Articles de revista
http://hdl.handle.net/2117/3529
Wed, 21 Mar 2018 03:39:47 GMT2018-03-21T03:39:47ZOn the information ratio of non-perfect secret sharing schemes
http://hdl.handle.net/2117/114396
On the information ratio of non-perfect secret sharing schemes
Farràs Ventura, Oriol; Hansen, Torben; Kaced, Tarik; Padró Laimon, Carles
A secret sharing scheme is non-perfect if some subsets of players that cannot recover the secret value have partial information about it. The information ratio of a secret sharing scheme is the ratio between the maximum length of the shares and the length of the secret. This work is dedicated to the search of bounds on the information ratio of non-perfect secret sharing schemes and the construction of efficient linear non-perfect secret sharing schemes. To this end, we extend the known connections between matroids, polymatroids and perfect secret sharing schemes to the non-perfect case. In order to study non-perfect secret sharing schemes in all generality, we describe their structure through their access function, a real function that measures the amount of information on the secret value that is obtained by each subset of players. We prove that there exists a secret sharing scheme for every access function. Uniform access functions, that is, access functions whose values depend only on the number of players, generalize the threshold access structures. The optimal information ratio of the uniform access functions with rational values has been determined by Yoshida, Fujiwara and Fossorier. By using the tools that are described in our work, we provide a much simpler proof of that result and we extend it to access functions with real values.
The final publication is available at Springer via http://dx.doi.org/10.1007/s00453-016-0217-9
Fri, 23 Feb 2018 09:46:09 GMThttp://hdl.handle.net/2117/1143962018-02-23T09:46:09ZFarràs Ventura, OriolHansen, TorbenKaced, TarikPadró Laimon, CarlesA secret sharing scheme is non-perfect if some subsets of players that cannot recover the secret value have partial information about it. The information ratio of a secret sharing scheme is the ratio between the maximum length of the shares and the length of the secret. This work is dedicated to the search of bounds on the information ratio of non-perfect secret sharing schemes and the construction of efficient linear non-perfect secret sharing schemes. To this end, we extend the known connections between matroids, polymatroids and perfect secret sharing schemes to the non-perfect case. In order to study non-perfect secret sharing schemes in all generality, we describe their structure through their access function, a real function that measures the amount of information on the secret value that is obtained by each subset of players. We prove that there exists a secret sharing scheme for every access function. Uniform access functions, that is, access functions whose values depend only on the number of players, generalize the threshold access structures. The optimal information ratio of the uniform access functions with rational values has been determined by Yoshida, Fujiwara and Fossorier. By using the tools that are described in our work, we provide a much simpler proof of that result and we extend it to access functions with real values.An algebraic framework for Diffie-Hellman assumptions
http://hdl.handle.net/2117/113812
An algebraic framework for Diffie-Hellman assumptions
Escala Ribas, Alex; Herold, Gottfried; Kiltz, Eike; Rafols Salvador, Carla; Villar Santos, Jorge Luis
We put forward a new algebraic framework to generalize and analyze Di e-Hellman like Decisional Assumptions which allows us to argue about security and applications by considering only algebraic properties. Our D`;k-MDDH assumption states that it is hard to decide whether a vector in G` is linearly dependent of the columns of some matrix in G` k sampled according to distribution D`;k. It covers known assumptions such as DDH, 2-Lin (linear assumption), and k-Lin (the k-linear assumption). Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in m-linear groups to the irreducibility of certain polynomials which describe the output of D`;k. We use the hardness results to nd new distributions for which the D`;k-MDDH-Assumption holds generically in m-linear groups. In particular, our new assumptions 2-SCasc and 2-ILin are generically hard in bilinear groups and, compared to 2-Lin, have shorter description size, which is a relevant parameter for e ciency in many applications. These results support using our new assumptions as natural replacements for the 2-Lin Assumption which was already used in a large number of applications. To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any MDDH-Assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash-proof systems, pseudo-random functions, and Groth-Sahai NIZK and NIWI proofs. As an independent contribution we give more e cient NIZK and NIWI proofs for membership in a subgroup of G`. The results imply very signi cant e ciency improvements for a large number of schemes.
