FORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013
|
|
- Scot Newton
- 5 years ago
- Views:
Transcription
1 FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES Essam Ghadafi University of Bristol ACISP 2013 FORMALIZING GROUP BLIND SIGNATURES...
2 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...
3 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...
4 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...
5 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...
6 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...
7 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...
8 GROUP BLIND SIGNATURES Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the privacy of the message to be signed. Group Blind Signatures [LZ98] combine properties of the above and thus preserve both the anonymity of the signer + the privacy of the message. FORMALIZING GROUP BLIND SIGNATURES... 1
9 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk User Group FORMALIZING GROUP BLIND SIGNATURES... 2
10 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk User Group FORMALIZING GROUP BLIND SIGNATURES... 2
11 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk Sig User Group FORMALIZING GROUP BLIND SIGNATURES... 2
12 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk Sig User Group FORMALIZING GROUP BLIND SIGNATURES... 2
13 HISTORY AND RELATED WORK The primitive which combines the properties of a blind signature [Cha83] and a group signature [CH91] was introduced by Lysyanskaya and Zulfikar [LZ98]. Existing constructions: Lysyanskaya and Zulfikar, Based on Camenisch-Stadler group signatures [CL97]. K. Q. Nguyen, Y. Mu, and V. Varadharajan, Uses divertible zero-knowledge proofs [OO90]. FORMALIZING GROUP BLIND SIGNATURES... 3
14 APPLICATIONS OF GROUP BLIND SIGNATURES Group blind signatures provide bi-directional privacy and are thus useful for applications where such a requirement is needed. Example applications: Distributed e-cash, e.g. [LZ98]: The e-coin reveals neither the identity of its holder nor that of the issuing bank/branch. Other applications include: multi-authority e-voting and e-auction systems. FORMALIZING GROUP BLIND SIGNATURES... 4
15 OUR CONTRIBUTION A formal security model for the primitive. A generic construction. The first instantiations without random oracles. Other useful building blocks and observations. FORMALIZING GROUP BLIND SIGNATURES... 5
16 SECURITY DEFINITION CHALLENGES The signing protocol is blind, i.e. the message is not known to the signer and the signature is not well defined, so: 1 How to define Full Anonymity, i.e. CCA2 Anonymity? How to identify the challenge signature? 2 How to define non-frameability? 3 How to extend blindness to the group setting? FORMALIZING GROUP BLIND SIGNATURES... 6
17 SYNTAX OF GROUP BLIND SIGNATURES A GROUP BLIND SIGNATURE GKg(1 λ ): Outputs gpk, ik and ok. UKg: Outputs a pair of personal secret/public keys (ssk[i], spk[i]) for a signer. Join(gpk, i, ssk[i]), Issue(ik, i, spk[i]) : If successful, Signer i becomes a member and obtains a group signing key gsk[i]. Obtain(gpk, m), Sign(gsk[i]) : If successful, the user obtains a signature Σ; Otherwise, it outputs. GVf(gpk, m, Σ): Verifies if Σ is valid on the message m. Open(gpk, ok, reg, m, Σ): Returns the identity of the signer plus a proof τ. Judge(gpk, i, spk[i], m, Σ, τ): Verifies the Opener s decision. FORMALIZING GROUP BLIND SIGNATURES... 7
18 SECURITY OF GROUP BLIND SIGNATURES Correctness: If all parties are honest, we have that: Signatures are accepted by the GVf algorithm. The Opener can identify the signer. The Judge algorithm accepts the Opener s decision. FORMALIZING GROUP BLIND SIGNATURES... 8
19 SECURITY OF GROUP BLIND SIGNATURES Anonymity: Signatures do not reveal who signed them. gpk,ik Open Open SSK SSK ModifyReg ModifyReg... CrptS CrptS i 0, i 1 Ch Ch b {0,1} b {0,1} SndToS SndToS b * Adversary wins if: b = b. Similarly to IND-RCCA [CKN03], the Open oracle returns if the signature opens to i 0 or i 1. FORMALIZING GROUP BLIND SIGNATURES... 9
