
### Computing the distance distribution of systematic non-linear codes [article]

Eleonora Guerrini, Emmanuela Orsini, Massimiliano Sala
2009 arXiv pre-print
The most important families of non-linear codes are systematic. A brute-force check is the only known method to compute their weight distribution and distance distribution. On the other hand, it also outputs all closest word pairs in the code. In the black-box complexity model, the check is optimal among closest-pair algorithms. In this paper we provide a Groebner basis technique to compute the weight/distance distribution of any systematic non-linear code. Our technique also outputs all ... pairs. Unlike the check, our method can be extended to work on code families.

### Decoding Cyclic Codes: the Cooper Philosophy [chapter]

Teo Mora, Emmanuela Orsini
2009 Gröbner Bases, Coding, and Cryptography
In 1990, Cooper [6, 7] suggested using Gröbner basis computation to deduce error locator polynomials of cyclic codes. Following his idea, Chen et al. [3, 4, 5] proposed a general algorithm to pursue Cooper's approach. The aim of the talk is to follow, on an illuminating example, the arguments which, through a series of papers [8, 2, 9], led to the following result:

Theorem 1. For each $[n, k, d]$ binary cyclic code $C$ with $n$ odd, denoting by $F$ the splitting field of $x^n - 1$ over $\mathbb{Z}_2$, a proper Gröbner basis computation allows one to produce a polynomial $L \in \mathbb{Z}_2[X, z]$, where $X = (x_1, \ldots, x_{n-k})$, which satisfies the following properties:
1. $L(X, z) = z^t + a_{t-1}(X)\, z^{t-1} + \cdots + a_0(X)$, with $a_j \in \mathbb{Z}_2[X]$, $0 \le j \le t-1$;
2. given a syndrome vector $s = (s_1, \ldots, s_{n-k}) \in F^{n-k}$ corresponding to an error of weight $\mu \le t$, if we evaluate the $X$ variables at $s$, then the $t$ roots of $L(s, z)$ are the $\mu$ error locations plus zero counted with multiplicity $t - \mu$.

We illustrate the efficiency of this approach on the recent results discussed in  and we also discuss an alternative approach to the solution of the Cooper problem proposed in [4, 1].

### Actively Secure OT Extension with Optimal Overhead [chapter]

Marcel Keller, Emmanuela Orsini, Peter Scholl
2015 Lecture Notes in Computer Science
We describe an actively secure OT extension protocol in the random oracle model with efficiency very close to the passively secure IKNP protocol of Ishai et al. (Crypto 2003). For computational security parameter κ, our protocol requires κ base OTs, and is the first practical, actively secure protocol to match the cost of the passive IKNP extension in this regard. The added communication cost is only additive in O(κ), independent of the number of OTs being created, while the computation cost is essentially two finite field operations per extended OT. We present implementation results that show our protocol takes no more than 5% more time than the passively secure IKNP extension, in both LAN and WAN environments, and thus is essentially optimal with respect to the passive protocol.

### An Introduction to Linear and Cyclic Codes [chapter]

Daniel Augot, Emanuele Betti, Emmanuela Orsini
2009 Gröbner Bases, Coding, and Cryptography
Our purpose is to recall some basic aspects of linear and cyclic codes. We first briefly describe the role of error-correcting codes in communication. To do this we introduce, with examples, the concept of linear codes and their parameters, in particular the Hamming distance. A fundamental subclass of linear codes is given by cyclic codes, which enjoy a very interesting algebraic structure. In fact, cyclic codes can be viewed as ideals in a residue class ring of univariate polynomials. BCH codes are the most studied family of cyclic codes, for which some efficient decoding algorithms are known, such as the method of Sugiyama.

