Lifting Standard Model Reductions to Common Setup Assumptions

Conference paper
Public-Key Cryptography – PKC 2022 (PKC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13178)

Abstract

In this paper we show that standard model black-box reductions naturally lift to various setup assumptions, such as the random oracle (ROM) or ideal cipher model. Concretely, we prove that a black-box reduction from a security notion P to security notion Q in the standard model can be turned into a non-programmable black-box reduction from \(P_\mathcal {O}\) to \(Q_\mathcal {O}\) in a model with a setup assumption \(\mathcal {O}\), where \(P_\mathcal {O}\) and \(Q_\mathcal {O}\) are the natural extensions of P and Q to a model with a setup assumption \(\mathcal {O}\).

Our results rely on a generalization of the recent framework by Hofheinz and Nguyen (PKC 2019) to support primitives which make use of a trusted setup. Our framework encompasses standard idealized settings like the random oracle and the ideal cipher model. At the core of our main result lie novel properties of negligible functions that can be of independent interest.

Notes

  1. We do not attempt to make a sharp distinction between primitives and protocols. We use the terms primitive and protocol loosely and only to emphasize that one employs the other in its design. P may also stand for a cryptographic assumption, e.g. factorization is hard, just as Q may stand for a more involved primitive, e.g. authenticated encryption.

  2. Note that this would incorporate the reduction in CSMW as well as some specific, potentially smarter way of answering RO queries of the adversary against CSMW[BR].

  3. Usually, the security threshold function \(\sigma \) is a constant – either 0 or \(\frac{1}{2}\).

  4. Formally, we mean the set of functions \(\{P(\lambda ,f(\lambda )) : f \in \{g:\mathbb {N} \rightarrow \mathbb {N}\} \}\).

  5. One side effect of this change is that Definition 5 does not cover a number of potential oddities which can be represented using previous frameworks [16, 22], e.g. a primitive where the set of valid instances is defined as some undecidable set of Turing machines. However, these cases are irrelevant for our purpose.

References

  1. Baecher, P., Brzuska, C., Fischlin, M.: Notions of black-box reductions, revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 296–315. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_16

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93, pp. 62–73. ACM Press, November 1993

  3. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

  4. Blum, M., Feldman, P., Micali, S.: Proving security against chosen ciphertext attacks. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 256–268. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_20

  5. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  6. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054117

  7. Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_2

  8. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Cryptology ePrint Archive, Report 1998/011 (1998). http://eprint.iacr.org/1998/011

  9. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7

  10. Choi, S.G., Dachman-Soled, D., Malkin, T., Wee, H.: Black-box construction of a non-malleable encryption scheme from any semantically secure one. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 427–444. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_24

  11. Coron, J.-S., Holenstein, T., Künzler, R., Patarin, J., Seurin, Y., Tessaro, S.: How to build an ideal cipher: the indifferentiability of the Feistel construction. J. Cryptol. 29(1), 61–114 (2016)

  12. Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008)

  13. Fischlin, M., Lehmann, A., Ristenpart, T., Shrimpton, T., Stam, M., Tessaro, S.: Random oracles with(out) programmability. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 303–320. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_18

  14. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_3

  15. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

  16. Hofheinz, D., Nguyen, N.K.: On tightly secure primitives in the multi-instance setting. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 581–611. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_20

  17. Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_6

  18. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 44–61 (1989)

  19. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, pp. 44–61. ACM Press, May 1989

  20. Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_7

  21. Rabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)

  22. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1

  23. Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)

  24. Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054137

Acknowledgments:

We would like to thank all the anonymous reviewers for their helpful suggestions which may also guide future work. Work was conducted while Eftychios Theodorakis was at DFINITY U.S. Research. Ngoc Khanh Nguyen was supported by the EU H2020 ERC Project 101002845 PLAZA.

Corresponding authors: Ngoc Khanh Nguyen or Eftychios Theodorakis.

A Supporting Proofs

A.1 Proof of Lemma 2

Firstly, we observe that for all \((a_s)_{s\in S} \in A^{|S|}\) we have:

$$ \sum _{s \in S}f_s(a_s) \le \sum _{s \in S} \sup _{a \in A} f_s(a) $$

and by definition of supremum we have

$$ \sup _{(a_s)_{s\in S} \in A^{|S|}} \sum _{s \in S}f_s(a_s) \le \sum _{s \in S} \sup _{a \in A} f_s(a).$$

Now, suppose there exists \(\varepsilon > 0\) such that

$$ \sum _{s \in S} \sup _{a \in A} f_s(a) = \sup _{(a_s)_{s\in S} \in A^{|S|}} \sum _{s \in S}f_s(a_s) + \varepsilon .$$

Let \(\phi :S \rightarrow \mathbb {N}\) be an injective map. Then, by definition of supremum, for each \(s \in S\) we can find an element \(a_s \in A\) such that:

$$ \sup _{a \in A} f_s(a) < f_s(a_s) + \varepsilon _{\phi (s)}$$

where \(\varepsilon _i\) is defined as \(\varepsilon _i = (\varepsilon /2) \cdot (1/2)^i\) for \(i\in \mathbb {N}\). Hence, we get:

$$\begin{aligned} \sum _{s \in S} \sup _{a \in A} f_s(a)&< \sum _{s \in S} f_s(a_s) + \sum _{s \in S} \varepsilon _{\phi (s)} \nonumber \\&< \sup _{(a_s)_{s\in S} \in A^{|S|}} \sum _{s \in S}f_s(a_s) + \sum _{i \in \mathbb {N}} \varepsilon _{i}\\&< \sup _{(a_s)_{s\in S} \in A^{|S|}} \sum _{s \in S}f_s(a_s) + \varepsilon \nonumber \end{aligned}$$
(15)

which leads to a contradiction.

A.2 Proof of Lemma 3

Let \(\varepsilon > 0\). Then, there exists \(\alpha \in A\) such that

$$\sup _{a \in A} \lim _{k \rightarrow +\infty } f_a(k) \le \lim _{k \rightarrow +\infty } f_\alpha (k) + \varepsilon /2.$$

Next, there exists \(N \in \mathbb {N}\) so that for all \(n \ge N\):

$$|\lim _{k \rightarrow +\infty } f_\alpha (k) - f_\alpha (n)| < \varepsilon /2.$$

Since \(f_\alpha \) is non-decreasing, we get

$$ 0 \le \lim _{k \rightarrow +\infty } f_\alpha (k) - f_\alpha (n) < \varepsilon /2.$$

Therefore:

$$\sup _{a \in A} \lim _{k \rightarrow +\infty } f_a(k) - \varepsilon /2 \le \lim _{k \rightarrow +\infty } f_\alpha (k) < f_\alpha (n) + \varepsilon /2 \le \sup _{a \in A} f_a(n) + \varepsilon /2.$$

On the other hand, for any n, \(\sup _{a \in A} \lim _{k \rightarrow +\infty } f_a(k) \ge \sup _{a \in A} f_a(n)\) since \(f_a\) is non-decreasing for all \(a\in A\). Hence, for \(n \ge N\) we have:

$$ 0\le \sup _{a \in A}\lim _{k \rightarrow +\infty } f_a(k) - \sup _{a \in A} f_a(n) < \varepsilon /2 + \varepsilon /2 = \varepsilon $$

and consequently, \(\lim _{k \rightarrow +\infty }\sup _{a \in A} f_a(k) = \sup _{a \in A} \lim _{k \rightarrow +\infty } f_a(k)\).

A.3 Proof of Lemma 4

Denote \(a_k = \lim _{\ell \rightarrow + \infty } f (k,\ell )\) and \(b_\ell = \lim _{k \rightarrow + \infty } f(k,\ell )\). The monotonicity property and the fact that \(f(k,\ell ) \le 1\) for all \(k,\ell \in \mathbb {N}\) imply that the sequences \((a_k),(b_\ell )\) are well-defined and non-decreasing. Moreover, \(a_k,b_\ell \le 1\) for all \(k,\ell \). Thus, \(a = \lim _{k \rightarrow + \infty } a_k\) and \(b = \lim _{\ell \rightarrow + \infty } b_\ell \) exist. Then, for all \(k,\ell \in \mathbb {N}\) we have \( f(k,\ell ) \le a_k \le a\) and hence

$$ b_\ell = \lim _{k \rightarrow + \infty }f(k,\ell ) \le a$$

for all \(\ell \). In particular, \(b = \lim _{\ell \rightarrow + \infty } b_\ell \le a\). One similarly proves that \(a\le b\).

Lastly, we need to show that \(c = a\) where \(c:=\lim _{k \rightarrow + \infty } f(k,k)\). It is easy to see that for \(k \in \mathbb {N}\) we have \(f(k,k) \le a_k\) and thus \(c = \lim _{k \rightarrow + \infty } f(k,k) \le \lim _{k \rightarrow + \infty } a_k = a\). On the other hand, for every k and \(\ell \) we have \(f(k,\ell ) \le c\). Thus, \(a_k = \lim _{\ell \rightarrow + \infty } f(k,\ell ) \le c\) for all k and consequently, \(a \le c\). Hence, \(a=b=c\).

A.5 Proof of Lemma 5

The statement is easy to prove when S is finite. Hence, suppose there is a bijective map \(\phi : \mathbb {N} \rightarrow S\) and define a function \(g : \mathbb {N} \times \mathbb {N} \rightarrow [0,1]\) as \(g(k,\ell ) = \sum ^\ell _{i=0} f(k,\phi (i))\). Note that for all \(k,\ell \) we have \(g(k,\ell ) \le g(k+1,\ell )\) and \(g(k,\ell ) \le g(k,\ell +1)\). Then, by Lemma 4 and the fact that the limit of a finite sum is a sum of limits, we have:

$$\begin{aligned} \lim _{k \rightarrow +\infty } \sum _{s \in S}f(k,s)&= \lim _{k \rightarrow +\infty } \lim _{\ell \rightarrow +\infty } g(k,\ell ) \nonumber \\&= \lim _{\ell \rightarrow +\infty } \lim _{k \rightarrow +\infty } g(k,\ell ) \nonumber \\&= \lim _{\ell \rightarrow +\infty } \lim _{k \rightarrow +\infty } \sum ^\ell _{i=0} f(k,\phi (i))\\&= \lim _{\ell \rightarrow +\infty } \sum ^\ell _{i=0} \lim _{k \rightarrow +\infty } f(k,\phi (i)) \nonumber \\&= \sum _{s \in S} \lim _{k \rightarrow +\infty } f(k,s). \nonumber \end{aligned}$$
(16)
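Added illustration, not part of the original paper: the monotonicity hypotheses used in the proofs of Lemma 4 (A.3) and Lemma 5 (A.5) cannot be dropped. The two bounded functions below are constructed here for that purpose; each violates exactly one monotonicity condition, and the corresponding conclusion fails.

For Lemma 4, take \(f(k,\ell ) = k/(k+\ell +1) \in [0,1]\), which is non-decreasing in k but decreasing in \(\ell \). Then the three limits compared in A.3 are pairwise different:

$$ a = \lim _{\ell \rightarrow +\infty } \lim _{k \rightarrow +\infty } \frac{k}{k+\ell +1} = \lim _{\ell \rightarrow +\infty } 1 = 1, \qquad b = \lim _{k \rightarrow +\infty } \lim _{\ell \rightarrow +\infty } \frac{k}{k+\ell +1} = \lim _{k \rightarrow +\infty } 0 = 0, \qquad c = \lim _{k \rightarrow +\infty } \frac{k}{2k+1} = \frac{1}{2}. $$

For Lemma 5, take \(S = \mathbb {N}\) and \(f(k,s) = 1\) if \(s = k\) and \(f(k,s) = 0\) otherwise. Here \(f(k,s) \le 1\), but \(f(s,s) = 1 > 0 = f(s+1,s)\), so \(g(k,\ell ) \le g(k+1,\ell )\) fails and the two sides of (16) disagree:

$$ \lim _{k \rightarrow +\infty } \sum _{s \in \mathbb {N}} f(k,s) = \lim _{k \rightarrow +\infty } 1 = 1, \qquad \sum _{s \in \mathbb {N}} \lim _{k \rightarrow +\infty } f(k,s) = \sum _{s \in \mathbb {N}} 0 = 0. $$

In the proof of Lemma 7 (A.4) the second condition is exactly what the consistency property of the setup assumption is used to establish, which is why that argument needs it.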

A.4 Proof of Lemma 7

Clearly, \(F(k,\ell ) \in [0,1]\). We just need to show that for all \(k,\ell \in \mathbb {N}\) we have \(F(k,\ell ) \le F(k,\ell +1)\) and \(F(k,\ell ) \le F(k+1,\ell )\). Then, the statement follows directly from Lemma 4.

Let us fix \(k,\ell \in \mathbb {N}\). Let us define \(\mathcal {B}_{\ell +1}\) which behaves exactly as \(\mathcal {A}_{\ell +1}\) but when it queries \(x \in S\) such that \(\phi (x) = \ell +1\), it also aborts. Hence, we have

[displayed inequality between the success probabilities of \(\mathcal {B}_{\ell +1}\) and \(\mathcal {A}_{\ell +1}\); not recovered from the page]

Now, by the consistency property of the setup assumption, the view of \(\mathcal {B}_{\ell +1}\) given an oracle is exactly the same as \(\mathcal {A}_\ell \) given . Therefore

[displayed inequality \(F(k,\ell ) \le F(k,\ell +1)\); not recovered from the page]

Similarly, one proves \(F(k,\ell ) \le F(k+1,\ell )\).

Copyright information

© 2022 International Association for Cryptologic Research

Cite this paper

Nguyen, N.K., Theodorakis, E., Warinschi, B. (2022). Lifting Standard Model Reductions to Common Setup Assumptions. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science(), vol 13178. Springer, Cham. https://doi.org/10.1007/978-3-030-97131-1_5

  • DOI: https://doi.org/10.1007/978-3-030-97131-1_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97130-4

  • Online ISBN: 978-3-030-97131-1