Collision-resistant Hash Functions Research Articles

Reusable and robust fuzzy extractor for CRS-dependent sources

Fuzzy extractors allow for the extraction and reproduction of a nearly uniform string from a noisy and non-uniform source. Reusable and robust fuzzy extractors further require that the output string should remain pseudorandom under multiple extractions and any modification of public value should be detectable. Existing constructions of reusable and robust fuzzy extractors are all designed in the Common Reference String (CRS) model and work only for CRS-independent sources. In this work, we introduce a construction of reusable and robust fuzzy extractor for CRS-dependent sources. Our construction is built upon some well-studied cryptography, including a collision resistant hash function, a symmetric key encryption that keeps secure with respect to auxiliary input, a public key encryption and simulation-sound non-interactive zero-knowledge argument. We also present some instantiations of these primitives from Learning with Parity Noise (LPN) assumption and Short Integer Solution (SIS) assumption. These instantiations result in the first reusable and robust fuzzy extractor for CRS-dependent sources that can tolerate linear errors.

Lower Bound on Number of Compression Calls of a Collision-Resistance Preserving Hash

The collision-resistant hash function is an early cryptographic primitive that finds extensive use in various applications. Remarkably, the Merkle-Damgård and Merkle tree hash structures possess the collision-resistance preserving property, meaning the hash function remains collision-resistant when the underlying compression function is collision-resistant. This raises the intriguing question of whether reducing the number of underlying compression function calls with the collision-resistance preserving property is possible. In pursuit of addressing these inquiries, we prove that for an ℓ n -to- s n -bit collision-resistance preserving hash function designed using r t n -to- n -bit compression function calls, we must have r ≥ ⌈ ( ℓ − s ) / ( t − 1 ) ⌉ . Throughout the paper, all operations other than the compression function are assumed to be linear (which we call linear hash mode).

READ: Resource efficient authentication scheme for digital twin edge networks

In recent vigorous developments, digital twin edge networks (DITEN) have emerged as a network paradigm to improve network communication efficiency. Given that Web 3.0 technologies promise secure decentralized data storage and effective information exchange, it is feasible to construct a wireless edge intelligence-enabled Web 3.0 physical infrastructure through DITEN. However, DITEN encounters various security threats related to communication and authentication, and establishing a secure and cost-effective authentication scheme for confidential access to physical entities poses a significant challenge. To tackle this issue, in this article, we introduce READ, a provably secure multi-factor user authentication scheme tailored for DITEN in industrial applications. Using designed ASCON cryptography primitive cipher suite, physical unclonable functions, extended Chebyshev chaotic maps, one-way secure collision-resistant hash functions, and lightweight bitwise exclusive-or operations, READ enables mutual authentication and session key negotiation among mobile users, smart gateways, and smart industrial devices. Rigorous security assessments, conducted through the real-or-random (ROR) model, the automated validation of internet security-sensitive protocols and applications (AVISPA) simulation tool, and heuristic informal security analysis, confirm that READ meets all 13 security evaluation criteria. Furthermore, compared to other seven advanced multi-factor user authentication schemes, READ excels in security and efficiency, making it ideal for practical multi-factor user authentication scenarios.

Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of a Prevailing Assumption

A two-input function is a dual PRF if it is a PRF when keyed by either of its inputs. Dual PRFs are assumed in the design and analysis of numerous primitives and protocols including HMAC, AMAC, TLS 1.3 and MLS. But, not only do we not know whether particular functions on which the assumption is made really are dual PRFs; we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain two specific symmetric and dual PRFs, the first assuming any collision-resistant hash function and the second assuming any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.

