Signature Scheme

Hard mathematical problems are at the core of security arguments in cryptography. In this paper, we study mathematical generalizations of the famous Rubik's cube puzzle, namely the factorization, representation and balance problems in non-Abelian groups. These problems arise naturally when describing the security of Cayley hash functions, a class of cryptographic hash functions with very interesting properties. The factorization problem is also strongly related to a famous long-standing conjecture of Babai, at the intersection of group theory and graph theory. A constructive proof of Babai's conjecture would make all Cayley hash functions insecure, but on the other hand it would have many positive applications in graph theory and computer science. In this paper, we classify existing attacks against Cayley hash functions and we review known results on Babai's conjecture. Despite recent cryptanalytic progress on particular instances, we show that the factorization, representation and balance problems presumably remain good sources of cryptographic hard problems. Our study demonstrates that Cayley hash functions deserve further interest by the cryptography community. Disclaimer. This paper contains essentially no new result but it rather collects and organizes all the results that were independently found by two distinct scientific communities on the same problems. Between September 2009 and May 2010, the first author gave a sequence of talks to a cryptographic audience, entitled "Hash functions and Cayley graphs: the end of the story?". Surprisingly, many cryptographers seemed to either ignore the beautiful Cayley hash construction, or believe that it had been definitively broken. The very positive feedback received after these talks motivated us to write this survey and to complete it with known results on Babai's conjecture.

We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our protocol is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed using operations in the field Õ of integers modulo a prime Õ and in the multiplicative subgroup of order Õ in £ Ô for Õ Ô ½ with generator . The output of our compiler is an implementation of each party in a two-party protocol to perform the same computation securely, i.e., so that both parties can together compute the function but neither can alone. The protocols generated by our compiler are provably secure, in that their strength can be reduced to that of the original cryptographic computation via simulation arguments. Our compiler can be applied to various cryptographic primitives (e.g., signature schemes, encryption schemes, oblivious transfer protocols) and other protocols that employ a trusted party (e.g., key retrieval, key distribution).

Proxy signature schemes have been invented to delegate signing rights. The paper proposes a new concept of Identify Based Strong Bi-Designated Verifier threshold proxy signature (ID-SBDVTPS) schemes. Such scheme enables an original signer to delegate the signature authority to a group of 'n' proxy signers with the condition that 't' or more proxy signers can cooperatively sign messages on behalf of the original signer and the signatures can only be verified by any two designated verifiers and that they cannot convince anyone else of this fact.

Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, simulation soundness, non-malleability, and universal composability. In this paper we show a novel technique to convert a large class of existing honest-verifier zero-knowledge protocols into ones with these stronger properties in the common reference string model. More precisely, our technique utilizes a signature scheme existentially unforgeable against adaptive chosen-message attacks, and transforms any -protocol (which is honest-verifier zero-knowledge) into a simulation sound concurrent zero-knowledge protocol. We also introduce -protocols, a variant of -protocols for which our technique further achieves the properties of nonmalleability and/or universal composability. In addition to its conceptual simplicity, a main advantage of this new technique over previous ones is that it avoids the Cook-Levin theorem, which tends to be rather

The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow to make short signatures, with regular provable security. The paper is composed of two parts. In the first part of this paper we formalize and confront with the most recent attacks the security of several known multivariate trapdoor functions. For example the signature scheme Quartz is based on a trapdoor function G belonging to a family called HFEv-. It has two independent security parameters, and we claim that if d is big enough, no better method to compute an inverse of G than the exhaustive search is known. This will allow us to formulate our key assumption on which the provable security results can be build. In the second part, we study the security concrete security of signature schemes under our assumption. We study some general constructions, that transform a trapdoor function into a short signature scheme, and in particular these designed to obtain short signatures. On the one hand, we present generic attacks on such constructions. On the other hand, we study the possibility to prove or justify the security with some well chosen assumptions. Unfortunately for Quartz, our lower and upper security bounds do not coincide. Still the best attack known for Quartz is our generic attack using O(2 80 ) computations with O(2 80 ) of memory. We will also propose an alternative way of doing short signatures for which both bounds do coincide. Finally we also apply our results for Flash and Sflash.

Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper, we show a novel technique to convert a large class of existing honest-verifier zero-knowledge protocols into ones with these stronger properties in the common reference string model. More precisely, our technique utilizes a signature scheme existentially unforgeable against adaptive chosen-message attacks, and transforms any Σ-protocol (which is honest-verifier zero-knowledge) into an unbounded simulation sound concurrent zero-knowledge protocol. We also introduce Ω-protocols, a variant of Σ-protocols for which our technique further achieves the properties of non-malleability and/or universal composability. In addition to its conceptual simplicity, a main advantage of this new technique over previous ones is that it avoids the Cook-Levin theorem, which tends to be rather inefficient. Indeed, our technique allows for very efficient instantiation based on the security of some efficient signature schemes and standard number-theoretic assumptions. For instance, one instantiation of our technique yields a universally composable zeroknowledge protocol under the Strong RSA assumption, incurring an overhead of a small constant number of exponentiations, plus the generation of two signatures.

