Fully anonymous attribute tokens from lattices
|
|
- Annice Spencer
- 6 years ago
- Views:
Transcription
1 Fully anonymous attribute tokens from lattices Jan Camenisch (IBM Research Zurich) Gregory Neven (IBM Research Zurich) Markus Rückert
2 Elevator pitch Goal: Anonymous credentials from lattices Starting point: GKV group signatures [Gordon, Katz, Vaikuntanathan, Asiacrypt 2010] Our contributions: Anonymous attribute tokens (AAT) anonymous credentials light Scheme without opening (AAT O) Scheme with opening (AAT+O), full CCA anonymity Extension adding non-frameability Open problems: Constant token size, currently O(#users) Full-fledged anonymous credentials 2
3 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction sketch Our AAT+O scheme: construction idea Conclusion & open problems 3
4 Usage scenario Group Manager John Doe Name: John Doe City: Springfield SSN: User City: Springfield access 2012/09/05 Open Verifier 1 Name: John Doe SSN: I agree to ToS. Verifier 2 unlinkable 4
5 Anonymous attribute tokens without opening (AAT O) Group Manager MKeyGen(1 n,u) (mpk,msk) Issue(msk,u,a 1,,a l ) cred u mpk mpk User u cred u Verifier (a i ) i R,M,t GenToken(mpk,cred u,r,m) t where R [1,l] VToken(mpk,t,R,(a i ) i R,M) 0/1 cf. minimal disclosure tokens (U-Prove), anonymous credentials [Cha81], attribute-based signatures [MPR11] 5
6 Anonymous attribute tokens with opening (AAT+O) Group Manager MKeyGen(1 n,u) (mpk,msk) Issue(msk,u,a 1,,a l ) cred u Open(msk,t,R,(a i ) i R,M) u mpk mpk User u cred u (a i ) i R,M,t Verifier (a i ) i R,M,t GenToken(mpk,cred u,r,m) t where R [1,l] VToken(mpk,t,R,(a i ) i R,M) 0/1 cf. anonymous credentials [Cha81], attribute-based group signatures 6
7 Security of anonymous attribute tokens With opening (AAT+O) Full anonymity (CCA): Tokens are unlinkable, modulo revealed attributes Input mpk Oracles Init(u,a 1,,a l ), Issue(u) cred u, Open(t,R,(a i ) i R,M) u Output (u 0,u 1,R,M) where a 0,i = a 1,i for all i R Challenge t* GenToken(mpk,cred ub,r,m) Guess b Traceability: Can t create token with new attributes or opening to honest user Input mpk Oracles Init, Issue, Open, GenToken(u,R,M) t Output t*, R*, (a i *) i R*, M* such that t* opens to u* and u* was never queried to Issue, or u* was initialized with a i a i * Without opening (AAT O): anonymity & unforgeability 7
8 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction idea Our AAT+O scheme: construction idea Conclusion & open problems 8
9 Lattice preliminaries Trapdoor one-way function from short integer solution (SIS) [GPV08] A Z q n m with trapdoor T Z q m m y = Ax (mod q) for x short, Gaussian distribution invert using trapdoor T short preimage x Gaussian elimination long preimage x FDH-signature: Aσ = H(M) and σ short Verifiable encryption from learning with errors (LWE) [Reg09,GKV10] B Z q n m with trapdoor S Z q m m Enc B (σ) = т such that Aт = H(M) mod q decrypt using S 9
10 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction idea Our AAT+O scheme: construction idea Conclusion & open problems 10
11 GKV group signatures: construction idea Key generation For all users u = 1,,U generate (A u,t u ), (B u,s u ) mpk = (A u,b u ) u=1 U ; msk = (S u ) u=1 U ; sk u = T u Group signature by user u on message M Compute short σ u : A u σ u = H(M) using T u For v u compute long σ v : A v σ v = H(M) using Gaussian elimination For v = 1,,U encrypt т v = Enc Bv (σ v ) Non-interactive witness-indistinguishable proof (NIWIP) π OR NIWIP{т 1 encrypts short σ 1 т U encrypts short σ U} Return (т 1,,т U,π OR ) Verification For v = 1,,U check Aт v = H(M) Verify π OR Opening For v = 1,,U decrypt σ v = Dec Sv (т v ) until σ v short 11
12 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction idea Our AAT+O scheme: construction idea Conclusion & open problems 12
13 Our AAT O scheme: construction sketch Master key generation mpk = A ; msk = T ; common reference string B Issuance for attributes a 1,,a l For i = 1,,l compute short σ u,i : Aσ u,i = H(u,i,a i ) using T Return cred u = (a 1,,a l, σ u,1,,σ u,l ) Token generation by user u revealing attributes R [1,l], message M For i R use σ u,i from cred u For v u, i R compute σ v,i : Aσ v,i = H(v,i,a i ) using Gaussian elimination Same-signer aggregation If Aσ i = H(M i ) with short σ i Then Aα = A σ i = H(M i ) with somewhat short α 13
