
    How to Validate a Verification?

    This paper introduces signature validation, a primitive allowing any third party $T$ (Théodore) to verify that a verifier $V$ (Vadim) computationally verified a signature $s$ on a message $m$ issued by a signer $S$ (Sarah). A naive solution consists in having Sarah send $x = \{m, \sigma_s\}$, where $\sigma_s$ is Sarah's signature on $m$, and having Vadim confirm reception by a signature $\sigma_v$ on $x$. Unfortunately, this only attests proper reception by Vadim, i.e. that Vadim could have checked $x$, and not that Vadim actually verified $x$. By "actually verifying" we mean providing a proof or a convincing argument that a program running on Vadim's machine checked the correctness of $x$. This paper proposes several solutions for doing so, thereby providing a useful building block in numerous commercial and legal interactions for proving informed consent.

    How to Physically Hold Your Bitcoins?

    The rise of virtual currencies has revolutionized the way we conduct financial transactions. These digital assets, governed by intricate online protocols, have rapidly gained prominence as a viable medium of exchange, offering convenience and security. However, as we delve deeper into the digital realm, a challenge persists: How can we bridge the gap between the virtual and the physical? This paper tackles this challenge by proposing a way to materialize virtual coins and make them physically exchangeable offline at the cost of some plausible trust assumptions.

    Slow Motion Zero Knowledge Identifying With Colliding Commitments

    Discrete-logarithm authentication protocols are known to present two interesting features: The first is that the prover's commitment, $x = g^r$, claims most of the prover's computational effort. The second is that $x$ does not depend on the challenge and can hence be computed in advance. Provers exploit this feature by pre-loading (or pre-computing) ready-to-use commitment pairs $(r_i, x_i)$. The $r_i$ can be derived from a common seed, but storing each $x_i$ still requires 160 to 256 bits when implementing DSA or Schnorr. This paper proposes a new concept called slow motion zero-knowledge (SM-ZK). SM-ZK allows the prover to slash commitment size (by a factor of 4 to 6) by combining classical zero-knowledge and a timing side-channel. We pay the conceptual price of requiring the ability to measure time but, in exchange, obtain communication-efficient protocols.

    Thrifty Zero-Knowledge - When Linear Programming Meets Cryptography

    We introduce “thrifty” zero-knowledge protocols, or TZK. These protocols are constructed by introducing a bias in the challenge sent by the prover. This bias is chosen so as to maximize the security versus effort trade-off. We illustrate the benefits of this approach on several well-known zero-knowledge protocols.

    New Number-Theoretic Cryptographic Primitives

    This paper introduces new $p^r q$-based one-way functions and companion signature schemes. The new signature schemes are interesting because they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat–Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli $n_i = p_i^2 q_i$ and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the $n_i$'s match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. Given their very unique design, the proposed signature schemes seem to be overlooked "missing species" in the corpus of known signature algorithms.

    Process Table Covert Channels: Exploitation and Countermeasures

    How to securely run untrusted software? A typical answer is to try to isolate the actual effects this software might have. Such counter-measures can take the form of memory segmentation, sandboxing or virtualisation. Besides controlling potential damage this software might do, such methods try to prevent programs from peering into other running programs' operation and memory. As programs, no matter how many layers of indirection are in place, are really being run, they consume resources. Should this resource usage be precisely monitored, malicious programs might be able to communicate in spite of software protections. We demonstrate the existence of such a covert channel bypassing isolation techniques and IPC policies. This covert channel works over all major consumer OSes (Windows, Linux, macOS) and relies on exploitation of the process table. We measure the bandwidth of this channel and suggest countermeasures.

    Backtracking-Assisted Multiplication

    This paper describes a new multiplication algorithm, particularly suited to lightweight microprocessors when one of the operands is known in advance. The method uses backtracking to find a multiplication-friendly encoding of the operand known in advance. A 68HC05 microprocessor implementation shows that the new algorithm indeed yields a twofold speed improvement over classical multiplication for 128-byte numbers.

    Recovering Secrets From Prefix-Dependent Leakage

    We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to $k$-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.

    Legally Fair Contract Signing Without Keystones

    In two-party computation, achieving both fairness and guaranteed output delivery is well known to be impossible. Despite this limitation, many approaches provide solutions of practical interest by weakening somewhat the fairness requirement. Such approaches fall roughly in three categories: "gradual release" schemes assume that the aggrieved party can eventually reconstruct the missing information; "optimistic schemes" assume a trusted third party arbitrator that can restore fairness in case of litigation; and "concurrent" or "legally fair" schemes in which a breach of fairness is compensated by the aggrieved party having a digitally signed cheque from the other party (called the keystone). In this paper we describe and analyse a new contract signing paradigm that doesn't require keystones to achieve legal fairness, and give a concrete construction based on Schnorr signatures which is compatible with standard Schnorr signatures and provably secure.