Essam Ghadafi CT-RSA 2016
|
|
- Albert Tate
- 5 years ago
- Views:
Transcription
1 SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES
2 OUTLINE 1 BACKGROUND 2 OUR SCHEME 3 EFFICIENCY COMPARISON 4 SOME APPLICATIONS 5 SUMMARY & OPEN PROBLEMS SHORT STRUCTURE-PRESERVING SIGNATURES
3
4 (PRIME-ORDER) BILINEAR GROUPS G, G,Tare finite cyclic groups of prime order p, whereg = G and G = G Pairing(e : G G T) : The function e must have the following properties: Bilinearity: P G, Q G, x, y Z, we have e(p x, Q y ) = e(p, Q) xy Non-Degeneracy: The value e(g, G) 1 generatest The function e is efficiently computable Type-III [GPS08]: G G and no efficiently computable homomorphism betweengand G in either direction SHORT STRUCTURE-PRESERVING SIGNATURES 2 / 19
5 STRUCTURE-PRESERVING SIGNATURES Some History: The term Structure-Preserving was coined by Abe et al Earlier constructions: Groth 2006 and Green and Hohenberger 2008 Many constructions in the 3 different main types of bilinear groups Optimal Type-III constructions are the most efficient SHORT STRUCTURE-PRESERVING SIGNATURES 3 / 19
6 STRUCTURE-PRESERVING SIGNATURES What are they? DEFINITION (A STRUCTURE-PRESERVING SIGNATURE) A signature scheme (defined over bilinear groups) where: m, vk andσ are elements ofgand/or G Verifying signatures only involves deciding group membership and evaluating pairing-product equations (PPE): e(a i, B j ) c i,j = Z, i j where A i G, B j G and Z T are group elements appearing inp, m, vk,σ, whereas c i,j Z p are constants SHORT STRUCTURE-PRESERVING SIGNATURES 4 / 19
7 STRUCTURE-PRESERVING SIGNATURES Why Structure-Preserving Signatures? Compose well with other pairing-based schemes Easy to encrypt Compose well with ElGamal/BBS linear encryption Easy to combine with NIZK proofs Compose well with Groth-Sahai proofs SHORT STRUCTURE-PRESERVING SIGNATURES 5 / 19
8 APPLICATIONS OF STRUCTURE-PRESERVING SIGNATURES Applications of Structure-Preserving Signatures: Blind signatures Group signatures Malleable signatures Tightly secure encryption schemes Anonymous credentials Oblivious transfer Network coding... SHORT STRUCTURE-PRESERVING SIGNATURES 6 / 19
9 EXISTING LOWER BOUNDS Lower Bounds (for unilateral messages) in Type-III Bilinear Groups (Abe et al. 2011): Signatures contain at least 3 group elements Signatures cannot be unilateral (must contain elements from both G and G) Note: Size of elements of G are at least twice as big as those ofg At least 2 PPE verification equations SHORT STRUCTURE-PRESERVING SIGNATURES 7 / 19
10 OUR CONTRIBUTION A new signature scheme in Type-III bilinear groups with shorter signatures than existing ones: Signatures consist of 3 elements fromg(i.e. unilateral) 2 PPE verification equations (5 pairings in total) Message space is the set of Diffie-Hellman pairs (Abe et al. 2010): The setĝ = {(M, Ñ) (M, Ñ) G G, e(m, G) = e(g, Ñ)} More efficient instantiations of some existing cryptographic protocols (e.g. DAA) SHORT STRUCTURE-PRESERVING SIGNATURES 8 / 19
11 OUR SCHEME The Underlying Idea: Can be viewed as an extension of the non-structure-preserving scheme of Pointcheval and Sanders (CT-RSA 2016) Can be viewed as a more efficient variant of Ghadafi (ACISP 2013) Camenisch-Lysyanskaya based structure-preserving scheme SHORT STRUCTURE-PRESERVING SIGNATURES 9 / 19
12 OUR SCHEME The Scheme: KeyGen: Choose x, y Z p, set sk := (x, y) and pk := ( X := G x, Ỹ := G y ) G 2 Sign: To sign(m, Ñ) Ĝ, Choose a Z p,σ := (A := G a, B := M a, C := A x B y ) G 3 Verify: Check that A 1 G and(m, Ñ) Ĝ and e(a, Ñ) = e(b, G) e(c, G) = e(a, X)e(B, Ỹ) Randomize: Choose r Z p, return σ := (A := A r, B := B r, C := C r ) SHORT STRUCTURE-PRESERVING SIGNATURES 10 / 19
13 PROPERTIES OF THE SCHEME Some Properties of the Scheme: The scheme is secure in the generic group model alternatively can be based on an interactive assumption Unilateral signatures (Perfectly) Fully re-randomizable Only M part of the message is needed for signing SHORT STRUCTURE-PRESERVING SIGNATURES 11 / 19
