Forbidden City Crypto Day – 2nd Edition

======================================

Organized by cryptographers at Tsinghua University, IIIS.

Where: Tsinghua University, FIT Building 2nd floor Conference Room.

地点：清华大学 FIT楼2楼多功能厅

When: May 25, 2023 (Thursday)

13:30-14:30 刘天任 Tianren Liu (PKU)

Is AES Secure? From an Information-Theoretic Perspective

14:30-14:40 Coffee break

14:40-15:40 毛昕渝 Xinyu Mao (USC)

Non-Adaptive Universal One-Way Hash Functions from Arbitrary One-Way Functions

15:40-15:50 Tea break

15:50-16:50 朱晨智 Chenzhi Zhu (U. Washington)

Recent Developments in Pairing-Free Blind Signatures and More

======================================

Titles and abstracts:

Tianren Liu: Is AES Secure? From an Information-Theoretic Perspective

Abstract: AES is arguably the most widely used cipher. This talk covers a recent line of works targeting provable security of AES and other block ciphers.

We consider t-wise independence, a natural and attractive security target for block ciphers. A block cipher is t-wise independent, if for any t plaintexts, the joint distribution of the t corresponding ciphertexts is statistically close to uniform. It implies resistance to any statistical attack that only involves a few inputs.

We have a collection of results showing AES and a few of its variants are t-wise independent, under different parameters (the value of t, the security level, the number of rounds, etc.). Some of them will be presented in this talk.

The t-wise Independence of Substitution-Permutation Networks. Tianren Liu, Stefano Tessaro, Vinod Vaikuntanathan. Crypto 2019. https://eprint.iacr.org/2021/507

Layout Graphs, Random Walks and the t-wise Independence of SPN Block Ciphers. Tianren Liu, Angelos Pelecanos, Stefano Tessaro, Vinod Vaikuntanathan. Crypto 2023.

/

Xinyu Mao: Non-Adaptive Universal One-Way Hash Functions from Arbitrary One-Way Functions

Abstract: In this work we give the first non-adaptive construction of universal one-way hash functions (UOWHFs) from arbitrary one-way functions. Our construction uses O(n^9) calls to the one-way function, has a key of length O(n^10), and can be implemented in NC1 assuming the underlying one-way function is in NC1.

Prior to this work, the best UOWHF construction used O(n^13) adaptive calls and a key of size O(n^5) (Haitner, Holenstein, Reingold, Vadhan and Wee [Eurocrypt ’10]). By the result of Applebaum, Ishai and Kushilevitz [FOCS ’04], the above implies the existence of UOWHFs in NC0, given the existence of one-way functions in NC1.

We also show that the PRG construction of Haitner, Reingold and Vadhan (HRV, [STOC ’10]), with small modifications, yields a relaxed notion of UOWHFs, which is a function family which can be (inefficiently) converted to UOWHF by changing the functions on a negligible fraction of the inputs. In order to analyze this construction, we introduce the notion of next-bit unreachable entropy, which replaces the next-bit pseudoentropy notion used by HRV.

Link: https://eprint.iacr.org/2022/431

/

Chenzhi Zhu: Recent Developments in Pairing-Free Blind Signatures and More

Abstract: Blind signature schemes enable users to obtain signatures from issuers without disclosing any details about the signed content. They were initially proposed to build anonymous e-cash systems and lately found useful in constructing anonymous credentials and tokens.

In this talk, I will present my recent work, where we propose the first practical pairing-free three-move blind signature schemes that (1) are concurrently secure, (2) produce short signatures (i.e., three or four group elements/scalars), and (3) are provably secure either in the generic group model (GGM) or the algebraic group model (AGM) under the (plain or one-more) discrete logarithm assumption (beyond additionally assuming random oracles). Additionally, I will discuss a few of my follow-up works, which extend our techniques to threshold settings and the blind issuance of certain zero-knowledge proofs.

Link: https://eprint.iacr.org/2022/047

Advertisement

Forbidden City Crypto Day

Organized by cryptographers at Tsinghua University, IIIS.

Where: Tsinghua University, FIT Building 2nd floor Conference Room.

