20 research outputs found

    Lonely runners with complex time


    On the Parikh-de-Bruijn grid

    We introduce the Parikh-de-Bruijn grid, a graph whose vertices are fixed-order Parikh vectors, and whose edges are given by a simple shift operation. This graph gives structural insight into the nature of sets of Parikh vectors as well as that of the Parikh set of a given string. We show its utility by proving some results on Parikh-de-Bruijn strings, the abelian analog of de-Bruijn sequences. Comment: 18 pages, 3 figures, 1 tabl

    A note on Low Order assumptions in RSA groups

    In this short note, we show that substantially weaker Low Order assumptions are sufficient to prove the soundness of Pietrzak’s protocol for proof of exponentiation in groups of unknown order. This constitutes the first step to a better understanding of the asymptotic computational complexity of breaking the soundness of the protocol. Furthermore, we prove the equivalence of the (weaker) Low Order assumption(s) and the Factoring assumption in RSA groups for a non-negligible portion of moduli. We argue that in practice our reduction applies for a considerable amount of deployed moduli. Our results have cryptographic applications, most importantly in the theory of recently proposed verifiable delay function constructions. Finally, we describe how to certify RSA moduli free of low order elements

    Multi party computation motivated by the birthday problem

    The birthday problem is a widely known observation that can be found in most textbooks on probability. In this talk we focus on the following case of the problem: there are n people in a classroom and we want to decide if there are two people who were born on the same day of the year. During the decision-making process, we want to keep all information secret. We consider multiple ways to securely solve the decision problem and compare them by computational and communication aspects

    The method of double chains for largest families with excluded subposets

    For a given finite poset $P$, $La(n,P)$ denotes the largest size of a family $\mathcal{F}$ of subsets of $[n]$ not containing $P$ as a weak subposet. We exactly determine $La(n,P)$ for infinitely many posets $P$. These posets are built from seven base posets using two operations. For arbitrary posets, an upper bound is given for $La(n,P)$ depending on $|P|$ and the size of the longest chain in $P$. To prove these theorems we introduce a new method, counting the intersections of $\mathcal{F}$ with double chains, rather than chains. Comment: 8 pages, 5 figures. Submitted to The Electronic Journal of Graph Theory and Applications (EJGTA

    Multi party computation motivated by the birthday problem

    Suppose there are n people in a classroom and we want to decide if there are two of them who were born on the same day of the year. The well-known birthday paradox is concerned with the probability of this event and is discussed in many textbooks on probability. In this paper we focus on cryptographic aspects of the problem: how can we decide if there is a collision of birthdays without the participants disclosing their respective dates of birth? We propose several procedures for solving this generally in a privacy-preserving way and compare them according to their computational and communication complexity

    How (not) to hash into class groups of imaginary quadratic fields?

    Class groups of imaginary quadratic fields (class groups for short) have seen a resurgence in cryptography as transparent groups of unknown order. They are a prime candidate for being a trustless alternative to RSA groups because class groups do not need a (distributed) trusted setup to sample a cryptographically secure group of unknown order. Class groups have recently found many applications in verifiable secret sharing, secure multiparty computation, transparent polynomial commitments, and perhaps most importantly, in time-based cryptography, i.e., verifiable delay functions, (homomorphic) time-lock puzzles, timed commitments, etc. However, there are various roadblocks to making class groups widespread in practical cryptographic deployments. We initiate the rigorous study of hashing into class groups. Specifically, we want to sample a uniformly distributed group element in a class group such that nobody knows its discrete logarithm with respect to any public parameter. We point out several flawed algorithms in numerous publicly available class group libraries. We further illustrate the insecurity of these hash functions by showing concrete attacks against cryptographic protocols, i.e., verifiable delay functions, if they were deployed with one of those broken hash-to-class group functions. We propose two families of cryptographically secure hash functions into class groups. We implement these constructions and evaluate their performance. We release our implementation as an open-source library

    Behemoth: transparent polynomial commitment scheme with constant opening proof size and verifier time

    Polynomial commitment schemes are fundamental building blocks in numerous cryptographic protocols such as verifiable secret sharing, zero-knowledge succinct non-interactive arguments, and many more. The most efficient polynomial commitment schemes rely on a trusted setup which is undesirable in trust-minimized applications, e.g., cryptocurrencies. However, transparent polynomial commitment schemes are inefficient (polylogarithmic opening proofs and/or verification time) compared to their trusted counterparts. It has been an open problem to devise a transparent, succinct polynomial commitment scheme or prove an impossibility result in the transparent setting. In this work, for the first time, we create a transparent, constant-size polynomial commitment scheme called Behemoth with constant-size opening proofs and a constant-time verifier. The downside of Behemoth is that it employs a cubic prover in the degree of the committed polynomial. We prove the security of our scheme in the generic group model and discuss parameter settings in which it remains practical even for the prover