20 SECURITY OF GROUP BLIND SIGNATURES Traceability: The adversary cannot output an untraceable signature. AddS AddS gpk,ok CrptS CrptS SndToI SndToI ReadReg ReadReg SSK SSK Σ,m Adversary wins if all the following holds: Σ verifies on m. Either Σ does not open to a signer in the group or Judge does not accept the Opener s decision on Σ. FORMALIZING GROUP BLIND SIGNATURES... 10
21 SECURITY OF GROUP BLIND SIGNATURES Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it. gpk,ik,ok CrptS CrptS SndToS SndToS ModifyReg ModifyReg SSK SSK OSign... OSign id,σ 1,m 1,...,Σ n+1,m n+1 Adversary wins if all the following holds: i {1,..., n + 1}, Σ i verifies on m i, opens to id and the opening is accepted by Judge. The adversary asked for only n signatures by signer id. If weak unforgeability, the messages are distinct. FORMALIZING GROUP BLIND SIGNATURES... 11
22 SECURITY OF GROUP BLIND SIGNATURES Blindness: Group members do not learn the message being signed. gpk,ik Open Open SSK SSK ModifyReg ReadReg ModifyReg ReadReg CrptS CrptS SndToS SndToS m 0,m 1 (Σ 0,Σ 1 ) or (, ) b * b {0,1} Obtain(gpk,m Obtain(gpk,m b ) b ) Obtain(gpk,m Obtain(gpk,m 1-b ) 1-b ) Σ b Σ 1-b Adversary wins if: b = b. If strong unforgeability, the Open oracle returns if (m, Σ) = (m b, Σ b ) or (m, Σ) = (m 1 b, Σ 1 b ). If weak unforgeability, the Open oracle returns if m {m 0, m 1 }. FORMALIZING GROUP BLIND SIGNATURES... 12
23 CONSTRUCTION CHALLENGES How to realize the subtle dual privacy requirement and 1 Maintain round optimality 2 Avoid idealized assumptions? FORMALIZING GROUP BLIND SIGNATURES... 13
24 (PRIME-ORDER) BILINEAR GROUPS G 1, G 2, G T are finite cyclic groups of prime order p, where G 1 := G 1 and G 2 := G 2. Pairing (e : G 1 G 2 G T ) : The function e must have the following properties: Bilinearity: H 1 G 1, H 2 G 2 x, y Z, we have e(h x 1, Hy 2 ) = e(h 1, H 2 ) xy. Non-degeneracy: The value e(g 1, G 2 ) 1 generates G T. The function e is efficiently computable. Type-3 [GPS08]: G 1 G 2 and no efficiently computable isomorphism between G 1 and G 2. FORMALIZING GROUP BLIND SIGNATURES... 14
25 GROTH-SAHAI PROOFS Groth-Sahai proofs [GS08]: G 1 G 2 f G T ι 1 ρ 1 ι 2 ρ 2 ι T ρ T H 1 := G 2 1 H 2 := G 2 2 F H T := G 4 T The system work by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either: The simulation setting perfectly hiding proofs. The extraction setting perfectly sound proofs. The limitations: 1 Can only extract one-way function (i.e. G w i ) of an exponent witness w. 2 Cannot simulate and extract at the same time. FORMALIZING GROUP BLIND SIGNATURES... 15
26 GROTH-SAHAI PROOFS Useful Properties of Groth-Sahai Proofs: Independence of public terms (Also, independently observed by [Fuc11]): Example: n m m n E := e(a j, Y j ) e(x i, B i ) e(x i, Y j ) γi,j = t T, j=1 i=1 i=1 j=1 a proof Π for E is independent of t T we can transform Π into a NIZK/NIWI proof for a related equation without knowledge of the original witness. Re-randomizability of proofs [BCCKLS09]: Re-randomize the GS commitments and update the proofs the new proof is unlinkable to the old one. FORMALIZING GROUP BLIND SIGNATURES... 16
27 A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME NCL is based on the CL signature scheme [CL04]: THE NCL SIGNATURE SCHEME KeyGen: Choose x, y Z p, set sk := (x, y) and pk := (X := G x 2, Y := Gy 2 ). Sign: To sign (M 1, M 2 ) G 1 G 2, return if e(m 1, G 2 ) e(g 1, M 2 ); otherwise, compute σ := ( A := G a 1, B := Ay, C := M ay 1, D := (A C)x) G 4 1. Verify: Check that A 1 G1 and e(b, G 2 ) = e(a, Y) e(c, G 2 ) = e(b, M 2 ) e(d, G 2 ) = e(a C, X) FORMALIZING GROUP BLIND SIGNATURES... 17
