
    Colourings of cubic graphs inducing isomorphic monochromatic subgraphs

    A $k$-bisection of a bridgeless cubic graph $G$ is a $2$-colouring of its vertex set such that the colour classes have the same cardinality and all connected components in the two subgraphs induced by the colour classes (monochromatic components in what follows) have order at most $k$. Ban and Linial conjectured that every bridgeless cubic graph admits a $2$-bisection except for the Petersen graph. A similar problem for the edge set of cubic graphs has been studied: Wormald conjectured that every cubic graph $G$ with $|E(G)| \equiv 0 \pmod 2$ has a $2$-edge colouring such that the two monochromatic subgraphs are isomorphic linear forests (i.e. a forest whose components are paths). Finally, Ando conjectured that every cubic graph admits a bisection such that the two induced monochromatic subgraphs are isomorphic. In this paper, we give a detailed insight into the conjectures of Ban-Linial and Wormald and provide evidence of a strong relation of both of them with Ando's conjecture. Furthermore, we also give computational and theoretical evidence in their support. As a result, we pose some open problems stronger than the above mentioned conjectures. Moreover, we prove Ban-Linial's conjecture for cubic cycle permutation graphs. As a by-product of studying $2$-edge colourings of cubic graphs having linear forests as monochromatic components, we also give a negative answer to a problem posed by Jackson and Wormald about certain decompositions of cubic graphs into linear forests.

    Comment: 33 pages; submitted for publication

    Feedback Numbers of Goldberg Snark, Twisted Goldberg Snarks and Related Graphs

    A subset of vertices of a graph $G$ is called a feedback vertex set of $G$ if its removal results in an acyclic subgraph. The minimum cardinality of a feedback vertex set is called the feedback number. In this paper, we determine the exact values of the feedback numbers of the Goldberg snarks $G_n$ and their related graphs $G_n^*$, and of the twisted Goldberg snarks $TG_n$ and their related graphs $TG_n^*$. Let $f(n)$ denote the feedback number of these graphs; we prove that $f(n) = 2n + 1$ for $n \ge 3$.

    Imaginary Quadratic Class Groups and a Survey of Time-Lock Cryptographic Applications

    Imaginary quadratic class groups have been proposed as one of the main hidden-order group candidates for time-lock cryptographic applications such as verifiable delay functions (VDFs). They have the advantage over RSA groups that they do not need a trusted setup. However, they have historically been significantly less studied by the cryptographic research community. This survey provides an introduction to the theory of imaginary quadratic class groups and discusses several considerations that need to be taken into account for practical applications. In particular, we describe the relevant computational problems and the main classical and quantum algorithms that can be used to solve them. From this discussion, it follows that choosing a discriminant $\Delta = -p$ with $p \equiv 3 \pmod 4$ prime is one of the most promising ways to pick a class group $\mathrm{Cl}(\Delta)$ without the need for a trusted setup, while simultaneously making sure that there are no easy-to-find elements of low order in $\mathrm{Cl}(\Delta)$. We provide experimental data on class groups belonging to discriminants of this form, and compare them to the Cohen-Lenstra heuristics, which predict the average behaviour of $\mathrm{Cl}(\Delta)$ for a random fundamental discriminant. Afterwards, we describe the most prominent constructions of VDFs based on hidden-order groups, and discuss their soundness and sequentiality when implemented in imaginary quadratic class groups. Finally, we briefly touch upon the post-quantum security of VDFs in imaginary quadratic class groups, where the time one can use a fixed group is upper bounded by the runtime of quantum polynomial-time order computation algorithms.

    Unlocking the lookup singularity with Lasso

    This paper introduces Lasso, a new family of lookup arguments, which allow an untrusted prover to commit to a vector $a \in \mathbb{F}^m$ and prove that all entries of $a$ reside in some predetermined table $t \in \mathbb{F}^n$. Lasso's performance characteristics unlock the so-called lookup singularity. Lasso works with any multilinear polynomial commitment scheme, and provides the following efficiency properties. For $m$ lookups into a table of size $n$, Lasso's prover commits to just $m + n$ field elements. Moreover, the committed field elements are small, meaning that, no matter how big the field $\mathbb{F}$ is, they are all in the set $\{0, \dots, m\}$. When using a multiexponentiation-based commitment scheme, this results in the prover's costs being dominated by only $O(m + n)$ group operations (e.g., elliptic curve point additions), plus the cost to prove an evaluation of a multilinear polynomial whose evaluations over the Boolean hypercube are the table entries. This represents a significant improvement in prover costs over prior lookup arguments (e.g., plookup, Halo2's lookups, lookup arguments based on logarithmic derivatives). Unlike all prior lookup arguments, if the table $t$ is structured (in a precise sense that we define), then no party needs to commit to $t$, enabling the use of much larger tables than prior works (e.g., of size $2^{128}$ or larger). Moreover, Lasso's prover only pays in runtime for table entries that are accessed by the lookup operations. This applies to tables commonly used to implement range checks, bitwise operations, big-number arithmetic, and even transitions of a full-fledged CPU such as RISC-V. Specifically, for any integer parameter $c > 1$, Lasso's prover's dominant cost is committing to $3 \cdot c \cdot m + c \cdot n^{1/c}$ field elements. Furthermore, all these field elements are "small", meaning they are in the set $\{0, \dots, \max(m, n^{1/c}, q) - 1\}$, where $q$ is the maximum value in $a$. Lasso's starting point is Spark, a time-optimal polynomial commitment scheme for sparse polynomials in Spartan (CRYPTO 2020). We first provide a stronger security analysis for Spark. Spartan's security analysis assumed that certain metadata associated with a sparse polynomial is committed by an honest party (this is acceptable for its purpose in Spartan, but not for Lasso). We prove that Spark remains secure even when that metadata is committed by a malicious party. This provides the first standard commitment scheme for sparse multilinear polynomials with optimal prover costs. We then generalize Spark to directly support a lookup argument for both structured and unstructured tables, with the efficiency characteristics noted above.

