Ponències/Comunicacions de congressos
http://hdl.handle.net/2117/3531
2018-02-24T00:41:42ZEquivalences and Black-Box Separations of Matrix Diffie-Hellman Problems
http://hdl.handle.net/2117/113265
Equivalences and Black-Box Separations of Matrix Diffie-Hellman Problems
Villar Santos, Jorge Luis
In this paper we provide new algebraic tools to study the relationship between different Matrix Diffie-Hellman (MDDH) Problems, which are recently introduced as a natural generalization of the so-called Linear Problem. Namely, we provide an algebraic criterion to decide whether there exists a generic black-box reduction, and in many cases, when the answer is positive we also build an explicit reduction with the following properties: it only makes a single oracle call, it is tight and it makes use only of operations in the base group. It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing certain multilinear map. Thus, we put the focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a successful reduction cannot decrease the amount of randomness used in the problem instance description). When comparing MDDH problems of the same size and number of parameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative partial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other. The results given in the paper are limited by some technical restrictions in the shape of the matrices and in the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH Problems. Therefore, our results apply to all known instances of practical interest.
The final publication is available at link.springer.com
2018-01-26T13:21:26ZVillar Santos, Jorge LuisIn this paper we provide new algebraic tools to study the relationship between different Matrix Diffie-Hellman (MDDH) Problems, which are recently introduced as a natural generalization of the so-called Linear Problem. Namely, we provide an algebraic criterion to decide whether there exists a generic black-box reduction, and in many cases, when the answer is positive we also build an explicit reduction with the following properties: it only makes a single oracle call, it is tight and it makes use only of operations in the base group. It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing certain multilinear map. Thus, we put the focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a successful reduction cannot decrease the amount of randomness used in the problem instance description). When comparing MDDH problems of the same size and number of parameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative partial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other. The results given in the paper are limited by some technical restrictions in the shape of the matrices and in the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH Problems. Therefore, our results apply to all known instances of practical interest.Ideal hierarchical secret sharing schemes
http://hdl.handle.net/2117/106120
Ideal hierarchical secret sharing schemes
Farràs Ventura, Oriol; Padró Laimon, Carles
Hierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has attracted a lot of attention from the invention of secret sharing until nowadays. Several constructions of ideal hierarchical secret sharing schemes have been proposed, but it was not known what access structures admit such a scheme. We solve this problem by providing a natural definition for the family of the hierarchical access structures and, more importantly, by presenting a complete characterization of the ideal hierarchical access structures, that is, the ones admitting an ideal secret sharing scheme. Our characterization deals with the properties of the hierarchically minimal sets of the access structure, which are the minimal qualified sets whose participants are in the lowest possible levels in the hierarchy. By using our characterization, it can be efficiently checked whether any given hierarchical access structure that is defined by its hierarchically minimal sets is ideal. We use the well known connection between ideal secret sharing and matroids and, in particular, the fact that every ideal access structure is a matroid port. In addition, we use recent results on ideal multipartite access structures and the connection between multipartite matroids and integer polymatroids. We prove that every ideal hierarchical access structure is the port of a representable matroid and, more specifically, we prove that every ideal structure in this family admits ideal linear secret sharing schemes over fields of all characteristics. In addition, methods to construct such ideal schemes can be derived from the results in this paper and the aforementioned ones on ideal multipartite secret sharing. Finally, we use our results to find a new proof for the characterization of the ideal weighted threshold access structures that is simpler than the existing one.
