Similar literature
1.
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie–Hellman protocol, allowing two parties who share no secret information initially to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.

2.
In 2009, Tseng et al. proposed a password sharing and chaotic map based key agreement protocol (Tseng et al.'s protocol). They claimed that the protocol provided mutual authentication between a server and a user, and allowed the user to anonymously interact with the server to establish a shared session key. However, in 2011, Niu et al. proved that Tseng et al.'s protocol cannot guarantee user anonymity and protocol security when there is an internal adversary who is a legitimate user. Also it cannot provide perfect forward secrecy. Then Niu et al. introduced a trusted third party (TTP) into their protocol design (Niu et al.'s protocol). But according to our research, Niu et al.'s protocol is found to have several unsatisfactory drawbacks. Based on reconsidering Tseng et al.'s protocol without introducing a TTP, we give some improvements to meet the original security and performance requirements. Meanwhile our proposed protocol overcomes the security flaws of Tseng et al.'s protocol.

3.
We describe a public-key cryptosystem in which a participant's public key is a public value, for example his identity. In this system, several trusted centres jointly generate a large composite N = pq, where p and q are primes with p ≡ q ≡ 3 (mod 4), such that no single trusted centre knows the factorization of N. In addition, each trusted centre holds a share of a secret exponent, which yields threshold decryption. This paper discusses the security of the proposed scheme and proves that it is related to the hardness of the quadratic residuosity problem.

4.
Signcryption schemes with threshold unsigncryption, and applications   (total citations: 1; self-citations: 0; by others: 1)
The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very little attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided into two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.

5.
An Efficient Protocol for Authenticated Key Agreement   (total citations: 9; self-citations: 0; by others: 9)
This paper proposes an efficient two-pass protocol for authenticated key agreement in the asymmetric (public-key) setting. The protocol is based on Diffie-Hellman key agreement and can be modified to work in an arbitrary finite group and, in particular, elliptic curve groups. Two modifications of this protocol are also presented: a one-pass authenticated key agreement protocol suitable for environments where only one entity is on-line, and a three-pass protocol in which key confirmation is additionally provided. Variants of these protocols have been standardized in IEEE P1363 [17], ANSI X9.42 [2], ANSI X9.63 [4] and ISO 15496-3 [18], and are currently under consideration for standardization by the U.S. government's National Institute for Standards and Technology [30].

6.
In this paper, we introduce a new class of PRSGs, called partitioned pseudorandom sequence generators (PPRSGs), and propose an RFID authentication protocol using a PPRSG, called S-protocol. Since most existing stream ciphers can be regarded as secure PPRSGs, and stream ciphers outperform other types of symmetric key primitives such as block ciphers and hash functions in terms of power, performance and gate size, S-protocol is expected to be suitable for use in highly constrained environments such as RFID systems. We present a formal proof that guarantees resistance of S-protocol to desynchronization and tag-impersonation attacks. Specifically, we reduce the availability of S-protocol to pseudorandomness of the underlying PPRSG, and the security of the protocol to the availability. Finally, we give a modification of S-protocol, called S*-protocol, that provides mutual authentication of tag and reader.

7.
Consider an election where N seats are distributed among parties with proportions p_1, …, p_m of the votes. We study, for the common divisor and quota methods, the asymptotic distribution, and in particular the mean, of the seat excess of a party, i.e. the difference between the number of seats given to the party and the (real) number Np_i that yields exact proportionality. Our approach is to keep p_1, …, p_m fixed and let N → ∞, with N random in a suitable way. In particular, we give formulas showing the bias favouring large or small parties for the different election methods.

8.
Government formation in a two dimensional policy space   (total citations: 1; self-citations: 0; by others: 1)
Given any allocation of parliament seats among parties, we characterize all the stable government configurations (supported by at least a majority of the parliament) in terms of winning coalitions and policy outcomes. We consider a two dimensional policy space and we assume that there are four parties that care mainly about holding office, and only instrumentally about policy. We find that for any distribution of seats in the parliament only two scenarios are possible: either there is a party that is a member of almost all equilibrium coalitions (dominant party scenario) or there is a party that is never a member of an equilibrium coalition (dominated party scenario). We characterize the key party for each possible scenario and we show that it is sufficient that the key party has intense preferences over one of the issues to guarantee the formation of a stable government coalition.

9.
The paper considers a single member district, simple plurality political system with n districts. There are two political parties, each consisting of n candidates. Individual candidates seek to win their district per se, but voters appreciate that final policy outcomes will depend upon: (1) which party wins control of the legislature, and (2) how party policy is derived from the party members' policies. Candidates take account of such voter deliberations in choosing their election strategies. A set of minimal sufficient conditions for an equilibrium to exist in this game is provided and the equilibrium characterized. While party policies are shown to converge in equilibrium, candidate policies in general do not, either across or within parties.