Merkle-Damgård hash functions and blockchains : Securing electronic health records

The integration of Blockchain (BC) technology with the Merkle-Damgård Structure (M-DS) presents a practical model for securing Electronic Health Records (EHR). This research study examines how these cryptographic mechanisms can be functional to address confidentiality, integrity, and availability concerns when working with specific clinical data. Secure EHR is developed based on the M-DS, which is notable for being capable of generating Collision-Resistant Hash Functions (CRHF). The summary of BC-based technology in the EHR environment enhances access control, allows it to be fixed, and simplifies decentralized access. A decentralized BC system stores the values that have been hashed, resulting in patient EHR using the M-DC, as per the proposed method. As an outcome of smart contracts’ ability to manage access, only persons who have been authorized to access can analyze and alter clinical information. The strategy of the model’s cryptographic mechanism highlights openness and accountability by securing data confidentiality by encryption and by regularly generating a verification record of every transaction. This work discusses an exhaustive method to secure EHR in a clinical system that develops more computer-aided and data-driven over performing a complete assessment of the mathematical models that are enabling MDC and BC Technology within the overall system of EHR security.

A lightweight delegated private set intersection cardinality protocol

Secure multiparty computation (MPC) is an important means to realize privacy computing (PC). Private set intersection cardinality (PSI-CA) is a variant of an important problem in MPC research, that is private set intersection. PSI-CA allows multiple participants jointly compute the size of the common intersection of their private sets through interaction without revealing any other information about their respective sets. Delegated PSI-CA delegates a large number of computing in the protocol to some untrusted cloud servers, which makes the protocol efficient. Delegated PSI-CA is considered to be of great significance for the construction of privacy-preserving contact tracing systems recently. However, the existing work is still not ideal for the resource-limited mobile terminal of clients. In this paper, we propose a lightweight delegated PSI-CA protocol based on multi-point oblivious pseudorandom function and collision-resistant hash function. Our protocol does not need to do additional pre-operations, so the computation complexity and the communication complexity on the client side are further reduced compare to the existing works. In addition, we build a privacy-preserving contact tracing system by utilizing our protocol, which can be publicly checked if necessary, named PC-CONTrace. The experimental results show that our system is more practical and advantageous for densely populated areas.

SPARKs: Succinct Parallelizable Arguments of Knowledge

We introduce the notion of aSuccinct Parallelizable Argument of Knowledge(SPARK). This is an argument of knowledge with the following three efficiency properties for computing and proving a (non-deterministic, polynomial time) parallel RAM computation that can be computed in parallel timeTwith at mostpprocessors:—The prover’s (parallel) running time is\( T + \mathrm{poly}\hspace{-2.0pt}\log (T \cdot p) \). (In other words, the prover’s running time is essentiallyTfor large computation times!)—The prover uses at most\( p \cdot \mathrm{poly}\hspace{-2.0pt}\log (T \cdot p) \)processors.—The communication and verifier complexity are both\( \mathrm{poly}\hspace{-2.0pt}\log (T \cdot p) \).The combination of all three is desirable, as it gives a way to leverage a moderate increase in parallelism in favor of near-optimal running time. We emphasize that even a factor two overhead in the prover’s parallel running time is not allowed.Our main contribution is a generic construction of SPARKs from any succinct argument of knowledge where the prover’s parallel running time is\( T \cdot \mathrm{poly}\hspace{-2.0pt}\log (T \cdot p) \)when usingpprocessors, assuming collision-resistant hash functions. When suitably instantiating our construction, we achieve a four-round SPARK foranyparallel RAM computation assuming only collision resistance. Additionally assuming the existence of a succinctnon-interactiveargument of knowledge (SNARK), we construct a non-interactive SPARK that also preserves the space complexity of the underlying computation up to\( \mathrm{poly}\hspace{-2.0pt}\log (T\cdot p) \)factors.We also show the following applications of non-interactive SPARKs. First, they immediately imply delegation protocols with near optimal prover (parallel) running time. This, in turn, gives a way to construct verifiable delay functions (VDFs) from any sequential function. When the sequential function is also memory-hard, this yields the first construction of a memory-hard VDF.