A Distributed Key Generation (DKG) protocol is an essential component of threshold cryptosystems required to initialize the cryptosystem securely and generate its private and public keys. In the case of discrete-log-based (dlog-based) threshold signature schemes (ElGamal and its derivatives), the DKG protocol is further used in the distributed signature generation phase to generate one-time signature randomizers (r = g k ). In this paper we show that a widely used dlog-based DKG protocol suggested by Pedersen does not guarantee a uniformly random distribution of generated keys: we describe an efficient active attacker controlling a small number of parties which successfully biases the values of the generated keys away from uniform. We then present a new DKG protocol for the setting of dlog-based cryptosystems which we prove to satisfy the security requirements from DKG protocols and, in particular, it ensures a uniform distribution of the generated keys. The new protocol can be used as a secure replacement for the many applications of Pedersen's protocol. Motivated by the fact that the new DKG protocol incurs additional communication cost relative to Pedersen's original protocol, we investigate whether the latter can be used in specific applications which require relaxed security properties from the DKG

In the realm of secure and accessible data storage, the "QR CODE CRYPT'' project emerges as an innovative solution that seamlessly integrates Flutter, Java, and Python to address the challenges of offline data retrieval, verification, and storage. Leveraging Flutter's cross-platform capabilities, the project establishes a user-friendly interface for data collection and QR code generation. The robust ChaCha20-poly encryption algorithm safeguards sensitive demographic data, including name, date of birth, mobile number, gender, and profile image, ensuring data integrity and confidentiality. Additionally, the implementation of Elliptic Curve Cryptography (ECC) empowers users with digital signatures, guaranteeing the authenticity and origin of the stored data. To optimize QR code storage efficiency, the project incorporates image compression techniques, enabling the seamless integration of profile images without compromising code size. The amalgamation of these functionalities culminates in a secure, versatile, and userfriendly solution for offline data management, with potential applications in e-Pramaan National Single Sign On.

In this paper, we introduce Attribute-Based Signatures with User-Controlled Linkability (ABS-UCL). Attribute-based signatures allow a signer who has enough credentials/attributes to anonymously sign a message w.r.t. some public policy revealing neither the attributes used nor his identity. User-controlled linkability is a new feature which allows a user to make some of his signatures directed at the same recipient linkable while still retaining anonymity. Such a feature is useful for many reallife applications. We give a general framework for constructing ABS-UCL and present an efficient instantiation of the construction that supports multiple attribute authorities.

This paper proposes a new efficient signature scheme from bilinear maps that is secure in the standard model (i.e., without the random oracle model). Our signature scheme is more effective in many applications (e.g., blind signatures, group signatures, anonymous credentials etc.) than the existing secure signature schemes in the standard model such as the Boneh-Boyen [6], Camenisch-Lysyanskaya [10], Cramer-Shoup [15] and Waters [33] schemes (and their variants). The security proof of our scheme requires a slightly stronger assumption, the 2SDH assumption, than the SDH assumption used by Boneh-Boyen. As typical applications of our signature scheme, this paper presents efficient blind signatures and partially blind signatures that are secure in the standard model. Here, partially blind signatures are a generalization of blind signatures (i.e., blind signatures are a special case of partially blind signatures) and have many applications including electronic cash and voting. Our blind signature scheme is much more efficient than the existing secure blind signature schemes in the standard model such as the Camenisch-Koprowski-Warinsch [8] and Juels-Luby-Ostrovsky [22] schemes, and is also almost as efficient as the most efficient blind signature schemes whose security has been analyzed heuristically or in the random oracle model. Our partially blind signature scheme is the first one that is secure in the standard model and it is very efficient (almost as efficient as our blind signatures). We also present a blind signature scheme based on the Waters signature scheme.

Universal designated verifier signatures (UDVS) were introduced in 2003 by Steinfeld et al. to allow signature holders to monitor the verification of a given signature in the sense that any plain signature can be publicly turned into a signature which is only verifiable by some specific designated verifier. Privacy issues, like non-dissemination of digital certificates, are the main motivations to study such primitives. In this paper, we propose two fairly efficient UDVS schemes which are secure (in terms of unforgeability and anonymity) in the standard model (i.e. without random oracles). Their security relies on algorithmic assumptions which are much more classical than assumptions involved in the two only known UDVS schemes in standard model to date. The latter schemes, put forth by Zhang et al. in 2005 and Vergnaud in 2006, rely on the Strong Diffie-Hellman assumption and the strange-looking knowledge of exponent assumption (KEA). Our schemes are obtained from Waters's signature and they do not need the KEA assumption. They are also the first random oracle-free constructions with the anonymity property.

