In this paper we propose an algorithm of factoring any integer N which has k different prime factors with the same bit-length, when about ()log2 N high-order bits of each prime factor are given. For a fixed ε, the running time of our algorithm is heuristic polynomial in (log2 N). Our factoring algorithm is based on a lattice-based algorithm of solving any k-variate polynomial equation over Z, which might be an independent interest.

Most aggregate signature schemes are relying on pairings, but high computational and storage costs of pairings limit the feasibility of those schemes in practice. Zhao proposed the first pairing-free aggregate signature scheme (AsiaCCS 2019). However, the security of Zhao's scheme is based on the hardness of a newly introduced non-standard computational problem. The recent impossibility results of Drijvers et al. (IEEE S&P 2019) on two-round pairing-free multi-signature schemes whose security based on the standard discrete logarithm (DL) problem have strengthened the view that constructing a pairing-free aggregate signature scheme which is proven secure based on standard problems such as DL problem is indeed a challenging open problem. In this paper, we offer a novel solution to this open problem. We introduce a new paradigm of aggregate signatures, i.e., aggregate signatures with an additional pre-communication stage. In the pre-communication stage, each signer interacts with the aggregator to agree on a specific random value before deciding messages to be signed. We also discover that the impossibility results of Drijvers et al. take effect if the adversary can decide the whole randomness part of any individual signature. Based on the new paradigm and our discovery of the applicability of the impossibility result, we propose a pairing-free aggregate signature scheme such that any individual signature includes a random nonce which can be freely generated by the signer. We prove the security of our scheme based on the hardness of the standard DL problem. As a trade-off, in contrast to the plain public-key model, which Zhao's scheme uses, we employ a more restricted key setup model, i.e., the knowledge of secret-key model.

The existing discrete-logarithm-based two-round multi-signature schemes without using the idealized model, i.e., the Algebraic Group Model (AGM), have quite large reduction loss. This means that an implementation of these schemes requires an elliptic curve (EC) with a very large order for the standard 128-bit security when we consider concrete security. Indeed, the existing standardized ECs have orders too small to ensure 128-bit security of such schemes. Recently, Pan and Wagner proposed two two-round schemes based on the Decisional Diffie-Hellman (DDH) assumption (EUROCRYPT 2023). For 128-bit security in concrete security, the first scheme can use the NIST-standardized EC P-256 and the second can use P-384. However, with these parameter choices, they do not improve the signature size and the communication complexity over the existing non-tight schemes. Therefore, there is no two-round scheme that (i) can use a standardized EC for 128-bit security and (ii) has high efficiency. In this paper, we construct a two-round multi-signature scheme achieving both of them from the DDH assumption. We prove that an EC with at least a 321-bit order is sufficient for our scheme to ensure 128-bit security. Thus, we can use the NIST-standardized EC P-384 for 128-bit security. Moreover, the signature size and the communication complexity per one signer of our proposed scheme under P-384 are 1152 bits and 1535 bits, respectively. These are most efficient among the existing two-round schemes without using the AGM including Pan-Wagner’s schemes and non-tight schemes which do not use the AGM. Our experiment on an ordinary machine shows that for signing and verification, each can be completed in about 65 ms under 100 signers. This shows that our scheme has sufficiently reasonable running time in practice.

GPS is an efficient identification (ID) scheme based on Schnorr ID scheme designed for applications where low cost devices with limited resources are used and a very-short authentication time is required. Let P and V be a prover and a verifier in GPS and < g > be a multiplicative group. P holds a secret key S∈[0,S) and publishes I=g-s. In each elementary round: (1) P sends to Vx=gr where r is chosen randomly from [0,A), (2) V sends to P a random C∈[0,B), and (3) P sends y=r+cs (no modulus computation). Since there is no modular reduction on y, a key issue is whether GPS leaks information about s. It has been proved that GPS is statistical zero-knowledge, if in asymptotic sense, BS/A is negligible, where is the number of elementary rounds in one complete identification trial. In this paper, first we will show the followings. (1) We can construct a concrete attack procedure which reveals one bit of secret key s from the specified value range of y unless BS/A is negligible. We reconfirm that we must set A extremely large compared to BS. (2) This drawback can be avoided by modifying GPS into a new scheme, GPS+, in which P does not send the value of y in the specified range where y reveals some information about s. GPS+ ensures perfect ZK only by requiring both A > BS and A being a multiple of the order of g, while it allows an honest P to be rejected with probability at most BS/(2A) in one elementary round. Under the standard recommended parameters for 80-bit security where =1, |S|=160, and |B|=35, |A|=275 is recommended for GPS in GPS' paper. On the other hand, GPS+ can guarantee 80-bit security and less than one false rejection on average in 100 identifications with only |A|=210 with the same parameters as above. In practice, this implies 275-210=65 bits (≈24%) reductions on storage requirement. We have confirmed that the reduce of A also reduces approximately 4% of running time for online response using a certain implementation technique for GPS+ by machine experiment.

The isomorphism of polynomials with two secret (IP2S) problem is one candidate of computational assumptions for post-quantum cryptography. The idea of identification scheme based on IP2S is firstly introduced in 1996 by Patarin. However, the scheme was not described concretely enough and no more details are provided on how to transcribe the idea into a real-world implementation. Moreover, the security of the scheme has not been formally proven and the originally proposed security parameters are no longer secure based on the most recent research. In this paper, we propose a concrete identification scheme based on IP2S with the idea of Patarin as the starting point. We provide formal security proof of the proposed scheme against impersonation under passive attack, sequential active attack, and concurrent active attack. We also propose techniques to reduce the implementation cost such that we are able to cut the storage cost and average communication cost to an extent that under parameters for the standard 80-bit security, the scheme is implementable even on the lightweight devices in the current market.

We present a new methodology for constructing an efficient identification scheme, and based on it, we propose a lightweight identification scheme whose computational and storage costs are sufficiently low even for cheap devices such as RFID tags. First, we point out that the efficiency of a scheme with statistical zero-knowledgeness can be significantly improved by enhancing its zero-knowledgeness to perfect zero-knowledge. Then, we apply this technique to the Girault-Poupard-Stern (GPS) scheme which has been standardized by ISO/IEC. The resulting scheme shows a perfect balance between communication cost, storage cost, and circuit size (computational cost), which are crucial factors for implementation on RFID tags. Compared to GPS, the communication and storage costs are reduced, while the computational cost is kept sufficiently low so that it is implementable on a circuit nearly as small as GPS. Under standard parameters, the prover's response is shortened 80 bits from 275 bits to 195 bits and in application using coupons, storage for one coupon is also reduced 80 bits, whereas the circuit size is estimated to be larger by only 335 gates. Hence, we believe that the new scheme is a perfect solution for fast authentication of RFID tags.

A sanitizable signature scheme is a signature scheme which, after the signer generates a valid signature of a message, allows a specific entity (sanitizer) to modify the message for hiding several parts. Existing sanitizable signature schemes require the message to be divided into pre-defined blocks before signing so that each block can be sanitized independently. However, there are cases where the parts of the message which are needed to be sanitized can not be determined in the time of signing. Thus, it is difficult to decide the partition of the blocks in such cases. Since the length of the signature is usually proportional to the number of blocks, signing every bit independently will make the signature too long. In this paper, we propose a solution by introducing a new concept called sequential bitwise sanitizable signature schemes, where any sequence of bits of the signed document can be made sanitizable without pre-defining them, and without increasing the length of signature. We also show that a one-way permutation suffices to get a secure construction, which is theoretically interesting in its own right, since all the other existing schemes are constructed using stronger assumptions.