, the view of Adv is independent of s. Proof. Without loss of generality, let P1 , . . . , Pt be under the control of Adv. We claim that throughout the protocol Sh, the adversary learns only t row polynomials f1 (x), . . . , ft (x) and t column polynomials g1 (y), . . . , gt (y). The lemma then follows from the standard property of degree-(t, t) bivariate polynomials [1,3,15,21]. We next proceed to prove the claim. During the protocol Sh, the adversary gets f1 (x), . . . , ft (x) and g1 (y), . . . , gt (y) from D. Consider an arbitrary party Pi ∈ {P1 , . . . , Pt }. Now corresponding to each honest party Pj , party Pi receives fji = fj (αi ) for signature, both from D, as well as from Pj . However the value fji is already known to Pi , since fji = gi (αj ) holds. Next consider an arbitrary pair of honest parties Pi , Pj . These parties exchange fji and fij with each other over the pair-wise secure channel and hence nothing about these values are learnt by the adversary. Party Pi gives the signature ICSig(Pi → D, fji ) to D and ICSig(Pi → Pj , fji ) to Pj and from the privacy property of AICP, the view of the adversary remains independent of the signed values. Moreover, even after D reveals ICSig(Pi → D, fji ) to Pj , the view of the adversary remains independent of fji , which again follows from the privacy property of AICP. Lemma 7. The communication complexity of Sh is O(n3 κ2 ) + BC(n2 ) bits.

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

825

Proof. In the protocol D distributes n row and column polynomials. There are Θ(n2 ) instances of AICP, each dealing with L = 1 value. In addition, D broadcasts a C set and Cj sets, each of which can be represented by a n-bit vector. We finally observe that D’s computation in the protocol Sh can be recast as if D wants to share the degree-t polynomial F¯ (0, y) among a set of parties C of size at least n − t by giving each Pj ∈ C the share F¯ (0, αj ). Here F¯ (x, y) is the degree(t, t) bivariate polynomial committed by D, which is the same as F (x, y) for an honest D (see the pictorial representation in Fig. 1 and the proof of Lemma 5). If D is honest, then adversary learns at most t shares of the polynomial F (0, y), corresponding to the corrupt parties in C (see the proof of Lemma 6). In the protocol, apart from Pj ∈ C, every other party Pj who broadcasts the message MRj also receives its share F¯ (0, αj ), lying on F¯ (0, y), as the row polynomial received by every such Pj also lies on F¯ (x, y). Based on these observations, we propose the following alternate notation for invoking the protocol Sh, where the input for D is a degree-t polynomial, instead of a value. This notation will later simplify the presentation of our ACSS protocol. Notation 1 (Sharing Polynomial Using Protocol Sh). We use the notation Sh(D, r(·)), where r(·) is some degree-t polynomial possessed by D, to denote that D invokes the protocol Sh by picking a degree-(t, t) bivariate polynomial F (x, y), which is otherwise a random polynomial, except that F (0, y) = r(·). If D broadcasts a valid C, then it implies that there exists some degree-t polynomial, say r¯(·), where r¯(·) = r(·) for an honest D, such that each Pj ∈ C holds a primary-share r¯(αj ). We also say that Pj (who need not be a member of C set) receives a share rj during Sh(D, r(·)) from D to denote that Pj receives a degree-t signed row polynomial from D with rj as its constant term and has broadcast MRj message. 3.1

Designated Reconstruction of Two-Level t-shared Values

Let s be a value which has been two-level t-shared with IC signatures by protocol Sh, with parties knowing a valid C set and respective Cj sets for each Pj ∈ C. Then protocol RecPriv (see Fig. 3) allows the reconstruction of s by a designated party R. Protocol RecPriv will be used as a sub-protocol in our ACSS protocol. In the protocol, each party Pj ∈ C reveals its primary-share to R. Once R receives t + 1 “valid” primary-shares, it uses them to reconstruct s. For the validation of primary-shares, each party Pj actually reveals the secondary-shares, signed by the parties in Cj . The presence of at least t + 1 honest parties in Cj ensures that a potentially corrupt Pj fails to reveal incorrect primary-share. The properties of RecPriv are stated in Lemma 8, which simply follows from its informal discussion and formal steps and the fact that there are Θ(n2 ) instances of RevPriv, each dealing with L = 1 value. Lemma 8. Let s be two-level t-shared with IC-signatures. Then in protocol RecPriv, the following hold for every possible Adv, where AICP ≤ 2κnκ −2 .

826

A. Choudhury Protocol RecPriv(D, s, R)

– Revealing the signed secondary-shares: Each Pj ∈ C executes the following code. • Corresponding to each Pi ∈ Cj , reveal ICSig(Pi → Pj , fji ) to R. – Verifying the signatures and reconstruction: The following code is executed only by R. • Include party Pj ∈ C to a set K (initialized to ∅), if all the following holds: • R accepted ICSig(Pi → Pj , fji ), corresponding to each Pi ∈ Cj . • The values {(αi , fji )}Pi ∈Cj lie on a degree-t polynomial, say fj (x). • Wait till |K| = t + 1. Then interpolate a degree-t polynomial, say g0 (y), using the values {αj , fj (0)}Pj ∈K . Output s and terminate, where s = g0 (0).

Fig. 3. Reconstruction of a two-level t-shared value by a designated party.

• Termination: An honest R terminates, except with probability n2 · AICP . • Correctness: Except with probability n2 · AICP , an honest R outputs s. • Communication Complexity: The communication complexity is O(n3 κ2 ) bits. The computations done by the parties in RecPriv can be recast as if parties enable a designated R to reconstruct a degree-t polynomial r(·), which has been shared by D by executing an instance Sh(D, r(·)) of Sh (see Notation 1). This is because in RecPriv, party R recovers the entire column polynomial g0 (y), which is the same as F (0, y). And as discussed in Notation 1, to share r(·), the dealer D executes Sh by setting F (0, y) to r(·). Based on this discussion, we propose the following alternate notation for reconstructing a shared polynomial by R using RecPriv, which will later simplify the presentation of our ACSS protocol. Notation 2 (Reconstructing a Shared Polynomial Using RecPriv). Let r(·) be a degree-t polynomial which has been shared by D by executing an instance Sh(D, r(·)) of Sh. Then RecPriv(D, r(·), R) denotes that the parties execute the steps of the protocol RecPriv to enable R reconstruct r(0), which implicitly allows R to reconstruct the entire polynomial r(·). 3.2

Protocols Sh and RecPriv for L Polynomials

To share L number of degree-t polynomials r(1) (·), . . . , r(L) (·), D can execute L independent instances of Sh (as per Notation 1). This will cost a communication of O(L · n3 κ2 ) + BC(L · n2 ) bits. Instead, by making slight modifications, we achieve a communication complexity of O(L · n2 κ + n3 κ2 ) + BC(n2 ) bits. In the modified protocol, each Pi while issuing signatures to any party, issues a single signature on all the required values, on the behalf of all the L instances. For instance, as part of recommitment of row polynomials, party Pj will have L row polynomials (one from each Sh instance) and there will be L common values on these polynomials between Pi and Pj , so Pi needs to sign L values for Pj . Party Pi

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

827

issues signature on the common values on all these L polynomials simultaneously and for this only one instance of AICP is executed, instead of L instances. Thus all instances of AICP now deal with L values and the error probability of single nκ . To make the broadcast such instance will be AICP where AICP ≤ 2κ −(L+1) complexity independent of L, each Pj broadcasts a single MRj , MCj and (SRj , Pi ) message, if the conditions for broadcasting these messages are satisfied with respect to each Sh instance. Finally, each Pj recommits all its L row polynomials to a common set Cj and similarly D constructs a single C set with respect to each value in S. We call the resultant protocol as MSh(D, (r(1) (·), . . . , r(L) (·))). To enable R reconstruct the polynomials r(1) (·), . . . , r(L) (·) shared using MSh, the parties execute RecPriv L times. But each instance of signature revelation now deals with L values. The communication complexity will be O(L·n2 κ+n3 κ2 ) bits.

4

Asynchronous Complete Secret Sharing

We now design our ACSS protocol CSh by using protocols Sh and RecPriv as subprotocols, following the blueprint of [21]. We first explain the protocol assuming D has a single secret for sharing. The modifications for sharing L values are straight forward. To share a value s ∈ F, D hides s in the constant term of a random degree-(t, t) bivariate polynomial F (x, y) where s = F (0, 0) and distributes the column polynomial gi (y) = F (αi , y) to every Pi . D also invokes n instances of our protocol Sh, where the j th instance Shj is used to share the row polynomial fj (x) = F (x, αj ) (this is where we use our interpretation of sharing degree-t univariate polynomial using Sh as discussed in Notation 1). Party Pi upon receiving a share fji from D during the instance Shj checks if it lies on its column polynomial (that is if fji = gi (αj ) holds) and if this holds for all the n instances of Sh, Pi broadcasts a MC message. This indicates that all the row polynomials of D are pair-wise consistent with the column polynomial gi (y). The goal is then to let D publicly identify a set of 2t + 1 parties, say W, such that W constitutes a common C set in all the n Sh instances and such that each party in W has broadcast MC message. If D is honest, then such a common W set is eventually obtained, as there are at least 2t + 1 honest parties, who constitute a potential common W set. This is because if D keeps on running the Sh instances, then eventually every honest party is included in the C sets of individual Sh instances. The idea here is that if such a common W is obtained, then it guarantees that the row polynomials held by D are pair-wise consistent with the column polynomials of the parties in W, implying that the row polynomials of D lie on a single degree-(t, t) bivariate polynomial. Moreover, each of these row polynomials is shared among the common set of parties W. The next goal is then to let each party Pj obtain the j th row polynomial held by D, for which the parties execute an instance of the protocol RecPriv (here we use our interpretation of using RecPriv to enable designated reconstruction of a shared degree-t polynomial). We stress that once

828

A. Choudhury

the common set W is publicly identified, each Pj obtains the desired row polynomial, even if D is corrupt, as the corresponding RecPriv instance terminates for Pj even for a corrupt D. Once the parties obtain their respective row polynomials, the constant term of these polynomials constitute a complete t-sharing of D’s value. For the formal details of CSh, see Fig. 4.

Protocol CSh(D, s) – Distribution of Column Polynomials and Sharing of Row Polynomials by D: • D selects a random degree-(t, t) bivariate polynomial F (x, y) over F, such that F (0, 0) = s. • For i = 1, . . . , n, D sends the column polynomial gi (y) = F (αi , y) to Pi . • For j = 1, . . . , n, D executes an instance Shj = Sh(D, fj (x)), where fj (x) = F (x, αj ). – Pair-wise Consistency Check: Each Pi ∈ P (including D) executes the following code. • Wait to receive a degree-t column polynomial gi (y) from D. • Participate in the instances Sh1 , . . . , Shn . • If a share fji is received from D during the instance Shj , then broadcast the message MCj , if the condition fji = gi (αj ) holds for each j = 1, . . . , n. – Construction of W and Announcement: The following code is executed only by D. • Let C (j) denote the instance of C set constructed during the instance Shj . Keep updating the C (j) sets till a set W = C (1) ∩ . . . ∩ C (n) is obtained, where |W| = n − t and MCi message is received from the broadcast of each party Pi ∈ W. • Once a set W satisfying the above conditions are obtained, broadcast W. – Verification of W: Each party Pj ∈ P (including D) executes the following code. • Upon receiving W from the broadcast of D, check if W is a valid C set for each of the instances Sh1 , . . . , Shn and if MCi message is received from the broadcast of each Pi ∈ W. • If the set W satisfies the above conditions, then invoke an instance RecPrivj = RecPriv(D, fj (x)) to reconstruct the polynomial fj (x). Participate in the instances RecPrivk , for k = 1, . . . , n. – Share Computation and Termination: Each party Pj ∈ P (including D) does the following. • Wait to terminate the instance RecPrivj and obtain the row polynomial fj (x). • Upon terminating RecPrivj , output the share sj = fj (0) and terminate the protocol CSh.

Fig. 4. Complete sharing of a single secret.

To generate a complete t-sharing of S = (s(1) , . . . , s(L) ), the parties execute the steps of the protocol CSh independently L times with the following modifications: corresponding to each party Pj , D will now have L number of degree-t row polynomials to share. Instead of executing L instances of Sh to share them,

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

829

D shares all of them simultaneoulsy by executing an instance MShj of MSh. Similarly, each party Pi broadcasts a single MCi message, if the conditions for broadcasting the MCi message is satisfied for Pi in all the L instances. The proof of the following theorem follows from [21] and the fact that there are n instances of MSh and RecPriv, each dealing with L polynomials. nκ Theorem 3. Let AICP ≤ 2κ −(L+1) . Then CSh constitutes a (1 − ACSS ) ACSS protocol, with communication complexity O(L · n3 κ + n4 κ2 ) + BC(n3 ) bits where ACSS ≤ n3 · AICP .

5

The AMPC Protocol

Our AMPC protocol is obtained by directly plugging in our protocol CSh in the generic framework of [12]. The protocol has a circuit-independent pre-processing phase and a circuit-dependent computation phase. During the pre-processing phase, the parties generate cM number of completely t-shared, random and private multiplication triples (a, b, c), where c = a · b. For this, each party first verifiably shares cM number of random multiplication triples by executing CSh with L = 3cM . As the triples shared by corrupt parties may not be random, the parties next apply a “secure triple-extraction” procedure to output cM number of completely t-shared multiplication triples, which are truly random and prin5 κ vate. The error probability AMPC of the pre-processing phase will be 2κ −(3c M +1) and its communication complexity will be O(cM n4 κ + n4 κ2 ) + BC(n4 ) bits (as there are n instances of CSh). During the computation phase, each party Pi generates a complete t-sharing of its input x(i) by executing an instance of CSh. As the corrupt parties may not invoke their instances of CSh, to avoid endless wait, the parties agree on a common subset of n − t CSh instances which eventually terminate for every one. For this, the parties execute an instance of agreement on common-subset (ACS) primitive [8,10]. The parties then securely evaluate each gate in cir, as discussed in Sect. 1. As the AMPC protocol is standard and obtained using the framework of [12], we refer to [12] for the proof of the following theorem. Theorem 4. Let F = GF(2κ ) and f : Fn → F be a function, expressed as a circuit over F consisting of cM multiplication gates. Then there exists a statisticallysecure AMPC protocol, tolerating Adv, where all the properties are satisfied n5 κ . The communication complexity for except with probability AMPC ≤ 2κ −(3c M +1) evaluating the multiplication gates is O(cM n4 κ + n4 κ2 ) + BC(n4 ) bits. Acknowledgement. The author would like to sincerely thank the anonymous reviewers of INDOCRYPT 2020 for their helpful comments.

References 1. Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly secure multiparty computation. J. Cryptology 30(1), 58–151 (2017). https://doi.org/10. 1007/s00145-015-9214-4

830

A. Choudhury

2. Backes, M., Kate, A., Patra, A.: Computational verifiable secret sharing revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 590–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0 32 3. Bangalore, L., Choudhury, A., Patra, A.: Almost-surely terminating asynchronous byzantine agreement revisited. In: Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing, pp. 295–304. ACM (2018) 4. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 34 5. Beerliov´ a-Trub´ıniov´ a, Z., Hirt, M.: Simple and efficient perfectly-secure asynchronous MPC. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 376–392. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-769002 23 6. Ben-Or, M., Canetti, R., Goldreich, O.: Asynchronous secure computation. In: Proceedings of the 25th Annual ACM Symposium on Theory of Computing, pp. 52–61. ACM (1993) 7. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation. In: Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, pp. 1–10. ACM (1988) 8. Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience. In: Proceedings of the 13th Annual ACM Symposium on Principles of Distributed Computing, pp. 183–192. ACM (1994) 9. Bracha, G.: An asynchronous [(n − 1)/3]-resilient consensus protocol. In: Proceedings of the 3rd Annual ACM Symposium on Principles of Distributed Computing, pp. 154–162. ACM (1984) 10. Canetti, R.: Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute, Israel (1995) 11. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001) 12. Choudhury, A., Patra, A.: An efficient framework for unconditionally secure multiparty computation. IEEE Trans. Inf. Theory 63(1), 428–468 (2017) 13. Cohen, R.: Asynchronous secure multiparty computation in constant time. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 183–207. Springer, Heidelberg (2016). https://doi.org/10.1007/9783-662-49387-8 8 14. Coretti, S., Garay, J., Hirt, M., Zikas, V.: Constant-round asynchronous multiparty computation based on one-way functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 998–1021. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6 33 15. Cramer, R., Damg˚ ard, I.: Multiparty Computation, an Introduction. Contemporary Cryptography, Birkh˚ auser Basel (2005) 16. Fitzi, M.: Generalized communication and security models in Byzantine agreement. PhD thesis, ETH Zurich, Z¨ urich, Switzerland (2003) 17. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game, or a completeness theorem for protocols with honest majority. In: Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, pp. 218–229. ACM (1987) 18. Hirt., M.: Multi party computation: efficient protocols, general adversaries, and voting. PhD thesis, ETH Zurich, Z¨ urich, Switzerland (2001)

Improving the Efficiency of Optimally-Resilient Statistically-Secure AMPC

831

19. Lindell, Y.: Secure Multiparty Computation (MPC). Cryptology ePrint Archive, Report 2020/300 (2020) 20. Patra, A.: Studies on verifiable secret sharing, byzantine agreement and multiparty computation. IACR Cryptol. ePrint Arch. 2010, 280 (2010) 21. Patra, A., Choudhary, A., Rangan, C.P.: Efficient statistical asynchronous verifiable secret sharing with optimal resilience. In: Kurosawa, K. (ed.) ICITS 2009. LNCS, vol. 5973, pp. 74–92. Springer, Heidelberg (2010). https://doi.org/10.1007/ 978-3-642-14496-7 7 22. Patra, A., Choudhury, A., Pandu Rangan, C.: Efficient asynchronous verifiable secret sharing and multiparty computation. Journal of Cryptology 28(1), 49–109 (2013). https://doi.org/10.1007/s00145-013-9172-7 23. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 73–85. ACM (1989) 24. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979) 25. Yao, A.C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), pp. 160–164. IEEE (1982)

High Throughput Secure MPC over Small Population in Hybrid Networks (Extended Abstract) Ashish Choudhury(B) and Aditya Hegde International Institute of Information Technology Bangalore, Bangalore, India [email protected], [email protected]

Abstract. We study secure multi-party computation (MPC) among small number of parties, in partially synchronous and completely asynchronous settings. Prior works have only considered the synchronous setting. The setting considered in this paper is that of n = 4 parties with t = 1 corruption. In this setting, we present the following results. • A perfectly-secure protocol in the partially synchronous setting with 2 synchronous rounds. Our protocol simultaneously enjoys the properties of optimal resilience and optimal number of synchronous rounds and it partially answers one of the open problems of Patra and Ravi (IEEE Transactions on Information Theory, 2018). • A cryptographically-secure protocol in the partially synchronous setting with 1 initial synchronous round. Our protocol has optimal resilience and optimal number of synchronous rounds. The previous such protocol (Beerliov´ a, Hirt and Nielsen, PODC 2010) requires expensive public-key machinery and associated zero-knowledge (ZK) proofs and it was left as an open problem to reduce the cryptographic setups of their protocol. Our protocol makes inroads into solving this problem, where we deploy only standard symmetric-key gadgets and completely shun ZK proofs. Our protocol also improves upon the protocol of Beerliov´ a et al, in terms of communication complexity. • A cryptographically-secure protocol in the asynchronous setting, relying only on symmetric-key primitives. It improves upon the previous best protocols (Choudhury et al, ICDCN 2015 and Cohen, PKC 2016), which deploy expensive public-key tools and ZK protocols. Keywords: MPC

1

· Asynchronous networks · High-throughput

Introduction

A central concept in cryptography introduced by Yao [58] is that of secure multiparty computation (MPC), which states that any distributed computation among A. Choudhury—This research is an outcome of the R&D work undertaken in the project under the Visvesvaraya PhD Scheme of Ministry of Electronics & Information Technology, Government of India, being implemented by Digital India Corporation (formerly Media Lab Asia). c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 832–855, 2020. https://doi.org/10.1007/978-3-030-65277-7_37

High Throughput Secure MPC over Small Population in Hybrid Networks

833

mutually-distrusting participants in the presence of a centralised trusted entity can also be performed in the absence of any such trusted entity by running a protocol among the participants. A MPC protocol allows a set of n mutuallydistrusting parties to perform a joint computation on their inputs while keeping it as private as possible. The MPC problem has been widely studied in various flavours [9,36,53] and several interesting results have been obtained regarding the theoretical possibility and feasibility of secure MPC (see [44] and its references). The last decade has seen a surge in developing MPC protocols with a small number of parties for many practical tasks such as privacy-preserving machine learning [16,23,24,47,49,52,54,57], data analysis for financial applications [12], sugar beet auctions [13], etc. The advantages of MPC protocols for a small population are their simplicity and practical efficiency [1,2,14,25,34]. Also, most interesting use cases of MPC involve only a small number of parties. Several wellknown MPC frameworks such as VIFF [32] and Sharemind [11] are targeted only for a small number of parties. MPC with a small number of parties also helps with MPC for a large population via server-aided computation, where the large population outsource their data and computation to a small number of servers. The world of MPC over small population can be divided into two categories. The first group of protocols offer high throughput and require very low communication complexity [1,2,14,24,25,34,41]. Based on secret-sharing mechanisms, these protocols perform very simple computations over some algebraic structure (typically a ring or a field). The downside is that the number of rounds of interaction among the parties required in the protocol is proportional to the multiplicative depth of the circuit representing the underlying function to be computed. Consequently, the number of rounds is not a constant and hence these protocols are suited for low-latency networks, where small bandwidth is the primary concern. The second class of protocols, based on garbled circuits, require a constant number of rounds of interaction [17,18,22,48] and are suited for high-latency networks. The downside of these protocols is that they involve a huge amount of computation and parties need to perform a lot of symmetric-key cryptographic operations. In this work, we focus on high-throughput protocols. Synchronous vs Asynchronous Networks. All prior works for MPC over small population are in the synchronous setting, where the parties are synchronized by a global clock and there exists a publicly known upper bound on the message delays over the communication channels among the parties. That is, each party knows beforehand how long it has to wait for an expected message, and if the message does not arrive within that time-bound, then it can conclude that the sender is corrupt. Unfortunately, it is impossible to ensure such strict time-outs in real-world networks like the Internet, where the communication channels may have arbitrary delays. Such networks are more appropriately captured by the asynchronous communication setting [8,20], where there does not exist any global clock and the messages of the parties can be arbitrarily delayed. The only guarantee in this model is that any message sent by a party is eventually delivered and is not “stuck” in the network forever. Apart from a better modelling of real-world networks, asynchronous protocols have the advantage

834

A. Choudhury and A. Hegde

of running at the actual speed of the underlying network. More specifically, for a synchronous protocol, the participants have to pessimistically set the global delay Δ to a large value to ensure that the messages sent by every honest party at the beginning of each round reaches their destination within the Δ time frame. But if the actual delay δ is such that δ 4 to hold, for the cryptographically-secure protocols, the condition |F| ≥ 2ssec · 2cM is imposed, to