28 A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME NCL is secure under the (interactive) DH-LRSW assumption: DEFINITION (DUAL-HIDDEN LRSW (DH-LRSW) ASSUMPTION) Given (G x 2, Gy 2 ) for x, y Z p and an oracle that on input a pair (M 1, M 2 ) G 1 G 2 outputs: if e(m 1, G 2 ) e(g 1, M 2 ). A DH-LRSW tuple ( G a 1, Gay otherwise. 1, May 1, Ax M axy ) 1 for a Zp, it is infeasible to compute a DH-LRSW tuple for (M 1, M 2 ) that was never queried to the oracle. FORMALIZING GROUP BLIND SIGNATURES... 18
29 THE BLIND SIGNATURE SCHEME [FUC09] As an example, we use the blind signature scheme by [Fuc09] based on the following automorphic signature scheme: THE AUTOMORPHIC SIGNATURE SCHEME [FUC09] Setup: Given (e, G 1, G 2, G T, G 1, G 2, p), choose F, K, T G 1. KeyGen: Choose s Z p and set pk := (S 1, S 2 ) = (G s 1, Gs 2 ). Sign: To sign (M 1, M 2 ) G 1 G 2 where e(m 1, G 2 ) = e(g 1, M 2 ), choose r, c Z p and compute: H := (K T r M 1 ) 1 x+c, R1 := G r 1, R 2 := G r 2, C 1 := F c, C 2 := G c 2. The signature is σ := (H, R 1, C 1, R 2, C 2 ) G 3 1 G2 2. Verify: Check that e(h, S 2 C 2 ) = e(k M 1, G 2 )e(t, R 2 ) e(c 1, G 2 ) = e(f, C 2 ) e(r 1, G 2 ) = e(g 1, R 2 ) FORMALIZING GROUP BLIND SIGNATURES... 19
30 THE BLIND SIGNATURE SCHEME [FUC09] The automorphic signature scheme is secure under: DEFINITION (AWFCDH ASSUMPTION) Given (G 1, G a 1, G 2) G 2 1 G 2 for a Z p, it is infeasible to output a tuple (G b 1, Gab 1, Gb 2, Gab 2 ) G 2 1 G 2 2 for an arbitrary b Zp. DEFINITION (q-adhsdh ASSUMPTION) Given (G 1, F, K, G x 1, G 2, G x 2 ) G 4 1 G 2 2 for x Zp, and q 1 tuples (A i := (K G r i 1 ) 1 x+c i, C 1,i := F c i, C 2,i := G c i 2, R 1,i := G r i 1, R 2,i := G r i 2 )q 1 i=1, where c i, r i Z p, it is infeasible to output a new tuple (A, C1, C 2, R 1, R 2 ). FORMALIZING GROUP BLIND SIGNATURES... 20
31 FISCHLIN S GENERIC CONSTRUCTION FOR BLIND SIGNATURES To get a round-optimal blind signature, Fischlin s framework [Fis06]: 1 The user sends a commitment C to the message M to the signer. 2 The signer responds with a signature σ on the commitment C. 3 The final blind signature Σ is a NIZK PoK Π of C and σ s.t. 1 σ is a valid signature on C w.r.t. pk. 2 C is a commitment to M. FORMALIZING GROUP BLIND SIGNATURES... 21
32 SIGNER-ANONYMOUS BLIND SIGNATURES In Fischlin s framework If: 1 The PoK used is re-randomizable and independent of the public terms, e.g. Groth-Sahai proofs. 2 The signature scheme has the property that all the terms involving the message in the verification equations are independent of the signature components relying on the signing key, e.g. [Fuc09]., we obtain a signer-anonymous blind signature. FORMALIZING GROUP BLIND SIGNATURES... 22
33 SIGNER-ANONYMOUS BLIND SIGNATURES Modify the Fischlin s framework as follows: 1 The user sends a commitment C to the message M. 2 The signer signs C and responds with a PoK Π of σ and pk s.t. 1 σ is a valid signature on C w.r.t. pk. 3 The user proceeds as follows: 1 Re-randomizes Π into a fresh proof Π. 2 Adds to Π a proof that C is a commitment to M. The final signer-anonymous blind signature Σ is Π. FORMALIZING GROUP BLIND SIGNATURES... 23
34 SIGNER-ANONYMOUS BLIND SIGNATURES Security: Unforgeability: As in Fischlin s framework. Blindness: As in Fischlin s framework + Re-randomizability of the PoK. Anonymity: The hiding (i.e. NIWI/NIZK) properties of the PoK. FORMALIZING GROUP BLIND SIGNATURES... 24
35 FROM A SIGNER-ANONYMOUS BS TO A GBS To extend the signer-anonymous BS to a GBS, we need: 1 A signature scheme CERT to certify members public keys when they join. Give sk CERT to the Issuer as ik. 2 Give the PoK extraction key to the Opener as ok. 3 The signer additionally needs to prove that he has a certificate on his public key w.r.t. pk CERT, i.e. that he is a member of the group. FORMALIZING GROUP BLIND SIGNATURES... 25
36 INSTANTIATIONS Instantiation I The Join Protocol: Uses the NCL signature scheme. The Signing Protocol: Based on the BS by [Fuc09] (i.e. The automorphic signature scheme + GS proofs). Assumptions: DH-LRSW, SXDH, AWFCDH and q-adhsdh. The Pros : More efficient (signature size is G G36 2 ). The Cons : Involves some interactive intractability assumptions (i.e. the DH-LRSW assumption). FORMALIZING GROUP BLIND SIGNATURES... 26
