Ponències/Comunicacions de congressos
http://hdl.handle.net/2117/3531
Tue, 23 May 2017 16:46:45 GMT2017-05-23T16:46:45ZThe Kernel Matrix Diffie-Hellman assumption
http://hdl.handle.net/2117/103241
The Kernel Matrix Diffie-Hellman assumption
Morillo Bosch, M. Paz; Rafols Salvador, Carla; Villar Santos, Jorge Luis
We put forward a new family of computational assumptions, the Kernel Matrix Diffie-Hellman Assumption. Given some matrix A sampled from some distribution D, the kernel assumption says that it is hard to find “in the exponent” a nonzero vector in the kernel of A¿ . This family is a natural computational analogue of the Matrix Decisional Diffie-Hellman Assumption (MDDH), proposed by Escala et al. As such it allows to extend the advantages of their algebraic framework to computational assumptions. The k-Decisional Linear Assumption is an example of a family of decisional assumptions of strictly increasing hardness when k grows. We show that for any such family of MDDH assumptions, the corresponding Kernel assumptions are also strictly increasingly weaker. This requires ruling out the existence of some black-box reductions between flexible problems (i.e., computational problems with a non unique solution).
The final publication is available at https://link.springer.com/chapter/10.1007%2F978-3-662-53887-6_27
Tue, 04 Apr 2017 05:23:07 GMThttp://hdl.handle.net/2117/1032412017-04-04T05:23:07ZMorillo Bosch, M. PazRafols Salvador, CarlaVillar Santos, Jorge LuisWe put forward a new family of computational assumptions, the Kernel Matrix Diffie-Hellman Assumption. Given some matrix A sampled from some distribution D, the kernel assumption says that it is hard to find “in the exponent” a nonzero vector in the kernel of A¿ . This family is a natural computational analogue of the Matrix Decisional Diffie-Hellman Assumption (MDDH), proposed by Escala et al. As such it allows to extend the advantages of their algebraic framework to computational assumptions. The k-Decisional Linear Assumption is an example of a family of decisional assumptions of strictly increasing hardness when k grows. We show that for any such family of MDDH assumptions, the corresponding Kernel assumptions are also strictly increasingly weaker. This requires ruling out the existence of some black-box reductions between flexible problems (i.e., computational problems with a non unique solution).Small primitive roots and malleability of RSA
http://hdl.handle.net/2117/22162
Small primitive roots and malleability of RSA
Jiménez Urroz, Jorge; Dieulefait, Luis Victor
In their paper [9], P. Paillier and J. Villar make a conjectur
e about the
malleability of an RSA modulus. In this paper we present an ex
plicit algo-
rithm refuting the conjecture. Concretely we can factorize
an RSA modulus
n
using very little information on the factorization of a conc
rete
n
′
coprime
to
n
. However, we believe the conjecture might be true, when impo
sing some
extra conditions on the auxiliary
n
′
allowed to be used. In particular, the
paper shows how subtle the notion of malleability is
Mon, 17 Mar 2014 13:51:54 GMThttp://hdl.handle.net/2117/221622014-03-17T13:51:54ZJiménez Urroz, JorgeDieulefait, Luis VictorIn their paper [9], P. Paillier and J. Villar make a conjectur
e about the
malleability of an RSA modulus. In this paper we present an ex
plicit algo-
rithm refuting the conjecture. Concretely we can factorize
an RSA modulus
n
using very little information on the factorization of a conc
rete
n
′
coprime
to
n
. However, we believe the conjecture might be true, when impo
sing some
extra conditions on the auxiliary
n
′
allowed to be used. In particular, the
paper shows how subtle the notion of malleability isCifrado homomorfico de clave publica basado en Residuosidad Cuadratica
http://hdl.handle.net/2117/17225
Cifrado homomorfico de clave publica basado en Residuosidad Cuadratica
Herranz Sotoca, Javier; Sisternes, Juan Ramón
Los esquemas de cifrado de clave p´ ublica con
propiedades homom´orficas tienen muchas utilidades en aplicaciones
reales. Entre los esquemas con propiedades homom´orficas
aditivas existentes, hay una familia (desde el esquema de
Goldwasser-Micali hasta el esquema de Paillier) cuya seguridad
se basa en problemas computacionalmente dif´ıciles relacionados
con el problema de factorizar un n´umero grande N. Los
esquemas de esta familia tienen diferentes propiedades tanto en lo
referente a la eficiencia, como al problema de teor´ıa de n´umeros
concreto en el que basan su seguridad.
