Policy-based Signature
|
|
- Kristina Booth
- 5 years ago
- Views:
Transcription
1 Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013
2 1 2 3
3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, [GS08] Jens Groth, Amit Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. 3. Abe M, Fuchsbauer G, Groth J, et al. Structure-preserving signatures and commitments to group elements[m]//advances in CryptologyCCRYPTO Springer Berlin Heidelberg, 2010: Groth J. Simulation-sound NIZK proofs for a practical language and constant size group signatures[m]//advances in CryptologyCASIACRYPT Springer Berlin Heidelberg, 2006:
4 s (PBS), where a signer s secret key sk p is associated to a policy p {0, 1} that allows the signer to produce a valid signature σ of a message m only if the message satisfies the policy, meaning (p, m) belongs to a policy language l {0, 1} {0, 1} associated to the scheme.
5 WHY PBS offers value along two fronts, practical and theoretical. On the practical side, the setup of PBS is natural in a corporate or other hierarchical environment. On the theoretical side, PBS decreases rather than increases complexity in the area because it serves as an umbrella notion that unies existing notions by capturing some as special cases and allows others to be derived in simple and natural ways.
6 Structure-preserving signature A signature scheme is structure-preserving if its verification keys, signatures, and messages are elements in a bilinear group, and the verification equation is a conjunction of pairing-product equations.
7 Simulatability Simulatability, that says that real signatures look like ones a simulator could generate without knowledge of the policy or any key derived from the policy. FE, impossibility results show that the strongest and most desirable simulation-based definitions are not achievable. PBS we will show that our simulatability notion is achievable in the standard model under standard assumptions.
8 Simulatability+extractability Simulatability implies indistinguishability, and simulatability+extractability implies unforgeability. Simulatability+extractability emerges as a powerful security notion that enables a wide range of applications.
9 WHAT PBS provide(1)? Consider the example of a company implementing a scheme where each employee gets a signing key and there is one public key which is used by outsiders to verify signatures in the name of the company. A group-signature scheme would allow every employee holding a key to sign on behalf of the company, but there is no ne-grained control over who is allowed to sign which documents.
10 WHAT PBS provide(2)? This can be achieved using attribute-based signatures, where each user is assigned attributes, and a message is signed with respect to a policy like (CEO or (board member and general manager)). However, it is questionable whether a verifier needs to know the company-internal policy used to sign a specific message, and there is no apparent reason he should know; all he needs to be assured of is that the message was signed by someone entitled to, but not who this person is, what she is entitled to sign, nor whether two messages were signed by the same person. This is what PBS provides.
11 Two generic constructions: The first uses ordinary signatures, IND-CPA encryption and standard non-interactive zero-knowledge (NIZK) proofs. Much simpler construction of PBS by relying on a more advanced cryptographic primitive: simulation-extractable (SE) NIZK proofs
12 Use of general NIZKs makes them inefficient Combine Groth-Sahai proofs [GS08] and structure-preserving signatures to design ecient PBS schemes for policy languages expressible via equations over a bilinear group.
13 Efficient Construction via Groth-Sahai Proofs Efficient construction of PBS will be defined over a bilinear group. This is a tuple (p, G, H, T, G, H), where G, H and T are groups of prime order p, generated by G and H, respectively, and e : G H T is a bilinear map such that e(g, H) generates T. We denote the group operation multiplicatively and let 1 G, 1 H and 1 T denote the neutral elements of G, H and T.
14 Pairing-product equation Groth-Sahai proofs [GS08] let us prove that there exists a set of elements (X, Y) = (X 1,, X n, Y 1,, Y l ) G n H l which satisfy equations E(X, Y) of the form k l n n l e(p i, Q i ) e(a j, Y j ) e(x i, B i ) e(x i, Y j ) γ i,j i=1 j=1 i=1 i=1 j=1 = 1 T (1) Such an equation E is called a pairing-product equation (PPE) and is uniquely defined by its constants P, Q, A, B Γ = {γ i,j } i=[n],j=[l].
15 Pairing-product equation In order to hide a policy, we need to swap the roles of constants and variables in an equation, as this will enable us to hide the policy defined by the constants. We first need to transform equations as in (1) into a set of equivalent equations without exponents. To do so, we introduce auxiliary variables Ŷ, add i j new equations and define the set E (no exp) as follows: k e(p i, Q i ) i=1 l e(a j, Y j ) j=1 n e(x i, B i ) i=1 n i=1 j=1 l e(x i, Ŷ i,j ) = 1 T e(g, Ŷ i,j ) = e(g γ i,j, Ŷ j ).(3) A witness (X, Y) satisfies E in (2) iff (X, Y, (Ŷ i,j = Y γ j ) i,j ) satisfies the set of equations E (no exp) in (3).
