Structure-Preserving Smooth Projective Hashing

Smooth projective hashing has proven to be an extremely useful primitive, in particular when used in conjunction with commitments to provide implicit decommitment. This has lead to applications proven secure in the UC framework, even in presence of an adv

  • PDF / 1,320,583 Bytes
  • 31 Pages / 439.37 x 666.142 pts Page_size
  • 34 Downloads / 212 Views

DOWNLOAD

REPORT


Universit´e de Limoges, XLim, Limoges, France [email protected] CRED, Universit´e Panth´eon-Assas, Paris, France

Abstract. Smooth projective hashing has proven to be an extremely useful primitive, in particular when used in conjunction with commitments to provide implicit decommitment. This has lead to applications proven secure in the UC framework, even in presence of an adversary which can do adaptive corruptions, like for example Password Authenticated Key Exchange (PAKE), and 1-out-of-m Oblivious Transfer (OT). However such solutions still lack in efficiency, since they heavily scale on the underlying message length. Structure-preserving cryptography aims at providing elegant and efficient schemes based on classical assumptions and standard group operations on group elements. Recent trend focuses on constructions of structure-preserving signatures, which require message, signature and verification keys to lie in the base group, while the verification equations only consist of pairing-product equations. Classical constructions of Smooth Projective Hash Function suffer from the same limitation as classical signatures: at least one part of the computation (messages for signature, witnesses for SPHF) is a scalar. In this work, we introduce and instantiate the concept of StructurePreserving Smooth Projective Hash Function, and give as applications more efficient instantiations for one-round PAKE and three-round OT, and information retrieval thanks to Anonymous Credentials, all UCsecure against adaptive adversaries. Keywords: Smooth projective hash functions · Structure preserving · Oblivious transfer · Password authenticated key exchange · UC Framework · Credentials

1

Introduction

Smooth Projective Hash Functions (SPHF) were introduced by Cramer and Shoup [30] as a means to design chosen-ciphertext-secure public-key encryption schemes. These hash functions are defined such as their value can be computed in two different ways if the input belongs to a particular subset (the language), either using a private hashing key or a public projection key along with a private witness ensuring that the input belongs to the language. c International Association for Cryptologic Research 2016  J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 339–369, 2016. DOI: 10.1007/978-3-662-53890-6 12

340

O. Blazy and C. Chevalier

In addition to providing a more intuitive abstraction for their original publickey encryption scheme in [29], the notion of SPHF also enables new efficient instantiations of their scheme under different complexity assumptions such as DLin, or more generally k − MDDH. Due to its usefulness, the notion of SPHF was later extended to several interactive contexts. One of the most classical applications is to combine them with commitments in order to provide implicit decommitments. Commitment schemes have become a central tool used in cryptographic protocols. These two-party primitives (between a committer and a receiver) are divided into two phases. First, in the commit phase, the committer gives