### Efficient Secure Multiparty Computation with Identifiable Abort [chapter]

Carsten Baum, Emmanuela Orsini, Peter Scholl
2016 Lecture Notes in Computer Science
We study secure multiparty computation (MPC) in the dishonest majority setting providing security with identifiable abort, where if the protocol aborts, the honest parties can agree upon the identity of a corrupt party. All known constructions that achieve this notion require expensive zero-knowledge techniques to obtain active security, and so are not practical. In this work, we present the first efficient MPC protocol with identifiable abort. Our protocol has an information-theoretic online phase with message complexity $O(n^2)$ for each secure multiplication (where $n$ is the number of parties), similar to the BDOZ protocol (Bendlin et al., Eurocrypt 2011), and a factor in the security parameter lower than the identifiable abort protocol of Ishai et al. (Crypto 2014). A key component of our protocol is a linearly homomorphic information-theoretic signature scheme, for which we provide the first definitions and construction based on a previous non-homomorphic scheme. We then show how to implement the preprocessing for our protocol using somewhat homomorphic encryption, similarly to the SPDZ protocol (Damgård et al., Crypto 2012) and other recent works with applicable efficiency improvements.

### MASCOT

Marcel Keller, Emmanuela Orsini, Peter Scholl
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16

### Limbo: Efficient Zero-knowledge MPCitH-based Arguments [article]

Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, Titouan Tanguy
2021 IACR Cryptology ePrint Archive
This work introduces a new interactive oracle proof system based on the MPC-in-the-Head paradigm. To improve concrete efficiency and offer flexibility between computation time and communication size, a generic proof construction based on multi-round MPC protocols is proposed, instantiated with a specific protocol and implemented and compared to similar proof systems. Performance gains over previous work derive from a multi-party multiplication check optimized for the multi-round and ...ead settings. Of most interest among implementation optimizations is the use of identical randomness across repeated MPC protocol executions in order to accelerate computation without excessive cost to the soundness error. The new system creates proofs of SHA-256 pre-images of 43KB in 53ms with 16 MPC parties, or 23KB in 188ms for 128 parties. As a signature scheme, the non-interactive variant produces signatures, based on the AES-128 circuit, of 18KB in about 4ms; this is 20% faster and 32% larger than the Picnic3 scheme (13kB in 5.3ms for 16 parties), which is based on the 90% smaller LowMC circuit.

### Dishonest Majority Multi-Party Computation for Binary Circuits [chapter]

Enrique Larraia, Emmanuela Orsini, Nigel P. Smart
2014 Lecture Notes in Computer Science
We extend the Tiny-OT two-party protocol of Nielsen et al. (CRYPTO 2012) to the case of n parties in the dishonest majority setting. This is done by presenting a novel way of transferring pairwise authentications into global authentications. As a by-product we obtain a more efficient manner of producing globally authenticated shares, in the random oracle model, which in turn leads to a more efficient two-party protocol than that of Nielsen et al.

### Feta: Efficient Threshold Designated-Verifier Zero-Knowledge Proofs [article]

Carsten Baum, Robin Jadoul, Emmanuela Orsini, Peter Scholl, Nigel P. Smart
2022 IACR Cryptology ePrint Archive

### Error Term Checking: Towards Chosen Ciphertext Security without Re-encryption [article]

Jan-Pieter D'Anvers, Emmanuela Orsini, Frederik Vercauteren
2021 IACR Cryptology ePrint Archive
Chosen ciphertext security for lattice based encryption schemes is generally achieved through a generic transformation such as the Fujisaki-Okamoto transformation. This method requires full re-encryption of the plaintext during decapsulation, which typically dominates the cost of the latter procedure. In this work we show that it is possible to develop alternative transformations specifically designed for lattice based encryption schemes. We propose two novel chosen ciphertext transformations, ETC1 and ETC2, in which re-encryption is replaced by checking the error term of the input ciphertext. We show that our new ciphertext validity check can be securely applied to lattice based encryption schemes under specific conditions. For the NIST post-quantum standardization candidate Threebears we show a speedup for decapsulation of up to 37.4%. Moreover, as our method only changes the validation check during decapsulation, it is fully backwards compatible with existing implementations of the Fujisaki-Okamoto transformation.