2017-07-04T05:40:29ZFarràs Ventura, OriolPadró Laimon, CarlesHierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has attracted a lot of attention from the invention of secret sharing until nowadays. Several constructions of ideal hierarchical secret sharing schemes have been proposed, but it was not known what access structures admit such a scheme. We solve this problem by providing a natural definition for the family of the hierarchical access structures and, more importantly, by presenting a complete characterization of the ideal hierarchical access structures, that is, the ones admitting an ideal secret sharing scheme. Our characterization deals with the properties of the hierarchically minimal sets of the access structure, which are the minimal qualified sets whose participants are in the lowest possible levels in the hierarchy. By using our characterization, it can be efficiently checked whether any given hierarchical access structure that is defined by its hierarchically minimal sets is ideal. We use the well known connection between ideal secret sharing and matroids and, in particular, the fact that every ideal access structure is a matroid port. In addition, we use recent results on ideal multipartite access structures and the connection between multipartite matroids and integer polymatroids. We prove that every ideal hierarchical access structure is the port of a representable matroid and, more specifically, we prove that every ideal structure in this family admits ideal linear secret sharing schemes over fields of all characteristics. In addition, methods to construct such ideal schemes can be derived from the results in this paper and the aforementioned ones on ideal multipartite secret sharing. Finally, we use our results to find a new proof for the characterization of the ideal weighted threshold access structures that is simpler than the existing one.Optimal non-perfect uniform secret sharing schemes
http://hdl.handle.net/2117/106119
Optimal non-perfect uniform secret sharing schemes
Farràs Ventura, Oriol; Hansen, Torben; Kaced, Tarik; Padró Laimon, Carles
A secret sharing scheme is non-perfect if some subsets of participants that cannot recover the secret value have partial information about it. The information ratio of a secret sharing scheme is the ratio between the maximum length of the shares and the length of the secret. This work is dedicated to the search of bounds on the information ratio of non-perfect secret sharing schemes. To this end, we extend the known connections between polymatroids and perfect secret sharing schemes to the non-perfect case. In order to study non-perfect secret sharing schemes in all generality, we describe their structure through their access function, a real function that measures the amount of information that every subset of participants obtains about the secret value. We prove that there exists a secret sharing scheme for every access function. Uniform access functions, that is, the ones whose values depend only on the number of participants, generalize the threshold access structures. Our main result is to determine the optimal information ratio of the uniform access functions. Moreover, we present a construction of linear secret sharing schemes with optimal information ratio for the rational uniform access functions.
2017-07-04T05:19:35ZFarràs Ventura, OriolHansen, TorbenKaced, TarikPadró Laimon, CarlesA secret sharing scheme is non-perfect if some subsets of participants that cannot recover the secret value have partial information about it. The information ratio of a secret sharing scheme is the ratio between the maximum length of the shares and the length of the secret. This work is dedicated to the search of bounds on the information ratio of non-perfect secret sharing schemes. To this end, we extend the known connections between polymatroids and perfect secret sharing schemes to the non-perfect case. In order to study non-perfect secret sharing schemes in all generality, we describe their structure through their access function, a real function that measures the amount of information that every subset of participants obtains about the secret value. We prove that there exists a secret sharing scheme for every access function. Uniform access functions, that is, the ones whose values depend only on the number of participants, generalize the threshold access structures. Our main result is to determine the optimal information ratio of the uniform access functions. Moreover, we present a construction of linear secret sharing schemes with optimal information ratio for the rational uniform access functions.The Kernel Matrix Diffie-Hellman assumption
http://hdl.handle.net/2117/103241
The Kernel Matrix Diffie-Hellman assumption
Morillo Bosch, M. Paz; Rafols Salvador, Carla; Villar Santos, Jorge Luis
We put forward a new family of computational assumptions, the Kernel Matrix Diffie-Hellman Assumption. Given some matrix A sampled from some distribution D, the kernel assumption says that it is hard to find “in the exponent” a nonzero vector in the kernel of A¿ . This family is a natural computational analogue of the Matrix Decisional Diffie-Hellman Assumption (MDDH), proposed by Escala et al. As such it allows to extend the advantages of their algebraic framework to computational assumptions. The k-Decisional Linear Assumption is an example of a family of decisional assumptions of strictly increasing hardness when k grows. We show that for any such family of MDDH assumptions, the corresponding Kernel assumptions are also strictly increasingly weaker. This requires ruling out the existence of some black-box reductions between flexible problems (i.e., computational problems with a non unique solution).