Zero-knowledge proofs have a vast applicability in the domain of cryptography, stemming from the fact that they can be used to force potentially malicious parties to abide by the rules of a protocol, without forcing them to reveal their secrets. Σ-protocols are a class of zero-knowledge proofs that can be implemented efficiently and that suffice for a great variety of practical applications. This paper presents a first machine-checked formalization of a comprehensive theory of Σ-protocols. The development includes basic definitions, relations between different security properties that appear in the literature, and general composability theorems. We show its usefulness by formalizing-and proving the securityof concrete instances of several well-known protocols. The formalization builds on CertiCrypt, a framework that provides support to reason about cryptographic systems in the Coq proof assistant, and that has been previously used to formalize security proofs of encryption and signature schemes.

Efficiency of asynchronous optimistic fair exchange using trusted devices is studied. It is shown that three messages in the optimistic subprotocol are sufficient and necessary for exchanging idempotent items. When exchanging nonidempotent items, however, three messages in the optimistic subprotocol are sufficient only under the assumption that trusted devices have unbounded storage capacity. This assumption is often not satisfiable in practice. It is then proved that exchanging nonidempotent items using trusted devices with a bounded storage capacity requires exactly four messages in the optimistic subprotocol.

Blind signature schemes, as important cryptographic primitives, are useful protocols that guarantee the anonymity of the participants. In this paper, a new blind signature based on the strong RSA assumption is presented. The new blind signature scheme is quite efficient and statefree. It does not require the signer to maintain any state and can be proven secure against adaptive chosen message attack under a reasonable tractability assumption, the so-called Strong RSA assumption. Moreover, a hash function can be incorporated in to the scheme in such a way that it is also secure in the random oracle model under the standard RSA assumption.

Recently, Baseri et al. proposed a secure untraceable off-line electronic cash system. They claimed that their scheme could achieve security requirements of an e-cash system such as, untraceability, anonymity, unlinkability, double spending checking, un-forgeability, date-attachability, and prevent forging coins. They further prove the un-forgeability security feature by using the hardness of discrete logarithm problems. However, after cryptanalysis, we found that the scheme cannot attain the security feature, untraceability. We, therefore, modify it to comprise this desired requirement, which is very important in an e-cash system.

In 2016 and 2017, Shi et al first proposed two protocols for the communication parties to establish a quantum session key. Both work by rotating the angle of one communicator’s private key on the other party's quantum public key. In their approaches, the session key shared by each pair of communicators is fixed after the key generation phase. Thereafter, the key used in each communication does not change, but for security consideration, the session key should be changed in every time usage. In other words, those key agreement protocols do not satisfy the requirement of key security. In view of this, this paper develops a quantum session key establishment based on the Diffie-Hermann style key exchange to produce different quantum session keys in each communications. After analysis, we confirm that our method can resist various attacks and is therefore secure.

In this thesis we present a new method for building pairs of HFE polynomials of high degree, in such a way that the map constructed with this pair is easy to invert. The inversion is accomplished using a low degree polynomial of Hamming weight three, which is derived from a special reduction via Hamming weight three polynomials produced by these two HFE polynomials. This allows us to build new candidates for multivariate trapdoor functions in which we use the pair of HFE polynomials to fabricate the core map. Using this new multivariate trapdoor function we derive an encryption scheme in a similar way as the HFE scheme is created. We show that this encryption scheme is relatively efficient and that it resists the attacks that have threatened the security of HFE. Finally, we propose parameters for a practical implementation of our cryptosystem. 1HFE stands for Hidden Field Equations.

Digital signatures are one of the most important cryptographic primitives. In this work we construct an information-theoretically secure signature scheme which, unlike prior schemes, enjoys a number of advantageous properties such as short signature length and high generation efficiency, to name two. In particular, we extend symmetric-key message authentication codes (MACs) based on universal hashing to make them transferable, a property absent from traditional MAC schemes. Our main results are summarised as follows.