The final publication is available at Springer via http://dx.doi.org/10.1007/s00145-015-9220-6
Tue, 06 Feb 2018 13:34:48 GMThttp://hdl.handle.net/2117/1138122018-02-06T13:34:48ZEscala Ribas, AlexHerold, GottfriedKiltz, EikeRafols Salvador, CarlaVillar Santos, Jorge LuisWe put forward a new algebraic framework to generalize and analyze Di e-Hellman like Decisional Assumptions which allows us to argue about security and applications by considering only algebraic properties. Our D`;k-MDDH assumption states that it is hard to decide whether a vector in G` is linearly dependent of the columns of some matrix in G` k sampled according to distribution D`;k. It covers known assumptions such as DDH, 2-Lin (linear assumption), and k-Lin (the k-linear assumption). Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in m-linear groups to the irreducibility of certain polynomials which describe the output of D`;k. We use the hardness results to nd new distributions for which the D`;k-MDDH-Assumption holds generically in m-linear groups. In particular, our new assumptions 2-SCasc and 2-ILin are generically hard in bilinear groups and, compared to 2-Lin, have shorter description size, which is a relevant parameter for e ciency in many applications. These results support using our new assumptions as natural replacements for the 2-Lin Assumption which was already used in a large number of applications. To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any MDDH-Assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash-proof systems, pseudo-random functions, and Groth-Sahai NIZK and NIWI proofs. As an independent contribution we give more e cient NIZK and NIWI proofs for membership in a subgroup of G`. The results imply very signi cant e ciency improvements for a large number of schemes.Equivalences and black-box separations of Matrix Diffie-Hellman problems
http://hdl.handle.net/2117/113268
Equivalences and black-box separations of Matrix Diffie-Hellman problems
Villar Santos, Jorge Luis
In this paper we provide new algebraic tools to study the relationship between different Matrix Diffie-Hellman (MDDH) Problems, which are recently introduced as a natural generalization of the so-called Linear Problem. Namely, we provide an algebraic criterion to decide whether there exists a generic black-box reduction, and in many cases, when the answer is positive we also build an explicit reduction with the following properties: it only makes a single oracle call, it is tight and it makes use only of operations in the base group. It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing cer- tain multilinear map. Thus, we put the focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a suc- cessful reduction cannot decrease the amount of randomness used in the problem instance description). When comparing MDDH problems of the same size and number of pa- rameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative par- tial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other. The results given in the paper are limited by some technical restrictions in the shape of the matrices and in the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH Problems. Therefore, our results apply to all known instances of practical interest.
The final publication is available at link.springer.com
Fri, 26 Jan 2018 13:34:27 GMThttp://hdl.handle.net/2117/1132682018-01-26T13:34:27ZVillar Santos, Jorge LuisIn this paper we provide new algebraic tools to study the relationship between different Matrix Diffie-Hellman (MDDH) Problems, which are recently introduced as a natural generalization of the so-called Linear Problem. Namely, we provide an algebraic criterion to decide whether there exists a generic black-box reduction, and in many cases, when the answer is positive we also build an explicit reduction with the following properties: it only makes a single oracle call, it is tight and it makes use only of operations in the base group. It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing cer- tain multilinear map. Thus, we put the focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a suc- cessful reduction cannot decrease the amount of randomness used in the problem instance description). When comparing MDDH problems of the same size and number of pa- rameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative par- tial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other. The results given in the paper are limited by some technical restrictions in the shape of the matrices and in the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH Problems. Therefore, our results apply to all known instances of practical interest.Attribute-based encryption implies identity-based encryption
http://hdl.handle.net/2117/111526
Attribute-based encryption implies identity-based encryption
Herranz Sotoca, Javier
In this study, the author formally proves that designing attribute-based encryption schemes cannot be easier than designing identity-based encryption schemes. In more detail, they show how an attribute-based encryption scheme which admits, at least, and policies can be combined with a collision-resistant hash function to obtain an identity-based encryption scheme. Even if this result may seem natural, not surprising at all, it has not been explicitly written anywhere, as far as they know. Furthermore, it may be an unknown result for some people: Odelu et al. in 2016 and 2017 have proposed both an attribute-based encryption scheme in the discrete logarithm setting, without bilinear pairings, and an attribute-based encryption scheme in the RSA setting, both admitting and policies. If these schemes were secure, then by using the implication proved in this study, one would obtain secure identity-based encryption schemes in both the RSA and the discrete logarithm settings, without bilinear pairings, which would be a breakthrough in the area. Unfortunately, the author presents here complete attacks of the two schemes proposed by Odelu et al.