The final publication is available at https://link.springer.com/chapter/10.1007%2F978-3-662-53887-6_27
2017-04-04T05:23:07ZMorillo Bosch, M. PazRafols Salvador, CarlaVillar Santos, Jorge LuisWe put forward a new family of computational assumptions, the Kernel Matrix Diffie-Hellman Assumption. Given some matrix A sampled from some distribution D, the kernel assumption says that it is hard to find “in the exponent” a nonzero vector in the kernel of A¿ . This family is a natural computational analogue of the Matrix Decisional Diffie-Hellman Assumption (MDDH), proposed by Escala et al. As such it allows to extend the advantages of their algebraic framework to computational assumptions. The k-Decisional Linear Assumption is an example of a family of decisional assumptions of strictly increasing hardness when k grows. We show that for any such family of MDDH assumptions, the corresponding Kernel assumptions are also strictly increasingly weaker. This requires ruling out the existence of some black-box reductions between flexible problems (i.e., computational problems with a non unique solution).Small primitive roots and malleability of RSA
http://hdl.handle.net/2117/22162
Small primitive roots and malleability of RSA
Jiménez Urroz, Jorge; Dieulefait, Luis Victor
In their paper [9], P. Paillier and J. Villar make a conjectur
e about the
malleability of an RSA modulus. In this paper we present an ex
plicit algo-
rithm refuting the conjecture. Concretely we can factorize
an RSA modulus
n
using very little information on the factorization of a conc
rete
n
′
coprime
to
n
. However, we believe the conjecture might be true, when impo
sing some
extra conditions on the auxiliary
n
′
allowed to be used. In particular, the
paper shows how subtle the notion of malleability is
2014-03-17T13:51:54ZJiménez Urroz, JorgeDieulefait, Luis VictorIn their paper [9], P. Paillier and J. Villar make a conjectur
e about the
malleability of an RSA modulus. In this paper we present an ex
plicit algo-
rithm refuting the conjecture. Concretely we can factorize
an RSA modulus
n
using very little information on the factorization of a conc
rete
n
′
coprime
to
n
. However, we believe the conjecture might be true, when impo
sing some
extra conditions on the auxiliary
n
′
allowed to be used. In particular, the
paper shows how subtle the notion of malleability isCifrado homomorfico de clave publica basado en Residuosidad Cuadratica
http://hdl.handle.net/2117/17225
Cifrado homomorfico de clave publica basado en Residuosidad Cuadratica
Herranz Sotoca, Javier; Sisternes, Juan Ramón
Los esquemas de cifrado de clave p´ ublica con
propiedades homom´orficas tienen muchas utilidades en aplicaciones
reales. Entre los esquemas con propiedades homom´orficas
aditivas existentes, hay una familia (desde el esquema de
Goldwasser-Micali hasta el esquema de Paillier) cuya seguridad
se basa en problemas computacionalmente dif´ıciles relacionados
con el problema de factorizar un n´umero grande N. Los
esquemas de esta familia tienen diferentes propiedades tanto en lo
referente a la eficiencia, como al problema de teor´ıa de n´umeros
concreto en el que basan su seguridad.
En este art´ıculo proponemos un nuevo esquema a a˜nadir a
esta familia. La hip´otesis computacional en la que se basa la
seguridad de nuestro esquema es la hip´otesis de la Residuosidad
Cuadr´atica m´odulo N. En t´erminos de eficiencia, por un lado
nuestro esquema mejora todos los esquemas anteriores cuya
seguridad se basa en la hip´otesis de la Residuosidad d-´esima
m´odulo N, para d 2; por otro lado, nuestro esquema es
en general menos eficiente (tiempo de descifrado) que algunos
esquemas como el de Paillier, cuya seguridad se basa en otra
hip´otesis (Residuosidad N-´esima m´odulo N2). Sin embargo, si
los mensajes a cifrar son cortos, la eficiencia de nuestro esquema
es esencialmente la misma que la del esquema de Paillier
2013-01-09T10:09:28ZHerranz Sotoca, JavierSisternes, Juan RamónLos esquemas de cifrado de clave p´ ublica con
propiedades homom´orficas tienen muchas utilidades en aplicaciones
reales. Entre los esquemas con propiedades homom´orficas
aditivas existentes, hay una familia (desde el esquema de
Goldwasser-Micali hasta el esquema de Paillier) cuya seguridad
se basa en problemas computacionalmente dif´ıciles relacionados
con el problema de factorizar un n´umero grande N. Los
esquemas de esta familia tienen diferentes propiedades tanto en lo
referente a la eficiencia, como al problema de teor´ıa de n´umeros
concreto en el que basan su seguridad.