37 INSTANTIATIONS Instantiation II The Join Protocol: Uses the automorphic signature scheme [Fuc 09]. The Signing Protocol: Based on the BS by [Fuc09] (i.e. the automorphic signature scheme [Fuc09] + GS proofs). Assumptions: SXDH, AWFCDH and q-adhsdh. The Pros : Only relies on falsifiable intractability assumptions. The Cons : Less efficient (signature size is G G38 2 ). FORMALIZING GROUP BLIND SIGNATURES... 27
38 ACHIEVING FULL ANONYMITY Groth-Sahai proofs are not simulation-sound when simulating, we can no longer answer Open queries. Q: How to achieve full anonymity? A: One way is to combine Groth-Sahai proofs with an IND-CCA2 encryption scheme. The signer additionally encrypts the witness and proves that it was done correctly. When simulating, decrypt the ciphertext to recover the witness. The encryption scheme needs to be re-randomizable, e.g. maybe we could use an IND-RCCA encryption scheme. FORMALIZING GROUP BLIND SIGNATURES... 28
39 ACHIEVING FULL ANONYMITY Groth-Sahai proofs are not simulation-sound when simulating, we can no longer answer Open queries. Q: How to achieve full anonymity? A: One way is to combine Groth-Sahai proofs with an IND-CCA2 encryption scheme. The signer additionally encrypts the witness and proves that it was done correctly. When simulating, decrypt the ciphertext to recover the witness. The encryption scheme needs to be re-randomizable, e.g. maybe we could use an IND-RCCA encryption scheme. FORMALIZING GROUP BLIND SIGNATURES... 28
40 SUMMARY A formal security model for the primitive. Round-optimal constructions. The first constructions without idealized assumptions. FORMALIZING GROUP BLIND SIGNATURES... 29
41 OPEN PROBLEMS Efficient fully-anonymous instantiations. More efficient constructions without idealized assumptions. FORMALIZING GROUP BLIND SIGNATURES... 30
42 THE END Thank you for your attention! Questions? FORMALIZING GROUP BLIND SIGNATURES... 31
STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS
STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS Essam Ghadafi University College London e.ghadafi@ucl.ac.uk CT-RSA 2015 STRONGER SECURITY
More informationDECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES
DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES Essam Ghadafi 1 Ali El Kaafarani 2 Dalia Khader 3 1 University of Bristol, 2 University of Bath, 3 University of Luxembourg ghadafi@cs.bris.ac.uk CT-RSA
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig, IAIK,
More informationStructure-Preserving Certificateless Encryption and Its Application
SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow
More informationEfficient Round Optimal Blind Signatures
Efficient Round Optimal Blind Signatures Sanjam Garg IBM T.J. Watson Divya Gupta UCLA Complexity Leveraging Highly theoretical tool Used to obtain feasibility results Gives inefficient constructions Is
More informationAdding Controllable Linkability to Pairing-Based Group Signatures For Free
Adding Controllable Linkability to Pairing-Based Group Signatures For Free Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer IAIK, Graz University of Technology, Austria {daniel.slamanig raphael.spreitzer
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
More informationDecentralized Traceable Attribute-Based Signatures
Decentralized Traceable Attribute-Based Signatures Ali El Kaafarani 1, Essam Ghadafi 2, and Dalia Khader 3 1 University of Bath, UK 2 University of Bristol, UK 3 Interdisciplinary Centre for Security,
More informationUnique Group Signatures
Unique Group Signatures Matthew Franklin and Haibin Zhang Dept. of Computer Science, University of California, Davis, California 95616, USA {franklin,hbzhang}@cs.ucdavis.edu Abstract. We initiate the study
More informationOAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea
OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding Duong Hieu Phan ENS France David Pointcheval CNRS-ENS France Asiacrypt '04 Jeju Island - Korea December 6 th 2004 Summary Asymmetric Encryption
More informationAnonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove you re over 21, or
More informationAn Exploration of Group and Ring Signatures
An Exploration of Group and Ring Signatures Sarah Meiklejohn February 4, 2011 Abstract Group signatures are a modern cryptographic primitive that allow a member of a specific group (e.g., the White House
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationA Novel Identity-based Group Signature Scheme from Bilinear Maps
MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose
More informationHierarchical Attribute-based Signatures
Hierarchical Attribute-based Signatures Constantin-Cǎtǎlin Drǎgan, Daniel Gardham and Mark Manulis Surrey Centre for Cyber Security, University of Surrey, UK c.dragan@surrey.ac.uk, d.gardham@surrey.ac.uk,
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationCRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationSecurity Remarks on a Convertible Nominative Signature Scheme
Security Remarks on a Convertible Nominative Signature Scheme Guilin Wang and Feng Bao Institute for Infocomm Research (I 2 R) 21 Heng Mui Keng Terrace, Singapore 119613 {glwang,baofeng}@i2r.a-star.edu.sg
More informationGroup Signatures with Message-Dependent Opening in the Standard Model
Group Signatures with Message-Dependent Opening in the Standard Model Benoît Libert Marc Joye Group Signatures with Message-Dependent Opening in the Standard Model Benoît Libert Marc Joye Outline 1 Background
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationA Decade of Direct Anonymous Attestation
A Decade of Direct Anonymous Attestation From Research to Standard and Back Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com
More informationDAA: Fixing the pairing based protocols
DAA: Fixing the pairing based protocols Liqun Chen 1, Paul Morrissey 2 and Nigel P. Smart 2 1 Hewlett-Packard Laboratories, Filton Road, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationApplication to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationCompact and Anonymous Role-Based Authorization Chain
Compact and Anonymous Role-Based Authorization Chain DANFENG YAO Computer Science Department Brown University Providence, RI 02912 dyao@cs.brown.edu and ROBERTO TAMASSIA Computer Science Department Brown
More informationSECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES
More informationPractical Anonymous Subscriptions! Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara Schmidt, Brent Waters, Emmett Witchel"
Practical Anonymous Subscriptions! Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara Schmidt, Brent Waters, Emmett Witchel" Practical Anonymous Subscriptions! Alan Dunn, Jonathan Katz, Sangman Kim,
More informationPlaintext-Checkable Encryption
This paper appears in Orr Dunkelman, editor, CT-RSA 2012, Springer-Verlag LNCS 7178, 332 348, 2012. Plaintext-Checkable Encryption Sébastien Canard 1, Georg Fuchsbauer 2, Aline Gouget 3, and Fabien Laguillaumie
More informationHow to Construct Identity-Based Signatures without the Key Escrow Problem
How to Construct Identity-Based Signatures without the Key Escrow Problem Tsz Hon Yuen, Willy Susilo, and Yi Mu University of Wollongong, Australia {thy738, wsusilo, ymu}@uow.edu.au Abstract. The inherent
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationDecentralized Blacklistable Anonymous Credentials with Reputation
Decentralized Blacklistable Anonymous Credentials with Reputation Rupeng Yang 1,2, Man Ho Au 2, Qiuliang Xu 1, and Zuoxia Yu 2 1 School of Computer Science and Technology, Shandong University, Jinan, 250101,
More informationCertificateless Onion Routing
