Revisiting the Uber Assumption in the Algebraic Group Model: Fine-Grained Bounds in Hidden-Order Groups and Improved Reductions in Bilinear Groups
We prove strong security guarantees for a wide array of computational and decisional problems, both in hidden-order groups and in bilinear groups, within the algebraic group model (AGM) of Fuchsbauer, Kiltz and Loss (CRYPTO '18). As our first contribution, we put forth a new fine-grained variant of the Uber family of assumptions in hidden-order groups. This family includes in particular the repeated squaring function of Rivest, Shamir and Wagner, which underlies their time-lock puzzle as well as the main known candidates for verifiable delay functions; and a computational variant of the generalized BBS problem, which underlies the timed commitments of Boneh and Naor (CRYPTO '00). We then provide two results within a variant of the AGM, which show that the hardness of solving problems in this family in a less-than-trivial number of steps is implied by well-studied assumptions. The first reduction may be applied in any group (and in particular, class groups), and is to the RSA assumption; and our second reduction is in RSA groups with a modulus which is the product of two safe primes, and is to the factoring assumption.
Additionally, we prove that the hardness of any computational problem in the Uber family of problems in bilinear groups is implied by the hardness of the q-discrete logarithm problem. The parameter q in our reduction is the maximal degree in which a variable appears in the polynomials which define the specific problem within the Uber family. This improves upon a recent result of Bauer, Fuchsbauer and Loss (CRYPTO '20), who obtained a similar implication but for a parameter q which is lower bounded by the maximal total degree of one of the above polynomials. We discuss the implications of this improvement to prominent group key-exchange protocols.
A Fully-Constructive Discrete-Logarithm Preprocessing Algorithm with an Optimal Time-Space Tradeoff
Identifying the concrete hardness of the discrete logarithm problem is crucial for instantiating a vast range of cryptographic schemes. Towards this goal, Corrigan-Gibbs and Kogan (EUROCRYPT '18) extended the generic-group model for capturing "preprocessing" algorithms, offering a tradeoff between the space S required for storing their preprocessing information, the time T required for their online phase, and their success probability. Corrigan-Gibbs and Kogan proved an upper bound of Õ(S T²/N) on the success probability of any such algorithm, where N is the prime order of the group, matching the known preprocessing algorithms.
However, the known algorithms assume the availability of truly random hash functions, without taking into account the space required for storing them as part of the preprocessing information, and the time required for evaluating them in essentially each and every step of the online phase. This led Corrigan-Gibbs and Kogan to pose the open problem of designing a discrete-logarithm preprocessing algorithm that is fully constructive in the sense that it relies on explicit hash functions whose description lengths and evaluation times are taken into account in the algorithm’s space-time tradeoff.
We present a fully constructive discrete-logarithm preprocessing algorithm with an asymptotically optimal space-time tradeoff (i.e., with success probability Ω̃(S T²/N)). In addition, we obtain an algorithm that settles the corresponding tradeoff for the computational Diffie-Hellman problem. Our approach is based on derandomization techniques that provide rather weak independence guarantees. On the one hand, we show that such guarantees can be realized in our setting with only a minor efficiency overhead. On the other hand, exploiting such weak guarantees requires a more subtle and in-depth analysis of the underlying combinatorial structure compared to that of the known preprocessing algorithms and their analyses.
Out-Of-Band Authenticated Group Key Exchange: From Strong Authentication to Immediate Key Delivery
Given the inherent ad-hoc nature of popular communication platforms, out-of-band authenticated key-exchange protocols are becoming widely deployed: Key exchange protocols that enable users to detect man-in-the-middle attacks by manually authenticating one short value. In this work we put forward the notion of immediate key delivery for such protocols, requiring that even if some users participate in the protocol but do not complete it (e.g., due to losing data connectivity or to other common synchronicity issues), then the remaining users should still agree on a shared secret. A property of a similar flavor was introduced by Alwen, Coretti and Dodis (EUROCRYPT '19) asking for immediate decryption of messages in user-to-user messaging while assuming that a shared secret has already been established - but the underlying issue is crucial already during the initial key exchange and goes far beyond the context of messaging.
Equipped with our immediate key delivery property, we formalize strong notions of security for out-of-band authenticated group key exchange, and demonstrate that the existing protocols either do not satisfy our notions of security or are impractical (these include, in particular, the protocols deployed by Telegram, Signal and WhatsApp). Then, based on the existence of any passively-secure key-exchange protocol (e.g., the Diffie-Hellman protocol), we construct an out-of-band authenticated group key-exchange protocol satisfying our notions of security. Our protocol is inspired by techniques that have been developed in the context of fair string sampling in order to minimize the effect of adversarial aborts, and offers the optimal tradeoff between the length of its out-of-band value and its security.
Going Beyond Counting First Authors in Author Co-citation Analysis
The present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed.
Variations on the Author
“Variations on the Author” discusses two of Eduardo Coutinho’s recent films (Um Dia na Vida, from 2010, and Últimas Conversas, posthumously released in 2015) and their contribution to the general question of documentary authorship. The director’s filmography is characterized by a consistent yet self-effacing form of authorial self-inscription: Coutinho often features as an interviewer who, rather than expressing opinions, propels discourses; an interviewer who is good at listening. This mode of self-inscription characterizes him as an author who is not expressive but who is nonetheless markedly present on the screen. In Um Dia na Vida, however, Coutinho is completely absent from the image, while Últimas Conversas, on the contrary, includes a confessional prologue that moves the director from the margins to the center of his films. This article examines the ways in which these works stand out in the filmography of a director who offers new insights into the notion of cinematic authorship.
