*16:17* [Pub][ePrint]
Fine Tuning the Function Field Sieve Algorithm for the Medium Prime Case, by Palash Sarkar and Shashank Singh
This work builds on the variant of the function field sieve (FFS) algorithm for the medium prime case introduced by Joux and Lercier in 2006. We make two contributions. The first contribution introduces a divisility and smoothness technique which

is similar to that of the special-q technique used in integer factorisation algorithms. Such a technique, though, has not

been earlier used in the context of discrete log computations and provides concrete speed-ups in the practical run-time of

the relation collection and the descent phases of the FFS algorithm. The second contribution is to improve the

descent phase of the algorithm. The improvements are based on increasing the degree of freedom and the use of a walk

technique. As a consequence, we show that it is feasible to carry out discrete log computations for certain fields which are

excluded by the analysis of Joux and Lercier. In concrete terms, we present record computations of discrete logs for fields

with 16 and 18-bit prime characteristic. Further, we provide concrete analysis of the effectiveness of the FFS algorithm for

certain fields with medium sized prime characteristic.

*19:17* [Pub][ePrint]
Verifiable Computation in Multiparty Protocols with Honest Majority, by Peeter Laud and Alisa Pankova
A lot of cryptographic protocols have been proposed for semi-honest model. In general, they are much more efficient than those proposed for the malicious model. In this paper, we propose a method that allows to detect the parties that have violated the protocol rules after the computation has ended, thus making the protocol secure against covert attacks. This approach can be useful in the settings where for any party it is fatal to be accused in violating protocol rules. In this way, up to the verification, all the computation can be performed in semi-honest model, which makes it very efficient in practice. The verification is statistical zero-knowledge, and it is based on linear probabilistically checkable proofs ($\\PCP$) for verifiable computation. Each malicious party is detected with probability $1 - \\varepsilon$ for a negligible $\\varepsilon$ that is defined by the failure of the corresponding linear $\\PCP$. The initial protocol has to be executed only once, and the verification requires in total $3$ additional rounds (if some parties act dishonestly, in the worst case they may force the protocol to substitute each round with $4$ rounds, due to the transmission functionality that prevents the protocol from stopping). The verification also ensures that all the parties have sampled all the randomness from an appropriate distribution. Its efficiency does not depend on whether the inputs of the parties have been shared, or each party uses its own private input.The major drawback of the proposed scheme is that the number of values sent before and after the protocol is exponential in the number of parties. Nevertheless, the settings make the verification very efficient for a small number of parties.

*19:17* [Pub][ePrint]
Bounded-Collusion Identity-Based Encryption from Semantically-Secure Public-Key Encryption: Generic Constructions with Short Ciphertexts, by Stefano Tessaro and David A. Wilson
Identity-based encryption (IBE) is a special case of public-key encryption where user identities replace public keys. Every user is given a corresponding secret key for decryp- tion, and encryptions for his or her identity must remain confidential even to attackers who learn the secret keys associated with other identities. Several IBE constructions are known to date, but their security relies on specific assumptions, such as quadratic residuosity, as well as different pairing-based and lattice-based assumptions.To circumvent the lack of generic constructions, Dodis et al. (EUROCRYPT \'02) introduced the notion of bounded-collusion IBE (BC-IBE), where attackers only learn secret keys of an a-priori bounded number t of identities. They provided a generic BC-IBE construction from any semantically-secure encryption scheme which, however, suffers from a ω(t) blow-up in ciphertext size. Goldwasser et al. (TCC 2012) recently presented a generic construction with no ciphertext-length blow-up. Their construction requires an underlying public-key scheme with a key homomorphism, as well as a hash-proof-style security definition that is strictly stronger than semantic security. This latter requirement in particular reduces the applicability of their construction to existing schemes.

In this paper, we present the first generic constructions of BC-IBE from semantically-secure encryption schemes with no ciphertext-length blow-up. Our constructions require different degrees of key-homomorphism and malleability properties that are usually easy to verify. We provide concrete instantiations based on the DDH, QR, NTRU, and LWE assumptions. For all of these assumptions, our schemes present the smallest BC-IBE ciphertext size known to date. Our NTRU-based construction is particularly interesting, due to the lack of NTRU- based IBE constructions as well as the fact that it supports fully-homomorphic evaluation. Our results also yield new constructions of bounded CCA-secure cryptosystems.

*19:17* [Pub][ePrint]
A Comparison of the Homomorphic Encryption Schemes FV and YASHE, by Tancrède Lepoint and Michael Naehrig
We conduct a theoretical and practical comparison of two Ring-LWE-based, scale-invariant, leveled homomorphic encryption schemes -- Fan and Vercauteren\'s adaptation of BGV and the YASHE scheme proposed by Bos, Lauter, Loftus and Naehrig. In particular, we explain how to choose parameters to ensure correctness and security against lattice attacks. Our parameter selection improves the approach of van de Pol and Smart to choose parameters for schemes based on the Ring-LWE problem by using the BKZ-2.0 simulation algorithm.We implemented both schemes in C++, using the arithmetic library FLINT, and compared them in practice to assess their respective strengths and weaknesses. In particular, we performed a homomorphic evaluation of the lightweight block cipher SIMON. Combining block ciphers with homomorphic encryption allows to solve the gargantuan ciphertext expansion in cloud applications.

*04:47* [PhD][Update]
Constantin Catalin Dragan: Security of CRT-based Secret Sharing Schemes
Name: Constantin Catalin Dragan

Topic: Security of CRT-based Secret Sharing Schemes

Category:(no category)

Description: The Chinese Remainder Theorem (CRT) is a very useful tool in many areas of theoretical and practical cryptography. One of these areas is the theory of threshold secret sharing schemes. A *(t+1,n)*-threshold secret sharing scheme is a method of partitioning a secret among *n* users by providing each user with a share of the secret such that any *t+1* users can uniquely reconstruct the secret by pulling together their shares. Several threshold schemes based on CRT are known. These schemes use sequences of pairwise co-prime positive integers with special properties. The shares are obtained by dividing the secret or a secret-dependent quantity by the numbers in the sequence and collecting the remainders. The secret can be reconstructed by some sufficient number of shares by using CRT. It is well-known that the CRT-based threshold secret sharing schemes are not perfect (and, therefore, not ideal) but some of them are asymptotically perfect and asymptotically ideal and perfect zero-knowledge if sequences of consecutive primes are used for defining them.

In this thesis we introduce *(k-)compact sequences of co-primes* and their applications to the security of CRT-based threshold secret sharing schemes is thorough investigated. Compact sequences of co-primes may be significantly denser than sequences of consecutive primes of the same length, and their use in the construction of CRT-based threshold secret sharing schemes may lead to better security properties. Concerning the asymptotic idealness property for CRT-based threshold schemes, we have shown there exists a necessary and sufficient condition for the Goldreich-Ron-Sudan (GRS) scheme and Asmuth-Bloom scheme if and only if *(1-)compact sequences of co-primes* are used. Moreover, the GRS and Asmuth-Bloom schemes based on *k*-compact sequences of co-primes are asymptotically perfect and perfect zero-knowledge. The Mignotte scheme is far from being asymptotically perfect and pe[...]