14 EFFICIENCY COMPARISON Scheme Size Verification R? Assumptions σ vk P m PPE Pairing [GH08] a G 4 G G 2 - G Y q-hlrsw 4 8 [Fuc09] G 3 G 2 G G G 3 Ĝ N q-adhsdh+awfcdh 3 9 [AFG+10] I G 5 G 2 G 10 G 4 - G P q-sfp 2 12 [AFG+10] II G 2 G 5 G 10 G 4 - G P q-sfp 2 12 [AGH+11] I G 2 G G G 3 - G G N GGM 2 7 [AGH+11] II G 2 G G G - G Y GGM 2 5 [Gha13] G 4 G 2 - Ĝ Y DH-LRSW 3 7 [CM14] I G G 2 G 2 - G N GGM 2 5 [CM14] II G G 2 G 2 - G Y GGM 2 6 [CM14] III G 2 G G 2 - G Y GGM 2 6 [AGO+14] I G 3 G G G G Y GGM 2 6 [AGO+14] II G 2 G G G G N GGM 2 6 [BFF15] G G 2 G 2 - G Y GGM 2 5 [Gro15] I G G 2 G G G Y GGM 2 6 [Gro15] II G G 2 G G G N GGM 2 7 Ours G 3 G 2 - Ĝ Y GGM 2 5 a This scheme is only secure against a random message attack. SHORT STRUCTURE-PRESERVING SIGNATURES 12 / 19
15 EFFICIENCY COMPARISON Comparison with schemes with the same message space Scheme Size Verification R? Assumptions σ vk P PPE Pairing [Fuc09] G 3 G 2 G G G 3 N q-adhsdh+awfcdh 3 9 or (7 & 2 ECAdd) [Gha13] G 4 G 2 - Y DH-LRSW 3 7 or (6 & 1 ECAdd) Ours G 3 G 2 - Y GGM 2 5 * Cost does not include checking well-formedness of the message SHORT STRUCTURE-PRESERVING SIGNATURES 13 / 19
16 GENERIC CONSTRUCTION OF DAA Bernhard et al gave a generic construction of DAA which requires the following tools: Randomizable Weakly Blind Signatures (RwBS) Used by the Issuer to issue certificates as credentials when users join the group Linkable Indistinguishable Tags (LIT) Needed to provide the linkability of signatures when the same basename is signed by the same user Signatures of Knowledge (SoK) Used by users to prove they have a credential and that the signature on the basename verifies w.r.t. thier certified secret key SHORT STRUCTURE-PRESERVING SIGNATURES 14 / 19
17 BLIND SIGNATURES SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19
18 BLIND SIGNATURES Sig SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19
19 BLIND SIGNATURES Sig Sig Security Requirements: Blindness: An adversary (i.e. a signer) who chooses the messages, does not learn which message being signed and cannot link a signature to its signing session Unforgeability: An adversary (i.e. a user) cannot forge new signatures SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19
20 BLIND SIGNATURES Sig Sig Security Requirements: Blindness: An adversary (i.e. a signer) who chooses the messages, does not learn which message being signed and cannot link a signature to its signing session Unforgeability: An adversary (i.e. a user) cannot forge new signatures SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19
21 RANDOMIZABLE WEAKLY BLIND SIGNATURES (RWBS) Similar to blind signatures but: Randomizability: Given a signatureσ, anyone can produce a new signatureσ on the same message Weak Blindness: Same as blindness but the adversary never sees the messages The adversary cannot tell if he was given a signature on a different message or a re-randomization of a signature on the same message SHORT STRUCTURE-PRESERVING SIGNATURES 16 / 19
22 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19
23 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19
24 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19
25 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19
26 EFFICIENT RWBS WITHOUT RANDOM ORACLES Security of the RwBS Scheme: Unforgeability of the SPS Scheme+SXDH Efficiency of the RwBS Scheme: Scheme Signature Verification PPE Pairing Bernhard et al I G or (6&1ECAdd) Ours G SHORT STRUCTURE-PRESERVING SIGNATURES 18 / 19
27 SUMMARY & OPEN PROBLEMS Summary: A new unilateral SPS scheme with short signatures More efficient instantiations of building blocks for DAA without random oracles Open Problems: More efficient constructions of unilateral structure-preserving signatures Constructions based on standard assumptions (e.g. DDH, DLIN, etc.) (Constant-size?) constructions for a vector of Diffie-Hellman pairs SHORT STRUCTURE-PRESERVING SIGNATURES 19 / 19
28 THE END Thank you for your attention! Questions? SHORT STRUCTURE-PRESERVING SIGNATURES
Short Structure-Preserving Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2016). Short Structure-Preserving Signatures Essam Ghadafi University
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationAutomorphic Signatures and Applications
École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationEfficient Two-Move Blind Signatures in the Common Reference String Model
