Efficient revocable identity-based encryption via subset difference methods

Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user’s credential (or private key) can be expired or revealed. revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme of Naor, Naor and Lotspiech (CRYPTO 2001) for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme of Naor et al. instead of using the CS scheme to improve the size of update keys. Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen and the SD scheme and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has O(r) number of group elements in an update key where r is the number of revoked users. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes also can be integrated with the layered subset difference scheme of Halevy and Shamir (CRYPTO 2002) to reduce the size of a private key.     

A PGM framework for recursive modeling of players in simple sequential Bayesian games

We consider the situation where two agents try to solve each their own task in a common environment. In particular, we study simple sequential Bayesian games with unlimited time horizon where two players share a visible scene, but where the tasks (termed assignments) of the players are private information. We present an influence diagram framework for representing simple type of games, where each player holds private information. The framework is used to model the analysis depth and time horizon of the opponent and to determine an optimal policy under various assumptions on analysis depth of the opponent. Not surprisingly, the framework turns out to have severe complexity problems even in simple scenarios due to the size of the relevant past. We propose two approaches for approximation. One approach is to use Limited Memory Influence Diagrams (LIMIDs) in which we convert the influence diagram into a set of Bayesian networks and perform single policy update. The other approach is information enhancement, where it is assumed that the opponent in a few moves will know your assignment. Empirical results are presented using a simple board game.     

Security of message authentication codes in the presence of key-dependent messages

In recent years, the security of encryption and signature schemes in the presence of key-dependent plaintexts received attention, and progress in understanding such scenarios has been made. In this article we motivate and discuss a setting where an adversary can access tags of a message authentication code (MAC) on key-dependent message inputs, and we propose a way to formalize the security of MACs in the presence of key-dependent messages (KD?EUF). Like signature schemes, MACs have a verification algorithm, and hence the tagging algorithm must be stateful. We present a scheme MAC-ver which offers KD?EUF security and also yields a forward-secure scheme.     

Generalized additive games

A transferable utility (TU) game with n players specifies a vector of \(2^n-1\) real numbers, i.e. a number for each non-empty coalition, and this can be difficult to handle for large n. Therefore, several models from the literature focus on interaction situations which are characterized by a compact representation of a TU-game, and such that the worth of each coalition can be easily computed. Sometimes, the worth of each coalition is computed from the values of single players by means of a mechanism describing how the individual abilities interact within groups of players. In this paper we introduce the class of Generalized additive games (GAGs), where the worth of a coalition \(S { \subseteq } N\) is evaluated by means of an interaction filter, that is a map \(\mathcal {M}\) which returns the valuable players involved in the cooperation among players in S. Moreover, we investigate the subclass of basic GAGs, where the filter \(\mathcal {M}\) selects, for each coalition S, those players that have friends but not enemies in S. We show that well-known classes of TU-games can be represented in terms of such basic GAGs, and we investigate the problem of computing the core and the semivalues for specific families of GAGs.     

Multi-party computation with conversion of secret sharing

Classical results in unconditionally secure multi-party computation (MPC) protocols with a passive adversary indicate that every n-variate function can be computed by n participants, such that no set of size t < n/2 participants learns any additional information other than what they could derive from their private inputs and the output of the protocol. We study unconditionally secure MPC protocols in the presence of a passive adversary in the trusted setup (‘semi-ideal’) model, in which the participants are supplied with some auxiliary information (which is random and independent from the participant inputs) ahead of the protocol execution (such information can be purchased as a “commodity” well before a run of the protocol). We present a new MPC protocol in the trusted setup model, which allows the adversary to corrupt an arbitrary number t < n of participants. Our protocol makes use of a novel subprotocol for converting an additive secret sharing over a field to a multiplicative secret sharing, and can be used to securely evaluate any n-variate polynomial G over a field F, with inputs restricted to non-zero elements of F. The communication complexity of our protocol is O(ℓ · n ²) field elements, where ℓ is the number of non-linear monomials in G. Previous protocols in the trusted setup model require communication proportional to the number of multiplications in an arithmetic circuit for G; thus, our protocol may offer savings over previous protocols for functions with a small number of monomials but a large number of multiplications.     