We study the two party problem of randomly selecting a string among all the strings of length n. We want the protocol to have the property that the output distribution has high entropy, even when one of the two parties is dishonest and deviates from the protocol. We develop protocols that achieve high, close to n, entropy. In the literature the randomness guarantee is usually expressed as being close to the uniform distribution or in terms of resiliency. The notion of entropy is not directly comparable to that of resiliency, but we establish a connection between the two that allows us to compare our protocols with the existing ones. We construct an explicit protocol that yields entropy n − O(1) and has 4 log * n rounds, improving over the protocol of Goldreich et al. [3] that also achieves this entropy but needs O(n) rounds. Both these protocols need O(n 2) bits of communication. Next we reduce the communication in our protocols. We show the existence, nonexplicitly, of a protocol that has 6 rounds, 2n + 8 log n bits of communication and yields entropy n − O(log n) and min-entropy n/2 − O(log n). Our protocol achieves the same entropy bound as the recent, also non-explicit, protocol of Gradwohl et al. [4], however achieves much higher min-entropy: n/2 − O(log n) versus O(log n). Finally we exhibit very simple explicit protocols. We connect the security parameter of these geometric protocols with the well studied Kakeya problem motivated by harmonic analysis and analytical number theory. We are only able to prove that these protocols have entropy 3n/4 but still n/2 − O(log n) min-entropy. Therefore they do not perform as well with respect to the explicit constructions of Gradwohl et al. [4] entropy-wise, but still have much better min-entropy. We conjecture that these simple protocols achieve n − o(n) entropy. Our geometric construction and its relation to the Kakeya problem follows a new and different approach to the random selection problem than any of the previously known protocols.

A variant of Schnorr's signature scheme called RDSA has been proposed by I. Biehl, J. Buchmann, S. Hamdy and A. Meyer in order to be used in finite abelian groups of unknown order such as the class group of imaginary quadratic orders. We describe in this paper a total break of RDSA under a plain known-message attack for the parameters that were originally proposed. It recovers the secret signature key from the knowledge of less than 10 signatures of known messages, with a very low computational complexity. We also compare a repaired version of RDSA with GPS scheme, another Schnorr variant with similar properties and we show that GPS should be preferred for most of the applications.

After years of almost full confidence in the security of common hash functions such as MD5 and SHA-1, the cryptographic community is now facing the unprecedented threat of seeing practical security applications succumb to concrete attacks. A way to cope with this crisis is to fasten the development of new hash functions, but another crucial task is to assess the implications these attacks on hash functions may have on cryptographic systems. This paper reports a thorough investigation on how recent attacks on hash functions impact the security of signature schemes. We suggest the notion of probabilistic hash-and-sign signatures and further classify signature schemes into various related categories which allow us to identify completely the nature of security relations between signature schemes and their inner hash functions. We also determine how using iterated hash functions a la Merkle-Damgård impacts the security of deterministic (resp. probabilistic) hash-and-sign signatures. We confirm that the security gain inherent to using the probabilistic hash-and-sign paradigm may be lost completely if instantiated with a Merkle-Damgård hash function and unwise operating mode.

Balanced Oil and Vinegar signature schemes and the unbalanced Oil and Vinegar signature schemes are public key signature schemes based on multivariable polynomials. In this paper, we suggest a new signature scheme, which is a generalization of the Oil-Vinegar construction to improve the efficiency of the unbalanced Oil and Vinegar signature scheme. The basic idea can be described as a construction of multi-layer Oil-Vinegar construction and its generalization. We call our system a Rainbow signature scheme. We propose and implement a practical scheme, which works better than Sflash v 2 , in particular, in terms of signature generating time.

� � Abstract. In this paper, we propose a Directed Threshold Multi-Signature Scheme. In this threshold signature scheme, any malicious set of signers cannot impersonate any other set of signers to forge the signatures. In case of forgery, it is possible to trace the signing set. This threshold signature scheme is applicable when the message is sensitive to the signature

Cryptosystems play imperative role in securing and ensuring of confidential information related to the defensive activities of any country or an individual. This short article deals with hybrid cryptosystems to target three objectives. As a first objective it reviews several existing hybrid crypto-models through which symmetric and asymmetric algorithms can be modeled as an ideal hybrid cryptosystem. The second objective of this article is to apply selected hybrid crypto-model to combine different symmetric and asymmetric algorithms in order to assure not only the accuracy but also the confidentiality, false modification and origin authentication of both parties. Finally, as a third objective, the two most trendier hybrid cryptosystems (AESRSA and ECC-AES) have been evaluated and compared through practical experimentations (encryption, decryption and certificate generation) in order to analyze which hybrid cryptosystem is feasible for encrypting large input dataset. The work conduct...

The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) and its variations on attacking black-box cryptosysterns has been recently introduced. The basic definitions, issues, and examples of various setup attacks (called Kleptographic attacks) have also been presented. The goal of this work is to describe a methodological way of attacking cryptosystems which exploits certain relations between cryptosystem instances which exist within cryptosystems. We call such relations "kleptograms'. The identified kleptogram is used as the base for searching for a setup.

