Similar literature
20 similar documents found; search took 93 ms
1.
Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user's credential (or private key) can expire or be revealed. Revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme of Naor, Naor and Lotspiech (CRYPTO 2001) for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme of Naor et al. instead of the CS scheme to improve the size of update keys. Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen with the SD scheme, and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has \(O(r)\) group elements in an update key, where \(r\) is the number of revoked users. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes can also be integrated with the layered subset difference scheme of Halevy and Shamir (CRYPTO 2002) to reduce the size of a private key.

2.
A traitor tracing scheme allows a content distributor to detect at least one of the traitors whose secret key was used to create a pirate decoder. In building efficient traitor tracing schemes, reducing ciphertext size is a significant factor since the traitor tracing scheme must handle a large number of users. In this paper, we present a fully collusion-resistant traitor tracing scheme whose ciphertext size is 2.8 times shorter and whose encryption time is 2.6 times faster, compared to the best cases of fully collusion-resistant schemes previously suggested. We achieve these efficiency results without sacrificing other costs. Also, our scheme supports public tracing and black-box tracing. To achieve our goal, we use asymmetric bilinear maps in prime-order groups, and we introduce a new cancellation technique that has the same effect as that in composite-order groups.

3.
Revocable hierarchical identity-based encryption (RHIBE) is an extension of HIBE that supports the revocation of users' private keys to manage the dynamic credentials of users in a system. Many different RHIBE schemes were proposed previously, but they are not efficient in terms of private key size and update key size, since the depth of a hierarchical identity is included as a multiplicative factor. In this paper, we propose efficient RHIBE schemes with shorter private keys and update keys and small public parameters by removing this multiplicative factor. To achieve our goals, we first present a new HIBE scheme with a different generation of private keys, such that a private key can be simply derived from a short intermediate private key. Next, we show that two efficient RHIBE schemes can be built by combining our HIBE scheme, an IBE scheme, and a tree-based broadcast encryption scheme in a modular way.

4.
In identity-based key extraction, the key generator embeds a random number in the private key, which gives key extraction greater flexibility and allows a user to hold multiple private keys for a single identity; this undoubtedly increases the security of key usage. Based on this new key extraction approach, an identity-based signature scheme is given, and the new key extraction method gives it better security and flexibility. The new identity-based signature scheme requires the minimum number of pairing operations, so compared with similar schemes it has better computational efficiency. The security of the new signature scheme relies on the hardness of the k-collusion attack problem (k-CAAP); it is strongly unforgeable under adaptive chosen-message and chosen-ID attacks, and its security proof has a tight reduction.

5.
When an organisation chooses a system to make regular broadcasts to a changing user base, there is an inevitable trade-off between the number of keys a user must store and the number of keys used in the broadcast. The Complete Subtree and Subset Difference Revocation Schemes were proposed as efficient solutions to this problem. However, all measurements of the broadcast size have been in terms of upper bounds on the worst case. Also, the bound on the latter scheme is only relevant for small numbers of revoked users, despite the fact that both schemes allow any number of such users. Since the broadcast size can be critical for limited-memory devices, we aid comparative analysis of these important techniques by establishing the worst-case broadcast size for both revocation schemes.

6.
We describe a new algorithm for the computation of recursion coefficients of monic polynomials \(\{p_j\}_{j=0}^{n}\) that are orthogonal with respect to a discrete bilinear form \((f, g) := \sum_{k=1}^{m} f(x_k)\,g(x_k)\,w_k\), \(m \ge n\), with real distinct nodes \(x_k\) and real nonvanishing weights \(w_k\). The algorithm proceeds by applying a judiciously chosen sequence of real or complex Givens rotations to the diagonal matrix \(\mathrm{diag}[x_1, x_2, \ldots, x_m]\) in order to determine an orthogonally similar complex symmetric tridiagonal matrix \(T\), from whose entries the recursion coefficients of the monic orthogonal polynomials can easily be computed. Fourier coefficients of given functions can conveniently be computed simultaneously with the recursion coefficients. Our scheme generalizes methods by Elhay et al. [6] based on Givens rotations for updating and downdating polynomials that are orthogonal with respect to a discrete inner product. Our scheme also extends an algorithm for the solution of an inverse eigenvalue problem for real symmetric tridiagonal matrices proposed by Rutishauser [20] and Gragg and Harrod [17], and a method for generating orthogonal polynomials based thereon [18]. Computed examples that compare our algorithm with the Stieltjes procedure show the former to generally yield higher accuracy, except when \(n \approx m\). If \(n\) is sufficiently much smaller than \(m\), then both the Stieltjes procedure and our algorithm yield accurate results. Research supported in part by the Center for Research on Parallel Computation at Rice University and NSF Grant No. DMS-9002884.

