Olivier Blazy - Academia.edu

Papers by Olivier Blazy

Post-Quantum Oblivious Transfer from Smooth Projective Hash Functions with Grey Zone

arXiv (Cornell University), Sep 9, 2022

Oblivious Transfer (OT) is a major primitive for secure multiparty computation. Indeed, combined with symmetric primitives along with garbled circuits, it allows any secure function evaluation between two parties. In this paper, we propose a new approach to build OT protocols. Interestingly, our new paradigm features a security analysis in the Universal Composability (UC) framework and may be instantiated from post-quantum primitives. In order to do so, we define a new primitive named Smooth Projective Hash Function with Grey Zone (SPHFwGZ) which can be seen as a relaxation of the classical Smooth Projective Hash Functions, with a subset of the words for which one cannot claim correctness nor smoothness: the grey zone. As a concrete application, we provide two instantiations of SPHFwGZ respectively based on the Diffie-Hellman and the Learning With Errors (LWE) problems. Hence, we propose a quantum-resistant OT protocol with UC-security in the random oracle model.

Exact Smooth Projective Hash Function based on LWE

IACR Cryptology ePrint Archive, 2013

Post-quantum and UC-Secure Oblivious Transfer from SPHF with Grey Zone

Lecture Notes in Computer Science, 2023

A gapless code-based hash proof system based on RQC and its applications

Designs, Codes and Cryptography, Aug 12, 2022

A gapless code-based hash proof system based on RQC and its applications

Designs, Codes and Cryptography

Cramer and Shoup introduced at Eurocrypt'02 the concept of hash proof system, also designated as smooth projective hash functions. Since then, they have found several applications, from building CCA-2 encryption as they were initially created for, to being at the core of several authenticated key exchange or even allowing witness encryption. In the post-quantum setting, the very few candidates use a language based on ciphertexts to build their hash proof system. This choice seems to inherently introduce a gap, as some elements outside the language could not be distinguished from those in the language. This creates a lawless zone, where an adversary can possibly mount an undetectable attack, particularly problematic when trying to prove security in the UC framework [19]. We show that this gap could be completely withdrawn using code-based cryptography. Starting from RQC [4], a candidate selected for the second round of the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization project, we show how to build such a hash proof system from code-based cryptography and present a way, based on a proof of knowledge, to fully negate the gap. We propose two applications of our construction, a witness encryption scheme and a password authenticated key exchange (PAKE).

Secure Decision Forest Evaluation

The 16th International Conference on Availability, Reliability and Security, 2021

Decision forests are classical models to efficiently make decisions on complex inputs with multiple features. While the global structure of the trees or forests is public, sensitive information has to be protected during the evaluation of some client inputs with respect to some server model. Indeed, the comparison thresholds on the server side may have economic value while the client inputs might be critical personal data. In addition, soundness is also important for the receiver. In our case, we will consider the server to be interested in the outcome of the model evaluation so that the client should not be able to bias it. In this paper, we propose a new offline/online protocol between a client and a server with a constant number of rounds in the online phase, with both privacy and soundness against malicious clients.

Non-Interactive Key Exchange from Identity-Based Encryption

Proceedings of the 13th International Conference on Availability, Reliability and Security, 2018

Since the seminal work of Diffie and Hellman [19], Non-Interactive Key Exchange (NIKE) has become one of the fundamental problems of modern cryptography, but additional security requirements have led to elaborated ad-hoc constructions, which often lack simplicity in their design. In particular, Identity-Based NIKE is still a major problem with few available constructions, and those ad-hoc constructions do not give a lot of insight on what is required to be able to achieve such a NIKE scheme only based on the identity (and not relying on the public-key setting). In this work, we focus on the public-key setting and show how to generically build a NIKE scheme using a specific kind of Identity-Based Encryption, while also opening research on a new kind of Identity-Based Key Encapsulation Mechanisms (IBKEM), which we call identity-independent 2-tier IBKEM. As an interesting result, this construction also leads to the first known NIKE construction based on lattices. While most of the instantiations given in this paper lie in the random oracle model, this is not an inherent problem of our generic construction but rather a consequence of the lack of an existing identity-independent 2-tier IBKEM scheme in the standard model. Our proposal thus allows to reduce the problem to the construction of several building blocks, which can be studied independently in order to lead to an instantiation of NIKE in the standard model.