840

A. Choudhury and A. Hegde

ensure that the correctness of the protocols hold except with probability at most 2−ssec . We use the notation [] to denote the set {1, . . . , }. Communication Model. We follow two different communication models, the completely asynchronous communication model of [8,20] with eventual message delivery and the hybrid communication setting of [5,7,51], which is a mix of synchronous and asynchronous communication models. The asynchronous model does not put any restriction on the message delays and the only guarantee is that the messages of the honest participants are delivered eventually. The sequence of message delivery is controlled by a scheduler, which is under the control of the adversary. Due to the lack of any globally known upper bound on the message delays, no party can wait to receive communication from all its neighbours to avoid an endless wait (as a corrupt neighbour may not send any message) and hence in each step of an asynchronous protocol, a party can afford to receive communication from at most 3 parties (including itself), thus ignoring communication from 1 potentially honest neighbour. The hybrid model is a combination of both synchronous, as well as asynchronous model. Namely, the system is assumed to be synchronous during the initial phase, followed by a completely asynchronous phase. Here the parties execute a protocol where the first r rounds are synchronous, with parties synchronized by a global clock and where the protocol operates as a sequence of rounds. In each such round, a party computes the set of messages to be sent to its neighbours, which are communicated over the channels, followed by receiving the messages sent by its neighbours to it in this round. There will be a publicly known upper bound on the message delays for the first r rounds and hence each party will know how long it has to wait for the messages from its neighbours for each of these r rounds. If an expected message does not arrive within this time-limit, then the receiving party can substitute a default message and proceed to the next round. Consequently, within the first r rounds, each party receives communication from all the parties. As in [7,51], during the synchronous phase, apart from the pair-wise channels, the network is augmented by a system-wide broadcast channel, modelled by an ideal-functionality FBC , which allows any designated sender S ∈ P to send some message identically to all the parties. Once the synchronous phase is over, the system becomes asynchronous and protocol execution occurs asynchronously. We assume r = 2 and r = 1 for our perfectly-secure and cryptographically-secure HMPC respectively. Cryptographic Tools. To minimize the communication of our cryptographically-secure protocols, we assume a one-time symmetric-key set-up for a secure pseudo-random function (PRF) F [42] among the parties as follows. • A random PRF key kP among all the parties in P. • For every Gi , a PRF key kGi among the parties in Gi . The above set-up implicitly implies that for every D ∈ P and every Gi , there is a common PRF key kD,Gi among D and the parties in Gi . If D ∈ Gi , then D ∪ Gi = P and hence kD,Gi = kP holds. If D ∈ Gi , then D ∪ Gi = Gi and hence kD,Gi = kGi holds. Using the appropriate common key, the respective parties

High Throughput Secure MPC over Small Population in Hybrid Networks

841

can non-interactively generate common random values, whenever required, by running some appropriate secure mode of PRF. The above set-up can be made available, by running any standard MPC protocol. Since this is a one-time affair, we do not go into the exact details of the instantiation of the set-up. We also use a collision-resistant hash function H(·), with output size |H| bits. 2.1

Definition and Existing Asynchronous Primitives

Definition 1. A value s ∈ F is said to be [[·]]-shared, if there exists s1 , . . . , s4 ∈ F, with s1 + . . . + s4 = s, such that for each i ∈ [4], all (honest) parties in Gi hold si . The notation [[s]] denotes the vector of shares (s1 , . . . , s4 ). A set of values S ∈ (m) (m) F is [[·]]-shared, if each s(m) ∈ S is [[·]]-shared, where [[s(m) ]] = (s1 , . . . , s4 ). [[·]]-sharings are linear: given [[s(1) ]], [[s(2) ]] and public constants c1 , c2 ∈ F, then the parties can locally compute their shares corresponding to [[c1 ·s(1) +c2 ·s(2) ]]. In the synchronous setting, the standard security definition of MPC is based on the universal composability (UC) real-world/ideal-world based simulation paradigm [21]. Informally a protocol Πreal for MPC is defined to be secure in this paradigm, if it securely “emulates” what is called as an ideal-world protocol Πideal . In Πideal , all the parties give their respective inputs for the function f to be computed to a trusted third party (TTP), who locally computes the function output and sends it back to all the parties. Protocol Πreal is said to securely emulate Πideal if for any adversary attacking Πreal , there exists an adversary attacking Πideal that induces an indistinguishable output in Πideal , where the output is the concatenation of the outputs of the honest parties and the view of the adversary. Extending the above definition to the asynchronous setting brings in a lot of additional technicalities, specially to deal with the eventual message delivery in the system, controlled by an adversarial scheduler. Due to this, most works in the domain of AMPC [5,28,38,39,50,51] follow a simpler “property based” security definition as originally proposed in [8,10]. Recently, in [29,31], asynchronous MPC has been modelled in the UC framework. Informally, in the case of the asynchronous setting, the local output of the honest parties is only an approximation of the pre-specified function f over a subset C of the local inputs of the parties, the rest being taken to be 0, where |P \ C| = 3 (this is to model the fact in a completely asynchronous setting, the inputs of all the parties can not be considered to avoid endless wait). Protocol Πreal is said to be secure in the asynchronous setting, if the local outputs of the honest players are correct (correctness), Πreal terminates eventually for all honest parties (termination) and the output of Πreal is indistinguishable from the output of Πideal (which involves a TTP that computes an approximation of f ). If Πreal is executed in the hybrid communication model, then it is called an HMPC protocol. For the perfectly-secure setting, the termination property should be achieved with probability 1 and the output of Πreal should be perfectly-indistinguishable from that of Πideal . For the cryptographic setting, the output of Πreal should be computationally-indistinguishable from that of Πideal and a negligible error is allowed in the termination property.

842

A. Choudhury and A. Hegde

As our main goal is to provide efficient AMPC and HMPC protocols, to avoid blurring the main focus of the paper and to avoid additional technicalities, we keep the formalism to a minimum in this extended abstract and defer the simulation-based security proofs of our protocols to the full version of the paper. We stress that all AMPC protocols suffer from input deprivation, where inputs of up to t honest parties may be excluded from computation. A natural question is whether it is possible to achieve input provision and get the inputs of all the n parties for computation (i.e. C = P) in the hybrid setting. In [51] it is shown that any perfectly-secure HMPC protocol with 2 synchronous rounds suffers from input deprivation and so does our perfectly-secure HMPC protocol. On the other hand, our cryptographically-secure HMPC protocol achieves input provision, a property also achieved by the cryptographically-secure HMPC protocol of [7]. Asynchronous Broadcast and Agreement on a Common-subset. We use the asynchronous reliable broadcast (Acast) protocol of [19], which needs a communication of 57|H| + 54 + 15 2 |m| bits [46], to broadcast a message m consisting of |m| bits. The protocol allows a sender S ∈ P to send some message m identically to all the parties. If S is honest, then every honest party eventually terminates with output m. If S is corrupt and some honest party terminates with output m , then eventually every honest party terminates with output m . We say “Pi acasts m” to mean that Pi ∈ P acts as a S and invokes an instance of Acast protocol to broadcast m and the parties participate in this instance. Similarly, “Pj receives m from the acast of Pi ” means that Pj terminates the instance of Acast protocol invoked by Pi as S, with output m . In our asynchronous protocols, we come across situations, where each party is supposed to act as a dealer and share some values. Due to asynchronous communication, the parties cannot afford to wait for the termination of sharing instances of all the dealers, as the corrupt dealer need not invoke its instance. So the parties should terminate, immediately after terminating 3 out of the 4 sharing instances. However, each party may terminate a different subset of 3 sharing instances. The ACS protocol [8] allows agreement on a common subset of 3 sharing instances, which eventually terminate for all the honest parties. Beaver’s Circuit-Randomization [3]. Let g(x, y, z) be a multiplication gate, such that the parties hold [[x]] and [[y]] and the goal is to compute a [[·]]-sharing of z = x · y. Moreover, let ([[u]], [[v]], [[w]]) be a shared multiplication triple available with the parties, such that w = u · v. We note that z = (x − u + u) · (y − v+v) and hence z = (x−u)·(y−v)+v·(x−u)+u·(y−v)+u·v. Based on this idea, to compute [[z]], the parties first locally compute [[d]] = [[x − u]] = [[x]] − [[u]] and [[e]] = [[y − v]] = [[y]] − [[v]], followed by publicly reconstructing d and e. The parties then locally compute [[z]] = d · e + d · [[v]] + e · [[u]] + [[w]]. It is easy to see that if u and v are random and private, then during the above process, the view of the adversary remains independent of x and y. Namely, even after learning d and e, the privacy of the gate inputs and output is preserved. We denote this protocol as Beaver(([[x]], [[y]]), ([[u]], [[v]], [[w]])), which can be executed in a completely asynchronous setting. If the underlying public reconstruction protocol terminates for the honest parties, then the protocol Beaver

High Throughput Secure MPC over Small Population in Hybrid Networks

843

eventually terminates for all the honest parties. We also note that if the auxiliary triple (u, v, w) is not a multiplication triple (namely w = u · v + Δ for some non-zero Δ), then in the above protocol, z = x · y + Δ holds. Asynchronous Triple-transformation Protocol. We borrow the asynchronous triple-transformation protocol TripTrans from [28], which transforms a batch of independent secret-shared triples into another batch of secret-shared triples, which are related by some nice properties. The input is a set of 2k + 1 secret-shared triples {[[a(i) ]], [[b(i) ]], [[c(i) ]]}i∈[2k+1] . The protocol outputs a set of 2k + 1 shared triples {[[A(i) ]], [[B (i) ]], [[C (i) ]]}i∈[2k+1] , such that all the following hold: • There exist polynomials fa (·), fb (·) and fc (·) of degree k, k and 2k respectively, such that fa (i) = A(i) , fb (i) = B (i) and fc (i) = C (i) hold for each i ∈ [2k + 1]. • For each i ∈ [2k + 1], the ith output triple (A(i) , B (i) , C (i) ) is a multiplication triple, if and only if the ith input triple (a(i) , b(i) , c(i) ) is a multiplication triple. This further implies that fc (·) = fa (·) · fb (·) holds if and only if all the 2k + 1 input triples are multiplication triples. • Adv learns the ith triple (A(i) , B (i) , C (i) ) iff it knows the ith triple (a(i) , b(i) , c(i) ). This implies that if Adv knows k  input triples where k  < (k + 1), then adversary learns k  points on the fa (·) and fb (·) polynomials, leaving (k + 1) − k  “degree-of-freedom” on these polynomials. On the other hand, if k  ≥ (k + 1), then Adv will completely know the fa (·), fb (·) and fc (·) polynomials. The complexity of TripTrans is that of k instances of Beaver.

3 3.1

Perfectly-Secure HMPC Verifiable Secret-Sharing (VSS) with Party Elimination

Protocol Sh either allows a designated dealer D ∈ P to verifiably generate a [[·]]sharing of its private input s or outputs a public dispute set D consisting of at most three parties, including the corrupt party. The privacy of s is preserved, if D is honest. Verifiability ensures that even if D is corrupt and the parties do not output a non-empty D, then there exists some value, say s , which is [[·]]-shared. During the first round, D distributes the [[·]]-shares of s. To verify the consistency of shares, during the second round, the group members within each group Gi publicly exchange their respective versions of the received share; the public exchange is done by using the broadcast functionality. To maintain the privacy of the ith share, the group members in Gi actually exchange a masked version of the received share, where the masks are pair-wise exchanged during the first round. At the end of the second round, the parties verify if there exists any Gi , for which there exists a pair of parties Pj , Pk with inconsistency in their reported common share. This would imply that either D is corrupt or at least one among Pj , Pk is corrupt; consequently, the parties output the dispute set {D, Pi , Pj }. Else, the parties output their respective shares.

844

A. Choudhury and A. Hegde

3.2

Reconstruction Protocols

Protocol RecPriv allows a designated Pi to reconstruct a [[·]]-shared value s, in a completely asynchronous setting. Since Pi will be a part of exactly 3 groups, it will have all the shares of s, except for the share si . So all the parties in Gi can send si to Pi , who waits to receive two identical copies of si , which eventually arrive, as there are at least 2 honest parties in Gi . Upon receiving, Pi reconstructs s and terminates. Protocol RecPub allows all the parties in P to reconstruct s, by invoking 4 instances of RecPriv, one on the behalf of each Pi ∈ P. 3.3

Triple-Sharing with Party Elimination

Protocol TripSh either allows a designated D to verifiably [[·]]-share a multiplication triple (d, e, f ) or outputs a public dispute set D containing at most three parties, with one of them being corrupt. The verifiability ensures that if the parties output ([[d]], [[e]], [[f ]]), then f = d · e holds, even if D is corrupt. Moreover, for an honest D, the view of adversary will be independent of (d, e, f ). The protocol is divided into two phases, a synchronous phase for the first two rounds, followed by an asynchronous phase. During the synchronous phase, D [[·]]-shares 3 random multiplication triples, by executing instances of Sh. Independently, each Pi [[·]]-shares a random verifying multiplication triple by executing Sh. If a non-empty D is identified during any of these Sh instances, then the parties terminate the protocol with D. Else, they proceed to the asynchronous phase. The goal of the asynchronous phase is to verify if D’s triples are multiplication triples. For this, D’s triples {[[a(i) ]], [[b(i) ]], [[c(i) ]]}i∈[3] are transformed into the triples {[[A(i) ]], [[B (i) ]], [[C (i) ]]}i∈[3] , by executing TripTrans with k = 1. Let fa (·), fb (·) and fc (·) be the corresponding polynomials of degree 1, 1 and 2 respectively, which are guaranteed to exist at the end of TripTrans. It follows that {[[a(i) ]], [[b(i) ]], [[c(i) ]]}i∈[3] are multiplication triples, iff fc (·) = fa (·) · fb (·) holds ?

and the parties proceed to verify the same. To verify if fc (·) = fa (·) · fb (·), the parties asynchronously test if (fa (i), fb (i), fc (i)) is a multiplication triple, using the “help” of Pi , for each i ∈ [4], where only Pi learns (fa (i), fb (i), fc (i)), but everyone learns the outcome of the test. It will be ensured that if Pi is honest and if the test is positive, then (fa (i), fb (i), fc (i)) is a multiplication triple. But a negative test outcome occurs, only if either D or Pi is corrupt, in which case, the parties output D = {D, Pi }. Consequently, if no D is obtained during the asynchronous phase, then it confirms that fc (i) = fa (i) · fb (i) holds, corresponding to all honest parties Pi , further implying fc (·) = fa (·) · fb (·), as the degree of fa (·), fb (·) and fc (·) are 1, 1 and 2 respectively. If D is honest and no disputes are obtained, then throughout adversary learns only (fa (i), fb (i), fc (i)) corresponding to corrupt Pi , leaving “one degree of freedom” in these polynomials. Hence in this case, the parties output a [[·]]-sharing of the multiplication triple fa (β), fb (β) and fc (β) on the behalf of D, where β is different from 1, . . . , 4. ?

The verification of fc (·) = fa (·)·fb (·) is done as follows. At the end of TripTrans, the parties have [[A(i) = fa (i)]]i∈[3] , [[B (i) = fb (i)]]i∈[3] and [[C (i) = fc (i)]]i∈[3] .

High Throughput Secure MPC over Small Population in Hybrid Networks

845

The parties locally compute [[A(4) = fa (4)]], [[B (4) = fb (4)]] and [[C (4) = fc (4)]]. ?

Each ([[A(i) ]], [[B (i) ]], [[C (i) ]]) is then verified for the relation C (i) = A(i) · B (i) , using the verifying triple ([[X (i) ]], [[Y (i) ]], [[Z (i) ]]), shared by Pi during the syn(i)

chronous phase. Namely, the parties recompute [[C = A(i) · B (i) ]] from [[A(i) ]] and [[B (i) ]], by executing Beaver, treating ([[X (i) ]], [[Y (i) ]], [[Z (i) ]]) as an auxiliary (i)

triple. Then the parties compute the difference [[D(i) ]] = [[C ]] − [[C (i) ]] and publicly reconstruct D(i) , to check if it is zero. If D(i) is found to be non-zero, then the parties output D = {D, Pi }. Clearly, if D, Pi are honest, then D(i) = 0. Moreover, the privacy of ([[A(i) ]], [[B (i) ]], [[C (i) ]]) is maintained, as the auxiliary multiple triple will be random and private. 3.4

Triple Generation with Party Elimination

Protocol TripGen outputs either a dispute set D, containing the corrupt party, or a [[·]]-sharing of a random and private multiplication triple. In the protocol, each Pi ∈ {P1 , P2 , P3 } invokes an instance of TripSh to share a random multiplication triple (d(i) , e(i) , f (i) ). The parties terminate, if a non-empty D is obtained in any of the TripSh instance. Else the parties have 3 shared multiplication triples {(d(i) , e(i) , f (i) )}i∈[3] , with at least two of them being shared by honest parties, which are random and private. Since the exact identity of the honest parties are not known, the parties securely and asynchronously “extract” out a random and private multiplication triple (u, v, w) from {(d(i) , e(i) , f (i) )}i∈[3] as follows. The parties transform the shared triples {(d(i) , e(i) , f (i) )}i∈[3] into another set of shared triples {(U (i) , V (i) , W (i) )}i∈[3] by executing an instance of TripTrans with k = 1. Let fU (·), fV (·) and fW (·) be the resultant polynomials of degree at most 1, 1 and 2 respectively, such that U (i) = fU (i), V (i) = fV (i) and W (i) = fW (i). Since all the input triples {(d(i) , e(i) , f (i) )}i∈[3] for TripTrans are multiplication triples, it follows that the condition fW (·) = fU (·) · fV (·) holds. Additionally, adversary will know at most one value on these polynomials, as it will know at most one of the input triples. Consequently, from the view point of the adversary, there exists one degree of freedom in these polynomials and hence the parties set (u, v, w) to be the value of these polynomials at β. 3.5

Perfectly-Secure Hybrid MPC Protocol

Protocol PerfMPC starts with a triple-generation and input phase, executed in parallel, followed by a circuit-evaluation phase. The input phase consumes the first 2 synchronous rounds and so does the triple-generation phase, which continues to the asynchronous phase after the consumption of the first 2 synchronous rounds. The circuit-evaluation is completely asynchronous. During the triplegeneration phase, the parties execute TripGen cM number of times and try to generate cM number of shared and random multiplication triples. On the other hand, during the input phase, each party acts as a dealer and [[·]]-shares its input for cir by executing an instance of Sh. The parties then wait for the termination of the instances of TripGen and Sh. There are two possible cases. If a

846

A. Choudhury and A. Hegde

non-empty dispute set D is obtained during any of the instances of TripGen or Sh, then the parties designate the first party Phon from the set P \ D to perform the circuit evaluation in clear during the circuit-evaluation phase. If there are multiple instances where a non-empty D is obtained, then the parties focus on the first such instance, ensuring that all the honest parties agree on a common D. Note that Phon will be non-empty, as D will have at most 3 parties and since it will always include the corrupt party, Phon will be honest. Hence, during the circuit-evaluation phase, all the parties provide their input for cir to Phon . Since the circuit-evaluation happens asynchronously, Phon waits for the input from 3 parties and substitutes 0 as the missing input and proceeds to evaluate cir with these inputs. Hence, the protocol does not ensure input-provision in this case, as the missing party could be a potentially slow honest party, whose actual input is substituted with 0. The privacy of the inputs of the honest parties whose inputs are considered for the computation is preserved, since Phon is honest. If no D is obtained during the triple-generation phase or input phase, then the parties proceed to perform shared circuit-evaluation, using the shared random multiplication triples from the triple-generation phase and the shared inputs from the input phase. During the shared circuit-evaluation, the parties evaluate each gate of the circuit, maintaining the invariant that if the inputs of the gate are available in a [[·]]-shared fashion, then the output of the gate is also available in a [[·]]-shared fashion. While maintaining the invariant for the addition gate requires only local computation, for the multiplication gates, protocol Beaver is deployed, using an auxiliary multiplication triple from the triple-generation phase. Finally, once the circuit output is available in a [[·]]-shared fashion, the parties publicly reconstruct the same. Note that in this case input-provision is ensured, as the actual input of all honest parties are considered for the computation.

4

Cryptographically-Secure HMPC and AMPC

We take the leverage of the PRF key set-up and hash function, to reduce the communication complexity of the building blocks used in our perfectly-secure protocol. All the building blocks are robust, with no party elimination. 4.1

Cryptographically-Secure Synchronous VSS

Protocol CSh allows a dealer D to verifiably [[·]]-share its input. In the protocol, the shares for G1 , G2 , G3 are computed non-interactively, using the appropriate common randomness; this ensures that none of these groups are inconsistent. The share for G4 is computed by D and a masked version of it is broadcast by D, where the mask is computed using the common randomness of D and G4 . The parties in G4 on receiving the masked share, unmask it, thus ensuring that G4 is also not inconsistent. The privacy for an honest D is maintained, as there exists at least one Gi consisting of only honest parties, such that the corresponding si will be unknown because either it is locally generated by D and Gi or available in a masked fashion, with the mask being known only to D and Gi .

High Throughput Secure MPC over Small Population in Hybrid Networks

4.2

847

Reconstruction Protocols with Cryptographic Security

Protocol RecPriv is modified to get CRecPriv, where only the first two parties in Gi send the share si to the designated party Pi , while the third party in Gi sends a hash of si . Party Pi either waits for two identical copies of si or a copy of si and a “matching” hash value. Extending this idea for the case when there exist  [[·]]-shared values to be reconstructed by Pi , allows to almost avoid the communication of the shares from one of the members of Gi . Namely, only the first two members of Gi has to send all the si shares, while the third member sends a single hash value for all the si shares. Executing CRecPriv once for each Pi , we get the public reconstruction protocol CRecPub. 4.3

Cryptographically-Secure Hybrid Triple-Sharing Protocol

Protocol CTripSh outputs  multiplication triples. The protocol is similar to TripSh, with the following differences. Instead of sharing only 3 multiplication triples, D shares 2+1 multiplication triples by executing instances of CSh, which ensures that these triples are robustly [[·]]-shared by D. However, no verifyingtriples need to be shared by the individual parties, as D’s triples are verified for the multiplication relationship probabilistically. Namely, D’s triples are transformed by executing an instance of TripTrans and fitting polynomials fa (·), fb (·) and fc (·) of degree ,  and 2 respectively through the transformed triples. ?

The parties next publicly check if fc (r) = fa (r) · fb (r) holds, for a randomly chosen r, to verify D’s shared triples. The idea here is that if a corrupt D has ? not shared multiplication triples, then the test fc (r) = fa (r) · fb (r) will fail for a randomly chosen r not known in advance to D, except for the case when r is a root 2 . of the polynomial fc (·) − fa (·) · fb (·), which happens with probability at most |F| If D is honest, then the test is always successful and throughout the protocol the adversary learns only one point on the polynomials, namely (fa (r), fb (r), fc (r)), leaving  degrees of freedom in the polynomials. Consequently, if the test is successful, the parties output a [[·]]-sharing of  publicly known distinct points on the polynomials (different from r and the 2 + 1 values used during TripTrans) on behalf of D. For this, we need |F| > 3 to hold, which is the case, as  will be cM in our MPC protocol and 2ssec · 2cM > 3cM holds for any ssec ≥ 1. 4.4

Cryptographically-Secure Hybrid Triple-Generation

Protocol CTripGen is similar to the perfectly-secure protocol TripGen, with the following modifications. Each Pi ∈ {P1 , P2 , P3 } now verifiably [[·]]-shares  number of random and private multiplication triples by executing a single instance of CTripSh. The parties then output  random multiplication triples by grouping the triples of P1 , P2 , P3 into  batches and then securely extracting out one random multiplication triple from each batch. For the sake of efficiency, a common random r can be used for verifying the multiplication triples in all the 3 instances of CTripSh. Similarly, whenever possible, all the values which are supposed to

848

A. Choudhury and A. Hegde

be publicly reconstructed across all the instances of TripTrans can be “clubbed” together and reconstructed by a single instance of CRecPub. Conditioned on the event that the triples shared by P1 , P2 , P3 are multiplication triples, which occurs 2 , the output triples are multiplication triples. except with probability |F| 4.5

Cryptographically-Secure HMPC

In the protocol, the parties generate cM shared triples by executing CTripGen; simultaneously each party [[·]]-shares its input by invoking CSh. So the first synchronous round is used for both generating the triples, as well as for getting the inputs of all the parties, thus guaranteeing input-provision. This is followed by shared circuit-evaluation and reconstruction of the shared circuit output. 4.6

Cryptographically-Secure AMPC

The cryptographically-secure AMPC is similar to the HMPC protocol. The difference is that the protocol CSh is now executed asynchronously, where the parties do not have access to FBC . Consequently, D acasts m4 and the parties wait to terminate this acast instance. We call this modified protocol as ASh, which terminates only if D acasts m4 (which an honest D eventually does). All the instances of CSh in the HMPC protocol are now replaced by ASh. As different honest parties can terminate various ASh instances in arbitrary order, an instance of ACS is executed during the pre-processing stage to agree on the ASh instances to be considered during the triple-generation protocol. Similarly, an instance of ACS is required to agree on the set of input providers for the circuit evaluation. The details are deferred to the full version of the paper.