En este art´ıculo proponemos un nuevo esquema a a˜nadir a
esta familia. La hip´otesis computacional en la que se basa la
seguridad de nuestro esquema es la hip´otesis de la Residuosidad
Cuadr´atica m´odulo N. En t´erminos de eficiencia, por un lado
nuestro esquema mejora todos los esquemas anteriores cuya
seguridad se basa en la hip´otesis de la Residuosidad d-´esima
m´odulo N, para d 2; por otro lado, nuestro esquema es
en general menos eficiente (tiempo de descifrado) que algunos
esquemas como el de Paillier, cuya seguridad se basa en otra
hip´otesis (Residuosidad N-´esima m´odulo N2). Sin embargo, si
los mensajes a cifrar son cortos, la eficiencia de nuestro esquema
es esencialmente la misma que la del esquema de Paillier
Wed, 09 Jan 2013 10:09:28 GMThttp://hdl.handle.net/2117/172252013-01-09T10:09:28ZHerranz Sotoca, JavierSisternes, Juan RamónLos esquemas de cifrado de clave p´ ublica con
propiedades homom´orficas tienen muchas utilidades en aplicaciones
reales. Entre los esquemas con propiedades homom´orficas
aditivas existentes, hay una familia (desde el esquema de
Goldwasser-Micali hasta el esquema de Paillier) cuya seguridad
se basa en problemas computacionalmente dif´ıciles relacionados
con el problema de factorizar un n´umero grande N. Los
esquemas de esta familia tienen diferentes propiedades tanto en lo
referente a la eficiencia, como al problema de teor´ıa de n´umeros
concreto en el que basan su seguridad.
En este art´ıculo proponemos un nuevo esquema a a˜nadir a
esta familia. La hip´otesis computacional en la que se basa la
seguridad de nuestro esquema es la hip´otesis de la Residuosidad
Cuadr´atica m´odulo N. En t´erminos de eficiencia, por un lado
nuestro esquema mejora todos los esquemas anteriores cuya
seguridad se basa en la hip´otesis de la Residuosidad d-´esima
m´odulo N, para d 2; por otro lado, nuestro esquema es
en general menos eficiente (tiempo de descifrado) que algunos
esquemas como el de Paillier, cuya seguridad se basa en otra
hip´otesis (Residuosidad N-´esima m´odulo N2). Sin embargo, si
los mensajes a cifrar son cortos, la eficiencia de nuestro esquema
es esencialmente la misma que la del esquema de PaillierFirmas digitales con verificación distribuida en el modelo de seguridad estándar
http://hdl.handle.net/2117/17224
Firmas digitales con verificación distribuida en el modelo de seguridad estándar
Herranz Sotoca, Javier; Ruiz Rodríguez, Alexandre; Sáez Moreno, Germán
Las firmas digitales con verificaci´on distribuida
protegen en cierta manera el nivel de anonimato o privacidad
del firmante, ya que un subconjunto autorizado de usuarios
deben colaboran para verificar la (in)validez de una firma. En
trabajos anteriores se propusieron esquemas de este tipo pero
que o no alcanzaban el nivel m´aximo de seguridad o bien lo
hac´ıan en el modelo del or´aculo aleatorio. Proponemos aqu´ı el
primer esquema de firma digital con verificaci´on distribuida que
consigue seguridad m´axima, en t´erminos de infalsificabilidad
y privacidad, y con seguridad demostrable en el modelo de
computaci´on est´andar.