Post-Quantum UC-Secure Oblivious Transfer in the Standard Model with Adaptive Corruptions

Proceedings of the 14th International Conference on Availability, Reliability and Security, 2019

Since the seminal result of Kilian, Oblivious Transfer (OT) has proven to be a fundamental primitive in cryptography. In such a scheme, a user is able to gain access to an element owned by a server, without learning more than this single element, and without the server learning which element the user has accessed. The NIST call for post-quantum encryption and signature schemes has revived the interest for cryptographic protocols based on post-quantum assumptions and the need for secure post-quantum OT schemes. In this paper, we show how to construct an OT scheme based on lattices, from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Note that our scheme does not rely on random oracles and provides UC security against adaptive corruptions assuming reliable erasures.

A code-based group signature scheme

Designs, Codes and Cryptography, 2016

In this work we propose the first code-based group signature. As it will be described below, its security is based on a relaxation of the model of Bellare, Shi and Zhang [3] (BSZ model) verifying the properties of anonymity, traceability and non-frameability. Furthermore, it has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to dynamically add new members and signature and public key sizes are constant with respect to the number of group members. Last but not least, our scheme can be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [19] (KTY model) and handles membership revocation. The main idea of our scheme consists in building a collision of two syndromes associated to two different matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome. These two small weight vectors will constitute the group member's secret signing key whose knowledge will be proved thanks to a variation of Stern's authentication protocol. For applications, we consider the case of the code-based CFS signature scheme [11] of Courtois, Finiasz and Sendrier.

Mitigating Server Breaches in Password-Based Authentication: Secure and Efficient Solutions

Topics in Cryptology - CT-RSA 2016, 2016

Password-Authenticated Key Exchange allows users to generate a strong cryptographic key based on a shared "human-memorable" password without requiring a public-key infrastructure. It is one of the most widely used and fundamental cryptographic primitives. Unfortunately, mass password theft from organizations is continually in the news and, even if passwords are salted and hashed, brute force breaking of password hashing is usually very successful in practice. In this paper, we propose two efficient protocols where the password database is somehow shared among two servers (or more), and authentication requires a distributed computation involving the client and the servers. In this scenario, even if a server compromise is doable, the secret exposure is not valuable to the adversary since it reveals only a share of the password database and does not permit to brute force guess a password without further interactions with the parties for each guess. Our protocols rely on smooth projective hash functions and are proven secure under classical assumptions in the standard model (i.e. do not require idealized assumptions, such as random oracles).

Structure-Preserving Smooth Projective Hashing

Advances in Cryptology – ASIACRYPT 2016, 2016

Smooth projective hashing has proven to be an extremely useful primitive, in particular when used in conjunction with commitments to provide implicit decommitment. This has led to applications proven secure in the UC framework, even in presence of an adversary which can do adaptive corruptions, like for example Password Authenticated Key Exchange (PAKE), and 1-out-of-m Oblivious Transfer (OT). However such solutions still lack in efficiency, since they heavily scale on the underlying message length. Structure-preserving cryptography aims at providing elegant and efficient schemes based on classical assumptions and standard group operations on group elements. A recent trend focuses on constructions of structure-preserving signatures, which require message, signature and verification keys to lie in the base group, while the verification equations only consist of pairing-product equations. Classical constructions of Smooth Projective Hash Function suffer from the same limitation as classical signatures: at least one part of the computation (messages for signature, witnesses for SPHF) is a scalar. In this work, we introduce and instantiate the concept of Structure-Preserving Smooth Projective Hash Function, and give as applications more efficient instantiations for one-round PAKE and three-round OT, and information retrieval thanks to Anonymous Credentials, all UC-secure against adaptive adversaries.

Generic Construction of UC-Secure Oblivious Transfer

Lecture Notes in Computer Science, 2015

We show how to construct a completely generic UC-secure oblivious transfer scheme from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Our work is based on the work of Abdalla et al. at Asiacrypt 2013, where the authors formalize the notion of SPHF-friendly commitments, i.e. accepting an SPHF on the language of valid commitments (to allow implicit decommitment), and show how to construct from them a UC-secure oblivious transfer in a generic way. But Abdalla et al. only gave a DDH-based construction of SPHF-friendly commitment schemes, furthermore highly relying on pairings. In this work, we show how to generically construct an SPHF-friendly commitment scheme from a collision-resistant CH scheme and an SPHF-friendly CCA encryption scheme. This allows us to propose an instantiation of our schemes based on the DDH, as efficient as that of Abdalla et al., but without requiring any pairing. Interestingly, our generic framework also allows us to propose an instantiation based on the learning with errors (LWE) assumption. For the record, we finally propose a last instantiation based on the decisional composite residuosity (DCR) assumption.