5

Experimental Results

Here we evaluate our implementation of the cryptographically-secure AMPC (Sect. 4.6) with an emphasis on the communication and computation costs. Network and Hardware Details: We run our experiments on Microsoft Azure Standard D1 v2 instances comprising 1 vcpu and 3.5 GB RAM. We benchmark over both LAN and WAN networks. For LAN, we use four instances in the same region (Southeast Asia), where the average bandwidth is 671 Mbps while the average round trip time (RTT) is 906.88 ± 345.38 μs as measured by the iperf and irtt tools respectively. For WAN, the cloud instances are in different regions (Southeast Asia, Northern Europe, Central US, Brazil South) with an average bandwidth of 141 Mbps and an average RTT of 182.42 ± 0.34 ms. Software Details: HoneyBadgerMPC [45] is a MPC-based confidentiality layer for blockchains implemented in Python and provides many AMPC primitives like ACast and ACS. We thus implement our protocol in Python 3 using HoneyBadgerMPC [45] and SageMath [56] for field and matrix computations. Though single-threaded, it makes use of asynchronous I/O operations using the asyncio

High Throughput Secure MPC over Small Population in Hybrid Networks

849

library. Data is serialized before communication using the pickle library which was observed to have an average overhead of 1.32 times a fixed length encoding when serializing a list of integers. In the experiments discussed below, all parties behave honestly unless stated otherwise. Each experiment has been run 50 times and the data reported below is the average across all runs. 5.1

Primitives

We use AES-128 and SHA256 for instantiating the PRF F and the hash function H respectively. The PRF is run in counter mode to generate a stream of pseudorandom values. Asynchronous broadcast (ACast) is instantiated using the Reliable Broadcast protocol described in [46] which improves the efficiency of Bracha’s broadcast [15] using erasure codes [19]. Asynchronous Common Subset (ACS) is instantiated using the protocol proposed by Ben-Or et al. [10]. We adopt the implementation of these primitives from HoneyBadgerMPC. The main computational bottleneck for triple-generation is polynomial interpolation, since the degrees of polynomials is proportional to the number of multiplication gates. We opt for the efficient Fast Fourier Transform (FFT) based interpolation, which runs in O(m log m) time, where m is the number of points over which the polynomial is interpolated, and allows interpolation only when m + 1 is a power of 2. The requirement on m essentially means that we can generate triplets only in batches of powers of 2. Thus any arbitrary l number of triples can be generated in log l batches. Computation is done over the field Zp where p = 264 − 1835007 is a 64-bit prime number. 5.2

Triple-Generation Phase

Table 1. Throughput in triples per second and communication in bytes per triple for the triple-generation protocol across different values of l in LAN and WAN settings.

Table 2. Throughput in triples per second and communication in Bytes per triple for generating ≈ 104 triples with different batch sizes. l

b

Comm. (B/triple)

WAN (triples/s)

Comm. (B/triple)

31

8.92

869.26

63

323 178.72

162.74

550.78

159 169.74

155.40

125.85

17.22

539.70

695.59

127 79 158.62

148.06

127 140.15

534.32

31.23

610.48

255 40 151.70

141.28

531.63

255 138.20

51.72

564.35

511 20 144.65

135.14

530.28

511 136.67

71.69

547.47

1023 10 135.93

126.62

529.62

1023 132.36

88.42

527.05

2047 5

118.17

529.28

2047 126.60

100.04

515.08

l

LAN (triples/s)

31

100.08

63

WAN (triples/s)

LAN (triples/s)

126.94

As discussed in Sect. 4.6, the triple-generation phase involves the generation of l random and secret-shared multiplication triples. Since these triples are consumed

850

A. Choudhury and A. Hegde

in the circuit-evaluation phase, during the evaluation of multiplication gates, l is usually equal to or a multiple of cM , the number of multiplication gates in the circuit. Table 1 summarises the triple-generation throughput (namely the number of triples generated per second) and communication costs in the LAN and WAN settings for different values of l, the number of triples generated. The throughput initially increases with l since the bandwidth is not completely utilized. However in LAN, the throughput starts to decrease for large values of l since the computation costs dominate. On the other hand, the throughput continues to increase in WAN, since network latency is the main bottleneck. Trade-off between Computation and Communication: As l becomes increasingly large, the interpolation is over polynomials of large degrees and the computation costs start to dominate leading to lower throughput. Running b instances of the triple-generation protocol in parallel for smaller values of l allows us to decrease the computation time with a linear overhead in b for the communication cost. Computing l multiplication triples requires each honest party to secret share 2l + 1 local random triples. Thus, running b instances of  the protocol with l = lb in parallel requires each party to secret share an additional b − 1 local triples. Similarly the communication grows linearly with b in case of triple-transformation and verification of shared triples. Table 2 summarizes the throughput and communication costs when generating around 104 triples using different batch sizes. In case of both LAN and WAN settings, we achieve the highest throughput when the batch size b = 31. As expected, the communication cost is also the highest in this case though we achieve a 41% increase in throughput at the cost of a 4% increase in communication. 5.3

Secure Prediction

We benchmark our protocol for secure prediction on a linear regression model for the MNIST dataset [43] with d = 784 features. Given secret shares of the → weight vector [[− w]] = ([[w1 ]], [[w2 ]] . . . [[wd ]]), the bias term [[b]] and the input → − vector [[ x ]] = ([[x1 ]], [[x2 ]], . . . [[xd ]]), secure prediction on a linear regression → → model requires securely computing [[− w − x + b]] where  denotes vector dot v 2f mod p product. A decimal value v is encoded as an element in Zp as v =  where we set f = 13. Thus, decimal numbers are encoded as fixed point numbers with f = 13 bits for the fractional part and 63 − 13 − 1 = 49 bits for integer part (we cannot use all 50 bits for the integer part since we work with a 64-bit prime field). Since the linear regression function has a multiplicative depth of 1, we have 26 bits for the fractional part and 36 bits for the integer part in the output and bias term which provides sufficient accuracy. Thus, we do not need additional mechanisms for secure fixed point arithmetic. Table 3 summarizes the performance of our protocol for secure prediction on linear regression on the MNIST dataset while Fig. 1 compares the circuitevaluation throughput against the number of features.

High Throughput Secure MPC over Small Population in Hybrid Networks

851

Table 3. Latency in seconds and communication cost in bytes for the triple-generation and circuit-evaluation protocols for secure prediction on a linear regression model for the MNIST dataset. Setting

Triple Gen Circuit Eval

LAN (s)

4.86

0.17

WAN (s)

8.48

0.27

Comm. (KiB) 437.73

32.23 Fig. 1. Circuit-evaluation throughput of linear regression against the number of features in the dataset.

Fig. 2. LAN: The messages sent by affected parties are delayed up to 100ms.

Robustness to Network Delays: As asynchronous protocols have the advantage of running at the actual speed of the underlying network, we evaluate this property by randomly delaying the messages sent by a party up to 100ms and 1s in the LAN and WAN setting respectively. We affect each party with such random delays incrementally across experiments, the results for which are summarized in Fig. 2. We find that there is negligible change in latency in both the LAN and WAN settings when a single party is affected since the asynchronous protocol requires communication from at most 3 parties at each step. The latency increases as more number of parties are affected since the RTT increases. However, the latency is proportional to the average RTT rather than the RTT for any single party as shown by the gradual increase in latency with the number of affected parties. In a synchronous protocol, even a single affected party would require setting the global round delay Δ to the highest possible value of 100ms in the LAN setting and 1s in the WAN setting.

852

A. Choudhury and A. Hegde

Acknowledgement. We would like to thank the anonymous reviewers of INDOCRYPT 2020 for several helpful suggestions and comments.

References 1. Araki, T., et al.: Optimized honest-majority MPC for Malicious adversaries - breaking the 1 billion-gate per second barrier. In: Symposium on Security and Privacy, pp. 843–862. IEEE Computer Society (2017) 2. Araki, T., Furukawa, J., Lindell, Y., Nof, A., Ohara, K.: High-throughput semihonest secure three-party computation with an honest majority. In: CCS, pp. 805– 817. ACM (2016) 3. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 34 4. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: STOC, pp. 503–513. ACM (1990) 5. Beerliov´ a-Trub´ıniov´ a, Z., Hirt, M.: Simple and efficient perfectly-secure asynchronous MPC. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 376–392. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-769002 23 6. Beerliov´ a-Trub´ıniov´ a, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8 13 7. Beerliov´ a-Trub´ıniov´ a, Z., Hirt, M., Nielsen, J.B.: On the theoretical gap between synchronous and asynchronous MPC protocols. In: PODC, pp. 211–218. ACM (2010) 8. Ben-Or, M., Canetti, R., Goldreich, O.: Asynchronous secure computation. In: STOC, pp. 52–61. ACM (1993) 9. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation (extended abstract). In: STOC, pp. 1–10. ACM (1988) 10. Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience (extended abstract). In: PODC, pp. 183–192. ACM (1994) 11. Bogdanov, D., Laur, S., Willemson, J.: Sharemind: a framework for fast privacypreserving computations. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 192–206. Springer, Heidelberg (2008). https://doi.org/10.1007/9783-540-88313-5 13 12. Bogdanov, D., Talviste, R., Willemson, J.: Deploying secure multi-party computation for financial data analysis. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 57–64. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-64232946-3 5 13. Bogetoft, P., et al.: Secure multiparty computation goes live. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 325–343. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03549-4 20 14. Boyle, E., Gilboa, N., Ishai, Y., Nof, A.: Practical fully secure three-party computation via sublinear distributed zero-knowledge proofs. In: CCS, pp. 869–886. ACM (2019) 15. Bracha, G.: An ssynchronous [(n-1)/3]-resilient consensus protocol. In: PODC, pp. 154–162. ACM (1984)

High Throughput Secure MPC over Small Population in Hybrid Networks

853

16. Byali, M., Chaudhari, H., Patra, A., Suresh, A.: FLASH: fast and robust framework for privacy-preserving machine learning. IACR Cryptol. ePrint Archive 2019, 1365 (2019) 17. Byali, M., Hazay, C., Patra, A., Singla, S.: Fast actively secure five-party computation with security beyond abort. In: CCS, pp. 1573–1590. ACM (2019) 18. Byali, M., Joseph, A., Patra, A., Ravi, D.: Fast secure computation for small population over the internet. In: CCS, pp. 677–694. ACM (2018) 19. Cachin, C., Tessaro, S.: Asynchronous verifiable information dispersal. In: SRDS, pp. 191–202. IEEE Computer Society (2005) 20. Canetti, R.: Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute, Israel (1995) 21. Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000) 22. Chandran, N., Garay, J.A., Mohassel, P., Vusirikala, S.: Efficient, constant-round and actively secure MPC: beyond the three-party case. In: CCS, pp. 277–294. ACM (2017) 23. Chandran, N., Gupta, D., Rastogi, A., Sharma, R., Tripathi, S.: EzPC: programmable and efficient secure two-party computation for machine learning. In: European Symposium on Security and Privacy, pp. 496–511. IEEE (2019) 24. Chaudhari, H., Choudhury, A., Patra, A., Suresh, A.: ASTRA: high throughput 3PC over rings with application to secure prediction. In: CCSW@CCS, pp. 81–92. ACM (2019) 25. Chida, K., et al.: Fast large-scale honest-majority MPC for malicious adversaries. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 34–64. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0 2 26. Choudhury, A., Loftus, J., Orsini, E., Patra, A., Smart, N.P.: Between a rock and a hard place: interpolating between MPC and FHE. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 221–240. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0 12 27. Choudhury, A., Patra, A.: Optimally resilient asynchronous MPC with linear communication complexity. In: ICDCN, pp. 5:1–5:10. ACM (2015) 28. Choudhury, A., Patra, A.: An efficient framework for unconditionally secure multiparty computation. IEEE Trans. Inf. Theory 63(1), 428–468 (2017) 29. Cohen, R.: Asynchronous secure multiparty computation in constant time. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 183–207. Springer, Heidelberg (2016). https://doi.org/10.1007/9783-662-49387-8 8 30. Cohen, R., Lindell, Y.: Fairness versus guaranteed output delivery in secure multiparty computation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 466–485. Springer, Heidelberg (2014). https://doi.org/10.1007/9783-662-45608-8 25 31. Coretti, S., Garay, J., Hirt, M., Zikas, V.: Constant-round asynchronous multiparty computation based on one-way functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 998–1021. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6 33 32. Damg˚ ard, I., Geisler, M., Krøigaard, M., Nielsen, J.B.: Asynchronous multiparty computation: theory and implementation. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 160–179. Springer, Heidelberg (2009). https://doi.org/ 10.1007/978-3-642-00468-1 10

854

A. Choudhury and A. Hegde

33. Damg˚ ard, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5 38 34. Furukawa, J., Lindell, Y., Nof, A., Weinstein, O.: High-throughput secure threeparty computation for malicious adversaries and an honest majority. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 225–255. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6 8 35. Gentry, C., Halevi, S., Vaikuntanathan, V.: A simple BGN-type cryptosystem from LWE. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 506–522. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 26 36. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229. ACM (1987) 37. Hirt, M., Maurer, U.: Robustness for free in unconditional multi-party computation. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 101–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8 6 38. Hirt, M., Nielsen, J.B., Przydatek, B.: Cryptographic asynchronous multi-party computation with optimal resilience. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 322–340. Springer, Heidelberg (2005). https://doi.org/10. 1007/11426639 19 39. Hirt, M., Nielsen, J.B., Przydatek, B.: Asynchronous multi-party computation with quadratic communication. In: Aceto, L., Damg˚ ard, I., Goldberg, L.A., Halld´ orsson, M.M., Ing´ olfsd´ ottir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 473–485. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-705833 39 40. Ishai, Y., Kumaresan, R., Kushilevitz, E., Paskin-Cherniavsky, A.: Secure computation with minimal interaction, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 359–378. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7 18 41. Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: CCS, pp. 525–537. ACM (2018) 42. Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, United States (2014) 43. LeCun, Y., Cortes, C., Burges, C.J.: Mnist handwritten digit database. ATT Labs. http://yann.lecun.com/exdb/mnist, February 2010 44. Lindell, Y.: Secure Multiparty Computation (MPC). Cryptology ePrint Archive, Report 2020/300 (2020) 45. Lu, D., Yurek, T., Kulshreshtha, S., Govind, R., Kate, A., Miller, A.K.: HoneyBadgerMPC and AsynchroMix: practical asynchronous MPC and its application to anonymous communication. In: CCS, pp. 887–903. ACM (2019) 46. Miller, A., Xia, Y., Croman, K., Shi, E., Song, D.: The honey badger of BFT protocols. In: CCS, pp. 31–42. ACM (2016) 47. Mohassel, P., Rindal, P.: ABY3 : a mixed protocol framework for machine learning. In: CCS, pp. 35–52. ACM (2018) 48. Mohassel, P., Rosulek, M., Zhang, Y.: Fast and secure three-party computation: the garbled circuit approach. In: CCS, pp. 591–602. ACM (2015) 49. Mohassel, P., Zhang, Y.: SecureML: a system for scalable privacy-preserving machine learning. In: Symposium on Security and Privacy, pp. 19–38. IEEE Computer Society (2017)

High Throughput Secure MPC over Small Population in Hybrid Networks

855

50. Patra, A., Choudhury, A., Pandu Rangan, C.: Efficient asynchronous verifiable secret sharing and multiparty computation. J. Cryptol. 28(1), 49–109 (2015) 51. Patra, A., Ravi, D.: On the power of hybrid networks in multi-party computation. IEEE Trans. Inf. Theory 64(6), 4207–4227 (2018) 52. Patra, A., Suresh, A.: BLAZE: blazing fast privacy-preserving machine learning. IACR Cryptol. ePrint Archive 2020, 42 (2020) 53. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: STOC, pp. 73–85. ACM (1989) 54. Rachuri, R., Suresh, A.: Trident: efficient 4PC framework for privacy preserving machine learning. IACR Cryptol. ePrint Archive 2019, 1315 (2019) 55. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979) 56. The Sage Developers. SageMath, the Sage Mathematics Software System (Version 8.9) (2020). https://www.sagemath.org 57. Wagh, S., Gupta, D., Chandran, N.: SecureNN: 3-party secure computation for neural network training. PoPETs 2019(3), 26–49 (2019) 58. Yao, A.C.: Protocols for secure computations (extended abstract). In: FOCS, pp. 160–164. IEEE Computer Society (1982)

Non-interactive Zero-Knowledge Proofs

Dual-Mode NIZKs: Possibility and Impossibility Results for Property Transfer Vivek Arte(B) and Mihir Bellare Department of Computer Science and Engineering, University of California, San Diego, USA {varte,mihir}@eng.ucsd.edu http://cseweb.ucsd.edu/~varte/, http://cseweb.ucsd.edu/~mihir/

Abstract. This paper formulates, and studies, the problem of property transference in dual-mode NIZKs. We say that a property P (such as soundness, ZK or WI) transfers, if, one of the modes having P allows us to prove that the other mode has the computational analogue of P, as a consequence of nothing but the indistinguishability of the CRSs in the two modes. Our most interesting finding is negative; we show by counter-example that the form of soundness that seems most important for applications fails to transfer. On the positive side, we develop a general framework that allows us to show that zero knowledge, witness indistinguishability, extractability and weaker forms of soundness do transfer. Our treatment covers conventional, designated-verifier and designated-prover NIZKs in a unified way.

1

Introduction

Non-interactive zero-knowledge (NIZK) systems [7,8] are blossoming. New applications are fueling the development of schemes that are not only more efficient than classical ones but may also be simpler, more elegant and more powerful in application. One way this happens is via the concept of dual mode [2,18–21,24]. Background. Groth, Ostrovsky and Sahai [18–20] build a pair of NIZK systems Π0 , Π1 such that (1) the prover and verifier are the same for both (2) the two systems have CRSs that, although different, are computationally indistinguishable under the SubGroup Decision or Decision Linear Assumptions, and (3) Π0 has perfect soundness while Π1 has perfect zero-knowledge (ZK). Why do this? GOS wanted a (single) NIZK system that was perfect ZK and computationally sound. The claim would be that Π1 has these properties, because CRS indistinguishability, plus the perfect soundness of Π0 , would automatically imply computational soundness of Π1 . In our language, soundness has been “transferred” from Π0 to Π1 , as a consequence of nothing but CRS indistinguishability. Recognition of the power of this technique lead to the formalization of dualmode systems. Rather than a single or accepted definition, however, there are c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 859–881, 2020. https://doi.org/10.1007/978-3-030-65277-7_38

860

V. Arte and M. Bellare

many, with a common core and varying peripherals [2,21,24]. At its core, a dual-mode system DΠ has a CRS generator that takes an input μ ∈ {0, 1} (the desired mode), and the CRSs generated in the two modes must be computationally indistinguishable. Proving and verification algorithms are as in a (single mode) NIZK system. The modes are called binding and hiding, and the (varying) peripheral requirements placed on them in prior works are summarized in Fig. 1. Looking across usage and applications in the literature, the value of dualmode continues to lie in transference, namely, being able to prove that if a property (like soundness) is present in one mode then its computational analogue is also present in the other, as a consequence just of the indistinguishability of the CRSs in the two modes. But there is growing recognition that transference can be subtle and not as simple as it seems. For example, certain (weaker) forms of soundness are proven to transfer, but for other (stronger) forms, the natural proof approach fails, and whether or not the transference holds remains an open question [20,24]. This lead GOS, in the journal version of their work [20], to introduce culpable soundness, an intermediate notion that they could show transfers. Overview of our contributions. We want to understand the limitations and possibilities of transference, including which properties transfer, which don’t, and why. We divide our contributions into the following parts.  Definitions. We start by defining a dual-mode system DΠ in a different way; we ask only for the (core) CRS indistinguishability requirement. Unlike prior works (cf. Fig. 1), no requirements are placed on the individual modes. We then define, in the natural way, the (single-mode) systems DΠ0 , DΠ1 induced by DΠ. A property P (soundness, ZK, WI, ...) is a requirement on a single-mode system, not a dual-mode one. Transference of a property P is now the question: If DΠμ satisfies P, does DΠ1−μ satisfy the computational analogue of P?  Negative Results. We show that certain strong (desirable, applicationenabling) forms of soundness fail to transfer. These negative results are established by giving explicit counter-examples under standard assumptions (CDH, DDH). This shows that the difficulties noted in prior work with regard to proving transference for certain forms of soundness [20,24], are inherent.

Requirements for mode 1 [2] perfect soundness and extractability perfect ZK and WI [21] statistical soundness and extractability statistical WI [24] statistical soundness statistical ZK Our work None None Who

Requirements for mode 0

Fig. 1. Requirements placed on the two modes in definitions of dual-mode systems.

