# Yvo Desmedt's research while affiliated with University of Texas at Dallas and other places

**What is this page?**

This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

## Publications (298)

Most cryptographers believe our modern systems and proven secure protocols cannot be broken. Some are now convincing Treasure Departments to make their own versions of Bitcoin. Today cryptosystems are considered secure as long as academics have not broken them. Earlier we argued that this approach might be badly flawed, by presenting a minority vie...

Secret sharing allows a dealer to distribute a secret among a set of parties such that only authorized subsets, specified by an access structure, can reconstruct the secret. Sehrawat and Desmedt (COCOON 2020) introduced hidden access structures, that remain secret until some authorized subset of parties collaborate. However, their scheme assumes se...

Secret sharing, a well-known cryptographic technique, introduced 40 years ago as a private and reliable variant of classical storage, has now become a major cryptographic primitive with numerous real-world applications. In this paper we consider the digital forensics aspects of secret sharing. We investigate the problem of
framing
which occurs wh...

Secret sharing allows a dealer to distribute a secret among several parties such that only authorized subsets of parties, specified by a (monotone) access structure, can reconstruct the secret. Recently, Sehrawat and Desmedt (COCOON 2020) introduced hidden access structures, that remain secret until some authorized subset of parties collaborate. Ho...

Secret sharing provides a means to distribute shares of a secret such that any authorized subset of shares, specified by an access structure, can be pooled together to recompute the secret. The standard secret sharing model requires public access structures, which violates privacy and facilitates the adversary by revealing the high-value targets. I...

Secret sharing provides a means to distribute shares of a secret such that any authorized subset of shares, specified by an access structure, can be pooled together to recompute the secret. The standard secret sharing model requires public access structures, which violates privacy and facilitates the adversary by revealing high-value targets. In th...

Shamir’s threshold secret sharing scheme gives an efficient way to share a secret among n participants such that any k or more of them can reconstruct the secret. For implementation, Shamir’s scheme requires a finite field. Desmedt et al. (AsiaCrypt ’94) proposed a multiplicative secret sharing scheme over non-abelian groups. In this paper, we exte...

We define a pseudorandom function (PRF) \(F: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}\) to be bi-homomorphic when it is fully Key homomorphic and partially Input Homomorphic (KIH), i.e., given \(F(k_1, x_1)\) and \(F(k_2, x_2)\), there is an efficient algorithm to compute \(F(k_1 \oplus k_2, x_1 \ominus x_2)\), where \(\oplus \) an...

The study of Rational Secret Sharing initiated by Halpern and Teague regards the reconstruction of the secretin secret sharing as a game. It was shown that participants (parties) may refuse to reveal their shares and so the reconstruction may fail. Moreover, a refusal to reveal the share may be a dominant strategy of a party. In this paper we consi...

We define a pseudorandom function (PRF) $F: \mathcal{K} \times \mathcal{X} \rightarrow \mathcal{Y}$ to be bi-homomorphic when it is fully Key homomorphic and partially Input Homomorphic (KIH), i.e., given $F(k_1, x_1)$ and $F(k_2, x_2)$, there is an efficient algorithm to compute $F(k_1 \oplus k_2, x_1 \ominus x_2)$, where $\oplus$ and $\ominus$ ar...

The study of Rational Secret Sharing initiated by Halpern and Teague regards the reconstruction of the secret in secret sharing as a game. It was shown that participants (parties) may refuse to reveal their shares and so the reconstruction may fail. Moreover, a refusal to reveal the share may be a dominant strategy of a party. In this paper we cons...

Verifiable secret sharing (VSS) allows honest parties to ensure consistency of their shares even if a dealer and/or a subset of parties are corrupt. We focus on perfect VSS, i.e., those providing perfect privacy, correctness and commitment with zero error, in the unconditional (information-theoretic) security setting where no assumption on the comp...

For 35 years the cryptographic community has created the impression that anonymous communication is always possible. Chaum’s dining cryptographer’s solution is regarded as achieving unconditional security. Chaum’s MIX approach, namely applying a uniformly random permutation on the plaintexts to be sent, is often given as a definition for anonymity....

Insiders misuse their access to data and are known to pose serious risks to organizations. From a security engineering viewpoint, each insider threat incident is associated to full, or partial, failure of an access control system. Here, we introduce Function-Based Access Control (FBAC). FBAC is inspired by Functional Encryption but takes a system a...