Shorter Linkable Ring Signature Based on Middle-Product Learning with Errors Problem

Abstract DualRing is a novel generic construction introduced by Yuen et al. (CRYPTO’21), which can transform a special kind of (Type-T*) canonical identification scheme to a ring signature scheme. Compared with the classical approaches, this method can get a shorter signature. In this paper, we construct a new middle-product learning with errors (MPLWE)-based ring signature scheme by using this framework. Specifically, we propose a new MPLWE-based identification scheme, which is compatible with the DualRing, then we obtain a ring signature scheme by using DualRing framework. We also show how to achieve linkability from this ring signature by using a collision resistant hash function. In the end, we provide available parameter options for our (linkable) ring signature scheme. Under these parameters, the signature size of our linkable ring signature is $2-40 \times $ shorter (depending on the ring size) than the previous MPLWE-based scheme by Das et al. (Africacrypt’19).

Efficient Lattice-Based Ring Signature Scheme without Trapdoors for Machine Learning.

Machine learning (ML) and privacy protection are inseparable. On the one hand, ML can be the target of privacy protection; on the other hand, it can also be used as an attack tool for privacy protection. Ring signature (RS) is an effective way for privacy protection in cryptography. In particular, lattice-based RS can still protect the privacy of users even in the presence of quantum computers. However, most current lattice-based RS schemes are based on a strong trapdoor like hash-and-sign, and in such constructions, there is a hidden algebraic structure, that is, added to lattice so that the trapdoor shape is not leaked, which greatly affects the computational efficiency of RS. In this study, utilizing Lyubashevsky collision-resistant hash function over lattice, we construct an RS scheme without trapdoors based on ideal lattice via Fiat‒Shamir with aborts (FSwA) protocol. Regarding security, the proposed scheme satisfies unconditional anonymity against chosen setting attacks (UA-CSA), which is stronger than anonymity against full key exposure (anonymity-FKE), and moreover, our scheme satisfies unforgeability with respect to insider corruption (EU-IC). Regarding computational overhead, compared with other RS schemes that satisfy the same degree of security, our scheme has the highest computational efficiency, the signing and verification time costs of the proposed scheme are obviously better than those of other lattice-based RS schemes without trapdoors, which is more suitable for ML scenarios.

Privacy Amplification With Tamperable Memory via Non-Malleable Two-Source Extractors

We extend the classical problem of privacy amplification to a setting where the active adversary, Eve, is also allowed to <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">fully corrupt</i> the internal memory (which includes the shared randomness, and local randomness tape) of one of the honest parties, Alice and Bob, before the execution of the protocol. We require that either one of Alice or Bob detects tampering, or they agree on a shared key that is indistinguishable from the uniform distribution to Eve. We obtain the following results: 1) we give a privacy amplification protocol via low-error non-malleable two-source extractors with one source having low min-entropy. In particular, this implies the existence of such (non-efficient) protocols; 2) we show that even slight improvements to the state-of-the-art explicit non-malleable two-source extractors would lead to explicit low-error, low min-entropy two-source extractors, thereby resolving a long-standing open question. This suggests that obtaining (information-theoretically secure) <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">explicit</i> non-malleable two-source extractors for (1) might be hard; 3) we present explicit constructions of low-error, low min-entropy non-malleable two-source extractors in the CRS model of (Garg, Kalai, Khurana, Eurocrypt 2020), assuming either the quasi-polynomial hardness of DDH or the existence of nearly-optimal collision-resistant hash functions; 4) we instantiate our privacy amplification protocol with the above mentioned non-malleable two-source extractors in the CRS model, leading to explicit, computationally-secure protocols. This is not immediate from (1) because in the computational setting we need to make sure that, in particular, all randomness sources remain samplable throughout the proof. This requires upgrading the assumption of quasi-polynomial hardness of DDH to sub-exponential hardness of DDH.We emphasize that each of the first three results can be read independently.

