Massimiliano Sala

CR · 16 papers · 55 citations · Novelty 33% · AI Score 19

16 Papers

CR · Dec 22, 2021
An algebraic attack on stream ciphers with application to nonlinear filter generators and WG-PRNG

Carla Mascia, Enrico Piccione, Massimiliano Sala

In this paper, we propose a new algebraic attack on stream ciphers. Starting from the well-known attack due to Courtois and Meier, we design an attack especially effective against nonlinear filter generators. We test it on two toy stream ciphers and we show that the level of security of one of the stream ciphers submitted to the NIST competition on Lightweight Cryptography, WG-PRNG, is less than that stated before now.

CR · Jun 11, 2021
A survey on Functional Encryption

Carla Mascia, Massimiliano Sala, Irene Villa

Functional Encryption (FE) expands traditional public-key encryption in two different ways: it supports fine-grained access control and allows learning a function of the encrypted data. In this paper, we review all FE classes, describing their functionalities and main characteristics. In particular, we mention several schemes for each class, providing their security assumptions and comparing their properties. To our knowledge, this is the first survey that encompasses the entire FE family.

CR · Sep 2, 2020
A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party

Michele Battagliola, Riccardo Longo, Alessio Meneghetti et al.

A $(t,n)$-threshold signature scheme enables distributed signing among $n$ players such that any subset of size at least $t$ can sign, whereas any subset with fewer players cannot. The goal is to produce threshold digital signatures that are compatible with an existing centralized signature scheme. Starting from the threshold scheme for the ECDSA signature due to Battagliola et al., we present the first protocol that supports EdDSA multi-party signatures with an offline participant during the key-generation phase, without relying on a trusted third party. Under standard assumptions we prove our scheme secure against adaptive malicious adversaries. Furthermore, we show how our security notion can be strengthened when considering a rushing adversary. We discuss the resiliency of the recovery in the presence of a malicious party. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible probability, then we can build a forger for the centralized EdDSA scheme with non-negligible probability.

CR · Jul 8, 2020
Threshold ECDSA with an Offline Recovery Party

Michele Battagliola, Riccardo Longo, Alessio Meneghetti et al.

A $(t,n)$-threshold signature scheme enables distributed signing among $n$ players such that any subgroup of size $t$ can sign, whereas any group with fewer players cannot. Our goal is to produce signatures that are compatible with an existing centralized signature scheme: the key generation and signature algorithm are replaced by a communication protocol between the parties, but the verification algorithm remains identical to that of a signature issued using the centralized algorithm. Starting from the threshold schemes for the ECDSA signature due to R. Gennaro and S. Goldfeder, we present the first protocol that supports multiparty signatures with an offline participant during the Key Generation Phase, without relying on a trusted third party. Following well-established approaches, we prove our scheme secure against adaptive malicious adversaries.

NT · Apr 13, 2020
A power APN function CCZ-equivalent to Kasami function in even dimension

Augustine Musukwa, Massimiliano Sala

Let $n$ be an even number such that $n\equiv 0 \pmod{4}$. We show that a power function $x^d$, with $d=2^{\frac{n+2}{2}}+2^{\frac{n-2}{2}}-1$, on $\mathbb{F}_{2^n}$ is an APN function of degree $n/2$ which is CCZ-equivalent to Kasami functions of degrees $n/2$ and $(n+4)/2$.

CR · Nov 26, 2019
A new ECDLP-based PoW model

Alessio Meneghetti, Massimiliano Sala, Daniele Taufer

We lay the foundations for a blockchain scheme, whose consensus is reached via a proof of work algorithm based on the solution of consecutive discrete logarithm problems over the point group of elliptic curves. In the considered architecture, the curves are pseudorandomly determined by block creators, chosen to be cryptographically secure and changed every epoch. Given the current state of the chain and a prescribed set of transactions, the curve selection is fully rigid, therefore trust is needed neither in miners nor in the scheme proposers.

CR · Sep 25, 2019
On the linear structures of Balanced functions and quadratic APN functions

Augustine Musukwa, Massimiliano Sala

The set of linear structures of most known balanced Boolean functions is nontrivial. In this paper, some balanced Boolean functions whose set of linear structures is trivial are constructed. We show that any APN function in even dimension must have a component whose set of linear structures is trivial. We determine a general form for the number of bent components in quadratic APN functions in even dimension and some bounds on the number are produced. We also count bent components in any quadratic power functions.

CR · Sep 23, 2019
On some cryptographic properties of Boolean functions and their second-order derivatives

Augustine Musukwa, Massimiliano Sala, Marco Zaninelli

In this paper some cryptographic properties of Boolean functions, including weight, balancedness and nonlinearity, are studied, particularly focusing on splitting functions and cubic Boolean functions. Moreover, we present some quantities derived from the behaviour of second-order derivatives which allow us to determine whether a quadratic or cubic function is APN.