Efficient Two-Move Blind Signatures in the Common Reference String Model E. Ghadafi and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationA Pairing-Based DAA Scheme Further Reducing TPM Resources
A Pairing-Based DAA Scheme Further Reducing TPM Resources Ernie Brickell Intel Corporation ernie.brickell@intel.com Jiangtao Li Intel Labs jiangtao.li@intel.com Abstract Direct Anonymous Attestation (DAA)
More informationUniversally Composable Adaptive Oblivious Transfer
Universally Composable Adaptive Oblivious Transfer Matthew Green Susan Hohenberger Johns Hopkins University {mgreen,susan}@cs.jhu.edu September 14, 2013 Abstract In an oblivious transfer (OT) protocol,
More informationPractical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain
Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain Jan Camenisch IBM Research - Zurich jca@zurich.ibm.com Manu Drijvers IBM Research - Zurich & ETH Zurich mdr@zurich.ibm.com
More informationShort Signatures From Diffie-Hellman: Realizing Short Public Key
Short Signatures From Diffie-Hellman: Realizing Short Public Key Jae Hong Seo Department of Mathematics, Myongji University Yongin, Republic of Korea jaehongseo@mju.ac.kr Abstract. Efficient signature
More informationEUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes
EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes Georg Fuchsbauer Christian Hanser 2 Daniel Slamanig 2 IST Austria georg.fuchsbauer@ist.ac.at 2 Institute for Applied Information Processing
More informationLimitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationShort Randomizable Signatures
SESSION ID: CRYP-W02 Short Randomizable Signatures David Pointcheval Senior Researcher ENS/CNRS/INRIA Paris, France Joint work with Olivier Sanders S C I E N C E P A S S I O N
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationImproved Structure Preserving Signatures under Standard Bilinear Assumptions
Improved Structure Preserving Signatures under Standard Bilinear Assumptions Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center, Yorktown Heights, NY, USA csjutla@us.ibm.com 2 Fujitsu
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationAttribute-Based Signatures for Circuits from Bilinear Map
Attribute-Based Signatures for Circuits from Bilinear Map Yusuke Sakai, Nuttapong Attrapadung, and Goichiro Hanaoka AIST, Japan {yusuke.sakai,n.attrapadung,hanaoka-goichiro}@aist.go.jp Abstract. In attribute-based
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationStructure-Preserving Signatures from Type II Pairings
Structure-Preserving Signatures from Type II Pairings Masayuki Abe 1, Jens Groth 2, Miyako Ohkubo 3, and Mehdi Tibouchi 1 1 NTT Secure Platform Laboratories, Japan 2 University College London, UK 3 Security
More informationOn the (Im)possibility of Projecting Property in Prime-Order Setting
On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationImproved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials
Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials Amira Barki, Solenn Brunet, Nicolas Desmoulins and Jacques Traoré August 11th, 2016 Selected Areas in Cryptography SAC 2016
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationFair Multiple-bank E-cash in the Standard Model
Fair Multiple-bank E-cash in the Standard Model Jiangxiao Zhang 1, Yanwu Gao 1, Chunhui Feng 1, Hua Guo 2, Zhoujun Li 2 1 Mathematics and Information Technology Institute, Xingtai University, Xingtai,
More informationAttribute-Based Signatures
Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek Abstract We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings 1 Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationA DAA Scheme Requiring Less TPM Resources
A DAA Scheme Requiring Less TPM Resources Liqun Chen Hewlett-Packard Laboratories liqun.chen@hp.com Abstract. Direct anonymous attestation (DAA) is a special digital signature primitive, which provides
More informationGeneralizing Efficient Multiparty Computation
Generalizing Efficient Multiparty Computation Bernardo David 1, Ryo Nishimaki 2, Samuel Ranellucci 1, and Alain Tapp 3 1 Department of Computer Science Aarhus University, Denmark {bernardo,samuel}@cs.au.dk
