论文信息 - Instantiating Random Oracles via UCEs

Instantiating Random Oracles via UCEs

This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hardcore functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.

[1] Mihir Bellare,et al. Cryptography from Compression Functions: The UCE Bridge to the ROM , 2014, CRYPTO.

[2] Manuel Blum,et al. How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[3] Mihir Bellare,et al. Foundations of garbled circuits , 2012, CCS.

[4] Gil Segev,et al. Deterministic Public-Key Encryption for Adaptively Chosen Plaintext Distributions , 2013, EUROCRYPT.

[5] Goichiro Hanaoka,et al. Chosen Ciphertext Security via Point Obfuscation , 2014, TCC.

[6] Eike Kiltz,et al. On the Security of Padding-Based Encryption Schemes - or - Why We Cannot Prove OAEP Secure in the Standard Model , 2009, EUROCRYPT.

[7] Pooya Farshim,et al. Indistinguishability Obfuscation and UCEs: The Case of Computationally Unpredictable Sources , 2014, IACR Cryptol. ePrint Arch..

[8] Martín Abadi,et al. Message-Locked Encryption for Lock-Dependent Messages , 2013, IACR Cryptol. ePrint Arch..

[9] Ramakrishna Kotla,et al. SafeStore: A Durable and Practical Storage System , 2007, USENIX Annual Technical Conference.

[10] Rafail Ostrovsky,et al. Circular-Secure Encryption from Decision Diffie-Hellman , 2008, CRYPTO.

[11] Mihir Bellare,et al. The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[12] Matthew K. Franklin,et al. Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[13] Mihir Bellare,et al. Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[14] Ari Juels,et al. Pors: proofs of retrievability for large files , 2007, CCS '07.

[15] Brent Waters,et al. Encoding Functions with Constant Online Rate or How to Compress Garbled Circuits Keys , 2013, CRYPTO.

[16] Serge Fehr,et al. On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles , 2008, CRYPTO.

[17] Yael Tauman Kalai,et al. On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[18] Mihir Bellare,et al. Deterministic and Efficiently Searchable Encryption , 2007, CRYPTO.

[19] Adam O'Neill,et al. Correlated-Input Secure Hash Functions , 2011, TCC.

[20] Brent Waters,et al. Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys , 2005, CRYPTO.

[21] Eike Kiltz,et al. Programmable Hash Functions and Their Applications , 2008, Journal of Cryptology.

[22] Pooya Farshim,et al. Random-Oracle Uninstantiability from Indistinguishability Obfuscation , 2015, TCC.

[23] Adam O'Neill,et al. Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles , 2008, CRYPTO.

[24] Arno Mittelbach,et al. Using Indistinguishability Obfuscation via UCEs , 2014, IACR Cryptol. ePrint Arch..

[25] Alexander W. Dent,et al. Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model , 2002, ASIACRYPT.

[26] Ran Canetti,et al. Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups , 2013, IACR Cryptol. ePrint Arch..

[27] Benny Applebaum,et al. Key-Dependent Message Security: Generic Amplification and Completeness , 2011, Journal of Cryptology.

[28] Yevgeniy Dodis,et al. On the Generic Insecurity of the Full Domain Hash , 2005, CRYPTO.

[29] Marc Fischlin,et al. A Note on Security Proofs in the Generic Model , 2000, ASIACRYPT.

[30] Ran Canetti,et al. The random oracle methodology, revisited , 2000, JACM.

[31] Rafail Ostrovsky,et al. Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[32] Ran Canetti,et al. Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information , 1997, CRYPTO.

[33] Jean-Sébastien Coron,et al. Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[34] Mihir Bellare,et al. A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications , 2003, EUROCRYPT.

[35] Eike Kiltz,et al. Instantiability of RSA-OAEP under Chosen-Plaintext Attack , 2010, CRYPTO.

[36] Hugo Krawczyk,et al. Computational Extractors and Pseudorandomness , 2011, IACR Cryptol. ePrint Arch..

[37] Yuval Ishai,et al. Semantic Security under Related-Key Attacks and Applications , 2011, ICS.

[38] Vinod Vaikuntanathan,et al. Simultaneous Hardcore Bits and Cryptography against Memory Attacks , 2009, TCC.

[39] Arno Mittelbach,et al. Indistinguishability Obfuscation versus Multi-bit Point Obfuscation with Auxiliary Input , 2014, ASIACRYPT.

[40] Nir Bitansky,et al. Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall , 2013, IACR Cryptol. ePrint Arch..

[41] Silvio Micali,et al. How to construct random functions , 1986, JACM.

[42] Mihir Bellare,et al. Adaptively Secure Garbling with Applications to One-Time Programs and Secure Outsourcing , 2012, ASIACRYPT.

[43] Ran Canetti,et al. On the Random-Oracle Methodology as Applied to Length-Restricted Signature Schemes , 2004, TCC.

[44] Chi-Jen Lu,et al. Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility , 2007, EUROCRYPT.

[45] Moti Yung,et al. Efficient Circuit-Size Independent Public Key Encryption with KDM Security , 2011, EUROCRYPT.

