Results 1  10
of
25
Chosenciphertext security from tagbased encryption
, 2005
"... One of the celebrated applications of IdentityBased Encryption (IBE) is the Canetti, Halevi, and Katz (CHK) transformation from any (selectiveidentity secure) IBE scheme into a full chosenciphertext secure encryption scheme. Since such IBE schemes in the standard model are known from previous wor ..."
Abstract

Cited by 68 (12 self)
 Add to MetaCart
One of the celebrated applications of IdentityBased Encryption (IBE) is the Canetti, Halevi, and Katz (CHK) transformation from any (selectiveidentity secure) IBE scheme into a full chosenciphertext secure encryption scheme. Since such IBE schemes in the standard model are known from previous work this immediately provides new chosenciphertext secure encryption schemes in the standard model. This paper revisits the notion of TagBased Encryption (TBE) and provides security definitions for the selectivetag case. Even though TBE schemes belong to a more general class of cryptographic schemes than IBE, we observe that (selectivetag secure) TBE is a sufficient primitive for the CHK transformation and therefore implies chosenciphertext secure encryption. We construct efficient and practical TBE schemes and give tight security reductions in the standard model from the Decisional Linear Assumption in gapgroups. In contrast to all known IBE schemes our TBE construction does not directly deploy pairings. Instantiating the CHK transformation with our TBE scheme results in an encryption scheme whose decryption can be carried out in one single multiexponentiation. Furthermore, we show how to apply the techniques gained from the TBE construction to directly design a new Key Encapsulation Mechanism. Since in this case we can avoid the CHK transformation the scheme results in improved efficiency.
Dynamic kTimes Anonymous Authentication
 In ACNS 2005, number 3531 in LNCS
, 2005
"... ktimes anonymous authentication (kTAA) schemes allow members of a group to be anonymously authenticated by application providers for a bounded number of times. kTAA has application in evoting, ecash, electronic coupons and anonymous trial browsing of content. ..."
Abstract

Cited by 31 (0 self)
 Add to MetaCart
(Show Context)
ktimes anonymous authentication (kTAA) schemes allow members of a group to be anonymously authenticated by application providers for a bounded number of times. kTAA has application in evoting, ecash, electronic coupons and anonymous trial browsing of content.
An Efficient Group Signature Scheme from Bilinear Maps
, 2006
"... We propose a new group signature scheme which is secure if we assume the Decision DiffieHellman assumption, the qStrong DiffieHellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
We propose a new group signature scheme which is secure if we assume the Decision DiffieHellman assumption, the qStrong DiffieHellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].
Short Linkable Ring Signatures for Evoting, Ecash and Attestation
 In ISPEC 2005, volume 3439 of LNCS
, 2004
"... A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup. ..."
Abstract

