Conference Paper

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Abstract

This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier's decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.

... There are multiple challenges. We need generality, to allow multiple types of relation to be supported, not only a single one (as in [CS03,NRSW20,LN17]). Our use case requires verifiable encryption of many types of keys (potentially all the types here [PK22]), and at least ECC, RSA, and AES (the common types supported by cloud providers [AWS22a,AKV22,GK22]). ...
... We also want to minimize the additional assumptions required, ideally not requiring any new assumptions; for example if an AES key is to be exported, encrypted under an RSA key, we should not need to make assumptions in elliptic curve groups (perhaps with a pairing), as might be the case if certain SNARK proof systems were used for verifiability [Gro16, MBKM19, BBB+18, LCKO19]. We also want flexibility in the receiver's public-key encryption (PKE) scheme, again to minimize new assumptions, but also to support security goals like threshold decryption or post-quantum security, rather than have a VE scheme that dictates the PKE the receiver must use (as in [CS03,NRSW20,LN17]). ...
... We omit a detailed comparison to [CS03] since it only works for discrete logarithms in a group suitable for Paillier's encryption scheme, and the PKE is fixed to Paillier's scheme. The scheme is not suitable for encrypting an ECDSA private key, one of our motivating examples. ...
Article
Full-text available
Verifiable encryption (VE) is a protocol where one can provide assurance that an encrypted plaintext satisfies certain properties, or relations. It is an important building block in cryptography with many useful applications, such as key escrow, group signatures, optimistic fair exchange, and others. However, the majority of previous VE schemes are restricted to instantiation with specific public-key encryption schemes or relations. In this work, we propose a novel framework that realizes VE protocols using zero-knowledge proof systems based on the MPC-in-the-head paradigm (Ishai et al. STOC 2007). Our generic compiler can turn a large class of zero-knowledge proofs into secure VE protocols for any secure public-key encryption scheme with the undeniability property, a notion that essentially guarantees binding of encryption when used as a commitment scheme. Our framework is versatile: because the circuit proven by the MPC-in-the-head prover is decoupled from a complex encryption function, the work of the prover is focused on proving the encrypted data satisfies the relation, not the proof of plaintext knowledge. Hence, our approach allows for instantiation with various combinations of properties about the encrypted data and encryption functions. We then consider concrete applications, to demonstrate the efficiency of our framework, by first giving a new approach and implementation to verifiably encrypt discrete logarithms in any prime order group more efficiently than was previously known. Then we give the first practical verifiable encryption scheme for AES keys with post-quantum security, along with an implementation and benchmarks.
... -CA generates a key pair for verifiable encryption, which will be used for inspection [8]. ...
... 3) CA generates a key pair for verifiable encryption: the CA decrypts an encrypted attribute of misbehaving vehicles. To generate the inspection key \(\mathsf{pk}_{\mathrm{in}}\), the CA runs the key generation algorithm from the CS-signature scheme [8]. The outputs are the public-key pair \(\{\mathsf{pk}_{\mathrm{in}}, \mathsf{sk}_{\mathrm{in}}\}\). ...
... • To broadcast a message m, a vehicle (prover) needs to convince the verifier that it: possesses an ABC issued by the CA while not revealing its attributes, can encrypt a hidden attribute, can generate a signature on m to demonstrate possession of a valid secret that is certified by the CA. • The sender encrypts a hidden attribute \(a_i\) as \(m' = [a_i]\) using the CS encryption algorithm [8], and generates the ZKPK of \(\{ABC, N_\epsilon, m'\}\), which outputs \(PK\): ...
... The proposed OT protocol is based on the Camenisch-Shoup encryption scheme [8]. This encryption scheme uses the following public parameters such as two prime numbers p and q, generator g of the group G , and h = N + 1 (the value of h is used during the encryption and decryption process of the Camenisch-Shoup encryption scheme), where N = pq. ...
... We use the notations E and D, respectively, as encryption and decryption algorithm under the Camenisch-Shoup encryption scheme [8]. Suppose that \(\mathsf{pk}\) is the joint public key of the KGC, and \(\mathsf{pk}_d\) is the ephemeral public key of the doctor. ...
... This protocol uses the OPRF algorithm. In order to preserve the secret keys privacy of the KGC and the attributes privacy of the doctor, the OPRF algorithm uses the Camenisch-Shoup encryption scheme [8]. The doctor executes the ABE.Decryption algorithm on the received secret keys and decrypts the encrypted EHR of the patient. ...