Redundant Array of Independent Disks (RAID) storage architectures provide protection of digital infrastructure against potential disks failures. For example, RAID-5 and RAID-6 architectures provide protection against one and two disk failures, respectively. Recently, the data generation has significantly increased due to the emergence of new techno...

In CANS 2016, Chen, Laing, and Martin proposed an ideal (t, n)-threshold secret sharing scheme (the CLM scheme) based on random linear code. However, in this paper we show that this scheme is essentially same as the one proposed by Karnin, Greene, and Hellman in 1983 (the KGH scheme) from privacy perspective. Further, the authors did not analyzed m...

Cryptographic authentication protects messages against forgeries. In real life, messages carry information of different value and the gain of the adversary in a successful forgery and the corresponding cost of the system designers, depend on the “meaning” of the message. This is easy o see by comparing the successful forgery of a $1,000 transaction...

Current storage systems use RAID-5 and RAID-6 architectures to provide protection against one and two disk failures, respectively. However, as the size of storage system grows rapidly three concurrent disk failures are becoming more frequent. To cope up with three disk failure, we propose a new RAID level, i.e., RAID-7, for which three-column-erasu...

Fully Homomorphic Encryption schemes (FHEs) and Functional Encryption schemes (FunctEs) have a tremendousimpact in cryptography both for the natural questions that they address and for the wide range of applications in which they have been (sometimes critically) used. In this work we put forth the notion of a Controllable Homomorphic Encryption sch...

A recent DDoS attack has shown the limited security of Internet of Things. In this paper we show that Internet of Things are being designed without taking privacy issues into account. We propose the policy "the Need to Know" as an approach to tackle the issue.

The misuse of legitimate access to data is a serious information security concern for both organizations and individuals. From a security engineering viewpoint, this might be due to the failure of access control. Inspired by Functional Encryption, we introduce Function-Based Access Control (FBAC). From an abstract viewpoint, we suggest storing acce...

Secure computation through non standard methods, suitable for users who have to perform the computation without the aid of a computer, or for settings in which the degree of trustworthiness of the hardware and software equipments is very low, are an interesting, very challenging and quite unexplored research topic. In this paper we put forward a co...

Code reuse attacks use snippets of code (called gadgets) from the target program. Software diversity aims to thwart code reuse attacks by increasing the uncertainty regarding the target program. The current practice is to quantify the security impact of software diversity algorithms via the number/percentage of the surviving gadgets. Recent attacks...

Walsh-Hadamard transform is used in a wide variety of scientific and engineering applications, including bent functions and cryptan-alytic optimization techniques in cryptography. In linear cryptanalysis, it is a key question to find a good linear approximation, which holds with probability (1 + d)/2 and the bias d is large in absolute value. Lu an...

To predict the future one should study the past. Kahn has documented the 2000 years of history of cryptography. However, have cryptographers learned their lesson? To answer this question we will take an optimistic as well as pessimistic viewpoint.

Walsh transform is used in a wide variety of scientific and engineering applications, including bent functions and cryptanalytic optimization techniques in cryptography. In linear cryptanalysis, it is a key question to find a good linear approximation, which holds with probability (1+d)/2 and the bias d is large in absolute value. Lu and Desmedt (2...

Code voting was introduced by Chaum as a solution for using a possibly
infected-by-malware device to cast a vote in an electronic voting application.
Chaum's work on code voting assumed voting codes are physically delivered to
voters using the mail system, implicitly requiring to trust the mail system.
This is not necessarily a valid assumption to...

One of the important problems in secret sharing schemes is to establish bounds on the size of the shares to be given to participants in secret sharing schemes. The other important problem in secret sharing schemes is to reduce the computational complexity in both secret distribution phase and secret reconstruction phase. In this paper, we design ef...

We show the first deterministic construction of an unconditionally secure multiparty computation (MPC) protocol in the passive adversarial model over black-box non-Abelian groups which is both optimal (secure against an adversary who possesses any t<n2 inputs) and has subexponential complexity of construction based on coloring of planar graphs. Mor...

