CAPYBARA and TSUBAKI: Verifiable Random Functions from Group Actions and Isogenies

In this work, we propose two post-quantum verifiable random functions (VRFs) constructions based on group actions and isogenies, one of which is based on the standard DDH assumption. VRF is a cryptographic tool that enables a user to generate a pseudorandom output along with a publicly verifiable proof. The residual pseudorandomness of VRF ensures the pseudorandomness of unrevealed inputs, even if an arbitrary number of outputs and proofs are revealed. Furthermore, it is infeasible to generate proofs to validate distinct values as outputs for the same input. In practical applications, VRFs have a wide range of uses, including in DNSSEC protocols, blockchain and cryptocurrency. Currently, most VRF constructions rely on elliptic curve cryptography (ECC), pairing, or Decisional Diffie-Hellman (DDH) type assumptions. These assumptions, however, cannot thwart the threats from quantum adversaries. In light of this, there is a growing need for post-quantum VRFs, which are currently less widely developed in the literature. We contribute to the study by presenting two VRF proposals from group actions and isogenies. Our constructions are fairly simple and derived from number-theoretic pseudorandom functions. We present a proof system that allows us to prove the factorization of group actions and set elements, providing a proof for our VRFs. The first one is based on the standard DDH problem. For the proof we introduce a new problem, the master decisional Diffie-Hellman problem over group actions, which we prove to be equivalent to the standard DDH problem. Furthermore, we present a new use of quadratic twists to reduce costs by expanding the input size and relaxing the assumption to the square DDH problem. Additionally, we employ advanced techniques in the isogeny literature to optimize the proof size to 39KB and 34 KB using CSIDH512 without compromising VRF notions. To the best of our knowledge, they are the first two provably secure VRF constructions based on isogenies

A Proposed Framework for Influencing Factors of Partnership in E-Marketplace

This paper attempts to integrate concepts of e-marketplace and inter-organizational relationship to built a framework for influencing factors of e-business partnership and empirically explore it. The importance for five dimensions of the Research Model based on four top representatives of interviewed Taiwanese companies engaged in e-marketplaces is summarized. Fuzzy Delphi Method is used to decide which factors are vital for the success in three phases of partnership in e-marketplace. Data are collected through a survey of organizations that are actively involved in the planning or operation of e-marketplaces. Except exploiting of new market, the result has been shown the influencing factors are not the same in three phases of partnership in e-marketplace. It implies that to manage an e-marketplace must have different strategies to select, develop, and maintain participants

Collusion Resistant Revocable Ring Signatures and Group Signatures from Hard Homogeneous Spaces

Both ring signatures and group signatures are useful privacy tools, allowing signers to hide their identities within a set of other public keys, while allowing their signatures to be validated with respect to the entire set. Group signature schemes and revocable ring signature schemes both provide the additional ability for certain authorized members to revoke the anonymity on a signature and reveal the true signer—allowing management of abuse in the scheme. This work consists of two parts. Firstly, we introduce a stronger security notion—collusion resistance—for revocable ring signatures and show how to derive a group signature scheme from it, which provides a new approach to obtaining group signatures. This improves on the existing weak security model (e.g. with selfless anonymity) which fails to guarantee anonymity of members whose keys are exposed. Our stronger notion requires that the scheme remains secure against full key exposure in the anonymity game, and allows collusion among arbitrary members in the revocability game. Secondly (and more concretely), we construct a practical collusion-resistant revocable ring signature scheme based on hard homogenous spaces (HHS), and thus obtain a group signature scheme based on isogenies. To the best of our knowledge, the schemes given in this work are the first efficient post-quantum (collusion-resistant) revocable ring signature scheme, and the first efficient isogeny-based group signature scheme in the literature

MixFairFace: Towards Ultimate Fairness via MixFair Adapter in Face Recognition

Although significant progress has been made in face recognition, demographic bias still exists in face recognition systems. For instance, it usually happens that the face recognition performance for a certain demographic group is lower than the others. In this paper, we propose MixFairFace framework to improve the fairness in face recognition models. First of all, we argue that the commonly used attribute-based fairness metric is not appropriate for face recognition. A face recognition system can only be considered fair while every person has a close performance. Hence, we propose a new evaluation protocol to fairly evaluate the fairness performance of different approaches. Different from previous approaches that require sensitive attribute labels such as race and gender for reducing the demographic bias, we aim at addressing the identity bias in face representation, i.e., the performance inconsistency between different identities, without the need for sensitive attribute labels. To this end, we propose MixFair Adapter to determine and reduce the identity bias of training samples. Our extensive experiments demonstrate that our MixFairFace approach achieves state-of-the-art fairness performance on all benchmark datasets.Comment: Accepted in AAAI-23; Code: https://github.com/fuenwang/MixFairFac

