Citation Context

...nowledge fashion with the Schnorr identification protocol [25]. Moreover, several digital signature systems can be based on the user public, private key pairs mentioned above, e.g., DSA [15], ElGamal =-=[14]-=- and Schnorr [25]. Finally, a certificate issued by a trust provider with public key h, h z on a user public key g x takes the form: {g x , g xz }. Note that the above certificate is based on the vari...

Citation Context

...lled a distortion map in [27]) on Ca that maps a point (x, y) on the curve to the point (ω · x, y) also on the curve (over GF(p 2 )) and where eq(., .) is the so-called Weil pairing. See [1], [20] or =-=[26]-=-. As the Weil pairing is efficiently computable, the DDH problem is also efficiently computable in this situation. It is well-known that the DL problem in the group of points on the curve in GF(p) red...

Citation Context

... will delve no further into this property in this paper. In the terminology we introduced above, we formulate the security assumption that we require for our variant of the Chaum-Pedersen scheme (cf. =-=[8]-=-, [9]). Assumption 21 If the Diffie-Hellman problem with respect to g is hard, then without knowledge of the private signing key z, the only forged message an attacker can make on the basis of signed ...

Citation Context

...e certificates. Such certificates can be constructed using the Weil pairing in supersingular elliptic curves. 1 Introduction Credential pseudonymous certificates (CPCs) were introduced by David Chaum =-=[7]-=- in 1985 to counter some of the privacy problems related to identity certificates. One such problem is that service providers know exactly who they are servicing when a user employs an identity certif...

Citation Context

...private keys. There is a subtle reason why x = 0 is principally not allowed, see below. Note that a user can prove possession of x in a zero-knowledge fashion with the Schnorr identification protocol =-=[25]-=-. Moreover, several digital signature systems can be based on the user public, private key pairs mentioned above, e.g., DSA [15], ElGamal [14] and Schnorr [25]. Finally, a certificate issued by a trus...

Citation Context

...ed to the special case of a credential certificate system. As a final note, we remark that the privacy of our scheme can be further improved by the use of “Wallet with Observer” techniques, cf., [5], =-=[11]-=-.s538 Eric R. Verheul Outline of the paper – In Section 2, we describe a variant of the Chaum-Pedersen digital signature scheme which is of crucial importance for our constructions of self-blindable c...

Citation Context

... = g x ∈ G, with 0 ≤ x < q, find x = DL(α). The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem G is hard, then so is the DH problem. Currently, cf. =-=[16]-=-, [27], [17], a large class of groups has been discovered in which the DDH problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. This class consists of certai...

Citation Context

...hism (called a distortion map in [27]) on Ca that maps a point (x, y) on the curve to the point (ω · x, y) also on the curve (over GF(p 2 )) and where eq(., .) is the so-called Weil pairing. See [1], =-=[20]-=- or [26]. As the Weil pairing is efficiently computable, the DDH problem is also efficiently computable in this situation. It is well-known that the DL problem in the group of points on the curve in G...

Citation Context

...ctively implies sharing a credential that is highly valuable to the user, most notably one enabling him to take over the user’s identity and digitally sign contracts that legally binds the user (cf., =-=[6]-=-, [5]). Revocation of pseudonymous certificates and credentials Under certain circumstances, it should be possible for the user and trust providers to revoke pseudonymous certificates as well as crede...

Citation Context

...ansfer), one needs to trust devices resistant to user tampering. 4.2 A more robust construction This construction is based on the technique in Brands’ e-cash scheme to trace double spenders (cf. from =-=[4]-=-). Just as in the previous section our construction is based on the variant of the Chaum-Pedersen signature scheme as introduced in Section 2. So, again, let G = 〈g〉 be a group of prime order q in whi...

Citation Context

...ly implies sharing a credential that is highly valuable to the user, most notably one enabling him to take over the user’s identity and digitally sign contracts that legally binds the user (cf., [6], =-=[5]-=-). Revocation of pseudonymous certificates and credentials Under certain circumstances, it should be possible for the user and trust providers to revoke pseudonymous certificates as well as credential...

Citation Context

...erent users. Damg˚ard’s scheme [13], is based on general complexity-theoretic primitives and is therefore not applicable for practical use. The scheme developed by Lysyanskaya, Rivest, Sahai and Wolf =-=[19]-=- is based on one-way functions and general zero-knowledge proofs which also makes it inappropriate for practical use. Our CPC system can be considered as the opposite of the credential scheme [6] cons...

