Results 1-10 of 59
Efficient non-interactive proof systems for bilinear groups
In EUROCRYPT 2008, volume 4965 of LNCS, 2008
Cited by 126 (7 self)
Non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs have played a significant role in the theory of cryptography. However, lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that non-interactive zero-knowledge proofs have been constructed for general NP-complete languages such as Circuit Satisfiability, causing an expensive blowup in the size of the statement when reducing it to a circuit. The contribution of this paper is a general methodology for constructing very simple and efficient non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs that work directly for groups with a bilinear map, without needing a reduction to Circuit Satisfiability. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This paper provides non-interactive witness-indistinguishable proofs and non-interactive zero-knowledge proofs that can be used in connection with these protocols. Our goal is to spread the use of non-interactive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Cited by 56 (0 self)
We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairing-based cryptosystems, and we show how to use prime-order elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision Diffie-Hellman assumption, the decision linear assumption, and/or related assumptions in prime-order groups. We apply our framework and our prime-order group constructions to create more efficient versions of cryptosystems that originally required composite-order groups. Specifically, we consider the Boneh-Goh-Nissim encryption scheme, the Boneh-Sahai-Waters traitor tracing system, and the Katz-Sahai-Waters attribute-based encryption scheme. We give a security theorem for the prime-order group instantiation of each system, using assumptions of comparable complexity to those used in the composite-order setting. Our conversion of the last two systems to prime-order groups answers a problem posed by Groth and Sahai.
Fully anonymous group signatures without random oracles
In ASIACRYPT 2007, volume 4833 of LNCS, 2007
Cited by 53 (2 self)
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.
Non-Interactive Anonymous Credentials
Available from the IACR Cryptology ePrint Archive as Report 2007/384, 2008
Cited by 41 (8 self)
In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment has been signed; (3) a non-interactive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other
Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures
Cited by 21 (4 self)
We introduce the notion of automorphic signatures, which satisfy the following properties: the verification keys lie in the message space, messages and signatures consist of elements of a bilinear group, and verification is done by evaluating a set of pairing-product equations. These signatures make a perfect counterpart to the powerful proof system by Groth and Sahai (Eurocrypt 2008). We provide practical instantiations of automorphic signatures under appropriate assumptions and use them to construct the first efficient round-optimal blind signatures. By combining them with Groth-Sahai proofs, we moreover give practical instantiations of various other cryptographic primitives, such as fully-secure group signatures, non-interactive anonymous credentials and anonymous proxy signatures. To do so, we show how to transform signature schemes whose message space is a group to a scheme that signs arbitrarily many messages at once.
A Group Signature Scheme from Lattice Assumptions
Cited by 20 (0 self)
Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining anonymity (within that group) with respect to an outside observer, yet (2) ensuring traceability of a signer (by the group manager) when needed. In this work we give the first construction of a group signature scheme based on lattices (more precisely, the learning with errors assumption), in the random oracle model. Toward our goal, we construct a new algorithm for sampling orthogonal lattices together with a trapdoor that may be of independent interest.
Group Encryption: Non-Interactive Realization in the Standard Model
Cited by 19 (6 self)
Group encryption (GE) schemes, introduced at Asiacrypt’07, are an encryption analogue of group signatures with a number of interesting applications. They allow a sender to encrypt a message (in the CCA2 security sense) for some member of a PKI group concealing that member’s identity (in a CCA2 security sense, as well); the sender is able to convince a verifier that, among other things, the ciphertext is valid and some anonymous certified group member will be able to decrypt the message. As in group signatures, an opening authority has the power of pinning down the receiver’s identity. The initial GE construction uses interactive proofs as part of the design (which can be made non-interactive using the random oracle model) and the design of a fully non-interactive group encryption system is still an open problem. In this paper, we give the first GE scheme, which is a pure encryption scheme in the standard model, i.e., a scheme where the ciphertext is a single message and proofs are non-interactive (and do not employ the random oracle heuristic). As a building block, we use a new public key certification scheme which incurs the smallest amount of interaction, as well.
P-signatures and Non-interactive Anonymous Credentials
2008
Cited by 19 (3 self)
In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment has been signed; (3) a non-interactive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.
Anonymous proxy signatures
SCN ’08, LNCS 5229, 2008
Cited by 12 (2 self)
We define a general model for consecutive delegations of signing rights with the following properties: The delegatee actually signing and all intermediate delegators remain anonymous. As for group signatures, in case of misuse, a special authority can open signatures to reveal the chain of delegations and the signer’s identity. The scheme satisfies a strong notion of non-frameability generalizing the one for dynamic group signatures. We give formal definitions of security and show them to be satisfiable by constructing an instantiation proven secure under general assumptions in the standard model. Our primitive is a proper generalization of both group signatures and proxy signatures and can be regarded as non-frameable dynamic hierarchical group signatures.
Finding composite order ordinary elliptic curves using the Cocks-Pinch method
2009
Cited by 11 (0 self)
We apply the Cocks-Pinch method to obtain pairing-friendly composite order groups with prescribed embedding degree associated to ordinary elliptic curves, and we show that new security issues arise in the composite order setting.