Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures
In this work, we construct a short one-out-of-many proof from (module) lattices, allowing one to prove knowledge of a secret associated with one of the public values in a set. The proof system builds on a combination of ideas from the efficient proposals in the discrete logarithm setting by Groth and Kohlweiss (EUROCRYPT '15) and Bootle et al. (ESORICS '15), can have logarithmic communication complexity in the set size and does not require a trusted setup.
Our work resolves an open problem mentioned by Libert et al. (EUROCRYPT '16) of how to efficiently extend the above discrete logarithm proof techniques to the lattice setting. To achieve our result, we introduce new technical tools for design and analysis of algebraic lattice-based zero-knowledge proofs, which may be of independent interest.
Using our proof system as a building block, we design a short ring signature scheme, whose security relies on "post-quantum" lattice assumptions. Even for a very large ring size such as 1 billion, our ring signature size is only 3 MB for 128-bit security level compared to 216 MB in the best existing lattice-based result by Libert et al. (EUROCRYPT '16).
Towards Non-Interactive Zero-Knowledge for NP from LWE
Non-interactive zero-knowledge (NIZK) is a fundamental primitive that is widely used in the construction of cryptographic schemes and protocols. Despite this, general purpose constructions of NIZK proof systems are only known under a rather limited set of assumptions that are either number-theoretic (and can be broken by a quantum computer) or are not sufficiently well understood, such as obfuscation. Thus, a basic question that has drawn much attention is whether it is possible to construct general-purpose NIZK proof systems based on the learning with errors (LWE) assumption.
Our main result is a reduction from constructing NIZK proof systems for all of NP based on LWE, to constructing a NIZK proof system for a particular computational problem on lattices, namely a decisional variant of the Bounded Distance Decoding (BDD) problem. That is, we show that assuming LWE, every language L in NP has a NIZK proof system if (and only if) the decisional BDD problem has a NIZK proof system. This (almost) confirms a conjecture of Peikert and Vaikuntanathan (CRYPTO, 2008).
To construct our NIZK proof system, we introduce a new notion that we call prover-assisted oblivious ciphertext sampling (POCS), which we believe to be of independent interest. This notion extends the idea of oblivious ciphertext sampling, which allows one to sample ciphertexts without knowing the underlying plaintext. Specifically, we augment the oblivious ciphertext sampler with access to an (untrusted) prover to help it accomplish this task. We show that the existence of encryption schemes with a POCS procedure, as well as some additional natural requirements, suffices for obtaining NIZK proofs for NP. We further show that such encryption schemes can be instantiated based on LWE, assuming the existence of a NIZK proof system for the decisional BDD problem.
On the Lattice Isomorphism Problem
We study the Lattice Isomorphism Problem (LIP), in which given two lattices L_1 and L_2 the goal is to decide whether there exists an orthogonal linear transformation mapping L_1 to L_2. Our main result is an algorithm for this problem running in time n^{O(n)} times a polynomial in the input size, where n is the rank of the input lattices. A crucial component is a new generalized isolation lemma, which can isolate n linearly independent vectors in a given subset of Z^n and might be useful elsewhere. We also prove that LIP lies in the complexity class SZK.
Comment: 23 pages, SODA 201
The Minrank of Random Graphs
The minrank of a graph is the minimum rank of a matrix that can be obtained from the adjacency matrix of by switching some ones to zeros (i.e., deleting edges) and then setting all diagonal entries to one. This quantity is closely related to the fundamental information-theoretic problems of (linear) index coding (Bar-Yossef et al., FOCS'06), network coding and distributed storage, and to Valiant's approach for proving superlinear circuit lower bounds (Valiant, Boolean Function Complexity '92).
We prove tight bounds on the minrank of random Erdős-Rényi graphs for all regimes of . In particular, for any constant , we show that with high probability, where is chosen from . This bound gives a near quadratic improvement over the previous best lower bound of (Haviv and Langberg, ISIT'12), and partially settles an open problem raised by Lubetzky and Stav (FOCS '07). Our lower bound matches the well-known upper bound obtained by the "clique covering" solution, and settles the linear index coding problem for random graphs.
Finally, our result suggests a new avenue of attack, via derandomization, on Valiant's approach for proving superlinear lower bounds for logarithmic-depth semilinear circuits.
Passive network tomography for erroneous networks: A network coding approach
Passive network tomography uses end-to-end observations of network communication to characterize the network, for instance to estimate the network topology and to localize random or adversarial glitches. Under the setting of linear network coding this work provides a comprehensive study of passive network tomography in the presence of network (random or adversarial) glitches. To be concrete, this work is developed along two directions:
1. Tomographic upper and lower bounds (i.e., the most adverse conditions in each problem setting under which network tomography is possible, and corresponding schemes (computationally efficient, if possible) that achieve this performance) are presented for random linear network coding (RLNC). We consider RLNC designed with common randomness, i.e., the receiver knows the random code-books of all nodes. (To justify this, we show an upper bound for the problem of topology estimation in networks using RLNC without common randomness.) In this setting we present the first set of algorithms that characterize the network topology exactly. Our algorithm for topology estimation with random network errors has time complexity that is polynomial in network parameters. For the problem of network error localization given the topology information, we present the first computationally tractable algorithm to localize random errors, and prove it is computationally intractable to localize adversarial errors.