14 Our AAT O scheme: construction sketch Master key generation mpk = A ; msk = T ; common reference string B Issuance for attributes a 1,,a l For i = 1,,l compute short σ u,i : Aσ u,i = H(u,i,a i ) using T u Return cred u = (a 1,,a l, σ u,1,,σ u,l ) Token generation by user u revealing attributes R [1,l], message M Compute short α u i R σ u,i For v u, compute long α v : Aα v = i R H(v,i,a i ) using Gaussian elim. For v = 1,,U encrypt т v = Enc B (α v ) Not a real encryption linkable! т u = Enc B (α) = B T s + α Encrypt twice т u т u = B T (s s ) is lattice point 14
15 Our AAT O scheme: construction sketch Master key generation mpk = A ; msk = T ; common reference string B Issuance for attributes a 1,,a l For i = 1,,l compute short σ u,i : Aσ u,i = H(u,i,a i ) using T u Return cred u = (a 1,,a l, σ u,1,,σ u,l ) Token generation by user u revealing attributes R [1,l], message M Compute short α u i R σ u,i For v u, compute long α v : Aα v = i R H(v,i,a i ) using Gauss elimination Choose short random x, compute y = Ax For v = 1,,U encrypt т v = Enc B (α v +x) π OR NIWIP{т 1 encrypts short α 1 т U encrypts short α U} Compute signature of knowledge [Lyu08] Return t = (y,т 1,,т U,π OR,π y ) π y SoK{x : Ax = y}(m) 15
16 Our AAT O scheme: construction sketch Token generation by user u revealing attributes R [1,l], message M Compute short α u i R σ u,i For v u, compute long α v : Aα v = i R H(v,i,a i ) using Gauss elimination Choose short random x, compute y = Ax For v = 1,,U encrypt т v = Enc B (α v +x) π OR NIWIP{т 1 encrypts short α 1 т U encrypts short α U} Compute signature of knowledge [Lyu08] Return t = (y,т 1,,т U,π OR,π y ) π y SoK{x : Ax = y}(m) Token verification for revealed attributes (a i ) i R, message M For v = 1,,U check Aт v = i R H(v,i,a i ) + y Verify π OR and π y (M) 16
17 Our AAT O scheme: security Anonymity Learning with errors (LWE) hard in the random-oracle model Unforgeability Short integer solution (SIS) and learning with errors (LWE) hard in the random-oracle model 17
18 Our AAT+O scheme: construction idea Correlated trapdoor one-way function [RS09, Pei09] Enc B0 k (s,ρ 1,, ρ k ) = ( B it s + ρ i ) i=0 k CCA2 encryption: B i = B i,vki for one-time verification key vk AAT+O token generation: For v=1,,u let B vk [ B 0 B 1,vk1 B k,vkk ] ρ v [α v + x ρ v,1 ρ v, vk ] where ρ v,i short random т v B vkt s v + ρ v Then have that ρ u somewhat short, so π OR NIWIP{т 1 encrypts short ρ 1 т U encrypts short ρ U} proves correct correlation for free AAT+O opening: Decrypt т v using S 0 (trapdoor for B 0 ) until ρ v,0 short 18
19 Our AAT+O scheme: security Anonymity Learning with errors (LWE) hard and one-time signature scheme existentially unforgeable in the random-oracle model Traceability Short integer solution (SIS) and learning with errors (LWE) hard in the random-oracle model 19
20 Conclusion & open problems Contributions AAT schemes as anonymous credentials light without opening (AAT O): anonymity cannot be lifted with opening (AAT+O): full anonymity (CCA) first fully anonymous group signature scheme Schemes based on SIS and LWE in the random-oracle model Extension: non-frameability Open problems Full-fledged credential systems from lattices attribute predicates, pseudonyms, blind issuing, Token/signature size independent of total #users 20
21 Lattice preliminaries Trapdoor one-way function from short integer solution (SIS) [GPV08] A Z n m q with trapdoor T Z m m q such that AT 0(mod q) uniform short, Gaussian f A (x) = Ax (mod q), invert using Gaussian elimination long x trapdoor T short x short Encryption from learning with errors (LWE) [Reg09] B Z q n m with trapdoor S Z q m m such that AS 0(mod q) Enc(s) = B T s + e (mod q), decrypt using S short, Gaussian Related trapdoor sampling [GKV10] Given B, generate A with trapdoor T such that AB T 0 (mod q) 21
How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationRelaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs
Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs Cecilia Boschini, Jan Camenisch, and Gregory Neven IBM Research Zurich {bos, jca, nev}@zurich.ibm.com Abstract. Higher-level cryptographic
More informationA Group Signature Scheme from Lattice Assumptions
A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationAutomorphic Signatures and Applications
École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationGroup Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationEfficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption
Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public
More informationLattice-based Multi-signature with Linear Homomorphism
Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationBonsai Trees (or, Arboriculture in Lattice-Based Cryptography)
Bonsai Trees (or, Arboriculture in Lattice-Based Cryptography) Chris Peikert Georgia Institute of Technology July 20, 2009 Abstract We introduce bonsai trees, a lattice-based cryptographic primitive that
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationIdentity-Based Identification Schemes
Identity-Based Identification Schemes Guomin Yang Centre for Computer and Information Security Research School of Computing and Information Technology University of Wollongong G. Yang (CCISR, SCIT, UOW)
More informationConvertible Group Undeniable Signatures
Convertible Group Undeniable Signatures Yuh-Dauh Lyuu 1 and Ming-Luen Wu 2 1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan lyuu@csie.ntu.edu.tw
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationHow to Delegate a Lattice Basis
How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz July 24, 2009 Abstract We present a technique, which we call basis delegation, that allows one to use a short basis of a given lattice
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationLattice Signatures Without Trapdoors
Lattice Signatures Without Trapdoors Vadim Lyubashevsky INRIA / École Normale Supérieure Abstract. We provide an alternative method for constructing lattice-based digital signatures which does not use
More informationLattice-Based Group Signatures: Achieving Full Dynamicity with Ease
Lattice-Based Group Signatures: Achieving Full Dynamicity with Ease San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationFloppy-Sized Group Signatures from Lattices
Floppy-Sized Group Signatures from Lattices Cecilia Boschini 1,2( ), Jan Camenisch 1, and Gregory Neven 1 1 IBM Research, Zurich, Switzerland 2 Università della Svizzera Italiana, Lugano, Switzerland {bos,jca,nev}@zurich.ibm.com
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London j.groth@ucl.ac.uk March 25, 2013 Abstract We construct a new group signature scheme using bilinear groups. The
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London E-mail: j.groth@ucl.ac.uk September 7, 2007 Abstract We construct a new group signature scheme using bilinear
More informationRiding on Asymmetry: Efficient ABE for Branching Programs
Riding on Asymmetry: Efficient ABE for Branching Programs Sergey Gorbunov and Dhinakaran Vinayagamurthy Abstract. In an Attribute-Based Encryption ABE scheme the ciphertext encrypting a message µ, is associated
More informationBonsai Trees, or How to Delegate a Lattice Basis
Bonsai Trees, or How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz Chris Peikert March 19, 2010 Abstract We introduce a new lattice-based cryptographic structure called a bonsai tree,
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationAttribute-Based Signatures for Circuits from Bilinear Map
Attribute-Based Signatures for Circuits from Bilinear Map Yusuke Sakai, Nuttapong Attrapadung, and Goichiro Hanaoka AIST, Japan {yusuke.sakai,n.attrapadung,hanaoka-goichiro}@aist.go.jp Abstract. In attribute-based
More informationPractical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain
Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain Jan Camenisch IBM Research - Zurich jca@zurich.ibm.com Manu Drijvers IBM Research - Zurich & ETH Zurich mdr@zurich.ibm.com
More informationBonsai Trees, or How to Delegate a Lattice Basis
Bonsai Trees, or How to Delegate a Lattice Basis David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert Abstract. We introduce a new lattice-based cryptographic structure called a bonsai tree, and
