Journal articles
http://hdl.handle.net/2117/3529
Tue, 27 Jun 2017 10:56:07 GMT

Signcryption schemes with threshold unsigncryption, and applications
http://hdl.handle.net/2117/105873
Herranz Sotoca, Javier; Ruiz, Alexandre; Sáez Moreno, Germán
The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very little attention in the cryptographic literature up to now (perhaps surprisingly, given its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided into two phases: a first one where the authenticity of the ciphertext is verified, possibly by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.
The final publication is available at link.springer.com
Mon, 26 Jun 2017 15:08:46 GMT

On the efficiency of revocation in RSA-based anonymous systems
http://hdl.handle.net/2117/104254
Fueyo, María; Herranz Sotoca, Javier
The problem of revocation in anonymous authentication systems is subtle and has motivated a lot of work. One of the preferable solutions consists in maintaining either a whitelist LW of non-revoked users or a blacklist LB of revoked users, and then requiring users to additionally prove, when authenticating themselves, that they are in LW (membership proof) or that they are not in LB (non-membership proof). Of course, these additional proofs must not break the anonymity properties of the system, so they must be zero-knowledge proofs, revealing nothing about the identity of the users. In this paper, we focus on the RSA-based setting, and we consider the case of non-membership proofs with respect to blacklists L = LB. The existing solutions for this setting rely on the use of universal dynamic accumulators; the underlying zero-knowledge proofs are a bit complicated, and thus their efficiency, although independent of the size of the blacklist L, seems to be improvable. Peng and Bao already tried to propose simpler and more efficient zero-knowledge proofs for this setting, but we prove in this paper that their protocol is not secure. We fix the problem by designing a new protocol and formally proving its security properties. We then compare the efficiency of the new zero-knowledge non-membership protocol with that of the existing accumulator-based protocol, when they are integrated with anonymous authentication systems based on RSA (notably, the IBM product Idemix for anonymous credentials). We discuss for which values of the size k of the blacklist L one protocol is preferable to the other, and we propose different ways to combine and implement the two protocols.
© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Wed, 10 May 2017 09:52:33 GMT

Efficient cryptosystems from 2^k-th power residue symbols
http://hdl.handle.net/2117/103661
Herranz Sotoca, Javier; Libert, Benoit; Joye, Marc; Benhamouda, Fabrice
Goldwasser and Micali (J Comput Syst Sci 28(2):270–299, 1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser–Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser–Micali cryptosystem using 2^k-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for k ≥ 2 (the case k = 1 corresponds exactly to the Goldwasser–Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function based thereon.
Mon, 24 Apr 2017 10:25:48 GMT

The Kernel Matrix Diffie-Hellman Assumption
http://hdl.handle.net/2117/102936
Morillo Bosch, M. Paz; Rafols Salvador, Carla; Villar Santos, Jorge Luis
We put forward a new family of computational assumptions, the Kernel Matrix Diffie-Hellman Assumption. Given some matrix A sampled from some distribution D, the kernel assumption says that it is hard to find "in the exponent" a nonzero vector in the kernel of A^T. This family is a natural computational analogue of the Matrix Decisional Diffie-Hellman Assumption (MDDH), proposed by Escala et al. As such, it allows one to extend the advantages of their algebraic framework to computational assumptions. The k-Decisional Linear Assumption is an example of a family of decisional assumptions of strictly increasing hardness when k grows. We show that for any such family of MDDH assumptions, the corresponding Kernel assumptions are also strictly increasingly weaker. This requires ruling out the existence of some black-box reductions between flexible problems (i.e., computational problems with a non-unique solution).
The final publication is available at link.springer.com
Tue, 28 Mar 2017 09:12:06 GMT

Natural generalizations of threshold secret sharing
http://hdl.handle.net/2117/100003
Farràs Ventura, Oriol; Padró Laimon, Carles; Xing, Chaoping; Yang, An
We present new families of access structures that, similarly to the multilevel and compartmented access structures introduced in previous works, are natural generalizations of threshold secret sharing. Namely, they admit ideal linear secret sharing schemes over every large enough finite field, they can be described by a small number of parameters, and they have useful properties for the applications of secret sharing. The use of integer polymatroids makes it possible to find many new such families and greatly simplifies the proofs of the existence of ideal secret sharing schemes for them.
© 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Wed, 25 Jan 2017 10:11:40 GMT

