CryptoDB
Akira Takahashi
ORCID: 0000-0001-8556-3053
Publications
Year
Venue
Title
2024
CIC
Verifiable Encryption from MPC-in-the-Head
Abstract
<p> Verifiable encryption (VE) is a protocol where one can provide assurance that an encrypted plaintext satisfies certain properties, or relations. It is an important building block in cryptography with many useful applications, such as key escrow, group signatures, optimistic fair exchange, and others. However, the majority of previous VE schemes are restricted to instantiation with specific public-key encryption schemes or relations. In this work, we propose a novel framework that realizes VE protocols using zero-knowledge proof systems based on the MPC-in-the-head paradigm (Ishai et al. STOC 2007). Our generic compiler can turn a large class of zero-knowledge proofs into secure VE protocols for any secure public-key encryption scheme with the undeniability property, a notion that essentially guarantees binding of encryption when used as a commitment scheme. Our framework is versatile: because the circuit proven by the MPC-in-the-head prover is decoupled from a complex encryption function, the work of the prover is focused on proving the encrypted data satisfies the relation, not the proof of plaintext knowledge. Hence, our approach allows for instantiation with various combinations of properties about the encrypted data and encryption functions. We then consider concrete applications, to demonstrate the efficiency of our framework, by first giving a new approach and implementation to verifiably encrypt discrete logarithms in any prime order group more efficiently than was previously known. Then we give the first practical verifiable encryption scheme for AES keys with post-quantum security, along with an implementation and benchmarks. </p>
2024
CRYPTO
Aggregating Falcon Signatures With LaBRADOR
Abstract
Several prior works have suggested to use non-interactive arguments of knowledge with short proofs to aggregate signatures of Falcon, which is part of the first post-quantum signatures selected for standardization by NIST. Especially LaBRADOR, based on standard structured lattice assumptions and published at CRYPTO'23, seems promising to realize this task. However, no prior work has tackled this idea in a rigorous way. In this paper, we thoroughly prove how to aggregate Falcon signatures using LaBRADOR. We start by providing the first complete knowledge soundness analysis for the non-interactive version of LaBRADOR. Here, the multi-round and recursive nature of LaBRADOR requires a complex and thorough analysis. For this purpose, we introduce the notion of predicate special soundness (PSS). This is a general framework for evaluating the knowledge error of complex Fiat-Shamir arguments of knowledge protocols in a modular fashion, which we believe to be of independent interest. We then explain the exact steps to take in order to adapt the non-interactive LaBRADOR proof system for aggregating Falcon signatures and provide concrete proof size estimates. Additionally, we formalize the folklore approach of obtaining aggregate signatures from the class of hash-then-sign signatures through arguments of knowledge.
2024
TCC
The Brave New World of Global Generic Groups and UC-Secure Zero-Overhead SNARKs
Abstract
The universal composability (UC) model provides strong security guarantees for
protocols used in arbitrary contexts. While these guarantees are highly desirable, in practice,
schemes with a standalone proof of security, such as the Groth16 proof system, are preferred.
This is because UC security typically comes with undesirable overhead, sometimes making
UC-secure schemes significantly less efficient than their standalone counterparts.
We establish the UC security of Groth16 without any significant overhead. In the spirit of
global random oracles, we design a global (restricted) observable generic group functionality
that models a natural notion of observability: computations that trace back to group elements
derived from generators of other sessions are observable. This notion turns out to be surprisingly
subtle to formalize. We provide a general framework for proving protocols secure in the presence
of global generic groups, which we then apply to Groth16.
2023
EUROCRYPT
Witness-Succinct Universally-Composable SNARKs
Abstract
Zero-knowledge Succinct Non-interactive ARguments of Knowledge (zkSNARKs) are becoming an increasingly fundamental tool in many real-world applications where the proof compactness is of the utmost importance, including blockchains. A proof of security for SNARKs in the Universal Composability (UC) framework (Canetti, FOCS'01) would rule out devastating malleability attacks. To retain security of SNARKs in the UC model, one must show their \emph{simulation-extractability} such that the knowledge extractor is both \emph{black-box} and \emph{straight-line}, which would imply that proofs generated by honest provers are \emph{non-malleable}. However, existing simulation-extractability results on SNARKs either lack some of these properties, or alternatively have to sacrifice \emph{witness succinctness} to prove UC security.
In this paper, we provide a compiler lifting any simulation-extractable NIZKAoK into a UC-secure one in the global random oracle model, importantly, while preserving the same level of witness succinctness. Combining this with existing zkSNARKs, we achieve, to the best of our knowledge, the first zkSNARKs simultaneously achieving UC-security and constant sized proofs.