7.
In a conventional secret sharing scheme a dealer uses secure point-to-point channels to distribute the shares of a secret to a number of participants. At a later stage an authorised group of participants send their shares through secure point-to-point channels to a combiner, who reconstructs the secret. In this paper, we assume no point-to-point channel exists and communication is only through partial broadcast channels. A partial broadcast channel is a point-to-multipoint channel that enables a sender to send the same message simultaneously and privately to a fixed subset of receivers. We study secret sharing schemes with partial broadcast channels, called partial broadcast secret sharing schemes. We show that a necessary and sufficient condition for the partial broadcast channel allocation of a (t, n)-threshold partial broadcast secret sharing scheme is equivalent to a combinatorial object called a cover-free family. We use this property to construct a (t, n)-threshold partial broadcast secret sharing scheme with O(log n) partial broadcast channels. This is a significant reduction compared to the n point-to-point channels required in a conventional secret sharing scheme. Next, we consider the communication rate of a partial broadcast secret sharing scheme, defined as the ratio of the secret size to the total size of messages sent by the dealer. We show that the communication rate of a partial broadcast secret sharing scheme can approach 1/O(log n), which is a significant increase over the corresponding value, 1/n, in conventional secret sharing schemes. We derive a lower bound on the communication rate and show that for a (t, n)-threshold partial broadcast secret sharing scheme the rate is at least 1/t, and then we propose constructions with high communication rates. We also present the case of partial broadcast secret sharing schemes for general access structures, discuss possible extensions of this work and propose a number of open problems.

8.
In 2007, Sun et al. (IEEE Trans Inf Theory 53(8):2922–2933, 2007) presented new variants of RSA, called Dual RSA, whose key generation algorithm outputs two distinct RSA moduli having the same public and private exponents, with the advantage of reducing storage requirements for keys. These variants can be used in applications such as blind signatures and authentication/secrecy. In this paper, we give an improved analysis of Dual RSA and show that when the private exponent is smaller than \(N^{0.368}\), Dual RSA can be broken, where N is an integer with the same bit length as the modulus of Dual RSA. Our work is based on the observation that we can split the private exponent into two much smaller unknown variables and solve a related modular equation in the two unknown variables and other auxiliary variables by making use of lattice-based methods. Moreover, we extend this method to analyze the common private exponent RSA scheme, a variant of Dual RSA, and obtain a better bound than previous analyses. While our analyses cannot be proven to work in general, since we rely on some unproven assumptions, our experimental results have shown that they work in practice.

9.
Let G be a weighted, complete, directed acyclic graph (DAG) whose edge weights obey the concave Monge condition. We give an efficient algorithm for finding the minimum-weight k-link path between a given pair of vertices for any given k. The time complexity of our algorithm is . Our algorithm uses some properties of DAGs with the concave Monge property together with the parametric search technique. We apply our algorithm to get efficient solutions for the following problems, improving on previous results: (1) Finding the largest k-gon contained in a given convex polygon. (2) Finding the smallest k-gon that is the intersection of k half-planes out of n half-planes defining a convex n-gon. (3) Computing maximum k-cliques of an interval graph. (4) Computing length-limited Huffman codes. (5) Computing optimal discrete quantization.