Mon, 04 Dec 2017 11:07:37 GMThttp://hdl.handle.net/2117/1115262017-12-04T11:07:37ZHerranz Sotoca, JavierIn this study, the author formally proves that designing attribute-based encryption schemes cannot be easier than designing identity-based encryption schemes. In more detail, they show how an attribute-based encryption scheme which admits, at least, and policies can be combined with a collision-resistant hash function to obtain an identity-based encryption scheme. Even if this result may seem natural, not surprising at all, it has not been explicitly written anywhere, as far as they know. Furthermore, it may be an unknown result for some people: Odelu et al. in 2016 and 2017 have proposed both an attribute-based encryption scheme in the discrete logarithm setting, without bilinear pairings, and an attribute-based encryption scheme in the RSA setting, both admitting and policies. If these schemes were secure, then by using the implication proved in this study, one would obtain secure identity-based encryption schemes in both the RSA and the discrete logarithm settings, without bilinear pairings, which would be a breakthrough in the area. Unfortunately, the author presents here complete attacks of the two schemes proposed by Odelu et al.On the optimization of bipartite secret sharing schemes
http://hdl.handle.net/2117/105969
On the optimization of bipartite secret sharing schemes
Farràs Ventura, Oriol; Metcalf-Burton, Jessica Ruth; Padró Laimon, Carles; Vázquez González, Leonor
Optimizing the ratio between the maximum length of the shares and the length of the secret value in secret sharing schemes for general access structures is an extremely difficult and long-standing open problem. In this paper, we study it for bipartite access structures, in which the set of participants is divided in two parts, and all participants in each part play an equivalent role. We focus on the search of lower bounds by using a special class of polymatroids that is introduced here, the tripartite ones. We present a method based on linear programming to compute, for every given bipartite access structure, the best lower bound that can be obtained by this combinatorial method. In addition, we obtain some general lower bounds that improve the previously known ones, and we construct optimal secret sharing schemes for a family of bipartite access structures.
Thu, 29 Jun 2017 08:25:56 GMThttp://hdl.handle.net/2117/1059692017-06-29T08:25:56ZFarràs Ventura, OriolMetcalf-Burton, Jessica RuthPadró Laimon, CarlesVázquez González, LeonorOptimizing the ratio between the maximum length of the shares and the length of the secret value in secret sharing schemes for general access structures is an extremely difficult and long-standing open problem. In this paper, we study it for bipartite access structures, in which the set of participants is divided in two parts, and all participants in each part play an equivalent role. We focus on the search of lower bounds by using a special class of polymatroids that is introduced here, the tripartite ones. We present a method based on linear programming to compute, for every given bipartite access structure, the best lower bound that can be obtained by this combinatorial method. In addition, we obtain some general lower bounds that improve the previously known ones, and we construct optimal secret sharing schemes for a family of bipartite access structures.Ideal hierarchical secret sharing schemes
http://hdl.handle.net/2117/105968
Ideal hierarchical secret sharing schemes
Farràs Ventura, Oriol; Padró Laimon, Carles
Hierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has attracted a lot of attention since the invention of secret sharing until nowadays. Several constructions of ideal hierarchical secret sharing schemes have been proposed, but it was not known what access structures admit such a scheme. We solve this problem by providing a natural definition for the family of the hierarchical access structures and, more importantly, by presenting a complete characterization of the ideal hierarchical access structures, that is, the ones admitting an ideal secret sharing scheme. Our characterization is based on the well known connection between ideal secret sharing schemes and matroids and, more specifically, on the connection between ideal multipartite secret sharing schemes and integer polymatroids. In particular, we prove that every hierarchical matroid port admits an ideal linear secret sharing scheme over every large enough finite field. Finally, we use our results to present a new proof for the existing characterization of the ideal weighted threshold access structures.
