Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
|
|
- Randall Webb
- 5 years ago
- Views:
Transcription
1 Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
2 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
3 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
4 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
5 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
6 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
7 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous After verifying a proxy signature one knows that someone entitled signed but nothing more. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
8 Application: GRID computing User authenticates herself and starts process which needs to authenticate to resources / start subprocesses Delegation and re-delegation of signing rights No need to know that it was not the user herself to be authenticated Relation to Other Primitives Anonymous proxy signatures are a generalization of Proxy signatures (consecutive delegation) formalized by [BPW03] (Dynamic) Group signatures (anonymity) formalized by [BSZ05] and satisfy the respective security notions. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
9 Application: GRID computing User authenticates herself and starts process which needs to authenticate to resources / start subprocesses Delegation and re-delegation of signing rights No need to know that it was not the user herself to be authenticated Relation to Other Primitives Anonymous proxy signatures are a generalization of Proxy signatures (consecutive delegation) formalized by [BPW03] (Dynamic) Group signatures (anonymity) formalized by [BSZ05] and satisfy the respective security notions. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
10 Application: GRID computing User authenticates herself and starts process which needs to authenticate to resources / start subprocesses Delegation and re-delegation of signing rights No need to know that it was not the user herself to be authenticated Relation to Other Primitives Anonymous proxy signatures are a generalization of Proxy signatures (consecutive delegation) formalized by [BPW03] (Dynamic) Group signatures (anonymity) formalized by [BSZ05] and satisfy the respective security notions. recently: Delegatable Anonymous Credentials [BCCKLS09] Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
11 (Dynamic) Group Signatures Group public key: pk Issuer (ik) Opener (ok) Reg Group members (sk i ) open Verication: Verify(pk, msg, σ) = 1 sign msg σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
12 Proxy Signatures Delegator (pk D ) delegate Verify(pk D, msg, σ) Delegatee/Signer msg sign σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
13 Proxy Signatures, Consecutive Delegations Delegator (pk D ) 3 Delegator 2 3 Delegator 3 3 Proxy Signer σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
14 Proxy Signatures, Consecutive Delegations Delegator (pk D ) 3 Delegator 2 3 Delegator 3 3 ANONYMOUS Proxy Signer σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
15 Proxy Signatures, Consecutive Delegations Delegator (pk D ) 3 Delegator 2 3 Delegator 3 ANONYMOUS 3 Proxy Signer Opener (ok) open σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
16 Algorithms of Anonymous Proxy Signature Scheme 1 λ Setup pp, ik, ok Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
17 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
18 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
19 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y sk y, warr x... y, M PSig σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
20 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y sk y, warr x... y, M PSig σ pk x, M, σ PVer b {0, 1} Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
21 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y sk y, warr x... y, M PSig σ pk x, M, σ PVer b {0, 1} ok, M, σ Open a list of users or (failure) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
22 Security for Anonymous Proxy Signatures Anonymity Traceability Non-Frameability intermediate delegators and proxy signer remain anonymous every valid signature can be traced to its intermediate delegators and proxy signer no one can produce a signature that, when opened, wrongfully reveals a delegator or signer Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
23 Security for Anonymous Proxy Signatures Anonymity Traceability Non-Frameability intermediate delegators and proxy signer remain anonymous every valid signature can be traced to its intermediate delegators and proxy signer no one can produce a signature that, when opened, wrongfully reveals a delegator or signer Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
24 Security for Anonymous Proxy Signatures Anonymity Traceability Non-Frameability intermediate delegators and proxy signer remain anonymous every valid signature can be traced to its intermediate delegators and proxy signer no one can produce a signature that, when opened, wrongfully reveals a delegator or signer Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
25 Generic Construction, Ingredients Generic Construction using Digital signatures (EUF-CMA) Public-key encryption (IND-CPA) Non-interactive zero-knowledge proofs Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
