Non-Committing Encryption with Constant Ciphertext Expansion from Standard Assumptions

Non-committing encryption (NCE), introduced by Canetti et al. (STOC '96), is a central tool for achieving multi-party computation protocols secure in the adaptive setting. Recently, Yoshida et al. (ASIACRYPT '19) proposed an NCE scheme based on the hardness of the DDH problem, which has ciphertext expansion O(log λ) and public-key expansion O(λ). In this work, we improve their result and propose a methodology to construct an NCE scheme that achieves constant ciphertext expansion. Our methodology can be instantiated from the DDH assumption and from the LWE assumption. When instantiated from the LWE assumption, the public-key expansion is λ · poly(log λ). These are the first NCE schemes satisfying constant ciphertext expansion without using iO or common reference strings. Along the way, we define a weak notion of NCE, which satisfies only weak forms of correctness and security. We show how to amplify such a weak NCE scheme into a full-fledged one using wiretap codes with a new security property.
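The property the abstract is about is easiest to see on the textbook one-time-pad NCE: a simulator can hand out a ciphertext before the message is known and later "open" it to any message by choosing the key after the fact. The script below is an added illustration, not code from the paper; it constructs its own sample messages and measures ciphertext and key expansion (ciphertext length and key length relative to message length) to make concrete what the abstract's O(log λ), O(λ) and constant-expansion figures refer to. It also shows why this trivial scheme is not a satisfying answer: its key is as long as the message and usable only once, which is exactly the cost the paper's constructions avoid.

```python
import os
from fractions import Fraction

# --- Honest one-time-pad scheme (assumed toy instantiation, not the paper's) ---

def keygen(n: int) -> bytes:
    """Honest key generation: a uniformly random n-byte one-time pad."""
    return os.urandom(n)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "one-time pad requires equal lengths"
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, msg: bytes) -> bytes:
    return xor_bytes(key, msg)

def decrypt(key: bytes, ct: bytes) -> bytes:
    return xor_bytes(key, ct)

# --- Simulator demonstrating the non-committing property ---

def sim_ciphertext(n: int) -> bytes:
    """Fake ciphertext produced before the message is known.
    It is uniformly random, exactly like a real OTP ciphertext."""
    return os.urandom(n)

def sim_open(fake_ct: bytes, msg: bytes) -> bytes:
    """Given the message revealed later, output a key that explains the
    fake ciphertext as an encryption of that message."""
    return xor_bytes(fake_ct, msg)

def opens_consistently(fake_ct: bytes, msg: bytes) -> bool:
    """Check that the explained key decrypts the fake ciphertext to msg."""
    k = sim_open(fake_ct, msg)
    return decrypt(k, fake_ct) == msg

# --- Expansion metrics as used in the abstract ---

def ciphertext_expansion(msg: bytes, ct: bytes) -> Fraction:
    return Fraction(len(ct), len(msg))

def key_expansion(msg: bytes, key: bytes) -> Fraction:
    return Fraction(len(key), len(msg))

def demo() -> dict:
    # Constructed sample messages; any two equal-length messages work.
    m0 = b"attack at dawn!!"
    m1 = b"retreat at dusk."
    fake = sim_ciphertext(len(m0))
    key = keygen(len(m0))
    ct = encrypt(key, m0)
    return {
        "honest_roundtrip": decrypt(key, ct) == m0,
        "opens_to_m0": opens_consistently(fake, m0),
        "opens_to_m1": opens_consistently(fake, m1),  # same ct, other message
        "ct_expansion": ciphertext_expansion(m0, ct),  # constant: 1
        "key_expansion": key_expansion(m0, key),       # linear in |m|: 1 per byte
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The simulator's ability to open one ciphertext to both m0 and m1 is the non-committing property; the one-time pad achieves it with constant ciphertext expansion but pays with a key (and hence public-key material in a public-key setting) as long as every message ever sent. The paper's contribution is keeping ciphertext expansion constant while bringing public-key expansion down to λ · poly(log λ) under LWE.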

[1] Mihir Bellare et al. Polynomial-Time, Semantically-Secure Encryption Achieving the Secrecy Capacity. IACR Cryptol. ePrint Arch., 2012.
[2] Zvika Brakerski et al. Constant Ciphertext-Rate Non-Committing Encryption from Standard Assumptions. IACR Cryptol. ePrint Arch., 2020.
[3] Nico Döttling et al. New Constructions of Identity-Based and Key-Dependent Message Secure Encryption Schemes. Public Key Cryptography, 2018.
[4] Fuyuki Kitagawa et al. Non-Committing Encryption with Quasi-Optimal Ciphertext-Rate Based on the DDH Problem. IACR Cryptol. ePrint Arch., 2019.
[5] Thomas Holenstein et al. One-Way Secret-Key Agreement and Applications to Circuit Polarization and Immunization of Public-Key Encryption. CRYPTO, 2005.
[6] Pritish Kamath et al. Limits on the Efficiency of (Ring) LWE-Based Non-interactive Key Exchange. Journal of Cryptology, 2020.
[7] Tal Malkin et al. Improved Non-committing Encryption with Applications to Adaptively Secure Protocols. ASIACRYPT, 2009.
[8] Sik K. Leung-Yan-Cheong. On a special class of wiretap channels (Corresp.). IEEE Trans. Inf. Theory, 1977.
[9] Alexander Vardy et al. Semantic Security for the Wiretap Channel. CRYPTO, 2012.
[10] Daniele Micciancio et al. Worst-case to average-case reductions based on Gaussian measures. 45th Annual IEEE Symposium on Foundations of Computer Science, 2004.
[11] Avi Wigderson et al. Completeness theorems for non-cryptographic fault-tolerant distributed computation. STOC, 1988.
[12] Ivan Damgård et al. Improved Non-committing Encryption Schemes Based on a General Complexity Assumption. CRYPTO, 2000.
[13] Rafail Ostrovsky et al. Non-committing Encryption from Φ-hiding. TCC, 2015.
[14] David Cash et al. Bonsai Trees, or How to Delegate a Lattice Basis. Journal of Cryptology, 2010.
[15] Ivan Damgård et al. Linear Secret Sharing Schemes from Error Correcting Codes and Universal Hash Functions. EUROCRYPT, 2015.
[16] Moni Naor et al. Immunizing Encryption Schemes from Decryption Errors. EUROCRYPT, 2004.
[17] Yehuda Lindell et al. Universally composable two-party and multi-party secure computation. STOC, 2002.
[18] Chris Peikert et al. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. IACR Cryptol. ePrint Arch., 2012.
[19] David Chaum et al. Multiparty Unconditionally Secure Protocols (Extended Abstract). STOC, 1988.
[20] Alexander Vardy et al. A Cryptographic Treatment of the Wiretap Channel. IACR Cryptol. ePrint Arch., 2012.
[21] Rafail Ostrovsky et al. Adaptive Security with Quasi-Optimal Rate. TCC, 2016.
[22] A. D. Wyner et al. The wire-tap channel. The Bell System Technical Journal, 1975.
[23] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions. IACR Cryptol. ePrint Arch., 2008.
[24] Silvio Micali et al. A Completeness Theorem for Protocols with Honest Majority. STOC, 1987.
[25] Donald Beaver et al. Cryptographic Protocols Provably Secure Against Dynamic Adversaries. EUROCRYPT, 1992.
[26] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography. STOC, 2005.
[27] Stefano Tessaro et al. Amplification of Chosen-Ciphertext Security. EUROCRYPT, 2013.
[28] Erdal Arikan et al. Channel Polarization: A Method for Constructing Capacity-Achieving Codes for Symmetric Binary-Input Memoryless Channels. IEEE Transactions on Information Theory, 2008.
[29] Nico Döttling et al. Identity-Based Encryption from the Diffie-Hellman Assumption. CRYPTO, 2017.
[30] Donald Beaver et al. Plug and Play Encryption. CRYPTO, 1997.