Results 1 to 10 of 32
Signature schemes and anonymous credentials from bilinear maps, 2004
Cited by 234 (23 self)
We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW), who also showed that it holds for generic groups and is independent of the decisional Diffie-Hellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Direct Anonymous Attestation, 2004
Cited by 215 (24 self)
This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.
How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication, 2006
Cited by 66 (14 self)
We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an e-token to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damgård et al. [29], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damgård et al. also only support one authentication per time period, while we support n. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse e-tokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.
Group Signatures: Better Efficiency and New Theoretical Aspects
In Proceedings of SCN ’04, LNCS series, 2005
Cited by 63 (7 self)
A group signature scheme allows members of a group to sign messages anonymously. To counter misuse, the so-called group manager can revoke the anonymity.
A cryptographic framework for the controlled release of certified data
In Security Protocols Workshop, 2004
Cited by 47 (6 self)
It is usually the case that before a transaction can take place, some mutual trust must be established between the participants. Online, doing so requires the exchange of some certified information about the participants. The easy solution is to disclose one’s identity and reveal all of one’s certificates to establish such a trust relationship. However, it is clear that such an approach is unsatisfactory from a privacy point of view. In fact, often revealing any information that uniquely corresponds to a given individual is a bad idea from the privacy point of view. In this survey paper we describe a framework where for each transaction there is a precise specification of what pieces of certified data are revealed to each participant. We show how to specify transactions in this framework, give examples of transactions that use it, and describe the cryptographic building blocks that this framework is built upon. We conclude with bibliographic notes on the state-of-the-art in this area.
Non-Interactive Anonymous Credentials
Available from the IACR Cryptology ePrint Archive as Report 2007/384, 2008
Cited by 41 (8 self)
In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment have been signed; (3) a non-interactive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.
On Signatures of Knowledge
In Advances in Cryptology – CRYPTO ’06, 2006
Cited by 28 (3 self)
In a traditional signature scheme, a signature σ on a message m is issued under a public key PK, and can be interpreted as follows: “The owner of the public key PK and its corresponding secret key has signed message m.” In this paper we consider schemes that allow one to issue signatures on behalf of any NP statement, that can be interpreted as follows: “A person in possession of a witness w to the statement that x ∈ L has signed message m.” We refer to such schemes as signatures of knowledge. We formally define the notion of a signature of knowledge. We begin by extending the traditional definition of digital signature schemes, captured by Canetti’s ideal signing functionality, to the case of signatures of knowledge. We then give an alternative definition in terms of games that also seems to capture the necessary properties one may expect from a signature of knowledge. We then gain additional confidence in our two definitions by proving them equivalent. We construct signatures of knowledge under standard complexity assumptions in the common-random-string model. We then extend our definition to allow signatures of knowledge to be nested, i.e., a signature of knowledge (or another accepting input to a UC-realizable ideal functionality) can itself serve as a witness for another signature of knowledge. Thus, as a corollary, we obtain the first delegatable anonymous credential system, i.e., a system in which one can use one’s anonymous credentials as a secret key for issuing anonymous credentials to others.
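The abstract above defines a signature of knowledge by its meaning ("whoever knows a witness w for x ∈ L signed m") rather than by a construction; the paper itself builds them in the common-random-string model without random oracles. As an added illustration that is not code from the paper, here is the older Fiat-Shamir style construction that earlier work called a signature of knowledge: a Schnorr-type SPK{(x): y = g^x}(m), where the "statement" is a group element y and the witness is its discrete logarithm x. The verifier learns that the signer knew x and that the signature is bound to this exact message, but learns nothing about x itself. The 1019-element safe-prime group, the generator 4 and the function names are my own assumptions for readability; the group is far too small for real use.

```python
"""Schnorr-style signature of knowledge SPK{(x): y = g^x}(m) over a toy group."""
from __future__ import annotations

import hashlib
import secrets

# ASSUMPTION: toy parameters chosen for readability, not security.
# p = 1019 is a safe prime, q = 509 = (p-1)/2 is prime, and G = 4 = 2^2 is a
# quadratic residue different from 1, hence a generator of the order-q subgroup.
P, Q, G = 1019, 509, 4


def _challenge(y: int, r: int, message: bytes) -> int:
    """Fiat-Shamir challenge: hash the statement y, the commitment r and m.

    The challenge is used unreduced (256 bits) in the exponent; only the
    response s is reduced mod q, which keeps verification exact.
    """
    data = b"|".join(str(v).encode() for v in (P, Q, G, y, r)) + b"|" + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_knowledge(x: int, message: bytes, k: int | None = None) -> tuple[int, int]:
    """Sign m on behalf of the statement y = g^x, using the witness x.

    k is the per-signature nonce; it must be fresh and non-zero, otherwise
    x leaks from s = k - c*x.  A fixed k may be passed for deterministic tests.
    """
    y = pow(G, x, P)
    k = secrets.randbelow(Q - 1) + 1 if k is None else k % Q
    if k == 0:
        raise ValueError("nonce must be non-zero mod q")
    r = pow(G, k, P)
    c = _challenge(y, r, message)
    s = (k - c * x) % Q
    return c, s


def verify_knowledge(y: int, message: bytes, sig: tuple[int, int]) -> bool:
    """Check the signature without knowing x: recompute r = g^s * y^c and re-hash."""
    c, s = sig
    if not 0 <= s < Q or not 1 <= y < P:
        return False
    r = (pow(G, s, P) * pow(y, c, P)) % P
    return _challenge(y, r, message) == c


if __name__ == "__main__":
    secret_x = 123
    public_y = pow(G, secret_x, P)
    sig = sign_knowledge(secret_x, b"constructed sample message")
    print("valid:", verify_knowledge(public_y, b"constructed sample message", sig))
    print("tampered:", verify_knowledge(public_y, b"other message", sig))
```

The check `g^s * y^c == r` works because `s = k - c*x` cancels the `c*x` contributed by `y^c`; anyone who could forge without knowing x could be rewound into two responses for the same r and thereby extract x, which is exactly the "knowledge" the signature certifies. Changing the message changes the challenge, so the same (c, s) cannot be moved to another message.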
Mercurial commitments with applications to zero-knowledge sets (Extended Abstract)
Advances in Cryptology—EUROCRYPT 2005, 2005
Cited by 23 (0 self)
We introduce a new flavor of commitment schemes, which we call mercurial commitments. Informally, mercurial commitments are standard commitments that have been extended to allow for soft decommitment. Soft decommitments, on the one hand, are not binding but, on the other hand, cannot be in conflict with true decommitments. We then demonstrate that a particular instantiation of mercurial commitments has been implicitly used by Micali, Rabin and Kilian to construct zero-knowledge sets. (A zero-knowledge set scheme allows a Prover to (1) commit to a set S in a way that reveals nothing about S and (2) prove to a Verifier, in zero-knowledge, statements of the form x ∈ S and x ∉ S.) The rather complicated construction of Micali et al. becomes easy to understand when viewed as a more general construction with mercurial commitments as an underlying building block. By providing mercurial commitments based on various assumptions, we obtain several different new zero-knowledge set constructions.
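To make the hard/soft distinction concrete, here is an added example, written for this page rather than taken from the paper, of a Pedersen-style mercurial commitment over a discrete-log group. A hard commitment (C0, C1) = (g^m · C1^r1, h^r0) can be "teased" (soft-opened) by revealing only (m, r1), or fully opened by also revealing r0; a soft commitment (g^r1, g^r0) looks identical to a verifier but can be teased to any message, and can never be hard-opened because that would require log_h(g). The toy 1019-element safe-prime group, the hash-derived generators and the function names are my own assumptions; the group size is for readability only.

```python
"""Pedersen-style mercurial commitment with hard and soft openings, toy group."""
from __future__ import annotations

import hashlib

# ASSUMPTION: toy parameters chosen for readability, not security.
# p = 1019 is a safe prime and q = 509 is prime, so every non-trivial square
# mod p generates the order-q subgroup of quadratic residues.
P = 1019
Q = (P - 1) // 2


def _hash_to_generator(label: bytes, avoid=()) -> int:
    """Nothing-up-my-sleeve generator: hash, square, skip 0/1 and `avoid`.

    Deriving both g and h this way means nobody knows log_g(h), which is what
    makes hard commitments binding.
    """
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y = pow(x, 2, P)
        if y not in (0, 1) and y not in avoid:
            return y
        ctr += 1


G = _hash_to_generator(b"mercurial-g")
H = _hash_to_generator(b"mercurial-h", avoid=(G,))


def hard_commit(m: int, r0: int, r1: int) -> tuple[int, int]:
    """Hard commitment to m: C1 = h^r0, C0 = g^m * C1^r1."""
    c1 = pow(H, r0, P)
    c0 = (pow(G, m, P) * pow(c1, r1, P)) % P
    return c0, c1


def soft_commit(r0: int, r1: int) -> tuple[int, int]:
    """Soft commitment: C1 = g^r0 (base g, not h), so it commits to nothing yet."""
    if r0 % Q == 0:
        raise ValueError("r0 must be non-zero mod q")
    return pow(G, r1, P), pow(G, r0, P)


def tease_hard(m: int, r1: int) -> tuple[int, int]:
    """Soft-open a hard commitment: reveal (m, r1), keep r0 secret."""
    return m % Q, r1 % Q


def tease_soft(m: int, r0: int, r1: int) -> tuple[int, int]:
    """Soft-open a soft commitment to ANY m: solve g^r1 = g^m * (g^r0)^t for t."""
    t = ((r1 - m) * pow(r0, -1, Q)) % Q
    return m % Q, t


def verify_tease(c: tuple[int, int], m: int, t: int) -> bool:
    """Tease check C0 == g^m * C1^t; accepts both kinds of commitment."""
    c0, c1 = c
    return c0 == (pow(G, m, P) * pow(c1, t, P)) % P


def verify_hard_open(c: tuple[int, int], m: int, r0: int, r1: int) -> bool:
    """Hard check: the tease must hold AND C1 must equal h^r0.

    A soft commitment has C1 = g^r0, so producing such an r0 would mean
    knowing log_h(g); this is why soft openings never conflict with hard ones.
    """
    _, c1 = c
    return c1 == pow(H, r0, P) and verify_tease(c, m, r1)


if __name__ == "__main__":
    hard = hard_commit(42, r0=7, r1=11)
    soft = soft_commit(r0=5, r1=9)
    print("hard teased to 42:", verify_tease(hard, *tease_hard(42, 11)))
    print("hard teased to 43:", verify_tease(hard, 43, 11))          # binding
    print("soft teased to 100:", verify_tease(soft, *tease_soft(100, 5, 9)))
    print("soft teased to 200:", verify_tease(soft, *tease_soft(200, 5, 9)))
    print("soft hard-opened:", verify_hard_open(soft, 100, 5, 9))    # never
```

Both coordinates of either commitment are uniformly random subgroup elements, so a verifier holding only (C0, C1) cannot tell which kind it has; that is the property a zero-knowledge set prover relies on when it fills the unused branches of its tree with soft commitments that it can later tease to "nothing here" without having fixed anything in advance.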
P-signatures and Non-interactive Anonymous Credentials, 2008
Cited by 19 (3 self)
In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment have been signed; (3) a non-interactive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.
Direct Anonymous Attestation (DAA): Ensuring privacy with corrupt administrators
In: ESAS’07: 4th European Workshop on Security and Privacy in Ad Hoc and Sensor Networks, LNCS, 2007
Cited by 12 (7 self)
The Direct Anonymous Attestation (DAA) scheme provides a means for remotely authenticating a trusted platform whilst preserving the user’s privacy. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification. In this paper we show DAA places an unnecessarily large burden on the TPM host. We demonstrate how corrupt administrators can exploit this weakness to violate privacy. The paper provides a fix for the vulnerability. Further privacy issues concerning linkability are identified and a framework for their resolution is developed. In addition an optimisation to reduce the number of messages exchanged is proposed.