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationEfficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications by Kristiyan Haralambiev A dissertation submitted in partial fulfillment of the requirements for the degree
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationConcise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security
Concise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security Benoît Libert 1, Marc Joye 2, Moti Yung 3, and Thomas Peters 4 1 Ecole Normale Supérieure de Lyon, Laboratoire de
More informationWe recommend you cite the published version. The publisher s URL is:
El Kaafarani, A., Ghadafi, E. and Khader, D. (2014) Decentralized traceable attribute-based signatures. Cryptographers Track at the RSA Conference, 8366. pp. 327-348. ISSN 0302-9743 Available from: http://eprints.uwe.ac.uk/31222
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Ernie Brickell Intel Corporation ernie.brickell@intel.com Jan Camenisch IBM Research jca@zurich.ibm.com Liqun Chen HP Laboratories liqun.chen@hp.com February 11, 2004 Abstract
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationDivisible E-cash Made Practical
Divisible E-cash Made Practical Sébastien Canard (1), David Pointcheval (2), Olivier Sanders (1,2) and Jacques Traoré (1) (1) Orange Labs, Caen, France (2) École Normale Supérieure, CNRS & INRIA, Paris,
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationAnonymous Attestation Using the Strong Diffie Hellman Assumption Revisited
Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited Jan Camenisch 1, Manu Drijvers 1,2, and Anja Lehmann 1 1 IBM Research Zurich, Säumerstrasse 4, 8803 Rüschlikon, Switzerland {jca,mdr,anj}@zurich.ibm.com
More informationAlgebraic MACs and Keyed-Verification Anonymous Credentials
This is the full version of an extended abstract published in ACM CCS 2014. Posted as Report 2013/516 on 19 August 2013; revised 8 September 2014. Algebraic MACs and Keyed-Verification Anonymous Credentials
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi Brown University foteini@cs.brown.edu Anna Lysyanskaya Brown University anna@cs.brown.edu ABSTRACT We define and propose an efficient and provably secure construction
More informationBlack-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way
Proceedings on Privacy Enhancing Technologies ; 2016 (3):62 82 Tibor Jager and Andy Rupp* Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way Abstract: We formalize and construct
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationConvertible Group Undeniable Signatures
Convertible Group Undeniable Signatures Yuh-Dauh Lyuu 1 and Ming-Luen Wu 2 1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan lyuu@csie.ntu.edu.tw
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationPolicy-Based Signatures
Policy-Based Signatures Mihir Bellare Georg Fuchsbauer Abstract We introduce signatures where signers can only sign messages that conform to some policy, yet privacy of the policy is maintained. We provide
More informationStructure-Preserving Signatures from Standard Assumptions, Revisited
Structure-Preserving Signatures from Standard Assumptions, Revisited Eike Kiltz, Jiaxin Pan, and Hoeteck Wee 1 Ruhr-Universität Bochum 2 Ruhr-Universität Bochum 3 ENS, Paris {eike.kiltz,jiaxin.pan}@rub.de,
More informationThe Kernel Matrix Diffie-Hellman Assumption
The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada
More informationGroth Sahai proofs revisited
Groth Sahai proofs revisited E. Ghadafi, N.P. Smart, and B. Warinschi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi,nigel,bogdan}@cs.bris.ac.uk
More informationShort Randomizable Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 16) (29 February 4 March 2016, San Francisco, CA, USA) Kazue Sako
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationComputing on Authenticated Data: New Privacy Definitions and Constructions
Computing on Authenticated Data: New Privacy Definitions and Constructions Nuttapong Attrapadung, Benoit Libert, Thomas Peters To cite this version: Nuttapong Attrapadung, Benoit Libert, Thomas Peters.
