Results 1-10 of 53

Ring signatures: Stronger definitions, and constructions without random oracles
Cryptology ePrint Archive, 2005
Cited by 58 (2 self)
Abstract. Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely “ad-hoc” and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and then give separation results proving that our new notions are strictly stronger than previous ones. Next, we show two constructions of ring signature schemes in the standard model: one based on generic assumptions which satisfies our strongest definitions of security, and a second, more efficient scheme achieving weaker security guarantees and more limited functionality. These are the first constructions of ring signature schemes that do not rely on random oracles or ideal ciphers.

Generalized identity based and broadcast encryption schemes
In ASIACRYPT, 2008
Cited by 38 (3 self)
Abstract. We provide a general framework for constructing identity-based and broadcast encryption systems. In particular, we construct a general encryption system called spatial encryption from which many systems with a variety of properties follow. The ciphertext size in all these systems is independent of the number of users involved and is just three group elements. Private key size grows with the complexity of the system. One application of these results gives the first broadcast HIBE system with short ciphertexts. Broadcast HIBE solves a natural problem having to do with identity-based encrypted email.

k-times anonymous authentication (Extended Abstract)
IN ASIACRYPT, VOLUME 3329 OF LNCS, 2004
Cited by 36 (0 self)
We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features that allow 1) no one, not even an authority, identify users who have been authenticated within the allowable number, and that allow 2) anyone to trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Although identity escrow/group signature schemes allow users to be anonymously authenticated, the authorities in these schemes have the unnecessary ability to trace any user. Moreover, since it is only the authority who is able to trace users, one needs to make cumbersome inquiries to the authority to see how many times a user has been authenticated. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users’ participation from protocols and guarantees that they will remain anonymous to everyone.

On Signatures of Knowledge
In Advances in Cryptology – CRYPTO ’06, 2006
Cited by 28 (3 self)
In a traditional signature scheme, a signature σ on a message m is issued under a public key PK, and can be interpreted as follows: “The owner of the public key PK and its corresponding secret key has signed message m.” In this paper we consider schemes that allow one to issue signatures on behalf of any NP statement, that can be interpreted as follows: “A person in possession of a witness w to the statement that x ∈ L has signed message m.” We refer to such schemes as signatures of knowledge. We formally define the notion of a signature of knowledge. We begin by extending the traditional definition of digital signature schemes, captured by Canetti’s ideal signing functionality, to the case of signatures of knowledge. We then give an alternative definition in terms of games that also seems to capture the necessary properties one may expect from a signature of knowledge. We then gain additional confidence in our two definitions by proving them equivalent. We construct signatures of knowledge under standard complexity assumptions in the common-random-string model. We then extend our definition to allow signatures of knowledge to be nested i.e., a signature of knowledge (or another accepting input to a UC-realizable ideal functionality) can itself serve as a witness for another signature of knowledge. Thus, as a corollary, we obtain the first delegatable anonymous credential system, i.e., a system in which one can use one’s anonymous credentials as a secret key for issuing anonymous credentials to others.

Short Linkable Ring Signatures for E-Voting, E-Cash and Attestation
In ISPEC 2005, volume 3439 of LNCS, 2004
Cited by 23 (4 self)
A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup.

Efficient ring signatures without random oracles
IN PKC07, VOLUME 4450 OF LNCS, 2006
Cited by 23 (0 self)
We describe the first efficient ring signature scheme secure, without random oracles, based on standard assumptions. Our ring signatures are based in bilinear groups. For l members of a ring our signatures consist of 2l + 2 group elements and require 2l + 3 pairings to verify. We prove our scheme secure in the strongest security model proposed by Bender, Katz, and Morselli: namely, we show our scheme to be anonymous against full key exposure and unforgeable with respect to insider corruption. A shortcoming of our approach is that all the users’ keys must be defined in the same group.

Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems
2008
Cited by 19 (1 self)
In this paper, we show that two variants of Stern’s identification scheme [IEEE Transaction on Information Theory ’96] are provably secure against concurrent attack under the assumptions on the worst-case hardness of lattice problems. These assumptions are weaker than those for the previous lattice-based identification schemes of Micciancio and Vadhan [CRYPTO ’03] and of Lyubashevsky [PKC ’08]. We also construct efficient ad hoc anonymous identification schemes based on the lattice problems by modifying the variants.

Separable linkable threshold ring signatures
IN INDOCRYPT 2004, VOLUME 3348 OF LNCS, 2004
Cited by 16 (4 self)
A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are linked). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to well-known hardness assumptions. In particular, we introduce the security notions of accusatory linkability and non-slanderability to linkable ring signatures. Our scheme supports “event-oriented” linking. Applications to such linking criterion is discussed.

Ring signatures of sublinear size without random oracles
In Proceedings of 34th International Colloquium on Automata, Languages and Programming, ICALP 2007, volume 4596 of Lecture Notes in Computer Science, 2007

How to leak a secret: Theory and applications of ring signatures
Essays in Theoretical Computer Science: in Memory of Shimon Even, volume 3895 of LNCS Festschrift, 2006
Cited by 12 (0 self)
Abstract. In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).