Sebastià Martín

Linear broadcast encryption schemes

A new family of broadcast encryption schemes, which will be called linear broadcast encryption schemes (LBESs), is presented in this paper by using linear algebraic techniques. This family generalizes most previous proposals and provides a general framework to the study of broadcast encryption schemes. We present a method to construct, for a general specification structure, LBESs with a good trade-off between the amount of secret information stored by every user and the length of the broadcast message. In this way, we are able to find schemes that fit in situations that have not been considered before.

Improving the trade-off between storage and communication in broadcast encryption schemes

The most important point in the design of broadcast encryption schemes (BESs) is to obtain a good trade-off between the amount of secret information that must be stored by every user and the length of the broadcast message, which are measured, respectively, by the information rate ρ and the broadcast information rate ρB. In this paper, we present a simple method to combine two given BESs in order to improve the trade-off between ρ and ρB by finding BESs with good information rate ρ for arbitrarily many different values of the broadcast information rate ρB. We apply this technique to threshold (R,T)-BESs and we present a method to obtain, for every rational value 1/R ≤ ρB ≤ 1, a (R,T)-BES with optimal information rate ρ among all (R,T)-BESs that can be obtained by combining two of the (R,T)-BESs proposed by Blundo et al. (Lecture Notes in Comput. Sci. 1190 (1996) 387-400).

Secret Sharing, Rank Inequalities, and Information Inequalities

Beimel and Orlov proved that all information inequalities on four or five variables, together with all information inequalities on more than five variables that are known to date, provide lower bounds on the size of the shares in secret sharing schemes that are at most linear on the number of participants. We present here another two negative results about the power of information inequalities in the search for lower bounds in secret sharing. First, we prove that all information inequalities on a bounded number of variables can only provide lower bounds that are polynomial on the number of participants. Second, we prove that the rank inequalities that are derived from the existence of two common informations can provide only lower bounds that are at most cubic in the number of participants.

Fujisaki–Okamoto hybrid encryption revisited

At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model, which has been extensively used in several cryptographic scenarios. The work we present here forms part of the careful revision of the provable security techniques initiated by Shoup in [25] insofar as we find some ambiguities in the proof of this generic conversion, which can lead to false claims. Consequently, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Furthermore, the concept of easily verifiable primitive is formalized, showing its connection with the gap problems introduced in [18]. Using these ideas, a completely new security proof for the modified transformation is given, which is phrased using currently widely accepted techniques. The reduction thereby obtained turns out to be tight, enhancing the concrete security claimed in the original work for the easily verifiable primitives. For the remaining primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed.

Improving the Linear Programming Technique in the Search for Lower Bounds in Secret Sharing.

We present a new improvement in the linear programming technique to derive lower bounds on the information ratio of secret sharing schemes. We obtain non-Shannon-type bounds without using information inequalities explicitly. Our new technique makes it possible to determine the optimal information ratio of linear secret sharing schemes for all access structures on 5 participants and all graph-based access structures on 6 participants. In addition, new lower bounds are presented also for some small matroid ports and, in particular, the optimal information ratios of the linear secret sharing schemes for the ports of the Vamos matroid are determined.

Easy Verifiable Primitives and Practical Public Key Cryptosystems

At Crypto’99, Fujisaki and Okamoto [8] presented a nice generic transformation from weak asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model. Two specific candidates for standardization were designed from this transformation: PSEC-2 [14] and EPOC-2 [7], based on El Gamal and Okamoto-Uchiyama primitives, respectively. Since then, several cryptanalysis of EPOC have been published, one in the Chosen Ciphertext Attack game, and others making use of a poor implementation that is vulnerable to reject timing attacks. The aim of this work is to prevent such attacks from generic transformation by identifying the properties that an asymmetric scheme must have in order to obtain a secure hybrid scheme. To achieve this, some ambiguities in the proof of the generic transformation [8] which could lead to false claims are described. As a result, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Secondly, the concept of Easy Verifiable Primitive is formalized, showing its connection with Gap problems. Using these ideas, a new security proof for the modified transformation is given. The good news is that the reduction is tight, improving the concrete security claimed in the original work for the Easy Verifiable Primitives. For the rest of primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the new conversion’s resistance to reject timing attacks is addressed.

Linear threshold multisecret sharing schemes

In a multisecret sharing scheme, several secret values are distributed among a set of n users, and each secret may have a different associated access structure. We consider here unconditionally secure schemes with multithreshold access structures. Namely, for every subset P of k users there is a secret key that can only be computed when at least t of them put together their secret information. Coalitions with at most w users with less than t of them in P cannot obtain any information about the secret associated to P . The main parameters to optimize are the length of the shares and the amount of random bits that are needed to set up the distribution of shares, both in relation to the length of the secret. In this paper, we provide lower bounds on this parameters. Moreover, we present an optimal construction for t = 2 and k = 3, and a construction that is valid for all w, t, k and n. The models presented use linear algebraic techniques.

Computing the order of points on an elliptic curve modulo N is as difficult as factoring N

Abstract Given a square-free integer N , the group of points on an elliptic curve over the ring Z N is defined in the natural way. We prove that computing the order of points on elliptic curves over Z N is as difficult as factoring N , in the sense of randomly polynomial time reduction. Therefore, cryptosystems based on the difficulty of computing the order of points on elliptic curves over the ring Z N will be at least as robust as those based on the difficulty of factoring N .

A provably secure elliptic curve scheme with fast encryption

We present a new elliptic curve cryptosystem with fast encryption and key generation, which is provably secure against passive adversaries in the standard model. The scheme uses arithmetic modulo n2, where n is an RSA modulus, and merges ideas from Paillier and Rabin related schemes. Despite the typical bit length of n, our encryption algorithm is the fastest elliptic curve based encryption algorithm to the best of our knowledge, even faster than El Gamal elliptic curve encryption. The one-wayness (OW-CPA) of the new cryptosystem is as hard as factoring n while the semantic security (IND-CPA) is proved under a reasonable decisional assumption. Two new length-preserving trapdoor permutations equivalent to factoring are also described.

A Linear Algebraic Approach to Metering Schemes

A metering scheme is a method by which an audit agency is able to measure the interaction between servers and clients during a certain number of time frames. Naor and Pinkas (Vol. 1403 of LNCS, pp. 576–590) proposed metering schemes where any server is able to compute a proof (i.e., a value to be shown to the audit agency at the end of each time frame), if and only if it has been visited by a number of clients larger than or equal to some threshold h during the time frame. Masucci and Stinson (Vol. 1895 of LNCS, pp. 72–87) showed how to construct a metering scheme realizing any access structure, where the access structure is the family of all subsets of clients which enable a server to compute its proof. They also provided lower bounds on the communication complexity of metering schemes. In this paper we describe a linear algebraic approach to design metering schemes realizing any access structure. Namely, given any access structure, we present a method to construct a metering scheme realizing it from any linear secret sharing scheme with the same access structure. Besides, we prove some properties about the relationship between metering schemes and secret sharing schemes. These properties provide some new bounds on the information distributed to clients and servers in a metering scheme. According to these bounds, the optimality of the metering schemes obtained by our method relies upon the optimality of the linear secret sharing schemes for the given access structure.