2. New network coding schemes are designed that improve the tomographic performance of RLNC while maintaining the desirable low-complexity, throughput-optimal, distributed linear network coding properties of RLNC. In particular, we design network codes based on Reed-Solomon codes so that a maximal number of adversarial errors can be localized in a computationally efficient manner even without the information of network topology.
Comment: 40 pages, under submission for IEEE Trans. on Information Theor
Online Matrix Completion and Online Robust PCA
This work studies two interrelated problems - online robust PCA (RPCA) and online low-rank matrix completion (MC). In recent work by Candès et al., RPCA has been defined as a problem of separating a low-rank matrix (true data), and a sparse matrix (outliers), from their sum, . Our work uses this definition of RPCA. An important application where both these problems occur is in video analytics in trying to separate sparse foregrounds (e.g., moving objects) and slowly changing backgrounds. While there has been a large amount of recent work on both developing and analyzing batch RPCA and batch MC algorithms, the online problem is largely open. In this work, we develop a practical modification of our recently proposed algorithm to solve both the online RPCA and online MC problems. The main contribution of this work is that we obtain correctness results for the proposed algorithms under mild assumptions. The assumptions that we need are: (a) a good estimate of the initial subspace is available (easy to obtain using a short sequence of background-only frames in video surveillance); (b) the 's obey a `slow subspace change' assumption; (c) the basis vectors for the subspace from which is generated are dense (non-sparse); (d) the support of changes by at least a certain amount at least every so often; and (e) algorithm parameters are appropriately set.
Comment: Presented at ISIT (IEEE Intnl. Symp. on Information Theory), 2015. Submitted to IEEE Transactions on Information Theory. This version: changes are in blue; the main changes are just to explain the model assumptions better (added based on ISIT reviewers' comments
Naor-Yung paradigm with shared randomness and applications
The Naor-Yung paradigm (Naor and Yung, STOC'90) allows one to generically boost security under chosen-plaintext attacks (CPA) to security against chosen-ciphertext attacks (CCA) for public-key encryption (PKE) schemes. The main idea is to encrypt the plaintext twice (under independent public keys), and to append a non-interactive zero-knowledge (NIZK) proof that the two ciphertexts indeed encrypt the same message. Later work by Camenisch, Chandran, and Shoup (Eurocrypt'09) and Naor and Segev (Crypto'09 and SIAM J. Comput.'12) established that the very same techniques can also be used in the settings of key-dependent message (KDM) and key-leakage attacks (respectively). In this paper we study the conditions under which the two ciphertexts in the Naor-Yung construction can share the same random coins. We find that this is possible, provided that the underlying PKE scheme meets an additional simple property. The motivation for re-using the same random coins is that this allows one to design much more efficient NIZK proofs. We showcase such an improvement in the random oracle model, under standard complexity assumptions including Decisional Diffie-Hellman, Quadratic Residuosity, and Subset Sum. The length of the resulting ciphertexts is reduced by 50%, yielding truly efficient PKE schemes achieving CCA security under KDM and key-leakage attacks. As an additional contribution, we design the first PKE scheme whose CPA security under KDM attacks can be directly reduced to (low-density instances of) the Subset Sum assumption. The scheme supports key-dependent messages computed via any affine function of the secret ke
Consensus Computation in Unreliable Networks: A System Theoretic Approach
This work addresses the problem of ensuring trustworthy computation in a linear consensus network. A solution to this problem is relevant for several tasks in multi-agent systems including motion coordination, clock synchronization, and cooperative estimation. In a linear consensus network, we allow for the presence of misbehaving agents, whose behavior deviates from the nominal consensus evolution. We model misbehaviors as unknown and unmeasurable inputs affecting the network, and we cast the misbehavior detection and identification problem into an unknown-input system theoretic framework. We consider two extreme cases of misbehaving agents, namely faulty (non-colluding) and malicious (Byzantine) agents. First, we characterize the set of inputs that allow misbehaving agents to affect the consensus network while remaining undetected and/or unidentified from certain observing agents. Second, we provide worst-case bounds for the number of concurrent faulty or malicious agents that can be detected and identified. Precisely, the consensus network needs to be 2k+1 (resp. k+1) connected for k malicious (resp. faulty) agents to be generically detectable and identifiable by every well-behaving agent. Third, we quantify the effect of undetectable inputs on the final consensus value. Fourth, we design three algorithms to detect and identify misbehaving agents. The first and second algorithms apply fault detection techniques, and afford complete detection and identification if global knowledge of the network is available to each agent, at a high computational cost. The third algorithm is designed to exploit the presence in the network of weakly interconnected subparts, and provides local detection and identification of misbehaving agents whose behavior deviates more than a threshold, which is quantified in terms of the interconnection structure.