26 Generic Construction, Ingredients Generic Construction using Digital signatures (EUF-CMA) Public-key encryption (IND-CPA) Non-interactive zero-knowledge proofs (existence follows from trapdoor permutations) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
27 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
28 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
29 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
30 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
31 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
32 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
33 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
34 The Subgroup Decision Assumption and BGN Encryption Let G = (n, G, G T, e, g) be a bilinear group of order G = n = pq, where p, q prime. Subgroup Decision Assumption (SD) No p.p.t. adversary can distinguish a random element of G from a random element of G q, the subgroup of order q. Boneh-Goh-Nissim (BGN) Encryption [TCC'05] KeyGen Generate bilinear group G with G = n = pq, choose h G q. sk = q. Encrypt Choose r Z n Set C := g m h r. Decrypt C q = (g m h r ) q = (g q ) m, thus log g q C q = m. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
35 The Subgroup Decision Assumption and BGN Encryption Let G = (n, G, G T, e, g) be a bilinear group of order G = n = pq, where p, q prime. Subgroup Decision Assumption (SD) No p.p.t. adversary can distinguish a random element of G from a random element of G q, the subgroup of order q. Boneh-Goh-Nissim (BGN) Encryption [TCC'05] KeyGen Generate bilinear group G with G = n = pq, choose h G q. sk = q. Encrypt Choose r Z n Set C := g m h r. Decrypt C q = (g m h r ) q = (g q ) m, thus log g q C q = m. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
36 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
37 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
38 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
39 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
40 Boyen Waters Group Signatures [PKC'07] II Group Signatures Setup Choose a bilinear group G of order n = pq Choose keys pp and mk for hybrid scheme Publish an additional element h G q Set the tracing key as tk = q Z Enroll Choose s i Z p, s.t. ω + s i Z n Return K i = ((g α ) 1 ω+s i, g s i, g s i ) 2 Sign Make hybrid signature (S 1, S 2, S 3, S 4 ) BGN-encrypt components: S i := S i h ρ i for ρ i Z n Add proofs π 1, π 2 for each verication relation Verify e(s 1, S 2 Ω) A 1? = e(h, π 1 ) e(s 2, g 2) 1 e(g, S 3 ) e(s 4, F(M))? = e(h, π 2 ) Trace for each s i, check (S 2 )q? = (g s i ) q Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
41 Boyen Waters Group Signatures [PKC'07] III Security of Group Signature Anonymity. Replace h by a random element in G (indist. by SD). Lemma: If h G then signer id is statistically hidden, i.e. π 1 and π 2 do not leak information. Full Traceability. Reduction to unforgeability of hybrid signatures in G p Get parameters, build twin scheme in G q. Parameters of group signature are products of parameters of schemes in G p and G q. Forgery (S 1, S 2, S 3, S 4 ) is projected to G p by raising elements to the power of θ with θ 1 (mod p) and θ 0 (mod q). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
42 Boyen Waters Group Signatures [PKC'07] III Security of Group Signature Anonymity. Replace h by a random element in G (indist. by SD). Lemma: If h G then signer id is statistically hidden, i.e. π 1 and π 2 do not leak information. Full Traceability. Reduction to unforgeability of hybrid signatures in G p Get parameters, build twin scheme in G q. Parameters of group signature are products of parameters of schemes in G p and G q. Forgery (S 1, S 2, S 3, S 4 ) is projected to G p by raising elements to the power of θ with θ 1 (mod p) and θ 0 (mod q). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
43 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
44 The Leak-Tightness Lemma I Let (n, G, G T, e, g) be a bilinear group, and let a j, b j G, δ j,i, ε j,i Z n for 1 j l, 1 i m. Let (X i ) m i=1 Gm satisfy a pairing-product that is equation E (aj,b j ) j E (aj,b j ) j (X 1,..., X m ) : l ( e m a j j=1 i=1 X δ j,i i, b j m i=1 X ε j,i i ) = 1. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
45 The Leak-Tightness Lemma I Let (n, G, G T, e, g) be a bilinear group, and let a j, b j G, δ j,i, ε j,i Z n for 1 j l, 1 i m. Let (X i ) m i=1 Gm satisfy a pairing-product that is equation E (aj,b j ) j E (aj,b j ) j (X 1,..., X m ) : l ( e m a j j=1 i=1 X δ j,i i, b j m i=1 X ε j,i i ) = 1. 1 Form of a proof Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
46 The Leak-Tightness Lemma I Let (n, G, G T, e, g) be a bilinear group, and let a j, b j G, δ j,i, ε j,i Z n for 1 j l, 1 i m. Let (X i ) m i=1 Gm satisfy a pairing-product that is equation E (aj,b j ) j E (aj,b j ) j (X 1,..., X m ) : l ( e m a j j=1 i=1 X δ j,i i, b j m i=1 X ε j,i i ) = 1. 1 Let H G, (ρ i ) m Z m i=1 n. Then X i := X i H ρ i for 1 i m satisfy (a j e X δ ) ( j,i j i i, b X ε ( j,i j i i = e H, P E (Xi ), (ρ i ) )), (Ẽ ) ( where P E (Xi ), (ρ i ) ) := ((a j j i X δ j,i i ) P ε j,i ρ i (b j i X ε j,i i ) P δ j,i ρ i H (P δ j,i ρ i )( P ε j,i ρ i ) ). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
47 The Leak-Tightness Lemma II 2 Proofs do not leak info on plaintexts Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
48 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
49 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Simulation Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