CR · Jun 17, 2019
Public Ledger for Sensitive Data

Riccardo Longo, Massimiliano Sala

Satoshi Nakamoto's Blockchain allows one to build publicly verifiable and almost immutable ledgers, but sometimes privacy has to be factored in. In this work an original protocol is presented that allows sensitive data to be stored on a ledger where its integrity may be publicly verified, but its privacy is preserved and owners can tightly manage the sharing of their information with efficient revocation.

CR · Feb 8, 2019
A survey on efficient parallelization of blockchain-based smart contracts

Alessio Meneghetti, Tommaso Parise, Massimiliano Sala et al.

The main problem faced by smart contract platforms is the amount of time and computational power required to reach consensus. In a classical blockchain model, each operation is in fact performed by each node, both to update the status and to validate the results of the calculations performed by others. In this short survey we sketch some state-of-the-art approaches to obtain an efficient and scalable computation of smart contracts. Particular emphasis is given to sharding, a promising method that allows parallelization and therefore a more efficient management of the computational resources of the network.

CR · Feb 8, 2019
Two-tier blockchain timestamped notarization with incremental security

Alessio Meneghetti, Armanda Ottaviano Quintavalle, Massimiliano Sala et al.

Digital notarization is one of the most promising services offered by modern blockchain-based solutions. We present a digital notary design with incremental security and cost reduced with respect to current solutions. A client of the service receives evidence in three steps. In the first step, evidence is received almost immediately, but a lot of trust is required. In the second step, less trust is required, but evidence is received seconds later. Finally, in the third step evidence is received within minutes via a public blockchain.

GR · Aug 29, 2017
Wave-Shaped Round Functions and Primitive Groups

Riccardo Aragona, Marco Calderini, Roberto Civino et al.

Round functions used as building blocks for iterated block ciphers, both in the case of Substitution-Permutation Networks and Feistel Networks, are often obtained as the composition of different layers which provide confusion and diffusion, and key additions. The bijectivity of any encryption function, crucial in order to make the decryption possible, is guaranteed by the use of invertible layers or by the Feistel structure. In this work a new family of ciphers, called wave ciphers, is introduced. In wave ciphers, round functions feature wave functions, which are vectorial Boolean functions obtained as the composition of non-invertible layers, where the confusion layer enlarges the message, which returns to its original size after the diffusion layer is applied. This is motivated by the fact that relaxing the requirement that all the layers are invertible allows one to consider more functions which are optimal with regard to non-linearity. In particular, it allows one to consider injective APN S-boxes. In order to guarantee efficient decryption we propose to use wave functions in Feistel Networks. With regard to security, the immunity from some group-theoretical attacks is investigated. In particular, it is shown how to avoid that the group generated by the round functions acts imprimitively, which represents a serious flaw for the cipher.

CR · Sep 1, 2016
Several Proofs of Security for a Tokenization Algorithm

Riccardo Longo, Massimiliano Sala, Riccardo Aragona

In this paper we propose a tokenization algorithm of Reversible Hybrid type, as defined in PCI DSS guidelines for designing a tokenization solution, based on a block cipher with a secret key and (possibly public) additional input. We provide some formal proofs of security for it, which imply our algorithm satisfies the most significant security requirements described in PCI DSS tokenization guidelines. Finally, we give an instantiation with concrete cryptographic primitives and fixed length of the PAN, and we analyze its efficiency and security.

CR · Jul 28, 2016
On the security of the Blockchain Bix Protocol and Certificates

Riccardo Longo, Federico Pintore, Giancarlo Rinaldo et al.

The BIX protocol is a blockchain-based protocol that allows distribution of certificates linking a subject with his public key, hence providing a service similar to that of a PKI but without the need of a CA. In this paper we analyze the security of the BIX protocol in a formal way, in four steps. First, we identify formal security assumptions which are well-suited to this protocol. Second, we present some attack scenarios against the BIX protocol. Third, we provide a formal security proof that some of these attacks are not feasible under our previously established assumptions. Finally, we show how another attack may be carried out.

CR · Mar 21, 2016
A proof of security for a key-policy RS-ABE scheme

Federico Giacon, Riccardo Aragona, Massimiliano Sala

A revocable-storage attribute-based encryption (RS-ABE) scheme is an encryption scheme which extends attribute-based encryption by introducing user revocation. A key-policy RS-ABE scheme links each key to an access structure. We propose a new key-policy RS-ABE scheme whose security we prove in terms of indistinguishability under a chosen-plaintext attack (IND-CPA).

CR · Dec 13, 2014
Key-Policy Multi-Authority Attribute-Based Encryption

Riccardo Longo, Chiara Marcolla, Massimiliano Sala

Bilinear groups are often used to create Attribute-Based Encryption (ABE) algorithms. In particular, they have been used to create an ABE system with multiple authorities, but limited to the ciphertext-policy instance. Here, for the first time, we propose a multi-authority key-policy ABE system. In our proposal, the authorities may be set up at any moment and without any coordination. A party can simply act as an ABE authority by creating its own public parameters and issuing private keys to the users. A user can thus encrypt data choosing both a set of attributes and a set of trusted authorities, maintaining full control unless all his chosen authorities collude against him. We prove our system secure under the bilinear Diffie-Hellman assumption.