On the complexity of fair coin flipping

A two-party coin-flipping protocol is ε-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than ε. Cleve [STOC '86] showed that r-round o(1/r)-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85] constructed a Θ(1/r)-fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an r-round coin-flipping protocol that is Θ(1/r)-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer.The above gives rise to the intriguing question of whether oblivious transfer, or more generally “public-key primitives,” is required for an o(1/r)-fair coin-flipping protocol. Towards answering this intriguing question, Maji and Wang [Crypto '18] have recently showed that in the random oracle model (ROM), any coin-flipping protocol can be biased by Ω(1/r). This implies that o(1/r)-fair coin-flipping protocol cannot be constructed from one-way function, or from a family of collision-resistant hash functions, in a black-box way. This result does not rule out, however, non black-box constructions, and black-box constructions based on primitives that cannot be realized in the ROM.We make a different progress towards answering above question by showing that, for any constant r∈N, the existence of an 1/(c⋅r)-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak [SICOMP '20] to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri [FOCS '18] on multi-party coin-flipping protocols.

On subset-resilient hash function families

In this paper, we analyze the security of subset-resilient hash function families, which is first proposed as a requirement of a hash-based signature scheme called HORS. Let {mathcal {H}} be a family of functions mapping an element to a subset of size at most k. (r, k)-subset resilience guarantees that given a random function H from {mathcal {H}}, it is hard to find an (r+1)-tuple (x,x_1,ldots ,x_r) such that (1) H(x) is covered by the union of H(x_i) and (2) x is not equal to any x_i. Subset resilience and its variants are related to nearly all existing stateless hash-based signature schemes, but the power of this security notion is lacking in research. We present three results on subset resilience. First, we show a generic quantum attack against subset resilience, whose time complexity is smaller than simply implementing Grover’s search. Second, we show that subset-resilient hash function families imply the existence of distributional collision-resistant hash function families. Informally, distributional collision resistance is a relaxation of collision resistance, which guarantees that it is hard to find a uniform collision for a hash function. This result implies a comparison among the power of subset resilience, collision resistance, and distributional collision resistance. Third, we prove the fully black-box separation from one-way permutations.

A Commitment Scheme with Output Locality-3 Fit for the IoT Device

Low output locality is a property of functions, in which every output bit depends on a small number of input bits. In IoT devices with only a fragile CPU, it is important for many IoT devices to cooperate to execute a single function. In such IoT’s collaborative work, a feature of low output locality is very useful. This is why it is desirable to reconstruct cryptographic primitives with low output locality. However, until now, commitment with a constant low output locality has been constructed by using strong randomness extractors from a nonconstant-output-locality collision-resistant hash function. In this paper, we construct a commitment scheme with output locality-3 from a constant-output-locality collision-resistant hash function for the first time. We prove the computational hiding property of our commitment by the decisional M , δ -bSVP assumption and prove the computational binding property by the M , δ -bSVP assumption, respectively. Furthermore, we prove that the M , δ -bSVP assumption can be reduced to the decisional M , δ -bSVP assumption. We also give a parameter suggestion for our commitment scheme with the 128 bit security.

Polaris: Transparent Succinct Zero-Knowledge Arguments for R1CS with Efficient Verifier

AbstractWe present a new zero-knowledge succinct argument of knowledge (zkSNARK) scheme for Rank-1 Constraint Satisfaction (RICS), a widely deployed NP-complete language that generalizes arithmetic circuit satisfiability. By instantiating with different commitment schemes, we obtain several zkSNARKs where the verifier’s costs and the proof size range fromO(log2N) toO(N)O\left( {\sqrt N } \right)depending on the underlying polynomial commitment schemes when applied to anN-gate arithmetic circuit. All these schemes do not require a trusted setup. It is plausibly post-quantum secure when instantiated with a secure collision-resistant hash function. We report on experiments for evaluating the performance of our proposed system. For instance, for verifying a SHA-256 preimage (less than 23k AND gates) in zero-knowledge with 128 bits security, the proof size is less than 150kB and the verification time is less than 11ms, both competitive to existing systems.