10.
It has been shown by various researchers that designing a perfect hashing function for a fixed set of n elements requires (n) bits in the worst case. A possible relaxation of this scheme is to partition the set into pages, and design a hash function which maps keys to page addresses, requiring a subsequent binary search of the page. We have shown elsewhere that \((nk/2^{k+1})(1 + o(1))\) bits are necessary and sufficient to describe such a hash function where the pages are of size \(2^k\). In this paper we examine the additional scheme of expanding the address space of the table, which substantially improves the hash function complexity of perfect hashing, and show that, in contrast, it does not reduce the hash function complexity of the paging scheme. Research supported by NSF Grant CCR-9017125 and by a grant from Texas Instruments.

11.
The string matching with mismatches problem is that of finding the number of mismatches between a pattern P of length m and every length-m substring of the text T. Currently, the fastest algorithms for this problem are the following. The Galil–Giancarlo algorithm finds all locations where the pattern has at most k errors (where k is part of the input) in time O(nk). The Abrahamson algorithm finds the number of mismatches at every location in time . We present an algorithm that is faster than both. Our algorithm finds all locations where the pattern has at most k errors in time . We also show an algorithm that solves the above problem in time \(O((n + nk^3/m)\log k)\).

12.
In this paper we study the following problem, which we call the weighted routing problem. Let a graph \(G = (V, E)\) with non-negative edge weights \(w_e \in \mathbb{R}_+\) be given, and let \(T_1, \ldots, T_N\), \(N \ge 1\), be a list of node sets. The weighted routing problem consists in finding mutually disjoint edge sets \(S_1, \ldots, S_N\) such that, for each \(k \in \{1, \ldots, N\}\), the subgraph \((V(S_k), S_k)\) contains an \([s, t]\)-path for all \(s, t \in T_k\), and the sum of the weights of the edge sets is minimal. Our motivation for studying this problem arises from the routing problem in VLSI design, where given sets of points have to be connected by wires. We consider the weighted routing problem from a polyhedral point of view. We define an appropriate polyhedron and try to (partially) describe this polyhedron by means of inequalities. We describe our separation algorithms for some of the presented classes of inequalities. Based on these separation routines we have implemented a branch-and-cut algorithm. Our algorithm is applicable to an important subclass of routing problems arising in VLSI design, namely switchbox routing problems, where the underlying graph is a grid graph and the list of node sets is located on the outer face of the grid. We report on our computational experience with this class of problem instances.

13.
We give various characterizations of k-vertex-connected graphs by geometric, algebraic, and physical properties. As an example, a graph G is k-connected if and only if, specifying any k vertices of G, the vertices of G can be represented by points of \(\mathbb{R}^{k-1}\) so that no k are on a hyperplane and each vertex is in the convex hull of its neighbors, except for the k specified vertices. The proof of this theorem appeals to physics. The embedding is found by letting the edges of the graph behave like ideal springs and letting its vertices settle in equilibrium. As an algorithmic application of our results we give probabilistic (Monte Carlo and Las Vegas) algorithms for computing the connectivity of a graph. Our algorithms are faster than the best known (deterministic) connectivity algorithms for all k n, and for very dense graphs the Monte Carlo algorithm is faster by a linear factor.

14.
We describe an algorithm which rapidly computes the coefficients of elements of small norm in quadratic fields modulo a positive integer. Our method requires that an approximation of the natural logarithm of that quadratic field element is known to sufficient accuracy. To demonstrate the efficiency and utility of our method, we apply it to eliminate a number of exceptional cases of a theorem of Dujella and Pethő [9] involving Diophantine triples. In particular, we are able to show that Theorem 1.2 of [9] is unconditionally true for all \(k \le 100\) with the possible exception of \(k = 37\), for which the theorem holds under the assumption of the Extended Riemann Hypothesis.

15.
In this paper we discuss the security of digital signature schemes based on error-correcting codes. Several attacks on the Xinmei scheme are surveyed, and some reasons are given to explain why the Xinmei scheme failed, such as the linearity of the signature and the redundancy of public keys. Another weakness is found in the Alabbadi–Wicker scheme, which results in a universal forgery attack against it. This attack shows that the Alabbadi–Wicker scheme fails to implement the necessary property of a digital signature scheme: it must be infeasible to find a false signature algorithm D from the public verification algorithm E such that E(D( )) = for all messages . Further analysis shows that this new weakness also applies to the Xinmei scheme.

