29,244 research outputs found

    Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model

    Strongly unforgeable signature schemes provide a more stringent security guarantee than standard existential unforgeability. They require not only that forging a signature on a new message is hard, but also that it is infeasible to produce a new signature on a message for which the adversary has seen valid signatures before. Strongly unforgeable signatures are useful both in practice and as a building block in many cryptographic constructions. This work investigates a generic transformation that compiles any existential-unforgeable scheme into a strongly unforgeable one, which was proposed by Teranishi et al. and was proven in the classical random-oracle model. Our main contribution is showing that the transformation also works against quantum adversaries in the quantum random-oracle model. We develop proof techniques such as adaptively programming a quantum random-oracle in a new setting, which could be of independent interest. Applying the transformation to an existential-unforgeable signature scheme due to Cash et al., which can be shown to be quantum-secure assuming certain lattice problems are hard for quantum computers, we get an efficient quantum-secure strongly unforgeable signature scheme in the quantum random-oracle model. Comment: 15 pages, to appear in Proceedings TQC 201

    Signcryption schemes with threshold unsigncryption, and applications

    The final publication is available at link.springer.com. The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very little attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided into two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions. Peer Reviewed. Postprint (author's final draft

    Introducing Accountability to Anonymity Networks

    Many anonymous communication (AC) networks rely on routing traffic through proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes risk sanctions by law enforcement if users commit illegal actions through the AC network. We present BackRef, a generic mechanism for AC networks that provides practical repudiation for the proxy nodes by tracing back the selected outbound traffic to the predecessor node (but not in the forward direction) through a cryptographically verifiable chain. It also provides an option for full (or partial) traceability back to the entry node or even to the corresponding user when all intermediate nodes are cooperating. Moreover, to maintain a good balance between anonymity and accountability, the protocol incorporates whitelist directories at exit proxy nodes. BackRef offers improved deployability over the related work, and introduces a novel concept of pseudonymous signatures that may be of independent interest. We exemplify the utility of BackRef by integrating it into the onion routing (OR) protocol, and examine its deployability by considering several system-level aspects. We also present the security definitions for the BackRef system (namely, anonymity, backward traceability, no forward traceability, and no false accusation) and conduct a formal security analysis of the OR protocol with BackRef using ProVerif, an automated cryptographic protocol verifier, establishing the aforementioned security properties against a strong adversarial model

    Discovery and Measurement of Sleptons, Binos, and Winos with a Z'

    Extensions of the MSSM could significantly alter its phenomenology at the LHC. We study the case in which the MSSM is extended by an additional U(1) gauge symmetry, which is spontaneously broken at a few TeV. The production cross-section of sleptons is enhanced over that of the MSSM by the process $pp \to Z' \to \tilde{\ell} \tilde{\ell}^*$, so the discovery potential for sleptons is greatly increased. The flavor and charge information in the resulting decay, $\tilde{\ell} \to \ell + \mathrm{LSP}$, provides a useful handle on the identity of the LSP. With the help of the additional kinematical constraint of an on-shell Z', we implement a novel method to measure all of the superpartner masses involved in this channel. For certain final states with two invisible particles, one can construct kinematic observables bounded above by parent particle masses. We demonstrate how output from one such observable, m_T2, can become input to a second, increasing the number of measurements one can make with a single decay chain. The method presented here represents a new class of observables which could have a much wider range of applicability. Comment: 20 pages, 15 figures; v2 references added and minor change

    Point symmetries in the Hartree-Fock approach: Symmetry-breaking schemes

    We analyze breaking of symmetries that belong to the double point group D2h(TD) (three mutually perpendicular symmetry axes of the second order, inversion, and time reversal). Subgroup structure of the D2h(TD) group indicates that there can be as many as 28 physically different, broken-symmetry mean-field schemes --- starting with solutions obeying all the symmetries of the D2h(TD) group, through 26 generic schemes in which only a non-trivial subgroup of D2h(TD) is conserved, down to solutions that break all of the D2h(TD) symmetries. Choices of single-particle bases and the corresponding structures of single-particle hermitian operators are discussed for several subgroups of D2h(TD). Comment: 10 RevTeX pages, companion paper in nucl-th/991207