Short blind signatures

Journal of Computer Security, 2013

Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the common-reference-string model without random oracles and under standard assumptions: CDH and the decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash function.

Tightly-Secure Signatures from Chameleon Hash Functions

Lecture Notes in Computer Science, 2015

We give a new framework for obtaining signatures with a tight security reduction from standard hardness assumptions. Concretely, we show that any Chameleon Hash function can be transformed into a (binary) tree-based signature scheme with tight security. The transformation is in the standard model, i.e., it does not make use of any random oracle. For specific assumptions (such as RSA, Diffie-Hellman and Short Integer Solution (SIS)) we further manage to obtain a more efficient flat-tree construction. Our framework explains and generalizes most of the existing schemes as well as providing a generic means for constructing tight signature schemes based on arbitrary assumptions, which improves the standard Merkle tree transformation. Moreover, we obtain the first tightly secure signature scheme from the SIS assumption and several schemes based on Diffie-Hellman in the standard model. Some of our signature schemes can (using known techniques) be combined with Groth-Sahai proof methodology to yield tightly secure and efficient simulation-sound NIZK proofs of knowledge and CCA-secure encryption in the multi-user/-challenge setting under classical assumptions.

Compact Round-Optimal Partially-Blind Signatures

Lecture Notes in Computer Science, 2012

Partially-blind signatures find many applications in the area of anonymity, such as in e-cash or e-voting systems. They extend classical blind signatures, with a signed message composed of two parts: a public one (common to the user and the signer) and a private one (chosen by the user, and blindly signed). The signer cannot link later the message-signature to the initial interaction with the user, among other signatures on messages with the same public part. This paper presents a one-round partially-blind signature which achieves perfect blindness in the standard model using a Common Reference String, under classical assumptions: CDH and DLin assumptions in symmetric groups, and similar ones in asymmetric groups. This scheme is more efficient than the previous ones: reduced round complexity and communication complexity, but still weaker complexity assumptions. A great advantage is also to end up with a standard Waters signature, which is quite short. In addition, in all the previous schemes, the public part required a prior agreement between the parties on the public part of the message before running the blind signature protocol. Our protocol does not require such pre-processing: the public part can be chosen by the signer only. Our scheme even allows multiple messages provided from independent sources to be blindly signed. These messages can either be concatenated or aggregated by the signer, without learning any information about them, before returning the blind signature to the recipient. For the aggregation (addition of the messages), we provide a new result, of independent interest, about the Waters hash function over non-binary alphabets.

Errorless Smooth Projective Hash Function based on LWE

New Techniques for SPHFs and Efficient One-Round PAKE Protocols

Advances in Cryptology – CRYPTO 2013, 2013

Password-authenticated key exchange (PAKE) protocols allow two players to agree on a shared high entropy secret key, that depends on their own passwords only. Following Gennaro and Lindell's approach, with a new kind of smooth-projective hash functions (SPHFs), Katz and Vaikuntanathan recently came up with the first concrete one-round PAKE protocols, where the two players just have to send simultaneous flows to each other. The first one is secure in the Bellare-Pointcheval-Rogaway (BPR) model and the second one in Canetti's UC framework, but at the cost of simulation-sound non-interactive zero-knowledge (SS-NIZK) proofs (one for the BPR-secure protocol and two for the UC-secure one), which make the overall constructions not really efficient. This paper follows their path with, first, a new efficient instantiation of SPHF on Cramer-Shoup ciphertexts, which allows to get rid of the SS-NIZK proof and leads to the design of the most efficient one-round PAKE known so far, in the BPR model, and in addition without pairings. In the UC framework, the security proof required the simulator to be able to extract the hashing key of the SPHF, hence the additional SS-NIZK proof. We improve the way the latter extractability is obtained by introducing the notion of trapdoor smooth projective hash functions (TSPHFs). Our concrete instantiation leads to the most efficient one-round PAKE UC-secure against static corruptions to date. We additionally show how these SPHFs and TSPHFs can be used for blind signatures and zero-knowledge proofs with straight-line extractability.

