ECash and Anonymous Credentials
1 ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009
2
  1. E-cash: Chaum's E-cash; Offline E-cash
  2. Anonymous Credentials: e-cash-based Credentials; Brands Credentials; CL Signatures; Camenisch Anonymous Credentials
  3. Compact E-cash
3 E-cash properties
  How is cash different from credit card transactions?
  - Untraceable
  - Verifiable offline
4 Chaum's E-cash: First Attempt at e-cash
  A message with a digital signature:
  Example (ebill): "This bill is legal tender for exactly US$1.00" (signed: US Mint)
  How well does this work for our purposes?
  - Traceable: Mint will recognize randomized signature
  - Needs online verification to prevent double spending
5 Chaum's E-cash: Blind Signatures [Chaum, Crypto '82]
  Recall the RSA homomorphism:
  RSA Signature Homomorphism: $(m_1^d \bmod n) \cdot (m_2^d \bmod n) \equiv (m_1 m_2)^d \pmod n$
  We can use this to construct a blind signature:
  Definition (Blind signature)
  1. Alice picks $r \in_R \mathbb{Z}_n$
  2. Alice generates the blinded message $m' = m r^e \pmod n$ and asks the mint to sign it
  3. Mint produces a signature on $m'$: $\sigma' = (m')^d \equiv m^d r^{ed} \equiv m^d r \pmod n$
  4. Alice uses $\sigma = \sigma'/r$ to obtain a signature on $m$
6 Chaum's E-cash: Blind signature protocol
  Withdrawal Protocol
  1. Alice produces a message: m = H("This bill is legal tender for exactly US$1, ")
  2. Alice obtains a blind signature on m from the mint.
  3. Mint deducts $1 from Alice's account.
  Properties
  - Unlinkable: mint cannot link signature on m' to signature on m (information-theoretic security)
  - Needs online verification to prevent double spending
  - Alice can change amount
7 Chaum's E-cash: Single-denomination keys
  Mint's public key (n, e) is used to issue only $1.00 e-coins.
  Withdrawal Protocol
  1. Alice produces a serial number s, and message m = H(s)
  2. Alice obtains a blind signature on m from the mint.
  3. Mint deducts $1 from Alice's account.
  Why does m = H(s)? Prevents existential forgery.
  Payment protocol requires Alice to produce s and a signature on H(s).
  How do we support multiple denominations? Multiple public keys: $(n_{\$1}, e_{\$1}), (n_{\$5}, e_{\$5}), \ldots$
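The withdrawal and payment steps of slides 5 to 7, as an added example that is not part of the original lecture. The mint key is a constructed toy key built from two Mersenne primes, SHA-256 reduced mod n stands in for H, and the function names and the `Mint` class (the online double-spending check) are assumptions of this sketch.

```python
# Added example: Chaum-style blind RSA withdrawal and spend, toy parameters only.
import hashlib
import secrets
from math import gcd

# Constructed toy mint key (far too small for real use).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # mint's private exponent


def H(serial: bytes) -> int:
    """m = H(s): hash the coin's serial number into Z_n."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """Alice: pick random r, return (m', r) with m' = m * r^e mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:           # r must be invertible to unblind later
            return (m * pow(r, E, N)) % N, r


def mint_sign(blinded: int) -> int:
    """Mint: sigma' = (m')^d mod n. The mint never sees m or s."""
    return pow(blinded, D, N)


def unblind(sig_blinded: int, r: int) -> int:
    """Alice: sigma = sigma' / r mod n."""
    return (sig_blinded * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding (n, e): check sigma^e == H(s) mod n."""
    return pow(sig, E, N) == H(serial)


def withdraw(serial: bytes):
    """One withdrawal. Returns (coin signature, what the mint saw)."""
    blinded, r = blind(H(serial))
    return unblind(mint_sign(blinded), r), blinded


class Mint:
    """Online verification: remember every serial number already redeemed."""

    def __init__(self):
        self.spent = set()

    def deposit(self, serial: bytes, sig: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False             # forged coin or double spend
        self.spent.add(serial)
        return True
```

The final signature does not depend on r, so two withdrawals of the same serial give the same coin while the mint sees two unrelated blinded values.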
8 Offline E-cash [Chaum, Fiat & Naor, Crypto '90]
  Basic ideas:
  - Encode payer's identity in the coin
  - Payment protocol reveals some function of user's identity
  - Two payments will reveal full identity
  - Zero-knowledge proofs to show that protocol is being followed
9 Offline E-cash: Setup
  Bank's RSA public key: (n, e) as before, every coin worth $1.
  Each user has an account number u and a counter v.
  Two collision-resistant hash functions are used:
  - $f(x, y)$ is modeled as a random oracle
  - $g(x, y)$ has the property that $g(x, \cdot)$ is a permutation
  Note: this guarantees that $g(x, \cdot)$ is collision free
10 Offline E-cash: Withdrawal Protocol
  Withdrawal
  1. Alice chooses $a, c, d, r \in_R \mathbb{Z}_n$
  2. Alice forms a coin: $C = f(g(a, c), g(a \oplus (u \| (v + 1)), d))$
  3. Alice sends $r^e C$ to the bank
  4. The bank produces a signature $\sigma = r \cdot C^d$
  5. The bank increments v by 1, debits Alice's account $1
  Note: Alice's identity is encoded in the coin (in a complex way)
  Bank needs to verify that Alice is constructing the coin correctly
11 Offline E-cash: Cut-and-choose
  Withdrawal
  1. Alice chooses $a_i, c_i, d_i, r_i \in_R \mathbb{Z}_n$, for $i = 1, \ldots, k$
  2. Alice forms a coin: $C_i = f(g(a_i, c_i), g(a_i \oplus (u \| (v + i)), d_i))$
  3. Alice sends $r_i^e C_i$ to the bank
  4. The bank picks a set of k/2 indices, R, and sends them to Alice
  5. Alice sends $a_i, c_i, d_i$, and $r_i$ for $i \in R$ to the bank
  6. The bank produces a signature on the remaining $C_i$'s: $\sigma = \prod_{i \notin R} r_i C_i^d$
  7. Alice generates the final coin: $C = \sigma / \prod_{i \notin R} r_i = \prod_{i \notin R} C_i^d$
  8. The bank increments v by 1, debits Alice's account $1
12 Offline E-cash: Payment Protocol
  Assume without loss of generality that $R = \{k/2 + 1, \ldots, k\}$, thus:
  Payment
  1. Alice sends C to Bob.
  2. Bob chooses k/2 random bits, $z_1, \ldots, z_{k/2} \in_R \{0, 1\}$
  3. For each i, Alice sends:
     1. If $z_i = 1$, she sends $a_i$, $c_i$, $g(a_i \oplus (u \| (v + i)), d_i)$
     2. If $z_i = 0$, she sends $g(a_i, c_i)$, $a_i \oplus (u \| (v + i))$, $d_i$
  4. Bob recomputes each $C_i$ and verifies that the signature is correct
  5. Later, Bob sends C and Alice's responses to the bank
  6. Bank verifies the responses and credits Bob's account
13 Offline E-cash: Double Spending
  If the bank receives two copies of the same coin C, it can recover Alice's identity from her responses to two merchants' challenges, $z$ and $z'$:
  - With probability $1 - 2^{-k/2}$, $\exists i$ such that $z_i \neq z'_i$
  - The bank has $a_i$ and $a_i \oplus (u \| (v + i))$
  Note: if Alice and Charlie collude, Charlie can issue the same challenge as Bob. Fix: make Bob's challenge depend on his identity.
  Note: To prevent framing by the bank, Alice can use account number $u \| w_i$ for random $w_i$ and provide a signature on the $H(w_i)$'s to the bank (that the bank checks during cut-and-choose).
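The payment responses of slide 12 and the identity recovery of slide 13, as an added example that is not part of the original lecture. It models only the k/2 coin components left after cut-and-choose and omits the bank's RSA signature; SHA-256 stands in for f and g (so g(x, ·) is not a true permutation here), and the 8-byte encodings of u and v+i and all function names are assumptions.

```python
# Added example: identifying a double-spender in Chaum-Fiat-Naor offline e-cash.
import hashlib
import secrets

K_HALF = 16   # k/2 coin components that survive cut-and-choose
WIDTH = 16    # bytes per value: a_i, c_i, d_i and the encoded u || (v+i)


def tagged_hash(tag, x, y):
    return hashlib.sha256(tag + len(x).to_bytes(2, "big") + x + y).digest()


def f(x, y):
    return tagged_hash(b"f", x, y)


def g(x, y):
    # Stand-in only: the slides require g(x, .) to be a permutation.
    return tagged_hash(b"g", x, y)


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def encode_id(u, counter):
    """u || (v+i): 8-byte account number followed by an 8-byte counter."""
    return u.to_bytes(8, "big") + counter.to_bytes(8, "big")


def make_coin(u, v):
    """Return ([C_i], Alice's secrets [(a_i, c_i, d_i, a_i XOR (u || (v+i)))])."""
    alice_secrets = []
    for i in range(1, K_HALF + 1):
        a, c, d = (secrets.token_bytes(WIDTH) for _ in range(3))
        alice_secrets.append((a, c, d, xor(a, encode_id(u, v + i))))
    coin = [f(g(a, c), g(b, d)) for a, c, d, b in alice_secrets]
    return coin, alice_secrets


def respond(alice_secrets, z):
    """Alice's answers to the merchant's challenge bits z_1..z_{k/2}."""
    out = []
    for (a, c, d, b), bit in zip(alice_secrets, z):
        if bit == 1:
            out.append((1, a, c, g(b, d)))     # reveals a_i
        else:
            out.append((0, g(a, c), b, d))     # reveals a_i XOR (u || (v+i))
    return out


def check_payment(coin, responses):
    """Merchant (and later the bank): recompute every C_i from the response."""
    for C, (bit, p, q, r) in zip(coin, responses):
        recomputed = f(g(p, q), r) if bit == 1 else f(p, g(q, r))
        if recomputed != C:
            return False
    return True


def identify(resp1, resp2):
    """Bank: given two transcripts for one coin, return (u, v+i) or None."""
    for r1, r2 in zip(resp1, resp2):
        if r1[0] == r2[0]:
            continue                      # same challenge bit: nothing learned
        one, zero = (r1, r2) if r1[0] == 1 else (r2, r1)
        ident = xor(one[1], zero[2])      # a_i XOR (a_i XOR (u || (v+i)))
        return int.from_bytes(ident[:8], "big"), int.from_bytes(ident[8:], "big")
    return None
```

A single spend reveals only one of the two shares per component; `identify` returns `None` when both merchants used the same challenge, which is the collusion case the slide's fix addresses.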
14 Credential Systems
  Credential: a certified list of attributes.
  Example (Driver's License)
    Name: John Smith
    D.O.B.: 01/01/1970
    Address: 123 Main St.
    Zipcode:
    Eye color: Blue
    Hair color: Brown
  Digital credentials: attribute list signed by some authority (e.g., IL Secretary of State)
  Privacy issues: reveal all information to demonstrate one attribute.
15 Anonymous Credentials (aka Private Credentials)
  Properties
  - Selective Disclosure: can reveal only the attributes necessary. E.g.: Over 21; Resident of Illinois; Licensed to drive; Needs glasses
  - Unlinkability: Issuing and showing credentials should not be linkable, even with cooperation of the CA.
16 Constructions
  - e-cash based
  - Brands private credentials
  - Camenisch et al.'s anonymous credentials
  - Noninteractive Anonymous Credentials
17 e-cash-based Credentials: Digital Coin as Credential
  - Credential issue: Withdraw
  - Credential show: Payment
  - No double-spending protection
  - Credential attribute: denomination
  Problems
  - Credential showings are linkable to each other
  - Effectively, credential = pseudonym
  - Limited policy expressivity: conjunction of boolean attributes
  - No protection against credential sharing, combining
18 Brands Credentials: Private Credentials [Brands, MIT Press, 1990]
  - Stefan Brands's Ph.D. thesis
  - Constructs a credential with a collection of attributes
  - Blinded credential signed by issuing authority
  - Can selectively disclose a subset of (or a formula over) credentials
19 Brands Credentials: DLREP
  Definition
  Create generators $g_1, \ldots, g_l$ for a group of order q in $\mathbb{Z}_p$
  $f(x_1, \ldots, x_l) := g_1^{x_1} \cdots g_l^{x_l} \pmod p$
  Proof of Knowledge of a DLREP for h
  1. Alice creates $w_1, \ldots, w_l \in_R \mathbb{Z}_q$, sends $a = H(g_1^{w_1} \cdots g_l^{w_l})$
  2. Bob sends challenge c
  3. Alice computes $r_i = c x_i + w_i$
  4. Bob checks that $a = H(g_1^{r_1} \cdots g_l^{r_l} h^{-c})$
20 Brands Credentials: Fiat-Shamir Heuristic [Fiat, Shamir, Crypto '86]
  Given a 3-move ZK protocol:
  - Prover: commit to a
  - Verifier: send challenge c
  - Prover: reveal r to prove commitment
  Set c = H(a); then (a, r) is a non-interactive ZK proof.
  - Needs random oracle model
  - Can be extended to signature proof of knowledge with c = H(a, M)
21 Brands Credentials: Approach
  Issue Protocol
  - Let $g_i = g^{y_i} \bmod p$, $h_0 = g^{y_0} \bmod p$
  - Use a modified DLREP function: $f(\alpha, x_1, \ldots, x_l) = (g_1^{x_1} \cdots g_l^{x_l} h_0)^{\alpha} \bmod p$
  - Obtain a restricted blind signature on h
  Showing Protocol
  - Reveal value of selected attributes
  - Prove knowledge of DLREP for remaining attributes
  - Never reveal $\alpha$
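The DLREP proof of slide 19 made non-interactive with the Fiat-Shamir step of slide 20, plus the reveal-some, prove-the-rest idea of slide 21's showing protocol, as an added example that is not part of the original lecture and is not Brands's own construction. It leaves out the blinding factor α and the issuer's signature; the group (q = 2^61 − 1 with a searched-for p), the generator derivation, hashing the statement h into the challenge, and all function names are assumptions of this sketch.

```python
# Added example: Fiat-Shamir DLREP proof with selective disclosure (small group).
import hashlib
import secrets

Q = 2**61 - 1  # prime subgroup order (a Mersenne prime); assumption of this sketch

def is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 3.18e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Smallest prime p = k*Q + 1, so Z_p^* contains a subgroup of order Q.
P = next(k * Q + 1 for k in range(2, 100_000, 2) if is_prime(k * Q + 1))

def generators(count):
    """Derive `count` distinct elements of order Q from small integer bases."""
    gens, base = [], 2
    while len(gens) < count:
        g = pow(base, (P - 1) // Q, P)
        if g != 1 and g not in gens:
            gens.append(g)
        base += 1
    return gens

def dlrep(gens, xs):
    """f(x_1, ..., x_l) = g_1^{x_1} * ... * g_l^{x_l} mod p."""
    out = 1
    for g, x in zip(gens, xs):
        out = out * pow(g, x, P) % P
    return out

def digest(*values):
    return hashlib.sha256("|".join(str(v) for v in values).encode()).digest()

def challenge(a, h, message):
    # Slide 20 uses c = H(a, M); also hashing the statement h is an addition here.
    return int.from_bytes(digest(a.hex(), h, message), "big") % Q

def prove(gens, xs, message):
    """Return (a, [r_1..r_l]) proving knowledge of a DLREP of dlrep(gens, xs)."""
    ws = [secrets.randbelow(Q) for _ in gens]
    a = digest(dlrep(gens, ws))                  # a = H(prod g_i^{w_i})
    c = challenge(a, dlrep(gens, xs), message)
    return a, [(c * x + w) % Q for x, w in zip(xs, ws)]

def verify(gens, h, message, proof):
    """Check a == H(prod g_i^{r_i} * h^{-c}) for an h in the order-Q subgroup."""
    a, rs = proof
    if not (0 < h < P and pow(h, Q, P) == 1):
        return False
    c = challenge(a, h, message)
    return a == digest(dlrep(gens, rs) * pow(h, -c, P) % P)

def show(gens, xs, disclose, message):
    """Prover: reveal the attributes indexed by `disclose`, prove the rest."""
    hidden = [i for i in range(len(xs)) if i not in disclose]
    proof = prove([gens[i] for i in hidden], [xs[i] for i in hidden], message)
    return {i: xs[i] for i in disclose}, proof

def check_show(gens, h, revealed, message, proof):
    """Verifier: divide revealed attributes out of h, then verify the remainder."""
    rest = h
    for i, x in revealed.items():
        rest = rest * pow(gens[i], -x, P) % P
    hidden_gens = [g for i, g in enumerate(gens) if i not in revealed]
    return verify(hidden_gens, rest, message, proof)
```

The verifier learns the disclosed attribute values and that the prover knows some representation of the remainder, nothing about the hidden values themselves; a claimed value that does not match h makes `check_show` fail.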
22 Brands Credentials: Sharing Protection
  - Need to know all attributes to prove DLREP
  - Make one attribute be something sensitive (e.g., SSN, bank account password)
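23 Brands Credentials: Issue Protocol
  Alice:
  1. Pre-compute:
     $\alpha \in_R \mathbb{Z}_q$
     $\alpha_2, \alpha_3 \in_R \mathbb{Z}_q$
     $h \leftarrow g_1^{x_1} \cdots g_l^{x_l} \bmod p$
     $h' \leftarrow (h_0 h)^{\alpha} \bmod p$
     $\beta \leftarrow g^{\alpha_2} (h_0 h)^{\alpha_3} \bmod p$
  2. Send $x_1, \ldots, x_l$
  3. Compute: $\gamma \leftarrow \beta s \bmod p$
  4. Compute: $u' \leftarrow H(h', \gamma) \bmod q$, $u \leftarrow u' - \alpha_2 \bmod q$
  CA:
  1. Pre-compute:
     $k \in_R \mathbb{Z}_q$
     $s \leftarrow g^k \bmod p$
  2. Validate attributes
  3. Send: $s$
  4. Compute: $t \leftarrow (y_0 + x_1 y_1 + \cdots + x_l y_l)^{-1} \bmod q$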
24 Brands Credentials: Issue Protocol (continued)
  Alice:
  4. Send: $u$
  5. Compute: $v' \leftarrow (v + \alpha_3)\alpha^{-1} \bmod q$
  6. Verify: $u' \stackrel{?}{=} H(h', (g^{u'} (h')^{v'} \bmod p)) \bmod q$
  CA:
  5. Compute: $v \leftarrow (k - u)t \bmod q$
  6. Send: $v$
25 Brands Credentials: Issue Protocol Explained
  Final signature: $u' = H(h', \gamma = (g^{u'} (h')^{v'} \bmod p)) \bmod q$
  Let $\gamma = g^{\alpha_2} (h_0 h)^{\alpha_3} g^k$
  Let $v = (k - (u' - \alpha_2))(\log_g(h_0 h))^{-1}$
  $v' = (v + \alpha_3)\alpha^{-1}$
  $(h')^{v'} = ((h_0 h)^{\alpha})^{v'} = (h_0 h)^{v + \alpha_3} = g^k g^{-u'} g^{\alpha_2} (h_0 h)^{\alpha_3} = \gamma g^{-u'}$
26 CL Signatures: Background: Pedersen Commitments
  - Commit to an integer in $\mathbb{Z}_q$
  - Uses $g, h \in \mathbb{Z}_p$ (generators of group of order q)
  - Prover does not know $\log_g h$ (e.g., verifier chooses $h = g^a$)
  - Commit to x: send $c = g^x h^r$
  - Reveal: show $(x, r)$
27 CL Signatures: Fujisaki-Okamoto
  - Pick RSA modulus n
  - Let $h \in QR_n$, $g \in \langle h \rangle$
  - Commit: $g^x h^r \bmod n$
  - Reveal: send $(x, r)$
  - Secure if prover does not know factorization of n
28 CL Signatures: Camenisch-Lysyanskaya Signatures (SCN 2002)
  - A signature scheme designed to be used with anonymous protocols
  - Protocol to generate a signature on a committed value
  - Protocol to prove knowledge of signature on committed value
  - Building block of protocols, along with proofs regarding committed values
29 CL Signatures: Signature Scheme
  Setup
  - RSA modulus $n = pq$, with $p = 2p' + 1$, $q = 2q' + 1$, and $p, q, p', q'$ prime
  - Choose $a_1, \ldots, a_l, b, c \in QR_n$
  - $PK = (n, a_1, \ldots, a_l, b, c)$, $SK = p$
  Signature
  - Message: $m_1, \ldots, m_l$
  - Pick random prime e, random number s
  - $v = (a_1^{m_1} \cdots a_l^{m_l} b^s c)^{1/e} \bmod n$
  - Output $(e, s, v)$
30 CL Signatures: Camenisch-Stadler Notation
  Generic notation for zero-knowledge proofs: PK{(vars) : conditions}
  By convention, Greek letters represent values known to the prover only; other letters represent public values.
  Example: proof of knowledge of a DLREP for h according to bases $g_1, \ldots, g_l$:
  $PK\{(\xi_1, \ldots, \xi_l) : h \equiv g_1^{\xi_1} \cdots g_l^{\xi_l} \bmod p\}$
31 CL Signatures: Commitment Proofs
  Proof of a DLREP modulo a composite:
  $PK\{(\alpha_1, \ldots, \alpha_m) : C = \prod_{i=1}^{m} g_i^{\alpha_i} \bmod n\}$
  Proof of knowledge of equivalent representations:
  $PK\{(\alpha_1, \ldots, \alpha_m) : C_1 = \prod_{i=1}^{m} g_i^{\alpha_i} \bmod n_1 \wedge C_2 = \prod_{i=1}^{m} h_i^{\alpha_i} \bmod n_2\}$
  Proof that a committed value is the product of two other committed values:
  $PK\{(\alpha, \beta, \rho_1, \rho_2, \rho_3) : C_a = g^{\alpha} h^{\rho_1} \bmod n \wedge C_b = g^{\beta} h^{\rho_2} \bmod n \wedge C_{ab} = g^{\alpha\beta} h^{\rho_3} \bmod n\}$
  Proof that a value lies within a given range:
  $PK\{(\alpha, \rho) : C = g^{\alpha} h^{\rho} \bmod n \wedge a \le \alpha \le b\}$
32 CL Signatures: Signing a Committed Value
  Setup
  - Public key: $(n, a, b, c)$, commitment public key $(n_C, g_C, h_C)$
  - User: commitment $C = g_C^{x} h_C^{r_C} \bmod n_C$
  Protocol
  1. Form commitment $C_x = a^x b^r \bmod n$
  2. Prove $C_x$ is equivalent to $C$
  3. Prove knowledge of $x, r$
  4. Signer: pick random $r'$, prime $e$, let $v = (C_x b^{r'} c)^{1/e}$
  5. Send $(r', e, v)$ to user
  6. User: let $s = r + r'$; check $v^e \equiv a^x b^s c \bmod n$
33 Camenisch Anonymous Credentials: Anonymous Credentials
  - Similar to private credentials
  - Can be shown arbitrary number of times
  General Approach
  - Attributes: $(x_1, \ldots, x_l)$
  - Commit to a DLREP of attributes, prove that attributes are correct
  - Obtain signature on DLREP
  - To show credential, commit to the DLREP (new commitment)
  - Prove commitment has required attributes
  - Prove knowledge of signature over DLREP
34 Camenisch Anonymous Credentials: Efficient Anonymous Credentials [Camenisch & Groß, CCS '08]
  - Proofs of attributes are linear in number of attributes
  - Public key needs to pre-specify attribute list
  Idea: create a single attribute e that encodes all of the credential
  - Let each (binary) attribute be represented by a prime $e_i$
  - $e = \prod_{\text{User has attr}_i} e_i$
  - k-valued attributes can be supported, too (How?)
35 Camenisch Anonymous Credentials: Showing Possession of Attribute
  Proof of Knowledge of Signature
  $PK\{(\sigma, \epsilon, \nu, \mu) : \nu^{\epsilon} = a^{\mu} b^{\sigma} c \bmod n\}$
  For attribute set E, show signature on $E/e_i$ using base $a^{e_i}$
  Proof of Possession of Attribute $e_i$
  $PK\{(\sigma, \epsilon, \nu, \mu) : \nu^{\epsilon} = (a^{e_i})^{\mu} b^{\sigma} c \bmod n\}$
  Note: can prove combination of attributes by using $(a^{e_i e_j e_k})$
36 Camenisch Anonymous Credentials: Showing Absence of Attribute $e_j$
  Find two numbers a, b such that $ae + be_j = 1$ by the extended Euclidean algorithm.
  Let $D = g^E h^r \bmod n$
  Proof
  $PK\{(\sigma, \epsilon, \mu, \rho_1, \rho_2, \alpha, \beta) : \nu^{\epsilon} = a^{\mu} b^{\sigma} c \bmod n \wedge D = g^{\mu} h^{\rho_1} \bmod n \wedge g = D^{\alpha} (g^{e_j})^{\beta} h^{\rho_2} \bmod n\}$
37 Camenisch Anonymous Credentials: Showing an OR relation
  Show that one of attributes $\{e_1, \ldots, e_m\}$ is present. Note: can be done generically (How?)
  Approach: commit to $e_j$ ($D = g^{e_j} h^r$), show that $e_j \mid \prod_{i=1}^{l} e_i$ and $e_j \mid E$.
  Proof
  $D = g^{e_j} h^r$
  $PK\{(\sigma, \epsilon, \mu, \rho_1, \rho_2, \rho_3, \alpha, \beta, \delta) : \nu^{\epsilon} = a^{\mu} b^{\sigma} c \bmod n \wedge D = g^{\delta} h^{\rho_1} \wedge g^{\prod_{i=1}^{m} e_i} = D^{\alpha} h^{\rho_2} \wedge 1 = D^{\beta} g^{\mu} h^{\rho_3}\}$
38 Compact E-cash (Camenisch, Hohenberger, Lysyanskaya, 2005)
  - Generate a compact wallet
  - Wallet contains $2^l$ coins
  - Wallet length, withdrawal protocol: O(l)
  - Two constructions
  - Definition of Security
39 Syntax
  - KeyGen: generate keys for user and bank
  - Withdraw: obtain a coin from the bank
  - Spend: spend a coin at a merchant
  - Deposit: deposit a coin at a bank
  - Identify: used by bank to identify double-spender
  - VerifyGuilt: verifies that double-spending occurred
40 Security Properties
  - Correctness: protocols with honest parties work as expected
  - Balance: any collection of users and merchants cannot successfully deposit more coins than have been withdrawn
  - Double-spending identification: double-spenders will be identified and a proof that fits VerifyGuilt will be generated
  - Anonymity: users cannot be identified (simulator-based definition)
  - Exculpability: bank cannot frame a user
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 22 November 27, 2017 CPSC 467, Lecture 22 1/43 BBS Pseudorandom Sequence Generator Secret Splitting Shamir s Secret Splitting Scheme
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationEfficient Group Signatures without Trapdoors
Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationHow to Win the Clone Wars: Efficient Periodic n-times Anonymous Authentication
Full version of an extended abstract published in Proceedings of ACM CCS 2006, ACM Press, 2006. Available from the IACR Cryptology eprint Archive as Report 2006/454. How to Win the Clone Wars: Efficient
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More information