Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (lattice ringct v1.0)

Proceedings of Information Security and Privacy - 23rd Australasian Conference, ACISP 2018, Wollongong, NSW, Australia, July 11-13, 2018info:eu-repo/semantics/publishe

(Quantum) Collision Attacks on Reduced Simpira v2

Simpira v2 is an AES-based permutation proposed by Gueron and Mouha at ASIACRYPT 2016. In this paper, we build an improved MILP model to count the differential and linear active Sboxes for Simpira v2, which achieves tighter bounds of the minimum number of active Sboxes for a few versions of Simpira v2. Then, based on the new model, we find some new truncated differentials for Simpira v2 and give a series (quantum) collision attacks on two versions of reduced Simpira v2

Lattice-Based Linkable Ring Signature in the Standard Model

Ring signatures enable a user to sign messages on behalf of an arbitrary set of users, called the ring. The anonymity property guarantees that the signature does not reveal which member of the ring signed the message. The notion of linkable ring signatures (LRS) is an extension of the concept of ring signatures such that there is a public way of determining whether two signatures have been produced by the same signer. Lattice-based LRS is an important and active research line since lattice-based cryptography has attracted more attention due to its distinctive features, especially the quantum-resistant. However, all the existing lattice-based LRS relied on random oracle heuristics, i.e., no lattice-based LRS in the standard model has been introduced so far. In this paper, we present a lattice-based LRS scheme in the standard model. Toward our goal, we present a lattice basis extending algorithm which is the key ingredient in our construction, that may be of indepen- dent interes

The MILP-Aided Conditional Differential Attack and Its Application to Trivium

Conditional differential attacks were proposed by Knellwolf et al. at ASIACRYPT 2010 which targeted at cryptographic primitives based on non-linear feedback shift registers. The main idea of conditional differential attacks lies in controlling the propagation of a difference through imposing some conditions on public/key variables. In this paper, we improve the conditional differential attack by introducing the mixed integer linear programming (MILP) method to it. Let $J=\{f_i(\boldsymbol{x},\boldsymbol{v})=\gamma_i| 1\le i\le N\}$ be a set of conditions that we want to impose, where $\boldsymbol{x}=(x_1,x_2,\ldots,x_n)$ (resp. $\boldsymbol{v}=(v_1,v_2,\ldots,v_n)$) represents key (resp. public) variables and $\gamma_i \in\{0,1\}$ needs evaluating. Previous automatic conditional differential attacks evaluate $\gamma_1,\gamma_2,\ldots,\gamma_N$ just in order with the preference to zero. Based on the MILP method, conditions in $J$ could be automatically analysed together. In particular, to enhance the effect of conditional differential attacks, in our MILP models, we are concerned with minimizing the number of 1\u27s in $\{\gamma_1,\gamma_2,\ldots,\gamma_N\}$ and maximizing the number of weak keys. ~~~We apply our method to analyse the security of Trivium. As a result, key-recovery attacks are preformed up to the 978-round Trivium and non-randomness is detected up to the 1108-round Trivium of its 1152 rounds both in the weak-key setting. All the results are the best known so far considering the number of rounds and could be experimentally verified. Hopefully, the new method would provide insights on conditional differential attacks and the security evaluation of Trivium

ROYALE: A Framework for Universally Composable Card Games with Financial Rewards and Penalties Enforcement

While many tailor made card game protocols are known, the vast majority of those suffer from three main issues: lack of mechanisms for distributing financial rewards and punishing cheaters, lack of composability guarantees and little flexibility, focusing on the specific game of poker. Even though folklore holds that poker protocols can be used to play any card game, this conjecture remains unproven and, in fact, does not hold for a number of protocols (including recent results). We both tackle the problem of constructing protocols for general card games and initiate a treatment of such protocols in the Universal Composability (UC) framework, introducing an ideal functionality that captures general card games constructed from a set of core card operations. Based on this formalism, we introduce Royale, the first UC-secure general card games which supports financial rewards/penalties enforcement. We remark that Royale also yields the first UC-secure poker protocol. Interestingly, Royale performs better than most previous works (that do not have composability guarantees), which we highlight through a detailed concrete complexity analysis and benchmarks from a prototype implementation

New Conditional Privacy-preserving Encryption Schemes in Communication Network

Nowadays the communication networks have acted as nearly the most important fundamental infrastructure in our human society. The basic service provided by the communication networks are like that provided by the ubiquitous public utilities. For example, the cable television network provides the distribution of information to its subscribers, which is much like the water or gas supply systems which distribute the commodities to citizens. The communication network also facilitates the development of many network-based applications such as industrial pipeline controlling in the industrial network, voice over long-term evolution (VoLTE) in the mobile network and mixture reality (MR) in the computer network, etc. Since the communication network plays such a vital role in almost every aspect of our life, undoubtedly, the information transmitted over it should be guarded properly. Roughly, such information can be categorized into either the communicated message or the sensitive information related to the users. Since we already got cryptographical tools, such as encryption schemes, to ensure the confidentiality of communicated messages, it is the sensitive personal information which should be paid special attentions to. Moreover, for the benefit of reducing the network burden in some instances, it may require that only communication information among legitimated users, such as streaming media service subscribers, can be stored and then relayed in the network. In this case, the network should be empowered with the capability to verify whether the transmitted message is exchanged between legitimated users without leaking the privacy of those users. Meanwhile, the intended receiver of a transmitted message should be able to identify the exact message sender for future communication. In order to cater to those requirements, we re-define a notion named conditional user privacy preservation. In this thesis, we investigate the problem how to preserve user conditional privacy in pubic key encryption schemes, which are used to secure the transmitted information in the communication networks. In fact, even the term conditional privacy preservation has appeared in existing works before, there still have great differences between our conditional privacy preservation definition and the one proposed before. For example, in our definition, we do not need a trusted third party (TTP) to help tracing the sender of a message. Besides, the verification of a given encrypted message can be done without any secret. In this thesis, we also introduce more desirable features to our redefined notion user conditional privacy preservation. In our second work, we consider not only the conditional privacy of the message sender but also that of the intended message receiver. This work presents a new encryption scheme which can be implemented in communication networks where there exists a blacklist containing a list of blocked communication channels, and each of them is established by a pair of sender and receiver. With this encryption scheme, a verifier can confirm whether one ciphertext is belonging to a legitimated communication channel without knowing the exact sender and receiver of that ciphertext. With our two previous works, for a given ciphertext, we ensure that no one except its intended receiver can identify the sender. However, the receiver of one message may behave dishonest when it tries to retrieve the real message sender, which incurs the problem that the receiver of a message might manipulate the origin of the message successfully for its own benefit. To tackle this problem, we present a novel encryption scheme in our third work. Apart from preserving user conditional privacy, this work also enforces the receiver to give a publicly verifiable proof so as to convince others that it is honest during the process of identifying the actual message sender. In our forth work, we show our special interest in the access control encryption, or ACE for short, and find this primitive can inherently achieve user conditional privacy preservation to some extent. we present a newly constructed ACE scheme in this work, and our scheme has advantages over existing ACE schemes in two aspects. Firstly, our ACE scheme is more reliable than existing ones since we utilize a distributed sanitizing algorithm and thus avoid the so called single point failure happened in ACE systems with only one sanitizer. Then, since the ciphertext and key size of our scheme is more compact than that of the existing ACE schemes, our scheme enjoys better scalability

マルチパーティー計算の効率的な構成と実装

電気通信大学201