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages

Lecture Notes in Computer Science, 2013

Authenticated Key Exchange (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e., low-entropy) secret keys or credentials. In this paper, we provide a general framework, that encompasses several previous AKE primitives such as (Verifier-based) Password-Authenticated Key Exchange or Secret Handshakes, we call LAKE for Language-Authenticated Key Exchange. We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations. Combined with an efficient commitment scheme, that is derived from the highly-efficient UC-secure Lindell's commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption.

Motivation. PAKE, for Password-Authenticated Key Exchange, was formalized by Bellovin and Merritt [BM92] and followed by many proposals based on different cryptographic assumptions (see [ACP09,CCGS10] and references therein). It allows users to generate a strong cryptographic key based on a shared "human-memorable" (i.e. low-entropy) password without requiring a public-key infrastructure. In this setting, an adversary controlling all communication in the network should not be able to mount an off-line dictionary attack.

The concept of Secret Handshakes has been introduced in 2003 by Balfanz, Durfee, Shankar, Smetters, Staddon and Wong [BDS+03] (see also [JL09, AKB07]). It allows two members of the same group to identify each other secretly, in the sense that each party reveals his affiliation to the other only if they are members of the same group. At the end of the protocol, the parties can set up an ephemeral session key for securing further communication between them and an outsider is unable to determine if the handshake succeeded. In case of failure, the players do not learn any information about the other party's affiliation. More recently, Credential-Authenticated Key Exchange (CAKE) was presented by Camenisch, Casati, Groß and Shoup [CCGS10]. In this primitive, a common key is established if and only if a specific relation is satisfied between credentials held by the two players. This primitive includes variants of PAKE and Secret Handshakes, and namely Verifier-based PAKE, where the client owns a password pw and the server knows a one-way transformation v of the password only. It prevents massive password recovering in case of server corruption. The two players eventually agree on a common high entropy secret if and only if pw and v match together, and off-line dictionary attacks are prevented for third-party players.

Our Results. We propose a new primitive that encompasses most of the previous notions of authenticated key exchange. It is closely related to CAKE and we call it LAKE, for Language-Authenticated Key-Exchange, since parties establish a common key if and only if they hold credentials that belong to specific (and possibly independent) languages. The definition of the primitive is more practice-oriented than the definition of CAKE

SPHF-Friendly Non-interactive Commitments

Advances in Cryptology - ASIACRYPT 2013, 2013

In 2009, Abdalla et al. proposed a reasonably practical password-authenticated key exchange (PAKE) secure against adaptive adversaries in the universal composability (UC) framework. It exploited the Canetti-Fischlin methodology for commitments and the Cramer-Shoup smooth projective hash functions (SPHFs), following the Gennaro-Lindell approach for PAKE. In this paper, we revisit the notion of non-interactive commitments, with a new formalism that implies UC security. In addition, we provide a quite efficient instantiation. We then extend our formalism to SPHF-friendly commitments. We thereafter show that it allows a black-box application to one-round PAKE and oblivious transfer (OT), still secure in the UC framework against adaptive adversaries, assuming reliable erasures and a single global common reference string, even for multiple sessions. Our instantiations are more efficient than the Abdalla et al. PAKE in Crypto 2009 and the recent OT protocol proposed by Choi et al. in PKC 2013. Furthermore, the new PAKE instantiation is the first one-round scheme achieving UC security against adaptive adversaries.

New Smooth Projective Hash Functions and One-Round Authenticated Key Exchange

Abstract. Password-Authenticated Key Exchange (PAKE) has received deep attention in the last few years, with a recent strong improvement by Katz-Vaikuntanathan, and their one-round protocol: the two players just have to send simultaneous flows to each other, that depend on their own passwords only, to agree on a shared high entropy secret key. We follow their work with a further study of their new Smooth-Projective Hash Function framework, and namely we introduce new efficient instantiations on IND-CCA ciphertexts. ...