Certificateless Onion Routing Dario Catalano Dipartimento di Matematica e Informatica Università di Catania - Italy catalano@dmi.unict.it Dario Fiore Dipartimento di Matematica e Informatica Università
More informationDYNAMIC PRIVACY PROTECTING SHORT GROUP SIGNATURE SCHEME
DYNAMIC PRIVACY PROTECTING SHORT GROUP SIGNATURE SCHEME Ashy Eldhose 1 and Thushara Sukumar 2 1 Student, Department of Computer Science and Engineering, MBITS Nellimattom 2 Assistant Professor, Department
More informationEnhanced Privacy ID from Bilinear Pairing
Enhanced Privacy ID from Bilinear Pairing Ernie Brickell Intel Corporation ernie.brickell@intel.com Jiangtao Li Intel Corporation jiangtao.li@intel.com Abstract Enhanced Privacy ID (EPID) is a cryptographic
More informationCross-Unlinkable Hierarchical Group Signatures
Cross-Unlinkable Hierarchical Group Signatures Julien Bringer 1, Hervé Chabanne 12, and Alain Patey 12 1 Morpho 2 Télécom ParisTech Identity & Security Alliance (The Morpho and Télécom ParisTech Research
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationPlaintext-Checkable Encryption
Plaintext-Checkable Encryption Sébastien Canard, Georg Fuchsbauer, Aline Gouget, Fabien Laguillaumie To cite this version: Sébastien Canard, Georg Fuchsbauer, Aline Gouget, Fabien Laguillaumie. Plaintext-Checkable
More informationTANDEM: Securing Keys by Using a Central Server While Preserving Privacy
TANDEM: Securing Keys by Using a Central Server While Preserving Privacy Wouter Lueks SPRING Lab, EPFL wouter.lueks@epfl.ch Brinda Hampiholi Radboud University brinda@cs.ru.nl Greg Alpár Open University
More informationAPPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1
APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationDeniable Unique Group Authentication CS380S Project Report
Deniable Unique Group Authentication CS380S Project Report Matteo Pontecorvi, Subhashini Venugopalan Abstract Deniable unique authentication is desirable in a number of scenarios. Electronic voting would
More informationKey Escrow free Identity-based Cryptosystem
Key Escrow free Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university, located in capital of Gujarat state in India. DA-IICT offers undergraduate and postgraduate
More informationDelegatable Functional Signatures
Delegatable Functional Signatures Michael Backes MPI-SWS Saarland University Germany Sebastian Meiser Saarland University Germany October 10, 2013 Dominique Schröder Saarland University Germany Abstract
More informationIdentity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation
Identity Mixer: From papers to pilots and beyond Gregory Neven, IBM Research Zurich Motivation Online security & trust today: SSL/TLS for encryption and server authentication Username/password for client
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationAnonymous Attestation with Subverted TPMs
Anonymous Attestation with Subverted TPMs Jan Camenisch 1, Manu Drijvers 1,2, and Anja Lehmann 1 1 IBM Research Zurich, Säumerstrasse 4, 8803 Rüschlikon, Switzerland {jca,mdr,anj}@zurich.ibm.com 2 Department
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationSecurity Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13
Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13 Payal Chaudhari, Manik Lal Das, Anish Mathuria DA-IICT, Gandhinagar, India {payal chaudhari, maniklal das, anish mathuria}@daiict.ac.in
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationPrivacy-Preserving & User-Auditable Pseudonym Systems. Jan Camenisch, Anja Lehmann IBM Research Zurich
Privacy-Preserving & User-Auditable Pseudonym Systems Jan Camenisch, Anja Lehmann IBM Research Zurich Motivation: How to maintain related yet distributed data? examples: social security system, ehealth
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationPrivacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich
Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving
More informationAttribute-based Credentials on Smart Cards
