    Discrete Morse theory for the collapsibility of supremum sections

    The Dushnik-Miller dimension of a poset $\le$ is the minimal number $d$ of linear extensions $\le_1, \ldots, \le_d$ of $\le$ such that $\le$ is the intersection of $\le_1, \ldots, \le_d$. Supremum sections are simplicial complexes introduced by Scarf and are linked to the Dushnik-Miller dimension as follows: the inclusion poset of a simplicial complex is of Dushnik-Miller dimension at most $d$ if and only if it is included in a supremum section coming from a representation of dimension $d$. Collapsibility is a topological property of simplicial complexes which was introduced by Whitehead and which resembles shellability. While Ossona de Mendez proved that a particular type of supremum sections are shellable, we show in this article that supremum sections are in general collapsible, thanks to the discrete Morse theory developed by Forman.

    Internal Compression of Protocols to Entropy

    We study internal compression of communication protocols to their internal entropy, which is the entropy of the transcript from the players' perspective. We provide two internal compression schemes with error. The first is of a protocol of Feige et al. for finding the first difference between two strings. The second and main one is an internal compression with error $\epsilon > 0$ of a protocol with internal entropy $H^{int}$ and communication complexity $C$ to a protocol with communication at most of order $(H^{int}/\epsilon)^2 \cdot \log(\log(C))$. This immediately implies a similar compression to the internal information of public-coin protocols, which provides an exponential improvement over previously known public-coin compressions in the dependence on $C$. It further shows that in a recent protocol of Ganor, Kol and Raz, it is impossible to move the private randomness to be public without an exponential cost. To the best of our knowledge, no such example was previously known.

    On the Inner Product Predicate and a Generalization of Matching Vector Families

    Motivated by cryptographic applications such as predicate encryption, we consider the problem of representing an arbitrary predicate as the inner product predicate on two vectors. Concretely, fix a Boolean function P and some modulus q. We are interested in encoding x to x_vector and y to y_vector so that P(x,y) = 1 exactly when the inner product of x_vector and y_vector is 0 mod q, where the vectors should be as short as possible. This problem can also be viewed as a generalization of matching vector families, which correspond to the equality predicate. Matching vector families have been used in the constructions of Ramsey graphs, private information retrieval (PIR) protocols, and more recently, secret sharing. Our main result is a simple lower bound that allows us to show that known encodings for many predicates considered in the cryptographic literature, such as greater than and threshold, are essentially optimal for prime modulus q. Using this approach, we also prove lower bounds on encodings for composite q, and then show tight upper bounds for such predicates as greater than, index and disjointness.

    Transferable E-cash: A Cleaner Model and the First Practical Instantiation

    Transferable e-cash is the most faithful digital analog of physical cash, as it allows users to transfer coins between them in isolation, that is, without interacting with a bank or a “ledger”. Appropriate protection of user privacy and, at the same time, providing means to trace fraudulent behavior (double-spending of coins) have made instantiating the concept notoriously hard. Baldimtsi et al. (PKC'15) gave a first instantiation, but, as it relies on a powerful cryptographic primitive, the scheme is not practical. We also point out a flaw in their scheme. In this paper we revisit the model for transferable e-cash and propose simpler yet stronger security definitions. We then provide the first concrete construction, based on bilinear groups, give rigorous proofs that it satisfies our model, and analyze its efficiency in detail.

    The Uber-Knowledge Assumption: A Bridge to the AGM

    The generic-group model (GGM) and the algebraic-group model (AGM) have been immensely successful in proving the security of many classical and modern cryptosystems. These models, however, come coupled with standard-model uninstantiability results, raising the question whether the schemes analyzed under them can be based on firmer standard-model footing. We formulate the uber-knowledge (UK) assumption, a standard-model assumption that naturally extends the uber-assumption family to knowledge assumptions. We justify the soundness of the UK in both the bilinear GGM and bilinear AGM. Along the way we extend these models to incorporate hashing into groups, an adversarial capability that is available in many concrete groups. (In contrast to standard assumptions, hashing may affect the validity of knowledge assumptions.) These results, in turn, enable a modular approach to security in GGM and AGM. As example applications, we use the UK to prove knowledge-soundness of Groth16 and KZG polynomial commitments in the standard model, where for the former we reuse the existing AGM proof without hashing

