## CryptoDB

### Dario Catalano

#### Publications

**Year**

**Venue**

**Title**

2024

EUROCRYPT

Anamorphic Encryption: New Constructions and Homomorphic Realizations
Abstract

The elegant paradigm of Anamorphic Encryption (Persiano
et al., Eurocrypt 2022) considers the question of establishing a private
communication in a world controlled by a dictator. The challenge is to
allow two users, sharing some secret anamorphic key, to exchange covert
messages without the dictator noticing, even when the latter has full
access to the regular secret keys. Over the last year several works con-
sidered this question and proposed constructions, novel extensions and
strengthened definitions.
In this work we make progress on the study of this primitive in three
main directions. First, we show that two general and well established
encryption paradigms, namely hybrid encryption and the IBE-to-CCA
transform, admit very simple and natural anamorphic extensions. Next,
we show that anamorphism, far from being a phenomenon isolated to
"basic" encryption schemes, extends also to homomorphic encryption.
We show that some existing homomorphic schemes, (and most notably
the fully homomorphic one by Gentry, Sahai and Waters) can be made
anamorphic, while retaining their homomorphic properties both with
respect to the regular and the covert message.
Finally we refine the notion of anamorphic encryption by envisioning the
possibility of splitting the anamorphic key into an encryption component
(that only allows to encrypt covert messages) and a decryption compo-
nent. This makes possible for a receiver to set up several, independent,
covert channels associated with a single covert key.

2024

CRYPTO

Limits of Black-Box Anamorphic Encryption
Abstract

(Receiver) Anamorphic encryption, introduced by Persiano
et al. at Eurocrypt 2022, considers the question of achieving private
communication in a world where secret decryption keys are under the
control of a dictator. The challenge here is to be able to establish a secret
communication channel to exchange covert (i.e. anamorphic) messages
on top of some already deployed public key encryption scheme.
Over the last few years several works addressed this challenge by show-
ing new constructions, refined notions and extensions. Most of these con-
structions, however, are either ad hoc, in the sense that they build upon
specific properties of the underlying PKE, or impose severe restrictions
on the size of the underlying anamorphic message space.
In this paper we consider the question of whether it is possible to have
realizations of the primitive that are both generic and allow for large
anamorphic message spaces. We give strong indications that, unfortu-
nately, this is not the case.
Our first result shows that any black-box realization of the primitive, i.e.
any realization that accesses the underlying PKE only via oracle calls,
must have an anamorphic message space of size at most O(poly(λ)) (λ
security parameter).
Even worse, if one aims at stronger variants of the primitive (and, specif-
ically, the notion of asymmetric anamorphic encryption, recently pro-
posed by Catalano et al.) we show that such black-box realizations are
plainly impossible, i.e. no matter how small the anamorphic message
space is.
Finally, we show that our impossibility results are rather tight: indeed,
by making more specific assumptions on the underlying PKE, it becomes
possible to build generic AE where the anamorphic message space is of
size Ω(2^λ).

2023

PKC

Efficient and Universally Composable Single Secret Leader Election from Pairings
Abstract

Single Secret Leader Election (SSLE) protocols allow a set of users to elect a leader among them so that the identity of the winner remains secret until she decides to reveal herself. This notion was formalized and implemented in a recent result by Boneh, et al. (ACM Advances on Financial Technology 2020) and finds important applications in the area of Proof of Stake blockchains.
In this paper we put forward new SSLE solutions that advance the state of the art both from a theoretical and a practical front. On the theoretical side we propose a new definition of SSLE in the universal composability framework. We believe this to be the right way to model security in highly concurrent contexts such as those of many blockchain related applications. Next, we propose a UC-realization of SSLE from public key encryption with keyword search (PEKS) and based on the ability of distributing the PEKS key generation and encryption algorithms. Finally, we give a concrete PEKS scheme with efficient distributed algorithms for key generation and encryption and that allows us to efficiently instantiate our abstract SSLE construction.
Our resulting SSLE protocol is very efficient, does not require participants to store any state information besides their secret keys and guarantees so called on-chain efficiency:
the information to verify an election in the new block should be of size at most logarithmic in the number of participants.
To the best of our knowledge, this is the first efficient SSLE scheme achieving this property.