Relaxed Locally Correctable Codes in Computationally Bounded Channels

Error-correcting codes that admit local decoding and correcting algorithms have been the focus of much recent research due to their numerous theoretical and practical applications. An important goal is to obtain the best possible tradeoffs between the number of queries the algorithm makes to its oracle (the locality of the task), and the amount of redundancy in the encoding (the information rate). In Hamming's classical adversarial channel model, the current tradeoffs are dramatic, allowing either small locality, but superpolynomial blocklength, or small blocklength, but high locality. However, in the computationally bounded, adversarial channel model, proposed by Lipton (STACS 1994), constructions of locally decodable codes suddenly exhibit small locality and small blocklength, but these constructions require strong trusted setup assumptions e.g., Ostrovsky, Pandey and Sahai (ICALP 2007) construct private locally decodable codes in the setting where the sender and receiver already share a symmetric key. We study variants of locally decodable and locally correctable codes in computationally bounded, adversarial channels, in a setting with no public-key or private-key cryptographic setup. The only setup assumption we require is the selection of the public parameters (seed) for a collision-resistant hash function. Specifically, we provide constructions of relaxed locally correctable and relaxed locally decodable codes over the binary alphabet, with constant information rate, and poly-logarithmic locality. Our constructions, which compare favorably with their classical analogues in the computationally unbounded Hamming channel, crucially employ collision-resistant hash functions and local expander graphs, extending ideas from recent cryptographic constructions of memory-hard functions.

A comprehensive review on collision-resistant hash functions on lattices

Hash functions have always attracted a lot of attention in modern cryptography because of their hard to invert nature. However, all previous constructions of cryptographic primitives face the threat of being broken by the recent advancements in quantum technology. The focus has thus shifted to developing cryptographic primitives on mathematical structures such as lattices that are intractable by quantum algorithms. We review the computational problems defined on lattices and their respective hardness and discuss constructions of hash function families based on both integer and ideal lattices whose security depends on these computational problems on lattices. We provide a comparative analysis of the theoretical security and concrete instantiations claimed by the different hash function families. Finally, we review techniques used in the reductions for the security proofs of constructions of different hash function families.

Immunization against complete subversion without random oracles

We seek constructions of general-purpose immunizers that take arbitrary cryptographic primitives, and transform them into ones that withstand a powerful “malicious but proud” adversary, who attempts to break security by possibly subverting the implementation of all algorithms (including the immunizer itself!), while trying not to be detected. This question is motivated by the recent evidence of cryptographic schemes being intentionally weakened, or designed together with hidden backdoors, e.g., with the scope of mass surveillance.Our main result is a subversion-secure immunizer in the plain model, that works for a fairly large class of deterministic primitives, i.e. cryptoschemes where a secret (but tamperable) random source is used to generate the keys and the public parameters, whereas all other algorithms are deterministic. The immunizer relies on an additional independent source of public randomness, which is used to sample a public seed.Assuming the public source is untamperable, and that the subversion of the algorithms is chosen independently of the seed, we can instantiate our immunizer from any one-way function. In case the subversion is allowed to depend on the seed, and the public source is still untamperable, we obtain an instantiation from collision-resistant hash functions. In the more challenging scenario where the public source is also tamperable, we additionally need to assume that the initial cryptographic primitive has sub-exponential security.Previous work in the area only obtained subversion-secure immunization for very restricted classes of primitives, often in weaker models of subversion and using random oracles.

