Simulation-Sound Arguments for LWE and Applications to KDM-CCA2 Security

The Naor-Yung paradigm is a well-known technique that constructs IND-CCA2-secure encryption schemes by means of non-interactive zero-knowledge proofs satisfying a notion of simulation-soundness. Until recently, it was an open problem to instantiate it under the sole Learning-With-Errors (LWE) assumption without relying on random oracles. While the recent results of Canetti et al. (STOC’19) and PeikertShiehian (Crypto’19) provide a solution to this problem by applying the Fiat-Shamir transform in the standard model, the resulting constructions are extremely inefficient as they proceed via a reduction to an NP-complete problem. In this paper, we give a direct, non-generic method for instantiating Naor-Yung under the LWE assumption outside the random oracle model. Specifically, we give a direct construction of an unbounded simulation-sound NIZK argument system which, for carefully chosen parameters, makes it possible to express the equality of plaintexts encrypted under different keys in Regev’s cryptosystem. We also give a variant of our argument that provides tight security. As an application, we obtain an LWE-based public-key encryption scheme for which we can prove (tight) key-dependent message security under chosen-ciphertext attacks in the standard model.

[1]  Shota Yamada,et al.  Asymptotically Compact Adaptively Secure Lattice IBEs and Verifiable Random Functions via Generalized Partitioning Techniques , 2017, CRYPTO.

[2]  Melissa Chase,et al.  Simulatable VRFs with Applications to Multi-theorem NIZK , 2007, CRYPTO.

[3]  David Cash,et al.  Cryptographic Agility and Its Relation to Circular Encryption , 2010, EUROCRYPT.

[4]  Ron Rothblum,et al.  Fiat-Shamir: from practice to theory , 2019, STOC.

[5]  Fuyuki Kitagawa,et al.  CPA-to-CCA Transformation for KDM Security , 2019, IACR Cryptol. ePrint Arch..

[6]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[7]  Mihir Bellare,et al.  Encryption Schemes Secure under Selective Opening Attack , 2009, IACR Cryptol. ePrint Arch..

[8]  Goichiro Hanaoka,et al.  Simulation-based receiver selective opening CCA secure PKE from standard computational assumptions , 2019, Theor. Comput. Sci..

[9]  Xavier Boyen,et al.  Almost Tight Multi-Instance Multi-Ciphertext Identity-Based Encryption on Lattices , 2018, ACNS.

[10]  Guy N. Rothblum,et al.  Finding a Nash equilibrium is no easier than breaking Fiat-Shamir , 2019, IACR Cryptol. ePrint Arch..

[11]  Yael Tauman Kalai,et al.  From Obfuscation to the Security of Fiat-Shamir for Proofs , 2017, CRYPTO.

[12]  Zhedong Wang,et al.  Almost Tight Security in Lattices with Polynomial Moduli - PRF, IBE, All-but-many LTF, and More , 2020, Public Key Cryptography.

[13]  David J. Wu,et al.  Multi-Theorem Preprocessing NIZKs from Lattices , 2018, IACR Cryptol. ePrint Arch..

[14]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[15]  David A. Mix Barrington,et al.  Bounded-width polynomial-size branching programs recognize exactly those languages in NC1 , 1986, STOC '86.

[16]  Daniele Micciancio,et al.  Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More , 2003, CRYPTO.

[17]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[18]  Charanjit S. Jutla,et al.  Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces , 2013, Journal of Cryptology.

[19]  Rafail Ostrovsky,et al.  Zero-knowledge from secure multiparty computation , 2007, STOC '07.

[20]  Dennis Hofheinz,et al.  All-But-Many Lossy Trapdoor Functions , 2012, EUROCRYPT.

[21]  Craig Gentry,et al.  Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits , 2014, EUROCRYPT.

[22]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[23]  David Pointcheval,et al.  Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks , 2001, ASIACRYPT.

[24]  Brent Waters,et al.  Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based , 2013, CRYPTO.

[25]  Daniele Venturi,et al.  On Adaptive Security of Delayed-Input Sigma Protocols and Fiat-Shamir NIZKs , 2020, IACR Cryptol. ePrint Arch..

[26]  Ran Canetti,et al.  Fiat-Shamir : From Practice to Theory , Part II NIZK and Correlation Intractability from Circular-Secure FHE , 2019 .