En este art´ıculo proponemos un nuevo esquema a a˜nadir a
esta familia. La hip´otesis computacional en la que se basa la
seguridad de nuestro esquema es la hip´otesis de la Residuosidad
Cuadr´atica m´odulo N. En t´erminos de eficiencia, por un lado
nuestro esquema mejora todos los esquemas anteriores cuya
seguridad se basa en la hip´otesis de la Residuosidad d-´esima
m´odulo N, para d 2; por otro lado, nuestro esquema es
en general menos eficiente (tiempo de descifrado) que algunos
esquemas como el de Paillier, cuya seguridad se basa en otra
hip´otesis (Residuosidad N-´esima m´odulo N2). Sin embargo, si
los mensajes a cifrar son cortos, la eficiencia de nuestro esquema
es esencialmente la misma que la del esquema de PaillierFirmas digitales con verificación distribuida en el modelo de seguridad estándar
http://hdl.handle.net/2117/17224
Firmas digitales con verificación distribuida en el modelo de seguridad estándar
Herranz Sotoca, Javier; Ruiz Rodríguez, Alexandre; Sáez Moreno, Germán
Las firmas digitales con verificaci´on distribuida
protegen en cierta manera el nivel de anonimato o privacidad
del firmante, ya que un subconjunto autorizado de usuarios
deben colaboran para verificar la (in)validez de una firma. En
trabajos anteriores se propusieron esquemas de este tipo pero
que o no alcanzaban el nivel m´aximo de seguridad o bien lo
hac´ıan en el modelo del or´aculo aleatorio. Proponemos aqu´ı el
primer esquema de firma digital con verificaci´on distribuida que
consigue seguridad m´axima, en t´erminos de infalsificabilidad
y privacidad, y con seguridad demostrable en el modelo de
computaci´on est´andar.
2013-01-09T10:02:20ZHerranz Sotoca, JavierRuiz Rodríguez, AlexandreSáez Moreno, GermánLas firmas digitales con verificaci´on distribuida
protegen en cierta manera el nivel de anonimato o privacidad
del firmante, ya que un subconjunto autorizado de usuarios
deben colaboran para verificar la (in)validez de una firma. En
trabajos anteriores se propusieron esquemas de este tipo pero
que o no alcanzaban el nivel m´aximo de seguridad o bien lo
hac´ıan en el modelo del or´aculo aleatorio. Proponemos aqu´ı el
primer esquema de firma digital con verificaci´on distribuida que
consigue seguridad m´axima, en t´erminos de infalsificabilidad
y privacidad, y con seguridad demostrable en el modelo de
computaci´on est´andar.On method-specific record linkage for risk assessment
http://hdl.handle.net/2117/16248
On method-specific record linkage for risk assessment
Nin Guerrero, Jordi; Herranz Sotoca, Javier; Torra i Reventós, Vicenç
Nowadays, the need for privacy motivates the use of methods that permit us to protect a microdata file both minimizing the disclosure risk and preserving the statistical utility. Nevertheless, research is usually focused on how data utility is preserved, and much less research effort is dedicated to the study of the tools that an intruder might use to compromise the privacy of the data or, in other words, to increase the disclosure risk. Record linkage is a standard mechanism used to measure the disclosure risk of a microdata protection method. In this paper we present some improvements for the (standard) distance based record linkage. In particular, we test our improvements to evaluate the disclosure risk of rank swapping, which is higher than what was believed up to now. We will also present the results of the application of this approach to microaggregation.
