Vipin Singh Sehrawat

Vipin Singh Sehrawat

Distributed Key Generation (DKG) lets parties derive a common public key while keeping the signing key secret-shared. UC-secure DKG requires a verifiable-sharing enforcement layer -- classically satisfied via Verifiable Secret Sharing (VSS) and/or commitment-and-proof mechanisms -- for secrecy, uniqueness, and affine consistency. We target the Non-eXportable Key (NXK) setting enforced by hardware-backed key-isolation modules (e.g., TEEs, HSM-like APIs), formalized via an ideal KeyBox (keystore) functionality $\mathcal{F}_{KeyBox}$ that keeps shares non-exportable and permits only attested KeyBox-to-KeyBox sealing. With confidentiality delegated to the NXK boundary, the remaining challenge is enforcing transcript-defined affine consistency without exporting or resharing shares. State continuity rules out rewinding-based extraction, mandating straight-line techniques. We combine (i) KeyBox confidentiality; (ii) Unique Structure Verification (USV), a publicly verifiable certificate whose certified scalar never leaves the KeyBox yet whose public group element is transcript-derivable; and (iii) Fischlin-based UC-extractable NIZK arguments of knowledge in a gRO-CRP (global Random Oracle with Context-Restricted Programmability) model. We construct Star DKG (SDKG), a UC-secure scheme for multi-device threshold wallets where a designated service must co-sign but cannot sign alone, realizing a 1+1-out-of-$n$ star access structure (center plus any leaf) over roles (primary vs. recovery) with role-based device registration. In the $\mathcal{F}_{KeyBox}$-hybrid and gRO-CRP models, under DL and DDH assumptions with adaptive corruptions and secure erasures, SDKG UC-realizes a transcript-driven refinement of the standard UC-DKG functionality. Over a prime-order group of size $p$, SDKG incurs $\widetilde{O}(n\log p)$ communication overhead and $\widetilde{O}(n\log^{2.585}p)$ bit-operation cost.

Vipin Singh Sehrawat

The \textsc{prim-lwe} problem (Sehrawat, Yeo, and Desmedt, \emph{Theoret.\ Comput.\ Sci.}\ 886, 2021) is a variant of Learning with Errors requiring the secret matrix to have a primitive-root determinant. The dimension-uniform reduction constant is $c(p)=\inf_{m\ge 1}c_m(p)$, where $c_n(p)$ is the density of $n\times n$ matrices over~$\mathbb{F}_p$ with primitive-root determinant. Those authors asked whether $\inf_{p\text{ prime}}c(p)=0$, noting that an affirmative answer would follow from the conjectural infinitude of primorial primes. We resolve this unconditionally using only Dirichlet's theorem and Mertens' product formula, bypassing the primorial-prime hypothesis entirely. We establish the sharp order $\min_{p\le x}c(p)\asymp 1/\log\log x$, prove that $c(p)$ possesses a continuous purely singular limiting distribution over the primes with support exactly $[0,1/2]$, and derive explicit lower bounds on $c(q)$ for primes of cryptographic interest parameterized solely by~$ω(q{-}1)$, the number of distinct prime factors of~$q{-}1$. These bounds apply to every prime~$q$ whose predecessor has controlled factorization structure, as measured by~$ω(q{-}1)$; this includes many NTT-friendly moduli, though NTT-friendliness alone does not imply the needed bound. For the NIST-standardized moduli $q=3329$ (ML-KEM) and $q=8380417$ (ML-DSA), the dimension-uniform expected rejection-sampling overhead~$1/c(q)$ is at most $2.17$ and $3.42$, respectively. As a simple conservative bound, for any prime $q>2^{30}$ one has $1/c(q)\le 1.79\log q$. The worst-case overhead among primes $p\le x$ is $Θ(\log\log x)$, and pointwise $1/c(q)=O(\log\log q)$.

Nolan Miranda, Foo Yee Yeo, Vipin Singh Sehrawat

Conditional disclosure of secrets (CDS) allows multiple parties to reveal a secret to a third party if and only if some pre-decided condition is satisfied. In this work, we bolster the privacy guarantees of CDS by introducing function-private CDS wherein the pre-decided condition is never revealed to the third party. We also derive a function secret sharing scheme from our function-private CDS solution. The second problem that we consider concerns threshold distributed point functions, which allow one to split a point function such that at least a threshold number of shares are required to evaluate it at any given input. We consider a setting wherein a point function is split among a set of parties such that multiple evaluations do not leak non-negligible information about it. Finally, we present a provably optimal procedure to perform threshold function secret sharing of any polynomial in a finite field.