Thu, 29 Jun 2017 08:18:46 GMThttp://hdl.handle.net/2117/1059682017-06-29T08:18:46ZFarràs Ventura, OriolPadró Laimon, CarlesHierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has attracted a lot of attention since the invention of secret sharing until nowadays. Several constructions of ideal hierarchical secret sharing schemes have been proposed, but it was not known what access structures admit such a scheme. We solve this problem by providing a natural definition for the family of the hierarchical access structures and, more importantly, by presenting a complete characterization of the ideal hierarchical access structures, that is, the ones admitting an ideal secret sharing scheme. Our characterization is based on the well known connection between ideal secret sharing schemes and matroids and, more specifically, on the connection between ideal multipartite secret sharing schemes and integer polymatroids. In particular, we prove that every hierarchical matroid port admits an ideal linear secret sharing scheme over every large enough finite field. Finally, we use our results to present a new proof for the existing characterization of the ideal weighted threshold access structures.Finding lower bounds on the complexity of secret sharing schemes by linear programming
http://hdl.handle.net/2117/105967
Finding lower bounds on the complexity of secret sharing schemes by linear programming
Padró Laimon, Carles; Vázquez González, Leonor; Yang, An
Optimizing the maximum, or average, length of the shares in relation to the length of the secret for every given access structure is a difficult and long-standing open problem in cryptology. Most of the known lower bounds on these parameters have been obtained by implicitly or explicitly using that every secret sharing scheme defines a polymatroid related to the access structure. The best bounds that can be obtained by this combinatorial method can be determined by using linear programming, and this can be effectively done for access structures on a small number of participants.
By applying this linear programming approach, we improve some of the known lower bounds for the access structures on five participants and the graph access structures on six participants for which these parameters were still undetermined. Nevertheless, the lower bounds that are obtained by this combinatorial method are not tight in general. For some access structures, they can be improved by adding to the linear program non-Shannon information inequalities as new constraints. We obtain in this way new separation results for some graph access structures on eight participants and for some ports of non-representable matroids. Finally, we prove that, for two access structures on five participants, the combinatorial lower bound cannot be attained by any linear secret sharing scheme
Thu, 29 Jun 2017 07:37:30 GMThttp://hdl.handle.net/2117/1059672017-06-29T07:37:30ZPadró Laimon, CarlesVázquez González, LeonorYang, AnOptimizing the maximum, or average, length of the shares in relation to the length of the secret for every given access structure is a difficult and long-standing open problem in cryptology. Most of the known lower bounds on these parameters have been obtained by implicitly or explicitly using that every secret sharing scheme defines a polymatroid related to the access structure. The best bounds that can be obtained by this combinatorial method can be determined by using linear programming, and this can be effectively done for access structures on a small number of participants.
By applying this linear programming approach, we improve some of the known lower bounds for the access structures on five participants and the graph access structures on six participants for which these parameters were still undetermined. Nevertheless, the lower bounds that are obtained by this combinatorial method are not tight in general. For some access structures, they can be improved by adding to the linear program non-Shannon information inequalities as new constraints. We obtain in this way new separation results for some graph access structures on eight participants and for some ports of non-representable matroids. Finally, we prove that, for two access structures on five participants, the combinatorial lower bound cannot be attained by any linear secret sharing schemeSigncryption schemes with threshold unsigncryption, and applications
http://hdl.handle.net/2117/105873
Signcryption schemes with threshold unsigncryption, and applications
Herranz Sotoca, Javier; Ruiz, Alexandre; Sáez Moreno, Germán
The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.