    Additive-Homomorphic Functional Commitments and Applications to Homomorphic Signatures

    Functional Commitments (FC) allow one to reveal functions of committed data in a succinct and verifiable way. In this paper we put forward the notion of additive-homomorphic FC and show two efficient, pairing-based, realizations of this primitive supporting multivariate polynomials of constant degree and monotone span programs, respectively. We also show applications of the new primitive in the contexts of homomorphic signatures: we show that additive-homomorphic FCs can be used to realize homomorphic signatures (supporting the same class of functionalities as the underlying FC) in a simple and elegant way. Using our new FCs as underlying building blocks, this leads to the (seemingly) first expressive realizations of multi-input homomorphic signatures not relying on lattices or multilinear maps

    Vector commitments over rings and compressed Σ-protocols

    Compressed Σ-Protocol Theory (CRYPTO 2020) presents an "alternative" to Bulletproofs that achieves the same communication complexity while adhering more elegantly to existing Σ-protocol theory, which enables their techniques to be directly applicable to other widely used settings in the context of "plug & play" algorithmics. Unfortunately, their techniques are restricted to arithmetic circuits over prime fields, which rules out the possibility of using more machine-friendly moduli such as powers of 2, which have proven to improve efficiency in applications. In this work we show that such techniques can be generalized to the case of arithmetic circuits modulo any number. This enables the use of powers of 2, which can prove to be beneficial for efficiency, but it also facilitates the use of other moduli that might prove useful in different applications. In order to achieve this, we first present an instantiation of the main building block of the theory of compressed Σ-protocols, namely compact vector commitments. Our construction, which may be of independent interest, is homomorphic modulo any positive integer $m$, a result that was not known in the literature before. Second, we generalize Compressed Σ-Protocol Theory from finite fields to $\mathbb{Z}_m$. The main challenge here is ensuring that there are large enough challenge sets to fulfill the necessary soundness requirements, which is achieved by considering certain ring extensions. Our techniques have direct application, for example, to verifiable computation on homomorphically encrypted data.

    New (Zero-Knowledge) Arguments and Their Applications to Verifiable Computation

    We study the problem of argument systems, where a computationally weak verifier outsources the execution of a computation to a powerful but untrusted prover, while being able to validate that the result was computed correctly through a proof generated by the prover. In addition, the zero-knowledge property guarantees that the proof leaks no information about the potential secret input of the prover. Existing efficient zero-knowledge arguments with sublinear verification time require an expensive preprocessing phase that depends on a particular computation, and incur a large overhead in prover time and prover memory consumption. This thesis proposes new constructions for zero-knowledge arguments that overcome the above problems. The new constructions require only a one-time preprocessing and can be used to validate any computation later. They also reduce the overhead on the prover time and memory by orders of magnitude. We apply our new constructions to build a verifiable database system and verifiable RAM programs, leading to significant improvements over prior work.

    Security, Scalability and Privacy in Applied Cryptography

    In the modern digital world, cryptography finds its place in countless applications. However, as we increasingly use technology to perform potentially sensitive tasks, our actions and private data attract, more than ever, the interest of ill-intentioned actors. Due to the possible privacy implications of cryptographic flaws, new primitives' designs need to undergo rigorous security analysis and extensive cryptanalysis to foster confidence in their adoption. At the same time, implementations of cryptographic protocols should scale on a global level and be efficiently deployable on users' most common devices to widen the range of their applications. This dissertation will address the security, scalability and privacy of cryptosystems by presenting new designs and cryptanalytic results regarding blockchain cryptographic primitives and public-key schemes based on elliptic curves. In Part I, I will present the works I have done in regards to accumulator schemes. More precisely, in Chapter 2, I cryptanalyze Au et al.'s Dynamic Universal Accumulator, by showing some attacks which can completely take over the authority who manages the accumulator. In Chapter 3, I propose a design for an efficient and secure accumulator-based authentication mechanism, which is scalable, privacy-friendly, lightweight on the users' side, and suitable to be implemented on the blockchain. In Part II, I will report some cryptanalytical results on primitives employed or considered for adoption in top blockchain-based cryptocurrencies. In particular, in Chapter 4, I describe how the zero-knowledge proof system and the commitment scheme adopted by the privacy-friendly cryptocurrency Zcash contain multiple subliminal channels which can be exploited to embed several bytes of tagging information in users' private transactions. In Chapter 5, instead, I report the cryptanalysis of the Legendre PRF, employed in a new consensus mechanism considered for adoption by the blockchain-based platform Ethereum, and attacks for further generalizations of this pseudo-random function, such as the Higher-Degree Legendre PRF, the Jacobi Symbol PRF, and the Power-Residue PRF. Lastly, in Part III, I present my line of research on public-key primitives based on elliptic curves. In Chapter 6, I will describe a backdooring procedure for primes so that whenever they appear as divisors of a large integer, the latter can be efficiently factored. This technique, based on the Complex Multiplication theory of elliptic curves, makes it possible to eventually generate non-vulnerable certifiable semiprimes with unknown factorization in a multi-party computation setting, with no need to run a statistical semiprimality test common to other protocols. In Chapter 7, instead, I will report some attack optimizations and specific implementation design choices that allow breaking a reduced-parameters instance, proposed by Microsoft, of SIKE, a post-quantum key-encapsulation mechanism based on isogenies between supersingular elliptic curves.