Journal articles
http://hdl.handle.net/2117/3529
Thu, 06 May 2021 15:22:13 GMT
http://hdl.handle.net/2117/338198
Improving the linear programming technique in the search for lower bounds in secret sharing
Farràs Ventura, Oriol; Kaced, Tarik; Martín Mollevi, Sebastià; Padró Laimon, Carles
We present a new improvement in the linear programming technique to derive lower bounds on the information ratio of secret sharing schemes. We obtain non-Shannon-type bounds without using information inequalities explicitly. Our new technique makes it possible to determine the optimal information ratio of linear secret sharing schemes for all access structures on 5 participants and all graph-based access structures on 6 participants. In addition, new lower bounds are also presented for some small matroid ports and, in particular, the optimal information ratios of the linear secret sharing schemes for the ports of the Vámos matroid are determined.
Wed, 10 Feb 2021 09:06:37 GMT
http://hdl.handle.net/2117/335791
Attacking pairing-free attribute-based encryption schemes
Herranz Sotoca, Javier
Combining several results that have been published in the last few years, it is known that it is impossible to design simple and secure attribute-based encryption schemes that work in (classical) settings like the RSA or the pairing-free discrete logarithm ones. The purpose of this article is to broadcast this message to a wide (maybe non-cryptographic) audience, especially now that attribute-based encryption is considered a useful tool to secure real systems like the Internet of Things. Today, only attribute-based encryption schemes that employ tools like bilinear pairings or lattices can provide some real (and provable) level of security. As an example of the fact that this message is still unknown to many people, we revisit a (maybe non-exhaustive) list of articles proposing such insecure attribute-based encryption schemes: we recall which of these schemes have already been attacked and we describe attacks on the other ones.
Fri, 22 Jan 2021 09:58:12 GMT
http://hdl.handle.net/2117/331222
Mixed integration of CDIO skills into telecommunication engineering curricula
Sayrol Clols, Elisa; Bragós Bardia, Ramon; Alarcón Cot, Eduardo José; Cabrera-Bean, Margarita; Calveras Augé, Anna M.; Comellas Colomé, Jaume; O'Callaghan Castellà, Juan Manuel; Pegueroles Vallés, Josep R.; Pla, Enrique; Prat Viñas, Lluís; Sáez Moreno, Germán; Sardà Ferrer, Joan; Tallon Montoro, Carme
Spain has been intensively involved in designing engineering curricula for the last two years, and next academic year all engineering schools will be deploying bachelor programmes adapted to the EHEA and to Spanish law. The different frameworks that set the conditions for the process of drawing up new curricula emphasize the use of competency-based learning and the insertion of certain generic skills within the structure of the new plans. At the School of Telecommunication Engineering of Barcelona, the CDIO initiative (Conceive-Design-Implement-Operate), first developed jointly by MIT and some Swedish universities, has been chosen as the paradigm for the design of the new engineering curricula. We used a mixed approach to integrate CDIO skills into the study plans. In this paper we explain the approach taken to include generic skills when designing new curricula.
Tue, 03 Nov 2020 14:50:27 GMT
http://hdl.handle.net/2117/131021
Secret sharing schemes for (k, n)-consecutive access structures
Herranz Sotoca, Javier; Sáez Moreno, Germán
We consider access structures over a set P of n participants, defined by a parameter k with 1 ≤ k ≤ n in the following way: a subset is authorized if it contains participants i, i+1, ..., i+k-1 for some i ∈ {1, ..., n-k+1}. We call such access structures, which may naturally appear in real applications involving distributed cryptography, (k, n)-consecutive. We prove that these access structures are ideal only when k ∈ {1, n-1, n}. In fact, we obtain the same result that has been obtained for other families of access structures: being ideal is equivalent to being a vector space access structure and is equivalent to having an optimal information rate strictly bigger than 2/3. For the non-ideal cases, we give either the exact value of the optimal information rate, for k = n-2 and k = n-3, or some bounds on it.
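As an added illustration (not code from the paper or its authors), the following Python script makes the definition above concrete: it decides membership in a (k, n)-consecutive access structure, lists its minimal authorized sets, and for the three ideal cases k ∈ {1, n-1, n} instantiates a one-field-element-per-share linear scheme over Z_p, then verifies, by exhausting every secret and every random tape over a small prime, that authorized sets reconstruct the secret and that unauthorized sets see a share distribution independent of it. The additive scheme used for k = n-1 is a standard construction chosen here for illustration and the prime p is a toy parameter; neither comes from the paper.

```python
from collections import Counter
from itertools import combinations, product


def is_authorized(subset, n, k):
    """A subset of {1..n} is authorized iff it contains i, i+1, ..., i+k-1
    for some i in {1, ..., n-k+1}: the (k, n)-consecutive access structure."""
    s = set(subset)
    return any(all(i + t in s for t in range(k)) for i in range(1, n - k + 2))


def minimal_authorized_sets(n, k):
    return [frozenset(range(i, i + k)) for i in range(1, n - k + 2)]


def has_ideal_scheme(n, k):
    """The paper's characterization: ideal iff k is 1, n-1 or n."""
    return k in (1, n - 1, n)


def randomness_length(n, k):
    """Number of uniform Z_p elements the dealer draws in share()."""
    if k == 1:
        return 0
    if k == n:
        return n - 1
    return n - 2


def share(secret, n, k, p, rng):
    """Ideal linear scheme over Z_p (one element per share) for k in {1, n-1, n}.
    Assumption: a standard additive construction picked for illustration, not
    the paper's own.  rng() must return a uniform element of Z_p."""
    if not has_ideal_scheme(n, k):
        raise ValueError("no ideal scheme exists for these parameters")
    if k == 1:                      # every singleton is authorized: hand out s
        return {i: secret % p for i in range(1, n + 1)}
    if k == n:                      # only the full set: additive n-out-of-n
        r = [rng() for _ in range(n - 1)]
        shares = {i + 1: r[i] for i in range(n - 1)}
        shares[n] = (secret - sum(r)) % p
        return shares
    # k == n-1: minimal authorized sets are {1..n-1} and {2..n}.  Participants
    # 2..n-1 hold independent masks; 1 and n both hold the masked secret, so a
    # set needs all the masks plus either endpoint.
    masks = {i: rng() for i in range(2, n)}
    masked = (secret - sum(masks.values())) % p
    shares = {1: masked, n: masked}
    shares.update(masks)
    return shares


def reconstruct(shares, subset, n, k, p):
    """Recover the secret from an authorized subset's shares."""
    if k == 1:
        return shares[min(subset)]
    if k == n:
        return sum(shares[i] for i in subset) % p
    endpoint = 1 if 1 in subset else n
    return (shares[endpoint] + sum(shares[i] for i in range(2, n))) % p


def check_scheme(n, k, p):
    """Exhaustively verify correctness and perfect privacy over Z_p: authorized
    sets always reconstruct; for unauthorized sets the multiset of share
    tuples over all random tapes is the same for every secret."""
    m = randomness_length(n, k)
    views = {}
    for secret in range(p):
        views[secret] = [share(secret, n, k, p, iter(tape).__next__)
                         for tape in product(range(p), repeat=m)]
    for size in range(n + 1):
        for subset in combinations(range(1, n + 1), size):
            if is_authorized(subset, n, k):
                for secret in range(p):
                    if any(reconstruct(v, subset, n, k, p) != secret
                           for v in views[secret]):
                        return False
            else:
                dists = [Counter(tuple(v[i] for i in subset) for v in views[s])
                         for s in range(p)]
                if any(d != dists[0] for d in dists):
                    return False
    return True


if __name__ == "__main__":
    # Toy prime p = 5; every share is one Z_p element, so the information ratio is 1.
    for n, k in [(4, 1), (4, 3), (4, 4)]:
        print(f"({k},{n})-consecutive, ideal scheme verified:", check_scheme(n, k, 5))
```

The privacy check is the brute-force version of the perfect-security condition: if the multiset of share tuples an unauthorized set observes is identical for every secret, those shares carry no information about it. It is feasible only for tiny parameters, which is why the script stays at n = 4 and p = 5.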
Fri, 29 Mar 2019 13:50:04 GMT
http://hdl.handle.net/2117/114396
On the information ratio of non-perfect secret sharing schemes
Farràs Ventura, Oriol; Hansen, Torben; Kaced, Tarik; Padró Laimon, Carles
A secret sharing scheme is non-perfect if some subsets of players that cannot recover the secret value have partial information about it. The information ratio of a secret sharing scheme is the ratio between the maximum length of the shares and the length of the secret. This work is dedicated to the search for bounds on the information ratio of non-perfect secret sharing schemes and to the construction of efficient linear non-perfect secret sharing schemes. To this end, we extend the known connections between matroids, polymatroids and perfect secret sharing schemes to the non-perfect case. In order to study non-perfect secret sharing schemes in full generality, we describe their structure through their access function, a real function that measures the amount of information on the secret value that is obtained by each subset of players. We prove that there exists a secret sharing scheme for every access function. Uniform access functions, that is, access functions whose values depend only on the number of players, generalize the threshold access structures. The optimal information ratio of the uniform access functions with rational values has been determined by Yoshida, Fujiwara and Fossorier. By using the tools that are described in our work, we provide a much simpler proof of that result and we extend it to access functions with real values.
The final publication is available at Springer via http://dx.doi.org/10.1007/s00453-016-0217-9
Fri, 23 Feb 2018 09:46:09 GMT
http://hdl.handle.net/2117/113812
An algebraic framework for Diffie-Hellman assumptions
Escala Ribas, Alex; Herold, Gottfried; Kiltz, Eike; Ràfols Salvador, Carla; Villar Santos, Jorge Luis
We put forward a new algebraic framework to generalize and analyze Diffie-Hellman-like decisional assumptions, which allows us to argue about security and applications by considering only algebraic properties. Our $\mathcal{D}_{\ell,k}$-MDDH assumption states that it is hard to decide whether a vector in $\mathbb{G}^{\ell}$ is linearly dependent on the columns of some matrix in $\mathbb{G}^{\ell \times k}$ sampled according to distribution $\mathcal{D}_{\ell,k}$. It covers known assumptions such as DDH, 2-Lin (the linear assumption), and k-Lin (the k-linear assumption). Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in m-linear groups to the irreducibility of certain polynomials which describe the output of $\mathcal{D}_{\ell,k}$. We use the hardness results to find new distributions for which the $\mathcal{D}_{\ell,k}$-MDDH assumption holds generically in m-linear groups. In particular, our new assumptions 2-SCasc and 2-ILin are generically hard in bilinear groups and, compared to 2-Lin, have a shorter description size, which is a relevant parameter for efficiency in many applications. These results support using our new assumptions as natural replacements for the 2-Lin assumption, which has already been used in a large number of applications. To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any MDDH assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash-proof systems, pseudo-random functions, and Groth-Sahai NIZK and NIWI proofs. As an independent contribution we give more efficient NIZK and NIWI proofs for membership in a subgroup of $\mathbb{G}^{\ell}$. The results imply very significant efficiency improvements for a large number of schemes.
The final publication is available at Springer via http://dx.doi.org/10.1007/s00145-015-9220-6
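To make the $\mathcal{D}_{\ell,k}$-MDDH definition above concrete, here is an added Python example (not code from the paper or its authors). It samples exponent matrices for the distributions the abstract names, builds real and random MDDH instances in a toy prime-order group using the paper's bracket notation $[x] = g^x$, and shows the two facts that reductions in this setting rely on: $[\mathbf{A}\mathbf{w}]$ can be computed from $[\mathbf{A}]$ and a clear $\mathbf{w}$ with group operations alone, and deciding whether $\mathbf{z}$ lies in the column span of $\mathbf{A}$ is trivial once the exponents are known, which a distinguisher never is. The group parameters are a constructed toy with no security; the matrix shapes for $\mathcal{L}_k$, $\mathcal{SC}_k$ and $\mathcal{IL}_k$ are recalled from the full paper rather than from this abstract.

```python
import secrets

# Toy prime-order group, constructed for this example only (far too small for
# any security): Q = 2P + 1 with P prime, and G = 4 generates the order-P
# subgroup of Z_Q^*.  Bracket notation from the paper: [x] = g^x.
Q = 2039
P = 1019
G = 4


def enc(x):
    """[x] = g^x in the toy group."""
    return pow(G, x % P, Q)


def rand_exp():
    return secrets.randbelow(P)


# Matrix distributions D_{l,k}, returned as (l x k) matrices of exponents.
# Shapes recalled from the full paper (the abstract does not spell them out).
def dist_L(k):
    """k-Lin: diag(a_1, ..., a_k) above an all-ones row; L_1 is plain DDH."""
    a = [rand_exp() for _ in range(k)]
    rows = [[a[i] if j == i else 0 for j in range(k)] for i in range(k)]
    rows.append([1] * k)
    return rows


def dist_SC(k):
    """k-SCasc: one parameter a on the diagonal and 1 on the subdiagonal."""
    a = rand_exp()
    return [[a if j == i else (1 if j == i - 1 else 0) for j in range(k)]
            for i in range(k + 1)]


def dist_IL(k):
    """k-ILin: diag(a, a+1, ..., a+k-1) above an all-ones row (one parameter)."""
    a = rand_exp()
    rows = [[(a + i) % P if j == i else 0 for j in range(k)] for i in range(k)]
    rows.append([1] * k)
    return rows


def dist_U(l, k):
    """Uniform l x k matrix over Z_p."""
    return [[rand_exp() for _ in range(k)] for _ in range(l)]


def matvec(A, w):
    return [sum(A[i][j] * w[j] for j in range(len(w))) % P for i in range(len(A))]


def mddh_instance(A, real):
    """Build ([A], [z]) with z = A w (real) or z uniform in Z_p^l (random).
    The exponents (A, z) are returned only as a trapdoor for checking."""
    l, k = len(A), len(A[0])
    if real:
        w = [rand_exp() for _ in range(k)]
        z = matvec(A, w)
    else:
        z = [rand_exp() for _ in range(l)]
    return [[enc(x) for x in row] for row in A], [enc(x) for x in z], (A, z)


def bracket_matvec(bracket_A, w):
    """[A w] from [A] and a clear w as the product of [A_ij]^{w_j}: the kind of
    base-group-only step a reduction between MDDH problems may perform."""
    out = []
    for row in bracket_A:
        acc = 1
        for g_ij, w_j in zip(row, w):
            acc = acc * pow(g_ij, w_j % P, Q) % Q
        out.append(acc)
    return out


def in_column_span(A, z):
    """Trapdoor decision with the exponents: Gaussian elimination over Z_p on
    [A | z]; z lies in the column span of A iff appending z keeps the rank."""
    l, k = len(A), len(A[0])
    aug = [list(A[i]) + [z[i]] for i in range(l)]

    def rank(cols):
        rows = [row[:cols] for row in aug]
        r = 0
        for c in range(cols):
            piv = next((i for i in range(r, l) if rows[i][c] % P), None)
            if piv is None:
                continue
            rows[r], rows[piv] = rows[piv], rows[r]
            inv = pow(rows[r][c], P - 2, P)
            rows[r] = [(x * inv) % P for x in rows[r]]
            for i in range(l):
                if i != r and rows[i][c] % P:
                    f = rows[i][c]
                    rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[r])]
            r += 1
        return r

    return rank(k) == rank(k + 1)


if __name__ == "__main__":
    A = dist_SC(2)                                   # 3 x 2, one secret exponent
    _, _, (A_exp, z_exp) = mddh_instance(A, real=True)
    print("real instance in span:", in_column_span(A_exp, z_exp))
    _, _, (A_exp, z_exp) = mddh_instance(A, real=False)
    print("random instance in span:", in_column_span(A_exp, z_exp))
```

With $\ell = 2$, $k = 1$ the instance $([\mathbf{A}], [\mathbf{z}]) = ((g^a, g), (g^{aw}, g^w))$ is the familiar DDH tuple, and a random $\mathbf{z}$ falls in the column span with probability $1/p$; the abstract's point about description size is visible in the samplers, since `dist_SC(2)` and `dist_IL(2)` draw a single exponent where `dist_L(2)` draws two.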
Tue, 06 Feb 2018 13:34:48 GMT
http://hdl.handle.net/2117/113268
Equivalences and black-box separations of Matrix Diffie-Hellman problems
Villar Santos, Jorge Luis
In this paper we provide new algebraic tools to study the relationship between different Matrix Diffie-Hellman (MDDH) problems, which were recently introduced as a natural generalization of the so-called Linear problem. Namely, we provide an algebraic criterion to decide whether there exists a generic black-box reduction, and in many cases, when the answer is positive, we also build an explicit reduction with the following properties: it makes only a single oracle call, it is tight, and it uses only operations in the base group. It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing a certain multilinear map. Thus, we put the focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a successful reduction cannot decrease the amount of randomness used in the problem instance description). When comparing MDDH problems of the same size and number of parameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative partial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other. The results given in the paper are limited by some technical restrictions on the shape of the matrices and on the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH problems. Therefore, our results apply to all known instances of practical interest.
The final publication is available at link.springer.com
Fri, 26 Jan 2018 13:34:27 GMT
http://hdl.handle.net/2117/111526
Attribute-based encryption implies identity-based encryption
Herranz Sotoca, Javier
In this study, the author formally proves that designing attribute-based encryption schemes cannot be easier than designing identity-based encryption schemes. In more detail, they show how an attribute-based encryption scheme which admits, at least, AND policies can be combined with a collision-resistant hash function to obtain an identity-based encryption scheme. Even if this result may seem natural and not surprising at all, it has not been explicitly written anywhere, as far as they know. Furthermore, it may be an unknown result for some people: Odelu et al. in 2016 and 2017 proposed both an attribute-based encryption scheme in the discrete logarithm setting, without bilinear pairings, and an attribute-based encryption scheme in the RSA setting, both admitting AND policies. If these schemes were secure, then by using the implication proved in this study, one would obtain secure identity-based encryption schemes in both the RSA and the discrete logarithm settings, without bilinear pairings, which would be a breakthrough in the area. Unfortunately, the author presents here complete attacks on the two schemes proposed by Odelu et al.
Mon, 04 Dec 2017 11:07:37 GMT
http://hdl.handle.net/2117/105969
On the optimization of bipartite secret sharing schemes
Farràs Ventura, Oriol; Metcalf-Burton, Jessica Ruth; Padró Laimon, Carles; Vázquez González, Leonor
Optimizing the ratio between the maximum length of the shares and the length of the secret value in secret sharing schemes for general access structures is an extremely difficult and long-standing open problem. In this paper, we study it for bipartite access structures, in which the set of participants is divided in two parts, and all participants in each part play an equivalent role. We focus on the search of lower bounds by using a special class of polymatroids that is introduced here, the tripartite ones. We present a method based on linear programming to compute, for every given bipartite access structure, the best lower bound that can be obtained by this combinatorial method. In addition, we obtain some general lower bounds that improve the previously known ones, and we construct optimal secret sharing schemes for a family of bipartite access structures.
Thu, 29 Jun 2017 08:25:56 GMT
http://hdl.handle.net/2117/105968
Ideal hierarchical secret sharing schemes
Farràs Ventura, Oriol; Padró Laimon, Carles
Hierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has attracted a lot of attention ever since the invention of secret sharing. Several constructions of ideal hierarchical secret sharing schemes have been proposed, but it was not known which access structures admit such a scheme. We solve this problem by providing a natural definition for the family of hierarchical access structures and, more importantly, by presenting a complete characterization of the ideal hierarchical access structures, that is, the ones admitting an ideal secret sharing scheme. Our characterization is based on the well-known connection between ideal secret sharing schemes and matroids and, more specifically, on the connection between ideal multipartite secret sharing schemes and integer polymatroids. In particular, we prove that every hierarchical matroid port admits an ideal linear secret sharing scheme over every large enough finite field. Finally, we use our results to present a new proof of the existing characterization of the ideal weighted threshold access structures.
Thu, 29 Jun 2017 08:18:46 GMT