A Characterization of Chameleon Hash Functions and New, Efficient Designs
This paper shows that chameleon hash functions and Sigma protocols are equivalent. We provide a transform of any suitable Sigma protocol to a chameleon hash function, and also show that any chameleon hash function is the result of applying our transform to some suitable Sigma protocol. This enables us to unify previous designs of chameleon hash functions, seeing them all as emanating from a common paradigm, and also obtain new designs that are more efficient than previous ones. In particular, via a modified version of the Fiat-Shamir protocol, we obtain the fastest known chameleon hash function with a proof of security based on the STANDARD factoring assumption.
The increasing number of applications of chameleon hash functions, including on-line/off-line signing, chameleon signatures, designated-verifier signatures and conversion from weakly-secure to fully-secure signatures, makes our work of contemporary interest.
Energy Accounting and Optimization for Mobile Systems
Energy accounting determines how much a software process contributes to the total system energy consumption. It is the foundation for evaluating software and has been widely used by operating system based energy management. While various energy accounting policies have been tried, there is no known way to evaluate them directly simply because it is hard to track every hardware use by software in a heterogeneous multicore system like modern smartphones and tablets. This work provides the ground truth for energy accounting based on multi-player game theory and offers the first evaluation of existing energy accounting policies, revealing their important flaws. The proposed ground truth is based on Shapley value, a single value solution to multi-player games of which four axiomatic properties are natural and self-evident to energy accounting.
This work further provides a utility optimization formulation of energy management and shows, surprisingly, that energy accounting does not matter for existing energy management solutions that control the energy use of a process by giving it an energy budget, or budget based energy management (BEM). This work shows an optimal energy management (OEM) framework can always outperform BEM. While OEM does not require any form of energy accounting, it is related to Shapley value in that both require the system energy consumption for all possible combinations of processes under question.
This work reports a prototype implementation of both Shapley value-based energy accounting and OEM based scheduling. Using this prototype and smartphone workload, this work experimentally demonstrates how erroneous existing energy accounting policies can be, and shows that existing BEM solutions are unnecessarily complicated yet underperforming by 20% compared to OEM.
On-Line/Off-Line DCR-based Homomorphic Encryption and Applications
On-line/off-line encryption schemes enable the fast encryption of a message from a pre-computed coupon. The paradigm was put forward in the case of digital signatures.
This work introduces a compact public-key additively homomorphic encryption scheme. The scheme is semantically secure under the decisional composite residuosity (DCR) assumption. Compared to the Paillier cryptosystem, it merely requires one or two integer additions in the on-line phase and no increase in the ciphertext size. This work also introduces a compact on-line/off-line trapdoor commitment scheme featuring the same fast on-line phase. Finally, applications to chameleon signatures are presented.
Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes
Chameleon-hash functions, introduced by Krawczyk and Rabin at NDSS 2000, are trapdoor collision-resistant hash-functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash function can be efficiently found. Chameleon-hash functions have prominent applications in the design of cryptographic primitives, such as lifting non-adaptively secure signatures to adaptively secure ones. Recently, this primitive also received a lot of attention as a building block in more complex cryptographic applications ranging from editable blockchains to advanced signature and encryption schemes.
We observe that in the latter applications various different notions of collision-resistance are used, and it is not always clear if the respective notion does really cover what seems intuitively required by the application. Therefore, we revisit existing collision-resistance notions in the literature, study their relations, and - using the example of the recent redactable blockchain proposals - discuss which practical impact different notions of collision-resistance might have. Moreover, we provide a stronger, and arguably more desirable, notion of collision-resistance than what is known from the literature. Finally, we present a surprisingly simple and efficient black-box construction of chameleon-hash functions achieving this strong notion.
Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications
A chameleon-hash behaves like a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC ’17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; rather, the hashing party can decide if it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice.
Chameleon-Hashes with Ephemeral Trapdoors and Applications to Invisible Sanitizable Signatures
A chameleon-hash function is a hash function that involves a trapdoor the knowledge of which allows one to find arbitrary collisions in the domain of the function. In this paper, we introduce the notion of chameleon-hash functions with ephemeral trapdoors. Such hash functions feature additional, i.e., ephemeral, trapdoors which are chosen by the party computing a hash value. The holder of the main trapdoor is then unable to find a second pre-image of a hash value unless also provided with the ephemeral trapdoor used to compute the hash value. We present a formal security model for this new primitive as well as provably secure instantiations. The first instantiation is a generic black-box construction from any secure chameleon-hash function. We further provide three direct constructions based on standard assumptions. Our new primitive has some appealing use-cases, including a solution to the long-standing open problem of invisible sanitizable signatures, which we also present.