Soft and hard modelling methods for deconvolution of mixtures of Raman spectra for pigment analysis: a qualitative and quantitative approach
http://hdl.handle.net/2117/98513
Coma, L; Breitman Mansilla, Mónica Celia; Ruiz Moreno, Sergio
Raman spectroscopy provides a means for the detection and identification of pictorial materials on artworks. As a non-destructive, in-situ applicable and unambiguous technique, it is one of the preferred methods to analyse the pigmentation of any kind of artwork: from paintings [1] and papyrus [2] to polychromes on wood [3]. A common problem, however, is the lack of spatial resolution on some systems due to large focal distances, which degrades the theoretical high resolution of the system and therefore requires the resolution of mixtures of individual Raman spectra. In this work, we present the advantages and disadvantages of two methods for the separation of mixtures of Raman spectra [4] and [5], and we present a new solution to overcome the problems of both. To such an end, we provide qualitative (identification of the species) and quantitative (determination of their concentration profiles) results of the methods. The experimental analyses have been carried out in two steps: first we calibrate the methods with known mixtures of two compounds prepared in the laboratory. Second, we test the methods with a real artwork supposed to be by 'El Greco'. Procedures to minimise problems, such as extreme fluorescence and noise, that arise on real artworks are also presented.
Fri, 16 Dec 2016 18:07:04 GMT

Raman spectroscopy applied to the identification of pictorial materials
http://hdl.handle.net/2117/97876
Ruiz Moreno, Sergio; Yúfera Gomez, José Manuel; Soneira Ferrando, M. José; Breitman Mansilla, Mónica Celia; Morillo Bosch, M. Paz; Gràcia Rivas, Ignacio
Wed, 07 Dec 2016 14:46:16 GMT

An algebraic framework for Diffie–Hellman assumptions
http://hdl.handle.net/2117/91050
Escala Ribas, Alex; Herold, Gottfried; Kiltz, Eike; Ràfols Salvador, Carla; Villar Santos, Jorge Luis
We put forward a new algebraic framework to generalize and analyze Diffie-Hellman-like decisional assumptions which allows us to argue about security and applications by considering only algebraic properties. Our D_{ℓ,k}-MDDH assumption states that it is hard to decide whether a vector in G^ℓ is linearly dependent on the columns of some matrix in G^{ℓ×k} sampled according to distribution D_{ℓ,k}. It covers known assumptions such as DDH, 2-Lin (linear assumption), and k-Lin (the k-linear assumption). Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in m-linear groups to the irreducibility of certain polynomials which describe the output of D_{ℓ,k}. We use the hardness results to find new distributions for which the D_{ℓ,k}-MDDH assumption holds generically in m-linear groups. In particular, our new assumptions 2-SCasc and 2-ILin are generically hard in bilinear groups and, compared to 2-Lin, have shorter description size, which is a relevant parameter for efficiency in many applications. These results support using our new assumptions as natural replacements for the 2-Lin Assumption, which was already used in a large number of applications. To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any MDDH assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash-proof systems, pseudorandom functions, and Groth-Sahai NIZK and NIWI proofs. As an independent contribution we give more efficient NIZK and NIWI proofs for membership in a subgroup of G^ℓ. The results imply very significant efficiency improvements for a large number of schemes.
Tue, 25 Oct 2016 09:11:30 GMT

Extending the Brickell-Davenport theorem to non-perfect secret sharing schemes
http://hdl.handle.net/2117/86923
Farràs Ventura, Oriol; Padró Laimon, Carles
One important result in secret sharing is the Brickell-Davenport Theorem: every ideal perfect secret sharing scheme defines a matroid that is uniquely determined by the access structure. Even though a few attempts have been made, there is no satisfactory definition of ideal secret sharing scheme for the general case, in which non-perfect schemes are considered as well. Without providing another unsatisfactory definition of ideal non-perfect secret sharing scheme, we present a generalization of the Brickell-Davenport Theorem to the general case. After analyzing that result from a new point of view and identifying its combinatorial nature, we present a characterization of the (not necessarily perfect) secret sharing schemes that are associated to matroids. Some optimality properties of such schemes are discussed.
Wed, 11 May 2016 10:34:11 GMT

On secret sharing with nonlinear product reconstruction
http://hdl.handle.net/2117/86921
Cascudo, Ignacio; Cramer, Ronald; Mirandola, Diego; Padró Laimon, Carles; Xing, Chaoping
Multiplicative linear secret sharing is a fundamental notion in the area of secure multiparty computation (MPC) and, since recently, in the area of two-party cryptography as well. In a nutshell, this notion guarantees that "the product of two secrets is obtained as a linear function of the vector consisting of the coordinate-wise product of two respective share-vectors"
Wed, 11 May 2016 10:22:41 GMT