Dual-Mode NIZKs: Results for Property Transfer

861

 Positive Results. We formalize a “property” P as a property specification PS and give sufficient conditions on PS for it to successfully transfer. Through this we show that ZK, WI and extractability (we define them in strong ways that are application-enabling) do transfer, as do weaker (as per what follows, not application-enabling) forms of soundness. Our framework may have future value in helping evaluate or establish transference of the many definitional variants of the basic properties that arise.  Applicability Assessment. It is desirable that the forms of soundness that transfer be suitable for applications, leading us to ask, which are? We examine a canonical application of NIZKs, the one to digital signatures [4,11], and find that the form of soundness it needs is one that our negative results show does not transfer. Thus, our finding is that the most application-enabling (stronger, desirable) forms of soundness fail to transfer, while weaker forms do transfer.  Unified Treatment. We define single and dual-mode systems in a way that includes, as special cases, the conventional [7,8], designated verifier [13,15,27] and designated prover [22,23] settings. Our definition of CRS indistinguishability asks that it hold even when the adversary knows the proving and verification keys (if any). Soundness is required even in the presence of a verification oracle, to capture the reusable designated verifier setting [24]. Our results apply to all these settings. The motivation for this broad treatment is the many recent advances in settings beyond the conventional one [9,10,22–24]. In the rest of this Introduction, however, we will for simplicity confine discussion to the conventional setting. Transference intuition. One would imagine that any property P transfers, by the following proof. Suppose P holds for one mode, wlog DΠ0 . We want to show it also holds in DΠ1 . Let A be a PT (polynomial-time) adversary violating P in DΠ1 . We build a PT adversary D violating mode indistinguishability. As per the definition of the game for the latter, the input to D is a crs of a challenge mode μ ←$ {0, 1}, and D is trying to determine μ. Adversary D runs A on input crs and tests if it violates P. If so, it predicts that μ = 1, else that μ = 0. The difficulty is that “testing whether A violates P” may not be doable in polynomial-time. In particular, for soundness (depending on the precise definition of the property as we consider below), it may involve testing membership in the underlying language, which, for languages of interest, is not doable in polynomial-time. This difficulty is recognized [20,24]. However, it does not mean that the property necessarily fails to transfer; it just means that the obvious proof approach fails. Is there another, more clever one, that succeeds? We will answer this question negatively, giving counterexamples to show non-transference for certain properties of interest in applications. Soundness notions. The underlying NP-relation R defines a language LR (crs). (As per [17], and to cover systems in the literature, the language is allowed to depend on the CRS.) Soundness of a (single-mode) proof system Π for R asks that an adversary given crs be unable to find an x ∈ LR (crs), and a proof pf, such that Π.V(1λ , crs, x, pf) = true. The difficulty, for transference, is that testing whether

862

V. Arte and M. Bellare

the adversary wins seems to require testing that x ∈ LR (crs), which is likely not doable in PT. With attention drawn to this issue, however, one sees that whether or not the test is required depends on exactly how the soundness game is defined. The broad format is that the game picks and gives crs to the adversary, who then provides the game with x, pf, and the game then performs a “winning test.” Now we consider two definitions: SND-P (penalty style) and SND-E (exclusion style). (This follows the consideration of similar notions for IND-CCA encryption in [5].) In SND-P, the winning test is that x ∈ LR (crs) and Π.V(1λ , crs, x, pf) = true, and SND-P security asks that any PT adversary has negligible winning probability. In SND-E the winning test is just that Π.V(1λ , crs, x, pf) = true, and SND-E security asks for negligible winning probability, not for all adversaries, but for a subclass we call membership conscious: the probability that the x they provide is in LR (crs) is negligible. (Membership consciousness is an assumption on the adversary. Nothing in the game verifies it.) Clearly, SND-P is stronger: SNDP ⇒ SND-E. (Any SND-P secure Π is also SND-E secure.) We can show that SND-E is strictly weaker: SND-E ⇒ SND-P. (There exists a Π that is SND-E secure but not SND-P secure.) Soundness transference. We show that (1) SND-E transfers, but (2) SND-P does not. The first follows from general results we discuss below. With regard to the second, that the winning test is not PT is an indication that transfer may fail, but not a proof that it does. (What it means is that the particular, above-discussed approach to prove transference fails.) In Theorem 4, we show non-transference via a counter-example. We give a dual-mode proof system DΠ and relation R such that (2a) DΠ satisfies mode indistinguishability (2b) DΠ1 satisfies SND-P for R but (2c) DΠ0 does not satisfy SND-P for R. These results assume hardness of the DDH (Decision Diffie-Hellman) problem in an underlying group. We show (2a) and (2b) by reductions to the assumed hardness of DDH. We show (2c) by an attack, a description of an explicit PT adversary that, with probability one, violates SND-P for DΠ0 . Penalty or exclusion? The lack of transference of SND-P is more than an intellectual curiosity; it inhibits applicability. We consider building digital signatures from NIZKs, a canonical application that originates in [4], and, with [11], is seeing renewed interest as a way to obtain efficient post-quantum signatures. We look closely at the proof to see that while SND-P suffices, SND-E does not appear to do so. This phenomenon seems fairly general: applications of NIZKs that rely on soundness seem to need SND-P, not SND-E. Transference framework. We turn to positive results, proving that certain (important) properties P do transfer. We could give such proofs individually for different choices P, but this has a few drawbacks. First, proofs which at heart are very similar will be repeated. Second, proofs will be needed again for new or further property variants that we do not consider. Most important, however, from our perspective, ad hoc proofs fail to yield theoretical understanding; exactly what about a property allows it to transfer? To address this we give a framework to obtain positive transference results. The intent is to formalize the above-described transference intuition. We start

Dual-Mode NIZKs: Results for Property Transfer

863

with a definition, of an object, denoted PS, that we call a property specification PS. While the game defining P would typically pick crs by running Π.C, the corresponding property specification sees the game output (result, win or not, of executing the game with an adversary) as a function of crs, effectively pulling the latter out of the game. We then give a general result (Theorem 6, the Transfer Theorem) saying that property specifications transfer successfully as long as they are polynomial time. To apply this to show transference of a particular property P, we must specify the corresponding property specification PS and show that it is polynomial time. We do it for SND-E, zero-knowledge, witness indistinguishability and extractability to conclude that all these properties transfer successfully. (A property specification can be given for SND-P, but it is not polynomial time.) Discussion and related work. It is valuable, for applications, to have proof systems satisfying SND-P. The dual-system framework does not automatically provide this for its induced proof systems, because these properties do not transfer. This does not, however, say whether or not the induced proof systems have these properties for particular dual-mode systems in the literature. For example, does the PZK mode of the [19] system satisfy SND-P? We have found neither an attack to show it does not, nor a proof to show it does, and consider this an interesting question to settle. Broadly, our work calls for care in using dual-mode systems in applications. One needs to check that the mode one is using has the desired properties, rather than expect that they arrive by transference. Our Transfer Theorem can help with such checks. In our Theorem 4 counter-example showing that SND-P does not transfer, the relation R is CRS-dependent. To settle, by proof or counter-example, whether SND-P transfers for relations that are not CRS-dependent, is an interesting open question. Abe and Fehr (AF) [1] show that if Π is statistical ZK for an NP-complete relation for R then it is unlikely that it can be proven SND-P via a certain restricted type of blackbox reduction to what they call a standard decision problem. Now suppose DΠ is a dual-mode system for R such that DΠ1 satisfies statistical ZK and DΠ0 satisfies SND-P. Then the AF result says that, if mode indistinguishability is proven via a blackbox reduction to a standard decision problem, then one will be unlikely to be able to give a blackbox proof that SND-P transfers to DΠ1 . This however does not rule out transference altogether; it rules out proving it in certain limited ways. (Possibly transference could be shown via non-black box reductions, or assumptions that are not standard decision problems.) In comparison, our Theorem 4 gives an example where transference not only cannot be proven, but demonstrably fails.

2

Preliminaries

Notation. If w is a vector then |w| is its length (the number of its coordinates) and w[i] is its i-th coordinate. Strings are identified with vectors over {0, 1},

864

V. Arte and M. Bellare

so that |Z| denotes the length of a string Z and Z[i] denotes its i-th bit. By ε we denote the empty string or vector. By xy we denote the concatenation of strings x, y. If x, y are equal-length strings then x⊕y denotes their bitwise xor. If S is a finite set, then |S| denotes it size. If X is a finite set, we let x ←$ X denote picking an element of X uniformly at random and assigning it to x. Algorithms may be randomized unless otherwise indicated. If A is an algorithm, we let y ← AO1 ,... (x1 , . . . ; ω) denote running A on inputs x1 , . . . and coins ω, with oracle access to O1 , . . ., and assigning the output to y. By y ←$ AO1 ,... (x1 , . . .) we denote picking ω at random and letting y ← AO1 ,... (x1 , . . . ; ω). We let [AO1 ,... (x1 , . . .)] denote the set of all possible outputs of A when run on inputs x1 , . . . and with oracle access to O1 , . . .. An adversary is an algorithm. Running time is worst case, which for an algorithm with access to oracles means across all possible replies from the oracles. We use ⊥ (bot) as a special symbol to denote rejection, and it is assumed to not be in {0, 1}∗ . A function ν : N → N is negligible if for every positive polynomial p : N → R there is a λp ∈ N such that ν(λ) ≤ 1/p(λ) for all λ ≥ λp . “PT” stands for “polynomial time.” By 1λ we denote the unary representation of the integer security parameter λ ∈ N. Games. We use the code-based game-playing framework of BR [6]. A game G (see Fig. 2 for examples) starts with an optional Init procedure, followed by a non-negative number of additional procedures, and ends with a Fin procedure. Execution of adversary A with game G consists of running A with oracle access to the game procedures (which accordingly are also called oracles), with the restrictions that A’s first call must be to Init (if present), its last call must be to Fin, and it can call these two procedures at most once each. The output of the execution is the output of Fin. By Pr[G(A) ⇒ y] we denote the probability that the execution of game G with adversary A results in this output being y, and write just Pr[G(A)] for the probability that the execution of game G with adversary A results in the output of the execution being the boolean true. Note that our adversaries have no input or output. The role of what in other treatments is the adversary input is, for us, played by the response to the Init query, and the role of what in other treatments is the adversary output is, for us, played by the query to Fin. Different games may have procedures (oracles) with the same names. If we need to disambiguate, we may write G.O to refer to oracle O of game G. In games, integer variables, set variables, boolean variables and string variables are assumed initialized, respectively, to 0, the empty set ∅, the boolean false and ⊥. CDH and DDH assumptions. A group generator GG is a PT algorithm that takes as input a security parameter 1λ and outputs a triple (p, G, g) ←$ GG(1λ ) consisting of a prime p, (a description of) a group G of order p and a generator g ∈ G \ {1G } of G. We recall the Computational Diffie-Hellman (CDH) and Decisional Diffie-Hellman (DDH) problems associated to GG via the games in cdh Fig. 2. We define Advcdh GG,λ (A) = Pr[GGG,λ (A)] to be the cdh-advantage of an

Dual-Mode NIZKs: Results for Property Transfer Game Gcdh GG,λ

Game Gddh GG,λ

Init(): λ 1 (p, G, g) ←$ GG(1 ) 2 a, b ←$ Zp a b 3 Return (p, G, g, g , g )

Init(): λ 1 (p, G, g) ←$ GG(1 ) ; d ←$ {0, 1} ; a, b, c ←$ Zp ab 2 If (d = 1) then C ← g else C ← g c a b 3 Return (p, G, g, g , g , C)

Fin(C): ab 4 Return (C = g )

Fin(d ):  4 Return (d = d)

865

Fig. 2. Games defining the CDH and DDH assumptions for GG.

adversary A. The CDH problem is hard for GG, or the CDH assumption holds for GG, if for every PT adversary A the function λ → Advcdh GG,λ (A) is negligible. ddh ddh We define AdvGG,λ (A) = 2 Pr[GGG,λ (A)] − 1 to be the ddh-advantage of an adversary A. The DDH problem is hard for GG, or the DDH assumption holds for GG, if for every PT adversary A the function λ → Advddh GG,λ (A) is negligible.

3

Proof Systems and Dual Mode Proof Systems

A proof system provides a way for one party (the prover) to prove some “claim” to another party (the verifier). A claim pertains to membership of an instance x in an NP language, the latter defined by an NP relation R. NP relations. Following [17], and to cover existing proof systems, we allow the relation to depend on the CRS. Thus a relation is a function R : {0, 1}∗ × {0, 1}∗ × {0, 1}∗ → {true, false} that takes the CRS crs, a instance x and a candidate witness w to return either true (saying w is a valid witness establishing the claim) or false (the witness fails to validate the claim). For crs, x ∈ {0, 1}∗ we let R(crs, x) = { w : R(crs, x, w) = true } be the witness set of x. R is said to be an NP relation if it is PT and there is a polynomial R.wl : N → N called the maximum witness length such that every w in R(crs, x) has length at most R.wl(|crs| + |x|) for all x ∈ {0, 1}∗ . We let LR (crs) = { x : R(crs, x) = ∅ } be the language associated to R and crs. Proof systems. A proof system is the name of the syntax for the primitive that enables the production and verification of such proofs, in the classical, single-mode sense. Soundness, zero-knowledge and many other things will be security properties for such (single-mode) proof systems. We give a general, unified syntax that allows us to recover, as special cases, various models such as the common reference/random string (CRS) models [7,8,12,16,26], the designatedverifier (DV) model [13,15,27], the designated-prover (DP) model [22,23], and the preprocessing (PP) model [14]. (Further discussion and history of these models is provided in the full version [3].) Now proceeding formally, a proof system Π specifies the following PT algorithms:

866

V. Arte and M. Bellare

– CRS generation. Via (crs, td, kP , kV ) ←$ Π.C(1λ ), the crs-generation algorithm Π.C takes the (unary representation of the) security parameter and returns an output crs called the common reference string, a trapdoor td, a proving key kP and a verification key kV . – Proof generation. Via pf ←$ Π.P(1λ , crs, kP , x, w) the proof generation algorithm Π.P takes the unary security parameter, crs, a prover key kP , an instance x and a witness w to produce a proof string. – Proof verification. Via d ← Π.V(1λ , crs, kV , x, pf) the deterministic proof verification algorithm Π.V produces a decision d ∈ {true, false} indicating whether or not it considers pf valid. We say that Π satisfies completeness for relation R if Π.V(1λ , crs, kV , x, pf) = true for all λ ∈ N, all (crs, td, kP , kV ) ∈ [Π.C(1λ )], , all x ∈ LR (crs), all w ∈ R(crs, x) and all pf ∈ [Π.P(1λ , crs, kP , x, w))]. This required completeness is perfect, but this can be relaxed if necessary. Recovering the different models within our syntax.The common reference string (CRS) model is the special case of our syntax in which Π.C always sets both the proving key and verification key to the empty string, kP = kV = ε. The designated verifier (DV) model corresponds to Π.C always setting the proving key to the empty string, kP = ε. In some constructions [15,27], the verification key is dependent on both the crs and the trapdoor td, while in other constructions [24,25,28] it is dependent only on the crs. This distinction can be captured as a condition on Π.C. The designated prover (DP) model corresponds to Π.C always setting the verification key to the empty string, kV = ε. The preprocessing (PP) model is captured by our syntax with no further restrictions. Here, the proving and verification keys may be dependent on the crs [22], or it might even be that the crs and td are set to the empty string and the keys do not depend on these parameters [23], all of which can be captured as conditions on Π.C. Dual-mode systems. We define a dual-mode proof system DΠ as also specifying a PT CRS generation algorithm DΠ.C, a PT proof generation algorithm DΠ.P and a PT deterministic proof verification algorithm DΠ.V. The syntax of the last two is identical to that in a proof system as defined above. The difference is the CRS generator DΠ.C, which now (in addition to 1λ ) takes an input μ ∈ {0, 1} called the mode, and returns a tuple (crs, td, kP , kV ), as before. For the common reference string model, the security requirement for a dualmode proof system would be that the common reference strings created in the two modes are computationally indistinguishable. We suggest and introduce a generalization to our broader syntax, asking that the common reference strings and the proving and verification keys created in the two modes are indistinguishable. We call this mode indistinguishability. To formalize this, consider game Gmode DΠ,λ of Fig. 3 associated to dual-mode proof system DΠ, and let the mode mode advantage of adversary A be defined by Advmode DΠ,λ (A) = 2 Pr[GDΠ,λ (A)] − 1. Mode indistinguishability asks that for all PT adversaries A, the function λ → Advmode DΠ,λ (A) is negligible.

Dual-Mode NIZKs: Results for Property Transfer Game Gmode DΠ,λ

snd-e Games Gsnd-p Π,R,λ / GΠ,R,λ

Init(): 1 b ←$ {0, 1} λ 2 (crs, td, kP , kV ) ←$ DΠ.C(1 , b) λ 3 Return (1 , crs, kP , kV )

Init(): λ 1 (crs, td, kP , kV ) ←$ Π.C(1 ) λ 2 Return (1 , crs, kP )

Fin(b ):  4 Return (b = b)

867

Vf(x, pf): λ 3 d ← Π.V(1 , crs, kV , x, pf) 4 If (x ∈ LR (crs)) then 5 bad ← true ; Return d 6 If (d) then win ← true 7 Return d Fin(): 8 Return win

Fig. 3. Left: Game defining mode indistinguishability for a dual-mode proof system DΠ. Right: Games defining SND-P and SND-E soundness of proof system Π for relation R.

A dual-mode proof system DΠ gives rise to two (standard) proof systems that we call the proof systems induced by DΠ and denote DΠ1 and DΠ0 . Their proof generation and verification algorithms are those of DΠ, meaning DΠμ .P = DΠ.P and DΠμ .V = DΠ.V, for both μ ∈ {0, 1}. The difference between the two proof systems is in their CRS generation algorithms. Namely DΠμ .C is defined by: (crs, td, kP , kV ) ←$ DΠ.C(1λ , μ); Return (crs, td, kP , kV ). Comparison with prior notions. Unlike prior definitions [2,21,24], we do not tie to DΠ, or mandate for it, any properties like soundness or ZK. These properties are defined (only) for (single-mode) proof systems. Accordingly, we can talk about whether or not the induced proof systems meet them. This allows us to decouple the core dual-mode concept from particular properties. Our definition of mode indistinguishability asks that (crs, kP , kV ) be indistinguishable across the two modes, while prior definitions asked only that crs be indistinguishable across the modes. For the cases where dual-mode systems have been defined in the past, the two coincide. This is clearly true for the common reference string model, since here kP , kV are ε. For the designated-verifier setting of [24], our definition may at first seem different, but it isn’t, because in [24], kV is determined from crs by a key-generation algorithm, and doesn’t depend on the trapdoor. (And meanwhile, kP = ε.) A distinguisher can thus compute kP , kV from crs, making our definition equivalent to that of [24] in this case. The case where our definition is different from asking just for crs indistinguishability is when kP , kV depend on the coins underlying crs, td. Dual-mode systems for this setting, however, do not seem to have been defined prior to our work.

868

4

V. Arte and M. Bellare

A Study in Soundness

We study soundness transference, showing that whether or not it holds depends on exactly how soundness is defined. We start thus with definitions. SND-E and SND-P soundness. Soundness for a relation R asks that it be hard to create a valid proof for x ∈ LR (crs). We consider two ways to define this, namely the penalty style (SND-P) and the exclusion style (SND-E). These two styles, and their issues, were first formally considered in [5] in the context of IND-CCA public-key encryption and KEMs. In the penalty style the adversary is penalized by the game when it submits a verification query where the claim is in the language, the game testing this and not allowing it to win in this case. In the exclusion style, the adversary is simply prohibited from making queries with claims in the language, meaning a claim of SND-E security quantifies only over the sub-class of adversaries that never make such queries (or make them with negligible probability). Consider the games in Fig. 3. A verification oracle Vf is used to cover the designated-verifier setting. Game Gsnd−p Π,R,λ includes the boxed code, so that when the adversary submits x ∈ LR (crs) to Vf, the oracle returns the output of the verification algorithm on the query without setting the win flag. Otherwise, the game returns the decision taken by Π.V based on the instance x (now known not to be in LR (crs)) and proof pf provided by the adversary, and only sets win if the verifier algorithm returns true in this case. From the transference perspective, the relevant fact is that the membership test will usually not be PT. We let snd−p Advsnd−p Π,R,λ (A) = Pr[GΠ,R,λ (A)] be the sndp-advantage of A. We say that Π is computational SND-P for R if for all PT A the function λ → Advsnd−p Π,R,λ (A) is negligible; statistical SND-P if for all A, regardless of running time, the function λ → Advsnd−p Π,R,λ (A) is negligible; perfect SND-P if for all A, regardless of running

time, Advsnd−p Π,R,λ (A) = 0. Saying just that Π is SND-P means it could be any of the three, meaning the default assumption is computational. Game Gsnd−e Π,R,λ excludes the boxed code. If the adversary submits x ∈ LR (crs) to Vf, the game sets the flag bad but does nothing beyond that, so that, regardless of whether or not x is in LR (crs), line 6 says that the adversary wins if the verifier decision d computed at line 3 is true. (Winning by submitting x ∈ LR (crs) is excluded, not by the game, but by the restriction to membership conscious adversaries discussed below.) The benefit, from the transference perspective, is snd−e that the check is now PT. We let Advsnd−e Π,R,λ (A) = Pr[GΠ,R,λ (A)] be the sndeadvantage of A. The flag bad does not influence the game outcome. It is there to allow us to make the following definition: We say that an adversary A is membership conscious if the function λ → Pr[Gsnd−e Π,R,λ (A) sets bad] is negligible. Now we say that Π is computational SND-E for R if for all PT, membership-conscious A the function λ → Advsnd−e Π,R,λ (A) is negligible; statistical SND-E if for all membershipconscious A, regardless of running time, the function λ → Advsnd−e Π,R,λ (A) is negligible; perfect SND-E if for all membership-conscious A, regardless of running

Dual-Mode NIZKs: Results for Property Transfer

869

time, Advsnd−e Π,R,λ (A) = 0. Saying just that Π is SND-E means it could be any of the three, meaning the default assumption is computational. In SND-E, there is no check as to whether or not the adversary is membership conscious. The quantification is simply restricted to ones that are. Relations between definitions. To better understand the differences between the notions, we briefly study some relations between them. The following says that SND-P always implies SND-E: Proposition 1. Let Π be a proof system and R a relation. If Π is computational (respectively statistical, perfect) SND-P then it is also computational (respectively statistical, perfect) SND-E. The proof is simple. Let A be a membership-conscious adversary A that wins the SND-E game, violating SND-E. Then it also wins the SND-P game. (Its advantage as measured in the SND-P game can only be less than its advantage as measured in the SND-E game by a negligible amount.) And since SND-P quantifies over all PT adversaries (whether membership conscious or not), we have an adversary violating SND-P. Another observation is that an unbounded adversary can check membership in the language. Due to this, the two formulations of soundness coincide in the statistical and perfect cases: Proposition 2. Let Π be a proof system and R a relation. Then (1) Π is statistically SND-P for R iff it is statistically SND-E for R, and (2) Π is perfectly SND-P for R iff it is perfectly SND-E for R. The interesting case is the computational one. Here the two definitions do not coincide. We defer the proof of the following to the full version [3]. Proposition 3. Assume there exists a group generator relative to which DDH is hard. Then there exists a proof system Π and relation R such that (1) Π is SND-E for R but (2) Π is not SND-P for R. We will see in the full version [3] that SND-P is what works for applications, SND-E being too weak. Thus, it is desirable that SND-P transfer. Unfortunately, we show below that, in general, it does not. Later, we will show that SND-E does, however, transfer. Non-transference of SND-P. We give a counter-example to show that SND-P does not, in general, transfer. The counter-example constructs an explicit relation R and dual-mode proof system DΠ such that DΠ satisfies mode indistinguishability and SND-P holds in mode 1, but we can give an attack showing it does not hold in mode 0. DΠ is a conventional (common reference string model) system, meaning kP = kV = ε, which means the result holds also in the designated verifier and prover settings. Theorem 4. Assume there exists a group generator relative to which DDH is hard. Then there exists a dual-mode proof system DΠ and relation R such that (1) DΠ satisfies mode indistinguishability and (2) DΠ1 satisfies SND-P for R, but (3) DΠ0 does not satisfy SND-P for R.

870

V. Arte and M. Bellare

Relation R((p, G, g, A, B, C), X, w): 1

w

w

Return (g = A)∧(X = B )∧(X ∈ G)

Adversary Addh : 1 2

DΠ.C(1λ , μ): 2 3 4 5 6 7 8

λ

(p, G, g) ← GG(1 ) ; a, b ← Zp If (μ = 1) then c ←$ Zp Else c ← ab mod p A ← ga ; B ← gb ; C ← gc crs ← (p, G, g, A, B, C) td ← ε ; kP ← ε ; kV ← ε Return (crs, td, kP , kV ) $

$

DΠ.P(1λ , crs, kP , X, w): 9

(p, G, g, A, B, C) ← crs ; Return ε

DΠ.V(1λ , crs, kV , X, pf): 10 11 12

(p, G, g, A, B, C) ← crs If (X ∈ / G) then return false Else return true

Adversary A0 : 1 2 3

←$ Gsnd-p DΠ0 ,R,λ .Init

(crs, kP ) (p, G, g, A, B, C) ← crs snd-p Gsnd-p DΠ0 ,R,λ .Vf(C, ε) ; GDΠ0 ,R,λ .Fin

(p, G, g, A, B, C) ←$ Gddh GG,λ .Init AInit,Fin

Init: 3 Return ((p, G, g, A, B, C), ε, ε) Fin(b ): ddh  4 GGG,λ .Fin(1 − b ) Adversary Acdh : 1 2

(p, G, g, A, B) ←$ Gcdh GG,λ .Init AInit,Vf,Fin

Init: c 3 c ←$ Zp ; C ← g 4 Return ((p, G, g, A, B, C), ε) Vf(X, pf): 5 S ← S ∪ {X} 6 If (X ∈ G) then return true 7 Return false Fin(): cdh 8 X ←$ S ; GGG,λ .Fin(X)

Fig. 4. Relation R, dual-mode proof system DΠ and various adversaries for the proof of Theorem 4.

Proof (Theorem 4). Let GG be a group generator relative to which DDH is hard. Consider the relation R shown in Fig. 4. Its first input is the CRS, which has the form (p, G, g, A, B, C), where (p, G, g) ∈ [GG(1λ )] and A, B, C ∈ G. The second input X is the instance. The third input w is the witness, which we assume is in Zp . Recall that dlogG,g (Y ) ∈ Zp is the discrete logarithm of Y ∈ G to base g. Let a, b, c ∈ Zp be such that A = g a , B = g b and C = g c . The relation tests three things, returning true iff all hold. The test that g w = A forces the witness w to be a = dlogG,g (A), meaning it can have only one value. The third test requires X to be a group element, and the second test then says that X may be any group element except B w = g bw = g ba . Recall that the language associated to R, (p, G, g, A, B, C) is the set of all X for which there exists a witness w making R((p, G, g, A, B, C), X, w) = true, so we have LR ((p, G, g, A, B, C)) = G \ {g ab }, meaning it is all group elements except g ab . Since violating soundness requires submitting an X ∈ LR ((p, G, g, A, B, C)), this means that there is only one choice of X that potentially violates soundness, namely g ab .

