Abstract. We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, and for arbitrary but fixed polynomials L and N, we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme that additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that its algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Finally, we extend an impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions if the proof makes only a black-box use of the query function and the adversary attacking the scheme. This shows that the non-black-box use of the query function in our proof of security is inherent.
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results that hold both in the private and in the public key settings:
- Let H be the family of poly(n)-wise independent hash-functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent messages to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H.
- There exists no reduction from an encryption scheme secure against key-dependent messages to, essentially, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for an arbitrary g, as long as the reduction's proof of security treats both the adversary and the function g as black boxes.
We give a construction of statistically-hiding commitment schemes (ones where the hiding property holds information theoretically), based on the minimal cryptographic assumption that one-way functions exist. Our construction employs two-phase commitment schemes, recently constructed by Nguyen, Ong and Vadhan (FOCS '06), and universal one-way hash functions introduced and constructed by Naor and Yung (STOC '89) and Rompel (STOC '90).
We give a construction of statistically hiding commitment schemes (those in which the hiding property holds against even computationally unbounded adversaries) under the minimal complexity assumption that one-way functions exist. Consequently, one-way functions suffice to give statistical zero-knowledge arguments for any NP statement (whereby even a computationally unbounded adversarial verifier learns nothing other than the fact that the assertion being proven is true, and no polynomial-time adversarial prover can convince the verifier of a false statement). These results resolve an open question posed by Naor et al. [by Nguyen and Vadhan [28]. 2 We then use this 2-phase commitment scheme together with universal one-way hash functions (whose existence is also implied by the existence of one-way functions [7]) to construct the desired statistically hiding commitment scheme.
1.3.1. 2-phase commitments from any one-way function.
2-phase commitment schemes are commitment schemes with two phases, each consisting of a commit stage and a reveal stage. In the first phase, the sender commits to and reveals one value $v_1$, and subsequently, in the second phase, the sender commits to and reveals a second value $v_2$. We say that the 2-phase commitment is hiding if both phases are hiding and say that it is 1-out-of-2-binding, symbolically written as $\binom{2}{1}$-binding, if the following holds: with high probability, the sender will be forced to reveal the correct committed value in at least one of the phases (but which of the two phases can be determined dynamically by the malicious sender). 
More specifically, with high probability after the first-phase commit, there is a single value such that if the sender decommits to any other value, then the second commitment is guaranteed to be binding (in the standard sense). Even though we draw upon [28] for the notion of 2-phase commitments, there are many differences between the contexts of the two works and their constructions of 2-phase commitments. In [28], the goal was to prove unconditional results about prover efficiency in zero-knowledge proofs (specifically, that one can transform zero-knowledge proofs with inefficient provers into ones with efficient provers). This was done by showing that every problem having a zero-knowledge proof has an "instance-dependent" 2-phase commitment scheme, where the sender and receiver get an instance x of the problem as auxiliary input and we only require hiding to hold when x is a "yes instance" and binding when x is a "no instance." Here, we are giving conditional results (assuming the existence of one-way functions) and are obtaining standard (as opposed to instance-dependent) 2-phase commitments. Moreover, the focus in [28] is on statistically binding 2-phase commitments; thus here we need to develop new formulations to work with the computational binding property. Our initial construction, which gives a 2-phase commitment scheme satisfying a "weak hiding" property, is inspired by the construction of [28]. Indeed, the second phase in [28] was also in...