Groupstrategyproofness of the egalitarian mechanism for constrained rationing problems

Motivated by applications in many economic environments, Bochet et al. (2010) generalize the classic rationing model (Sprumont 1991) as follows: there is a moneyless market, in which a non-storable, homogeneous commodity is reallocated between agents with single-peaked preferences. Agents are either suppliers or demanders. Transfers between a supplier and a demander are feasible only if they are linked, and the links form an arbitrary bipartite graph. Information about individual preferences is private, and so is information about feasible links: an agent may unilaterally close one of her links if it is in her interest to do so. For this problem they propose the egalitarian transfer solution, which equalizes the net transfers of rationed agents as much as permitted by the bilateral constraints. Furthermore, they show that the egalitarian mechanism elicits a truthful report of both preferences and links. In the variant where demanders are not strategic but demands need to be exactly met Bochet et al. (2013), they propose a similar mechanism for which truthfully reporting the peaks is a dominant strategy, but truthful reporting of links is not.The key contribution of the paper is a comprehensive study of the egalitarian mechanism with respect to manipulation by a coalition of agents. Our main result is that the egalitarian mechanism is group strategyproof : no coalition of agents can (weakly) benefit from jointly misreporting their peaks. Furthermore, we show that the egalitarian mechanism cannot be manipulated – by misreporting links or by misreporting peaks – by any coalition of suppliers (or any coalition of demanders) in the model where both the suppliers and demanders are agents. Our proofs shed light on the structure of the two models and simplify some of the earlier proofs of strategyproofness. An implication of our results is that the well known algorithm of Megiddo (1977) to compute a lexicographically optimal flow in a network is group strategyproof with respect to the source capacities and sink capacities.     

Accelerating the cubic regularization of Newton’s method on convex problems

In this paper we propose an accelerated version of the cubic regularization of Newton’s method (Nesterov and Polyak, in Math Program 108(1): 177–205, 2006). The original version, used for minimizing a convex function with Lipschitz-continuous Hessian, guarantees a global rate of convergence of order \(O\big({1 \over k^2}\big)\), where k is the iteration counter. Our modified version converges for the same problem class with order \(O\big({1 \over k^3}\big)\), keeping the complexity of each iteration unchanged. We study the complexity of both schemes on different classes of convex problems. In particular, we argue that for the second-order schemes, the class of non-degenerate problems is different from the standard class.     

The influence of large coalitions

This paper contains two results on influence in collective decision games. The first part deals with general perfect information coin-flipping games as defined in [3].Baton passing (see [8]), ann-player game from this class is shown to have the following property: IfS is a coalition of size at most \(\frac{n}{{3\log n}}\) , then the influence ofS on the game is only \(O\left( {\frac{{\left| S \right|}}{n}} \right)\) . This complements a result from [3] that for everyk there is a coalition of sizek with influence Ω(k/n). Thus the best possible bounds on influences of coalitions of size up to this threshold are known, and there need not be coalitions up to this size whose influence asymptotically exceeds their fraction of the population. This result may be expected to play a role in resolving the most outstanding problem in this area: Does everyn-player perfect information coin flipping game have a coalition ofo(n) players with influence 1?o(1)? (Recently Alon and Naor [1] gave a negative answer to this question.) In a recent paper Kahn, Kalai and Linial [7] showed that for everyn-variable boolean function of expectation bounded away from zero and one, there is a set of \(\frac{{n\omega (n)}}{{\log n}}\) variables whose influence is 1?o(1), wherew(n) is any function tending to infinity withn. They raised the analogous question where 1?o(1) is replaced by any positive constant and speculated that a constant influence may be always achievable by significantly smaller sets of variables. This problem is almost completely solved in the second part of this article where we establish the existence of boolean functions where only sets of at least \(\Omega \left( {\frac{n}{{\log ^2 n}}} \right)\) variables can have influence bounded away from zero.     

Identity-based non-interactive key distribution with forward security

Identity-based non-interactive key distribution (ID-NIKD) is a cryptographic primitive that enables two users to establish a common secret key without exchanging messages. All users of the system have access to public system parameters and a private key, obtained through the help of a trusted key generation center. In this contribution, we discuss how to capture an intuitive form of forward security for ID-NIKD schemes in a security model. Building on results of Sakai et?al. as well as of Paterson and Srinivasan, we discuss how the proposed notion of forward security can be achieved in the random oracle model, using a Bilinear Diffie-Hellman assumption in combination with a forward-secure pseudorandom bit generator. We also show how a forward-secure ID-NIKD scheme can be used to realize forward-secure identity-based encryption.     