Citation Context

...ew, this is undesirable. Chen’s scheme [12], envisions a trusted party who, amongst other things, should be trusted to refrain from transferring credentials between different users. Damg˚ard’s scheme =-=[13]-=-, is based on general complexity-theoretic primitives and is therefore not applicable for practical use. The scheme developed by Lysyanskaya, Rivest, Sahai and Wolf [19] is based on one-way functions ...

Citation Context

... ∈ G, with 0 ≤ x < q, find x = DL(α). The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem G is hard, then so is the DH problem. Currently, cf. [16], =-=[27]-=-, [17], a large class of groups has been discovered in which the DDH problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. This class consists of certain grou...

Citation Context

...It is shown in [27] that inverting such embeddings is hard; in fact, as hard as the DH problem in the group G. Note that by using a specific choice of G, the group G ′ could be the XTR group. Compare =-=[18]-=- and [27]. A group of points on a (supersingular) elliptic curve over a finite field used in cryptography is typically chosen in such a way that its order is a prime number times a small number (e.g.,...

Citation Context

...with 0 ≤ x < q, find x = DL(α). The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem G is hard, then so is the DH problem. Currently, cf. [16], [27], =-=[17]-=-, a large class of groups has been discovered in which the DDH problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. This class consists of certain groups of ...

Citation Context

... also efficiently computable in this situation. It is well-known that the DL problem in the group of points on the curve in GF(p) reduces to the DL problem in a subgroup of order q in GF(p 2 ) ∗ (cf. =-=[21]-=- ). That is, to make the DH and DL problems practically intractable against attacks known today, the length of the prime number q should be at least 160 bit and the length of the prime number should b...

Citation Context

...d Work As we could probably write an entire paper just discussing and comparing all of the CPC schemes that have been published, we will be brief. The first scheme was introduced by Chaum and Evertse =-=[10]-=- and is based on having a semi-trusted third party involved in all credential translations. Both from an efficiency and a security point of view, this is undesirable. Chen’s scheme [12], envisions a t...

Citation Context

...bit prime number p of type p = 6q − 1 where q is also a prime number and consider the curve C1 : y 2 = x 3 + 1. Let P be any GF(p)-rational point on the curve of order q. This construction is used in =-=[2]-=- in the setting of an identity-based encryption scheme that is also based on the Weil pairing. This paper also analyzes the work needed to solve the DDH problem in the group 〈P 〉, which amounts to a s...

Citation Context

...um and Evertse [10] and is based on having a semi-trusted third party involved in all credential translations. Both from an efficiency and a security point of view, this is undesirable. Chen’s scheme =-=[12]-=-, envisions a trusted party who, amongst other things, should be trusted to refrain from transferring credentials between different users. Damg˚ard’s scheme [13], is based on general complexity-theore...

Citation Context

...ents in the subgroup without knowledge of relative discrete logarithms is very simple, e.g., by mapping a hash value into a point on the curve and then mapping it to a point in the subgroup. See also =-=[3]-=-. 2.2 The ‘proofless’ variant of the Chaum-Pedersen scheme As explained in the previous section, we consider a group, G, of prime order q, with generator g, in which the DDH problem is simple, while t...

Citation Context

...ire that g x1 1 gx2 2 be unequal to the unity element. Note that a participant can prove possession of x1, x2 in a zero-knowledge fashion with the Okamoto variant of Schnorr’s identification protocol =-=[22]-=-. In the same paper, a variant of Schnorr’s signature scheme is described based on the user public, private key pairs mentioned above. Finally, a certificate issued by a trust provider with public key...

Citation Context

...of the (credential) pseudonymous certificate to the service provider. This functionality resembles the use of an On-line Certificate Status Protocol (OCSP) request, commonly used on the Internet (cf. =-=[23]-=-). Of course, the service provider still needs to verify that the user is in possession of the private key referenced in the used randomized CPC. The second revocation technique can be supplemented wi...

Citation Context

...pseudonymous certificate. Also note that the pseudonym of a user is in fact the user’s public key in its certificate, which is reminiscent of the SPKI (Simple Public Key Infrastructure) approach, cf. =-=[24]-=-.sSelf-Blindable Credential Certificates from the Weil Pairing 543 Note that the self-blinding properties of the certificates enable the users themselves to generate a new pseudonymous certificate val...