2012-07-13T07:56:15ZNin Guerrero, JordiHerranz Sotoca, JavierTorra i Reventós, VicençNowadays, the need for privacy motivates the use of methods that permit us to protect a microdata file both minimizing the disclosure risk and preserving the statistical utility. Nevertheless, research is usually focused on how data utility is preserved, and much less research effort is dedicated to the study of the tools that an intruder might use to compromise the privacy of the data or, in other words, to increase the disclosure risk. Record linkage is a standard mechanism used to measure the disclosure risk of a microdata protection method. In this paper we present some improvements for the (standard) distance based record linkage. In particular, we test our improvements to evaluate the disclosure risk of rank swapping, which is higher than what was believed up to now. We will also present the results of the application of this approach to microaggregation.Anonymous subscription schemes : a flexible fonstruction for on-line services access
http://hdl.handle.net/2117/15611
Anonymous subscription schemes : a flexible fonstruction for on-line services access
González Vasco, Maria Isabel; Heidarvand, Somayed; Villar Santos, Jorge Luis
In traditional e-cash systems, the tradeoff between anonymity and fraud-detection is solved by hiding the identity of the user into the e-coin, and providing an additional triggering mechanism that opens this identity in case of double spending. Hence, fraud detection implies loss of anonymity. This seems to be a somewhat natural solution when universality of the e-coin is required (i.e., the use of the coin is not determined at the time the coin is generated). However, much simpler protocols may suffice if we only want to prevent that payments for accessing certain services are over-used, even when users' anonymity is perfectly preserved. In this paper we propose a simple and efficient Subscription Scheme, allowing a set of users to anonymously pay for and request access to different services offered by a number of service providers. In our approach, the use of the token is completely determined at issuing time, yet this final aim remains hidden to the issuing authority. Moreover, fraud detection here implies no loss of anonymity; as we make access tokens independent of the owner in a quite simple and efficient way. On the other hand, if different usages of the same token are allowed, these are fully traceable by the service providers.
2012-03-19T10:50:53ZGonzález Vasco, Maria IsabelHeidarvand, SomayedVillar Santos, Jorge LuisIn traditional e-cash systems, the tradeoff between anonymity and fraud-detection is solved by hiding the identity of the user into the e-coin, and providing an additional triggering mechanism that opens this identity in case of double spending. Hence, fraud detection implies loss of anonymity. This seems to be a somewhat natural solution when universality of the e-coin is required (i.e., the use of the coin is not determined at the time the coin is generated). However, much simpler protocols may suffice if we only want to prevent that payments for accessing certain services are over-used, even when users' anonymity is perfectly preserved. In this paper we propose a simple and efficient Subscription Scheme, allowing a set of users to anonymously pay for and request access to different services offered by a number of service providers. In our approach, the use of the token is completely determined at issuing time, yet this final aim remains hidden to the issuing authority. Moreover, fraud detection here implies no loss of anonymity; as we make access tokens independent of the owner in a quite simple and efficient way. On the other hand, if different usages of the same token are allowed, these are fully traceable by the service providers.A fair and abuse-free contract signing protocol from Boneh-Boyen signature
http://hdl.handle.net/2117/15610
A fair and abuse-free contract signing protocol from Boneh-Boyen signature
Heidarvand, Somayed; Villar Santos, Jorge Luis
A fair contract signing protocol is used to enable two mistrusted parties to exchange two signatures on a given contract, in such
a way that either both of them get the other party’s signature, or none of them gets anything. A new signature scheme is presented, which is a variant of Boneh and Boyen’s scheme, and building on it, we propose a new signature fair exchange protocol for which all the properties of being optimistic, setup-free and abuse-free can be proved without random oracles, and it is more efficient than the known schemes with comparable properties.
2012-03-19T10:22:07ZHeidarvand, SomayedVillar Santos, Jorge LuisA fair contract signing protocol is used to enable two mistrusted parties to exchange two signatures on a given contract, in such
a way that either both of them get the other party’s signature, or none of them gets anything. A new signature scheme is presented, which is a variant of Boneh and Boyen’s scheme, and building on it, we propose a new signature fair exchange protocol for which all the properties of being optimistic, setup-free and abuse-free can be proved without random oracles, and it is more efficient than the known schemes with comparable properties.