DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES
1 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES
Essam Ghadafi (1), Ali El Kaafarani (2), Dalia Khader (3)
(1) University of Bristol, (2) University of Bath, (3) University of Luxembourg
ghadafi@cs.bris.ac.uk
CT-RSA 2014

2 OUTLINE
1 BACKGROUND
2 A SECURITY MODEL
3 GENERIC CONSTRUCTIONS
4 INSTANTIATIONS
5 SUMMARY
3 ATTRIBUTE-BASED SIGNATURES
Attribute-Based Signatures [Maji et al. 2008].
Users have attributes (e.g. Departmental Manager, Chairman, Finance Department, etc.).
A user can sign a message w.r.t. a policy Ψ only if she owns attributes A s.t. Ψ(A) = 1.
The verifier learns nothing other than that some signer with attributes satisfying the policy has produced the signature.
[Figure: a signer holding the attributes "Finance Dept." and "Manager" produces a signature w.r.t. the policy "Chairman OR Manager AND Finance OR Supervisor AND Materials".]

4 APPLICATIONS OF ATTRIBUTE-BASED SIGNATURES
Example applications:
Attribute-Based Messaging: recipients are assured that the sender satisfies a certain policy.
Leaking Secrets: Ring Signatures [RST01] allow a signer to sign a message on behalf of an ad-hoc group. ABS allow more expressive predicates for leaking a secret: the leaker satisfies some policy vs. the leaker is in the ring.
Many other applications: ...

5 SECURITY OF ATTRIBUTE-BASED SIGNATURES
Security of Attribute-Based Signatures [Maji et al. 2008]:
(Perfect) Privacy (Anonymity): the signature hides:
1 the identity of the signer;
2 the attributes used in the signing (i.e. how Ψ was satisfied).
Unforgeability: a signer cannot forge signatures w.r.t. signing policies her attributes do not satisfy, even if she colludes with other signers.

6 RELATED WORK ON ATTRIBUTE-BASED SIGNATURES
Maji et al.
Shahandashti and Safavi-Naini
Li et al.
Okamoto and Takashima 2011
Gagné et al.
Herranz et al.

7 TRACEABLE ATTRIBUTE-BASED SIGNATURES
Traceable Attribute-Based Signatures (TABS) [Escala et al. 2011]: extend ABS by adding an anonymity revocation mechanism.
A tracing authority can reveal the identity of the signer.
Crucial in enforcing accountability and deterring abuse.
8 OUR CONTRIBUTION
1 A security model for Decentralized Traceable Attribute-Based Signatures (DTABS).
2 Two generic constructions for DTABS.
3 Example instantiations in the standard model.

9 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES
[Figure: a signer produces a signature w.r.t. the policy "Professor at Bristol OR IACR Member"; a Tracing Authority can open it.]

10 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES
Features of Our Model:
Multiple attribute authorities, e.g. Company A, University B, Organization C, Government D, etc. They need not trust one another or even be aware of each other.
Signers and attribute authorities can join the system at any time.
A tracing authority can reveal the identity of the signer.
Tracing correctness is publicly verifiable.

11 SECURITY OF DTABS
Correctness: if all parties are honest:
Signatures verify correctly.
The tracing authority can identify the signer.
The Judge algorithm accepts the tracing decision.
12 SECURITY OF DTABS
Anonymity: signatures do not reveal the identity of the signer or the attributes used.
[Game diagram: the adversary receives param and has access to the oracles Add Signer, Add Auth, Add Corrupt Auth, Reveal Signer Key, Reveal Auth Key, CH and Trace Signature. It submits (sid_0, A_0), (sid_1, A_1), m, Ψ to the challenge oracle CH, which picks b ∈ {0,1} and returns a signature σ; the adversary outputs a guess b*.]
Adversary wins if b* = b.
The CH oracle returns ⊥ if Ψ(A_0) ≠ 1 or Ψ(A_1) ≠ 1.
The Trace oracle returns ⊥ if queried on the challenge signature σ.

13 SECURITY OF DTABS
Full Unforgeability: even if signers collude, they cannot produce a signature on behalf of a signer whose attributes do not satisfy the policy. Covers non-frameability.
[Game diagram: the adversary receives param and the tracing key tk, has access to the oracles Add Signer, Add Auth, Add Corrupt Auth, Reveal Signer Key, Reveal Auth Key and Sign, and outputs (m*, σ*, Ψ*, sid*, π*).]
Adversary wins if:
σ* is valid and π* is accepted by Judge.
No corrupt subset of attributes A_{sid*} s.t. Ψ*(A_{sid*}) = 1.
(sid*, m*, σ*, Ψ*) was not obtained from the signing oracle.

14 SECURITY OF DTABS
Traceability: signatures are traceable, i.e. the tracing authority can always identify the signer.
[Game diagram: the adversary receives param and the tracing key tk, has access to the oracles Add Signer, Add Auth, Reveal Signer Key and Sign, and outputs (m*, σ*, Ψ*).]
Adversary wins if all of the following hold: σ* is a valid signature on m* w.r.t. Ψ*, and either:
σ* opens to a signer who was never added, or
the Judge algorithm rejects the tracing proof.
15 GENERIC CONSTRUCTIONS
Construction I. Tools used:
Two NIZK systems NIZK_1 and NIZK_2. NIZK_1 needs to be simulation-sound and a proof of knowledge.
A tagged signature scheme TS: a digital signature scheme that signs a tag and a message.
A digital signature scheme DS.
An IND-CCA2 public key encryption scheme PKE.

16 GENERIC CONSTRUCTIONS (CONSTRUCTION I)
Setup: generate (epk, esk) for PKE, (vk, sk) for DS, crs_1 for NIZK_1, and crs_2 for NIZK_2. Set tk := esk and param := (crs_1, crs_2, vk, epk, H).
Attribute Authority Join: generate (aavk_aid, assk_aid) for TS.
Attribute Key Generation: to generate a key sk_{sid,a} for attribute a for signer sid, compute sk_{sid,a} ← TS.Sign(assk_{aid(a)}, sid, a).

17 GENERIC CONSTRUCTIONS (CONSTRUCTION I)
Signing: to sign m w.r.t. Ψ:
1 C ← PKE.Enc(epk, sid).
2 Produce a proof π of A and sid that:
  1 C is an encryption of sid.
  2 Either the signer owns attributes A s.t. Ψ(A) = 1 (has a valid tagged signature on (sid, a) for each a ∈ A), OR has a special digital signature on H(Ψ, m, C), i.e. a pseudo-attribute.
The signature is σ := (C, π).
Tracing: the tracing authority uses esk to decrypt C to obtain sid, and produces a proof π_Trace of esk that decryption was done correctly.

18 GENERIC CONSTRUCTIONS
Construction II. Changes from Construction I:
NIZK_1 need not be simulation-sound.
Replace PKE with a selective-tag weakly IND-CCA tag-based encryption scheme TPKE.
Need a strongly unforgeable one-time signature OTS.
Another collision-resistant hash function Ĥ to hash into the tag space of TPKE.

19 GENERIC CONSTRUCTIONS (CONSTRUCTION II)
Signing: to sign m w.r.t. Ψ:
1 Choose a fresh key pair (otsvk, otssk) for OTS.
2 C_tbe ← TPKE.Enc(epk, Ĥ(otsvk), sid).
3 Produce a proof π of A and sid that:
  1 C_tbe is an encryption of sid under tag Ĥ(otsvk).
  2 Either the signer owns attributes A s.t. Ψ(A) = 1 (has a valid tagged signature on (sid, a) for each a ∈ A), OR has a special digital signature on H(Ψ, m, C_tbe, Ĥ(otsvk)).
4 Compute σ_ots ← OTS.Sign(otssk, (π, C_tbe, otsvk)).
The signature is σ := (σ_ots, π, C_tbe, otsvk).
Tracing: the tracing authority uses esk to decrypt C_tbe to obtain sid, and produces a proof π_Trace of esk that decryption was done correctly.

20 GENERIC CONSTRUCTIONS (CONSTRUCTION II)
Security of the Construction:
Anonymity: zero-knowledge of NIZK_1 and NIZK_2; ST-IND-CCA of TPKE; unforgeability of OTS; collision-resistance of H and Ĥ.
Full Unforgeability: soundness of NIZK_1 and NIZK_2; unforgeability of TS, DS and OTS; collision-resistance of H and Ĥ.
Traceability: soundness of NIZK_1; unforgeability of TS and DS.

21 GENERIC CONSTRUCTIONS
How to prove that one owns A s.t. Ψ(A) = 1? Use a span program:
Represent Ψ by a |Ψ| × β span matrix S.
Prove you know a vector z s.t. z · S = [1, 0, ..., 0] and {a_i : z_i ≠ 0} satisfies Ψ.
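The span-program check from slide 21, as an added example that is not part of the original slides: the policy from slide 3 (read as Chairman OR (Manager AND Finance) OR (Supervisor AND Materials), assuming AND binds tighter than OR) is converted into a |Ψ| × β span matrix S with the standard Lewko-Waters formula-to-MSP conversion, and a witness z with z · S = [1, 0, ..., 0] that is zero outside the signer's own attributes is found by Gauss-Jordan elimination over Z_p; this relation is what the NIZK in Constructions I and II proves in zero knowledge. The prime p, the tuple encoding of the policy and the function names are constructed for this example.

```python
"""Span-program witness for an attribute policy (added example, not the paper's code).

A monotone policy Psi becomes a |Psi| x beta span matrix S (one row per attribute
occurrence). Owning attributes A with Psi(A) = 1 is equivalent to knowing z, zero
outside the rows of A, with z*S = [1, 0, ..., 0] over Z_p: that z is the witness.
"""
from typing import List, Optional, Set, Tuple

# Constructed parameter: any prime works for the linear algebra; the real
# instantiation uses the order of the pairing-friendly group.
P = 2**255 - 19

# Policy from slide 3 as nested tuples (constructed encoding; AND binds tighter).
POLICY = ("OR", "Chairman",
          ("OR", ("AND", "Manager", "Finance"),
                 ("AND", "Supervisor", "Materials")))


def build_msp(policy) -> Tuple[List[str], List[List[int]]]:
    """Lewko-Waters conversion of a monotone formula into span-matrix rows.

    Returns (labels, S): labels[i] is the attribute that owns row i of S.
    """
    rows: List[Tuple[str, List[int]]] = []
    width = [1]  # current vector length beta; grows by one per AND gate

    def walk(node, vec: List[int]) -> None:
        if isinstance(node, str):            # leaf: an attribute
            rows.append((node, vec))
            return
        op, left, right = node
        if op == "OR":                       # both children inherit the vector
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":                    # split vec into (v|1) and (0..0|-1)
            padded = vec + [0] * (width[0] - len(vec))
            width[0] += 1
            walk(left, padded + [1])
            walk(right, [0] * (width[0] - 1) + [P - 1])   # -1 mod p
        else:
            raise ValueError(f"unknown gate {op}")

    walk(policy, [1])
    beta = width[0]
    labels = [lab for lab, _ in rows]
    matrix = [vec + [0] * (beta - len(vec)) for _, vec in rows]
    return labels, matrix


def find_witness(labels: List[str], matrix: List[List[int]],
                 owned: Set[str]) -> Optional[List[int]]:
    """Solve z*S = [1,0,...,0] over Z_p using only rows of owned attributes.

    Returns z (length |Psi|, zero outside owned rows), or None when the owned
    attributes do not satisfy the policy (the target is outside their span).
    """
    idx = [i for i, lab in enumerate(labels) if lab in owned]
    if not idx:
        return None
    beta, n = len(matrix[0]), len(idx)
    target = [1] + [0] * (beta - 1)
    # One equation per column j: sum_i z_i * S[i][j] = target[j] (augmented).
    A = [[matrix[i][j] % P for i in idx] + [target[j]] for j in range(beta)]
    pivots: List[int] = []
    r = 0
    for c in range(n):                       # Gauss-Jordan elimination mod p
        piv = next((k for k in range(r, beta) if A[k][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], P - 2, P)
        A[r] = [(x * inv) % P for x in A[r]]
        for k in range(beta):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(x - f * y) % P for x, y in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
    if any(A[k][n] for k in range(r, beta)):  # a row "0 = nonzero": no solution
        return None
    z = [0] * len(labels)
    for row, c in enumerate(pivots):         # free variables stay 0
        z[idx[c]] = A[row][n]
    return z


def verify(matrix: List[List[int]], z: List[int]) -> bool:
    """The relation the NIZK proves: z*S == [1, 0, ..., 0] over Z_p."""
    beta = len(matrix[0])
    prod = [sum(z[i] * matrix[i][j] for i in range(len(matrix))) % P
            for j in range(beta)]
    return prod == [1] + [0] * (beta - 1)


def attributes_used(labels: List[str], z: List[int]) -> Set[str]:
    """{a_i : z_i != 0}: the attributes that actually satisfy Psi."""
    return {labels[i] for i, zi in enumerate(z) if zi % P}


if __name__ == "__main__":
    labels, S = build_msp(POLICY)
    for owned in ({"Manager", "Finance"}, {"Chairman", "Manager"},
                  {"Manager", "Supervisor"}):
        z = find_witness(labels, S, owned)
        print(sorted(owned), "->",
              None if z is None else sorted(attributes_used(labels, z)))
```

Holding Manager and Supervisor yields no witness because [1, 0, 0] is outside the span of their two rows, which is exactly why a non-satisfying signer cannot produce the proof.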
22 INSTANTIATIONS OF CONSTRUCTION II
NIZKs: Groth-Sahai proofs [GS08], secure under DLIN (or SXDH).
TS: a variant of the automorphic signature scheme [Fuc09, Fuc10]; tag space is G_1 × G_2 and message space is Z_p; secure under q-ADHSDH and WFCDH (or q-ADHSDH and AWFCDH).
TPKE: the Kiltz [Kil06] tag-based encryption scheme, secure under DLIN (or SDLIN in group G_i).
DS: the full Boneh-Boyen signature scheme, secure under q-SDH. Need not hide the integer component.
OTS: the full Boneh-Boyen signature scheme, secure under q-SDH.

23 SUMMARY
A security model for decentralized traceable attribute-based signatures.
Two generic constructions.
Instantiations in the standard model.

24 THE END
Thank you for your attention! Questions?
COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationCertificateless Public Key Cryptography
Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.
More informationThe ElGamal Public- key System
Online Cryptography Course Dan Boneh Public key encryp3on from Diffie- Hellman The ElGamal Public- key System Recap: public key encryp3on: (Gen, E, D) Gen pk sk m c c m E D Recap: public- key encryp3on
More informationShort-term Linkable Group Signatures with Categorized Batch Verification
Short-term Linkable Group Signatures with Categorized Batch Verification Lukas Malina 1, Jordi Castella-Rocà 2, Arnau Vives-Guasch 2, Jan Hajny 1 1 Department of Telecommunications Faculty of Electrical
More informationAnonymous Proxy Signatures
This extended abstract appeared in Proceedings of the 6th Conference on Security and Cryptography for Networks (SCN 08) September 10 12, 2008, Amalfi, Italy R. Ostrovsky Eds. Springer-Verlag, LNCS 5229,
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCollusion-Resistant Group Key Management Using Attributebased
Collusion-Resistant Group Key Management Using Attributebased Encryption Presented by: Anurodh Joshi Overview of the Paper Presents a ciphertext-policy attribute-based encryption (CP-ABE) scheme to solve
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationInter-domain Identity-based Proxy Re-encryption
Inter-domain Identity-based Proxy Re-encryption Qiang Tang, Pieter Hartel, Willem Jonker Faculty of EWI, University of Twente, the Netherlands {q.tang, pieter.hartel, jonker}@utwente.nl August 19, 2008
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationA Novel Identity-based Group Signature Scheme from Bilinear Maps
MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose
More information