Dual-Mode NIZKs: Results for Property Transfer

871

Now consider the dual-mode proof system DΠ whose algorithms DΠ.C, DΠ.P, DΠ.V are described in Fig. 4. The CRS generator picks a group G and returns CRS (p, G, g, A, B, C) such that, again letting A = g a , B = g b and C = g c , if μ = 0 then (A, B, C) is a DH-tuple—meaning C = g ab —and if μ = 1 then A, B, C are uniform and independent group elements. Under the DDH assumption, the two CRSs are indistinguishable, while the proving and verification keys are identical in both modes since they are set to the empty string. Formally, this is claim (1) of the theorem statement, which we show by a reduction from the mode-indistinguishability of DΠ to the DDH assumption for the group generator GG. For this, let A be a PT adversary. We construct the PT time adversary Addh ddh shown in Fig. 4. For all λ ∈ N we have Advmode DΠ,R,λ (A) ≤ AdvGG,λ (Addh ), which justifies claim (1). The other algorithms of DΠ perform trivially: The proof generator always returns the empty string as the proof, and the verifier algorithm always accepts. Let DΠ0 and DΠ1 be the induced proof systems of DΠ. We show claim (3) of the theorem by an attack, namely an adversary violating SND-P for DΠ0 . The adversary A0 is shown in Fig. 4. It starts, at line 1, by calling the Init a b oracle of its game Gsnd−p DΠ0 ,R,λ . The CRS (p, G, g , g , C) in this game is generated by DΠ0 .C, and hence C = g ab . This gives the adversary an instance outside the language LR ((p, G, g a , g b , C)), namely X = C. It can now submit C to Vf at line 3. What it submits as the proof does not matter (the choice made is the empty string) since DΠ.V always accepts as long as the statement is in the group G; the challenge in violating SND-P was to find an instance outside the language. This Vf query will set the win flag, and therefore this adversary will win the game when it calls Fin. We have Advsnd−p DΠ0 ,R,λ (A0 ) = 1, establishing claim (3) of the theorem. It remains to show claim (2), namely that DΠ1 does satisfy SND-P. This is true under the CDH assumption on GG, which is implied by the DDH assumption we have made, and is proved by reduction. Given a PT adversary A trying to win game Gsnd−p DΠ1 ,R,λ , we construct the PT cdh-adversary Acdh shown in Fig. 4. It is playing game Gcdh GG,λ . From the Init oracle of that game, it obtains (p, G, g, A, B), and then runs A, simulating A’s Init, Vf, Fin oracles as shown. When A calls Init, our Acdh can return a legitimate mode-1 CRS by itself picking C at random and returning (p, G, g, A, B, C). When A calls Vf with an argument X (and a proof pf which does not matter) that, if it sets the win flag, will be g ab , where A = g a and B = g b . If only one Vf query was allowed, Acdh could call its own Fin oracle with X to also win. However, since multiple Vf queries can be made, the best Acdh can do is to pick one of the statements queried to the Vf by A at random to submit to its Fin oracle. This adds a multiplicative factor of the number of Vf queries made by A, say q(λ), to the bound. For all λ ∈ N we have cdh Advsnd−p DΠ0 ,R,λ (A) ≤ q(λ) · AdvGG,λ (Acdh ). This completes the proof of claim (3) and thus of the Theorem.  

872

5

V. Arte and M. Bellare

Transference Framework and Positive Results

Let DΠ be a dual-mode proof system satisfying mode indistinguishability. Recall we say that a “property” P (for example, zero-knowledge, soundness, extractability) transfers, if, for any μ ∈ {0, 1}, we have: If DΠμ satisfies P then DΠ1−μ satisfies the computational counterpart of P. In this Section we want to give positive results, showing some properties P do transfer. We could try to do this exhaustively for target properties P1 , P2 , . . .: prove P1 transfers; then prove P2 transfers; and so on. This ad hoc approach has several drawbacks. First, proofs which at heart are very similar will be repeated. Second, proofs will be needed again for new or further properties that we do not consider. (Counting definitional variants in the literature, the number of properties of interest, namely the length of the list above, is rather large.) Third, we’d like a better theoretical understanding of what exactly are the attributes of a property that allow transference. To address this, we give a framework to obtain positive transference results. We start by formalizing what we call a property specification PS. While the game defining P will pick the CRS and the proving and verification keys by running the CRS generator, PS will aim to see the adversary advantage in this game as a function of an external choice of CRS and keys, effectively pulling the choice of CRS and keys out of the game. We will then give a general result (the Transfer Theorem) saying that polynomial-time property specifications transfer successfully. To apply this to get a positive transfer result for some property P of interest, one then has to show that P can be captured by a polynomial time property specification PS. We will illustrate such applications by providing PS explicitly for a few choices of P. It will soon be easy to just look at the game defining P and see from it whether or not P can be cast as a polynomial-time PS, making it simple to see which properties transfer successfully. When the property specification PS is not polynomial time, our Transfer Theorem does not apply. This does not necessarily mean the property fails to transfer, but is an indication in that direction. To show that a particular (non polynomial-time) property P fails to transfer, one can give a counter-example, as with Theorem 4. Property specifications. A property specification PS is a function that, given a proof system Π, returns a triple ( PS.StI, PS[Π.P, Π.V].Or, PS.type ). The first component PS.StI is an algorithm that we refer to as the state initializer, and, as the notation indicates, it does not depend on Π. The second component PS[Π.P, Π.V].Or is an algorithm that we refer to as the oracle responder. We require that it invokes the prover and verifier algorithms of Π as oracles, so that if two proof systems have the same prover and verifier algorithms, the corresponding oracle responders are identical. The final component PS.type ∈ {dec, ser} is a keyword (formally, just a bit), indicating the type of problem, decision or search. The state initializer takes the unary security parameter and a tuple (crs, kP , kV ) ∈ [Π.C(1λ )] to return an initial state, st ←$ PS.StI(1λ , crs, kP , kV ). Then, given a string Oname ∈ PS.ONames ⊆ {0, 1}∗ called an oracle name, another

Dual-Mode NIZKs: Results for Property Transfer

873

string Oarg called an oracle argument, and also given a current state st, the oracle responder returns a pair (Orsp, st) ←$ PS[Π.P, Π.V].Or(Oname, Oarg, st) consisting of an oracle response Orsp and an updated state. The finite set of oracle names PS.ONames (also defined by PS but not allowed to depend on Π) must contain the special name Fin, and it must be that the response Orsp is in the set {true, false} whenever (Orsp, st) ←$ PS[Π.P, Π.V].Or(Fin, Oarg, st). A property specification PS is said to be polynomial time (PT) if for every proof system Π there is a polynomial p such that algorithms PS.StI and PS[Π.P, Π.V].Or run in time bounded by p applied to the lengths of their inputs.

PS[Π].Outcrs,kP kV ,λ (A) λ

st ←$ PS.StI(1 , crs, kP , kV ) Run AOr Return out

Oracle Or(Oname, Oarg) // Oname ∈ PS.ONames (Orsp, st) ←$ PS[Π.P, Π.V].Or(Oname, Oarg, st) If ((Oname = Fin) and (out = ⊥)) then out ← Orsp Return Orsp

Fig. 5. Description of the execution of PS with a proof system Π, security parameter λ, input (crs, kP , kV ) ∈ [Π.C(1λ )] and an adversary A.

We can run PS with a proof system Π, security parameter λ, input (crs, kP , kV ) ∈ [Π.C(1λ )] and an adversary A to get a boolean output, which is denoted PS[Π].Outcrs,λ (A). This output is determined by the process on the left in Fig. 5, the right showing the oracle provided to A. In the figure, the execution initializes the state to st ← PS.StI(1λ , crs, kP , kV ). Then it runs A with access to the oracle Or shown on the right. Given the string naming an oracle, and an argument for it, Or provides the response as defined by PS[Π.P, Π.V].Or. The first time the oracle named Fin is called, the computed response is retained as out, and the latter becomes the output of the execution, namely the value returned as PS[Π].Outcrs,kP ,kV ,λ (A). We define the ps-advantage of A, depending on whether it is a search or decision problem, via λ $ Advps PS[Π],λ (A) = Pr[PS[Π].Outcrs,kP ,kV ,λ (A) : (crs, kP , kV ) ← Π.C(1 )]

if PS.type = ser, and λ $ Advps PS[Π],λ (A) = 2 · Pr[PS[Π].Outcrs,kP ,kV ,λ (A) : (crs, kP , kV ) ← Π.C(1 )] − 1

if PS.type = dec. Here Pr[PS[Π].Outcrs,kP ,kV ,λ (A) : (crs, kP , kV ) ←$ Π.C(1λ )] is the probability that the output of the property specification is true when the CRS and proving and verification keys are chosen at random according to Π.C. We say that Π satisfies PS for a class (set) of adversaries Aps PS if for every ps , the function λ →

Adv (A) is negligible. Parameteradversary A ∈ Aps PS PS[Π],λ izing the definition by a class of adversaries allows us to cover restrictions like membership-consciousness, and to capture computational and statistical variants of a property.

874

V. Arte and M. Bellare State initializer PSsndp .StI(1λ , crs, kP , kV ) / PSsnde .StI(1λ , crs, kP , kV ): R R 1

st ← (1λ , crs, kP , kV , false) ; Return st

[Π.P, Π.V].Or(Oname, Oarg, st): PSsndp [Π.P, Π.V].Or(Oname, Oarg, st) / PSsnde R R 2 3 4 5 6 7 8 9

(1λ , crs, kP , kV , win) ← st If (Oname = Init) then return ((1λ , crs, kP ), st) If (Oname = Vf) then (x, pf) ← Oarg If (x ∈ LR (crs)) then return (Π.V(1λ , crs, kV , x, pf), st) If (Π.V(1λ , crs, kV , x, pf)) then win ← true ; st ← (1λ , crs, kP , kV , win) Return (Π.V(1λ , crs, kV , x, pf), st) If (Oname = Fin) then return (win, st)

Fig. 6. Algorithms associated by the SND-P property specification PSsndp and the R to proof system Π, where R is an NP-relation. SND-E property specification PSsnde R The boxed code is only included in the SND-P specification.

The SND-E and SND-P property specifications. We pause to illustrate property specifications by an example before providing the Transfer Theorem. and PSsndp corresponding to the We describe the property specifications PSsnde R R SND-E and SND-P properties for R, respectively, in Fig. 6. The state initializer algorithms are the same for both, setting the initial state st to the crs, proving key and verification key they are given as input, together with the security parameter. The oracle responder algorithms differ only at line 6, which is included for SND-P and excluded for SND-E. To each of the oracles Init, Vf, Fin in the games of Fig. 3, we associate a string naming it, these being Init, Vf, Fin, .ONames = PSsndp .ONames = {Init, Vf, Fin}. Passing respectively, so that PSsnde R R the name of an oracle, and arguments for it, to the oracle responder, results in the response of that oracle being returned. (Also returned is the state, which is updated here, but may not be in other property specifications.) The problem .type = PSsndp .type = ser, meaning both are search problems. As type is PSsnde R R this shows, there is a quite direct connection between the games and the property specification, the key difference being that the latter has the CRS as input while the former picks it internally. We connect the actual properties with their formal property specifications via the following, which says that, for x ∈ {e, p}, the sndx-advantage is identical to the corresponding ps-advantage. Proposition 5. Let R be an NP-relation, Π a proof system and A an adversary. Then for all λ ∈ N we have: ps snd−p ps Advsnd−e Π,R,λ (A) = AdvPSsnde [Π],λ (A) and AdvΠ,R,λ (A) = Adv sndp R

PSR

[Π],λ

(A) .

Dual-Mode NIZKs: Results for Property Transfer

875

In the case of SND-E, Proposition 5 does not restrict to membership conscious adversaries, even though these are the ones of eventual interest; the claim of the Proposition is true for all adversaries. The key difference between the two property specifications is in their running is polynomial time. But property specificatime. Property specification PSsnde R sndp tion PSR is only polynomial time if testing membership of x in LR (crs) can be done in time polynomial in the lengths of x and crs, which, for relations of but, interest, is usually not the case. Our Transfer Theorem applies to PSsnde R due to its not in general being polynomial time, not to PSsndp . R Transfer theorem. We are now ready to state the Transfer Theorem. Refer above for what it means for a proof system Π to satisfy a property specification PS for a class of adversaries Aps PS . The following says that when this is true in one mode of a dual-mode proof system DΠ, then its computational counterpart is true in the other mode. Below, we let APT be the class of all polynomial-time PT in the conclusion of the Theorem adversaries; the intersection of Aps PS with A captures that the transferred property is the computational counterpart of the original one. Theorem 6. Let DΠ be a dual-mode proof system that is mode indistinguishable. Let μ ∈ {0, 1}. Let PS be a polynomial-time property specification. Assume DΠμ satisfies PS for a class of adversaries Aps PS . Then DΠ1−μ satisfies PS for the class PT ∩ A . of adversaries Aps PS Proof (Theorem 6). Let A be a polynomial-time adversary. We build a polynomial-time adversary Aμ such that for all λ ∈ N we have ps mode Advps PS[DΠ1−µ ],λ (A) ≤ AdvPS[DΠµ ],λ (A) + 2 · AdvDΠ,λ (Aμ ) .

(1)

The theorem follows. To establish Eq. (1), recall that, as per the definition of a property specification, the oracle responder algorithm depends only on the prover and verifier algorithms of the proof system it is given, invoking these as oracles. But, by the definition of the proof systems induced proof by a dual-mode proof system, for both DΠ0 and DΠ1 , the prover algorithm is DΠ.P and the verifier algorithm is DΠ.V. This means that the oracle responder algorithms corresponding to DΠ0 and DΠ1 are identical, both being PS[DΠ.P, DΠ.V].Or. With this, consider the games Gd , defined, for d ∈ {0, 1}, in Fig. 7. At line 1, they generate the CRS and the proving and verification keys in mode d, and then run the state initializer (we use here the fact that it does not depend on the proof system) to get an initial state. In responding to Or queries at line 2, they use the oracle responder with prover and verifier algorithms set to those of the dual-mode proof system, as per the above. Then for both d = 0 and d = 1 we have  Pr[Gd (A)] if type = ser (A) = Advps PS[DΠd ],λ 2 Pr[Gd (A)] − 1 if type = dec.

876

V. Arte and M. Bellare Game Gd // d ∈ {0, 1} Init(): λ λ 1 (crs, td, kP , kV ) ←$ DΠ.C(1 , d) ; st ←$ PS.StI(1 , crs, kP , kV ) Or(Oname, Oarg): 2 (Orsp, st) ←$ PS[DΠ.P, DΠ.V].Or(Oname, Oarg) 3 If ((Oname = Fin) and (out = ⊥)) then out ← Orsp 4 Return Orsp Fin(): 5 Return out Adversary Aμ 1 2 3

λ Or (crs, kP , kV ) ←$ Gmode DΠ,λ .Init ; st ← PS.StI(1 , crs, kP , kV ) ; Run A If out then a ← 1 else a ← 0 Return (a ⊕ μ)

Or(Oname, Oarg): 4 (Orsp, st) ←$ PS[DΠ.P, DΠ.V].Or(Oname, Oarg) 5 If ((Oname = Fin) and (out = ⊥)) then out ← Orsp 6 Return Orsp

Fig. 7. Left: Games for the proof of Theorem 6. Right: Adversary for the proof of Theorem 6.

Thus if type = ser we have Advps PS[DΠ1−µ ],λ (A) = Pr[G1−μ (A)] = Pr[Gμ (A)] + ( Pr[G1−μ (A)] − Pr[Gμ (A)] ) = Advps PS[DΠµ ],λ (A) + ( Pr[G1−μ (A)] − Pr[Gμ (A)] ) . And if type = dec we have Advps PS[DΠ1−µ ],λ (A) = 2 Pr[G1−μ (A)] − 1 = 2 Pr[Gμ (A)] − 1 + 2 · ( Pr[G1−μ (A)] − Pr[Gμ (A)] ) = Advps PS[DΠµ ],λ (A) + 2 · ( Pr[G1−μ (A)] − Pr[Gμ (A)] ) . We build PT mode indistinguishability adversary Amode so that Pr[G1−μ (A)] − Pr[Gμ (A)] ≤ Advmode DΠ,λ (Aμ ) . The adversary Aμ is shown at the bottom in Fig. 7. At line 1 it obtains a CRS and proving and verification keys from its own Init oracle. It then runs A and simulates the Or oracle of the latter as shown. Let b be the randomly chosen bit in Gmode DΠ,λ . Then Advmode DΠ,λ (Aμ ) = Pr [ a⊕μ = 1 | b = 1 ] − Pr [ a⊕μ = 1 | b = 0 ] .

Dual-Mode NIZKs: Results for Property Transfer

877

Let us consider the two cases depending on whether μ is 0 or 1. μ=0:

Advmode DΠ,λ (A0 ) = Pr [ a = 1 | b = 1 ] − Pr [ a = 1 | b = 0 ] = Pr[G1 (A)] − Pr[G0 (A)]

μ=1:

Advmode DΠ,λ (A1 ) = Pr [ a = 0 | b = 1 ] − Pr [ a = 0 | b = 0 ] = Pr [ a = 1 | b = 0 ] − Pr [ a = 1 | b = 1 ] = Pr[G0 (A)] − Pr[G1 (A)]

We can combine the two cases together as follows: Advmode DΠ,λ (Aμ ) = Pr[G1−μ (A)] − Pr[Gμ (A)] . This completes the proof.

 

Transference of SND-E. We can apply this to conclude transference of SND-E as follows. Let Asnde be the class of membership-conscious, PT adver. saries. (Restricting, here, to PT only strengthens the result.) Let PS be PSsnde R Then combining Theorem 6 with Proposition 5 says that if DΠμ is SND-E then so is DΠ1−μ . This is however a simple case. For ZK, the property specification definition is more delicate, and some work will be needed to check that it obeys the conditions required by the definition of a property specification. We now turn to establishing transference for other properties. We will give their definitions, and the property specifications, side by side. Zero knowledge is considered below, while further property specifications are described in the full version [3]. Zero knowledge. The property specification allowing showing transference for ZK is more interesting, in part because it is a decision problem. We formalize what is usually called adaptive zero knowledge, as the form most useful for applications. A simulator S specifies a PT algorithm S.C (the simulation CRS-generator) and a PT algorithm S.P (the simulation proofgenerator). Consider game Gzk Π,R,S,λ specified in Fig. 8. ZK-adversary A can adaptively request proofs by supplying an instance and a valid witness for it. The proof is produced either by the honest prover using the witness, or by the proof simulator S.P using a simulation trapdoor td0 . The adversary outputs a guess b as to whether the proofs were real or simulated. Let Advzk Π,R,S,λ (A) = (A)] − 1 be its zk-advantage relative to S. 2 Pr[Gzk Π,R,S,λ We say that Π is computational ZK for R if there exists a simulator S such that for all PT A the function λ → Advzk Π,R,S,λ (A) is negligible; statistical ZK for R if there exists a simulator S such that for all A, regardless of running time, the function λ → Advzk Π,R,S,λ (A) is negligible; and perfect ZK for R if there exists a simulator S such that for all A, regardless of running time, Advzk Π,R,S,λ (A) = 0.

878

V. Arte and M. Bellare

Game Gzk Π,R,S,λ Init(): λ 1 (crs1 , td1 , kP , kV1 ) ←$ Π.C(1 ) λ 2 (crs0 , td0 , kV0 ) ←$ S.C(1 ) 3 b ←$ {0, 1} ; crs ← crsb ; kV ← kVb λ 4 Return (1 , crs, kV ) Pf(x, w): 5 If (¬R(crs, x, w)) then return ⊥ 6 If (b = 1) then 7 pf ←$ Π.P(1λ , crs, kP , x, w) λ 8 Else pf ←$ S.P(1 , crs, kV , td0 , x) 9 Return pf Fin(b ):  10 Return (b = b)

λ State initializer PSzk R,S .StI(1 , crs, kP , kV ):

1 2 3

b ←$ {0, 1} If (b = 0) then (crs, td, kV ) ←$ S.C(1λ ) st ← (1λ , crs, td, kP , kV , b) ; Return st

PSzk R,S [Π.P, Π.V].Or(Oname, Oarg, st): 4 5 6 7 8 9 10 11 12 13 14 15 16

(1λ , crs, td, kP , kV , b) ← st If (Oname = Init) then return (crs, kV , st) If (Oname = Pf) then (x, w) ← Oarg If (¬R(crs, x, w)) then return (⊥, st) If (b = 1) then pf ←$ Π.P(1λ , crs, kP , x, w) Else pf ←$ S.P(1λ , crs, kV , td, x) Return (pf, st) If (Oname = Fin) then b ← Oarg ; Return ((b = b ), st)

Fig. 8. Left: Game defining zero-knowledge (relative to simulator S) for proof system Π. Right: The state initializer and oracle responder algorithms associated by the ZK property specification PSzk R,S to proof system Π, where R is an NP-relation and S is a simulator.

Saying just that Π is ZK means it could be any of the three, meaning the default assumption is computational. We describe the property specification PSzk R,S corresponding to the ZK property for relation R and simulator S. Fig. 8 shows the algorithms that it associates to a given proof system Π. While game Gzk Π,R,S of Fig. 8 picks the CRS and the proving and verification keys via Π.C when b = 1, state initializer PSzk R,S .StI takes the CRS and the proving and verification keys as input and sets this CRS as the CRS when b = 1. If b = 0, this CRS is overwritten at line 2. The state is the 6-tuple at line 4. To each oracle Init, Pf, Fin in game Gzk Π,R,S we associate a string naming it, these being Init, Pf, Fin, respectively, so that PSzk R,S .ONames = {Init, Pf, Fin}. Passing the name of an oracle, and arguments for it, to PSzk R,S [Π.P, Π.V].Or, results in the response of that oracle being returned. (Also returned is the state, which here is not updated, but may be in other property specifications.) The type is PSzk R,S .type = dec, meaning this is a decision problem. To connect the ZK property with the property specification PSzk R,S , we see that the zk-advantage is identical to the ps-advantage:

Dual-Mode NIZKs: Results for Property Transfer

879

Proposition 7. Let R be an NP-relation, S a simulator, Π a proof system and A an adversary. Then for all λ ∈ N we have: ps Advzk Π,R,S,λ (A) = AdvPSzk [Π],λ (A) . R,S

From Fig. 8, one can see that the ZK property specification PSzk R,S is polynomial time. Combining Theorem 6 with Proposition 7 thus says that the ZK property transfers. We provide property specifications for witness indistinguishability and extractability in the full version [3]. Acknowledgments. We thank the IndoCrypt 2020 reviewers for their comments. The authors are supported in part by NSF grant CNS-1717640 and a gift from Microsoft corporation.