10.
Authentication and authenticated key exchanges   (total citations: 41; self-citations: 0; by others: 41)
We discuss two-party mutual authentication protocols providing authenticated key exchange, focusing on those using asymmetric techniques. A simple, efficient protocol referred to as the station-to-station (STS) protocol is introduced, examined in detail, and considered in relation to existing protocols. The definition of a secure protocol is considered, and desirable characteristics of secure protocols are discussed. This work was done while Whitfield Diffie was with Northern Telecom, Mountain View, California.

11.
Wang et al. introduced in (A medium-field multivariate public-key encryption scheme. Topics in Cryptology—CT-RSA 2006: The Cryptographers' Track at the RSA Conference, 2006) a multivariate public key cryptosystem, called the MFE cryptosystem, and it is appealing as it is based on a simple polynomial identity. Their system, however, was subsequently broken by Ding et al. in (High order linearization equation (HOLE) attack on multivariate public key cryptosystems. Public key cryptography—PKC 2007: 10th international conference on practice and theory in public-key cryptography, 2007a; ℓ-Invertible cycles for multivariate quadratic public key cryptography. Public key cryptography—PKC 2007: 10th international conference on practice and theory in public-key cryptography, 2007b). Inspired by their work, we present a more general framework for multivariate public key cryptosystems, which combines ideas from both triangular and oil-vinegar schemes. Within this framework, we propose a new public key cryptosystem based on a solution of a Diophantine equation over polynomial rings.

12.
The local differential of a system of nonlinear differential equations with a T-periodic right-hand side is representable as a directed sign interaction graph. Within the class of balanced graphs, where all paths between two fixed vertices have the same signs, it is possible to estimate the sign structure of the differential of the global Poincaré mapping (a shift in time T). In this case all vertices of a strongly connected graph naturally break into two sets (two parties). As it turns out, the influence of variables within one party is positive, while that of variables from different parties is negative. Even having simplified the structure of a local two-party graph (by eliminating its edges), one can still exactly describe the sign structure of the differential of the Poincaré mapping. The obtained results are applicable in mathematical competition theory.

13.
This paper studies two-party electoral competition in a setting where no policy is unbeatable. It is shown that if parties take turns in choosing policy platforms and observe each other's choices, for one party to change position so as to win is pointless since the other party never accepts an outcome where it is sure to lose. If there is any cost to changing platform, the prediction is that the game ends in the first period with the parties converging on whatever platform the incumbent chooses. If, however, there is a slight chance of a small mistake, the incumbent does best in choosing a local equilibrium platform. This suggests that local equilibrium policies can be the predicted outcome even if the voting process is not myopic in any way.

14.
Anonymous database search protocols allow users to query a database anonymously. This can be achieved by letting the users form a peer-to-peer community and post queries on behalf of each other. In this article we discuss an application of combinatorial configurations (also known as regular and uniform partial linear spaces) to a protocol for anonymous database search, as defining the key-distribution within the user community that implements the protocol. The degree of anonymity that can be provided by the protocol is determined by properties of the neighborhoods and the closed neighborhoods of the points in the combinatorial configuration that is used. Combinatorial configurations with unique neighborhoods or unique closed neighborhoods are described and we show how to attack the protocol if such configurations are used. We apply k-anonymity arguments and present the combinatorial configurations with k-anonymous neighborhoods and with k-anonymous closed neighborhoods. The transversal designs and the linear spaces are presented as optimal configurations among the configurations with k-anonymous neighborhoods and k-anonymous closed neighborhoods, respectively.

15.
Authentication and secrecy codes which provide both secrecy and authentication have been intensively studied in the case where there is no splitting; however, the results concerning the case where there is splitting are far fewer. In this paper, we focus on the case with c-splitting, and obtain a bound on the number of encoding rules required in order to obtain maximum levels of security. A c-splitting authentication and secrecy code is called optimal if it obtains maximum levels of security and has the minimum number of encoding rules. We define a new design, called an authentication perpendicular multi-array, and prove that the existence of authentication perpendicular multi-arrays implies the existence of optimal c-splitting authentication and secrecy codes. Further, we study the constructions and existence of authentication perpendicular multi-arrays, and then obtain two new infinite classes of optimal c-splitting authentication and secrecy codes.

16.
A secret sharing scheme is a cryptographic protocol by means of which a dealer shares a secret among a set of participants in such a way that it can be subsequently reconstructed by certain qualified subsets. The setting we consider is the following: in a first phase, the dealer gives in a secure way a piece of information, called a share, to each participant. Then, participants belonging to a qualified subset send in a secure way their shares to a trusted party, referred to as a combiner, who computes the secret and sends it back to the participants. Cheating-immune secret sharing schemes are secret sharing schemes in the above setting where dishonest participants, during the reconstruction phase, have no advantage in sending incorrect shares to the combiner (i.e., cheating) as compared to honest participants. More precisely, a coalition of dishonest participants, by using their correct shares and the incorrect secret supplied by the combiner, has no better chance of determining the true secret (that would have been reconstructed if they had submitted correct shares) than an honest participant. In this paper we study properties and constraints of cheating-immune secret sharing schemes. We show that a perfect secret sharing scheme cannot be cheating-immune. Then, we prove an upper bound on the number of cheaters tolerated in such schemes. We also repair a previously proposed construction to realize cheating-immune secret sharing schemes. Finally, we discuss some open problems.