Attack on SHealS and HealS: the Second Wave of GPST

We cryptanalyse the isogeny-based public key encryption schemes SHealS and HealS, and the key exchange scheme HealSIDH of Fouotsa and Petit from Asiacrypt 2021

Breaking Parallel ROS: Implication for Isogeny and Lattice-based Blind Signatures

Many of the three-round blind signatures based on identification protocols are only proven to be $\ell$-concurrently unforgeable for $\ell = \mathsf{polylog}(\lambda)$. It was only recently shown in a seminal work by Benhamouda et al. (EUROCRYPT\u2721) that this is not just a limitation of the proof technique. They proposed an elegant polynomial time attack against the $\ell$-concurrently unforgeability of the classical blind Schnorr protocol for $\ell = \mathsf{poly}(\lambda)$. However, there are still many blind signatures following a similar recipe to blind Schnorr where the attack by Benhamouda et al. does not apply. This includes for instance the isogeny-based blind signature CSI-Otter by Katsumata et al (CRYPTO\u2723), the lattice-based blind signatures Blaze+ by Alkeilani et al. (ACISP\u2720) and BlindOR by Alkeilani et al. (CANS\u2720). In this work, we provide a simple and novel attack on blind signatures based on identification protocols performing parallel repetition to reduce the soundness error. Our attack translates to a polynomial time break for the $\ell$-concurrent unforgeability of CSI-Otter, Blaze+, and BlindOR for $\ell = \mathsf{poly}(\lambda)$. More formally, we define an intermediate problem called Parallel Random inhomogeneities in an Overdetermined Solvable system of linear equations (pROS) problem and show that an attack against pROS implies an attack to the above blind signatures. One takeaway of our finding is that while parallel repetition allows to exponentially reduce the soundness error of an identification protocol, this has minimal effect on the resulting blind signature. Our attack is concretely very efficient and for instance breaks $4$-concurrent unforgeability of CSI-Otter in time roughly $2^{34}$ hash computations

Efficient Isogeny Proofs Using Generic Techniques

Generating supersingular elliptic curves of unknown endomorphism ring has been a problem vexing isogeny-based cryptographers for several years. A recent development has proposed a trusted setup protocol to generate such a curve, where each participant generates and proves knowledge of an isogeny. Thus, the construction of efficient proofs of knowledge of isogeny has developed new interest. Historically, the isogeny community has assumed that obtaining isogeny proofs of knowledge from generic proof systems, such as zkSNARKs, was not a practical approach. We contribute the first concrete result in this area by applying Aurora (EUROCRYPT\u2719), Ligero (CCS\u2717) and Limbo (CCS\u2721) to an isogeny path relation, and comparing their performance to a state-of-the-art, tailor-made protocol for the same relation. In doing so, we show that modern generic proof systems are competitive when applied to isogeny assumptions, and provide an order of magnitude ($3\textrm{-}10\times$) improvement to proof and verification times, with similar proof sizes. In addition, these proofs provide a stronger notion of soundness, and statistical zero-knowledge; a property that has only recently been achieved in isogeny PoKs. Independently, this technique shows promise as a component in the design of future isogeny-based or other post-quantum protocols

CSI-Otter: Isogeny-based (Partially) Blind Signatures from the Class Group Action with a Twist

In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the linear identification protocol abstraction introduced by Hauck, Kiltz, and Loss (EUROCYRPT\u2719), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably-secure in the poly-logarithmic (in the number of security parameter) concurrent execution and does not seem susceptible to the recent efficient ROS attack exploiting the linear nature of the underlying mathematical tool. In more detail, our blind signature exploits the quadratic twist of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size $128$~B and signature size $8$~KB under the CSIDH-512 parameter sets---these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new ring variant of the group action inverse problem rGAIP, we can halve the signature size to 4~KB while increasing the public key size to 512~B. We provide preliminary cryptanalysis of rGAIP and show that for certain parameter settings, it is essentially as secure as the standard GAIP. Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key---constructing such a hash function in the isogeny setting remains an open problem