References 1. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007). https:// doi.org/10.1007/978-3-540-70936-7 7 2. Albrecht, M.R., Farshim, P., Hofheinz, D., Larraia, E., Paterson, K.G.: Multilinear maps from obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 446–473. Springer, Heidelberg (2016). https://doi.org/10.1007/9783-662-49096-9 19 3. Arte, V., Bellare, M.: Dual-mode NIZKs: possibility and impossibility results for property transfer. Cryptology ePrint Archive, Report 2020/629 (2020). https:// eprint.iacr.org/2020/629 4. Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interative zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990) 5. Bellare, M., Hofheinz, D., Kiltz, E.: Subtleties in the definition of IND-CCA: when and how should challenge decryption be disallowed? J. Cryptol. 28(1), 29–48 (2015) 6. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/ 10.1007/11761679 25 7. Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991) 8. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC, pp. 103–112. ACM Press, May 1988 9. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: Lie, D., Mannan, M., Michael, B., XiaoFeng W., (eds.), ACM CCS 2018, pp. 896–912. ACM Press, October 2018

880

V. Arte and M. Bellare

10. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators: silent OT extension and more. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 489–518. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8 16 11. Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetrickey primitives. In: Bhavani M., David Evans, T., Malkin, T., Xu, D., (eds.), ACM CCS 2017, pp. 1825–1842. ACM Press, October / November 2017 12. Damg˚ ard, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6 30 13. Damg˚ ard, I., Fazio, N., Nicolosi, A.: Non-interactive zero-Knowledge from homomorphic encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 41–59. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878 3 14. De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge with preprocessing. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 269–282. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2 21 15. Elkind, E., Sahai, A.: A unified methodology for constructing public-key encryption schemes secure against adaptive chosen-ciphertext attack. Cryptology ePrint Archive, Report 2002/042, (2002). http://eprint.iacr.org/2002/042 16. Fischlin, M., Fischlin, R.: Efficient non-malleable commitment schemes. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 413–431. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6 26 17. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230 29 18. Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175 6 19. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679 21 20. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zeroknowledge. J. ACM (JACM) 59(3), 1–35 (2012) 21. Hofheinz, D., Ursu, B.: Dual-mode NIZKs from obfuscation. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 311–341. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5 12 22. Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Designated verifier/prover and preprocessing NIZKs from Diffie-Hellman assumptions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 622–651. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3 22 23. Kim, S., Wu, D.J.: Multi-theorem preprocessing NIZKs from lattices. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 733–765. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0 25 24. Libert, B., Passel`egue, A., Wee, H., Wu, D.J.: New constructions of statistical NIZKs: dual-mode DV-NIZKs and more. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 410–441. Springer, Cham (2020). https://doi. org/10.1007/978-3-030-45727-3 14 25. Lombardi, A., Quach, W., Rothblum, R.D., Wichs, D., Wu, D.J.: New constructions of reusable designated-verifier NIZKs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 670–700. Springer, Cham (2019). https:// doi.org/10.1007/978-3-030-26954-8 22

Dual-Mode NIZKs: Results for Property Transfer

881

26. Pass, R., shelat, A.: Unconditional characterizations of non-interactive zeroknowledge. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 118–134. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218 8 27. Pass, R., shelat, A., Vaikuntanathan, V.: Construction of a non-malleable encryption scheme from any semantically secure one. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 271–289. Springer, Heidelberg (2006). https://doi.org/10. 1007/11818175 16 28. Quach, Willy., Rothblum, R.D., Wichs, D.: Reusable designated-verifier NIZKs for all NP from CDH. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 593–621. Springer, Cham (2019). https://doi.org/10.1007/978-3-03017656-3 21

On Black-Box Extension of a Non-Interactive Zero-Knowledge Proof System for Secret Equality Kyosuke Yamashita1,2(B) , Mehdi Tibouchi1,3 , and Masayuki Abe1,3 1 Graduate School of Informatics, Kyoto University, Kyoto, Japan [email protected], [email protected], [email protected] 2 Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology, Tokyo, Japan 3 Secure Platform Laboratories, NTT Corporation, Tokyo, Japan

Abstract. A non-interactive zero-knowledge proof system (NIZK) for a composite language (i.e., a language that combines distinct statements by AND or OR) is widely used in cryptographic applications. The (im)possibility of black-box constructions of such NIZKs has been studied so far. We extend it to the case of proving equality of a witness behind distinct statements that often plays a central role in cryptographic constructions as illustrated by the seminal work by Naor and Yung (STOC, 1990). In this paper, we investigate the impossibility of a black-box construction of NIZKs for equality of witnesses from those proving the validity of the witnesses. Concretely, we prove that there exists no black-box construction of NIZKs for equality of plaintexts in two distinct ciphertexts of public-key encryption schemes based on NIZKs for proving validity of ciphertexts. It implies that one has to exploit specific properties of the underlying encryption schemes or NIZKs to construct NIZKs for proving equality, and hence justifies existing constructions.

Keywords: Black-box construction

1

· NIZK · Witness equality

Introduction

A non-interactive zero-knowledge proof system (NIZK) [6] is one of the most important cryptographic primitives, which consists of two parties. A prover, who is given a statement x and a witness w of an NP language L, convinces a verifier that x is indeed in L without interaction. Recently, practical NIZKs have been proposed such as [19,21,23] and thus NIZKs are becoming building blocks for practical applications such as blockchain. There already exist NIZKs for NP complete languages based on some assumptions [6,16,20,30]. However, when it comes using NIZKs as building blocks for advanced protocols, it is often assumed that NIZKs support convenient languages for the constructions [17,22]. c Springer Nature Switzerland AG 2020  K. Bhargavan et al. (Eds.): INDOCRYPT 2020, LNCS 12578, pp. 882–904, 2020. https://doi.org/10.1007/978-3-030-65277-7_39

On Black-Box Extension of an NIZK for Secret Equality

883

An extended language [2] (or a composite statement [3]1 ) is a language that combines two languages L1 and L2 by a logical binary operator  ∈ {∧, ∨}, i.e., L1  L2 . There are several applications that employ NIZKs for extended languages. For instance, it is often necessary that an NIZK in a cryptocurrency supports both Boolean and algebraic statements. Thus, an NIZK for an extended language is employed to meet this requirement [3,9]. While NIZKs for extended languages are seen in the literature, to the best of our knowledge, there are few works that treat such NIZKs in a black-box manner. However, Abe et al. [2] initiated the study of black-box language extension, which investigates, given NIZKs for languages L1 and L2 respectively, if we can construct an NIZK for L1  L2 in a black-box manner. For instance, given NIZKs for languages L1 and L2 respectively, it is possible to construct an NIZK for L1 ∧ L2 by invoking given NIZKs in parallel. They showed the (im)possibility of NIZKs that prove extended languages. However, their result tells nothing about extended languages that take account of binary relations between witnesses. It is non-trivial whether we can construct NIZKs for extended languages that take account of witness relations in a black-box manner whereas such languages are found in the literature [4,17,22,27]. For instance, it is not obvious if we can construct an NIZK for (x1 ∈ L1 ) ∧ (x2 ∈ L2 ) ∧ (w1 = w2 ) where (x1 , w1 ) ∈ RL1 and (x2 , w2 ) ∈ RL2 from NIZKs for L1 and L2 in a black-box manner. We refer to such a language as an equality language. Often it is not hard to construct an NIZK for an equality language in a non-black-box manner, especially by exploiting algebraic properties. For instance, the well-known Chaum-Pedersen protocol [11] constitutes an NIZK in the random oracle model for the equality language over discrete logarithms of group elements. It should also be noted that relations among witnesses might be easily proven if the underlying NIZK is a commit-and-prove (CP) system [10,25] where commitments of witnesses are provided as parts of proofs. The CP systems, including CP-NIZKs, are popular in the literature, e.g., [5,9,12,28,29], as noted in [24]. As mentioned above, CP-NIZKs for proving equality languages have already been proposed. However, there also exist NIZKs that do not invoke commitment schemes at all and it is open if we can construct NIZKs for proving equality languages based on such NIZKs in a black-box manner. Our Contribution We study a black-box language extension to NIZKs for an equality language. We in particular focus on NIZKs for proving the equality of plaintexts embedded in a pair of ciphertexts, which is a well-studied NIZK required in the NaorYung construction [27]. More precisely, given two ciphertexts generated by a chosen plaintext secure public key encryption scheme (CPA-PKE) under distinct public keys of the scheme respectively, it proves that these ciphertexts originate from the same plaintext. We refer to such a language as the plaintext equality language (zero-knowledge proofs for this language are found in the literature such as [12,29]). We focus on such a language since the Naor-Yung construction 1

While the terminology “composite statement” in [3] includes nested functions, we only focus on statements combined by AND or OR in this paper.

884

K. Yamashita et al.

is one of the most notable applications of an NIZK that proves an equation among witnesses. Technically, we first introduce oracles that constitute a CPAPKE and a simulation-sound NIZK (SS-NIZK) [32] that proves the validity of a ciphertext generated by the CPA-PKE respectively. Then we show that, given these oracles, there is no black-box construction of a (standard) NIZK for the plaintext equality language. Our result suggests that we should rely on specific properties or structures of the underlying NIZKs or language to prove witness equality even at the expense of the efficiency or generality of the construction. Related Work As is already mentioned above, equality languages are seen in the literature [5,9,11,22,24,28], and some of them deal with the plaintext equality language [12,27,29]. Particularly, Campanelli et al. [9] introduced a framework for commitand-prove SNARKs (CP-SNARKs). They generalized CP-SNARKs for certain basic binary relations, and the CP-SNARK that proves the equality between two committed values plays an essential role for their framework. Because SNARKs are known to be efficient NIZKs, we claim that proving equality between witnesses is meaningful for both theoretical and practical aspects. We remark that CP-SNARKs are found in the literature such as [13,26]. Abe et al. [2] showed the impossibility of a black-box constructions of NIZKs for L1 ∨ L2 (resp., SS-NIZKs for L1 ∧ L2 ) based on NIZKs (resp., SS-NIZKs) for languages L1 and L2 . In spite of such negative results, there is still room for consideration of a black-box construction of NIZKs for extended languages. We argue that our result is orthogonal to [2] as it is not trivial if an SS-NIZK for a conjunctive language implies a (standard) NIZK for a conjunctive language that takes account of a witness relation (and thus, the plaintext equality language). Our work is inspired by Brakerski et al. [7]. They introduced the augmented black-box framework that takes an NIZK into account to encompass a non-blackbox technique. However, our work differs from theirs in terms of a language that the NIZK oracle proves. In [7], the NIZK oracle proves an NP complete language (thus sufficiently powerful to capture the Naor-Yung construction in their framework), while ours are restricted to a specific language for a CPA-PKE. Progress from the Previous Work Here we first review the technical aspect of [2] and then overview the proof of our main theorem. They showed that, given SS-NIZKs for languages L1 and L2 where both of them are so-called oracle languages, it is impossible to construct an (unbounded) SS-NIZK for L1 ∧ L2 in a black-box manner. With assuming the existence of a black box construction M of a proof system for L1 ∧ L2 that is complete and zero-knowledge, they demonstrated an adversary that attacks the soundness of M in the (unbounded) simulation-sound game. In the soundness game, the adversary runs the prover of M (denoted by M.Prv) on a false statement / L1 and x2 ∈ L2 . When M.Prv makes a query on x1 to the (x1 , x2 ) where x1 ∈ given oracle, the adversary simulates the answer so that x1 looks like a correct instance of L1 , and finally outputs a forged proof. We call such a technique as a “swapping technique.” Then, they showed that the verifier algorithm of M (denoted by M.Vrf) cannot distinguish such a forged proof with a genuine

On Black-Box Extension of an NIZK for Secret Equality

885

proof as long as it does not make a query on a witness of a given instance, and thus accepts such a proof with high probability. Because it was shown that the verifier makes such a query only with negligible probability, the adversary wins the soundness game with high probability. We argue that the swapping technique can be applied to our problem, as both our work and [2] treat conjunctive languages, while the equality language requires the equality of witnesses behind two ciphertexts. In [2], they demonstrated that a forged proof is indistinguishable from a real proof by showing that M.Vrf makes a query on a witness only with negligible probability. We take a step further and prove that the absence of such a query causes M.Vrf not to validate the witness equality. More technically, our adversary differs from in [2] in terms of the soundness game they participate. Recall that we consider the standard soundness game whereas they considered the unbounded simulation-soundness game. In [2], the adversary simulates the oracle answers based on a list of query/answer pairs that the challenger gives to the adversary, and they put an assumption, named the “full verification model,” that the list contains sufficient information for the simulation. On the contrary, we consider the standard soundness game so that the adversary’s behavior becomes simpler and we do not put any assumptions such as the full verification model. (We exhibit the idea and overview of our adversary before formally demonstrating it in Sect. 4.)

2 2.1

Preliminary Basic Notation

Throughout this paper n ∈ N denotes a security parameter. We denote polynomial functions and negligible functions by poly and negl respectively. For a finite set X, let x ← X denote sampling an instance x ∈ X with the uniform distribution over X. We denote by PPT a probabilistic polynomial time Turing machine. A Turing machine M that is allowed to access an oracle O is said an oracle Turing machine, denoted by MO . For an NP language L, we denote the NP relation by RL , and define Ln := L ∩ {0, 1}n and Rn := {(x, w) | (x, w) ∈ RL ∧ x ∈ Ln }. For an algorithm A, let y ← A(x) denote a computation where A takes x as an input, and outputs y. For an oracle algorithm AO , the notation y ← O(x) represents a computation that O is given an input x from A, and returns y to A. The same notation y ← O(x) denotes a query to O on x results in y. Brackets notation [·] represents a variable that matches to any value; for instance, y ← O([x]) matches to any query that results in y, and we refer to the input value by x thereafter. When the matched value is not important in the context, we use the wildcard ∗ and write y ← O(∗). For a function f , we define f −1 (y) = {x | f (x) = y}, i.e., f −1 is the inverse function of f . The notation M(func, x) is an algorithm or an oracle M that works as a function specified by func on input x. We write M.func to denote the function func implemented by M if an input is not important in the context. An oracle O can be seen as a set of entries of a form (func, x, y) where func is a function

886

K. Yamashita et al.

implemented by O, x is an input of func and y is an output s.t. y ← O(func, x), and we denote by O(func, x, y) the entry. A partial oracle of an oracle O is a set S that is defined only on some subset of the possible inputs of O. A partial oracle S of O is consistent to O if there exists another set S  s.t. S ∪ S  = O. We let S = S1 ||S2 || · · · be an oracle that consists of partial oracles Si ’s and works as follows; given a query on x, it first searches S1 for a matching entry (x, [y]) and returns y if such a query exists, otherwise it searches S2 and so forth. For a function f : {0, 1}n1 → {0, 1}n2 where n1 < n2 , we say y ∈ {0, 1}n2 is legitimate with respect to f if there exists x ∈ {0, 1}n1 s.t. f (x) = y. If f is clear in the context, we simply say y is legitimate. Definition 1 (Public Key Encryption). A tuple Π = (Π.Key, Π.Enc, Π.Dec) of PPTs is a public key encryption scheme (PKE) where each machine works as follows: Π.Key: pk ← Π(Key, sk) Given a secret key sk, output a public key pk. Π.Enc: c ← Π(Enc, pk, m, r) Given a public key pk, a plaintext m and a randomness r, output a ciphertext c. Π.Dec: {m, ⊥} ← Π(Dec, sk, c) Given a secret key sk and a ciphertext c, output a plaintext m or ⊥ where ⊥ indicates c is invalid. With probability 1, Π(Dec, sk, Π(Enc, pk, m, r)) = m where (pk, sk) ← Π(Key, 1n ). Definition 2 (Security Property of PKEs). Let Π = (Π.Key, Π.Enc, Π.Dec) be a PKE. For atk ∈ {CP A, CCA1, CCA2} and any PPT adversary A = (A0 , A1 ), if the advantage |Pr[ExptPKEatk A,Π (n) = 1] − 1/2| of the following is negligible in n, then Π is said to be atk secure: experiment ExptPKEatk A,Π atk ExptPKEA,Π (n) Choose a secret key sk, pk ← Π(Key, sk), 0 Output 1 if b = b (m0 , m1 , μ) ← AO 0 (pk), : n b ← {0, 1}, r ← {0, 1} , c ← Π(Enc, pk, mb , r), else output 0 1 b ← A O 1 (μ, c) where O0 = φ and O1 = φ if atk = CP A, O0 = Π(Dec, sk, ·) and O1 = φ if atk = CCA1 and O0 = Π(Dec, sk, ·), O1 = Π(Dec, sk, ·) if atk = CCA2. None of the queries of A1 contains the challenge ciphertext c if atk = CCA2. Definition 3 (NIZK). A tuple of PPTs L = (L.Crs, L.Prv, L.Vrf, L.CrsSim, L.PrvSim) that work as follows is a non-interactive zero-knowledge proof system (NIZK) for a language L where L.Vrf is deterministic and others are probabilistic: L.Crs: σ ← L(Crs, 1n ) Given a security parameter, output a common reference string (CRS) σ.

On Black-Box Extension of an NIZK for Secret Equality

L.Prv: π ← L(Prv, σ, x, w) Given a CRS σ, an instance x and L.Vrf: b ← L(Vrf, σ, x, π) Given a CRS σ, an instance x and L.CrsSim: (σ, τ ) ← L(CrsSim, 1n ) Given a security parameter, output L.PrvSim: π ← L(PrvSim, σ, x, τ ) Given a CRS σ, an instance x and

887

a witness w, output a proof π or ⊥. a proof π, output a bit b ∈ {0, 1}. a trapdoor τ and a CRS σ. a trapdoor τ , output a proof π or ⊥.

Definition 4 (Security Properties of NIZKs). An NIZK L = (L.Crs, L.Prv, L.Vrf, L.CrsSim, L.PrvSim) for a language L has the following properties. Completeness: For any n ∈ N, any σ ← L(Crs, 1n ) and any (x, w) ∈ RL , Pr[L(Vrf, σ, x, L(Prv, σ, x, w)) = 1] ≥ 1 − negl(n). Soundness: For any PPT adversary A, the following holds;   σ ← L(Crs, 1n ) / L ≤ negl(n). : L(Vrf, σ, x, π) = 1 ∧ x ∈ Pr (x, π) ← A(σ) Adaptive Zero-Knowledge: For any stateful PPT adversary A, the following holds; ⎤ ⎡ σ ← L(Crs, 1n ) AdvZKA,L,L (n) = Pr ⎣ (x, w) ← A(σ) : A(π) = 1 ∧ (x, w) ∈ RL ⎦ π ← L(Prv, σ, x, w) ⎡ ⎤ (σ, τ ) ← L(CrsSim, 1n ) (x, w) ← A(σ) − Pr ⎣ : A(π) = 1 ∧ (x, w) ∈ RL ⎦ π ← L(PrvSim, σ, x, τ ) ≤ negl(n). Sahai [32] introduced an SS-NIZK that captures the intuition behind zeroknowledge proofs. That is, a proof generated by an NIZK does not increase the power of an adversary apart from the capability of proving the same statement. Definition 5 ((Unbounded) Simulation-Sound NIZK). Let L = (L.Crs, L.Prv, L.Vrf, L.CrsSim, L.PrvSim) be an NIZK for a language L. Then L is an (unbounded) simulation-sound NIZK (SS-NIZK) for L if for any stateful PPT adversary A, the probability Pr[ExptSSA,L,L (n) = 1] is negligible in n where ExptSSA,L,L (n) is defined as follows: ExptSSA,L,L (n) (σ, τ ) ← L(CrsSim, 1n ) output 1 if x ∈ / L∧x∈ / Q ∧ L(Vrf, σ, x, π) = 1 : (x, π) ← AL(PrvSim,σ,·,τ ) (σ) else output 0 where Q is a list of queries that A makes to L(PrvSim, σ, ·, τ ). This work focuses on the impossibility of a black-box construction of a primitive. We define a black-box construction of a primitive as follows.

888

K. Yamashita et al.

Definition 6 ([31]). There exists a (fully) black-box construction of a primitive Q from a primitive P if there exists PPT oracle machines G and S s.t. – For any implementation f of P , Gf implements Q. – For any implementation f of P and any Turing machine M , if M f breaks the security of Q, then S f,M breaks the security of P . On the other hand, when we say “impossibility of a primitive Q from P ,” it means that there is no black-box construction of Q from P . We formally define an extended language. Definition 7 (Extended Language [2]). Let L and Lˆ be languages, and  ∈ {∨, ∧} denotes a logical binary operator. An extended language is defined as the ˆ) |(x ∈ Ln )(ˆ x ∈ Lˆn )}. The extension union n (Ln  Lˆn ) where Ln  Lˆn := {(x, x  ˆ is non-trivial if Ln  Ln ∈ / Ln for any n and n . Definition 8 (Extended Language with Witness Relation). Let L and Lˆ be languages, R be a binary relation and  ∈ {∨, ∧} denotes a logical binary operator. An extended language with witness relation R is defined as the union  ˆn ), for any n and n , (L  L n n Ln  Lˆn := {(x, x ˆ) |∃ w, w ˆ s.t. {(x, w) ∈ RLn  (ˆ x, w) ˆ ∈ RLˆn } ∧ R(w, w) ˆ = 1}. The extension is non-trivial if Ln  Lˆn ∈ / Ln for any n and n . In this work we make use of the CPA-PKE oracle defined by Gertner et al. [18]. Definition 9 (The CPA-PKE Oracle [18]). Let O = (O.g, O.e, O.d, O.w, O.u) be an oracle that is chosen uniformly according to the following distributions. O.g: pk ← O(g, sk) Given a secret key sk ∈ {0, 1}n , output a public key pk ∈ {0, 1}3n where O.g is a random injection. O.e: c ← O(e, pk, b, r) Given a public key pk ∈ {0, 1}3n , a message bit b ∈ {0, 1} and a randomness r ∈ {0, 1}n , output a ciphertext c ∈ {0, 1}3n where O(e, pk, ·, ·) is a random injection for any pk ∈ {0, 1}3n . O.d: {0, 1, ⊥} ← O(d, sk, c) Given a secret key sk ∈ {0, 1}n and a ciphertext c ∈ {0, 1}3n , output a bit b ∈ {0, 1} if there exists a randomness r s.t. O(e, O(g, sk), b, r) = c; otherwise output ⊥. O.w: O(e, pk, sk1 , rpk,1,j ), · · · , O(e, pk, skn , rpk,n,j ) ← O(w, pk, j) Given a public key pk ∈ {0, 1}3n and an index j ∈ {0, 1}n , output ⊥ if O(g −1 , pk) = ⊥ 2 ; otherwise output O(e, pk, sk1 , rpk,1,j ), · · · , O(e, pk, skn , rpk,n,j ) where (sk1 , · · · , skn ) = sk = O(g −1 , pk) and rpk,k,j are uniformly chosen from {0, 1}n for any 1 ≤ k ≤ n. 2

Since O.g is injective, O.g −1 is uniquely defined.

On Black-Box Extension of an NIZK for Secret Equality

889

O.u: {, ⊥} ← O(u, pk, c) Given a public key pk ∈ {0, 1}3n and a ciphertext c ∈ {0, 1}3n , output  if there exist an sk ∈ {0, 1}n , b ∈ {0, 1} and r ∈ {0, 1}n s.t. O(g, sk) = pk and O(e, pk, b, r) = c; otherwise ⊥. We denote by On the set of all oracles that satisfy the above syntax for a security parameter n. Theorem 1 (The Construction of a CPA-PKE [18]). Let O = (O.g, O.e, O.d, O.w, O.u) be an oracle uniformly chosen from the distribution defined in Definition 9. Then, the following construction Π is a CPA-PKE. Π O .Key: pk ∗ ← Π O (Key, sk ∗ ) Given a secret key sk ∗ ∈ {0, 1}n , compute pk ← O(g, sk ∗ ) and output sk ∗ and pk ∗ := pk. O Π .Enc: c∗ ← Π O (Enc, pk ∗ , b, r) Given a public key pk ∗ = pk, a message bit b ∈ {0, 1} and a randomness r ∈ {0, 1}n , compute c = O(e, pk, b, r) and output c∗ := c. O Π .Dec: b ← Π O (Dec, sk ∗ , c∗ ) Given a secret key sk ∗ = sk and a ciphertext c∗ = c, output b = O(d, sk, c) where it might be the case that b = ⊥. It is known that there is no black-box construction of a CCA-PKE based on O in a bit restricted model named the shielding model [18]. The Naor-Yung/Sahai Paradigm We introduce the Naor-Yung/Sahai paradigm [27,32]. The construction is simple; encrypt a message by two distinct public keys of a CPA-PKE together with a zero-knowledge proof that shows these two ciphertexts are generated from the same plaintext. Let Π = (Π.Key, Π.Enc, Π.Dec) be a CPA-PKE and L = (L.Crs, L.Prv, L.Vrf, L.CrsSim, L.PrvSim) be an NIZK for the following plaintext equality language with respect to Π: LΠ EQ = {(c0 , c1 , pk0 , pk1 ) | ∃m, r0 , r1 s.t. c0 = Π(Enc, pk0 , m, r0 ) ∧ c1 = Π(Enc, pk1 , m, r1 )}. We remark that LΠ EQ is an extended language with witness relation which is defined in Definition 8 since it requires that plaintexts behind two ciphertexts are the same. We sometimes omit the description “with respect to Π” if it is clear from the context. Note that LΠ EQ is a non-trivial extended language. The formal description of the Naor-Yung construction M is as follows: M.Key: pk ∗ ← M(Key, sk ∗ ) Given a secret key sk ∗ = (sk0 , sk1 ), compute pk0 ← Π(Key, sk0 ), pk1 ← Π(Key, sk1 ) and σ ← L(Crs, 1n ), and output (pk ∗ , sk ∗ ) := ((pk0 , pk1 , σ), sk0 ). M.Enc: c∗ ← M(Enc, pk ∗ , m, r0 , r1 ) Given a public key pk ∗ = (pk0 , pk1 , σ), a plaintext m and randomnesses r0 , r1 ∈ {0, 1}n , compute c0 = Π(Enc, pk0 , m, r0 ), c1 = Π(Enc, pk1 , m, r1 ) and π ← L(Prv, σ, (c0 , c1 , pk0 , pk1 ), m, r0 , r1 ) and output c∗ := (c0 , c1 , π).