Chosen ciphertext secure keyed-homomorphic public-key cryptosystems

In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell \)-bit security, our DDH-based KH-PKE scheme yields only \(\ell \)-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption and give its concrete construction from the Gentry IBE scheme.     

Multiround Unconditionally Secure Authentication

Authentication codes are used to protect communication against a malicious adversary. In this paper we investigate unconditionally secure multiround authentication schemes. In a multiround scheme a message is authenticated by passing back and forth several codewords between the sender and receiver. We define a multiround authentication model and show how to calculate the probability of a successful attack for this model. We prove the security for a 3-round scheme and give a construction for the 3-round scheme based on Reed-Solomom codes. This construction has a very small key size for even extremely large messages. Furthermore, a secure scheme for an arbitrary number of rounds is given. We give a new upper bound for the keys size of an n-round scheme.     

Multiple criteria sorting with a set of additive value functions

We present a new multiple criteria sorting method that aims at assigning actions evaluated on multiple criteria to p pre-defined and ordered classes. The preference information supplied by the decision maker (DM) is a set of assignment examples on a subset of actions relatively well known to the DM. These actions are called reference actions. Each assignment example specifies a desired assignment of a corresponding reference action to one or several contiguous classes. The set of assignment examples is used to build a preference model of the DM represented by a set of general additive value functions compatible with the assignment examples. For each action a, the method computes two kinds of assignments to classes, concordant with the DM’s preference model: the necessary assignment and the possible assignment. The necessary assignment specifies the range of classes to which the action can be assigned considering all compatible value functions simultaneously. The possible assignment specifies, in turn, the range of classes to which the action can be assigned considering any compatible value function individually. The compatible value functions and the necessary and possible assignments are computed through the resolution of linear programs.     

Recursive polynomial interpolation algorithm (RPIA)

Two difference schemes are derived for numerically solving the one-dimensional time distributed-order fractional wave equations. It is proved that the schemes are unconditionally stable and convergent in the \(L^{\infty }\) norm with the convergence orders O(τ ² + h ²+Δγ ²) and O(τ ² + h ⁴+Δγ ⁴), respectively, where τ,h, and Δγ are the step sizes in time, space, and distributed order. A numerical example is implemented to confirm the theoretical results.     

Anonymous Membership Broadcast Schemes

A membership broadcast scheme is a method by which a dealer broadcasts a secret identity among a set of users, in such a way that only a single user is sure that he is the intended recipient. Anonymous membership broadcast schemes have several applications, such as anonymous delegation, cheating prevention, etc. In a w-anonymous membership broadcast scheme any coalition of at most w users, which does not include the user chosen by the dealer, has no information about the identity of the chosen user. Wang and Pieprzyk proposed a combinatorial approach to 1-anonymous membership broadcast schemes. In particular, they proposed a 1-anonymous membership broadcast scheme offering a logarithmic complexity for both communication and storage. However, their result is non-constructive. In this paper, we consider w-anonymous membership broadcast schemes. First, we propose a formal model to describe such schemes and show lower bounds on the communication and randomness complexities of the schemes. Afterwards, we show that w-anonymous membership broadcast schemes can be constructed starting from (w + 1)-wise independent families of permutations. The communication and storage complexities of our schemes are logarithmic in the number of users.     

The Nakamura Theorem for coalition structures of quota games

This paper considers a model of society $S$ with a finite number of individuals,n, a finite set off alternatives, Ω effective coalitions that must contain ana priori given numberq of individuals. Its purpose is to extend the Nakamura Theorem (1979) to the quota games where individuals are allowed to form groups of sizeq which are smaller than the grand coalition. Our main result determines the upper bound on the number of alternatives which would guarantee, for a given e andq, the existence of a stable coalition structure for any profile of complete transitive preference relations. Our notion of stability, $S$ -equilibrium, introduced by Greenberg-Weber (1993), combines bothfree entry andfree mobility and represents the natural extension of the core to improper or non-superadditive games where coalition structures, and not only the grand coalition, are allowed to form.     