Appropriate Similarity Measures for Author Cocitation Analysis
We provide a number of new insights into the methodological discussion about author cocitation analysis. We first argue that the use of the Pearson correlation for measuring the similarity between authors’ cocitation profiles is not very satisfactory. We then discuss what kind of similarity measures may be used as an alternative to the Pearson correlation. We consider three similarity measures in particular. One is the well-known cosine. The other two similarity measures have not been used before in the bibliometric literature. Finally, we show by means of an example that our findings have a high practical relevance.
Keywords: information science; Pearson correlation; cosine; similarity measure; author cocitation analysis
Post-Quantum Single Secret Leader Election (SSLE) from Publicly Re-Randomizable Commitments
A Single Secret Leader Election (SSLE) enables a group of parties to randomly choose exactly one leader from the group with the restriction that the identity of the leader will be known to the chosen leader and nobody else. At a later time, the elected leader should be able to publicly reveal her identity and prove that she is the elected leader. The election process itself should work properly even if many registered users are passive and do not send any messages. SSLE is used to strengthen the security of proof-of-stake consensus protocols by ensuring that the identity of the block proposer remains unknown until the proposer publishes a block. Boneh, Eskandarian, Hanzlik, and Greco (AFT'20) defined the concept of an SSLE and gave several constructions. Their most efficient construction is based on the difficulty of the Decision Diffie-Hellman problem in a cyclic group.
In this work we construct the first efficient SSLE protocols based on the standard Learning With Errors (LWE) problem on integer lattices, as well as the Ring-LWE problem. Both are believed to be post-quantum secure. Our constructions generalize the paradigm of Boneh et al. by introducing the concept of a re-randomizable commitment (RRC). We then construct several post-quantum RRC schemes from lattice assumptions and prove the security of the derived SSLE protocols. Constructing a lattice-based RRC scheme is non-trivial, and may be of independent interest.
Simple and Efficient Batch Verification Techniques for Verifiable Delay Functions
We study the problem of batch verification for verifiable delay functions (VDFs), focusing on proofs of correct exponentiation (PoCE), which underlie recent VDF constructions. We show how to compile any PoCE into a batch PoCE, offering significant savings in both communication and verification time. Concretely, given any PoCE with communication complexity , verification time and soundness error , and any pseudorandom function with key length and evaluation time , we construct:
-- A batch PoCE for verifying instances with communication complexity , verification time and soundness error , where is the security parameter, is an adjustable parameter that can take any integer value, and is the time required to evaluate the group operation in the underlying group.
This should be contrasted with the naive approach, in which the communication complexity and verification time are and , respectively. The soundness of this compiler relies only on the soundness of the underlying PoCE and the existence of one-way functions.
-- An improved batch PoCE based on the low order assumption. For verifying instances, the batch PoCE requires communication complexity and verification time , and has soundness error . The parameter can take any integer value, as long as it is hard to find group elements of order less than in the underlying group.
We discuss instantiations in which can be exponentially large in the security parameter .
If the underlying PoCE is constant round and public coin (as is the case for existing protocols), then so are all of our batch PoCEs. This implies that they can be made non-interactive using the Fiat-Shamir transform.
Additionally, for RSA groups with moduli which are the products of two safe primes, we show how to efficiently verify that certain elements are not of order . This protocol, together with the second compiler above and any (single-instance) PoCE in these groups, yields an efficient batch PoCE in safe RSA groups. To complete the picture, we also show how to extend Pietrzak's protocol (which is statistically sound in the group when is the product of two safe primes) to obtain a statistically-sound PoCE in safe RSA groups.
Goldreich-Krawczyk Revisited: A Note on the Zero Knowledge of Proofs of Knowledge
The seminal work of Goldreich and Krawczyk (SIAM Journal on Computing) shows that any constant-round public-coin interactive proof for languages not in cannot be black-box zero knowledge. Their result says nothing, however, about proofs (or arguments) of knowledge for languages in . As a special case, their work leaves open the question of whether Schnorr's protocol for proving knowledge of discrete logarithms in cyclic groups is black-box zero knowledge.
In this work we focus on the zero knowledge of proofs of knowledge, centering on Schnorr's protocol as a prominent example. We prove two lower bounds, ruling out two different classes of simulators through which Schnorr's protocol can be proven zero knowledge: We prove that if a relation has a public-coin interactive proof of knowledge that is black-box zero knowledge and this protocol is compatible with the Fiat-Shamir transform in the random oracle model, then must be efficiently searchable. As an immediate corollary, we deduce that Schnorr's protocol cannot be black-box zero knowledge in groups in which discrete log is hard. We define a new class of simulators for Schnorr's protocol, which we call generic simulators. A generic simulator is one that works in any cyclic group, and does not use the representation of the specific group in which Schnorr's protocol is instantiated. We prove that Schnorr's protocol cannot have generic simulators. As an additional contribution, we generalize the original lower bound of Goldreich and Krawczyk, to prove that a language not in cannot have an interactive proof (not necessarily of knowledge) that is both black-box zero knowledge and compatible with the Fiat-Shamir transform in the random oracle model. In conjunction with recent works, this extends the Goldreich-Krawczyk lower bound to public-coin protocols that are not constant-round but have round-by-round soundness, including the parallel repetition of any public-coin interactive proof.