Article
Full-text available
In the Attribute-Based Encryption (ABE) scheme, patients encrypt their electronic health record (EHR), attach the appropriate attributes with it, and outsource them over the cloud. Doctors get the encrypted EHR corresponding to their area of interest (attributes) from the cloud. To decrypt the received encrypted EHR, doctors get the secret keys from the key generation center (KGC). Since the KGC knows the secret keys of all the encrypted EHRs, it may decrypt patients’ records. A decentralized ABE scheme overcomes this issue but requires high computation and communication costs. Moreover, in this scheme, any unauthorized doctor can access the patients’ EHR. Besides, the KGC’s secret keys privacy and the doctor’s attribute privacy are also serious concerns. In this paper, we have proposed a comprehensive privacy-preserving e-health (CP2EH) scheme over the cloud that overcomes the problems of both unauthorized access of patient records by a doctor and a doctor’s attribute privacy in an ABE scheme. In the CP2EH scheme, we have incorporated oblivious transfer (OT) and zero-knowledge proof (ZKP) protocols into the centralized ABE scheme. The OT protocol preserves KGC’s secret keys privacy and the doctor’s attribute privacy. The ZKP protocol preserves the patient’s EHR privacy from unauthorized doctors. Results show that the CP2EH scheme is able to meet all the privacy requirements of e-health applications over the cloud at a lower computation and communication cost as compared to the existing ABE schemes.
... Verifiable encryption [17,19] under the TTP's key is the main cryptographic primitive in an optimistic fair exchange protocol, because if any party cheats (e.g., does not send his item), other parties ask the TTP to decrypt the verifiable encryption and receive the item. One may consider verifiable encryption as an encryption together with a zero knowledge proof that the encrypted value is correct. ...
... Encryption labels are employed to tie different messages together, as well as indicate exchange parameters to the TTP. Below, we give the definition of verifiable escrow, which is the same cryptographic primitive as verifiable encryption [19,17]. We use the name escrow to indicate that the key of the encryption scheme belongs to the TTP. ...
... Definition 7 (Verifiable Escrow [19,17]). Let ψ = [R, W, ∆] be a description of a binary relation R on W × ∆, and M be a message space. ...
Chapter
Full-text available
Multi-party fair exchange (MFE) considers scenarios where fairness means that either all exchanges as agreed upon between multiple parties take place, or no item changes hands. The two-party case was widely studied starting with the seminal work of Asokan et al. in ACM CCS 1998. The state-of-the-art MFE protocol was shown by Kılınç and Küpçü in CT-RSA 2015. Unfortunately, it only works on items that can be efficiently verifiably encrypted, which, in particular, means that it cannot efficiently handle exchange of large files in a peer-to-peer file sharing scenario. In this work, first, we extend the optimistic two-party fair computation definition of Cachin and Camenisch in CRYPTO 2000 for the MFE setting, and prove the security of our protocol with ideal-real simulation. Secondly, we extend the CT-RSA 2015 solution of Kılınç and Küpçü in a way that our protocol enables parties to exchange any item, be it a large file. While doing so, we employ electronic payments, where if a party does not obtain the desired item at the end of the protocol, the payment of the item’s owner will be obtained instead. Third, we achieve asymptotic optimality with O(1) rounds and \( O(n^2) \) messages, where n is the number of participating parties. Finally, we also provide experimental results from our prototype code.
... Boneh et al. [45] introduced Verifier-local Revocation (VLR) and proposed a short group signature based on this notion in which signers were not directly engaged in the revocation process, and revocation messages are exclusively sent to verifiers. Kiayias et al. [162] presented the first group signature that utilized the BB digital signature [36] and verifiable encryption based on Paillier encryption [58] that allowed for concurrent joining of members using the single message and signature response paradigm. Delerablée et al. [87] improved upon the previous works by addressing the long signature size of [162], the computational cost of [204], and the absence of a revocation procedure in the [24] model. ...
... In particular, we need an encryption scheme that supports DLOG verification as explained in point 2f. of the key-generation algorithm. A suitable candidate is a variant of the Cramer-Shoup cryptosystem presented in Ref. [44]. This algorithm is equipped with a ZKP that allows the sender to prove that the plaintext he encrypted is the discrete logarithm of a public value. ...