50 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Let G = pq, let a j, b j, X i G p ; c j, d j, Y i G q for all i, j. If (X i ) satisfy E (aj,b j ) j and (Y i ) satisfy E (cj,d j ) j, then (X i Y i ) satisfy E (aj c j,b j d j ) j. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
51 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Let G = pq, let a j, b j, X i G p ; c j, d j, Y i G q for all i, j. If (X i ) satisfy E (aj,b j ) j and (Y i ) satisfy E (cj,d j ) j, then (X i Y i ) satisfy E (aj c j,b j d j ) j. 4 Projection Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
52 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Let G = pq, let a j, b j, X i G p ; c j, d j, Y i G q for all i, j. If (X i ) satisfy E (aj,b j ) j and (Y i ) satisfy E (cj,d j ) j, then (X i Y i ) satisfy E (aj c j,b j d j ) j. 4 Let furthermore H G q and θ N be such that θ 1 (mod p) and θ 0 (mod q). If ( X i ) G satisfy Ẽ (aj c j,b j d j ) j for some P E, then ( X θ i ) satisfy E (aj,b j ) j. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
53 Re-randomization (X i ) satisfy ( X i ) satisfy j e (a j j e (a j i X δ j,i i i X δ j,i i, b j i X ε j,i, b j i X ε j,i i i ) = 1 ) ( = e (H, P E (Xi ), (ρ i ) )) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
54 Re-randomization (X i ) satisfy ( X i ) satisfy j e (a j j e (a j i X δ j,i i i X δ j,i i, b j i X ε j,i, b j i X ε j,i i i ) = e(h, P ) ) = e (H, P P ( E (Xi ), (ρ i ) )) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
55 Re-randomization (X i ) satisfy ( X i ) satisfy j e (a j j e (a j i X δ j,i i i X δ j,i i, b j i X ε j,i, b j i X ε j,i i i ) = e(h, P ) ) = e (H, P P ( E (Xi ), (ρ i ) )) So, given a proof P for ( X i ) satisfying Ẽ, one can re-randomize the ( X i ): X i := X i H ρ i with ρ i Z p and adapt the proof (without knowledge of the plaintexts!): P new := P P E (( X ), (ρ i)) If (( X i ), P) and ((Ỹi), P ) both satisfy Ẽ, then their re-randomizations are indistinguishable by SD and the Lemma. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
56 Application of Re-randomization Intermediate Delegator Anonymity Even the delegatee cannot distinguish warrants from dierent previous delegators. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
57 Compatible Signature Scheme A signature scheme with the following properties: EUF-CMA secure verication keys lie in message space messages and signatures are G-elements verication by checking pairing-product equations. (ecient?) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
58 Compatible Signature Scheme A signature scheme with the following properties: EUF-CMA secure verication keys lie in message space messages and signatures are G-elements verication by checking pairing-product equations. (ecient?) This paper: not quite ecient, based on new kind of assumption. Ecient implementation: F: Automorphic Signatures in Bilinear Groups Messages and public keys in G 2. Signatures in G 5 Verication: 7 pairing evaluations. q-sdh-style Assumption Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
59 Thank you! Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24
Automorphic Signatures and Applications
École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London E-mail: j.groth@ucl.ac.uk September 7, 2007 Abstract We construct a new group signature scheme using bilinear
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings 1 Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London j.groth@ucl.ac.uk March 25, 2013 Abstract We construct a new group signature scheme using bilinear groups. The
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationImproved Structure Preserving Signatures under Standard Bilinear Assumptions
Improved Structure Preserving Signatures under Standard Bilinear Assumptions Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center, Yorktown Heights, NY, USA csjutla@us.ibm.com 2 Fujitsu
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationProtean Signature Schemes
Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1 Digital Signatures 2 Digital Signatures
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationImproved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials
Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials Amira Barki, Solenn Brunet, Nicolas Desmoulins and Jacques Traoré August 11th, 2016 Selected Areas in Cryptography SAC 2016
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationPrivacy-enhanced Designated Confirmer Signature without Random Oracles
International Journal of Network Security, Vol.16, No.4, PP.261-269, July 2014 261 Privacy-enhanced Designated Confirmer Signature without Random Oracles Shengke Zeng 1,2 and Hu Xiong 1 (Corresponding
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationResistance to Pirates 2.0: A Method from Leakage Resilient Cryptography
Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Duong Hieu Phan 1,2 and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. In the classical model of
More informationInteractive and Non-Interactive Proofs of Knowledge
Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept 2012 1 / 63 1 General Remarks 2 Building blocks 3 Non-Interactive
More informationNon-interactive deniable ring signature without random oracles
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 206; 9:80 89 Published online 26 July 203 in Wiley Online Library (wileyonlinelibrary.com). DOI: 0.002/sec.859 SPECIAL ISSUE PAPER Non-interactive