Cited by 23 (4 self)
 Add to MetaCart
(Show Context)
A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup.
Dynamic Fully Anonymous Short Group Signatures
, 2006
"... Group signatures allow members to sign on behalf of a group. Recently, several schemes have been proposed, in order to provide more efficient and shorter group signatures. However, this should be performed achieving a strong security level. To this aim, a formal security model has been proposed by B ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
Group signatures allow members to sign on behalf of a group. Recently, several schemes have been proposed, in order to provide more efficient and shorter group signatures. However, this should be performed achieving a strong security level. To this aim, a formal security model has been proposed by Bellare, Shi and Zang, including both dynamic groups and concurrent join. Unfortunately, very few schemes satisfy all the requirements, and namely the shortest ones needed to weaken the anonymity notion. We present an extremely short dynamic group signature scheme, with concurrent join, provably secure in this model. It achieves stronger security notions than BBS, and namely the full anonymity, while still shorter. The proofs hold under the qSDH and the XDH assumptions, in the random oracle model.
ktimes Anonymous Authentication with a Constant Proving Cost
"... Abstract. A kTimes Anonymous Authentication (kTAA) scheme allows users to be authenticated anonymously so long as the number of times that they are authenticated is within an allowable number. Some promising applications are evoting, ecash, ecoupons, and trial browsing of contents. However, the ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
Abstract. A kTimes Anonymous Authentication (kTAA) scheme allows users to be authenticated anonymously so long as the number of times that they are authenticated is within an allowable number. Some promising applications are evoting, ecash, ecoupons, and trial browsing of contents. However, the previous schemes are not efficient in the case where the allowable number k is large, since they require both users and verifiers to compute O(k) exponentiation in each authentication. We propose a kTAA scheme where the numbers of exponentiations required for the entities in an authentication are independent of k. Moreover, we propose a notion of public detectability in a kTAA scheme and present an efficient publicly verifiable kTAA scheme, where the number of modular exponentiations required for the entities is O(log(k)).
Fair Traceable MultiGroup Signatures
"... Abstract. This paper presents fair traceable multigroup signatures (FTMGS), which have enhanced capabilities, compared to group and traceable signatures, that are important in real world scenarios combining accountability and anonymity. The main goal of the primitive is to allow multiple groups tha ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents fair traceable multigroup signatures (FTMGS), which have enhanced capabilities, compared to group and traceable signatures, that are important in real world scenarios combining accountability and anonymity. The main goal of the primitive is to allow multiple groups that are managed separately (managers are not even aware of the other ones), yet allowing users (in the spirit of the Identity 2.0 initiative) to manage what they reveal about their identity with respect to these groups by themselves. This new primitive incorporates the following additional features. – While considering multiple groups it discourages users from sharing their private membership keys through two orthogonal and complementary approaches. In fact, it merges functionality similar to credential systems with anonymous type of signing with revocation. – The group manager now mainly manages joining procedures, and new entities (called fairness authorities and consisting of various representatives, possibly) are involved in opening and revealing procedures. In many systems scenario assuring fairness in anonymity revocation is required. We specify the notion and implement it in the random oracle model. 1
Anonymity 2.0: X.509 extensions supporting privacyfriendly authentication
 In CANS
, 2007
"... Abstract. We present a semantic extension to X.509 certificates that allows incorporating new anonymity signature schemes into the X.509 framework. This fact entails advantages to both components. On the one hand, anonymous signature schemes benefit from all the protocols and infrastructure that the ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present a semantic extension to X.509 certificates that allows incorporating new anonymity signature schemes into the X.509 framework. This fact entails advantages to both components. On the one hand, anonymous signature schemes benefit from all the protocols and infrastructure that the X.509 framework provides. On the other hand, the X.509 framework incorporates anonymity as a very interesting new feature. This semantic extension is part of a system that provides user’s controlled anonymous authorization under the X.509 framework. Additionally, the proposal directly fits the much active Identity 2.0 effort, where anonymity is a major supplementary feature that increases the selfcontrol of one’s identity and privacy which is at the center of the activity. Keywords: Anonymous authentication, X.509 certificates, group signatures, ring signatures, traceable signatures.
More Compact ECash with Efficient Coin Tracing
, 2005
"... In 1982, Chaum [21] pioneered the anonymous ecash which finds many applications in ecommerce. In 1993, Brands [810] and Ferguson [30, 31] published on singleterm offline anonymous ecash which were the first practical ecash. Their constructions used blind signatures and were inefficient to impl ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
In 1982, Chaum [21] pioneered the anonymous ecash which finds many applications in ecommerce. In 1993, Brands [810] and Ferguson [30, 31] published on singleterm offline anonymous ecash which were the first practical ecash. Their constructions used blind signatures and were inefficient to implement multispendable ecash. In 1995, Camenisch, Hohenberger, and Lysyanskaya [12] gave the first compact 2 spendable ecash, using zeroknowledgeproof techniques. They left an open problem of the simultaneous attainment of O(1)unit wallet size and efficient coin tracing. The latter property is needed to revoke bad coins from overspenders. In this paper, we solve [12]'s open problem, and thus enable the first practical compact ecash. We use a new technique whose security reduces to a new intractability assumption: the Decisional HarmonicallyTipped DiffieHellman (DHTDH) Assumption.
Shorter VerifierLocal Revocation Group Signatures from Bilinear Maps
, 2006
"... We propose a new computational complexity assumption from bilinear map, based on which we construct VerifierLocal Revocation group signatures with shorter lengths than previous ones. ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
We propose a new computational complexity assumption from bilinear map, based on which we construct VerifierLocal Revocation group signatures with shorter lengths than previous ones.