Wed, 09 Jan 2013 10:02:20 GMThttp://hdl.handle.net/2117/172242013-01-09T10:02:20ZHerranz Sotoca, JavierRuiz Rodríguez, AlexandreSáez Moreno, GermánLas firmas digitales con verificaci´on distribuida
protegen en cierta manera el nivel de anonimato o privacidad
del firmante, ya que un subconjunto autorizado de usuarios
deben colaboran para verificar la (in)validez de una firma. En
trabajos anteriores se propusieron esquemas de este tipo pero
que o no alcanzaban el nivel m´aximo de seguridad o bien lo
hac´ıan en el modelo del or´aculo aleatorio. Proponemos aqu´ı el
primer esquema de firma digital con verificaci´on distribuida que
consigue seguridad m´axima, en t´erminos de infalsificabilidad
y privacidad, y con seguridad demostrable en el modelo de
computaci´on est´andar.On method-specific record linkage for risk assessment
http://hdl.handle.net/2117/16248
On method-specific record linkage for risk assessment
Nin Guerrero, Jordi; Herranz Sotoca, Javier; Torra i Reventós, Vicenç
Nowadays, the need for privacy motivates the use of methods that permit us to protect a microdata file both minimizing the disclosure risk and preserving the statistical utility. Nevertheless, research is usually focused on how data utility is preserved, and much less research effort is dedicated to the study of the tools that an intruder might use to compromise the privacy of the data or, in other words, to increase the disclosure risk. Record linkage is a standard mechanism used to measure the disclosure risk of a microdata protection method. In this paper we present some improvements for the (standard) distance based record linkage. In particular, we test our improvements to evaluate the disclosure risk of rank swapping, which is higher than what was believed up to now. We will also present the results of the application of this approach to microaggregation.
Fri, 13 Jul 2012 07:56:15 GMThttp://hdl.handle.net/2117/162482012-07-13T07:56:15ZNin Guerrero, JordiHerranz Sotoca, JavierTorra i Reventós, VicençNowadays, the need for privacy motivates the use of methods that permit us to protect a microdata file both minimizing the disclosure risk and preserving the statistical utility. Nevertheless, research is usually focused on how data utility is preserved, and much less research effort is dedicated to the study of the tools that an intruder might use to compromise the privacy of the data or, in other words, to increase the disclosure risk. Record linkage is a standard mechanism used to measure the disclosure risk of a microdata protection method. In this paper we present some improvements for the (standard) distance based record linkage. In particular, we test our improvements to evaluate the disclosure risk of rank swapping, which is higher than what was believed up to now. We will also present the results of the application of this approach to microaggregation.Anonymous subscription schemes : a flexible fonstruction for on-line services access
http://hdl.handle.net/2117/15611
Anonymous subscription schemes : a flexible fonstruction for on-line services access
González Vasco, Maria Isabel; Heidarvand, Somayed; Villar Santos, Jorge Luis
In traditional e-cash systems, the tradeoff between anonymity and fraud-detection is solved by hiding the identity of the user into the e-coin, and providing an additional triggering mechanism that opens this identity in case of double spending. Hence, fraud detection implies loss of anonymity. This seems to be a somewhat natural solution when universality of the e-coin is required (i.e., the use of the coin is not determined at the time the coin is generated). However, much simpler protocols may suffice if we only want to prevent that payments for accessing certain services are over-used, even when users' anonymity is perfectly preserved. In this paper we propose a simple and efficient Subscription Scheme, allowing a set of users to anonymously pay for and request access to different services offered by a number of service providers. In our approach, the use of the token is completely determined at issuing time, yet this final aim remains hidden to the issuing authority. Moreover, fraud detection here implies no loss of anonymity; as we make access tokens independent of the owner in a quite simple and efficient way. On the other hand, if different usages of the same token are allowed, these are fully traceable by the service providers.