More informationAttribute-Based Ring Signatures
Attribute-Based Ring Signatures Jin Li and Kwangjo Kim International Research center for Information Security (IRIS) Information and Communications University(ICU) 103-6 Munji-Dong, Yuseong-Gu, Daejeon,
More informationLattice-based Multi-signature with Linear Homomorphism
Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute
More informationNew Constructions of Convertible Undeniable Signature Schemes without Random Oracles
New Constructions of Convertible Undeniable Signature Schemes without Random Oracles Qiong Huang Duncan S. Wong Abstract In Undeniable Signature, a signature s validity can only be confirmed or disavowed
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationShort Group Signatures with Efficient Flexible Join
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationPolicy-Based Signatures
Policy-Based Signatures Mihir Bellare Georg Fuchsbauer Abstract We introduce signatures where signers can only sign messages that conform to some policy, yet privacy of the policy is maintained. We provide
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationPractical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain
Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain Jan Camenisch IBM Research - Zurich jca@zurich.ibm.com Manu Drijvers IBM Research - Zurich & ETH Zurich mdr@zurich.ibm.com
More informationAccumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation
Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation 1 Lan Nguyen Centre for Information Security, University of Wollongong, Wollongong 2522,
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationWe recommend you cite the published version. The publisher s URL is:
El Kaafarani, A., Ghadafi, E. and Khader, D. (2014) Decentralized traceable attribute-based signatures. Cryptographers Track at the RSA Conference, 8366. pp. 327-348. ISSN 0302-9743 Available from: http://eprints.uwe.ac.uk/31222
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationShort Signatures From Diffie-Hellman: Realizing Short Public Key
Short Signatures From Diffie-Hellman: Realizing Short Public Key Jae Hong Seo Department of Mathematics, Myongji University Yongin, Republic of Korea jaehongseo@mju.ac.kr Abstract. Efficient signature
More informationGeneric Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, Universit
Generic Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland
More informationA Group Signature Scheme from Lattice Assumptions
A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining
More informationDecentralized Evaluation of Quadratic Polynomials on Encrypted Data
Decentralized Evaluation of Quadratic Polynomials on Encrypted Data Chloé Hébant 1,2, Duong Hieu Phan 3, and David Pointcheval 1,2 1 DIENS, École normale supérieure, CNRS, PSL University, Paris, France
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationFair Blind Signatures without Random Oracles
Fair Blind Signatures without Random Oracles Georg Fuchsbauer and Damien Vergnaud École normale supérieure, LIENS - CNRS - INRIA, Paris, France http://www.di.ens.fr/{~fuchsbau,~vergnaud} Abstract. A fair
More informationA New Constant-size Accountable Ring Signature Scheme Without Random Oracles
New Constant-size ccountable Ring Signature Scheme Without Random Oracles Sudhakar Kumawat 1 and Souradyuti Paul 2 1 Indian Institute of Technology Gandhinagar 2 Indian Institute of Technology Bhilai {sudhakar.bm07,souradyuti.paul}@gmail.com
More informationA Profitable Sub-Prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups
Full version of an extended abstract published in Proceedings of PKC 2015, Springer-Verlag, 2015. Available from the IACR Cryptology eprint Archive as Report 2013/300. A Profitable Sub-Prime Loan: Obtaining
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationMalleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials
Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Redmond melissac@microsoft.com Markulf Kohlweiss Microsoft Research Cambridge
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationHow to Shuffle in Public
How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationOn the (Im)possibility of Projecting Property in Prime-Order Setting
On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationRevocable Group Signature Schemes with Constant Costs for Signing and Verifying
Revocable Group Signature Schemes with Constant Costs for Signing and Verifying Toru Nakanishi, Hiroki Fujii, Yuta Hira, and Nobuo Funabiki Department of Communication Network Engineering, Okayama University,
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationMulti-Key Homomorphic Signatures Unforgeable under Insider Corruption
Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2, Raymond K. H. Tai 1, Harry W. H. Wong 1, and Sherman S. M. Chow 1 1 Chinese University of Hong Kong, Hong Kong
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationAttribute-Based Signatures
Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek Abstract We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationStructure-Preserving Signatures from Type II Pairings
Structure-Preserving Signatures from Type II Pairings Masayuki Abe 1, Jens Groth 2, Miyako Ohkubo 3, and Mehdi Tibouchi 1 1 NTT Secure Platform Laboratories, Japan 2 University College London, UK 3 Security
More information