Research paper thumbnail of Post-Quantum Oblivious Transfer from Smooth Projective Hash Functions with Grey Zone

arXiv (Cornell University), Sep 9, 2022

Oblivious Transfer (OT) is a major primitive for secure multiparty computation. Indeed, combined ... more Oblivious Transfer (OT) is a major primitive for secure multiparty computation. Indeed, combined with symmetric primitives along with garbled circuits, it allows any secure function evaluation between two parties. In this paper, we propose a new approach to build OT protocols. Interestingly, our new paradigm features a security analysis in the Universal Composability (UC) framework and may be instantiated from post-quantum primitives. In order to do so, we define a new primitive named Smooth Projective Hash Function with Grey Zone (SPHFwGZ) which can be seen as a relaxation of the classical Smooth Projective Hash Functions, with a subset of the words for which one cannot claim correctness nor smoothness: the grey zone. As a concrete application, we provide two instantiations of SPHFwGZ respectively based on the Diffie-Hellman and the Learning With Errors (LWE) problems. Hence, we propose a quantum-resistant OT protocol with UC-security in the random oracle model.

Research paper thumbnail of Exact Smooth Projective Hash Function based on LWE

IACR Cryptology ePrint Archive, 2013

Research paper thumbnail of Post-quantum and UC-Secure Oblivious Transfer from SPHF with Grey Zone

Lecture Notes in Computer Science, 2023

Research paper thumbnail of A gapless code-based hash proof system based on RQC and its applications

Designs, Codes and Cryptography, Aug 12, 2022

Research paper thumbnail of A gapless code-based hash proof system based on RQC and its applications

Designs, Codes and Cryptography

Cramer and Shoup introduced at Eurocrypt'02 the concept of hash proof system, also designated as ... more Cramer and Shoup introduced at Eurocrypt'02 the concept of hash proof system, also designated as smooth projective hash functions. Since then, they have found several applications, from building CCA-2 encryption as they were initially created for, to being at the core of several authenticated key exchange or even allowing witness encryption. In the post-quantum setting, the very few candidates use a language based on ciphertexts to build their hash proof system. This choice seems to inherently introduce a gap, as some elements outside the language could not be distinguish from those in the language. This creates a lawless zone, where an adversary can possibly mount an undetectable attack, particularly problematic when trying to prove security in the UC framework [19]. We show that this gap could be completely withdrawn using code-based cryptography. Starting from RQC [4], a candidate selected for the second round of the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization project, we show how to build such a hash proof system from code-based cryptography and present a way, based on a proof of knowledge, to fully negate the gap. We propose two applications of our construction, a witness encryption scheme and a password authenticated key exchange (PAKE).

Research paper thumbnail of Secure Decision Forest Evaluation

The 16th International Conference on Availability, Reliability and Security, 2021

Decision forests are classical models to efficiently make decision on complex inputs with multipl... more Decision forests are classical models to efficiently make decision on complex inputs with multiple features. While the global structure of the trees or forests is public, sensitive information have to be protected during the evaluation of some client inputs with respect to some server model. Indeed, the comparison thresholds on the server side may have economical value while the client inputs might be critical personal data. In addition, soundness is also important for the receiver. In our case, we will consider the server to be interested in the outcome of the model evaluation so that the client should not be able to bias it. In this paper, we propose a new offline/online protocol between a client and a server with a constant number of rounds in the online phase, with both privacy and soundness against malicious clients.

Research paper thumbnail of Non-Interactive Key Exchange from Identity-Based Encryption

Proceedings of the 13th International Conference on Availability, Reliability and Security, 2018

Since the seminal work of Diffie and Hellman [19], Non-Interactive Key Exchange (NIKE) has become... more Since the seminal work of Diffie and Hellman [19], Non-Interactive Key Exchange (NIKE) has become one of the fundamental problems of modern cryptography, but additional security requirements have led to elaborated ad-hoc constructions, which often lack simplicity in their design. In particular, Identity-Based NIKE is still a major problem with few available constructions, and those ad-hoc constructions do not give a lot of insight on what is required to be able to achieve such a NIKE scheme only based on the identity (and not relying on the public-key setting). In this work, we focus on the public-key setting and show how to generically build a NIKE scheme using a specific kind of Identity-Based Encryption, while also opening research on a new kind of Identity-Based Key Encapsulation Mechanisms (IBKEM), which we call identity-independent 2-tier IBKEM. As an interesting result, this construction also leads to the first known NIKE construction based on lattices. While most of the instantiations given in this paper lie in the random oracle model, this is not an inherent problem of our generic construction but rather a consequence of the lack of an existing identity-independent 2-tier IBKEM scheme in the standard model. Our proposal thus allows to reduce the problem to the construction of several building blocks, which can be studied independently in order to lead to an instantiation of NIKE in the standard model.