The final publication is available at link.springer.com
Mon, 26 Jun 2017 15:08:46 GMThttp://hdl.handle.net/2117/1058732017-06-26T15:08:46ZHerranz Sotoca, JavierRuiz, AlexandreSáez Moreno, GermánThe goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.On the efficiency of revocation in RSA-based anonymous systems
http://hdl.handle.net/2117/104254
On the efficiency of revocation in RSA-based anonymous systems
Fueyo, María; Herranz Sotoca, Javier
The problem of revocation in anonymous authentication systems is subtle and has motivated a lot of work. One of the preferable solutions consists in maintaining either a whitelist L-W of non-revoked users or a blacklist L-B of revoked users, and then requiring users to additionally prove, when authenticating themselves, that they are in L-W (membership proof) or that they are not in L-B (non-membership proof). Of course, these additional proofs must not break the anonymity properties of the system, so they must be zero-knowledge proofs, revealing nothing about the identity of the users. In this paper, we focus on the RSA-based setting, and we consider the case of non-membership proofs to blacklists L = L-B. The existing solutions for this setting rely on the use of universal dynamic accumulators; the underlying zero-knowledge proofs are bit complicated, and thus their efficiency; although being independent from the size of the blacklist L, seems to be improvable. Peng and Bao already tried to propose simpler and more efficient zero-knowledge proofs for this setting, but we prove in this paper that their protocol is not secure. We fix the problem by designing a new protocol, and formally proving its security properties. We then compare the efficiency of the new zero-knowledge non-membership protocol with that of the protocol, when they are integrated with anonymous authentication systems based on RSA (notably, the IBM product Idemix for anonymous credentials). We discuss for which values of the size k of the blacklist L, one protocol is preferable to the other one, and we propose different ways to combine and implement the two protocols.
c) 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works."
Wed, 10 May 2017 09:52:33 GMThttp://hdl.handle.net/2117/1042542017-05-10T09:52:33ZFueyo, MaríaHerranz Sotoca, JavierThe problem of revocation in anonymous authentication systems is subtle and has motivated a lot of work. One of the preferable solutions consists in maintaining either a whitelist L-W of non-revoked users or a blacklist L-B of revoked users, and then requiring users to additionally prove, when authenticating themselves, that they are in L-W (membership proof) or that they are not in L-B (non-membership proof). Of course, these additional proofs must not break the anonymity properties of the system, so they must be zero-knowledge proofs, revealing nothing about the identity of the users. In this paper, we focus on the RSA-based setting, and we consider the case of non-membership proofs to blacklists L = L-B. The existing solutions for this setting rely on the use of universal dynamic accumulators; the underlying zero-knowledge proofs are bit complicated, and thus their efficiency; although being independent from the size of the blacklist L, seems to be improvable. Peng and Bao already tried to propose simpler and more efficient zero-knowledge proofs for this setting, but we prove in this paper that their protocol is not secure. We fix the problem by designing a new protocol, and formally proving its security properties. We then compare the efficiency of the new zero-knowledge non-membership protocol with that of the protocol, when they are integrated with anonymous authentication systems based on RSA (notably, the IBM product Idemix for anonymous credentials). We discuss for which values of the size k of the blacklist L, one protocol is preferable to the other one, and we propose different ways to combine and implement the two protocols.Efficient cryptosystems from 2k-th power residue symbols
http://hdl.handle.net/2117/103661
Efficient cryptosystems from 2k-th power residue symbols
Herranz Sotoca, Javier; Libert, Benoit; Joye, Marc; Benhamouda, Fabrice
Goldwasser and Micali (J Comput Syst Sci 28(2):270–299, 1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser–Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser–Micali cryptosystem using 2k-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for k=2 (the case k=1 corresponds exactly to the Goldwasser–Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function-based thereon.
Mon, 24 Apr 2017 10:25:48 GMThttp://hdl.handle.net/2117/1036612017-04-24T10:25:48ZHerranz Sotoca, JavierLibert, BenoitJoye, MarcBenhamouda, FabriceGoldwasser and Micali (J Comput Syst Sci 28(2):270–299, 1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser–Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser–Micali cryptosystem using 2k-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for k=2 (the case k=1 corresponds exactly to the Goldwasser–Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function-based thereon.