Results 1-10 of 48
Simulatable adaptive oblivious transfer
In EUROCRYPT, 2007
Cited by 35 (1 self)
Abstract
We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receiver's selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.
On the Generic Construction of Identity-Based Signatures with Additional Properties
2006
Cited by 32 (1 self)
Abstract
It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of "identity-based signature schemes with additional properties" (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for a great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key-insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures. Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until now. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.
Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
In ACISP 2006, 2006
Cited by 32 (4 self)
Abstract
We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies "direct chosen-ciphertext techniques" to Waters' chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters' scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.
Constant-size dynamic k-TAA
In Security and Cryptography for Networks, volume 4116 of Lecture Notes in Computer Science, 2006
Cited by 29 (7 self)
Abstract
k-times anonymous authentication (k-TAA) schemes allow members of a group to be authenticated anonymously by application providers for a bounded number of times. Dynamic k-TAA allows application providers to independently grant or revoke users from their own access group so as to provide better control over their clients. In terms of time and space complexity, existing dynamic k-TAA schemes are of complexity O(k), where k is the allowed number of authentications. In this paper, we construct a dynamic k-TAA scheme with space and time complexities of O(log(k)). We also outline how to construct a dynamic k-TAA scheme with a constant proving effort. The public key size of this variant, however, is O(k). We then describe a trade-off between efficiency and setup-freeness of the AP, in which the AP does not need to hold any secret while maintaining control over their clients. To build our system, we modify the short group signature scheme into a signature scheme and provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature and to obtain a signature on a committed block of messages. We prove that the signature scheme is secure in the standard model under the q-SDH assumption. Finally, we show that our dynamic k-TAA scheme, constructed from bilinear pairing, is secure in the random oracle model.
Round-Optimal Composable Blind Signatures in the Common Reference String Model
In Advances in Cryptology – CRYPTO 2006, LNCS 4117, 2006
Cited by 26 (0 self)
marc.fischlin@gmail.com, www.fischlin.de
Abstract
We build concurrently executable blind signature schemes in the common reference string model, based on general complexity assumptions, and with optimal round complexity. Namely, each interactive signature generation requires the requesting user and the issuing bank to transmit only one message each. We also put forward the definition of universally composable blind signature schemes, and show how to extend our concurrently executable blind signature protocol to derive such universally composable schemes in the common reference string model under general assumptions. While this protocol then guarantees very strong security properties when executed within larger protocols, it still supports signature generation in two moves.
Par: Payment for anonymous routing
In Proceedings of the Eighth International Symposium on Privacy Enhancing Technologies (PETS 2008), 2008
Cited by 22 (1 self)
Abstract
Despite the growth of the Internet and the increasing concern for privacy of online communications, current deployments of anonymization networks depend on a very small set of nodes that volunteer their bandwidth. We believe that the main reason is not disbelief in their ability to protect anonymity, but rather the practical limitations in bandwidth and latency that stem from limited participation. This limited participation, in turn, is due to a lack of incentives to participate. We propose providing economic incentives, which historically have worked very well. In this paper, we demonstrate a payment scheme that can be used to compensate nodes which provide anonymity in Tor, an existing onion routing, anonymizing network. We show that current anonymous payment schemes are not suitable and introduce a hybrid payment system based on a combination of the Peppercoin Micropayment system and a new type of "one use" electronic cash. Our system claims to maintain users' anonymity, although the payment techniques mentioned previously, when adopted individually, provably fail.
Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures
Cited by 21 (4 self)
Abstract
We introduce the notion of automorphic signatures, which satisfy the following properties: the verification keys lie in the message space, messages and signatures consist of elements of a bilinear group, and verification is done by evaluating a set of pairing-product equations. These signatures make a perfect counterpart to the powerful proof system by Groth and Sahai (Eurocrypt 2008). We provide practical instantiations of automorphic signatures under appropriate assumptions and use them to construct the first efficient round-optimal blind signatures. By combining them with Groth-Sahai proofs, we moreover give practical instantiations of various other cryptographic primitives, such as fully-secure group signatures, non-interactive anonymous credentials and anonymous proxy signatures. To do so, we show how to transform signature schemes whose message space is a group to a scheme that signs arbitrarily many messages at once.
Concurrently-secure blind signatures without random oracles or setup assumptions
In TCC 2007, 2007
Blind identity-based encryption and simulatable oblivious transfer
In: Advances in Cryptology – ASIACRYPT 2007, LNCS, 2007
Cited by 15 (0 self)
Abstract
In an identity-based encryption (IBE) scheme, there is a key extraction protocol where a user submits an identity string to a master authority who then returns the corresponding secret key for that identity. In this work, we describe how this protocol can be performed efficiently and in a blind fashion for several known IBE schemes; that is, a user can obtain a secret key for an identity without the master authority learning anything about this identity. We formalize this notion as blind IBE and discuss its many practical applications. In particular, we build upon the recent work of Camenisch, Neven, and shelat [CNS07] to construct oblivious transfer (OT) schemes which achieve full simulatability for both sender and receiver. OT constructions with comparable efficiency prior to Camenisch et al. were proven secure in the weaker half-simulation model. Our OT schemes are constructed from the blind IBE schemes we propose, which require only static complexity assumptions (e.g., DBDH) whereas prior comparable schemes require dynamic assumptions (e.g., q-PDDH).
Transferable constant-size fair e-cash
CANS 2009, volume 5888 of LNCS
Cited by 11 (1 self)
Abstract
We propose an efficient blind certification protocol with interesting properties. It falls in the Groth-Sahai framework for witness-indistinguishable proofs; thus, extended to a certified signature, it immediately yields non-frameable group signatures. We use blind certification to build an efficient (off-line) e-cash system that guarantees user anonymity and transferability of coins without increasing their size. As required for fair e-cash, in case of fraud, anonymity can be revoked by an authority, which is also crucial to deter from double spending.