DES is a famous 64-bit block cipher with balanced Feistel structure. It consists of 16 rounds. The key has 56 bits and the round key has 48 bits. Two major cryptanalysis techniques (namely, linear cryptanalysis and differential cryptanalysis) were notably developed and successfully applied to the full 16-round DES in the early 1990’s. Davies-Murphy...

After the Snowden leaks, it has become evident that a discussion is needed on how to reorganize the huge intelligence agencies so that they fit a Western thinking and to avoid that they are evolving into a clone of what the KGB and the Stasi used to be. Well before the Snowden leaks, the author had been thinking along this line.
On the 26th of Octo...

Cyber-criminals have benefited from on-line banking (OB), regardless of the extensive research on financial cyber-security. To better be prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that automation is starting to t...

Private data is leaked more and more in our society. Wikileaks, Facebook, and identity theft are just three examples. So, modeling privacy is important. Cryptographers do not provide methods to address whether data should remain private or not. The use of entropy does not reflect the cost associated with the loss of private data.
In this paper we p...

Usability and security are two very important facets of elec-tronic voting systems. Security ensures that required prop-erties of any election are achieved. Such properties include prevention of ballot stuffing, incoercibility, security against impersonation, amongst others. Usability on the other hand helps to ensure the integrity of elections. Sy...

We study the natural problem of secure n-party computation (in the computationally unbounded attack model) of circuits over an arbitrary finite non-Abelian group (G,⋅), which we call G-circuits. Besides its intrinsic interest, this problem is also motivating by a completeness result of Barrington, stating that such protocols can be applied for gene...

Text Updates and Photo Uploads. Textual updates similar to the ones shown in Table 1 can provide criminals with incentives. 154000 users on Facebook have publicly expressed the possession of a diamond while 2190 expressed losing their keys at a certain place. Any overlap between the two sets, within the geographical reach of the criminal, could giv...

Cortier & Smyth have explored ballot copying in the Helios e-voting platform as an attack against privacy. They also pointed out that their approach to ballot copying could be detected by a modified Helios. We revisit ballot copying from a different viewpoint: as a tool to prevent vote diffusion (the division of votes among multiple weak candidates...

Most previous work on unconditionally secure multiparty computation has focused on computing over a finite field (or ring). Multiparty computation over other algebraic structures has not received much attention, but is an interesting topic whose study may provide new and improved tools for certain applications. At CRYPTO 2007, Desmedt et al introdu...

Perfectly secure message transmission (PSMT) schemes have been studied in the field of cryptography for nearly 20 years.
In this paper we introduce a new aspect to PSMT. We consider the case when the hardware/software used by the receiver might be corrupted by the adversary. To address this, we replace the receiver by a human (the dual of this is w...

In this paper, we use the concept of colored edge graphs to model homogeneous
faults in networks. We then use this model to study the minimum connectivity
(and design) requirements of networks for being robust against homogeneous
faults within certain thresholds. In particular, necessary and sufficient
conditions for most interesting cases are obta...

With over 750 million active users, Facebook is the most famous social networking website. One particular aspect of Facebook widely discussed in the news and heavily researched in academic circles is the privacy of its users. In this paper we introduce a zero day privacy loophole in Facebook. We call this the deactivated friend attack. The concept...

In this paper we demonstrate that widely known identification systems, such as the public-file-based Feige-Fiat-Shamir scheme, can be insecure if proper care is not taken with their implementation. We suggest possible solutions. On the other hand, identity-based versions of the Feige-Fiat-Shamir scheme are conceptually more complicated than necessa...

This paper surveys research jointly with Jean-Jacques Quisquater, primarily the joint work on DES, on exhaustive key search machines, and on information hiding.

In this paper we solve the problem of secure communication in multicast graphs, which has been open for over a decade. At Eurocrypt ’98, Franklin and Wright initiated the study of secure communication against a Byzantine adversary on multicast channels in a neighbor network setting. Their model requires node-disjoint and neighbor-disjoint paths bet...

In this paper we provide a preliminary analysis of Google+ privacy. We
identified that Google+ shares photo metadata with users who can access the
photograph and discuss its potential impact on privacy. We also identified that
Google+ encourages the provision of other names including maiden name, which
may help criminals performing identity theft....