Article
Full-text available
We present an EdDSA-compatible multi-party digital signature scheme that supports an offline participant during the key-generation phase, without relying on a trusted third party. Under standard assumptions, we prove our scheme secure against adaptive malicious adversaries. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible probability, then we can build a forger for the original EdDSA scheme with non-negligible probability. The scheme requires only two communication rounds in the signature generation phase and avoids expensive multi-party evaluation of cryptographic hash functions. We present our solution in a setting where two parties generate the keys and compute signatures, with a third party which can be brought online after the key generation when one of the other parties becomes unavailable. This setting is a perfect fit for custodial solutions where partially trusted services are employed by a user to increase resiliency. We provide also a possible solution to retain the resiliency of the recovery in the presence of a malicious party.
... To trace the signer, the opener simply decrypts ct to recover vk. Notice that the NIZK proof implicitly defines a verifiable encryption scheme [25,26] since it is proving that ct is a valid encryption for some message vk in R. Below, although our construction can be based on any cryptographically-hard group action, we mainly focus on isogenies for simplicity. ...
Article
Full-text available
We construct an efficient dynamic group signature (or more generally an accountable ring signature) from isogeny and lattice assumptions. Our group signature is based on a simple generic construction that can be instantiated by cryptographically hard group actions such as the CSIDH group action or an MLWE-based group action. The signature is of size \(O(\log N)\), where N is the number of users in the group. Our idea builds on the recent efficient OR-proof by Beullens, Katsumata, and Pintore (Asiacrypt’20), where we efficiently add a proof of valid ciphertext to their OR-proof and further show that the resulting non-interactive zero-knowledge proof system is online extractable. Our group signatures satisfy more ideal security properties compared to previously known constructions, while simultaneously having an attractive signature size. The signature size of our isogeny-based construction is an order of magnitude smaller than all previously known post-quantum group signatures (e.g., 6.6 KB for 64 members). In comparison, our lattice-based construction has a larger signature size (e.g., either 126 KB or 89 KB for 64 members depending on the satisfied security property). However, since the \(O(\cdot)\)-notation hides a very small constant factor, it remains small even for very large group sizes, say \(2^{20}\).
... 2.2]. The encryption scheme satisfying these properties can be instantiated with a semantically-secure variant [87] of the Camenisch-Shoup encryption (CSEnc) [28] scheme, accompanied with suitable zero-knowledge proof systems, as specified in [87]. Here, we denote by \(K^+\), \(E^+\), and \(D^+\) the key generation, the encryption, and the decryption algorithms of CSEnc, respectively. ...
... The best security for our purposes would be UC security [11], but it may come at an efficiency cost. For efficient and UC-secure Σ-protocols [16], Dodis, Shoup, and Walfish [17] offer a solution, but it relies on verifiable encryption [10] or similar, which adds complexity and setup assumptions. In the random oracle model, Fischlin [19] as well as Bernhard, Fischlin, and Warinschi [3] show how to get an extractor that does not need to rewind, thereby allowing composition. ...
Article
Full-text available
Mercurial signatures are a useful building block for privacy-preserving schemes, such as anonymous credentials, delegatable anonymous credentials, and related applications. They allow a signature σ on a message m under a public key pk to be transformed into a signature σ ′ on an equivalent message m ′ under an equivalent public key pk′ for an appropriate notion of equivalence. For example, pk and pk′ may be unlinkable pseudonyms of the same user, and m and m ′ may be unlinkable pseudonyms of a user to whom some capability is delegated. The only previously known construction of mercurial signatures suffers a severe limitation: in order to sign messages of length ℓ , the signer’s public key must also be of length ℓ . In this paper, we eliminate this restriction and provide an interactive signing protocol that admits messages of any length. We prove our scheme existentially unforgeable under chosen open message attacks (EUF-CoMA) under a variant of the asymmetric bilinear decisional Diffie-Hellman assumption (ABDDH).
... Verifiable decryption. We consider a specific verifiable public key encryption (VPKE) scheme consisting of a tuple of algorithms (VPKE.KGen, VEnc, VDec, ProvePKE, VerifyPKE) and allowing the decryptor to produce the plaintext along with a proof attesting the correct decryption [32]. Specifically, KGen outputs a public-private key pair, i.e., \((h, k) \leftarrow \mathsf{VPKE.KGen}(1^{\lambda})\) where \(\lambda\) is a security parameter. ...
