CR · Dec 1, 2021
Security issues of CFS-like digital signature algorithms
Giuseppe D'Alconzo, Alessio Meneghetti, Paolo Piasenti
We analyse the security of some variants of the CFS code-based digital signature scheme. We show how the adoption of some code-based hash functions to improve the efficiency of CFS leads to the ability of an attacker to produce a forgery compatible with the rightful user's public key.
DC · Aug 25, 2021
Cob: a Leaderless Protocol for Parallel Byzantine Agreement in Incomplete Networks
Andrea Flamini, Riccardo Longo, Alessio Meneghetti
In this paper we extend the Multidimensional Byzantine Agreement (MBA) Protocol, a leaderless Byzantine agreement for lists of arbitrary values, into a protocol suitable for wide gossiping networks: Cob. This generalization allows the consensus process to be run by an incomplete network of nodes provided with (non-synchronized) same-speed clocks. Not all nodes are active in every step, so the network size does not hamper the efficiency, as long as the gossiping broadcast delivers the messages to every node in reasonable time. These network assumptions model more closely real-life communication channels, so the Cob protocol may be applicable to a variety of practical problems, such as blockchain platforms implementing sharding. Cob has the same Bernoulli-like distribution that upper-bounds the number of steps as the MBA protocol. We prove its correctness and security assuming a supermajority of honest nodes in the network, and compare its performance with Algorand.
CR · Jul 23, 2021
A survey on NIST PQ signatures
Nicola Di Chiano, Riccardo Longo, Alessio Meneghetti et al.
Shor's shockingly fast quantum algorithm for solving the period-finding problem is a threat for the most common public-key primitives, as it can be efficiently applied to solve both the Integer Factorisation Problem and the Discrete Logarithm Problem. In other words, many once-secure protocols have to be replaced by still-secure alternatives. Instead of relying, for example, on the RSA protocol, the Diffie-Hellman key exchange or the (Elliptic Curve) Digital Signature Algorithm, many researchers moved their attention to the design and analysis of primitives which are yet to be broken by quantum algorithms. The urgency of the threat imposed by quantum computers led the U.S. National Institute of Standards and Technology (NIST) to open calls for both Post-Quantum Public-Key Exchange Algorithms and Post-Quantum Digital Signature Algorithms. In this brief survey we focus on the round 3 finalists and alternate candidates for Digital Signatures: CRYSTALS-DILITHIUM, FALCON, Rainbow, SPHINCS+, GeMSS, Picnic.
DC · May 27, 2021
Multidimensional Byzantine Agreement in a Synchronous Setting
Andrea Flamini, Riccardo Longo, Alessio Meneghetti
In this paper we will present the Multidimensional Byzantine Agreement (MBA) Protocol, a leaderless Byzantine agreement protocol defined for complete and synchronous networks that allows a network of nodes to reach consensus on a vector of relevant information regarding a set of observed events. The consensus process is carried out in parallel on each component, and the output is a vector whose components are either values with wide agreement in the network (even if no individual node agrees on every value) or a special value $\bot$ that signals irreconcilable disagreement. The MBA Protocol is probabilistic and its execution halts with probability 1, and the number of steps necessary to halt follows a Bernoulli-like distribution. The design combines a Multidimensional Graded Consensus and a Multidimensional Binary Byzantine Agreement, the generalization to the multidimensional case of two protocols by Micali and Feldman. We prove the correctness and security of the protocol assuming a synchronous network where less than a third of the nodes are malicious.
CR · Sep 2, 2020
A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party
Michele Battagliola, Riccardo Longo, Alessio Meneghetti et al.