16.
A k-hitting set in a hypergraph is a set of at most k vertices that intersects all hyperedges. We study the union of all inclusion-minimal k-hitting sets in hypergraphs of rank r (where the rank is the maximum size of hyperedges). We show that this union is relevant for certain combinatorial inference problems and give worst-case bounds on its size, depending on r and k. For r = 2 our result is tight, and for each \(r \ge 3\) we have an asymptotically optimal bound and make progress regarding the constant factor. The exact worst-case size for \(r \ge 3\) remains an open problem. We also propose an algorithm for counting all k-hitting sets in hypergraphs of rank r. Its asymptotic runtime matches the best one known for the much more special problem of finding one k-hitting set. The results are used for efficient counting of k-hitting sets that contain any particular vertex.

17.
In the theory of linear subdivision algorithms, it is well known that the regularity of a linear subdivision scheme can be elevated by one order (say, from \(C^k\) to \(C^{k+1}\)) by composing it with an averaging step (equivalently, by multiplying the subdivision mask a(z) by a (1 + z) factor). In this paper, we show that the same can be done for nonlinear subdivision schemes: by composing it with any nonlinear, smooth, 2-point averaging step, the lifted nonlinear subdivision scheme has one more order of regularity than the original scheme. A notable application of this result shows that the classical Lane–Riesenfeld algorithm for uniform B-splines, when extended to Riemannian manifolds based on geodesic midpoints, produces curves with the same regularity as their linear counterparts. (In particular, curvature does not prevent the nonlinear Lane–Riesenfeld algorithm from inheriting regularity from the linear algorithm.) Our main result uses the recently developed technique of differential proximity conditions.

18.
Since the pioneering work of Karmarkar, much interest has been directed to penalty algorithms, in particular to the log barrier algorithm. We analyze in this paper the asymptotic convergence rate of a barrier algorithm when applied to nonlinear programs. More specifically, we consider a variant of the SUMT method, in which so-called extrapolation predictor steps, which allow reducing the penalty parameter \(\{r_k\}\), are followed by some Newton correction steps. While obviously related to predictor-corrector interior point methods, the spirit differs since our point of view is biased toward nonlinear barrier algorithms; we contrast both points of view in detail. In our context, we identify an asymptotically optimal strategy for reducing the penalty parameter r and show that if \(r_{k+1} =\) \(r_k\) with \(< 8/5\), then asymptotically only 2 Newton corrections are required, and this strategy achieves the best overall average superlinear convergence order (1.1696). Therefore, our main result is to characterize the best possible convergence order for SUMT-type methods.

19.
On-line k-Truck Problem and Its Competitive Algorithms   Total citations: 1, self-citations: 0, citations by others: 1
In this paper, based on the Position Maintaining Strategy (PMS for short), on-line scheduling of the k-truck problem, which is a generalization of the famous k-server problem, is originally presented by our team. We propose several competitive algorithms applicable under different conditions for solving the on-line k-truck problem. First, a competitive algorithm with competitive ratio 2k+1/ is given for any 1. Following that, if (c+1)/(c-1) holds, then there must exist a (2k-1)-competitive algorithm for the k-truck problem, where c is the competitive ratio of the on-line algorithm for the relevant k-server problem. Then a greedy algorithm with competitive ratio 1+/, where lambda is a parameter related to the structural properties of a given graph, is given. Finally, competitive algorithms with ratio 1+1/ are given for two special families of graphs.

20.
A multisecret threshold scheme is a system that protects a number of secrets (or keys) among a group of participants, as follows. Given a set of n participants, there is a secret \(s_K\) associated with each k-subset K of these participants. The scheme ensures that \(s_K\) can be reconstructed by any group of t participants in K ( ). A lower bound has been established on the amount of information that participants must hold in order to ensure that any set of up to w participants cannot obtain any information about a secret with which they are not associated. In this paper, for parameters t = 2 and w = n-k+t-1, we give a construction for multisecret threshold schemes that satisfy this bound.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号