Preprint
Peer-to-peer (p2p) content delivery is promising to reduce the cost of traditional CDNs and complement the decentralized storage networks such as Filecoin. However, reliable p2p delivery requires proper enforcement of delivery fairness, i.e., the deliverers should be rewarded according to their in-time delivery. Unfortunately, most existing studies on delivery fairness are based on non-cooperative game-theoretic assumptions that are arguably unrealistic in the ad-hoc p2p setting. We for the first time put forth the expressive yet still minimalist securities for p2p content delivery, and give two efficient solutions FairDownload and FairStream via the blockchain for p2p downloading and p2p streaming scenarios, respectively. Our designs not only guarantee delivery fairness to ensure deliverers be paid (nearly) proportional to his in-time delivery, but also ensure the content consumers and content providers to be fairly treated. The fairness of each party can be guaranteed when the other two parties collude to arbitrarily misbehave. Moreover, the systems are efficient in the sense of attaining asymptotically optimal on-chain costs and optimal deliverer communication. We implement the protocols to build the prototype systems atop the Ethereum Ropsten network. Extensive experiments done in LAN and WAN settings showcase their high practicality.
Chapter
We introduce a new primitive called anonymous counting tokens (ACTs) which allows clients to obtain blind signatures or MACs (aka tokens) on messages of their choice, while at the same time enabling issuers to enforce rate limits on the number of tokens that a client can obtain for each message. Our constructions enforce that each client will be able to obtain only one token per message and we show a generic transformation to support other rate limiting as well. We achieve this new property while maintaining the unforgeability and unlinkability properties required for anonymous tokens schemes. We present four ACT constructions with various trade-offs for their efficiency and underlying security assumptions. One construction uses factorization-based primitives and a cyclic group. It is secure in the random oracle model under the q-DDHI assumption (in a cyclic group) and the DCR assumption. Our three other constructions use bilinear maps: one is secure in the standard model under q-DDHI and SXDH, one is secure in the random oracle model under SXDH, and the most efficient of the three is secure in the random oracle model and generic bilinear group model.
Chapter
Updatable public key encryption has recently been introduced as a solution to achieve forward-security in the context of secure group messaging without hurting efficiency, but so far, no efficient lattice-based instantiation of this primitive is known. In this work, we construct the first LWE-based UPKE scheme with polynomial modulus-to-noise rate, which is CPA-secure in the standard model. At the core of our security analysis is a generalized reduction from the standard LWE problem to (a stronger version of) the Extended LWE problem. We further extend our construction to achieve stronger security notions by proposing two generic transforms. Our first transform allows to obtain CCA security in the random oracle model and adapts the Fujisaki-Okamoto transform to the UPKE setting. Our second transform allows to achieve security against malicious updates by adding a NIZK argument in the update mechanism. In the process, we also introduce the notion of Updatable Key Encapsulation Mechanism (UKEM), as the updatable variant of KEMs. Overall, we obtain a CCA-secure UKEM in the random oracle model whose ciphertext sizes are of the same order of magnitude as that of CRYSTALS-Kyber.
Chapter
In this work we present a direct construction for verifiable decryption for the BGV encryption scheme by combining existing zero-knowledge proofs for linear relations and bounded values. This is one of the first constructions of verifiable decryption protocols for lattice-based cryptography, and we give a protocol that is simpler and at least as efficient as the state of the art when amortizing over many ciphertexts. To prove its practicality we provide concrete parameters, resulting in proof size of less than \(44 \tau \) KB for \(\tau \) ciphertexts with message space 2048 bits. Furthermore, we provide an open source implementation showing that the amortized cost of the verifiable decryption protocol is only 76 ms per message when batching over \(\tau = 2048\) ciphertexts. Keywords: lattice cryptography; verifiable decryption; zero-knowledge
Article
We introduce BICYCL, an open-source C++ library that implements arithmetic in the ideal class groups of imaginary quadratic fields, together with a set of cryptographic primitives based on class groups. It is available at https://gite.lirmm.fr/crypto/bicycl under GNU General Public License version 3 or any later version. BICYCL provides significant speed-ups on the implementation of the arithmetic of class groups. Concerning cryptographic applications, BICYCL is orders of magnitude faster than any previous pilot implementation of the \(\textsf{CL}\) linearly homomorphic encryption scheme, making it faster than Paillier’s encryption scheme at any security level. Linearly homomorphic encryption is the core of many multi-party computation protocols, sometimes involving a huge number of encryptions and homomorphic evaluations: class group-based protocols become the best solution in terms of bandwidth and computational efficiency to rely upon.