The concept of concurrent signatures allows two entities to produce two signatures in such a way that, the signer of each signature is ambiguous from a third party's point of view until the release of a secret, known as the keystone. Once the keystone is released, both signatures become binding to their respective signers concurrently. Previous concurrent signature schemes use the concept of ring signatures in their construction. Ring signatures identify the ring and thus concurrent signatures constructed from ring signature are related and linkable. We propose a new concurrent signature scheme which is independent of the ring signature concept. Our concurrent signatures are anonymous. The ordinary signatures obtained from our concurrent signature protocol are unlinkable and do not reveal which concurrent signature transaction has occurred. The price we pay is our concurrent signatures are asymmetric in the sense that the initial signature and subsequent signatures are not of the same construction.

The Hoffman's algorithm to test equivalency of linear codes is one of the techniques that have been used over the years; it is achieved by a comparison of codewords of the linear codes. However, this comparison technique becomes ineffective in instances where it is applied to linear codes with larger dimensions as it requires much run time complexity, space and size in comparing the codewords of each linear code. This paper proposes an optimised algorithm for testing the equivalency of linear codes, specifically addressing the limitations of the Hoffman method. To assess and compare the efficiencies of the Hoffman algorithm and the optimised algorithm, a set of nine carefully selected linear codes were subjected to equivalency testing. The CPU runtime of both algorithms was recorded using the C++ chrono library. The recorded runtime data was then utilized to create a scatter plot, offering a visual representation of the contrasting trends in CPU runtime between the two algorithms. The plot clearly indicate exponential growth in CPU runtime for the Hoffman algorithm as the length and dimension of the linear codes increases, in contrast, the proposed algorithm showcased a minimal growth in CPU runtime, indicating its superior efficiency and optimised performance.

Goldreich-Goldwasser-Halevi (GGH) public key cryptosystem is an instance of lattice-based cryptosystems whose security is based on the hardness of lattice problems. In fact, GGH cryptosystem is the lattice version of the first code-based cryptosystem, proposed by McEliece. However, it has a number of drawbacks such as; large public key length and low security level. On the other hand, Low Density Lattice Codes (LDLCs) are the practical classes of lattice codes which can achieve capacity on the additive white Gaussian noise (AWGN) channel with low complexity decoding algorithm. This paper introduces a public key cryptosystem based on LDLCs to withdraw the drawbacks of GGH cryptosystem. To reduce the key length, we employ the generator matrix of the used LDLC in Hermite normal form (HNF) as the public key. Also, by exploiting the linear decoding complexity of the used LDLC, the decryption complexity is decreased compared with GGH cryptosystem. These increased efficiencies allow us to use the bigger values of security parameters. Moreover, we exploit the special Gaussian vector whose variance is upper bounded by the Poltyrev limit as the perturbation vector. These techniques can resist the proposed scheme against the most efficient attacks to the GGH-like cryptosystems.

Vehicle Ad-hoc Networks (VANET) are considered among recent wireless communication technologies. Nowadays, vehicles are no more than simple means of transport, they are endowed with a source of intelligence through their interaction with the road environment due to embedded equipment on board vehicles and integrated into stations along roads and highways. The mechanisms of security and protection of messages exchanged in VANET, thus preserving the privacy of users and satisfying the various security requirements, are a prerequisite for the deployment of vehicle networks. Increasingly, several research have been proposed to improve protocols for maintaining security and preserving privacy. This paper presents a hierarchical revocable infrastructure based privacy preservation authentication protocol for vehicles that involves authentication of each vehicle and the corresponding Road Side Unit (RSU) by a Certification Authority (CA). The proposed protocol used Elliptic Curve Diffie Hellman (ECDH) algorithm for reliable key exchange and Edwards-curve Digital Signature Algorithm (EdDSA) to speed up the execution of the authentication process especially at the key management level, message signing and verification of this signature. On the other hand, the creation of sub-lists of revoked certificates based on vehicle type makes it possible to minimize the response time by looking for a certificate if it is revoked or not. Our solution was checked by the security verification tool, Automated Validation of Internet Security Protocols and Applications (AVISPA), which indicated that it is a very secure level. Performance analysis illustrates that the protocol greatly saves computation resources.

Vehicle Ad-hoc Networks (VANET) are considered among recent wireless communication technologies. Nowadays, vehicles are no more than simple means of transport, they are endowed with a source of intelligence through their interaction with the road environment due to embedded equipment on board vehicles and integrated into stations along roads and highways. The mechanisms of security and protection of messages exchanged in VANET, thus preserving the privacy of users and satisfying the various security requirements, are a prerequisite for the deployment of vehicle networks. Increasingly, several research have been proposed to improve protocols for maintaining security and preserving privacy. This paper presents a hierarchical revocable infrastructure based privacy preservation authentication protocol for vehicles that involves authentication of each vehicle and the corresponding Road Side Unit (RSU) by a Certification Authority (CA). The proposed protocol used Elliptic Curve Diffie Hel...