Fujisaki-Okamoto (FO) transformation [FO13, Den03]. Classical and quantum secure versions of this transformation have been proposed with increasingly tighter security bounds in [TU16, HHK17, AOP+17, JZC+18, SXY18, BHH+19]. Decapsulation of a ciphertext in an FO-compiled primitive roughly consists of two parts: decryption of the ciphertext into the message which was used as a random seed during encryption, and re-encryption of the plaintext into the valid ciphertext. The legitimacy of the input ciphertext is then checked by comparing the input ciphertext with the regenerated valid one. While this is a generic off-the-shelf procedure that works for a wide range of encryption schemes, it can be rather expensive if the cost of re-encryption is higher than the cost of decryption. This is typically the case for schemes based on the learning with errors problem. The generic nature of this transformation also means that specific properties of the underlying encryption primitive are completely ignored. However, for other families of encryption schemes there exist specifically designed transformations exploiting properties of the underlying encryption that outperform the standard FO transformation, as is for example the case for RSA-OAEP+ [BR95, Sho01].

Our Contribution. Our goal is to show that it is possible to design chosen ciphertext transformations tailored for lattice based cryptography by taking into account specific properties of the underlying encryption scheme. We propose a novel methodology to design chosen ciphertext secure KEMs out of lattice based encryption schemes and reduce the cost of validating an input ciphertext by replacing the generic check, which uses a complete re-encryption of the ciphertext, with a faster alternative. Our approach is based on checking the validity of the error term, which is the consolidation of the noise introduced by both parties as a result of the learning with errors (LWE) paradigm. As such, the error term is a combination of the secret terms of the two communicating parties, which makes it hard to predict. We argue that for some lattice based schemes it is hard, or sometimes even impossible, to construct a non-valid ciphertext with the same error term as the corresponding valid ciphertext of the same message. Using this observation we develop two new chosen ciphertext transformations and bound their security. Our transformation relies on a new computational problem: Search Inner Product from Mod-LWE (SIP-LWE), in which an adversary is given $l$ Mod-LWE samples $(\mathbf{A}, \mathbf{b} := \mathbf{A}\mathbf{s} + \mathbf{e})$ and is challenged to generate a new pair $(\mathbf{a}^*, \mathbf{b}^*)$ where $\mathbf{b}^*$ is the inner product of $\mathbf{a}^*$ and the secret key $\mathbf{s}$, i.e. $\mathbf{b}^* = \mathbf{a}^{*T}\mathbf{s}$. Note that this is equivalent to generating a Mod-LWE sample (or reusing a given one) with zero error. We also consider the special case where $\mathbf{b}^*$ is required to be $\mathbf{0}$, i.e. the problem now becomes generating a vector $\mathbf{a}^*$ that is orthogonal to $\mathbf{s}$. We denote this as the SIP0-LWE problem. We discuss the hardness of both problems, and show that for some parameter settings it is hard or even impossible for an adversary to distinguish the outcome of our transformation from a generic transformation with re-encryption.

Our transformation avoids the regeneration of the uniformly random public element of the public key Mod-LWE sample. Furthermore it changes the

### Secure Oblivious Transfer from Semi-Commutative Masking [article]

Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, Christophe Petit, Nigel P. Smart
2018 IACR Cryptology ePrint Archive
We define semi-commutative invertible masking structures which aim to capture the methodology of exponentiation-only protocol design (such as discrete logarithm and isogeny-based cryptography). We discuss two instantiations: the first is based on commutative group actions and captures both the action of exponentiation in the discrete logarithm setting and the action of the class group of commutative endomorphism rings of elliptic curves, in the style of the CSIDH key-exchange protocol; the second is based on the semi-commutative action of isogenies of supersingular elliptic curves, in the style of the SIDH key-exchange protocol. We then construct two oblivious transfer protocols using this new structure and prove that these UC-securely realise the oblivious transfer functionality in the random-oracle-hybrid model against passive adversaries with static corruptions. Moreover, by starting from one of these two protocols and using the compiler introduced by Döttling et al. (Eurocrypt 2020), we achieve the first fully UC-secure two-round OT protocol based on supersingular isogenies.

