暗号要素技術の一般的構成を介した高い安全性・高度な機能を備えた暗号要素技術の構成

Recent years have witnessed an active research on cryptographic primitives with complex functionality beyond simple encryption or authentication. A cryptographic primitive is required to be proposed together with a formal model of its usage and a rigorous proof of security under that model.This approach has suffered from the two drawbacks: (1) security models are defined in a very specific manner for each primitive, which situation causes the relationship between these security models not to be very clear, and (2) no comprehensive ways to confirm that a formal model of security really captures every possible scenarios in practice.This research relaxes these two drawbacks by the following approach: (1) By observing the fact that a cryptographic primitive A should be crucial for constructing another primitive B, we identify an easy-to-understand approach for constructing various cryptographic primitives.(2) Consider a situation in which there are closely related cryptographic primitives A and B, and the primitive A has no known security requirement that corresponds to some wellknown security requirement (b) for the latter primitive B.We argue that this situation suggests that this unknown security requirement for A can capture some practical attack. This enables us to detect unknown threats for various cryptographic primitives that have been missed bythe current security models.Following this approach, we identify an overlooked security threat for a cryptographic primitive called group signature. Furthermore, we apply the methodology (2) to the “revocable”group signature and obtain a new extension of public-key encryption which allows to restrict a plaintext that can be securely encrypted.通常の暗号化や認証にとどまらず, 複雑な機能を備えた暗号要素技術の提案が活発になっている. 暗号要素技術の安全性は利用形態に応じて, セキュリティ上の脅威をモデル化して安全性要件を定め, 新方式はそれぞれ安全性定義を満たすことの証明と共に提案される.既存研究では, 次の問題があった: (1) 要素技術ごとに個別に安全性の定義を与えているため, 理論的な体系化が不十分であった. (2) 安全性定義が実用上の脅威を完全に捉えきれているかの検証が難しかった.本研究は上記の問題を次の考え方で解決する. (1) ある要素技術(A) を構成するには別の要素技術(B) を部品として用いることが不可欠であることに注目し, 各要素技術の安全性要件の関連を整理・体系化して, 新方式を見通し良く構成可能とする. (2) 要素技術(B)で考慮されていた安全性要件(b) に対応する要素技術(A) の安全性要件が未定義なら, それを(A) の新たな安全性要件(a) として定式化する. これにより未知の脅威の検出が容易になる.グループ署名と非対話開示機能付き公開鍵暗号という2 つの要素技術について上記の考え方を適用して, グループ署名について未知の脅威を指摘する.また, 証明書失効機能と呼ばれる拡張機能を持つグループ署名に上記の考え方を適用して, 公開鍵暗号についての新たな拡張機能である, 暗号化できる平文を制限できる公開鍵暗号の効率的な構成法を明らかにする.電気通信大学201

Flexible Long-Term Secure Archiving

Privacy and data protection have always been basic human needs in any society that makes use of written language. From simple personal correspondence over military communication to trade secrets or medical information, confidentiality has been of utmost importance. The implications of a leak of such sensitive information may prove devastating, as the previous examples illustrate perfectly. Furthermore reliability, that is, integrity and authenticitiy of information, is critical with risks reaching from annoying to lethal as can again be seen in the previous examples. This need for data protection has carried over from the analogue to the digital age seamlessly with the amount of data being generated, transmitted and stored increasing steadily and containing more and more personal details. And in regard of the developments in computational technology that recent years have seen, such as the ongoing improvements with respect to quantum computing as well as cryptoanalytical advances, the capabilities of attackers on the security of private information have never been more distinct. Thus the need for privacy and data protection has rarely been more dire

Foundations of Data Availability Sampling

Towards building more scalable blockchains, an approach known as data availability sampling (DAS) has emerged over the past few years. Even large blockchains like Ethereum are planning to eventually deploy DAS to improve their scalability. In a nutshell, DAS allows the participants of a network to ensure the full availability of some data without any one participant downloading it entirely. Despite the significant practical interest that DAS has received, there are currently no formal definitions for this primitive, no security notions, and no security proofs for any candidate constructions. For a cryptographic primitive that may end up being widely deployed in large real-world systems, this is a rather unsatisfactory state of affairs. In this work, we initiate a cryptographic study of data availability sampling. To this end, we define data availability sampling precisely as a clean cryptographic primitive. Then, we show how data availability sampling relates to erasure codes. We do so by defining a new type of commitment schemes which naturally generalizes vector commitments and polynomial commitments. Using our framework, we analyze existing constructions and prove them secure. In addition, we give new constructions which are based on weaker assumptions, computationally more efficient, and do not rely on a trusted setup, at the cost of slightly larger communication complexity. Finally, we evaluate the trade-offs of the different constructions

Probabilistic Arguments in Mathematics

This thesis addresses a question that emerges naturally from some observations about contemporary mathematical practice. Firstly, mathematicians always demand proof for the acceptance of new results. Secondly, the ability of mathematicians to tell if a discourse gives expression to a proof is less than perfect, and the computers they use are subject to a variety of hardware and software failures. So false results are sometimes accepted, despite insistence on proof. Thirdly, over the past few decades, researchers have also developed a variety of methods that are probabilistic in nature. Even if carried out perfectly, these procedures only yield a conclusion that is very likely to be true. In some cases, these chances of error are precisely specifiable and can be made as small as desired. The likelihood of an error arising from the inherently uncertain nature of these probabilistic algorithms can therefore be made vanishingly small in comparison to the chances of an error arising when implementing an equivalent deductive algorithm. Moreover, the structure of probabilistic algorithms tends to minimise these Implementation Errors too. So overall, probabilistic methods are sometimes more reliable than deductive ones. This invites the question: ‘Are mathematicians rational in continuing to reject these probabilistic methods as a means of establishing mathematical claims?

LIPIcs, Volume 261, ICALP 2023, Complete Volume

LIPIcs, Volume 261, ICALP 2023, Complete Volum