Periodic Reporting for period 1 - REWORC (New Foundations for Real-World Cryptography)
Reporting period: 2022-11-01 to 2025-04-30
The central objective of the REWORC project is to narrow the gap between the theory and practice of cryptography, providing a solid theoretical groundwork for real-world cryptography. REWORC will have a substantial long-term impact on theoretical protocol design, influence ongoing standardization efforts in post-quantum cryptography, and settle doubts about the security of important cryptography used in practice.
For isogeny-based cryptography, we revisited the security of two previously proposed important protocols based on isogenies: the Group Action Hashed ElGamal key encapsulation mechanism (GA-HEG KEM) and the Group Action Hashed Diffie-Hellman non-interactive key-exchange protocol (GA-HDH NIKE). We prove that, surprisingly, active security of the two protocols in the Quantum Random Oracle Model inherently relies on very strong variants of the Group Action Strong CDH problem, where the adversary is given arbitrary quantum access to a DDH oracle. That is, quantum-accessible Strong CDH assumptions are not only sufficient but also necessary to prove active security of the GA-HEG KEM and the GA-HDH NIKE protocols.
For lattice-based cryptography, we proposed new NTRU-based encryption schemes whose efficiency equals (and is in fact slightly better than) that of their Ring/Module-LWE counterparts.
We also revisited the provable security of traditional signature schemes. One of the most widely used digital signature schemes is ECDSA, due to its use in TLS, various blockchains such as Bitcoin and Ethereum, and many other applications. Are strong idealized models necessary for proving the security of ECDSA?
In order to answer this question, we focused on the programmability of ECDSA's "conversion function", which maps an elliptic curve point to its x-coordinate modulo the group order. Unfortunately, our main results are negative. We prove that an algebraic security reduction for ECDSA can only exist if the security reduction is allowed to program the conversion function. Consequently, a meaningful security proof is unlikely to exist for ECDSA without strong idealizations.
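To make the conversion function concrete, the following is an added toy ECDSA (not code from the REWORC project) over a constructed textbook curve, with f(R) = x(R) mod q isolated as its own routine so that its place in both signing and verification is visible; the curve parameters and the message are constructed for illustration only.

```python
import hashlib
# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17); G = (5, 1) has prime order 19.
P, A, B = 17, 2, 2
G, Q = (5, 1), 19
def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def conversion_function(R):
    """ECDSA's f: curve point -> x-coordinate reduced modulo the group order."""
    return R[0] % Q

def hash_msg(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(d, msg, k):
    """Sign with secret key d and nonce k; None if k yields r = 0 or s = 0."""
    r = conversion_function(ec_mul(k, G))
    if r == 0:
        return None
    s = pow(k, -1, Q) * (hash_msg(msg) + d * r) % Q
    return None if s == 0 else (r, s)

def verify(pub, msg, sig):
    """Recompute R from (r, s) and accept iff f(R) == r, as ECDSA does."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    R = ec_add(ec_mul(hash_msg(msg) * w % Q, G), ec_mul(r * w % Q, pub))
    return R is not None and conversion_function(R) == r
```

Note that on this tiny curve the point 7G has x-coordinate 0, so the nonce k = 7 is rejected by the r = 0 check; the same check exists in real ECDSA, it just triggers with negligible probability there.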
techniques within the ERC project.
In particular, we put forward the Generic Group Action Model (GGAM), an adaptation of the Generic Group Model to the setting of group actions. We can prove information-theoretic lower bounds in the GGAM for the discrete logarithm assumption, as well as for non-standard assumptions recently introduced in the setting of threshold and identification schemes on group actions. We also introduce the Quantum Algebraic Group Action Model (QAGAM), in which we prove the equivalence between the discrete logarithm assumption and non-standard assumptions recently introduced in the setting of Password-Authenticated Key Exchange, Non-Interactive Key Exchange, and Public-Key Encryption.