地点：清华大学 FIT楼2楼多功能厅

When: May 18, 2023 (Thursday)

13:30-14:25 缪沛晗 Peihan Miao (Brown University)

Secure Multi-Party Computation: From Theory to Practice

14:25-14:35 Tea break

14:35-15:30 罗辑 Ji Luo (U. Washington)

Ad Hoc (Decentralized) Broadcast, Trace, and Revoke

15:30-16:25 李寒君 Hanjun Li (U. Washington)

New Ways to Garble Arithmetic Circuits

======================================

Titles and abstracts:

Secure Multi-Party Computation: From Theory to Practice / Peihan Miao (Brown University)

Abstract: Encryption is the backbone of cybersecurity. While encryption can secure data both in transit and at rest, in the new era of ubiquitous computing, modern cryptography also aims to protect data during computation. Secure multi-party computation (MPC) is a powerful technology to tackle this problem, which enables distrustful parties to jointly perform computation over their private data without revealing their data to each other. Over the last decade, MPC has gradually progressed from being purely of theoretical interest to being adopted more and more in practice. Yet, the adoption of MPC in real-world settings is still very much limited as of today. In light of the recent data privacy legislations, there is an urgent need for bridging the gap between the theoretical feasibility and practical efficiency of MPC. Research in this area spans both theoretical and applied cryptography. In this talk, I will discuss the technical challenges and how to overcome these challenges using novel cryptographic approaches.

/

Ad Hoc (Decentralized) Broadcast, Trace, and Revoke / Ji Luo (U. Washington)

Link: https://eprint.iacr.org/2022/925

The talk will be given in Mandarin. The Chinese title and abstract:

标题．自组型广播、追踪、撤销

摘要．叛徒追踪（traitor tracing）是可追踪泄露解密密钥的公钥加密方案，可用于内容提供商反盗版。虽然传统模型契合其动机，但它完全中心化导致用法较局限。本作考虑互不信任的人之间发送加密信息的场景，提出并研究了“自组型”（ad hoc）叛徒追踪（天然具有广播和撤销的功能）。在此系统中，各个用户生成自己的公私钥对而无需信任他人为之生成，加密时使用公钥列表指定收件人，密文可用任一对应私钥解密。此外，系统要求存在一追踪算法，根据收件人的公钥列表和可以解密发给他们的密文的解密程序，可找出至少一个该解密程序中所包含私钥的收件人。

本作给出两款构造：第一款基于适用于电路的泛函加密（functional encryption；其实主要用的是程序混淆，即 obfuscation），密文长度是常数，然而它的解密时间与收件人数成正比；第二款是空间换时间（降低解密时间，代价是增加密文长度）的一般变换。本作亦证明了时空效率下界，结果表明这两款构造实现了所有可能的最优效率权衡，即完全刻画了 Pareto 效率前沿。该下界对广播加密（broadcast encryption；进而也对一切稍具功能的属性加密，即 attribute-based encryption）成立，意义应属可自立。

本次报告我将沿袭上次在叉院讨论班的风格，融合技术内容和研究经历的故事。

/

New Ways to Garble Arithmetic Circuits / Hanjun Li (U. Washington)

Link: https://eprint.iacr.org/2023/501

Abstract: The beautiful work of Applebaum, Ishai, and Kushilevitz [FOCS’11] initiated the study of arithmetic variants of Yao’s garbled circuits, where the circuits consist of Add, Mult, gates instead of logical XOR, AND gates. The wire values are elements in some ring R, with bit-length |R|. To measure efficiency, we define the rate of a garbling scheme as the maximal ratio between the size of the garbled circuit |\hat{C}|, and the cost of writing the computation in the clear |C|*|R|. In AIK’s paper, they construct a scheme for arithmetic circuits over bounded integers under the LWE assumption, with rate O(K_LWE).

In this talk, I’ll present two schemes:

• One for bounded integers, as in AIK, under the DCR assumption with rate O(1) for large domains.
• One for Z_p elements for any modulus p, under either LWE or DCR.

In our paper, we also have a variant of the first scheme supporting circuits that are augmented with Boolean computation (e.g., truncation of an integer value, and comparison between two values), while keeping the constant rate when garbling the arithmetic part.