Journal of Cryptology, Volume 32, Issue 1, pp 239–264

On the Impossibility of Structure-Preserving Deterministic Primitives

  • Masayuki Abe
  • Jan Camenisch
  • Rafael Dowsley
  • Maria Dubovitskaya

Abstract

In structure-preserving cryptography over bilinear groups, cryptographic schemes are restricted to exchanging group elements only, and their correctness must be verifiable solely by evaluating pairing product equations. Several primitives, such as structure-preserving signatures, commitments, and encryption schemes, have been proposed. Although deterministic primitives, such as verifiable pseudorandom functions or verifiable unpredictable functions, play an important role in the construction of cryptographic protocols, no structure-preserving realizations of them are known. This is no coincidence: in this paper, we show that it is impossible to construct algebraic structure-preserving deterministic primitives that provide provability, uniqueness, and unpredictability. This includes verifiable random functions, unique signatures, and verifiable unpredictable functions as special cases. The restriction to algebraic structure-preserving primitives is natural: otherwise, it would not be known how to verify correctness solely by evaluating pairing product equations. We further extend our negative result to pseudorandom functions and deterministic public key encryption, as well as to non-strictly structure-preserving primitives, where target group elements are also allowed in their ranges and public keys.

Keywords

Structure-preserving cryptography, Verifiable random functions, Unique signatures, Groth–Sahai proofs

Acknowledgements

The authors would like to thank Kristiyan Haralambiev for the useful discussions and the anonymous reviewers for their helpful comments and suggestions. The research leading to these results was supported in part by the European Community’s Seventh Framework Programme for the projects ABC4Trust (Grant Agreement No. 257782) and PERCY (Grant Agreement No. 321310).


Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Masayuki Abe (1)
  • Jan Camenisch (2)
  • Rafael Dowsley (3)
  • Maria Dubovitskaya (2)

  1. NTT Secure Platform Laboratories, NTT Corporation, Tokyo, Japan
  2. IBM Research - Zurich, Rüschlikon, Switzerland
  3. Aarhus University, Aarhus C, Denmark