# Dario Catalano

University of Catania | UNICT

Ph.D.

## About

- 79 publications
- 10,812 reads
- 4,353 citations

Citations since 2017


## Publications (79)

Functional Commitments (FC) allow one to reveal functions of committed data in a succinct and verifiable way. In this paper we put forward the notion of additive-homomorphic FC and show two efficient, pairing-based, realizations of this primitive supporting multivariate polynomials of constant degree and monotone span programs, respectively. We als...

Vector Commitments allow one to (concisely) commit to a vector of messages so that one can later (concisely) open the commitment at selected locations. In the state of the art of vector commitments, algebraic constructions have emerged as a particularly useful class, as they enable advanced properties, such as stateless updates, subvector openings...

Due to their use in crypto-currencies, threshold ECDSA signatures have received much attention in recent years. Though efficient solutions now exist both for the two party, and the full threshold scenario, there is still much room for improvement, be it in terms of protocol functionality, strengthening security or further optimising efficiency. In...

Threshold Signatures allow n parties to share the power of issuing digital signatures so that any coalition of size at least \(t+1\) can sign, whereas groups of t or fewer players cannot. Over the last few years many schemes addressed the question of realizing efficient threshold variants for the specific case of EC-DSA signatures. In this paper we...

In this paper we present a new 2-party protocol for secure computation over rings of the form \(\mathbb {Z}_{2^k}\). As many recent efficient MPC protocols supporting dishonest majority, our protocol consists of a heavier (input-independent) pre-processing phase and a very efficient online stage. Our offline phase is similar to BeDOZa (Bendlin et a...

Homomorphic signature schemes allow anyone to perform computation on signed data in such a way that the correctness of computation’s results is publicly certified. In this work we analyze the security notions for this powerful primitive considered in previous work, with a special focus on adaptive security. Motivated by the complications of existin...

Onion routing protocols allow users to establish anonymous channels to preserve their privacy over a public network. Several protocols implementing this primitive have been proposed in recent years, and The onion routing network (Tor), a real-life implementation, provides an onion routing service to thousands of users over the Internet. This paper...

We show a technique to transform a linearly-homomorphic encryption into a scheme capable of evaluating degree-2 computations on ciphertexts. Our transformation is surprisingly simple and requires only one very mild property on the underlying linearly-homomorphic scheme: the message space must be a public ring in which it is possible to sample eleme...

We introduce the notion of asymmetric programmable hash functions (APHFs, for short), which adapts Programmable Hash Functions, introduced by Hofheinz and Kiltz at Crypto 2008, with two main differences. First, an APHF works over bilinear groups, and it is asymmetric in the sense that, while only secretly computable, it admits an isomorphic copy wh...

In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of number-theoretic one-way functions. Informally, a (trapdoor) one way function F:X→Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic i.e. F(x)⋅F...

In this paper we introduce new primitives to authenticate computation on data expressed as elements in (cryptographic) groups. As for the case of homomorphic authenticators, our primitives allow to verify the correctness of the computation without having to know of the original data set. More precisely, our contributions are two-fold. First, we int...

Homomorphic message authenticators allow to validate computation on previously signed data. The holder of a dataset \(\{m_1, \dots, m_\ell\}\) uses her secret key sk to produce corresponding tags \((\sigma_1, \dots, \sigma_\ell)\) and stores the authenticated dataset on a remote server. Later the server can (publicly) compute \(m = f(m_1, \dots, m_\ell)\) together with a succinct tag σ certif...

A homomorphic signature scheme for a class of functions \(\mathcal{C}\) allows a client to sign and upload elements of some data set D on a server. At any later point, the server can derive a (publicly verifiable) signature that certifies that some y is the result of computing some \(f\in\mathcal{C}\) on the basic data set D. This primitive has been f...

In this paper we show a relation between the notions of verifiable random functions (VRFs) and identity-based key encapsulation mechanisms (IB-KEMs). In particular, we propose a class of IB-KEMs that we call VRF-suitable, and we propose a direct construction of VRFs from VRF-suitable IB-KEMs. Informally, an IB-KEM is VRF-suitable if it provides wha...

