Improved Constructions of PRFs Secure Against Related-Key Attacks

Lewi, Kevin; Montgomery, Hart; Raghunathan, Ananth

doi:10.1007/978-3-319-07536-5_4

Cited by 23 publications

(15 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Related-key security was first studied in the context of symmetric encryption [10,46,33,4,3]. With time a number of cryptographic primitives with security against related-key attacks have emerged, including pseudorandom functions [7,43,5,1], hash functions [34], identity-based encryption [8,12], public-key encryption [8,57,12,45], signatures [8,12,11], and more [15,54,19].…”

Section: Related Workmentioning

confidence: 99%

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience

Faonio

Venturi

2016

Advances in Cryptology – ASIACRYPT 2016

View full text Add to dashboard Cite

We revisit the question of constructing public-key encryption and signature schemes with security in the presence of bounded leakage and tampering memory attacks. For signatures we obtain the first construction in the standard model; for public-key encryption we obtain the first construction free of pairing (avoiding non-interactive zero-knowledge proofs). Our constructions are based on generic building blocks, and, as we show, also admit efficient instantiations under fairly standard number-theoretic assumptions. The model of bounded tamper resistance was recently put forward by Damgård et al. (Asiacrypt 2013) as an attractive path to achieve security against arbitrary memory tampering attacks without making hardware assumptions (such as the existence of a protected self-destruct or key-update mechanism), the only restriction being on the number of allowed tampering attempts (which is a parameter of the scheme). This allows to circumvent known impossibility results for unrestricted tampering (Gennaro et al., TCC 2010), while still being able to capture realistic tampering attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience

Faonio

Venturi

2016

Advances in Cryptology – ASIACRYPT 2016

View full text Add to dashboard Cite

show abstract

“…Shortly after this, Coron, Lepoint, and Tibouchi [15] proposed another potential graded encoding scheme (CLT13) over integers. These graded encoding schemes expanded their applications such as general-purpose obfuscation, functional encryption, and others [1,3,5,6,22,[24][25][26]30,36,37].…”

Section: Introductionmentioning

confidence: 99%

“…Thus, the CLT13 scheme is considered as the only candidate for implementing applications that require the presumed hardness of the problems as the security basis. Such applications include key-homomorphic pseudorandom functions and a one-round group password-based authenticated key exchange [1,3,5,6,15,22,30,36]: The widespread use of the CLT13 scheme has raised concerns about its security because its presumed hardness has not been proven for standard assumptions.…”

Section: Introductionmentioning

confidence: 99%

“…Consequently, there is no direct construction of secure multilinear maps, for which any of the GDDH, SubM, DLIN, and GXDH problems are hard. 1 Several cryptographic applications are impacted,e.g., all the constructions of [3,22,30,36], GPAKE construc-tion in [1] for more than three users, one of the two constructions of password hashing in [5], and one of the key-homomorphic PRF constructions in [6].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Cryptanalysis of the CLT13 Multilinear Map

Cheon¹,

Han²,

Lee³

et al. 2018

J Cryptol

View full text Add to dashboard Cite

In this paper, we describe a polynomial time cryptanalysis of the (approximate) multilinear map proposed by Coron, Lepoint, and Tibouchi in Crypto13 (CLT13). This scheme includes a zero-testing functionality that determines whether the message of a given encoding is zero or not. This functionality is useful for designing several of its applications, but it leaks unexpected values, such as linear combinations of the secret elements. By collecting the outputs of the zero-testing algorithm, we construct a matrix containing the hidden information as eigenvalues, and then recover all the secret elements of the CLT13 scheme via diagonalization of the matrix. In addition, we provide polynomial time algorithms to directly break the security assumptions of many applications based on the CLT13 scheme. These algorithms include solving subgroup membership, decision linear, and graded external Diffie-Hellman problems. These algorithms mainly rely on the computation of the determinants of the matrices and their greatest common divisor, instead of performing their diagonalization.

show abstract

“…Several recent cryptographic constructions can no longer be realized. This includes all constructions from [2,23,24,37], the one-round group password authenticated key exchange construction of [1] for more than 3 users, one of the two constructions of password hashing of [3], the alternative key-homomorphic pseudo random function construction from [6], and the use of the latter in [33].…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of the Multilinear Map over the Integers

Cheon

Han

Lee

et al. 2015

Lecture Notes in Computer Science

164

View full text Add to dashboard Cite

The CRT-ACD problem is to find the primes p 1 , . . . , p n given polynomially many instances of CRT (p1,...,pn) (r 1 , . . . , r n ) for small integers r 1 , . . . , r n . The CRT-ACD problem is regarded as a hard problem, but its hardness is not proven yet. In this paper, we analyze the CRT-ACD problem when given one more input CRT (p1,...,pn) (x 0 /p 1 , . . . , x 0 /p n ) forp i and propose a polynomial-time algorithm for this problem by using products of the instances and auxiliary input.This algorithm yields a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT): We show that by multiplying encodings of zero with zero-testing parameters properly in the CLT scheme, one can obtain a required input of our algorithm: products of CRT-ACD instances and auxiliary input. This leads to a total break: all the quantities that were supposed to be kept secret can be recovered in an efficient and public manner.We also introduce polynomial-time algorithms for the Subgroup Membership, Decision Linear, and Graded External Diffie-Hellman problems, which are used as the base problems of several cryptographic schemes constructed on multilinear maps.

show abstract

Improved Constructions of PRFs Secure Against Related-Key Attacks

Cited by 23 publications

References 36 publications

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience

Cryptanalysis of the CLT13 Multilinear Map

Cryptanalysis of the Multilinear Map over the Integers

Contact Info

Product

Resources

About