In this paper we provide a preliminary analysis of Google+ privacy. We identified that Google+ shares photo metadata with users who can access the photograph and discuss its potential impact on privacy. We also identified that Google+ encourages the provision of other names including maiden name, which may help criminals performing identity theft....

In this paper we provide a preliminary analysis of Google+ privacy. We identified that Google+ shares photo metadata with users who can access the photograph and discuss its potential impact on privacy. We also identified that Google+ encourages the provision of other names including maiden name, which may help criminals performing identity theft....

In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate
algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message
injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For...

Recent work in perfectly secure message transmission protocols – such as the work by Kurosawa and Suzuki in EUROCRYPT 2008, seeks to design efficient protocols for the secure transmission of messages from a sender to a receiver. The specific work focused on a single sender and single receiver multi-message transmission protocol. In this work we loo...

In this paper, we use the concept of colored edge graphs to model homogeneous faults in networks. We then use this model to
study the minimum connectivity (and design) requirements of networks for being robust against homogeneous faults within certain
thresholds. In particular, necessary and sufficient conditions for most interesting cases are obta...

At Asiacrypt '10, Yang and Desmedt proposed a number of perfectly secure message transmission protocols in the general adversary model. However, there is a minor flaw in the 2-round protocol in an undirected graph to transmit multiple messages. A small correction solves the problem. Here we fix the protocol and prove its security.

Related Concepts Integer Factoring; RSA Factoring Challenge Definition Rabin's public-key encryption is an asymmetric encryption scheme based on the modular square root problem, an thus related to integer factoring.

Cloud computing has many attractive countenance, because of those countenance; it has become much easier to store large amount of data on it. Hence, preserving the data on cloud helps user to access the data from any place whenever it is needed. Thus due to the vast data, a very big concern emerges i.e. security and privacy. Encryption helps user t...

Helios is a web-based open-audit voting system de-signed using state of the art web technologies and ad-vanced cryptographic techniques to provide integrity of ballots and voter secrecy in an insecure Internet envi-ronment. In this paper, we demonstrate a simple at-tack against Helios 2.0 that takes advantage of the fact that every candidate in Hel...

We study perfectly secure message transmission (PSMT) from a sender S to a receiver R in the general adversary model. In this model, instead of being bounded by a threshold, the Byzantine adversary in a network
is characterized by an adversary structure. By regarding monotone general access structures as linear codes, we introduce
some new properti...

Bias analysis is an important problem in cryptanalysis. When the critical bias can be expressed by the XOR of many terms, it is well-known that we can compute the bias of their sum by the famous Piling-up lemma assuming all the terms are independent. In this paper, we consider the terms of the sum are dependent and we study above bias problem. More...

Rabbit is a stream cipher using a 128-bit key. It outputs one keystream block of 128 bits each time, which consists of eight
sub-blocks of 16 bits. It is among the finalists of ECRYPT Stream Cipher Project (eSTREAM). Rabbit has also been published
as informational RFC 4503 with IETF. Prior to us, the research on Rabbit all focused on the bias analy...

Group key exchange (GKE) allows a group of n parties to share a common secret key over insecure channels. Since key management is important, NIST is now looking for a
standard. The goal of this paper is to redesign GKE using bilinear pairings, proposed by Desmedt and Lange, from the point
of view of arrangement of parties. The arrangement of partie...

In the traditional scenario in cryptography there is one sender, one receiver and an active or passive eavesdropper who is an opponent. Large bank transactions require two people to sign, implying two senders. So the power to generate a valid transaction is shared. Threshold cryptography allows one to share the power of a cryptosystem. Threshold cr...

Recently Kurosawa and Suzuki considered almost secure (1-phase n-channel) message transmission when n = (2t + 1). The authors gave a lower bound on the communication complexity and presented an exponential time algorithm achieving this bound. In this paper we present a polynomial time protocol achieving the same security properties for the same net...

In the traditional voting manipulation literature, it is assumed that a group of manipulators jointly misrepresent their preferences to get a certain candidate elected, while the remaining voters are truthful. In this paper, we depart from this assumption, and consider the setting where all voters are strategic. In this case, the election can be vi...

Intensity-modulated radiation therapy (IMRT) is a modern cancer treatment technique aiming to deliver a prescribed conformal radiation dose to a target tumor while sparing the surrounding normal tissues and critical structures. In this chapter, we consider ...