2023
TCC
How to Compile Polynomial IOP into Simulation-Extractable SNARKs: A Modular Approach
Abstract
Most succinct arguments (SNARKs) are initially only proven knowledge sound (KS).
We show that the commonly employed compilation strategy from polynomial interactive oracle proofs (PIOP) via polynomial commitments to knowledge sound SNARKS actually also achieves other desirable properties: weak unique response (WUR) and trapdoorless zero-knowledge (TLZK); and that together they imply simulation extractability (SIM-EXT).
The factoring of SIM-EXT into KS + WUR + TLZK is becoming a cornerstone of the analysis of non-malleable SNARK systems. We show how to prove WUR (and TLZK) for PIOP compiled SNARKs under mild falsifiable assumptions on the polynomial commitment scheme. This means that the analysis of knowledge soundness from PIOP properties that inherently relies on non-falsifiable or idealized assumption such as the algebraic group model (AGM) or generic group model (GGM) need not be repeated.
While the proof of WUR requires only mild assumptions on the PIOP, TLZK is a different matter. As perfectly hiding polynomial commitments sometimes come at a substantial performance premium, SNARK designers prefer to employ deterministic commitments with some leakage. This results in the need for a stronger zero-knowledge property for the PIOP.
The modularity of our approach implies that any analysis improvements, e.g. in terms of tightness, credibility of the knowledge assumption and model of the KS analysis, or the precision of capturing real-world optimizations for TLZK also benefits the SIM-EXT guarantees.
2022
PKC
ECLIPSE: Enhanced Compiling method for Pedersen-committed zkSNARK Engines
📺
Abstract
We advance the state-of-the art for zero-knowledge commit-and-prove SNARKs (CP-SNARKs).
CP-SNARKs are an important class of SNARKs which, using commitments as ``glue'', allow to efficiently combine proof systems---e.g., general-purpose SNARKs (an efficient way to prove statements about circuits) and $\Sigma$-protocols (an efficient way to prove statements about group operations).
Thus, CP-SNARKs allow to efficiently provide zero-knowledge proofs for composite statements such as $h=H(g^{x})$ for some hash-function $H$.
Our main contribution is providing the first construction of CP-SNARKs where the proof size is succinct in the number of commitments.
We achieve our result by providing a general technique to compile Algebraic Holographic Proofs (AHP) (an underlying abstraction used in many modern SNARKs) with special ``decomposition'' properties into an efficient CP-SNARK. We then show that some of the most efficient AHP constructions---Marlin, PLONK, and Sonic---satisfy our compilation requirements.
Our resulting SNARKs achieve universal and updatable reference strings, which are highly desirable features as they greatly reduce the trust needed in the SNARK setup phase.
2022
EUROCRYPT
Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon
📺
Abstract
This work describes the Mitaka signature scheme: a new hash-and-sign
signature scheme over NTRU lattices which can be seen as a variant of
NIST finalist Falcon. It achieves comparable efficiency but is
considerably simpler, online/offline, and easier to parallelize and
protect against side-channels, thus offering significant advantages from
an implementation standpoint. It is also much more versatile in terms of
parameter selection.
We obtain this signature scheme by replacing the FFO lattice Gaussian
sampler in Falcon by the “hybrid” sampler of Ducas and Prest, for
which we carry out a detailed and corrected security analysis. In
principle, such a change can result in a substantial security loss, but
we show that this loss can be largely mitigated using new techniques in
key generation that allow us to construct much higher quality lattice
trapdoors for the hybrid sampler relatively cheaply. This new approach
can also be instantiated on a wide variety of base fields, in contrast
with Falcon's restriction to power-of-two cyclotomics.
We also introduce a new lattice Gaussian sampler with the same quality
and efficiency, but which is moreover compatible with the integral matrix
Gram root technique of Ducas et al., allowing us to avoid floating point
arithmetic. This makes it possible to realize the same signature
scheme as Mitaka efficiently on platforms with poor support for
floating point numbers.
Finally, we describe a provably secure masking of Mitaka. More precisely,
we introduce novel gadgets that allow provable masking at any order at much
lower cost than previous masking techniques for Gaussian sampling-based
signature schemes, for cheap and dependable side-channel protection.
2022
EUROCRYPT
Fiat-Shamir Bulletproofs are Non-Malleable (in the Algebraic Group Model)
📺
Abstract
Bulletproofs (B{\"u}nz et al.~IEEE S\&P 2018) are a celebrated ZK proof system that allows for short and efficient proofs, and have been implemented and deployed in several real-world systems.
In practice, they are most often implemented in their \emph{non-interactive} version obtained using the Fiat-Shamir transform, despite the lack of a formal proof of security for this setting.
Prior to this work, there was no evidence that \emph{malleability attacks} were not possible against Fiat-Shamir Bulletproofs. Malleability attacks can lead to very severe vulnerabilities, as they allow an adversary to forge proofs re-using or modifying parts of the proofs provided by the honest parties.