A $(t,n)$-threshold signature scheme enables distributed signing among $n$ players such that any subset of size at least $t$ can sign, whereas any subset with fewer players cannot. The goal is to produce threshold digital signatures that are compatible with an existing centralized signature scheme. Starting from the threshold scheme for the ECDSA signature due to Battagliola et al., we present the first protocol that supports EdDSA multi-party signatures with an offline participant during the key-generation phase, without relying on a trusted third party. Under standard assumptions we prove our scheme secure against adaptive malicious adversaries. Furthermore, we show how our security notion can be strengthened when considering a rushing adversary. We discuss the resiliency of the recovery in the presence of a malicious party. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible probability, then we can build a forger for the centralized EdDSA scheme with non-negligible probability.
CR · Jul 8, 2020
Threshold ECDSA with an Offline Recovery Party
Michele Battagliola, Riccardo Longo, Alessio Meneghetti et al.
A $(t,n)$-threshold signature scheme enables distributed signing among $n$ players such that any subgroup of size $t$ can sign, whereas any group with fewer players cannot. Our goal is to produce signatures that are compatible with an existing centralized signature scheme: the key generation and signature algorithm are replaced by a communication protocol between the parties, but the verification algorithm remains identical to that of a signature issued using the centralized algorithm. Starting from the threshold schemes for the ECDSA signature due to R. Gennaro and S. Goldfeder, we present the first protocol that supports multiparty signatures with an offline participant during the Key Generation Phase, without relying on a trusted third party. Following well-established approaches, we prove our scheme secure against adaptive malicious adversaries.
CR · Nov 26, 2019
A new ECDLP-based PoW model
Alessio Meneghetti, Massimiliano Sala, Daniele Taufer
We lay the foundations for a blockchain scheme, whose consensus is reached via a proof of work algorithm based on the solution of consecutive discrete logarithm problems over the point group of elliptic curves. In the considered architecture, the curves are pseudorandomly determined by block creators, chosen to be cryptographically secure and changed every epoch. Given the current state of the chain and a prescribed set of transactions, the curve selection is fully rigid, therefore trust is needed neither in miners nor in the scheme proposers.
CR · Feb 8, 2019
A survey on efficient parallelization of blockchain-based smart contracts
Alessio Meneghetti, Tommaso Parise, Massimiliano Sala et al.
The main problem faced by smart contract platforms is the amount of time and computational power required to reach consensus. In a classical blockchain model, each operation is in fact performed by each node, both to update the status and to validate the results of the calculations performed by others. In this short survey we sketch some state-of-the-art approaches to obtain an efficient and scalable computation of smart contracts. Particular emphasis is given to sharding, a promising method that allows parallelization and therefore a more efficient management of the computational resources of the network.
CR · Feb 8, 2019
Two-tier blockchain timestamped notarization with incremental security
Alessio Meneghetti, Armanda Ottaviano Quintavalle, Massimiliano Sala et al.
Digital notarization is one of the most promising services offered by modern blockchain-based solutions. We present a digital notary design with incremental security and cost reduced with respect to current solutions. A client of the service receives evidence in three steps. In the first step, evidence is received almost immediately, but a lot of trust is required. In the second step, less trust is required, but evidence is received seconds later. Finally, in the third step evidence is received within minutes via a public blockchain.
GR · Mar 2, 2018
Type-Preserving Matrices and Security of Block Ciphers
Riccardo Aragona, Alessio Meneghetti
We provide a new property, called Non-Type-Preserving, for a mixing layer which guarantees protection against algebraic attacks based on the imprimitivity of the group generated by the round functions. Our main result is to present necessary and sufficient conditions on the structure of the binary matrix associated to the mixing layer, so that it has this property. Then we show how several families of linear maps are Non-Type-Preserving, including the mixing layers of AES, GOST and PRESENT. Finally we prove that the group generated by the round functions of an SPN cipher with addition modulo a power of 2 as key mixing function is primitive if its mixing layer satisfies this property. Moreover we generalise the definition of a GOST-like cipher using a Non-Type-Preserving matrix as mixing layer and we show, under the only assumption of invertibility of the S-Boxes, that the corresponding group is primitive.