Chapter
If everyone were to use anonymous credentials for all access control needs, it would be impossible to trace wrongdoers, by design. This would make legitimate controls, such as tracing illicit trade and terror suspects, impossible to carry out. Here, we propose a privacy-preserving blueprint capability that allows an auditor to publish an encoding \(\textsf{pk}_{\textsf{A}}\) of the function \(f(x,\cdot )\) for a publicly known function f and a secret input x. For example, x may be a secret watchlist, and f(x, y) may return y if \(y\in x\). On input her data y and the auditor’s \(\textsf{pk}_{\textsf{A}}\), a user can compute an escrow \(Z\) such that anyone can verify that \(Z\) was computed correctly from the user’s credential attributes, and moreover, the auditor can recover f(x, y) from \(Z\). Our contributions are: We define secure f-blueprint systems; our definition is designed to provide a modular extension to anonymous credential systems. We show that secure f-blueprint systems can be constructed for all functions f from fully homomorphic encryption and NIZK proof systems. This result is of theoretical interest but is not efficient enough for practical use. We realize an optimal blueprint system under the DDH assumption in the random-oracle model for the watchlist function.
Article
Authentication and blacklisting mechanisms have a key role for service providers to deliver the service to correct users through digital channels. Nevertheless, there have always been concerns about privacy of the users against such mechanisms. The conditional anonymity concept is proposed as a remedy to these concerns. A recent approach in the literature for conditional anonymity is blacklistable anonymous credentials, which allows service providers to blacklist users for an authentication session without identifying the user. In this paper, we improve user anonymity in conditionally anonymous schemes using two complementary mechanisms. First, we define the whitelisting property for blacklistable anonymous credentials and give a construction of this scheme. The whitelisting property can be used to unlink an honestly behaved authentication session from the user. Second, we propose an extension of this scheme for a particular use case, sharing economy services. This scheme allows a service provider to blacklist a user only if the user has not returned the shared asset in due time. We benchmark the performance of our schemes by comparing them with the rival schemes. Our experiments show that both of our schemes have comparable performance to previous works.
Chapter
Numerous cryptographic applications require efficient non-interactive zero-knowledge proofs of knowledge (NIZKPoK) as a building block. Typically they rely on the Fiat-Shamir heuristic to do so, as security in the random-oracle model is considered good enough in practice. However, there is a troubling disconnect between the stand-alone security of such a protocol and its security as part of a larger, more complex system where several protocols may be running at the same time. Provable security in the general universal composition model (GUC model) of Canetti et al. is the best guarantee that nothing will go wrong when a system is part of a larger whole, even when all parties share a common random oracle. In this paper, we prove the minimal necessary properties of generally universally composable (GUC) NIZKPoK in any global random-oracle model, and show how to achieve efficient and GUC NIZKPoK in both the restricted programmable and restricted observable (non-programmable) global random-oracle models.
Chapter
Today, authentication massively relies on digital signature mechanisms that act as real electronic stamps. Today, there is a wide variety of advanced signature constructions that reflect the variety of environments and zero‐knowledge proof protocols used in cryptography. This chapter describes some of these more specifically, those that are fairly representative of the state‐of‐the‐art. It shows how they can be used to meet some needs using some primitives that are emblematic of cryptography for the protection of privacy. The notion of anonymous credentials is quite broad because in cryptography it covers all the solutions where a user obtains a certificate on its “attributes” from an entity, so as to then be able to convince, anonymously, any verifier that its attributes satisfy some conditions. It is difficult today to talk of anonymous authentication without mentioning group signatures, since this primitive has become so central within this domain.