In this paper, we show for the first time that Bulletproofs (or any other similar multi-round proof system satisfying some form of \emph{weak unique response} property) achieve \emph{simulation-extractability} in the \emph{algebraic group model}.
This implies that Fiat-Shamir Bulletproofs are \emph{non-malleable}.
2022
CRYPTO
MuSig-L: Lattice-Based Multi-Signature With Single-Round Online Phase
📺
Abstract
Multi-signatures are protocols that allow a group of signers to jointly produce a single signature on the same message. In recent years, a number of practical multi-signature schemes have been proposed in the discrete-log setting, such as MuSigT (CRYPTO'21) and DWMS (CRYPTO'21).
The main technical challenge in constructing a multi-signature scheme is to achieve a set of several desirable properties, such as (1) security in the plain public-key (PPK) model, (2) concurrent security, (3) low online round complexity, and (4) key aggregation. However, previous lattice-based, post-quantum counterparts to Schnorr multi-signatures fail to satisfy these properties.
In this paper, we introduce MuSigL, a lattice-based multi-signature scheme simultaneously achieving these design goals for the first time.
Unlike the recent, round-efficient proposal of Damgård et al. (PKC'21), which had to rely on lattice-based trapdoor commitments, we do not require any additional primitive in the protocol, while being able to prove security from the standard module-SIS and LWE assumptions.
The resulting output signature of our scheme therefore looks closer to the usual Fiat--Shamir-with-abort signatures.
2022
JOFC
Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices
Abstract
Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA or variants of Schnorr signatures; however, and in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or only come with incomplete security proofs. In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat–Shamir with Aborts (FSwA) paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme and the full security proof can be made assuming the hardness of module SIS and LWE problems. A key step to achieving security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message—which can inevitably happen in the Fiat–Shamir with Aborts setting. We manage to do so using homomorphic commitments. Exploiting the similarities between FSwA and Schnorr-style signatures, our approach makes the most of observations from recent advancements in the discrete log setting, such as Drijvers et al.’s seminal work on two-round multi-signatures (S&P 2019). In particular, we observe that the use of commitment not only resolves the subtle issue with aborts, but also makes it possible to realize secure two-round n -out-of- n distributed signing and multi-signature in the plain public key model , by equipping the commitment with a trapdoor feature. The construction of suitable trapdoor commitment from lattices is a side contribution of this paper.
2021
PKC
Two-round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattice
📺
Abstract
Although they have been studied for a long time, distributed signature
protocols have garnered renewed interest in recent years in view of novel
applications to topics like blockchains. Most recent works have focused
on distributed versions of ECDSA or variants of Schnorr signatures,
however, and in particular, little attention has been given to
constructions based on post-quantum secure assumptions like the hardness
of lattice problems. A few lattice-based threshold signature and
multi-signature schemes have been proposed in the literature, but they
either rely on hash-and-sign lattice signatures (which tend to be
comparatively inefficient), use expensive generic transformations, or
only come with incomplete security proofs.
In this paper, we construct several lattice-based distributed signing
protocols with low round complexity following the Fiat--Shamir with
Aborts (FSwA) paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed
variants of the fast Dilithium-G signature scheme and the full security proof can
be made assuming the hardness of module SIS and LWE problems. A key step to achieving
security (unexplained in some earlier papers) is to prevent the leakage
that can occur when parties abort after their first message---which can
inevitably happen in the Fiat--Shamir with Aborts setting. We manage to
do so using homomorphic commitments.
Exploiting the similarities between FSwA and Schnorr-style signatures,
our approach makes the most of observations from recent advancements in the
discrete log setting, such as Drijvers et al.'s seminal work on two-round multi-signatures (S&P 2019).
In particular, we observe that the use of commitment not only resolves the
subtle issue with aborts, but also makes it possible to realize secure two-round
n-out-of-n distributed signing and multi-signature
in the plain public key model, by equipping the commitment with a trapdoor feature.
The construction of suitable trapdoor commitment from
lattices is a side contribution of this paper.
2021
TCHES
Side-Channel Protections for Picnic Signatures
📺
Abstract
We study masking countermeasures for side-channel attacks against signature schemes constructed from the MPC-in-the-head paradigm, specifically when the MPC protocol uses preprocessing. This class of signature schemes includes Picnic, an alternate candidate in the third round of the NIST post-quantum standardization project. The only previously known approach to masking MPC-in-the-head signatures suffers from interoperability issues and increased signature sizes. Further, we present a new attack to demonstrate that known countermeasures are not sufficient when the MPC protocol uses a preprocessing phase, as in Picnic3.We overcome these challenges by showing how to mask the underlying zero-knowledge proof system due to Katz–Kolesnikov–Wang (CCS 2018) for any masking order, and by formally proving that our approach meets the standard security notions of non-interference for masking countermeasures. As a case study, we apply our masking technique to Picnic. We then implement different masked versions of Picnic signing providing first order protection for the ARM Cortex M4 platform, and quantify the overhead of these different masking approaches. We carefully analyze the side-channel risk of hashing operations, and give optimizations that reduce the CPU cost of protecting hashing in Picnic by a factor of five. The performance penalties of the masking countermeasures ranged from 1.8 to 5.5, depending on the degree of masking applied to hash function invocations.