890

K. Yamashita et al.

M.Dec: m ← M(Dec, sk ∗ , c∗ ) Given a secret key sk ∗ = sk1 and a ciphertext c∗ = (c0 , c1 , π), output ⊥ if L(Vrf, σ, (c0 , c1 , pk0 , pk1 ), π) = 0, otherwise output m := Π(Dec, sk0 , c0 ). The above construction is not necessarily CCA2 secure. The first CCA2-PKE based on general assumption is by Dolev et al. [15]. However, their construction is quite complicated, and Sahai [32] removed this drawback. He showed that CCA2 security can be achieved if the NIZK in the Naor-Yung construction is simulation-sound.

3

An NIZK Oracle for a Single Ciphertext Language

This section introduces an oracle s.t. given a CPA-PKE oracle and a pair of a public key and a ciphertext, the oracle constitutes an SS-NIZK that proves the validity of the ciphertext. Recall that our main purpose is to show the impossibility of a construction of an NIZK for the plaintext equality language from a CPA-PKE and an SS-NIZK for the CPA-PKE. As a first step, we show the existence of a CPA-PKE and an SS-NIZK respectively, based on the CPA-PKE oracle introduced in Definition 9 and an NIZK oracle that we introduce in this section. Before introducing our NIZK oracle, we formally define the language that the oracle is able to prove and give an intuition behind the oracle. Let Π = (Π.Key, Π.Enc, Π.Dec) be a CPA-PKE. A single ciphertext language with respect to Π is LΠ CP A := {(c, pk) | ∃b, r s.t. c = Π(Enc, pk, b, r)}. The oracle has several interfaces that almost constitute the functionalities of an NIZK. Namely, the CRS generator and the prover interfaces are implemented by random injections Hc and Hp respectively, where these random injections work only when valid inputs are given to the interfaces. Namely, we guarantee the soundness of a proof by constructing the prover interface so that it works only when it is given a correct witness or a trapdoor. Definition 10 (An NIZK Oracle). Let O be a CPA-PKE oracle chosen uniformly from the distribution defined in Definition 9 and Hc : {0, 1}n → {0, 1}2n and Hp : {0, 1}8n → {0, 1}9n be random injections. An NIZK oracle ZK = (ZK.Crs, ZK.Prv, ZK.PrvSim, ZK.Vrf) is equipped with Hc and Hp , with oracle access to O (we omit superscript O for legibility), and provides four functionalities: ZK.Crs: σ ← ZK(Crs, τ ) Given a trapdoor τ ∈ {0, 1}n , output a CRS σ ← Hc (τ ). ZK.Prv: {π, ⊥} ← ZK(Prv, σ, (c, pk), b, r) Given a CRS σ ∈ {0, 1}2n , a statement (c, pk) where c, pk ∈ {0, 1}3n , a bit b ∈ {0, 1} and a randomness r ∈ {0, 1}n , output ⊥ if ⊥ ← Hc−1 (σ), ⊥ ← O(g −1 , pk) or c = O(e, pk, b, r), otherwise output π ← Hp (σ||c||pk).

On Black-Box Extension of an NIZK for Secret Equality

891

ZK.PrvSim: {π, ⊥} ← ZK(PrvSim, σ, (c, pk), τ ) Given a CRS σ ∈ {0, 1}2n , a statement (c, pk) where c, pk ∈ {0, 1}3n and a trapdoor τ ∈ {0, 1}n , output ⊥ if τ  Hc−1 (σ) or ⊥ ← O(g −1 , pk), otherwise output π ← Hp (σ||c||pk). ZK.Vrf: {0, 1} ← ZK(Vrf, σ, (c, pk), π) Given a CRS σ ∈ {0, 1}2n , a statement (c, pk) where c, pk ∈ {0, 1}3n and a proof π ∈ {0, 1}9n , output 1 if (σ||c||pk) ← Hp−1 (π), otherwise 0. We let ZKn denote the set of all oracles that satisfy the above syntax for a security parameter n. We say a query is successful if the query is made to ZK.Prv or ZK.PrvSim and the output is some value other than ⊥, or to ZK.Vrf and the output is 1. Given σ without τ , the validity of σ can be checked easily by making a query ZK(Prv, σ, (c, pk), b, r) if the query O(e, pk, b, r) = c has been made previously. We first show the construction of a CPA-PKE under the existence of O and ZK. It has been already proven that the construction Π in Theorem 1 is a CPAPKE under the existence of O [18]. Hence, it is sufficient to show that queries to ZK does not break the CPA security of Π. Lemma 1. Let O be a CPA-PKE oracle chosen uniformly from the distribution defined in Definition 9 and ZK be an NIZK oracle chosen uniformly from the distribution in Definition 10. Then the construction Π in Theorem 1 is CPA secure under the existence of O and ZK. Proof: What we are to prove is that there is no PPT adversary AO,ZK that breaks the CPA security of Π. It is sufficient for the lemma to show the following claim. Claim 1: If there exists an adversary AO,ZK that breaks CPA security of Π, then an adversary AˆO that breaks CPA security of Π can be constructed from A. As the existence of an adversary that breaks CPA security of Π only with accessing to O contradicts the result in [18], the above claim implies that there is no adversary AO,ZK that breaks CPA security of Π. In what follows we show that a PPT with oracle access to O can simulate ZK within negligible difference. We set terminologies for the proof. Let q be a bound for running time of a PPT. We assume that, for ease of discussion, A is stateful. We first define two bad events and prove that these events occur only with negligible probability. Then, under the assumption that these events never happen, we show that ZK can be simulated by an oracle PPT AˆO within negligible difference. Let BadCrs be an event that a PPT adversary AO,ZK makes a query on a legitimate CRS σ without prior generation by ZK.Crs. Similarly, let BadProof be an event that a PPT adversary AO,ZK makes a query on a legitimate proof π without prior generation by ZK.Prv or ZK.PrvSim. We first evaluate BadCrs. Recall that ZK.Crs is implemented by a random injections Hc : {0, 1}n → {0, 1}2n . Considering the domain of Hc , the probability

892

K. Yamashita et al.

that a CRS which is not generated by ZK.Crs is legitimate is at most 2n /22n = 1/2n . As A makes at most q queries, the probability that this event occurs is at most q/2n , which is negligible. BadProof can be evaluated in the same way as BadCrs. Since both of ZK.Prv and ZK.PrvSim are implemented by a random injection Hp : {0, 1}8n → {0, 1}9n , this event happens with probability at most q/2n . Summarizing the above, these events occur with probability at most 2q/2n , which is negligible. Now we show how a PPT with oracle access to O simulates ZK, assuming those bad events never happen. ZK(Crs, τ ): If τ is already asked, return the assigned answer. Otherwise, pick a CRS σ ∈ {0, 1}2n uniformly and output σ as an answer. ZK(Prv, σ, (c, pk), b, r): If either π = ZK(Prv, σ, (c, pk), b, r) or π = ZK(PrvSim, σ, (c, pk), τ ) is already answered, return π. Note that ZK(Prv, σ, (c, pk), [b], [r]) = ZK(PrvSim, σ, (c, pk), [τ ]) since both ZK.Prv and ZK.PrvSim return the same proof π = Hp (σ||c||pk). Further, we do not care if a query to O.e that results in c has been made previously as we are only focusing on how to simulate ZK. Output ⊥ if the query that results in σ is not made previously. Otherwise, pick a proof π ∈ {0, 1}9n uniformly and output π as an answer. ZK(PrvSim, σ, (c, pk), τ ): If either π = ZK(Prv, σ, (c, pk), b, r) or π = ZK(PrvSim, σ, (c, pk), τ ) is already answered, return π. (The fact that π is already answered indicates σ = ZK(Crs, τ ) is already asked.) Output ⊥ if the query that results in σ is not asked previously. Otherwise, pick a π ∈ {0, 1}9n uniformly and output π as an answer. ZK(Vrf, σ, (c, pk), π): If b = ZK(Vrf, σ, (c, pk), π) is already asked, output the answer b. Output ⊥ if the queries that result in σ or π are not asked previously. Output 1 if a query to ZK.Prv or ZK.PrvSim that results in π has been made previously, otherwise 0. The above simulation is correct unless BadCrs and BadProof happen. Hence, if there exists an adversary AO,ZK that breaks CPA security of Π with nonnegligible advantage, then we can construct an adversary AˆO that breaks CPA security of Π with non-negligible advantage, which concludes the claim. Summarizing the above, we conclude that Π is a CPA-PKE under the existence of O and ZK.   The Construction of an SS-NIZK Now, we present the construction of an SS-NIZK based on the NIZK oracle. Lemma 2. Let O be a CPA-PKE oracle chosen uniformly from the distribution defined in Definition 9, ZK be an NIZK oracle chosen uniformly from the distribution in Definition 10 and Π be the CPA-PKE in Theorem 1. The following construction L is an SS-NIZK for LΠ CP A . LO,ZK .Crs: σ ← LO,ZK (Crs, 1n ) Given a security parameter, choose a trapdoor τ ← {0, 1}n and output a CRS σ ← ZK(Crs, τ ).

On Black-Box Extension of an NIZK for Secret Equality

893

LO,ZK .Prv: π ← LO,ZK (Prv, σ, (c, pk), b, r) Given a CRS σ, a statement (c, pk), a bit b and a randomness r, output π ← ZK(Prv, σ, (c, pk), b, r). LO,ZK .Vrf: b ← LO,ZK (Vrf, σ, (c, pk), π) Given a CRS σ, a statement (c, pk) and a proof π, output a bit b ← ZK(Vrf, σ, (c, pk), π). LO,ZK .CrsSim: (τ, σ) ← LO,ZK (CrsSim, 1n ) Given a security parameter, choose a trapdoor τ ← {0, 1}n , and output τ and a CRS σ ← ZK(Crs, τ ). LO,ZK .PrvSim: π ← LO,ZK (PrvSim, σ, (c, pk), τ ) Given a CRS σ, a statement (c, pk) and a trapdoor τ , output π ← ZK(PrvSim, σ, (c, pk), τ ). Proof: In the following, we omit the superscript O, ZK for simplicity. The completeness is immediate. f We show L is zero-knowledge. The difference between the output of L.Crs and that of L.CrsSim is only their interface. Additionally, for any σ and (c, pk) s.t. pk ← O(g, [sk]), c ← O(e, pk, [b], [r]) and σ ← ZK(Crs, [τ ]), it holds that ZK(Prv, σ, (c, pk), b, r) = ZK(PrvSim, σ, (c, pk), τ ). Therefore, for any PPT A, AdvZKA,L,LCP A (n) = 0. To show the simulation soundness, we show that any PPT adversary AO,ZK , whose running time is bounded by a polynomial q, has negligible advantage in ExptSSA,L,LCP A . In order to break simulation-soundness, A should create a / LCP A . Since the proof is computed by the forgery proof π  for a pair (c , pk  ) ∈ is with respect to O, A has to make a successful random injection Hp and LΠ CP A query to forge the proof. That is, (a) making a query to ZK.Prv on (c , pk  ) that returns π  , (b) making a query to ZK.PrvSim on (c , pk  ) returning π  or (c) making a query to ZK.Vrf on (c , pk  ) and π  that returns 1. / LCP A . In The first case is useless as ZK.Prv outputs ⊥ for any (c , pk  ) ∈ the second case, to make a successful query to ZK.PrvSim on σ, A is required to find the trapdoor τ of σ. As ZK.CrsSim is implemented by the random injection Hc , all A can do is to make a query to ZK.PrvSim to find the uniformly chosen trapdoor τ ∈ {0, 1}n . However, the probability that such a τ is the trapdoor of σ is at most 1/2n . Hence, taking union bound on at most q queries, the probability that A succeeds to output a forgery proof is at most q/2n , which is negligible. In the third case, A seeks for π  s.t. 1 ← ZK(Vrf, σ, (c , pk  ), π  ). Similar to the previous case, the probability that such a π  is in the domain of Hp is at most 28n /29n = 1/2n . Thus A succeeds to output a forgery proof in the third strategy with probability at most q/2n . To summarize the above, the probability that A   succeeds to output a forgery proof is at most 2q/2n , which is negligible.

4

Separation

This section presents a negative result on constructions of (standard) NIZKs for the plaintext equality language. That is, there is no fully black-box construction of an NIZK for the plaintext equality language based on a CPA-PKE Π and

894

K. Yamashita et al.

an SS-NIZK for LΠ CP A . We note that, as mentioned in Sect. 1, our result is not obtained trivially from the result of Abe et al. [2]. This section is devoted to proving the following theorem. Theorem 2. There does not exist a fully black-box construction M that converts Π any SS-NIZK for LΠ CP A with respect to a CPA-PKE Π into an NIZK for LEQ that is complete, adaptive zero-knowledge and sound. For proving the theorem, it suffices to show the absence of a black-box construction of an NIZK for LΠ EQ from a specific CPA-PKE Π and an NIZK for Π LCP A , as we are concerned about fully black-box separation. Thus, we prove the theorem with respect to the CPA-PKE Π introduced in Theorem 1. We assume the existence of a construction M that is complete and zero-knowledge for LΠ EQ based on O and ZK, which are uniformly chosen from distributions introduced in Definition 9 and Definition 10 respectively. Then we demonstrate an adversary that attacks the soundness of M since it implies that, under the existence of O and ZK, such a construction M cannot have the soundness. We construct such an adversary and show that the adversary indeed breaks the soundness of M. Hence, we show the following lemma to prove our main theorem. Lemma 3. Let O and ZK be oracles that are uniformly chosen from the distributions introduced in Definition 9 and Definition 10 respectively, where ZK is chosen with respect to O. Furthermore, let Π be a CPA-PKE introduced in Theorem 1 and M be a black-box construction of a proof system for LΠ EQ based on O and ZK that is complete and adaptive black-box zero-knowledge, which is based on O and ZK. Then there exists a polynomial time adversary A that breaks the soundness of M. Proof: (of Lemma 3): Before exhibiting our adversary, we set terminologies. In the following, we omit the superscript O, ZK if it is unnecessary. Let q = poly(n) be the maximum number of queries that M makes to O and ZK in its execution. We construct an adversary AO,ZK that attacks the soundness of M in the soundness game. We note that, while O and ZK constitute an SS-NIZK for LΠ CP A based on O and ZK, we do not require M to have the simulation soundness. Thus, the soundness game we will consider is not ExptSS, but a simpler one: A challenger outputs a CRS σ ˆ . Given σ ˆ , an adversary generates a forgery proof π ˆ ˆ and π ˆ to the challenger. If the challenger for a statement x ˆ∈ / LEQ , and sends x accepts π ˆ , then the adversary wins the game. Overview and Idea for an Adversary. We construct an adversary that simulates MO,ZK .Prv on a false statement, and fools the prover as if it were a correct statement. Given σ ˆ , the adversary computes two public keys pk1 and pk2 and computes ciphertexts c1 = O(e, pk1 , b, r1 ), c2 = O(e, pk2 , b, r2 ) and c1 = O(e, pk1 , 1 − b, r1 ) for a message bit b and randomnesses r1 and r2 . Then, A ˆ = (b, r1 , r2 ). We remark that M.Prv runs M.Prv on σ ˆ, x ˆ = (c1 , c2 , pk1 , pk2 ) and w is supposed to return ⊥ on this input since x ˆ∈ / LEQ . A crucial observation is that, O and ZK are equipped by random injections, and there is another pair of

On Black-Box Extension of an NIZK for Secret Equality

895

oracles O∗ and ZK∗ in the distributions On and ZKn that contain entries that swap the computation results for c1 and c1 . For instance, there exists an oracle O∗ that includes entries O∗ (e, pk, b, r, c1 ) and O∗ (e, pk, 1 − b, r, c1 ). (Note that M is supposed to work properly with such swapped oracles as O∗ is a valid oracle.) We exploit this property to construct the adversary. Another important observation is that M.Prv simulated by A does not directly access the given oracles. In other words, when M.Prv calls an oracle, A forwards the query to the corresponding oracle, and returns its output to M.Prv. When M.Prv makes inexpedient queries for the forgery, A swaps the answer to the other consistent one. Because O.e and ZK.Prv are implemented by random injections, M.Prv cannot detect such swapping. To do so, the adversary defines partial oracles O and ZK based on the query/answer pairs that she learned when she computed c1 and c1 . Then, A runs M.Prv with algorithms O and ZK that, roughly speaking, work as follows: If M.Prv makes a query that is registered in O or ZK , then A returns the registered answer, otherwise A forwards the query to the real oracles and returns the answer. In other words,   A runs MO ,ZK .Prv on a false statement to obtain a forged proof. Note that M with oracle access to O and ZK does not abort unless the completeness error happens since they are correct oracles in On and ZKn , respectively. [Soundness Game] Step 1: Setup Phase The challenger generates a CRS σ ˆ ← M(Crs, 1n ) and sends σ ˆ to the adversary A. Step 2: Forgery Phase Given σ ˆ , A samples two distinct secret keys sk1 , sk2 ← {0, 1}n and computes pk1 = O(g, sk1 ) and pk2 = O(g, sk2 ). Choose b ← {0, 1} and r1 , r2 ← {0, 1}n , set b := 1 − b and compute c1 = O(e, pk1 , b, r1 ), c2 = O(e, pk2 , b, r2 ) and c1 = O(e, pk1 , b , r1 ). Then, A defines partial oracles O and ZK based on the query/answer pairs she has learned where O consists of entries (e, pk1 , b , r1 , c1 ), (e, pk1 , b, r1 , c1 ), (d, sk1 , c1 , b), and (d, sk1 , c1 , b ) and ZK consists of entries (Prv, ˆ := (c1 , c2 , pk1 , pk2 ) and ∗, (c1 , pk1 ), b, r1 , ⊥) and (Prv, ∗, (c1 , pk1 ), b , r1 , ⊥). Let x O  ,ZK  (Prv, σ ˆ, x ˆ, w) ˆ where O and ZK simulate O and w ˆ := (b, r1 , r2 ). Run M ZK as follows: [Algorithm O ] – If a given query is in O , return the output that is registered in O . – For any other queries, forward it to O and return the output. [Algorithm ZK ] – If a given query is in ZK , return the answer corresponding to the query that is registered in ZK . – Given a query (Prv, [σ], (c1 , pk1 ), b, r1 ) with a legitimate σ, return π ← ZK(Prv, σ, (c1 , pk1 ), b , r1 ) and record (Prv, σ, (c1 , pk1 ), b, r1 , π) to ZK . Recall that for a function f : {0, 1}n1 → {0, 1}n2 where n1 < n2 , we say y ∈ {0, 1}n2 is legitimate if there exists x ∈ {0, 1}n1 s.t. f (x) = y.

896

K. Yamashita et al.

– Given a query (Prv, [σ], (c1 , pk1 ), b , r1 ) with a legitimate σ, return π ← ZK(Prv, σ, (c1 , pk1 ), b, r1 ) and record (Prv, σ, (c1 , pk1 ), b , r1 , π) to ZK . – For any other queries, forward it to ZK and return the output. When M outputs a proof π ˆ , A sends x ˆ and π ˆ to the challenger. Step 3: Verification Phase ˆ , the challenger outputs 1 if 1 ← M(Vrf, σ ˆ, Given x ˆ = (c1 , c2 , pk1 , pk2 ) and π x ˆ, π ˆ ). Otherwise it outputs 0. Now, we show the adversary demonstrated in the above soundness game breaks the soundness of M. Evaluation of A Let P be the probability that the challenger outputs 1 in Step 3. The probability is taken over the choice of O, ZK and all random coins by the challenger and the adversary. Let AdvZKA ,M,LEQ ≤ ρzk for any stateful PPT adversary A , and Pr[Vrf(σ, x, Prv(σ, x, w)) = 1] ≥ 1 − ρco for any n ∈ N, any σ ← Crs(1n ) and any (x, w) ∈ RLEQ . As M is complete and zero-knowledge, ρco and ρzk are negligible in n. We let |Pr[ExptPKEcpa A ,Π = 1]−1/2| ≤ ρcpa = negl(n) for any PPT adversary A , which is taken over the choice of oracles and randomness in the experiment. We assume that M makes at most q = poly(n) queries. In order to prove the lemma, we show that P is non-negligible by considering a sequence of games s.t. the final game introduces the situation that the challenger outputs 1 trivially. Let Pi denotes the probability that the challenger outputs 1 in Game i. In games from Game 1 to Game 4, we exclude some bad events that happen only by accident and simplify the game. In the remaining games, we replace oracle O and ZK with O and ZK respectively step by step, finally reaching the situation that M.Vrf always accepts the proof unless the completeness error occurs. Again, the intuition behind the analysis is that, swapping oracle answers only results in the other correct oracle, as we are considering oracles that are implemented by random injections. Game 0: The above soundness game. Thus P0 = P . Game 1: The game halts if one of the following events occurs: – A successful query that includes a legitimate σ is made without a prior query that results in σ. – A successful query that includes a legitimate π is made to ZK.Vrf without a prior query that generates π. In other words, the above cases exclude the events that the challenger and the adversary find a legitimate CRS or a legitimate proof by chance. A query on σ without prior generation is successful only if σ is in the domain of Hc . Thus, considering the domain of Hc , it happens with probability at most 2n /22n = 1/2n . Similarly, any query to ZK.Vrf on π without prior generation by ZK.Prv or ZK.PrvSim outputs 1 with probability at most 28n /29n = 1/2n . Since at most 3q queries can be made throughout the soundness game by M, there is at most 3q(1/2n + 1/2n ) = 6q/2n chance of halting the game by observing the above

On Black-Box Extension of an NIZK for Secret Equality

897

events. Thus we have |P1 −P0 | ≤ 6q/2n . In what follows, we consider probabilities which are conditioned on the events do not occur. We will exclude certain events in Game 2–4 as well, and treat the probabilities in the same manner. Game 2: The game halts if one of the following events occurs: – A query that includes a legitimate public key pk is made without a prior query to O.g that results in pk. – A query that includes a legitimate ciphertext c is made without a prior query to O.e or O.w that results in c. The first event describes the situation where a uniformly chosen public key is in the range of g. Considering the domain of g, this event happens with probability at most 2n /23n = 1/22n . We evaluate the second case as follows. Recall that for a public key pk, the encryption oracle O(e, pk, ∗, ∗) constitutes a random injection {0, 1}n+1 → {0, 1}3n . Hence, even if one knows a legitimate public key pk, the probability that he generates a legitimate ciphertext without making a query to O.e or is at most 2n+1 /23n = 2/22n . Similarly, as O.w outputs n ciphertexts, the probability that a legitimate ciphertext without making a query to O.w or is at most n · 2n+1 /23n = 2n/22n . As at most 3q queries are made by M in the soundness game, we have |P2 −P1 | ≤ 3q(1/22n +2/22n +2n/22n ) = (6n+9)q/22n . Game 3: The game halts if a query that contains one of the following values is made in Step 1; sk1 , sk2 , pk1 , pk2 , c1 , c1 , c2 , r1 and r2 . Note that this event can be defined after the adversary in Step 2 obtains these values. This avoids the challenger to learn the secrets beforehand. Since the secret keys and the randomnesses are chosen uniformly and O.g and O.e are random injections, the challenger finds these values only by chance. We evaluate the probability to make a query on each value as follows. The Secret Keys. Considering the domain of O.g, the probability that making queries on a specific secret key is at most 1/2n . Hence, given at most q queries in an execution of M, the probability that making a query on sk1 or sk2 is bounded by q(1/2n + 1/2n ) = 2q/2n . The remaining cases are evaluated in the same way. The Public Keys. The probability that a query on a specific public key is made without prior generation is at most 1/23n . We remark that the situation making a query on sk1 or sk2 to O.g to find pk1 or pk2 is already excluded by the above case. Thus, this event occurs with probability at most q(1/23n +1/23n ) = 2q/23n . The Ciphertexts. Similar to the above case, the probability that the challenger finds a specific ciphertext is at most 1/23n . Taking union bound for at most q queries and three ciphertexts, a query on the ciphertexts is made with probability at most 3q/23n . The Randomness. Since r1 and r2 are chosen uniformly, this event happens only by chance among at most q queries. Therefore, this event occurs with probability at most 2q/2n . Summarizing the above, we have |P3 −P2 | ≤ 4q/2n +5q/23n . Game 4: The game halts if the output of O.w contains c1 , c1 or c2 in Step 1. We exclude this case because we cannot avoid the possibility that the challenger makes a query to O.w to obtain something about the proof. Recall that