Blockchain Governance via Sharp Anonymous Multisignatures
Electronic voting has occupied a large part of the cryptographic protocols literature. The recent reality of blockchains---in particular their need for online governance mechanisms---has put new parameters and requirements to the problem. We identify the key requirements of a blockchain governance mechanism, namely correctness (including eliminating double votes), voter anonymity, and traceability, and investigate mechanisms that can achieve them with minimal interaction and under assumptions that fit the blockchain setting.
First, we define a signature-like primitive, which we term sharp anonymous multisignatures (in short, #AMS) that tightly meets the needs of blockchain governance. In a nutshell, #AMSs allow any set of parties to generate a signature, e.g., on a proposal to be voted-upon, which if posted on the blockchain hides the identities of the signers/voters, but reveals their number. This can be seen as a (strict) generalization of threshold ring signatures (TRS).
We next turn to constructing such #AMSs and using them in various governance scenarios---e.g., single vs. multiple vote per voter. To this direction, we observe that although the definition of TRS does not imply #AMS, one can compile some of the existing TRS constructions into #AMS. This raises the question: What is the TRS structure that allows such a compilation? To answer the above, we devise templates for TRSs. Our templates encapsulate and abstract the structure that allows for the above compilation---most of the TRS schemes that can be compiled into #AMS are, in fact, instantiations of our template. This abstraction makes our template generic for instantiating TRSs and #AMSs from different cryptographic assumptions (e.g., DDH, LWE, etc). One of our templates is based on chameleon hashing and we explore a framework of lossy chameleon hashes to fully understand its nature.
Finally, we turn to how #AMS schemes can be used in our applications. We provide fast (in some cases non-interactive) #AMS-based blockchain governance mechanisms for a wide spectrum of assumptions on the honesty (semi-honest vs malicious) and availability of voters and proposers.
Edge Directionality Improves Learning on Heterophilic Graphs
Graph Neural Networks (GNNs) have become the de-facto standard tool for modeling relational data. However, while many real-world graphs are directed, the majority of today's GNN models discard this information altogether by simply making the graph undirected. The reasons for this are historical: 1) many early variants of spectral GNNs explicitly required undirected graphs, and 2) the first benchmarks on homophilic graphs did not find significant gain from using direction. In this paper, we show that in heterophilic settings, treating the graph as directed increases the effective homophily of the graph, suggesting a potential gain from the correct use of directionality information. To this end, we introduce Directed Graph Neural Network (Dir-GNN), a novel general framework for deep learning on directed graphs. Dir-GNN can be used to extend any Message Passing Neural Network (MPNN) to account for edge directionality information by performing separate aggregations of the incoming and outgoing edges. We prove that Dir-GNN matches the expressivity of the Directed Weisfeiler-Lehman test, exceeding that of conventional MPNNs. In extensive experiments, we validate that while our framework leaves performance unchanged on homophilic datasets, it leads to large gains over base models such as GCN, GAT and GraphSage on heterophilic benchmarks, outperforming much more complex methods and achieving new state-of-the-art results.
On Adaptive Security of Delayed-Input Sigma Protocols and Fiat-Shamir NIZKs
We study adaptive security of delayed-input Sigma protocols and non-interactive zero-knowledge (NIZK) proof systems in the common reference string (CRS) model. Our contributions are threefold:
- We exhibit a generic compiler taking any delayed-input Sigma protocol and returning a delayed-input Sigma protocol satisfying adaptive-input special honest-verifier zero-knowledge (SHVZK). In case the initial Sigma protocol also satisfies adaptive-input special soundness, our compiler preserves this property.
- We revisit the recent paradigm by Canetti et al. (STOC 2019) for obtaining NIZK proof systems in the CRS model via the Fiat-Shamir transform applied to so-called trapdoor Sigma protocols, in the context of adaptive security. In particular, assuming correlation-intractable hash functions for all sparse relations, we prove that Fiat-Shamir NIZKs satisfy either:
(i) Adaptive soundness (and non-adaptive zero-knowledge), so long as the challenge is obtained by hashing both the prover’s first round and the instance being proven;
(ii) Adaptive zero-knowledge (and non-adaptive soundness), so long as the challenge is obtained by hashing only the prover’s first round, and further assuming that the initial trapdoor Sigma protocol satisfies adaptive-input SHVZK.
- We exhibit a generic compiler taking any Sigma protocol and returning a trapdoor Sigma protocol. Unfortunately, this transform does not preserve the delayed-input property of the initial Sigma protocol (if any). To complement this result, we also give yet another compiler taking any delayed-input trapdoor Sigma protocol and returning a delayed-input trapdoor Sigma protocol with adaptive-input SHVZK.
An attractive feature of our first two compilers is that they allow obtaining efficient delayed-input Sigma protocols with adaptive security, and efficient Fiat-Shamir NIZKs with adaptive soundness (and non-adaptive zero-knowledge) in the CRS model. Prior to our work, the latter was only possible using generic NP reductions.
- …