Article
Peer-to-peer (P2P) content delivery is up-and-coming to provide benefits comprising cost-saving and scalable peak-demand handling compared with centralized content delivery networks (CDNs), and also complementary to the popular decentralized storage networks such as Filecoin. However, reliable P2P delivery demands proper enforcement of delivery fairness, i.e., the deliverers should be rewarded in line with their in-time delivery. Unfortunately, most existing studies on delivery fairness are on the basis of non-cooperative game-theoretic assumptions that are arguably unrealistic in the ad-hoc P2P setting. We propose an expressive yet still minimalist security requirement for desired fair P2P content delivery, and give two efficient blockchain-enabled and monetary-incentivized solutions ${\mathsf {FairDownload}}$ and ${\mathsf {FairStream}}$ for P2P downloading and P2P streaming scenarios, respectively. Our designs not only ensure delivery fairness where deliverers are paid (nearly) proportional to their in-time delivery, but also guarantee exchange fairness where content consumers and content providers are also fairly treated. The fairness of each party can be assured even when the other two parties collude to arbitrarily misbehave. Our protocols provide a general design of fetching a content chunk from any specific position so the delivery can be resumed in the presence of unexpected interruption. Further, our systems are efficient in the sense of achieving asymptotically optimal on-chain costs and optimal delivery communication. We implement the prototype and deploy it on the Ethereum Ropsten network. Extensive experiments in both LAN and WAN settings are conducted to evaluate the on-chain costs as well as the efficiency of downloading and streaming. Experimental results show the practicality and efficiency of our protocols.
Article
Full-text available
In the digital world, crypto currency has to do with the use of tokens based on distributed ledger technology in a secure manner. Crypto currency can be a resource on a block chain network or can be seen as a tool to perform transactions ensuring privacy and security. Data may be available in temporal or text format. This paper describes a distributed architecture for secure and attack-resilient bit coin-based crypto currency transactions for classified temporal and text data. The temporal data may be voice, sound or graphical information based on the time series. If the data available is temporal, this work describes how it can be classified into a processed form. In this context, this paper describes the process of converting temporal data into text data. Further, the paper describes the process of ensuring security. This paper describes the methodologies of cryptography-based hashing, attack-resilient nonce generation and verifiable encryption techniques for the construction of resilient transactions against stealthy data-integrity attack.
Article
Internet of Things (IoT) applications have become widely popular for academic and industrial purposes in recent years. One of the most important applications in IoT is Home Automation Systems. Home Automation Systems consist of a number of devices in the home network that allow the homeowners to monitor and control their home from anywhere. However, connectivity to the internet and the simplicity of such devices raise a number of security and privacy concerns. In this paper, we propose a privacy preserving and secure identification and authentication model for Home Automation Systems. In our model, a trusted middleware-layer is developed to ensure a secure and scalable communication platform and provide privacy for the users. We propose a zero knowledge mutual verification and authentication protocol. Meanwhile, for privacy preservation we introduce a communication model by implementing fake proofs with the aim of hiding the identity of the IoT devices. Furthermore, the communication over MQTT is obfuscated by the Home Management System to avoid intrusions and to prevent third parties from tracing the communication. Experiments are conducted for different communication scenarios and the security analysis for the protocol is presented.
Chapter
We construct an efficient dynamic group signature (or more generally an accountable ring signature) from isogeny and lattice assumptions. Our group signature is based on a simple generic construction that can be instantiated by cryptographically hard group actions such as the CSIDH group action or an MLWE-based group action. The signature is of size \(O(\log N)\), where N is the number of users in the group. Our idea builds on the recent efficient OR-proof by Beullens, Katsumata, and Pintore (Asiacrypt’20), where we efficiently add a proof of valid ciphertext to their OR-proof and further show that the resulting non-interactive zero-knowledge proof system is online extractable. Our group signatures satisfy more ideal security properties compared to previously known constructions, while simultaneously having an attractive signature size. The signature size of our isogeny-based construction is an order of magnitude smaller than all previously known post-quantum group signatures (e.g., 6.6 KB for 64 members). In comparison, our lattice-based construction has a larger signature size (e.g., either 126 KB or 89 KB for 64 members depending on the satisfied security property). However, since the \(O(\cdot )\)-notation hides a very small constant factor, it remains small even for very large group sizes, say \(2^{20}\).