[46] Andrew Chi-Chih Yao,et al. Theory and Applications of Trapdoor Functions (Extended Abstract) , 1982, FOCS.

[47] Yuval Ishai,et al. Bounded Key-Dependent Message Security , 2010, IACR Cryptol. ePrint Arch..

[48] Mihir Bellare,et al. Hash Function Balance and Its Impact on Birthday Attacks , 2004, EUROCRYPT.

[49] Marvin Theimer,et al. Reclaiming space from duplicate files in a serverless distributed file system , 2002, Proceedings 22nd International Conference on Distributed Computing Systems.

[50] Hugo Krawczyk,et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[51] Yael Tauman Kalai,et al. On Symmetric Encryption and Point Obfuscation , 2010, TCC.

[52] Yael Tauman Kalai,et al. One-Time Programs , 2008, CRYPTO.

[53] Nir Bitansky,et al. Point Obfuscation and 3-Round Zero-Knowledge , 2012, TCC.

[54] Vinod Vaikuntanathan,et al. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages , 2011, CRYPTO.

[55] Mihir Bellare,et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[56] Guy N. Rothblum,et al. Obfuscating Conjunctions , 2015, Journal of Cryptology.

[57] Yuval Ishai,et al. Founding Cryptography on Tamper-Proof Hardware Tokens , 2010, IACR Cryptol. ePrint Arch..

[58] Silvio Micali,et al. Computationally Private Information Retrieval with Polylogarithmic Communication , 1999, EUROCRYPT.

[59] Mihir Bellare,et al. Resisting Randomness Subversion: Fast Deterministic and Hedged Public-Key Encryption in the Standard Model , 2015, EUROCRYPT.

[60] Dan Boneh,et al. Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[61] Marc Fischlin,et al. Analysis of Random Oracle Instantiation Scenarios for OAEP and Other Practical Schemes , 2005, CRYPTO.

[62] Mihir Bellare,et al. An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem , 2004, EUROCRYPT.

[63] John Black,et al. Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.

[64] Ueli Maurer,et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[65] David Pointcheval,et al. HMAC is a randomness extractor and applications to TLS , 2008, ASIACCS '08.

[66] Jean-Sébastien Coron,et al. On the Exact Security of Full Domain Hash , 2000, CRYPTO.

[67] Michael Luby,et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[68] Brent Waters,et al. Full Domain Hash from (Leveled) Multilinear Maps and Identity-Based Aggregate Signatures , 2013, CRYPTO.

[69] Ran Canetti,et al. Perfectly one-way probabilistic hash functions (preliminary version) , 1998, STOC '98.

[70] Hovav Shacham,et al. Short Group Signatures , 2004, CRYPTO.

[71] Dan Boneh,et al. Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[72] Noam Nisan,et al. Randomness is Linear in Space , 1996, J. Comput. Syst. Sci..

[73] Oded Goldreich,et al. Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity , 1988, SIAM J. Comput..

[74] Dennis Hofheinz,et al. Possibility and Impossibility Results for Selective Decommitments , 2011, Journal of Cryptology.

[75] Andrew Chi-Chih Yao,et al. Protocols for Secure Computations (Extended Abstract) , 1982, FOCS.

[76] Leonid A. Levin,et al. A hard-core predicate for all one-way functions , 1989, STOC '89.

[77] Silvio Micali,et al. Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[78] Ran Canetti,et al. Extractable Perfectly One-Way Functions , 2008, ICALP.

[79] Andrew Chi-Chih Yao,et al. Protocols for secure computations , 1982, FOCS 1982.

[80] Hovav Shacham,et al. Careful with Composition: Limitations of the Indifferentiability Framework , 2011, EUROCRYPT.

[81] Zvika Brakerski,et al. Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting , 2011, Journal of Cryptology.

[82] Hovav Shacham,et al. Compact Proofs of Retrievability , 2008, Journal of Cryptology.

[83] Johan Håstad,et al. The security of individual RSA bits , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[84] Jesper Buus Nielsen,et al. Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case , 2002, CRYPTO.

[85] Mihir Bellare,et al. Message-Locked Encryption and Secure Deduplication , 2013, EUROCRYPT.

[86] Amit Sahai,et al. Positive Results and Techniques for Obfuscation , 2004, EUROCRYPT.

[87] Shai Halevi,et al. Secure Hash-and-Sign Signatures Without the Random Oracle , 1999, EUROCRYPT.

[88] Nir Bitansky,et al. On the existence of extractable one-way functions , 2014, SIAM J. Comput..

[89] Rafael Pass,et al. Limits of provable security from standard assumptions , 2011, STOC '11.

[90] Saqib A. Kakvi,et al. Optimal security proofs for full domain hash, revisited , 2012 .

[91] Craig Gentry,et al. Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[92] David Cash,et al. Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[93] John P. Steinberger,et al. To Hash or Not to Hash Again? (In)differentiability Results for H2 and HMAC , 2012, IACR Cryptol. ePrint Arch..

[94] Reza Curtmola,et al. Provable data possession at untrusted stores , 2007, CCS '07.

[95] David Cash,et al. Cryptographic Agility and Its Relation to Circular Encryption , 2010, EUROCRYPT.