**Are you an EPFL student looking for a semester project?**

Work with us on data science and visualisation projects, and deploy your project as an app on top of GraphSearch.

Person# Atefeh Mashatan

This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.

Related units

Loading

Courses taught by this person

Loading

Related research domains

Loading

Related publications

Loading

People doing similar research

Loading

Courses taught by this person

No results

Related research domains (3)

Ciphertext

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information becaus

Random oracle

In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repe

Vigenère cipher

The Vigenère cipher (viʒnɛːʁ) is a method of encrypting alphabetic text where each letter of the plaintext is encoded with a different Caesar cipher, whose increment is determined by the correspond

People doing similar research (6)

Related units (2)

Related publications (11)

Loading

Loading

Loading

Asli Bay, Atefeh Mashatan, Serge Vaudenay

Iterated attacks are comprised of iterating adversaries who can make d plaintext queries, in each iteration to compute a bit, and are trying to distinguish between a random cipher C and the perfect cipher C* based on all bits. Vaudenay showed that a 2d-decorrelated cipher resists to iterated attacks of order d. when iterations have almost no common queries. Then, he first asked what the necessary conditions are for a cipher to resist a non-adaptive iterated attack of order d. I.e., whether decorrelation of order 2d-1 could be sufficient. Secondly, he speculated that repeating a plaintext query in different iterations does not provide any advantage to a non-adaptive distinguisher. We close here these two long-standing open problems negatively. For those questions, we provide two counter-intuitive examples. We also deal with adaptive iterated adversaries who can make both plaintext and ciphertext queries in which the future queries are dependent on the past queries. We show that decorrelation of order 2d protects against these attacks of order d. We also study the generalization of these distinguishers for iterations making non-binary outcomes. Finally, we measure the resistance against two well-known statistical distinguishers, namely, differential-linear and boomerang distinguishers and show that 4-decorrelation degree protects against these attacks.

2014Atefeh Mashatan, Serge Vaudenay

A dynamic universal accumulator is an accumulator that allows one to efficiently compute both membership and nonmembership witnesses in a dynamic way. It was first defined and instantiated by Li et al., based on the Strong RSA problem, building on the dynamic accumulator of Camenisch and Lysyanskaya. We revisit their construction and show that it does not provide efficient witness computation in certain cases and, thus, is only achieving the status of a partially dynamic universal accumulator. In particular, their scheme is not equipped with an efficient mechanism to produce non-membership witnesses for a new element, whether a newly deleted element or an element which occurs for the first time. We construct the first fully dynamic universal accumulator based on the Strong RSA assumption, building upon the construction of Li et al., by providing a new proof structure for the non-membership witnesses. In a fully dynamic universal accumulator, we require that not only one can always create a membership witness without having to use the accumulated set for a newly added element, but also one can always create non-membership witnesses for a new element, whether a newly deleted element or an element which occurs for the first time, i.e., a newcomer who is not a member, without using the accumulated set.

2013,

We introduce the notion of forgery-resilience for digital signature schemes, a new paradigm for digital signature schemes exhibiting desirable legislative properties. It evolves around the idea that, for any message, there can only be a unique valid signature, and exponentially many acceptable signatures, all but one of them being spurious. This primitive enables a judge to verify whether an alleged forged signature is indeed a forgery. In particular, the scheme considers an adversary who has access to a signing oracle and an oracle that solves a “hard” problem, and who tries to produce a signature that appears to be acceptable from a verifier’s point of view. However, a judge can tell apart such a spurious signature from a signature that is produced by an honest signer. This property is referred to as validatibility. Moreover, the scheme provides undeniability against malicious signers who try to fabricate spurious signatures and deny them later by showing that they are not valid. Last but not least, trustability refers to the inability of a malicious judge trying to forge a valid signature. This notion for signature schemes improves upon the notion of fail-stop signatures in different ways. For example, it is possible to sign more than one messages with forgery-resilient signatures and once a forgery is found, the credibility of a previously signed signature is not under question. A concrete instance of a forgery-resilient signature scheme is constructed based on the hardness of extracting roots of higher residues, which we show to be equivalent to the factoring assumption. In particular, using collision-free accumulators, we present a tight reduction from malicious signers to adversaries against the factoring problem. Meanwhile, a secure pseudorandom function ensures that no polynomially-bounded cheating verifier, who can still solve hard problems, is able to forge valid signatures. Security against malicious judges is based on the RSA assumption.

2012