16 Pairing-product equation we can show that a (clear) message (M, N) satisfies a hidden policy defined by equation E, witnessed by elements (V, W), since we can express policies as sets of group elements.
17 Policy checkers for PPEs. e(mi, N j ) γ i,j e(m i, W j ) δ i,j e(v i, N j ) φ i,j e(v i, W j ) ψ i,j = 1 T Consider a policy p describing (for simplicity) a single equation defined by p = (P, Q, A, B, K, L, Γ = γ i,j, = δ i,j, Φ = φ i,j, Ψ = ψ i,j ) Let m = (M, N) G nm H lm be a message ω = (V, W) G nω H lω be a witness. Then the policy checker PC for our construction is defined as follows: PC((p, m), ω) e(pi, Q i ) e(a j, N j ) e(m i, B i ) e(k j, W j ) e(v i, L i )
18 Policy checkers for PPEs. which is the most general form of a PPE over variables M,N,V,W. Assume that all policies are of a fixed length, since we cannot hide the form of the set of equations they define.
19 Policy checkers for PPEs. We start with expressing a policy in terms of group elements only. Abusing notation slightly, we replace the matrices Γ = γ i,j, = δ i,j, Φ = φ i,j, Ψ = ψ i,j Z n l p in the policy description by matrices of G-elementsΓ = (Γ i,j := G γ i,j ), = ( i,j := G δ i,j ), Φ = (Φ i,j := G φ i,j ), Ψ = (Ψ i,j := G ψ i,j ). Applying the transformation E E (no exp) from Equation PC no exp ((p, m), ω) e(pi, Q i ) e(a j, N j ) e(m i, B i ) e(k j, W j ) e(v i, L i ) e(mi, ˆN (1) ) e(m i, Ŵ (1) ) δ i,j e(v i, ˆN (1) ) e(v i, Ŵ (1) ) = 1 T i,j e(g, ˆN (1) ) = e(g γ i,j, N ) i,j e(g, Ŵ (1) ) = e(g δ i,j, W )
20 Policy checkers for PPEs i,j e(g, ˆN (2) ) = e(g φ i,j, N ) i,j e(g, Ŵ (2) ) = e(g ψ i,j, W ) where we introduced new variables ˆN (1), ˆN (2), Ŵ (1), Ŵ (2) and corresponding equations. Note that these equations contain the elements from Γ,, Φ, Ψ as variables.
21 Policy checkers for PPEs PC no exp ((p, m), ω)(t ) e(pi, Q i ) e(a j, N j i) e(m i, B i ) e(k j, W j ) e(v i, L i ) e(mi, ˆN (1) ) e(m i, Ŵ (1) ) δ i,j e(v i, ˆN (1) ) e(v i, Ŵ (1) ) = 1 T i,j i,j e(t, ˆN (1) ) = e(γ i,j, N ) i,j e(t, ˆN (2) ) = e(φ i,j, N ) i,j e(t, Ŵ (1) ) = e( i,j, W ) e(t, Ŵ (2) ) = e(ψ i,j, W )
22 Policy checkers for PPEs E (disj) (mvk, p, S 1, S 2, ω, ovk, T 1, T 2 ) : e(t 1 T 2 G 1, H) = 1 V (Sim) (mvk, (G, P, Q, A, B, K, L, Γ,, Φ, Ψ,S 1 ))(T 1 ) = 1 PC (Sim) ((P, Q, A, B, K, L, Γ,, Φ, Ψ,), (M, N), (V, W))(T 1 ) = 1 V (sim) (mvk, (1, ovk), S 2 )(T 2 ) = 1
23 Thank you Rongxing s Homepage: PPT Ximeng s Homepage:
Policy-Based Signatures
Policy-Based Signatures Mihir Bellare Georg Fuchsbauer Abstract We introduce signatures where signers can only sign messages that conform to some policy, yet privacy of the policy is maintained. We provide
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationShort Structure-Preserving Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2016). Short Structure-Preserving Signatures Essam Ghadafi University
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationk-nearest Neighbor Classification over Semantically Secure Encry
k-nearest Neighbor Classification over Semantically Secure Encrypted Relational Data Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU May 9, 2014 1 2 3 4 5 Outline 1. Samanthula B K, Elmehdwi
More informationImproved Structure Preserving Signatures under Standard Bilinear Assumptions
Improved Structure Preserving Signatures under Standard Bilinear Assumptions Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center, Yorktown Heights, NY, USA csjutla@us.ibm.com 2 Fujitsu
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationMalleable Signatures: New Definitions and Delegatable Anonymous Credentials
Malleable Signatures: New Definitions and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Email: melissac@microsoft.com Markulf Kohlweiss Microsoft Research Email: markulf@microsoft.com
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationAutomorphic Signatures and Applications
École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationOn the Impossibility of Structure-Preserving Deterministic Primitives
On the Impossibility of Structure-Preserving Deterministic Primitives Masayuki Abe 1, Jan Camenisch 2, Rafael Dowsley 3, and Maria Dubovitskaya 2,4 1 NTT Corporation, Japan, abe.masayuki@lab.ntt.co.jp
More informationAttribute-Based Signatures for Unbounded Languages from Standard Assumptions
Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) GoichiroHanaoka
More informationMalleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials
Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Redmond melissac@microsoft.com Markulf Kohlweiss Microsoft Research Cambridge
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationConvertible Group Undeniable Signatures
Convertible Group Undeniable Signatures Yuh-Dauh Lyuu 1 and Ming-Luen Wu 2 1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan lyuu@csie.ntu.edu.tw
More informationEUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes
EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes Georg Fuchsbauer Christian Hanser 2 Daniel Slamanig 2 IST Austria georg.fuchsbauer@ist.ac.at 2 Institute for Applied Information Processing
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationEfficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications by Kristiyan Haralambiev A dissertation submitted in partial fulfillment of the requirements for the degree
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationLimitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman
More informationTowards a Unified Theory of Cryptographic Agents
Towards a Unified Theory of Cryptographic Agents Shashank Agrawal Shweta Agrawal Manoj Prabhakaran Abstract In recent years there has been a fantastic boom of increasingly sophisticated cryptographic objects
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationCompactly Hiding Linear Spans
Published in T. Iwata and J. H. Cheon, Eds., Advances in Cryptology ASIACYPT 2015, Part I, vol. 9452 of Lecture Notes in Computer Science, pp. 681-707, Springer, 2015. Compactly Hiding Linear Spans Tightly
More informationAttribute-Based Signatures
Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek Abstract We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained
More informationWe recommend you cite the published version. The publisher s URL is:
El Kaafarani, A., Ghadafi, E. and Khader, D. (2014) Decentralized traceable attribute-based signatures. Cryptographers Track at the RSA Conference, 8366. pp. 327-348. ISSN 0302-9743 Available from: http://eprints.uwe.ac.uk/31222
More informationA New Approach to Threshold Attribute Based Signatures
A New Approach to Threshold Attribute Based Signatures S Sharmila Deva Selvi, Subhashini Venugopalan, C. Pandu Rangan Theoretical Computer Science Laboratory Department of Computer Science and Engineering
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationAttribute-Based Signatures for Circuits from Bilinear Map
Attribute-Based Signatures for Circuits from Bilinear Map Yusuke Sakai, Nuttapong Attrapadung, and Goichiro Hanaoka AIST, Japan {yusuke.sakai,n.attrapadung,hanaoka-goichiro}@aist.go.jp Abstract. In attribute-based
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationGroth Sahai proofs revisited
Groth Sahai proofs revisited E. Ghadafi, N.P. Smart, and B. Warinschi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi,nigel,bogdan}@cs.bris.ac.uk
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationPolicy-based Signatures for Predicates
International Journal of Network Security, Vol.19, No.5, PP.811-822, Sept. 2017 (DOI: 10.6633/IJNS.201709.19(5).19) 811 Policy-based Signatures for Predicates Fei Tang, Yousheng Zhou (Corresponding authors:
More informationA Group Signature Scheme from Lattice Assumptions
A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationShort Randomizable Signatures
SESSION ID: CRYP-W02 Short Randomizable Signatures David Pointcheval Senior Researcher ENS/CNRS/INRIA Paris, France Joint work with Olivier Sanders S C I E N C E P A S S I O N
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More information(Convertible) Undeniable Signatures without Random Oracles
Convertible) Undeniable Signatures without Random Oracles Tsz Hon Yuen 1, Man Ho Au 1, Joseph K. Liu 2, and Willy Susilo 1 1 Centre for Computer and Information Security Research School of Computer Science
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationAttribute-Based Encryption Optimized for Cloud Computing
ttribute-based Encryption Optimized for Cloud Computing Máté Horváth 27 January 1 / 17 Roadmap 1 Encryption in the Cloud 2 User Revocation 3 Background 4 The Proposed Scheme 5 Conclusion 2 / 17 Traditional
More informationGeneric Conversions from CPA to CCA secure Functional Encryption
Generic Conversions from CPA to CCA secure Functional Encryption Mridul Nandi and Tapas Pandit Indian Statistical Institute, Kolkata mridul@isical.ac.in and tapasgmmath@gmail.com Abstract. In 2004, Canetti-Halevi-Katz
