54 research outputs found

    On shared randomness and the size of secure signatures

    We present an efficient signature scheme that is not existentially forgeable under adaptively chosen message attacks [GMR]. The main feature of our scheme is that any practical number of signatures can be made while the size of the signatures remains relatively small, under the condition that all signers have access to a list of shared random strings. More precisely, let integers $l$ and $d$ be fixed and let $k$ be a security parameter. Given a list of $l$ random $(k-1)$-bit strings shared by all signers, at least $l^d$ signatures can be made by each signer in our scheme, where the size of a public key is $k$ bits. The size of a signature does not exceed $(4d-3)k$ bits. The first secure signature scheme where such trade-offs between shared randomness and the size of signatures has been realized was proposed by Dwork and Naor at Crypto '94 [1]. Their scheme is based on RSA, while their method for achieving efficiency relies on special properties of RSA that seem to go beyond the properties of general trapdoor permutations. Our contribution is to show that a secure signature scheme with similar efficiency can be based on a general cryptographic assumption that is potentially weaker than an RSA assumption, namely the existence of a family of claw-free trapdoor permutations [3]

    New generation of secure and practical RSA-based signatures

    For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash-functions, are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the scheme is proven to be not existentially forgeable under adaptively chosen message attacks. Furthermore, we identify some electronic devices where our scheme can be conveniently implemented using dedicated smartcards that are available today

    Secure signature schemes based on interactive protocols


    Proofs of partial knowledge and simplified design of witness hiding protocols

    Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, we get a witness hiding protocol, even if P did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions

    Efficient multi-point local decoding of Reed-Muller codes via interleaved codex

    Reed-Muller codes are among the most important classes of locally correctable codes. Currently local decoding of Reed-Muller codes is based on decoding on lines or quadratic curves to recover one single coordinate. To recover multiple coordinates simultaneously, the naive way is to repeat the local decoding for recovery of a single coordinate. This decoding algorithm might be more expensive, i.e., require higher query complexity. In this paper, we focus on Reed-Muller codes with the usual parameter regime, namely, the total degree of evaluation polynomials is $d = \Theta(q)$, where $q$ is the code alphabet size (in fact, $d$ can be as big as $q/4$ in our setting). By introducing a novel variation of codex, i.e., interleaved codex (the concept of codex has been used for arithmetic secret sharing), we are able to locally recover an arbitrarily large number $k$ of coordinates of a Reed-Muller code simultaneously with error probability $\exp(-\Omega(k))$ at the cost of querying merely $O(q^2 k)$ coordinates. It turns out that our local decoding of Reed-Muller codes shows (perhaps surprisingly) that accessing $k$ locations is in fact cheaper than repeating the procedure for accessing a single location $k$ times. Precisely speaking, to get the same success probability by repeating the local decoding algorithm of a single coordinate, one has to query $\Omega(q k^2)$ coordinates. Thus, the query complexity of our local decoding is smaller for $k = \Omega(q)$. If we impose the same query complexity constraint on both algorithms, our local decoding algorithm yields smaller error probability when $k = \Omega(q\sqrt{q})$. In addition, our local decoding is efficient, i.e., the decoding complexity is $\mathrm{Poly}(k, q)$. Construction of an interleaved codex is based on concatenation of a codex with a multiplication friendly pair, while the main tool to realize codex is based on algebraic function fields (or more precisely, algebraic geometry codes)

    On monotone function closure of perfect and statistical zero-knowledge

    Assume we are given a language $L$ with an honest verifier perfect zero-knowledge proof system. Assume also that the proof system is a $\leq 3$-move Arthur-Merlin game. The class of such languages includes all random self-reducible languages, and also any language with a perfect zero-knowledge non-interactive proof. We show that such a language satisfies a certain closure property, namely that languages constructed from $L$ by applying certain monotone functions to statements on membership in $L$ have perfect zero-knowledge proof systems. The new set of languages we can build includes $L$ itself, but also for example languages consisting of $n$ words of which at least $t \leq n$ are in $L$. A similar closure property is shown to hold for the complement of $L$ and for statistical zero-knowledge. The property we need fo