2023

TCC

Chainable Functional Commitments for Unbounded-Depth Circuits
Abstract

A functional commitment (FC) scheme allows one to commit to a vector $\vec{x}$ and later produce a short opening proof of $(f, f(\vec{x}))$ for any admissible function $f$. Since their inception, FC schemes supporting ever more expressive classes of functions have been proposed.
In this work, we introduce a novel primitive that we call chainable functional commitment (CFC), which extends the functionality of FCs by allowing one to 1) open to functions of multiple inputs $f(\vec x_1, \ldots, \vec x_m)$ that are committed independently, 2) while preserving the output also in committed form. We show that CFCs for quadratic polynomial maps generically imply FCs for circuits. Then, we efficiently realize CFCs for quadratic polynomials over pairing groups and lattices, resulting in the first FC schemes for circuits of unbounded depth based on either pairing-based or lattice-based falsifiable assumptions. Our FCs require fixing a-priori only the maximal width of the circuit to be evaluated, and have opening proofs whose size only depends on the depth of the circuit. Additionally, our FCs feature other nice properties such as being additively homomorphic and supporting sublinear-time verification after offline preprocessing.
Using a recent transformation that constructs homomorphic signatures (HS) from FCs, we obtain the first pairing- and lattice-based realisations of HS for bounded-width, but unbounded-depth, circuits. Prior to this work, the only HS for general circuits is lattice-based and requires bounding the circuit depth at setup time.

2022

ASIACRYPT

Additive-Homomorphic Functional Commitments and Applications to Homomorphic Signatures
📺
Abstract

Functional Commitments (FC) allow one to reveal functions of committed data in a succinct and verifiable way. In this paper we put forward the notion of additive-homomorphic FC and show two efficient, pairing-based, realizations of this primitive supporting multivariate polynomials of constant degree and monotone span programs, respectively. We also show applications of the new primitive in the contexts of homomorphic signatures: we show that additive-homomorphic FCs can be used to realize homomorphic signatures (supporting the same class of functionalities as the underlying FC) in a simple and elegant way.
Using our new FCs as underlying building blocks, this leads to the (seemingly) first expressive realizations of multi-input homomorphic signatures not relying on lattices or multilinear maps.

2022

TCC

On the Impossibility of Algebraic Vector Commitments in Pairing-Free Groups
Abstract

Vector Commitments allow one to (concisely) commit to a vector of messages so that one can later (concisely) open the commitment at selected locations. In the state of the art of vector commitments, {\em algebraic} constructions have emerged as a particularly useful class, as they enable advanced properties, such as stateless updates, subvector openings and aggregation, that are for example unknown in Merkle-tree-based schemes.
In spite of their popularity, algebraic vector commitments remain poorly understood objects. In particular, no construction in standard prime order groups (without pairing) is known.
In this paper, we shed light on this state of affairs by showing that a large class of concise algebraic vector commitments in pairing-free, prime order groups are impossible to realize.
Our results also preclude any cryptographic primitive that implies the algebraic vector commitments we rule out, as special cases.
This means that we also show the impossibility, for instance, of succinct polynomial commitments and functional commitments (for all classes of functions including linear forms) in pairing-free groups of prime order.