Chosen-Ciphertext Secure Key Encapsulation Mechanism in the Standard Model

Key Encapsulation Mechanism (KEM) is a foundational cryptography primitive, which can provide secure symmetric cryptographic key material for transmission by using public key algorithms. Until now, many Chosen-Ciphertext (IND-CCA) secure KEM schemes are constructed from Chosen-Plaintext (IND-CPA) or One-Way (OW-CPA) secure PKE via the generic Fujisaki-Okamoto (FO) transformations (TCC 2017). However, the security relies on the Random Oracle Model (ROM). To the best of our knowledge, there are no IND-CCA secure KEM schemes based on Learning Parity with Noise (LPN) assumption that can against post quantum attacks in the standard model. In this work, we propose the first direct construction of LPN-based KEM, which is secure in the standard model. In particular, we use double-trapdoor technique to answer adversary’s decryption queries correctly and a Target Collision Resistant (TCR) hash function to check the validity of the ciphertext. The encapsulated key is determined by a special LPN problem (with no random oracle required). The scheme is IND-CCA secure against post-quantum attacks under the low-noise LPN assumptions by a series of games and the security reduction is tight. Compared with previous schemes on 128-bit security level, our CCA-secure scheme only holds 50.78MB public keys, 62.50MB secret keys and 4.54KB ciphertexts, which is more efficient than the schemes of Döttling <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> (ASIACRYPT 2012), Kiltz <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> (PKC 2014) and Yu <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> (CRYPTO 2016) ((7.27GB, 7.24GB, 7.03KB), (80.89MB, 46.23MB, 6.80KB) and (70.95MB, 70.65MB, 86.50KB) respectively).

Efficient Attribute-Based Signatures for Unbounded Arithmetic Branching Programs

This paper presents the first attribute-based signature (ABS) scheme in which the correspondence between signers and signatures is captured in an arithmetic model of computation. Specifically, we design a fully secure, i.e., adaptively unforgeable and perfectly signer-private ABS scheme for signing policies realizable by arithmetic branching programs (ABP), which are a quite expressive model of arithmetic computations. On a more positive note, the proposed scheme places no bound on the size and input length of the supported signing policy ABP’s, and at the same time, supports the use of an input attribute for an arbitrary number of times inside a signing policy ABP, i.e., the so called unbounded multi-use of attributes. The size of our public parameters is constant with respect to the sizes of the signing attribute vectors and signing policies available in the system. The construction is built in (asymmetric) bilinear groups of prime order, and its unforgeability is derived in the standard model under (asymmetric version of) the well-studied decisional linear (DLIN) assumption coupled with the existence of standard collision resistant hash functions. Due to the use of the arithmetic model as opposed to the boolean one, our ABS scheme not only excels significantly over the existing state-of-the-art constructions in terms of concrete efficiency, but also achieves improved applicability in various practical scenarios. Our principal technical contributions are (a) extending and refining the techniques of Okamoto and Takashima [PKC 2011, PKC 2013], which were originally developed in the context of boolean span programs, to the arithmetic setting; and (b) innovating new ideas to allow unbounded multi-use of attributes inside ABP’s, which themselves are of unbounded size and input length.

Practical and Provably Secure Distributed Aggregation: Verifiable Additive Homomorphic Secret Sharing

Often clients (e.g., sensors, organizations) need to outsource joint computations that are based on some joint inputs to external untrusted servers. These computations often rely on the aggregation of data collected from multiple clients, while the clients want to guarantee that the results are correct and, thus, an output that can be publicly verified is required. However, important security and privacy challenges are raised, since clients may hold sensitive information. In this paper, we propose an approach, called verifiable additive homomorphic secret sharing (VAHSS), to achieve practical and provably secure aggregation of data, while allowing for the clients to protect their secret data and providing public verifiability i.e., everyone should be able to verify the correctness of the computed result. We propose three VAHSS constructions by combining an additive homomorphic secret sharing (HSS) scheme, for computing the sum of the clients’ secret inputs, and three different methods for achieving public verifiability, namely: (i) homomorphic collision-resistant hash functions; (ii) linear homomorphic signatures; as well as (iii) a threshold RSA signature scheme. In all three constructions, we provide a detailed correctness, security, and verifiability analysis and detailed experimental evaluations. Our results demonstrate the efficiency of our proposed constructions, especially from the client side.