An unconditionally stable spatial sixth-order CCD-ADI method for the two-dimensional linear telegraph equation

The telegraph equation is one of the important models in many physics and engineering. In this work, we discuss the high-order compact finite difference method for solving the two-dimensional second-order linear hyperbolic equation. By using a combined compact finite difference method for the spatial discretization, a high-order alternating direction implicit method (ADI) is proposed. The method is O(τ² + h⁶) accurate, where τ, h are the temporal step size and spatial size, respectively. Von Neumann linear stability analysis shows that the method is unconditionally stable. Finally, numerical examples are used to illustrate the high accuracy of the new difference scheme.     

Hypergraph decomposition and secret sharing

A secret sharing scheme is a protocol by which a dealer distributes a secret among a set of participants in such a way that only qualified sets of them can reconstruct the value of the secret whereas any non-qualified subset of participants obtain no information at all about the value of the secret. Secret sharing schemes have always played a very important role for cryptographic applications and in the construction of higher level cryptographic primitives and protocols.In this paper we investigate the construction of efficient secret sharing schemes by using a technique called hypergraph decomposition, extending in a non-trivial way the previously studied graph decomposition techniques. A major advantage of hypergraph decomposition is that it applies to any access structure, rather than only structures representable as graphs. As a consequence, the application of this technique allows us to obtain secret sharing schemes for several classes of access structures (such as hyperpaths, hypercycles, hyperstars and acyclic hypergraphs) with improved efficiency over previous results. Specifically, for these access structures, we present secret sharing schemes that achieve optimal information rate. Moreover, with respect to the average information rate, our schemes improve on previously known ones.In the course of the formulation of the hypergraph decomposition technique, we also obtain an elementary characterization of the ideal access structures among the hyperstars, which is of independent interest.     

Super-strong RKA secure MAC,PKE and SE from tag-based hash proof system

\(\mathcal {F}\)-related-key attacks (RKA) on cryptographic systems consider adversaries who can observe the outcome of a system under not only the original key, say k, but also related keys f(k), with f adaptively chosen from \(\mathcal {F}\) by the adversary. In this paper, we define new RKA security notions for several cryptographic primitives including message authentication code (MAC), public-key encryption (PKE) and symmetric encryption (SE). This new kind of RKA notions are called super-strong RKA securities, which stipulate minimal restrictions on the adversary’s forgery or oracle access, thus turn out to be the strongest ones among existing RKA security requirements. We present paradigms for constructing super-strong RKA secure MAC, PKE and SE from a common ingredient, namely Tag-based hash proof system (THPS). We also present constructions for THPS based on the k-linear and the DCR assumptions. When instantiating our paradigms with concrete THPS constructions, we obtain super-strong RKA secure MAC, PKE and SE schemes for the class of restricted affine functions \(\mathcal {F}_{\text {raff}}\), of which the class of linear functions \(\mathcal {F}_{\text {lin}}\) is a subset. To the best of our knowledge, our MACs, PKEs and SEs are the first ones possessing super-strong RKA securities for a non-claw-free function class \(\mathcal {F}_{\text {raff}}\) in the standard model and under standard assumptions. Our constructions are free of pairing and are as efficient as those proposed in previous works. In particular, the keys, tags of MAC and ciphertexts of PKE and SE all consist of only a constant number of group elements.     

Properties and constraints of cheating-immune secret sharing schemes

A secret sharing scheme is a cryptographic protocol by means of which a dealer shares a secret among a set of participants in such a way that it can be subsequently reconstructed by certain qualified subsets. The setting we consider is the following: in a first phase, the dealer gives in a secure way a piece of information, called a share, to each participant. Then, participants belonging to a qualified subset send in a secure way their shares to a trusted party, referred to as a combiner, who computes the secret and sends it back to the participants.Cheating-immune secret sharing schemes are secret sharing schemes in the above setting where dishonest participants, during the reconstruction phase, have no advantage in sending incorrect shares to the combiner (i.e., cheating) as compared to honest participants. More precisely, a coalition of dishonest participants, by using their correct shares and the incorrect secret supplied by the combiner, have no better chance in determining the true secret (that would have been reconstructed if they submitted correct shares) than an honest participant.In this paper we study properties and constraints of cheating-immune secret sharing schemes. We show that a perfect secret sharing scheme cannot be cheating-immune. Then, we prove an upper bound on the number of cheaters tolerated in such schemes. We also repair a previously proposed construction to realize cheating-immune secret sharing schemes. Finally, we discuss some open problems.