More informationMulti-key Hierarchical Identity-Based Signatures
Multi-key Hierarchical Identity-Based Signatures Hoon Wei Lim Nanyang Technological University 9 June 2010 Outline 1 Introduction 2 Preliminaries 3 Multi-key HIBS 4 Security Analysis 5 Discussion 6 Open
More informationGroth-Sahai Proofs Revisited Again: A Bug in Optimized Randomization
Groth-Sahai Proofs Revisited Again: A Bug in Optimized Randomization Keita Xagawa TT Secure Platform Laboratories xagawa.keita@lab.ntt.co.jp May 20, 2016 Abstract. The Groth-Sahai proof system (EUROCRYPT
More informationConcise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security
Concise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security Benoît Libert 1, Marc Joye 2, Moti Yung 3, and Thomas Peters 4 1 Ecole Normale Supérieure de Lyon, Laboratoire de
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationA New Constant-size Accountable Ring Signature Scheme Without Random Oracles
New Constant-size ccountable Ring Signature Scheme Without Random Oracles Sudhakar Kumawat 1 and Souradyuti Paul 2 1 Indian Institute of Technology Gandhinagar 2 Indian Institute of Technology Bhilai {sudhakar.bm07,souradyuti.paul}@gmail.com
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationThe Kernel Matrix Diffie-Hellman Assumption
The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationEfficient Fully-Leakage Resilient One-More Signature Schemes
Efficient Fully-Leakage Resilient One-More Signature Schemes Antonio Faonio IMDEA Software Institute, Madrid, Spain In a recent paper Faonio, Nielsen and Venturi (ICALP 2015) gave new constructions of
More informationRing Signatures without Random Oracles
Ring Signatures without Random Oracles Sherman S. M. Chow 1, Joseph K. Liu 2, Victor K. Wei 3 and Tsz Hon Yuen 3 1 Department of Computer Science Courant Institute of Mathematical Sciences New York University,
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationPractical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain
Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain Jan Camenisch IBM Research - Zurich jca@zurich.ibm.com Manu Drijvers IBM Research - Zurich & ETH Zurich mdr@zurich.ibm.com
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationPROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED
PROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED SANJIT CHATTERJEE AND M. PREM LAXMAN DAS Abstract. At Eurocrypt 12, Pandey and Rouselakis [PR12a] proposed the notion of property preserving symmetric
More informationConstant Size Ring Signature Without Random Oracle
Constant Size Ring Signature Without Random Oracle Priyanka Bose, Dipanjan Das, and C. Pandu Rangan Indian Institute of Technology, Madras {priyab,dipanjan,rangan}@cse.iitm.ac.in Abstract. Ring signature
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationFully Secure (Doubly-)Spatial Encryption under Simpler Assumptions
Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationOffline Witness Encryption
Offline Witness Encryption Hamza Abusalah, Georg Fuchsbauer, and Krzysztof Pietrzak IST Austria {habusalah, gfuchsbauer, pietrzak}@ist.ac.at Abstract. Witness encryption (WE) was introduced by Garg et
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationEfficient Two-Move Blind Signatures in the Common Reference String Model
Efficient Two-Move Blind Signatures in the Common Reference String Model E. Ghadafi and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8
More informationGroup Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model
Group Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model Benoît Libert 1 and Damien Vergnaud 2 1 Université Catholique de Louvain, Microelectronics Laboratory, Crypto
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationBlack-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way
Proceedings on Privacy Enhancing Technologies ; 2016 (3):62 82 Tibor Jager and Andy Rupp* Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way Abstract: We formalize and construct
More informationRing Signatures of Sub-linear Size without Random Oracles
Ring Signatures of Sub-linear Size without Random Oracles Nishanth Chandran, Jens Groth, and Amit Sahai UCLA Computer Science Department 4732 Boelter Hall, Los Angeles CA 90095, USA E-mail: {nishanth,jg,sahai}@cs.ucla.edu
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More information