Algebraic (trapdoor) one-way functions: Constructions and applications

In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of number-theoretic one-way functions. Informally, a (trapdoor) one way function F : X ? Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic i.e. F ( x ) ? F ( y ) = F ( x ? y ) , and is ring-homomorphic, meaning that it is possible to compute linear operations "in the exponent" over some ring (which may be different from Z p where p is the order of the underlying group X) without knowing the bases. Moreover, algebraic OWFs must be flexibly one-way in the sense that given y = F ( x ) , it must be infeasible to compute ( x ' , d ) such that F ( x ' ) = y d (for d ? 0 ). Interestingly, algebraic one way functions can be constructed from a variety of standard number theoretic assumptions, such as RSA, Factoring and CDH over bilinear groups.As a second contribution of this paper, we show several applications where algebraic (trapdoor) OWFs turn out to be useful. In particular:Publicly Verifiable Secure Outsourcing of Polynomials: We present efficient solutions which work for rings of arbitrary size and characteristic. When instantiating our protocol with the RSA/Factoring based algebraic OWFs we obtain the first solution which supports small field size, is efficient and does not require bilinear maps to obtain public verifiability.Linearly-Homomorphic Signatures: We give a direct construction of FDH-like linearly homomorphic signatures from algebraic (trapdoor) one way permutations. Our constructions support messages and homomorphic operations over arbitrary rings and in particular even small fields such as F 2 . While it was already known how to realize linearly homomorphic signatures over small fields (Boneh-Freeman, Eurocrypt 2011), from lattices in the random oracle model, ours are the first schemes achieving this in a very efficient way from Factoring/RSA.Batch execution of Sigma protocols: We construct a simple and efficient Sigma protocol for any algebraic OWP and show a "batch" version of it, i.e. a protocol where many statements can be proven at a cost (slightly superior) of the cost of a single execution of the original protocol. Given our RSA/Factoring instantiations of algebraic OWP, this yields, to the best of our knowledge, the first batch verifiable Sigma protocol for groups of unknown order.

[1]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[2]  Darren Leigh,et al.  Batching Schnorr Identification Scheme with Applications to Privacy-Preserving Authorization and Low-Bandwidth Communication Devices , 2004, ASIACRYPT.

[3]  Bennet S. Yee,et al.  Using Secure Coprocessors , 1994 .

[4]  Bogdan Warinschi,et al.  Adaptive Pseudo-Free Groups and Applications , 2011, IACR Cryptol. ePrint Arch..

[5]  Nuttapong Attrapadung,et al.  Homomorphic Network Coding Signatures in the Standard Model , 2011, Public Key Cryptography.

[6]  Rosario Gennaro,et al.  Algebraic (Trapdoor) One-Way Functions and Their Applications , 2013, TCC.

[7]  Yevgeniy Vahlis,et al.  Verifiable Delegation of Computation over Large Datasets , 2011, IACR Cryptol. ePrint Arch..

[8]  David Mandell Freeman,et al.  Improved Security for Linearly Homomorphic Signatures: A Generic Framework , 2012, Public Key Cryptography.

[9]  Alptekin Küpçü,et al.  Incentivizing outsourced computation , 2008, NetEcon '08.

[10]  Rosario Gennaro,et al.  Publicly verifiable delegation of large polynomials and matrix computations, with applications , 2012, IACR Cryptol. ePrint Arch..

[11]  Dan Boneh,et al.  Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures , 2011, Public Key Cryptography.

[12]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[13]  Vinod Vaikuntanathan,et al.  How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption , 2012, IACR Cryptol. ePrint Arch..

[14]  Bogdan Warinschi,et al.  Efficient Network Coding Signatures in the Standard Model , 2012, Public Key Cryptography.

[15]  Payman Mohassel,et al.  Efficient and Secure Delegation of Linear Algebra , 2011, IACR Cryptol. ePrint Arch..

[16]  Fabian Monrose,et al.  Distributed Execution with Remote Audit , 1999, NDSS.

[17]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[18]  Allison Bishop,et al.  New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques , 2012, CRYPTO.

[19]  Dan Boneh,et al.  Homomorphic Signatures for Polynomial Functions , 2011, EUROCRYPT.

[20]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[21]  Ivan Damgård,et al.  Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free? , 1998, CRYPTO.

[22]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[23]  Elaine Shi,et al.  Signatures of Correct Computation , 2013, TCC.

[24]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[25]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[26]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, EUROCRYPT.

[27]  Joe Kilian,et al.  A note on efficient zero-knowledge proofs and arguments (extended abstract) , 1992, STOC '92.

[28]  László Babai,et al.  Trading group theory for randomness , 1985, STOC '85.

[29]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[30]  Silvio Micali,et al.  CS proofs , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[31]  Jonathan Katz,et al.  Signing a Linear Subspace: Signature Schemes for Network Coding , 2009, IACR Cryptol. ePrint Arch..

[32]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[33]  Aggelos Kiayias,et al.  Group Signatures: Provable Security, Efficient Constructions and Anonymity from Trapdoor-Holders , 2004, IACR Cryptol. ePrint Arch..

[34]  Yael Tauman Kalai,et al.  Improved Delegation of Computation using Fully Homomorphic Encryption , 2010, IACR Cryptol. ePrint Arch..

[35]  Dawn Xiaodong Song,et al.  Homomorphic Signature Schemes , 2002, CT-RSA.

[36]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[37]  Yuval Ishai,et al.  From Secrecy to Soundness: Efficient Verification via Secure Computation , 2010, ICALP.

[38]  Jonathan Katz,et al.  Secure Network Coding Over the Integers , 2010, IACR Cryptol. ePrint Arch..

[39]  Adi Shamir,et al.  On the generation of cryptographically strong pseudorandom sequences , 1981, TOCS.

[40]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[41]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[42]  Mihir Bellare,et al.  Fast Batch Verification for Modular Exponentiation and Digital Signatures , 1998, IACR Cryptol. ePrint Arch..

[43]  Silvio Micali,et al.  CS Proofs (Extended Abstracts) , 1994, FOCS 1994.

[44]  Rudolf Ahlswede,et al.  Network information flow , 2000, IEEE Trans. Inf. Theory.

[45]  Shuo-Yen Robert Li,et al.  Linear network coding , 2003, IEEE Trans. Inf. Theory.