Post-Quantum UC-Secure Oblivious Transfer in the Standard Model with Adaptive Corruptions

Proceedings of the 14th International Conference on Availability, Reliability and Security, 2019

Since the seminal result of Kilian, Oblivious Transfer (OT) has proven to be a fundamental primitive in cryptography. In such a scheme, a user is able to gain access to an element owned by a server, without learning more than this single element, and without the server learning which element the user has accessed. The NIST call for post-quantum encryption and signature schemes has revived interest in cryptographic protocols based on post-quantum assumptions and the need for secure post-quantum OT schemes. In this paper, we show how to construct an OT scheme based on lattices, from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Note that our scheme does not rely on random oracles and provides UC security against adaptive corruptions assuming reliable erasures.

A code-based group signature scheme

Designs, Codes and Cryptography, 2016

In this work we propose the first code-based group signature. As described below, its security is based on a relaxation of the model of Bellare, Shi and Zhang [3] (BSZ model), verifying the properties of anonymity, traceability and non-frameability. Furthermore, it has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing-based constructions: it allows new members to be added dynamically, and signature and public key sizes are constant with respect to the number of group members. Last but not least, our scheme can be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [19] (KTY model) and handles membership revocation. The main idea of our scheme consists in building a collision of two syndromes associated with two different matrices: a random one, which enables building a random syndrome from a chosen small-weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits finding a small-weight preimage of the previous random syndrome. These two small-weight vectors will constitute the group member's secret signing key, whose knowledge will be proved thanks to a variation of Stern's authentication protocol. For applications, we consider the case of the code-based CFS signature scheme [11] of Courtois, Finiasz and Sendrier.

Mitigating Server Breaches in Password-Based Authentication: Secure and Efficient Solutions

Topics in Cryptology - CT-RSA 2016, 2016

Password-Authenticated Key Exchange allows users to generate a strong cryptographic key based on a shared "human-memorable" password without requiring a public-key infrastructure. It is one of the most widely used and fundamental cryptographic primitives. Unfortunately, mass password theft from organizations is continually in the news and, even if passwords are salted and hashed, brute-force breaking of password hashing is usually very successful in practice. In this paper, we propose two efficient protocols where the password database is somehow shared among two servers (or more), and authentication requires a distributed computation involving the client and the servers. In this scenario, even if a server compromise is feasible, the exposed secret is not valuable to the adversary, since it reveals only a share of the password database and does not permit brute-force guessing of a password without further interactions with the parties for each guess. Our protocols rely on smooth projective hash functions and are proven secure under classical assumptions in the standard model (i.e., they do not require idealized assumptions, such as random oracles).

Structure-Preserving Smooth Projective Hashing

Advances in Cryptology – ASIACRYPT 2016, 2016

Smooth projective hashing has proven to be an extremely useful primitive, in particular when used in conjunction with commitments to provide implicit decommitment. This has led to applications proven secure in the UC framework, even in the presence of an adversary which can do adaptive corruptions, like for example Password Authenticated Key Exchange (PAKE) and 1-out-of-m Oblivious Transfer (OT). However, such solutions still lack efficiency, since they scale heavily with the underlying message length. Structure-preserving cryptography aims at providing elegant and efficient schemes based on classical assumptions and standard group operations on group elements. A recent trend focuses on constructions of structure-preserving signatures, which require messages, signatures and verification keys to lie in the base group, while the verification equations only consist of pairing-product equations. Classical constructions of Smooth Projective Hash Functions suffer from the same limitation as classical signatures: at least one part of the computation (messages for signatures, witnesses for SPHFs) is a scalar. In this work, we introduce and instantiate the concept of Structure-Preserving Smooth Projective Hash Function, and give as applications more efficient instantiations for one-round PAKE and three-round OT, and information retrieval thanks to Anonymous Credentials, all UC-secure against adaptive adversaries.