Mon, 19 Mar 2012 10:50:53 GMThttp://hdl.handle.net/2117/156112012-03-19T10:50:53ZGonzález Vasco, Maria IsabelHeidarvand, SomayedVillar Santos, Jorge LuisIn traditional e-cash systems, the tradeoff between anonymity and fraud-detection is solved by hiding the identity of the user into the e-coin, and providing an additional triggering mechanism that opens this identity in case of double spending. Hence, fraud detection implies loss of anonymity. This seems to be a somewhat natural solution when universality of the e-coin is required (i.e., the use of the coin is not determined at the time the coin is generated). However, much simpler protocols may suffice if we only want to prevent that payments for accessing certain services are over-used, even when users' anonymity is perfectly preserved. In this paper we propose a simple and efficient Subscription Scheme, allowing a set of users to anonymously pay for and request access to different services offered by a number of service providers. In our approach, the use of the token is completely determined at issuing time, yet this final aim remains hidden to the issuing authority. Moreover, fraud detection here implies no loss of anonymity; as we make access tokens independent of the owner in a quite simple and efficient way. On the other hand, if different usages of the same token are allowed, these are fully traceable by the service providers.A fair and abuse-free contract signing protocol from Boneh-Boyen signature
http://hdl.handle.net/2117/15610
A fair and abuse-free contract signing protocol from Boneh-Boyen signature
Heidarvand, Somayed; Villar Santos, Jorge Luis
A fair contract signing protocol is used to enable two mistrusted parties to exchange two signatures on a given contract, in such
a way that either both of them get the other party’s signature, or none of them gets anything. A new signature scheme is presented, which is a variant of Boneh and Boyen’s scheme, and building on it, we propose a new signature fair exchange protocol for which all the properties of being optimistic, setup-free and abuse-free can be proved without random oracles, and it is more efficient than the known schemes with comparable properties.
Mon, 19 Mar 2012 10:22:07 GMThttp://hdl.handle.net/2117/156102012-03-19T10:22:07ZHeidarvand, SomayedVillar Santos, Jorge LuisA fair contract signing protocol is used to enable two mistrusted parties to exchange two signatures on a given contract, in such
a way that either both of them get the other party’s signature, or none of them gets anything. A new signature scheme is presented, which is a variant of Boneh and Boyen’s scheme, and building on it, we propose a new signature fair exchange protocol for which all the properties of being optimistic, setup-free and abuse-free can be proved without random oracles, and it is more efficient than the known schemes with comparable properties.A cryptographic solution for private distributed simple meeting scheduling
http://hdl.handle.net/2117/14700
A cryptographic solution for private distributed simple meeting scheduling
Herranz Sotoca, Javier; Matwin, Stan; Meseguer González, Pedro; Nin Guerrero, Jordi
Meeting scheduling is a suitable application for distributed computation motivated by its privacy requirements. Previous work on this problem have considered some cryptographic and conceptually clear approach to solve a simple case of Meeting Scheduling, even achieving complete privacy.
Fri, 20 Jan 2012 11:59:25 GMThttp://hdl.handle.net/2117/147002012-01-20T11:59:25ZHerranz Sotoca, JavierMatwin, StanMeseguer González, PedroNin Guerrero, JordiMeeting scheduling is a suitable application for distributed computation motivated by its privacy requirements. Previous work on this problem have considered some cryptographic and conceptually clear approach to solve a simple case of Meeting Scheduling, even achieving complete privacy.Attribute selection in multivariate microaggregation
http://hdl.handle.net/2117/12909
Attribute selection in multivariate microaggregation
Nin Guerrero, Jordi; Herranz Sotoca, Javier; Torra i Reventós, Vicenç
Microaggregation is one of the most employed microdata protection methods. The idea is to build clusters of at least k original records, and then replace them with the centroid of the cluster. When the number of attributes of the dataset is large, a common practice is to split the dataset into smaller
blocks of attributes. Microaggregation is successively and independently applied to each block. In this way, the effect of the noise introduced by microaggregation is reduced, but at the cost of losing the k-anonymity property. The goal of this work is to show that, besides of the specific microaggregation method employed, the value of the parameter k, and the number of blocks in which the dataset is split, there exists another factor which can influence the quality of the microaggregation: the way in which the attributes are grouped to form the blocks. When correlated attributes are grouped in the same block, the statistical utility of the protected dataset is higher. In contrast, when correlated attributes are dispersed into different blocks, the achieved anonymity is higher, and, so, the disclosure risk is lower. We present quantitative evaluations of such statements
based on different experiments on real datasets.