Vipin Singh Sehrawat, Foo Yee Yeo, Yvo Desmedt

Secret sharing allows distributing a secret among several parties such that only authorized subsets, specified by an access structure, can reconstruct the secret. Sehrawat and Desmedt (COCOON 2020) introduced hidden access structures, that remain secret until some authorized subset of parties collaborate. However, their scheme assumes semi-honest parties and supports only restricted access structures. We address these shortcomings by constructing an access structure hiding verifiable secret sharing scheme that supports all monotone access structures. It is the first secret sharing scheme to support cheater identification and share verifiability in malicious-majority settings. The verification procedure of our scheme incurs no communication overhead. As the building blocks of our scheme, we introduce and construct: (i) a set-system with $> \exp\left(c\frac{2(\log h)^2}{(\log\log h)}\right)+2\exp\left(c\frac{(\log h)^2}{(\log\log h)}\right)$ subsets of a set of $h$ elements. Our set-system, $\mathcal{H}$, is defined over $\mathbb{Z}_m$, where $m$ is a non-prime-power. The size of each set in $\mathcal{H}$ is divisible by $m$ but the sizes of their pairwise intersections are not, unless one set is a subset of another, (ii) a new variant of the learning with errors (LWE) problem, called PRIM-LWE, wherein the secret matrix is sampled such that its determinant is a generator of $\mathbb{Z}_q^*$, where $q$ is the LWE modulus. The security of our scheme relies on the hardness of the LWE problem, and its share size is $$(1+ o(1)) \dfrac{2^{\ell}}{\sqrt{π\ell/2}}(2 q^{\varrho + 0.5} + \sqrt{q} + \mathrmΘ(h)),$$ where $\varrho \leq 1$ is a constant and $\ell$ is the total number of parties. We also provide directions for future work to reduce the share size to \[\leq \dfrac{1}{3} \left( (1+ o(1)) \dfrac{2^{\ell}}{\sqrt{π\ell/2}}(2 q^{\varrho + 0.5} + 2\sqrt{q}) \right).\]

Vipin Singh Sehrawat, Yvo Desmedt

Secret sharing provides a means to distribute shares of a secret such that any authorized subset of shares, specified by an access structure, can be pooled together to recompute the secret. The standard secret sharing model requires public access structures, which violates privacy and facilitates the adversary by revealing high-value targets. In this paper, we address this shortcoming by introducing \emph{hidden access structures}, which remain secret until some authorized subset of parties collaborate. The central piece of this work is the construction of a set-system $\mathcal{H}$ with strictly greater than $\exp\left(c \dfrac{1.5 (\log h)^2}{\log \log h}\right)$ subsets of a set of $h$ elements. Our set-system $\mathcal{H}$ is defined over $\mathbb{Z}_m$, where $m$ is a non-prime-power, such that the size of each set in $\mathcal{H}$ is divisible by $m$ but the sizes of their pairwise intersections are not divisible by $m$, unless one set is a subset of another. We derive a vector family $\mathcal{V}$ from $\mathcal{H}$ such that superset-subset relationships in $\mathcal{H}$ are represented by inner products in $\mathcal{V}$. We use $\mathcal{V}$ to "encode" the access structures and thereby develop the first \emph{access structure hiding} secret sharing scheme. For a setting with $\ell$ parties, our scheme supports $2^{\binom{\ell}{\ell/2+1}}$ out of the $2^{2^{\ell - O(\log \ell)}}$ total monotone access structures, and its maximum share size for any access structures is $(1+ o(1)) \dfrac{2^{\ell+1}}{\sqrt{π\ell/2}}$. The scheme assumes semi-honest polynomial-time parties, and its security relies on the Generalized Diffie-Hellman assumption.

Vipin Singh Sehrawat, Yogendra Shah, Vinod Kumar Choyi et al.

Anonymity is a desirable feature for vehicle-to-vehicle (V2V) communications, but it conflicts with other requirements such as non-repudiation and revocation. Existing, pseudonym-based V2V communications schemes rely on certificate generation and signature verification. These schemes require cumbersome key management, frequent updating of certificate chains and other costly procedures such as cryptographic pairings. In this paper, we present novel V2V communications schemes, that provide authentication, authorization, anonymity, non-repudiation, replay protection, pseudonym revocation, and forward secrecy without relying on traditional certificate generation and signature verification. Security and privacy of our schemes rely on hard problems in number theory. Furthermore, our schemes guarantee security and privacy in the presence of subsets of colluding malicious parties, provided that the cardinality of such sets is below a fixed threshold.

Vipin Singh Sehrawat, Yvo Desmedt

We define a pseudorandom function (PRF) $F: \mathcal{K} \times \mathcal{X} \rightarrow \mathcal{Y}$ to be bi-homomorphic when it is fully Key homomorphic and partially Input Homomorphic (KIH), i.e., given $F(k_1, x_1)$ and $F(k_2, x_2)$, there is an efficient algorithm to compute $F(k_1 \oplus k_2, x_1 \ominus x_2)$, where $\oplus$ and $\ominus$ are (binary) group operations. The homomorphism on the input is restricted to a fixed subset of the input bits, i.e., $\ominus$ operates on some pre-decided $m$-out-of-$n$ bits, where $|x_1| = |x_2| = n$, and the remaining $n-m$ bits are identical in both inputs. In addition, the output length, $\ell$, of the operator $\ominus$ is not fixed and is defined as $n \leq \ell \leq 2n$, hence leading to Homomorphically induced Variable input Length (HVL) as $n \leq |x_1 \ominus x_2| \leq 2n$. We present a learning with errors (LWE) based construction for a HVL-KIH-PRF family. Our construction is inspired by the key homomorphic PRF construction due to Banerjee and Peikert (Crypto 2014). An updatable encryption scheme allows rotations of the encryption key, i.e., moving existing ciphertexts from old to new key. These updates are carried out via \emph{update tokens}, which can be used by an untrusted party since the update procedure does not involve decryption of the ciphertext. We use our novel PRF family to construct an updatable encryption scheme, named QPC-UE-UU, which is quantum-safe, post-compromise secure and supports unidirectional ciphertext updates, i.e., the update tokens can be used to perform ciphertext updates but they cannot be used to undo already completed updates. Our PRF family also leads to the first left/right key homomorphic constrained-PRF family with HVL.