Generic Construction of UC-Secure Oblivious Transfer

Lecture Notes in Computer Science, 2015

We show how to construct a completely generic UC-secure oblivious transfer scheme from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Our work is based on the work of Abdalla et al. at Asiacrypt 2013, where the authors formalize the notion of SPHF-friendly commitments, i.e. accepting an SPHF on the language of valid commitments (to allow implicit decommitment), and show how to construct from them a UC-secure oblivious transfer in a generic way. But Abdalla et al. only gave a DDH-based construction of SPHF-friendly commitment schemes, furthermore relying heavily on pairings. In this work, we show how to generically construct an SPHF-friendly commitment scheme from a collision-resistant CH scheme and an SPHF-friendly CCA encryption scheme. This allows us to propose an instantiation of our schemes based on the DDH, as efficient as that of Abdalla et al., but without requiring any pairing. Interestingly, our generic framework also allows us to propose an instantiation based on the learning with errors (LWE) assumption. For the record, we finally propose a last instantiation based on the decisional composite residuosity (DCR) assumption.

Short blind signatures

Journal of Computer Security, 2013

Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the common-reference-string model without random oracles and under standard assumptions: CDH and the decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash function.

Tightly-Secure Signatures from Chameleon Hash Functions

Lecture Notes in Computer Science, 2015

We give a new framework for obtaining signatures with a tight security reduction from standard hardness assumptions. Concretely, we show that any Chameleon Hash function can be transformed into a (binary) tree-based signature scheme with tight security. The transformation is in the standard model, i.e., it does not make use of any random oracle. For specific assumptions (such as RSA, Diffie-Hellman and Short Integer Solution (SIS)) we further manage to obtain a more efficient flat-tree construction. Our framework explains and generalizes most of the existing schemes, as well as providing a generic means for constructing tight signature schemes based on arbitrary assumptions, which improves the standard Merkle tree transformation. Moreover, we obtain the first tightly secure signature scheme from the SIS assumption and several schemes based on Diffie-Hellman in the standard model. Some of our signature schemes can (using known techniques) be combined with the Groth-Sahai proof methodology to yield tightly secure and efficient simulation-sound NIZK proofs of knowledge and CCA-secure encryption in the multi-user/-challenge setting under classical assumptions.

Compact Round-Optimal Partially-Blind Signatures

Lecture Notes in Computer Science, 2012

Partially-blind signatures find many applications in the area of anonymity, such as in e-cash or e-voting systems. They extend classical blind signatures, with a signed message composed of two parts: a public one (common to the user and the signer) and a private one (chosen by the user, and blindly signed). The signer cannot later link the message-signature pair to the initial interaction with the user, among other signatures on messages with the same public part. This paper presents a one-round partially-blind signature which achieves perfect blindness in the standard model using a Common Reference String, under classical assumptions: CDH and DLin assumptions in symmetric groups, and similar ones in asymmetric groups. This scheme is more efficient than the previous ones: reduced round complexity and communication complexity, and still weaker complexity assumptions. A great advantage is also to end up with a standard Waters signature, which is quite short. In addition, in all the previous schemes, the public part required a prior agreement between the parties on the public part of the message before running the blind signature protocol. Our protocol does not require such pre-processing: the public part can be chosen by the signer only. Our scheme even allows multiple messages provided by independent sources to be blindly signed. These messages can either be concatenated or aggregated by the signer, without learning any information about them, before returning the blind signature to the recipient. For the aggregation (addition of the messages), we provide a new result, of independent interest, about the Waters hash function over non-binary alphabets.

Errorless Smooth Projective Hash Function based on LWE

New Techniques for SPHFs and Efficient One-Round PAKE Protocols

Advances in Cryptology – CRYPTO 2013, 2013

Password-authenticated key exchange (PAKE) protocols allow two players to agree on a shared high-entropy secret key that depends on their own passwords only. Following Gennaro and Lindell's approach, with a new kind of smooth projective hash functions (SPHFs), Katz and Vaikuntanathan recently came up with the first concrete one-round PAKE protocols, where the two players just have to send simultaneous flows to each other. The first one is secure in the Bellare-Pointcheval-Rogaway (BPR) model and the second one in Canetti's UC framework, but at the cost of simulation-sound non-interactive zero-knowledge (SS-NIZK) proofs (one for the BPR-secure protocol and two for the UC-secure one), which make the overall constructions not really efficient. This paper follows their path with, first, a new efficient instantiation of SPHF on Cramer-Shoup ciphertexts, which allows getting rid of the SS-NIZK proof and leads to the design of the most efficient one-round PAKE known so far, in the BPR model, and in addition without pairings. In the UC framework, the security proof required the simulator to be able to extract the hashing key of the SPHF, hence the additional SS-NIZK proof. We improve the way the latter extractability is obtained by introducing the notion of trapdoor smooth projective hash functions (TSPHFs). Our concrete instantiation leads to the most efficient one-round PAKE UC-secure against static corruptions to date. We additionally show how these SPHFs and TSPHFs can be used for blind signatures and zero-knowledge proofs with straight-line extractability.

