Results 1 - 10 of 48
Simulatable adaptive oblivious transfer
In EUROCRYPT, 2007
Cited by 35 (1 self)
We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receiver’s selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.
On the Generic Construction of Identity-Based Signatures with Additional Properties
2006
Cited by 32 (1 self)
It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of “identity-based signature schemes with additional properties” (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for a great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures. Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until now. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.
Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
In ACISP 2006
Cited by 32 (4 self)
We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies “direct chosen-ciphertext techniques” to Waters’ chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters’ scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.
Constant-size dynamic k-TAA
In Security and Cryptography for Networks, volume 4116 of Lecture Notes in Computer Science, 2006
Cited by 29 (7 self)
k-times anonymous authentication (k-TAA) schemes allow members of a group to be authenticated anonymously by application providers for a bounded number of times. Dynamic k-TAA allows application providers to independently grant or revoke users from their own access group so as to provide better control over their clients. In terms of time and space complexity, existing dynamic k-TAA schemes are of complexity O(k), where k is the allowed number of authentications. In this paper, we construct a dynamic k-TAA scheme with space and time complexities of O(log(k)). We also outline how to construct a dynamic k-TAA scheme with a constant proving effort. The public key size of this variant, however, is O(k). We then describe a trade-off between efficiency and setup freeness of the application provider (AP), in which the AP does not need to hold any secret while maintaining control over their clients. To build our system, we modify the short group signature scheme into a signature scheme and provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature and to obtain a signature on a committed block of messages. We prove that the signature scheme is secure in the standard model under the q-SDH assumption. Finally, we show that our dynamic k-TAA scheme, constructed from bilinear pairing, is secure in the random oracle model.
Round-Optimal Composable Blind Signatures in the Common Reference String Model
In Advances in Cryptology — CRYPTO 2006, LNCS 4117, 2006
Cited by 26 (0 self)
We build concurrently executable blind signature schemes in the common reference string model, based on general complexity assumptions, and with optimal round complexity. Namely, each interactive signature generation requires the requesting user and the issuing bank to transmit only one message each. We also put forward the definition of universally composable blind signature schemes, and show how to extend our concurrently executable blind signature protocol to derive such universally composable schemes in the common reference string model under general assumptions. While this protocol then guarantees very strong security properties when executed within larger protocols, it still supports signature generation in two moves.
Par: Payment for anonymous routing
In Proceedings of the Eighth International Symposium on Privacy Enhancing Technologies (PETS 2008), 2008
Cited by 22 (1 self)
Despite the growth of the Internet and the increasing concern for privacy of online communications, current deployments of anonymization networks depend on a very small set of nodes that volunteer their bandwidth. We believe that the main reason is not disbelief in their ability to protect anonymity, but rather the practical limitations in bandwidth and latency that stem from limited participation. This limited participation, in turn, is due to a lack of incentives to participate. We propose providing economic incentives, which historically have worked very well. In this paper, we demonstrate a payment scheme that can be used to compensate nodes which provide anonymity in Tor, an existing onion routing, anonymizing network. We show that current anonymous payment schemes are not suitable and introduce a hybrid payment system based on a combination of the Peppercoin Micropayment system and a new type of "one use" electronic cash. Our system claims to maintain users' anonymity, although the payment techniques mentioned previously, when adopted individually, provably fail.
Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures
Cited by 21 (4 self)
We introduce the notion of automorphic signatures, which satisfy the following properties: the verification keys lie in the message space, messages and signatures consist of elements of a bilinear group, and verification is done by evaluating a set of pairing-product equations. These signatures make a perfect counterpart to the powerful proof system by Groth and Sahai (Eurocrypt 2008). We provide practical instantiations of automorphic signatures under appropriate assumptions and use them to construct the first efficient round-optimal blind signatures. By combining them with Groth-Sahai proofs, we moreover give practical instantiations of various other cryptographic primitives, such as fully-secure group signatures, non-interactive anonymous credentials and anonymous proxy signatures. To do so, we show how to transform signature schemes whose message space is a group to a scheme that signs arbitrarily many messages at once.
Concurrently-secure blind signatures without random oracles or setup assumptions
In TCC 2007
Blind identity-based encryption and simulatable oblivious transfer
In Advances in Cryptology – ASIACRYPT 2007, LNCS, 2007
Cited by 15 (0 self)
In an identity-based encryption (IBE) scheme, there is a key extraction protocol where a user submits an identity string to a master authority who then returns the corresponding secret key for that identity. In this work, we describe how this protocol can be performed efficiently and in a blind fashion for several known IBE schemes; that is, a user can obtain a secret key for an identity without the master authority learning anything about this identity. We formalize this notion as blind IBE and discuss its many practical applications. In particular, we build upon the recent work of Camenisch, Neven, and shelat [CNS07] to construct oblivious transfer (OT) schemes which achieve full simulatability for both sender and receiver. OT constructions with comparable efficiency prior to Camenisch et al. were proven secure in the weaker half-simulation model. Our OT schemes are constructed from the blind IBE schemes we propose, which require only static complexity assumptions (e.g., DBDH) whereas prior comparable schemes require dynamic assumptions (e.g., q-PDDH).
Transferable constant-size fair e-cash
In CANS 2009, volume 5888 of LNCS
Cited by 11 (1 self)
We propose an efficient blind certification protocol with interesting properties. It falls in the Groth-Sahai framework for witness-indistinguishable proofs, thus extended to a certified signature it immediately yields non-frameable group signatures. We use blind certification to build an efficient (offline) e-cash system that guarantees user anonymity and transferability of coins without increasing their size. As required for fair e-cash, in case of fraud, anonymity can be revoked by an authority, which is also crucial to deter from double spending.