2020

PKC

Bandwidth-Efficient Threshold EC-DSA
📺
Abstract

Threshold Signatures allow n parties to share the power of issuing digital signatures so that any coalition of size at least $$t+1$$ can sign, whereas groups of t or less players cannot. Over the last few years many schemes addressed the question of realizing efficient threshold variants for the specific case of EC-DSA signatures. In this paper we present new solutions to the problem that aim at reducing the overall bandwidth consumption. Our main contribution is a new variant of the Gennaro and Goldfeder protocol from ACM CCS 2018 that avoids all the required range proofs, while retaining provable security against malicious adversaries in the dishonest majority setting. Our experiments show that – for all levels of security – our signing protocol reduces the bandwidth consumption of best previously known secure protocols for factors varying between 4.4 and 9, while key generation is consistently two times less expensive. Furthermore compared to these same protocols, our signature generation is faster for 192-bits of security and beyond.

2020

PKC

Mon$\mathbb {Z}_{2^{k}}$a: Fast Maliciously Secure Two Party Computation on $\mathbb {Z}_{2^{k}}$
📺
Abstract

In this paper we present a new 2-party protocol for secure computation over rings of the form $$mathbb {Z}_{2^k}$$ . As many recent efficient MPC protocols supporting dishonest majority, our protocol consists of a heavier (input-independent) pre-processing phase and a very efficient online stage. Our offline phase is similar to BeDOZa (Bendlin et al. Eurocrypt 2011) but employs Joye-Libert (JL, Eurocrypt 2013) as underlying homomorphic cryptosystem and, notably, it can be proven secure without resorting to the expensive sacrifice step. JL turns out to be particularly well suited for the ring setting as it naturally supports $$mathbb {Z}_{2^k}$$ as underlying message space. Moreover, it enjoys several additional properties (such as valid ciphertext-verifiability and efficiency) that make it a very good fit for MPC in general. As a main technical contribution we show how to take advantage of all these properties (and of more properties that we introduce in this work, such as a ZK proof of correct multiplication) in order to design a two-party protocol that is efficient, fast and easy to implement in practice. Our solution is particularly well suited for relatively large choices of k ( e.g. $$k=128$$ ), but compares favorably with the state of the art solution of SPD $$mathbb {Z}_{2^k}$$ (Cramer et al. Crypto 2018) already for the practically very relevant case of $$mathbb {Z}_{2^{64}}$$ .

2020

ASIACRYPT

Inner-Product Functional Encryption with Fine-Grained Access Control
📺
Abstract

We construct new functional encryption schemes that combine the access control functionality of attribute-based encryption with the possibility of performing linear operations on the encrypted data. While such a primitive could be easily realized from fully fledged functional encryption schemes, what makes our result interesting is the fact that our schemes simultaneously achieve all the following properties. They are public-key, efficient and can be proved secure under standard and well established assumptions (such as LWE or pairings). Furthermore, security is guaranteed in the setting where adversaries are allowed to get functional keys that decrypt the challenge ciphertext. Our first results are two functional encryption schemes for the family of functions that allow users to embed policies (expressed by monotone span programs) in the encrypted data, so that one can generate functional keys to compute weighted sums on the latter. Both schemes are pairing-based and quite generic: they combine the ALS functional encryption scheme for inner products from Crypto 2016 with any attribute-based encryption schemes relying on the dual-system encryption methodology. As an additional bonus, they yield simple and elegant multi-input extensions essentially for free, thereby broadening the set of applications for such schemes. Multi-input is a particularly desirable feature in our setting, since it gives a finer access control over the encrypted data, by allowing users to associate different access policies to different parts of the encrypted data. Our second result builds identity-based functional encryption for inner products from lattices. This is achieved by carefully combining existing IBE schemes from lattices with adapted, LWE-based, variants of ALS. We point out to intrinsic technical bottlenecks to obtain richer forms of access control from lattices. From a conceptual point of view, all our results can be seen as further evidence that more expressive forms of functional encryption can be realized under standard assumptions and with little computational overhead.