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages

Lecture Notes in Computer Science, 2013

Authenticated Key Exchange (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e., low-entropy) secret keys or credentials. In this paper, we provide a general framework that encompasses several previous AKE primitives such as (Verifier-based) Password-Authenticated Key Exchange or Secret Handshakes, which we call LAKE for Language-Authenticated Key Exchange. We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations. Combined with an efficient commitment scheme, derived from Lindell's highly efficient UC-secure commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption.

Motivation. PAKE, for Password-Authenticated Key Exchange, was formalized by Bellovin and Merritt [BM92] and followed by many proposals based on different cryptographic assumptions (see [ACP09, CCGS10] and references therein). It allows users to generate a strong cryptographic key based on a shared "human-memorable" (i.e. low-entropy) password without requiring a public-key infrastructure. In this setting, an adversary controlling all communication in the network should not be able to mount an off-line dictionary attack.

The concept of Secret Handshakes was introduced in 2003 by Balfanz, Durfee, Shankar, Smetters, Staddon and Wong [BDS+03] (see also [JL09, AKB07]). It allows two members of the same group to identify each other secretly, in the sense that each party reveals his affiliation to the other only if they are members of the same group. At the end of the protocol, the parties can set up an ephemeral session key for securing further communication between them, and an outsider is unable to determine if the handshake succeeded. In case of failure, the players do not learn any information about the other party's affiliation. More recently, Credential-Authenticated Key Exchange (CAKE) was presented by Camenisch, Casati, Groß and Shoup [CCGS10]. In this primitive, a common key is established if and only if a specific relation is satisfied between credentials held by the two players. This primitive includes variants of PAKE and Secret Handshakes, and notably Verifier-based PAKE, where the client owns a password pw and the server knows only a one-way transformation v of the password. It prevents massive password recovery in case of server corruption. The two players eventually agree on a common high-entropy secret if and only if pw and v match together, and off-line dictionary attacks are prevented for third-party players.

Our Results. We propose a new primitive that encompasses most of the previous notions of authenticated key exchange. It is closely related to CAKE and we call it LAKE, for Language-Authenticated Key-Exchange, since parties establish a common key if and only if they hold credentials that belong to specific (and possibly independent) languages. The definition of the primitive is more practice-oriented than the definition of CAKE

SPHF-Friendly Non-interactive Commitments

Advances in Cryptology - ASIACRYPT 2013, 2013

In 2009, Abdalla et al. proposed a reasonably practical password-authenticated key exchange (PAKE) secure against adaptive adversaries in the universal composability (UC) framework. It exploited the Canetti-Fischlin methodology for commitments and the Cramer-Shoup smooth projective hash functions (SPHFs), following the Gennaro-Lindell approach for PAKE. In this paper, we revisit the notion of non-interactive commitments, with a new formalism that implies UC security. In addition, we provide a quite efficient instantiation. We then extend our formalism to SPHF-friendly commitments. We thereafter show that it allows a black-box application to one-round PAKE and oblivious transfer (OT), still secure in the UC framework against adaptive adversaries, assuming reliable erasures and a single global common reference string, even for multiple sessions. Our instantiations are more efficient than the Abdalla et al. PAKE in Crypto 2009 and the recent OT protocol proposed by Choi et al. in PKC 2013. Furthermore, the new PAKE instantiation is the first one-round scheme achieving UC security against adaptive adversaries.

New Smooth Projective Hash Functions and One-Round Authenticated Key Exchange

Password-Authenticated Key Exchange (PAKE) has received considerable attention in the last few years, with a recent strong improvement by Katz-Vaikuntanathan and their one-round protocol: the two players just have to send simultaneous flows to each other, which depend on their own passwords only, to agree on a shared high-entropy secret key. We follow their work with a further study of their new Smooth-Projective Hash Function framework, and in particular we introduce new efficient instantiations on IND-CCA ciphertexts. ...