More informationA Direct Anonymous Attestation Scheme for Embedded Devices
A Direct Anonymous Attestation Scheme for Embedded Devices He Ge 1 and Stephen R. Tate 2 1 Microsoft Corporation, One Microsoft Way, Redmond 98005 hege@microsoft.com 2 Department of Computer Science and
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London E-mail: j.groth@ucl.ac.uk September 7, 2007 Abstract We construct a new group signature scheme using bilinear
More informationInteractive and Non-Interactive Proofs of Knowledge
Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept 2012 1 / 63 1 General Remarks 2 Building blocks 3 Non-Interactive
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationFully Anonymous Group Signatures without Random Oracles
Fully Anonymous Group Signatures without Random Oracles Jens Groth University College London j.groth@ucl.ac.uk March 25, 2013 Abstract We construct a new group signature scheme using bilinear groups. The
More informationAttribute-Based Signatures for Unbounded Languages from Standard Assumptions
Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) GoichiroHanaoka
More informationA Fully-Functional group signature scheme over only known-order group
A Fully-Functional group signature scheme over only known-order group Atsuko Miyaji and Kozue Umeda 1-1, Asahidai, Tatsunokuchi, Nomi, Ishikawa, 923-1292, Japan {kozueu, miyaji}@jaist.ac.jp Abstract. The
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationP-signatures and Noninteractive Anonymous Credentials
P-signatures and Noninteractive Anonymous Credentials Mira Belenkiy 1, Melissa Chase 1, Markulf Kohlweiss 2, and Anna Lysyanskaya 1 1 Brown University {mira, melissa, anna}@cs.brown.edu 2 KU Leuven mkohlwei@esat.kuleuven.be
More informationMulti-key Hierarchical Identity-Based Signatures
Multi-key Hierarchical Identity-Based Signatures Hoon Wei Lim Nanyang Technological University 9 June 2010 Outline 1 Introduction 2 Preliminaries 3 Multi-key HIBS 4 Security Analysis 5 Discussion 6 Open
More informationA New Constant-size Accountable Ring Signature Scheme Without Random Oracles
New Constant-size ccountable Ring Signature Scheme Without Random Oracles Sudhakar Kumawat 1 and Souradyuti Paul 2 1 Indian Institute of Technology Gandhinagar 2 Indian Institute of Technology Bhilai {sudhakar.bm07,souradyuti.paul}@gmail.com
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationLecture Notes 15 : Voting, Homomorphic Encryption
6.857 Computer and Network Security October 29, 2002 Lecture Notes 15 : Voting, Homomorphic Encryption Lecturer: Ron Rivest Scribe: Ledlie/Ortiz/Paskalev/Zhao 1 Introduction The big picture and where we
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationEfficient Group Signatures without Trapdoors
Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationTight Proofs for Signature Schemes without Random Oracles
Tight Proofs for Signature Schemes without Random Oracles Sven Schäge Horst Görtz Institute for IT-Security Ruhr-University of Bochum sven.schaege@rub.de Abstract. We present the first tight security proofs
More informationConstant Size Ring Signature Without Random Oracle
Constant Size Ring Signature Without Random Oracle Priyanka Bose, Dipanjan Das, and C. Pandu Rangan Indian Institute of Technology, Madras {priyab,dipanjan,rangan}@cse.iitm.ac.in Abstract. Ring signature
More informationShort and Stateless Signatures from the RSA Assumption
Short and Stateless Signatures from the RSA Assumption Susan Hohenberger 1, and Brent Waters 2, 1 Johns Hopkins University, susan@cs.jhu.edu 2 University of Texas at Austin, bwaters@cs.utexas.edu Abstract.
More informationRevocation for Delegatable Anonymous Credentials MSR-TR
Revocation for Delegatable Anonymous Credentials MSR-TR-2010-170 Tolga Acar and Lan Nguyen Microsoft Research One Microsoft Way, Redmond, WA 98052, USA tolga@microsoft.com, languyen@microsoft.com http://research.microsoft.com/en-us/people/{tolga,languyen}
More information