Chapter
The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti et al. (STOC’19) and Peikert-Shiehian (Crypto’19) showed that, under the Learning-With-Errors (\(\mathsf {LWE}\)) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to so-called trapdoor \(\varSigma \)-protocols. In order to be compatible with CI hash functions based on standard \(\mathsf {LWE}\) assumptions with polynomial approximation factors, all known such protocols have been obtained via parallel repetitions of a basic protocol with binary challenges. In this paper, we consider languages related to Paillier’s composite residuosity assumption (\(\mathsf {DCR}\)) for which we give the first trapdoor \(\varSigma \)-protocols providing soundness in one shot, via exponentially large challenge spaces. This improvement is analogous to the one enabled by Schnorr over the original Fiat-Shamir protocol in the random oracle model. Using the correlation-intractable hash function paradigm, we then obtain simulation-sound NIZK arguments showing that an element of \(\mathbb {Z}_{N^2}^*\) is a composite residue, which opens the door to space-efficient applications in the standard model. As a concrete example, we build logarithmic-size ring signatures (assuming a common reference string) with the shortest signature length among schemes based on standard assumptions in the standard model. We prove security under the \(\mathsf {DCR}\) and \(\mathsf {LWE}\) assumptions, while keeping the signature size comparable with that of random-oracle-based schemes. Keywords: NIZK arguments; Compactness; Simulation-soundness; Composite residuosity; Fiat-Shamir; Ring signatures; Standard model
Chapter
We build the first construction of a partially oblivious pseudorandom function (POPRF) that does not rely on bilinear pairings. Our construction can be viewed as combining elements of the 2HashDH OPRF of Jarecki, Kiayias, and Krawczyk with the Dodis-Yampolskiy PRF. We analyze our POPRF’s security in the random oracle model via reduction to a new one-more gap strong Diffie-Hellman inversion assumption. The most significant technical challenge is establishing confidence in the new assumption, which requires new proof techniques that enable us to show that its hardness is implied by the q-DL assumption in the algebraic group model. Our new construction is as fast as the current, standards-track OPRF 2HashDH protocol, yet provides a new degree of flexibility useful in a variety of applications. We show how POPRFs can be used to prevent token hoarding attacks against Privacy Pass, reduce key management complexity in the OPAQUE password authenticated key exchange protocol, and ensure stronger security for password breach alerting services. Keywords: Verifiable oblivious pseudorandom functions; Diffie-Hellman inversion; Anonymous tokens; Blind signatures.
Chapter
Non-interactive publicly verifiable secret sharing (PVSS) schemes enable (re-)sharing of secrets in a decentralized setting in the presence of malicious parties. A recently proposed application of PVSS schemes is to enable permissionless proof-of-stake blockchains to “keep a secret” via a sequence of committees that share that secret. These committees can use the secret to produce signatures on the blockchain’s behalf, or to disclose hidden data conditioned on consensus that some event has occurred. That application needs very large committees with thousands of parties, so the PVSS scheme in use must be efficient enough to support such large committees, in terms of both computation and communication. Yet, previous PVSS schemes have large proofs and/or require many exponentiations over large groups. We present a non-interactive PVSS scheme in which the underlying encryption scheme is based on the learning with errors (LWE) problem. While lattice-based encryption schemes are very fast, they often have long ciphertexts and public keys. We use the following two techniques to conserve bandwidth: First, we adapt the Peikert-Vaikuntanathan-Waters (PVW) encryption scheme to the multi-receiver setting, so that the bulk of the parties’ keys is a common random string. The resulting scheme yields Ω(1) amortized plaintext/ciphertext rate, where concretely the rate is ≈1/60 for 100 parties, ≈1/8 for 1000 parties, and approaching 1/2 as the number of parties grows. Second, we use bulletproofs over a DL-group of order about 256 bits to get compact proofs of correct encryption/decryption of shares. Alternating between the lattice and DL settings is relatively painless, as we equate the LWE modulus with the order of the group. We also show how to reduce the number of exponentiations in the bulletproofs by applying Johnson-Lindenstrauss-like compression to reduce the dimension of the vectors whose properties must be verified. An implementation of our PVSS with 1000 parties showed that it is feasible even at that size, and should remain so even with one or two orders of magnitude increase in the committee size.
Article
Full-text available
The Coefficients H technique (also called the H-technique), developed by Patarin circa 1991, is a tool used to obtain the upper bounds on distinguishing advantages. This tool is known to provide relatively simple and (in some cases) tight bound proofs in comparison to some other well-known tools, such as the game-playing technique and random systems methodology. In this systematization of knowledge (SoK) paper, we aim to provide a brief survey on the H-technique. The SoK is presented in four parts. First, we redevelop the necessary nomenclature and tools required to study the security of any symmetric-key design, especially in the H-technique setting. Second, we provide a full description of the H-technique and some related tools. Third, we present (simple) H-technique-based proofs for some popular symmetric-key designs, across different paradigms. Finally, we show that the H-technique can actually provide optimal bounds on distinguishing advantages.