Homomorphic MACs, introduced by Gennaro and Wichs in 2013, allow anyone to validate computations on authenticated data without knowledge of the secret key. Moreover, the secret-key owner can verify the validity of the computation without needing to know the original (authenticated) inputs. Beyond security, homomorphic MACs are required to produce sh...

The notion of off-line/on-line digital signature scheme was introduced by Even, Goldreich and Micali. Informally such signatures schemes are used to reduce the time required to compute a signature using some kind of preprocessing. Even, Goldreich and Micali show how to realize off-line/on-line digital signature schemes by combining regular digital...

Homomorphic message authenticators allow the holder of a (public) evaluation key to perform computations over previously authenticated data, in such a way that the produced tag σ can be used to certify the authenticity of the computation. More precisely, a user knowing the secret key sk used to authenticate the original data, can verify that σ auth...

In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of number-theoretic one-way functions. Informally, a (trapdoor) one way function F: X → Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic i.e. F(x...

In this paper we put forward a new onion routing protocol which achieves forward secrecy in a fully non-interactive fashion, without requiring any communication from the router and/or the users and the service provider to update time-related keys. We compare this to TOR which requires \(O(n^2)\) rounds of interaction to establish a circuit of size n. I...

In this paper we explore a powerful extension of the notion of pseudo-free groups, proposed by Rivest at TCC 2004. We identify, motivate, and study pseudo-freeness in face of adaptive adversaries who may learn solutions to other non-trivial equations before having to solve a new non-trivial equation. We present a novel, carefully crafted definitio...

Zero knowledge sets (ZKS), introduced by Micali, Rabin, and Kilian in 2003, allow a prover to commit to a secret set S in a way such that it can later prove, non interactively, statements of the form x ∈ S (or x ∉ S ), without revealing any further information (on top of what explicitly revealed by the inclusion/exclusion statements above) on S , n...

In this paper, we introduce a new primitive called identity-based encryption with wildcards, or WIBE for short. It allows a sender to encrypt messages to a whole range of receivers whose identities match a certain pattern. This pattern is defined through a sequence of fixed strings and wildcards, where any string can take the place of a wildcard in...

Network Coding is a routing technique where each node may actively modify the received packets before transmitting them. While this departure from passive networks improves throughput and resilience to packet loss it renders transmission susceptible to pollution attacks where nodes can misbehave and change in a malicious way the messages transmitted...

We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values \((m_1, \dots, m_q)\) in such a way that one can later open the commitment at specific positions (e.g., prove that \(m_i\) is the i-th committed message). For security, Vector Commitments are required...

Abstract. We present a privacy preserving protocol for fingerprint based authentication. We consider a scenario where a client equipped with a fingerprint reader is interested in learning if the acquired fingerprint belongs to the database of authorized entities managed by a server. For security, it is required that the client does not learn anyt...

The privacy protection of the biometric data is an important research topic, especially in the case of distributed biometric systems. In this scenario, it is very important to guarantee that biometric data cannot be stolen by anyone, and that the biometric clients are unable to gather any information different from the single user verification/ide...

Abstract. The privacy protection of the biometric data is an important research topic, especially in the case of distributed biometric systems. In this scenario, it is very important to guarantee that biometric data cannot be stolen by anyone, and that the biometric clients are unable to gather any information different from the single user verifi...

We introduce a model for electronic election schemes that involves a more powerful adversary than previous work. In particular, we allow the adversary to demand of coerced voters that they vote in a particular manner, abstain from voting, or even disclose their secret keys. We define a scheme to be coercion-resistant if it is infeasible for the adv...

Onion routing protocols allow users to establish anonymous channels to preserve their privacy over a public network. Several protocols implementing this primitive have been proposed in recent years, and TOR, a real-life implementation, provides an onion routing service to thousands of users over the internet. This paper presents Certificateless Oni...

Adaptively-secure key exchange allows the establishment of secure channels even in the presence of an adversary that can corrupt parties adaptively and obtain their internal states. In this paper, we give a formal definition of contributory protocols and define an ideal functionality for password-based group key exchange with explicit authenticatio...