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationEfficient Group Signatures without Trapdoors
Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationAn Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both
An Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both Rotem Tsabary January 24, 2018 Abstract In Attribute-Based Signatures (ABS; first defined by
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationA Fully-Functional group signature scheme over only known-order group
A Fully-Functional group signature scheme over only known-order group Atsuko Miyaji and Kozue Umeda 1-1, Asahidai, Tatsunokuchi, Nomi, Ishikawa, 923-1292, Japan {kozueu, miyaji}@jaist.ac.jp Abstract. The
More informationMalleable Signatures: New Definitions and Delegatable Anonymous Credentials
Malleable Signatures: New Definitions and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Email: melissac@microsoft.com Markulf Kohlweiss Microsoft Research Email: markulf@microsoft.com
More informationImproved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials
Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials Amira Barki, Solenn Brunet, Nicolas Desmoulins and Jacques Traoré August 11th, 2016 Selected Areas in Cryptography SAC 2016
More informationAnonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationImproved Zero-knowledge Proofs of Knowledge for the ISIS Problem, and Applications
Improved Zero-knowledge Proofs of Knowledge for the ISIS Problem, and Applications San Ling 1, Khoa Nguyen 1, Damien Stehlé 2, Huaxiong Wang 1 1 Division of Mathematical Sciences, School of Physical and
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationLattice Signatures Without Trapdoors
Lattice Signatures Without Trapdoors Vadim Lyubashevsky INRIA / École Normale Supérieure Abstract. We provide an alternative method for constructing lattice-based digital signatures which does not use
More informationBetter Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures
Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures Fabrice Benhamouda 1, Jan Camenisch 2, Stephan Krenn 2, Vadim Lyubashevsky 3,1, Gregory Neven 2 1 Département
More informationUniversal Designated Verifier Signature Proof (or How to Efficiently Prove Knowledge of a Signature)
Universal Designated Verifier Signature Proof (or How to Efficiently Prove Knowledge of a Signature) Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo Centre for Information Security, School of Information
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationRSA and Rabin Signatures Signcryption
T-79.5502 Advanced Course in Cryptology RSA and Rabin Signatures Signcryption Alessandro Tortelli 26-04-06 Overview Introduction Probabilistic Signature Scheme PSS PSS with message recovery Signcryption
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationPolicy-Based Signatures
Policy-Based Signatures Mihir Bellare Georg Fuchsbauer Abstract We introduce signatures where signers can only sign messages that conform to some policy, yet privacy of the policy is maintained. We provide
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationarxiv: v1 [cs.cr] 25 Jan 2018
Forward-Secure Group Signatures from Lattices San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu arxiv:1801.08323v1 [cs.cr] 25 Jan 2018 Division of Mathematical Sciences, School of Physical and Mathematical
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationRevocable Group Signature Schemes with Constant Costs for Signing and Verifying
Revocable Group Signature Schemes with Constant Costs for Signing and Verifying Toru Nakanishi, Hiroki Fujii, Yuta Hira, and Nobuo Funabiki Department of Communication Network Engineering, Okayama University,
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationWe recommend you cite the published version. The publisher s URL is:
El Kaafarani, A., Ghadafi, E. and Khader, D. (2014) Decentralized traceable attribute-based signatures. Cryptographers Track at the RSA Conference, 8366. pp. 327-348. ISSN 0302-9743 Available from: http://eprints.uwe.ac.uk/31222
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More information