Cryptography
https://csd.cs.cmu.edu/
https://csd.cs.cmu.edu/calendar/crypto-seminar-yi-tang
<span>Crypto Seminar - Yi Tang</span>
Blelloch-Skees Conference Room, Gates Hillman 8115 and Zoom
<span><time datetime="2024-09-19T16:30:00-04:00" title="Thursday, September 19, 2024 - 16:30">Thu, 09/19/2024 - 16:30</time>
</span>
In Person and Virtual - ET
Cryptanalysis of Lattice-Based Sequentiality Assumptions and Proofs of Sequential Work
YI TANG
<p><font>This work <strong>completely breaks </strong>the sequentiality assumption (and broad generalizations thereof) underlying the candidate lattice-based proof of sequential work (PoSW) recently proposed by Lai and Malavolta at CRYPTO 2023. In addition, it breaks an essentially identical variant of the PoSW, which differs from the original in only an arbitrary choice that is immaterial to the design and security proof (under the falsified assumption). This suggests that whatever security the original PoSW may have is fragile, and further motivates the search for a construction based on a sound lattice-based assumption. </font></p><p><font>Specifically, for sequentiality parameter T and SIS parameters n, q, m = n*log(q), the attack on the sequentiality assumption finds a solution of quasipolynomial norm m<sup>log T</sup> (or norm O(sqrt(m))<sup>log T</sup> with high probability) in only <em>logarithmic</em> Õ<sub>n,q</sub>(log T) depth; this strongly falsifies the assumption that finding such a solution requires depth <em>linear</em> in T. (The Õ notation hides polylogarithmic factors in the variables appearing in its subscript.) Alternatively, the attack finds a solution of polynomial norm m<sup>1/ε</sup> in depth Õ<sub>n,q</sub>(T<sup>ε</sup>), for any constant <em>ε > 0</em>. Similarly, the attack on the (slightly modified) PoSW constructs a valid proof in <em>polylogarithmic </em> Õ<sub>n,q</sub>(log<sup>2</sup> T) depth, thus strongly falsifying the expectation that doing so requires linear sequential work.</font></p><p><font><em>Joint work with Chris Peikert. </em><br><br><a href="https://eprint.iacr.org/2023/1880" target="_blank">Reference paper</a></font></p>
<time datetime="2024-09-19T20:30:00Z">September 19, 2024 4:30pm</time>
<time datetime="2024-09-19T21:30:00Z">September 19, 2024 5:30pm</time>
https://web.eecs.umich.edu/~yit/
Ph.D. Student, Electrical Engineering and Computer Science Department, University of Michigan
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/calendar/crypto-seminar-quang-dao
<span>Crypto Seminar - Quang Dao</span>
Blelloch Skees Conference Room, Gates Hillman 8115
<span><time datetime="2024-09-12T16:30:00-04:00" title="Thursday, September 12, 2024 - 16:30">Thu, 09/12/2024 - 16:30</time>
</span>
In Person and Virtual - ET
Non-Interactive Zero-Knowledge from LPN and MQ
QUANG DAO
<p><font>We give the first construction of non-interactive zero-knowledge (NIZK) arguments from post-quantum assumptions other than Learning with Errors. In particular, we achieve NIZK under the polynomial hardness of the Learning Parity with Noise (LPN) assumption, and the exponential hardness of solving random under-determined multivariate quadratic equations (MQ). We also construct NIZK satisfying statistical zero-knowledge assuming a new variant of LPN, Dense-Sparse LPN, introduced by Dao and Jain (CRYPTO 2024), together with exponentially-hard MQ. </font></p><p><font>The main technical ingredient of our construction is an extremely natural (but only in hindsight!) construction of correlation-intractable (CI) hash functions from MQ, for a NIZK-friendly subclass of constant-degree polynomials that we call concatenated constant-degree polynomials. Under exponential security, this hash function also satisfies the stronger notion of approximate CI for concatenated constant-degree polynomials. The NIZK construction then follows from a prior blueprint of Brakerski-Koppula-Mour (CRYPTO 2020). In addition, we show how to construct (approximate) CI hashing for degree-d functions from the (exponential) hardness of solving random degree-d equations, a natural generalization of MQ. To realize NIZK with statistical zero-knowledge, we design a lossy public-key encryption scheme with approximate linear decryption and inverse-polynomial decryption error from Dense-Sparse LPN. These constructions may be of independent interest.</font></p><p><em><font>This is joint work with Aayush Jain &amp; Zhengzhong Jin.</font></em><br><br><a href="https://eprint.iacr.org/2024/1254" target="_blank"><font>Reference Paper</font></a></p><p><em>In Person and </em><a href="https://cmu.zoom.us/j/92220963973?pwd=T8LUCjsRVAktOfA5bqjUDQqIHAt63a.1" target="_blank"><em>Zoom</em></a><em> Participation. See announcement.</em></p>
<time datetime="2024-09-12T20:30:00Z">September 12, 2024 4:30pm</time>
<time datetime="2024-09-12T21:30:00Z">September 12, 2024 5:30pm</time>
https://quangvdao.github.io/
Ph.D. Student, Computer Science Department, Carnegie Mellon University
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/people/doctoral-student/quang-dao" hreflang="en">Quang Dao</a>
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/calendar/cmu-workshop-on-cryptography
<span>CMU Workshop on Cryptography</span>
Reddy Conference Room, Gates Hillman 4405
<span><time datetime="2024-09-06T09:30:00-04:00" title="Friday, September 6, 2024 - 09:30">Fri, 09/06/2024 - 09:30</time>
</span>
In Person
<em>Made possible thanks to support from CYLAB and Stellar Foundation. </em>
<time datetime="2024-09-06T13:30:00Z">September 6, 2024 9:30am</time>
<time datetime="2024-09-06T21:00:00Z">September 6, 2024 5:00pm</time>
https://sites.google.com/andrew.cmu.edu/cmu-workshop-on-cryptography-s/home
<a href="mailto:aayushja@andrew.cmu.edu">aayushja@andrew.cmu.edu</a>
Conference/Workshop
<a href="https://csd.cs.cmu.edu/research/research-areas/security" hreflang="en">Security</a>
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/calendar/seminar-series-Crypto-2024-04-30
<span>Crypto Seminar</span>
Mehrabian Collaborative Innovation Center 2201 and Zoom
<span><time datetime="2024-04-30T15:30:00-04:00" title="Tuesday, April 30, 2024 - 15:30">Tue, 04/30/2024 - 15:30</time>
</span>
In Person and Virtual - ET (New Time)
Maliciously-secure PIR (almost) for free
MATAN SHTEPEL
<p><font>Private Information Retrieval (PIR) enables a client to retrieve a database element from a semi-honest server while hiding the element being queried from the server. Maliciously-secure PIR (mPIR) [Colombo et al., USENIX '23] strengthens the guarantees of plain (i.e., semi-honest) PIR by ensuring that even a misbehaving server:</font></p><ul><li><font>cannot compromise client privacy via selective-failure attacks, and </font></li><li><font>must answer every query </font><em><font>consistently</font></em><font> (i.e., with respect to the same database). </font></li></ul><p><font>These additional security properties are crucial for many real-world applications. </font><br><br><font>In this work we present a generic compiler that transforms any PIR scheme into an mPIR scheme in a black-box manner, with minimal overhead, and without requiring additional cryptographic assumptions. Since mPIR trivially implies PIR, our compiler establishes the equivalence of mPIR and PIR. By instantiating our compiler with existing PIR schemes, we immediately obtain mPIR schemes with </font><em><font>O(N<sup>ε</sup>)</font></em><font> communication cost. In fact, by applying our compiler to a recent doubly-efficient PIR [Lin et al., STOC '23], we are able to construct a </font><em><font>doubly-efficient</font></em><font> mPIR scheme that requires only </font><em><font>polylog(N)</font></em><font> communication and server and client computation. In comparison, all prior work incurs an </font><em><font>Ω(√N)</font></em><font> cost in these metrics.</font><br><br><font>Our compiler makes use of smooth locally-decodable codes (LDCs) that have a robust decoding procedure. We term these codes "subcode"-LDCs, because they are LDCs where the query responses are from an error-correcting code. This property is shared by Reed-Muller codes (whose query responses are Reed-Solomon codewords) and more generally lifted codes.</font><br><br><font>Applying our compiler requires us to consider decoding in the face of </font><em><font>non-signaling adversaries</font></em><font>, for reasons analogous to the need for non-signaling PCPs in the succinct-argument literature. We show how to construct such decoders for Reed–Muller codes, and more generally for smooth locally-decodable codes that have a robust decoding procedure.</font></p><p><em><font>In Person and </font></em><a href="https://cmu.zoom.us/j/91014771260?pwd=Q3VtQ0QwNk5aYi8rUTVyWWo5WGk1dz09" target="_blank"><em><font>Zoom</font></em></a><em><font> Participation. See announcement.</font></em></p>
<time datetime="2024-04-30T19:30:00Z">April 30, 2024 3:30pm</time>
<time datetime="2024-04-30T20:30:00Z">April 30, 2024 4:30pm</time>
https://matanshtepel.com/
Research Assistant, Security and Privacy Laboratory, Department of Computer and Information Science, University of Pennsylvania
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/news/searching-for-the-limits-of-local-error-correction
<span>Searching for the Limits of Local Error Correction</span>
<img src="https://csd.cs.cmu.edu/sites/default/files/2024-04/cd_stock-web.jpg" width="900" height="596" alt="SCS researchers have developed ways to improve error-correction algorithms by breaking apart the math behind them. " loading="lazy">
<span><time datetime="2024-04-30T09:28:57-04:00" title="Tuesday, April 30, 2024 - 09:28">Tue, 04/30/2024 - 09:28</time>
</span>
<p><span>Information can be finicky, especially if it has to travel. Whether you're making a phone call over a wireless network, playing music from a CD, or saving a document to a hard drive, when you transform or transmit information from one location to another, it has to go through many channels. </span></p>
<p><span>For a wireless call, for example, an information signal in the form of bits — some sequence of zeroes and ones that records everything you say and correlates it with natural language — bounces around your walls and hopefully ends up at your router. Naturally, throughout its journey, it can incur some errors or corruptions from electronic noise or other environmental disturbances. Some zeroes in the sequence could show up as ones, and the original message could become garbled. </span></p>
<p><span>Because errors are fairly unavoidable in computing and communications, scientists have long studied strategies to detect and correct them. At Carnegie Mellon University, <a href="https://csd.cmu.edu/people/faculty/pravesh-kothari" rel="noopener" target="_blank">Pravesh Kothari</a>, formerly an assistant professor in the School of Computer Science and now an assistant professor at Princeton University and adjunct faculty at CMU, worked with <a href="https://csd.cmu.edu/people/doctoral-student/peter-manohar" rel="noopener" target="_blank">Peter Manohar,</a> a Ph.D. student in CMU's <a href="https://csd.cmu.edu/" rel="noopener" target="_blank">Computer Science Department</a>, to develop ways to improve these error-correction algorithms by breaking apart the math behind them. Their most recent paper, "<a href="https://arxiv.org/abs/2311.00558" rel="noopener" target="_blank">An Exponential Lower Bound for Linear 3-Query Locally Correctable Codes</a>," adds to a growing body of mathematical proofs aimed at fine-tuning error-correction algorithms. Their work could also be used in <a href="https://csd.cmu.edu/research/research-areas/cryptography" rel="noopener" target="_blank">cryptography</a>, which allows individuals to securely share private information. </span></p>
<p><span>Research into error-correcting code stretches back decades. In 1948, MIT professor Claude Shannon came up with a simple trick to reliably communicate through unreliable channels, which improved information transmission rates. The trick? Adding redundancy to the information. In other words, send a bit sequence with cleverly chosen additions so the original message can be pieced together even if corruption occurs.</span></p>
<p><span>Error correction takes different forms for different applications. And while these algorithms may vary, the underlying principle is the same. Computation happens on an encoded input — some redundant version of the actual input — to allow for error correction. CD-ROMs contain error-correcting codes, which is why discs can only hold around 700 megabytes of data even though their true capacity is 1,000 megabytes. This discrepancy allows the code to account for excess, redundant information that will allow the CD to play even if scratches on the surface destroy some bits. </span></p>
<p><span>The most basic version of error correction is to send each bit multiple times. Let's say you wanted to send 011. You would change the sequence to 000111111 so each block of three bits in this input encodes a single bit that you intended to send. If an error crept into one of the blocks and the message you received is 010111111, you would look at what the majority of the bits in each block say, and use that to suss out the error.</span></p>
<p><span>But this is an inefficient scheme, because to correct even a single error you have to blow up the size of the sequence you're sending by three times. Computer scientists — including Kothari and Manohar — have sought ways to make this process more efficient. The challenge is devising a code with the highest level of accuracy and the lowest amount of added redundancy. That boils down to a math problem. </span></p>
<p><span>Shannon's original proposal in 1948 suggested that to have a fixed error-correction rate — correcting 1% of errors, for example — the size of the message bits needed to increase by a small multiplicative factor. So the size of the message plus the redundancy scales linearly as message size increases. But to put this idea into an error-correcting code, you need two pieces: an encoding algorithm and a decoding algorithm. The first takes some amount of message bits and stretches them by adding some redundancy. When a message word is run through the encoder, it turns into a code word, which is slightly longer than the message word because it captures some of the redundancy. After the message arrives at its destination, the decoding algorithm takes the possibly corrupted code words and turns them back into the message bits that were originally sent. Reed-Solomon codes, which are used on CDs, apply this basic structure using an algebraic function with some polynomials. </span></p>
<p><span>A local decoding algorithm — the type of decoding algorithm Manohar and Kothari focused on in their work — has a special property that allows it to query or examine random bits in the corrupted code word to retrieve the original message bit they code for. In a 3-query locally decodable algorithm, you would examine three random bits in the code word.</span></p>
<p><span>"We're not always going to recover the first bit correctly, because you could look at a triple that is corrupted," Manohar said. "But there's some good chance, like a two-thirds chance, that we get it right." </span></p>
<p><span>Locally correctable algorithms derive from a similar setup as locally decodable algorithms. They are noted to be stronger than local decoding algorithms because they have to recover a larger chunk of information. </span></p>
<p><span>"In local decoding I only want to reliably compute any given bit of the message," Kothari said. "But in local correction, I want to reliably compute any given bit of the code word." </span></p>
<p><span>Here's where the math gets interesting. A scheme called the Hadamard code can be used for both local decoding and local correction. It only needs two queries to locally correct, but it exponentially stretches the message bits. Researchers in <a href="https://dl.acm.org/doi/10.1145/1250790.1250830" rel="noopener" target="_blank">2007</a> and <a href="https://dl.acm.org/doi/abs/10.1145/1536414.1536422" rel="noopener" target="_blank">2009</a> worked out a way to build a 3-query code of subexponential length — a vastly more efficient encoding than the Hadamard code. </span></p>
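The Hadamard code from the paragraph above, as an added example that is not from the article or the researchers it describes: a message of k bits is stretched to all 2^k parities &lt;x, a&gt;, and linearity gives both a 2-query local decoder (message bit i) and a 2-query local corrector (any codeword bit). The corruption is constructed inline, and the success rate is computed exactly over every random choice so it can be checked against the 1 - 2δ union bound.

```python
"""Hadamard code: 2-query local decoding vs. 2-query local correction.

Added illustration (not the article's or the paper's code). The corrupted
word is constructed here with a seeded RNG so the run is reproducible.
"""
import random
from typing import Callable, List, Sequence


def hadamard_encode(msg: Sequence[int]) -> List[int]:
    """Encode k message bits into 2^k codeword bits.

    Codeword position a (read as a k-bit mask) holds the parity <msg, a>
    of the message bits selected by a. The length is 2^k: the exponential
    stretch the article mentions (k = 8 gives 256 bits, against 24 for
    the three-fold repetition code).
    """
    k = len(msg)
    code = []
    for a in range(1 << k):
        parity = 0
        for i in range(k):
            if (a >> i) & 1:
                parity ^= msg[i]
        code.append(parity)
    return code


def corrupt(code: Sequence[int], delta: float, rng: random.Random) -> List[int]:
    """Flip a delta fraction of positions, chosen uniformly (constructed noise)."""
    word = list(code)
    for pos in rng.sample(range(len(word)), int(delta * len(word))):
        word[pos] ^= 1
    return word


def local_decode_bit(word: Sequence[int], k: int, i: int, r: int) -> int:
    """Local decoding of message bit i with two queries at r and r xor e_i.

    By linearity C(r) xor C(r xor e_i) = <x, r> xor <x, r xor e_i> = x_i.
    For uniform r each queried position is corrupted with prob <= delta.
    """
    assert 0 <= i < k
    return word[r] ^ word[r ^ (1 << i)]


def local_correct_bit(word: Sequence[int], k: int, a: int, r: int) -> int:
    """Local correction of codeword bit a: C(r) xor C(r xor a) = <x, a>.

    Same two-query pattern, but the target is any of the 2^k codeword bits,
    which is the stronger requirement the article contrasts with decoding.
    """
    assert 0 <= a < (1 << k)
    return word[r] ^ word[r ^ a]


def exact_success_rate(word: Sequence[int], k: int, target: int, truth: int,
                       procedure: Callable[[Sequence[int], int, int, int], int]) -> float:
    """Fraction of the 2^k random choices r for which the procedure is right.

    Enumerating every r gives the exact probability, with no sampling noise.
    A wrong answer needs exactly one of the two queried positions to be
    corrupted, so the rate is at least 1 - 2 * (#flipped) / 2^k.
    """
    n = 1 << k
    hits = sum(1 for r in range(n) if procedure(word, k, target, r) == truth)
    return hits / n


def run_experiment(k: int, delta: float, seed: int) -> dict:
    """Encode a random k-bit message, corrupt a delta fraction of the
    codeword, and report the worst target's exact success rate for both
    local procedures next to the union bound they must satisfy.
    """
    rng = random.Random(seed)
    msg = [rng.randrange(2) for _ in range(k)]
    code = hadamard_encode(msg)
    word = corrupt(code, delta, rng)
    flipped = sum(c != w for c, w in zip(code, word))
    n = 1 << k
    return {
        "n": n,
        "flipped": flipped,
        "union_bound": 1 - 2 * flipped / n,
        "min_decode_rate": min(
            exact_success_rate(word, k, i, msg[i], local_decode_bit) for i in range(k)),
        "min_correct_rate": min(
            exact_success_rate(word, k, a, code[a], local_correct_bit) for a in range(n)),
    }


if __name__ == "__main__":
    for key, value in run_experiment(k=8, delta=0.1, seed=1).items():
        print(f"{key:>17}: {value}")
```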
<p><span>"By making the decoder only a tiny bit more complex, it's making our codes quite a bit more efficient," Kothari said. </span></p>
<p><span>But the efficiencies discovered by altering the Hadamard code only translate to 3-query decodable algorithms, not 3-query correctable algorithms. There are no space-saving efficiencies known for the 3-query correctable algorithms. </span></p>
<p><span>The new paper that Kothari and Manohar penned mathematically proves that such an improvement is in fact impossible. </span></p>
<p><span>"For the first time, we have a provable gap between local decodability and local correctability," Kothari said. "We have a confirmation, a mathematical proof that local correction is indeed a stronger requirement than local decodability. And we have a concrete bound that suggests that the Reed-Muller codes, which are closely related to the Reed-Solomon codes, are the best."</span></p>
<p><span>The specific functions that Kothari and Manohar studied are mostly used directly in complexity theory, which calculates limits on the speed of computations. Indirectly, the principles behind 3-query locally decodable and correctable algorithms can be applied to a variety of cryptographic problems such as private information retrieval, which allows the user to download information from a database without the owner of the database knowing what they're looking at; and secret sharing, distributing sensitive, high-stakes information piecemeal across multiple individuals. </span></p>
<p>Manohar and Kothari will present their work at the <a href="http://acm-stoc.org/" rel="noopener" target="_blank">Association for Computing Machinery's Symposium on Theory of Computing</a> this June in Vancouver.</p>
Aaron Aupperlee | 412-268-9068 | aaupperlee@cmu.edu
The Key to Better Algorithms Is Making the Math Work
Charlotte Hu
<a href="https://csd.cs.cmu.edu/research/research-areas/security" hreflang="en">Security</a>
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/calendar/seminar-series-BLOCKCHAIN-2024-04-29
<span>CyLab Blockchain Distinguished Seminar</span>
Simmons Auditorium A, Tepper Building and YouTube
<span><time datetime="2024-04-29T12:00:00-04:00" title="Monday, April 29, 2024 - 12:00">Mon, 04/29/2024 - 12:00</time>
</span>
In Person and Virtual - ET
Recent Developments in Succinct Proof Systems and Their Applications
DAN BONEH
<p>In recent years succinct zero-knowledge proof systems have become a very active area of research with many commercial applications. In this talk we will discuss a number of recent advances in the space, as well as an important application that is outside of the realm of decentralized systems. </p><p>— </p><p>Dr. <a href="https://profiles.stanford.edu/dan-boneh" target="_blank">Dan Boneh</a> is a Professor of Computer Science at Stanford University where he heads the applied cryptography group and co-directs the computer security lab. Dr. Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, cryptography for blockchains, web security, and cryptanalysis. He is the author of over 200 publications in the field and is a recipient of the 2014 ACM Prize and the 2013 Gödel Prize, and is a member of the National Academy of Engineering. </p><p><strong>Faculty Host:</strong> Elaine Shi</p><p><em>In Person and Livestream Participation. See announcement.</em></p>
<time datetime="2024-04-29T16:00:00Z">April 29, 2024 12:00pm</time>
<time datetime="2024-04-29T17:00:00Z">April 29, 2024 1:00pm</time>
https://profiles.stanford.edu/dan-boneh
Professor, Computer Science Department, Stanford University
https://www.cylab.cmu.edu/events/2024/04/29-seminar-boneh.html
<a href="mailto:bethbuch@andrew.cmu.edu">bethbuch@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/calendar/seminar-series-Crypto-2024-04-18
<span>Crypto Seminar</span>
Gates Hillman 8102 and Zoom
<span><time datetime="2024-04-18T16:30:00-04:00" title="Thursday, April 18, 2024 - 16:30">Thu, 04/18/2024 - 16:30</time>
</span>
In Person and Virtual - ET
Hard Languages in NP ∩ coNP and NIZK Proofs from Unstructured Hardness
PAUL S. LOU
The existence of "unstructured'' hard languages in <em><em>NP</em> ∩ <em>coNP</em></em> is an intriguing open question. Bennett and Gill (<em>SICOMP, 1981</em>) asked whether <em><em>P</em></em> is separated from <em><em>NP</em> ∩ <em>coNP</em></em> relative to a random oracle, a question that remained open ever since. While a hard language in <em><em>NP</em> ∩ <em>coNP</em></em> can be constructed in a black-box way from a <em>one-way permutation</em>, for which only few (structured) candidates exist, Bitansky et al. (<em>SICOMP, 2021</em>) ruled out such a construction based on an <em>injective one-way function</em>, an unstructured primitive that is easy to instantiate heuristically. In fact, the latter holds even with a black-box use of indistinguishability obfuscation.
<font>We give the first evidence for the existence of unstructured hard languages in <em><em>NP</em> ∩ <em>coNP</em></em> by showing that if <em><em>UP</em> ⊈ <em>RP</em></em>, which follows from the existence of injective one-way functions, the answer to Bennett and Gill's question is affirmative: with probability 1 over a random oracle <em>ℴ</em>, we have that <em><em>P</em><sup>ℴ</sup> ≠ <em>NP</em><sup>ℴ</sup> ∩ <em>coNP</em><sup>ℴ</sup></em>. Our proof gives a constructive <em>non-black-box</em> approach for obtaining candidate hard languages in <em><em>NP</em> ∩ <em>coNP</em></em> from cryptographic hash functions.</font><br><br><font>The above conditional separation builds on a new construction of <em>non-interactive zero-knowledge</em> (NIZK) proofs, with a computationally unbounded prover, to convert a hard promise problem into a hard language. We obtain such NIZK proofs for <em><em>NP</em></em>, with a <em>uniformly random</em> reference string, from a special kind of hash function which is implied by (an unstructured) random oracle. This should be contrasted with previous constructions of such NIZK proofs that are based on one-way permutations or other <em>structured</em> primitives, as well as with (computationally sound) NIZK <em>arguments</em> in the random oracle model.</font><br><br><em><font>This is joint work with Riddhi Ghosal, Yuval Ishai, Alexis Korb, Eyal Kushilevitz, and Amit Sahai.</font></em><br><br><em>In Person and <a href="https://cmu.zoom.us/j/91014771260?pwd=Q3VtQ0QwNk5aYi8rUTVyWWo5WGk1dz09" target="_blank">Zoom</a> Participation. See announcement.</em>
<time datetime="2024-04-18T20:30:00Z">April 18, 2024 4:30pm</time>
<time datetime="2024-04-18T21:30:00Z">April 18, 2024 5:30pm</time>
https://paullou.me/
Ph.D. Student, Computer Science Department, University of California Los Angeles
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
https://csd.cs.cmu.edu/calendar/seminar-series-Crypto-2024-04-15
<span>Crypto Seminar</span>
Mehrabian Collaborative Innovation Center 2201
<span><time datetime="2024-04-15T16:30:00-04:00" title="Monday, April 15, 2024 - 16:30">Mon, 04/15/2024 - 16:30</time>
</span>
In Person and Virtual - ET
Adaptively Secure BLS Threshold Signatures from DDH and co-CDH
SOURAV DAS
<p><font>Threshold signature is one of the most important cryptographic primitives in distributed systems. A popular choice of threshold signature scheme is the BLS threshold signature introduced by Boldyreva (PKC'03). Some attractive properties of Boldyreva's threshold signature are that the signatures are unique and short, the signing process is non-interactive, and the verification process is identical to that of non-threshold BLS. These properties have resulted in its practical adoption in several decentralized systems. However, despite its popularity and wide adoption, up until recently, the Boldyreva scheme has been proven secure only against a static adversary. Very recently, Bacho and Loss (CCS'22) presented the first proof of adaptive security for Boldyreva's threshold signature, but they have to rely on strong and non-standard assumptions such as the hardness of one-more discrete log (OMDL) and the Algebraic Group Model (AGM).</font></p><p><font>In this paper, we present the first adaptively secure threshold BLS signature scheme that relies on the hardness of DDH and co-CDH in asymmetric pairing groups in the Random Oracle Model (ROM). Our signature scheme also has non-interactive signing, compatibility with non-threshold BLS verification, and practical efficiency like Boldyreva's scheme. Moreover, to achieve static security, our scheme only needs the hardness of CDH in the ROM, which is the same as the standard non-threshold BLS signature. These properties make our protocol a suitable candidate for practical adoption with the added benefit of provable adaptive security. We also present an efficient distributed key generation (DKG) protocol to set up the signing keys for our signature scheme. We implement our scheme in Go and evaluate its signing and aggregation costs.</font></p><p><em><font>In Person and </font></em><a href="https://cmu.zoom.us/j/91014771260?pwd=Q3VtQ0QwNk5aYi8rUTVyWWo5WGk1dz09" target="_blank"><em><font>Zoom</font></em></a><em><font> Participation. See announcement.</font></em></p>
<time datetime="2024-04-15T20:30:00Z">April 15, 2024 4:30pm</time>
<time datetime="2024-04-15T21:30:00Z">April 15, 2024 5:30pm</time>
https://sourav1547.github.io/
Ph.D. Student in Computer Science, The Grainger College of Engineering, University of Illinois Urbana-Champaign
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
Mehrabian Collaborative Innovation Center 2201
Mon, 15 Apr 2024 20:30:00 +0000
https://csd.cs.cmu.edu/calendar/conference-CRYPTO-2024-04-11
<span>Crypto Seminar</span>
Gates Hillman 8102 and Zoom
<span><span>Anonymous (not verified)</span></span>
<span><time datetime="2024-04-11T16:30:00-04:00" title="Thursday, April 11, 2024 - 16:30">Thu, 04/11/2024 - 16:30</time>
</span>
In Person and Virtual - ET
Commitments from Quantum One-Wayness
KABIR TOMER
<p><font>One-way functions are central to classical cryptography. They are necessary for the existence of non-trivial classical cryptosystems, and also sufficient to realize meaningful primitives including commitments, pseudorandom generators and digital signatures. At the same time, a mounting body of evidence suggests that assumptions even weaker than one-way functions may suffice for many cryptographic tasks of interest in a quantum world, including bit commitments and secure multi-party computation.</font></p><p><font>This work studies one-way state generators [<em>Morimae-Yamakawa, CRYPTO 2022</em>], a natural quantum relaxation of one-way functions. Given a secret key, a one-way state generator outputs a hard-to-invert quantum state. A fundamental question is whether this type of quantum one-wayness suffices to realize quantum cryptography. We obtain an affirmative answer to this question, by proving that one-way state generators with pure state outputs imply quantum bit commitments and secure multiparty computation.</font></p><p><font>Along the way, we use efficient shadow tomography [<em>Huang et al., Nature Physics 2020</em>] to build an intermediate primitive with classical outputs, which we call a (quantum) one-way puzzle. Our main technical contribution is a proof that one-way puzzles imply quantum bit commitments. This proof develops new techniques for pseudoentropy generation [<em>Håstad et al., SICOMP 1999</em>] from arbitrary distributions, which may be of independent interest.</font></p><p><em>In Person and <a href="https://cmu.zoom.us/j/91014771260?pwd=Q3VtQ0QwNk5aYi8rUTVyWWo5WGk1dz09" target="_blank">Zoom</a> Participation. See announcement.</em></p>
<time datetime="2024-04-11T20:30:00Z">April 11, 2024 4:30pm</time>
<time datetime="2024-04-11T21:30:00Z">April 11, 2024 5:30pm</time>
https://dblp.org/pid/247/9433.html
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
Gates Hillman 8102 and Zoom
Thu, 11 Apr 2024 20:30:00 +0000
https://csd.cs.cmu.edu/calendar/conference-CRYPTO-2024-04-05
<span>Crypto Seminar</span>
Gates Hillman 7501 and Zoom
<span><span>Anonymous (not verified)</span></span>
<span><time datetime="2024-04-05T16:30:00-04:00" title="Friday, April 5, 2024 - 16:30">Fri, 04/05/2024 - 16:30</time>
</span>
In Person and Virtual - ET
Accountability for Misbehavior in Threshold Decryption via Threshold Traitor Tracing
ADITI PARTAP
<p><font>A <em>t</em>-out-of-<em>n</em> threshold decryption system assigns key shares to <em>n</em> parties so that any <em>t</em> of them can decrypt a well-formed ciphertext. Existing threshold decryption systems are <em>not secure</em> when these parties are rational actors: an adversary can offer to pay the parties for their key shares. The problem is that a quorum of <em>t</em> parties, working together, can sell the adversary a decryption key that reveals nothing about the identity of the traitor parties. This provides a risk-free profit for the parties since there is no accountability for their misbehavior — the information they sell to the adversary reveals nothing about their identity. This behavior can result in a complete break in many applications of threshold decryption, such as encrypted mempools, private voting, and sealed-bid auctions.</font></p><p><font>In this work we propose a solution to this problem. Suppose a quorum of <em>t</em> or more parties construct a decoder algorithm <em>D(⋅)</em> that takes as input a ciphertext and outputs the corresponding plaintext or <em>⊥</em>. They sell <em>D</em> to the adversary. Our threshold decryption systems are equipped with a tracing algorithm that can trace <em>D</em> to members of the quorum that created it. The tracing algorithm is only given black-box access to <em>D</em> and will identify some members of the misbehaving quorum. The parties can then be held accountable, which may discourage them from selling the decoder <em>D</em> in the first place.</font></p>
<p>Our starting point is standard (non-threshold) traitor tracing, where each of the <em>n</em> parties holds a secret key. Every party can decrypt a well-formed ciphertext on its own. However, if a subset of parties <em>𝒥 ⊆ [n]</em> collude to create a pirate decoder <em>D(⋅)</em> that can decrypt well-formed ciphertexts, then it is possible to trace <em>D</em> to at least one member of <em>𝒥</em> using only black-box access to the decoder <em>D</em>.</p><p><font>In this work we develop the theory of traitor tracing for threshold decryption, where now only a subset <em>𝒥 ⊆ [n]</em> of <em>t</em> or more parties can collude to create a pirate decoder <em>D(⋅)</em>. This problem has recently become quite important due to the real-world deployment of threshold decryption in encrypted mempools, as we explain in the paper. While there are several non-threshold traitor tracing schemes that we can leverage, adapting these constructions to the threshold decryption setting requires new cryptographic techniques. We present a number of constructions for traitor tracing for threshold decryption, and note that much work remains to explore the large design space.</font></p><p><em>In Person and <a href="https://cmu.zoom.us/j/91014771260?pwd=Q3VtQ0QwNk5aYi8rUTVyWWo5WGk1dz09" target="_blank">Zoom</a> Participation. See announcement.</em></p>
<time datetime="2024-04-05T20:30:00Z">April 5, 2024 4:30pm</time>
<time datetime="2024-04-05T21:30:00Z">April 5, 2024 5:30pm</time>
https://aditi741997.github.io/
Ph.D. Student, Computer Science Department, Stanford University
https://sites.google.com/view/crypto-seminar/home
<a href="mailto:qvd@andrew.cmu.edu">qvd@andrew.cmu.edu</a>
Seminar Series
<a href="https://csd.cs.cmu.edu/research/research-areas/cryptography" hreflang="en">Cryptography</a>
Gates Hillman 7501 and Zoom
Fri, 05 Apr 2024 20:30:00 +0000