The notion of a universally utility-maximizing privacy mechanism was recently introduced by Ghosh, Roughgarden, and Sundararajan [STOC 2009]. These are mechanisms that guarantee optimal utility to a large class of information consumers, simultaneously, while preserving Differential Privacy [Dwork, McSherry, Nissim, and Smith, TCC 2006]. Ghosh et al. have demonstrated, quite surprisingly, a case where such a universally-optimal differentially-private mechanisms exists, when the information consumers are Bayesian. This result was recently extended by Gupte and Sundararajan [PODS 2010] to risk-averse consumers. Both positive results deal with mechanisms (approximately) computing a single count query (i.e., the number of individuals satisfying a specific property in a given population), and the starting point of our work is a trial at extending these results to similar settings, such as sum queries with non-binary individual values, histograms, and two (or more) count queries. We show, however, that universally-optimal mechanisms do not exist for all these queries, both for Bayesian and risk-averse consumers. For the Bayesian case, we go further, and give a characterization of those functions that admit universally-optimal mechanisms, showing that a universally-optimal mechanism exists, essentially, only for a (single) count query. At the heart of our proof is a representation of a query function f by its privacy constraint graph G f whose edges correspond to values resulting by applying f to neighboring databases.

We present a streaming problem for which every adversarially-robust streaming algorithm must use polynomial space, while there exists a classical (oblivious) streaming algorithm that uses only polylogarithmic space. This is the first separation between oblivious streaming and adversarially-robust streaming, and resolves one of the central open questions in adversarial robust streaming.

The notion of a universally utility-maximizing privacy mechanism was recently introduced by Ghosh, Roughgarden, and Sundararajan [STOC 2009]. These are mechanisms that guarantee optimal utility to a large class of information consumers, simultaneously, while preserving Differential Privacy [Dwork, McSherry, Nissim, and Smith, TCC 2006]. Ghosh et al. have demonstrated, quite surprisingly, a case where such a universally-optimal differentially-private mechanisms exists, when the information consumers are Bayesian. This result was recently extended by Gupte and Sundararajan [PODS 2010] to risk-averse consumers. Both positive results deal with mechanisms (approximately) computing a single count query (i.e., the number of individuals satisfying a specific property in a given population), and the starting point of our work is a trial at extending these results to similar settings, such as sum queries with non-binary individual values, histograms, and two (or more) count queries. We show, however, that universally-optimal mechanisms do not exist for all these queries, both for Bayesian and risk-averse consumers. For the Bayesian case, we go further, and give a characterization of those functions that admit universally-optimal mechanisms, showing that a universally-optimal mechanism exists, essentially, only for a (single) count query. At the heart of our proof is a representation of a query function f by its privacy constraint graph G f whose edges correspond to values resulting by applying f to neighboring databases.

In recent years there have been several attempts to build white-box block ciphers whose implementations aim to be incompressible. This includes the weak white-box ASASA construction by Bouillaguet, Biryukov and Khovratovich from Asiacrypt 2014, and the recent space-hard construction by Bogdanov and Isobe from CCS 2015. In this article we propose the first constructions aiming at the same goal while offering provable security guarantees. Moreover we propose concrete instantiations of our constructions, which prove to be quite efficient and competitive with prior work. Thus provable security comes with a surprisingly low overhead.

In this paper we introduce a model for studying meet-in-the-middle attacks on block ciphers, and a simple block cipher construction provably resistant to such attacks in this model. A sideresult of this is a proper formalization for an unproven alternative to DESX proposed by Kilian and Rogaway; this construction can now be shown to be sound in our model. Meet-in-the-middle attacks exploit weaknesses in key schedule algorithms, and building constructions resistant to such attacks is an important issue for improving the security of block ciphers. Our construction is generic so that it can be used on top of any block cipher, and it does not require to increase the key-length. We use an exposure resilient function (or ERF) as a building block and we propose a concrete and efficient instantiation strategy based on compression functions.

In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n2 n/3). This time complexity can be reduced to O(2 2 √ n) for the first tweak version, which means an attack against SMASH-256 in c • 2 32 for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2 n/4) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2 3n/8) queries. Finally, we also prove that our construction is preimage resistant in Ω(2 n/2) queries, which the best security level that can be reached for 2-permutation based hash functions, as proved in [12].

