
    The Random Oracle Methodology, Revisited

    We take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes that result from implementing the random oracle by so called "cryptographic hash functions". The main result of this paper is a negative one: There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes. In the process of devising the above schemes, we consider possible definitions for the notion of a "good implementation" of a random oracle, pointing out limitations and challenges. Comment: 31 page

    Empirical risk minimization as parameter choice rule for general linear regularization methods.

    We consider the statistical inverse problem to recover $f$ from noisy measurements $Y = Tf + \sigma\xi$, where $\xi$ is Gaussian white noise and $T$ a compact operator between Hilbert spaces. Considering general reconstruction methods of the form $\hat f_\alpha = q_\alpha(T^*T)T^*Y$ with an ordered filter $q_\alpha$, we investigate the choice of the regularization parameter $\alpha$ by minimizing an unbiased estimate of the predictive risk $E[\|Tf - T\hat f_\alpha\|^2]$. The corresponding parameter $\alpha_{\mathrm{pred}}$ and its usage are well-known in the literature, but oracle inequalities and optimality results in this general setting are unknown. We prove a (generalized) oracle inequality, which relates the direct risk $E[\|f - \hat f_{\alpha_{\mathrm{pred}}}\|^2]$ with the oracle prediction risk $\inf_{\alpha>0} E[\|Tf - T\hat f_\alpha\|^2]$. From this oracle inequality we are then able to conclude that the investigated parameter choice rule is of optimal order in the minimax sense. Finally we also present numerical simulations, which support the order optimality of the method and the quality of the parameter choice in finite sample situations

    A Machine-Checked Formalization of the Generic Model and the Random Oracle Model

    Most approaches to the formal analysis of cryptographic protocols make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Ideally, one would prefer to rely on a weaker hypothesis on the computational cost of gaining information about the plaintext pertaining to a ciphertext without knowing the key. Such a view is permitted by the Generic Model and the Random Oracle Model, which provide non-standard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the proof assistant Coq, we provide a machine-checked account of the Generic Model and the Random Oracle Mode

    An Identity-Based Group Signature with Membership Revocation in the Standard Model

    Group signatures allow group members to sign an arbitrary number of messages on behalf of the group without revealing their identity. Under certain circumstances the group manager holding a tracing key can reveal the identity of the signer from the signature. Practical group signature schemes should support membership revocation, where the revoked member loses the capability to sign a message on behalf of the group without influencing the other non-revoked members. A model known as \emph{verifier-local revocation} supports membership revocation. In this model the trusted revocation authority sends revocation messages to the verifiers, and there is no need for the trusted revocation authority to contact non-revoked members to update their secret keys. Previous constructions of verifier-local revocation group signature schemes either have a security proof in the random oracle model or are non-identity-based. A security proof in the random oracle model is only a heuristic proof, and non-identity-based group signatures suffer from standard Public Key Infrastructure (PKI) problems, i.e. the group public key is not derived from the group identity and therefore has to be certified.

    In this work we construct the first verifier-local revocation group signature scheme which is identity-based and which has a security proof in the standard model. In particular, we give a formal security model for the proposed scheme and prove that the scheme has the property of selfless-anonymity under the decision Linear (DLIN) assumption and is fully-traceable under the Computational Diffie-Hellman (CDH) assumption. The proposed scheme is based on prime order bilinear groups

    Laplace deconvolution and its application to Dynamic Contrast Enhanced imaging

    In the present paper we consider the problem of Laplace deconvolution with noisy discrete observations. The study is motivated by Dynamic Contrast Enhanced imaging using a bolus of contrast agent, a procedure which allows considerable improvement in evaluating the quality of a vascular network and its permeability and is widely used in medical assessment of brain flows or cancerous tumors. Although the study is motivated by a medical imaging application, we obtain a solution of a general problem of Laplace deconvolution based on noisy data which appears in many different contexts. We propose a new method for Laplace deconvolution which is based on expansions of the convolution kernel, the unknown function and the observed signal over a Laguerre functions basis. The expansion results in a small system of linear equations with the matrix of the system being triangular and Toeplitz. The number $m$ of the terms in the expansion of the estimator is controlled via a complexity penalty. The advantage of this methodology is that it leads to very fast computations, does not require exact knowledge of the kernel and produces no boundary effects due to extension at zero and cut-off at $T$. The technique leads to an estimator with the risk within a logarithmic factor of $m$ of the oracle risk under no assumptions on the model and within a constant factor of the oracle risk under mild assumptions. The methodology is illustrated by a finite sample simulation study which includes an example of the kernel obtained in real life DCE experiments. Simulations confirm that the proposed technique is fast, efficient, accurate, usable from a practical point of view and competitive