Everybody’s a Target: Scalability in Public-Key Encryption

Auerbach, Benedikt; Giacon, Federico; Kiltz, Eike

doi:10.1007/978-3-030-45727-3_16

Cited by 6 publications

(5 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We remark that the reliance on XOR, as opposed to AND, is indeed the "natural" thing to do when capturing multi-instance security of indistinguishability based notions. This was argued in the work of Bellare et al [BRT12], and was recently used in work by Auerbach et al [AGK20]. Our work shows this in a technical sense.…”

Section: Our Resultssupporting

confidence: 84%

Concentration bounds for almost k-wise independence with applications to non-uniform security

Gravin¹,

Guo²,

Kwok³

et al. 2021

Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms (SODA)

View full text Add to dashboard Cite

We prove a few concentration inequalities for the sum of n binary random variables under weaker conditions than k-wise independence. Namely, we consider two standard conditions that are satisfied in many applications: (a) direct product conditions (b) the XOR condition. Both conditions are weaker than mutual independence and both imply strong concentration bounds (similar to Chernoff-Hoeffding) on the tail probability of the sum of bounded random variables ([Impagliazzo and Kabanets, APPROX-RANDOM 10], [Unger, FOCS 09]). Our inequalities can be stated as the implication of threshold direct product theorems from either k-wise direct product conditions, or the k-wise XOR condition. By proving optimality of our inequalities, we show a clear separation for k n between k-wise product conditions and XOR condition as well as a stark contrast between k-wise and n-wise product theorems.We use these bounds in the cryptographic application that provides provable security against algorithms with S-bit advice. Namely, we show how the problem reduces to proving S-wise direct product theorems or Swise XOR lemmas for certain ranges of parameters. Finally, we derive a new S-wise XOR lemma, which yields a tight non-uniform bound for length increasing pseudorandom generators, resolving a 10-year-old open problem from [De, Trevisan, and Tulsiani, CRYPTO 10].

show abstract

Section: Our Resultssupporting

confidence: 84%

Concentration bounds for almost k-wise independence with applications to non-uniform security

Gravin¹,

Guo²,

Kwok³

et al. 2021

Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms (SODA)

View full text Add to dashboard Cite

show abstract

“…Furthermore, the relevant multi-instance OW-PCA security can be linked to the low granularity MI-GapCDH problem with corruptions (Theorem 12 of the full version). By extending AGK's low granularity bound [4,Thm. 6] to include corruptions (Thm.…”

Section: Corollarymentioning

confidence: 99%

“…Recently, Auerbach, Giacon and Kiltz [4], henceforth AGK, argued the importance of BRT's concept to protect against mass surveillance. They introduced the (n, κ) scaling factor as the effort to break n out of κ instances relative to the effort needed to break a single instance.…”

Section: Introductionmentioning

confidence: 99%

“…[20] recently followed up BRT's line of work on the multi-instance security of password hashing by combining it with the related preprocessing setting. AGK [4] motivated their investigation into multi-instance security by the threat of mass surveillance. The latter had previously motivated Bellare et al [11] to consider subversion, namely the ease with which a "big brother" might subvert an encryption algorithm by replacing it surreptitiously with a trapdoored one with otherwise identical behaviour.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Multi-instance Secure Public-Key Encryption

Brunetta

Hans

Stam

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Mass surveillance targets many users at the same time with the goal of learning as much as possible. Intuitively, breaking many users' cryptography simultaneously should be at least as hard as that of only breaking a single one, but ideally security degradation is gradual: an adversary ought to work harder to break more. Bellare, Ristenpart and Tessaro (Crypto'12) introduced the notion of multi-instance security to capture the related concept for password hashing with salts. Auerbach, Giacon and Kiltz (Eurocrypt'20) motivated the study of public key encryption (PKE) in the multi-instance setting, yet their technical results are exclusively stated in terms of key encapsulation mechanisms (KEMs), leaving a considerable gap.We investigate the multi-instance security of public key encryption. Our contributions are twofold. Firstly, we define and compare possible security notions for multi-instance PKE, where we include PKE schemes whose correctness is not perfect. Secondly, we observe that, in general, a hybrid encryption scheme of a multi-instance secure KEM and an arbitrary data encapsulation mechanism (DEM) is unlikely to inherit the KEM's multi-instance security. Yet, we show how with a suitable information-theoretic DEM, and a computationally secure key derivation function if need be, inheritance is possible. As far as we are aware, ours is the first inheritance result in the challenging multi-bit scenario.

show abstract

“…This model is strictly stronger than the GGM; for example, index-calculus algorithms that apply to certain classes of groups are algebraic and hence allowed in the AGM, even though they are ruled out in the GGM by known lower bounds on the hardness of the discrete-logarithm problem in that model. The AGM has been used to show equivalence of various number-theoretic assumptions [5,6,18] and to prove security of SNARKs [16,18,26] and blind signatures [19]. An extension called the strong AGM has recently been used to prove hardness of the repeated squaring assumption underlying timed commitments and related primitives [23].…”

Section: Introductionmentioning

confidence: 99%

Algebraic Adversaries in the Universal Composability Framework

Abdalla

Barbosa

Katz

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The algebraic-group model (AGM), which lies between the generic group model and the standard model of computation, provides a means by which to analyze the security of cryptosystems against so-called algebraic adversaries. We formalize the AGM within the framework of universal composability, providing formal definitions for this setting and proving an appropriate composition theorem. This extends the applicability of the AGM to more-complex protocols, and lays the foundations for analyzing algebraic adversaries in a composable fashion. Our results also clarify the meaning of composing proofs in the AGM with other proofs and they highlight a natural form of independence between idealized groups that seems inherent to the AGM and has not been made formal before-these insights also apply to the composition of game-based proofs in the AGM. We show the utility of our model by proving several important protocols universally composable for algebraic adversaries, specifically:(1) the Chou-Orlandi protocol for oblivious transfer, and (2) the SPAKE2 and CPace protocols for password-based authenticated key exchange.

show abstract

Everybody’s a Target: Scalability in Public-Key Encryption

Cited by 6 publications

References 27 publications

Concentration bounds for almost k-wise independence with applications to non-uniform security

Concentration bounds for almost k-wise independence with applications to non-uniform security

Multi-instance Secure Public-Key Encryption

Algebraic Adversaries in the Universal Composability Framework

Contact Info

Product

Resources

About