### Linear Overhead Optimally-Resilient Robust MPC Using Preprocessing [chapter]

Ashish Choudhury, Emmanuela Orsini, Arpita Patra, Nigel P. Smart
2016 Lecture Notes in Computer Science
We present a new technique for robust secret reconstruction with O(n) communication complexity. By applying this technique, we achieve O(n) communication complexity per multiplication for a wide class of robust practical Multi-Party Computation (MPC) protocols. In particular our technique applies to robust threshold computationally secure protocols in the case of t < n/2 in the pre-processing model. Previously in the pre-processing model, O(n) communication complexity per multiplication was

### TinyKeys: A New Approach to Efficient Multi-Party Computation [chapter]

Carmit Hazay, Emmanuela Orsini, Peter Scholl, Eduardo Soria-Vazquez
2018 Lecture Notes in Computer Science
We present a new approach to designing concretely efficient MPC protocols with semi-honest security in the dishonest majority setting. Motivated by the fact that within the dishonest majority setting the efficiency of most practical protocols does not depend on the number of honest parties, we investigate how to construct protocols which improve in efficiency as the number of honest parties increases. Our central idea is to take a protocol which is secure for n − 1 corruptions and modify it to use short symmetric keys, with the aim of basing security on the concatenation of all honest parties' keys. This results in a more efficient protocol tolerating fewer corruptions, whilst also introducing an LPN-style syndrome decoding assumption. We first apply this technique to a modified version of the semi-honest GMW protocol, using OT extension with short keys, to improve the efficiency of standard GMW with fewer corruptions. We also obtain more efficient constant-round MPC, using BMR-style garbled circuits with short keys, and present an implementation of the online phase of this protocol. Our techniques start to improve upon existing protocols when there are around n = 20 parties with h = 6 honest parties, and as these increase we obtain up to a 13 times reduction (for n = 400, h = 120) in communication complexity for our GMW variant, compared with the best-known GMW-based protocol modified to use the same threshold.

### Correcting errors and erasures via the syndrome variety

Emmanuela Orsini, Massimiliano Sala
2005 Journal of Pure and Applied Algebra
We propose a new syndrome variety, which can be used to decode cyclic codes. We also present a generalization to erasure and error decoding. We can exhibit a polynomial whose roots give the error locations, once it has been specialized to a given syndrome. This polynomial has degree t in the variable corresponding to the error locations, and its coefficients are polynomials in the syndromes. Observe that $I = I_X \sqcup I_{XW} \sqcup I_{XWZ} \sqcup I_{XWZU} \sqcup I_{XWZUY}$ and that $G = G_X \sqcup G_{XW} \sqcup G_{XWZ} \sqcup G_{XWZU} \sqcup G_{XWZUY}$ (as disjoint unions). Remark 2.6. We extend our notation to the case = 0, meaning that the variable sets $W$ and $U$ are void, e.g. $P_{XWZ} = P_{XZ} = \mathbb{F}_q[X, Z] \setminus \mathbb{F}_q[X]$. When convenient, we enclose the ideal name within brackets, e.g. $(I)_X = I_X$. Assume $G$ is a Gröbner basis for an ideal $I \subset K[S, Z, T]$, $S = (s_1, \ldots, s_H)$, $Z = (z_1, \ldots, z_L)$, $T = (t_1, \ldots, t_M)$ w.r.t. a block order with $S < Z < T$ and with the $Z$-variables

### A Unified Approach to MPC with Preprocessing Using OT [chapter]

Tore Kasper Frederiksen, Marcel Keller, Emmanuela Orsini, Peter Scholl
2015 Lecture Notes in Computer Science
SPDZ, TinyOT and MiniMAC are a family of MPC protocols based on secret sharing with MACs, where a preprocessing stage produces multiplication triples in a finite field. This work describes new protocols for generating multiplication triples in fields of characteristic two using OT extensions. Before this work, TinyOT, which works on binary circuits, was the only protocol in this family using OT extensions. Previous SPDZ protocols for triples in large finite fields require somewhat homomorphic encryption, which leads to very inefficient runtimes in practice, while no dedicated preprocessing protocol for MiniMAC (which operates on vectors of small field elements) was previously known. Since actively secure OT extensions can be performed very efficiently using only symmetric primitives, it is highly desirable to base MPC protocols on these rather than on expensive public key primitives. We analyze the practical efficiency of our protocols, showing that they should all perform favorably compared with previous works; we estimate our protocol for SPDZ triples in $\mathbb{F}_{2^{40}}$ will perform around 2 orders of magnitude faster than the best known previous protocol.