
    Concurrent Knowledge-Extraction in the Public-Key Model

    Knowledge extraction is a fundamental notion, modelling machine possession of values (witnesses) in a computational-complexity sense. The notion provides an essential tool for cryptographic protocol design and analysis, enabling one to argue about the internal state of protocol players without ever looking at this supposedly secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public keys (as is common in cryptography), assuring that entities "know" what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of "concurrent knowledge-extraction" (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model.
    Comment: 38 pages, 4 figures.

    Rearrangeable Networks with Limited Depth

    Rearrangeable networks are switching systems capable of establishing simultaneous independent communication paths in accordance with any one-to-one correspondence between their n inputs and n outputs. Classical results show that Ω(n log n) switches are necessary and that O(n log n) switches are sufficient for such networks. We are interested in the minimum possible number of switches in rearrangeable networks in which the depth (the length of the longest path from an input to an output) is at most k, where k is fixed as n increases. We show that Ω(n^{1 + 1/k}) switches are necessary and that O(n^{1 + 1/k} (log n)^{1/k}) switches are sufficient for such networks.

    Brightest galaxies as halo centre tracers in SDSS DR7

    Determining the positions of halo centres in large-scale structure surveys is crucial for many cosmological studies. A common assumption is that halo centres correspond to the location of their brightest member galaxies. In this paper, we study the dynamics of brightest galaxies with respect to other halo members in the Sloan Digital Sky Survey DR7. Specifically, we look at the line-of-sight velocity and spatial offsets between brightest galaxies and their neighbours. We compare those to detailed mock catalogues, constructed from high-resolution, dark-matter-only N-body simulations, in which it is assumed that satellite galaxies trace dark matter subhaloes. This allows us to place constraints on the fraction $f_{\rm BNC}$ of haloes in which the brightest galaxy is not the central. Compared to previous studies we explicitly take into account the unrelaxed state of the host haloes, velocity offsets of halo cores and correlations between $f_{\rm BNC}$ and the satellite occupation. We find that $f_{\rm BNC}$ strongly decreases with the luminosity of the brightest galaxy and increases with the mass of the host halo. Overall, in the halo mass range $10^{13} - 10^{14.5}\, h^{-1} M_\odot$ we find $f_{\rm BNC} \sim 30\%$, in good agreement with a previous study by Skibba et al. We discuss the implications of these findings for studies inferring the galaxy--halo connection from satellite kinematics, models of the conditional luminosity function and galaxy formation in general.
    Comment: 24 pages, 15 figures. Accepted for publication in MNRAS.

    Generalized Tsirelson Inequalities, Commuting-Operator Provers, and Multi-Prover Interactive Proof Systems

    A central question in quantum information theory and computational complexity is how powerful nonlocal strategies are in cooperative games with imperfect information, such as multi-prover interactive proof systems. This paper develops a new method for proving limits of nonlocal strategies that make use of prior entanglement among players (or provers, in the terminology of multi-prover interactive proofs). Instead of proving the limits for usual isolated provers who initially share entanglement, this paper proves the limits for "commuting-operator provers", who share private space but can apply only operators that commute with any operator applied by other provers. Commuting-operator provers are at least as powerful as usual isolated but prior-entangled provers, and thus limits for commuting-operator provers immediately give limits for usual entangled provers. Using this method, we obtain an n-party generalization of the Tsirelson bound for the Clauser-Horne-Shimony-Holt inequality for every n. Our bounds are tight in the sense that, in every n-party case, the equality is achievable by a usual nonlocal strategy with prior entanglement. We also apply our method to a 3-prover 1-round binary interactive proof for NEXP. Combined with the technique developed by Kempe, Kobayashi, Matsumoto, Toner and Vidick to analyze the soundness of the proof system, it is proved to be NP-hard to distinguish whether the entangled value of a 3-prover 1-round binary-answer game is equal to 1 or at most 1-1/p(n) for some polynomial p, where n is the number of questions. This is in contrast to the 2-prover 1-round binary-answer case, where the corresponding problem is efficiently decidable. Alternatively, NEXP has a 3-prover 1-round binary interactive proof system with perfect completeness and soundness 1-2^{-poly}.
    Comment: 20 pages. v2: An incorrect statement in the abstract about the two-party case is corrected. Relation between this work and a preliminary work by Sun, Yao and Preda is clarified.

    A New Family of Implicitly Authenticated Diffie-Hellman Protocols

    Cryptographic algorithm standards play a key role both in the practice of information security and in cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of implicitly authenticated Diffie-Hellman key-exchange (DHKE) protocols that are among the most efficient and are widely standardized. In this work, from some new perspectives and under some new design rationales, and also inspired by the security analysis of HMQV, we develop a new family of practical implicitly authenticated DHKE (IA-DHKE) protocols, which enjoy notable performance across security, efficiency, privacy, fairness and ease of deployment. We make detailed comparisons between our new protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Very briefly, we achieve: 1. The most efficient provably secure IA-DHKE protocol to date, and the first online-optimal provably secure IA-DHKE protocols. 2. The first IA-DHKE protocol that is provably secure and resilient to the leakage of DH components and exponents under merely standard assumptions, without additionally relying on the knowledge-of-exponent assumption (KEA). 3. The first provably secure privacy-preserving and computationally fair IA-DHKE protocol, with the privacy-preserving properties of reasonable deniability and post-ID computability and the property of session-key computational fairness. Guided by our new design rationales, in this work we also formalize and introduce a new concept, namely session-key computational fairness (as a complement to session-key security), to the literature.

    Computationally-Fair Group and Identity-Based Key-Exchange

    In this work, we re-examine some fundamental group key-exchange and identity-based key-exchange protocols, specifically the Burmester-Desmedt group key-exchange protocol [7] (referred to as the BD-protocol) and the Chen-Kudla identity-based key-exchange protocol [9] (referred to as the CK-protocol). We identify some new attacks on these protocols, showing in particular that these protocols are not computationally fair. Specifically, with our attacks, an adversary can cause the following damage: (1) It can compute the session-key output with much lower computational complexity than that of the victim honest player, and can maliciously nullify the contributions from the victim honest players. (2) It can set the session-key output to some pre-determined value, which can be efficiently and publicly computed without knowing any secret supposedly held by the attacker. We remark that these attacks are beyond the traditional security models for group key-exchange and identity-based key-exchange. Then, based on the computationally fair Diffie-Hellman key-exchange in [21], we present some fixing approaches, and prove that the fixed protocols are computationally fair.