On the Impossibility of Batch Update for Cryptographic Accumulators
1 Philippe Camacho and Alejandro Hevia. FMCrypto Workshop: Formal Methods in Cryptography, University of Chile, March 24, 2010.
2 Introduction
This work is about an impossibility result.
[FN02] Open problem: can we build accumulators with batch update?
[WWP07, WWP08] A construction of accumulators with batch update. Problem: the construction is not secure. 8 papers (without ours) cite [WWP07], and two of them build upon [WWP07].
[CH09] (our work): batch update is impossible!
3 Notion of Cryptographic Accumulator
Problem: a set $X$. Given an element $x$: prove/verify that $x \in X$.
Let $X = \{x_1, \ldots, x_n\}$. $X$ will be represented by a short value $Acc_X$.
$\mathrm{Verify}(x, w, Acc_X)$ returns Yes if and only if $x \in X$.
Vocabulary: $Acc_X$ is called the accumulated value for $X$; $w$ is called a witness.
4 Participants
Manager: computes the setup values; computes the accumulated value $Acc$; computes the witness $w_x$ for a given $x$.
User: asks the Manager for element insertion or deletion; asks the Manager for witness computation; checks whether $x \in X$ using $Acc$, $w_x$ and $x$.
5 Applications
Time-stamping [BdM94]; Anonymous Credentials [CL02]; Broadcast Encryption [GR04]; Certificate Revocation List [LLX07]; ...
6 Some properties
Dynamic / Static; Weak / Strong; Universal (non-membership proofs).
In our case we study accumulators that are dynamic, not strong and not universal.
7 Operations (1/2)
Algorithm | Returns | Run by
$\mathrm{KeyGen}(1^k)$ | $(PK, SK)$, $Acc$ | Manager
$\mathrm{AddEle}(x, Acc_X, SK)$ | $Acc_{X \cup \{x\}}$ | Manager
$\mathrm{DelEle}(x, Acc_X, SK)$ | $Acc_{X \setminus \{x\}}$ | Manager
$\mathrm{WitGen}(x, Acc_X, SK)$ | witness $w$ for $x$ relative to $Acc_X$ | Manager
$\mathrm{Verify}(x, w, Acc_X, PK)$ | returns Yes if and only if $x \in X$ | User
8 Operations (2/2)
Algorithm | Returns | Run by
$\mathrm{UpdWitGen}(X, X', SK)$ | $Upd_{X,X'}$ for the elements $x \in X \cap X'$ | Manager
$\mathrm{UpdWit}(w, Upd_{X,X'}, PK)$ | new witness $w'$ for $x \in X'$ | User
9 Security Model ([CL02])
$\Pr\left[\mathrm{Verify}(x, w, Acc_X, PK) = \mathrm{Yes} \wedge x \notin X\right] = \mathrm{neg}(k)$
10 The Batch Update Property ([FN02])
Definition (batch update for accumulator schemes). Let $Acc$ be an accumulator scheme. $Acc$ has the batch update property if for every pair $(X, X')$ we have $|Upd_{X,X'}| = O(k)$, where $k$ is the security parameter.
In other words, the information needed to update all the users' witnesses should have size independent of the cardinality of the sets $X$, $X'$.
11 Problem with the construction of [WWP07]
Description of the attack:
$X_0 = \emptyset$. Insert $x_1$: $X_1 = \{x_1\}$. Delete $x_1$: $X_2 = \emptyset$.
Ask for the update information $Upd_{X_1,X_2}$. With $Upd_{X_1,X_2}$ I can update my witness $w_{x_1}$. But $x_1 \notin X_2$!
12 Our result
Theorem. For an update involving $m$ delete operations in a set of $N$ elements, the size of the information $Upd_{X,X'}$ required by the algorithm $\mathrm{UpdWit}$ while keeping the dynamic accumulator secure is $\Omega\left(m \log \frac{N}{m}\right)$. In particular, if $m = \frac{N}{2}$ with $N$ even, we have $|Upd_{X,X'}| = \Omega(m)$.
Corollary. Cryptographic accumulators with batch update do not exist.
Proof of Corollary. $|X| = p(k)$ where $p$ is a polynomial. Then $|Upd_{X,X'}| = \Omega(|X|) = \Omega(p(k)) = \omega(k)$.
13 Proof of the Theorem
Proof. $X = \{x_1, \ldots, x_N\}$. The Manager deletes $m$ elements from $X$. New set $X' = X \setminus X_d$ where $X_d = \{x_{i_1}, x_{i_2}, \ldots, x_{i_m}\}$.
The Manager sends $Upd_{X,X'}$ to the User. The User runs $\mathrm{UpdWit}$ on every witness $w_x$ for $x \in X$: if $w'_x = \mathrm{UpdWit}(w_x, Upd_{X,X'}, PK)$ is valid then $x \in X'$, else $x \notin X'$.
So, using only the information contained in $Upd_{X,X'}$, the User can rebuild $X_d$. How much information is needed to encode $X_d$? At least $\log \binom{N}{m}$ bits, and since $\binom{N}{m} \ge \left(\frac{N}{m}\right)^m$ (each factor $\frac{N-i}{m-i}$ for $0 \le i < m$ is at least $\frac{N}{m}$), we get
$$|Upd_{X,X'}| \ \ge\ \log \binom{N}{m} \ \ge\ m \log \frac{N}{m}.$$
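To see the counting argument of slides 12 and 13 in running code, here is an added Python example; it is not from the slides or from the Camacho-Hevia paper. It uses a constructed toy "explicit" accumulator (hash of the sorted set, witness = the set, update information = the deleted elements), plays the User of slide 13 who rebuilds $X_d$ from $Upd_{X,X'}$ alone, and compares $|Upd_{X,X'}|$ with $\log_2 \binom{N}{m}$ and $m \log_2 \frac{N}{m}$; all function names and parameters are assumptions made for the illustration.

```python
"""Added example, not from the Camacho-Hevia slides or paper: the decoding
argument of slide 13 made concrete.  Everything here is a constructed toy:
- an "explicit" accumulator: Acc_X = SHA-256 over the sorted set, the witness
  for x is the set itself, and Upd_{X,X'} is the list of deleted elements;
- decode_deleted() is the User of slide 13, who rebuilds X_d by running UpdWit
  on every old witness and keeping those that stop verifying against Acc_{X'};
- the size of Upd is then compared with log2 C(N, m) and with m log2(N/m).
"""
import hashlib
import math
from typing import Dict, FrozenSet, Iterable, List, Tuple

Element = int
Witness = FrozenSet[Element]
UpdInfo = Tuple[Element, ...]


def acc_value(x_set: Iterable[Element]) -> str:
    """Acc_X: a short value representing X (hash of the sorted elements)."""
    data = ",".join(str(e) for e in sorted(x_set)).encode()
    return hashlib.sha256(data).hexdigest()


def wit_gen(x: Element, x_set: FrozenSet[Element]) -> Witness:
    """WitGen(x, Acc_X, SK): in this toy scheme the witness is the whole set X."""
    if x not in x_set:
        raise ValueError("no witness for an element outside X")
    return x_set


def verify(x: Element, w: Witness, acc: str) -> bool:
    """Verify(x, w, Acc_X, PK): Yes iff x lies in a set w that hashes to Acc_X.
    A valid witness for x not in X would require a SHA-256 collision (slide 9)."""
    return x in w and acc_value(w) == acc


def upd_wit_gen(x_set: FrozenSet[Element], x_new: FrozenSet[Element]) -> UpdInfo:
    """UpdWitGen(X, X', SK): here Upd_{X,X'} is the sorted list of deleted elements."""
    return tuple(sorted(x_set - x_new))


def upd_wit(w: Witness, upd: UpdInfo) -> Witness:
    """UpdWit(w, Upd_{X,X'}, PK): remove the deleted elements from the witness."""
    return w - frozenset(upd)


def decode_deleted(x_set: FrozenSet[Element], witnesses: Dict[Element, Witness],
                   upd: UpdInfo, acc_new: str) -> FrozenSet[Element]:
    """The User of slide 13: update every old witness and keep the x whose new
    witness no longer verifies against Acc_{X'}.  Only Upd and public data are used."""
    return frozenset(x for x in x_set
                     if not verify(x, upd_wit(witnesses[x], upd), acc_new))


def upd_size_bits(upd: UpdInfo, n: int) -> int:
    """|Upd_{X,X'}| in bits when each element of {0..N-1} takes ceil(log2 N) bits."""
    return len(upd) * max(1, math.ceil(math.log2(n)))


def encoding_bound_bits(n: int, m: int) -> float:
    """log2 C(N, m): any encoding that singles out X_d among the m-subsets needs this."""
    return math.log2(math.comb(n, m))


def slide_bound_bits(n: int, m: int) -> float:
    """m log2(N/m), the weaker form used on the slide (C(N,m) >= (N/m)^m)."""
    return m * math.log2(n / m)


def run_experiment(n: int, deleted: List[Element]) -> Tuple[FrozenSet[Element], int, float]:
    """Delete `deleted` from X = {0..N-1}; return (recovered X_d, |Upd| bits, log2 C(N,m))."""
    x_set = frozenset(range(n))
    x_new = x_set - frozenset(deleted)
    witnesses = {x: wit_gen(x, x_set) for x in x_set}  # every User holds an old witness
    upd = upd_wit_gen(x_set, x_new)                    # what the Manager broadcasts
    recovered = decode_deleted(x_set, witnesses, upd, acc_value(x_new))
    return recovered, upd_size_bits(upd, n), encoding_bound_bits(n, len(deleted))


if __name__ == "__main__":
    x_d, bits, bound = run_experiment(16, [3, 5, 11])
    print(f"recovered X_d = {sorted(x_d)}, |Upd| = {bits} bits, log2 C(16,3) = {bound:.2f}")
    # m = N/2: the bound is already linear in m, which is what rules out batch update
    n = 1000
    print(f"N={n}, m={n // 2}: log2 C(N,m) = {encoding_bound_bits(n, n // 2):.1f}, "
          f"m log2(N/m) = {slide_bound_bits(n, n // 2):.1f}")
```

The toy scheme is the obvious "send the deleted set" update; the point of the run is that no update information shorter than $\log_2 \binom{N}{m}$ bits could let the decoder succeed for every choice of $X_d$.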
14 Thank you!
15 References
[BdM94] Josh C. Benaloh and Michael de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. Lecture Notes in Computer Science, 765:274-??.
[CH09] Philippe Camacho and Alejandro Hevia. On the impossibility of batch update for cryptographic accumulators. Technical report.
[CL02] Jan Camenisch and Anna Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. Lecture Notes in Computer Science, vol. 2442.
[FN02] Nelly Fazio and Antonio Nicolosi. Cryptographic Accumulators: Definitions, Constructions and Applications. Technical report.
[GR04] Craig Gentry and Zulfikar Ramzan. RSA Accumulator Based Broadcast Encryption. In Information Security.
[LLX07] Jiangtao Li, Ninghui Li, and Rui Xue. Universal Accumulators with Efficient Nonmembership Proofs. In Applied Cryptography and Network Security.
[WWP07] Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. A New Dynamic Accumulator for Batch Updates. In Information and Communications Security.
[WWP08] Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. Improvement of a Dynamic Accumulator at ICICS 07 and Its Application in Multi-user Keyword-Based Retrieval on Encrypted Data. In Asia-Pacific Conference on Services Computing, IEEE Computer Society, Washington, DC, USA.