2019

CRYPTO

Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations
📺
Abstract

ECDSA is a widely adopted digital signature standard. Unfortunately, efficient distributed variants of this primitive are notoriously hard to achieve and known solutions often require expensive zero knowledge proofs to deal with malicious adversaries. For the two party case, Lindell [Lin17] recently managed to get an efficient solution which, to achieve simulation-based security, relies on an interactive, non standard, assumption on Paillier’s cryptosystem. In this paper we generalize Lindell’s solution using hash proof systems. The main advantage of our generic method is that it results in a simulation-based security proof without resorting to non-standard interactive assumptions.Moving to concrete constructions, we show how to instantiate our framework using class groups of imaginary quadratic fields. Our implementations show that the practical impact of dropping such interactive assumptions is minimal. Indeed, while for 128-bit security our scheme is marginally slower than Lindell’s, for 256-bit security it turns out to be better both in key generation and signing time. Moreover, in terms of communication cost, our implementation significantly reduces both the number of rounds and the transmitted bits without exception.

2018

CRYPTO

Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions Without Pairings
📺
Abstract

We present new constructions of multi-input functional encryption (MIFE) schemes for the inner-product functionality that improve the state of the art solution of Abdalla et al. (Eurocrypt 2017) in two main directions.First, we put forward a novel methodology to convert single-input functional encryption for inner products into multi-input schemes for the same functionality. Our transformation is surprisingly simple, general and efficient. In particular, it does not require pairings and it can be instantiated with all known single-input schemes. This leads to two main advances. First, we enlarge the set of assumptions this primitive can be based on, notably, obtaining new MIFEs for inner products from plain DDH, LWE, and Decisional Composite Residuosity. Second, we obtain the first MIFE schemes from standard assumptions where decryption works efficiently even for messages of super-polynomial size.Our second main contribution is the first function-hiding MIFE scheme for inner products based on standard assumptions. To this end, we show how to extend the original, pairing-based, MIFE by Abdalla et al. in order to make it function hiding, thus obtaining a function-hiding MIFE from the MDDH assumption.

2017

CRYPTO

2014

JOFC

2008

JOFC

2007

JOFC

2005

CRYPTO

2003

ASIACRYPT

1998

CRYPTO

#### Program Committees

- Crypto 2024
- PKC 2023
- Crypto 2019
- PKC 2019
- PKC 2018
- Eurocrypt 2016
- Crypto 2016
- PKC 2016
- Crypto 2015
- Eurocrypt 2014
- PKC 2012
- Eurocrypt 2012
- PKC 2010
- TCC 2010
- Eurocrypt 2007

#### Coauthors

- Michel Abdalla (7)
- David Balbás (1)
- Carmen Elisabetta Zaira Baltico (1)
- Mihir Bellare (2)
- James Birkett (1)
- Emmanuel Bresson (3)
- Guilhem Castagnos (2)
- Alexander W. Dent (1)
- Yevgeniy Dodis (1)
- Nelly Fazio (1)
- Dario Fiore (20)
- Romain Gay (3)
- Rosario Gennaro (11)
- Irene Giacomelli (1)
- Emanuele Giunta (4)
- Shai Halevi (1)
- Nick Howgrave-Graham (2)
- Eike Kiltz (2)
- Tadayoshi Kohno (2)
- Fabien Laguillaumie (2)
- Russell W. F. Lai (1)
- Tanja Lange (2)
- John Malone-Lee (3)
- Antonio Marcedone (1)
- Mariagrazia Messina (1)
- Francesco Migliaro (2)
- Gregory Neven (3)
- Phong Q. Nguyen (1)
- Antonio Nicolosi (1)
- Luca Nizzardo (2)
- Pascal Paillier (2)
- David Pointcheval (3)
- Thomas Pornin (2)
- Orazio Puglisi (1)
- Mario Di Raimondo (2)
- Federico Savasta (2)
- Jacob C. N. Schuldt (1)
- Haixia Shi (2)
- Nigel P. Smart (1)
- Jacques Stern (1)
- Ida Tucker (3)
- Bogdan Ursu (2)
- Konstantinos Vamvourellis (1)
- Ivan Visconti (1)
- Bogdan Warinschi (3)