We propose a methodology to construct verifiable random functions from a class of identity based key encapsulation mechanisms (IB-KEM) that we call VRF suitable. Informally, an IB-KEM is VRF suitable if it provides what we call unique decryption (i.e. given a ciphertext C produced with respect to an identity ID, all the secret keys corresponding to...

We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of Boneh et al. (Advances in Cryptology—EUROCRYPT 2004, ed. by C.Cac...

Zero Knowledge Sets, introduced by Micali, Rabin and Kilian in [17], allow a prover to commit to a secret set S in a way such that it can later prove, non interactively, statements of the form x ∈ S (or x ∉ S), without revealing any further information (on top of what explicitly revealed by the inclusion/exclusion statements above) on S, not even i...

This paper presents some theoretical and experimental results about off-line/on-line digital signatures. The goal of this type of schemes is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient one-ti...

Most of the existing password-based authenticated key exchange protocols have proofs either in the indistinguishability-based security model of Bellare, Pointcheval, and Rogaway (BPR) or in the simulation-based model of Boyko, MacKenzie, and Patel (BMP). Though these models provide a security level that is sufficient for most applications, they fail to c...

In the security chain the weakest link is definitely the human one: human beings cannot remember long secrets and often resort to rather insecure solutions to keep track of their passwords or pass-phrases. For this reason it is very desirable to have protocols that do not require long passwords to guarantee security, even in the case in which exhau...

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively a hybrid trapdoor commitment scheme is a primitive which can be either an unconditionally binding commitment scheme or a trapdoor commitment scheme depending on the distribution of commitment parameters. Moreover, such two possible distributions are computationally indisting...

At Crypto 96 Cramer and Damgård proposed an efficient, tree-based, signature scheme that is provably secure against adaptive chosen message attacks under the assumption that inverting RSA is computationally infeasible. In this paper we show how to modify their basic construction in order to achieve a scheme that is provably secure under the assumpt...

At PKC 2006 Crutchfield, Molnar, Turner and Wagner proposed a generic threshold version of on-line/off-line signature schemes based on the "hash-sign-switch" paradigm introduced by Shamir and Tauman. Such a paradigm strongly relies on chameleon hash functions which are collision-resistant functions, with a secret trapdoor which actually allows to...

In this paper we introduce the notion of identity based encryption with wildcards, or WIBE for short. This allows the encryption of messages to multiple parties with common fields in their identity strings, for example email groups in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion in...

(Non-interactive) Trapdoor Mercurial Commitments (TMCs) were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets (introduced by Micali, Rabin and Kilian [28]). TMCs are quite similar and certainly imply ordinary (non-interactive) trapdoor commitments (TCs). Unlike TCs, however, they allow for some addit...

In secure multiparty computation, a set of mutually mistrusting players engage in a protocol to compute an arbitrary, publicly known polynomial-sized function of the parties' private inputs, in a way that does not reveal (to an adversary controlling some of the players) any knowledge about the remaining inputs, beyond what can be deduced from the...

A peer-to-peer market place is likely to be based on some underlying micro-payment scheme where each user can act both as a customer and as a merchant. Such systems, even when designed for largely distributed domains, may be implemented according to hybrid topologies where trusted third intermediaries (e.g. the broker) are single points of failures...

We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of [7] is computationally consistent, and provide a new scheme that...

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively a hybrid trapdoor commitment scheme is a primitive which can be either an unconditionally binding commitment scheme or a trapdoor commitment scheme depending on the distribution of commitment parameters. Moreover, such two distributions are computationally indistinguishable...

R. Cramer and I. M. Damgård [Lect. Notes Comput. Sci. 1109, 173–185 (1996)] proposed an efficient, tree-based, signature scheme that is provably secure against adaptive chosen message attacks under the assumption that inverting RSA is computationally infeasible. In this paper we show how to modify their basic construction in order to achieve a sche...

The book here reviewed consists of several articles written by different authors. We provide below short characteristics of each of the articles in the book.

Despite their large success, file sharing and peer to peer systems are used mainly for illegal actions, such as violations of authors' copyright. Many commercial proposals have been made available, but at the present time, there is a lack of inherently legal file sharing tools which remain attractive for all the involved parties. In this paper we pr...

