Results 1 - 10
of
171
Chosen-Ciphertext Security from Identity-Based Encryption. Adv
- in Cryptology — Eurocrypt 2004, LNCS
, 2004
"... We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes secure against adaptive chosen-ciphertext attacks) based on any identity-based encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a n ..."
Abstract
-
Cited by 279 (14 self)
- Add to MetaCart
(Show Context)
We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes secure against adaptive chosen-ciphertext attacks) based on any identity-based encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a new paradigm for achieving CCA-security; this paradigm avoids “proofs of well-formedness ” that have been shown to underlie previous constructions. Second, instantiating our construction using known IBE constructions we obtain CCA-secure encryption schemes whose performance is competitive with the most efficient CCA-secure schemes to date. Our techniques extend naturally to give an efficient method for securing also IBE schemes (even hierarchical ones) against adaptive chosen-ciphertext attacks. Coupled with previous work, this gives the first efficient constructions of CCA-secure IBE schemes. 1
Signature schemes and anonymous credentials from bilinear maps
, 2004
"... We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of th ..."
Abstract
-
Cited by 235 (25 self)
- Add to MetaCart
We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of the decisional Diffie-Hellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Direct Anonymous Attestation
, 2004
"... This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the ..."
Abstract
-
Cited by 205 (21 self)
- Add to MetaCart
This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Di#e-Hellman assumption.
Sequences of Games: A Tool for Taming Complexity in Security Proofs
, 2004
"... This paper is brief tutorial on a technique for structuring security proofs as sequences games. ..."
Abstract
-
Cited by 169 (0 self)
- Add to MetaCart
This paper is brief tutorial on a technique for structuring security proofs as sequences games.
Compact e-cash
- In EUROCRYPT, volume 3494 of LNCS
, 2005
"... Abstract. This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and s ..."
Abstract
-
Cited by 123 (18 self)
- Add to MetaCart
(Show Context)
Abstract. This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) andtheuser’s wallet can be stored using O(ℓ + k) bits,wherek is a security parameter. The best previously known schemes require at least one of these complexities to be O(2 ℓ · k). In fact, compared to previous e-cash schemes, our whole wallet of 2 ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent. We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2 ℓ coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k 2) bits, respectively, and wallets take O(ℓ · k) bitsofstorage. All our schemes are secure in the random oracle model.
Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption
, 2004
"... Recently, Canetti, Halevi, and Katz showed a general method for constructing CCA-secure encryption schemes from identity-based encryption schemes in the standard model. We improve the efficiency of their construction, and show two specific instantiations of our resulting scheme which offer the most ..."
Abstract
-
Cited by 88 (9 self)
- Add to MetaCart
(Show Context)
Recently, Canetti, Halevi, and Katz showed a general method for constructing CCA-secure encryption schemes from identity-based encryption schemes in the standard model. We improve the efficiency of their construction, and show two specific instantiations of our resulting scheme which offer the most efficient encryption (and, in one case, key generation) of any CCA-secure encryption scheme to date.
Anonymous identification in ad hoc groups
, 2004
"... We introduce Ad Hoc Anonymous Identification schemes, a new multi-user cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with one-way domain, a natur ..."
Abstract
-
Cited by 53 (0 self)
- Add to MetaCart
(Show Context)
We introduce Ad Hoc Anonymous Identification schemes, a new multi-user cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with one-way domain, a natural extension of cryptographic accumulators we introduce in this work. We provide a formal model for Ad Hoc Anonymous Identification schemes and design secure such schemes both generically (based on any accumulator with one-way domain) and for a specific efficient implementation of such an accumulator based on the Strong RSA Assumption. A salient feature of our approach is that identification protocols take time independent of the size of the ad hoc group. All our schemes and notions can be generally and efficiently amended so that they allow the recovery of the signer’s identity by an authority, if the latter is desired. Using the Fiat-Shamir transform, we also obtain constant-size, signer-ambiguous group and ring signatures (provably secure in the Random Oracle Model). For ring signatures, this is the first such constant-size scheme, as all the previous proposals had signature size proportional to the size of the ring. For group signatures, we obtain schemes comparable in performance with state-of-the-art schemes, with the additional feature that the role of the group manager during key registration is extremely simple and essentially passive: all it does is accept the public key of the new member (and update the constant-size public key of the group).
Blacklistable anonymous credentials: Blocking misbehaving users without TTPs
- In ACM Conference on Computer and Communications Security. ACM
, 2007
"... Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The abi ..."
Abstract
-
Cited by 53 (7 self)
- Add to MetaCart
Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems such as “e-cash ” have been proposed in which users are deanonymized under only certain types of well-defined misbehavior such as “double spending. ” While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior. We present the first anonymous credential system in which services can “blacklist ” misbehaving users without contacting a TTP. Since blacklisted users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP.
A formal treatment of onion routing
- In Advances in Cryptology—CRYPTO 2005, Lecture Notes in Computer Science 3621
, 2005
"... Abstract. Anonymous channels are necessary for a multitude of privacy-protecting protocols. Onion routing is probably the best known way to achieve anonymity in practice. However, the cryptographic aspects of onion routing have not been sufficiently explored: no satisfactory definitions of security ..."
Abstract
-
Cited by 49 (0 self)
- Add to MetaCart
Abstract. Anonymous channels are necessary for a multitude of privacy-protecting protocols. Onion routing is probably the best known way to achieve anonymity in practice. However, the cryptographic aspects of onion routing have not been sufficiently explored: no satisfactory definitions of security have been given, and existing constructions have only had ad-hoc security analysis for the most part. We provide a formal definition of onion-routing in the universally composable framework, and also discover a simpler definition (similar to CCA2 security for encryption) that implies security in the UC framework. We then exhibit an efficient and easy to implement construction of an onion routing scheme satisfying this definition. 1
Code-Based Game-Playing Proofs and the Security of Triple Encryption
- Eurocrypt 2006, LNCS
"... (Draft 3.0) The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates t ..."
Abstract
-
Cited by 47 (10 self)
- Add to MetaCart
(Draft 3.0) The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maxi-mal advantage is small until it asks about 278 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and dis-cussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