    Practical Delegatable Anonymous Credentials From Equivalence Class Signatures

    Anonymous credentials systems (ACs) are a powerful cryptographic tool for privacy-preserving applications and provide strong user privacy guarantees for authentication and access control. ACs allow users to prove possession of attributes encoded in a credential without revealing any information beyond them. A delegatable AC (DAC) system is an enhanced AC system that allows the owners of credentials to delegate the obtained credential to other users. This allows one to model hierarchies as usually encountered within public-key infrastructures (PKIs). DACs also provide stronger privacy guarantees than traditional AC systems since the identities of issuers and delegators are also hidden. A credential issuer's identity may convey information about a user's identity even when all other information about the user is protected. We present a novel delegatable anonymous credential scheme that supports attributes, provides anonymity for delegations, allows the delegators to restrict further delegations, and also comes with an efficient construction. In particular, our DAC credentials do not grow with delegations, i.e., they are of constant size. Our approach builds on a new primitive that we call structure-preserving signatures on equivalence classes on updatable commitments (SPSEQ-UC). The high-level idea is to use a special signature scheme that can sign vectors of set commitments which can be extended by additional set commitments. Signatures additionally include a user's public key, which can be switched. This allows us to efficiently realize delegation in the DAC. As with conventional SPSEQ signatures, the signatures and messages can be publicly randomized and thus allow unlinkable showings in the DAC system. We present further optimizations such as cross-set commitment aggregation that, in combination, enable selective, efficient showings in the DAC without using costly zero-knowledge proofs. We present an efficient instantiation that is proven to be secure in the generic group model and finally demonstrate the practical efficiency of our DAC by presenting performance benchmarks based on an implementation.

    Aggregate Signatures with Versatile Randomization and Issuer-Hiding Multi-Authority Anonymous Credentials

    Anonymous credentials (AC) have emerged as a promising privacy-preserving solution for user-centric identity management. They allow users to authenticate in an anonymous and unlinkable way such that only required information (i.e., attributes) from their credentials is revealed. With the increasing push towards decentralized systems and identity, e.g., self-sovereign identity (SSI) and the concept of verifiable credentials, suitable AC systems become a necessity. For instance, when relying on existing AC systems, obtaining credentials from different issuers requires the presentation of independent credentials, which can become cumbersome. Consequently, it is desirable for AC systems to support the so-called multi-authority (MA) feature. It allows a compact and efficient showing of multiple credentials from different issuers. Another important property is called issuer hiding (IH). This means that when showing a set of credentials, it is not revealed which issuer has issued which credential, but only whether a verifier-defined policy on the acceptable set of issuers is satisfied. This issue becomes particularly acute in the context of MA, where a user could be uniquely identified by the combination of issuers in their showing. Unfortunately, there are no AC schemes that satisfy both these properties simultaneously. To close this gap, we introduce the concept of Issuer-Hiding Multi-Authority Anonymous Credentials (IhMA). Our proposed solution involves the development of two new signature primitives with versatile randomization features which are of independent interest: 1) Aggregate Signatures with Randomizable Tags and Public Keys (AtoSa) and 2) Aggregate Mercurial Signatures (ATMS), which extend the functionality of AtoSa to additionally support the randomization of messages and yield the first instance of an aggregate (equivalence-class) structure-preserving signature. These primitives can be elegantly used to obtain IhMA with different trade-offs but have applications beyond. We formalize all notions and provide rigorous security definitions for our proposed primitives. We present provably secure and efficient instantiations of the two primitives as well as corresponding IhMA systems. Finally, we provide benchmarks based on an implementation to demonstrate the practical efficiency of our construction.

    Monnaies numériques : une analyse dans le modèle du groupe algébrique (Digital currencies: an analysis in the algebraic group model)

    Transferable e-cash is the most faithful digital analog of physical cash, as it allows users to transfer coins between them without interacting with the bank. Strong anonymity requirements and the need for mechanisms to trace illegal behavior (double-spending of coins) have made instantiating the concept notoriously hard. Baldimtsi et al. (PKC’15) have given a first instantiation, which however relied on a powerful cryptographic primitive that made the scheme non-practical. In this thesis we revisit the model for transferable e-cash, proposing simpler yet stronger security definitions, and then give the first concrete instantiation of the primitive, basing it on bilinear groups, and analyze its concrete efficiency. Because our scheme is built on a non-standard assumption in a bilinear-group context, we analyze the hardness of a broad class of assumptions in a relevant context: the algebraic group model.

    Transferable electronic banknotes are the digital analogue of fiat money, since they give users the ability to transfer coins among themselves without interacting with the bank. The ambition of making such a system strongly anonymous, and the need to detect fraud (in particular double-spending), have long made the construction of such a scheme difficult. Baldimtsi et al. (PKC’15) gave a first construction, which unfortunately relies on a powerful primitive that makes it impractical. In this thesis, we reconsider the security models by proposing leaner and stronger definitions, then write down a first scheme with the ambition of being implementable, and analyze its efficiency. Since the security of our scheme rests on non-standard cryptographic assumptions, we then analyze the relevance of a broad set of cryptographic assumptions built from pairings, using a technique suited to the context: the algebraic group model.