Linicrypt: A Model for Practical Cryptography

A wide variety of objectively practical cryptographic schemes can be constructed using only symmetric-key operations and linear operations. To formally study this restricted class of cryptographic algorithms, we present a new model called Linicrypt. A Linicrypt program has access to a random oracle whose inputs and outputs are field elements, and otherwise manipulates data only via fixed linear combinations. Our main technical result is that it is possible to decide in polynomial time whether two given Linicrypt programs induce computationally indistinguishable distributions against arbitrary PPT adversaries, in the random oracle model. We show also that indistinguishability of Linicrypt programs can be expressed as an existential formula, making the model amenable to automated program synthesis. In other words, it is possible to use a SAT/SMT solver to automatically generate Linicrypt programs satisfying a given security constraint. Interestingly, the properties of Linicrypt imply that this synthesis approach is both sound and complete. We demonstrate this approach by synthesizing Linicrypt constructions of garbled circuits.
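The two ingredients the abstract names (fixed linear combinations over a field, plus a random oracle on field elements) are enough to build a toy interpreter and to make the indistinguishability question concrete. The following is an added example, not code from the paper or its authors: it models a program as a list of steps that are either a linear combination of earlier variables or an oracle query on such a combination, and computes each program's exact output distribution by branching over every possible oracle answer the first time a point is queried. The field size `P = 5`, the step encoding, and the sample programs are all constructed here; the brute-force enumeration is exponential in the number of oracle queries and is only a reference point for the polynomial-time decision procedure the paper proves exists, not a reconstruction of it.

```python
# Toy "linear combinations + random oracle" interpreter over a tiny prime field.
# Constructed for illustration; it is NOT the paper's formal Linicrypt model
# (no inputs, no local randomness) and NOT its decision algorithm.
from collections import Counter
from fractions import Fraction

P = 5  # tiny prime field so every oracle answer can be enumerated (constructed choice)

# A program is {"steps": [...], "out": [variable indices]}.
# Each step is (kind, coeffs, const): the value v = const + sum(c * var[i]) mod P,
# where coeffs maps an earlier variable index to its coefficient.
#   kind == "lin"    -> the new variable is v itself (a fixed linear combination)
#   kind == "oracle" -> the new variable is H(v), the random oracle applied to v

def output_distribution(program):
    """Exact distribution of the program's output tuple over a uniformly random oracle H.

    The oracle is sampled lazily: the first query at a fresh point branches into all
    P possible answers, each branch carrying 1/P of the current probability; a repeated
    query at the same point reuses the stored answer, which is what makes adaptive
    query patterns (query H at a value that is itself an oracle output) behave correctly.
    """
    dist = Counter()

    def explore(step_idx, vars_, oracle, weight):
        for k in range(step_idx, len(program["steps"])):
            kind, coeffs, const = program["steps"][k]
            v = (sum(c * vars_[i] for i, c in coeffs.items()) + const) % P
            if kind == "lin":
                vars_ = vars_ + [v]
            elif v in oracle:                      # point already fixed on this branch
                vars_ = vars_ + [oracle[v]]
            else:                                  # fresh point: branch on every answer
                for ans in range(P):
                    explore(k + 1, vars_ + [ans], {**oracle, v: ans}, weight / P)
                return
        dist[tuple(vars_[i] for i in program["out"])] += weight

    explore(0, [], {}, Fraction(1))
    return dist

def indistinguishable(prog_a, prog_b):
    """Perfect indistinguishability for the toy model: identical output distributions."""
    return output_distribution(prog_a) == output_distribution(prog_b)

# Constructed sample programs.
# A: output (H(0), H(1))                       -> uniform over all P^2 pairs
PROG_A = {"steps": [("oracle", {}, 0), ("oracle", {}, 1)], "out": [0, 1]}
# B: output (H(0), H(0) + H(1))                -> also uniform: adding H(1) re-randomizes
PROG_B = {"steps": [("oracle", {}, 0), ("oracle", {}, 1), ("lin", {0: 1, 1: 1}, 0)],
          "out": [0, 2]}
# C: output (H(0), 2*H(0) + 3)                 -> second coordinate is a function of the first
PROG_C = {"steps": [("oracle", {}, 0), ("lin", {0: 2}, 3)], "out": [0, 1]}
# D: output (H(0), H(H(0)))                    -> adaptive query; when H(0) == 0 the
#                                                 second query repeats the first point
PROG_D = {"steps": [("oracle", {}, 0), ("oracle", {0: 1}, 0)], "out": [0, 1]}

if __name__ == "__main__":
    print("A ~ B:", indistinguishable(PROG_A, PROG_B))   # True
    print("A ~ C:", indistinguishable(PROG_A, PROG_C))   # False
    print("A ~ D:", indistinguishable(PROG_A, PROG_D))   # False
    print("Pr[D outputs (0,0)] =", output_distribution(PROG_D)[(0, 0)])  # 1/5
```

Program D is the instructive case: its two outputs look like two oracle answers, but the second query point equals the first output, so with probability 1/P the two queries coincide and the pair collapses to (0, 0); the distribution therefore differs from A's, and an adversary that checks for that event distinguishes them. Any decision procedure for this model has to account for such linear dependencies among query points, which is the kind of structure the paper's polynomial-time result exploits.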