[27]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[28]  Damien Stehlé,et al.  Fully Secure Functional Encryption for Inner Products, from Standard Assumptions , 2016, CRYPTO.

[29]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[30]  Thomas Holenstein,et al.  On the (Im)Possibility of Key Dependent Encryption , 2009, TCC.

[31]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, Journal of Cryptology.

[32]  Shuai Han,et al.  Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions , 2016, ASIACRYPT.

[33]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[34]  Chris Peikert,et al.  Circular and KDM Security for Identity-Based Encryption , 2012, Public Key Cryptography.

[35]  Yael Tauman Kalai,et al.  Black-Box Circular-Secure Encryption beyond Affine Functions , 2011, TCC.

[36]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[37]  Nico Döttling,et al.  Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification , 2015, Public Key Cryptography.

[38]  Tibor Jager,et al.  Tightly secure signatures and public-key encryption , 2012, Designs, Codes and Cryptography.

[39]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[40]  Daniel Wichs,et al.  Fully Leakage-Resilient Signatures , 2011, Journal of Cryptology.

[41]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[42]  Dingding Jia,et al.  KDM-CCA Security from RKA Secure Authenticated Encryption , 2015, EUROCRYPT.

[43]  Hoeteck Wee,et al.  KDM-Security via Homomorphic Smooth Projective Hashing , 2016, Public Key Cryptography.

[44]  Vadim Lyubashevsky,et al.  Lattice-Based Identification Schemes Secure Under Active Attacks , 2008, Public Key Cryptography.

[45]  Ke Yang,et al.  On Simulation-Sound Trapdoor Commitments , 2004, EUROCRYPT.

[46]  Kenneth G. Paterson,et al.  Programmable Hash Functions in the Multilinear Setting , 2013, CRYPTO.

[47]  Vadim Lyubashevsky,et al.  Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures , 2009, ASIACRYPT.

[48]  Dennis Hofheinz,et al.  Towards Key-Dependent Message Security in the Standard Model , 2008, EUROCRYPT.

[49]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[50]  Xavier Boyen,et al.  Towards Tightly Secure Lattice Short Signature and Id-Based Encryption , 2016, ASIACRYPT.

[51]  Ron Rothblum,et al.  Fiat-Shamir From Simpler Assumptions , 2018, IACR Cryptol. ePrint Arch..

[52]  Ronald Cramer,et al.  Modular Design of Secure yet Practical Cryptographic Protocols , 1997 .

[53]  Yuval Ishai,et al.  Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs , 2015, Journal of Cryptology.

[54]  Fuyuki Kitagawa,et al.  Simple and Efficient KDM-CCA Secure Public Key Encryption , 2019, IACR Cryptol. ePrint Arch..

[55]  Abhishek Banerjee,et al.  Pseudorandom Functions and Lattices , 2012, EUROCRYPT.

[56]  Rosario Gennaro,et al.  Multi-Trapdoor Commitments and their Applications to Non-Malleable Protocols , 2003, IACR Cryptol. ePrint Arch..

[57]  Goichiro Hanaoka,et al.  Efficient Key Dependent Message Security Amplification Against Chosen Ciphertext Attacks , 2014, ICISC.

[58]  Moti Yung,et al.  Efficient Circuit-Size Independent Public Key Encryption with KDM Security , 2011, EUROCRYPT.

[59]  Fuyuki Kitagawa,et al.  A Framework for Achieving KDM-CCA Secure Public-Key Encryption , 2018, IACR Cryptol. ePrint Arch..

[60]  Dan Boneh,et al.  Key Homomorphic PRFs and Their Applications , 2013, CRYPTO.

[61]  Ron Rothblum,et al.  New Constructions of Reusable Designated-Verifier NIZKs , 2019, IACR Cryptol. ePrint Arch..

[62]  Ron Rothblum,et al.  Fiat-Shamir and Correlation Intractability from Strong KDM-Secure Encryption , 2018, IACR Cryptol. ePrint Arch..

[63]  Jonathan Katz,et al.  A Group Signature Scheme from Lattice Assumptions , 2010, IACR Cryptol. ePrint Arch..

[64]  John Black,et al.  Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.

[65]  Vinod Vaikuntanathan,et al.  Lattice-based FHE as secure as PKE , 2014, IACR Cryptol. ePrint Arch..