17.
In this paper we study the one-way multiparty communication model, in which every party speaks exactly once in its turn. For every k, we prove a tight lower bound of Ω(n^{1/(k−1)}) on the probabilistic communication complexity of pointer jumping in a k-layered tree, where the pointers of the i-th layer reside on the forehead of the i-th party to speak. The lower bound remains nontrivial even for k = (log n)^{1/2−ε} parties, for any constant ε > 0. Previous to our work a lower bound was known only for k = 3 (Wigderson, see [7]), and in restricted models for k > 3 [2,24,18,4,13]. Our results have the following consequences to other models and problems, extending previous work in several directions. The one-way model is strong enough to capture general (not one-way) multiparty protocols with a bounded number of rounds. Thus we generalize two problem areas previously studied in the 2-party model (cf. [30,21,29]). The first is a rounds hierarchy: we give an exponential separation between the power of r and 2r rounds in general probabilistic k-party protocols, for any k and r. The second is the relative power of determinism and nondeterminism: we prove an exponential separation between nondeterministic and deterministic communication complexity for general k-party protocols with r rounds, for any k, r. The pointer jumping function is weak enough to be a special case of the well-studied disjointness function. Thus we obtain a lower bound of Ω(n^{1/(k−1)}) on the probabilistic complexity of k-set disjointness in the one-way model, which was known only for k = 3 parties. Our result also extends a similar lower bound for the weaker simultaneous model, in which parties simultaneously send one message to a referee [12]. Finally, we infer an exponential separation between the power of any two different orders in which parties send messages in the one-way model, for every k. Previous results [29, 7] separated orders based on who speaks first.
Our lower bound technique, which handles functions of high discrepancy over cylinder intersections, provides a "party-elimination" induction, based on a restricted form of a direct-product result, specific to the pointer jumping function.

18.
It is a well-acknowledged fact that collaboration between different members of a supply chain yields a significant potential to increase overall supply chain performance. Sharing private information has been identified as a prerequisite for collaboration and, at the same time, as one of its major obstacles. One potential avenue for overcoming this obstacle is Secure Multi-Party Computation (SMC). SMC is a cryptographic technique that enables the computation of any (well-defined) mathematical function by a number of parties without any party having to disclose its input to another party. In this paper, we show how SMC can be successfully employed to enable joint decision-making and benefit sharing in a simple supply chain setting. We develop secure protocols for implementing the well-known "Joint Economic Lot Size (JELS) Model" with benefit sharing in such a way that none of the parties involved has to disclose any private (cost and capacity) data. Thereupon, we show that although computation of the model's outputs can be performed securely, the approach still faces practical limitations. These limitations are caused by the potential of "inverse optimization", i.e., a party can infer another party's private data from the output of a collaborative planning scheme even if the computation is performed in a secure fashion. We provide a detailed analysis of "inverse optimization" potentials and introduce the notion of "stochastic security", a novel approach to assess the additional information a party may learn from joint computation and benefit sharing. Based on our definition of "stochastic security" we propose a stochastic benefit sharing rule, develop a secure protocol for this benefit sharing rule, and assess under which conditions stochastic benefit sharing can guarantee secure collaboration.

19.
In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can "freely" perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations where the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, the transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell \)-bit security, our DDH-based KH-PKE scheme yields only \(\ell \)-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption, and give its concrete construction from the Gentry IBE scheme.

20.
We investigate unconditional security for message authentication protocols that are designed using two-channel cryptography. (Two-channel cryptography employs a broadband, insecure wireless channel and an authenticated, narrow-band manual channel at the same time.) We study both noninteractive message authentication protocols (NIMAPs) and interactive message authentication protocols (IMAPs) in this setting. First, we provide a new proof of nonexistence of nontrivial unconditionally secure NIMAPs. This proof consists of a combinatorial counting argument and is much shorter than the previous proof by Wang and Safavi-Naini, which was based on probability distribution arguments. We also prove a new result which holds in a weakened attack model. Further, we propose a generalization of an unconditionally secure 3-round IMAP due to Naor, Segev and Smith. The IMAP is based on two ε-Δ universal hash families. With a careful choice of parameters, our scheme improves that of Naor et al. Our scheme is very close to optimal for most parameter situations of practical interest. Finally, a variation of the 3-round IMAP is presented, in which only one hash family is required.