Mon, 11 Jul 2011 09:33:15 GMThttp://hdl.handle.net/2117/129092011-07-11T09:33:15ZNin Guerrero, JordiHerranz Sotoca, JavierTorra i Reventós, VicençMicroaggregation is one of the most employed microdata protection methods. The idea is to build clusters of at least k original records, and then replace them with the centroid of the cluster. When the number of attributes of the dataset is large, a common practice is to split the dataset into smaller
blocks of attributes. Microaggregation is successively and independently applied to each block. In this way, the effect of the noise introduced by microaggregation is reduced, but at the cost of losing the k-anonymity property. The goal of this work is to show that, besides of the specific microaggregation method employed, the value of the parameter k, and the number of blocks in which the dataset is split, there exists another factor which can influence the quality of the microaggregation: the way in which the attributes are grouped to form the blocks. When correlated attributes are grouped in the same block, the statistical utility of the protected dataset is higher. In contrast, when correlated attributes are dispersed into different blocks, the achieved anonymity is higher, and, so, the disclosure risk is lower. We present quantitative evaluations of such statements
based on different experiments on real datasets.Constant size ciphertexts in threshold attribute-based encryption
http://hdl.handle.net/2117/12612
Constant size ciphertexts in threshold attribute-based encryption
Herranz Sotoca, Javier; Laguillaumie, Fabien; Ràfols Salvador, Carla
Attribute-based cryptography has emerged in the last years as a promising primitive for digital security. For instance, it provides good solutions to the problem of anonymous access control. In a ciphertextpolicy attribute-based encryption scheme, the secret keys of the users depend on their attributes. When encrypting a message, the sender chooses which subset of attributes must be held by a receiver in order to be able to decrypt.
All current attribute-based encryption schemes that admit reasonably expressive decryption policies produce ciphertexts whose size depends at least linearly on the number of attributes involved in the policy. In this paper we propose the first scheme whose ciphertexts have constant size.
Our scheme works for the threshold case: users authorized to decrypt are those who hold at least t attributes among a certain universe of attributes, for some threshold t chosen by the sender. An extension to the
case of weighted threshold decryption policies is possible. The security of the scheme against selective chosen plaintext attacks can be proven in the standard model by reduction to the augmented multi-sequence of exponents decisional Diffie-Hellman (aMSE-DDH) problem.
Thu, 19 May 2011 16:20:47 GMThttp://hdl.handle.net/2117/126122011-05-19T16:20:47ZHerranz Sotoca, JavierLaguillaumie, FabienRàfols Salvador, CarlaAttribute-based cryptography has emerged in the last years as a promising primitive for digital security. For instance, it provides good solutions to the problem of anonymous access control. In a ciphertextpolicy attribute-based encryption scheme, the secret keys of the users depend on their attributes. When encrypting a message, the sender chooses which subset of attributes must be held by a receiver in order to be able to decrypt.
All current attribute-based encryption schemes that admit reasonably expressive decryption policies produce ciphertexts whose size depends at least linearly on the number of attributes involved in the policy. In this paper we propose the first scheme whose ciphertexts have constant size.
Our scheme works for the threshold case: users authorized to decrypt are those who hold at least t attributes among a certain universe of attributes, for some threshold t chosen by the sender. An extension to the
case of weighted threshold decryption policies is possible. The security of the scheme against selective chosen plaintext attacks can be proven in the standard model by reduction to the augmented multi-sequence of exponents decisional Diffie-Hellman (aMSE-DDH) problem.