In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving within half a day a LWE instance with dimension n = 128, modulus q = n 2 , Gaussian noise α = 1/(n/π log 2 n) and binary secret, using 2 28 samples, while the previous best result based on BKW claims a time complexity of 2 74 with 2 60 samples for the same parameters. We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential time 2 (ln 2/2+o(1))n/ log log n. This analysis does not require any heuristic assumption, contrary to other algebraic approaches; instead, it uses a variant of an idea by Lyubashevsky to generate many samples from a small number of samples. This makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption). We are also able to solve subset sum problems in subexponential time for density o(1), which is of independent interest: for such density, the previous best algorithm requires exponential time. As a direct application, we can solve in subexponential time the parameters of a cryptosystem based on this problem proposed at TCC 2010. LPN in 2 O(n/ log n). During the first stage of the algorithm, the dimension of a is reduced, at the cost of a (controlled) decrease of the bias of b. During the second stage, the algorithm distinguishes between LWE and uniform by evaluating the bias. Since the introduction of LWE, some variants of the problem have been proposed in order to build more efficient cryptosystems. Some of the most interesting variants are Ring-LWE by Lyubashevsky, Peikert and Regev in [38], which aims to reduce the space of the public key using cyclic samples; and the cryptosystem by Döttling and Müller-Quade [18], which uses short secret and error. In 2013, Micciancio and Peikert [40] as well as Brakerski et al. [13] proposed a binary version of the LWE problem and obtained a hardness result. Related Work. Albrecht et al. have presented an analysis of the BKW algorithm as applied to LWE in [4,5]. It has been recently revisited by Duc et al., who use a multi-dimensional FFT in the second stage of the algorithm [19]. However, the main bottleneck is the first BKW step and since the proposed algorithms do not improve this stage, the overall asymptotic complexity is unchanged. In the case of the BinaryLWE variant, where the error and secret are binary (or sufficiently small), Micciancio and Peikert show that solving this problem using m = n(1 + Ω(1/ log(n))) samples is at least as hard as approximating lattice problems in the worst case in dimension Θ(n/ log(n)) with approximation factorÕ(√ nq). We show in section B that existing lattice reduction techniques require exponential time. Arora and Ge describe a 2Õ (αq) 2-time algorithm when q > n to solve the LWE problem [9]. This leads to a subexponential time algorithm when the error magnitude αq is less than √ n. The idea is to transform this system into a noise-free polynomial system and then use root finding algorithms for multivariate polynomials to solve it, using either relinearization in [9] or Gröbner basis in [3]. In this last work, Albrecht et al. present an algorithm whose time complexity is 2 (ω+o(1))n log log log n 8 log log n

In this paper, we study the side-channel security of the field multiplication in GF(2 n). We particularly focus on GF(2 128) multiplication which is the one used in the authentication part of AES-GCM but the proposed attack also applies to other binary extensions. In a hardware implementation using a 128-bit multiplier, the full 128-bit secret is manipulated at once. In this context, classical DPA attacks based on the divide and conquer strategy cannot be applied. In this work, the algebraic structure of the multiplication is leveraged to recover bits of information about the secret multiplicand without having to perform any key-guess. To do so, the leakage corresponding to the writing of the multiplication output into a register is considered. It is assumed to follow a Hamming weight/distance leakage model. Under these particular, yet easily met, assumption we exhibit a nice connection between the key recovery problem and some classical coding and Learning Parities with Noise problems with certain instance parameters. In our case, the noise is very high, but the length of the secret is rather short. In this work we investigate different solving techniques corresponding to different attacker models and eventually refine the attack when considering particular implementations of the multiplication.

In my first paper on the expansion to Dirichilet's theorem, the "Exemption Rule" allowed for us to identify which terms in an arithmetic progression described by an+b, where gcd(a,b)=1, would be prime. In the RSA algorithm, we require semi-prime numbers, which are products of two prime numbers p and q, where p and q can be either distinct or identical. The exemption rule allows us to generate n-values that would lead an+b to be of the form P(2k+1), a product of two odd numbers, and the exemption rule ensures that the two numbers are prime. To further enhance the security of the algorithm, at the end of the process, we can implement dynamic mapping functions which adds another layer of complexity, and with machine learning capabilities, create a modern enigma machine, in which the configurations are changing periodically.

To establish that a document was created after a given moment in time, it is necessary to report events that could not have been predicted before they happened. To establish that a document was created before a given moment in time, it is necessary to cause an event based on the document, which can be observed by others. Cryptographic hash functions can be used both to report events succinctly, and to cause events based on documents without revealing their contents. Haber and Stornetta have proposed two schemes for digital time-stamping which rely on these principles [HaSt 91]. We reexamine one of those protocols, addressing the resource constraint required for storage and verification of time-stamp certificates. By using trees, we show how to achieve an exponential increase in the publicity obtained for each time-stamping event, while reducing the storage and the computation required in order to validate a given certificate.