2020
EUROCRYPT
Security of Hedged Fiat-Shamir Signatures under Fault Attacks
📺
Abstract
Deterministic generation of per-signature randomness has been a widely accepted solution to mitigate the catastrophic risk of randomness failure in Fiat--Shamir type signature schemes. However, recent studies have practically demonstrated that such de-randomized schemes, including EdDSA, are vulnerable to differential fault attacks, which enable adversaries to recover the entire secret signing key, by artificially provoking randomness reuse or corrupting computation in other ways. In order to balance concerns of both randomness failures and the threat of fault injection, some signature designs are advocating a ``hedged'' derivation of the per-signature randomness, by hashing the secret key, message, and a nonce. Despite the growing popularity of the hedged paradigm in practical signature schemes, to the best of our knowledge, there has been no attempt to formally analyze the fault resilience of hedged signatures.
We perform a formal security analysis of the fault resilience of signature schemes constructed via the Fiat--Shamir transform. We propose a model to characterize bit-tampering fault attacks, and investigate their impact across different steps of the signing operation. We prove that, for some types of faults, attacks are mitigated by the hedged paradigm, while attacks remain possible for others. As concrete case studies, we then apply our results to XEdDSA, a hedged version of EdDSA used in the Signal messaging protocol, and to Picnic2, a hedged Fiat--Shamir signature scheme in Round 2 of the NIST Post-Quantum standardization process.
2018
TCHES
New Bleichenbacher Records: Fault Attacks on qDSA Signatures
Abstract
In this paper, we optimize Bleichenbacher’s statistical attack technique against (EC)DSA and other Schnorr-like signature schemes with biased or partially exposed nonces. Previous approaches to Bleichenbacher’s attack suffered from very large memory consumption during the so-called “range reduction” phase. Using a carefully analyzed and highly parallelizable approach to this range reduction based on the Schroeppel–Shamir algorithm for knapsacks, we manage to overcome the memory barrier of previous work while maintaining a practical level of efficiency in terms of time complexity.As a separate contribution, we present new fault attacks against the qDSA signature scheme of Renes and Smith (ASIACRYPT 2017) when instantiated over the Curve25519 Montgomery curve, and we validate some of them on the AVR microcontroller implementation of qDSA using actual fault experiments on the ChipWhisperer-Lite evaluation board. These fault attacks enable an adversary to generate signatures with 2 or 3 bits of the nonces known.Combining our two contributions, we are able to achieve a full secret key recovery on qDSA by applying our version of Bleichenbacher’s attack to these faulty signatures. Using a hybrid parallelization model relying on both shared and distributed memory, we achieve a very efficient implementation of our highly scalable range reduction algorithm. This allows us to complete Bleichenbacher’s attack in the 252-bit prime order subgroup of Curve25519 within a reasonable time frame and using relatively modest computational resources both for 3-bit nonce exposure and for the much harder case of 2-bit nonce exposure. Both of these computations, and particularly the latter, set new records in the implementation of Bleichenbacher’s attack.
Program Committees
- Asiacrypt 2024
- PKC 2023
Coauthors
- Marius A. Aardal (1)
- Masayuki Abe (1)
- Diego F. Aranha (4)
- Emil Madsen Bennedsen (1)
- Sebastian Berndt (1)
- Jan Bobolz (1)
- Cecilia Boschini (1)
- Katharina Boudgoust (1)
- Matteo Campanelli (1)
- Ivan Damgård (2)
- Thomas Eisenbarth (1)
- Thomas Espitau (1)
- Pooya Farshim (1)
- Pierre-Alain Fouque (1)
- Chaya Ganesh (3)
- François Gérard (1)
- Markulf Kohlweiss (2)
- Sebastian Kolby (1)
- Yashvanth Kondi (1)
- Claudio Orlandi (6)
- Mahak Pancholi (3)
- Mélissa Rossi (1)
- Okan Seker (1)
- Akira Takahashi (14)
- Mehdi Tibouchi (5)
- Daniel Tschudi (2)
- Alexandre Wallet (1)
- Luca Wilke (1)
- Yang Yu (1)
- Greg Zaverucha (3)