Intensity-modulated radiation therapy (IMRT) is a modern cancer treatment technique aiming to deliver a prescribed conformal radiation dose to a target tumor while sparing the surrounding normal tissues and critical structures. In this chapter, we consider ...

We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message usin...

In the context of secure point-to-point message transmission in networks with minimal connectivity, previous studies showed
that feedbacks from the receiver to the sender can be used to reduce the requirements of network connectivity. We observe
that the way how feedbacks were used in previous work does not guarantee perfect privacy to the transmit...

Key distribution schemes play a significant role in key assignment schemes which allow participants in a network to communicate by means of symmetric cryptography in a secure way without the need of a unique key for every pair of participants. It is assumed that an adversary can eavesdrop on all communication and can corrupt up to t vertices in the...

Approximate message authentication codes (AMAC) arise naturally in biometric and multimedia applications where plaintexts
are fuzzy and a tagged message (x′, t) where t is the calculated tag for a message x that is ‘close’ to x′ should pass the verification test. Fuzziness of plaintexts can be due to a variety of factors including applying acceptab...

In the context of secure point-to-point message transmission in networks with minimal connectivity, previous studies showed that feedbacks from the receiver to the sender can be used to reduce the requirements of network connectivity. We observe that the way how feedbacks were used in previous work does not guarantee perfect privacy to the transmit...

In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For...

## Citations

... LWE is known to be hard based on the worst-case hardness of standard lattice problems such as GapSVP (decision version of the Shortest Vector Problem) and SIVP (Shortest Independent Vectors Problem) [1], [183]. Multiple variants of LWE such as ring LWE [184], module LWE [185], cyclic LWE [186], continuous LWE [187], PRIM LWE [188], middle-product LWE [189], group LWE [190], entropic LWE [191], universal LWE [192], and polynomial-ring LWE [193] have been developed since 2010. Many versatile cryptosystems rely on the hardness of LWE [2], [194], [195]. ...

... Thus, it is imperative to limit such capabilities and/or size of any such coalition when constructing a combinatorial RTS. The concept of frameproofness was examined by Desmedt et al. in their recent paper [10]. In this paper, we improve the extension scheme so that no framing is possible for any coalition of smaller size than the threshold. ...

... Generally, the cryptographic techniques deployed for privacy protection in recommendation systems are as follows: homomorphic encryption [8,39], secure multiparty computation [8,40], proxy re-encryption [41], secret sharing [42], attribute-based encryption [41,43], and zero-knowledge proofs [40,44]. ...

... A summarized comparison of the constructions with other relevant works is available in Table 1. Further studies like cheating variants of evolving secret sharing [6,7,22,24,30,45] schemes where share size is grows over time but in ramp setup are left as open problems. Introducing variants of new paradigms such as in [34] might be interesting. ...

... Alwen et al. [210], Bogdanov et al. [211], and Bai et al. [212] made further improvements on the range of parameters and hardness proofs for LWR. LWR has been used to construct pseudorandom generators/functions [4], [95], [96], [213]- [215], and probabilistic [216], [217] and deterministic [218] encryption schemes. ...

... To prevent insider threats in organizations a function-based AC method inspired by functional encryption is proposed in [35]. It stores access authorizations as a threedimensional tensor where users can invoke authorized commands at different levels such as data segments. ...

... In addition, an adaptive regulation continually adjusts a current climate regulation and a heat load throughout the year. Such effective regulation can save up households and companies lots of money [3]. ...

Reference: Smart Thermostat as a Part of IoT Attack

... The point that tag lengths can vary depending on the application has been noted in [24] where the problem of determining an economically optimal tag length has been considered from a game theoretic point of view. This is completely different from the work reported in the present paper. ...

... Although this attempt is attractive, it is not proved that the modified Gentry-Sahai-Waters scheme is IND-CCA1 secure. Desmedt et al. [31] have proposed controlled homomorphic encryption where a token is required for evaluation. This also introduces the designated evaluation setting but does not consider any CCA security. ...

... An asymmetric system uses variable keys for encryption and decryption of the message. The paper [1] has reviewed the progress in the field of visual cryptography focusing on models, open issues, applications and perspective of cryptography. ...

Reference: Major Developments in Visual Cryptography