115 research outputs found

    On the mean number of encryptions for tree-based broadcast encryption schemes

    Abstract. The challenge of stateless-receiver broadcast encryption lies in minimizing storage and the number of encryptions while maintaining system security. Tree-based key distribution schemes offer the best known trade-off between the two parameters. Examples include the complete subtree scheme [D. Wallner et al., Internet draft, http://www.ietf.org/ID.html [10]; C.K. Wong et al., in: Proc. SIGCOMM, 1998, pp. 68–79 [11]], the subset difference scheme [D. Naor et al., in: CRYPTO 2001, Lecture Notes in Comput. Sci., vol. 2139, 2001, pp. 41–62 [7]], and the layered subset difference scheme [D. Halevy, A. Shamir, in: CRYPTO 2002, Lecture Notes in Comput. Sci., vol. 2442, 2002, pp. 47–60 [5]]. We introduce generating functions for this family of schemes, which lead to an analysis of the mean number of encryptions over all privileged sets of users. We also derive the mean number of encryptions when the number of privileged users is fixed. We expect that the techniques introduced, as well as the results in this work, will find applications in related areas.
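    The quantity the abstract averages is easiest to see on the complete subtree scheme: the centre covers the privileged leaves of a full binary tree with the maximal subtrees that contain no revoked receiver and encrypts the session key once per subtree. The following is an added example, not code from the paper or from the cited schemes; it computes that cover for a small tree, brute-forces the mean over all privileged sets and over sets of fixed size, and checks the brute force against a direct probabilistic count (ours, not the paper's generating-function result). The (depth, index) subtree encoding is an assumption of this example.

```python
"""Complete subtree (CS) broadcast encryption: cover of a privileged set and
the mean number of encryptions, brute-forced over a small tree.

Added example, not code from the paper or its references. The tree is a
complete binary tree with n_leaves = 2^h receivers; a subtree is encoded as
(depth, index) with the root at (0, 0). The closed form below is a direct
probabilistic count, not the paper's generating-function analysis.
"""
from itertools import combinations


def cs_cover(n_leaves, privileged):
    """Cover of `privileged` (a set of leaf indices 0..n_leaves-1) in the CS
    scheme: the maximal subtrees whose leaves are all privileged. The centre
    encrypts the session key once under each subtree key, so the number of
    encryptions for this privileged set is len(cover)."""
    h = n_leaves.bit_length() - 1
    if 1 << h != n_leaves:
        raise ValueError("n_leaves must be a power of two")
    cover = []

    def visit(depth, idx):
        span = 1 << (h - depth)                      # leaves under this node
        leaves = range(idx * span, (idx + 1) * span)
        if all(leaf in privileged for leaf in leaves):
            cover.append((depth, idx))               # one encryption covers them all
            return
        if depth == h:
            return                                   # revoked leaf: nothing to send
        visit(depth + 1, 2 * idx)
        visit(depth + 1, 2 * idx + 1)

    visit(0, 0)
    return cover


def num_encryptions(n_leaves, privileged):
    return len(cs_cover(n_leaves, privileged))


def mean_encryptions(n_leaves):
    """Mean over all 2^n_leaves privileged sets (each receiver independently
    privileged or revoked with probability 1/2)."""
    total = 0
    for mask in range(1 << n_leaves):
        privileged = {i for i in range(n_leaves) if (mask >> i) & 1}
        total += num_encryptions(n_leaves, privileged)
    return total / (1 << n_leaves)


def mean_encryptions_fixed(n_leaves, k):
    """Mean over privileged sets of size exactly k."""
    sets = list(combinations(range(n_leaves), k))
    return sum(num_encryptions(n_leaves, set(s)) for s in sets) / len(sets)


def mean_encryptions_closed_form(n_leaves):
    """Same quantity as mean_encryptions, counted directly: a non-root node
    with s leaves is in the cover iff its own s leaves are all privileged
    (probability 2^-s) and its sibling subtree is not (probability 1 - 2^-s),
    which are independent events; the root is in the cover iff every
    receiver is privileged."""
    h = n_leaves.bit_length() - 1
    total = 2.0 ** -n_leaves
    for depth in range(1, h + 1):
        s = 1 << (h - depth)
        p = 2.0 ** -s
        total += (1 << depth) * p * (1 - p)
    return total


if __name__ == "__main__":
    # 8 receivers, receiver 5 revoked: the left half, leaf 4 and the
    # subtree {6, 7} -> 3 encryptions (1 if nobody is revoked, 8 if every
    # other receiver is revoked).
    print(cs_cover(8, set(range(8)) - {5}))
    for n in (2, 4, 8):
        print(n, mean_encryptions(n), mean_encryptions_closed_form(n))
```

    The brute force is exponential in the number of receivers and is only there to validate the count; the closed form is what scales, and it is the kind of expression the paper's generating functions produce for the whole family of schemes.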

    Constructive and destructive use of compilers in elliptic curve cryptography

    Although cryptographic software implementation is often performed by expert programmers, the range of performance- and security-driven options, as well as more mundane software engineering issues, still make it a challenge. The use of domain-specific language and compiler techniques to assist in the description and optimisation of cryptographic software is an interesting research challenge. In this paper we investigate two aspects of such techniques, focusing on Elliptic Curve Cryptography (ECC) in particular. Our constructive results show that a suitable language allows description of ECC-based software in a manner close to the original mathematics; the corresponding compiler allows automatic production of an executable whose performance is competitive with that of a hand-optimised implementation. In contrast, we study the worrying potential for naïve compiler-driven optimisation to render cryptographic software insecure. Both aspects of our work are set within the context of CACE, an ongoing EU-funded project on this general topic.

    Diagonally Neighbour Transitive Codes and Frequency Permutation Arrays

    Constant composition codes have been proposed as suitable coding schemes to solve the narrow band and impulse noise problems associated with powerline communication. In particular, a certain class of constant composition codes called frequency permutation arrays have been suggested as ideal, in some sense, for these purposes. In this paper we characterise a family of neighbour transitive codes in Hamming graphs in which frequency permutation arrays play a central role. We also classify all the permutation codes generated by groups in this family.

    On the automatic construction of indistinguishable operations

    An increasingly important design constraint for software running on ubiquitous computing devices is security, particularly against physical methods such as side-channel attack. One well-studied methodology for defending against such attacks is the concept of indistinguishable functions, which leak no information about program control flow since all execution paths are computationally identical. However, constructing such functions by hand becomes laborious and error-prone as their complexity increases. We investigate techniques for automating this process and find that effective solutions can be constructed with only minor amounts of computational effort. Fundação para a Ciência e Tecnologia - SFRH/BPD/20528/2004.

    New minimal weight representations for left-to-right window methods

    Abstract. For an integer w ≥ 2, a radix 2 representation is called a width-w nonadjacent form (w-NAF, for short) if each nonzero digit is an odd integer with absolute value less than 2^{w−1}, and of any w consecutive digits, at most one is nonzero. In elliptic curve cryptography, the w-NAF window method is used to efficiently compute nP where n is an integer and P is an elliptic curve point. We introduce a new family of radix 2 representations which use the same digits as the w-NAF but have the advantage that they result in a window method which uses less memory. This memory saving results from the fact that these new representations can be deduced using a very simple left-to-right algorithm. Further, we show that like the w-NAF, these new representations have a minimal number of nonzero digits.

    1 Window Methods

    An operation fundamental to elliptic curve cryptography is scalar multiplication; that is, computing nP for an integer, n, and an elliptic curve point, P. A number of different algorithms have been proposed to perform this operation efficiently (see Ch. 3 of [4] for a recent survey). A variety of these algorithms, known as window methods, use the approach described in Algorithm 1.1. For example, suppose D = {0, 1, 3, 5, 7}. Using this digit set, Algorithm 1.1 first computes and stores P, 3P, 5P and 7P. After a D-radix 2 representation of n is computed, its digits are read from left to right by the “for” loop and nP is computed using doubling and addition operations (and no subtractions). One way to compute a D-radix 2 representation of n is to slide a 3-digit window from right to left across the {0, 1}-radix 2 representation of n (see Section 4). Using negative digits takes advantage of the fact that subtracting an elliptic curve point can be done just as efficiently as adding it. Suppose now that D
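    The window method the introduction describes, as an added example that is not the paper's code: it implements the standard w-NAF (the usual right-to-left recoding) and the left-to-right evaluation loop with a table of odd multiples, then checks the digit constraints, the nonzero-digit count, and the result against plain double-and-add. It does not implement the paper's new left-to-right representation, which the page does not describe in enough detail. The curve is secp256k1 (public parameters); the affine addition formulas and the helper names are this example's own.

```python
"""w-NAF recoding and the left-to-right window method (Algorithm 1.1 in the
paper's terms) for elliptic curve scalar multiplication.

Added example, not the paper's code: standard w-NAF with right-to-left
recoding, not the paper's new left-to-right representation. Curve
parameters are those of secp256k1 (public constants); the affine point
arithmetic is the textbook formulas. Requires Python 3.8+ for pow(x, -1, p).
"""

P_MOD = 2**256 - 2**32 - 977         # field prime of secp256k1
A, B = 0, 7                          # curve y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None                           # the point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def neg(pt):
    # subtracting a point costs the same as adding it: just negate y
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:                                  # P + (-P)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def double(pt):
    return add(pt, pt)


def wnaf(n, w):
    """Width-w NAF of n >= 0, least significant digit first: every nonzero
    digit is odd with |d| < 2^(w-1), and any w consecutive digits contain at
    most one nonzero digit."""
    digits = []
    while n > 0:
        if n & 1:
            d = n % (1 << w)
            if d >= 1 << (w - 1):    # take the signed residue in (-2^(w-1), 2^(w-1))
                d -= 1 << w
            n -= d                   # n is now divisible by 2^w: next w-1 digits are 0
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits


def is_wnaf(digits, w):
    ok_digits = all(d == 0 or (d % 2 == 1 and abs(d) < 1 << (w - 1)) for d in digits)
    ok_windows = all(sum(1 for d in digits[i:i + w] if d) <= 1
                     for i in range(len(digits)))
    return ok_digits and ok_windows


def digits_to_int(digits):
    return sum(d << i for i, d in enumerate(digits))


def weight(digits):
    """Number of nonzero digits, i.e. the number of additions the window method does."""
    return sum(1 for d in digits if d)


def wnaf_mul(n, pt, w=4):
    """Window method: precompute the odd multiples P, 3P, ..., (2^(w-1)-1)P
    (2^(w-2) stored points), then read the digits from the most significant
    end, doubling once per digit and adding +-table[|d|] on nonzero digits."""
    table = {1: pt}
    two_pt = double(pt)
    for k in range(3, 1 << (w - 1), 2):
        table[k] = add(table[k - 2], two_pt)
    q = INF
    for d in reversed(wnaf(n, w)):
        q = double(q)
        if d > 0:
            q = add(q, table[d])
        elif d < 0:
            q = add(q, neg(table[-d]))
    return q


def naive_mul(n, pt):
    """Plain left-to-right double-and-add, used only as the reference."""
    q = INF
    for bit in bin(n)[2:]:
        q = double(q)
        if bit == "1":
            q = add(q, pt)
    return q


if __name__ == "__main__":
    n = 0xDEADBEEF
    for w in (2, 3, 4, 5):
        d = wnaf(n, w)
        print(f"w={w}: {len(d)} digits, weight {weight(d)}, "
              f"{1 << (w - 2)} precomputed point(s)")
    assert wnaf_mul(n, G, 4) == naive_mul(n, G)
    assert wnaf_mul(ORDER, G) is INF        # ORDER * G is the identity
```

    Raising w trades table memory (2^(w-2) points) for fewer additions, and the recoding has to finish before the left-to-right loop can start, which is exactly the buffering cost the paper's left-to-right representations avoid. Note that this straightforward loop branches on the digit value, so it is not an indistinguishable-operation implementation in the sense of the side-channel paper above.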

    Statistics of Multiple Sign Changes in a Discrete Non-Markovian Sequence

    We study analytically the statistics of multiple sign changes in a discrete non-Markovian sequence \psi_i = \phi_i + \phi_{i-1} (i = 1, 2, ..., n) where the \phi_i's are independent and identically distributed random variables each drawn from a symmetric and continuous distribution \rho(\phi). We show that the probability P_m(n) of m sign changes up to n steps is universal, i.e., independent of the distribution \rho(\phi). The mean and variance of the number of sign changes are computed exactly for all n > 0. We show that the generating function {\tilde P}(p,n) = \sum_{m=0}^{\infty} P_m(n) p^m \sim \exp[-\theta_d(p) n] for large n, where the `discrete' partial survival exponent \theta_d(p) is given by a nontrivial formula, \theta_d(p) = \log[{\sin}^{-1}(\sqrt{1-p^2})/\sqrt{1-p^2}] for 0 \le p \le 1. We also show that in the natural scaling limit when m is large and n is large but x = m/n is kept fixed, P_m(n) \sim \exp[-n \Phi(x)], where the large deviation function \Phi(x) is computed. The implications of these results for Ising spin glasses are discussed. Comment: 4 pages revtex, 1 eps figure

    Persistence of a Continuous Stochastic Process with Discrete-Time Sampling: Non-Markov Processes

    We consider the problem of `discrete-time persistence', which deals with the zero-crossings of a continuous stochastic process, X(T), measured at discrete times, T = n(\Delta T). For a Gaussian Stationary Process the persistence (no crossing) probability decays as \exp(-\theta_D T) = [\rho(a)]^n for large n, where a = \exp[-(\Delta T)/2], and the discrete persistence exponent, \theta_D, is given by \theta_D = \ln(\rho)/2\ln(a). Using the `Independent Interval Approximation', we show how \theta_D varies with (\Delta T) for small (\Delta T) and conclude that experimental measurements of persistence for smooth processes, such as diffusion, are less sensitive to the effects of discrete sampling than measurements of a randomly accelerated particle or random walker. We extend the matrix method developed by us previously [Phys. Rev. E 64, 015151(R) (2001)] to determine \rho(a) for a two-dimensional random walk and the one-dimensional random acceleration problem. We also consider `alternating persistence', which corresponds to a < 0, and calculate \rho(a) for this case. Comment: 14 pages plus 8 figures

    Persistence in a Stationary Time-series

    We study the persistence in a class of continuous stochastic processes that are stationary only under integer shifts of time. We show that under certain conditions, the persistence of such a continuous process reduces to the persistence of a corresponding discrete sequence obtained from the measurement of the process only at integer times. We then construct a specific sequence for which the persistence can be computed even though the sequence is non-Markovian. We show that this may be considered as a limiting case of persistence in the diffusion process on a hierarchical lattice. Comment: 8 pages revtex

    A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic

    In the present work, we present a new discrete logarithm algorithm, in the same vein as recent works by Joux, using an asymptotically more efficient descent approach. The main result gives a quasi-polynomial heuristic complexity for the discrete logarithm problem in finite fields of small characteristic. By quasi-polynomial, we mean a complexity of type n^{O(\log n)} where n is the bit-size of the cardinality of the finite field. Such a complexity is smaller than any L(\varepsilon) for \varepsilon > 0. It remains super-polynomial in the size of the input, but offers a major asymptotic improvement compared to L(1/4 + o(1)).