In this paper we revisit one of the most popular password-based key exchange protocols, namely the OKE (for Open Key Exchange) scheme, proposed by Lucks in 1997. Our results can be highlighted as follows. First we define a new primitive that we call trapdoor hard-to-invert isomorphisms, and give some candidates. Then we present a generic password-ba...

A group key agreement protocol allows a set of users, communicating over a public network, to agree on a private session key. Most of the schemes proposed so far require a linear number (with respect to the number of participants) of communication rounds to securely achieve this goal. In this paper we propose a new constant-round group key exchan...

At Eurocrypt ‘02 Cramer and Shoup [7] proposed a general paradigm to construct practical public-key cryptosystems secure against adaptive chosen-ciphertext attacks as well as several concrete examples. Among the others they presented a variant of Paillier’s [21] scheme achieving such a strong security requirement and for which two, independent, dec...

At ACM CCS '01, Catalano et al. proposed a mix of the RSA cryptosystem with the Paillier cryptosystem from Eurocrypt '99. The resulting scheme, which we call RSAP, is a probabilistic cryptosystem which is both semantically secure under an appropriate decisional assumption and as efficient as RSA, but without the homomorphic property of the Paillier...

We re-examine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an arbitrary exponent e instead of N. The use of low exponents substantially increases the efficiency of the scheme. The semantic security is now based on a new...

At EUROCRYPT '99 P. Paillier proposed a new encryption scheme based on higher residuosity classes [Lect. Notes Comput. Sci. 1592, 223-238 (1999; Zbl 0933.94027)]. The new scheme was proven to be one-way under the assumption that computing N-residuosity classes in \(\mathbb{Z}^*_{N^2}\) is hard. Similarly the scheme can be proven to be semantically secure under a...

We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of \(e^{-1} \bmod \varphi\). The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of threshold vari...

At EuroCrypt'99, Paillier proposed a new encryption scheme based on higher residuosity classes. The new scheme was proven to be one-way under the assumption that computing N-residuosity classes in \(\mathbb{Z}^*_{N^2}\) is hard. Similarly the scheme can be proven to be semantically secure under a much stronger decisional assumption: given \(w \in \mathbb{Z}^*_{N^2}\) it is hard to...

At EuroCrypt'99, Paillier proposed a new encryption scheme based on higher residuosity classes. The new scheme was proven to be one-way under the assumption that computing N-residuosity classes in \(\mathbb{Z}^*_{N^2}\) is hard. Similarly the scheme can be proven to be semantically secure under a much stronger decisional assumption: given \(w \in \mathbb{Z}^*_{N^2}\) it is hard to decid...

We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of \(e^{-1} \bmod \varphi\). The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of thr...

In this paper we present a novel watermarking scheme to generalize a previous proposal by the same authors. In that paper, watermarking the image amounts to processing the colors in the picture as points in the Color Opponency space and offsetting each one of them by a random vector. As an extra constraint, in order to avoid picture quality degradation...

We present an efficient algorithm for the approximate median selection problem. The algorithm works in-place; it is fast and easy to implement. For a large array it returns, with high probability, a very close estimate of the true median. The running time is linear in the length n of the input. The algorithm performs fewer than \(\frac{4}{3}n\)...


In this paper we present a new efficient watermarking scheme for images. The basic idea of our method is to alter the colors of the given image in a suitable but imperceptible way. This is accomplished by moving the coordinates of each color in the color opponency space. The scheme is shown to be robust against a large class of image manipulation...

Verifiable Signature Sharing (VσS) enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it. The original RSA and Rabin VσS protocols were subsequently broken and the original DSS VσS lacks a formal proof of security. We presen...

We study the problem of learning Sat-k-DNF formulas from membership queries. We show that Sat-k-DNF are PAC learnable with membership queries by proving that k-ambiguous automata are PAC learnable with membership queries and by establishing a PAC reduction that preserves membership queries between these two classes of concepts. We also give a posit...

At Eurocrypt 2005 Chase et al. introduced the notion of mercurial commitment schemes. The main application of mercurial commitments is that, used together with collision resistant hash functions, they suffice to construct zero-knowledge sets (ZKS), introduced by Micali et al. at FOCS 2003. In particular, Chase et al. show how to construct non-inter...