Philippe Camacho

Short transitive signatures for directed trees

A transitive signature scheme allows us to sign a graph in such a way that, given signatures on edges (a,b) and (b,c), it is possible to compute the signature on edge (a,c) without the signers secret. Constructions for undirected graphs are known but the case of directed graphs remains open. A first solution for the particular case of directed trees (DTTS) was given by Yi at CT-RSA 2007. In Yis construction, the signature for an edge is O(n log(n logn)) bits long in the worst case where n is the number of nodes. A year later in Theoretical Computer Science 396, Neven proposed a simpler scheme where the signature size is reduced to O(n logn) bits. Although this construction is more efficient, O(n logn)-bit long signatures still remain impractical for large n. In this work, we propose a new DTTS scheme such that, for any value λ≥1 and security parameter κ: (a) edge signatures are only O(κλ) bits long, (b) signing or verifying an edge signature requires O(λ) cryptographic operations, and (c) computing (without the secret key) an edge signature in the transitive closure of the tree requires O(λn1/λ) cryptographic operations. To the best of our knowledge this is the first construction with such a trade off. Our construction relies on hashing with common-prefix proofs, a new variant of collision resistance hashing. A family

Strong Accumulators from Collision-Resistant Hashing

\cal H

On the impossibility of batch update for cryptographic accumulators

provides hashing with common-prefix proofs if for any

Fair exchange of short signatures without trusted third party

H \in \cal H

Evaluation of Chess Position by Modular Neural Network Generated by Genetic Algorithm

, given two strings X and Y equal up to position i, a prover can convince anyone that X[1..i] is a prefix of Y by sending only H(X),H(Y), and a small proof. We believe that this new primitive will lead to other interesting applications.

Asynchronous Provably-Secure Hidden Services.

Accumulator schemes were introduced in order to represent a large set of values as one short value called the accumulator. These schemes allow one to generate membership proofs, i.e. short witnesses that a certain value belongs to the set. In universal accumulator schemes, efficient proofs of non-membership can also be created. Li, Li and Xue [11], building on the work of Camenisch and Lysyanskaya [5], proposed an efficient accumulator scheme which relies on a trusted accumulator manager. Specifically, a manager that correctly performs accumulator updates. In this work we introduce the notion of strong universal accumulator schemeswhich are similar in functionality to universal accumulator schemes, but do not assume the accumulator manager is trusted. We also formalize the security requirements for such schemes. We then give a simple construction of a strong universal accumulator scheme which is provably secure under the assumption that collision-resistant hash functions exist. The weaker requirement on the accumulator manager comes at a price; our scheme is less efficient than known universal accumulator schemes -- the size of (non)membership witnesses is logarithmic in the size of the accumulated set in contrast to constant in the scheme of Camenisch and Lysyanskaya. Finally, we show how to use strong universal accumulators to solve a practical concern, the so called e-Invoice Factoring Problem.

Strong accumulators from collision-resistant hashing

A cryptographic accumulator is a scheme where a set of elements is represented by a single short value. This value, along with another value called witness, allows to prove membership into the set. If new values are added or existent values are deleted from the accumulator, then the accumulated value changes and the witnesses need to be updated. In their survey on accumulators [6], Fazio and Nicolosi noted that Camenisch and Lysyanskayas construction [3] was such that the time to update a witness after m changes to the accumulated value was proportional to m. They posed the question whether batch update was possible, namely if a cryptographic accumulator where the time to update witnesses is independent from the number of changes in the accumulated set exists. Recently, Wang et al. answered positively by giving a construction for an accumulator with batch update [9,10]. In this work, we show that the construction is not secure by exhibiting an attack. Moreover, we prove it cannot be fixed. If the accumulated value has been updated m times then the time to update a witness must be at least Ω(m) in the worst case.

Short Transitive Signatures for Directed Trees.

We propose a protocol to exchange Boneh-Boyen short signatures in a fair way and without relying on a trusted third party. Our protocol is quite practical and is the first of the sort to the best of our knowledge. Our construction uses a new non-interactive zero-knowledge (NIZK) argument to prove that a commitment is the encryption of a bit vector. We also design a NIZK argument to prove that a commitment to a bit vector v=(b1,b2,...,bκ) is such that ∑i∈[κ]bi2i−1=θ where θ is the discrete logarithm of some public value D=gθ. These arguments may be of independent interest.

On the Impossibility of Batch Update for Cryptographic Accumulators.

In this article we present our chess engine Tempo. One of the major difficulties for this type of program lies in the function for evaluating game positions. This function is composed of a large number of parameters which have to be determined and then adjusted. We propose an alternative which consists in replacing this function by an artificial neuron network (ANN). Without topological knowledge of this complex network, we use the evolutionist methods for its inception, thus enabling us to obtain, among other things, a modular network. Finally, we present our results: reproduction of the XOR function which validates the method used generation of an evaluation function

Asynchronous provably-secure hidden services.

The client-server architecture is one of the most widely used in the Internet for its simplicity and flexibility. In practice the server is assigned a public address so that its services can be consumed. This makes the server vulnerable to a number of attacks such as Distributed Denial of Service (DDoS), censorship from authoritarian governments or exploitation of software vulnerabilities.