[66]  Yael Tauman Kalai,et al.  On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[67]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[68]  Chris Peikert,et al.  Noninteractive Zero Knowledge for NP from (Plain) Learning With Errors , 2019, IACR Cryptol. ePrint Arch..

[69]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[70]  Mihir Bellare,et al.  Foundations of garbled circuits , 2012, CCS.

[71]  Rafail Ostrovsky,et al.  Circular-Secure Encryption from Decision Diffie-Hellman , 2008, CRYPTO.

[72]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[73]  Benny Applebaum,et al.  Key-Dependent Message Security: Generic Amplification and Completeness , 2011, Journal of Cryptology.

[74]  Nir Bitansky,et al.  Why "Fiat-Shamir for Proofs" Lacks a Proof , 2013, TCC.

[75]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[76]  Yuval Ishai,et al.  Bounded Key-Dependent Message Security , 2010, IACR Cryptol. ePrint Arch..

[77]  Steven Myers,et al.  On Seed-Incompressible Functions , 2008, TCC.

[78]  Ran Canetti,et al.  On the Correlation Intractability of Obfuscated Pseudorandom Functions , 2016, TCC.

[79]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[80]  Moti Yung,et al.  Crptograpic Applications of the Non-Interactive Metaproof and Many-Prover Systems , 1990, CRYPTO.

[81]  Jan Camenisch,et al.  A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks , 2009, IACR Cryptol. ePrint Arch..

[82]  Moti Yung,et al.  Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures , 2014, IACR Cryptol. ePrint Arch..

[83]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[84]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[85]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[86]  Zvika Brakerski,et al.  Circular and Leakage Resilient Public-Key Encryption Under Subgroup Indistinguishability (or: Quadratic Residuosity Strikes Back) , 2010, IACR Cryptol. ePrint Arch..

[87]  Brent Waters,et al.  Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits , 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[88]  Rafail Ostrovsky,et al.  New Techniques for Noninteractive Zero-Knowledge , 2012, JACM.

[89]  Eike Kiltz,et al.  Chosen-Ciphertext Security from Tag-Based Encryption , 2006, TCC.

[90]  Ron Steinfeld,et al.  All-But-Many Lossy Trapdoor Functions and Selective Opening Chosen-Ciphertext Security from LWE , 2017, CRYPTO.

[91]  Dan Boneh,et al.  Efficient Lattice (H)IBE in the Standard Model , 2010, EUROCRYPT.

[92]  Rafael Pass,et al.  Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments , 2013, computational complexity.

[93]  Carmit Hazay,et al.  On the Power of Secure Two-Party Computation , 2016, Journal of Cryptology.

[94]  Dan Boneh,et al.  Secure Identity Based Encryption Without Random Oracles , 2004, CRYPTO.

[95]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..

[96]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[97]  Angelo De Caro,et al.  Simple Functional Encryption Schemes for Inner Products , 2015, IACR Cryptol. ePrint Arch..

[98]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[99]  Yael Tauman Kalai,et al.  Public-Key Encryption Schemes with Auxiliary Inputs , 2010, TCC.

[100]  Brent Waters,et al.  A Framework for Efficient and Composable Oblivious Transfer , 2008, CRYPTO.

[101]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, Journal of Cryptology.

[102]  Dennis Hofheinz,et al.  Designated-verifier pseudorandom generators, and their applications , 2019, IACR Cryptol. ePrint Arch..

[103]  Tibor Jager,et al.  Verifiable Random Functions from Weaker Assumptions , 2015, TCC.

[104]  Dennis Hofheinz,et al.  Circular Chosen-Ciphertext Security with Compact Ciphertexts , 2013, EUROCRYPT.

[105]  Serge Fehr,et al.  Perfect NIZK with Adaptive Soundness , 2007, TCC.

[106]  Mihir Bellare,et al.  Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening , 2009, EUROCRYPT.

[107]  Alex Lombardi,et al.  Cryptographic Hashing from Strong One-Way Functions (Or: One-Way Product Functions and Their Applications) , 2018, 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS).

[108]  Dingding Jia,et al.  KDM and Selective Opening Secure IBE Based on the LWE Problem , 2017, APKC '17.

[109]  Tibor Jager,et al.  Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts , 2016, TCC.

[110]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, Journal of Cryptology.

[111]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.