Short Randomizable Signatures
Session ID: CRYP-W02. Short Randomizable Signatures. David Pointcheval, Senior Researcher, ENS/CNRS/INRIA, Paris, France. Joint work with Olivier Sanders.
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability
Olivier Blazy (1), David Derler (2), Daniel Slamanig (2), Raphael Spreitzer (2)
(1) Université de Limoges, XLim, France; (2) IAIK, Graz University of Technology, Austria
Group Signature Schemes [CvH91]
A group of signers, each signer i holding a secret x_i. The Group Manager (pk) is split into an Issuer (holding mik) and an Opener (holding mok). Signer i produces a group signature σ; the Verifier (pk) learns only that σ was signed by someone of the group.
Controllable Linkability [HLhC+11, SSU14]
Given two signed messages (σ1, M1) and (σ2, M2), the Verifier (pk) asks: were they produced by the same signer? A Linker holding mlk can answer this, without learning who signed them (only the Opener with mok can). But can the Verifier trust the Linker's answer?
Verifiable Controllable Linkability
The Linker has to prove its answer, and still nobody learns who signed the two messages.
Sign-Encrypt-Prove Paradigm
Basic building blocks: a digital signature scheme DS = (KG_s, Sign, Verify), a public-key encryption scheme AE = (KG_e, Enc, Dec), and a Signature of Knowledge (SoK).
Keys: gpk = (pk_e, pk_s), gmsk = sk_e, gmik = sk_s.
Join: the user's secret is x_i; the Issuer computes cert ← Sign(gmik, f(x_i)).
Sign: $T \leftarrow \mathrm{Enc}(pk_e, cert)$, $\pi \leftarrow \mathrm{SoK}\{(x_i, cert) : cert = \mathrm{Sign}(sk_s, f(x_i)) \wedge T = \mathrm{Enc}(pk_e, cert)\}(m)$, $\sigma \leftarrow (T, \pi)$.
Verify: verification of π.
Open: $cert \leftarrow \mathrm{Dec}(sk_e, T)$.
Contributions
1. Generic proof system for plaintext (in-)equality
2. Efficient instantiation of this proof system
3. Group signatures with verifiable controllable linkability
4. Extend GSs with verifiable controllable linkability (VCL)
Controllable Linkability
Public key encryption with equality tests (PKEQ) [Tan12, SSU14]: a conventional public-key encryption scheme plus a Com algorithm for equality tests using a trapdoor. Link: 1/0 ← Com(T, T', gmlk). Semantic security holds without the trapdoor; trapdoor holders only get one-way security.
Setting
Are the certificates cert_i and cert_j encrypted in two signatures equal? The Verifier (pk) sends the two signatures (π1, …), (π2, …) to the Linker (mlk) as a Link request; the Linker answers Yes/No together with a proof π. What is needed: non-interactive plaintext (in-)equality proofs.
Non-Interactive Plaintext (In-)Equality Proofs
Given any PKEQ and ciphertexts T and T' under pk, the proof system Π must
1. prove knowledge of the trapdoor tk,
2. prove Com = 1 (membership) or Com = 0 (non-membership),
3. without revealing the trapdoor tk.
(Non-)Membership Proofs
Com = 1 defines a language L for membership, witnessed by the trapdoor tk; standard techniques [GS08] apply.
Com = 0 defines a language L̸ for non-membership. Idea [BCV15]: Π_1 is a failing membership proof for L, and Π_2 is a proof that Π_1 has been computed honestly. Efficient instantiations via Groth-Sahai proofs and SPHFs. Technicality: in [BCV15] the message m and the randomness r must be known.
Smooth Projective Hash Functions (SPHFs)
Construction - Non-Membership Proof
Example of Efficient Instantiation: ElGamal with equality tests (as in [SSU14])
Keypair: $(sk, pk) = (x, g^x) \in \mathbb{Z}_p \times \mathbb{G}_1$. Trapdoor: $(\hat r, \hat r^x) \in \mathbb{G}_2 \times \mathbb{G}_2$. Encryption of m: $(g^r, m \cdot g^{xr}) \in \mathbb{G}_1 \times \mathbb{G}_1$.
Pairing-based equality test. For ciphertexts $(g^r, m\, g^{xr})$ and $(g^{r'}, m'\, g^{xr'})$:
$$m = m' \iff \frac{e(m\, g^{xr}, \hat r)}{e(g^r, \hat r^x)} = \frac{e(m'\, g^{xr'}, \hat r)}{e(g^{r'}, \hat r^x)}$$
(the left-hand side equals $e(m, \hat r)$ and the right-hand side $e(m', \hat r)$, so the randomness cancels and only the plaintexts are compared).
Instantiation of Π_∈ (Com = 1: plaintext equality proof)
$((g^r, m\, g^{xr}), (g^{r'}, m'\, g^{xr'}), g^x) \in L$ iff
$$\frac{e(m\, g^{xr}, \hat r)}{e(g^r, \hat r^x)} = \frac{e(m'\, g^{xr'}, \hat r)}{e(g^{r'}, \hat r^x)} \quad\text{and}\quad e(g, \hat r^x) = e(g^x, \hat r).$$
Written as a pairing-product equation in the witness $(\hat Y_1, \hat Y_2) = (\hat r, \hat r^x)$:
$$\prod_{i=1}^{2} e(a_i, \hat Y_i) = e\big(m\, g^{xr} (m'\, g^{xr'})^{-1}, \hat r\big) \cdot e\big(g^{r'} g^{-r}, \hat r^x\big) = 1_{\mathbb{G}_T}.$$
Instantiation of Π_∉ (Com = 0: plaintext inequality proof)
$((g^r, m\, g^{xr}), (g^{r'}, m'\, g^{xr'}), g^x) \in L̸$ iff
$$\frac{e(m\, g^{xr}, \hat r)}{e(g^r, \hat r^x)} \neq \frac{e(m'\, g^{xr'}, \hat r)}{e(g^{r'}, \hat r^x)} \quad\text{and}\quad e(g, \hat r^x) = e(g^x, \hat r).$$
Proven with our construction for non-membership proofs.
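The following is an added example, not code from the slides or from the authors. It models the ElGamal-with-equality-tests scheme above in an "exponent representation": every element of G1, G2 and GT is stored as its discrete logarithm modulo a constructed prime group order Q, so the pairing becomes e(g^a, ĝ^b) = e(g, ĝ)^{ab}, i.e. a*b mod Q. Discrete logs are therefore public and the model has no security at all; it only checks the algebra of Com(T, T', tk), the trapdoor side condition e(g, r̂^x) = e(g^x, r̂), and the pairing-product form of the equality statement. The Groth-Sahai proof of knowledge of the trapdoor is not implemented. All function names, the modulus Q and the sample plaintexts are assumptions of this example.

```python
# Added example: toy model of ElGamal with equality tests in the exponent
# representation. Elements of G1/G2/GT are their discrete logs mod Q, so the
# pairing is e(g^a, ĝ^b) -> a*b mod Q. Constructed, deliberately insecure model.
import secrets

Q = 2**127 - 1          # constructed: prime group order for the toy model
G1_GEN, G2_GEN = 1, 1   # exponents of the generators g and ĝ

def pairing(a, b_hat):
    """Bilinear map on exponent-represented elements: e(g^a, ĝ^b) = e(g, ĝ)^(a*b)."""
    return (a * b_hat) % Q

def keygen():
    """(sk, pk) = (x, g^x); trapdoor tk = (r̂, r̂^x) in G2 x G2, with r̂ = ĝ^rho."""
    x = secrets.randbelow(Q - 1) + 1
    rho = secrets.randbelow(Q - 1) + 1
    return x, (G1_GEN * x) % Q, ((G2_GEN * rho) % Q, (G2_GEN * rho * x) % Q)

def encrypt(pk, m):
    """ElGamal: (g^r, m * g^{x r}); m is a G1 element given by its exponent."""
    r = secrets.randbelow(Q - 1) + 1
    return ((G1_GEN * r) % Q, (m + pk * r) % Q)

def decrypt(x, ct):
    """Opener side: needs sk = x, which the Linker never holds."""
    c1, c2 = ct
    return (c2 - x * c1) % Q

def blind(ct, tk):
    """e(c2, r̂) / e(c1, r̂^x) = e(m, r̂): the randomness r cancels, m stays
    behind the pairing (only one-way security for the trapdoor holder)."""
    rho, rho_x = tk
    c1, c2 = ct
    return (pairing(c2, rho) - pairing(c1, rho_x)) % Q

def com(ct1, ct2, tk):
    """Com(T, T', tk): 1 iff both ciphertexts encrypt the same plaintext."""
    return 1 if blind(ct1, tk) == blind(ct2, tk) else 0

def trapdoor_consistent(pk, tk):
    """Side condition of the proof statement: e(g, r̂^x) == e(g^x, r̂)."""
    rho, rho_x = tk
    return pairing(G1_GEN, rho_x) == pairing(pk, rho)

def equality_ppe(ct1, ct2, tk):
    """Same statement as a pairing-product equation over the witness (r̂, r̂^x):
    e(c2 * c2'^-1, r̂) * e(c1' * c1^-1, r̂^x) == 1_GT (exponent 0 in the model)."""
    rho, rho_x = tk
    (c1, c2), (d1, d2) = ct1, ct2
    a1, a2 = (c2 - d2) % Q, (d1 - c1) % Q
    return (pairing(a1, rho) + pairing(a2, rho_x)) % Q == 0

def guess_plaintext(ct, tk, candidates):
    """Practitioner caveat: the trapdoor holder can test guesses offline against
    e(m, r̂), so a small message space gives no confidentiality against the
    Linker. Returns the matching candidate or None."""
    rho, _ = tk
    target = blind(ct, tk)
    for m in candidates:
        if pairing(m, rho) == target:
            return m
    return None

if __name__ == "__main__":
    x, pk, tk = keygen()
    t1, t2, t3 = encrypt(pk, 4242), encrypt(pk, 4242), encrypt(pk, 999)
    print("trapdoor consistent:", trapdoor_consistent(pk, tk))
    print("Com(T1,T2) =", com(t1, t2, tk), " Com(T1,T3) =", com(t1, t3, tk))
    print("offline guess of T1:", guess_plaintext(t1, tk, [1, 999, 4242]))
```

The `blind` function is the whole content of Com: it divides out the ElGamal randomness using only (r̂, r̂^x), never x, which is why a Linker can compare ciphertexts but not open them. `guess_plaintext` shows the flip side of "one-way security for trapdoor holders": certificates encrypted under a PKEQ must come from a large, unpredictable space, or the Linker learns them by enumeration.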
NIPEI Proof System
Proof system Π = (Π_∈, Π_∉). In the setting above, the Verifier (pk) asks the Linker (mlk) to Link the two signatures (π1, …), (π2, …); the Linker answers Yes/No with a proof π produced by Π.
GSSs with Verifiable Controllable Linkability
Extended security model for VCL-GS. Algorithms: Link and LinkJudge. Property: linking soundness.
Instantiation based on NIPEI: Link runs Π.Proof, LinkJudge runs Π.Verify.
Take-Home Message
Proposed a generic approach for (in-)equality proofs, with an efficient instantiation in the pairing setting. The approach is rather independent of the encryption scheme: various DDH/DLIN ElGamal variants, and CCA2 schemes (Naor-Yung and Cramer-Shoup) for free. Novel application: GSSs with verifiable controllable linkability.
Bibliography
[BCV15] Olivier Blazy, Céline Chevalier, and Damien Vergnaud. Non-Interactive Zero-Knowledge Proofs of Non-Membership. In CT-RSA, 2015.
[CvH91] David Chaum and Eugène van Heyst. Group Signatures. In EUROCRYPT, 1991.
[GS08] Jens Groth and Amit Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. In EUROCRYPT, 2008.
[HLhC+11] Jung Yeon Hwang, Sokjoon Lee, Byung-ho Chung, Hyun Sook Cho, and DaeHun Nyang. Short Group Signatures with Controllable Linkability. In LightSec, IEEE, 2011.
[SSU14] Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer. Adding Controllable Linkability to Pairing-Based Group Signatures for Free. In ISC, 2014.
[Tan12] Qiang Tang. Public Key Encryption Supporting Plaintext Equality Test and User-Specified Authorization. Security and Communication Networks, 5(12), 2012.
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1, David Derler 2,, Daniel Slamanig 2,, and Raphael Spreitzer 2, 1 Université
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz 1 and Vinod Vaikuntanathan 2 1 University of Maryland, USA jkatz@cs.umd.edu 2 Microsoft Research vinodv@alum.mit.edu Abstract. We show
More informationDivisible E-cash Made Practical
Divisible E-cash Made Practical Sébastien Canard (1), David Pointcheval (2), Olivier Sanders (1,2) and Jacques Traoré (1) (1) Orange Labs, Caen, France (2) École Normale Supérieure, CNRS & INRIA, Paris,
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationShort Structure-Preserving Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2016). Short Structure-Preserving Signatures Essam Ghadafi University
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationProtean Signature Schemes
Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1 Digital Signatures 2 Digital Signatures
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings 1 Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationInteractive and Non-Interactive Proofs of Knowledge
Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept 2012 1 / 63 1 General Remarks 2 Building blocks 3 Non-Interactive
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationHow not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios
How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios David Bernhard 1, Olivier Pereira 2, and Bogdan Warinschi 1 1 University of Bristol, {csxdb,csxbw}@bristol.ac.uk
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationDistributed Smooth Projective Hashing and its Application to Two-Server PAKE
Distributed Smooth Projective Hashing and its Application to Two-Server PAKE Franziskus Kiefer and Mark Manulis Department of Computing, University of Surrey, UK mail@franziskuskiefer.de, mark@manulis.eu
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationEfficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications by Kristiyan Haralambiev A dissertation submitted in partial fulfillment of the requirements for the degree
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationNew Constructions of Convertible Undeniable Signature Schemes without Random Oracles
New Constructions of Convertible Undeniable Signature Schemes without Random Oracles Qiong Huang Duncan S. Wong Abstract In Undeniable Signature, a signature s validity can only be confirmed or disavowed
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationAutomorphic Signatures and Applications
École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design
More informationA New Randomness Extraction Paradigm for Hybrid Encryption
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 09, Lecture Notes in Computer Science Vol.????, A. Joux ed., Springer-Verlag, 2009. This is the full version. A New Randomness
More informationPassword-Authenticated Key Exchange David Pointcheval
Password-Authenticated Key Exchange Privacy and Contactless Services May 27th, 2015 AKE AKE: Authenticated Key Exchange allows two players to agree on a common key authentication of partners 2 Diffie-Hellman
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London E-mail: j.groth@ucl.ac.uk September 7, 2007 Abstract We construct a new group signature scheme using bilinear
More informationTraceability, Linkability and Policy Hiding in Attribute-Based Signature Schemes. Ali El Kaafarani. University of Bath
Traceability, Linkability and Policy Hiding in Attribute-Based Signature Schemes submitted by Ali El Kaafarani for the degree of Doctor of Philosophy of the University of Bath Department of Computer Science
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London j.groth@ucl.ac.uk March 25, 2013 Abstract We construct a new group signature scheme using bilinear groups. The
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More informationEnhanced Chosen-Ciphertext Security and Applications
Enhanced Chosen-Ciphertext Security and Applications Dana Dachman-Soled 1 Georg Fuchsbauer 2 Payman Mohassel 3 Adam O Neill 4 Abstract We introduce and study a new notion of enhanced chosen-ciphertext
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationPolicy-Based Signatures
Policy-Based Signatures Mihir Bellare Georg Fuchsbauer Abstract We introduce signatures where signers can only sign messages that conform to some policy, yet privacy of the policy is maintained. We provide
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
On The Security of The ElGamal Encryption Scheme and Damgård's Variant
On The Security of The ElGamal Encryption Scheme and Damgård's Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
Offline Witness Encryption
Offline Witness Encryption Hamza Abusalah, Georg Fuchsbauer, and Krzysztof Pietrzak IST Austria {habusalah, gfuchsbauer, pietrzak}@ist.ac.at Abstract. Witness encryption (WE) was introduced by Garg et
Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems
Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim 1 School of Information Science and Technology,
Universally Composable Two-Server PAKE
Universally Composable Two-Server PAKE Franziskus Kiefer 1 and Mark Manulis 2 1 Mozilla Berlin, Germany mail@franziskuskiefer.de 2 Surrey Center for Cyber Security Department of Computer Science, University
CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn CT-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting
Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting Fabrice Benhamouda, Geoffroy Couteau, David Pointcheval, and Hoeteck Wee ENS, CNRS, INRIA, and PSL, Paris, France firstname.lastname@ens.fr
Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
A Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
Chapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie-Hellman Key Exchange Scheme 3. RSA Encryption and Digital
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
Concise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security
Concise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security Benoît Libert 1, Marc Joye 2, Moti Yung 3, and Thomas Peters 4 1 Ecole Normale Supérieure de Lyon, Laboratoire de
Chosen-Ciphertext Secure RSA-type Cryptosystems
Published in J. Pieprzyk and F. Zhang, Eds, Provable Security (ProvSec 2009), vol 5848 of Lecture Notes in Computer Science, pp. 32-46, Springer, 2009. Chosen-Ciphertext Secure RSA-type Cryptosystems Benoît
Public-Key Cryptosystems Resilient to Key Leakage
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Abstract Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture
Removing Erasures with Explainable Hash Proof Systems
Removing Erasures with Explainable Hash Proof Systems Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France firstname.lastname@ens.fr www.di.ens.fr/~{abdalla,fbenhamo,pointche} October
Introduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler 1, Sebastian Ramacher 1, and Daniel Slamanig 2 1 IAIK, Graz University
5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
Secure Blind Decryption
Secure Blind Decryption Matthew Green Johns Hopkins University 3400 N. Charles St. Baltimore, MD 21218 mgreen@cs.jhu.edu Abstract In this work we construct public key encryption schemes that admit a protocol
The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
Highly-Efficient Universally-Composable Commitments based on the DDH Assumption
Highly-Efficient Universally-Composable Commitments based on the DDH Assumption Yehuda Lindell March 6, 2013 Abstract Universal composability (or UC security) provides very strong security guarantees for
A Group Signature Scheme from Lattice Assumptions
A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational
Chosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks
Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks Dingding Jia 1,2, Xianhui Lu 1,2, and Bao Li 1,2 1 State Key Laboratory of Information Security, Institute of Information
Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
Two-Round PAKE from Approximate SPH and Instantiations from Lattices
Two-Round PAKE from Approximate SPH and Instantiations from Lattices Jiang Zhang 1 and Yu Yu 2,1,3 1 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 2 Department of Computer Science
Non-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, two-round witness-indistinguishable
Dual-System Simulation-Soundness with Applications to UC-PAKE and More
Dual-System Simulation-Soundness with Applications to UC-PAKE and More Charanjit S. Jutla IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com Arnab Roy Fujitsu Laboratories
We recommend you cite the published version. The publisher's URL is:
El Kaafarani, A., Ghadafi, E. and Khader, D. (2014) Decentralized traceable attribute-based signatures. Cryptographers' Track at the RSA Conference, 8366. pp. 327-348. ISSN 0302-9743 Available from: http://eprints.uwe.ac.uk/31222
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based
Non-malleable encryption with proofs of plaintext knowledge and applications to voting
Non-malleable encryption with proofs of plaintext knowledge and applications to voting Ben Smyth 1 and Yoshikazu Hanatani 2 1 Interdisciplinary Centre for Security, Reliability and Trust, University of
CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
Shortening the Libert-Peters-Yung Revocable Group Signature Scheme by Using the Random Oracle Methodology
Shortening the Libert-Peters-Yung Revocable Group Signature Scheme by Using the Random Oracle Methodology Kazuma Ohara, Keita Emura, Goichiro Hanaoka, Ai Ishida, Kazuo Ohta, and Yusuke Sakai The University
Zero-Knowledge Proofs with Witness Elimination
Zero-Knowledge Proofs with Witness Elimination Aggelos Kiayias and Hong-Sheng Zhou Computer Science and Engineering University of Connecticut Storrs, CT, USA {aggelos,hszhou}@cse.uconn.edu Abstract. Zero-knowledge
A General Construction of IND-CCA2 Secure Public Key Encryption
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultät für Mathematik, Ruhr-Universität Bochum, Germany. URL:
A Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,