5 research outputs found

    Optimal Data Authentication from Directed Transitive Signatures

    An authenticated dictionary of size $N$ is said to be optimal when an update operation or proof computation requires at most $O(\log N)$ accesses to the data structure, and the size of a proof is $O(1)$ with respect to $N$. In this note we show that an optimal authenticated dictionary (OAD) can be built using transitive signatures for directed graphs (DTS). As the existence of DTS and OAD are both still open, our result can be interpreted as follows: if optimal authenticated dictionaries do not exist, then transitive signatures for directed graphs do not exist either.

    Hard isogeny problems over RSA moduli and groups with infeasible inversion

    We initiate the study of computational problems on elliptic curve isogeny graphs defined over RSA moduli. We conjecture that several variants of the neighbor-search problem over these graphs are hard, and provide a comprehensive list of cryptanalytic attempts on these problems. Moreover, based on the hardness of these problems, we provide a construction of groups with infeasible inversion, where the underlying groups are the ideal class groups of imaginary quadratic orders. Recall that in a group with infeasible inversion, computing the inverse of a group element is required to be hard, while performing the group operation is easy. Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar (2003). Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only case of a group with infeasible inversion is implied by the much stronger primitive of self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). Our construction gives a candidate without using iO.

    Comment: Significant revision of the article previously titled "A Candidate Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the constructions by giving toy examples, added "The Parallelogram Attack" (Sec 5.3.2). 54 pages, 8 figures

    Short Transitive Signatures for Directed Trees

    A transitive signature scheme allows one to sign a graph in such a way that, given the signatures of edges $(a,b)$ and $(b,c)$, it is possible to compute the signature for the edge (or path) $(a,c)$ without the Signer's secret. Constructions for undirected graphs are known, but the case of directed graphs remains open. A first solution for the easier case of directed trees (DTTS) was given by Yi at CT-RSA 2007. In Yi's construction, the signature for an edge is $O(n (\log (n \log n)))$ bits long in the worst case. A year later, Neven designed a simpler scheme where the signature size is reduced to $O(n \log n)$ bits. Although Neven's construction is more efficient, handling $O(n \log n)$ still remains impractical for large $n$. In this work, we design a new DTTS scheme where for any value $\lambda \geq 1$ and security parameter $\kappa$, we have:

    * A signature for an edge is only $O(\kappa \lambda)$ bits long.
    * Signing or verifying the signature for an edge requires $O(\lambda)$ cryptographic operations.
    * Computing a signature for an edge requires $\lambda n^{1/\lambda}$ cryptographic operations.

    To the best of our knowledge this is the first construction with such a trade-off. In particular, we achieve $O(\kappa \log(n))$-bit signatures, as well as $O(\log(n))$ time to generate edge signatures, verify or even compute edge signatures. Our construction relies on hashing with common-prefix proofs, a new variant of collision-resistant hashing. A family HashFam is collision-resistant hashing with common-prefix proofs if for any $H \in$ HashFam, given two strings $X$ and $Y$ equal up to position $i$, a Combiner can convince a Verifier that $X[1..i]$ is a prefix of $Y$ by sending only $H(X)$, $H(Y)$, and a small proof. We believe that this new primitive will lead to other interesting applications.

    A simple transitive signature scheme for directed trees

    Transitive signatures allow a signer to authenticate edges in a graph, in such a way that anyone, given the public key and two signatures on adjacent edges (i,j) and (j,k), can compute a third signature on edge (i,k). A number of schemes have been proposed for undirected graphs, but the case of directed graphs remains an open problem. At CT-RSA 2007, Yi presented a scheme for directed trees based on RSA and a standard signature scheme. We present a new, conceptually simple, and generic construction from standard signatures only. Apart from not relying on any RSA-related security assumptions, our scheme outperforms that of Yi in both computation time and (worst-case) signature length. Our results indicate that the setting envisaged by Yi is much simpler than the general one of directed transitive signatures, which remains an open problem.