Recent zbMATH articles in MSC 94A
https://zbmath.org/atom/cc/94A
Updated: 2023-09-22T14:21:46.120933Z

Graphical designs and gale duality
https://zbmath.org/1517.05113
Authors: Babecki, Catherine (https://zbmath.org/authors/?q=ai:babecki.catherine); Thomas, Rekha R. (https://zbmath.org/authors/?q=ai:thomas.rekha-r)
Summary: A graphical design is a subset of graph vertices such that the weighted averages of certain graph eigenvectors over the design agree with their global averages. We use Gale duality to show that positively weighted graphical designs in regular graphs are in bijection with the faces of a generalized eigenpolytope of the graph. This connection can be used to organize, compute and optimize designs. We illustrate the power of this tool on three families of Cayley graphs -- cocktail party graphs, cycles, and graphs of hypercubes -- by computing or bounding the smallest designs that average all but the last eigenspace in frequency order.

On the index of the Diffie-Hellman mapping
https://zbmath.org/1517.11146
Authors: Işık, Leyla (https://zbmath.org/authors/?q=ai:isik.leyla); Winterhof, Arne (https://zbmath.org/authors/?q=ai:winterhof.arne)
In this paper, the authors determine the index of the univariate Diffie-Hellman mapping \(d(\gamma^a) = \gamma^{a^2}\), \(0 \le a \le n-1\), where \(\gamma\) is a generator of a cyclic group \(G\) of order \(n\). They show that any mapping of small index coincides with \(d\) only on a small subset of \(G\). After that, the authors introduce the index pair of a bivariate function over \(G\) and obtain similar results for the bivariate Diffie-Hellman mapping. Also, in the special case that \(G\) is a subgroup of the multiplicative subgroup \(\mathbb{F}^*_q\) of the finite field \(\mathbb{F}_q\) they obtain some improvements.
Reviewer: Zlatko Varbanov (Veliko Tarnovo)

A novel chaotic map constructed by geometric operations and its application
https://zbmath.org/1517.34099
Authors: Zhang, Zhiqiang (https://zbmath.org/authors/?q=ai:zhang.zhiqiang); Wang, Yong (https://zbmath.org/authors/?q=ai:wang.yong.10); Zhang, Leo Yu (https://zbmath.org/authors/?q=ai:zhang.leo-yu); Zhu, Hong (https://zbmath.org/authors/?q=ai:zhu.hong.1)
(no abstract)

Phase retrieval of bandlimited functions for the wavelet transform
https://zbmath.org/1517.42033
Authors: Alaifari, Rima (https://zbmath.org/authors/?q=ai:alaifari.rima); Bartolucci, Francesca (https://zbmath.org/authors/?q=ai:bartolucci.francesca); Wellershoff, Matthias (https://zbmath.org/authors/?q=ai:wellershoff.matthias)
In the paper, the authors present two uniqueness results for wavelet phase retrieval. The first one is devoted to the recovery of a signal from the magnitude measurements of the continuous wavelet transform. The uniqueness is proved for the case of an integrable wavelet with finitely many vanishing moments and a real-valued bandlimited function. The second contribution deals with samples of the continuous wavelet transform. Under the assumptions of the first result, the recovery is possible on the discrete set \(a^{-\mathbb{N}}(b\mathbb{Z}\times\{1\}),\) \(a>1,\) \(b>0\). Later, some theorems are applied to the Morlet wavelet and the chirp wavelet.
Reviewer: Elena Lebedeva (Sankt-Peterburg)

A stochastic multi-layer algorithm for semi-discrete optimal transport with applications to texture synthesis and style transfer
https://zbmath.org/1517.49028
Authors: Leclaire, Arthur (https://zbmath.org/authors/?q=ai:leclaire.arthur); Rabin, Julien (https://zbmath.org/authors/?q=ai:rabin.julien)
Summary: This paper investigates a new stochastic algorithm to approximate semi-discrete optimal transport for large-scale problems, i.e., in high dimension and for a large number of points. The proposed technique relies on a hierarchical decomposition of the target discrete distribution and the transport map itself. A stochastic optimization algorithm is derived to estimate the parameters of the corresponding multi-layer weighted nearest neighbor model. This model allows for fast evaluation during synthesis and training, for which it exhibits faster empirical convergence. Several applications to patch-based image processing are investigated: texture synthesis, texture inpainting, and style transfer. The proposed models compare favorably to the state of the art, either in terms of image quality, computation time, or regarding the number of parameters. Additionally, they do not require any pixel-based optimization or training on a large dataset of natural images.

Archetypal model of entropy by Poisson cohomology as invariant Casimir function in coadjoint representation and geometric Fourier heat equation
https://zbmath.org/1517.53071
Authors: Barbaresco, Frédéric (https://zbmath.org/authors/?q=ai:barbaresco.frederic)
The author introduces a geometric characterization of entropy as a generalized Casimir invariant function in the coadjoint representation, where the Souriau cocycle is a measure of the lack of equivariance of the moment mapping. The dual space of the Lie algebra foliates into coadjoint orbits that are also the level sets of the entropy that could be studied in the framework of thermodynamics.
The motion remains on these surfaces and is non-dissipative, whereas the motion transversal to these surfaces is dissipative. In this framework also the second principle in thermodynamics can be explained by means of the definite positiveness of the Souriau tensor, thus extending the Koszul-Fisher metric from information geometry. This allows the author to introduce a new geometric Fourier heat equation with Souriau-Koszul-Fisher tensor.
In conclusion, the entropy is characterized as a Casimir function by Koszul-Poisson cohomology. This paper is organized as follows: Section 1 is an introduction to the subject. Section 2 deals with thermodynamics on Lie groups and Section 3 with the entropy characterization as a generalized Casimir invariant function in the coadjoint representation. Section 4 is devoted to Koszul-Poisson cohomology and the entropy characterization. The bad presentation of some parts of the text makes the reading of this paper rather difficult (although the comprehension of the contents remains possible).
For the entire collection see [Zbl 1482.94007].
Reviewer: Ahmed Lesfari (El Jadida)

Shannon entropy rate of hidden Markov processes
https://zbmath.org/1517.60085
Authors: Jurgens, Alexandra M. (https://zbmath.org/authors/?q=ai:jurgens.alexandra-m); Crutchfield, James P. (https://zbmath.org/authors/?q=ai:crutchfield.james-p)
Summary: Hidden Markov chains are widely applied statistical models of stochastic processes, from fundamental physics and chemistry to finance, health, and artificial intelligence. The hidden Markov processes they generate are notoriously complicated, however, even if the chain is finite state: no finite expression for their Shannon entropy rate exists, as the set of their predictive features is generically infinite. As such, to date one cannot make general statements about how random they are nor how structured. Here, we address the first part of this challenge by showing how to efficiently and accurately calculate their entropy rates. We also show how this method gives the minimal set of infinite predictive features. A sequel addresses the challenge's second part on structure.

PnP-ReG: learned regularizing gradient for plug-and-play gradient descent
https://zbmath.org/1517.62071
Authors: Fermanian, Rita (https://zbmath.org/authors/?q=ai:fermanian.rita); Le Pendu, Mikael (https://zbmath.org/authors/?q=ai:le-pendu.mikael); Guillemot, Christine (https://zbmath.org/authors/?q=ai:guillemot.christine)
Summary: The plug-and-play framework makes it possible to integrate advanced image denoising priors into optimization algorithms to efficiently solve a variety of image restoration tasks generally formulated as maximum a posteriori (MAP) estimation problems. The plug-and-play alternating direction method of multipliers (ADMM) and the regularization by denoising (RED) algorithms are two examples of such methods that made a breakthrough in image restoration. However, the former plug-and-play approach only applies to proximal algorithms. And while the explicit regularization in RED can be used in various algorithms, including gradient descent, the gradient of the regularizer computed as a denoising residual leads to several approximations of the underlying image prior in the MAP interpretation of the denoiser. We show that it is possible to train a network directly modeling the gradient of a MAP regularizer while jointly training the corresponding MAP denoiser. We use this network in gradient-based optimization methods and obtain better results compared to other generic plug-and-play approaches. We also show that the regularizer can be used as a pretrained network for unrolled gradient descent. Lastly, we show that the resulting denoiser allows for a better convergence of the plug-and-play ADMM.

Convergence results for primal-dual algorithms in the presence of adjoint mismatch
https://zbmath.org/1517.65055
Authors: Chouzenoux, Emilie (https://zbmath.org/authors/?q=ai:chouzenoux.emilie); Contreras, Andrés (https://zbmath.org/authors/?q=ai:contreras.andres-a); Pesquet, Jean-Christophe (https://zbmath.org/authors/?q=ai:pesquet.jean-christophe); Savanier, Marion (https://zbmath.org/authors/?q=ai:savanier.marion)
Summary: Most optimization problems arising in imaging science involve high-dimensional linear operators and their adjoints. In the implementations of these operators, changes may be introduced for various practical considerations (e.g., memory limitation, computational cost, convergence speed), leading to an \textit{adjoint mismatch}. This occurs for the X-ray tomographic inverse problems found in computed tomography (CT), where a surrogate operator often replaces the adjoint of the measurement operator (called the projector). The resulting adjoint mismatch can jeopardize the convergence properties of iterative schemes used for image recovery. In this paper, we study the theoretical behavior of a panel of primal-dual proximal algorithms, which rely on forward-backward-(forward) splitting schemes when an adjoint mismatch occurs. We analyze these algorithms by focusing on the resolution of possibly nonsmooth convex penalized minimization problems in an infinite-dimensional setting. Using tools from fixed point theory, we show that they can solve monotone inclusions beyond minimization problems. Such findings indicate that these algorithms can be seen as a generalization of classical primal-dual formulations. The applicability of our findings is also demonstrated through two numerical experiments in the context of CT image reconstruction.

Information security and cryptology -- ICISC 2022. 25th international conference, ICISC 2022, Seoul, South Korea, November 30 -- December 2, 2022. Revised selected papers
https://zbmath.org/1517.68028
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1499.68021].
Indexed articles:
\textit{Park, Jonghyun; Kim, Jongsung}, See-in-the-middle attacks on blockciphers ARIA and DEFAULT, 3-16 [Zbl 07730568]
\textit{Bossert, Jannis; List, Eik; Lucks, Stefan}, Implicit key-stretching security of encryption schemes, 17-40 [Zbl 07730569]
\textit{Chen, Shiyao; Guo, Chun; Guo, Jian; Liu, Li; Wang, Meiqin; Wei, Puwen; Xu, Zeyu}, Related-key differential cryptanalysis of GMiMC used in post-quantum signatures, 41-60 [Zbl 07730570]
\textit{Zhang, Li; Wu, Wenling; Mao, Yongxia}, Impossible differential cryptanalysis on reduced-round PRINCEcore, 61-77 [Zbl 07730571]
\textit{Park, Leo Hyun; Hwang, Eunbi; Lee, Donggun; Kwon, Taekyoung}, Towards constructing consistent pattern strength meters with User's visual perception, 81-99 [Zbl 07730572]
\textit{Alatawi, Mashari; Saxena, Nitesh}, Exploring encrypted keyboards to defeat client-side scanning in end-to-end encryption systems, 100-123 [Zbl 07730573]
\textit{Jin, Hoyong; An, Dohyeon; Kwon, Taekyoung}, Differential testing of cryptographic libraries with hybrid fuzzing, 124-144 [Zbl 07730574]
\textit{Liu, Zi-Yuan; Chien, Chu-Chieh; Tseng, Yi-Fan; Tso, Raylin; Mambo, Masahiro}, Public key encryption with hierarchical authorized keyword search, 147-170 [Zbl 07730575]
\textit{Ahmed, Mohammad Nabil; Shimizu, Kana}, Private evaluation of a decision tree based on secret sharing, 171-194 [Zbl 07730576]
\textit{Larangeira, Mario}, Reputation at stake! A trust layer over decentralized ledger for multiparty computation and reputation-fair lottery, 195-215 [Zbl 07730577]
\textit{Seck, Boly; Cayrel, Pierre-Louis; Diop, Idy; Dragoi, Vlad-Florin; Couzon, Kalen; Colombier, Brice; Grosso, Vincent}, Key-recovery by side-channel information on the matrix-vector product in code-based cryptosystems, 219-234 [Zbl 07730578]
\textit{Huh, Jae-Won; Han, Dong-Guk}, Differential fault attack on AES using maximum four bytes faulty ciphertexts, 235-245 [Zbl 07730579]
\textit{Bae, Seungyeon; Chang, Yousung; Park, Hyeongjin; Kim, Minseo; Shin, Youngjoo}, A performance evaluation of IPsec with post-quantum cryptography, 249-266 [Zbl 07730580]
\textit{Zheng, Jianliang; Li, Jie}, An ultrafast cryptographically secure pseudorandom number generator, 267-291 [Zbl 07730581]
\textit{Anastasova, Mila; Azarderakhsh, Reza; Kermani, Mehran Mozaffari; Beshaj, Lubjana}, Time-efficient finite field microarchitecture design for Curve448 and Ed448 on Cortex-M4, 292-314 [Zbl 07730582]
\textit{Tezuka, Masayuki; Tanaka, Keisuke}, Pointcheval-Sanders signature-based synchronized aggregate signature, 317-336 [Zbl 07730583]
\textit{Ishizaka, Masahito; Fukushima, Kazuhide; Kiyomoto, Shinsaku}, Trapdoor sanitizable and redactable signatures with unlinkability, invisibility and strong context-hiding, 337-362 [Zbl 07730584]
\textit{Sato, Shingo; Shikata, Junji; Matsumoto, Tsutomu}, Group testing aggregate signatures with soundness, 363-381 [Zbl 07730585]
\textit{Ishizaka, Masahito; Fukushima, Kazuhide}, Attribute-based signatures for range of inner product and its applications, 382-407 [Zbl 07730586]
\textit{Sato, Shingo; Shikata, Junji}, Identity-based interactive aggregate signatures from lattices, 408-432 [Zbl 07730587]
\textit{Iwata, Ichiro; Yoshida, Yusuke; Tanaka, Keisuke}, Analysis of (U,U+V)-code problem with Gramian over binary and ternary fields, 435-449 [Zbl 07730588]
\textit{Wang, Ruize; Ngo, Kalle; Dubrova, Elena}, A message recovery attack on LWE/LWR-based PKE/KEMs using amplitude-modulated EM emanations, 450-471 [Zbl 07730589]
\textit{Dévéhat, Anaëlle Le; Hasegawa, Shingo; Shizuya, Hiroki}, Preimage sampling in the higher-bit approximate setting with a non-spherical Gaussian sampler, 472-490 [Zbl 07730590]
\textit{Chaum, David; Larangeira, Mario; Yaksetig, Mario}, WOTSwana: a generalized \(\mathcal{S}_{\mathrm{leeve}}\) construction for multiple proofs of ownership, 491-511 [Zbl 07730591]

Two-server distributed ORAM with sublinear computation and constant rounds
https://zbmath.org/1517.68046
Authors: Hamlin, Ariel (https://zbmath.org/authors/?q=ai:hamlin.ariel); Varia, Mayank (https://zbmath.org/authors/?q=ai:varia.mayank)
Summary: Distributed ORAM (DORAM) is a multi-server variant of Oblivious RAM. Originally proposed to lower bandwidth, DORAM has recently been of great interest due to its applicability to secure computation in the RAM model, where circuit complexity and rounds of communication are equally important metrics of efficiency. All prior DORAM constructions either involve linear work per server (e.g., Floram) or logarithmic rounds of communication between servers (e.g., square root ORAM). In this work, we construct the first DORAM schemes in the 2-server, semi-honest setting that simultaneously achieve sublinear server computation and constant rounds of communication. We provide two constant-round constructions, one based on square root ORAM that has \(O(\sqrt{N}\log N)\) local computation and another based on secure computation of a doubly efficient PIR that achieves local computation of \(O(N^\epsilon)\) for any \(\epsilon > 0\) but that allows the servers to distinguish between reads and writes. As a building block in the latter construction, we provide secure computation protocols for evaluation and interpolation of multivariate polynomials based on the Fast Fourier Transform, which may be of independent interest.
For the entire collection see [Zbl 1476.94004].

Flexible and efficient verifiable computation on encrypted data
https://zbmath.org/1517.68104
Authors: Bois, Alexandre (https://zbmath.org/authors/?q=ai:bois.alexandre); Cascudo, Ignacio (https://zbmath.org/authors/?q=ai:cascudo.ignacio); Fiore, Dario (https://zbmath.org/authors/?q=ai:fiore.dario); Kim, Dongwoo (https://zbmath.org/authors/?q=ai:kim.dongwoo)
Summary: We consider the problem of verifiable and private delegation of computation [\textit{R. Gennaro} et al., Lect. Notes Comput. Sci. 6223, 465--482 (2010; Zbl 1284.68065)] in which a client stores private data on an untrusted server and asks the server to compute functions over this data. In this scenario we aim to achieve three main properties: the server should not learn information on inputs and outputs of the computation (privacy), the server cannot return wrong results without being caught (integrity), and the client can verify the correctness of the outputs faster than running the computation (efficiency). A known paradigm to solve this problem is to use a (non-private) verifiable computation (VC) to prove correctness of a homomorphic encryption (HE) evaluation on the ciphertexts. Despite the research advances in obtaining efficient VC and HE, using these two primitives together in this paradigm is concretely expensive. Recent work [the third author et al., CCS 2014, 844--855 (2014; \url{doi:10.1145/2660267.2660366}); Lect. Notes Comput. Sci. 12111, 124--154 (2020; Zbl 1517.68105)] addressed this problem by designing specialized VC solutions that however require the HE scheme to work with very specific parameters; notably HE ciphertexts must be over \(\mathbb{Z}_q\) for a large prime \(q\).
In this work we propose a new solution that allows a flexible choice of HE parameters, while staying modular (based on the paradigm combining VC and HE) and efficient (the VC and the HE schemes are both executed at their best efficiency). At the core of our new protocol are new homomorphic hash functions for Galois rings. As an additional contribution we extend our results to support non-deterministic computations on encrypted data and an additional privacy property by which verifiers do not learn information on the inputs of the computation.
For the entire collection see [Zbl 1476.94004].

Boosting verifiable computation on encrypted data
https://zbmath.org/1517.68105
Authors: Fiore, Dario (https://zbmath.org/authors/?q=ai:fiore.dario); Nitulescu, Anca (https://zbmath.org/authors/?q=ai:nitulescu.anca); Pointcheval, David (https://zbmath.org/authors/?q=ai:pointcheval.david)
Summary: We consider the setting in which an untrusted server stores a collection of data and is asked to compute a function over it. In this scenario, we aim for solutions where the untrusted server does not learn information about the data and is prevented from cheating. This problem is addressed by verifiable and private delegation of computation, proposed by \textit{R. Gennaro} et al. [Lect. Notes Comput. Sci. 6223, 465--482 (2010; Zbl 1284.68065)], a notion that is close to both the active areas of homomorphic encryption and verifiable computation (VC). However, in spite of the efficiency advances in the respective areas, VC protocols that guarantee privacy of the inputs are still expensive. The only exception is a protocol by the first author et al. [CCS 2014, 844--855 (2014; \url{doi:10.1145/2660267.2660366})] that supports arithmetic circuits of degree at most 2. In this paper we propose new efficient protocols for VC on encrypted data that improve over the state of the art solution of Fiore et al. in multiple aspects. First, we can support computations of degree higher than 2. Second, we achieve public delegatability and public verifiability whereas Fiore et al. need the same secret key to encode inputs and verify outputs. Third, we achieve a new property that guarantees that verifiers can be convinced about the correctness of the outputs without learning information on the inputs. The key tool to obtain our new protocols is a new SNARK that can efficiently handle computations over a quotient polynomial ring, such as the one used by Ring-LWE somewhat homomorphic encryption schemes.
This SNARK in turn relies on a new commit-and-prove SNARK for proving evaluations on the same point of several committed polynomials. We propose a construction of this scheme under an extractability assumption over bilinear groups in the random oracle model.
For the entire collection see [Zbl 1481.94004].

Revocable hierarchical identity-based encryption with adaptive security
https://zbmath.org/1517.68106
Authors: Lee, Kwangsu (https://zbmath.org/authors/?q=ai:lee.kwangsu)
Summary: Hierarchical identity-based encryption (HIBE) can be extended to revocable HIBE (RHIBE) if a private key of a user can be revoked when the private key is revealed or expired. Previously, many selectively secure RHIBE schemes were proposed, but it is still an unsolved problem to construct an adaptively secure RHIBE scheme. In this work, we propose two RHIBE schemes in composite-order bilinear groups and prove their adaptive security under simple static assumptions. To prove the adaptive security, we use the dual system encryption framework, but it is not simple to use the dual system encryption framework in RHIBE since the security model of RHIBE is quite different from that of HIBE. We show that it is possible to solve the problem of the RHIBE security proof by carefully designing hybrid games.

Lattice-based weak-key analysis on single-server outsourcing protocols of modular exponentiations and basic countermeasures
https://zbmath.org/1517.68107
Authors: Zheng, Yunhai (https://zbmath.org/authors/?q=ai:zheng.yunhai); Tian, Chengliang (https://zbmath.org/authors/?q=ai:tian.chengliang); Zhang, Hanlin (https://zbmath.org/authors/?q=ai:zhang.hanlin); Yu, Jia (https://zbmath.org/authors/?q=ai:yu.jia); Li, Fengjun (https://zbmath.org/authors/?q=ai:li.fengjun)
Summary: We investigate the problem of securely outsourcing the modular exponentiations in cryptography to an untrusted server, and analyze the security and the efficiency of three privacy-preserving outsourcing protocols for exponentiations proposed in [\textit{Y. Ding} et al., ibid. 90, 1--13 (2017; Zbl 1374.68067)]. Based on Coppersmith's lattice-based method, we present heuristic polynomial-time and ciphertext-only weak-key attacks on these protocols, which show that the recommended size of the secret keys in their protocols cannot assure the input privacy of the exponents. Correspondingly, we explicitly estimate the size of the secure secret keys to circumvent our attacks, and analyze the efficiency of the revised protocols with security settings. Our theoretical analysis and experimental results demonstrate that the protocol of single modular exponentiation is unavailable, the protocol of simultaneous modular exponentiations is not so efficient as claimed but still available, and the protocol of multiple modular exponentiations becomes more efficient as the number of exponentiations increases.

Isogeny-based key compression without pairings
https://zbmath.org/1517.68112
Authors: Pereira, Geovandro C. C. F. (https://zbmath.org/authors/?q=ai:pereira.geovandro-c-c-f); Barreto, Paulo S. L. M. (https://zbmath.org/authors/?q=ai:barreto.paulo-s-l-m)
Summary: SIDH/SIKE-style protocols benefit from key compression to minimize their bandwidth requirements, but proposed key compression mechanisms rely on computing bilinear pairings. Pairing computation is a notoriously expensive operation, and, unsurprisingly, it is typically one of the main efficiency bottlenecks in SIDH key compression, incurring processing time penalties that are only mitigated at the cost of trade-offs with precomputed tables. We address this issue by describing how to compress isogeny-based keys without pairings. As a bonus, we also substantially reduce the storage requirements of other operations involved in key compression.
For the entire collection see [Zbl 1476.94003].

Multiparty cardinality testing for threshold private intersection
https://zbmath.org/1517.68132
Authors: Branco, Pedro (https://zbmath.org/authors/?q=ai:branco.pedro); Döttling, Nico (https://zbmath.org/authors/?q=ai:dottling.nico); Pu, Sihang (https://zbmath.org/authors/?q=ai:pu.sihang)
Summary: Threshold Private Set Intersection (PSI) allows multiple parties to compute the intersection of their input sets if and only if the intersection is larger than \(n-t\), where \(n\) is the size of each set and \(t\) is some threshold. The main appeal of this primitive is that, in contrast to standard PSI, known upper-bounds on the communication complexity only depend on the threshold \(t\) and not on the sizes of the input sets. Current threshold PSI protocols split themselves into two components: A Cardinality Testing phase, where parties decide if the intersection is larger than some threshold; and a PSI phase, where the intersection is computed. The main source of inefficiency of threshold PSI is the former part.
In this work, we present a new Cardinality Testing protocol that allows \(N\) parties to check if the intersection of their input sets is larger than \(n-t\). The protocol incurs \(\tilde{\mathcal{O}}(Nt^2)\) communication complexity. We thus obtain a Threshold PSI scheme for \(N\) parties with communication complexity \(\tilde{\mathcal{O}}(Nt^2)\).
For the entire collection see [Zbl 1476.94004].

Computational irrelevancy: bridging the gap between pseudo- and real randomness in MPC protocols
https://zbmath.org/1517.68133
Authors: Heseri, Nariyasu (https://zbmath.org/authors/?q=ai:heseri.nariyasu); Nuida, Koji (https://zbmath.org/authors/?q=ai:nuida.koji)
Summary: Due to the fact that classical computers cannot efficiently obtain random numbers, it is common practice to design cryptosystems in terms of real random numbers and then replace them with cryptographically secure pseudorandom ones for concrete implementations. However, as pointed out by the previous work [the second author, Lect. Notes Comput. Sci. 12711, 441--468 (2021; Zbl 1517.68135)], this technique may lead to compromise of security in secure multiparty computation (MPC) protocols, due to the property that a seed for a pseudorandom generator (PRG) is visible to an adversary in the context of MPC. Although this work suggested using information-theoretically secure protocols (together with PRGs with high min-entropy) to alleviate the problem, it is preferable to base the security on computational assumptions rather than the stronger information-theoretic ones. By observing that the contrived constructions in the aforementioned work use MPC protocols and PRGs that are closely related to each other, we notice that it may help to alleviate the problem by using protocols and PRGs that are ``unrelated'' to each other. In this paper, we propose a notion called ``computational irrelevancy'' to formalise the term ``unrelated'' and under this condition provide a security guarantee under computational assumptions.
For the entire collection see [Zbl 1503.68013].

Cryptographic pseudorandom generators can make cryptosystems problematic
https://zbmath.org/1517.68135
Authors: Nuida, Koji (https://zbmath.org/authors/?q=ai:nuida.koji)
Summary: Randomness is an essential resource for cryptography. For practical randomness generation, the security notion of pseudorandom generators (PRGs) intends to automatically preserve (computational) security of cryptosystems when used in implementation. Nevertheless, an opposite case such as in computational randomness extractors [\textit{B. Barak} et al., Lect. Notes Comput. Sci. 6841, 1--20 (2011; Zbl 1287.94047)] is known (but not yet systematically studied so far) where the security can be lost even by applying secure PRGs. The present paper aims at pushing ahead the observation and understanding about such a phenomenon; we reveal such situations at layers of primitives and protocols as well, not just of building blocks like randomness extractors. We present three typical types of such cases: (1) adversaries can legally see the seed of the PRGs (including the case of randomness extractors); (2) the set of ``bad'' randomness may not be efficiently recognizable; (3) the formulation of a desired property implicitly involves non-uniform distinguishers for PRGs. We point out that the semi-honest security of multiparty computation also belongs to Type 1, while the correctness with negligible decryption error probability for public key encryption belongs to Types 2 and 3. We construct examples for each type where a secure PRG (against uniform distinguishers only, for Type 3) does not preserve the security/correctness of the original scheme; and discuss some countermeasures to avoid such an issue.
For the entire collection see [Zbl 1476.94004].

Physical zero-knowledge proof for Suguru puzzle
https://zbmath.org/1517.68139
Authors: Robert, Léo (https://zbmath.org/authors/?q=ai:robert.leo); Miyahara, Daiki (https://zbmath.org/authors/?q=ai:miyahara.daiki); Lafourcade, Pascal (https://zbmath.org/authors/?q=ai:lafourcade.pascal); Mizuki, Takaaki (https://zbmath.org/authors/?q=ai:mizuki.takaaki)
Summary: Suguru is a paper and pencil puzzle invented by Naoki Inaba. The goal of the game is to fill a grid with numbers between 1 and 5 and to respect three simple constraints. In this paper we design a physical Zero-Knowledge Proof (ZKP) protocol for Suguru. A ZKP protocol allows a prover (P) to prove that he knows a solution of a Suguru grid to a verifier (V) without leaking any information on the solution. For constructing such a physical ZKP protocol, we only rely on a small number of physical cards and an adapted encoding. For a grid of Suguru with \(n\) cells, we only use \(5n+5\) cards. Moreover, we prove the three classical security properties of a ZKP: completeness, extractability, and zero-knowledge.
For the entire collection see [Zbl 1507.68029].

Properties of hash functions based on Gluškov product of automata
https://zbmath.org/1517.68194
Authors: Hannusch, Carolin (https://zbmath.org/authors/?q=ai:hannusch.carolin); Horváth, Géza (https://zbmath.org/authors/?q=ai:horvath.geza)
Summary: We investigate the properties of hash functions introduced on Gluškov product of automata. Further, we give some important conditions for the transition matrix of the Gluškov product which make the introduced hash functions secure.

Signal convolution logic
https://zbmath.org/1517.68253
Authors: Silvetti, Simone (https://zbmath.org/authors/?q=ai:silvetti.simone); Nenzi, Laura (https://zbmath.org/authors/?q=ai:nenzi.laura); Bartocci, Ezio (https://zbmath.org/authors/?q=ai:bartocci.ezio); Bortolussi, Luca (https://zbmath.org/authors/?q=ai:bortolussi.luca)
Summary: We introduce a new logic called \textit{Signal Convolution Logic} (SCL) that combines temporal logic with convolutional filters from digital signal processing. SCL makes it possible to reason about the percentage of time a formula is satisfied in a bounded interval. We demonstrate that this new logic is a suitable formalism to effectively express non-functional requirements in Cyber-Physical Systems displaying noisy and irregular behaviours. We define both a qualitative and quantitative semantics for it, providing an efficient monitoring procedure. Finally, we show SCL at work to monitor the \textit{artificial pancreas} controllers that are employed to automate the delivery of insulin for patients with type-1 diabetes.
For the entire collection see [Zbl 1396.68018].

Distributed minimum error entropy algorithms
https://zbmath.org/1517.68330
Authors: Guo, Xin; Hu, Ting; Wu, Qiang
Summary: The Minimum Error Entropy (MEE) principle is an important approach in Information Theoretic Learning (ITL). It is widely applied and studied in various fields for its robustness to noise. In this paper, we study a reproducing kernel-based distributed MEE algorithm, DMEE, which is designed to work with both fully supervised data and semi-supervised data. The divide-and-conquer approach is employed, so there is no inter-node communication overhead. Similar to other distributed algorithms, DMEE significantly reduces the computational complexity and memory requirement on single computing nodes. With fully supervised data, our proved learning rates equal the minimax optimal learning rates of the classical pointwise kernel-based regressions. Under the semi-supervised learning scenarios, we show that DMEE exploits unlabeled data effectively, in the sense that, first, under settings with weak regularity assumptions, additional unlabeled data significantly improves the learning rates of DMEE. Second, with sufficient unlabeled data, labeled data can be distributed to many more computing nodes, such that each node takes only \(O(1)\) labels, without spoiling the learning rates in terms of the number of labels. This conclusion overcomes the saturation phenomenon in unlabeled data size. It parallels a recent result for regularized least squares [\textit{S.-B. Lin} and \textit{D.-X. Zhou}, Constr. Approx. 47, No. 2, 249--276 (2018; Zbl 1390.68542)], and suggests that an inflation of unlabeled data is a solution to the MEE learning problems with decentralized data sources for the concerns of privacy protection. Our work refers to pairwise learning and non-convex loss. The theoretical analysis is achieved by distributed U-statistics and error decomposition techniques in integral operators.

Efficient multiplication of somewhat small integers using number-theoretic transforms
https://zbmath.org/1517.68424
Authors: Becker, Hanno; Hwang, Vincent; Kannwischer, Matthias J.; Panny, Lorenz; Yang, Bo-Yin
Summary: Conventional wisdom purports that FFT-based integer multiplication methods (such as the Schönhage-Strassen algorithm) begin to compete with Karatsuba and Toom-Cook only for integers of several tens of thousands of bits. In this work, we challenge this belief, leveraging recent advances in the implementation of number-theoretic transforms (NTT) stimulated by their use in post-quantum cryptography. We report on implementations of NTT-based integer arithmetic on two Arm Cortex-M CPUs on opposite ends of the performance spectrum: Cortex-M3 and Cortex-M55. Our results indicate that NTT-based multiplication is capable of outperforming the big-number arithmetic implementations of popular embedded cryptography libraries for integers as small as 2048 bits. To provide a realistic case study, we benchmark implementations of the RSA encryption and decryption operations. Our cycle counts on Cortex-M55 are about \(10\times\) lower than on Cortex-M3.
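The mechanism the abstract above relies on, as an added worked example (this is illustrative code written for this page, not the authors' Cortex-M implementation, and it reproduces none of their cycle counts or their comparison with Karatsuba/Toom-Cook): an RSA-2048-sized operand is split into small limbs, the limbs are treated as polynomial coefficients, the two polynomials are multiplied with a number-theoretic transform over a prime field, and carries are propagated at the end. The field prime \(2^{64}-2^{32}+1\), the generator 7 and the 16-bit limb width are choices made for this illustration and are not parameters taken from the paper.

```python
"""NTT-based multiplication of 2048-bit-class integers (added example).

Assumed parameters for this illustration, not the paper's: the prime
P = 2^64 - 2^32 + 1 (P - 1 is divisible by 2^32, so length-2^k NTTs exist
for k <= 32), multiplicative generator 7, and 16-bit limbs.
"""

P = 0xFFFFFFFF00000001  # 2^64 - 2^32 + 1
G = 7                   # generator of the multiplicative group mod P
LIMB_BITS = 16
LIMB_MASK = (1 << LIMB_BITS) - 1


def root_of_unity(n):
    """Primitive n-th root of unity mod P, n a power of two up to 2^32."""
    assert n & (n - 1) == 0 and (P - 1) % n == 0
    w = pow(G, (P - 1) // n, P)
    # A primitive root of even order n must satisfy w^(n/2) == -1 mod P.
    assert n == 1 or pow(w, n // 2, P) == P - 1
    return w


def ntt(coeffs, w):
    """Iterative radix-2 Cooley-Tukey NTT of coeffs (power-of-two length)."""
    n = len(coeffs)
    a = list(coeffs)
    j = 0                                   # bit-reversal permutation
    for i in range(1, n):
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j ^= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:
        wl = pow(w, n // length, P)         # primitive length-th root
        half = length // 2
        for start in range(0, n, length):
            wk = 1
            for k in range(half):           # butterfly on (u, v)
                u = a[start + k]
                v = a[start + k + half] * wk % P
                a[start + k] = (u + v) % P
                a[start + k + half] = (u - v) % P
                wk = wk * wl % P
        length <<= 1
    return a


def intt(values, w):
    """Inverse NTT: forward transform with w^-1, then scale by n^-1."""
    n = len(values)
    res = ntt(values, pow(w, P - 2, P))
    inv_n = pow(n, P - 2, P)
    return [x * inv_n % P for x in res]


def to_limbs(x):
    """Little-endian 16-bit limbs of a non-negative integer."""
    assert x >= 0
    limbs = []
    while x:
        limbs.append(x & LIMB_MASK)
        x >>= LIMB_BITS
    return limbs or [0]


def from_limbs(coeffs):
    """Carry propagation: product coefficients are far wider than 16 bits."""
    x = 0
    for c in reversed(coeffs):
        x = (x << LIMB_BITS) + c
    return x


def ntt_mul(x, y):
    """Exact product x*y via one NTT-based polynomial multiplication."""
    a, b = to_limbs(x), to_limbs(y)
    n = 1
    while n < len(a) + len(b):              # room for the full product
        n <<= 1
    # Exactness: each product coefficient is a sum of at most
    # min(len(a), len(b)) terms below 2^32 and must not wrap modulo P.
    assert min(len(a), len(b)) * LIMB_MASK ** 2 < P
    w = root_of_unity(n)
    fa = ntt(a + [0] * (n - len(a)), w)
    fb = ntt(b + [0] * (n - len(b)), w)
    fc = [u * v % P for u, v in zip(fa, fb)]   # pointwise multiply
    return from_limbs(intt(fc, w))


def check_against_builtin(bits=2048, trials=8, seed=1):
    """Cross-check ntt_mul on random bits-wide operands (RSA-2048 sized)."""
    import random
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.getrandbits(bits) | (1 << (bits - 1))
        y = rng.getrandbits(bits) | (1 << (bits - 1))
        if ntt_mul(x, y) != x * y:
            return False
    return True


if __name__ == "__main__":
    print("2048-bit NTT products match built-in:", check_against_builtin())
```

The check a practitioner wants is the coefficient bound asserted in `ntt_mul`: an NTT product is only exact while no coefficient of the polynomial product wraps modulo the field prime, and a silent wrap yields a wrong (and, for RSA decryption, potentially key-leaking) result rather than an error. This pure-Python model is a functional reference only; it says nothing about constant-time behaviour or the embedded performance the paper measures.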
For the entire collection see [Zbl 1503.68013].

Quantum dynamics of a f-deformed opto-mechanical system
https://zbmath.org/1517.81020
Authors: Dehghani, A.; Mojaveri, B.; Aryaie, M.
Summary: Based on the f-oscillator formalism, we introduce a nonlinear optomechanical framework which is constructed from the standard optomechanical system by deforming the single-mode photonic-field operators. Such a generalized optomechanical system describes an intensity-dependent interaction of a mechanical oscillator with a single-mode electromagnetic field. To gain insight into the effectiveness of the non-linearization processes, we investigate the role of the parameters involved, especially the nonlinearity function that controls the entanglement and statistical properties of the photon-phonon state. Thus, we apply the linear entropy measure and the Wigner function to quantify the entanglement and non-classical properties of this composite system, and the condition under which quantum entanglement and negativity of the Wigner function can be enhanced and maximized is identified. Thus, depending on the choice of the nonlinearity function, one can observe different non-classical effects. These trends are compared with those obtained for the standard optomechanical system including photon-phonon interaction, too.

Quantum conditional probabilities and new measures of quantum information
https://zbmath.org/1517.81028
Authors: Barandes, Jacob A.; Kagan, David
Summary: We use a novel form of quantum conditional probability to define new measures of quantum information in a dynamical context. We explore relationships between our new quantities and standard measures of quantum information, such as von Neumann entropy. These quantities allow us to find new proofs of some standard results in quantum information theory, such as the concavity of von Neumann entropy and Holevo's theorem. The existence of an underlying probability distribution helps shed light on the conceptual underpinnings of these results.

On quasi-inversion of quantum channels in 2 and in higher dimensions
https://zbmath.org/1517.81033
Authors: Karimipour, Vahid
Summary: We review the concept of the quasi-inverse of qubit channels and of higher dimensional channels. A quasi-inverse is a channel which, when concatenated to the original channel, increases its average fidelity in an optimal way. For qubit channels, we fully characterize the quasi-inverse, while for higher dimensional channels, we prove general theorems and provide bounds for the increased average fidelity. Nevertheless, explicit examples are given where exact quasi-inverses can be found.

Multi-proxy signature scheme using five-qubit entangled state based on controlled quantum teleportation
https://zbmath.org/1517.81034
Authors: Fan, Ting-Ting; Lu, Dian-Jun; You, Min-Guo; Qian, Si-Jie
Summary: With the upgrading of communication technology and the rapid development of quantum computing, the classical digital signature schemes are faced with unprecedented challenges, so research on quantum digital signatures is imperative. In this paper, we propose a multi-proxy signature scheme based on controlled quantum teleportation of a five-qubit entangled state. In this scheme, the quantum Fourier transform is used as an encryption method to encrypt the message, which improves the quantum efficiency compared with the quantum one-time pad. The five-qubit maximally entangled state, which is the state required for qubit threshold quantum error correction, is used as the quantum channel to ensure the stability of the scheme. Security analysis shows that our scheme is unforgeable and undeniable, and that it can resist the intercept-resend attack.

Probabilistic quantum teleportation via 3-qubit non-maximally entangled GHZ state by repeated generalized measurements
https://zbmath.org/1517.81036
Authors: Javed, Shamiya; Pandey, Ravi Kamal; Yadav, Phool Singh; Prakash, Ranjana; Prakash, Hari
Summary: We propose a scheme of repeated generalized Bell state measurement (GBSM) for probabilistic quantum teleportation of the single-qubit state of a particle (say, 0) using a 3-qubit non-maximally entangled (NME) GHZ state as a quantum channel. Alice keeps two qubits (say, 1 and 2) of the 3-qubit resource and the third qubit (say, 3) goes to Bob. Initially, Alice performs GBSM on qubits 0 and 1, which may lead to either success or failure. On obtaining success, Alice performs a projective measurement on qubit 2 in the eigenbasis of \(\sigma_x\). Both these measurement outcomes are communicated to Bob classically, which helps him to perform a suitable unitary transformation on qubit 3 to recover the information state. On the other hand, if failure is obtained, the next attempt of GBSM is performed on qubits 0 and 2. This process of repeating GBSM on alternate pairs of qubits may continue until perfect teleportation with unit fidelity is achieved. We have obtained analytical expressions for the success probability up to three repetitions of GBSM. The success probability is shown to be a polynomial function of the bipartite concurrence of the NME resource. The variation of the success probability with the bipartite concurrence has been plotted, which shows the convergence of the success probability to unity with GBSM repetitions.

A tree-type multiparty quantum key agreement protocol against collusive attacks
https://zbmath.org/1517.81041
Authors: Yang, Hao; Lu, Songfeng; Zhu, Jianxin; Wu, Junjun; Zhou, Qing; Li, Tong
Summary: Multiparty quantum key agreement (MQKA) requires sharing a secure and fair key among participants. However, several malicious participants may collude to steal the privacy of honest participants or to determine the shared key privately. In this work, we propose a tree-type MQKA protocol against collusive attacks, in which the entanglement swapping technique of multi-particle entangled states is used to construct the shared key. Compared with the previous MQKA protocols against collusive attacks, our scheme consumes fewer qubits and only needs to transmit quantum states once, which significantly reduces the consumption of quantum resources.

Quantum private magnitude comparison based on maximum operation
https://zbmath.org/1517.81043
Authors: Zhou, Lin-tao; Lang, Yan-Feng; Zhao, Zi-Hao
Summary: Many existing quantum private comparison (QPC) protocols can determine whether two secrets are equal or not, while the quantum private magnitude comparison (QPMC) protocol by Lang can output three results, greater than, equal and less than, for two private data. In order to implement the magnitude comparison, it defined the minimum operation. However, if we only rely on this operation to implement QPMC, it may not be efficient at cooperating with some quantum resources. For this reason, it is necessary for us to introduce another operation, the maximum one. With regard to some quantum resources, only by using the maximum operation are we able to realize a simple and efficient QPMC. In this paper, it is the maximum operation that helps us utilize a single Bell state to propose a QPMC protocol in an easy and efficient way. The protocol is fully analysed for its correctness and security. The analyses prove that the presented protocol is not only simple yet efficient but also of low cost. It would be a better alternative for QPMC.

Covariant holographic reflected entropy in \(AdS_3/CFT_2\)
https://zbmath.org/1517.81065
Authors: Afrasiar, Mir; Chourasiya, Himanshu; Raj, Vinayak; Sengupta, Gautam
Summary: We substantiate a covariant proposal for the holographic reflected entropy in \(CFT\)s dual to non-static \(AdS\) geometries from the bulk extremal entanglement wedge cross section in the literature with explicit computations in the \(AdS_3/CFT_2\) scenario. In this context we obtain the reflected entropy for zero and finite temperature time dependent bipartite mixed states in \(CFT_{1 + 1}\)s with a conserved charge dual to bulk rotating extremal and non-extremal BTZ black holes through a replica technique. Our results match exactly with the corresponding extremal entanglement wedge cross section for these bulk geometries in the literature. This constitutes a significant consistency check for the proposal and its possible extension to the corresponding higher dimensional \(AdS/CFT\) scenario.

Heat conduction in general relativity
https://zbmath.org/1517.83019
Authors: Kim, Hyeong-Chan; Lee, Youngone
Summary: We study the problem of heat conduction in general relativity by using Carter's variational formulation. We write the creation rates of the entropy and the particles as combinations of the vorticities of temperature and chemical potential. We pay attention to the fact that there are two additional degrees of freedom in choosing the relativistic analog of the Cattaneo equation for the parts binormal to the caloric and the number flows. Including the contributions from the binormal parts, we find \textit{new} heat-flow equations and discover their dynamical role in thermodynamic systems. The benefit of introducing the binormal parts is that it allows room for a physical ansatz for describing the whole evolution of the thermodynamic system. Taking advantage of this platform, we propose a proper ansatz that deals with the binormal contributions starting from the physical properties of thermal equilibrium systems. We also consider the stability of a thermodynamic system in a flat background. We find that \textit{new} `Klein' modes exist in addition to the known ones. We also find that the stability requirement is less stringent than those in the literature.

Thermal fluctuations evolution of the new Schwarzschild black hole
https://zbmath.org/1517.83027
Authors: Akhtar, Zunaira; Babar, Rimsha; Ali, Riasat
Summary: We study the thermodynamic analysis and logarithmic corrections of the new Schwarzschild black hole. We compute thermodynamic quantities like entropy, Hawking temperature and heat capacity. The area of black holes never decreases because they absorb everything from their surroundings due to high gravity. In this regard, the area-entropy relation proposed by Bekenstein needs to be corrected, leading to the concept of logarithmic corrections. To do so, we obtain the corrected entropy for the new Schwarzschild black hole to analyze the effects of thermal fluctuations, and we evaluate thermodynamic quantities like specific heat, internal energy, Helmholtz free energy, Gibbs free energy, enthalpy and pressure in the presence of the correction parameter \(\eta\). Furthermore, we check the stability of the system with the help of the heat capacity and the well-known Hessian matrix technique. By our graphical analysis, we observe that the thermal fluctuations affect the stability of small-radius black holes (e.g., the new Schwarzschild black hole), and therefore small black holes acquire unstable regions due to these first order corrections.

Noether charge formalism for Weyl transverse gravity
https://zbmath.org/1517.83028
Authors: Alonso-Serrano, Ana; Garay, Luis J.; Liška, Marek
Summary: Weyl transverse gravity (WTG) is a gravitational theory that is invariant under transverse diffeomorphisms and Weyl transformations. It is characterised by having the same classical solutions as general relativity while solving some of its issues with the cosmological constant. In this work, we first find the Noether currents and charges corresponding to local symmetries of WTG as well as a prescription for the symplectic form. We then employ these results to derive the first law of black hole mechanics in WTG (both in vacuum and in the presence of a perfect fluid), identifying the total energy, the total angular momentum, and the Wald entropy of black holes. We further obtain the first law and Smarr formula for Schwarzschild-anti-de Sitter and pure de Sitter spacetimes, discussing the contributions of the varying cosmological constant, which naturally appear in WTG. Lastly, we derive the first law of causal diamonds in vacuum.

Weakly isolated horizons: \(3+1\) decomposition and canonical formulations in self-dual variables
https://zbmath.org/1517.83034
Authors: Corichi, Alejandro; Reyes, Juan D.; Vukašinac, Tatjana
Summary: The notion of Isolated Horizons has played an important role in gravitational physics, being useful from the characterization of the endpoint of black hole mergers to (quantum) black hole entropy. In particular, the definition of weakly isolated horizons (WIHs) as quasilocal generalizations of event horizons is purely geometrical, and is independent of the variables used in describing the gravitational field. Here we consider a canonical decomposition of general relativity in terms of connection and vierbein variables starting from a first order action. Within this approach, the information about the existence of a (weakly) isolated horizon is obtained through a set of boundary conditions on an internal boundary of the spacetime region under consideration. We employ, for the self-dual action, a generalization of the Dirac algorithm for regions with boundary. While the formalism for treating gauge theories with boundaries is unambiguous, the choice of dynamical variables on the boundary is not. We explore this freedom and consider different canonical formulations for non-rotating black holes as defined by WIHs. We show that neither the notion of horizon degrees of freedom nor the energy associated to the horizon is unique, even when the descriptions might be self-consistent. This represents a generalization of previous work on isolated horizons both in the exploration of this freedom and in the type of horizons considered. We comment on previous results found in the literature.

A new class of regular black hole solutions with quasi-localized sources of matter in \((2 + 1)\) dimensions
https://zbmath.org/1517.83047
Authors: Maluf, R. V.; Muniz, C. R.; Santos, A. C. L.; Estrada, Milko
Summary: This paper investigates a new class of regular black hole solutions in \((2 + 1)\)-dimensions by introducing a generalization of the quasi-localized matter model proposed by \textit{M. Estrada} and \textit{F. Tello-Ortiz} [Europhys. Lett. 135, No. 2, Article ID 20001, 6 p. (2021; \url{doi:10.1209/0295-5075/ac0ed0})]. Initially, we try to physically interpret the matter source encoded in the energy-momentum tensor as originating from nonlinear electrodynamics. We show, however, that the required conditions for the quasi-locality of the energy density are incompatible with the expected behavior of nonlinear electrodynamics, which must tend to Maxwell's theory in the asymptotic limit. Despite this, we propose a generalization for the quasi-localized energy density that encompasses the existing models in the literature and allows us to obtain a class of regular black hole solutions exhibiting remarkable features on the event horizons and their thermodynamic properties. Furthermore, since the usual version of the first law of thermodynamics, due to the presence of the matter fields, leads to incorrect values of entropy and thermodynamic volume for regular black holes, we propose a new version of the first law for regular black holes.

An attempt to add Barrow entropy in \(f(R)\) gravity
https://zbmath.org/1517.83059
Authors: Ens, P. S.; Santos, A. F.
Summary: In this work, a way to consider together two originally different corrections to the Friedmann equations is presented. The first is the Barrow entropy, which imposes a fractal structure on the black hole horizon area, while the second is the well-known \(f(R)\) gravity, which comes from a generalization of the Einstein-Hilbert action. Using the ideas of the gravity-thermodynamics conjecture, these two models are combined. Then the modified Friedmann equation is obtained. Choosing a particular \(f(R)\) model, an application is investigated. The state parameter and the density parameters for matter and dark energy are calculated. With these results, the dynamic evolution of the universe is discussed.

On the choice of entropy variables in multifield inflation
https://zbmath.org/1517.83062
Authors: Cicoli, Michele; Guidetti, Veronica; Muia, Francesco; Pedro, Francisco G.; Vacca, Gian Paolo
Summary: We discuss the usefulness and theoretical consistency of different entropy variables used in the literature to describe isocurvature perturbations in multifield inflationary models with a generic curved field space. We clarify which is the proper entropy variable to be used to match the evolution of isocurvature modes during inflation to the one after the reheating epoch in order to compare with observational constraints. In particular, we find that commonly used variables, such as the relative entropy perturbation or the one associated to the decomposition in tangent and normal perturbations with respect to the inflationary trajectory, even if more useful for numerical studies, can lead to results which are wrong by several orders of magnitude, or even to apparent destabilisation effects which are unphysical for cases with light kinetically coupled spectator fields.

Statistical approaches and the Bekenstein bound conjecture in Schwarzschild black holes
https://zbmath.org/1517.83068
Authors: Abreu, Everton M. C.; Neto, Jorge Ananias
Summary: One of the challenges of today's theoretical physics is to fully understand the connection between a geometrical object like area and a thermostatistical one like entropy, since we have theoretical proofs that the area behaves analogously to entropy. The Bekenstein bound suggests a universal constraint for the entropy in a flat space region. The Bekenstein-Hawking entropy of black holes satisfies the Bekenstein bound conjecture. In this paper we have shown that when we use important non-Gaussian entropies, like those of Barrow, Tsallis and Kaniadakis, to describe the Schwarzschild black hole, then the Bekenstein bound conjecture seems to fail.

Provable phase retrieval with mirror descent
https://zbmath.org/1517.90111
Authors: Godeme, Jean-Jacques; Fadili, Jalal; Buet, Xavier; Zerrad, Myriam; Lequime, Michel; Amra, Claude
Summary: In this paper, we consider the problem of phase retrieval, which consists of recovering an \(n\)-dimensional real vector from the magnitudes of its \(m\) linear measurements. We propose a mirror descent (or Bregman gradient descent) algorithm based on a wisely chosen Bregman divergence, hence allowing us to remove the classical global Lipschitz continuity requirement on the gradient of the nonconvex phase retrieval objective to be minimized. We apply the mirror descent to two random measurement models: i.i.d. standard Gaussian measurements and those obtained by multiple structured illuminations through coded diffraction patterns. For the Gaussian case, we show that when the number of measurements \(m\) is large enough, then with high probability, for almost all initializers, the algorithm recovers the original vector up to a global sign change. For both measurement models, the mirror descent exhibits a local linear convergence behavior with a dimension-independent convergence rate. Finally, our theoretical results are illustrated with various numerical experiments, including an application to the reconstruction of images in precision optics.

Currency stability using blockchain technology
https://zbmath.org/1517.91288
Authors: Routledge, Bryan; Zetlin-Jones, Ariel
Summary: To date, cryptocurrency prices are volatile and many cryptocurrency developers have adopted ad hoc approaches to stabilize their cryptocurrency price. When these currencies are not 100\% backed by other valued assets, part of their price volatility may arise from self-fulfilling expectations of a speculative attack (as in [\textit{M. Obstfeld}, Eur. Econ. Rev. 40, No. 3--5, 1037--1047 (1996; \url{doi:10.1016/0014-2921(95)00111-5})]). We show that an exchange rate policy which is less than 100\% backed and dynamically adjusts in response to traders' conversion demand eliminates speculative attacks while, under some conditions, preserving much of the desired exchange rate stability. This dynamic exchange rate policy admits a great deal of discretion to, and requires commitment by, the party implementing the policy. We demonstrate how to implement this policy using the Ethereum network, a smart contract blockchain environment, and how this implementation yields commitment to the policy.

Discussion of: ``Currency stability using blockchain technology''
https://zbmath.org/1517.91289
Authors: Sultanum, Bruno
Summary: The volatility of cryptocurrencies hinders their ability to be media of exchange or stores of value, leading to the implementation of exchange-rate pegs in an attempt to stabilize these currencies. This strategy has been used by cryptocurrencies such as US Dollar Tether, Steem Backed Dollar and TrueUSD, and was previously adopted in countries such as Brazil, Mexico and Argentina. However, an exchange-rate peg is vulnerable to speculative attacks if it is not 100\% backed by reserves, as discussed in [\textit{M. Obstfeld}, Eur. Econ. Rev. 40, No. 3--5, 1037--1047 (1996; \url{doi:10.1016/0014-2921(95)00111-5})]. Using insights from the bank-run literature, \textit{B. Routledge} and \textit{A. Zetlin-Jones} [ibid. 141, Article ID 104155, 26 p. (2022; Zbl 1517.91288)] build on [\textit{E. J. Green} and \textit{P. Lin}, J. Econ. Theory 109, No. 1, 1--23 (2003; Zbl 1032.91065)] and propose a model of speculative attacks. They show that adjustments to the exchange rate can prevent speculative attacks in equilibrium. They also show how to implement such contracts using blockchain technology. In this discussion paper, I provide a cautionary tale. I show, also in a version of Green and Lin [loc. cit.], that the information content in the blockchain prevents agents from attaining all the gains from risk sharing, highlighting the downsides of too much public information.

Advances in cryptology -- ASIACRYPT 2022. 28th international conference on the theory and application of cryptology and information security, Taipei, Taiwan, December 5--9, 2022. Proceedings. Part II
https://zbmath.org/1517.94001
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1510.94004; Zbl 1510.94003; Zbl 1510.94002; Zbl 1511.94004]. For Parts I, III and IV of the proceedings of the present conference see [Zbl 1517.94002; Zbl 1517.94003; Zbl 1517.94004].
Indexed articles:
\textit{Leroux, Antonin}, A new isogeny representation and applications to cryptography, 3-35 [Zbl 07728536]
\textit{Duman, Julien; Hartmann, Dominik; Kiltz, Eike; Kunzweiler, Sabrina; Lehmann, Jonas; Riepel, Doreen}, Group action key encapsulation and non-interactive key exchange in the QROM, 36-66 [Zbl 07728537]
\textit{Castryck, Wouter; Decru, Thomas; Houben, Marc; Vercauteren, Frederik}, Horizontal racewalking using radical isogenies, 67-96 [Zbl 07728538]
\textit{Castagnos, Guilhem; Laguillaumie, Fabien; Tucker, Ida}, Threshold linearly homomorphic encryption on \(\mathrm{Z}/2^k\mathrm{Z}\), 99-129 [Zbl 07728539]
\textit{Liu, Zeyu; Micciancio, Daniele; Polyakov, Yuriy}, Large-precision homomorphic sign evaluation using FHEW/TFHE bootstrapping, 130-160 [Zbl 07728540]
\textit{Kim, Seonghak; Park, Minji; Kim, Jaehyung; Kim, Taekyung; Min, Chohong}, EvalRound algorithm in CKKS bootstrapping, 161-187 [Zbl 07728541]
\textit{Bonte, Charlotte; Iliashenko, Ilia; Park, Jeongeun; Pereira, Hilder V. L.; Smart, Nigel P.}, FINAL: faster FHE instantiated with NTRU and LWE, 188-215 [Zbl 07728542]
\textit{Wang, Nan; Chau, Sid Chi-Kin}, Flashproofs: efficient zero-knowledge arguments of range and polynomial evaluation with transparent setup, 219-248 [Zbl 07728543]
\textit{Lipmaa, Helger; Siim, Janno; Zając, Michał}, Counting vampires: from univariate sumcheck to updatable ZK-SNARK, 249-278 [Zbl 07728544]
\textit{Kondi, Yashvanth; Shelat, Abhi}, Improved straight-line extraction in the random oracle model with applications to signature aggregation, 279-309 [Zbl 07728545]
\textit{De Feo, Luca; Dobson, Samuel; Galbraith, Steven D.; Zobernig, Lukas}, SIDH proof of knowledge, 310-339 [Zbl 07728546]
\textit{Zeng, Gongxian; Lai, Junzuo; Huang, Zhengan; Wang, Yu; Zheng, Zhiming}, DAG-\( \Sigma \): a DAG-based sigma protocol for relations in CNF, 340-370 [Zbl 07728547]
\textit{Feneuil, Thibauld; Maire, Jules; Rivain, Matthieu; Vergnaud, Damien}, Zero-knowledge protocols for the subset sum problem from MPC-in-the-head with rejection, 371-402 [Zbl 07728548]
\textit{Kim, Sungwook; Lee, Hyeonbum; Seo, Jae Hong}, Efficient zero-knowledge arguments in discrete logarithm setting: sublogarithmic proof or sublinear verifier, 403-433 [Zbl 07728549]
\textit{Wang, Yuyu; Pan, Jiaxin}, Unconditionally secure NIZK in the fine-grained setting, 437-465 [Zbl 07728550]
\textit{Canetti, Ran; Sarkar, Pratik; Wang, Xiao}, Triply adaptive UC NIZK, 466-495 [Zbl 07728551]
\textit{Ghosal, Riddhi; Lou, Paul; Sahai, Amit}, Efficient NIZKs from LWE via polynomial reconstruction and ``MPC in the head'', 496-521 [Zbl 07728552]
\textit{Shen, Yaobin; Sibleyras, Ferdinand}, Key-reduced variants of 3Kf9 with beyond-birthday-bound security, 525-554 [Zbl 07728553]
\textit{Băcuieți, Norica; Daemen, Joan; Hoffert, Seth; Van Assche, Gilles; Van Keer, Ronny}, Jammin' on the deck, 555-584 [Zbl 07728554]
\textit{Hosoyamada, Akinori; Isobe, Takanori; Todo, Yosuke; Yasuda, Kan}, A modular approach to the incompressibility of block-cipher-based AEADs, 585-619 [Zbl 07728555]
\textit{Grassi, Lorenzo; Mennink, Bart}, Security of truncated permutation without initial value, 620-650 [Zbl 07728556]
\textit{Backendal, Matilda; Günther, Felix; Paterson, Kenneth G.}, Puncturable key wrapping and its applications, 651-681 [Zbl 07728557]
\textit{Choi, Wonseok; Kim, Hwigyeom; Lee, Jooyoung; Lee, Yeongmin}, Multi-user security of the sum of truncated random permutations, 682-710 [Zbl 07728558]
Advances in cryptology -- ASIACRYPT 2022. 28th international conference on the theory and application of cryptology and information security, Taipei, Taiwan, December 5--9, 2022. Proceedings. Part I
https://zbmath.org/1517.94002 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1510.94004; Zbl 1510.94003; Zbl 1510.94002; Zbl 1511.94004]. For Parts II, III and IV of the proceedings of the present conference see [Zbl 1517.94001; Zbl 1517.94003; Zbl 1517.94004].
Indexed articles:
\textit{Montgomery, Hart; Zhandry, Mark}, Full quantum equivalence of group action DLog and CDH, and more, 3-32 [Zbl 07731510]
\textit{Alamati, Navid; Patranabis, Sikhar}, Cryptographic primitives with hinting property, 33-62 [Zbl 07731511]
\textit{Chavez-Saab, Jorge; Rodríguez-Henríquez, Francisco; Tibouchi, Mehdi}, \textsc{SwiftEC}: Shallue-van de Woestijne indifferentiable function to elliptic curves. Faster indifferentiable hashing to elliptic curves, 63-92 [Zbl 07731512]
\textit{Ky Nguyen; Duong Hieu Phan; Pointcheval, David}, Multi-client functional encryption with fine-grained access control, 95-125 [Zbl 07731513]
\textit{Datta, Pratish; Pal, Tapas; Takashima, Katsuyuki}, Compact FE for unbounded attribute-weighted sums for logspace from SXDH, 126-159 [Zbl 07731514]
\textit{Ananth, Prabhanjan; Chung, Kai-Min; Fan, Xiong; Qian, Luowen}, Collusion-resistant functional encryption for RAMs, 160-194 [Zbl 07731515]
\textit{Vaikuntanathan, Vinod; Wee, Hoeteck; Wichs, Daniel}, Witness encryption and null-iO from evasive LWE, 195-221 [Zbl 07731516]
\textit{Liu, Fukang; Sarkar, Santanu; Wang, Gaoli; Meier, Willi; Isobe, Takanori}, Algebraic meet-in-the-middle attack on LowMC, 225-255 [Zbl 07731517]
\textit{Coutinho, Murilo; Passos, Iago; Grados Vásquez, Juan C.; de Mendonça, Fábio L. L.; de Sousa, Rafael Timteo jun.; Borges, Fábio}, Latin dances reloaded: improved cryptanalysis against Salsa and ChaCha, and the proposal of Forró, 256-286 [Zbl 07731518]
\textit{Qin, Lingyue; Dong, Xiaoyang; Wang, Anyu; Hua, Jialiang; Wang, Xiaoyun}, Mind the \texttt{TWEAKEY} schedule: cryptanalysis on \texttt{SKINNYe-64-256}, 287-317 [Zbl 07731519]
\textit{Bao, Zhenzhen; Guo, Jian; Liu, Meicheng; Ma, Li; Tu, Yi}, Enhancing differential-neural cryptanalysis, 318-347 [Zbl 07731520]
\textit{Chattopadhyay, Soumya; Jha, Ashwin; Nandi, Mridul}, Towards tight security bounds for \textsf{OMAC, XCBC} and \textsf{TMAC}, 348-378 [Zbl 07731521]
\textit{Chen, Yu Long}, A modular approach to the security analysis of two-permutation constructions, 379-409 [Zbl 07731522]
\textit{Song, Ling; Zhang, Nana; Yang, Qianqian; Shi, Danping; Zhao, Jiahao; Hu, Lei; Weng, Jian}, Optimizing rectangle attacks: a unified and generic framework for key recovery, 410-440 [Zbl 07731523]
\textit{Couteau, Geoffroy; Rosén, Adi}, Random sources in private computation, 443-473 [Zbl 07731524]
\textit{Couteau, Geoffroy; Zarezadeh, Maryam}, Non-interactive secure computation of inner-product from LPN and LWE, 474-503 [Zbl 07731525]
\textit{Bhangale, Amey; Liu-Zhang, Chen-Da; Loss, Julian; Nayak, Kartik}, Efficient adaptively-secure Byzantine agreement for long messages, 504-525 [Zbl 07731526]
\textit{Morgan, Andrew; Pass, Rafael}, Concurrently composable non-interactive secure computation, 526-555 [Zbl 07731527]
\textit{Hegde, Aditya; Koti, Nishat; Kukkala, Varsha Bhat; Patil, Shravani; Patra, Arpita; Paul, Protik}, Attaining GOD beyond honest majority with friends and foes, 556-587 [Zbl 07731528]
\textit{Li, Shuaishuai}, Towards practical topology-hiding computation, 588-617 [Zbl 07731529]
\textit{Brzuska, Chris; Delignat-Lavaud, Antoine; Egger, Christoph; Fournet, Cédric; Kohbrok, Konrad; Kohlweiss, Markulf}, Key-schedule security for the TLS 1.3 standard, 621-650 [Zbl 07731530]
\textit{Cascudo, Ignacio; David, Bernardo; Garms, Lydia; Konring, Anders}, YOLO YOSO: fast and simple encryption and secret sharing in the YOSO model, 651-680 [Zbl 07731531]
\textit{Alexandru, Andreea B.; Blum, Erica; Katz, Jonathan; Loss, Julian}, State machine replication under changing network conditions, 681-710 [Zbl 07731532]
\textit{Fuchsbauer, Georg; Orrù, Michele}, Non-interactive Mimblewimble transactions, revisited, 713-744 [Zbl 07731533]
\textit{Jia, Yanxue; Sun, Shi-Feng; Zhou, Hong-Sheng; Gu, Dawu}, A universally composable non-interactive aggregate cash system, 745-773 [Zbl 07731534]
\textit{Liu-Zhang, Chen-Da; Matt, Christian; Maurer, Ueli; Rito, Guilherme; Thomsen, Søren Eller}, Practical provably secure flooding for blockchains, 774-805 [Zbl 07731535]
\textit{Abusalah, Hamza; Fuchsbauer, Georg; Gaži, Peter; Klein, Karen}, SNACKs: leveraging proofs of sequential work for blockchain light clients, 806-836 [Zbl 07731536]
Advances in cryptology -- ASIACRYPT 2022. 28th international conference on the theory and application of cryptology and information security, Taipei, Taiwan, December 5--9, 2022. Proceedings. Part III
https://zbmath.org/1517.94003 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1510.94004; Zbl 1510.94003; Zbl 1510.94002; Zbl 1511.94004]. For Parts I, II and IV of the proceedings of the present conference see [Zbl 1517.94002; Zbl 1517.94001; Zbl 1517.94004].
Indexed articles:
\textit{Miracle, Sarah; Yilek, Scott}, New algorithms and analyses for sum-preserving encryption, 3-31 [Zbl 07731537]
\textit{Cosseron, Orel; Hoffmann, Clément; Méaux, Pierrick; Standaert, François-Xavier}, Towards case-optimized hybrid homomorphic encryption. Featuring the \textsf{Elisabeth} stream cipher, 32-67 [Zbl 07731538]
\textit{Derbez, Patrick; Euler, Marie; Fouque, Pierre-Alain; Phuong Hoa Nguyen}, Revisiting related-key boomerang attacks on AES using computer-aided tool, 68-88 [Zbl 07731539]
\textit{Pijnenburg, Jeroen; Poettering, Bertram}, On secure ratcheting with immediate decryption, 89-118 [Zbl 07731540]
\textit{Dowling, Benjamin; Hauck, Eduard; Riepel, Doreen; Rösler, Paul}, Strongly anonymous ratcheted key exchange, 119-150 [Zbl 07731541]
\textit{Campanelli, Matteo; David, Bernardo; Khoshakhlagh, Hamidreza; Konring, Anders; Nielsen, Jesper Buus}, Encryption to the future. A paradigm for sending secret messages to future (anonymous) committees, 151-180 [Zbl 07731542]
\textit{Len, Julia; Grubbs, Paul; Ristenpart, Thomas}, Authenticated encryption with key identification, 181-209 [Zbl 07731543]
\textit{Lyu, You; Liu, Shengli; Han, Shuai; Gu, Dawu}, Privacy-preserving authenticated key exchange in the standard model, 210-240 [Zbl 07731544]
\textit{Cui, Jiamin; Hu, Kai; Wang, Meiqin; Wei, Puwen}, On the field-based division property: applications to MiMC, Feistel MiMC and GMiMC, 241-270 [Zbl 07731545]
\textit{Devillez, Henri; Pereira, Olivier; Peters, Thomas}, Traceable receipt-free encryption, 273-303 [Zbl 07731546]
\textit{Jutla, Charanjit; Patranabis, Sikhar}, Efficient searchable symmetric encryption for join queries, 304-333 [Zbl 07731547]
\textit{Deng, Yi; Zhang, Xinxuan}, Knowledge encryption and its applications to simulatable protocols with low round-complexity, 334-362 [Zbl 07731548]
\textit{Pan, Jiaxin; Zeng, Runzhi}, Compact and tightly selective-opening secure public-key encryption schemes, 363-393 [Zbl 07731549]
\textit{Chen, Jie; Li, Yu; Wen, Jinming; Weng, Jian}, Identity-based matchmaking encryption from standard assumptions, 394-422 [Zbl 07731550]
\textit{Huang, Zhengan; Lai, Junzuo; Han, Shuai; Lyu, Lin; Weng, Jian}, Anonymous public key encryption under corruptions, 423-453 [Zbl 07731551]
\textit{Jaeger, Joseph; Kumar, Akshaya}, Memory-tight multi-challenge security of public-key encryption, 454-484 [Zbl 07731552]
\textit{Arun, Arasu; Bonneau, Joseph; Clark, Jeremy}, Short-lived zero-knowledge proofs and signatures, 487-516 [Zbl 07731553]
\textit{Yang, Kang; Wang, Xiao}, Non-interactive zero-knowledge proofs to multiple verifiers, 517-546 [Zbl 07731554]
\textit{Chen, Brian; Dodis, Yevgeniy; Ghosh, Esha; Goldin, Eli; Kesavan, Balachandar; Marcedone, Antonio; Mou, Merry Ember}, Rotatable zero knowledge sets. Post compromise secure auditable dictionaries with application to key transparency, 547-580 [Zbl 07731555]
\textit{Benedikt, Barbara Jiabao; Fischlin, Marc; Huppert, Moritz}, Nostradamus goes quantum, 583-613 [Zbl 07731556]
\textit{Huang, Zhenyu; Sun, Siwei}, Synthesizing quantum circuits of AES with lower \(T\)-depth and less qubits, 614-644 [Zbl 07731557]
\textit{Guo, Jian; Liu, Guozhen; Song, Ling; Tu, Yi}, Exploring SAT for cryptanalysis: (quantum) collision attacks against 6-round SHA-3, 645-674 [Zbl 07731558]
\textit{Bernard, Olivier; Lesavourey, Andrea; Tuong-Huy Nguyen; Roux-Langlois, Adeline}, Log-\(\mathcal{S}\)-unit lattices using explicit Stickelberger generators to solve approx ideal-SVP, 677-708 [Zbl 07731559]
\textit{Felderhoff, Joël; Pellet-Mary, Alice; Stehlé, Damien}, On module unique-SVP and NTRU, 709-740 [Zbl 07731560]
\textit{Liu, Hanlin; Yu, Yu}, A non-heuristic approach to time-space tradeoffs and optimizations for BKW, 741-770 [Zbl 07731561]
\textit{Xu, Jun; Sarkar, Santanu; Wang, Huaxiong; Hu, Lei}, Improving bounds on elliptic curve hidden number problem for ECDH key exchange, 771-799 [Zbl 07731562]
Advances in cryptology -- ASIACRYPT 2022. 28th international conference on the theory and application of cryptology and information security, Taipei, Taiwan, December 5--9, 2022. Proceedings. Part IV
https://zbmath.org/1517.94004 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1510.94004; Zbl 1510.94003; Zbl 1510.94002; Zbl 1511.94004]. For Parts I, II and III of the proceedings of the present conference see [Zbl 1517.94002; Zbl 1517.94001; Zbl 07710676].
Indexed articles:
\textit{Hülsing, Andreas; Kudinov, Mikhail}, Recovering the tight security proof of SPHINCS\textsuperscript{+}, 3-33 [Zbl 07730488]
\textit{Devevey, Julien; Fawzi, Omar; Passelègue, Alain; Stehlé, Damien}, On rejection sampling in Lyubashevsky's signature scheme, 34-64 [Zbl 07730489]
\textit{Ducas, Léo; Postlethwaite, Eamonn W.; Pulles, Ludo N.; van Woerden, Wessel}, \textsc{Hawk}: module LIP makes lattice signatures fast, compact and simple, 65-94 [Zbl 07730490]
\textit{Lyubashevsky, Vadim; Nguyen, Ngoc Khanh}, BLOOM: bimodal lattice one-out-of-many proofs and applications, 95-125 [Zbl 07730491]
\textit{Zhou, Zhelei; Zhang, Bingsheng; Zhou, Hong-Sheng; Ren, Kui}, GUC-secure commitments via random oracles: new impossibility and feasibility, 129-158 [Zbl 07730492]
\textit{Catalano, Dario; Fiore, Dario; Tucker, Ida}, Additive-homomorphic functional commitments and applications to homomorphic signatures, 159-188 [Zbl 07730493]
\textit{Campanelli, Matteo; Nitulescu, Anca; Ràfols, Carla; Zacharakis, Alexandros; Zapico, Arantxa}, Linear-map vector commitments and their practical applications, 189-219 [Zbl 07730494]
\textit{Libert, Benoît; Passelègue, Alain; Riahinia, Mahshid}, PointProofs, revisited, 220-246 [Zbl 07730495]
\textit{Branco, Pedro; Döttling, Nico; Wohnig, Stella}, Universal ring signatures in the standard model, 249-278 [Zbl 07730496]
\textit{Kastner, Julia; Loss, Julian; Xu, Jiayu}, The Abe-Okamoto partially blind signature scheme revisited, 279-309 [Zbl 07730497]
\textit{Zhang, Cong; Zhou, Hong-Sheng; Katz, Jonathan}, An analysis of the algebraic group model, 310-322 [Zbl 07730498]
\textit{Murphy, Alice; O'Neill, Adam; Zaheri, Mohammad}, Instantiability of classical random-oracle-model encryption transforms, 323-352 [Zbl 07730499]
\textit{Apon, Daniel; Cachet, Chloe; Fuller, Benjamin; Hall, Peter; Liu, Feng-Hao}, Nonmalleable digital lockers and robust fuzzy extractors in the plain model, 353-383 [Zbl 07730500]
\textit{Brian, Gianluca; Faust, Sebastian; Micheli, Elena; Venturi, Daniele}, Continuously non-malleable codes against bounded-depth tampering, 384-413 [Zbl 07730501]
\textit{Hövelmanns, Kathrin; Hülsing, Andreas; Majenz, Christian}, Failing gracefully: decryption failures and the Fujisaki-Okamoto transform, 414-443 [Zbl 07730502]
\textit{Flórez-Gutiérrez, Antonio}, Optimising linear key recovery attacks with affine Walsh transform pruning, 447-476 [Zbl 07730503]
\textit{Carrier, Kévin; Debris-Alazard, Thomas; Meyer-Hilfiger, Charles; Tillich, Jean-Pierre}, Statistical decoding 2.0: reducing decoding to LPN, 477-507 [Zbl 07730504]
\textit{Zhou, Yuanyuan; van de Pol, Joop; Yu, Yu; Standaert, François-Xavier}, A third is all you need: extended partial key exposure attack on CRT-RSA with additive exponent blinding, 508-536 [Zbl 07730505]
\textit{He, Jiahui; Hu, Kai; Preneel, Bart; Wang, Meiqin}, Stretching cube attacks: improved methods to recover massive superpolies, 537-566 [Zbl 07730506]
\textit{Kitagawa, Fuyuki; Nishimaki, Ryo}, Functional encryption with secure key leasing, 569-598 [Zbl 07730507]
\textit{Morimae, Tomoyuki; Yamakawa, Takashi}, Classically verifiable NIZK for QMA with preprocessing, 599-627 [Zbl 07730508]
\textit{Yan, Jun}, General properties of quantum bit commitments (extended abstract), 628-657 [Zbl 07730509]
4th conference on information-theoretic cryptography, ITC 2023, Aarhus University, Aarhus, Denmark, June 6--8, 2023
https://zbmath.org/1517.94005 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1491.94003].
Code-based cryptography. 10th international workshop, CBCrypto 2022, Trondheim, Norway, May 29--30, 2022. Revised selected papers
https://zbmath.org/1517.94006 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding workshop see [Zbl 1492.94014].
Indexed articles:
\textit{Hörmann, Felicitas; Bartz, Hannes; Horlemann, Anna-Lena}, Distinguishing and recovering generalized linearized Reed-Solomon codes, 1-20 [Zbl 07729105]
\textit{Brain, Martin; Cid, Carlos; Player, Rachel; Robson, Wrenna}, Verifying classic McEliece: examining the role of formal methods in post-quantum cryptography standardisation, 21-36 [Zbl 07729106]
\textit{Pircher, Sabine; Geier, Johannes; Danner, Julian; Mueller-Gritschneder, Daniel; Wachter-Zeh, Antonia}, Key-recovery fault injection attack on the classic McEliece KEM, 37-61 [Zbl 07729107]
\textit{Aguilar-Melchor, Carlos; Deneuville, Jean-Christophe; Dion, Arnaud; Howe, James; Malmain, Romain; Migliore, Vincent; Nawan, Mamuri; Nawaz, Kashif}, Towards automating cryptographic hardware implementations: a case study of HQC, 62-76 [Zbl 07729108]
\textit{Seck, Boly; Gueye, Cheikh Thiécoumba; Dione, Gilbert Ndollane; Klamti, Jean Belo; Cayrel, Pierre-Louis; Diop, Idy; Ndiaye, Ousmane}, Software implementation of a code-based key encapsulation mechanism from binary QD generalized Srivastava codes, 77-89 [Zbl 07729109]
\textit{Jerkovits, Thomas; Hörmann, Felicitas; Bartz, Hannes}, On decoding high-order interleaved sum-rank-metric codes, 90-109 [Zbl 07729110]
\textit{Bariffi, Jessica; Khathuria, Karan; Weger, Violetta}, Information set decoding for Lee-metric codes using restricted balls, 110-136 [Zbl 07729111]
\textit{Vedenev, Kirill; Kosolapov, Yury}, Cryptanalysis of Ivanov-Krouk-Zyablov cryptosystem, 137-153 [Zbl 07729112]
Information security and cryptology. 18th International conference, Inscrypt 2022, Beijing, China, December 11--13, 2022. Revised selected papers
https://zbmath.org/1517.94007 2023-09-22T14:21:46.120933Z
The articles of mathematical interest will be reviewed individually. For the preceding conference see [Zbl 1490.94006].
Indexed articles:
\textit{Miao, Xin; Guo, Chun; Wang, Meiqin; Wang, Weijia}, How fast can SM4 be in software?, 3-22 [Zbl 07730512]
\textit{Zhang, Lei; Wu, Ruichen; Zhang, Yuhan; Zheng, Yafei; Wu, Wenling}, LLLWBC: a new low-latency light-weight block cipher, 23-42 [Zbl 07730513]
\textit{Cao, Weiwei; Zhang, Wentao; Zhou, Chunning}, New automatic search tool for searching for impossible differentials using undisturbed bits, 43-63 [Zbl 07730514]
\textit{Zhang, Min; Tu, Binbin; Chen, Yu}, You can sign but not decrypt: hierarchical integrated encryption and signature, 67-86 [Zbl 07730515]
\textit{Ma, Wenqiu; Zhang, Rui}, SR-MuSig2: a scalable and reconfigurable multi-signature scheme and its applications, 87-107 [Zbl 07730516]
\textit{Chen, You; Ding, Ning; Gu, Dawu; Bian, Yang}, Correction to: ``Practical multi-party private set intersection cardinality and intersection-sum under arbitrary collusion'', C1 [Zbl 07730511]
\textit{Guo, Wenshuo; Fu, Fang-Wei}, McEliece-type encryption based on Gabidulin codes with no hidden structure, 108-126 [Zbl 07730517]
\textit{Zhu, Chengkai; Huang, Zhenyu}, Optimizing the depth of quantum implementations of linear layers, 129-147 [Zbl 07730518]
\textit{Chen, Zhao; Lu, Xianhui; Jia, Dingding; Li, Bao}, IND-CCA security of Kyber in the quantum random oracle model, revisited, 148-166 [Zbl 07730519]
\textit{Chen, You; Ding, Ning; Gu, Dawu; Bian, Yang}, Practical multi-party private set intersection cardinality and intersection-sum under arbitrary collusion, 169-191 [Zbl 07730520]
\textit{Zhang, Cong; Li, Shuaishuai; Lin, Dongdai}, Amortizing division and exponentiation, 192-210 [Zbl 07730521]
\textit{Li, Chenmeng; Wu, Baofeng; Lin, Dongdai}, Generalized boomerang connectivity table and improved cryptanalysis of GIFT, 213-233 [Zbl 07730522]
\textit{Zhang, Lulu; Liu, Meicheng; Li, Shuaishuai; Lin, Dongdai}, Cryptanalysis of Ciminion, 234-251 [Zbl 07730523]
\textit{Ding, Tianyou; Zhang, Wentao; Zhou, Chunning}, Clustering effect of iterative differential and linear trails, 252-271 [Zbl 07730524]
\textit{Yu, Qingyuan; Jia, Keting; Zou, Guangnan; Zhang, Guoyan}, Differential cryptanalysis of round-reduced \texttt{SPEEDY} family, 272-291 [Zbl 07730525]
\textit{Li, Luying; Yu, Wei}, A note on inverted twisted Edwards curve, 295-304 [Zbl 07730526]
\textit{Li, Xiao; Yu, Wei; Zhu, Yuqing; Pan, Zhizhong}, Efficiently computable complex multiplication of elliptic curves, 305-317 [Zbl 07730527]
\textit{Wu, Yanan; Li, Nian; Zeng, Xiangyong; Cai, Yuhua}, Several classes of Niho type Boolean functions with few Walsh transform values, 318-333 [Zbl 07730528]
\textit{Li, Bohan; Zhang, Hailong; Lin, Dongdai}, Higher-order masking scheme for Trivium hardware implementation, 337-356 [Zbl 07730529]
\textit{Che, Cheng; Tian, Tian}, An experimentally verified attack on 820-round Trivium, 357-369 [Zbl 07730530]
\textit{Li, Yunfan; Yu, Lingjing; Liu, Qingyun}, HinPage: illegal and harmful webpage identification using transductive classification, 373-390 [Zbl 07730531]
\textit{Shen, Qintao; Sun, Hongyu; Meng, Guozhu; Chen, Kai; Zhang, Yuqing}, Detecting API missing-check bugs through complete cross checking of erroneous returns, 391-407 [Zbl 07730532]
\textit{Wang, Qi; Li, Wenxin; Yang, Kang; Zhao, Yiru; Zhao, Lei; Wang, Lina}, Efficient DNN backdoor detection guided by static weight analysis, 408-428 [Zbl 07730533]
\textit{Li, Jing; Zhang, Sisi; Wang, Xingbin; Hou, Rui}, Mimic octopus attack: dynamic camouflage adversarial examples using mimetic feature for 3D humans, 429-444 [Zbl 07730534]
\textit{Dong, Zhili; Tian, Shixin; Wang, Kunpeng; Lv, Chang}, Subfield attacks on HSVP in ideal lattices, 447-462 [Zbl 07730535]
\textit{Zhao, Zishen; Xu, Guangwu}, On the measurement and simulation of the BKZ behavior for \(q\)-ary lattices, 463-482 [Zbl 07730536]
\textit{Gao, Jing; Xu, Jun; Hu, Lei}, Inferring sequences produced by the Quadratic generator, 483-494 [Zbl 07730537]
Progress in cryptology -- INDOCRYPT 2022. 23rd international conference on cryptology in India, Kolkata, India, December 11--14, 2022. Proceedings
https://zbmath.org/1517.94008 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1510.94001].
Indexed articles:
\textit{Abdolmaleki, Behzad; Slamanig, Daniel}, CRS-updatable asymmetric quasi-adaptive NIZK arguments, 3-25 [Zbl 07726557]
\textit{Agrawal, Shashank; Dai, Wei; Luykx, Atul; Mukherjee, Pratyay; Rindal, Peter}, ParaDiSE: efficient threshold authenticated encryption in fully malicious model, 26-51 [Zbl 07726558]
\textit{Dai, Wei; Okamoto, Tatsuaki; Yamamoto, Go}, Stronger security and generic constructions for adaptor signatures, 52-77 [Zbl 07726559]
\textit{Boudgoust, Katharina; Jeudy, Corentin; Roux-Langlois, Adeline; Wen, Weiqiang}, Entropic hardness of Module-LWE from module-NTRU, 78-99 [Zbl 07726560]
\textit{Delaune, Stéphanie; Derbez, Patrick; Gontier, Arthur; Prud'homme, Charles}, New algorithm for exhausting optimal permutations for generalized Feistel networks, 103-124 [Zbl 07726561]
\textit{Xu, Shanjie; Da, Qi; Guo, Chun}, Minimizing Even-Mansour ciphers for sequential indifferentiability (without key schedules), 125-145 [Zbl 07726562]
\textit{Datta, Nilanjan; Dutta, Avijit; Ghosh, Shibam}, INT-RUP security of \textsf{SAEB} and \textsf{TinyJAMBU}, 146-170 [Zbl 07726563]
\textit{Bhattacharjee, Arghya; Bhaumik, Ritam; Nandi, Mridul}, Offset-based BBB-secure tweakable block-ciphers with updatable caches, 171-194 [Zbl 07726564]
\textit{Bhattacharjee, Arghya; Chakraborti, Avik; Datta, Nilanjan; Mancillas-López, Cuauhtemoc; Nandi, Mridul}, \textsf{ISAP+}: \textsf{ISAP} with fast authentication, 195-219 [Zbl 07726565]
\textit{Appan, Ananya; Chandramouli, Anirudh; Choudhury, Ashish}, Revisiting the efficiency of perfectly secure asynchronous multi-party computation against general adversaries, 223-248 [Zbl 07726566]
\textit{Connolly, Aisling; Deschamps, Jérôme; Lafourcade, Pascal; Perez Kempner, Octavio}, Protego: efficient, revocable and auditable anonymous credentials with applications to hyperledger fabric, 249-271 [Zbl 07726567]
\textit{Becker, Hanno; Kannwischer, Matthias J.}, Hybrid scalar/vector implementations of Keccak and SPHINCS\textsuperscript{+} on AArch64, 272-293 [Zbl 07726568]
\textit{Bellini, Emanuele; Chavez-Saab, Jorge; Chi-Domínguez, Jesús-Javier; Esser, Andre; Ionica, Sorina; Rivera-Zamarripa, Luis; Rodríguez-Henríquez, Francisco; Trimoska, Monika; Zweydinger, Floyd}, Parallel isogeny path finding with limited memory, 294-316 [Zbl 07726569]
\textit{Samajder, Subhabrata; Sarkar, Palash}, Distinguishing error of nonlinear invariant attacks, 319-335 [Zbl 07726570]
\textit{Kuijsters, Daniël; Verbakel, Denise; Daemen, Joan}, Weak subtweakeys in SKINNY, 336-348 [Zbl 07726571]
\textit{Dunkelman, Orr; Ghosh, Shibam; Lambooij, Eran}, Full round zero-sum distinguishers on \textsf{TinyJAMBU}-128 and \textsf{TinyJAMBU}-192 keyed-permutation in the known-key setting, 349-372 [Zbl 07726572]
\textit{Bellini, Emanuele; Gerault, David; Protopapa, Matteo; Rossi, Matteo}, Monte Carlo tree search for automatic differential characteristics search: application to SPECK, 373-397 [Zbl 07726573]
\textit{Chakraborty, Debasmita}, Finding three-subset division property for ciphers with complex linear layers, 398-421 [Zbl 07726574]
\textit{Chang, Chengcheng; Wang, Meiqin; Sun, Ling; Wang, Wei}, Improved truncated differential distinguishers of AES with concrete S-box, 422-445 [Zbl 07726575]
\textit{Maitra, Subhamoy; Mandal, Bimal; Roy, Manmatha}, Modifying bent functions to obtain the balanced ones with high nonlinearity, 449-470 [Zbl 07726576]
\textit{Chatterjee, Bikshan; Parikh, Rachit; Maitra, Arpita; Maitra, Subhamoy; Roy, Animesh}, Revisiting \textit{BoolTest} -- on randomness testing using Boolean functions, 471-491 [Zbl 07726577]
\textit{Gini, Agnese; Méaux, Pierrick}, Weightwise almost perfectly balanced functions: secondary constructions for all \(n\) and better weightwise nonlinearities, 492-514 [Zbl 07726578]
\textit{Jang, Kyungbae; Baksi, Anubhab; Kim, Hyunji; Seo, Hwajeong; Chattopadhyay, Anupam}, Improved quantum analysis of SPECK and LowMC, 517-540 [Zbl 07726579]
\textit{Basak, Jyotirmoy; Chakraborty, Kaushik; Maitra, Arpita; Maitra, Subhamoy}, A proposal for device independent probabilistic quantum oblivious transfer, 541-565 [Zbl 07726580]
\textit{Guo, Tingting; Wang, Peng; Hu, Lei; Ye, Dingfeng}, Quantum attacks on PRFs based on public random permutations, 566-591 [Zbl 07726581]
\textit{Chevalier, Céline; Ebrahimi, Ehsan; Vu, Quoc-Huy}, On security notions for encryption in a quantum world, 592-613 [Zbl 07726582]
\textit{Bernstein, Daniel J.}, A one-time single-bit fault leaks all previous NTRU-HRSS session keys to a chosen-ciphertext attack, 617-643 [Zbl 07726583]
\textit{Song, Zijian; Xu, Jun; Li, Zhiwei; Ye, Dingfeng}, An efficient key recovery attack against NTRUReEncrypt from AsiaCCS 2015, 644-657 [Zbl 07726584]
\textit{Castryck, Wouter; Vander Meeren, Natan}, Two remarks on the vectorization problem, 658-678 [Zbl 07726585]
\textit{Chatterjee, Sanjit; Pandit, Tapas}, Efficient IBS from a new assumption in the multivariate-quadratic setting, 679-696 [Zbl 07726586]
\textit{Chatterjee, Sanjit; Das, M. Prem Laxman; Pandit, Tapas}, Revisiting the security of salted UOV signature, 697-719 [Zbl 07726587]
Theory of cryptography. 20th international conference, TCC 2022, Chicago, IL, USA, November 7--10, 2022. Proceedings. Part II
https://zbmath.org/1517.94009 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1507.94008; Zbl 1508.94003; Zbl 1508.94004]. For Parts I and III of the proceedings of the present conference see [Zbl 1516.94002; Zbl 1517.94010].
Indexed articles:
\textit{Dodis, Yevgeniy; Jost, Daniel; Karthikeyan, Harish}, Forward-secure encryption with fast forwarding, 3-32 [Zbl 07726488]
\textit{Branco, Pedro; Döttling, Nico; Dujmović, Jesko}, Rate-1 incompressible encryption from standard assumptions, 33-69 [Zbl 07726489]
\textit{Akavia, Adi; Gentry, Craig; Halevi, Shai; Vald, Margarita}, Achievable \textsf{CCA2} relaxation for homomorphic encryption, 70-99 [Zbl 07726490]
\textit{Applebaum, Benny; Kachlon, Eliran; Patra, Arpita}, Round-optimal honest-majority MPC in Minicrypt and with everlasting security (extended abstract), 103-120 [Zbl 07726491]
\textit{Boyle, Elette; Couteau, Geoffroy; Meyer, Pierre}, Sublinear secure computation from new assumptions, 121-150 [Zbl 07726492]
\textit{McQuoid, Ian; Rosulek, Mike; Xu, Jiayu}, How to obfuscate MPC inputs, 151-180 [Zbl 07726493]
\textit{Badrinarayanan, Saikrishna; Patranabis, Sikhar; Sarkar, Pratik}, Statistical security in two-party computation revisited, 181-210 [Zbl 07726494]
\textit{Bienstock, Alexander; Dodis, Yevgeniy; Garg, Sanjam; Grogan, Garrison; Hajiabadi, Mohammad; Rösler, Paul}, On the worst-case inefficiency of CGKA, 213-243 [Zbl 07726495]
\textit{Koppula, Venkata; Waters, Brent; Zhandry, Mark}, Adaptive multiparty NIKE, 244-273 [Zbl 07726496]
\textit{Catalano, Dario; Fiore, Dario; Gennaro, Rosario; Giunta, Emanuele}, On the impossibility of algebraic vector commitments in pairing-free groups, 274-299 [Zbl 07726497]
\textit{Ciampi, Michele; Orsini, Emmanuela; Siniscalchi, Luisa}, Four-round black-box non-malleable schemes from one-way permutations, 300-329 [Zbl 07726498]
\textit{Geier, Nathan}, A tight computational indistinguishability bound for product distributions, 333-347 [Zbl 07726499]
\textit{Choi, Seung Geol; Dachman-Soled, Dana; Gordon, S. Dov; Liu, Linsheng; Yerukhimovich, Arkady}, Secure sampling with sublinear communication, 348-377 [Zbl 07726500]
\textit{Khorasgani, Hamidreza Amini; Maji, Hemanta K.; Nguyen, Hai H.}, Secure non-interactive simulation from arbitrary joint distributions, 378-407 [Zbl 07726501]
\textit{Bhushan, Kaartik; Misra, Ankit Kumar; Narayanan, Varun; Prabhakaran, Manoj}, Secure non-interactive reducibility is decidable, 408-437 [Zbl 07726502]
\textit{Ishai, Yuval; Khurana, Dakshita; Sahai, Amit; Srinivasan, Akshayaram}, Round-optimal black-box secure computation from two-round malicious OT, 441-469 [Zbl 07726503]
\textit{Ishai, Yuval; Patra, Arpita; Patranabis, Sikhar; Ravi, Divya; Srinivasan, Akshayaram}, Fully-secure MPC with minimal trust, 470-501 [Zbl 07726504]
\textit{Acharya, Anasuya; Hazay, Carmit; Kolesnikov, Vladimir; Prabhakaran, Manoj}, Scales. MPC with small clients and larger ephemeral servers, 502-531 [Zbl 07726505]
\textit{Alon, Bar; Nissenbaum, Olga; Omri, Eran; Paskin-Cherniavsky, Anat; Patra, Arpita}, On perfectly secure two-party computation for symmetric functionalities with correlated randomness, 532-561 [Zbl 07726506]
\textit{Bogdanov, Andrej; Cueto Noval, Miguel; Hoffmann, Charlotte; Rosen, Alon}, Public-key encryption from homogeneous CLWE, 565-592 [Zbl 07726507]
\textit{Bitansky, Nir; Choudhuri, Arka Rai; Holmgren, Justin; Kamath, Chethan; Lombardi, Alex; Paneth, Omer; Rothblum, Ron D.}, PPAD is as hard as LWE and iterated squaring, 593-622 [Zbl 07726508]
\textit{Freitag, Cody; Pass, Rafael; Sirkin, Naomi}, Parallelizable delegation from LWE, 623-652 [Zbl 07726509]
\textit{Lu, George; Waters, Brent}, How to sample a discrete Gaussian (and more) from a random oracle, 653-682 [Zbl 07726510]
\textit{Agrikola, Thomas; Couteau, Geoffroy; Maier, Sven}, Anonymous whistleblowing over authenticated channels, 685-714 [Zbl 07726511]
\textit{Ando, Megumi; Christ, Miranda; Lysyanskaya, Anna; Malkin, Tal}, Poly Onions: achieving anonymity in the presence of churn, 715-746 [Zbl 07726512]
\textit{Brandt, Nicholas; Hofheinz, Dennis; Kastner, Julia; Ünal, Akin}, The price of verifiability: lower bounds for verifiable random functions, 747-776 [Zbl 07726513]
\textit{Naor, Moni; Oved, Noa}, Bet-or-pass: adversarially robust Bloom filters, 777-808 [Zbl 07726514]
Theory of cryptography. 20th international conference, TCC 2022, Chicago, IL, USA, November 7--10, 2022. Proceedings. Part III
https://zbmath.org/1517.94010 2023-09-22T14:21:46.120933Z
The articles of this volume will be reviewed individually. For the preceding conference see [Zbl 1507.94008; Zbl 1508.94003; Zbl 1508.94004]. For Parts I and II of the proceedings of the present conference see [Zbl 1516.94002; Zbl 1517.94009].
Indexed articles:
\textit{Ben-David, Shany; Kalai, Yael Tauman; Paneth, Omer}, Verifiable private information retrieval, 3-32 [Zbl 07726619]
\textit{Halevi, Shai; Kushilevitz, Eyal}, Random-index oblivious RAM, 33-59 [Zbl 07726620]
\textit{Eriguchi, Reo; Kurosawa, Kaoru; Nuida, Koji}, On the optimal communication complexity of error-correcting multi-server PIR, 60-88 [Zbl 07726621]
\textit{Goyal, Saumya; Narayanan, Varun; Prabhakaran, Manoj}, Oblivious-transfer complexity of noisy coin-toss via secure zero communication reductions, 89-118 [Zbl 07726622]
\textit{Eldridge, Harry; Goel, Aarushi; Green, Matthew; Jain, Abhishek; Zinkus, Maximilian}, One-time programs from commodity hardware, 121-150 [Zbl 07726623]
\textit{Chan, Benjamin; Freitag, Cody; Pass, Rafael}, Universal reductions: reductions relative to stateful oracles, 151-180 [Zbl 07726624]
\textit{Garay, Juan; Kiayias, Aggelos; Shen, Yu}, Permissionless clock synchronization with public setup, 181-211 [Zbl 07726625]
\textit{Bauer, Balthazar; Farshim, Pooya; Harasser, Patrick; O'Neill, Adam}, Beyond Uber: instantiating generic groups via PGGs, 212-242 [Zbl 07726626]
On the complexity of anonymous communication through public networks
https://zbmath.org/1517.94011 2023-09-22T14:21:46.120933Z
"Ando, Megumi" https://zbmath.org/authors/?q=ai:ando.megumi; "Lysyanskaya, Anna" https://zbmath.org/authors/?q=ai:lysyanskaya.anna; "Upfal, Eli" https://zbmath.org/authors/?q=ai:upfal.eli
Summary: Onion routing is the most widely used approach to anonymous communication online. The idea is that Alice wraps her message to Bob in layers of encryption to form an ``onion'' and routes it through a series of intermediaries. Each intermediary's job is to decrypt (``peel'') the onion it receives to obtain instructions for where to send it next. The intuition is that, by the time it gets to Bob, the onion will have mixed with so many other onions that its origin will be hard to trace even for an adversary that observes the entire network and controls a fraction of the participants, possibly including Bob. Despite its widespread use in practice, until now no onion routing protocol was known that simultaneously achieved, in the presence of an active adversary that observes all network traffic and controls a constant fraction of the participants, (a) anonymity; (b) fault-tolerance, where even if a few of the onions are dropped, the protocol still delivers the rest; and (c) reasonable communication and computational complexity as a function of the security parameter and the number of participants.
In this paper, we give the first onion routing protocol that meets these goals: our protocol (a) achieves anonymity; (b) tolerates a polylogarithmic (in the security parameter) number of dropped onions and still delivers the rest; and (c) requires a polylogarithmic number of rounds and a polylogarithmic number of onions sent per participant per round.
We also show that to achieve anonymity in a fault-tolerant fashion via onion routing, this number of onions and rounds is necessary. Of independent interest, our analysis introduces two new security properties of onion routing -- mixing and equalizing -- and we show that together they imply anonymity.
For the entire collection see [Zbl 1465.94005].

Soliton orthogonal frequency division multiplexing with phase-frequency coding on the base of inverse scattering transform
https://zbmath.org/1517.94012
2023-09-22T14:21:46.120933Z
"Bogdanov, Stepan A." https://zbmath.org/authors/?q=ai:bogdanov.stepan-a
"Frumin, Leonid L." https://zbmath.org/authors/?q=ai:frumin.leonid-l
Summary: We propose a method for increasing the speed and spectral efficiency of information transmission over soliton communication lines, based on algorithms for solving inverse and direct scattering problems, in the frame of a modern soliton orthogonal frequency division multiplexing (SOFDM) approach. The proposed method uses simultaneous phase and frequency coding. This phase-frequency coding method retains all the technological advantages of the SOFDM method, and due to the additional frequency coding, a noticeable increase in the information transfer rate over the soliton optical lines is expected. Numerical modeling confirmed the prospects of the proposed method for telecommunication applications.

Beyond the Csiszár-Korner bound: best-possible wiretap coding via obfuscation
https://zbmath.org/1517.94013
2023-09-22T14:21:46.120933Z
"Ishai, Yuval" https://zbmath.org/authors/?q=ai:ishai.yuval
"Korb, Alexis" https://zbmath.org/authors/?q=ai:korb.alexis
"Lou, Paul" https://zbmath.org/authors/?q=ai:lou.paul
"Sahai, Amit" https://zbmath.org/authors/?q=ai:sahai.amit
Summary: A wiretap coding scheme [\textit{A. D. Wyner}, Bell Syst. Tech. J. 54, 1355--1387 (1975; Zbl 0316.94017)] enables Alice to reliably communicate a message \(m\) to an honest Bob by sending an encoding \(c\) over a noisy channel \textsf{ChB}, while at the same time hiding \(m\) from Eve who receives \(c\) over another noisy channel \textsf{ChE}.
Wiretap coding is clearly impossible when \textsf{ChB} is a degraded version of \textsf{ChE}, in the sense that the output of \textsf{ChB} can be simulated using only the output of \textsf{ChE}. A classic work of \textit{I. Csiszar} and \textit{J. Körner} [IEEE Trans. Inf. Theory 24, 339--348 (1978; Zbl 0382.94017)] shows that the converse does not hold. This follows from their full characterization of the channel pairs (\textsf{ChB}, \textsf{ChE}) that enable information-theoretic wiretap coding.
In this work, we show that in fact, the converse does hold when considering computational security; that is, wiretap coding against a computationally bounded Eve is possible if and only if \textsf{ChB} is not a degraded version of \textsf{ChE}. Our construction assumes the existence of virtual black-box (VBB) obfuscation of specific classes of ``evasive'' functions that generalize fuzzy point functions, and can be heuristically instantiated using indistinguishability obfuscation. Finally, our solution has the appealing feature of being universal in the sense that Alice's algorithm depends only on \textsf{ChB} and not on \textsf{ChE}.
For the entire collection see [Zbl 1514.94002].

Gossiping for communication-efficient broadcast
https://zbmath.org/1517.94014
2023-09-22T14:21:46.120933Z
"Tsimos, Georgios" https://zbmath.org/authors/?q=ai:tsimos.georgios
"Loss, Julian" https://zbmath.org/authors/?q=ai:loss.julian
"Papamanthou, Charalampos" https://zbmath.org/authors/?q=ai:papamanthou.charalampos
Summary: Byzantine Broadcast is crucial for many cryptographic protocols such as secret sharing, multiparty computation and blockchain consensus. In this paper we apply gossiping (propagating a message by sending to a few random parties who in turn do the same, until the message is delivered) and propose new communication-efficient protocols, under dishonest majority, for Single-Sender Broadcast (BC) and Parallel Broadcast (PBC), improving the state-of-the-art in several ways.
As our warm-up result, we present a randomized protocol for BC which achieves \(O(n^2\kappa^2)\) communication complexity from plain public key setup assumptions. This is the first protocol with subcubic communication in this setting, but operates only against static adversaries.
Using ideas from our BC protocol, we move to our central contribution and present two protocols for PBC that are secure against adaptive adversaries. To the best of our knowledge we are the first to study PBC specifically: All previous approaches for Parallel Broadcast naively run \(n\) instances of single-sender Broadcast, increasing the communication complexity by an undesirable factor of \(n\). Our insight of avoiding black-box invocations of BC is particularly crucial for achieving our asymptotic improvements. In particular:
\begin{enumerate}
\item Our first PBC protocol achieves \(\tilde{O}(n^3\kappa^2)\) communication complexity and relies only on plain public key setup assumptions.
\item Our second PBC protocol uses trusted setup and achieves nearly optimal communication complexity \(\tilde{O}(n^2\kappa^4)\).
\end{enumerate}
Both PBC protocols yield an almost linear improvement over the best known solutions involving \(n\) parallel invocations of the respective BC protocols such as those of \textit{D. Dolev} and \textit{H. R. Strong} [SIAM J. Comput. 12, 656--666 (1983; Zbl 0524.68021)] and \textit{T. H. H. Chan} et al. [Lect. Notes Comput. Sci. 12111, 246--265 (2020; Zbl 1482.94044)]. Central to our PBC protocols is a new problem that we define and solve, which we name ``Converge''. In Converge, parties must run an adaptively-secure and efficient protocol such that by the end of the protocol, all honest parties that remain possess a superset of the union of the initial honest parties' inputs.
For the entire collection see [Zbl 1514.94003].

Z-complementary pairs with flexible lengths and large zero odd-periodic correlation zones
https://zbmath.org/1517.94015
2023-09-22T14:21:46.120933Z
"Yao, Liqun" https://zbmath.org/authors/?q=ai:yao.liqun
"Ren, Wenli" https://zbmath.org/authors/?q=ai:ren.wenli
"Wang, Yong" https://zbmath.org/authors/?q=ai:wang.yong.16|wang.yong.1|wang.yong.11|wang.yong|wang.yong.13|wang.yong.17|wang.yong.8|wang.yong.14|wang.yong.30|wang.yong.27|wang.yong.2|wang.yong.7|wang.yong.6|wang.yong.10|wang.yong.25|wang.yong.5|wang.yong.18|wang.yong.3|wang.yong.15
"Tang, Chunming" https://zbmath.org/authors/?q=ai:tang.chunming
Summary: Z-complementary pairs (ZCPs) have been widely used in different communication systems. In this paper, we first investigate the odd-periodic correlation property of ZCPs, and propose a new class of ZCPs, called ZOC-ZCPs with zero correlation zone (ZCZ) width \(Z\) and zero odd-period correlation zone (ZOCZ) width \(Z_{\mathrm{odd}} = Z\) by horizontal concatenation of a certain combination of some known ZCPs. Particularly, based on any known Golay pair, we can generate a class of GCPs of more flexible length whose ZOCZ width is larger than a quarter of the sequence length.

WPPNets and WPPFlows: the power of Wasserstein patch priors for superresolution
https://zbmath.org/1517.94016
2023-09-22T14:21:46.120933Z
"Altekrüger, Fabian" https://zbmath.org/authors/?q=ai:altekruger.fabian
"Hertrich, Johannes" https://zbmath.org/authors/?q=ai:hertrich.johannes
Summary: Exploiting image patches instead of whole images has proved to be a powerful approach to tackling various problems in image processing. Recently, Wasserstein patch priors (WPPs), which are based on the comparison of the patch distributions of the unknown image and a reference image, were successfully used as data-driven regularizers in the variational formulation of superresolution.
However, for each input image, this approach requires the solution of a nonconvex minimization problem which is computationally costly. In this paper, we propose to learn two kinds of neural networks in an unsupervised way based on WPP loss functions. First, we show how convolutional neural networks (CNNs) can be incorporated. Once the network, called WPPNet, is learned, it can be very efficiently applied to any input image. Second, we incorporate conditional normalizing flows to provide a tool for uncertainty quantification. Numerical examples demonstrate the very good performance of WPPNets for superresolution in various image classes, even if the forward operator is known only approximately.A new image restoration model associated with special elliptic quaternionic least-squares solutions based on LabVIEWhttps://zbmath.org/1517.940172023-09-22T14:21:46.120933Z"Atali, Gokhan"https://zbmath.org/authors/?q=ai:atali.gokhan"Kosal, Hidayet Huda"https://zbmath.org/authors/?q=ai:kosal.hidayet-huda"Pekyaman, Muge"https://zbmath.org/authors/?q=ai:pekyaman.mugeSummary: In this paper, we take advantage of the elliptic complex matrix representation of elliptic quaternion matrices. Then we obtain the methods of the elliptic quaternionic least-squares solution, the pure elliptic quaternionic least-squares solution, and the real least-squares solution with the least norm of the elliptic quaternion matrix equation \(A X = B\). We also apply the newly obtained method of the pure elliptic quaternionic least-squares solution with the least norm to the color image restoration based on the LabVIEW program. 
In this context, we propose a new image restoration model called ``ELSI image restoration model'' associated with elliptic quaternionic least-squares solutions.

Benefiting from duplicates of compressed data: shift-based holographic compression of images
https://zbmath.org/1517.94018
2023-09-22T14:21:46.120933Z
"Dar, Yehuda" https://zbmath.org/authors/?q=ai:dar.yehuda
"Bruckstein, Alfred M." https://zbmath.org/authors/?q=ai:bruckstein.alfred-marcel
Summary: Storage systems often rely on multiple copies of the same compressed data, enabling recovery in case of binary data errors, of course, at the expense of a higher storage cost. In this paper, we show that a wiser method of duplication entails great potential benefits for data types tolerating approximate representations, like images and videos. We propose a method to produce a set of distinct compressed representations for a given signal, such that any subset of them allows reconstruction of the signal at a quality depending only on the number of compressed representations utilized. Essentially, we implement the holographic representation idea, where all the representations are equally important in refining the reconstruction. Here, we propose to exploit the shift sensitivity of common compression processes and generate holographic representations via compression of various shifts of the signal. Two implementations for the idea, based on standard compression methods, are presented: the first is a simple, optimization-free design. The second approach originates in a challenging rate-distortion optimization, mitigated by the alternating direction method of multipliers (ADMM), leading to a process of repeatedly applying standard compression techniques.
Evaluation of the approach, in conjunction with the JPEG2000 image compression standard, shows the effectiveness of the optimization in providing compressed holographic representations that, by means of an elementary reconstruction process, enable impressive gains of several dBs in PSNR over exact duplications.

3D image reconstruction using C-dual attention network from multi-view images
https://zbmath.org/1517.94019
2023-09-22T14:21:46.120933Z
"Kamble, Tanaji Umaji" https://zbmath.org/authors/?q=ai:kamble.tanaji-umaji
"Mahajan, Shrinivas Padmakar" https://zbmath.org/authors/?q=ai:mahajan.shrinivas-padmakar
3D image reconstruction using multi-view imaging is widely utilized in several application domains: games production, the construction field, disaster management, urban planning, etc. However, the 3D reconstruction from the multi-view image is still challenging due to the high freedom and inaccurate reconstruction. In this paper, a hybrid deep learning technique for reconstructing the 3D image is proposed. In this technique, the C-dual attention layer is proposed for generating the feature map. In the proposed 3D image reconstruction, the features are extracted automatically from AlexNet and ResNet-50. Then, the proposed C-dual attention layer is utilized for generating the inter-channel and inter-spatial relationship among the features to obtain enhanced reconstruction accuracy. The inter-channel relationship is evaluated using the channel attention layer, and the inter-spatial relationship is evaluated using the spatial attention layer of the encoder module. Here, the features generated by the spatial attention layer are combined to form the feature map in a 2D map. The proposed C-dual attention encoder provides enhanced features that help to acquire enhanced 3D image reconstruction. The proposed method is evaluated based on loss, IoU 3D, and IoU 2D.
Reviewer: Agnieszka Lisowska (Sosnowiec)

Time-fractional diffusion equation-based image denoising model
https://zbmath.org/1517.94020
2023-09-22T14:21:46.120933Z
"Liao, Xingran" https://zbmath.org/authors/?q=ai:liao.xingran
"Feng, Minfu" https://zbmath.org/authors/?q=ai:feng.minfu
(no abstract)

PDE evolutions for M-smoothers in one, two, and three dimensions
https://zbmath.org/1517.94021
2023-09-22T14:21:46.120933Z
"Welk, Martin" https://zbmath.org/authors/?q=ai:welk.martin
"Weickert, Joachim" https://zbmath.org/authors/?q=ai:weickert.joachim
Summary: Local M-smoothers are interesting and important signal and image processing techniques with many connections to other methods. In our paper, we derive a family of partial differential equations (PDEs) that result in one, two, and three dimensions as limiting processes from M-smoothers which are based on local order-\(p\) means within a ball the radius of which tends to zero. The order \(p\) may take any nonzero value \(>-1\), allowing also negative values. In contrast to results from the literature, we show in the space-continuous case that mode filtering does not arise for \(p \rightarrow 0\), but for \(p \rightarrow -1\). Extending our filter class to \(p\)-values smaller than \(-1\) allows one to include, e.g., the classical image sharpening flow of Gabor. The PDEs we derive in 1D, 2D, and 3D show large structural similarities. Since our PDE class is highly anisotropic and may contain backward parabolic operators, designing adequate numerical methods is difficult. We present an \(L^\infty\)-stable explicit finite difference scheme that satisfies a discrete maximum-minimum principle, offers excellent rotation invariance, and employs a splitting into four fractional steps to allow larger time step sizes. Although it approximates parabolic PDEs, it consequently benefits from stabilisation concepts from the numerics of hyperbolic PDEs.
Our 2D experiments show that the PDEs for \(p<1\) are of specific interest: Their backward parabolic term creates favourable sharpening properties, while they appear to maintain the strong shape simplification properties of mean curvature motion.

Blind image deblurring via the weighted Schatten \(p\)-norm minimization prior
https://zbmath.org/1517.94022
2023-09-22T14:21:46.120933Z
"Xu, Zhenhua" https://zbmath.org/authors/?q=ai:xu.zhenhua
"Chen, Huasong" https://zbmath.org/authors/?q=ai:chen.huasong
"Li, Zhenhua" https://zbmath.org/authors/?q=ai:li.zhenhua
Summary: In this paper, we propose a new image blind deblurring model, based on a novel low-rank prior. As the low-rank prior, we employ the weighted Schatten \(p\)-norm minimization (WSNM), which can represent both the sparsity and self-similarity of the image structure more accurately. In addition, the \(L_0\)-regularized gradient prior is introduced into our model, to extract significant edges quickly and effectively. Moreover, the WSNM prior can effectively eliminate harmful details and maintain dominant edges, to generate sharper intermediate images, which is beneficial for blur kernel estimation. To optimize the model, an efficient optimization algorithm is developed by combining the half-quadratic splitting strategy with the generalized soft-thresholding algorithm. Extensive experiments have demonstrated the validity of the WSNM prior. Our flexible low-rank prior enables the proposed algorithm to achieve excellent results in various special scenarios, such as the deblurring of text, face, saturated, and noise-containing images. In addition, our method can be extended naturally to non-uniform deblurring.
Quantitative and qualitative experimental evaluations indicate that the proposed algorithm is robust and performs favorably against state-of-the-art algorithms.

Image encryption algorithm with circle index table scrambling and partition diffusion
https://zbmath.org/1517.94023
2023-09-22T14:21:46.120933Z
"Zhou, Yang" https://zbmath.org/authors/?q=ai:zhou.yang.1|zhou.yang.2|zhou.yang.4|zhou.yang
"Li, Chunlai" https://zbmath.org/authors/?q=ai:li.chunlai
"Li, Wen" https://zbmath.org/authors/?q=ai:li.wen.5
"Li, Hongmin" https://zbmath.org/authors/?q=ai:li.hongmin
"Feng, Wei" https://zbmath.org/authors/?q=ai:feng.wei|feng.wei.1
"Qian, Kun" https://zbmath.org/authors/?q=ai:qian.kun
(no abstract)

Toward single particle reconstruction without particle picking: breaking the detection limit
https://zbmath.org/1517.94024
2023-09-22T14:21:46.120933Z
"Bendory, Tamir" https://zbmath.org/authors/?q=ai:bendory.tamir
"Boumal, Nicolas" https://zbmath.org/authors/?q=ai:boumal.nicolas
"Leeb, William" https://zbmath.org/authors/?q=ai:leeb.william-e
"Levin, Eitan" https://zbmath.org/authors/?q=ai:levin.eitan
"Singer, Amit" https://zbmath.org/authors/?q=ai:singer.amit
Summary: Single-particle cryo-electron microscopy (cryo-EM) has recently joined X-ray crystallography and NMR spectroscopy as a high-resolution structural method to resolve biological macromolecules. In a cryo-EM experiment, the microscope produces images called micrographs. Projections of the molecule of interest are embedded in the micrographs at unknown locations, and under unknown viewing directions. Standard imaging techniques first locate these projections (detection) and then reconstruct the 3-D structure from them. Unfortunately, high noise levels hinder detection. When reliable detection is rendered impossible, the standard techniques fail. This is a problem, especially for small molecules.
In this paper, we pursue a radically different approach: we contend that the structure could, in principle, be reconstructed directly from the micrographs, without intermediate detection. The aim is to bring small molecules within reach for cryo-EM. To this end, we design an autocorrelation analysis technique that allows one to go directly from the micrographs to the sought structures. This involves only one pass over the micrographs, allowing online, streaming processing for large experiments. We show numerical results and discuss challenges that lie ahead to turn this proof-of-concept into a complementary approach to state-of-the-art algorithms.

Welch bound equality sets with few distinct inner products from Delsarte-Goethals sets
https://zbmath.org/1517.94025
2023-09-22T14:21:46.120933Z
"Datta, Somantika" https://zbmath.org/authors/?q=ai:datta.somantika
Summary: Sets of signals that meet Welch bounds with equality or near equality are of value in communications and sensing applications, and the construction of such signal sets has been an active research area. Although Welch derived a family of bounds indexed by positive integers \(k\), only the first Welch bound (i.e., for \(k=1\)) has been considered in these constructions. Earlier, a frame-theoretic perspective was introduced on the higher Welch bounds that is valuable in constructing signals that simultaneously meet multiple Welch bounds with equality or near equality. This perspective is used in this paper to examine the existence of signal sets that meet the \(k\)th Welch bound with equality by using second order Reed-Muller codes.
Some examples of such signal sets are presented and connections to equiangular lines and \(t\)-designs are discussed.

Toeplitz operators for the Gabor spherical mean transform
https://zbmath.org/1517.94026
2023-09-22T14:21:46.120933Z
"Hammami, Aymen" https://zbmath.org/authors/?q=ai:hammami.aymen
Summary: We investigate the Gabor spherical mean transform and demonstrate the quantitative Shapiro dispersion uncertainty principle and the umbrella theorem specifically tailored for this transform. Next, we define the Toeplitz operators \({\mathcal{L}}^{g_1, g_2}_{{\mathcal{S}}}\) in connection with two window functions \(g_1\) and \(g_2\), as well as the symbol \({\mathcal{S}}\). We establish the boundedness and compactness of these operators. Ultimately, we introduce the Schatten-von Neumann class \(S_p\), where \(p \in [1, +\infty]\), and show that the Toeplitz operators are members of the class \(S_p\). Additionally, we provide a proof for a trace formula.

An optimization framework for the design of noise shaping loop filters with improved stability properties
https://zbmath.org/1517.94027
2023-09-22T14:21:46.120933Z
"Hannigan, Brett C." https://zbmath.org/authors/?q=ai:hannigan.brett-c
"Petersen, Christian L." https://zbmath.org/authors/?q=ai:petersen.christian-l
"Mallinson, A. Martin" https://zbmath.org/authors/?q=ai:mallinson.a-martin
"Dumont, Guy A." https://zbmath.org/authors/?q=ai:dumont.guy-a
Summary: A framework using semidefinite programming is proposed to enable the design of sigma delta modulator loop filters at the transfer function level. Both continuous-time and discrete-time, low-pass and band-pass designs are supported. For performance, we use the recently popularized Generalized Kalman-Yakubovič-Popov (GKYP) lemma to place constraints on the \(\mathcal{H}_\infty\) norm of the noise transfer function (NTF) in the frequency band of interest.
We expand the approach to incorporate common stability criteria in the form of \(\mathcal{H}_2\) and \(\ell_1\) norm NTF constraints. Furthering the discussion of stability, we introduce techniques from control systems to improve the robustness of the feedback system over a range of quantizer gains. The performance-stability trade-off is examined using this framework and motivated by simulation results.

Affine phase retrieval for sparse signals via \(\ell_1\) minimization
https://zbmath.org/1517.94028
2023-09-22T14:21:46.120933Z
"Huang, Meng" https://zbmath.org/authors/?q=ai:huang.meng
"Sun, Shixiang" https://zbmath.org/authors/?q=ai:sun.shixiang
"Xu, Zhiqiang" https://zbmath.org/authors/?q=ai:xu.zhiqiang
Summary: Affine phase retrieval is the problem of recovering signals from magnitude-only measurements with a priori information. In this paper, we use \(\ell_1\) minimization to exploit the sparsity of signals for affine phase retrieval, showing that \(O(k\log(en/k))\) Gaussian random measurements are sufficient to recover all \(k\)-sparse signals by solving a natural \(\ell_1\) minimization program, where \(n\) is the dimension of the signals. For the case where measurements are corrupted by noise, reconstruction error bounds are given for both real-valued and complex-valued signals. Our results demonstrate that the natural \(\ell_1\) minimization program for affine phase retrieval is stable.

An algorithm for estimating the signal frequency at the output of a channel with a controlled information flow under phase noise conditions
https://zbmath.org/1517.94029
2023-09-22T14:21:46.120933Z
"Kazakov, L. N." https://zbmath.org/authors/?q=ai:kazakov.leonid-nikolaevich
"Kubyshkin, E. P." https://zbmath.org/authors/?q=ai:kubyshkin.evgenii-pavlovich
"Lukyanov, I. V." https://zbmath.org/authors/?q=ai:lukyanov.ilya-viktorovich
(no abstract)

Adaptive generalised fractional spectrogram and its applications
https://zbmath.org/1517.94030
2023-09-22T14:21:46.120933Z
"Sahay, Peeyush" https://zbmath.org/authors/?q=ai:sahay.peeyush
"Teza, B. S." https://zbmath.org/authors/?q=ai:teza.b-s
"Kulkarni, Pranav" https://zbmath.org/authors/?q=ai:kulkarni.pranav
"Radhakrishna, P." https://zbmath.org/authors/?q=ai:radhakrishna.p
"Gadre, Vikram M." https://zbmath.org/authors/?q=ai:gadre.vikram-m
Summary: The generalised time-frequency transform (GTFT) is a powerful tool to analyse a large variety of frequency-modulated signals. However, it is not adequate to represent the variation of frequency over time for non-stationary signals. To solve this problem, short-time GTFT and short-time GTFT-based adaptive generalised fractional spectrogram (AGFS) are proposed. The AGFS is capable of providing a high concentration, high resolution, cross-term-free time-frequency distribution for analysing multicomponent frequency-modulated signals. It is also a generalisation of the short-time Fourier transform-based spectrogram and the short-time fractional Fourier transform-based spectrogram. The uncertainty principle for short-time GTFT is derived, and its time-bandwidth product is compared with other time-frequency distributions. With the help of simulated data examples, the effectiveness of AGFS is demonstrated in comparison with other time-frequency distributions for resolving and extracting individual components of multicomponent quadratic chirps. Robustness of AGFS is demonstrated under different input signal-to-noise ratio conditions. A local spectrogram optimisation technique is adopted for AGFS to represent simulated and real chirp signals.
Finally, an application of the AGFS is presented to resolve multiple ground moving targets in synthetic aperture radar data and obtain its focused synthetic aperture radar image.

Coupled fractional Wigner distribution with applications to LFM signals
https://zbmath.org/1517.94031
2023-09-22T14:21:46.120933Z
"Teali, Aajaz A." https://zbmath.org/authors/?q=ai:teali.aajaz-a
"Shah, Firdous A." https://zbmath.org/authors/?q=ai:shah.firdous-ahmad
"Tantary, Azhar Y." https://zbmath.org/authors/?q=ai:tantary.azhar-y
"Nisar, Kottakkaran S." https://zbmath.org/authors/?q=ai:sooppy-nisar.kottakkaran
(no abstract)

A neurodynamic algorithm for sparse signal reconstruction with finite-time convergence
https://zbmath.org/1517.94032
2023-09-22T14:21:46.120933Z
"Wen, Hongsong" https://zbmath.org/authors/?q=ai:wen.hongsong
"Wang, Hui" https://zbmath.org/authors/?q=ai:wang.hui.40|wang.hui|wang.hui.9|wang.hui.41|wang.hui.13|wang.hui.25|wang.hui.42|wang.hui.16|wang.hui.18|wang.hui.17|wang.hui.43|wang.hui.4|wang.hui.10|wang.hui.20|wang.hui.34|wang.hui.27|wang.hui.12|wang.hui.11|wang.hui.6|wang.hui.7|wang.hui.8|wang.hui.23|wang.hui.15|wang.hui.14
"He, Xing" https://zbmath.org/authors/?q=ai:he.xing
Summary: In this paper, a neurodynamic algorithm with finite-time convergence for solving the \(L_1\)-minimization problem is proposed for sparse signal reconstruction, based on a projection neural network (PNN). Compared with existing PNNs, the proposed algorithm is combined with the sliding mode technique from control theory. Under certain conditions, the stability of the proposed algorithm in the sense of Lyapunov is analyzed and discussed, and then the finite-time convergence of the proposed algorithm is proved and the settling time bound is given.
Finally, simulation results on a numerical example and a contrast experiment show the effectiveness and superiority of our proposed neurodynamic algorithm.

On the additive capacity problem for quantitative information flow
https://zbmath.org/1517.94033
2023-09-22T14:21:46.120933Z
"Chatzikokolakis, Konstantinos" https://zbmath.org/authors/?q=ai:chatzikokolakis.konstantinos
Summary: Preventing information leakage is a fundamental goal in achieving confidentiality. In many practical scenarios, however, eliminating such leaks is impossible. It then becomes desirable to quantify the severity of such leaks and establish bounds on the threat they impose. Aiming at developing measures that are robust with respect to a variety of operational conditions, a theory of channel capacity for the \(g\)-leakage model was developed in [\textit{M. S. Alvim} et al., in: Proceedings of the 2014 IEEE 27th computer security foundations symposium, CSF 2014, Vienna, Austria, July 19--22, 2014. Piscataway, NJ: IEEE. 308--322 (2014; \url{doi:10.1109/CSF.2014.29})], providing solutions for several scenarios in both the multiplicative and the additive setting.
This paper continues this line of work by providing substantial improvements over the results of [Alvim et al., loc. cit.] for additive leakage. The main idea of employing the Kantorovich distance remains, but it is now applied to quasimetrics, and in particular the novel ``convex-separation'' quasimetric. The benefits are threefold: first, it allows one to maximize leakage over a larger class of gain functions, most notably including the one of Shannon. Second, a solution is obtained to the problem of maximizing leakage over both priors and gain functions, left open in [Alvim et al., loc. cit.]. Third, it allows one to establish an additive variant of the ``Miracle'' theorem from [\textit{M. S. Alvim} et al., in: Proceedings of the 2012 IEEE 25th computer security foundations symposium, CSF 2012, Cambridge, MA, USA, June 25--27, 2012. Piscataway, NJ: IEEE. 265--279 (2012; \url{doi:10.1109/CSF.2012.26})].
For the entire collection see [Zbl 1398.68036].

Variability as a better characterization of Shannon entropy
https://zbmath.org/1517.94034
2023-09-22T14:21:46.120933Z
"Carcassi, Gabriele" https://zbmath.org/authors/?q=ai:carcassi.gabriele
"Aidala, Christine A." https://zbmath.org/authors/?q=ai:aidala.christine-a
"Barbour, Julian" https://zbmath.org/authors/?q=ai:barbour.julian-b
The main aim of this paper is to consider the notion of variability and to use this notion to deduce a better characterization of the Shannon entropy.
Assume that we have a (finite) set of elements \(E=(e_{\alpha})_{\alpha=1}^{N}\). Further, let us select a property or a set of properties we want to use to characterize the elements. That is, we have a set of possible values \(Q = (q_i)^{I}_{i=1}\) and a map \(q \colon E \to Q\) that associates a value to each element. In such a way, a sequence \((q(e_{\alpha}))_{\alpha=1}^{N}\) of the descriptions that are associated with each element in the set arises.
Having decided what elements to study and the level of description in which we are interested, we bin them; that is, we group them based on that description, disregarding the identity of the particular element. In fact, what is interesting is only the relative frequency
\[
p_i = \frac{N_i}{N} = \frac{\#\left\{e_\alpha \in E\, \vert \, q(e_\alpha) = q_i\right\}}{N}
\]
of the elements within each bin. After this, the next aim is to construct an indicator \(H\) that quantifies how much variability the elements exhibit within the distribution. That is, we want to quantify the degree of diversity that the values can have within the distribution.
The authors conclude that
(1) the Shannon entropy measures the variability of the elements within a given distribution, giving it a crisp intuitive meaning that is general and applicable to all branches of science
(2) the expression is not arbitrary, as it is the only linear indicator for such a concept
(3) it measures the variability by quantifying the number of yes/no questions one must ask to identify an element within the distribution, which corresponds to the number of bits needed to transmit or store that information
(4) when properly applied to statistical mechanics, the variability leads to the Boltzmann, Gibbs, and von Neumann entropies.
Reviewer: Eszter Gselmann (Debrecen)

Nonparametric entropy estimation of conditional distribution under length-biased right censored sample
https://zbmath.org/1517.94035
2023-09-22T14:21:46.120933Z
"G., Rajesh" https://zbmath.org/authors/?q=ai:g.rajesh
"Rajesh, Richu" https://zbmath.org/authors/?q=ai:rajesh.richu
"Sunoj, S. M." https://zbmath.org/authors/?q=ai:sunoj.sreenarayanapurath-madhavan
Summary: This article presents a nonparametric integral estimator for the Shannon differential entropy of a conditional distribution under length-biased sampling in the right censored case. Asymptotic properties of the estimator are established under suitable regularity conditions. The performance of the proposed estimator is investigated through a simulation study. An application of the estimator to real data is also presented.

Fast rates of minimum error entropy with heavy-tailed noise
https://zbmath.org/1517.94036
2023-09-22T14:21:46.120933Z
"Huang, Shouyou" https://zbmath.org/authors/?q=ai:huang.shouyou
Summary: In this paper, we investigate the performance of minimum error entropy (MEE) from a theoretical viewpoint. Owing to its resistance to heavy-tailed noise or outliers, as an alternative to traditional robust empirical risk minimization schemes, MEE has drawn particular attention over the last decades and has been successfully used in machine learning. The purpose of this paper is to conduct a refined learning theory analysis of MEE and establish its improved rates of convergence without assuming light-tailed noise.
It shows that a new comparison theorem not only characterizes the regression calibration properties of MEE, but also refines the variance analysis of learning theory.

A new measure of general information on pseudo analysis
https://zbmath.org/1517.94037 2023-09-22T14:21:46.120933Z
"Vivona, Doretta" https://zbmath.org/authors/?q=ai:vivona.doretta; "Divari, Maria" https://zbmath.org/authors/?q=ai:divari.maria
Summary: The setting of this paper is general information theory and pseudo-analysis. We consider the general information measure \(J\), defined without a probability for crisp sets and without a fuzzy measure for fuzzy sets, and we propose a particular information measure for the intersection of two sets. Pseudo-analysis is used to generalize the definition of independence, which leads to a functional equation. This equation belongs to a system of functional equations, and we present some solutions of this system.
For the entire collection see [Zbl 1396.68010].

Do log factors matter? On optimal wavelet approximation and the foundations of compressed sensing
https://zbmath.org/1517.94038 2023-09-22T14:21:46.120933Z
"Adcock, Ben" https://zbmath.org/authors/?q=ai:adcock.ben; "Brugiapaglia, Simone" https://zbmath.org/authors/?q=ai:brugiapaglia.simone; "King-Roskamp, Matthew" https://zbmath.org/authors/?q=ai:king-roskamp.matthew
Compressed sensing asserts that a vector \(x\in \mathbb{C}^N\) with at most \(s\) nonzero components can be recovered from \(m\) suitably chosen linear measurements \(y = Ax\), where \(A \in \mathbb{C}^{m\times N}\) and \(y\in \mathbb{C}^m\), with \(m\) satisfying \[ m\geq c \cdot s \log (N/s),\qquad (1)\] which can be achieved using a random Gaussian matrix for \(A\). Because compressed sensing represents a significant saving in the number of measurements, it has found numerous applications in different fields, in particular in imaging.
Many imaging modalities, such as MRI, acquire Fourier samples of an image, and not measurements according to a random Gaussian matrix. The measurement condition for \(s\)-term recovery from Fourier measurements has a worse scaling in \(s\) and \( N\) than given in (1). However, in practice, Fourier measurements outperform Gaussian measurements for recovering images.
Motivated by this paradox, the authors investigate the problem of optimal sampling for compressed sensing. The focus is the wavelet approximation of piecewise smooth functions via compressed sensing. The authors investigate the following three questions:
\begin{itemize}
\item Is a random Gaussian sampling an optimal sampling strategy for wavelet approximation of piecewise smooth functions?
\item If not, what is an optimal sampling strategy?
\item How close to optimal is Fourier sampling? In particular, why is it that Fourier sampling often outperforms random Gaussian sampling, even though the latter is optimal for recovering sparse vectors?
\end{itemize}
The analysis led to new error bounds in terms of the total number of measurements \(m\) for the approximation of piecewise \(\alpha\)-Hölder functions. One of the main findings of the paper is that Fourier sampling outperforms random Gaussian sampling when the Hölder exponent \(\alpha\) is large enough.
Reviewer: Ahmed I. Zayed (Chicago)

Estimate of 4-adic complexity of unified quaternary sequences of length \(2p\)
https://zbmath.org/1517.94039 2023-09-22T14:21:46.120933Z
"Edemskiy, Vladimir" https://zbmath.org/authors/?q=ai:edemskiy.vladimir-anatolevich; "Koltsova, Sofia" https://zbmath.org/authors/?q=ai:koltsova.sofia
Summary: We derive the 4-adic complexity of unified quaternary sequences with period \(2p\). These sequences, which have good autocorrelation properties, were proposed by \textit{P. Ke} et al. [Adv. Math. Commun. 16, No. 2, 285--302 (2022; Zbl 1500.94010)]. We estimate the 4-adic complexity of these sequences and show that each of them has high 4-adic complexity, large enough to resist the rational approximation algorithm attack.

The properties of external control sequences
https://zbmath.org/1517.94040 2023-09-22T14:21:46.120933Z
"Fomichev, V. M." https://zbmath.org/authors/?q=ai:fomichev.vladimir-mikhailovich
Summary: The notion of \(h\)-periodicity of a sequence is introduced, where \(h\) is a function mapping the set of words composing the sequence into a set. The properties of \(h\)-periodic sequences are investigated. In the case of additive \(h\), a connection between the period length and the \(h\)-period length of a sequence is established, and the \(h\)-period lengths of linear recurring sequences and of de Bruijn sequences are determined.
It is noted that the cryptographic properties of some gamma (keystream) generators depend on the \(h\)-period length of the control sequence, where \(h\) is the function marking the symbols of the sequence.

Ternary perfect sequences with three-valued cross-correlation
https://zbmath.org/1517.94041 2023-09-22T14:21:46.120933Z
"Liu, Chenchen" https://zbmath.org/authors/?q=ai:liu.chenchen; "Zhang, Wenyi" https://zbmath.org/authors/?q=ai:zhang.wenyi; "Yang, Yang" https://zbmath.org/authors/?q=ai:yang.yang|yang.yang.22|yang.yang.9|yang.yang.37|yang.yang.20|yang.yang.7|yang.yang.19|yang.yang.3|yang.yang.14|yang.yang.6|yang.yang.40|yang.yang.29|yang.yang.4|yang.yang.16|yang.yang.5|yang.yang.23|yang.yang.10
Summary: The calculation of the cross-correlation between a sequence with good autocorrelation and its decimated sequence has been a longstanding research problem in the field of sequence design. The objective of this paper is to determine the cross-correlation between a class of well-known ternary sequences with perfect autocorrelation and their \(2\)-decimation. Based on the theory of quadratic forms and exponential sums over finite fields, it is shown that the cross-correlation function takes on three low values.

A new class of optimal wide-gap one-coincidence frequency-hopping sequence sets
https://zbmath.org/1517.94042 2023-09-22T14:21:46.120933Z
"Ren, Wenli" https://zbmath.org/authors/?q=ai:ren.wenli; "Wang, Feng" https://zbmath.org/authors/?q=ai:wang.feng.2|wang.feng.6|wang.feng.10|wang.feng.15|wang.feng.1|wang.feng.7|wang.feng.3
Summary: In this paper, we propose a new class of optimal one-coincidence FHS (OC-FHS) sets with respect to the Peng-Fan bounds, including prime sequence sets and HMC sequence sets as special cases. Thereafter, by investigating their properties, we determine all of the FHS distances in the OC-FHS set. Finally, for a given positive integer, we also propose a new class of wide-gap one-coincidence FHS (WG-OC-FHS) sets in which the FHS gap is larger than the given positive integer.
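The measures named in the Edemskiy-Koltsova entry (4-adic complexity against the rational approximation algorithm) and the Liu-Zhang-Yang entry (cross-correlation of a sequence with its decimation) above, together with the linear complexity and periodic autocorrelation used for the Yi et al. sequences further down this page, can all be computed exhaustively for small sequences. The stdlib-only Python block below is an added example, not code from any of these papers: Berlekamp-Massey over GF(2) for linear complexity, the rational-number view of 4-adic complexity, and periodic (cross-)correlation of ±1 sequences. The sample is a constructed period-15 binary m-sequence from the feedback polynomial \(x^4 + x + 1\); its 2-decimation is a cyclic shift of itself, so the cross-correlation is two-valued, the binary analogue of the few-valued spectra the Liu et al. paper determines for ternary perfect sequences. The quaternary sample sequences passed to the 4-adic routine are likewise constructed, not the unified sequences of Ke et al.

```python
"""Complexity and correlation measures for keystream-like sequences.

Added example; not code from the papers listed above. Standard library only.
"""
from math import gcd, log
from typing import List, Sequence


def lfsr_sequence(coeffs: Sequence[int], init: Sequence[int], length: int) -> List[int]:
    """Fibonacci LFSR over GF(2): s_{n+L} = XOR_j coeffs[j] & s_{n+j}.
    coeffs[j] is the coefficient of x^j in the feedback polynomial x^L + ... ."""
    state = list(init)
    out = []
    for _ in range(length):
        out.append(state[0])
        fb = 0
        for c, s in zip(coeffs, state):
            fb ^= c & s
        state = state[1:] + [fb]
    return out


def linear_complexity(bits: Sequence[int]) -> int:
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating `bits`.
    A sequence of length >= 2L reveals its true linear complexity L."""
    n = len(bits)
    c = [0] * (n + 1)   # current connection polynomial C(x)
    b = [0] * (n + 1)   # connection polynomial before the last length change
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                       # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m                     # C(x) <- C(x) + x^{i-m} B(x)
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:                    # length change needed
            L, m, b = i + 1 - L, i, t
    return L


def four_adic_complexity(seq: Sequence[int]) -> float:
    """4-adic complexity of an N-periodic sequence over Z_4 (one period given):
    log_4( (4^N - 1) / gcd(S(4), 4^N - 1) ) with S(x) = sum_i s_i x^i.
    The rational approximation algorithm recovers the sequence from about
    twice this many symbols, so values close to N are what a designer wants."""
    if any(s not in (0, 1, 2, 3) for s in seq):
        raise ValueError("quaternary sequence expected")
    N = len(seq)
    modulus = 4 ** N - 1
    s4 = sum(s * 4 ** i for i, s in enumerate(seq))
    return log(modulus // gcd(s4, modulus), 4)


def to_pm1(bits: Sequence[int]) -> List[int]:
    """Map a binary sequence to +1/-1 via (-1)^s."""
    return [1 - 2 * b for b in bits]


def decimate(seq: Sequence[int], d: int) -> List[int]:
    """d-decimation of an N-periodic sequence: t_i = s_{d i mod N}."""
    N = len(seq)
    return [seq[(d * i) % N] for i in range(N)]


def periodic_crosscorrelation(u: Sequence[int], v: Sequence[int]) -> List[int]:
    """C_{u,v}(tau) = sum_i u_i v_{i+tau} over one period, tau = 0..N-1.
    With u == v this is the periodic autocorrelation."""
    if len(u) != len(v):
        raise ValueError("sequences must have the same period")
    N = len(u)
    return [sum(u[i] * v[(i + tau) % N] for i in range(N)) for tau in range(N)]


# Constructed sample: period-15 m-sequence of x^4 + x + 1, i.e. s_{n+4} = s_{n+1} ^ s_n.
MSEQ = lfsr_sequence([1, 1, 0, 0], [1, 0, 0, 0], 15)

if __name__ == "__main__":
    print("m-sequence       :", "".join(map(str, MSEQ)))
    print("linear complexity:", linear_complexity(MSEQ))
    print("autocorrelation  :", periodic_crosscorrelation(to_pm1(MSEQ), to_pm1(MSEQ)))
    print("cross-corr with 2-decimation:",
          periodic_crosscorrelation(to_pm1(MSEQ), to_pm1(decimate(MSEQ, 2))))
    print("4-adic complexity of 0001:", four_adic_complexity([0, 0, 0, 1]))
```

The m-sequence has linear complexity 4 and ideal two-level autocorrelation (15 at shift 0, -1 elsewhere), which is exactly why it is useless as a keystream on its own: Berlekamp-Massey recovers the generator from 8 bits. The 4-adic routine shows the same failure mode for the FCSR model: a constant quaternary sequence has 4-adic complexity \(\log_4 3 < 1\), whereas a period-4 impulse already reaches nearly 4.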
Moreover, such a WG-OC-FHS set is optimal with respect to the WG-Lempel-Greenberger bound and the WG-Peng-Fan bounds simultaneously.

New classes of asymptotically optimal spectrally-constrained sequences derived from cyclotomy
https://zbmath.org/1517.94043 2023-09-22T14:21:46.120933Z
"Ye, Zhifan" https://zbmath.org/authors/?q=ai:ye.zhifan; "Zhou, Zhengchun" https://zbmath.org/authors/?q=ai:zhou.zhengchun; "Yang, Yang" https://zbmath.org/authors/?q=ai:yang.yang.7; "Helleseth, Tor" https://zbmath.org/authors/?q=ai:helleseth.tor
Summary: As numerous applications in wireless communications and radar sensing rely on the finite and precious spectral resource, contiguous spectrum allocation schemes have become very difficult to sustain. Spectrally constrained sequences (SCSs) are specially designed sequences with low correlation sidelobes that make effective use of the increasingly congested and fragmented spectrum. Recently, \textit{Z. Liu} et al. [IEEE Trans. Inf. Theory 64, No. 4, Part 1, 2571--2582 (2018; Zbl 1390.94816)] proposed a lower bound on the maximal correlation of SCSs and constructed two classes of optimal SCSs using Singer difference sets and perfect ternary sequences. For applications of SCSs, it is desirable that the spectrally constrained positions be as flexible as possible and the correlation tolerance as small as possible. In this paper, we present some systematic constructions based on cyclotomy which generate asymptotically optimal SCSs with respect to Liu's bound. The proposed constructions result in SCSs with new parameters and are more flexible in terms of the ``position of the null constraint''.
In addition, we propose a framework which controls the power of the new SCSs while maintaining their correlation magnitudes, using the cyclic algorithm-new (CAN) algorithm.

On the linear complexity and autocorrelation of generalized cyclotomic binary sequences with period \(4p^n\)
https://zbmath.org/1517.94044 2023-09-22T14:21:46.120933Z
"Yi, Lin" https://zbmath.org/authors/?q=ai:yi.lin; "Zeng, Xiangyong" https://zbmath.org/authors/?q=ai:zeng.xiangyong; "Sun, Zhimin" https://zbmath.org/authors/?q=ai:sun.zhimin; "Zhang, Shasha" https://zbmath.org/authors/?q=ai:zhang.shasha
Summary: In this paper, a new class of generalized cyclotomic binary sequences with period \(4p^n\) is proposed. These sequences are almost balanced, and explicit formulas for their linear complexity and autocorrelation are presented.

An algebraic framework for silent preprocessing with trustless setup and active security
https://zbmath.org/1517.94045 2023-09-22T14:21:46.120933Z
"Abram, Damiano" https://zbmath.org/authors/?q=ai:abram.damiano; "Damgård, Ivan" https://zbmath.org/authors/?q=ai:damgard.ivan-bjerre; "Orlandi, Claudio" https://zbmath.org/authors/?q=ai:orlandi.claudio; "Scholl, Peter" https://zbmath.org/authors/?q=ai:scholl.peter
Summary: Recently, number-theoretic assumptions including DDH, DCR and QR have been used to build powerful tools for secure computation, in the form of homomorphic secret sharing (HSS), which leads to secure two-party computation protocols with succinct communication, and pseudorandom correlation functions (PCFs), which allow non-interactive generation of a large quantity of correlated randomness. In this work, we present a group-theoretic framework for these classes of constructions, which unifies their approach to computing distributed discrete logarithms in various groups. We cast existing constructions in our framework, and also present new constructions, including one based on class groups of imaginary quadratic fields.
This leads to the first construction of two-party homomorphic secret sharing for branching programs from class group assumptions.
Using our framework, we also obtain pseudorandom correlation functions for generating oblivious transfer and vector-OLE correlations from number-theoretic assumptions. These have a trustless, public-key setup when instantiating our framework using class groups. Previously, such constructions either needed a trusted setup in the form of an RSA modulus with unknown factorisation, or relied on multi-key fully homomorphic encryption from the learning with errors assumption.
We also show how to upgrade our constructions to achieve active security using appropriate zero-knowledge proofs. In the random oracle model, this leads to a one-round, actively secure protocol for setting up the PCF, as well as a 3-round, actively secure HSS-based protocol for secure two-party computation of branching programs with succinct communication.
For the entire collection see [Zbl 1514.94004].

Statistical approximation theory for discrete functions with application in cryptanalysis of iterative block ciphers
https://zbmath.org/1517.94046 2023-09-22T14:21:46.120933Z
"Agibalov, G. P." https://zbmath.org/authors/?q=ai:agibalov.gennadii-petrovich; "Pankratova, I. A." https://zbmath.org/authors/?q=ai:pankratova.irina-anatolevna
Summary: A statistical approximation of a discrete function is defined as a Boolean equation that holds with some probability, accompanied by a Boolean function that is statistically independent of a subset of the variables. Properties of this notion are studied, and a constructive test for statistical independence is formulated. Methods for designing linear statistical approximations of the functions used in iterative symmetric block ciphers are considered. Cryptanalysis algorithms for symmetric ciphers based on solving systems of linear or nonlinear statistical approximations are proposed; the algorithms rely on the maximum likelihood method. Definitions, methods and algorithms are demonstrated by examples taken from DES.
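The basic object of this theory, a Boolean equation on the input and output bits of an S-box that holds with probability different from 1/2, can be tabulated exhaustively for any small S-box. The stdlib-only Python block below is an added example and not code from the paper: it builds the linear approximation table of a 4-bit S-box, reports the best nontrivial approximation and its bias, and then applies the maximum-likelihood counting of Matsui's Algorithm 1 to a constructed one-round toy cipher \(c = S(p \oplus k)\) to recover one parity bit of the key. The PRESENT S-box is used as the sample because it fits in one line; the DES S-boxes of the paper are not reproduced here, and the toy cipher, its key and the function names are assumptions of this illustration.

```python
"""Linear approximations of an S-box and Matsui-style key-parity recovery.

Added example, not code from the paper. Standard library only.
"""
from typing import Iterable, List, Sequence, Tuple

# Constructed sample: the PRESENT 4-bit S-box (a bijection on 0..15).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(x: int) -> int:
    """XOR of the bits of x."""
    return bin(x).count("1") & 1


def linear_approximation_table(sbox: Sequence[int]) -> List[List[int]]:
    """LAT[a][b] = #{x : a.x XOR b.S(x) = 0}.  A count of n/2 means the
    Boolean equation a.x XOR b.S(x) = 0 holds with probability 1/2 (useless);
    the further from n/2, the better the statistical approximation."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            table[a][b] = sum(1 for x in range(n)
                              if parity(a & x) ^ parity(b & sbox[x]) == 0)
    return table


def bias(count: int, n: int) -> float:
    """epsilon in Pr[equation holds] = 1/2 + epsilon."""
    return count / n - 0.5


def best_approximation(sbox: Sequence[int]) -> Tuple[int, int, float]:
    """Nontrivial (a != 0, b != 0) input/output mask pair with the largest |bias|."""
    n = len(sbox)
    lat = linear_approximation_table(sbox)
    best = (0, 0, 0.0)
    for a in range(1, n):
        for b in range(1, n):
            eps = bias(lat[a][b], n)
            if abs(eps) > abs(best[2]):
                best = (a, b, eps)
    return best


def keyed_sbox_pairs(sbox: Sequence[int], key: int) -> List[Tuple[int, int]]:
    """Constructed one-round toy cipher: c = S(p XOR key) for every plaintext p."""
    return [(p, sbox[p ^ key]) for p in range(len(sbox))]


def recover_key_parity(sbox: Sequence[int], a: int, b: int,
                       pairs: Iterable[Tuple[int, int]]) -> int:
    """Matsui's Algorithm 1 for the toy cipher above.  Since
    a.p XOR b.c = a.key XOR [a.(p^key) XOR b.S(p^key)], and the bracket is 0
    with probability 1/2 + eps, the majority value of a.p XOR b.c over the
    pairs equals a.key when eps > 0 and its complement when eps < 0."""
    n = len(sbox)
    eps = bias(linear_approximation_table(sbox)[a][b], n)
    if eps == 0:
        raise ValueError("approximation carries no information")
    zeros = ones = 0
    for p, c in pairs:
        if parity(a & p) ^ parity(b & c):
            ones += 1
        else:
            zeros += 1
    majority = 0 if zeros >= ones else 1
    return majority if eps > 0 else majority ^ 1


if __name__ == "__main__":
    a, b, eps = best_approximation(PRESENT_SBOX)
    print(f"best approximation: in mask {a:#06b}, out mask {b:#06b}, bias {eps:+.4f}")
    key = 0b1011
    guess = recover_key_parity(PRESENT_SBOX, a, b, keyed_sbox_pairs(PRESENT_SBOX, key))
    print(f"a.key recovered = {guess}, actual = {parity(a & key)}")
```

With all 16 plaintexts the counts are exact and the key parity is always recovered; against a real cipher the same counting is run on a sample of pairs, and the number of pairs needed grows like \(1/\epsilon^2\), which is why the paper's nonlinear approximations with larger bias, and the number of key bits each one yields, matter.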
In particular, it is shown that one of the cryptanalysis algorithms proposed in the paper recovers 34 key bits of full 16-round DES from two known nonlinear approximate equations, from which Matsui's algorithm recovers only 26 key bits.

LRPC codes with multiple syndromes: near ideal-size KEMs without ideals
https://zbmath.org/1517.94047 2023-09-22T14:21:46.120933Z
"Aguilar-Melchor, Carlos" https://zbmath.org/authors/?q=ai:aguilar-melchor.carlos; "Aragon, Nicolas" https://zbmath.org/authors/?q=ai:aragon.nicolas; "Dyseryn, Victor" https://zbmath.org/authors/?q=ai:dyseryn.victor; "Gaborit, Philippe" https://zbmath.org/authors/?q=ai:gaborit.philippe; "Zémor, Gilles" https://zbmath.org/authors/?q=ai:zemor.gilles
Summary: We introduce a new rank-based key encapsulation mechanism (KEM) with public key and ciphertext sizes around 3.5 Kbytes each, for 128 bits of security, without using ideal structures. Such structures allow objects to be compressed, but give reductions to specific problems whose security is potentially weaker than that of unstructured problems. To the best of our knowledge, our scheme improves in size upon all existing unstructured post-quantum lattice- or code-based algorithms such as FrodoKEM or Classic McEliece. Our technique, whose efficiency relies on properties of the rank metric, is to build upon existing Low Rank Parity Check (LRPC) code-based KEMs and to send multiple syndromes in one ciphertext, which allows the parameters to be reduced while still obtaining an acceptable decoding failure rate. Our system relies on the hardness of the Rank Support Learning problem, a well-known variant of the Rank Syndrome Decoding problem. The gain in parameters is enough to significantly close the gap between ideal and non-ideal constructions. It also makes it possible to choose an error weight close to the rank Gilbert-Varshamov bound, a relatively harder zone for algebraic attacks.
For the entire collection see [Zbl 1514.94001].

Lattice-based SNARKs: publicly verifiable, preprocessing, and recursively composable (extended abstract)
https://zbmath.org/1517.94048 2023-09-22T14:21:46.120933Z
"Albrecht, Martin R." https://zbmath.org/authors/?q=ai:albrecht.martin-r; "Cini, Valerio" https://zbmath.org/authors/?q=ai:cini.valerio; "Lai, Russell W. F." https://zbmath.org/authors/?q=ai:lai.russell-w-f; "Malavolta, Giulio" https://zbmath.org/authors/?q=ai:malavolta.giulio; "Thyagarajan, Sri AravindaKrishnan" https://zbmath.org/authors/?q=ai:thyagarajan.sri-aravinda-krishnan
Summary: A succinct non-interactive argument of knowledge (SNARK) allows a prover to produce a short proof that certifies the veracity of a certain NP statement. In the last decade, a large body of work has studied candidate constructions that are secure against quantum attackers. Unfortunately, no known candidate matches the efficiency and desirable features of (pre-quantum) constructions based on bilinear pairings.
In this work, we make progress on this question. We propose the first lattice-based SNARK that simultaneously satisfies many desirable properties: It (i) is tentatively post-quantum secure, (ii) is publicly-verifiable, (iii) has a logarithmic-time verifier and (iv) has a purely algebraic structure making it amenable to efficient recursive composition. Our construction stems from a general technical toolkit that we develop to translate pairing-based schemes to lattice-based ones. At the heart of our SNARK is a new lattice-based vector commitment (VC) scheme supporting openings to constant-degree multivariate polynomial maps, which is a candidate solution for the open problem of constructing VC schemes with openings to beyond linear functions. However, the security of our constructions is based on a new family of lattice-based computational assumptions which naturally generalises the standard Short Integer Solution (SIS) assumption.
For the entire collection see [Zbl 1514.94002].

Estimate all the \(\{\)LWE, NTRU\(\}\) schemes!
https://zbmath.org/1517.94049 2023-09-22T14:21:46.120933Z
"Albrecht, Martin R." https://zbmath.org/authors/?q=ai:albrecht.martin-r; "Curtis, Benjamin R." https://zbmath.org/authors/?q=ai:curtis.benjamin-r; "Deo, Amit" https://zbmath.org/authors/?q=ai:deo.amit; "Davidson, Alex" https://zbmath.org/authors/?q=ai:davidson.alex; "Player, Rachel" https://zbmath.org/authors/?q=ai:player.rachel; "Postlethwaite, Eamonn W." https://zbmath.org/authors/?q=ai:postlethwaite.eamonn-w; "Virdia, Fernando" https://zbmath.org/authors/?q=ai:virdia.fernando; "Wunderer, Thomas" https://zbmath.org/authors/?q=ai:wunderer.thomas
Summary: We consider all LWE- and NTRU-based encryption, key encapsulation, and digital signature schemes proposed for standardisation as part of the post-quantum cryptography process run by the US National Institute of Standards and Technology (NIST). In particular, we investigate the impact that different estimates for the asymptotic runtime of (block-wise) lattice reduction have on the predicted security of these schemes. Relying on the ``LWE estimator'' of \textit{M. R. Albrecht} [Lect. Notes Comput. Sci. 10211, 103--129 (2017; Zbl 1415.94402)], we estimate the cost of running primal and dual lattice attacks against every LWE-based scheme, using every cost model proposed as part of a submission. Furthermore, we estimate the security of the proposed NTRU-based schemes against the primal attack under all cost models for lattice reduction.
For the entire collection see [Zbl 1397.94004].

On the insider security of MLS
https://zbmath.org/1517.94050 2023-09-22T14:21:46.120933Z
"Alwen, Joël" https://zbmath.org/authors/?q=ai:alwen.joel; "Jost, Daniel" https://zbmath.org/authors/?q=ai:jost.daniel; "Mularczyk, Marta" https://zbmath.org/authors/?q=ai:mularczyk.marta
Summary: The Messaging Layer Security (MLS) protocol is an open standard for end-to-end (E2E) secure group messaging being developed by the IETF, poised for deployment to consumers, industry, and government. It is designed to provide E2E privacy and authenticity for messages in long-lived sessions whenever possible, despite the participation (at times) of malicious insiders that can adaptively interact with the PKI at will, actively deviate from the protocol, leak honest parties' states, and fully control the network. The core of the MLS protocol (from which it inherits essentially all of its efficiency and security properties) is a Continuous Group Key Agreement (CGKA) protocol. It provides asynchronous E2E group management by allowing group members to agree on a fresh independent symmetric key after every change to the group's state (e.g. when someone joins/leaves the group).
In this work, we make progress towards a precise understanding of the insider security of MLS (Draft 12). On the theory side, we overcome several subtleties to formulate the first notion of insider security for CGKA (or group messaging). Next, we isolate the core components of MLS to obtain a CGKA protocol we dub Insider Secure TreeKEM (ITK). Finally, we give a rigorous security proof for ITK. In particular, this work also initiates the study of insider secure CGKA and group messaging protocols. Along the way we give three new (very practical) attacks on MLS and corresponding fixes. (Those fixes have now been included into the standard.) We also describe a second attack against MLS-like CGKA protocols proven secure under all previously considered security notions (including those designed specifically to analyze MLS). These attacks highlight the pitfalls in simplifying security notions even in the name of tractability.
For the entire collection see [Zbl 1514.94002].

Some results on lightweight stream ciphers Fountain v1 \& Lizard
https://zbmath.org/1517.94051 2023-09-22T14:21:46.120933Z
"Anand, Ravi" https://zbmath.org/authors/?q=ai:anand.ravi; "Roy, Dibyendu" https://zbmath.org/authors/?q=ai:roy.dibyendu; "Sarkar, Santanu" https://zbmath.org/authors/?q=ai:sarkar.santanu
Summary: In this paper, we propose cryptanalytic results on two lightweight stream ciphers: Fountain v1 and Lizard. The main results of this paper are the following:
\begin{itemize}
\item[--] We propose a zero-sum distinguisher on reduced-round Fountain v1. In this context, we study the non-randomness of the cipher with a careful selection of cube variables. The cube we obtain yields a zero-sum on Fountain v1 up to 188 initialization rounds and significant non-randomness up to 189 rounds. This results in a distinguishing attack on Fountain v1 with 189 initialization rounds.
\item[--] Further, we find that the same cipher is weak against a conditional Time-Memory-Data-Tradeoff (TMDTO) attack. We show that a TMDTO attack exploiting sampling resistance has online complexity \(2^{110}\) and offline complexity \(2^{146}\).
\item[--] Finally, we revisit the Time-Memory-Data-Tradeoff attack on Lizard by \textit{S. Maitra} et al. [IEEE Trans. Comput. 67, No. 5, 733--739 (2018; Zbl 1395.94302)] and provide our observations on their work. We show that instead of choosing any random string, some particular strings would provide better results in their proposed attack technique.
\end{itemize}

Forward-secure revocable secret handshakes from lattices
https://zbmath.org/1517.94052 2023-09-22T14:21:46.120933Z
"An, Zhiyuan" https://zbmath.org/authors/?q=ai:an.zhiyuan; "Pan, Jing" https://zbmath.org/authors/?q=ai:pan.jing; "Wen, Yamin" https://zbmath.org/authors/?q=ai:wen.yamin; "Zhang, Fangguo" https://zbmath.org/authors/?q=ai:zhang.fangguo
Summary: Secret handshake \((\mathsf{SH})\), as a fundamental privacy-preserving primitive, allows members of the same organization to authenticate each other anonymously. Since its proposal by \textit{D. Balfanz} et al. [in: Proceedings of the 2003 IEEE symposium on security and privacy, Berkeley, CA, USA, May 13--14, 2003. Los Alamitos, CA: IEEE Computer Society. 180--196 (2003; \url{doi: 10.1109/SECPRI.2003.1199336})], numerous constructions have been proposed, among which only the ones designed separately by \textit{Z. Zhang} et al. [Lect. Notes Comput. Sci. 12309, 317--335 (2020; Zbl 1511.94164)] over codes and by An et al. over lattices are secure against quantum attacks. However, none of the known schemes considers the issue of key exposure, which is a common threat to cryptosystem implementations. To protect users' privacy against key exposure, a forward-secure mechanism is believed to be a promising countermeasure: secret keys are periodically evolved in a one-way manner so that users' past transactions remain protected even if a break-in happens.
In this work we formalize the model of forward-secure secret handshake and present the first lattice-based instantiation, in which the ABB \(\mathsf{HIBE}\) scheme handles the key evolution process by treating time periods as levels of the hierarchy. In particular, dynamic revocability is captured by upgrading static verifier-local revocation techniques into updatable ones. To achieve an anonymous handshake with ease, we present a generic way of transforming zero-knowledge argument systems of the Fiat-Shamir-with-abort type into mutual authentication protocols. Our scheme is proved secure under the Short Integer Solution \((\mathsf{SIS})\) and Learning With Errors \((\mathsf{LWE})\) assumptions in the random oracle model.
For the entire collection see [Zbl 1514.94001].

Revisiting the efficiency of asynchronous MPC with optimal resilience against general adversaries
https://zbmath.org/1517.94053 2023-09-22T14:21:46.120933Z
"Appan, Ananya" https://zbmath.org/authors/?q=ai:appan.ananya; "Chandramouli, Anirudh" https://zbmath.org/authors/?q=ai:chandramouli.anirudh; "Choudhury, Ashish" https://zbmath.org/authors/?q=ai:choudhary.ashish
Summary: In this paper, we design unconditionally secure multi-party computation (MPC) protocols in the asynchronous communication setting with optimal resilience. Our protocols are secure against a computationally unbounded malicious adversary characterized by an adversary structure \(\mathcal{Z}\), which enumerates all possible subsets of potentially corrupt parties. We present protocols with both perfect security and statistical security. While the protocols in the former class achieve all the security properties in an error-free fashion, the protocols belonging to the latter category achieve all the security properties except with a negligible error. Our perfectly secure protocol incurs an amortized communication of \(\mathcal{O}(|\mathcal{Z}|^2)\) bits per multiplication. This improves upon the protocol of \textit{A. Choudhury} and \textit{N. Pappu} [Lect. Notes Comput. Sci. 12578, 786--809 (2020; Zbl 1492.94080)] with the least known amortized communication complexity of \(\mathcal{O}(|\mathcal{Z}|^3)\) bits per multiplication. On the other hand, our statistically secure protocol incurs an amortized communication of \(\mathcal{O}(|\mathcal{Z}|)\) bits per multiplication. This is the first statistically secure asynchronous MPC protocol against general adversaries. Previously, perfectly secure and statistically secure MPC with an amortized communication cost of \(\mathcal{O}(|\mathcal{Z}|^2)\) and \(\mathcal{O}(|\mathcal{Z}|)\) bits, respectively, per multiplication was known only in the relatively simpler synchronous communication setting [\textit{M. Hirt} and \textit{D. Tschudi}, ibid. 8270, 181--200 (2013; Zbl 1314.94073)].

Quadratic multiparty randomized encodings beyond honest majority and their applications
https://zbmath.org/1517.94054 2023-09-22T14:21:46.120933Z
"Applebaum, Benny" https://zbmath.org/authors/?q=ai:applebaum.benny; "Ishai, Yuval" https://zbmath.org/authors/?q=ai:ishai.yuval; "Karni, Or" https://zbmath.org/authors/?q=ai:karni.or; "Patra, Arpita" https://zbmath.org/authors/?q=ai:patra.arpita
Summary: Multiparty randomized encodings [\textit{B. Applebaum} et al., SIAM J. Comput. 50, No. 1, 68--97 (2021; Zbl 1509.68076)] reduce the task of securely computing a complicated multiparty functionality \(f\) to the task of securely computing a simpler functionality \(g\). The reduction is non-interactive and preserves information-theoretic security against a passive (semi-honest) adversary, also referred to as privacy. The special case of a degree-2 encoding \(g\) (2MPRE) has recently found several applications to secure multiparty computation (MPC) with either information-theoretic security or black-box access to cryptographic primitives. Unfortunately, as all known constructions are based on information-theoretic MPC protocols in the plain model, they can only be private with an honest majority.
In this paper, we break the honest-majority barrier and present the first construction of general 2MPRE that remains secure in the presence of a dishonest majority. Our construction encodes every \(n\)-party functionality \(f\) by a 2MPRE that tolerates at most \(t=\lfloor 2n/3\rfloor\) passive corruptions.
We derive several applications including: (1) The first non-interactive client-server MPC protocol with perfect privacy against any coalition of a minority of the servers and up to \(t\) of the \(n\) clients; (2) Completeness of 3-party functionalities under non-interactive \(t\)-private reductions; and (3) A single-round \(t\)-private reduction from general-MPC to an ideal oblivious transfer (OT). These positive results partially resolve open questions that were posed in several previous works. We also show that \(t\)-private 2MPREs are necessary for solving (2) and (3), thus establishing new equivalence theorems between these three notions.
Finally, we present a new approach for constructing fully-private 2MPREs based on multi-round protocols in the OT-hybrid model that achieve perfect privacy against active attacks. Moreover, by slightly restricting the power of the active adversary, we derive an equivalence between these notions. This forms a surprising, and quite unique, connection between a non-interactive passively-private primitive to an interactive actively-private primitive.
For the entire collection see [Zbl 1514.94004].

Verifiable relation sharing and multi-verifier zero-knowledge in two rounds: trading NIZKs with honest majority (extended abstract)
https://zbmath.org/1517.94055 2023-09-22T14:21:46.120933Z
"Applebaum, Benny" https://zbmath.org/authors/?q=ai:applebaum.benny; "Kachlon, Eliran" https://zbmath.org/authors/?q=ai:kachlon.eliran; "Patra, Arpita" https://zbmath.org/authors/?q=ai:patra.arpita
Summary: We introduce the problem of Verifiable Relation Sharing (VRS) where a client (prover) wishes to share a vector of secret data items among \(k\) servers (the verifiers) while proving in zero-knowledge that the shared data satisfies some properties. This combined task of sharing and proving generalizes notions like verifiable secret sharing and zero-knowledge proofs over secret-shared data. We study VRS from a theoretical perspective and focus on its round complexity.
As our main contribution, we show that every efficiently-computable relation can be realized by a VRS with an optimal round complexity of two rounds where the first round is input-independent (offline round). The protocol achieves full UC-security against an active adversary that is allowed to corrupt any \(t\)-subset of the parties that may include the client together with some of the verifiers. For a small (logarithmic) number of parties, we achieve an optimal resiliency threshold of \(t<0.5(k+1)\), and for a large (polynomial) number of parties, we achieve an almost-optimal resiliency threshold of \(t<0.5(k+1)(1-\epsilon)\) for an arbitrarily small constant \(\epsilon >0\). Both protocols can be based on sub-exponentially hard injective one-way functions. If the parties have access to a collision-resistant hash function, we can derive statistical everlasting security, i.e., the protocols are secure against adversaries that are computationally bounded during the protocol execution and become computationally unbounded after the protocol execution.
Previous 2-round solutions achieve smaller resiliency thresholds and weaker security notions regardless of the underlying assumptions. As a special case, our protocols give rise to 2-round offline/online constructions of multi-verifier zero-knowledge proofs (MVZK). Such constructions were previously obtained under the same type of assumptions that are needed for NIZK, i.e., public-key assumptions or random-oracle type assumptions (\textit{M. Abe} et al. [Lect. Notes Comput. Sci. 2501, 206--223 (2002; Zbl 1065.94536)]; \textit{J. Groth} and \textit{R. Ostrovsky} [ibid. 4622, 323--341 (2007; Zbl 1215.94048)]; \textit{D. Boneh} et al. [ibid. 11694, 67--97 (2019; Zbl 1436.94043)]). Our work shows, for the first time, that in the presence of an honest majority these assumptions can be replaced with more conservative ``Minicrypt''-type assumptions like injective one-way functions and collision-resistance hash functions. Indeed, our MVZK protocols provide a round-efficient substitute for NIZK in settings where honest-majority is present. Additional applications are also presented.
For the entire collection see [Zbl 1514.94004].

On prover-efficient public-coin emulation of interactive proofs
https://zbmath.org/1517.94056 2023-09-22T14:21:46.120933Z
"Arnon, Gal" https://zbmath.org/authors/?q=ai:arnon.gal; "Rothblum, Guy N." https://zbmath.org/authors/?q=ai:rothblum.guy-n
Summary: A central question in the study of interactive proofs is the relationship between private-coin proofs, where the verifier is allowed to hide its randomness from the prover, and public-coin proofs, where the verifier's random coins are sent to the prover. The seminal work of \textit{S. Goldwasser} and \textit{M. Sipser} [in: Proceedings of the 18th annual ACM symposium on theory of computing, STOC 1986, Berkeley, CA, USA, May 28--30, 1986. New York, NY: Association for Computing Machinery (ACM). 59--68 (1986; \url{doi:10.1145/12130.12137})] showed how to transform private-coin proofs into public-coin ones. However, their transformation incurs a super-polynomial blowup in the running time of the honest prover.

In this work, we study transformations from private-coin proofs to public-coin proofs that preserve (up to polynomial factors) the running time of the prover. We re-consider this question in light of the emergence of doubly-efficient interactive proofs, where the honest prover is required to run in polynomial time and the verifier should run in near-linear time. Can every private-coin doubly-efficient interactive proof be transformed into a public-coin doubly-efficient proof? Adapting a result of \textit{S. Vadhan} [in: Proceedings of the thirty-second annual ACM symposium on theory of computing, STOC 2000. Portland, Oregon, USA, May 21--23, 2000. New York, NY: ACM Press. 200--207 (2000; Zbl 1296.68061)], we show that, assuming one-way functions exist, there is no general-purpose black-box private-coin to public-coin transformation for doubly-efficient interactive proofs.

Our main result is a loose converse: if (auxiliary-input infinitely-often) one-way functions do not exist, then there exists a general-purpose efficiency-preserving transformation. To prove this result, we show a general condition that suffices for transforming a doubly-efficient private-coin protocol: every such protocol induces an efficiently computable function, such that if this function is efficiently invertible (in the sense of one-way functions), then the proof can be efficiently transformed into a public-coin proof system with a polynomial-time honest prover.

This result motivates a study of other general conditions that allow for efficiency-preserving private-to-public-coin transformations. We identify an additional (incomparable) condition to that used in our main result. This condition allows for transforming any private-coin interactive proof where (roughly) it is possible to efficiently approximate the number of verifier coins consistent with a partial transcript. This allows for transforming any constant-round interactive proof that has this property (even if it is not doubly-efficient). We demonstrate the applicability of this final result by using it to transform a private-coin protocol of \textit{G. N. Rothblum} et al. [in: Proceedings of the 45th annual ACM symposium on theory of computing, STOC '13. Palo Alto, CA, USA, June 1--4, 2013. New York, NY: Association for Computing Machinery (ACM). 793--802 (2013; Zbl 1293.68250)], obtaining a doubly-efficient public-coin protocol for verifying that a given graph is close to bipartite in a setting for which such a protocol was not previously known.
For the entire collection see [Zbl 1465.94005].

Adventures in supersingularland
https://zbmath.org/1517.94057
2023-09-22T14:21:46.120933Z
"Arpin, Sarah" https://zbmath.org/authors/?q=ai:arpin.sarah
"Camacho-Navarro, Catalina" https://zbmath.org/authors/?q=ai:camacho-navarro.catalina
"Lauter, Kristin" https://zbmath.org/authors/?q=ai:lauter.kristin-e
"Lim, Joelle" https://zbmath.org/authors/?q=ai:lim.joelle
"Nelson, Kristina" https://zbmath.org/authors/?q=ai:nelson.kristina
"Scholl, Travis" https://zbmath.org/authors/?q=ai:scholl.travis
"Sotáková, Jana" https://zbmath.org/authors/?q=ai:sotakova.jana
Summary: Supersingular Isogeny Graphs were introduced as a source of hard problems in cryptography by \textit{D. X. Charles} et al. [J. Cryptology 22, No. 1, 93--113 (2009; Zbl 1166.94006)] for the construction of cryptographic hash functions and have been used for the key exchange SIKE. The security of such systems depends on the difficulty of finding a path between two random vertices. In this article, we study several aspects of the structure of these graphs. First, we study the subgraph given by \(j\)-invariants in \(\mathbb{F}_p\), using the related isogeny graph consisting of only \(\mathbb{F}_p\)-rational curves and isogenies. We prove theorems on how the connected components thereof attach, stack, and fold when mapped into the full graph. The \(\mathbb{F}_p\)-rational vertices are fixed by the Frobenius involution on the graph, and we call the induced graph the spine. Finding paths to the spine is relevant in cryptanalysis. Second, we present numerous computational experiments and heuristics relating to the position of the spine within the whole graph. These include studying the distance of random vertices to the spine, estimates of the diameter of the graph, how often paths are preserved under the Frobenius involution, and what proportion of vertices are conjugate.
We compare some of the heuristics with known results on other Ramanujan graphs.

Improving support-minors rank attacks: applications to G\textit{e}MSS and Rainbow
https://zbmath.org/1517.94058
2023-09-22T14:21:46.120933Z
"Baena, John" https://zbmath.org/authors/?q=ai:baena.john-bayron
"Briaud, Pierre" https://zbmath.org/authors/?q=ai:briaud.pierre
"Cabarcas, Daniel" https://zbmath.org/authors/?q=ai:cabarcas.daniel
"Perlner, Ray" https://zbmath.org/authors/?q=ai:perlner.ray
"Smith-Tone, Daniel" https://zbmath.org/authors/?q=ai:smith-tone.daniel
"Verbel, Javier" https://zbmath.org/authors/?q=ai:verbel.javier-a
Summary: The Support-Minors (SM) method has opened new routes to attack multivariate schemes with rank properties that were previously impossible to exploit, as shown by the recent attacks of \textit{W. Beullens} [Lect. Notes Comput. Sci. 12696, 348--373 (2021; Zbl 1479.94128)] and \textit{C. Tao} et al. [ibid. 12825, 70--93 (2021; Zbl 1485.94148)] on the Round 3 NIST candidates G\textit{e}MSS and Rainbow, respectively. In this paper, we study this SM approach in more depth and propose a greatly improved attack on G\textit{e}MSS based on this Support-Minors method. Even though G\textit{e}MSS was already affected by Tao et al. [loc. cit.], our attack affects it even more and makes it completely infeasible to repair the scheme by simply increasing the size of its parameters or even by applying the recent projection technique from \textit{M. Øygarden} et al. [ibid. 12841, 98--113 (2021; Zbl 1485.94115)], whose purpose was to make G\textit{e}MSS immune to [Tao et al., loc. cit.]. For instance, our attack on the G\textit{e}MSS MSS128 parameter set has estimated time complexity \(2^{72}\), and repairing the scheme by applying [Øygarden, loc. cit.] would result in a signature with slower signing time by an impractical factor of \(2^{14}\). Another contribution is to suggest optimizations that can reduce memory access costs for an XL strategy on a large SM system using the Block-Wiedemann algorithm as a subroutine when these costs are a concern. In a memory cost model based on [\textit{D. J. Bernstein} et al., ``NTRU prime: round 3'' (2020), \url{https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf}], we show that the rectangular MinRank attack from [Beullens, loc. cit.] may indeed reduce the security for all Round 3 Rainbow parameter sets below their targeted security strengths, contradicting the lower bound claimed in [The Rainbow Team, ``Response to recent paper by Ward Beullens'' (2020), \url{https://troll.iis.sinica.edu.tw/by-publ/recent/response-ward.pdf}] using the same memory cost model.
For the entire collection see [Zbl 1514.94003].

Improvement of algebraic attacks for solving superdetermined MinRank instances
https://zbmath.org/1517.94059
2023-09-22T14:21:46.120933Z
"Bardet, Magali" https://zbmath.org/authors/?q=ai:bardet.magali
"Bertin, Manon" https://zbmath.org/authors/?q=ai:bertin.manon
Summary: The MinRank (MR) problem is a computational problem that arises in many cryptographic applications. In [\textit{J. Verbel} et al., Lect. Notes Comput. Sci. 11505, 167--186 (2019; Zbl 1509.94136)], the authors introduced a new way to solve superdetermined instances of the MinRank problem, starting from the bilinear Kipnis-Shamir (KS) modeling. They use linear algebra on specific Macaulay matrices, considering only multiples of the initial equations by one block of variables, the so-called ``kernel'' variables. Later, \textit{M. Bardet} et al. [ibid. 12491, 507--536 (2020; Zbl 1511.94051)] introduced a new Support Minors modeling (SM), which considers the Plücker coordinates associated to the kernel variables, i.e., the maximal minors of the kernel matrix in the KS modeling.
In this paper, we give a complete algebraic explanation of the link between the (KS) and (SM) modelings (for any instance). We then show that superdetermined MinRank instances can be seen as easy instances of the SM modeling. In particular, we show that performing computation at the smallest possible degree (the ``first degree fall'') and the smallest possible number of variables is not always the best strategy. We give complexity estimates of the attack for generic random instances.
We apply those results to the DAGS cryptosystem, which was submitted to the first round of the NIST standardization process. We show that the algebraic attack from \textit{É. Barelli} and \textit{A. Couvreur} [ibid. 11272, 93--118 (2018; Zbl 1446.94098)], improved in \textit{M. Bardet} et al. [ibid. 11666, 86--101 (2019; \url{doi.org/10.1007/978-3-030-25922-8_5})], is a particular superdetermined MinRank instance. Here, the instances are not generic, but we show that it is possible to analyse the particular instances from DAGS and provide a way to select the optimal parameters (number of shortened positions) to solve a particular instance.
For the entire collection see [Zbl 1514.94001].

Moz\(\mathbb{Z}_{2^k}\)arella: efficient vector-OLE and zero-knowledge proofs over \(\mathbb{Z}_{2^k}\)
https://zbmath.org/1517.94060
2023-09-22T14:21:46.120933Z
"Baum, Carsten" https://zbmath.org/authors/?q=ai:baum.carsten
"Braun, Lennart" https://zbmath.org/authors/?q=ai:braun.lennart
"Munch-Hansen, Alexander" https://zbmath.org/authors/?q=ai:munch-hansen.alexander
"Scholl, Peter" https://zbmath.org/authors/?q=ai:scholl.peter
Summary: Zero-knowledge proof systems are usually designed to support computations for circuits over \(\mathbb{F}_2\) or \(\mathbb{F}_p\) for large \(p\), but not for computations over \(\mathbb{Z}_{2^k}\), which all modern CPUs operate on. Although \(\mathbb{Z}_{2^k}\)-arithmetic can be emulated using prime moduli, this comes with an unavoidable overhead. Recently, \textit{C. Baum} et al. [Lect. Notes Comput. Sci. 12828, 92--122 (2021; Zbl 1497.94075)] suggested a candidate construction for a designated-verifier zero-knowledge proof system that natively runs over \(\mathbb{Z}_{2^k}\). Unfortunately, their construction requires preprocessed random vector oblivious linear evaluation (VOLE) to be instantiated over \(\mathbb{Z}_{2^k}\). Currently, it is not known how to efficiently generate such random VOLE in large quantities.
In this work, we present a maliciously secure VOLE extension protocol that can turn a short seed-VOLE over \(\mathbb{Z}_{2^k}\) into a much longer, pseudorandom VOLE over the same ring. Our construction borrows ideas from recent protocols over finite fields, which we non-trivially adapt to work over \(\mathbb{Z}_{2^k}\). Moreover, we show that the approach taken by the QuickSilver zero-knowledge proof system can be generalized to support computations over \(\mathbb{Z}_{2^k}\). This new VOLE-based proof system, which we call \textsf{QuarkSilver}, yields better efficiency than the previous zero-knowledge protocols suggested by Baum et al. Furthermore, we implement both our VOLE extension and our zero-knowledge proof system, and show that they can generate 13--50 million VOLEs per second for 64-bit to 256-bit rings, and evaluate 1.3 million 64-bit multiplications per second in zero-knowledge.
For the entire collection see [Zbl 1514.94004].

More efficient commitments from structured lattice assumptions
https://zbmath.org/1517.94061
2023-09-22T14:21:46.120933Z
"Baum, Carsten" https://zbmath.org/authors/?q=ai:baum.carsten
"Damgård, Ivan" https://zbmath.org/authors/?q=ai:damgard.ivan-bjerre
"Lyubashevsky, Vadim" https://zbmath.org/authors/?q=ai:lyubashevsky.vadim
"Oechsner, Sabine" https://zbmath.org/authors/?q=ai:oechsner.sabine
"Peikert, Chris" https://zbmath.org/authors/?q=ai:peikert.chris
Summary: We present a practical construction of an additively homomorphic commitment scheme based on structured lattice assumptions, together with a zero-knowledge proof of opening knowledge. Our scheme is a design improvement over the previous work of \textit{F. Benhamouda} et al. [Lect. Notes Comput. Sci. 8873, 551--572 (2014; Zbl 1306.94026)] in that it is not restricted to being statistically binding. While it is possible to instantiate our scheme to be statistically binding or statistically hiding, it is most efficient when both hiding and binding properties are only computational. This results in approximately a factor of 4 reduction in the size of the proof and a factor of 6 reduction in the size of the commitment over the aforementioned scheme.
For the entire collection see [Zbl 1397.94004].

Constructing and deconstructing intentional weaknesses in symmetric ciphers
https://zbmath.org/1517.94062
2023-09-22T14:21:46.120933Z
"Beierle, Christof" https://zbmath.org/authors/?q=ai:beierle.christof
"Beyne, Tim" https://zbmath.org/authors/?q=ai:beyne.tim
"Felke, Patrick" https://zbmath.org/authors/?q=ai:felke.patrick
"Leander, Gregor" https://zbmath.org/authors/?q=ai:leander.gregor
Summary: Deliberately weakened ciphers are of great interest in political discussion on law enforcement, as in the constantly recurring crypto wars, and have been put in the spotlight of academics by recent progress. \textit{C. Beierle} et al. [Lect. Notes Comput. Sci. 12697, 155--183 (2021; Zbl 1479.94125)] showed a strong indication that the security of the widely-deployed stream cipher \texttt{GEA-1} was deliberately and secretly weakened to 40 bits in order to fulfill European export restrictions that were in place in the late 1990s. However, no explanation of how this could have been constructed was given. On the other hand, we have seen the MALICIOUS design framework, published by \textit{T. Peyrin} and \textit{H. Wang} [ibid. 12172, 249--278 (2020; Zbl 1504.94178)], that allows one to construct tweakable block ciphers with a backdoor, where the difficulty of recovering the backdoor relies on well-understood cryptographic assumptions. The constructed tweakable block cipher, however, is rather unusual and very different from, say, general-purpose ciphers like the AES.
In this paper, we pick up both topics. For \texttt{GEA-1} we thoroughly explain how the weakness was constructed, solving the main open question of the work mentioned above. By generalizing \textsf{MALICIOUS} we -- for the first time -- construct backdoored tweakable block ciphers that follow modern design principles for general-purpose block ciphers, i.e., more natural-looking deliberately weakened tweakable block ciphers.
For the entire collection see [Zbl 1514.94003].

Provably secure reflection ciphers
https://zbmath.org/1517.94063
2023-09-22T14:21:46.120933Z
"Beyne, Tim" https://zbmath.org/authors/?q=ai:beyne.tim
"Chen, Yu Long" https://zbmath.org/authors/?q=ai:chen.yulong
Summary: This paper provides the first analysis of reflection ciphers such as \textsc{Prince} from a provable security viewpoint.
As a first contribution, we initiate the study of key-alternating reflection ciphers in the ideal permutation model. Specifically, we prove the security of the two-round case and give matching attacks. The resulting security bound takes the form \(\mathcal{O}(qp^2/2^{2n}+q^2/2^n)\), where \(q\) is the number of construction evaluations and \(p\) is the number of direct adversarial queries to the underlying permutation. Since the two-round construction already achieves an interesting security lower bound, this result can also be of interest for the construction of reflection ciphers based on a single public permutation.
Our second contribution is a generic key-length extension method for reflection ciphers. It provides an attractive alternative to the FX construction, which is used by \textsc{Prince} and other concrete key-alternating reflection ciphers. We show that our construction leads to better security with minimal changes to existing designs. The security proof is in the ideal cipher model and relies on a reduction to the two-round Even-Mansour cipher with a single round key. In order to obtain the desired result, we sharpen the bad-transcript analysis and consequently improve the best-known bounds for the single-key Even-Mansour cipher with two rounds. This improvement is enabled by a new sum-capture theorem that is of independent interest.
For the entire collection see [Zbl 1514.94004].

Differential cryptanalysis in the fixed-key model
https://zbmath.org/1517.94064
2023-09-22T14:21:46.120933Z
"Beyne, Tim" https://zbmath.org/authors/?q=ai:beyne.tim
"Rijmen, Vincent" https://zbmath.org/authors/?q=ai:rijmen.vincent
Summary: A systematic approach to the fixed-key analysis of differential probabilities is proposed. It is based on the propagation of `quasidifferential trails', which keep track of probabilistic linear relations on the values satisfying a differential characteristic in a theoretically sound way. It is shown that the fixed-key probability of a differential can be expressed as the sum of the correlations of its quasidifferential trails.
The theoretical foundations of the method are based on an extension of the difference-distribution table, which we call the quasidifferential transition matrix. The role of these matrices is analogous to that of correlation matrices in linear cryptanalysis. This puts the theory of differential and linear cryptanalysis on an equal footing.
The practical applicability of the proposed methodology is demonstrated by analyzing several differentials for \textsf{RECTANGLE}, \textsf{KNOT}, \textsf{Speck} and \textsf{Simon}. The analysis is automated and applicable to other SPN and ARX designs. Several attacks are shown to be invalid; most others turn out to work only for some keys, but can be improved for weak keys.
For the entire collection see [Zbl 1514.94003].

Statistically sender-private OT from LPN and derandomization
https://zbmath.org/1517.94065
2023-09-22T14:21:46.120933Z
"Bitansky, Nir" https://zbmath.org/authors/?q=ai:bitansky.nir
"Freizeit, Sapir" https://zbmath.org/authors/?q=ai:freizeit.sapir
Summary: We construct a two-message oblivious transfer protocol with statistical sender privacy (SSP OT) based on the Learning Parity with Noise (LPN) Assumption and a standard Nisan-Wigderson style derandomization assumption. Beyond being of interest on their own, SSP OT protocols have proven to be a powerful tool toward minimizing the round complexity in a wide array of cryptographic applications, from proof systems, through secure computation protocols, to hard problems in statistical zero knowledge (SZK).
The protocol is plausibly post-quantum secure. The only other constructions with plausible post-quantum security are based on the Learning with Errors (LWE) Assumption. Lacking the geometric structure of LWE, our construction and analysis rely on a different set of techniques.
Technically, we first construct an SSP OT protocol in the common random string model from LPN alone, and then derandomize the common random string. Most of the technical difficulty lies in the first step. Here we prove a robustness property of the inner product randomness extractor against a certain type of linear splitting attacks. A caveat of our construction is that it relies on the so-called low-noise regime of LPN. This aligns with our current complexity-theoretic understanding of LPN, which is known to imply hardness in SZK only in the low-noise regime.
For the entire collection see [Zbl 1514.94003].

\(P_4\)-free partition and cover numbers \& applications
https://zbmath.org/1517.94066
2023-09-22T14:21:46.120933Z
"Block, Alexander R." https://zbmath.org/authors/?q=ai:block.alexander-r
"Brânzei, Simina" https://zbmath.org/authors/?q=ai:branzei.simina
"Maji, Hemanta K." https://zbmath.org/authors/?q=ai:maji.hemanta-k
"Mehta, Himanshi" https://zbmath.org/authors/?q=ai:mehta.himanshi
"Mukherjee, Tamalika" https://zbmath.org/authors/?q=ai:mukherjee.tamalika
"Nguyen, Hai H." https://zbmath.org/authors/?q=ai:nguyen.hai-h
Summary: \(P_4\)-free graphs, also known as cographs, complement-reducible graphs, or hereditary Dacey graphs, have been well studied in graph theory. Motivated by computer science and information theory applications, our work encodes (flat) joint probability distributions and Boolean functions as bipartite graphs and studies bipartite \(P_4\)-free graphs. For these applications, the graph properties of edge partitioning and covering a bipartite graph using the minimum number of these graphs are particularly relevant. Previously, such graph properties have appeared in leakage-resilient cryptography and (variants of) coloring problems. Interestingly, our covering problem is closely related to the well-studied problem of product (a.k.a., Prague) dimension of loopless undirected graphs, which allows us to employ algebraic lower-bounding techniques for the product/Prague dimension. We prove that computing these numbers is NP-complete, even for bipartite graphs. We establish a connection to the (unsolved) Zarankiewicz problem to show that there are bipartite graphs with size-\(N\) partite sets such that these numbers are at least \(\varepsilon\cdot N^{1-2 \varepsilon}\), for \(\varepsilon\in \{1/3,1/4,1/5,\dots\}\). Finally, we accurately estimate these numbers for bipartite graphs encoding well-studied Boolean functions from circuit complexity, such as set intersection, set disjointness, and inequality.
For applications in information theory and communication \& cryptographic complexity, we consider a system where a setup samples from a (flat) joint distribution and gives the participants, Alice and Bob, their portion from this joint sample. Alice and Bob's objective is to non-interactively establish a shared key and extract the left-over entropy from their portion of the samples as independent private randomness. A genie, who observes the joint sample, provides appropriate assistance to help Alice and Bob with their objective. Lower bounds to the minimum size of the genie's assistance translate into communication and cryptographic lower bounds. We show that (the \(\log_2\) of) the \(P_4\)-free partition number of a graph encoding the joint distribution that the setup uses is equivalent to the size of the genie's assistance. Consequently, the joint distributions corresponding to the bipartite graphs constructed above with high \(P_4\)-free partition numbers correspond to joint distributions requiring more assistance from the genie. As a representative application in non-deterministic communication complexity, we study the communication complexity of nondeterministic protocols augmented by access to the equality oracle at the output. We show that (the \(\log_2\) of) the \(P_4\)-free cover number of the bipartite graph encoding a Boolean function \(f\) is equivalent to the minimum size of the nondeterministic input required by the parties (referred to as the communication complexity of \(f\) in this model). Consequently, the functions corresponding to the bipartite graphs with high \(P_4\)-free cover numbers have high communication complexity. Furthermore, there are functions with communication complexity close to the naïve protocol where the nondeterministic input reveals a party's input. 
Finally, the access to the equality oracle reduces the communication complexity of computing set disjointness by a constant factor in contrast to the model where parties do not have access to the equality oracle. To compute the inequality function, we show an exponential reduction in the communication complexity, and this bound is optimal. On the other hand, access to the equality oracle is (nearly) useless for computing set intersection.
For the entire collection see [Zbl 1465.94005].

Sustained space and cumulative complexity trade-offs for data-dependent memory-hard functions
https://zbmath.org/1517.94067
2023-09-22T14:21:46.120933Z
"Blocki, Jeremiah" https://zbmath.org/authors/?q=ai:blocki.jeremiah
"Holman, Blake" https://zbmath.org/authors/?q=ai:holman.blake
Summary: Memory-hard functions (MHFs) are a useful cryptographic primitive which can be used to design egalitarian proof of work puzzles and to protect low entropy secrets like passwords against brute-force attackers. Intuitively, a memory-hard function is a function whose evaluation costs are dominated by memory costs even if the attacker uses specialized hardware (FPGAs/ASICs), and several cost metrics have been proposed to quantify this intuition. For example, space-time cost looks at the product of running time and the maximum space usage over the entire execution of an algorithm. \textit{J. Alwen} and \textit{V. Serbinenko} [in: Proceedings of the 47th annual ACM symposium on theory of computing, STOC '15, Portland, OR, USA, June 14--17, 2015. New York, NY: Association for Computing Machinery (ACM). 595--603 (2015; Zbl 1321.68374)] observed that the space-time cost of evaluating a function multiple times may not scale linearly in the number of instances being evaluated and introduced the stricter requirement that a memory-hard function has high cumulative memory complexity (CMC) to ensure that an attacker's amortized space-time costs remain large even if the attacker evaluates the function on multiple different inputs in parallel. \textit{J. Alwen} et al. [Lect. Notes Comput. Sci. 10821, 99--130 (2018; Zbl 1423.94045)] observed that the notion of CMC still gives the attacker undesirable flexibility in selecting space-time tradeoffs, e.g., while the MHF \texttt{Scrypt} has maximal CMC \(\varOmega (N^2)\), an attacker could evaluate the function with constant \(O(1)\) memory in time \(O(N^2)\). Alwen et al. [loc. cit.] introduced an even stricter notion of Sustained Space complexity and designed an MHF which has \(s=\varOmega (N/\log N)\) sustained complexity \(t=\varOmega (N)\), i.e., any algorithm evaluating the function in the parallel random oracle model must have at least \(t=\varOmega (N)\) steps where the memory usage is at least \(\varOmega (N/\log N)\). In this work, we use dynamic pebbling games and dynamic graphs to explore tradeoffs between sustained space complexity and cumulative memory complexity for data-dependent memory-hard functions such as Argon2id and \texttt{Scrypt}. We design our own dynamic graph (dMHF) with the property that any dynamic pebbling strategy either (1) has \(\varOmega (N)\) rounds with \(\varOmega (N)\) space, or (2) has CMC \(\varOmega (N^{3-\epsilon })\) -- substantially larger than \(N^2\). For Argon2id we show that any dynamic pebbling strategy either (1) has \(\varOmega (N)\) rounds with \(\varOmega (N^{1-\epsilon })\) space, or (2) has CMC \(\omega (N^2)\). We also present a dynamic version of DRSample [\textit{J. Alwen} et al., ibid. 10212, 33--62 (2017; Zbl 1394.94925)] for which any dynamic pebbling strategy either (1) has \(\varOmega (N)\) rounds with \(\varOmega (N/\log N)\) space, or (2) has CMC \(\varOmega (N^3/\log N)\).
For the entire collection see [Zbl 1514.94003].

Linear cryptanalysis of reduced-round Speck with a heuristic approach: automatic search for linear trails
https://zbmath.org/1517.94068
2023-09-22T14:21:46.120933Z
"Bodden, Daniël" https://zbmath.org/authors/?q=ai:bodden.daniel
Summary: Previous research on linear cryptanalysis of Speck has shown that good linear trails and a meaningful distinguisher for variants of Speck can be found. In this paper we use two different linear approximations of modular addition to search for even better linear trails. Also, we have added a heuristic to search for large-bias approximations for the state conversion approach. We explain how the automatic search works and discuss its performance. Finally, we illustrate that linear approximations with large bias exist in variants of Speck.
For the entire collection see [Zbl 1398.68020].

Some easy instances of ideal-SVP and implications on the partial Vandermonde knapsack problem
https://zbmath.org/1517.94069
2023-09-22T14:21:46.120933Z
"Boudgoust, Katharina" https://zbmath.org/authors/?q=ai:boudgoust.katharina
"Gachon, Erell" https://zbmath.org/authors/?q=ai:gachon.erell
"Pellet-Mary, Alice" https://zbmath.org/authors/?q=ai:pellet-mary.alice
Summary: In this article, we generalize the works of \textit{Y. Pan} et al. [Lect. Notes Comput. Sci. 12696, 559--583 (2021; Zbl 1479.94241)] and \textit{C. Porter} et al. [``Subfield algorithms for ideal and module-SVP based on the decomposition group'', Preprint, \url{arXiv:2105.03219}] and provide a simple condition under which an ideal lattice defines an easy instance of the shortest vector problem. Namely, we show that the more automorphisms stabilize the ideal, the easier it is to find a short vector in it. This observation was already made for prime ideals in Galois fields, and we generalize it to any ideal (whose prime factors are not ramified) of any number field.
We then provide a cryptographic application of this result by showing that particular instances of the partial Vandermonde knapsack problem, also known as partial Fourier recovery problem, can be solved classically in polynomial time. As a proof of concept, we implemented our attack and managed to solve those particular instances for concrete parameter settings proposed in the literature. For random instances, we can halve the lattice dimension with non-negligible probability.
For the entire collection see [Zbl 1514.94002].

I want to ride my \texttt{BICYCL}: \texttt{BICYCL} implements cryptography in class groups
https://zbmath.org/1517.94070
2023-09-22T14:21:46.120933Z
"Bouvier, Cyril" https://zbmath.org/authors/?q=ai:bouvier.cyril
"Castagnos, Guilhem" https://zbmath.org/authors/?q=ai:castagnos.guilhem
"Imbert, Laurent" https://zbmath.org/authors/?q=ai:imbert.laurent
"Laguillaumie, Fabien" https://zbmath.org/authors/?q=ai:laguillaumie.fabien
Summary: We introduce \texttt{BICYCL}, an open-source C++ library that implements arithmetic in the ideal class groups of imaginary quadratic fields, together with a set of cryptographic primitives based on class groups. It is available at \url{https://gite.lirmm.fr/crypto/bicycl} under the GNU General Public License version 3 or any later version. \texttt{BICYCL} provides significant speed-ups on the implementation of the arithmetic of class groups. Concerning cryptographic applications, \texttt{BICYCL} is orders of magnitude faster than any previous pilot implementation of the \(\mathsf{CL}\) linearly homomorphic encryption scheme, making it faster than \textit{P. Paillier}'s encryption scheme [Lect. Notes Comput. Sci. 1592, 223--238 (1999; Zbl 0933.94027)] at any security level.
Linearly homomorphic encryption is the core of many multi-party computation protocols, sometimes involving a huge number of encryptions and homomorphic evaluations: class group-based protocols become the best solution in terms of bandwidth and computational efficiency to rely upon.

Offline assisted group key exchange
https://zbmath.org/1517.94071
2023-09-22T14:21:46.120933Z
"Boyd, Colin" https://zbmath.org/authors/?q=ai:boyd.colin-a
"Davies, Gareth T." https://zbmath.org/authors/?q=ai:davies.gareth-t
"Gjøsteen, Kristian" https://zbmath.org/authors/?q=ai:gjosteen.kristian
"Jiang, Yao" https://zbmath.org/authors/?q=ai:jiang.yao
Summary: We design a group key exchange protocol with forward secrecy where most of the participants remain offline until they wish to compute the key. This is well suited to a cloud storage environment where users are often offline, but have online access to the server which can assist in key exchange. We define and instantiate a new primitive, a blinded KEM, which we show can be used in a natural way as part of our generic protocol construction. Our new protocol has a security proof based on a well-known model for group key exchange. Our protocol is efficient, requiring Diffie-Hellman with a handful of standard public key operations per user in our concrete instantiation.
For the entire collection see [Zbl 1398.68020].

Must the communication graph of MPC protocols be an expander?
https://zbmath.org/1517.94072
2023-09-22T14:21:46.120933Z
"Boyle, Elette" https://zbmath.org/authors/?q=ai:boyle.elette
"Cohen, Ran" https://zbmath.org/authors/?q=ai:cohen.ran
"Data, Deepesh" https://zbmath.org/authors/?q=ai:data.deepesh
"Hubáček, Pavel" https://zbmath.org/authors/?q=ai:hubacek.pavel
Summary: Secure multiparty computation (MPC) on incomplete communication networks has been studied within two primary models: (1) where a partial network is fixed a priori, and thus corruptions can occur dependent on its structure, and (2) where edges in the communication graph are determined dynamically as part of the protocol. Whereas a rich literature has succeeded in mapping out the feasibility and limitations of graph structures supporting secure computation in the fixed-graph model (including strong classical lower bounds), these bounds do not apply in the latter dynamic-graph setting, which has recently seen exciting new results, but remains relatively unexplored. In this work, we initiate a similar foundational study of MPC within the dynamic-graph model. As a first step, we investigate the property of graph expansion. All existing protocols (implicitly or explicitly) yield communication graphs which are expanders, but it is not clear whether this is inherent. Our results consist of two types (for a constant fraction of corruptions):
\begin{itemize}
\item Upper bounds: We demonstrate secure protocols whose induced communication graphs are not expander graphs, within a wide range of settings (computational, information theoretic, with low locality, even with low locality and adaptive security), each assuming some form of input-independent setup.
\item Lower bounds: In the plain model (no setup) with adaptive corruptions, we demonstrate that for certain functionalities, no protocol can maintain a non-expanding communication graph against all adversarial strategies. Our lower bound relies only on protocol correctness (not privacy) and requires a surprisingly delicate argument.
\end{itemize}
More generally, we provide a formal framework for analyzing the evolving communication graph of MPC protocols, giving a starting point for studying the relation between secure computation and further, more general graph properties.

Correlated pseudorandomness from expand-accumulate codes
https://zbmath.org/1517.94073 (2023-09-22T14:21:46.120933Z)
Boyle, Elette (https://zbmath.org/authors/?q=ai:boyle.elette); Couteau, Geoffroy (https://zbmath.org/authors/?q=ai:couteau.geoffroy); Gilboa, Niv (https://zbmath.org/authors/?q=ai:gilboa.niv); Ishai, Yuval (https://zbmath.org/authors/?q=ai:ishai.yuval); Kohl, Lisa (https://zbmath.org/authors/?q=ai:kohl.lisa); Resch, Nicolas (https://zbmath.org/authors/?q=ai:resch.nicolas); Scholl, Peter (https://zbmath.org/authors/?q=ai:scholl.peter)
Summary: A pseudorandom correlation generator (PCG) is a recent tool for securely generating useful sources of correlated randomness, such as random oblivious transfers (OT) and vector oblivious linear evaluations (VOLE), with low communication cost.
We introduce a simple new design for PCGs based on so-called expand-accumulate codes, which first apply a sparse random expander graph to replicate each message entry, and then accumulate the entries by computing the sum of each prefix. Our design offers the following advantages compared to state-of-the-art PCG constructions:
\begin{itemize}
\item Competitive concrete efficiency backed by provable security against relevant classes of attacks;
\item An offline-online mode that combines near-optimal cache-friendliness with simple parallelization;
\item Concretely efficient extensions to pseudorandom correlation \textit{functions}, which enable incremental generation of new correlation instances on demand, and to new kinds of correlated randomness that include circuit-dependent correlations.
\end{itemize}
To further improve the concrete computational cost, we propose a method for speeding up a full-domain evaluation of a puncturable pseudorandom function (PPRF). This is independently motivated by other cryptographic applications of PPRFs.
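The two-step encoder the summary describes (sparse expansion, then prefix-sum accumulation), as an added worked example in Python that is not the authors' code: it builds a toy EA code over GF(2), checks that the accumulator is invertible and the map is linear, and shows the PCG-flavoured use of pushing a sparse noise vector through the compressing code. The parameters, the SHA-256-seeded PRG and the dual-LPN framing are my assumptions, not values taken from the paper.

```python
"""Toy expand-accumulate (EA) encoder over GF(2), following the abstract:
expand each input entry into a few output positions (sparse expander), then
accumulate by taking prefix sums.  Added example, not the authors' code; the
parameters k, n, w, t and the seed are illustrative assumptions."""
import hashlib
import random


def expander_rows(k, n, w, seed):
    """Sparse k x n matrix B over GF(2), stored as rows[i] = the w distinct output
    columns that input entry i is replicated into (a degree-w bipartite graph).
    The choice is derived from `seed` so both PCG parties regenerate the same
    code (assumption: a SHA-256-seeded PRG is fine for a toy)."""
    rng = random.Random(hashlib.sha256(seed).digest())
    return [sorted(rng.sample(range(n), w)) for _ in range(k)]


def expand(msg, rows, n):
    """x = msg * B: x[j] is the XOR of msg[i] over all rows i that contain j."""
    x = [0] * n
    for i, bit in enumerate(msg):
        if bit:
            for j in rows[i]:
                x[j] ^= 1
    return x


def accumulate(x):
    """y[j] = x[0] ^ ... ^ x[j]: prefix sums over GF(2) (the accumulator A)."""
    y, acc = [], 0
    for bit in x:
        acc ^= bit
        y.append(acc)
    return y


def deaccumulate(y):
    """Inverse of accumulate: x[0] = y[0], x[j] = y[j] ^ y[j-1]."""
    return [y[j] ^ (y[j - 1] if j else 0) for j in range(len(y))]


def ea_encode(msg, rows, n):
    """Generator map of the EA code, G = B * A, applied to msg."""
    return accumulate(expand(msg, rows, n))


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def weight(v):
    return sum(v)


def sparse_noise(length, t, rng):
    """A t-sparse vector in GF(2)^length: the noise term of an LPN-style sample."""
    e = [0] * length
    for pos in rng.sample(range(length), t):
        e[pos] = 1
    return e


def dual_lpn_sample(big_n, n, w, t, seed):
    """PCG-style use (my framing of the abstract, not a parameter set from the
    paper): a t-sparse e in GF(2)^N is compressed through the N x n EA map to
    an n-bit vector y.  Under a dual-LPN assumption over EA codes, y should be
    pseudorandom although e has only t ones: the expander spreads each noise
    bit and the accumulator turns isolated ones into long runs."""
    rows = expander_rows(big_n, n, w, seed)
    noise_rng = random.Random(hashlib.sha256(seed + b"noise").digest())
    e = sparse_noise(big_n, t, noise_rng)
    return e, ea_encode(e, rows, n)


if __name__ == "__main__":
    e, y = dual_lpn_sample(big_n=4096, n=1024, w=5, t=32, seed=b"demo-seed")
    print("noise weight", weight(e), "-> encoded weight", weight(y), "of", len(y))
```

The expander has constant row weight and the accumulator is one linear pass (or a parallel prefix scan), which is where the concrete efficiency and cache-friendliness the abstract mentions come from; the toy keeps both steps separate so each can be checked on its own.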
For the entire collection see [Zbl 1514.94002].

Non-trivial witness encryption and null-iO from standard assumptions
https://zbmath.org/1517.94074 (2023-09-22T14:21:46.120933Z)
Brakerski, Zvika (https://zbmath.org/authors/?q=ai:brakerski.zvika); Jain, Aayush (https://zbmath.org/authors/?q=ai:jain.aayush); Komargodski, Ilan (https://zbmath.org/authors/?q=ai:komargodski.ilan); Passelègue, Alain (https://zbmath.org/authors/?q=ai:passelegue.alain); Wichs, Daniel (https://zbmath.org/authors/?q=ai:wichs.daniel)
Summary: A witness encryption (WE) scheme can take any NP statement as a public-key and use it to encrypt a message. If the statement is true then it is possible to decrypt the message given a corresponding witness, but if the statement is false then the message is computationally hidden. Ideally, the encryption procedure should run in polynomial time, but it is also meaningful to define a weaker notion, which we call non-trivially exponentially efficient WE (XWE), where the encryption run-time is only required to be much smaller than the trivial \(2^{m}\) bound for NP relations with witness size \(m\). We show how to construct such XWE schemes for all of NP with encryption run-time \(2^{m/2}\) under the sub-exponential Learning with Errors (LWE) assumption. For NP relations that can be verified in \({\textsf{NC}^1}\) (e.g., SAT) we can also construct such XWE schemes under the sub-exponential decisional bilinear Diffie-Hellman (DBDH) assumption. Although we find the result surprising, it follows via a very simple connection to attribute-based encryption.
We also show how to upgrade the above results to get non-trivially exponentially efficient indistinguishability obfuscation for null circuits (niO), which guarantees that the obfuscations of any two circuits that always output 0 are indistinguishable. In particular, under the LWE assumptions we get an XniO scheme where the obfuscation time is \(2^{n/2}\) for all circuits with input size \(n\). It is known that in the case of indistinguishability obfuscation (iO) for all circuits, non-trivially efficient XiO schemes imply fully efficient iO schemes, but it remains a fascinating open problem whether any such connection exists for WE or niO.
Lastly, we explore a potential approach toward constructing fully efficient WE and niO schemes via multi-input ABE.
For the entire collection see [Zbl 1397.94004].

On actively secure fine-grained access structures from isogeny assumptions
https://zbmath.org/1517.94075 (2023-09-22T14:21:46.120933Z)
Campos, Fabio (https://zbmath.org/authors/?q=ai:campos.fabio); Muth, Philipp (https://zbmath.org/authors/?q=ai:muth.philipp)
Summary: We present an actively secure threshold scheme in the setting of Hard Homogeneous Spaces (HHS) which allows fine-grained access structures. More precisely, we elevate a passively secure isogeny-based threshold scheme to an actively secure setting. We prove the active security and simulatability of our advanced schemes. By characterising the necessary properties, we open our schemes to a significantly wider field of applicable secret sharing schemes. Furthermore, we show that Shamir's scheme has our generalised properties, and thereby our approach truly represents a less restrictive generalisation.
For the entire collection see [Zbl 1514.94001].

Simon's algorithm and symmetric crypto: generalizations and automatized applications
https://zbmath.org/1517.94076 (2023-09-22T14:21:46.120933Z)
Canale, Federico (https://zbmath.org/authors/?q=ai:canale.federico); Leander, Gregor (https://zbmath.org/authors/?q=ai:leander.gregor); Stennes, Lukas (https://zbmath.org/authors/?q=ai:stennes.lukas)
Summary: In this paper we deepen our understanding of how to apply Simon's algorithm to break symmetric cryptographic primitives.
On the one hand, we automate the search for new attacks. Using this approach we automatically find the first efficient key-recovery attacks against constructions like 5-round MISTY L-FK or 5-round Feistel-FK (with internal permutation) using Simon's algorithm.
On the other hand, we study generalizations of Simon's algorithm using non-standard Hadamard matrices, with the aim to expand the quantum symmetric cryptanalysis toolkit with properties other than the periods. Our main conclusion here is that none of these generalizations can accomplish that, and we conclude that exploiting non-standard Hadamard matrices with quantum computers to break symmetric primitives will require fundamentally new attacks.
For the entire collection see [Zbl 1514.94003].

IPRainbow
https://zbmath.org/1517.94077 (2023-09-22T14:21:46.120933Z)
Cartor, Ryann (https://zbmath.org/authors/?q=ai:cartor.ryann); Cartor, Max (https://zbmath.org/authors/?q=ai:cartor.max); Lewis, Mark (https://zbmath.org/authors/?q=ai:lewis.mark-e|lewis.mark-l|lewis.mark-w|lewis.mark-a); Smith-Tone, Daniel (https://zbmath.org/authors/?q=ai:smith-tone.daniel)
Summary: The Rainbow signature scheme is the only multivariate scheme listed as a finalist in round 3 of the NIST post-quantum standardization process. A few recent attacks, including the intersection attack, rectangular MinRank attacks, and the ``simple attack,'' have changed this landscape, leaving questions about the viability of this scheme for future application.
The purpose of this paper is to analyze the possibility of repairing Rainbow by adding an internal perturbation modifier and to compare its performance with that of UOV at the same security level. While the costly internal perturbation modifier was originally designed with encryption in mind, the use of schemes with performance characteristics similar to Rainbow is most interesting for applications in which short signatures or fast verification is a necessity, while signing can be done offline. We find that Rainbow can be made secure while achieving smaller keys, shorter signatures and faster verification times than UOV, but this advantage comes at significant cost in terms of signing time.
For the entire collection see [Zbl 1514.94001].

Designing tweakable enciphering schemes using public permutations
https://zbmath.org/1517.94078 (2023-09-22T14:21:46.120933Z)
Chakraborty, Debrup (https://zbmath.org/authors/?q=ai:chakraborty.debrup); Dutta, Avijit (https://zbmath.org/authors/?q=ai:dutta.avijit); Kundu, Samir (https://zbmath.org/authors/?q=ai:kundu.samir)
Summary: A tweakable enciphering scheme (TES) is a length preserving (tweakable) encryption scheme that provides (tweakable) strong pseudorandom permutation security on arbitrarily long messages. TES is traditionally built using block ciphers and the security of the mode depends on the strong pseudorandom permutation security of the underlying block cipher. In this paper, we construct TESs using public random permutations. Public random permutations are being considered as a replacement for block ciphers in several cryptographic schemes including AEs, MACs, etc. However, to our knowledge, a systematic study of constructing TES using public random permutations is missing. In this paper, we give a generic construction of a TES which uses a public random permutation, a length expanding public permutation based PRF and a hash function which is both almost xor universal and almost regular. Further, we propose a concrete length expanding public permutation based PRF construction.
We also propose a single-keyed TES using a public random permutation and an AXU and almost regular hash function.

Post-quantum simulatable extraction with minimal assumptions: black-box and constant-round
https://zbmath.org/1517.94079 (2023-09-22T14:21:46.120933Z)
Chia, Nai-Hui (https://zbmath.org/authors/?q=ai:chia.nai-hui); Chung, Kai-Min (https://zbmath.org/authors/?q=ai:chung.kai-min); Liang, Xiao (https://zbmath.org/authors/?q=ai:liang.xiao); Yamakawa, Takashi (https://zbmath.org/authors/?q=ai:yamakawa.takashi)
Summary: From the minimal assumption of post-quantum semi-honest oblivious transfers, we build the first \(\varepsilon \)-simulatable two-party computation (2PC) against quantum polynomial-time (QPT) adversaries that is both constant-round and black-box (for both the construction and security reduction). A recent work by \textit{N.-H. Chia} et al. [Lect. Notes Comput. Sci. 13509, 533--563 (2022; Zbl 07705205)] shows that post-quantum 2PC with standard simulation-based security is impossible in constant rounds, unless either \({\text{NP}}\subseteq \text{BQP}\) or relying on non-black-box simulation. The \(\varepsilon \)-simulatability we target is a relaxation of the standard simulation-based security that allows for an arbitrarily small noticeable simulation error \(\varepsilon \). Moreover, when quantum communication is allowed, we can further weaken the assumption to post-quantum secure one-way functions (PQ-OWFs), while maintaining the constant-round and black-box property.
Our techniques also yield the following set of constant-round and black-box two-party protocols secure against QPT adversaries, only assuming black-box access to PQ-OWFs:
\begin{itemize}
\item extractable commitments for which the extractor is also an \(\varepsilon \)-simulator;
\item \( \varepsilon \)-zero-knowledge commit-and-prove whose commit stage is extractable with \(\varepsilon \)-simulation;
\item \( \varepsilon \)-simulatable coin-flipping;
\item \( \varepsilon \)-zero-knowledge arguments of knowledge for NP for which the knowledge extractor is also an \(\varepsilon \)-simulator;
\item \( \varepsilon \)-zero-knowledge arguments for QMA.
\end{itemize}
At the heart of the above results is a black-box extraction lemma showing how to efficiently extract secrets from QPT adversaries while disturbing their quantum states in a controllable manner, i.e., achieving \(\varepsilon \)-simulatability of the after-extraction state of the adversary.
For the entire collection see [Zbl 1514.94003].

Fast large-scale honest-majority MPC for malicious adversaries
https://zbmath.org/1517.94080 (2023-09-22T14:21:46.120933Z)
Chida, Koji (https://zbmath.org/authors/?q=ai:chida.koji); Hamada, Koki (https://zbmath.org/authors/?q=ai:hamada.koki); Ikarashi, Dai (https://zbmath.org/authors/?q=ai:ikarashi.dai); Kikuchi, Ryo (https://zbmath.org/authors/?q=ai:kikuchi.ryo); Genkin, Daniel (https://zbmath.org/authors/?q=ai:genkin.daniel); Lindell, Yehuda (https://zbmath.org/authors/?q=ai:lindell.yehuda); Nof, Ariel (https://zbmath.org/authors/?q=ai:nof.ariel)
Summary: Protocols for secure multiparty computation enable a set of parties to compute a function of their inputs without revealing anything but the output. The security properties of the protocol must be preserved in the presence of adversarial behavior. The two classic adversary models considered are semi-honest (where the adversary follows the protocol specification but tries to learn more than allowed by examining the protocol transcript) and malicious (where the adversary may follow any arbitrary attack strategy). Protocols for semi-honest adversaries are often far more efficient, but in many cases the security guarantees are not strong enough. In this paper, we present new protocols for securely computing any functionality represented by an arithmetic circuit, assuming an honest majority exists. We utilize a new method for verifying that the adversary does not cheat, that yields a cost of just twice that of semi-honest protocols in some settings. Our protocols are information-theoretically secure in the presence of malicious adversaries. We present protocol variants for small and large fields, and show how to efficiently instantiate them based on replicated secret sharing and Shamir secret sharing.
In particular, for large fields, our protocol requires each party to send just 2 field elements per multiplication gate in the three-party setting, and just 12 field elements per multiplication gate for any number of parties. As with previous works in this area aiming to achieve high efficiency, our protocol is secure with abort and does not achieve fairness, meaning that the adversary may receive output while the honest parties do not. We implemented our protocol and ran experiments for different numbers of parties, different network configurations and different circuit depths. Our protocol significantly outperforms the previous best for this setting [\textit{Y. Lindell} and \textit{A. Nof}, in: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, CCS '17, Dallas, TX, USA, October 30 -- November 3, 2017. New York, NY: Association for Computing Machinery (ACM). 259--276 (2017; \url{doi.org/10.1145/3133956.3133999})]; for a large number of parties (e.g., 100 parties), our implementation runs almost an order of magnitude faster than theirs.

The relationship between structure of the key space and hardness of the McEliece-Sidelnikov public key cryptosystem
https://zbmath.org/1517.94081 (2023-09-22T14:21:46.120933Z)
Chizhov, I. V. (https://zbmath.org/authors/?q=ai:chizhov.ivan-v)
Summary: In the paper a number of problems connected with the hardness of the original McEliece PKC and of the McEliece-Sidelnikov PKC with restrictions on the key space are considered. The polynomial equivalence of the breaking problems for the McEliece PKC and the McEliece-Sidelnikov PKC with restrictions on the key space is proved.

Post-compromise security in self-encryption
https://zbmath.org/1517.94082 (2023-09-22T14:21:46.120933Z)
Choi, Gwangbae (https://zbmath.org/authors/?q=ai:choi.gwangbae); Durak, F. Betül (https://zbmath.org/authors/?q=ai:durak.fatma-betul); Vaudenay, Serge (https://zbmath.org/authors/?q=ai:vaudenay.serge)
Summary: In self-encryption, a device encrypts some piece of information for itself to decrypt in the future. We are interested in security of self-encryption when the state occasionally leaks. Applications that use self-encryption include cloud storage, when a client encrypts files to be stored, and in 0-RTT session resumptions, when a server encrypts a resumption key to be kept by the client. Previous works focused on forward security and resistance to replay attacks. In our work, we study post-compromise security (PCS). PCS was achieved in ratcheted instant messaging schemes, at the price of having an inflating state size. An open question was whether state inflation was necessary. In our results, we prove that post-compromise security implies a super-linear state size in terms of the number of active ciphertexts which can still be decrypted. We apply our result to self-encryption for cloud storage, 0-RTT session resumption, and secure messaging. We further show how to construct a secure scheme matching our bound on the state size up to a constant factor.
For the entire collection see [Zbl 1465.94005].

Combining private set intersection with secure two-party computation
https://zbmath.org/1517.94083 (2023-09-22T14:21:46.120933Z)
Ciampi, Michele (https://zbmath.org/authors/?q=ai:ciampi.michele); Orlandi, Claudio (https://zbmath.org/authors/?q=ai:orlandi.claudio)
Summary: Private set intersection (PSI) is one of the most popular and practically relevant secure two-party computation (2PC) tasks. Therefore, designing special-purpose PSI protocols (which are more efficient than generic 2PC solutions) is a very active line of research. In particular, a recent line of work has proposed PSI protocols based on oblivious transfer (OT) which, thanks to recent advances in OT-extension techniques, is nowadays a very cheap cryptographic building block. Unfortunately, these protocols cannot be plugged into larger 2PC applications since in these protocols one party (by design) learns the output of the intersection. Therefore, it is not possible to perform secure post-processing of the output of the PSI protocol. In this paper we propose a novel and efficient OT-based PSI protocol that produces an ``encrypted'' output that can therefore be later used as an input to other 2PC protocols. In particular, the protocol can be used in combination with all common approaches to 2PC including garbled circuits, secret sharing and homomorphic encryption. Thus, our protocol can be combined with the right 2PC techniques to achieve more efficient protocols for computations of the form \(z=f(X\cap Y)\) for arbitrary functions \(f\).
For the entire collection see [Zbl 1397.94004].

Formal security proof for a scheme on a topological network
https://zbmath.org/1517.94084 (2023-09-22T14:21:46.120933Z)
Civino, Roberto (https://zbmath.org/authors/?q=ai:civino.roberto); Longo, Riccardo (https://zbmath.org/authors/?q=ai:longo.riccardo)
Summary: Key assignment and key maintenance in encrypted networks of resource-limited devices may be a challenging task, due to the permanent need of replacing out-of-service devices with new ones and to the consequent need of updating the key information. Recently, \textit{R. Aragona} et al. [J. Discrete Math. Sci. Cryptography 25, No. 8, 2429--2448 (2022; Zbl 1504.94094)] proposed a new cryptographic scheme, ECTAKS, which provides a solution to this design problem by means of a Diffie-Hellman-like key establishment protocol based on elliptic curves and on a prime field. Although the authors proved some results related to the security of the scheme, it still lacks a formal security analysis. In this paper, we address this issue by providing a security proof for ECTAKS in the setting of computational security, assuming that no adversary can solve the underlying discrete logarithm problems with non-negligible success probability.

Low communication complexity protocols, collision resistant hash functions and secret key-agreement protocols
https://zbmath.org/1517.94085 (2023-09-22T14:21:46.120933Z)
Cohen, Shahar P. (https://zbmath.org/authors/?q=ai:cohen.shahar-p); Naor, Moni (https://zbmath.org/authors/?q=ai:naor.moni)
Summary: We study communication complexity in computational settings where bad inputs may exist, but they should be hard to find for any computationally bounded adversary.
We define a model where there is a source of public randomness but the inputs are chosen by a computationally bounded adversarial participant after seeing the public randomness. We show that breaking the known communication lower bounds of the private coins model in this setting is closely connected to known cryptographic assumptions. We consider the simultaneous messages model and the interactive communication model and show that for any non-trivial predicate (with no redundant rows, such as equality):
\begin{itemize}
\item[1.] Breaking the \(\varOmega (\sqrt{n})\) bound in the simultaneous message case or the \(\varOmega (\log n)\) bound in the interactive communication case, implies the existence of distributional collision-resistant hash functions (dCRH). This is shown using techniques from \textit{L. Babai} and \textit{P. G. Kimmel} [in: Proceedings of the 12th annual IEEE conference on computational complexity, CCC '97, Ulm, Germany, June 24--27, 1997. Los Alamitos, CA: IEEE Computer Society. 239--246 (1997; \url{doi:10.1109/CCC.1997.612319})]. Note that with a CRH the lower bounds can be broken.
\item[2.] There are no protocols of constant communication in this preset randomness setting (unlike the plain public randomness model).
\end{itemize}
The other model we study is that of a stateful ``free talk'', where participants can communicate freely before the inputs are chosen and may maintain a state, and the communication complexity is measured only afterwards. We show that efficient protocols for equality in this model imply secret key-agreement protocols in a constructive manner. On the other hand, secret key-agreement protocols imply optimal (in terms of error) protocols for equality.
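The preset-randomness setting of items 1 and 2 above, as an added Python example that is not from the paper: a simultaneous-messages equality protocol in which each player sends m inner-product bits with public random vectors is correct when the inputs are fixed before the randomness, but an adversary who chooses the inputs after seeing the vectors finds colliding inputs by solving a small GF(2) linear system, while the same referee fed a collision-resistant hash of the input is not fooled (the abstract's remark that a CRH breaks the lower bound). The protocol, the attack, the use of truncated SHA-256 as a stand-in CRH, and the parameters n, m and lam are my illustrations and assumptions.

```python
"""Equality (EQ) in the simultaneous-messages model with preset public
randomness.  Added example, not code from Cohen and Naor.  Inputs are n-bit
strings held as Python ints (bit i = coordinate i); n, m and lam are assumed
parameters and SHA-256 stands in for a collision-resistant hash."""
import hashlib
import random


def public_randomness(n, m, seed):
    """m random n-bit vectors s_1..s_m, published BEFORE the inputs are chosen.
    In the abstract's model the adversary picks the inputs after seeing them."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(m)]


def parity(a, b):
    """Inner product <a, b> over GF(2) of two bit-vectors stored as ints."""
    return bin(a & b).count("1") & 1


def linear_sketch(x, seeds):
    """Each player sends the m bits <s_j, x>; the referee answers 'equal' iff the
    two sketches agree.  For inputs independent of the seeds this errs with
    probability 2^-m using only m bits of communication per player."""
    return [parity(x, s) for s in seeds]


def referee(msg_alice, msg_bob):
    return msg_alice == msg_bob


def gf2_kernel_vector(rows, n):
    """A nonzero d with <row, d> = 0 for every row (exists when len(rows) < n),
    by Gaussian elimination over GF(2) on int-encoded rows."""
    pivots = {}                               # pivot column -> reduced row
    for r in rows:
        for col, prow in pivots.items():      # clear r at existing pivot columns
            if (r >> col) & 1:
                r ^= prow
        if r == 0:
            continue
        col = r.bit_length() - 1              # new pivot column
        for c in pivots:                      # clear the new column elsewhere
            if (pivots[c] >> col) & 1:
                pivots[c] ^= r
        pivots[col] = r
    free = next(c for c in range(n) if c not in pivots)
    d = 1 << free                             # free coordinate set to 1 ...
    for col, prow in pivots.items():          # ... pivots chosen to cancel it
        if (prow >> free) & 1:
            d |= 1 << col
    return d


def adversary_inputs(seeds, n):
    """Adaptive adversary: after seeing the public seeds, output x != y whose
    linear sketches collide, so the referee wrongly reports equality.
    x itself is arbitrary (a fixed hash value here)."""
    d = gf2_kernel_vector(seeds, n)
    x = int.from_bytes(hashlib.sha256(b"any fixed input").digest(), "big") % (1 << n)
    return x, x ^ d


def crh_message(x, n, lam=64):
    """The CRH-based protocol: send a collision-resistant hash of the input
    (SHA-256 truncated to lam bits as a stand-in).  Communication is lam bits,
    independent of n, and producing x != y with equal messages is exactly
    producing a hash collision, which the adversary cannot do efficiently."""
    return hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()[: lam // 8]


def demo(n=256, m=8, seed=2024):
    """Returns (inputs differ, linear referee fooled, CRH referee fooled)."""
    seeds = public_randomness(n, m, seed)
    x, y = adversary_inputs(seeds, n)
    fooled = referee(linear_sketch(x, seeds), linear_sketch(y, seeds))
    crh_fooled = referee(crh_message(x, n), crh_message(y, n))
    return x != y, fooled, crh_fooled


if __name__ == "__main__":
    print("inputs differ, linear referee fooled, CRH referee fooled:", demo())
```

The attack needs only m < n: the m public vectors span at most an m-dimensional space, so a nonzero difference d in their common kernel always exists and x and x xor d are indistinguishable to the linear referee. Raising m to n makes the sketch as long as the input, which is the lower bound the abstract is about; a CRH sidesteps it because collisions exist but are hard to find.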
For the entire collection see [Zbl 1514.94003].

Accelerating the Delfs-Galbraith algorithm with fast subfield root detection
https://zbmath.org/1517.94086 (2023-09-22T14:21:46.120933Z)
Corte-Real Santos, Maria (https://zbmath.org/authors/?q=ai:corte-real-santos.maria); Costello, Craig (https://zbmath.org/authors/?q=ai:costello.craig); Shi, Jia (https://zbmath.org/authors/?q=ai:shi.jia)
Summary: We give a new algorithm for finding an isogeny from a given supersingular elliptic curve \(E/\mathbb{F}_{p^2}\) to a subfield elliptic curve \(E'/\mathbb{F}_p\), which is the bottleneck step of the Delfs-Galbraith algorithm for the general supersingular isogeny problem. Our core ingredient is a novel method of rapidly determining whether a polynomial \(f \in L[X]\) has any roots in a subfield \(K \subset L\), while avoiding expensive root-finding algorithms. In the special case when \(f=\Phi_{\ell ,p}(X,j) \in \mathbb{F}_{p^2}[X]\), i.e., when \(f\) is the \(\ell \)-th modular polynomial evaluated at a supersingular \(j\)-invariant, this provides a means of efficiently determining whether there is an \(\ell \)-isogeny connecting the corresponding elliptic curve to a subfield curve. Together with the traditional Delfs-Galbraith walk, inspecting many \(\ell \)-isogenous neighbours in this way allows us to search through a larger proportion of the supersingular set per unit of time. Though the asymptotic \(\tilde{O}(p^{1/2})\) complexity of our improved algorithm remains unchanged from that of the original Delfs-Galbraith algorithm, our theoretical analysis and practical implementation both show a significant reduction in the runtime of the subfield search. This sheds new light on the concrete hardness of the general supersingular isogeny problem (i.e. the foundational problem underlying isogeny-based cryptography), and has immediate implications on the bit-security of schemes like B-SIDH and SQISign for which Delfs-Galbraith is the best known classical attack.
For the entire collection see [Zbl 1514.94003].

Latin dances reloaded: improved cryptanalysis against Salsa and ChaCha, and the proposal of Forró
https://zbmath.org/1517.94087 (2023-09-22T14:21:46.120933Z)
Coutinho, Murilo (https://zbmath.org/authors/?q=ai:coutinho.murilo-g); Passos, Iago (https://zbmath.org/authors/?q=ai:passos.iago); Grados Vásquez, Juan C. (https://zbmath.org/authors/?q=ai:vasquez.juan-c-grados); Sarkar, Santanu (https://zbmath.org/authors/?q=ai:sarkar.santanu); de Mendonça, Fábio L. L. (https://zbmath.org/authors/?q=ai:de-mendonca.fabio-l-l); de Sousa, Rafael T. jun. (https://zbmath.org/authors/?q=ai:de-sousa.rafael-timteo-jun); Borges, Fábio (https://zbmath.org/authors/?q=ai:borges.fabio)
Summary: In this paper, we present 4 major contributions to ARX ciphers and in particular, to the Salsa/ChaCha family of stream ciphers:
\begin{itemize}
\item[(a)] We propose an improved differential-linear distinguisher against ChaCha. To do so, we propose a new way to approach the derivation of linear approximations by viewing the algorithm in terms of simpler subrounds. Using this idea, we show that it is possible to derive almost all linear approximations from previous works from just 3 simple rules. Furthermore, we show that with one extra rule, it is possible to improve the linear approximations proposed by \textit{M. Coutinho} and \textit{T. C. Souza Neto} [Lect. Notes Comput. Sci. 12696, 711--740 (2021; Zbl 1479.94150)].
\item[(b)] We propose a technique called Bidirectional Linear Expansions (BLE) to improve attacks against Salsa. While previous works only considered linear expansions moving forward into the rounds, BLE explores the expansion of a single bit in both forward and backward directions. Applying BLE, we propose the first differential-linear distinguishers reaching 7 and 8 rounds of Salsa and we improve Probabilistic Neutral Bit (PNB) key-recovery attacks against 8 rounds of Salsa.
\item[(c)] \textit{S. Dey} et al. [ibid. 13277, 86--114 (2022; \url{doi.org/10.1007/978-3-031-07082-2_4})] proposed a technique to combine two input-output positions in a PNB attack. In this paper, we generalize this technique for an arbitrary number of input-output positions. Combining this approach with BLE, we are able to improve key recovery attacks against 7 rounds of Salsa.
\item[(d)] Using all the knowledge acquired studying the cryptanalysis of these ciphers, we propose some modifications in order to provide better diffusion per round and higher resistance to cryptanalysis, leading to a new stream cipher named Forró. We show that Forró has a higher security margin; this allows us to reduce the total number of rounds while maintaining the security level, thus creating a faster cipher in many platforms, especially in constrained devices.
\item[(e)] Finally, we developed \textit{CryptDances}, a new tool for the cryptanalysis of Salsa, ChaCha, and Forró designed to be used in high performance environments with several GPUs. With \textit{CryptDances} it is possible to compute differential correlations, to derive new linear approximations for ChaCha automatically, to automate the computation of the complexity of PNB attacks, among other features. We make \textit{CryptDances} available for the community at \url{https://github.com/murcoutinho/cryptDances}.
\end{itemize}

More communication lower bounds for information-theoretic MPC
https://zbmath.org/1517.94088 (2023-09-22T14:21:46.120933Z)
Damgård, Ivan Bjerre (https://zbmath.org/authors/?q=ai:damgard.ivan-bjerre); Li, Boyang (https://zbmath.org/authors/?q=ai:li.boyang); Schwartzbach, Nikolaj Ignatieff (https://zbmath.org/authors/?q=ai:schwartzbach.nikolaj-ignatieff)
Summary: We prove two classes of lower bounds on the communication complexity of information-theoretically secure multiparty computation. The first lower bound applies to perfect passive secure multiparty computation in the standard model with \(n=2t+1\) parties of which \(t\) are corrupted. We show a lower bound that applies to secure evaluation of any function, assuming that each party can choose to learn or not learn the output. Specifically, we show that there is a function \(H^\ast\) such that for any protocol that evaluates \(y_i=b_i\cdot f(x_1,\dots,x_n)\) with perfect passive security (where \(b_i\) is a private Boolean input), the total communication must be at least \(\frac{1}{2}\sum^n_{i = 1} H_f^\ast(x_i)\) bits of information.

The second lower bound applies to the perfect maliciously secure setting with \(n=3t+1\) parties. We show that for any \(n\) and all large enough \(S\), there exists a reactive functionality \(F_S\) taking an \(S\)-bit string as input (and with short output) such that any protocol implementing \(F_S\) with perfect malicious security must communicate \(\Omega(nS)\) bits. Since the functionalities we study can be implemented with linear size circuits, the result can equivalently be stated as follows: for any \(n\) and all large enough \(g\in\mathbb{N}\) there exists a reactive functionality \(F_C\) doing computation specified by a Boolean circuit \(C\) with \(g\) gates, where any perfectly secure protocol implementing \(F_C\) must communicate \(\Omega(ng)\) bits. The results easily extend to constructing similar functionalities defined over any fixed finite field.
Using known techniques, we also show an upper bound that matches the lower bound up to a constant factor (existing upper bounds are a factor \(\lg n\) off for Boolean circuits).

Both results also extend to the case where the threshold \(t\) is suboptimal. Namely if \(n=kt+s\) the bound is weakened by a factor \(O(s)\), which corresponds to known optimizations via packed secret-sharing.
For the entire collection see [Zbl 1465.94005].

Overloading the nonce: rugged PRPs, nonce-set AEAD, and order-resilient channels
https://zbmath.org/1517.94089 (2023-09-22T14:21:46.120933Z)
Degabriele, Jean Paul (https://zbmath.org/authors/?q=ai:degabriele.jean-paul); Karadžić, Vukašin (https://zbmath.org/authors/?q=ai:karadzic.vukasin)
Summary: We introduce a new security notion that lies right in between pseudorandom permutations (PRPs) and strong pseudorandom permutations (SPRPs). We call this new security notion and any (tweakable) cipher that satisfies it a rugged pseudorandom permutation (RPRP). Rugged pseudorandom permutations lend themselves to some interesting applications, have practical benefits, and lead to novel cryptographic constructions. Our focus is on variable-length tweakable RPRPs, and analogous to the encode-then-encipher paradigm of \textit{M. Bellare} and \textit{P. Rogaway} [Lect. Notes Comput. Sci. 1976, 317--330 (2000; Zbl 0974.94008)], we can generically transform any such cipher into different AEAD schemes with varying security properties. However, the benefit of RPRPs is that they can be constructed more efficiently as they are weaker primitives than SPRPs (the notion traditionally required by the encode-then-encipher paradigm). We can construct RPRPs using only two layers of processing, whereas SPRPs typically require three layers of processing over the input data. We also identify a new transformation that yields RUP-secure AEAD schemes with more compact ciphertexts than previously known. Further extending this approach, we arrive at a new generalized notion of authenticated encryption and a matching construction, which we refer to as nonce-set AEAD. Nonce-set AEAD is particularly well-suited in the context of secure channels, like QUIC and DTLS, that operate over unreliable transports and employ a window mechanism at the receiver's end of the channel.
We conclude by presenting a generic construction for transforming a nonce-set AEAD scheme into an order-resilient secure channel. Our channel construction sheds new light on order-resilient channels and additionally leads to more compact ciphertexts when instantiated from RPRPs.
For the entire collection see [Zbl 1514.94004].

Code offset in the exponent
https://zbmath.org/1517.94090
2023-09-22T14:21:46.120933Z
"Demarest, Luke" https://zbmath.org/authors/?q=ai:demarest.luke
"Fuller, Benjamin" https://zbmath.org/authors/?q=ai:fuller.benjamin
"Russell, Alexander" https://zbmath.org/authors/?q=ai:russell.alexander-c|russell.alexander.1
Summary: Fuzzy extractors derive stable keys from noisy sources. They are a fundamental tool for key derivation from biometric sources. This work introduces a new construction, code offset in the exponent. This construction is the first reusable fuzzy extractor that simultaneously supports structured, low entropy distributions with correlated symbols and confidence information. These properties are specifically motivated by the most pertinent applications -- key derivation from biometrics and physical unclonable functions -- which typically demonstrate low entropy with additional statistical correlations and benefit from extractors that can leverage confidence information for efficiency.

Code offset in the exponent is a group encoding of the code offset construction [\textit{A. Juels} and \textit{M. Wattenberg}, in: Proceedings of the 6th ACM conference on computer and communications security, CCS '99, Kent Ridge Digital Labs, Singapore, November 1--4, 1999. New York, NY: Association for Computing Machinery (ACM). 28--36 (1999; \url{doi:10.1145/319709.319714})]. A random codeword of a linear error-correcting code is used as a one-time pad for a sampled value from the noisy source. Rather than encoding this directly, code offset in the exponent encodes by exponentiation of a generator in a cryptographically strong group. We introduce and characterize a condition on noisy sources that directly translates to security of our construction in the generic group model. Our condition requires the inner product between the source distribution and all vectors in the null space of the code to be unpredictable.
For the entire collection see [Zbl 1465.94005].

Authenticated garbling from simple correlations
https://zbmath.org/1517.94091
2023-09-22T14:21:46.120933Z
"Dittmer, Samuel" https://zbmath.org/authors/?q=ai:dittmer.samuel-j
"Ishai, Yuval" https://zbmath.org/authors/?q=ai:ishai.yuval
"Lu, Steve" https://zbmath.org/authors/?q=ai:lu.steve
"Ostrovsky, Rafail" https://zbmath.org/authors/?q=ai:ostrovsky.rafail
Summary: We revisit the problem of constant-round malicious secure two-party computation by considering the use of simple correlations, namely sources of correlated randomness that can be securely generated with sublinear communication complexity and good concrete efficiency. The current state-of-the-art protocol of \textit{J. Katz} et al. [Lect. Notes Comput. Sci. 10993, 365--391 (2018; Zbl 1457.94147)] achieves malicious security by realizing a variant of the authenticated garbling functionality of \textit{X. Wang} et al. [in: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, CCS '17, Dallas, TX, USA, October 30 -- November 3, 2017. New York, NY: Association for Computing Machinery (ACM). 21--37 (2017; \url{doi.org/10.1145/3133956.3134053})]. Given oblivious transfer correlations, the communication cost of this protocol (with 40 bits of statistical security) is comparable to roughly 10 garbled circuits (GCs). This protocol inherently requires more than 2 rounds of interaction.
In this work, we use other kinds of simple correlations to realize the authenticated garbling functionality with better efficiency. Concretely, we get the following reduced costs in the random oracle model:
\begin{itemize}
\item[--] Using variants of both vector oblivious linear evaluation (VOLE) and multiplication triples (MT), we reduce the cost to 1.31 GCs.
\item[--] Using only variants of VOLE, we reduce the cost to 2.25 GCs.
\item[--] Using only variants of MT, we obtain a non-interactive (i.e., 2-message) protocol with cost comparable to 8 GCs.
\end{itemize}
Finally, we show that by using recent constructions of pseudorandom correlation generators [\textit{E. Boyle} et al., Lect. Notes Comput. Sci. 11694, 489--518 (2019; Zbl 1498.68048)], the simple correlations consumed by our protocols can be securely realized without forming an efficiency bottleneck.
For the entire collection see [Zbl 1514.94004].

Line-point zero knowledge and its applications
https://zbmath.org/1517.94092
2023-09-22T14:21:46.120933Z
"Dittmer, Samuel" https://zbmath.org/authors/?q=ai:dittmer.samuel-j
"Ishai, Yuval" https://zbmath.org/authors/?q=ai:ishai.yuval
"Ostrovsky, Rafail" https://zbmath.org/authors/?q=ai:ostrovsky.rafail
Summary: We introduce and study a simple kind of proof system called line-point zero knowledge (LPZK). In an LPZK proof, the prover encodes the witness as an affine line \(\mathfrak{v}(t) : = at+\mathfrak{b}\) in a vector space \(\mathbb{F}^n\), and the verifier queries the line at a single random point \(t = \alpha\). LPZK is motivated by recent practical protocols for vector oblivious linear evaluation (VOLE), which can be used to compile LPZK proof systems into lightweight designated-verifier NIZK protocols.

We construct LPZK systems for proving satisfiability of arithmetic circuits with attractive efficiency features. These give rise to designated-verifier NIZK protocols that require only 2--5 times the computation of evaluating the circuit in the clear (following an input-independent preprocessing phase), and where the prover communicates roughly 2 field elements per multiplication gate, or roughly 1 element in the random oracle model with a modestly higher computation cost. On the theoretical side, our LPZK systems give rise to the first linear interactive proofs [\textit{N. Bitansky} et al., Lect. Notes Comput. Sci. 7785, 315--333 (2013; Zbl 1316.68056)] that are zero knowledge against a malicious verifier.

We then apply LPZK towards simplifying and improving recent constructions of reusable non-interactive secure computation (NISC) from VOLE [\textit{M. Chase} et al., ibid. 11694, 462--488 (2019; Zbl 1506.68014)]. As an application, we give concretely efficient and reusable NISC protocols over VOLE for bounded inner product, where the sender's input vector should have a bounded \(L_2\)-norm.
For the entire collection see [Zbl 1465.94005].

Post-quantum signal key agreement from SIDH
https://zbmath.org/1517.94093
2023-09-22T14:21:46.120933Z
"Dobson, Samuel" https://zbmath.org/authors/?q=ai:dobson.samuel
"Galbraith, Steven D." https://zbmath.org/authors/?q=ai:galbraith.steven-d
Summary: In the effort to transition cryptographic primitives and protocols to quantum-resistant alternatives, an interesting and useful challenge is found in the Signal protocol. The initial key agreement component of this protocol, called X3DH, has so far proved more subtle to replace -- in part due to the unclear security model and properties the original protocol is designed for. This paper defines a formal security model for the original Signal protocol, in the context of the standard eCK and CK+ type models, which we call the Signal-adapted-CK model. We then propose a replacement for the Signal X3DH key exchange protocol based on SIDH, and provide a proof of security in the Signal-adapted-CK model, showing our protocol satisfies all security properties of the original Signal X3DH. We call this new protocol SI-X3DH. Our protocol shows that SIDH can be used to construct a secure X3DH replacement despite the existence of adaptive attacks against it. Unlike the generic constructions proposed in the literature, our protocol achieves deniability without expensive machinery such as post-quantum ring signatures. It also benefits from the small key sizes of SIDH, and its efficiency as a key-exchange protocol compared to other isogeny-based protocols such as CSIDH.
For the entire collection see [Zbl 1514.94001].

Online linear extractors for independent sources
https://zbmath.org/1517.94094
2023-09-22T14:21:46.120933Z
"Dodis, Yevgeniy" https://zbmath.org/authors/?q=ai:dodis.yevgeniy
"Guo, Siyao" https://zbmath.org/authors/?q=ai:guo.siyao
"Stephens-Davidowitz, Noah" https://zbmath.org/authors/?q=ai:stephens-davidowitz.noah
"Xie, Zhiye" https://zbmath.org/authors/?q=ai:xie.zhiye
Summary: In this work, we characterize linear online extractors. In other words, given a matrix \(A\in \mathbb{F}_2^{n\times n}\), we study the convergence of the iterated process \(S\leftarrow AS\oplus X\), where \(X\sim D\) is repeatedly sampled independently from some fixed (but unknown) distribution \(D\) with (min)-entropy \(k\). Here, we think of \(S \in\{0,1\}^n\) as the state of an online extractor, and \(X\in\{0,1\}^n\) as its input.

As our main result, we show that the state \(S\) converges to the uniform distribution for all input distributions \(D\) with entropy \(k>0\) if and only if the matrix \(A\) has no non-trivial invariant subspace (i.e., a non-zero subspace \(V\subsetneq \mathbb{F}_2^n\) such that \(AV\subseteq V\)). In other words, a matrix \(A\) yields a linear online extractor if and only if \(A\) has no non-trivial invariant subspace. For example, the linear transformation corresponding to multiplication by a generator of the field \(\mathbb{F}_{2^n}\) yields a good linear online extractor. Furthermore, for any such matrix convergence takes at most \(\widetilde{O}(n^2(k+1)/k^2)\) steps.

We also study the more general notion of condensing -- that is, we ask when this process converges to a distribution with entropy at least \(\ell\), when the input distribution has entropy at least \(k\). (Extractors corresponding to the special case when \(\ell=n\).) We show that a matrix gives a good condenser if there are relatively few vectors \(w\in\mathbb{F}_2^n\) such that \(w, A^Tw,\dots, (A^T)^{n-k}w\) are linearly dependent.
As an application, we show that the very simple cyclic rotation transformation \(A(x_1,\dots, x_n) = (x_n,x_1,\dots,x_{n-1})\) condenses to \(\ell=n-1\) bits for any \(k>1\) if \(n\) is a prime satisfying a certain simple number-theoretic condition.

Our proofs are Fourier-analytic and rely on a novel lemma, which gives a tight bound on the product of certain Fourier coefficients of any entropic distribution.
For the entire collection see [Zbl 1465.94005].

Doubly-affine extractors, and their applications
https://zbmath.org/1517.94095
2023-09-22T14:21:46.120933Z
"Dodis, Yevgeniy" https://zbmath.org/authors/?q=ai:dodis.yevgeniy
"Yeo, Kevin" https://zbmath.org/authors/?q=ai:yeo.kevin
Summary: In this work we challenge the common misconception that information-theoretic (IT) privacy is too impractical to be used in the real-world: we propose to build simple and reusable IT-encryption solutions whose only efficiency penalty (compared to computationally-secure schemes) comes from a large secret key size, which is often a rather minor inconvenience, as storage is cheap. In particular, our solutions are stateless and locally computable at the optimal rate, meaning that honest parties do not maintain state and read only (optimally) small portions of their large keys with every use.

Moreover, we also propose a novel architecture for outsourcing the storage of these long keys to a network of semi-trusted servers, trading the need to store large secrets with the assumption that it is hard to simultaneously compromise too many publicly accessible ad-hoc servers. Our architecture supports everlasting privacy and post-application security of the derived one-time keys, resolving two major limitations of a related model for outsourcing key storage, called bounded storage model.

Both of these results come from nearly optimal constructions of so-called doubly-affine extractors: locally-computable, seeded extractors Ext\((X,S)\) which are linear functions of \(X\) (for any fixed seed \(S\)), and protect against bounded affine leakage on \(X\). This holds unconditionally, even if (a) affine leakage may adaptively depend on the extracted key \(R=\text{Ext}(X,S)\); and (b) the seed \(S\) is only computationally secure. Neither of these properties is possible with general-leakage extractors.
For the entire collection see [Zbl 1465.94005].

Efficient NIZKs and signatures from commit-and-open protocols in the QROM
https://zbmath.org/1517.94096
2023-09-22T14:21:46.120933Z
"Don, Jelle" https://zbmath.org/authors/?q=ai:don.jelle
"Fehr, Serge" https://zbmath.org/authors/?q=ai:fehr.serge
"Majenz, Christian" https://zbmath.org/authors/?q=ai:majenz.christian
"Schaffner, Christian" https://zbmath.org/authors/?q=ai:schaffner.christian
Summary: Commit-and-open \(\Sigma \)-protocols are a popular class of protocols for constructing non-interactive zero-knowledge arguments and digital-signature schemes via the Fiat-Shamir transformation. Instantiated with hash-based commitments, the resulting non-interactive schemes enjoy tight online-extractability in the random oracle model. Online extractability improves the tightness of security proofs for the resulting digital-signature schemes by avoiding lossy rewinding or forking-lemma based extraction.
In this work, we prove tight online extractability in the quantum random oracle model (QROM), showing that the construction supports post-quantum security. First, we consider the default case where committing is done by element-wise hashing. In a second part, we extend our result to Merkle-tree based commitments. Our results yield a significant improvement of the provable post-quantum security of the digital-signature scheme Picnic.
Our analysis makes use of a recent framework by \textit{K.-M. Chung} et al. [Lect. Notes Comput. Sci. 12697, 598--629 (2021; Zbl 1479.94145)] for analysing quantum algorithms in the QROM using purely classical reasoning. Therefore, our results can to a large extent be understood and verified without prior knowledge of quantum information science.
For the entire collection see [Zbl 1514.94002].

Estimating the hidden overheads in the BDGL lattice sieving algorithm
https://zbmath.org/1517.94097
2023-09-22T14:21:46.120933Z
"Ducas, Léo" https://zbmath.org/authors/?q=ai:ducas.leo
Summary: The lattice sieving algorithm based on list-decoding of \textit{A. Becker} et al. [in: Proceedings of the 27th annual ACM-SIAM symposium on discrete algorithms, SODA 2016, Arlington, VA, USA, January 10--12, 2016. Philadelphia, PA: Society for Industrial and Applied Mathematics (SIAM); New York, NY: Association for Computing Machinery (ACM). 10--24 (2016; Zbl 1410.68093)] is currently at the center of cryptanalysis cost estimates of candidate lattice schemes for post-quantum standardization.
Yet, only an idealized version of this algorithm has been carefully modelled, i.e. given an efficient list-decoding oracle for a perfectly random spherical code. In this work, we propose an experimental analysis of the actual algorithm. The difficulty lies in estimating the probabilistic defect with respect to perfectly random spherical codes for the task at hand. While it should be in principle infeasible to run the algorithm in cryptographically relevant dimensions, a few tricks nevertheless allow the relevant quantity to be measured experimentally.
Concretely, we conclude on an overhead factor of about \(2^6\) on the number of gates in the RAM model compared to the idealized model for dimensions around 380 after an appropriate re-parametrization. Part of this overhead can be traded for extra memory, at a costly rate. We also clarify that these overheads apply to an internal routine, and discuss how they can be partially mitigated in the whole attack.
For the entire collection see [Zbl 1514.94001].

Snapshot-oblivious RAMs: sub-logarithmic efficiency for short transcripts
https://zbmath.org/1517.94098
2023-09-22T14:21:46.120933Z
"Du, Yang" https://zbmath.org/authors/?q=ai:du.yang
"Genkin, Daniel" https://zbmath.org/authors/?q=ai:genkin.daniel
"Grubbs, Paul" https://zbmath.org/authors/?q=ai:grubbs.paul
Summary: Oblivious RAM (ORAM) is a powerful technique to prevent harmful data breaches. Despite tremendous progress in improving the concrete performance of ORAM, it remains too slow for use in many practical settings; recent breakthroughs in lower bounds indicate this inefficiency is inherent for ORAM and even some natural relaxations.
This work introduces snapshot-oblivious RAMs, a new secure memory access primitive. Snapshot-oblivious RAMs bypass lower bounds by providing security only for transcripts whose length (call it \(c\)) is fixed and known ahead of time. Intuitively, snapshot-oblivious RAMs provide strong security for attacks of short duration, such as the snapshot attacks targeted by many encrypted databases.
We give an ORAM-style definition of this new primitive, and present several constructions. The underlying design principle of our constructions is to store the history of recent operations in a data structure that can be accessed obliviously. We instantiate this paradigm with data structures that remain on the client, giving a snapshot-oblivious RAM with constant bandwidth overhead. We also show how these data structures can be stored on the server and accessed using oblivious memory primitives. Our most efficient instantiation achieves \(\mathcal{O}(\log c)\) bandwidth overhead. By extending recent ORAM lower bounds, we show this performance is asymptotically optimal. Along the way, we define a new hash queue data structure -- essentially, a dictionary whose elements can be modified in a first-in-first-out fashion -- which may be of independent interest.
For the entire collection see [Zbl 1514.94004].

Partial key exposure attacks on BIKE, Rainbow and NTRU
https://zbmath.org/1517.94099
2023-09-22T14:21:46.120933Z
"Esser, Andre" https://zbmath.org/authors/?q=ai:esser.andre
"May, Alexander" https://zbmath.org/authors/?q=ai:may.alexander
"Verbel, Javier" https://zbmath.org/authors/?q=ai:verbel.javier-a
"Wen, Weiqiang" https://zbmath.org/authors/?q=ai:wen.weiqiang
Summary: In a so-called partial key exposure attack one obtains some information about the secret key, e.g. via some side-channel leakage. This information might be a certain fraction of the secret key bits (erasure model) or some erroneous version of the secret key (error model). The goal is to recover the secret key from the leaked information.
There is a common belief that, as opposed to e.g. the RSA cryptosystem, most post-quantum cryptosystems are usually resistant against partial key exposure attacks. We strongly question this belief by constructing partial key exposure attacks on code-based, multivariate, and lattice-based schemes (BIKE, Rainbow and NTRU). Our attacks exploit the redundancy that modern PQ cryptosystems inherently use for efficiency reasons. The application and development of techniques from information set decoding plays a crucial role for achieving our results.
On the theoretical side, we show non-trivial information leakage bounds that allow for a polynomial time key recovery attack. As an example, for all schemes the knowledge of a constant fraction of the secret key bits suffices to reconstruct the full key in polynomial time.
Even if we no longer insist on polynomial time attacks, most of our attacks extend well and remain feasible up to large erasure and error rates. In the case of BIKE for example we obtain attack complexities around 60 bits when half of the secret key bits are erased, or a quarter of the secret key bits are faulty.
Our results show that even highly error-prone key leakage of modern PQ cryptosystems may lead to full secret key recoveries.
For the entire collection see [Zbl 1514.94003].

Ofelimos: combinatorial optimization via proof-of-useful-work. A provably secure blockchain protocol
https://zbmath.org/1517.94100
2023-09-22T14:21:46.120933Z
"Fitzi, Matthias" https://zbmath.org/authors/?q=ai:fitzi.matthias
"Kiayias, Aggelos" https://zbmath.org/authors/?q=ai:kiayias.aggelos
"Panagiotakos, Giorgos" https://zbmath.org/authors/?q=ai:panagiotakos.giorgos
"Russell, Alexander" https://zbmath.org/authors/?q=ai:russell.alexander-c
Summary: Minimizing the energy cost and carbon footprint of the Bitcoin blockchain and related protocols is one of the most widely identified open questions in the cryptocurrency space. Substituting the proof-of-work (PoW) primitive in Nakamoto's longest-chain protocol with a proof of useful work (PoUW) has been long theorized as an ideal solution in many respects but, to this day, the concept still lacks a convincingly secure realization.
In this work we put forth Ofelimos, a novel PoUW-based blockchain protocol whose consensus mechanism simultaneously realizes a decentralized optimization-problem solver. Our protocol is built around a novel local search algorithm, which we call Doubly Parallel Local Search (DPLS), that is especially crafted to suit implementation as the PoUW component of our blockchain protocol. We provide a thorough security analysis of our protocol and additionally present metrics that reflect the usefulness of the system. DPLS can be used to implement variants of popular local search algorithms such as WalkSAT that are used for real world combinatorial optimization tasks. In this way, our work paves the way for safely using blockchain systems as generic optimization engines for a variety of hard optimization problems for which a publicly verifiable solution is desired.
For the entire collection see [Zbl 1514.94002].

Attack on SHealS and HealS: the second wave of GPST
https://zbmath.org/1517.94101
2023-09-22T14:21:46.120933Z
"Galbraith, Steven D." https://zbmath.org/authors/?q=ai:galbraith.steven-d
"Lai, Yi-Fu" https://zbmath.org/authors/?q=ai:lai.yi-fu
Summary: We cryptanalyse the isogeny-based public key encryption schemes SHealS and HealS, and the key exchange scheme HealSIDH of \textit{T. B. Fouotsa} and \textit{C. Petit} [Lect. Notes Comput. Sci. 13093, 279--307 (2021; Zbl 1514.94082)].
For the entire collection see [Zbl 1514.94001].

Secure two-party computation over unreliable channels
https://zbmath.org/1517.94102
2023-09-22T14:21:46.120933Z
"Gelles, Ran" https://zbmath.org/authors/?q=ai:gelles.ran
"Paskin-Cherniavsky, Anat" https://zbmath.org/authors/?q=ai:paskin-cherniavsky.anat
"Zikas, Vassilis" https://zbmath.org/authors/?q=ai:zikas.vassilis
Summary: We consider information-theoretic secure two-party computation in the plain model where no reliable channels are assumed, and all communication is performed over the binary symmetric channel (BSC) that flips each bit with fixed probability. In this reality-driven setting we investigate feasibility of communication-optimal noise-resilient semi-honest two-party computation, i.e., efficient computation which is both private and correct despite channel noise.
We devise an information-theoretic technique that converts any correct, but not necessarily private, two-party protocol that assumes reliable channels, into a protocol which is both correct and private against semi-honest adversaries, assuming BSC channels alone. Our results also apply to other types of noisy channels such as the elastic channel.
Our construction combines tools from the cryptographic literature with tools from the literature on interactive coding, and achieves, to our knowledge, the best known communication overhead. Specifically, if \(f\) is given as a circuit of size \(s\), our scheme communicates \(O(s+\kappa)\) bits for \(\kappa\) a security parameter. This improves the state of the art [\textit{Y. Ishai} et al., Lect. Notes Comput. Sci. 6841, 667--684 (2011; Zbl 1290.94092)] where the communication is \(O(s)+\operatorname{poly}(\kappa\cdot\text{depth}(s))\).
For the entire collection see [Zbl 1397.94004].

Compact IBBE and fuzzy IBE from simple assumptions
https://zbmath.org/1517.94103
2023-09-22T14:21:46.120933Z
"Gong, Junqing" https://zbmath.org/authors/?q=ai:gong.junqing
"Libert, Benoît" https://zbmath.org/authors/?q=ai:libert.benoit
"Ramanna, Somindu C." https://zbmath.org/authors/?q=ai:ramanna.somindu-c
Summary: We propose new constructions for identity-based broadcast encryption (IBBE) and fuzzy identity-based encryption (FIBE) in bilinear groups of composite order. Our starting point is the IBBE scheme of \textit{C. Delerablée} [Lect. Notes Comput. Sci. 4833, 200--215 (2007; Zbl 1153.94366)] and the FIBE scheme of \textit{J. Herranz} et al. [ibid. 6056, 19--34 (2010; Zbl 1271.94021)] proven secure under parameterised assumptions called generalised decisional bilinear Diffie-Hellman (GDDHE) and augmented multi-sequence of exponents Diffie-Hellman (aMSE-DDH) respectively. The two schemes are described in the prime-order pairing group. We transform the schemes into the setting of (symmetric) composite-order groups and prove security from two static assumptions (subgroup decision).
The Déjà Q framework of \textit{M. Chase} et al. [ibid. 10032, 655--681 (2016; Zbl 1380.94078)] is known to cover a large class of parameterised assumptions (dubbed über assumption), that is, these assumptions, when defined in asymmetric composite-order groups, are implied by subgroup decision assumptions in the underlying composite-order groups. We argue that the GDDHE and aMSE-DDH assumptions are not covered by the Déjà Q über assumption framework. We therefore work out direct security reductions for the two schemes based on subgroup decision assumptions. Furthermore, our proofs involve novel extensions of Déjà Q techniques of \textit{H. Wee} [ibid. 9563, 237--258 (2016; Zbl 1377.94067)] and \textit{M. Chase} and \textit{S. Meiklejohn} [ibid. 8441, 622--639 (2014; Zbl 1290.94054)].
Our constructions have constant-size ciphertexts. The IBBE has constant-size keys as well and guarantees stronger security as compared to Delerablée's IBBE, thus making it the first compact IBBE known to be selectively secure without random oracles under simple assumptions. The fuzzy IBE scheme is the first to simultaneously feature constant-size ciphertexts and security under standard assumptions.
For the entire collection see [Zbl 1397.94004].

Tight bounds on the randomness complexity of secure multiparty computation
https://zbmath.org/1517.94104
2023-09-22T14:21:46.120933Z
"Goyal, Vipul" https://zbmath.org/authors/?q=ai:goyal.vipul
"Ishai, Yuval" https://zbmath.org/authors/?q=ai:ishai.yuval
"Song, Yifan" https://zbmath.org/authors/?q=ai:song.yifan
Summary: We revisit the question of minimizing the randomness complexity of protocols for secure multiparty computation (MPC) in the setting of perfect information-theoretic security. \textit{E. Kushilevitz} and \textit{Y. Mansour} [SIAM J. Discrete Math. 10, No. 4, 647--661 (1997; Zbl 1049.94510)] studied the case of \(n\)-party semi-honest MPC for the XOR function with security threshold \(t<n\), showing that \(O(t^2\log (n/t))\) random bits are sufficient and \(\varOmega (t)\) random bits are necessary. Their positive result was obtained via a non-explicit protocol, whose existence was proved using the probabilistic method.
We essentially close the question by proving an \(\varOmega (t^2)\) lower bound on the randomness complexity of XOR, matching the previous upper bound up to a logarithmic factor (or constant factor when \(t=\varOmega (n)\)). We also obtain an explicit protocol that uses \(O(t^2\cdot \log^2n)\) random bits, matching our lower bound up to a polylogarithmic factor. We extend these results from XOR to general symmetric Boolean functions and to addition over a finite Abelian group, showing how to amortize the randomness complexity over multiple additions.
Finally, combining our techniques with recent randomness-efficient constructions of private circuits, we obtain an explicit protocol for evaluating a general circuit \(C\) using only \(O(t^2\cdot \log |C|)\) random bits, by employing additional ``helper parties'' who do not contribute any inputs. This upper bound too matches our lower bound up to a logarithmic factor.
For the entire collection see [Zbl 1514.94004].

A new key recovery side-channel attack on HQC with chosen ciphertext
https://zbmath.org/1517.94105
2023-09-22T14:21:46.120933Z
"Goy, Guillaume" https://zbmath.org/authors/?q=ai:goy.guillaume
"Loiseau, Antoine" https://zbmath.org/authors/?q=ai:loiseau.antoine
"Gaborit, Philippe" https://zbmath.org/authors/?q=ai:gaborit.philippe
Summary: Hamming Quasi-Cyclic (HQC) is a code-based candidate of NIST post-quantum standardization procedure. The decoding steps of code-based cryptosystems are known to be vulnerable to side-channel attacks and HQC is no exception to this rule. In this paper, we present a new key recovery side-channel attack on HQC with chosen ciphertext. Our attack takes advantage of the reuse of a static secret key on a micro-controller with physical access. The goal is to retrieve the static secret key by targeting the Reed-Muller decoding step of the decapsulation and more precisely the Hadamard transform. This function is known for its diffusion property, a property that we exploit through side-channel analysis. The side-channel information is used to build an Oracle that distinguishes between several decoding patterns of the Reed-Muller codes. We show how to query the Oracle such that the responses give full information about the static secret key. Experiments show that less than 20.000 electromagnetic attack traces are sufficient to retrieve the whole static secret key used for the decapsulation. Finally, we present a masking-based countermeasure to thwart our attack.
For the entire collection see [Zbl 1514.94001].

Card-based secure sorting protocol
https://zbmath.org/1517.94106
2023-09-22T14:21:46.120933Z
"Haga, Rikuo" https://zbmath.org/authors/?q=ai:haga.rikuo
"Toyoda, Kodai" https://zbmath.org/authors/?q=ai:toyoda.kodai
"Shinoda, Yuto" https://zbmath.org/authors/?q=ai:shinoda.yuto
"Miyahara, Daiki" https://zbmath.org/authors/?q=ai:miyahara.daiki
"Shinagawa, Kazumasa" https://zbmath.org/authors/?q=ai:shinagawa.kazumasa
"Hayashi, Yuichi" https://zbmath.org/authors/?q=ai:hayashi.yuichi
"Mizuki, Takaaki" https://zbmath.org/authors/?q=ai:mizuki.takaaki
Summary: The research area of card-based cryptography, which relies on a deck of physical cards to perform cryptographic functionalities, has been growing in recent years, ranging from basic secure computations, such as secure AND and XOR evaluations, to more complex tasks, such as Yao's Millionaires' problem and zero-knowledge proof. In this paper, we propose a card-based ``secure sorting'' protocol; although sorting is probably the most fundamental problem in computer science, secure sorting has not been addressed in the field of card-based cryptography yet. Given a sequence of face-down cards representing a collection of keys with values (to be sorted), our proposed protocol sorts them without leaking any information. As imagined, secure sorting provides many applications; for instance, we show how to apply our protocol to implementing an auction. Since many algorithms for computational problems (say, graph algorithms) use sorting as subroutines, we expect that our secure sorting protocol will be useful when constructing card-based secure computations regarding computational problems.
For the entire collection see [Zbl 1503.68013].

Lower bound on SNARGs in the random oracle model
https://zbmath.org/1517.94107
2023-09-22T14:21:46.120933Z
"Haitner, Iftach" https://zbmath.org/authors/?q=ai:haitner.iftach
"Nukrai, Daniel" https://zbmath.org/authors/?q=ai:nukrai.daniel
"Yogev, Eylon" https://zbmath.org/authors/?q=ai:yogev.eylon
Summary: Succinct non-interactive arguments (SNARGs) have become a fundamental primitive in the cryptographic community. The focus of this work is constructions of SNARGs in the Random Oracle Model (ROM). Such SNARGs enjoy post-quantum security and can be deployed using lightweight cryptography to heuristically instantiate the random oracle. A ROM-SNARG is \((t,\varepsilon )\)-sound if no \(t\)-query malicious prover can convince the verifier to accept a false statement with probability larger than \(\varepsilon \). Recently, \textit{A. Chiesa} and \textit{E. Yogev} [Lect. Notes Comput. Sci. 12825, 711--741 (2021; Zbl 1485.94073)] presented a ROM-SNARG of length \({\varTheta }(\log (t/\varepsilon ) \cdot \log t)\) (ignoring \(\log n\) factors, for \(n\) being the instance size). This improvement, however, is still far from the (folklore) lower bound of \(\varOmega (\log (t/\varepsilon ))\).
Assuming the randomized exponential-time hypothesis, we prove a tight lower bound of \({\varOmega }(\log (t/\varepsilon ) \cdot \log t)\) for the length of \((t,\varepsilon )\)-sound ROM-SNARGs. Our lower bound holds for constructions with non-adaptive verifiers and a strong soundness notion called salted soundness, restrictions that hold for all known constructions (ignoring contrived counterexamples). We prove our lower bound by transforming any short ROM-SNARG (of the considered family) into a ROM-SNARG of the same length in which the verifier asks only a few oracle queries, and then applying the recent lower bound of \textit{A. Chiesa} and \textit{E. Yogev} [ibid. 12551, 47--76 (2020; Zbl 1485.94072)] for such SNARGs.
For the entire collection see [Zbl 1514.94003].

How to backdoor (classic) McEliece and how to guard against backdoors
https://zbmath.org/1517.94108
2023-09-22T14:21:46.120933Z
"Hemmert, Tobias" https://zbmath.org/authors/?q=ai:hemmert.tobias
"May, Alexander" https://zbmath.org/authors/?q=ai:may.alexander
"Mittmann, Johannes" https://zbmath.org/authors/?q=ai:mittmann.johannes
"Schneider, Carl Richard Theodor" https://zbmath.org/authors/?q=ai:schneider.carl-richard-theodor
Summary: We show how to backdoor the McEliece cryptosystem such that a backdoored public key is indistinguishable from a usual public key, but allows one to efficiently retrieve the underlying secret key.
For good cryptographic reasons, McEliece uses a small random seed \(\delta\) that generates via some pseudorandom generator (PRG) the randomness that determines the secret key. Our backdoor mechanism works by encoding an encryption of \(\delta\) into the public key. Retrieving \(\delta\) then allows one to efficiently recover the (backdoored) secret key. Interestingly, McEliece can be used itself to encrypt \(\delta\), thereby protecting our backdoor mechanism with strong post-quantum security guarantees.
Our construction also works for the current Classic McEliece NIST standard proposal for non-compressed secret keys, and therefore opens the door for widespread maliciously backdoored implementations.
Fortunately, our backdoor mechanism can be detected by the owner of the (backdoored) secret key if \(\delta\) is stored after key generation as specified by the Classic McEliece proposal. Thus, our results provide strong advice for implementers to store \(\delta\) inside the secret key and use \(\delta\) to guard against backdoor mechanisms.
For the entire collection see [Zbl 1514.94001].

Practical statistically-sound proofs of exponentiation in any group
https://zbmath.org/1517.94109
2023-09-22T14:21:46.120933Z
"Hoffmann, Charlotte" https://zbmath.org/authors/?q=ai:hoffmann.charlotte
"Hubáček, Pavel" https://zbmath.org/authors/?q=ai:hubacek.pavel
"Kamath, Chethan" https://zbmath.org/authors/?q=ai:kamath.chethan
"Klein, Karen" https://zbmath.org/authors/?q=ai:klein.karen
"Pietrzak, Krzysztof" https://zbmath.org/authors/?q=ai:pietrzak.krzysztof
Summary: A proof of exponentiation (PoE) in a group \({\mathbb{G}}\) of unknown order allows a prover to convince a verifier that a tuple \((x,q,T,y)\in{\mathbb{G}}\times{\mathbb{N}}\times{\mathbb{N}}\times{\mathbb{G}}\) satisfies \(x^{q^T}=y\). This primitive has recently found exciting applications in the constructions of verifiable delay functions and succinct arguments of knowledge. The most practical PoEs only achieve soundness either under computational assumptions, i.e., they are arguments [\textit{B. Wesolowski}, J. Cryptology 33, No. 4, 2113--2147 (2020; Zbl 1453.94125)], or in groups that come with the promise of not having any small subgroups [\textit{K. Pietrzak}, LIPIcs -- Leibniz Int. Proc. Inform. 124, Article 60, 15 p. (2019; Zbl 07559103)]. The only statistically-sound PoE in general groups of unknown order is due to \textit{A. R. Block} et al. [Lect. Notes Comput. Sci. 12828, 123--152 (2021; Zbl 1489.94088)], and can be seen as an elaborate parallel repetition of Pietrzak's PoE: to achieve \(\lambda\) bits of security, say \(\lambda =80\), the number of repetitions required (and thus the blow-up in communication) is as large as \(\lambda \).
In this work, we propose a statistically-sound PoE for the case where the exponent \(q\) is the product of all primes up to some bound \(B\). We show that, in this case, it suffices to run only \(\lambda /\log (B)\) parallel instances of Pietrzak's PoE [loc. cit.], which reduces the concrete proof-size compared to Block et al. [loc. cit.] by an order of magnitude. Furthermore, we show that in the known applications where PoEs are used as a building block such structured exponents are viable. Finally, we also discuss batching of our PoE, showing that many proofs (for the same \(\mathbb{G}\) and \(q\) but different \(x\) and \(T\)) can be batched by adding only a single element to the proof per additional statement.
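The statement \(x^{q^T}=y\) and the halving step of Pietrzak's PoE that the summary above builds on, as an added example (this is not code from the paper or its authors): one round of the protocol sends \(\mu = x^{q^{T/2}}\), the verifier picks a challenge \(r\), and both sides fold the instance into \((x^r\mu,\,T/2,\,\mu^r y)\); after \(\log T\) rounds a single exponentiation by \(q\) remains. The exponent is the structured \(q=\prod_{p\le B}p\) from the abstract, and a wrapper runs several instances with domain-separated Fiat-Shamir challenges. Assumptions: a constructed toy modulus from two known primes (so the group order is not actually unknown here), SHA-256 with 128-bit challenges in place of the random oracle, and the repetition count left as a parameter; the paper's \(\lambda/\log B\) bound and its analysis for small challenges are not reproduced.

```python
import hashlib

# Constructed toy modulus: product of two known primes. A real deployment
# uses a group of unknown order (RSA modulus with discarded factors, class
# group); here the factorisation is known, so the demo only exercises the
# protocol mechanics, not the hardness that makes PoEs useful.
N = 1_000_000_007 * 998_244_353


def primorial(B):
    """Structured exponent q = product of all primes up to B."""
    q = 1
    for n in range(2, B + 1):
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            q *= n
    return q


def challenge(tag, x, y, mu, T, bits=128):
    """Fiat-Shamir challenge; `tag` domain-separates parallel instances
    (assumption: SHA-256 stands in for the random oracle)."""
    h = hashlib.sha256(f"{tag}|{x}|{y}|{mu}|{T}".encode()).digest()
    return int.from_bytes(h, "big") % (1 << bits)


def _fold(x, y, mu, r, T):
    """One halving step: (x, T, y) -> (x^r * mu, T/2, mu^r * y)."""
    return (pow(x, r, N) * mu) % N, (pow(mu, r, N) * y) % N, T // 2


def poe_prove(x, q, T, y, tag=0):
    """Prove y = x^(q^T). Each round sends mu = x^(q^(T/2)); an odd T is
    first lifted to T+1 by raising y to the q (y^q = x^(q^(T+1)))."""
    proof = []
    while T > 1:
        if T % 2:
            y, T = pow(y, q, N), T + 1
        mu = pow(x, q ** (T // 2), N)
        r = challenge(tag, x, y, mu, T)
        x, y, T = _fold(x, y, mu, r, T)
        proof.append(mu)
    return proof


def poe_verify(x, q, T, y, proof, tag=0):
    """Replay the folding with the prover's mus; at T == 1 only one
    exponentiation by q is left for the verifier to do itself."""
    proof = list(proof)
    while T > 1:
        if T % 2:
            y, T = pow(y, q, N), T + 1
        if not proof:
            return False
        mu = proof.pop(0)
        if not 0 < mu < N:          # reject out-of-group elements
            return False
        r = challenge(tag, x, y, mu, T)
        x, y, T = _fold(x, y, mu, r, T)
    return not proof and y == pow(x, q, N)


def poe_prove_parallel(x, q, T, y, reps):
    """Independent instances, distinguished only by the challenge tag."""
    return [poe_prove(x, q, T, y, tag=i) for i in range(reps)]


def poe_verify_parallel(x, q, T, y, proofs):
    return bool(proofs) and all(
        poe_verify(x, q, T, y, pr, tag=i) for i, pr in enumerate(proofs))


if __name__ == "__main__":
    q = primorial(10)                 # 2*3*5*7 = 210
    x, T = 5, 20
    y = pow(x, q ** T, N)
    proof = poe_prove(x, q, T, y)
    print(len(proof), "group elements;", "valid:", poe_verify(x, q, T, y, proof))
```

The proof is one group element per halving round, so \(\lceil\log_2 T\rceil\) elements per instance; the verifier's work is one exponentiation by \(r\) per round plus the final exponentiation by \(q\), against the prover's \(T\) sequential exponentiations.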
For the entire collection see [Zbl 1514.94002].

Constructing the classes of Boolean functions with guaranteed cryptographic properties on the base of coordinate functions of the finite field power mappings
https://zbmath.org/1517.94110
2023-09-22T14:21:46.120933Z
"Ivanov, A. V." https://zbmath.org/authors/?q=ai:ivanov.alexey-v|ivanov.aleksei-valerevich|ivanov.anton-valerevich|ivanov.aleksandr-vladimirovich|ivanov.aleksei-valerevich.1|ivanov.aleksei-vladimirovich|ivanov.andrey-v
"Romanov, V. N." https://zbmath.org/authors/?q=ai:romanov.vyacheslav-n
Summary: In the paper, an approach to constructing nonlinear approximations of Boolean functions is offered. The approximations are constructed using the coordinate functions of the finite field power mapping. The effectiveness of such approximations for bent functions is shown.

Sponge-based authenticated encryption: security against quantum attackers
https://zbmath.org/1517.94111
2023-09-22T14:21:46.120933Z
"Janson, Christian" https://zbmath.org/authors/?q=ai:janson.christian
"Struck, Patrick" https://zbmath.org/authors/?q=ai:struck.patrick
Summary: In this work, we study the security of sponge-based authenticated encryption schemes against quantum attackers. In particular, we analyse the sponge-based authenticated encryption scheme \textsc{Slae} as put forward by \textit{J. P. Degabriele} et al. [Lect. Notes Comput. Sci. 11922, 209--240 (2019; Zbl 1456.94071)] due to its modularity. We show that the scheme achieves security in the post-quantum (QS1) setting in the quantum random oracle model by using the one-way to hiding lemma. Furthermore, we analyse the scheme in a fully-quantum (QS2) setting. There we provide a set of attacks showing that \textsc{Slae} does not achieve ciphertext indistinguishability and hence overall does not provide the desired level of security.
For the entire collection see [Zbl 1514.94001].

Function-revealing encryption (definitions and constructions)
https://zbmath.org/1517.94112
2023-09-22T14:21:46.120933Z
"Joye, Marc" https://zbmath.org/authors/?q=ai:joye.marc
"Passelègue, Alain" https://zbmath.org/authors/?q=ai:passelegue.alain
Summary: Multi-input functional encryption is a paradigm that allows an authorized user to compute a certain function -- and nothing more -- over multiple plaintexts given only their encryption. The particular case of two-input functional encryption has very exciting applications, including comparing the relative order of two plaintexts from their encrypted form (order-revealing encryption).
While being extensively studied, multi-input functional encryption is not ready for a practical deployment, mainly for two reasons. First, known constructions rely on heavy cryptographic tools such as multilinear maps. Second, their security is still very uncertain, as revealed by recent devastating attacks.
In this work, we investigate a simpler approach towards obtaining practical schemes for functions of particular interest. We introduce the notion of function-revealing encryption, a generalization of order-revealing encryption to any multi-input function as well as a relaxation of multi-input functional encryption. We then propose a simple construction of order-revealing encryption based on function-revealing encryption for simple functions, namely orthogonality testing and intersection cardinality. Our main result is an efficient order-revealing encryption scheme with limited leakage based on the standard DLin assumption.
For the entire collection see [Zbl 1397.94004].

Cryptographic multilinear maps using pro-\(p\) groups
https://zbmath.org/1517.94113
2023-09-22T14:21:46.120933Z
"Kahrobaei, Delaram" https://zbmath.org/authors/?q=ai:kahrobaei.delaram
"Stanojkovski, Mima" https://zbmath.org/authors/?q=ai:stanojkovski.mima
Summary: In [\textit{D. Kahrobaei} et al., in: Elementary theory of groups and group rings, and related topics. Proceedings of the conference held at Fairfield University and at the Graduate Center, CUNY, New York, NY, USA, November 1--2, 2018. Berlin: De Gruyter. 127--134 (2020; Zbl 1455.94168)], the authors show how, to any nilpotent group of class \(n\), one can associate a non-interactive key exchange protocol between \(n+1\) users. The multilinear commutator maps associated to nilpotent groups play a key role in this protocol. In the present paper, we explore some alternative platforms, such as pro-\(p\) groups.

A new approach to efficient non-malleable zero-knowledge
https://zbmath.org/1517.94114
2023-09-22T14:21:46.120933Z
"Kim, Allen" https://zbmath.org/authors/?q=ai:kim.allen
"Liang, Xiao" https://zbmath.org/authors/?q=ai:liang.xiao
"Pandey, Omkant" https://zbmath.org/authors/?q=ai:pandey.omkant
Summary: Non-malleable zero-knowledge, originally introduced in the context of man-in-the-middle attacks, serves as an important building block to protect against concurrent attacks where different protocols may coexist and interleave. While this primitive admits almost optimal constructions in the plain model, they are several orders of magnitude slower in practice than standalone zero-knowledge. This is in sharp contrast to non-malleable commitments where practical constructions (under the DDH assumption) have been known for a while.
We present a new approach for constructing efficient non-malleable zero-knowledge for all languages in NP, based on a new primitive called instance-based non-malleable commitment (\textsf{IB-NMC}). We show how to construct practical \textsf{IB-NMC} by leveraging the fact that simulators of sub-linear zero-knowledge protocols can be much faster than the honest prover algorithm. With an efficient implementation of \textsf{IB-NMC}, our approach yields the first general-purpose non-malleable zero-knowledge protocol that achieves practical efficiency in the plain model.
All of our protocols can be instantiated from symmetric primitives such as block-ciphers and collision-resistant hash functions, have reasonable efficiency in practice, and are general-purpose. Our techniques also yield the first efficient non-malleable commitment scheme without public-key assumptions.
For the entire collection see [Zbl 1514.94004].

Function-hiding inner product encryption is practical
https://zbmath.org/1517.94115
2023-09-22T14:21:46.120933Z
"Kim, Sam" https://zbmath.org/authors/?q=ai:kim.sam-tae|kim.sam-myo
"Lewi, Kevin" https://zbmath.org/authors/?q=ai:lewi.kevin
"Mandal, Avradip" https://zbmath.org/authors/?q=ai:mandal.avradip
"Montgomery, Hart" https://zbmath.org/authors/?q=ai:montgomery.hart
"Roy, Arnab" https://zbmath.org/authors/?q=ai:roy.arnab
"Wu, David J." https://zbmath.org/authors/?q=ai:wu.david-j
Summary: In a functional encryption scheme, secret keys are associated with functions and ciphertexts are associated with messages. Given a secret key for a function \(f\), and a ciphertext for a message \(x\), a decryptor learns \(f(x)\) and nothing else about \(x\). Inner product encryption is a special case of functional encryption where both secret keys and ciphertexts are associated with vectors. The combination of a secret key for a vector \(\mathfrak{x}\) and a ciphertext for a vector \(\mathfrak{y}\) reveals \(\langle{\mathfrak{x}},\mathfrak{y}\rangle\) and nothing more about \(\mathfrak{y}\). An inner product encryption scheme is function-hiding if the keys and ciphertexts reveal no additional information about both \(\mathfrak{x}\) and \(\mathfrak{y}\) beyond their inner product.
In the last few years, there has been a flurry of works on the construction of function-hiding inner product encryption, starting with the work of \textit{A. Bishop} et al. [Lect. Notes Comput. Sci. 9452, 470--491 (2015; Zbl 1396.94061)] to the more recent work of \textit{J. Tomida} et al. [ibid. 9866, 408--425 (2016; Zbl 1397.68064)]. In this work, we focus on the practical applications of this primitive. First, we show that the parameter sizes and the run-time complexity of the state-of-the-art construction can be further reduced by another factor of 2, though we compromise by proving security in the generic group model. We then show that function privacy enables a number of applications in biometric authentication, nearest-neighbor search on encrypted data, and single-key two-input functional encryption for functions over small message spaces. Finally, we evaluate the practicality of our encryption scheme by implementing our function-hiding inner product encryption scheme. Using our construction, encryption and decryption operations for vectors of length 50 complete in a tenth of a second in a standard desktop environment.
For the entire collection see [Zbl 1397.94004].

On the reduction of key space for A5/1
https://zbmath.org/1517.94116
2023-09-22T14:21:46.120933Z
"Kiselev, S. A." https://zbmath.org/authors/?q=ai:kiselev.s-a
Summary: We give a new way to reduce the size of the key space of the stream cipher A5/1 that can be applied in cryptanalysis.

NIZK from SNARGs
https://zbmath.org/1517.94117
2023-09-22T14:21:46.120933Z
"Kitagawa, Fuyuki" https://zbmath.org/authors/?q=ai:kitagawa.fuyuki
"Matsuda, Takahiro" https://zbmath.org/authors/?q=ai:matsuda.takahiro
"Yamakawa, Takashi" https://zbmath.org/authors/?q=ai:yamakawa.takashi
Summary: We give a construction of a non-interactive zero-knowledge (NIZK) argument for all NP languages based on a succinct non-interactive argument (SNARG) for all NP languages and a one-way function. The succinctness requirement for the SNARG is rather mild: We only require that the proof size be \(|\pi |={\mathsf{poly}}(\lambda)(|x|+|w|)^\delta\) for some constant \(\delta <1\), where \(|x|\) is the statement length, \(|w|\) is the witness length, and \(\lambda\) is the security parameter. In particular, we do not require the efficiency of the verification to be sublinear in \(|x|\) or \(|w|\). As a corollary, we give a generic conversion from a SNARK to a zero-knowledge SNARG assuming the existence of one-way functions, where a SNARK is a SNARG with knowledge extractability. For this conversion, we require the SNARK to be fully succinct, i.e., the proof size is \({\mathsf{poly}}(\lambda)(|x|+|w|)^{o(1)}\). Before this work, such a conversion was only known if we additionally assume the existence of a NIZK. Along the way of obtaining our result, we give a generic compiler to upgrade a NIZK for all NP languages with non-adaptive zero-knowledge to one with adaptive zero-knowledge.
Though this can be shown by carefully combining known results, to the best of our knowledge, no explicit proof of this generic conversion has been presented.

\(\log^\ast\)-round game-theoretically-fair leader election
https://zbmath.org/1517.94118
2023-09-22T14:21:46.120933Z
"Komargodski, Ilan" https://zbmath.org/authors/?q=ai:komargodski.ilan
"Matsuo, Shin'ichiro" https://zbmath.org/authors/?q=ai:matsuo.shinichiro
"Shi, Elaine" https://zbmath.org/authors/?q=ai:shi.elaine
"Wu, Ke" https://zbmath.org/authors/?q=ai:wu.ke.1
Summary: It is well-known that in the presence of majority coalitions, strongly fair coin toss is impossible. A line of recent works has shown that by relaxing the fairness notion to game theoretic, we can overcome this classical lower bound. In particular, \textit{K.-M. Chung} et al. [Lect. Notes Comput. Sci. 11239, 563--596 (2018; Zbl 1443.94051)] showed how to achieve approximately (game-theoretically) fair leader election in the presence of majority coalitions, with round complexity as small as \(O(\log \log n)\) rounds.
In this paper, we revisit the round complexity of game-theoretically fair leader election. We construct \(O(\log^\ast n)\)-round leader election protocols that achieve \((1-o(1))\)-approximate fairness in the presence of \((1-o(1)) n\)-sized coalitions. Our protocols achieve the same round-fairness trade-offs as Chung et al.'s [loc. cit.] and have the advantage of being conceptually simpler. Finally, we also obtain game-theoretically fair protocols for committee election which might be of independent interest.
For the entire collection see [Zbl 1514.94003].

Nova: recursive zero-knowledge arguments from folding schemes
https://zbmath.org/1517.94119
2023-09-22T14:21:46.120933Z
"Kothapalli, Abhiram" https://zbmath.org/authors/?q=ai:kothapalli.abhiram
"Setty, Srinath" https://zbmath.org/authors/?q=ai:setty.srinath
"Tzialla, Ioanna" https://zbmath.org/authors/?q=ai:tzialla.ioanna
Summary: We introduce a new approach to realize incrementally verifiable computation (IVC), in which the prover recursively proves the correct execution of incremental computations of the form \(y=F^{(\ell)}(x)\), where \(F\) is a (potentially non-deterministic) computation, \(x\) is the input, \(y\) is the output, and \(\ell > 0\). Unlike prior approaches to realize IVC, our approach avoids succinct non-interactive arguments of knowledge (SNARKs) entirely and arguments of knowledge in general. Instead, we introduce and employ folding schemes, a weaker, simpler, and more efficiently realizable primitive, which reduces the task of checking two instances in some relation to the task of checking a single instance. We construct a folding scheme for a characterization of NP and show that it implies an IVC scheme with improved efficiency characteristics: (1) the ``recursion overhead'' (i.e., the number of steps that the prover proves in addition to proving the execution of \(F\)) is a constant and it is dominated by two group scalar multiplications expressed as a circuit (this is the smallest recursion overhead in the literature), and (2) the prover's work at each step is dominated by two multiexponentiations of size \(O(|F|)\), providing the fastest prover in the literature. The size of a proof is \(O(|F|)\) group elements, but we show that using a variant of an existing zkSNARK, the prover can prove the knowledge of a valid proof succinctly and in zero-knowledge with \(O(\log{|F|})\) group elements.
Finally, our approach neither requires a trusted setup nor FFTs, so it can be instantiated efficiently with any cycles of elliptic curves where DLOG is hard.
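The "check two instances by checking one" step that the summary above rests on, as an added example (not Nova's code): the characterization of NP it folds is relaxed R1CS, \((A z)\circ(B z) = u\cdot(C z) + E\), and two instances are folded with a challenge \(r\) into \(z = z_1 + r z_2\), \(u = u_1 + r u_2\), \(E = E_1 + r\,T + r^2 E_2\), where the cross term \(T = A z_1\circ B z_2 + A z_2\circ B z_1 - u_1 C z_2 - u_2 C z_1\) is what the relaxation absorbs. Assumptions: a constructed prime field and a constructed two-constraint R1CS for \(\mathrm{out} = w_1^3\); the commitments to \(W\), \(E\) and \(T\) that let the real verifier fold without seeing witnesses are omitted, so this shows the algebra, not the succinctness.

```python
import random

# Constructed toy prime field. Nova instantiates this with the scalar field
# of a curve cycle; the folding algebra below is the same for any prime p.
p = 2**61 - 1


def mat_vec(M, v):
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def had(u, v):
    return [a * b % p for a, b in zip(u, v)]


def vadd(u, v):
    return [(a + b) % p for a, b in zip(u, v)]


def vscale(c, v):
    return [c % p * a % p for a in v]


# Constructed R1CS for out = w1^3 over z = (u, w1, w2, out):
#   row 0: w1 * w1 = w2        row 1: w2 * w1 = out
# z[0] is the scalar u (1 for a plain instance). Relaxed R1CS lets u be
# arbitrary and adds an error vector E; that is what makes folding close.
A = [[0, 1, 0, 0], [0, 0, 1, 0]]
B = [[0, 1, 0, 0], [0, 1, 0, 0]]
C = [[0, 0, 1, 0], [0, 0, 0, 1]]


def relaxed_satisfied(z, E):
    """Relaxed R1CS check: (A z) o (B z) == u * (C z) + E with u = z[0]."""
    lhs = had(mat_vec(A, z), mat_vec(B, z))
    rhs = vadd(vscale(z[0], mat_vec(C, z)), E)
    return lhs == rhs


def plain_instance(w1):
    """A plain R1CS witness (u = 1, E = 0) for out = w1^3."""
    w1 %= p
    return [1, w1, w1 * w1 % p, pow(w1, 3, p)], [0, 0]


def cross_term(z1, z2):
    """T = Az1 o Bz2 + Az2 o Bz1 - u1 * Cz2 - u2 * Cz1. Only the prover
    can compute it (it needs both witnesses); Nova sends a commitment to it."""
    t = vadd(had(mat_vec(A, z1), mat_vec(B, z2)),
             had(mat_vec(A, z2), mat_vec(B, z1)))
    t = vadd(t, vscale(-z1[0], mat_vec(C, z2)))
    return vadd(t, vscale(-z2[0], mat_vec(C, z1)))


def fold(z1, E1, z2, E2, r):
    """Fold two relaxed instances with verifier challenge r:
    z = z1 + r*z2 (so u = u1 + r*u2),  E = E1 + r*T + r^2*E2."""
    T = cross_term(z1, z2)
    z = vadd(z1, vscale(r, z2))
    E = vadd(vadd(E1, vscale(r, T)), vscale(r * r, E2))
    return z, E


def fold_many(witnesses, r=None):
    """Accumulate plain witnesses into one running relaxed instance, the way
    IVC folds step i into the accumulator (fixed r only for reproducibility)."""
    acc_z, acc_E = plain_instance(witnesses[0])
    for w in witnesses[1:]:
        r_i = random.randrange(1, p) if r is None else r
        acc_z, acc_E = fold(acc_z, acc_E, *plain_instance(w), r_i)
    return acc_z, acc_E


if __name__ == "__main__":
    z, E = fold_many([2, 3, 4, 5])
    print("folded u =", z[0], "satisfied:", relaxed_satisfied(z, E))
```

If either input instance is unsatisfied, the folded residual is \(\mathrm{res}_1 + r^2\,\mathrm{res}_2\), which is non-zero for every non-zero \(r\) when only one side is bad and for all but a bounded number of \(r\) otherwise; that is the soundness argument for the single check the verifier keeps.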
For the entire collection see [Zbl 1514.94004].

MPClan: protocol suite for privacy-conscious computations
https://zbmath.org/1517.94120
2023-09-22T14:21:46.120933Z
"Koti, Nishat" https://zbmath.org/authors/?q=ai:koti.nishat
"Patil, Shravani" https://zbmath.org/authors/?q=ai:patil.shravani
"Patra, Arpita" https://zbmath.org/authors/?q=ai:patra.arpita
"Suresh, Ajith" https://zbmath.org/authors/?q=ai:suresh.ajith
Summary: The growing volumes of data being collected and its analysis to provide better services are creating worries about digital privacy. To address privacy concerns and give practical solutions, the literature has relied on secure multiparty computation techniques. However, recent research over rings has mostly focused on the small-party honest-majority setting of up to four parties tolerating single corruption, noting efficiency concerns. In this work, we extend the strategies to support higher resiliency in an honest-majority setting with efficiency of the online phase at the centre stage. Our semi-honest protocol improves the online communication of the protocol of \textit{I. Damgård} and \textit{J. B. Nielsen} [Lect. Notes Comput. Sci. 4622, 572--590 (2007; Zbl 1215.94041)] without inflating the overall communication. It also allows shutting down almost half of the parties in the online phase, thereby saving up to 50\% in the system's operational costs. Our maliciously secure protocol also enjoys similar benefits and requires only half of the parties, except for one-time verification towards the end, and provides security with fairness. To showcase the practicality of the designed protocols, we benchmark popular applications such as deep neural networks, graph neural networks, genome sequence matching, and biometric matching using prototype implementations.
Our protocols, in addition to improved communication, aid in bringing up to 60--80\% savings in monetary cost over prior work.

Efficiently masking polynomial inversion at arbitrary order
https://zbmath.org/1517.94121
2023-09-22T14:21:46.120933Z
"Krausz, Markus" https://zbmath.org/authors/?q=ai:krausz.markus
"Land, Georg" https://zbmath.org/authors/?q=ai:land.georg
"Richter-Brockmann, Jan" https://zbmath.org/authors/?q=ai:richter-brockmann.jan
"Güneysu, Tim" https://zbmath.org/authors/?q=ai:guneysu.tim
Summary: Physical side-channel analysis poses a huge threat to post-quantum cryptographic schemes implemented on embedded devices. Still, secure implementations are missing for many schemes. In this paper, we present an efficient solution for masked polynomial inversion, a main component of the key generation of multiple post-quantum Key Encapsulation Mechanisms (KEMs). For this, we introduce a polynomial-multiplicative masking scheme with efficient arbitrary order conversions from and to additive masking. Furthermore, we show how to integrate polynomial inversion and multiplication into the masking schemes to reduce costs considerably. We demonstrate the performance of our algorithms for two different post-quantum cryptographic schemes on the Cortex-M4. For NTRU, we measure an overhead of 35\% for the first-order masked inversion compared to the unmasked inversion while for BIKE the overhead is as little as 11\%. Lastly, we verify the security of our algorithms for the first masking order by measuring and performing a TVLA based side-channel analysis.
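The structure of the masking scheme in the summary just above (additive shares converted to multiplicative shares, inversion and multiplication done share-wise, then converted back), as an added example that is not the paper's code: it uses a constructed prime field in place of the polynomial ring that NTRU and BIKE key generation inverts in, and a first-order, two-share instance of the textbook conversions; the paper's arbitrary-order polynomial conversions are not reproduced. The security-relevant detail is that no intermediate value equals the secret \(a\) or \(a^{-1}\): each additive share is blinded by \(r\) separately before recombination, and the way back computes \(m_0(m_1 - s/m_0)\) rather than \(m_0 m_1\).

```python
import secrets

# Constructed stand-in for Z_q[X]/(f): a prime field. The conversion steps
# are the same; only the multiply/invert primitives differ.
P = 2**61 - 1


def inv(x):
    """Field inverse (x != 0); stands in for polynomial inversion."""
    return pow(x, P - 2, P)


def additive_share(a):
    """First-order additive sharing: a = a0 + a1 with a0 uniform."""
    a0 = secrets.randbelow(P)
    return a0, (a - a0) % P


def additive_unmask(shares):
    return sum(shares) % P


def a2m(shares):
    """Additive -> multiplicative shares, a = m0 * m1. Each additive share
    is blinded by a fresh r on its own; only the blinded value r*a is ever
    recombined, so a itself never appears."""
    a0, a1 = shares
    r = secrets.randbelow(P - 1) + 1          # nonzero
    t0, t1 = r * a0 % P, r * a1 % P
    return inv(r), (t0 + t1) % P


def m_inverse(mshares):
    """Inversion is share-wise on multiplicative shares: no conversion."""
    m0, m1 = mshares
    return inv(m0), inv(m1)


def m_mul(mshares, nshares):
    """Multiplication is share-wise too, which is why integrating the
    multiplication into the multiplicative domain saves a round trip."""
    return (mshares[0] * nshares[0] % P, mshares[1] * nshares[1] % P)


def m2a(mshares):
    """Multiplicative -> additive: b0 = s, b1 = m0*m1 - s, computed as
    m0 * (m1 - s/m0) so the product m0*m1 is never formed in the clear."""
    m0, m1 = mshares
    s = secrets.randbelow(P)
    d = (m1 - s * inv(m0)) % P                # uniform for uniform s
    return s, m0 * d % P


def masked_inverse(shares):
    """Additive shares of a -> additive shares of a^{-1} (a != 0)."""
    return m2a(m_inverse(a2m(shares)))


if __name__ == "__main__":
    a = 123456789
    b0, b1 = masked_inverse(additive_share(a))
    print("a * a^-1 =", (b0 + b1) * a % P)
```

Zero is not invertible and the multiplicative sharing of \(a=0\) leaks that fact through \(m_1 = 0\); a real implementation has to decide separately how to treat non-invertible inputs.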
For the entire collection see [Zbl 1514.94001].

How to construct physical zero-knowledge proofs for puzzles with a ``single loop'' condition
https://zbmath.org/1517.94122
2023-09-22T14:21:46.120933Z
"Lafourcade, Pascal" https://zbmath.org/authors/?q=ai:lafourcade.pascal
"Miyahara, Daiki" https://zbmath.org/authors/?q=ai:miyahara.daiki
"Mizuki, Takaaki" https://zbmath.org/authors/?q=ai:mizuki.takaaki
"Robert, Léo" https://zbmath.org/authors/?q=ai:robert.leo
"Sasaki, Tatsuya" https://zbmath.org/authors/?q=ai:sasaki.tatsuya
"Sone, Hideaki" https://zbmath.org/authors/?q=ai:sone.hideaki
Summary: We propose a technique to construct physical Zero-Knowledge Proof (ZKP) protocols for puzzles that require a single loop draw feature. Our approach is based on the observation that a loop has only one hole and this property remains stable by some simple transformations. Using this trick, we can transform a simple big loop, which is visible to anyone, into the solution loop by using transformations that do not disclose any information about the solution. We illustrate our technique by applying it to construct physical ZKP protocols for two Nikoli puzzles: Slitherlink and Masyu.

Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors
https://zbmath.org/1517.94123
2023-09-22T14:21:46.120933Z
"Libert, Benoît" https://zbmath.org/authors/?q=ai:libert.benoit
"Ling, San" https://zbmath.org/authors/?q=ai:ling.san
"Khoa Nguyen" https://zbmath.org/authors/?q=ai:khoa-nguyen.
"Wang, Huaxiong" https://zbmath.org/authors/?q=ai:wang.huaxiong
Summary: An accumulator is a function that hashes a set of inputs into a short, constant-size string while preserving the ability to efficiently prove the inclusion of a specific input element in the hashed set. It has proved useful in the design of numerous privacy-enhancing protocols, in order to handle revocation or simply prove set membership.
In the lattice setting, currently known instantiations of the primitive are based on Merkle trees, which do not interact well with zero-knowledge proofs. In order to efficiently prove the membership of some element in a zero-knowledge manner, the prover has to demonstrate knowledge of a hash chain without revealing it, which is not known to be efficiently possible under well-studied hardness assumptions. In this paper, we provide an efficient method of proving such statements using involved extensions of Stern's protocol. Under the Small Integer Solution assumption, we provide zero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: (i) the first lattice-based ring signatures with logarithmic size in the cardinality of the ring and (ii) the first lattice-based group signature that does not require any GPV trapdoor and thus allows for a much more efficient choice of parameters.Adaptive oblivious transfer with access control from lattice assumptionshttps://zbmath.org/1517.941242023-09-22T14:21:46.120933Z"Libert, Benoît"https://zbmath.org/authors/?q=ai:libert.benoit"Ling, San"https://zbmath.org/authors/?q=ai:ling.san"Mouhartem, Fabrice"https://zbmath.org/authors/?q=ai:mouhartem.fabrice"Nguyen, Khoa"https://zbmath.org/authors/?q=ai:nguyen.khoa"Wang, Huaxiong"https://zbmath.org/authors/?q=ai:wang.huaxiongSummary: Adaptive oblivious transfer (OT) is a protocol where a sender initially commits to a database \(\{ M_i \}_{i = 1}^N\). Then, a receiver can query the sender up to \(k\) times with private indexes \(\rho_1, \ldots, \rho_k\) so as to obtain \(M_{\rho_1}, \ldots, M_{\rho_k}\) and nothing else. Moreover, for each \(i \in [k]\), the receiver's choice \(\rho_i\) may depend on previously obtained messages \(\{ M_{\rho_j} \}_{j < i}\). 
Oblivious transfer with access control (OT-AC) is a flavor of adaptive OT where database records are protected by distinct access control policies that specify which credentials a receiver should obtain in order to access each \(M_i\). So far, all known OT-AC protocols only support access policies made of conjunctions or rely on ad hoc assumptions in pairing-friendly groups (or both). In this paper, we provide an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in \(\mathsf{NC1} \). The security of our protocol is proved under the Learning-with-Errors \(( \mathsf{LWE} )\) and Short-Integer-Solution \(( \mathsf{SIS} )\) assumptions. As a result of independent interest, we provide protocols for proving the correct evaluation of a committed branching program on a committed input.

Efficient public-key encryption with equality test from lattices
https://zbmath.org/1517.94125
2023-09-22T14:21:46.120933Z
"Li, Qinyi" https://zbmath.org/authors/?q=ai:li.qinyi
"Boyen, Xavier" https://zbmath.org/authors/?q=ai:boyen.xavier
Summary: Public-key encryption with equality test (PKEET) enables testing if two ciphertexts, possibly under two different public keys, encrypt the same messages. Recent research on PKEET considers the setting where the testing ability is delegated to semi-trusted parties to negate unfettered chosen-plaintext attacks. In this work, we revise and enhance the PKEET security model, and introduce a new property of unmaskability which further prevents an attacker from skirting the test. We then propose a simple and efficient PKEET system with adaptive chosen-ciphertext security, provably secure under our revised security model, from either plain or ring lattice assumptions. The construction adopts a direct approach which significantly departs from the existing way of building such systems.
Compared with existing literature, our system relies on weaker learning-with-errors assumptions while also being more efficient and providing better security.

CCA-security from adaptive all-but-one lossy trapdoor functions
https://zbmath.org/1517.94126
2023-09-22T14:21:46.120933Z
"Li, Qinyi" https://zbmath.org/authors/?q=ai:li.qinyi
"Boyen, Xavier" https://zbmath.org/authors/?q=ai:boyen.xavier
"Foo, Ernest" https://zbmath.org/authors/?q=ai:foo.ernest
Summary: In this paper, we propose the notion of adaptive all-but-one lossy trapdoor functions (aABO-LTFs), a variant of all-but-one lossy trapdoor functions. An aABO-LTF is parameterised by a set of branches. Given the lossy branch, the function statistically loses the information of its inputs. Given injective branches, the function is injective, and there is a trapdoor that enables efficient function inversion. What differentiates an aABO-LTF from an ABO-LTF is that for an aABO-LTF, the lossy branch is indistinguishable from the other branches even if the adversary gets to ask for function inversions on any injective branches apart from the lossy branch. We demonstrate the usefulness of the adaptivity of aABO-LTFs by providing generic and efficient constructions of an adaptively chosen-ciphertext secure (CCA-secure) public-key encapsulation mechanism (KEM) and an adaptive deterministic public-key encryption (DPKE) without random oracles using aABO-LTFs in a very simple black-box way. Our constructions are direct in the sense that they avoid generic transformations using one-time signatures or message authentication codes typically found in standard model CCA-secure constructions. Moreover, we show that aABO-LTFs can be instantiated generically by lossy trapdoor primitives, including lossy trapdoor functions (LTFs) and identity-based (lossy) trapdoor functions (IB-LTFs). We also demonstrate that the lattice-based ABO-LTFs proposed by \textit{J. Alwen} et al. [Lect. Notes Comput. Sci. 8042, 57--74 (2013; Zbl 1310.94123)] are aABO-LTFs. Several existing CCA-secure KEM and DPKE schemes can be described by our generic constructions. Therefore, our work unifies these seemingly unrelated schemes and explains the design principles behind these schemes.

Fooling an unbounded adversary with a short key, repeatedly: the honey encryption perspective
https://zbmath.org/1517.94127
2023-09-22T14:21:46.120933Z
"Li, Xinze" https://zbmath.org/authors/?q=ai:li.xinze
"Tang, Qiang" https://zbmath.org/authors/?q=ai:tang.qiang
"Zhang, Zhenfeng" https://zbmath.org/authors/?q=ai:zhang.zhenfeng.1|zhang.zhenfeng
Summary: This article is motivated by the classical results from \textit{C. E. Shannon} [Bell Syst. Tech. J. 28, 656--715 (1949; Zbl 1200.94005)] that put the simple and elegant one-time pad away from practice: the key length has to be as large as the message length and the same key could not be used more than once. In particular, we consider encryption algorithms that are defined relative to specific message distributions in order to trade for unconditional security. Such a notion, named honey encryption (HE), was originally proposed for achieving the best possible security for password-based encryption, where the secret key may have a very small amount of entropy.

Exploring message distributions as in HE indeed helps circumvent the classical restrictions on secret keys. We give a new and very simple honey encryption scheme satisfying unconditional semantic security (for the targeted message distribution) in the standard model (all previous constructions are in the random oracle model, even for message recovery security only). Our new construction can be paired with an extremely simple yet ``tighter'' analysis, while all previous analyses (even for message recovery security only) were fairly complicated and require stronger assumptions. We also show a concrete instantiation that further enables the secret key to be used for encrypting multiple messages.
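What "encryption defined relative to a message distribution" buys, as an added example that is not the paper's scheme: the distribution-transforming-encoder (DTE) construction of honey encryption, in which a message is first mapped to a uniformly random seed inside its interval of the cumulative distribution and the seed is then one-time-padded with a key-derived pad. Decrypting under a wrong key yields a uniform seed, and the DTE turns that into a decoy drawn from the same distribution, so an attacker trying every low-entropy key gets no signal about which one is right. Assumptions: a constructed five-message "PIN" distribution, a 32-bit seed space, and SHA-256 of salt and password as the pad; the standard-model scheme and multi-message instantiation of the paper are not reproduced, and the guarantee only holds as well as the distribution models the real messages.

```python
import hashlib
import os
import secrets
from collections import Counter

# Constructed target message distribution (illustrative, not real PIN data).
DIST = {"1234": 0.40, "0000": 0.25, "1111": 0.20, "2580": 0.10, "7391": 0.05}
SEED_BITS = 32
SPACE = 1 << SEED_BITS


def _build_table():
    """DTE: carve the seed space into one interval per message, with
    interval length proportional to the message's probability."""
    table, start = [], 0
    items = list(DIST.items())
    for i, (m, pr) in enumerate(items):
        end = SPACE if i == len(items) - 1 else start + int(pr * SPACE)
        table.append((m, start, end))
        start = end
    return table


TABLE = _build_table()


def dte_encode(m):
    """Map m to a uniformly random seed inside its interval."""
    for msg, lo, hi in TABLE:
        if msg == m:
            return lo + secrets.randbelow(hi - lo)
    raise ValueError("message outside the target distribution")


def dte_decode(seed):
    """Inverse CDF: a uniform seed decodes to a message with probability
    equal to its weight in DIST."""
    for msg, lo, hi in TABLE:
        if lo <= seed < hi:
            return msg
    raise ValueError("seed outside the seed space")


def _pad(key, salt):
    """Key-derived one-time pad of SEED_BITS bits (assumption: SHA-256)."""
    return int.from_bytes(hashlib.sha256(salt + key.encode()).digest()[:4], "big")


def he_encrypt(key, m, salt=None):
    salt = os.urandom(16) if salt is None else salt
    return salt, dte_encode(m) ^ _pad(key, salt)


def he_decrypt(key, ct):
    """Never fails: a wrong key produces a plausible decoy, not an error."""
    salt, c = ct
    return dte_decode(c ^ _pad(key, salt))


def decoy_histogram(ct, n=2000):
    """Decrypt under n random wrong keys; the decoys follow DIST."""
    return Counter(he_decrypt(secrets.token_hex(8), ct) for _ in range(n))


if __name__ == "__main__":
    ct = he_encrypt("hunter2", "2580")
    print("right key:", he_decrypt("hunter2", ct))
    print("wrong keys:", decoy_histogram(ct).most_common())
```

Note what the construction does not give: integrity. Because decryption never fails, an attacker can also not be told apart from a typo by the scheme itself, which is why honey encryption is paired with a separate, low-leakage check in practice.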
For the entire collection see [Zbl 1465.94005].

Canonical narrowing with irreducibility and SMT constraints as a generic symbolic protocol analysis method
https://zbmath.org/1517.94128
2023-09-22T14:21:46.120933Z
"López-Rueda, Raúl" https://zbmath.org/authors/?q=ai:lopez-rueda.raul
"Escobar, Santiago" https://zbmath.org/authors/?q=ai:escobar.santiago
Summary: Nowadays, formal cryptographic protocol analysis relies on symbolic techniques such as narrowing and equational unification, e.g. Maude-NPA, Tamarin or AKISS crypto tools. In previous works, we developed a new narrowing strategy, called canonical narrowing, which manages to reduce the state explosion problem by introducing irreducibility constraints. In this paper, we extend canonical narrowing to handle conditional rules with SMT constraints. We demonstrate the viability of this method with the Brands and Chaum protocol [\textit{S. Brands} and \textit{D. Chaum}, Lect. Notes Comput. Sci. 765, 344--359 (1994; Zbl 0951.94511)] using time and location information described as SMT constraints on the real numbers.
For the entire collection see [Zbl 1499.68008].

Verifiable decryption for fully homomorphic encryption
https://zbmath.org/1517.94129
Authors: Luo, Fucai (https://zbmath.org/authors/?q=ai:luo.fucai); Wang, Kunpeng (https://zbmath.org/authors/?q=ai:wang.kunpeng)
Summary: Verifiable decryption allows one to prove the correct decryption of encrypted data. When the encrypted data is derived from homomorphic evaluations in the context of fully homomorphic encryption (FHE), verifiable decryption is very useful in cloud computing and in cryptographic protocols, e.g., secure medical computation, cryptographically verifiable elections, etc. In this paper, we consider the problem of proving the correct decryption of an FHE ciphertext. Namely, we are interested in zero-knowledge proofs of knowledge of triples \((m, \mathfrak{s}, \mathfrak{c})\) such that the message \(m\) is the correct decryption of a ciphertext \(\mathfrak{c}\) for a secret key \(\mathfrak{s}\). While analogous statements admit efficient zero-knowledge proof protocols in the discrete logarithm setting, they have never been addressed for FHE so far. We provide such verifiable decryption for the Brakerski-Gentry-Vaikuntanathan (BGV) scheme [\textit{Z. Brakerski} et al., in: Proceedings of the 3rd conference on innovations in theoretical computer science, ITCS'12, Cambridge, MA, USA, January 8--10, 2012. New York, NY: Association for Computing Machinery (ACM). 309--325 (2012; Zbl 1347.68120)], since this scheme is recognized as one of the most efficient leveled FHE schemes. Our solution is nearly ``one shot'', in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Furthermore, to illustrate the applicability of verifiable decryption, we also give two example instantiations.
For the entire collection see [Zbl 1398.68020].

Lattice-based zero-knowledge proofs and applications: shorter, simpler, and more general
https://zbmath.org/1517.94130
Authors: Lyubashevsky, Vadim (https://zbmath.org/authors/?q=ai:lyubashevsky.vadim); Nguyen, Ngoc Khanh (https://zbmath.org/authors/?q=ai:nguyen.ngoc-khanh); Plançon, Maxime (https://zbmath.org/authors/?q=ai:plancon.maxime)
The authors present a much-improved practical protocol, based on the hardness of the Module-SIS and Module-LWE problems, for proving knowledge of a short vector $\vec{s}$ satisfying $A\vec{s} = \vec{t} \bmod q$. The currently most efficient technique for constructing such a proof works by showing that the $\ell_\infty$ norm of $\vec{s}$ is small. It creates a commitment to a polynomial vector $m$ whose CRT coefficients are the coefficients of $\vec{s}$ and then shows that (1) $A\cdot \mathrm{CRT}(m) = \vec{t} \bmod q$ and (2), in the case that one wants to prove that the $\ell_\infty$-norm is at most 1, the polynomial product $(m-1)\cdot m\cdot(m+1)$ equals 0. While these schemes are already quite practical, the requirement of using the CRT embedding, and the fact that they are only naturally adapted to proving the $\ell_\infty$-norm, somewhat hinder the efficiency of this approach. In this work, the authors show that there is a more direct and more efficient way to prove that the coefficients of $\vec{s}$ have a small $\ell_2$ norm, which requires neither an equivocation with the $\ell_\infty$ norm nor any conversion to the CRT representation. They observe that the inner product between two vectors $\vec{r}$ and $\vec{s}$ can be made to appear as a coefficient of a product (or sum of products) of polynomials which are functions of $\vec{r}$ and $\vec{s}$. Thus, using a polynomial product proof system and hiding all but one coefficient, they are able to prove knowledge of the inner product of two vectors (or of a vector with itself) modulo $q$. Using a cheap ``approximate range proof'', one can then lift the proof to be over $\mathbb{Z}$ instead of $\mathbb{Z}_q$. Their protocols for proving short norms work over all (interesting) polynomial rings, but are particularly efficient for rings like $\mathbb{Z}[X]/(X^n+1)$, in which the function relating the inner product of vectors and polynomial products happens to be a ``nice'' automorphism. The new proof system can be plugged into constructions of various lattice-based privacy primitives in a black-box manner. As examples, they instantiate a verifiable encryption scheme and a group signature scheme which are more than twice as compact as the previously best solutions.
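The ``nice'' automorphism mentioned in the review is $\sigma: X \mapsto X^{-1}$ on $\mathbb{Z}_q[X]/(X^n+1)$: the constant coefficient of $r(X)\cdot\sigma(s(X))$ is exactly $\langle \vec{r}, \vec{s}\rangle \bmod q$. The Python below is an added worked example for this page, not code from the paper; the ring arithmetic and the function names (`negacyclic_mul`, `sigma`, `inner_product_mod_q`, `squared_norm_claim`) are my own, and the parameters are constructed. The last function also shows the caveat behind the ``approximate range proof'': the polynomial identity only yields $\|\vec{s}\|^2 \bmod q$, which equals the integer norm only when it is smaller than $q/2$.

```python
"""Inner product as the constant coefficient of a product in Z_q[X]/(X^n+1) (added example)."""


def negacyclic_mul(a, b, q):
    """Multiply two polynomials (coefficient lists of equal length n) modulo X^n + 1 and modulo q."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:  # X^n = -1 in this ring, so X^k wraps to -X^{k-n}
                out[k - n] = (out[k - n] - ai * bj) % q
    return out


def sigma(a, q):
    """The ring automorphism X -> X^{-1}.  Since X^n = -1 we have X^{-i} = -X^{n-i} for i >= 1,
    so coefficient a_i (i >= 1) moves to position n-i with its sign flipped; a_0 stays put."""
    n = len(a)
    out = [a[0] % q] + [0] * (n - 1)
    for i in range(1, n):
        out[n - i] = (-a[i]) % q
    return out


def inner_product_mod_q(r, s, q):
    """<r, s> mod q, read off as the constant coefficient of r(X) * sigma(s)(X).
    Cross terms r_i s_j with i != j land on X^{i-j} (or its wrapped image), never on X^0."""
    return negacyclic_mul(r, sigma(s, q), q)[0]


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def squared_norm_claim(s, q):
    """What the polynomial-product proof alone establishes: ||s||^2 mod q, lifted to its centered
    representative.  This equals the integer ||s||^2 only if ||s||^2 < q/2; closing that gap
    before moving the statement from Z_q to Z is the job of the 'approximate range proof'."""
    return centered(inner_product_mod_q(s, s, q), q)


if __name__ == "__main__":
    q, n = 3329, 8                      # constructed toy parameters
    r = [1, 2, 3, 4, 5, 6, 7, 8]
    s = [8, 7, 6, 5, 4, 3, 2, 1]
    print("inner product mod q:", inner_product_mod_q(r, s, q))        # 120, the true <r, s>
    small = [1, -1, 0, 2, 0, -1, 1, 0]
    print("norm^2 claim, large q:", squared_norm_claim(small, q))       # 8, the true ||s||^2
    print("norm^2 claim, tiny q :", squared_norm_claim([3] * n, 17))    # 72 mod 17 = 4: wrapped
```

The wrap-around case is the one to remember when reviewing such a proof system: a prover whose vector has $\|\vec{s}\|^2 = 72$ could present the coefficient $4$ and, without the range proof, pass a check for a bound of, say, $8$.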
For the entire collection see [Zbl 1514.94002].
Reviewer: Janaka Alawatugoda (Peradeniya)

A survey on functional encryption
https://zbmath.org/1517.94131
Authors: Mascia, Carla (https://zbmath.org/authors/?q=ai:mascia.carla); Sala, Massimiliano (https://zbmath.org/authors/?q=ai:sala.massimiliano); Villa, Irene (https://zbmath.org/authors/?q=ai:villa.irene)
Summary: Functional Encryption (FE) extends traditional public-key encryption in two different ways: it supports fine-grained access control, and it allows learning a function of the encrypted data. In this paper, we review all FE classes, describing their functionalities and main characteristics. In particular, we mention several schemes for each class, providing their security assumptions and comparing their properties. To our knowledge, this is the first survey that encompasses the entire FE family.

Cryptographic systems based on an algebraic structure
https://zbmath.org/1517.94132
Authors: Matysiak, Łukasz (https://zbmath.org/authors/?q=ai:matysiak.lukasz); Chrzaniuk, Monika (https://zbmath.org/authors/?q=ai:chrzaniuk.monika); Duda, Maximilian (https://zbmath.org/authors/?q=ai:duda.maximilian); Hanc, Marta (https://zbmath.org/authors/?q=ai:hanc.marta); Kowalski, Sebastian (https://zbmath.org/authors/?q=ai:kowalski.sebastian); Skotnicka, Zoja (https://zbmath.org/authors/?q=ai:skotnicka.zoja); Waldoch, Martin (https://zbmath.org/authors/?q=ai:waldoch.martin)
Summary: In this paper cryptographic systems based on the Dedekind and Galois structures are considered. We supplement the cryptosystems built on the Dedekind structure with programs written in C++, and we discuss the inner Galois structure in cryptography. It is well known that such a structure is based on finite fields only; our results reveal something more internal. The final section contains additional information about square-free and radical factorizations in monoids, consisting of a search for a minimal list of counterexamples.
We leave as an open problem the creation of a program that would generate such a list, and the question of how to use such a list to build a cryptosystem.

A hardware implementation of the cryptosystem based on the Zakrevskij FSM
https://zbmath.org/1517.94133
Authors: Miloshenko, A. V. (https://zbmath.org/authors/?q=ai:miloshenko.a-v)
Summary: This paper presents a hardware implementation on an FPGA (field-programmable gate array) of the Zakrevskij FSM-based cryptosystem. Using the developed software, we generate an FSM (finite state machine) and build the VHDL code for it. Then, using the Xilinx WebPack design software, we program an FPGA integrated circuit. We have evaluated the FPGA implementation of the FSM-based cryptosystem from the point of view of the state encoding style.

Dynamic local searchable symmetric encryption
https://zbmath.org/1517.94134
Authors: Minaud, Brice (https://zbmath.org/authors/?q=ai:minaud.brice); Reichle, Michael (https://zbmath.org/authors/?q=ai:reichle.michael)
Summary: In this article, we tackle for the first time the problem of dynamic memory-efficient Searchable Symmetric Encryption (SSE). By ``memory-efficient'' SSE we encompass both the goals of local SSE and of page-efficient SSE. The centerpiece of our approach is a novel connection between those two goals. We introduce a map, called the Generic Local Transform, which takes as input a page-efficient SSE scheme with certain special features and outputs an SSE scheme with strong locality properties. We obtain several results. (1) First, for page-efficient SSE with page size \(p\), we build a dynamic scheme with storage efficiency \(\mathcal{O}(1)\) and page efficiency \(\widetilde{\mathcal{O}}\left(\log \log (N/p)\right)\), called \(\mathsf{LayeredSSE}\). The main technical innovation behind \(\mathsf{LayeredSSE}\) is a novel weighted extension of the two-choice allocation process, of independent interest.
(2) Second, we introduce the Generic Local Transform, and combine it with \(\mathsf{LayeredSSE}\) to build a dynamic SSE scheme with storage efficiency \(\mathcal{O}({1})\), locality \(\mathcal{O}({1})\), and read efficiency \(\widetilde{\mathcal{O}}\left({\log\log N}\right)\), under the condition that the longest list is of size \(\mathcal{O}({N^{1-1/\log \log \lambda}})\). This matches, in every respect, the purely static construction of \textit{G. Asharov} et al. [in: Proceedings of the 48th annual ACM SIGACT symposium on theory of computing, STOC '16, Cambridge, MA, USA, June 19--21, 2016. New York, NY: Association for Computing Machinery (ACM). 1101--1114 (2016; Zbl 1373.68211)]: dynamism comes at no extra cost. (3) Finally, by applying the Generic Local Transform to a variant of the Tethys scheme by \textit{A. Bossuat} et al. [Lect. Notes Comput. Sci. 12827, 157--184 (2021; Zbl 07512098)], we build an unconditional static SSE with storage efficiency \(\mathcal{O}({1})\), locality \(\mathcal{O}({1})\), and read efficiency \(\mathcal{O}({\log^\varepsilon N})\), for an arbitrarily small constant \(\varepsilon > 0\). To our knowledge, this is the construction that comes closest to the lower bound presented by \textit{D. Cash} and \textit{S. Tessaro} [ibid. 8441, 351--368 (2014; Zbl 1332.94061)].
For the entire collection see [Zbl 1514.94004].

Secret can be public: low-memory AEAD mode for high-order masking
https://zbmath.org/1517.94135
Authors: Naito, Yusuke (https://zbmath.org/authors/?q=ai:naito.yusuke); Sasaki, Yu (https://zbmath.org/authors/?q=ai:sasaki.yu); Sugawara, Takeshi (https://zbmath.org/authors/?q=ai:sugawara.takeshi)
Summary: We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory footprint under high-order masking, by minimizing the state that has to be duplicated by the masking. An \(s\)-bit key-dependent state is necessary for achieving \(s\)-bit security, and conventional schemes always protect the entire \(s\) bits with masking. We reduce the protected state size by introducing an unprotected part of the key-dependent state: we protect only one half and give the other half to the side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge, since mixing these states reveals the protected state to the adversary. We propose a new mode \textsf{HOMA} that achieves \(s\)-bit security using a tweakable block cipher with an \(s/2\)-bit block size. We also propose a new primitive for instantiating \textsf{HOMA} with \(s=128\) by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a \((256+3)\)-bit tweak. We carry out a hardware performance evaluation by implementing \textsf{HOMA} with high-order masking for \(d \le 5\). For any \(d > 0\), \textsf{HOMA} outperforms the current state-of-the-art \textsf{PFB\_Plus}, reducing the circuit area by more than the area of an entire S-box.
For the entire collection see [Zbl 1514.94003].

New complexity estimation on the rainbow-band-separation attack
https://zbmath.org/1517.94136
Authors: Nakamura, Shuhei (https://zbmath.org/authors/?q=ai:nakamura.shuhei); Ikematsu, Yasuhiko (https://zbmath.org/authors/?q=ai:ikematsu.yasuhiko); Wang, Yacheng (https://zbmath.org/authors/?q=ai:wang.yacheng); Ding, Jintai (https://zbmath.org/authors/?q=ai:ding.jintai); Takagi, Tsuyoshi (https://zbmath.org/authors/?q=ai:takagi.tsuyoshi)
Summary: Multivariate public key cryptography is a candidate for post-quantum cryptography, and it allows particularly short signatures and fast verification. The Rainbow signature scheme proposed by \textit{J. Ding} and \textit{D. Schmidt} [Lect. Notes Comput. Sci. 3531, 164--175 (2005; Zbl 1126.68393)] is such a multivariate cryptosystem, and it is considered secure against all known attacks. The Rainbow-Band-Separation attack recovers a secret key of Rainbow by solving certain systems of quadratic equations, and its complexity is estimated by the well-known theoretical value called the degree of regularity. However, the degree of regularity is generally larger than the solving degree observed in experiments, so an accurate estimation cannot be obtained from it. In this article, we propose a new theoretical value for the complexity of the Rainbow-Band-Separation attack using a Gröbner basis algorithm, which provides a more precise estimation than the degree of regularity. This theoretical value is derived from the two-variable power series \(\frac{\prod_{i=1}^m (1 - t_1^{d_{i1}} t_2^{d_{i2}})}{(1 - t_1)^{n_1} (1 - t_2)^{n_2}}\). Since the two-variable power series coincides at \(t_1 = t_2\) with the one-variable power series from which the degree of regularity is derived, the theoretical value is less than or equal to the degree of regularity under a certain condition.
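To make the series in the summary concrete, the Python below (an added example for this page, not code from the paper) expands the coefficient table of \(\prod_i (1 - t_1^{d_{i1}} t_2^{d_{i2}}) / ((1-t_1)^{n_1}(1-t_2)^{n_2})\) and checks the stated specialization: setting \(t_1 = t_2\) collapses it to the classical series \(\prod_i (1 - t^{d_{i1}+d_{i2}}) / (1-t)^{n_1+n_2}\), whose first non-positive coefficient is the usual semi-regular reading of the degree of regularity. The abstract does not define the paper's new theoretical value, so it is not reproduced here; the bi-degrees, variable counts and function names are constructed assumptions, not Rainbow's actual parameters.

```python
"""Coefficients of the bi-graded power series and its t1 = t2 specialization (added example)."""
from math import comb


def binom_series(n, D):
    """Coefficients of 1/(1-t)^n up to degree D (n >= 1)."""
    return [comb(n + k - 1, k) for k in range(D + 1)]


def bigraded_series(n1, n2, bidegrees, D):
    """Table c[a][b] of prod_i (1 - t1^{d_i1} t2^{d_i2}) / ((1-t1)^{n1} (1-t2)^{n2}) for 0 <= a, b <= D.
    Multiplying by (1 - t1^d1 t2^d2) is a shift-and-subtract that only reads lower indices,
    so every entry of the truncated table is exact."""
    s1, s2 = binom_series(n1, D), binom_series(n2, D)
    c = [[s1[a] * s2[b] for b in range(D + 1)] for a in range(D + 1)]
    for d1, d2 in bidegrees:
        c = [[c[a][b] - (c[a - d1][b - d2] if a >= d1 and b >= d2 else 0)
              for b in range(D + 1)] for a in range(D + 1)]
    return c


def univariate_series(n, degrees, D):
    """Coefficients of the classical series prod_i (1 - t^{d_i}) / (1-t)^n up to degree D."""
    c = binom_series(n, D)
    for d in degrees:
        c = [c[k] - (c[k - d] if k >= d else 0) for k in range(D + 1)]
    return c


def specialize(c):
    """Set t1 = t2 = t: the coefficient of t^k is the sum of the anti-diagonal a + b = k."""
    D = len(c) - 1
    return [sum(c[a][k - a] for a in range(k + 1)) for k in range(D + 1)]


def degree_of_regularity(coeffs):
    """Index of the first non-positive coefficient, or None if none appears up to the truncation."""
    for k, v in enumerate(coeffs):
        if v <= 0:
            return k
    return None


if __name__ == "__main__":
    n1, n2, D = 2, 2, 8                    # constructed toy sizes, not Rainbow parameters
    bideg = [(1, 1)] * 5                   # five equations of bi-degree (1, 1)
    table = bigraded_series(n1, n2, bideg, D)
    one_var = specialize(table)
    print("specialized  :", one_var)                                   # [1, 4, 5, 0, -5, ...]
    print("classical    :", univariate_series(n1 + n2, [2] * 5, D))    # identical
    print("deg. of reg. :", degree_of_regularity(one_var))             # 3
```

The point of reading the two-variable table rather than its specialization is visible in the toy run: the anti-diagonal sums hide how the coefficient mass is split between the two variable blocks, and that split is what a bi-graded solving-degree estimate exploits.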
Moreover, we show a relation between the Rainbow-Band-Separation attack using the hybrid approach and the HighRank attack. By considering this relation together with our theoretical value, we obtain a new complexity estimation for the Rainbow-Band-Separation attack. Furthermore, applying our theoretical value to the complexity formula used in the NIST PQC 2nd round, we show that a slight modification of the proposed Rainbow parameter sets is required. Consequently, we provide a new theoretical value for estimating the solving degree of a general bi-graded polynomial system, which can influence the parameter selection of Rainbow in the NIST PQC standardization project.

A note on the \(c\)-differential spectrum of an AP\(c\)N function
https://zbmath.org/1517.94137
Authors: Pang, Tingting (https://zbmath.org/authors/?q=ai:pang.tingting); Li, Nian (https://zbmath.org/authors/?q=ai:li.nian); Zeng, Xiangyong (https://zbmath.org/authors/?q=ai:zeng.xiangyong); Zhu, Haiying (https://zbmath.org/authors/?q=ai:zhu.haiying)
Summary: Motivated by a recent work of \textit{H. Yan} and \textit{K. Zhang} [Des. Codes Cryptography 90, No. 10, 2385--2405 (2022; Zbl 1506.14057)] on the \(c\)-differential spectrum of some power functions over finite fields, we further study an AP\(c\)N function and express its \(c\)-differential spectrum in terms of \((i, j, k)_2\), i.e., the cardinality of the intersection \((\mathcal{C}^{(2)}_i+1)\cap\mathcal{C}^{(2)}_j\cap(\mathcal{C}^{(2)}_k-1)\) for \(i, j, k\in\{0, 1\}\), where \(\mathcal{C}^{(2)}_0, \mathcal{C}^{(2)}_1\) are the cyclotomic classes of order two over the finite field \(\mathbb{F}_{p^n}\), \(p\) is an odd prime and \(n\) is a positive integer. By virtue of the cyclotomic numbers of orders two and four, we determine the values of \((i, j, k)_2\) for \(i, j, k\in\{0, 1\}\), which may be of independent interest.
As an application, we give another proof of the \(c\)-differential spectrum of an AP\(c\)N function over finite fields of characteristic \(5\). Further, we refine the result of Yan and Zhang [loc. cit.] in the sense that we completely characterize the conditions under which the \(c\)-differential equation of the AP\(c\)N function has one solution and two solutions, respectively.

Almost fully anonymous attribute-based group signatures with verifier-local revocation and member registration from lattice assumptions
https://zbmath.org/1517.94138
Authors: Perera, Maharage Nisansala Sevwandi (https://zbmath.org/authors/?q=ai:perera.maharage-nisansala-sevwandi); Nakamura, Toru (https://zbmath.org/authors/?q=ai:nakamura.toru); Hashimoto, Masayuki (https://zbmath.org/authors/?q=ai:hashimoto.masayuki); Yokoyama, Hiroyuki (https://zbmath.org/authors/?q=ai:yokoyama.hiroyuki); Sakurai, Kouichi (https://zbmath.org/authors/?q=ai:sakurai.kouichi)
Summary: Attribute-Based Group Signature (ABGS) schemes permit any group member holding the required attributes to generate signatures on behalf of the group anonymously. Even though existing ABGS schemes with the Verifier-Local Revocation (VLR) method facilitate efficient user and attribute revocation, they cannot achieve stronger security for the users and the user attributes. In this paper, we present a new approach to overcome this weakness, delivering a new ABGS scheme with VLR that achieves stronger security, almost full anonymity, for both users and their attributes. We construct our scheme from lattices, as lattice cryptography is quantum-resistant. Moreover, we present a simple member joining protocol and a new zero-knowledge argument system that supports the new scheme.
Finally, we prove that the proposed scheme meets the security requirements of almost full anonymity, traceability, and non-frameability.

Complexity estimation for a differential attack on a block cipher with given parameters
https://zbmath.org/1517.94139
Authors: Pestunov, A. I. (https://zbmath.org/authors/?q=ai:pestunov.a-i|pestunov.andrei-igorevich)
Summary: In this paper we describe a differential attack on a block cipher in the general case. We calculate the attack complexity for different cipher parameters.

Group structure in correlations and its applications in cryptography
https://zbmath.org/1517.94140
Authors: Policharla, Guru-Vamsi (https://zbmath.org/authors/?q=ai:policharla.guru-vamsi); Prabhakaran, Manoj (https://zbmath.org/authors/?q=ai:prabhakaran.manoj-m); Raghunath, Rajeev (https://zbmath.org/authors/?q=ai:raghunath.rajeev); Vyas, Parjanya (https://zbmath.org/authors/?q=ai:vyas.parjanya)
Summary: Correlated random variables are a key tool in cryptographic applications like secure multi-party computation. We investigate the power of a class of correlations that we term group correlations: a group correlation is a uniform distribution over pairs \((x,y)\in G^2\) such that \(x+y\in S\), where \(G\) is a (possibly non-abelian) group and \(S\) is a subset of \(G\). We also introduce bi-affine correlations, and show how they relate to group correlations. We present several structural results, new protocols and applications of these correlations. The new applications include a completeness result for black-box group computation, perfectly secure protocols for evaluating a broad class of black-box ``mixed-group'' circuits with bi-affine homomorphisms, and new information-theoretic results. Finally, we uncover a striking structure underlying OLE: in particular, we show that OLE over \(\mathbb{F}_{2^n}\) is isomorphic to a group correlation over \(\mathbb{Z}_4^n\).
For the entire collection see [Zbl 1465.94005].

On weak key-scheduling algorithms relatively the related-key attack
https://zbmath.org/1517.94141
Authors: Pudovkina, M. A. (https://zbmath.org/authors/?q=ai:pudovkina.marina-aleksandrovna)
Summary: In this paper key-scheduling algorithms having a certain recurrent property are considered. For this class of algorithms we describe related-key attacks. The complexity of the attack equals that of an exhaustive search for one round key, and it requires only a small number of plaintexts.

Differential attack on 6-round Whirlpool-like block ciphers
https://zbmath.org/1517.94142
Authors: Pudovkina, M. A. (https://zbmath.org/authors/?q=ai:pudovkina.marina-aleksandrovna)
Summary: In this paper the family of Whirlpool-like block ciphers is introduced. We mount a differential attack on 6-round Whirlpool-like block ciphers. In particular, for the block cipher underlying the hash function Whirlpool, the complexity of the attack is \(2^{236.3}\).

Attacks on full block cipher GOST 28147-89 with 2 or 4 related keys
https://zbmath.org/1517.94143
Authors: Pudovkina, M. A. (https://zbmath.org/authors/?q=ai:pudovkina.marina-aleksandrovna); Khoruzhenko, G. I. (https://zbmath.org/authors/?q=ai:khoruzhenko.g-i)
Summary: In this paper we describe attacks on the full block cipher GOST 28147-89. The attack combines related-key, differential and boomerang techniques. Depending on the properties of the S-boxes, it needs 2 or 4 related keys.

On steganographic system selection rule
https://zbmath.org/1517.94144
Authors: Razinkov, E. V. (https://zbmath.org/authors/?q=ai:razinkov.e-v); Latypov, R. Kh. (https://zbmath.org/authors/?q=ai:latypov.r-kh)
Summary: In this paper we propose an approach to steganographic system optimization. The corresponding cover-message model is explained.
Our method aims at maximizing steganographic security and capacity, and can be adapted to different types of digital cover messages.

A theoretical analysis of generalized invariants of bijective S-boxes
https://zbmath.org/1517.94145
Authors: Rodríguez, René (https://zbmath.org/authors/?q=ai:rodriguez.rene-s); Wei, Yongzhuang (https://zbmath.org/authors/?q=ai:wei.yongzhuang); Pasalic, Enes (https://zbmath.org/authors/?q=ai:pasalic.enes)
Summary: This article provides a rigorous mathematical treatment of generalized nonlinear invariants (GNI) and closed-loop invariants (CLI), which extend the standard notion of nonlinear invariants used in the cryptanalysis of block ciphers. We first introduce the concept of an active cycle set, which is useful for defining standard invariants of concatenated S-boxes. We also present an algorithm for finding the cycle decomposition of a substitution layer given the cycle decomposition of the constituent S-boxes. Employing the cycle decomposition of a bijective S-box, we precisely characterize the number of its generalized invariants and CLIs. We demonstrate that quadratic invariants (especially useful for mounting practical attacks when the linear layer is an orthogonal matrix) might not exist for many S-boxes used in practice, whereas there are many quadratic invariants of the generalized type. For generalized invariants, we draw the important conclusion that these invariants are not affine invariant: for two affine permutations \(A_1,A_2\) over \(\mathbb{F}_2^m\), the set of generalized invariants of \(S\) is not necessarily the same as that of \(A_1\circ S\circ A_2\). In the context of closed-loop invariants, it is shown that the inverse mapping \(S(x)=x^{-1}\) over \(\mathbb{F}_{2^4}\) admits quadratic CLIs that additionally possess linear structures, whereas for \(m>4\) there are no quadratic CLIs of \(S(x)=x^{-1}\) over \(\mathbb{F}_{2^m}\).
Moreover, we identify the existence of both standard and closed-loop invariants for the so-called MiMC design [\textit{M. Albrecht} et al., Lect. Notes Comput. Sci. 10031, 191--219 (2016; Zbl 1404.94035)], which uses an S-box layer based on the permutation \(S(x)=x^3\) over \(\mathbb{F}_{2^m}\) (\(m\) odd). We present a method to specify these invariants even when \(m\) is prime, for which the authors [loc. cit.] claimed resistance against a type of invariant attack, the subfield attack.

Securely computing the \(n\)-variable equality function with \(2n\) cards
https://zbmath.org/1517.94146
Authors: Ruangwises, Suthee (https://zbmath.org/authors/?q=ai:ruangwises.suthee); Itoh, Toshiya (https://zbmath.org/authors/?q=ai:itoh.toshiya)
Summary: Research in the area of secure multi-party computation using a deck of playing cards, often called card-based cryptography, started from the introduction of the five-card trick protocol to compute the logical AND function by
\textit{B. den Boer} [Lect. Notes Comput. Sci. 434, 208--217 (1990; Zbl 1434.94064)]. Since then, many card-based protocols to compute various functions have been developed. In this paper, we propose two new protocols that securely compute the \(n\)-variable equality function (determining whether all inputs are equal) \(E : \{0,1\}^n \to \{0,1\}\) using \(2n\) cards. The first protocol can be generalized to compute any doubly symmetric function \(f : \{0,1\}^n \to \mathbb{Z}\) using \(2n\) cards, and any symmetric function \(f : \{0,1\}^n \to \mathbb{Z}\) using \(2n+2\) cards. The second protocol can be generalized to compute the \(k\)-candidate \(n\)-variable equality function \(E : (\mathbb{Z}/k\mathbb{Z})^n \to \{0,1\}\) using \(2\lceil \lg k \rceil n\) cards.

Physical zero-knowledge proof for ripple effect
https://zbmath.org/1517.94147
Authors: Ruangwises, Suthee (https://zbmath.org/authors/?q=ai:ruangwises.suthee); Itoh, Toshiya (https://zbmath.org/authors/?q=ai:itoh.toshiya)
Summary: Ripple Effect is a logic puzzle whose objective is to fill numbers into a rectangular grid divided into rooms. Each room must contain the consecutive integers from 1 up to its size. Also, if two cells in the same row or column contain the same number \(x\), the space separating the two cells must be at least \(x\) cells. In this paper, we propose a physical zero-knowledge proof protocol for the Ripple Effect puzzle using a deck of cards, which allows a prover to physically show that he/she knows a solution without revealing it. In particular, we develop a physical protocol that, given a secret number \(x\) and a list of numbers, verifies that \(x\) does not appear among the first \(x\) numbers in the list without revealing \(x\) or any number in the list.
For the entire collection see [Zbl 1470.68028].

Physical zero-knowledge proof for ripple effect
https://zbmath.org/1517.94148
Authors: Ruangwises, Suthee (https://zbmath.org/authors/?q=ai:ruangwises.suthee); Itoh, Toshiya (https://zbmath.org/authors/?q=ai:itoh.toshiya)
Summary: Ripple Effect is a logic puzzle where the player has to fill numbers into the empty cells of a rectangular grid. The grid is divided into rooms, and each room must contain the consecutive integers from 1 up to its size. Also, if two cells in the same row or column contain the same number \(x\), there must be a space of at least \(x\) cells separating the two cells. In this paper, we develop a physical zero-knowledge proof for the Ripple Effect puzzle using a deck of cards, which allows a prover to convince a verifier that he/she knows a solution without revealing it. In particular, given a secret number \(x\) and a list of numbers, our protocol can physically verify that \(x\) does not appear among the first \(x\) numbers in the list without revealing \(x\) or any number in the list.

An attack on \(N = p^2q\) with partially known bits on the multiple of the prime factors
https://zbmath.org/1517.94149
Authors: Ruzai, W. N. A. (https://zbmath.org/authors/?q=ai:ruzai.wan-nur-aqlili-wan-mohd); Adenan, N. N. H. (https://zbmath.org/authors/?q=ai:adenan.nurul-nur-hanisah); Ariffin, M. R. K. (https://zbmath.org/authors/?q=ai:ariffin.mahammad-rezal-kamel|ariffin.muhamad-rezal-kamel); Ghaffar, A. H. A. (https://zbmath.org/authors/?q=ai:ghaffar.a-h-a); Johari, M. A. M. (https://zbmath.org/authors/?q=ai:johari.m-a-mohamat)
Summary: This paper presents a cryptanalytic study of the modulus \(N=p^2q\), where the two large primes are of the same bit size. We show that the modulus \(N\) can be factored if \(e\) satisfies a Diophantine equation of the form \(ed - k(N - (ap)^2 - apbq + ap) = 1\), where \(\frac{a}{b}\) is an unknown approximation of \(\frac{q}{p}\).
Our attack is feasible when some of the least significant bits (LSBs) of \(ap\) and \(bq\) are known. Using the Jochemsz-May strategy as our main method, we prove that the modulus \(N\) can be factored in polynomial time under certain specified conditions.

Learn from your faults: leakage assessment in fault attacks using deep learning
https://zbmath.org/1517.94150
Authors: Saha, Sayandeep (https://zbmath.org/authors/?q=ai:saha.sayandeep); Alam, Manaar (https://zbmath.org/authors/?q=ai:alam.manaar); Bag, Arnab (https://zbmath.org/authors/?q=ai:bag.arnab); Mukhopadhyay, Debdeep (https://zbmath.org/authors/?q=ai:mukhopadhyay.debdeep); Dasgupta, Pallab (https://zbmath.org/authors/?q=ai:dasgupta.pallab)
Summary: Generic vulnerability assessment of cipher implementations against Fault Attacks (FA) is a largely unexplored research area. Security assessment against FA is critical for FA countermeasures: on several occasions, countermeasures have failed to fulfil their sole purpose of preventing FA due to flawed design or implementation. This paper proposes a generic, simulation-based, statistical yes/no experiment for evaluating fault-assisted information leakage, based on the principle of non-interference. It builds on an initial idea called ALAFA that utilizes the \(t\)-test and its higher-order variants for detecting leakage at different moments of the ciphertext distribution. In this paper, we improve this idea with a Deep Learning (DL)-based leakage detection test. The DL-based detection test is not specific to moment-based leakage only; it can thus expose leakage in several cases where the \(t\)-test-based technique demands a prohibitively large number of ciphertexts. Further, we present two generalizations of the leakage assessment experiment: one for evaluating against the statistical ineffective fault model, and another for assessing fault-induced leakage originating from ``non-cryptographic'' peripheral components of a security module.
Finally, we explore techniques for efficiently covering the fault space of a block cipher by exploiting logic-level and cipher-level fault equivalences. The efficacy of our proposals has been evaluated on a rich test suite of hardened implementations, including an open-source Statistical Ineffective Fault Attack countermeasure and a hardware security module called Secured-Hardware-Extension.

Classical reduction of gap SVP to LWE: a concrete security analysis
https://zbmath.org/1517.94151
Authors: Sarkar, Palash (https://zbmath.org/authors/?q=ai:sarkar.palash); Singha, Subhadip (https://zbmath.org/authors/?q=ai:singha.subhadip)
Summary: \textit{O. Regev} [in: Proceedings of the 37th annual ACM symposium on theory of computing, STOC'05. Baltimore, MD, USA, May 22--24, 2005. New York, NY: Association for Computing Machinery (ACM). 84--93 (2005; Zbl 1192.94106)] introduced the learning with errors (LWE) problem and showed a quantum reduction from a worst-case lattice problem to LWE. Building on the work of \textit{C. Peikert} [in: Proceedings of the 41st annual ACM symposium on theory of computing, STOC '09. Bethesda, MD, USA, May 31 -- June 2, 2009. New York, NY: Association for Computing Machinery (ACM). 333--342 (2009; Zbl 1304.94079)], a classical reduction from the gap shortest vector problem to LWE was obtained by \textit{Z. Brakerski} et al. [in: Proceedings of the 45th annual ACM symposium on theory of computing, STOC '13. Palo Alto, CA, USA, June 1--4, 2013. New York, NY: Association for Computing Machinery (ACM). 575--584 (2013; Zbl 1293.68159)]. A concrete security analysis of Regev's reduction by \textit{S. Chatterjee} et al. [Lect. Notes Comput. Sci. 10311, 21--55 (2017; Zbl 1410.94056)] identified a huge tightness gap. The present work performs a concrete analysis of the tightness gap in the classical reduction of Brakerski et al. [loc. cit.]. It turns out that the tightness gap in the Brakerski et al. [loc. cit.]
classical reduction is even larger than the tightness gap in the quantum reduction of Regev [loc. cit.]. This casts doubt on what the reduction actually implies for the security assurance of practical cryptosystems.

Simplified MITM modeling for permutations: new (quantum) attacks
https://zbmath.org/1517.94152
Authors: Schrottenloher, André (https://zbmath.org/authors/?q=ai:schrottenloher.andre); Stevens, Marc (https://zbmath.org/authors/?q=ai:stevens.marc)
Summary: Meet-in-the-middle (MITM) is a general paradigm where internal states are computed along two independent paths (`forwards' and `backwards') that are then matched. Over time, MITM attacks have improved through more refined techniques that exploit additional freedoms and structure, which makes it more involved to find and optimize such attacks. This has led to the use of detailed attack models for generic solvers that automatically search for improved attacks, notably a MILP model developed by \textit{Z. Bao} et al. [Lect. Notes Comput. Sci. 12696, 771--804 (2021; Zbl 1479.94121)].
In this paper, we study a simpler MILP modeling combining a greatly reduced attack representation as input to the generic solver, together with a theoretical analysis that, for any solution, proves the existence and complexity of a detailed attack. This modeling allows one to find both classical and quantum attacks on a broad class of cryptographic permutations. First, Present-like constructions, with the permutations from the Spongent hash functions: we improve the MITM step in distinguishers by up to 3 rounds. Second, AES-like designs: despite being much simpler than Bao et al.'s [loc. cit.], our model allows us to recover the best previous results. The only limitation is that we do not use degrees of freedom from the key schedule. Third, we show that the model can be extended to target more permutations, like Feistel networks. In this context we give new Guess-and-determine attacks on reduced \textsf{Simpira v2} and \textsc{Sparkle}.
Finally, using our model, we find several new quantum preimage and pseudo-preimage attacks (e.g. \textsf{Haraka v2}, \textsf{Simpira v2}\dots) targeting the same number of rounds as the classical attacks.
For the entire collection see [Zbl 1514.94003].

Generic-group identity-based encryption: a tight impossibility result
https://zbmath.org/1517.94153 2023-09-22T14:21:46.120933Z
"Schul-Ganz, Gili" https://zbmath.org/authors/?q=ai:schul-ganz.gili; "Segev, Gil" https://zbmath.org/authors/?q=ai:segev.gil
Summary: Following the pioneering work of \textit{D. Boneh} and \textit{M. Franklin} [Lect. Notes Comput. Sci. 2139, 213--229 (2001; Zbl 1002.94023)], the challenge of constructing an identity-based encryption scheme based on the Diffie-Hellman assumption remained unresolved for more than 15 years. Evidence supporting this lack of success was provided by \textit{P. A. Papakonstantinou} et al. [``How powerful are the DDH hard groups?'', Preprint, \url{https://eprint.iacr.org/2012/653}], who ruled out the existence of generic-group identity-based encryption schemes supporting an identity space of sufficiently large polynomial size. Nevertheless, the breakthrough result of \textit{N. Döttling} and \textit{S. Garg} [Lect. Notes Comput. Sci. 10401, 537--569 (2017; Zbl 1385.94033)] settled this long-standing challenge via a non-generic construction.

We prove a tight impossibility result for generic-group identity-based encryption, ruling out the existence of any non-trivial construction: We show that any scheme whose public parameters include \(n_{pp}\) group elements may support at most \(n_{pp}\) identities. This threshold is trivially met by any generic-group public-key encryption scheme whose public keys consist of a single group element (e.g., ElGamal encryption).

In the context of algebraic constructions, generic realizations are often both conceptually simpler and more efficient than non-generic ones. Thus, identifying exact thresholds for the limitations of generic groups is not only of theoretical significance but may in fact have practical implications when considering concrete security parameters.
For the entire collection see [Zbl 1465.94005].

SQLite encryption method for embedded databases based on chaos algorithm
https://zbmath.org/1517.94154 2023-09-22T14:21:46.120933Z
"Shi, Junlong" https://zbmath.org/authors/?q=ai:shi.junlong
Summary: With the widespread use of embedded systems, chaos is a nonlinear system with certainty and complexity. It is an important topic in the field of information security at present, and it is an effective way to apply to embedded systems. It has great practical value in theory and in practice. This research mainly focuses on the encryption technology of the SQLite embedded database and proposes an improved sparrow algorithm (Logistic Chaos Sparrow Search Algorithm, LCSSA) based on the Logistic Chaos Map. It shows that the security level of SQLite in web development is higher than that of conventional Access. The population is initialized by the logistic chaotic mapping method, which improves the quality of the initial solution, increases the diversity of the population, and reduces the risk of premature maturity of the algorithm. The initial value \(y_0\) determines the encryption method of the nonlinear function. Taking the integer variable (int) as an example, the value range is \(-2^{31}\sim 2^{31}\). It can be seen that the key space is sufficient to prevent various conventional attacks. When the key is the wrong key, decryption will not yield any data. It can be found that encryption and decryption are very sensitive to the key, which is also determined by the sensitivity of the chaotic encryption system to the initial value. The benchmark function compares the performance of the improved algorithm with the algorithm before the improvement and compares it with the SSA.
The LCSSA has better convergence performance, higher accuracy, and better stability.

On extension of evaluation algorithms in keyed-homomorphic encryption
https://zbmath.org/1517.94155 2023-09-22T14:21:46.120933Z
"Shinoki, Hirotomo" https://zbmath.org/authors/?q=ai:shinoki.hirotomo; "Nuida, Koji" https://zbmath.org/authors/?q=ai:nuida.koji
Summary: Homomorphic encryption (HE) is public key encryption that enables computation over ciphertexts without decrypting them, while it is known that HE cannot achieve IND-CCA2 security. To overcome this issue, the notion of keyed-homomorphic encryption (KH-PKE) was introduced, which has a separate homomorphic evaluation key and can achieve stronger security.
The contributions of this paper are twofold. First, the syntax of KH-PKE assumes that homomorphic evaluation is performed for single operations, and its security notion called KH-CCA security was formulated based on this syntax. Consequently, if the homomorphic evaluation algorithm is enhanced in a way of gathering up sequential operations as a single evaluation, then it is not obvious whether or not KH-CCA security is preserved. In this paper, we show that KH-CCA security is in general not preserved under such modification, while KH-CCA security is preserved when the original scheme additionally satisfies circuit privacy.
Secondly, \textit{D. Catalano} and \textit{D. Fiore} [in: Proceedings of the 22nd ACM conference on computer and communications security, CCS'15, Denver, CO, USA, October 12--16, 2015. New York, NY: Association for Computing Machinery (ACM). 1518--1529 (2015; \url{doi.org/10.1145/2810103.2813624})] proposed a conversion method from linearly HE schemes into two-level HE schemes, the latter admitting addition and a single multiplication for ciphertexts. In this paper, we extend the conversion to the case of linearly KH-PKE schemes to obtain two-level KH-PKE schemes.
For the entire collection see [Zbl 1503.68013].

Symmetric cipher on the base of non-commutative algebra of polynomials
https://zbmath.org/1517.94156 2023-09-22T14:21:46.120933Z
"Shirokov, I. V." https://zbmath.org/authors/?q=ai:shirokov.igor-victorovich|shirokov.igor-v
Summary: A simple symmetric cryptosystem based on the properties of a non-commutative algebra of polynomials is presented in the article.

About the fact of detecting the noise in finite Markov chain with an unknown transition probability matrix
https://zbmath.org/1517.94157 2023-09-22T14:21:46.120933Z
"Shoĭtov, A. M." https://zbmath.org/authors/?q=ai:shoytov.aleksandr-m|shoitov.a-m
Summary: The known square root law of steganographic capacity extends to Markov chains with an unknown transition probability matrix.

2F -- a new method for constructing efficient multivariate encryption schemes
https://zbmath.org/1517.94158 2023-09-22T14:21:46.120933Z
"Smith-Tone, Daniel" https://zbmath.org/authors/?q=ai:smith-tone.daniel
Summary: The Support Minors method of solving the MinRank problem has contributed to several new cryptanalyses of post-quantum cryptosystems including some of the most efficient multivariate cryptosystems. While there are a few viable multivariate schemes that are secure against rank methods, the most prominent schemes, particularly for encryption, are not particularly efficient.
In this article we present a new generic construction for building efficient multivariate encryption schemes. Such schemes can be built from maps having rank properties that would otherwise be damaging, but are immune to traditional rank attacks. We then construct one such efficient multivariate encryption scheme and show it to be about 100 times faster than other secure multivariate encryption schemes in the literature.
For the entire collection see [Zbl 1514.94001].

A Wiener-type attack on an RSA-like cryptosystem constructed from cubic Pell equations
https://zbmath.org/1517.94159 2023-09-22T14:21:46.120933Z
"Susilo, Willy" https://zbmath.org/authors/?q=ai:susilo.willy; "Tonien, Joseph" https://zbmath.org/authors/?q=ai:tonien.joseph
Summary: This paper investigates a novel RSA-like cryptosystem proposed by \textit{N. Murru} and \textit{F. M. Saettone} [Lect. Notes Comput. Sci. 10737, 91--103 (2018; Zbl 1423.94091)]. This cryptosystem is constructed from a cubic field connected to the cubic Pell equation and Redei rational functions. The scheme is claimed to be secure against the Wiener-type attack. However, in this paper, we show a Wiener-type attack that can recover the secret key from the continued fraction constructed from public information.

\textsf{Hide the modulus}: a secure non-interactive fully verifiable delegation scheme for modular exponentiations via CRT
https://zbmath.org/1517.94160 2023-09-22T14:21:46.120933Z
"Uzunkol, Osmanbey" https://zbmath.org/authors/?q=ai:uzunkol.osmanbey; "Rangasamy, Jothi" https://zbmath.org/authors/?q=ai:rangasamy.jothi; "Kuppusamy, Lakshmi" https://zbmath.org/authors/?q=ai:kuppusamy.lakshmi
Summary: Security protocols using public-key cryptography often require a large number of costly modular exponentiations (MEs). With the proliferation of resource-constrained (mobile) devices and advancements in cloud computing, delegation of such expensive computations to powerful server providers has gained a lot of attention. In this paper, we address the problem of verifiably secure delegation of MEs using two servers, where at most one of them is assumed to be malicious (the OMTUP-model). We first show verifiability issues of two recent schemes: We show that a scheme from [\textit{L. Kuppusamy} and \textit{J. Rangasamy}, Lect. Notes Comput. Sci.
10095, 81--98 (2016; Zbl 1411.94072)] does not offer full verifiability, and that a scheme for \(n\) simultaneous MEs from [\textit{Y. Ren} et al., in: Proceedings of the 11th ACM on Asia conference on computer and communications security, ASIA CCS '16, Xi'an, China, May 30 -- June 3, 2016. New York, NY: Association for Computing Machinery (ACM). 293--303 (2016; \url{doi:10.1145/2897845.2897881})] is verifiable only with a probability 0.5909 instead of the authors' claim of a probability 0.9955 for \(n=10\). Then, we propose the first non-interactive fully verifiable secure delegation scheme by hiding the modulus via the Chinese Remainder Theorem (CRT). Our scheme also improves the computational efficiency of the previous schemes considerably. Hence, we provide a lightweight delegation enabling weak clients to securely and verifiably delegate MEs without any expensive local computation (neither online nor offline). The proposed scheme is highly useful for devices having (a) only ultra-lightweight memory, and (b) limited computational power (e.g. sensor nodes, RFID tags).
For the entire collection see [Zbl 1398.68020].

On constructing pairing-free identity-based encryptions
https://zbmath.org/1517.94161 2023-09-22T14:21:46.120933Z
"Wang, Xin" https://zbmath.org/authors/?q=au:Wang, Xin; "Liang, Bei" https://zbmath.org/authors/?q=ai:liang.bei; "Li, Shimin" https://zbmath.org/authors/?q=ai:li.shimin; "Xue, Rui" https://zbmath.org/authors/?q=ai:xue.rui
Summary: In this paper, we focus on constructing IBE from hardness assumptions without pairings. In particular, we propose two IBE schemes that are provably secure under new number theoretic assumptions over the group \(\mathbb{Z}_{N^2}^\ast\), in the Random Oracle (RO) model. We essentially take advantage of the underlying algebraic structure to overcome the difficulties in devising an IBE scheme.
More precisely, our contributions are two-fold and can be summarised as follows: (i) We give two concrete pairing-free constructions of IBE based on a variant of the DDH assumption and Paillier's \textsf{DCR} assumption respectively over the group \(\mathbb{Z}_{N^2}^\ast\). These schemes are quite efficient and easy to prove \textsf{IND-ID-CPA} in the random oracle model. (ii) We also provide a generic construction of selectively secure IBE from a DDH group with a \textsf{DL}-solvable subgroup in the standard model by employing puncturable PRFs and indistinguishability obfuscation.
For the entire collection see [Zbl 1398.68020].

Automatic search for related-key differential trails in SIMON-like block ciphers based on MILP
https://zbmath.org/1517.94162 2023-09-22T14:21:46.120933Z
"Wang, Xuzi" https://zbmath.org/authors/?q=ai:wang.xuzi; "Wu, Baofeng" https://zbmath.org/authors/?q=ai:wu.baofeng; "Hou, Lin" https://zbmath.org/authors/?q=ai:hou.lin; "Lin, Dongdai" https://zbmath.org/authors/?q=ai:lin.dongdai
Summary: In this paper, we revisit the relationship between the probability of differential trails and the input difference of each round for SIMON-like block ciphers. The key observation is that not only the Hamming weight but also the positions of active bits of the input difference have an effect on the probability. Based on this, our contributions are mainly twofold. Firstly, we rebuild the MILP model for SIMON-like block ciphers without quadratic constraints. Accordingly, we give the accurate objective function and reduce its degree to one by adding auxiliary variables to make the model easy to solve. Secondly, we search for optimal differential trails for SIMON and SIMECK based on this model. To the best of our knowledge, this is the first time that related-key differential trails have been obtained. Besides, we not only recover the single-key results in [\textit{Z. Liu} and \textit{Y. Li}, ``Optimal differential trails in SIMON-like ciphers'', IACR Trans. Symmetric Cryptol. 1, 358--379 (2017; \url{doi:10.13154/tosc.v2017.i1.358-37911})], but also obtain impossible differentials through this method.
For the entire collection see [Zbl 1398.68020].

Multi-authority ABE from lattices without random oracles
https://zbmath.org/1517.94163 2023-09-22T14:21:46.120933Z
"Waters, Brent" https://zbmath.org/authors/?q=ai:waters.brent; "Wee, Hoeteck" https://zbmath.org/authors/?q=ai:wee.hoeteck; "Wu, David J." https://zbmath.org/authors/?q=ai:wu.david-j
Summary: Attribute-based encryption (ABE) extends public-key encryption to enable fine-grained control to encrypted data. However, this comes at the cost of needing a central trusted authority to issue decryption keys. A multi-authority ABE (MA-ABE) scheme decentralizes ABE and allows anyone to serve as an authority. Existing constructions of MA-ABE only achieve security in the random oracle model.
In this work, we develop new techniques for constructing MA-ABE for the class of subset policies (which captures policies such as conjunctions and DNF formulas) whose security can be based in the plain model without random oracles. We achieve this by relying on the recently-proposed ``evasive'' learning with errors (LWE) assumption by \textit{H. Wee} [Lect. Notes Comput. Sci. 13276, 217--241 (2022; Zbl 1496.94069)] and \textit{R. Tsabary} [ibid. 13507, 535--559 (2022; Zbl 1516.94056)].
Along the way, we also provide a modular view of the MA-ABE scheme for DNF formulas by \textit{P. Datta} et al. [ibid. 12696, 177--209 (2021; Zbl 1479.94153)] in the random oracle model. We formalize this via a general version of a related-trapdoor LWE assumption by \textit{Z. Brakerski} and \textit{V. Vaikuntanathan} [LIPIcs 215, 28:1--28:20 (2022; \url{doi:10.4230/LIPIcs.ITCS.2022.28})], which can in turn be reduced to the plain LWE assumption. As a corollary, we also obtain an MA-ABE scheme for subset policies from plain LWE with a polynomial modulus-to-noise ratio in the random oracle model. This improves upon the Datta et al. [loc. cit.] construction which relied on LWE with a sub-exponential modulus-to-noise ratio. Moreover, we are optimistic that the generalized related-trapdoor LWE assumption will also be useful for analyzing the security of other lattice-based constructions.
For the entire collection see [Zbl 1516.94002].

CPA/CCA2-secure PKE with squared-exponential DFR from low-noise LPN
https://zbmath.org/1517.94164 2023-09-22T14:21:46.120933Z
"Xu, Shengfeng" https://zbmath.org/authors/?q=ai:xu.shengfeng; "Li, Xiangxue" https://zbmath.org/authors/?q=ai:li.xiangxue; "Qian, Haifeng" https://zbmath.org/authors/?q=ai:qian.haifeng; "Chen, Kefei" https://zbmath.org/authors/?q=ai:chen.kefei
Summary: The LPN (learning parity with noise) problem is a good candidate for post-quantum cryptography which enjoys simplicity and suitability for weak-power devices. \textit{N. Döttling} et al. [Lect. Notes Comput. Sci. 7658, 485--503 (2012; Zbl 1292.94056)] initiated the first secure public key encryption (PKE) under the low-noise LPN assumption. \textit{E. Kiltz} et al. [ibid. 8383, 1--18 (2014; Zbl 1335.94059)] proposed a simpler and more efficient scheme using the double-trapdoor technique from the same assumption. Both schemes abide by the decoding failure rate (DFR) \( 2^{- {\Theta} ( k )}\) (\(k\) is the security parameter) and there exists CPA/CCA2-secure PKE with squared-exponential DFR \(2^{- {\Theta} ( k^2 )}\) from constant-noise LPN [\textit{Y. Yu} and \textit{J. Zhang}, Lect. Notes Comput. Sci. 9814, 214--243 (2016; Zbl 1378.94071)]. In this work, we give a positive answer with squared-exponential DFR in the low-noise setting.
More precisely, we first introduce a variant (VxLPN) of the low-noise Exact LPN (xLPN, proposed by \textit{A. Jain} et al. [ibid. 7658, 663--680 (2012; Zbl 1292.94082)] and used as building block in commitments and zero-knowledge proofs), where the coefficient matrix \(\mathfrak{A}\) follows the uniform distribution over \(\{ 0 , 1 \}^{q \times n}\) (\(n = {\Theta}( k^2)\), \(q = {\Theta}(n)\)), the secret \(\mathfrak{x}\) is sampled from \(\mathcal{B}_\mu^n\) (\(\mathcal{B}_\mu\) is the Bernoulli distribution with noise rate \(\mu = {\Theta}(\frac{ 1}{ \sqrt{ q}}))\), and the noise \(\mathfrak{e}\) follows a column vector distribution uniform over \(\{\mathfrak{z} \in \{ 0 , 1 \}^q : | \mathfrak{z} | = q \mu \} \). A series of reductions show that VxLPN is at least as hard as the standard LPN for the same noise rate \(\mu \). We then construct from the VxLPN CPA/CCA2 secure PKE schemes with squared-exponential DFR \(2^{- {\Theta} ( k^2 )}\) which share the common structure extrinsically with Kiltz et al. [loc. cit.] and Yu-Zhang schemes [loc. cit.]. The secret key(s) in our schemes are simply sampled from the Bernoulli distribution, and comparatively, the secret key(s) in Yu-Zhang schemes must be chosen from a tailored version of the Bernoulli distribution (along with the coefficient matrix \(\mathfrak{A}\) that follows a distribution \(\mathcal{D}_\lambda^{n \times n} = U_{n \times \lambda} \cdot U_{\lambda \times n}\) induced by multiplying two random matrices in the public key, \( \lambda = {\Theta}( \log^2 n))\) in order to guarantee the correctness of their schemes. Considering the performance at the 128-bit security level, our CCA2-secure scheme only holds 117.79 MB public keys, 67.31 MB secret keys and 10.15 KB ciphertexts, and thus is more efficient than the schemes of Döttling et al. [loc. cit.] and Kiltz et al. [loc. cit.]
((14.53 GB, 14.48 GB, 14.06 KB) and (161.78 MB, 92.45 MB, 13.60 KB) respectively).

Two classes of power mappings with boomerang uniformity 2
https://zbmath.org/1517.94165 2023-09-22T14:21:46.120933Z
"Yan, Haode" https://zbmath.org/authors/?q=ai:yan.haode; "Li, Zhen" https://zbmath.org/authors/?q=ai:li.zhen.2; "Song, Zhitian" https://zbmath.org/authors/?q=ai:song.zhitian; "Feng, Rongquan" https://zbmath.org/authors/?q=ai:feng.rongquan
Summary: Let \(q\) be an odd prime power. Let \(F_1(x) = x^{d_1}\) and \(F_2(x) = x^{d_2}\) be power mappings over \(\mathrm{GF}(q^2) \), where \(d_1 = q-1\) and \(d_2 = d_1+\frac{q^2-1}{2} = \frac{(q-1)(q+3)}{2} \). In this paper, we study the boomerang uniformity of \(F_1\) and \(F_2\) via their differential properties. It is shown that the boomerang uniformity of \(F_i\) \(( i = 1,2 )\) is 2 with some conditions on \(q \).

Multi-key homomorphic proxy re-encryption
https://zbmath.org/1517.94166 2023-09-22T14:21:46.120933Z
"Yasuda, Satoshi" https://zbmath.org/authors/?q=ai:yasuda.satoshi; "Koseki, Yoshihiro" https://zbmath.org/authors/?q=ai:koseki.yoshihiro; "Hiromasa, Ryo" https://zbmath.org/authors/?q=ai:hiromasa.ryo; "Kawai, Yutaka" https://zbmath.org/authors/?q=ai:kawai.yutaka
Summary: In this paper, we propose a new notion of multi-key homomorphic proxy re-encryption (MH-PRE) in which inputs of homomorphic evaluation are encrypted by different public keys and the evaluated ciphertext is decrypted by a single secret key. We obtain it by adding the re-encryption property of proxy re-encryption to multi-key homomorphic encryption (MHE). MHE, first proposed by \textit{A. López-Alt} et al. [in: Proceedings of the 44th annual ACM symposium on theory of computing, STOC 2012. New York, NY, USA, May 19--22, 2012. New York, NY: Association for Computing Machinery (ACM).
1219--1234 (2012; Zbl 1286.68114)], can perform homomorphic evaluations on ciphertexts from different keys, but decrypting the output ciphertext of the homomorphic evaluation requires all the secret keys associated with the input ciphertexts. In order to decrypt the output ciphertext with a single secret key, we introduce the notion of re-encryption to MHE. In particular, we construct an MH-PRE scheme by applying the key switching technique to the MHE scheme of \textit{C. Peikert} and \textit{S. Shiehian} [Lect. Notes Comput. Sci. 9986, 217--238 (2016; Zbl 1397.94093)].
For the entire collection see [Zbl 1398.68020].

Replacing probability distributions in security games via Hellinger distance
https://zbmath.org/1517.94167 2023-09-22T14:21:46.120933Z
"Yasunaga, Kenji" https://zbmath.org/authors/?q=ai:yasunaga.kenji
Summary: Security of cryptographic primitives is usually proved by assuming ``ideal'' probability distributions. We need to replace them with approximated ``real'' distributions in real-world systems without losing the security level. We demonstrate that the Hellinger distance is useful for this problem, while the statistical distance is mainly used in the cryptographic literature. First, we show that for preserving \(\lambda\)-bit security of a given security game, a closeness of \(2^{-\lambda/2}\) to the ideal distribution is sufficient for the Hellinger distance, whereas \(2^{-\lambda}\) is generally required for the statistical distance. The result can be applied to both search and decision primitives through the bit security framework of \textit{D. Micciancio} and \textit{M. Walter} [Lect. Notes Comput. Sci. 10820, 3--28 (2018; Zbl 1423.94090)]. We also show that the Hellinger distance gives a tighter evaluation of closeness than the max-log distance when the distance is small. Finally, we show that the leftover hash lemma can be strengthened to the Hellinger distance. Namely, a universal family of hash functions gives a strong randomness extractor with optimal entropy loss for the Hellinger distance. Based on the results, a \(\lambda\)-bit entropy loss in randomness extractors is sufficient for preserving \(\lambda\)-bit security. The current understanding based on the statistical distance is that a \(2 \lambda\)-bit entropy loss is necessary.
For the entire collection see [Zbl 1465.94005].

Augmented random oracles
https://zbmath.org/1517.94168 2023-09-22T14:21:46.120933Z
"Zhandry, Mark" https://zbmath.org/authors/?q=ai:zhandry.mark
Summary: We propose a new paradigm for justifying the security of random oracle-based protocols, which we call the Augmented Random Oracle Model (AROM). We show that the AROM captures a wide range of important random oracle impossibility results. Thus a proof in the AROM implies some resiliency to such impossibilities. We then consider three ROM transforms which are subject to impossibilities: Fiat-Shamir (FS), Fujisaki-Okamoto (FO), and Encrypt-with-Hash (EwH). We show in each case how to obtain security in the AROM by strengthening the building blocks or modifying the transform.
Along the way, we give a couple of other results. We improve the assumptions needed for the FO and EwH impossibilities from indistinguishability obfuscation to circularly secure LWE; we argue that our AROM still captures this improved impossibility. We also demonstrate that there is no ``best possible'' hash function, by giving a pair of security properties, both of which can be instantiated in the standard model separately, which cannot be simultaneously satisfied by a single hash function.
For the entire collection see [Zbl 1514.94003].

To label, or not to label (in generic groups)
https://zbmath.org/1517.94169 2023-09-22T14:21:46.120933Z
"Zhandry, Mark" https://zbmath.org/authors/?q=ai:zhandry.mark
Summary: Generic groups are an important tool for analyzing the feasibility and infeasibility of group-based cryptosystems. There are two distinct widespread versions of generic groups, \textit{V. Shoup}'s [Lect. Notes Comput. Sci. 1233, 256--266 (1997; \url{doi.org/10.1007/3-540-69053-0_18})] and \textit{U. Maurer}'s [ibid. 3796, 1--12 (2005; Zbl 1122.94040)], the main difference being whether or not group elements are given explicit labels. The two models are often treated as equivalent. In this work, however, we demonstrate that the models are in fact quite different, and care is needed when stating generic group results:
\begin{itemize}
\item We show that numerous textbook constructions are not captured by Maurer, but are captured by Shoup. In the other direction, any construction captured by Maurer is captured by Shoup.
\item For constructions that exist in both models, we show that security is equivalent for ``single stage'' games, but Shoup security is strictly stronger than Maurer security for some ``multi-stage'' games.
\item The existing generic group un-instantiability results do not apply to Maurer. We fill this gap with a new un-instantiability result.
\item We explain how the known black box separations between generic groups and identity-based encryption do not fully apply to Shoup, and resolve this by providing such a separation.
\item We give a new un-instantiability result for the algebraic group model.
\end{itemize}
For the entire collection see [Zbl 1514.94003].

Speeding up MILP aided differential characteristic search with Matsui's strategy
https://zbmath.org/1517.94170 2023-09-22T14:21:46.120933Z
"Zhang, Yingjie" https://zbmath.org/authors/?q=ai:zhang.yingjie; "Sun, Siwei" https://zbmath.org/authors/?q=ai:sun.siwei; "Cai, Jiahao" https://zbmath.org/authors/?q=ai:cai.jiahao; "Hu, Lei" https://zbmath.org/authors/?q=ai:hu.lei
Summary: Being the first generic algorithm for finding the best differential and linear characteristics, \textit{M. Matsui}'s branch and bound search algorithm [Lect. Notes Comput. Sci. 950, 366--375 (1995; Zbl 0879.94024)] and its variants have played an important role in the security analysis of symmetric-key primitives. However, Matsui's algorithm is difficult to implement, optimize, and apply to different ciphers with reusable code. Another approach that has become popular in recent years is to encode the search problem as a Mixed Integer Linear Programming (MILP) model which can be solved by open-source or commercially available optimizers. In this work, we show how to tweak the objective functions of the MILP models for finding differential characteristics such that a set of constraints derived from the bounding condition of Matsui's algorithm can be incorporated into the models. We apply the new modeling strategy to PRESENT (S-box based SPN design), SIMON (Feistel structure), and SPECK (ARX construction). For PRESENT, the resolution time is significantly reduced. For example, the time to prove the exact lower bound of the probabilities of the differential characteristics for 7-round PRESENT is reduced from 48638 s to 656 s. For SIMON, obvious acceleration is also observed, and for the ARX cipher SPECK, the new model is unable to speed up the resolution.
In the future, it is interesting to investigate how to integrate other search heuristics proposed in the literature of symmetric-key cryptanalysis into the MILP models, and how to accelerate the resolution of MILP models for finding characteristics of ARX ciphers.
For the entire collection see [Zbl 1398.68020].

Functional encryption for cubic polynomials and implementation
https://zbmath.org/1517.94171 2023-09-22T14:21:46.120933Z
"Zhang, Zheng" https://zbmath.org/authors/?q=ai:zhang.zheng.8; "Zhang, Fangguo" https://zbmath.org/authors/?q=ai:zhang.fangguo
Summary: Functional encryption (FE), which provides fine-grained access control on encrypted data, is becoming a new hot spot in the field of cryptography. Recent applications, such as outsourcing computation, searchable encryption and so on, suggest that FE has unlimited possibilities. It especially shows great feasibility to construct indistinguishability obfuscation and reusable garbled circuits. Furthermore, bounded collusion functional encryption is an extension of FE which is secure against more than one key query and protects the security of messages under more than one function key. In this paper, we propose a bounded collusion FE for cubic polynomials, which follows from \textit{S. Agrawal} and \textit{A. Rosen}'s work [Lect. Notes Comput. Sci. 10677, 173--205 (2017; Zbl 1410.94036)]. Our construction only invokes the Regev public key encryption and a linear FE scheme, which avoids complex encodings defined recursively. What's more, we propose an FE scheme for all circuits with \textsf{FULL-SIM} security. Finally, we also implement these schemes and do some analyses on parameters' size, time and space performance.

Improved cube-attack-like cryptanalysis of reduced-round Ketje-Jr and Keccak-MAC
https://zbmath.org/1517.94172 2023-09-22T14:21:46.120933Z
"Zhao, Zishen" https://zbmath.org/authors/?q=ai:zhao.zishen; "Chen, Shiyao" https://zbmath.org/authors/?q=ai:chen.shiyao; "Wang, Meiqin" https://zbmath.org/authors/?q=ai:wang.meiqin; "Wang, Wei" https://zbmath.org/authors/?q=ai:wang.wei.23
Summary: \textit{I. Dinur} et al. [Lect. Notes Comput. Sci. 9056, 733--761 (2015; Zbl 1370.94506)] proposed cube-attack-like cryptanalysis on reduced-round Keccak.
The process of recovering the key is divided into the preprocessing and the online phase. The preprocessing phase sets up a look-up table by computing the cube sum of involved key bits. The online phase computes the cube sum of auxiliary variables and records the matching values in the table as candidates. Auxiliary variables help balance the complexity of the two phases by reducing the number of involved key bits. Following this idea, a series of works has been presented, mainly focusing on a better selection of cube variables, auxiliary variables and involved key bits.
We provide new methods to select auxiliary variables and involved key bits. The first step is to get a precise algebraic expression of each bit after one round permutation. Then, combined with the corresponding constraints on these variables, we can construct a Mixed-integer Linear Programming (MILP) model. Secondly, unlike the previous idea that auxiliary variables are chosen to satisfy the CP-kernel property just for the consideration of controlling diffusion, we cancel this restriction and adopt a more skilled selection of auxiliary variables. Based on these two steps, we improve the cube-attack-like cryptanalysis in terms of the complexity.

Cryptanalysis of the RSA variant based on cubic Pell equation
https://zbmath.org/1517.94173 2023-09-22T14:21:46.120933Z
"Zheng, Mengce" https://zbmath.org/authors/?q=ai:zheng.mengce; "Kunihiro, Noboru" https://zbmath.org/authors/?q=ai:kunihiro.noboru; "Yao, Yuanzhi" https://zbmath.org/authors/?q=ai:yao.yuanzhi
Summary: The RSA (Rivest-Shamir-Adleman) cryptosystem is the most popular asymmetric key cryptographic algorithm used in computer science and information security. Recently, an RSA-like cryptosystem was proposed using a novel product that arises from a cubic field connected to the cubic Pell equation. The relevant key equation is \(ed\equiv 1\pmod{(p^2+p+1)(q^2+q+1)}\) with \(N=pq\). This RSA variant is claimed to be robust against Wiener's attack and hence the bit-size of the private key could be shorter, namely \(d < N^{1/4}\). In this paper, we explore the further security analysis and investigate the potential small private exponent attack. We show that such an RSA variant is particularly vulnerable to the lattice-based method. To be specific, we can carry out the lattice-based small private exponent attack if \(d < N^{2-\sqrt{2}}\), which is less secure than the standard RSA.
Furthermore, we conduct numerical experiments to verify the validity of the proposed attack.Novel generic construction of leakage-resilient PKE scheme with CCA securityhttps://zbmath.org/1517.941742023-09-22T14:21:46.120933Z"Zhou, Yanwei"https://zbmath.org/authors/?q=ai:zhou.yanwei"Yang, Bo"https://zbmath.org/authors/?q=ai:yang.bo.1"Xia, Zhe"https://zbmath.org/authors/?q=ai:xia.zhe"Zhang, Mingwu"https://zbmath.org/authors/?q=ai:zhang.mingwu"Mu, Yi"https://zbmath.org/authors/?q=ai:mu.yiSummary: Leakage of private state information (e.g. the secret keys) through various leakage attacks (e.g. side channel attacks, cold-boot attacks, etc) has become a serious threat to the security of computer systems in practice. Nowadays, it has become a common requirement that cryptographic schemes should withstand the leakage attacks. Although some research progresses have been made towards designing leakage-resilient cryptographic schemes, there are still some unsolved issues. For example, the computational costs of the existing generic construction of leakage-resilient public-key encryption (PKE) schemes is generally very high. One of the main reasons is that the underlying building blocks, e.g. non-interactive zero-knowledge argument, one-time lossy filter or one-time signature, are computationally expensive. Moreover, the above constructions of PKE with leakage resilience normally require the upper bound of leakage to be fixed. However, in many real-world applications, this requirement cannot provide sufficient protection against various leakage attacks. In order to mitigate the above problems, this paper presents a generic method of designing leakage amplified PKE schemes with leakage resilience and chosen-ciphertext attacks (CCA) security. Firstly, we define a new cryptography primitive, called identity-based hash proof system with two encapsulated key (T-IB-HPS). 
Then, two generic constructions of leakage-resilient PKE schemes are proposed using T-IB-HPS and message authentication code (MAC). The CCA security of our proposed constructions can be reduced to the security of the underlying T-IB-HPS and MAC. In the proposed generic method, the leakage parameter has an arbitrary length that can be flexibly adjusted according to the specific leakage requirements. In order to demonstrate the practicability of our generic method, two instantiations of T-IB-HPS are introduced. The first instantiation is proved based on the truncated augmented bilinear Diffie-Hellman exponent assumption, and the second instantiation is proved based on the related security assumptions over the composite order bilinear group.Password-authenticated key exchange from group actionshttps://zbmath.org/1517.941752023-09-22T14:21:46.120933Z"Abdalla, Michel"https://zbmath.org/authors/?q=ai:abdalla.michel"Eisenhofer, Thorsten"https://zbmath.org/authors/?q=ai:eisenhofer.thorsten"Kiltz, Eike"https://zbmath.org/authors/?q=ai:kiltz.eike"Kunzweiler, Sabrina"https://zbmath.org/authors/?q=ai:kunzweiler.sabrina"Riepel, Doreen"https://zbmath.org/authors/?q=ai:riepel.doreenSummary: We present two provably secure password-authenticated key exchange (PAKE) protocols based on a commutative group action. To date the most important instantiation of isogeny-based group actions is given by CSIDH. To model the properties more accurately, we extend the framework of cryptographic group actions [\textit{N. Alamati} et al., Lect. Notes Comput. Sci. 12492, 411--439 (2020; Zbl 1508.94055)] by the ability of computing the quadratic twist of an elliptic curve. This property is always present in the CSIDH setting and turns out to be crucial in the security analysis of our PAKE protocols.
Despite the resemblance, the translation of Diffie-Hellman based PAKE protocols to group actions either does not work with known techniques or is insecure [\textit{R. Azarderakhsh} et al., ibid. 12146, 169--186 (2020; Zbl 07314282)]. We overcome the difficulties mentioned in previous work by using a ``bit-by-bit'' approach, where each password bit is considered separately.
Our first protocol \(\mathsf{X-GA-PAKE}_\ell\) can be executed in a single round. Both parties need to send two set elements for each password bit in order to prevent offline dictionary attacks. The second protocol \(\mathsf{Com-GA-PAKE}_\ell\) requires only one set element per password bit, but one party has to send a commitment on its message first. We also discuss different optimizations that can be used to reduce the computational cost. We provide comprehensive security proofs for our base protocols and deduce security for the optimized versions.
For the entire collection see [Zbl 1514.94002].

An efficient publicly verifiable and proactive secret sharing scheme
https://zbmath.org/1517.94176
Authors: Bagherpour, Bagher (https://zbmath.org/authors/?q=ai:bagherpour.bagher)
Summary: A verifiable proactive secret sharing (VPSS) scheme is a verifiable secret sharing scheme with the property that the shareholders can renew their shares without reconstructing the secret and without interacting with the dealer. In this paper, we propose a new VPSS scheme using homogeneous linear recursions and prove its security in a standard model. Our scheme is more efficient than the previous VPSS schemes and is secure against mobile and active adversaries. Furthermore, anyone, not only the shareholders of the scheme, can verify the correctness of the produced shares and sub-shares without observing them and without interacting with the dealer and shareholders.

Linear threshold secret-sharing with binary reconstruction
https://zbmath.org/1517.94177
Authors: Ball, Marshall (https://zbmath.org/authors/?q=ai:ball.marshall); Çkanan, Alper (https://zbmath.org/authors/?q=ai:ckanan.alper); Malkin, Tal (https://zbmath.org/authors/?q=ai:malkin.tal-g)
Summary: Motivated in part by applications in lattice-based cryptography, we initiate the study of the size of linear threshold (`\(t\)-out-of-\(n\)') secret-sharing where the linear reconstruction function is restricted to coefficients in \(\{0,1\}\). We also study the complexity of such schemes with the additional requirement that the joint distribution of the shares of any unauthorized set of parties is not only independent of the secret, but also uniformly distributed. We prove upper and lower bounds on the share size of such schemes, where the size is measured by the total number of field elements distributed to the parties. We prove our results by defining and investigating an equivalent variant of Karchmer and Wigderson's Monotone Span Programs [\textit{M. Karchmer} and \textit{A. Wigderson}, in: Proceedings of the 25th annual ACM symposium on theory of computing, STOC '93. San Diego, CA, USA, May 16--18, 1993. New York, NY: Association for Computing Machinery (ACM). 532--540 (1993; Zbl 1310.68112)].
\par One ramification of our results is that a natural variant of \textit{A. Shamir}'s [Commun. ACM 22, 612--613 (1979; Zbl 0414.94021)] classic scheme, where bit-decomposition is applied to each share, is optimal when the underlying field has characteristic \(2\). Another ramification is that schemes obtained from monotone formulae are optimal for certain threshold values when the field's characteristic is any constant.\par For schemes with the uniform distribution requirement, we show that they must use \(\Omega(n\log n)\) field elements, for all thresholds \(2<t<n\) and regardless of the field. Moreover, this is tight up to constant factors for the special cases where any \(t=n-1\) parties can reconstruct, as well as for any threshold when the field characteristic is \(2\).
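The first ramification above, bit-decomposing Shamir shares over a characteristic-2 field so that reconstruction needs only coefficients in \(\{0,1\}\), worked through in code. This is an added example, not code from the paper: it assumes the field GF(2^8) with the AES reduction polynomial (any irreducible degree-8 polynomial would do), evaluation points \(x = 1, \dots, n\), and a one-byte secret. The point it shows is that multiplication by a fixed Lagrange coefficient is GF(2)-linear on the 8 share bits, so every bit of the secret is the XOR of a fixed subset of share bits, which is exactly a linear reconstruction over the bit-decomposed shares with \(\{0,1\}\) coefficients.

```python
"""Shamir over GF(2^8) with {0,1}-coefficient reconstruction of the bit-decomposed shares.
Added example, not the paper's code. Assumed: AES polynomial, points x = 1..n, 1-byte secret."""
import secrets
from itertools import combinations

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (assumption; any irreducible degree-8 polynomial works)


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8): shift-and-add with reduction by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Inverse as a^254 (a^(2^8-2)) by square-and-multiply; a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def share(secret: int, t: int, n: int, rng=secrets.randbelow) -> dict:
    """t-out-of-n Shamir sharing of one byte: share_x = f(x) with f(0) = secret."""
    coeffs = [secret] + [rng(256) for _ in range(t - 1)]
    out = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f at x
            y = gf_mul(y, x) ^ c
        out[x] = y
    return out


def lagrange_at_zero(xs) -> dict:
    """lambda_x with f(0) = sum_x lambda_x * f(x); in char 2, x_j - x_i is x_j XOR x_i."""
    lams = {}
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xi)
        lams[xi] = gf_mul(num, gf_inv(den))
    return lams


def reconstruct_field(sub: dict) -> int:
    """Ordinary reconstruction: a GF(2^8)-linear combination of the shares."""
    lams = lagrange_at_zero(list(sub))
    s = 0
    for x, y in sub.items():
        s ^= gf_mul(lams[x], y)
    return s


def binary_reconstruction_vectors(xs) -> list:
    """For each secret bit r, the (x, b) positions of share bits whose XOR equals bit r.
    Multiplication by lambda_x is GF(2)-linear on the bits of share_x, so applying it to
    each basis bit e_b tells which output bits that share bit contributes to."""
    lams = lagrange_at_zero(xs)
    rows = [[] for _ in range(8)]
    for x in xs:
        for b in range(8):
            img = gf_mul(lams[x], 1 << b)  # lambda_x applied to the basis vector e_b
            for r in range(8):
                if (img >> r) & 1:
                    rows[r].append((x, b))
    return rows


def reconstruct_binary(sub: dict) -> int:
    """Reconstruction that only XORs selected share bits: coefficients in {0,1}."""
    rows = binary_reconstruction_vectors(list(sub))
    secret = 0
    for r, positions in enumerate(rows):
        bit = 0
        for x, b in positions:
            bit ^= (sub[x] >> b) & 1
        secret |= bit << r
    return secret


def check_all_subsets(shares: dict, t: int, secret: int) -> bool:
    """Every t-subset must give the secret by both the field and the binary reconstruction."""
    return all(
        reconstruct_binary({x: shares[x] for x in c}) == secret
        and reconstruct_field({x: shares[x] for x in c}) == secret
        for c in combinations(sorted(shares), t)
    )


if __name__ == "__main__":
    s, sh = 0xA7, share(0xA7, 3, 5)
    print("shares:", sh)
    print("secret bit 0 = XOR of share bits", binary_reconstruction_vectors([1, 2, 3])[0])
    print("all 3-subsets reconstruct:", check_all_subsets(sh, 3, s))
```

The share of each party is still one field element (8 bits), so after bit-decomposition the scheme distributes \(8n\) bits in total and the reconstruction vector lives in \(\{0,1\}^{8t}\); the paper's result is that, over characteristic 2, this size cannot be beaten.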
For the entire collection see [Zbl 1465.94005].

Evolving ramp secret-sharing schemes
https://zbmath.org/1517.94178
Authors: Beimel, Amos (https://zbmath.org/authors/?q=ai:beimel.amos); Othman, Hussien (https://zbmath.org/authors/?q=ai:othman.hussien)
Summary: Evolving secret-sharing schemes, introduced by \textit{I. Komargodski} et al. [Lect. Notes Comput. Sci. 9986, 485--514 (2016; Zbl 1412.94225)], are secret-sharing schemes in which the dealer does not know the number of parties that will participate. The parties arrive one by one and when a party arrives the dealer gives it a share; the dealer cannot update this share when other parties arrive. \textit{I. Komargodski} and \textit{A. Paskin-Cherniavsky} [ibid. 10678, 379--393 (2017; Zbl 1412.94226)] constructed evolving \(a\cdot i\)-threshold secret-sharing schemes (for every \(0<a<1\)), where any set of parties whose maximum party is the \(i\)-th party and contains at least \(ai\) parties can reconstruct the secret; any set such that all its prefixes are not an \(a\)-fraction of the parties should not get any information on the secret. The length of the share of the \(i\)-th party in their scheme is \(O(i^4\log i)\). As the number of parties is unbounded, this share size can be quite large.
In this work we suggest studying a relaxation of evolving threshold secret-sharing schemes; we consider evolving \((a,b)\)-ramp secret-sharing schemes for \(0<b<a<1\). Again, we require that any set of parties whose maximum party is the \(i\)-th party and contains at least \(ai\) parties can reconstruct the secret; however, we only require that any set such that all its prefixes are not a \(b\)-fraction of the parties should not get any information on the secret. For all constants \(0<b<a<1\), we construct an evolving \((a,b)\)-ramp secret-sharing scheme where the length of the share of the \(i\)-th party is \(O(1)\). Thus, we show that evolving ramp secret-sharing schemes offer a big improvement compared to the known constructions of evolving \(a\cdot i\)-threshold secret-sharing schemes.
For the entire collection see [Zbl 1397.94004].

Better than advertised security for non-interactive threshold signatures
https://zbmath.org/1517.94179
Authors: Bellare, Mihir (https://zbmath.org/authors/?q=ai:bellare.mihir); Crites, Elizabeth (https://zbmath.org/authors/?q=ai:crites.elizabeth-c); Komlo, Chelsea (https://zbmath.org/authors/?q=ai:komlo.chelsea); Maller, Mary (https://zbmath.org/authors/?q=ai:maller.mary); Tessaro, Stefano (https://zbmath.org/authors/?q=ai:tessaro.stefano); Zhu, Chenzhi (https://zbmath.org/authors/?q=ai:zhu.chenzhi)
Summary: We give a unified syntax, and a hierarchy of definitions of security of increasing strength, for non-interactive threshold signature schemes. These are schemes having a single-round signing protocol, possibly with one prior round of message-independent pre-processing. We fit FROST1 and BLS, which are leading practical schemes, into our hierarchy, in particular showing they meet stronger security definitions than they have been shown to meet so far. We also fit in our hierarchy a more efficient version FROST2 of FROST1 that we give. These definitions and results, for simplicity, all assume trusted key generation. Finally, we prove the security of FROST2 with key generation performed by an efficient distributed key generation protocol.
For the entire collection see [Zbl 1514.94004].

MR-DSS -- smaller MinRank-based (ring-)signatures
https://zbmath.org/1517.94180
Authors: Bellini, Emanuele (https://zbmath.org/authors/?q=ai:bellini.emanuele); Esser, Andre (https://zbmath.org/authors/?q=ai:esser.andre); Sanna, Carlo (https://zbmath.org/authors/?q=ai:sanna.carlo); Verbel, Javier (https://zbmath.org/authors/?q=ai:verbel.javier-a)
Summary: In the light of NIST's announced reopening of the call for digital signature proposals in 2023 due to lacking diversity, there is a strong need for constructions based on other established hardness assumptions. In this work we construct a new post-quantum secure digital signature scheme based on the \textit{MinRank} problem, a problem with a long history of applications in cryptanalysis that led to a strong belief in its hardness. Initially following a design by \textit{N. T. Courtois} [Lect. Notes Comput. Sci. 2248, 402--421 (2001; Zbl 1064.94544)] based on the Fiat-Shamir transform, we make use of several recent developments in the design of sigma protocols to reduce signature size and improve efficiency. This includes the recently introduced sigma protocol with helper paradigm [\textit{W. Beullens}, ibid. 12107, 183--211 (2020; Zbl 1479.94295)] and combinations with cut-and-choose techniques. Moreover, we introduce several improvements to the core of the scheme to further reduce its signature size.
As a second contribution, we formalize the natural extension of our construction to a ring signature scheme and show that it achieves the desired anonymity and unforgeability guarantees. Our ring signature is characterized by a sublinear scaling of the signature size in the number of users. Moreover, we achieve competitive practical signature sizes for a moderate number of users in comparison to recent ring signature proposals.
For the entire collection see [Zbl 1514.94001].

Breaking rainbow takes a weekend on a laptop
https://zbmath.org/1517.94181
Authors: Beullens, Ward (https://zbmath.org/authors/?q=ai:beullens.ward)
Summary: This work introduces new key recovery attacks against the Rainbow signature scheme, which is one of the three finalist signature schemes still in the NIST Post-Quantum Cryptography standardization project. The new attacks outperform previously known attacks for all the parameter sets submitted to NIST and make a key-recovery attack practical for the SL 1 parameters. Concretely, given a Rainbow public key for the SL 1 parameters of the second-round submission, our attack returns the corresponding secret key after on average 53 h (one weekend) of computation time on a standard laptop.
For the entire collection see [Zbl 1514.94002].

Threshold signatures with private accountability
https://zbmath.org/1517.94182
Authors: Boneh, Dan (https://zbmath.org/authors/?q=ai:boneh.dan); Komlo, Chelsea (https://zbmath.org/authors/?q=ai:komlo.chelsea)
Summary: Existing threshold signature schemes come in two flavors: (i) fully private, where the signature reveals nothing about the set of signers that generated the signature, and (ii) accountable, where the signature completely identifies the set of signers. In this paper we propose a new type of threshold signature, called TAPS, that is a hybrid of privacy and accountability. A TAPS signature is fully private from the public's point of view. However, an entity that has a secret tracing key can trace a signature to the threshold of signers that generated it. A TAPS makes it possible for an organization to keep its inner workings private, while ensuring that signers are accountable for their actions. We construct a number of TAPS schemes. First, we present a generic construction that builds a TAPS from any accountable threshold signature. This generic construction is not efficient, and we next focus on efficient schemes based on standard assumptions. We build two efficient TAPS schemes (in the random oracle model) based on the Schnorr signature scheme. We conclude with a number of open problems relating to efficient TAPS.
For the entire collection see [Zbl 1514.94004].

Relaxed lattice-based signatures with short zero-knowledge proofs
https://zbmath.org/1517.94183
Authors: Boschini, Cecilia (https://zbmath.org/authors/?q=ai:boschini.cecilia); Camenisch, Jan (https://zbmath.org/authors/?q=ai:camenisch.jan-l); Neven, Gregory (https://zbmath.org/authors/?q=ai:neven.gregory)
Summary: Advanced cryptographic protocols such as anonymous credentials, voting schemes, and e-cash are typically constructed by suitably combining signature, commitment, and encryption schemes with zero-knowledge proofs. Indeed, a large body of protocols has been constructed in that manner from Camenisch-Lysyanskaya signatures and generalized Schnorr proofs. In this paper, we build a similar framework for lattice-based schemes by presenting a signature and commitment scheme that are compatible with Lyubashevsky's Fiat-Shamir proofs with abort, currently the most efficient zero-knowledge proofs for lattices. The latter proofs provide a weaker, relaxed form of soundness, i.e., the witnesses that the knowledge extractor can obtain are guaranteed to lie only in a domain that is larger than the one from which the inputs of honest provers need to come. To cope with this soundness problem, we define corresponding notions of relaxed signature and commitment schemes. We demonstrate the flexibility and efficiency of our new primitives by constructing a new lattice-based anonymous attribute token scheme and providing concrete parameters to securely instantiate this scheme.
For the entire collection see [Zbl 1398.68020].

MuSig-L: lattice-based multi-signature with single-round online phase
https://zbmath.org/1517.94184
Authors: Boschini, Cecilia (https://zbmath.org/authors/?q=ai:boschini.cecilia); Takahashi, Akira (https://zbmath.org/authors/?q=ai:takahashi.akira); Tibouchi, Mehdi (https://zbmath.org/authors/?q=ai:tibouchi.mehdi)
Summary: Multi-signatures are protocols that allow a group of signers to jointly produce a single signature on the same message. In recent years, a number of practical multi-signature schemes have been proposed in the discrete-log setting, such as \textsf{MuSig2} and \textsf{DWMS}. The main technical challenge in constructing a multi-signature scheme is to achieve a set of several desirable properties, such as (1) security in the plain public-key (PPK) model, (2) concurrent security, (3) low online round complexity, and (4) key aggregation. However, previous lattice-based, post-quantum counterparts to Schnorr multi-signatures fail to satisfy these properties.
In this paper, we introduce \textsf{MuSig-L}, a lattice-based multi-signature scheme simultaneously achieving these design goals for the first time. Unlike the recent, round-efficient proposal of \textit{I. Damgård} et al. [Lect. Notes Comput. Sci. 12710, 99--130 (2021; Zbl 1479.94305)], which had to rely on lattice-based trapdoor commitments, we do not require any additional primitive in the protocol, while being able to prove security from the standard module-SIS and LWE assumptions. The resulting output signature of our scheme, therefore, looks closer to the usual Fiat-Shamir-with-abort signatures.
For the entire collection see [Zbl 1514.94002].

PI-Cut-Choo and friends: compact blind signatures via parallel instance cut-and-choose and more
https://zbmath.org/1517.94185
Authors: Chairattana-Apirom, Rutchathon (https://zbmath.org/authors/?q=ai:chairattana-apirom.rutchathon); Hanzlik, Lucjan (https://zbmath.org/authors/?q=ai:hanzlik.lucjan); Loss, Julian (https://zbmath.org/authors/?q=ai:loss.julian); Lysyanskaya, Anna (https://zbmath.org/authors/?q=ai:lysyanskaya.anna); Wagner, Benedikt (https://zbmath.org/authors/?q=ai:wagner.benedikt)
Summary: Blind signature schemes are one of the best-studied tools for privacy-preserving authentication. Unfortunately, known constructions of provably secure blind signatures either rely on non-standard hardness assumptions, or require parameters that grow linearly with the number of concurrently issued signatures, or involve prohibitively inefficient general techniques such as general secure two-party computation.
Recently, \textit{J. Katz} et al. [Lect. Notes Comput. Sci. 13093, 468--492 (2021; Zbl 1514.94153)] gave a technique that, for the security parameter \(n\), transforms blind signature schemes secure for \(O(\log n)\) concurrent executions of the blind signing protocol into ones that are secure for any \(\mathsf{poly}(n)\) concurrent executions.
This transform has two drawbacks that we eliminate in this paper: 1) the communication complexity of the resulting blind signing protocol grows linearly with the number of signing interactions; 2) the resulting schemes inherit a very loose security bound from the underlying scheme and, as a result, require impractical parameter sizes.
In this work, we give an improved transform for obtaining a secure blind signing protocol tolerating any \(\mathsf{poly}(n)\) concurrent executions from one that is secure for \(O(\log n)\) concurrent executions. While preserving the advantages of the original transform, the communication complexity of our new transform only grows logarithmically with the number of interactions. Under the CDH and RSA assumptions, we improve on this generic transform in terms of concrete efficiency and give (1) a BLS-based blind signature scheme over a standard-sized group where signatures are of size roughly 3 KB and communication per signature is roughly 120 KB; and (2) an Okamoto-Guillou-Quisquater-based blind signature scheme with signatures and communication of roughly 9 KB and 8 KB, respectively.
For the entire collection see [Zbl 1514.94003].

CHIP and CRISP: protecting all parties against compromise through identity-binding PAKEs
https://zbmath.org/1517.94186
Authors: Cremers, Cas (https://zbmath.org/authors/?q=ai:cremers.cas-j-f); Naor, Moni (https://zbmath.org/authors/?q=ai:naor.moni); Paz, Shahar (https://zbmath.org/authors/?q=ai:paz.shahar); Ronen, Eyal (https://zbmath.org/authors/?q=ai:ronen.eyal)
Summary: Recent advances in password-based authenticated key exchange (PAKE) protocols can offer stronger security guarantees for globally deployed security protocols. Notably, the OPAQUE protocol [\textit{S. Jarecki} et al., Lect. Notes Comput. Sci. 10822, 456--486 (2018; Zbl 1415.94443)] realizes Strong Asymmetric PAKE (saPAKE), strengthening the protection offered by aPAKE to compromised servers: after compromising an saPAKE server, the adversary still has to perform a full brute-force search to recover any passwords or impersonate users. However, (s)aPAKEs do not protect client storage, and can only be applied in the so-called asymmetric setting, in which some parties, such as servers, do not communicate with each other using the protocol.
Nonetheless, passwords are also widely used in symmetric settings, where a group of parties share a password and can all communicate (e.g., Wi-Fi with client devices, routers, and mesh nodes; or industrial IoT scenarios). In these settings, the (s)aPAKE techniques cannot be applied, and the state-of-the-art still involves handling plaintext passwords.
In this work, we propose the notions of (strong) identity-binding PAKEs that improve this situation: they protect against compromise of any party, and can also be applied in the symmetric setting. We propose counterparts to state-of-the-art security notions from the asymmetric setting in the UC model, and construct protocols that provably realize them. Our constructions bind the local storage of all parties to abstract identities, building on ideas from identity-based key exchange, but without requiring a third party.
Our first protocol, CHIP, generalizes the security of aPAKE protocols to all parties, forcing the adversary to perform a brute-force search to recover passwords or impersonate others. Our second protocol, CRISP, additionally renders any adversarial pre-computation useless, thereby offering saPAKE-like guarantees for all parties, instead of only the server.
We evaluate prototype implementations of our protocols and show that even though they offer stronger security for real-world use cases, their performance is in line with, or even better than, state-of-the-art protocols.
For the entire collection see [Zbl 1514.94002].

Broadcast secret-sharing, bounds and applications
https://zbmath.org/1517.94187
Authors: Damgård, Ivan Bjerre (https://zbmath.org/authors/?q=ai:damgard.ivan-bjerre); Larsen, Kasper Green (https://zbmath.org/authors/?q=ai:larsen.kasper-green); Yakoubov, Sophia (https://zbmath.org/authors/?q=ai:yakoubov.sophia)
Summary: Consider a sender \(\mathcal{S}\) and a group of \(n\) recipients. \(\mathcal{S}\) holds a secret message \(\mathrm{m}\) of length \(l\) bits and the goal is to allow \(\mathcal{S}\) to create a secret sharing of \(\mathrm{m}\) with privacy threshold \(t\) among the recipients, by broadcasting a single message \(\mathrm{c}\) to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset \(\mathcal{A}\) of recipients of size \(q\), \(\mathcal{S}\) may share a random key with all recipients in \(\mathcal{A}\). (The keys shared with different subsets \(\mathcal{A}\) must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters \(l\), \(n\), \(t\) and \(q\).\par Our main question is: how large must \(\mathrm{c}\) be, as a function of the parameters? We show that \(\frac{n-t}{q}\,l-\mathrm{negl}(\lambda)\) is a lower bound, and we show an upper bound of \(\left(\frac{n(t+1)}{q+t}-t\right)l\), matching the lower bound whenever \(t=0\), or when \(q=1\) or \(q=n-t\).\par When \(q=n-t\), the size of \(\mathrm{c}\) is exactly \(l\), which is clearly minimal. The protocol demonstrating the upper bound in this case requires \(\mathcal{S}\) to share a key with every subset of size \(n-t\). We show that this overhead cannot be avoided when \(\mathrm{c}\) has minimal size.\par We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes \(\frac{n-t}{q}\lambda+l-\mathrm{negl}(\lambda)\) (where \(\lambda\) is the length of the input to the PRG). The upper bound becomes \(\left(\frac{n(t+1)}{q+t}-t\right)\lambda+l\).\par BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives.
For the entire collection see [Zbl 1465.94005].

Delegating signing rights in a multivariate proxy signature scheme
https://zbmath.org/1517.94188
Authors: Debnath, Sumit Kumar (https://zbmath.org/authors/?q=ai:debnath.sumit-kumar); Choudhury, Tanmay (https://zbmath.org/authors/?q=ai:choudhury.tanmay); Stănică, Pantelimon (https://zbmath.org/authors/?q=ai:stanica.pantelimon); Dey, Kunal (https://zbmath.org/authors/?q=ai:dey.kunal); Kundu, Nibedita (https://zbmath.org/authors/?q=ai:kundu.nibedita)
Summary: In the context of digital signatures, the proxy signature plays a significant role in enabling an original signer to delegate its signing ability to another party (i.e., the proxy signer). It has significant practical applications. Particularly, it is useful in distributed systems, where delegation of authentication rights is quite common, for example in key sharing protocols, grid computing, and mobile communications. Currently, a large portion of existing proxy signature schemes are based on the hardness of problems like integer factoring, discrete logarithms, and/or elliptic curve discrete logarithms. However, with the rise of quantum computers, the problems of prime factorization and discrete logarithm will be solvable in polynomial time, due to Shor's algorithm [\textit{P. W. Shor}, SIAM Rev. 41, No. 2, 303--332 (1999; Zbl 1005.11507)], which dilutes the security features of the existing ElGamal, RSA, ECC, and the proxy signature schemes based on these problems. As a consequence, the construction of secure and efficient post-quantum proxy signatures becomes necessary. In this work, we develop a post-quantum proxy signature scheme Mult-proxy, relying on multivariate public key cryptography (MPKC), which is one of the most promising candidates of post-quantum cryptography. We employ a 5-pass identification protocol to design our proxy signature scheme. Our work attains the usual proxy criteria and a one-more-unforgeability criterion under the hardness of the Multivariate Quadratic polynomial (MQ) problem. It produces optimal size proxy signatures and optimal size proxy shares in the field of MPKC.

A revocable group signature scheme with scalability from simple assumptions and its implementation
https://zbmath.org/1517.94189
Authors: Emura, Keita (https://zbmath.org/authors/?q=ai:emura.keita); Hayashi, Takuya (https://zbmath.org/authors/?q=ai:hayashi.takuya|hayashi.takuya.1)
Summary: Group signatures are signatures providing signer anonymity where signers can produce signatures on behalf of the group that they belong to. Although such anonymity is quite attractive considering privacy issues, it is not trivial to check whether a signer has been revoked or not. Thus, how to revoke the rights of signers is one of the major topics in the research on group signatures. In particular, scalability, where the signing and verification costs and the signature size are constant in terms of the number of signers \(N\), and other costs regarding signers are at most logarithmic in \(N\), is quite important. In this paper, we propose a revocable group signature scheme which is currently more efficient than all previous scalable schemes. Moreover, our revocable group signature scheme is secure under simple assumptions (in the random oracle model), whereas all previous scalable schemes are secure under \(q\)-type assumptions. Finally, we implemented our scheme by employing the Barreto-Lynn-Scott curves over a 455-bit prime field (\texttt{BLS455}), and the Barreto-Naehrig curves over a 382-bit prime field (\texttt{BN382}), respectively, by using the RELIC library. We showed that the running times of our signing algorithm were approximately 21 ms (\texttt{BLS455}) and 17 ms (\texttt{BN382}), and those of our verification algorithm were approximately 31 ms (\texttt{BLS455}) and 24 ms (\texttt{BN382}), respectively.
For the entire collection see [Zbl 1398.68020].

Shorter hash-and-sign lattice-based signatures
https://zbmath.org/1517.94190
Authors: Espitau, Thomas (https://zbmath.org/authors/?q=ai:espitau.thomas); Tibouchi, Mehdi (https://zbmath.org/authors/?q=ai:tibouchi.mehdi); Wallet, Alexandre (https://zbmath.org/authors/?q=ai:wallet.alexandre); Yu, Yang (https://zbmath.org/authors/?q=ai:yu.yang)
Summary: Lattice-based digital signature schemes following the hash-and-sign design paradigm of Gentry, Peikert and Vaikuntanathan (GPV) [\textit{C. Gentry} et al., in: Proceedings of the 40th annual ACM symposium on theory of computing, STOC 2008. Victoria, Canada, May 17--20, 2008. New York, NY: Association for Computing Machinery (ACM). 197--206 (2008; Zbl 1231.68124)] tend to offer an attractive level of efficiency, particularly when instantiated with structured compact trapdoors. In particular, NIST postquantum finalist \textsc{Falcon} is both quite fast for signing and verification and quite compact: NIST notes that it has the smallest bandwidth (as measured in combined size of public key and signature) of all round 2 digital signature candidates. Nevertheless, while \textsc{Falcon}-512, for instance, compares favorably to ECDSA-384 in terms of speed, its signatures are well over 10 times larger. For applications that store a large number of signatures, or that require signatures to fit in prescribed packet sizes, this can be a critical limitation.
In this paper, we explore several approaches to further improve the size of hash-and-sign lattice-based signatures, particularly instantiated over NTRU lattices like \textsc{Falcon} and its recent variant \textsc{Mitaka}. In particular, while GPV signatures are usually obtained by sampling lattice points according to some spherical discrete Gaussian distribution, we show that it can be beneficial to sample instead according to a suitably chosen ellipsoidal discrete Gaussian: this is because only half of the sampled Gaussian vector is actually output as the signature, while the other half is recovered during verification. Making the half that actually occurs in signatures shorter reduces signature size at essentially no security loss (in a suitable range of parameters). Similarly, we show that reducing the modulus \(q\) with respect to which signatures are computed can improve signature size as well as verification key size almost ``for free''; this is particularly true for constructions like \textsc{Falcon} and \textsc{Mitaka} that do not make substantial use of NTT-based multiplication (and rely instead on transcendental FFT). Finally, we show that the Gaussian vectors in signatures can be represented in a more compact way with appropriate coding-theoretic techniques, improving signature size by an additional 7 to 14\%. All in all, we manage to reduce the size of, e.g., \textsc{Falcon} signatures by 30-40\% at the cost of only 4-6 bits of Core-SVP security.
For the entire collection see [Zbl 1514.94002].

A new fault attack on UOV multivariate signature scheme
https://zbmath.org/1517.94191 2023-09-22T14:21:46.120933Z
"Furue, Hiroki" https://zbmath.org/authors/?q=ai:furue.hiroki
"Kiyomura, Yutaro" https://zbmath.org/authors/?q=ai:kiyomura.yutaro
"Nagasawa, Tatsuya" https://zbmath.org/authors/?q=ai:nagasawa.tatsuya
"Takagi, Tsuyoshi" https://zbmath.org/authors/?q=ai:takagi.tsuyoshi
Summary: The unbalanced oil and vinegar signature scheme (UOV), which is one of the multivariate signature schemes, is expected to be secure against quantum attacks. To achieve cryptosystem security in a practical manner, we need to deal with security against physical attacks such as fault attacks, which generate computational errors that lead to security failures. In this study, we propose a new fault attack on UOV using faults occurring on the secret key. The proposed attack first recovers a part of the linear map of the secret key by utilizing faults occurring on the secret key, and then transforms the public key system. As a result, the proposed attack reduces a given public key system into one with fewer variables than the original system. After applying our proposed attack, the secret key can be recovered with less complexity than for the original system by using an existing key recovery attack. Our simulation results show that, for two practical parameter sets satisfying 100-bit security, the proposed attack can reduce the given system into one with only 90-bit security with a probability of approximately \(80\)--\(90\)\%. We also show that the proposed attack achieves a smaller resulting system than the above case with lower probability, and that such a system can be broken even more efficiently.
For the entire collection see [Zbl 1514.94001].

Locally verifiable signature and key aggregation
https://zbmath.org/1517.94192 2023-09-22T14:21:46.120933Z
"Goyal, Rishab" https://zbmath.org/authors/?q=ai:goyal.rishab
"Vaikuntanathan, Vinod" https://zbmath.org/authors/?q=ai:vaikuntanathan.vinod
Summary: Aggregate signatures enable compressing a set of \(N\) signatures on \(N\) different messages into a short aggregate signature. This reduces the space complexity of storing the signatures from linear in \(N\) to a fixed constant (that depends only on the security parameter). However, verifying the aggregate signature requires access to all \(N\) messages, resulting in the complexity of verification being at least \(\varOmega (N)\).
In this work, we introduce the notion of locally verifiable aggregate signatures that enable efficient verification: given a short aggregate signature \(\sigma \) (corresponding to a set \(\mathcal{M}\) of \(N\) messages), the verifier can check whether a particular message \(m\) is in the set, in time independent of \(N\). Verification does not require knowledge of the entire set \(\mathcal{M} \). We demonstrate many natural applications of locally verifiable aggregate signature schemes: in the context of certificate transparency logs; in blockchains; and for redacting signatures, even when all the original signatures are produced by a single user.
We provide two constructions of single-signer locally verifiable aggregate signatures, the first based on the RSA assumption and the second on the bilinear Diffie-Hellman inversion assumption, both in the random oracle model.
As an additional contribution, we introduce the notion of compressing cryptographic keys in identity-based encryption (IBE) schemes, show applications of this notion, and construct an IBE scheme where the secret keys for \(N\) identities can be compressed into a single aggregate key, which can then be used to decrypt ciphertexts sent to any of the \(N\) identities.
For the entire collection see [Zbl 1514.94002].

Sharing transformation and dishonest majority MPC with packed secret sharing
https://zbmath.org/1517.94193 2023-09-22T14:21:46.120933Z
"Goyal, Vipul" https://zbmath.org/authors/?q=ai:goyal.vipul
"Polychroniadou, Antigoni" https://zbmath.org/authors/?q=ai:polychroniadou.antigoni
"Song, Yifan" https://zbmath.org/authors/?q=ai:song.yifan
Summary: In the last few years, the efficiency of secure multi-party computation (MPC) in the dishonest majority setting has increased by several orders of magnitude, starting with the SPDZ protocol family, which offers a speedy information-theoretic online phase in the preprocessing model. However, state-of-the-art \(n\)-party MPC protocols in the dishonest majority setting incur online communication complexity per multiplication gate which is linear in the number of parties, i.e. \(O(n)\), per gate across all parties. In this work, we construct the first MPC protocols in the preprocessing model for dishonest majority with sub-linear communication complexity per gate in the number of parties \(n\). To achieve our results, we extend the use of packed secret sharing to the dishonest majority setting. For a constant fraction of corrupted parties (i.e. even if 99 percent of the parties are corrupt), we can achieve a communication complexity of \(O(1)\) field elements per multiplication gate across all parties.
At the crux of our techniques lies a new technique called sharing transformation. The sharing transformation technique allows us to transform shares under one type of linear secret sharing scheme into another, and even to perform arbitrary linear maps on the secrets of (packed) secret sharing schemes with optimal communication complexity. This technique can be of independent interest, since transferring shares from one type of scheme into another (e.g., for degree reduction) is ubiquitous in MPC. Furthermore, we introduce what we call sparsely packed Shamir sharing, which allows us to address the issue of network routing efficiently, and packed Beaver triples, which are an extension of the widely used technique of Beaver triples to packed secret sharing (for dishonest majority).
For the entire collection see [Zbl 1514.94004].

Tightly secure ring signatures in the standard model
https://zbmath.org/1517.94194 2023-09-22T14:21:46.120933Z
"Hara, Keisuke" https://zbmath.org/authors/?q=ai:hara.keisuke
"Tanaka, Keisuke" https://zbmath.org/authors/?q=ai:tanaka.keisuke
Summary: Ring signatures allow a user to sign messages as a member of a set of users, which is called the ring. This primitive ensures that nobody can detect which member in the ring signs the message. \textit{B. Libert} et al. [Lect. Notes Comput. Sci. 11099, 288--308 (2018; Zbl 1500.94073)] proposed the first tightly secure ring signature scheme with \(\mathcal{O}(\log n)\) signature size in the random oracle model, where \(n\) is the size of a ring. To our knowledge, a tightly secure ring signature scheme has never been reported without depending on the random oracle methodology. In this paper, we propose two generic constructions of tightly secure ring signatures in the standard model. Our first (resp., second) construction is secure in the common reference string model (resp., the plain model). Both of our constructions are secure under the decisional linear assumption over the pairing groups. Our first generic construction has a more efficient instantiation than our second one. While our second generic construction does not have an efficient instantiation, its signature size achieves \(\mathcal{O}(\log n)\) asymptotically, which is the same as that of the Libert et al. scheme [loc. cit.].

ZK-PCPs from leakage-resilient secret sharing
https://zbmath.org/1517.94195 2023-09-22T14:21:46.120933Z
"Hazay, Carmit" https://zbmath.org/authors/?q=ai:hazay.carmit
"Venkitasubramaniam, Muthuramakrishnan" https://zbmath.org/authors/?q=ai:venkitasubramaniam.muthuramakrishnan
"Weiss, Mor" https://zbmath.org/authors/?q=ai:weiss.mor
Summary: Zero-Knowledge PCPs (ZK-PCPs; [\textit{J. Kilian} et al., in: Proceedings of the 29th annual ACM symposium on theory of computing, STOC '97. El Paso, TX, USA, May 4--6, 1997. New York, NY: ACM, Association for Computing Machinery. 496--505 (1999; Zbl 0963.68192)]) are PCPs with the additional zero-knowledge guarantee that the view of any (possibly malicious) verifier making a bounded number of queries to the proof can be efficiently simulated up to a small statistical distance. Similarly, ZK-PCPs of Proximity (ZK-PCPPs; [\textit{Y. Ishai} and \textit{M. Weiss}, Lect. Notes Comput. Sci. 8349, 121--145 (2014; Zbl 1323.94117)]) are PCPPs in which the view of an adversarial verifier can be efficiently simulated with few queries to the input.
Previous ZK-PCP constructions obtained an exponential gap between the query complexity \(q\) of the honest verifier and the bound \(q^\ast\) on the queries of a malicious verifier (i.e., \(q=\text{poly\,log}(q^\ast)\)), but required either exponential-time simulation or adaptive honest verification. This should be contrasted with standard PCPs, which can be verified non-adaptively (i.e., with a single round of queries to the proof). The problem of constructing such ZK-PCPs, even when \(q^\ast=q\), has remained open since they were first introduced more than two decades ago. This question is also open for ZK-PCPPs, for which no construction with non-adaptive honest verification is known (not even with exponential-time simulation).
We resolve this question by constructing the first ZK-PCPs and ZK-PCPPs which simultaneously achieve efficient zero-knowledge simulation and non-adaptive honest verification. Our schemes have a square-root query gap, namely \(q^\ast /q= O(\sqrt{n})\), where \(n\) is the input length.
Our constructions combine the ``MPC-in-the-head'' technique [\textit{Y. Ishai} et al., in: Proceedings of the 39th annual ACM symposium on theory of computing, STOC 2007. San Diego, CA, USA, June 11--13, 2007. New York, NY: Association for Computing Machinery (ACM). 21--30 (2007; Zbl 1232.68044)] with leakage-resilient secret sharing.
Specifically, we use the MPC-in-the-head technique to construct a ZK-PCP variant over a large alphabet, then employ leakage-resilient secret sharing to design a new alphabet reduction for ZK-PCPs which preserves zero-knowledge.
For the entire collection see [Zbl 1465.94005].

Round-reduced modular construction of asymmetric password-authenticated key exchange
https://zbmath.org/1517.94196 2023-09-22T14:21:46.120933Z
"Hwang, Jung Yeon" https://zbmath.org/authors/?q=ai:hwang.jung-yeon
"Jarecki, Stanislaw" https://zbmath.org/authors/?q=ai:jarecki.stanislaw
"Kwon, Taekyoung" https://zbmath.org/authors/?q=ai:kwon.taekyoung
"Lee, Joohee" https://zbmath.org/authors/?q=ai:lee.joohee
"Shin, Ji Sun" https://zbmath.org/authors/?q=ai:shin.ji-sun
"Xu, Jiayu" https://zbmath.org/authors/?q=ai:xu.jiayu
Summary: Password-authenticated key exchange (PAKE) establishes a shared key between two parties who hold the same password, assuring security against offline password-guessing attacks. The asymmetric PAKE (a.k.a. augmented or verifier-based PAKE) strengthens this notion by allowing one party, typically a server, to hold a one-way hash of the password, with the property that a compromise of the server allows the adversary to recover the password only via an offline dictionary attack against this hashed password. Today's client-to-server Internet authentication is asymmetric, with the server holding only a (salted) password hash, but it relies on the client's trust in the server's public key certificate. By contrast, the cryptographic PAKE literature addresses the password-only setting, without assuming certified public keys, but it commonly does not address the asymmetric PAKE setting which is required for client-to-server authentication.
The asymmetric PAKE (aPAKE) was defined in the universally composable (UC) framework by the work of \textit{C. Gentry} et al. [Lect. Notes Comput. Sci. 4117, 142--159 (2006; Zbl 1161.68440)], who also provided a generic method of converting a UC PAKE to UC aPAKE, at the cost of two additional communication rounds. Motivated by practical applications of aPAKEs, in this paper we propose alternative methods for converting a UC PAKE to UC aPAKE, which use only one additional round. Moreover, since this extra message is sent from client to server, it does not add any round overhead in applications which require explicit client-to-server authentication. Importantly, this round-complexity reduction in the compiler comes at virtually no cost, since with respect to local computation and security assumptions our constructions are comparable to that of Gentry et al. [loc. cit.].
For the entire collection see [Zbl 1397.94004].

Strongly unforgeable signature resilient to polynomially hard-to-invert leakage under standard assumptions
https://zbmath.org/1517.94197 2023-09-22T14:21:46.120933Z
"Ishizaka, Masahito" https://zbmath.org/authors/?q=ai:ishizaka.masahito
"Matsuura, Kanta" https://zbmath.org/authors/?q=ai:matsuura.kanta
Summary: A signature scheme is said to be weakly unforgeable if it is hard to forge a signature on a message not signed before. A signature scheme is said to be strongly unforgeable if it is hard to forge a signature on any message. In some applications, weak unforgeability is not enough and strong unforgeability is required, e.g., in the Canetti, Halevi and Katz transformation [\textit{R. Canetti} et al., Lect. Notes Comput. Sci. 3027, 207--222 (2004; \url{doi.org/10.1007/978-3-540-24676-3_13})].
Leakage-resilience is a property which guarantees that even if secret information such as the secret key is partially leaked, security is maintained. Some security models with leakage-resilience have been proposed. The auxiliary (input) leakage model, or hard-to-invert leakage model, proposed by \textit{Y. Dodis} et al. [in: Proceedings of the 41st annual ACM symposium on theory of computing, STOC '09. Bethesda, MD, USA, May 31 -- June 2, 2009. New York, NY: Association for Computing Machinery (ACM). 621--630 (2009; Zbl 1304.94046)] is an especially meaningful one, since it also considers leakage caused by a function which information-theoretically reveals the secret key, e.g., a one-way permutation.
In this work, we propose a generic construction of a signature scheme that is strongly unforgeable and resilient to polynomially hard-to-invert leakage, and which can be instantiated under standard assumptions such as the decisional linear assumption. We emphasize that our signature scheme is not only the first one resilient to polynomially hard-to-invert leakage under standard assumptions, but also the first one which is strongly unforgeable and has hard-to-invert leakage-resilience.
For the entire collection see [Zbl 1398.68020].

On group-characterizability of homomorphic secret sharing schemes
https://zbmath.org/1517.94198 2023-09-22T14:21:46.120933Z
"Kaboli, Reza" https://zbmath.org/authors/?q=ai:kaboli.reza
"Khazaei, Shahram" https://zbmath.org/authors/?q=ai:khazaei.shahram
"Parviz, Maghsoud" https://zbmath.org/authors/?q=ai:parviz.maghsoud
Summary: A group-characterizable (GC) random variable is induced by a finite group, called the main group, and a collection of its subgroups. The notion extends directly to secret sharing schemes (SSSs). It is known that linear and abelian SSSs can be equivalently described in terms of GC SSSs. In this paper, we present a necessary and sufficient condition for an SSS to be equivalent to a GC one. Using this result, we show that homomorphic SSSs (HSSSs) are equivalent to GC SSSs whose subgroups are normal in the main group. We also present two applications of this equivalent description of HSSSs. One concerns lower bounding the information ratio of access structures for the class of HSSSs, and the other is about the coincidence between the statistical, almost-perfect and perfect security notions for the same class.

On ideal and weakly-ideal access structures
https://zbmath.org/1517.94199 2023-09-22T14:21:46.120933Z
"Kaboli, Reza" https://zbmath.org/authors/?q=ai:kaboli.reza
"Khazaei, Shahram" https://zbmath.org/authors/?q=ai:khazaei.shahram
"Parviz, Maghsoud" https://zbmath.org/authors/?q=ai:parviz.maghsoud
Summary: For more than two decades, proving or refuting the following statement has remained a challenging open problem in the theory of secret sharing schemes (SSSs): every ideal access structure admits an ideal perfect multi-linear SSS. The class of group-characterizable (GC) SSSs includes the multi-linear ones. Hence, if the above statement is true, then so is the following weaker statement: every ideal access structure admits an ideal perfect GC SSS.
One contribution of this paper is to show that ideal SSSs are not necessarily GC. Our second contribution is to study the above two statements with respect to several variations of weakly-ideal access structures. Recently, \textit{C. Mejia} and \textit{J. A. Montoya} [J. Inf. Optim. Sci. 39, No. 7, 1463--1482 (2018; \url{doi.org/10.1080/02522667.2017.1367513})] studied ideal access structures that admit ideal multi-linear schemes and provided a classification-like theorem for them. We additionally present some tools that are useful to extend their result.

Locally reconstructable non-malleable secret sharing
https://zbmath.org/1517.94200 2023-09-22T14:21:46.120933Z
"Kanukurthi, Bhavana" https://zbmath.org/authors/?q=ai:kanukurthi.bhavana
"Obbattu, Sai Lakshmi Bhavana" https://zbmath.org/authors/?q=ai:obbattu.sai-lakshmi-bhavana
"Sekar, Sruthi" https://zbmath.org/authors/?q=ai:sekar.sruthi
"Tomy, Jenit" https://zbmath.org/authors/?q=ai:tomy.jenit
Summary: Non-malleable secret sharing (NMSS) schemes, introduced by \textit{V. Goyal} and \textit{A. Kumar} [in: Proceedings of the 50th annual ACM SIGACT symposium on theory of computing, STOC '18, Los Angeles, CA, USA, June 25--29, 2018. New York, NY: Association for Computing Machinery (ACM). 685--698 (2018; Zbl 1428.94105)], ensure that a secret \(m\) can be distributed into shares \(m_1,\dots,m_n\) (for some \(n\)), such that any \(t\) (a parameter \(\leq n\)) shares can be reconstructed to recover the secret \(m\), any \(t-1\) shares don't leak information about \(m\), and even if the shares that are used for reconstruction are tampered with, it is guaranteed that the reconstruction of these tampered shares will either result in the original \(m\) or in something independent of \(m\).
Since their introduction, non-malleable secret sharing schemes sparked a very impressive line of research.\par In this work, we introduce a feature of local reconstructability in NMSS, which allows reconstruction of any portion of a secret by reading just a few locations of the shares. This is a useful feature, especially when the secret is long or when the shares are stored in a distributed manner on a communication network. In this work, we give a compiler that takes in any non-malleable secret sharing scheme and compiles it into a locally reconstructable non-malleable secret sharing scheme. To secret share a message consisting of \(k\) blocks of length \(\rho\) each, our scheme would only require reading \(\rho +\log k\) bits (in addition to a few more bits, whose quantity is independent of \(\rho\) and \(k\)) from each party's share (of a reconstruction set) to locally reconstruct a single block of the message.\par We show an application of our locally reconstructable non-malleable secret sharing scheme to a computational non-malleable secure message transmission scheme in the pre-processing model, with an improved communication complexity, when transmitting multiple messages.
For the entire collection see [Zbl 1465.94005].

Anonymous yet traceable strong designated verifier signature
https://zbmath.org/1517.94201 2023-09-22T14:21:46.120933Z
"Kuchta, Veronika" https://zbmath.org/authors/?q=ai:kuchta.veronika
"Sahu, Rajeev Anand" https://zbmath.org/authors/?q=ai:sahu.rajeev-anand
"Saraswat, Vishal" https://zbmath.org/authors/?q=ai:saraswat.vishal
"Sharma, Gaurav" https://zbmath.org/authors/?q=ai:sharma.gaurav
"Sharma, Neetu" https://zbmath.org/authors/?q=ai:sharma.neetu
"Markowitch, Olivier" https://zbmath.org/authors/?q=ai:markowitch.olivier
Summary: In many privacy-preserving protocols, protection of the user's identity, called anonymity, is a desirable feature. Another issue is that, if a signed document is leaked, then anyone can be convinced of the authenticated data, which is strictly not allowed for sensitive data; instead, authentication only by a designated receiver is recommended. There are many scenarios in real life, for example e-auctions, where both functionalities, anonymity and designated verification, are required simultaneously. For such an objective, in this paper we introduce a compact scheme of identity-based strong designated verifier group signature (ID-SDVGS) by combining the good features of strong designated verifier signatures and group signatures in the ID-based setting. This scheme provides anonymity to the signer of a designated verifier signature with the feature of revocation of the signer's identity in case of misuse or dispute. Moreover, our scheme fulfils all the security properties of the individual components. We have obtained an ID-based instantiation of the generic group signature given by \textit{M. Bellare} et al. [Lect. Notes Comput. Sci. 2656, 614--629 (2003; Zbl 1038.94552)], and have proposed our scheme on that framework. To the best of our knowledge, this is the first construction of ID-SDVGS.
For the entire collection see [Zbl 1398.68020].

Generic construction for tightly-secure signatures from discrete log
https://zbmath.org/1517.94202 2023-09-22T14:21:46.120933Z
"Lai, Jianchang" https://zbmath.org/authors/?q=ai:lai.jianchang
"Wu, Ge" https://zbmath.org/authors/?q=ai:wu.ge
"Jiang, Peng" https://zbmath.org/authors/?q=ai:jiang.peng
"Zhao, Zhen" https://zbmath.org/authors/?q=ai:zhao.zhen
"Susilo, Willy" https://zbmath.org/authors/?q=ai:susilo.willy
"Guo, Fuchun" https://zbmath.org/authors/?q=ai:guo.fuchun
Summary: Tightly secure signatures play a significant role in the research of cryptography and have been studied extensively in the literature. In this paper, we present a generic construction for tightly-secure signatures from the discrete log (DL) assumption in the existential-unforgeability against key only attacks (EUF-KOA) security model, where the adversary is allowed to obtain only the public key, but not any sample signature. Moreover, the generic construction can also be extended into the multi-user setting with corruptions (MU-C) model. Roughly speaking, given any signature scheme, we can efficiently convert it into a signature scheme that features tight security under the DL assumption in the MU-EUF-KOA-C security model with random oracles. Our transformation shows it is easy to construct a DL-equivalent signature in the EUF-KOA security model, although many known DL-based signatures are not equivalent to DL. If the given signature scheme is key-re-randomizable, the transformed scheme is also key-re-randomizable. Hence, our result provides a supplement to Bader et al.'s work [\textit{C. Bader} et al., Lect. Notes Comput. Sci. 9014, 629--658 (2015; Zbl 1359.94571)].

Multimodal private signatures
https://zbmath.org/1517.94203 2023-09-22T14:21:46.120933Z
"Nguyen, Khoa" https://zbmath.org/authors/?q=ai:nguyen.khoa
"Guo, Fuchun" https://zbmath.org/authors/?q=ai:guo.fuchun
"Susilo, Willy" https://zbmath.org/authors/?q=ai:susilo.willy
"Yang, Guomin" https://zbmath.org/authors/?q=ai:yang.guomin
Summary: We introduce Multimodal Private Signature (MPS) -- an anonymous signature system that offers a novel accountability feature: it allows a designated opening authority to learn some partial information \textsf{op} about the signer's identity \textsf{id}, and nothing beyond. Such partial information can flexibly be defined as \(\mathsf{op} = \mathsf{id}\) (as in group signatures), or as \(\mathsf{op} = 0\) (as in ring signatures), or more generally, as \(\mathsf{op} = G_j(\mathsf{id})\), where \(G_j(\cdot)\) is a certain disclosing function. Importantly, the value of \textsf{op} is known in advance by the signer, and hence, the latter can decide whether she/he wants to disclose that piece of information. The concept of MPS significantly generalizes the notion of tracing in traditional anonymity-oriented signature primitives, and can enable various new and appealing privacy-preserving applications.
We formalize the definitions and security requirements for MPS. We next present a generic construction to demonstrate the feasibility of designing MPS in a modular manner and from commonly used cryptographic building blocks (ordinary signatures, public-key encryption and NIZKs). We also provide an efficient construction in the standard model based on pairings, and a lattice-based construction in the random oracle model.
For the entire collection see [Zbl 1514.94002].

Authentication in multi-tier systems using proxy signatures
https://zbmath.org/1517.94204 2023-09-22T14:21:46.120933Z
"Pautov, P. A." https://zbmath.org/authors/?q=ai:pautov.p-a
Summary: Two authentication protocols for multi-tier systems based on proxy signatures are provided. Implementation of these protocols using certificates is considered. In the first protocol, the proxy signature is only used for the authentication of a client, but in the second one, it is also used for the authentication of requests inside the system. This makes the second protocol more secure.

Extremal set theory and LWE based access structure hiding verifiable secret sharing with malicious-majority and free verification
https://zbmath.org/1517.94205 2023-09-22T14:21:46.120933Z
"Sehrawat, Vipin Singh" https://zbmath.org/authors/?q=ai:sehrawat.vipin-singh
"Yeo, Foo Yee" https://zbmath.org/authors/?q=ai:yeo.foo-yee
"Desmedt, Yvo" https://zbmath.org/authors/?q=ai:desmedt.yvo-g
Summary: Secret sharing allows a dealer to distribute a secret among a set of parties such that only authorized subsets, specified by an access structure, can reconstruct the secret. \textit{V. S. Sehrawat} and \textit{Y. Desmedt} [Lect. Notes Comput. Sci. 12273, 246--261 (2020; Zbl 07336109)] introduced hidden access structures, which remain secret until some authorized subset of parties collaborate. However, their scheme assumes semi-honest parties and supports only restricted access structures. We address these shortcomings by constructing a novel access structure hiding verifiable secret sharing scheme that supports all monotone access structures. Our scheme is the first secret sharing solution to support malicious behavior identification and share verifiability in malicious-majority settings. Furthermore, the verification procedure of our scheme incurs no communication overhead, and is therefore ``free''. As the building blocks of our scheme, we introduce and construct the following:
\begin{itemize}
\item a set-system with greater than \(\exp\left(c\frac{2(\log h)^2}{(\log\log h)}\right)+2\exp\left(c\frac{(\log h)^2}{(\log\log h)}\right)\) subsets of a set of \(h\) elements. Our set-system, \(\mathcal{H}\), is defined over \(\mathbb{Z}_m\), where \(m\) is a non-prime-power. The size of each set in \(\mathcal{H}\) is divisible by \(m\) while the sizes of the pairwise intersections of different sets are not divisible by \(m\) unless one set is a (proper) subset of the other,
\item a new variant of the learning with errors (LWE) problem, called \textsf{PRIM-LWE}, wherein the secret matrix is sampled such that its determinant is a generator of \(\mathbb{Z}_q^\ast \), where \(q\) is the LWE modulus.
\end{itemize}
Our scheme arranges parties as nodes of a directed acyclic graph and employs modulus switching during share generation and secret reconstruction. For a setting with \(\ell\) parties, our (non-linear) scheme supports all \(2^{2^{\ell-O(\log \ell)}}\) monotone access structures, and its security relies on the hardness of the LWE problem. Our scheme's maximum share size, for any access structure, is:
\[
(1+o(1))\frac{ 2^\ell}{\sqrt{\pi\ell /2}}(2q^{\varrho+0.5}+\sqrt{q}+\Theta(h)),
\]
where \(\varrho\leq 1\) is a constant. We provide directions for future work to reduce the maximum share size to:
\[
\frac{1}{l+1}\left((1+o(1))\frac{2^\ell}{\sqrt{\pi\ell/2}}(2q^{\varrho+0.5}+2\sqrt{q})\right),
\]
where \(l\geq 2\). We also discuss three applications of our secret sharing scheme.

Goppa codes over the \(p\)-adic integers and integers modulo \(p^e\)
https://zbmath.org/1517.94207 2023-09-22T14:21:46.120933Z
"Epelde, Markel" https://zbmath.org/authors/?q=ai:epelde.markel
In this paper, Goppa codes over the ring of \(p\)-adic integers and the ring \(\mathbb{Z}_{p^e}\) are defined, based on the original idea of Goppa. Their basic properties are studied, and the construction of chains of Goppa codes over different rings and the relations between their parity check matrices are described. Furthermore, it is shown how to obtain isomorphic Goppa codes over different rings by changing one of the parameters of the code. Moreover, the McEliece and Niederreiter cryptosystems, which are based on Goppa codes, are generalised to the above rings, and it is proved that the distinguishability problems for Goppa codes over \(\mathbb{Z}_{p}\) and \(\mathbb{Z}_{p^e}\) are equivalent.
Reviewer: Dimitros Poulakis (Thessaloniki)

On cryptographic weaknesses of some classes of binary sequence transformations
https://zbmath.org/1517.94218 2023-09-22T14:21:46.120933Z
"Smyshlyaev, S. V." https://zbmath.org/authors/?q=ai:smyshlyaev.stanislav-v
Summary: The paper is dedicated to some issues of using perfectly balanced Boolean functions as filtering functions and to some weaknesses in the corresponding cryptographic primitives.

A new construction of odd-variable rotation symmetric Boolean functions with optimal algebraic immunity and higher nonlinearity
https://zbmath.org/1517.94219 2023-09-22T14:21:46.120933Z
"Su, Sihong" https://zbmath.org/authors/?q=ai:su.sihong
"Li, Jingjing" https://zbmath.org/authors/?q=ai:li.jingjing
"Wang, Bingxin" https://zbmath.org/authors/?q=ai:wang.bingxin
Summary: Rotation symmetric Boolean functions are potentially rich in functions of cryptographic significance. In this paper, a new construction of odd-variable rotation symmetric Boolean functions with optimal algebraic immunity is presented. By a direct calculation, the nonlinearity of the newly constructed functions is higher than the nonlinearities of all the known odd-variable rotation symmetric Boolean functions with optimal algebraic immunity. The algebraic degree and the fast algebraic immunity of our functions are also considered.

A unified construction of weightwise perfectly balanced Boolean functions
https://zbmath.org/1517.94221 2023-09-22T14:21:46.120933Z
"Zhao, Qinglan" https://zbmath.org/authors/?q=ai:zhao.qinglan
"Li, Mengran" https://zbmath.org/authors/?q=ai:li.mengran
"Chen, Zhixiong" https://zbmath.org/authors/?q=ai:chen.zhixiong.1|chen.zhixiong
"Qin, Baodong" https://zbmath.org/authors/?q=ai:qin.baodong
"Zheng, Dong" https://zbmath.org/authors/?q=ai:zheng.dong
Summary: At Eurocrypt 2016, \textit{P. Méaux} et al. [Lect. Notes Comput. Sci. 9665, 311--343 (2016; Zbl 1384.94086)] presented FLIP, a new family of stream ciphers that aimed to enhance the efficiency of homomorphic encryption frameworks. Motivated by FLIP, recent research has focused on the study of Boolean functions with good cryptographic properties when restricted to subsets of the space \(\mathbb{F}_2^n\). If an \(n\)-variable Boolean function has the property of balancedness when restricted to each set of vectors with fixed Hamming weight between 1 and \(n - 1\), it is a weightwise perfectly balanced (WPB) Boolean function. In the literature, a few algebraic constructions of WPB functions are known, among which some constructions use an iterative method based on functions with low degrees of 1, 2, or 4. In this paper, we generalize the iterative method and contribute a unified construction of WPB functions based on functions with algebraic degrees that can be any power of 2. For any given positive integer \(d\) not larger than \(m\), we first provide a class of \(2^m\)-variable Boolean functions with degree \(2^{d - 1}\). Utilizing these functions, we then present a construction of \(2^m\)-variable WPB functions \(g_{m ; d}\). In particular, \(g_{m ; d}\) includes four former classes of WPB functions as special cases when \(d = 1 , 2 , 3 , m\). When \(d\) takes other integer values, \(g_{m ; d}\) has never appeared before. In addition, we prove the algebraic degree of the constructed WPB functions and compare the weightwise nonlinearity of the WPB functions known so far in 8 and 16 variables.