Linkable ring signatures is a useful cryptographic tool for constructing applications such as ones relative to electronic voting (e-voting), digital cashes (e-cashes) as well as cloud computing. Equipped with linkable ring signatures, e-voting, e-cash systems can simultaneously enjoy the privacy and the unreusability properties thanks to the anonymity and the linkability of linkable ring signatures. Likewise, cloud servers can enjoy a privacy-preserving ability, a flexible access control and an efficient security management with linkable ring signatures. Moreover, linkable ring signatures built in the identity-based setting would help to remove the expense of using the conventional public key infrastructure and also could be applied to the user management. This primitive hence would be suitable for huge-scale applications. In this paper, we present the first identity-based linkable ring signatures (IdLRS) in both integer lattice and ideal lattice setting. The proposed IdLRS is proved secure in the random oracle model and based on the hardness of the short integer solution and ring short integer solution assumption. We also implement the proposed idLRS as a proof of concept and then do some experiments to evaluate the running times and the sizes. INDEX TERMS Identity-based linkable ring signatures, e-voting, e-cash, cloud computing, lattices.

Linkable ring signatures is a useful cryptographic tool for constructing applications such as ones relative to electronic voting (e-voting), digital cashes (e-cashes) as well as cloud computing. Equipped with linkable ring signatures, e-voting, e-cash systems can simultaneously enjoy the privacy and the unreusability properties thanks to the anonymity and the linkability of linkable ring signatures. Likewise, cloud servers can enjoy a privacy-preserving ability, a flexible access control and an efficient security management with linkable ring signatures. Moreover, linkable ring signatures built in the identity-based setting would help to remove the expense of using the conventional public key infrastructure and also could be applied to the user management. This primitive hence would be suitable for huge-scale applications. In this paper, we present the first identity-based linkable ring signatures (IdLRS) in both integer lattice and ideal lattice setting. The proposed IdLRS is proved secure in the random oracle model and based on the hardness of the short integer solution and ring short integer solution assumption. We also implement the proposed idLRS as a proof of concept and then do some experiments to evaluate the running times and the sizes. INDEX TERMS Identity-based linkable ring signatures, e-voting, e-cash, cloud computing, lattices.

The traditional method for generating new transforms is based on a set of special orthogonal funckions. By using the principle of dyadic symmetry and by maximising a particular transform performance index like transform elliciency used in image coding, an infinite number of transforms can be obtained. A number of new, order4 transforms with transform efficiency better than that of the discrete cosine transform (DCT) has been obtained through the proposed procedure. Introduction: The principle of dyadic symmetry has been successfully applied to the developments of high correlation transforms (HCT), low correlation transforms (LCT) and integer cosine transforms (ICTs).'.' Some of the order-8 ICTs obtained have higher transform efficiencies than that of the DCT. This suggests that there could exist other new transforms with performance better than the DCT. This letter extends the use of the principle of dyadic symmetry for generating 'real' transforms instead of integer transforms as previously proposed.'.' The new transforms obtained have higher transform efficiencies and the same basis restriction meansquare-errors performance' compared with that of the DCT.

We present a simple to implement and efficient pseudorandom generator based on the factoring assumption. It outputs more than pn/2 pseudorandom bits per p exponentiations, each with the same base and an exponent shorter than n/2 bits. Our generator is based on results by Håstad, Schrift and Shamir [HSS93], but unlike their generator and its improvement by Goldreich and Rosen [GR00], it does not use hashing or extractors, and is thus simpler and somewhat more efficient. In addition, we present a general technique that can be used to speed up pseudorandom generators based on iterating one-way permutations. We construct our generator by applying this technique to results of [HSS93]. We also show how the generator given by Gennaro [Gen00] can be simply derived from results of Patel and Sundaram [PS98] using our technique.

In this paper, we study quantum query complexity of the following rather natural tripartite generalisations (in the spirit of the 3-sum problem) of the hidden shift and the set equality problems, which we call the 3-shift-sum and the 3-matching-sum problems. The 3-shift-sum problem is as follows: given a table of 3 × n elements, is it possible to circularly shift its rows so that the sum of the elements in each column becomes zero? It is promised that, if this is not the case, then no 3 elements in the table sum up to zero. The 3-matching-sum problem is defined similarly, but it is allowed to arbitrarily permute elements within each row. For these problems, we prove lower bounds of Ω(n 1/3) and Ω(√ n), respectively. The second lower bound is tight. The lower bounds are proven by a novel application of the dual learning graph framework and by using representation-theoretic tools from [6].

Sanitizable signatures provide several security features which are useful in many scenarios including military and medical applications. Sanitizable signatures allow a semi-trusted party to update some part of the digitally signed document without interacting with the original signer. Such schemes, where the verifier cannot identify whether the message has been sanitized, are said to possess strong transparency. In this paper, we have described the first efficient and provably secure sanitizable signature scheme having strong transparency under the standard model.