P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems
1 P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems
Andy Rupp (1), Gesine Hinterwälder (2), Foteini Baldimtsi (3), Christof Paar (2,4)
(1) Karlsruhe Institute of Technology, (2) University of Massachusetts Amherst, (3) Brown University, (4) Ruhr-University Bochum
2 Outline
- Motivation
- ecash Overview
- Performance Issues
- P4R Description
- Evaluation
3 Motivation
Transportation payments:
- Large volumes
- Low cost
- Have to be executed fast
Electronic payments:
- Throughput and convenience advantages
- Reduced revenue collection cost
- Enable dynamic pricing
- Facilitate maintenance of a system
- Enable easy collection of meaningful data
4 Motivation (press headlines)
- "Hacking the T: MBTA sues to keep MIT students from telling how they cracked the CharlieCard"
- "Some call T's new Charlie Card an invasion of privacy. But agency insists safeguards in place"
- "Hackers Crack London Tube Oyster Card"
- "Privacy Concerns Raised Over Clipper Card Passenger Tracking"
5 Motivation
We need payment systems for transportation that are:
- Secure (unforgeable and secure against double-spending)
- Private (anonymous)
- Trusted
- Efficient
- Low-cost
- Usable
- Reliable
6 ecash
[Figure: the user withdraws coins from the Bank, spends them, and the recipient deposits them at the Bank; each coin carries an ID.]
7 ecash: blind signatures
[Figure: the Bank issues a blind signature on a coin carrying the user's ID.]
Security properties of blind signatures:
- Blindness: the signer should not be able to view the messages he signs (i.e. the Bank cannot link e-coins to specific users)
- Unforgeability: the user should not be able to forge the signer's signatures (i.e. the user cannot forge coins)
8 ecash: double spending
Double spending reveals the user's ID!!!
9 Brands' Untraceable Offline Cash
- Introduced in 1993
- Most efficient scheme during the spending phase
- Well-known and implemented (Microsoft U-Prove)
[Bra93] S. Brands. Untraceable Off-line Cash in Wallets with Observers (Extended Abstract). In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '93.
10 Brands' Untraceable Offline Cash
Scheme based on a cyclic group $G_q$ of prime order $q$.
Coin size (elements that have to be stored on the user device for each coin): $A, B, z', a', b' \in G_q$ and $r', s, x_1, x_2 \in \mathbb{Z}_q$.
Exponentiations:
- Withdrawal: 12 exponentiations (user), 2 exponentiations (bank)
- Spending: 0 exponentiations (user), 3 exponentiations (verifier)
11-12 Implementation Results
Brands' base scheme on a 160-bit elliptic curve, with execution time measured on the Moo computational RFID tag (MSP430F2618).
- Storage space required per coin: 284 bytes
- Measured on the MSP430F2618 for Brands' withdrawing one coin and Brands' spending one coin: cycle count and execution time in s (at the MCU clock in MHz)
Users should not have to withdraw and store too many coins!!!
[ZGRF11] H. Zhang, J. Gummeson, B. Ransford, and K. Fu. Moo: A Batteryless Computational RFID and Sensing Platform.
13 Our Approach
- Build on Brands' scheme for efficiency reasons (could use any efficient, anonymous 2-show credential scheme)
- Alleviate its disadvantages (large coin size, inefficient withdrawal)
- Minimize the number of coins needed using a novel pre-payments-with-refunds approach:
  - Use a Brands coin as the ticket
  - Ticket price = cost of the most expensive trip
  - Cost of the actual trip is determined on exit
  - Pay a refund based on the overpayment
14-19 P4R: Main Components
Vending machines (online), entry turnstiles (offline), exit turnstiles (offline), central database, subway.
[Figure, built up over slides 14-19: the user buys a ticket and gets a piggy bank (refund token); at the entry turnstile the user shows the ticket and gets a stamped ticket; at the exit turnstile the user shows the stamped ticket and gets the refund in the piggy bank; finally the user cashes the piggy bank.]
20-22 Brands-Based TT System
Brands' coin:
$$A = (g_1^{id_U} g_2)^s,\qquad B = g_1^{x_1} g_2^{x_2},\qquad \text{coin} = (A, B, \mathrm{sig}(A, B))$$
Showing the coin (challenge $d$):
$$r_1 = d\,(id_U s) + x_1,\qquad r_2 = d\,s + x_2$$
Double spending (a second show of the same coin with challenge $d' \neq d$):
$$r_1' = d'\,(id_U s) + x_1,\qquad r_2' = d'\,s + x_2$$
$$\frac{r_1 - r_1'}{r_2 - r_2'} = \frac{(d - d')\,id_U s}{(d - d')\,s} = id_U$$
P4R coin (2-show):
$$A = (g_1^{id_U} g_2)^s,\qquad B = g_1^{x_1} g_2^{x_2},\qquad C = g_1^{x_1'} g_2^{x_2'},\qquad \text{coin} = (A, B, C, \mathrm{sig}(A, B, C))$$
First spending (against $B$):
$$r_1 = d\,(id_U s) + x_1,\qquad r_2 = d\,s + x_2$$
Second spending (against $C$):
$$r_1' = d'\,(id_U s) + x_1',\qquad r_2' = d'\,s + x_2'$$
Because the two spendings use independent blinding values $(x_1, x_2)$ and $(x_1', x_2')$, the quotient above no longer yields $id_U$; only a third show that reuses $B$ or $C$ identifies the user.
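The show and tracing equations above, worked through in a toy Schnorr group as an added example (this is not code from the slides or from the authors). It leaves out the bank's restrictive blind signature sig(A, B) entirely, uses the order-509 subgroup of Z_1019^* instead of a 160-bit curve, and fixes the secrets and challenges to small constants; all of that is an assumption of the example, not part of P4R. It checks the verifier equation g1^r1 g2^r2 = A^d B, recovers id_U from two shows of a plain Brands coin, and shows that the two legitimate shows of a P4R ticket (entry against B, exit against C) do not leak id_U while a third show reusing B does.

```python
# Added example, not code from the P4R slides or the authors: Brands-style coin
# showing and double-spend tracing in a toy Schnorr group, plus the P4R 2-show
# variant. The bank's blind signature sig(A,B[,C]) is omitted on purpose; only the
# coin values, the show responses and what a verifier can compute are modelled.

P, Q = 1019, 509      # toy safe prime P = 2Q + 1 (assumption; real systems use ~160-bit curves)
G1, G2 = 4, 9         # squares in Z_P^*, hence generators of the order-Q subgroup


def make_coin(id_u, s, x1, x2, x1p=None, x2p=None):
    """User-side coin values. A = (g1^id g2)^s, B = g1^x1 g2^x2.
    The P4R ticket adds C = g1^x1' g2^x2' so the coin can be shown twice (entry, exit)."""
    A = pow(pow(G1, id_u, P) * G2 % P, s, P)
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    coin = {"A": A, "B": B, "show_B": (id_u, s, x1, x2)}
    if x1p is not None:
        coin["C"] = pow(G1, x1p, P) * pow(G2, x2p, P) % P
        coin["show_C"] = (id_u, s, x1p, x2p)
    return coin


def show(secret, d):
    """User responses to challenge d: r1 = d*(id*s) + x1, r2 = d*s + x2 (mod Q)."""
    id_u, s, x1, x2 = secret
    return ((d * id_u * s + x1) % Q, (d * s + x2) % Q)


def verify(A, B_or_C, d, r1, r2):
    """Turnstile/merchant check: g1^r1 * g2^r2 == A^d * B (or A^d * C on the second show)."""
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B_or_C % P


def trace(show_a, show_b):
    """Bank-side tracing from two transcripts (d, r1, r2) of one coin. If both were
    answered with the SAME (x1, x2): (r1 - r1')/(r2 - r2') = (d-d') id s / ((d-d') s) = id_U."""
    (d, r1, r2), (dp, r1p, r2p) = show_a, show_b
    denom = (r2 - r2p) % Q
    if d == dp or denom == 0:
        return None                      # relation unusable (equal challenges)
    return (r1 - r1p) * pow(denom, -1, Q) % Q


def demo():
    """Fixed toy secrets (assumption; in practice s, x1, x2, x1', x2' are random in Z_Q)."""
    id_u, s = 123, 5
    d1, d2, d3 = 17, 42, 99              # distinct challenges (hash outputs in the real protocol)

    # Plain Brands coin: showing it twice against B is a double spend and reveals id_U.
    coin = make_coin(id_u, s, 11, 29)
    t1, t2 = show(coin["show_B"], d1), show(coin["show_B"], d2)
    double_spend_ok = (verify(coin["A"], coin["B"], d1, *t1)
                       and verify(coin["A"], coin["B"], d2, *t2))
    traced = trace((d1, *t1), (d2, *t2))

    # P4R ticket: entry show answers against B with (x1, x2), exit show against C with (x1', x2').
    tt = make_coin(id_u, s, 11, 29, 101, 333)
    entry, exit_ = show(tt["show_B"], d1), show(tt["show_C"], d2)
    trip_ok = (verify(tt["A"], tt["B"], d1, *entry)
               and verify(tt["A"], tt["C"], d2, *exit_))
    not_traced = trace((d1, *entry), (d2, *exit_))   # garbage value, since x2 != x2'

    # A third show re-using (x1, x2), i.e. ticket reuse, is a double spend again.
    reuse = show(tt["show_B"], d3)
    traced_reuse = trace((d1, *entry), (d3, *reuse))
    return {"double_spend_ok": double_spend_ok, "traced": traced, "trip_ok": trip_ok,
            "not_traced": not_traced, "traced_reuse": traced_reuse}


if __name__ == "__main__":
    print(demo())
```

The spending side stays exponentiation-free, exactly the property the slides credit to Brands' scheme: `show` only does arithmetic mod Q, while `verify` (the offline turnstile) does the three exponentiations.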
23-25 P4R: BuyTT and GetRT
[Figure, built up over slides 23-25: the user (ID) buys an e-ticket carrying two ownership values, Ownership (1) and Ownership (2), and gets a piggy bank, the initial refund token $T_0$.]
26-28 P4R: ShowTT and GetRCT
[Figure, built up over slides 26-28: at the entry turnstile the user shows the e-ticket with Ownership (1); the reader stamps it with the trip origin and time (Origin: S Bay, Time: 8/1/) and returns the stamped ticket.]
29-31 P4R: ShowRCT and GetRefund
[Figure, built up over slides 29-31: at the exit turnstile the user shows the stamped ticket (Origin: S Bay, Time: 8/1/) together with Ownership (2); the reader determines the fare and adds the refund (the figure shows amounts such as 1.31) to the piggy bank.]
32-34 P4R: RedeemRT
Cashing the RT:
- valid?
- in DB and not cashed before?
- valid! -> marked as cashed
35 BLS-Signature Based RT System
A pairing is a bilinear map: $e(a^u, b^v) = e(a, b)^{uv}$ for all $u, v \in \mathbb{Z}_p$ and $a, b \in G_p$.
BLS signatures require an efficiently computable, non-degenerate pairing!
Boneh-Lynn-Shacham signatures:
- Keys: $sk = x \in \mathbb{Z}_p$, $v = g^x$
- Signature on $m$: $\sigma := H(m)^x$, with $H$ hashing into $G$
- Verification of $(m, \sigma)$: $e(g, \sigma) \stackrel{?}{=} e(v, H(m))$
36-37 BLS-Signature Based RT System
Refund token: $RT = A \in G$, $R = 1$, $v = 0$.
Adding refund $w$, user side: $r \in \mathbb{Z}_p$, $RT' = RT^r$, $v = v + w$, $R = R \cdot r \bmod p$.
Adding refund $w$, TA side (the TA holds the secret $d$): $RT' = RT'^{\,d^w}$.
After all updates the token has the form $RT' = A^{R\, d^v}$.
Verify claim for refund $v$: $e(A^R, h^{d^v}) \stackrel{?}{=} e(RT', h)$.
Without $d$ the user cannot raise the power of $d$ in the exponent, so the claimed $v$ cannot be inflated.
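The refund-token update rules above and the RedeemRT checks from slides 32-34 (valid? in DB and not cashed before?), as an added example that is not the authors' code. It assumes a toy group (the order-509 subgroup of Z_1019^*), that the verifier belongs to the TA and holds d, so it can check RT = A^(R d^v) by recomputation, which by bilinearity is exactly what the pairing equation e(A^R, h^(d^v)) = e(RT, h) tests, and that the central database keys tokens by A; none of these details are taken from the slides.

```python
# Added example, not code from the P4R slides or the authors: accumulating refunds
# in a BLS-style refund token RT = A^(R * d^v) and the RedeemRT checks. The TA's
# verifier recomputes A^(R * d^v) with its secret d instead of evaluating the pairing
# e(A^R, h^(d^v)) = e(RT, h); both test the same exponent equality (assumption: the
# verifier holds d). The DB is keyed by A (assumption).
import random

P, Q = 1019, 509      # toy safe prime P = 2Q + 1 (assumption; real systems use pairing-friendly curves)
G = 4                 # generator of the order-Q subgroup of Z_P^*


def new_token(A):
    """Fresh piggy bank: RT = A, blinding product R = 1, accumulated refund v = 0."""
    return {"RT": A, "R": 1, "v": 0}


def user_blind(tok, w, rng):
    """User side of GetRefund: re-randomise RT with r, remember r in R, book refund w."""
    r = rng.randrange(1, Q)
    tok["RT"] = pow(tok["RT"], r, P)
    tok["R"] = tok["R"] * r % Q
    tok["v"] += w


def ta_add_refund(tok, d, w):
    """Exit turnstile (knows d): RT' = RT^(d^w). Nobody without d can perform this step."""
    tok["RT"] = pow(tok["RT"], pow(d, w, Q), P)


def token_valid(d, A, RT, R, v):
    """Verifier's check RT == A^(R * d^v); equivalent to e(A^R, h^(d^v)) == e(RT, h)."""
    return pow(A, R * pow(d, v, Q) % Q, P) == RT


def redeem(db, d, A, RT, R, v):
    """RedeemRT: valid? in DB and not cashed before? -> cash, otherwise reject with a reason."""
    if not token_valid(d, A, RT, R, v):
        return "invalid"
    if A not in db["issued"]:
        return "unknown"
    if A in db["cashed"]:
        return "already_cashed"
    db["cashed"].add(A)
    return "cashed"


def demo(seed=1):
    rng = random.Random(seed)               # only the user's blinding values are random
    d = 7                                   # TA secret key (toy value)
    A = pow(G, 321, P)                      # initial token handed out with the ticket
    db = {"issued": {A}, "cashed": set()}   # central database
    tok = new_token(A)
    for w in (3, 1, 2):                     # refunds from three trips, in fare units
        user_blind(tok, w, rng)             # user blinds before showing RT at the exit
        ta_add_refund(tok, d, w)            # exit turnstile adds w
    res = {"v": tok["v"]}
    # Claiming one unit more than was granted fails the exponent check.
    res["overclaim"] = redeem(db, d, A, tok["RT"], tok["R"], tok["v"] + 1)
    # Tampering with RT without d (here: squaring it) also fails.
    res["forged"] = redeem(db, d, A, pow(tok["RT"], 2, P), tok["R"], tok["v"])
    res["honest"] = redeem(db, d, A, tok["RT"], tok["R"], tok["v"])
    # Presenting the same token again is caught by the DB, not by the math.
    res["replay"] = redeem(db, d, A, tok["RT"], tok["R"], tok["v"])
    return res


if __name__ == "__main__":
    print(demo())
```

The split between the two checks matters operationally: `token_valid` is what prevents a user from inflating v, while the "cashed" set in the online database is the only thing preventing a token from being cashed twice, which is why RedeemRT must go through the online vending machine rather than an offline turnstile.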
38 Security of P4R
TA security (the TA does not lose any money):
- The user cannot forge tickets
- The user cannot receive reimbursement that exceeds the overall deposit for tickets minus the overall fare of the trips
User security: a passive adversary cannot steal tickets or refunds from a user.
User privacy: an adversary cannot distinguish between all possible trip sequences leading to the same total refund amount.
39 User's Side Implementation on Moo
Storage space to make 20 trips is at most 7.62 KB!
Operation           | Cycle count   | Execution time in s (at the MCU clock in MHz)
BuyTT & GetRT       | 84,585,...    |
ShowTT & GetRCT     |               |
ShowRCT & GetRefund | 5,466,...     |
RedeemRT*           | 5,549,...     |
* Excludes authenticating to the vending machine.
40 Thank you for your attention!!!
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationAnonymous Transferable E-Cash
Anonymous Transferable E-Cash Foteini aldimtsi 1, Melissa Chase 2, Georg Fuchsbauer 3, and Markulf Kohlweiss 2 1 oston University foteini@cs.bu.edu 2 Microsoft Research {melissac, markulf}@microsoft.com
More informationA Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing
Ghada rfaoui, Jean-François Lalande, Jacques Traoré, Nicolas Desmoulins, Pascal Berthomé, and Saïd Gharout Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing arxiv:1505.03048v1
More informationSynchronized Aggregate Signatures from the RSA Assumption
Synchronized Aggregate Signatures from the RSA Assumption Susan Hohenberger Johns Hopkins University susan@cs.jhu.edu Brent Waters UT Austin bwaters@cs.utexas.edu January 18, 2018 Abstract In this work
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More information