898

K. Yamashita et al.

the output of O.w is uniformly chosen n ciphertexts. Since O.e is a random injection, the probability that an output of O.w contains a specific ciphertext is at most n/23n . Since at most 2q queries are made in Step 1, we have |P4 − P3 | ≤ nq(1/23n + 1/23n + 1/23n ) = 3nq/23n . Game 5: Replace O and ZK in Step 1 with O and ZK with partial oracles O and ZK defined at the end of Step 2. In other words, the randomness in the adversary is chosen at the beginning of the game. Observe that the adversary ˆ . Hence, it in the previous game chooses b, r1 and r2 in Step 2 independent of σ does not affect the distribution of the output of this game if the randomness in the adversary is chosen beforehand. The view of Step 1 changes only if M makes a query defined in O or ZK . Observe that each query registered in O and ZK contains r1 or sk1 . Hence this event does not happen as we have excluded such cases in Game 3. Thus we have P5 = P4 . Game 6: Replace O and ZK in Step 3 with O and ZK that contains the partial oracles O and ZK defined at the end of Step 2. Note that the view in Step 3 differs only if the challenger (i.e., M.Vrf) makes a query registered in O or ZK . Observe that such a query contains the secret randomness r1 , i.e., O (e, pk1 , b, r1 ), O (e, pk1 , b , r1 ), ZK (Prv, ∗, (c1 , pk1 ), b, r1 , ⊥), ZK’(Prv, ∗, (c1 , pk1 ), b , r1 , ⊥), ZK (Prv, [σ], (c1 , pk1 ), b, r1 , [π]) and ZK (Prv, [σ], (c1 , pk1 ), b , r1 , [π]). Hence, it is sufficient to show the probability that the challenger makes queries on r1 in Step 3 to evaluate the difference between Game 5 and Game 6. Let AskRndi be an event that r1 is asked by M.Vrf in Step 3 in Game i. Obviously, |P6 − P5 | ≤ Pr[AskRnd6 ]. In what follows, we consider a sequence of subgames that finally reaches the situation where π ˆ is independent of r1 and we can evaluate the probability that AskRnd occurs. Game 6.0: The same as Game 6. ˜ instead. Let O and ZK be ˜ and ZK Game 6.1: We use the following oracles O the same partial oracles as previous game. Let Rcpa and Rzk be uniformly chosen ˜ := ZK||Rzk ∈ ZKn where ZK ˜ ˜ := O ||Rcpa ∈ On and ZK partial oracles so that O ˜

constitutes an NIZK for LO CP A and bad events in Game 1–4 never happen in ˜ must exist as On and ZKn are implemented ˜ and ZK Step 1. Note that such O by random injections. We remark that in both Game 6.0 and 6.1, only queries outside of O and ZK are made as long as AskRnd never happens in Step 3. As these oracles in both Game 6.0 and Game 6.1 yield the same view in the soundness game, we have Pr[AskRnd6.0 ] = Pr[AskRnd6.1 ]. ˜ ← ZKn so that the ˜ ← On and ZK Game 6.2: Choose oracles uniformly, i.e., O events defined in Game 1–4 never happen. Furthermore, we modify the adversary ˆ = (b, r1 , r2 ). In Game 6.1, the so that it runs M.Prv on x ˆ = (c1 , c2 , pk1 , pk2 ) and w partial oracles O and ZK are determined by the (random) choice of oracles and the randomness of the adversary and the remaining parts of oracles are chosen uniformly so that they are consistent to O and ZK respectively. Thus, the view

On Black-Box Extension of an NIZK for Secret Equality

899

in Game 6.2 does not differ from that in Game 6.1 while we have modified the way of choosing oracles. Therefore, we have Pr[AskRnd6.2 ] = Pr[AskRnd6.1 ]. Game 6.3: Replace M.Crs and M.Prv in the game with M.CrsSim and M.PrvSim and let the challenger pass the trapdoor τˆ generated in Step 1 to the adversary. Note that this modification does not affect the upper-bound of the probability that the events defined in Game 1–4 occur. We allow the challenger to pass τˆ to the adversary because we are considering a game transition. That is, in a game transition, it is sufficient if we can compare the distribution of outputs of games. Hence, it does not matter how intermediate games of the transition are composed. We first claim the following: Claim 2: Pr[AskRnd6.2 ] − Pr[AskRnd6.3 ] ≤ ρzk + 2 where  = 10q/2n + (6n + 9)q/22n + (3n + 5)q/23n . Note that  is the summation of the upper-bounds of the probabilities that events defined in Game 1–4 occur. The proof of this claim appears at the end of this section. Now, a proof generated in Game 6.3 is independent of r1 since it is generated by M.PrvSim. We show that if Pr[AskRnd6.3 ] ≥ ρcpa + , then we can construct an ˜ ˜ adversary that breaks the CPA security of Π O,ZK . We construct a PPT adversary cpa B = (B0 , B1 ) in the experiment ExptPKEB,Π (n) so that B1 simulates Game 6.3 and outputs a correct message bit if AskRnd happens. B0 : Given a public key pk, output μ where μ contains pk (note that as we are considering 1-bit messages, it is not necessary to choose massages explicitly). B1 : Given (μ, c) where c is a ciphertext, simulate Game 6.3 as described below. Throughout the simulation, if B1 observes events that are defined in Game 1 or Game 2, then abort the simulation and output a random bit. ˜ ˜ (i) Choose a trapdoor τˆ ← {0, 1}n and run MO,ZK (CrsSim, τˆ) to obtain σ ˆ.  n  (ii) Choose sk ← {0, 1} to obtain pk = O(g, sk  ), choose b∗ ← {0, 1} uniformly and r ← {0, 1}n and compute c = O(e, pk  , b∗ , r ). Halt the simulation and output a random bit b if B1 observes that events defined in Game 3 or Game 4 occur. ˜ ˜ ˆ , (c, c , pk, pk  ), τˆ) to obtain a proof π ˆ. (iii) Run MO,ZK (PrvSim, σ ˜ ˜ ˜ ˜ ZK O,ZK O,   (iv) Run M (Vrf, (c, c , pk, pk ), π ˆ ). If M .Vrf makes a query that includes some randomness r, then the adversary sees if c = O(e, pk, b∗ , r). If such an r is found, then abort the simulation and output b := b∗ , otherwise output a random bit b . Note that the above simulation can be done in polynomial time. Now, we have the following claim. Claim 3: If Pr[AskRnd6.3 ] ≥ ρcpa +, then |Pr[ExptPKEcpa B,Π (n) = 1]−1/2| ≥ ρcpa . (Proof of Claim 3) Let b ∈ {0, 1} be a plaintext behind c. Let AskRndcpa be an event that a query that contains r s.t. c = O(e, pk, b∗ , r) is made in (iv) and Bad be

900

K. Yamashita et al.

an event that events defined in Game 1–4 occur during the execution of B1 . Observe that Pr[AskRnd6.3 ] = Pr[AskRndcpa | Bad ∧ b∗ = b] = Pr[AskRndcpa | Bad]/2. Furthermore Pr[b = b | AskRndcpa ] = 1 and Pr[b = b | AskRndcpa ] = 1/2. Then, we have the following formula, which justifies Claim 3.  Pr[ExptPKEcpa B,Π (n) = 1] = Pr[b = b]

= Pr[b = b | AskRndcpa ] · Pr[AskRndcpa ] + Pr[b = b | AskRndcpa ] · Pr[AskRndcpa ] = Pr[b = b | AskRndcpa ] · Pr[AskRndcpa ]

= = ≥ = ≥

+ Pr[b = b | AskRndcpa ] · (1 − Pr[AskRndcpa ]) 1 1 1 Pr[AskRndcpa ] + (1 − Pr[AskRndcpa ]) = + Pr[AskRndcpa ] 2 2 2 1 1 cpa + (Pr[AskRnd | Bad] · Pr[Bad] + Pr[AskRndcpa | Bad] · Pr[Bad]) 2 2 1 1 1 + Pr[AskRndcpa | Bad] · Pr[Bad] = + Pr[AskRnd6.3 ] · Pr[Bad] 2 2 2 1 1 + Pr[AskRnd6.3 ] · (1 − Pr[Bad]) ≥ + Pr[AskRnd6.3 ] · (1 − ) 2 2 1 1 6.3 + Pr[AskRnd ] −  ≥ + ρcpa . 2 2

  Due to Claim 3, we obtain Pr[AskRnd6.3 ] ≤ ρcpa + . Summarizing the above, we have |P6 − P5 | ≤ Pr[AskRnd6.0 ] = Pr[AskRnd6.1 ] = Pr[AskRnd6.2 ] ≤ ρzk + 2 + Pr[AskRnd6.3 ] ≤ ρzk + 2 + ρcpa +  = ρzk + ρcpa + 3, which is negligible. Game 7: Similar to the modification in Game 6.1, modify O and ZK to be O := O ||Rcpa and ZK := ZK ||Rzk with random partial oracles Rcpa and Rzk that make O and ZK one of oracles in On and ZKn respectively, so that it no longer uses O and ZK, respectively. As the same discussion in Game 6.1 can be applied, we have P7 = P6 . Now O and ZK are oracles in On and ZKn respectively, that generate a correct proof on (c1 , c2 , pk1 , pk2 ). Then, M.Vrf accepts the generated proof unless the completeness error occurs. Thus we have P7 > 1 − ρco . Summarizing the above, we have P > 1 − ρco − ρzk − ρcpa − 4 where  = 10q/2n +(6n+9)q/22n +(3n+5)q/23n , hence P is non-negligible. This concludes Lemma 3, thus Theorem 2. What remains is to apply a standard technique from Borel-Cantelli Lemma that allows us to choose oracles from particular distributions.   (Proof of Claim 2) To justify the claim, we construct a stateful PPT adversary B O,ZK that attacks the zero-knowledgeness of M. The adversary works in a zeroknowledge game (between a challenger) as follows: Step I: Given a CRS σ ˆ , sample two distinct secret keys sk1 , sk2 ← {0, 1}n and compute pk1 = O(g, sk1 ) and pk2 = O(g, sk2 ). Choose b ← {0, 1} and r1 , r2 ← {0, 1}n and compute c1 = O(e, pk1 , b, r1 ) and c2 = O(e, pk2 , b, r2 ). ˆ = (b, r1 , r2 ) and output (ˆ x, w). ˆ (Note that Set x ˆ = (c1 , c2 , pk1 , pk2 ) and w (ˆ x, w) ˆ is chosen in the same way as Game 6.2 and Game 6.3).

On Black-Box Extension of an NIZK for Secret Equality

901

Step II: Given a proof π ˆ , run M(Vrf, σ ˆ, x ˆ, π ˆ ). Output b = 1 if B  observes a query that includes r1 during the execution of M.Vrf, otherwise b = 0. Note that since B  simulates M.Vrf, B  fetc.hes all queries made by M.Vrf. We denote the situation by ˜b = 1 (resp., ˜b = 0) where the challenger runs M.Crs and M.Prv (resp., M.CrsSim and M.PrvSim). Let BadRl (resp., BadSm) be an event that one of the events that are described in Game 1–4 occurs in the CRS generation phase of the challenger conditioned on ˜b = 1 (resp., ˜b = 0). We remark that, considering the upper-bounds by Game1–4, Pr[BadRl] and Pr[BadSm] are upper-bounded by 10q/2n + (6n + 9)q/22n + (3n + 5)q/23n (= ). Observe that the distributions of values that are given to M.Vrf (i.e., σ ˆ, x ˆ, π ˆ) in Step II are the same as those of Game 6.2 (resp., Game 6.3), if ˜b = 1 (resp., ˜b = 0) and BadRl (resp., BadSm) does not occur. Thus, it holds that Pr[b = 1 |˜b = 1 ∧ BadRl] = Pr[AskRnd6.2 ] and Pr[b = 1 |˜b = 0 ∧ BadSm] = Pr[AskRnd6.3 ]. , we obtain the following Therefore, considering the advantage AdvZKB ,M,LΠ EQ formula: ρzk ≥ AdvZKB ,M,LΠ = Pr[b = 1 |˜b = 1] − Pr[b = 1 |˜b = 0] EQ = Pr[b = 1 |˜b = 1 ∧ BadRl] · Pr[BadRl] + Pr[b = 1 |˜b = 1 ∧ BadRl] · Pr[BadRl] − Pr[b = 1 |˜b = 0 ∧ BadSm] · Pr[BadSm] − Pr[b = 1 |˜b = 0 ∧ BadSm] · Pr[BadSm] ≥ − Pr[b = 1 |˜b = 0 ∧ BadSm] · Pr[BadSm] + Pr[b = 1 |˜b = 1 ∧ BadRl] · Pr[BadRl] − Pr[b = 1 |˜b = 0 ∧ BadSm] · Pr[BadSm] ≥ − Pr[BadSm] + Pr[b = 1 |˜b = 1 ∧ BadRl] · Pr[BadRl] − Pr[b = 1 |˜b = 0 ∧ BadSm] · Pr[BadSm] ≥− + Pr[b = 1 |˜b = 1 ∧ BadRl] · Pr[BadRl] − Pr[b = 1 |˜b = 0 ∧ BadSm] · Pr[BadSm] = −  + Pr[AskRnd6.2 ] · Pr[BadRl] − Pr[AskRnd6.3 ] · Pr[BadSm] = −  + Pr[AskRnd6.2 ] · (1 − Pr[BadRl]) − Pr[AskRnd6.3 ] · (1 − Pr[BadSm]) = −  + (Pr[AskRnd6.2 ] − Pr[AskRnd6.3 ]) − Pr[AskRnd6.2 ] · Pr[BadRl] + Pr[AskRnd6.3 ] · Pr[BadSm] ≥ −  + (Pr[AskRnd6.2 ] − Pr[AskRnd6.3 ]) − Pr[AskRnd6.2 ] · Pr[BadRl] ≥ − 2 + (Pr[AskRnd6.2 ] − Pr[AskRnd6.3 ]) Therefore, we obtain Pr[AskRnd6.2 ] − Pr[AskRnd6.3 ] ≤ ρzk + 2, as we claimed.  

5

Conclusion and Open Question

In this work we uncovered the impossibility of a black-box construction of an NIZK for the plaintext equality language based on a CPA-PKE and an SS-NIZK for a single ciphertext language. However, it still remains open whether we can

902

K. Yamashita et al.

extend a specific NIZK to an NIZK for an equality language in a black-box way. While there are known results that employ the CP technique for an equality language [5,9,12,28,29], it is still open if such a language can be generally proven by, for instance, Quasi-Adaptive NIZKs [23]. Another important direction is showing the (im)possibility of NIZKs for witness relations other than equality. There are a lot of constructions of NIZKs for these extended languages that employ non-black-box techniques such as [1,8,14,17]. It is still debatable whether these NIZKs are possible in a blackbox manner. Acknowledgements. We thank Takahiro Matsuda for very insightful discussions in the proof of Sect. 4.

References 1. Abdalla, M., Benhamouda, F., Pointcheval, D.: Disjunctions for hash proof systems: new constructions and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 69–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6 3 2. Abe, M., Ambrona, M., Ohkubo, M.: On black-box extensions of non-interactive zero-knowledge arguments, and signatures directly from simulation soundness. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) Public-Key Cryptography - PKC 2020, pp. 558–589. Springer International Publishing, Cham (2020) 3. Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018). https://doi.org/10.1007/ 978-3-319-96878-0 22 4. Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) Advances in Cryptology – CRYPTO 1989 Proceedings, pp. 194–211. Springer, New York (1990) 5. Blazy, O., Derler, D., Slamanig, D., Spreitzer, R.: Non-interactive plaintext (In-)equality proofs and group signatures with verifiable controllable linkability. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 127–143. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8 8 6. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 103–112. STOC 1988, ACM, New York, NY, USA (1988). http:// doi.acm.org/10.1145/62212.62222 7. Brakerski, Z., Katz, J., Segev, G., Yerukhimovich, A.: Limits on the power of zeroknowledge proofs in cryptographic constructions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 559–578. Springer, Heidelberg (2011). https://doi.org/10. 1007/978-3-642-19571-6 34 8. Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against Key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 351–368. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9 20 9. Campanelli, M., Fiore, D., Querol, A.: Legosnark: modular design and composition of succinct zero-knowledge proofs. In: CCS 2019 (2019)

On Black-Box Extension of an NIZK for Secret Equality

903

10. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Conference Proceedings of the Annual ACM Symposium on Theory of Computing (08 2003). https://doi.org/10.1145/ 509907.509980 11. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) Advances in Cryptology – CRYPTO 1992, pp. 89–105. Springer, Berlin Heidelberg, Berlin, Heidelberg (1993) 12. Choi, S.G., Elbaz, A., Juels, A., Malkin, T., Yung, M.: Two-party computing with encrypted data. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 298–314. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-769002 18 13. Costello, C., et al.: Geppetto: versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, pp. 253–270 (May 2015). https://doi.org/10.1109/ SP.2015.23 14. Cramer, R., Damg˚ ard, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) Advances in Cryptology – CRYPTO 1994, pp. 174–187. Springer, Berlin Heidelberg (1994) 15. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. In: Proceedings of the Twenty-third Annual ACM Symposium on Theory of Computing, pp. 542– 552. STOC 1991, ACM, New York, NY, USA (1991). http://doi.acm.org/10.1145/ 103418.103474 16. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 September 1999. http:// dx.doi.org/10.1137/S0097539792230010 17. Garg, S., Gupta, D.: Efficient round optimal blind signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 477–495. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5 27 18. Gertner, Y., Malkin, T., Myers, S.: Towards a separation of semantic and CCA security for public key encryption. In: Proceedings of the 4th Conference on Theory of Cryptography, pp. 434–455. TCC 2007, Springer-Verlag, Berlin, Heidelberg (2007). http://dl.acm.org/citation.cfm?id=1760749.1760781 19. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230 29 20. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679 21 21. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3 24 22. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5 35 23. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. J. Cryptol. 30(4), 1116–1156 October 2017. https://doi.org/10.1007/s00145-0169243-7 24. Khurana, D., Ostrovsky, R., Srinivasan, A.: Round optimal black-box “commitand-prove”. IACR Cryptol. ePrint Arch. 2018, 921 (2018) 25. Kilian, J.: Uses of Randomness in Algorithms and Protocols. MIT Press, Cambridge, MA, USA (1990)

904

K. Yamashita et al.

26. Lipmaa, H.: Prover-efficient commit-and-prove zero-knowledge SNARKs. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 185–206. Springer, Cham (2016). https://doi.org/10.1007/978-3-31931517-1 10 27. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the Twenty-second Annual ACM Symposium on Theory of Computing, pp. 427–437. STOC 1990, ACM, New York, NY, USA (1990). http://doi.acm.org/10.1145/100216.100273 28. Ostrovsky, R., Richelson, S., Scafuro, A.: Round-optimal black-box two-party computation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 339–358. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3662-48000-7 17 29. Parkes, D.C., Rabin, M.O., Shieber, S.M., Thorpe, C.: Practical secrecy-preserving, verifiably correct and trustworthy auctions. Electron. Commer. Res. Appl. 7(3), 294–312 (2008). https://doi.org/10.1016/j.elerap.2008.04.006, http://www. sciencedirect.com/science/article/pii/S1567422308000197, special Section: New Research from the 2006 International Conference on Electronic Commerce 30. Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (Plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 89–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-03026948-7 4 31. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) Theory of Cryptography, pp. 1–20. Springer, Berlin Heidelberg, Berlin, Heidelberg (2004) 32. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosenciphertext security. In: Proceedings of the 40th Annual Symposium on Foundations of Computer Science, p. 543-. FOCS 1999. IEEE Computer Society, Washington, DC, USA (1999). http://dl.acm.org/citation.cfm?id=795665.796535

Author Index

Abe, Masayuki 882 Agarwal, Archita 62 Almeida, José Bacelar 107 Anand, Ravi 395 Aparicio-Sánchez, Damián 128 Arte, Vivek 576, 859 Attrapadung, Nuttapong 763 Azarderakhsh, Reza 228 Azouaoui, Melissa 205 Barbosa, Manuel 107 Barthe, Gilles 107 Bellare, Mihir 529, 576, 859 Bisheh Niasar, Mojtaba 228 Blazy, Olivier 553, 691 Budroni, Alessandro 417 Chakraborty, Pranab 294 Chen, Yuechen 666 Choudhury, Ashish 786, 810, 832 Cid, Carlos 373 Dai, Wei 529 Dunkelman, Orr 332 Duong, Dung Hoang 624 Durvaux, François 205 Dutta, Abhraneel 248 Eichlseder, Maria 345 Escobar, Santiago 128 Espitau, Thomas 440 Farshim, Pooya 715 Fuchsbauer, Georg 715 Genise, Nicholas 601 Grassi, Lorenzo 312 Guo, Fuchun 624 Guo, Qian 417 Hegde, Aditya 832 Hoffmann, Clément 39 Hosoyamada, Akinori 373

Hovd, Martha Norberg 488 Hutchinson, Aaron 248 Jafargholi, Zahra 741 Johansson, Thomas 417 Joux, Antoine 440 Kakvi, Saqib A. 553 Kamara, Seny 62 Karabina, Koray 248 Kermani, Mehran Mozaffari Kharchenko, Natalia 440 Khati, Louiza 576 Kleinrock, Leonard 16 Kobeissi, Nadim 151 Kraleva, Liliya 273 Krämer, Juliane 508 Kumar, Abhishek 332

228

Lambooij, Eran 332 Laporte, Vincent 107 Le, HuyQuoc 624 Leander, Gregor 345 Li, Baiyu 601 Liu, Yunwen 373 Maitra, Arpita 395 Maitra, Subhamoy 294 Mårtensson, Erik 417 Matsuura, Kanta 763 Meadows, Catherine 128 Méaux, Pierrick 39 Meseguer, José 128 Mukherjee, Pratyay 465 Mukherjee, Sayantan 691 Mukhopadhyay, Sourav 395 Nguyen, Giang Linh Duc Nicolas, Georgio 151 Oechsner, Sabine 741 Oliveira, Tiago 107 Ostrovsky, Rafail 16

624

906

Author Index

Papagiannopoulos, Kostas 205 Pappu, Nikhil 786 Passelègue, Alain 715 Paul, Arinjita 644 Phalakarn, Kittiphop 763 Pietrzak, Krzysztof 3 Posteuca, Raluca 273 Poussier, Romain 205

Stam, Martijn 488 Standaert, François-Xavier 205 Struck, Patrick 508 Suppakitpaisarn, Vorapong 763 Susilo, Willy 624

Rangan, C. Pandu 644 Rasoolzadeh, Shahram 345 Ricosset, Thomas 39 Rijmen, Vincent 273

Verneuil, Vincent 205

Sanadhya, Somitra Kumar 332 Sapiña, Julia 128 Schofnegger, Markus 312 Selvi, S. Sharmila Deva 644 Shi, Cheng 89 Sim, Siang Meng 373

Yamashita, Kyosuke 882 Yiu, Siu-Ming 666 Yoneyama, Kazuki 89

Tibouchi, Mehdi 882 Tiwari, Mukesh 151

Wagner, Paul Stankovski 417 Wang, Xiangning 666

Zhang, Linru 666 Zikas, Vassilis 16