Attribute-based Credentials on Smart Cards ir. Pim Vullers p.vullers@cs.ru.nl Privacy & Identity Lab Institute for Computing and Information Sciences Digital Security SaToSS Research Meeting 28th February
More informationBetter 2-round adaptive MPC
Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively
More informationPrivacy-Enhancing Proxy Signatures from Non-Interactive Anonymous Credentials
Privacy-Enhancing Proxy Signatures from Non-Interactive Anonymous Credentials David Derler, Christian Hanser, and Daniel Slamanig Institute for Applied Information Processing and Communications (IAIK),
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationCascaded Authorization with Anonymous-Signer Aggregate Signatures
Cascaded Authorization with Anonymous-Signer Aggregate Signatures Danfeng Yao Computer Science Department Brown University Providence, RI 02912 dyao@cs.brown.edu Roberto Tamassia Computer Science Department
More information1 Introduction. Markulf Kohlweiss and Ian Miers* Accountable Metadata-Hiding Escrow: A Group Signature Case Study
Proceedings on Privacy Enhancing Technologies 2015; 2015 (2):206 221 Markulf Kohlweiss and Ian Miers* Accountable Metadata-Hiding Escrow: A Group Signature Case Study Abstract: A common approach to demands
More informationAnonymous Consecutive Delegation of Signing Rights: Unifying Group and Proxy Signatures
Appears in Special Issue on Computer Security LNCS 5458, pages??????. V. Cortier Ed. Springer-Verlag. Anonymous Consecutive Delegation of Signing Rights: Unifying Group and Proxy Signatures Georg Fuchsbauer
More informationOn the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption
D. Nuñez, I. Agudo, and J. Lopez, On the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption, Security and Communication Networks, vol. 9, pp. 1769-1785, 2016. http://doi.org/10.1002/sec.1434
More informationProceedings of the 5th Smart Card Research and Advanced Application Conference
USENIX Association Proceedings of the 5th Smart Card Research and Advanced Application Conference San Jose, California, USA November 21 22, 2002 THE ADVANCED COMPUTING SYSTEMS ASSOCIATION 2002 by The USENIX
More informationAmbiguous Optimistic Fair Exchange
Ambiguous Optimistic Fair Exchange Qiong Huang 1, Guomin Yang 1, Duncan S. Wong 1, and Willy Susilo 2 1 City University of Hong Kong, Hong Kong, China {csqhuang@student., csyanggm@cs., duncan@}cityu.edu.hk
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationA public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks
A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks Jan Camenisch 1, Nishanth Chandran 2, and Victor Shoup 3 1 IBM Research, work funded
More informationAPOD: Anonymous Physical Object Delivery
APOD: Anonymous Physical Object Delivery Elli Androulaki and Steven Bellovin {elli,smb}@cs.columbia.edu Columbia University Abstract. Delivery of products bought online can violate consumers privacy, although
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationSecurity of Blind Signatures Under Aborts
Security of Blind Signatures Under Aborts Marc Fischlin and Dominique Schröder Darmstadt University of Technology, Germany www.minicrypt.de marc.fischlin @ gmail.com schroeder @ me.com Abstract. We explore
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationRing Signatures: Stronger Definitions, and Constructions without Random Oracles
Ring Signatures: Stronger Definitions, and Constructions without Random Oracles Adam Bender Jonathan Katz Ruggero Morselli Abstract Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable
More informationRound-Optimal Composable Blind Signatures in the Common Reference String Model
Round-Optimal Composable Blind Signatures in the Common Reference String Model Marc Fischlin Darmstadt University of Technology, Germany marc.fischlin @ gmail.com www.fischlin.de Abstract We build concurrently
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationFunctional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu
Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic
More informationSignature schemes variations
Signature schemes variations Multisignatures: several signers create a signature on a single message, that is shorter and faster to verify than when a standard signature scheme is used in a straightforward
More informationAn Identity Escrow Scheme with Appointed Verifiers
An Identity Escrow Scheme with Appointed Verifiers Jan Camenisch 1 and Anna Lysyanskaya 2 1 IBM Research Zurich Research Laboratory CH 8803 Rüschlikon jca@zurich.ibm.com 2 MIT LCS 545 Technology Square
More informationSecure Multi-Party Computation. Lecture 13
Secure Multi-Party Computation Lecture 13 Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data
More informationAn Efficient Certificateless Proxy Re-Encryption Scheme without Pairing
An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing Presented By: Arinjita Paul Authors: S. Sharmila Deva Selvi, Arinjita Paul, C. Pandu Rangan TCS Lab, Department of CSE, IIT Madras.
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationFair E-cash: Be Compact, Spend Faster
Fair E-cash: Be Compact, Spend Faster Sébastien Canard 1, Cécile Delerablée 2, Aline Gouget 3, Emeline Hufschmitt 4, Fabien Laguillaumie 5, Hervé Sibert 6, Jacques Traoré 1, and Damien Vergnaud 7 1 Orange
More informationImprovement of Camenisch-Neven-Shelat Oblivious Transfer Scheme
Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Zhengjun Cao and Hanyue Cao Department of Mathematics, Shanghai University, Shanghai, China caozhj@shu.edu.cn Abstract. In 2007, Camenisch,
More informationA robust smart card-based anonymous user authentication protocol for wireless communications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2014 A robust smart card-based anonymous user authentication
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationA Light-Weight Group Signature Scheme for Wireless Networks Based-on BBS Short Group Signature
A Light-Weight Group Signature Scheme for Wireless Networks Based-on BBS Short Group Signature Amang Sudarsono and Mike Yuliana Division of Telecommunication Engineering, Dept. of Electrical Engineering,
More informationApplied cryptography
Applied cryptography Electronic Cash Andreas Hülsing 29 November 2016 1 / 61 Classical Cash - Life Cycle Mint produces money (coins / bank notes) Sent to bank User withdraws money (reduces account balance)
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationPublic-Key Encryption
Public-Key Encryption Glorianna Jagfeld & Rahiel Kasim University of Amsterdam 10 March 2016 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March 2016 1 / 24 Warmup: crossword puzzle! Please
More informationRevisiting optimistic fair exchange based on ring signatures
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2014 Revisiting optimistic fair exchange based
More informationAnonymity and Privacy
Computer Security Spring 2008 Anonymity and Privacy Aggelos Kiayias University of Connecticut Anonymity in networks Anonymous Credentials Anonymous Payments Anonymous E-mail and Routing E-voting Group,
More informationPart II Bellare-Rogaway Model (Active Adversaries)
Part II Bellare-Rogaway Model (Active Adversaries) 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 Active Attacks Adversary may tamper, drop,
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationA Universally Composable Scheme for Electronic Cash
A Universally Composable Scheme for Electronic Cash Mårten Trolin Royal Institute of Technology (KTH) Stockholm, Sweden marten@nada.kth.se Abstract We propose a scheme for electronic cash based on symmetric
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il
More informationCompletely Non-Malleable Schemes
Completely Non-Malleable Schemes Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/ Abstract An encryption scheme is non-malleable
More information