Navid Nasr Esfahani

Yujie Gu, Sonata Akao, Navid Nasr Esfahani et al.

All-or-nothing transforms (AONT) were proposed by Rivest as a message preprocessing technique for encrypting data to protect against brute-force attacks, and have numerous applications in cryptography and information security. Later the unconditionally secure AONT and their combinatorial characterization were introduced by Stinson. Informally, a combinatorial AONT is an array with the unbiased requirements and its security properties in general depend on the prior probability distribution on the inputs $s$-tuples. Recently, it was shown by Esfahani and Stinson that a combinatorial AONT has perfect security provided that all the inputs $s$-tuples are equiprobable, and has weak security provided that all the inputs $s$-tuples are with non-zero probability. This paper aims to explore on the gap between perfect security and weak security for combinatorial $(t,s,v)$-AONTs. Concretely, we consider the typical scenario that all the $s$ inputs take values independently (but not necessarily identically) and quantify the amount of information $H(\mathcal{X}|\mathcal{Y})$ about any $t$ inputs $\mathcal{X}$ that is not revealed by any $s-t$ outputs $\mathcal{Y}$. In particular, we establish the general lower and upper bounds on $H(\mathcal{X}|\mathcal{Y})$ for combinatorial AONTs using information-theoretic techniques, and also show that the derived bounds can be attained in certain cases. Furthermore, the discussions are extended for the security properties of combinatorial asymmetric AONTs.

Navid Nasr Esfahani, Douglas Stinson

All-or-nothing transforms (AONTs) were originally defined by Rivest as bijections from $s$ input blocks to $s$ output blocks such that no information can be obtained about any input block in the absence of any output block. Numerous generalizations and extensions of all-or-nothing transforms have been discussed in recent years, many of which are motivated by diverse applications in cryptography, information security, secure distributed storage, etc. In particular, $t$-AONTs, in which no information can be obtained about any $t$ input blocks in the absence of any $t$ output blocks, have received considerable study. In this paper, we study three generalizations of AONTs that are motivated by applications due to Pham et al. and Oliveira et al. We term these generalizations rectangular, range, and restricted AONTs. Briefly, in a rectangular AONT, the number of outputs is greater than the number of inputs. A range AONT satisfies the $t$-AONT property for a range of consecutive values of $t$. Finally, in a restricted AONT, the unknown outputs are assumed to occur within a specified set of "secure" output blocks. We study existence and non-existence and provide examples and constructions for these generalizations. We also demonstrate interesting connections with combinatorial structures such as orthogonal arrays, split orthogonal arrays, MDS codes and difference matrices.

Navid Nasr Esfahani, Douglas R. Stinson

In this paper, we initiate a study of asymmetric all-or-nothing transforms (or asymmetric AONTs). A (symmetric) $t$-all-or-nothing transform is a bijective mapping defined on the set of $s$-tuples over a specified finite alphabet. It is required that knowledge of all but $t$ outputs leaves any $t$ inputs completely undetermined. There have been numerous papers developing the theory of AONTs as well as presenting various applications of AONTs in cryptography and information security. In this paper, we replace the parameter $t$ by two parameters $t_o$ and $t_i$, where $t_i \leq t_o$. The requirement is that knowledge of all but $t_o$ outputs leaves any $t_i$ inputs completely undetermined. When $t_i < t_o$, we refer to the AONT as asymmetric. We give several constructions and bounds for various classes of asymmetric AONTs, especially those with $t_i = 1$ or $t_i = 2$. We pay particular attention to linear transforms, where the alphabet is a finite field $\mathbb{F}_q$ and the mapping is linear.

Navid Nasr Esfahani, Ian Goldberg, Douglas R. Stinson

A $(t, s, v)$-all-or-nothing transform is a bijective mapping defined on $s$-tuples over an alphabet of size $v$, which satisfies the condition that the values of any $t$ input co-ordinates are completely undetermined, given only the values of any $s-t$ output co-ordinates. The main question we address in this paper is: for which choices of parameters does a $(t, s, v)$-all-or-nothing transform (AONT) exist? More specifically, if we fix $t$ and $v$, we want to determine the maximum integer $s$ such that a $(t, s, v)$-AONT exists. We mainly concentrate on the case $t=2$ for arbitrary values of $v$, where we obtain various necessary as well as sufficient conditions for existence of these objects. We consider both linear and general (linear or nonlinear) AONT. We also show some connections between AONT, orthogonal arrays and resilient functions.

Paolo D'Arco, Navid Nasr Esfahani, Douglas R. Stinson

We continue a study of unconditionally secure all-or-nothing transforms (AONT) begun in \cite{St}. An AONT is a bijective mapping that constructs s outputs from s inputs. We consider the security of t inputs, when s-t outputs are known. Previous work concerned the case t=1; here we consider the problem for general t, focussing on the case t=2. We investigate constructions of binary matrices for which the desired properties hold with the maximum probability. Upper bounds on these probabilities are obtained via a quadratic programming approach, while lower bounds can be obtained from combinatorial constructions based on symmetric BIBDs and cyclotomy. We also report some results on exhaustive searches and random constructions for small values of s.