Article
Multi-party fair exchange (MFE) and fair secure multi-party computation (fair SMPC) are under-studied fields of research, with practical importance. In particular, we consider MFE scenarios where at the end of the protocol, either every participant receives every other participant’s item, or no participant receives anything. We analyze the case where a trusted third party (TTP) is optimistically available, although we emphasize that the trust put on the TTP is only regarding the fairness, and our protocols preserve the privacy of the exchanged items against the TTP. In the fair SMPC case, we prove that a malicious TTP can only harm fairness, but not security. We construct an asymptotically optimal multi-party fair exchange protocol that requires a constant number of rounds (in comparison to linear) and O(n²) messages (in comparison to cubic), where n is the number of participating parties. In our protocol, we enable the parties to efficiently exchange any item that can be efficiently put into a verifiable encryption (e.g., signatures on a contract). We show how to apply this protocol on top of any SMPC protocol to achieve fairness with very little overhead (independent of the circuit size). We then generalize our protocol to efficiently handle any exchange topology (participants exchange items with arbitrary other participants). Our protocol guarantees fairness in its strongest sense: even if all n-1 other participants are malicious and colluding with each other, the fairness is still guaranteed.
Chapter
We introduce verifiable partially-decryptable commitments (VPDC), as a building block for constructing efficient privacy-preserving protocols supporting auditability by a trusted party. A VPDC is an extension of a commitment along with an accompanying proof, convincing a verifier that (i) the given commitment is well-formed and (ii) a certain part of the committed message can be decrypted using a (secret) trapdoor known to a trusted party. We first formalize VPDCs and then introduce a general decryption feasibility result that overcomes the challenges in relaxed proofs arising in the lattice setting. Our general result can be applied to a wide class of Fiat-Shamir based protocols and may be of independent interest. Next, we show how to extend the commonly used lattice-based ‘Hashed-Message Commitment’ (HMC) scheme into a succinct and efficient VPDC. In particular, we devise a novel ‘gadget’-based Regev-style (partial) decryption method, compatible with efficient relaxed lattice-based zero-knowledge proofs. We prove the soundness of our VPDC in the setting of adversarial proofs, where a prover tries to create a valid VPDC output that fails in decryption. To demonstrate the effectiveness of our results, we extend a private blockchain payment protocol, MatRiCT, by Esgin et al. (ACM CCS ’19) into a formally auditable construction, which we call MatRiCT-Au, with very low communication and computation overheads over MatRiCT. Keywords: Lattice; Zero Knowledge; Verifiable Partially-Decryptable Commitment; Auditable RingCT; Accountable Ring Signature.
Article
When peers rate each other, they may rate inaccurately to boost their own reputation or unfairly lower another’s. This could be mitigated by having a reputation server incentivise accurate ratings with a reward. However, assigning rewards becomes challenging when ratings are anonymous, since the reputation server cannot tell which peers to reward for rating accurately. To address this, we propose an anonymous peer rating system in which users can be rewarded for accurate ratings, and we formally define its model and security requirements. In our system ratings are rewarded in batches, so that users claiming their rewards only reveal they authored one in this batch of ratings. To ensure the anonymity set of rewarded users is not reduced, we also split the reputation server into two entities, the Rewarder, who knows which ratings are rewarded, and the Reputation Holder, who knows which users were rewarded. We give a provably secure construction satisfying all the security properties required. For our construction we use a modification of a Direct Anonymous Attestation scheme to ensure that peers can prove their own reputation when rating others, and that multiple feedback on the same subject can be detected. We then use Linkable Ring Signatures to enable peers to be rewarded for their accurate ratings, while still ensuring that ratings are anonymous. Our work results in a system which allows accurate ratings to be rewarded, whilst still providing anonymity of ratings with respect to the central entities managing the system.
Chapter
One of the most important verifiability techniques for mix nets is randomized partial checking (RPC). This method is employed in a number of prominent secure e-voting systems, including Prêt à Voter, Civitas, and Scantegrity II, some of which have also been used for real political elections including in Australia.
Chapter
Given two ciphertexts generated with a public-key encryption scheme, the problem of plaintext equality consists in determining whether the ciphertexts hold the same value. Similarly, the problem of plaintext inequality consists in deciding whether they hold a different value. Previous work has focused on building new schemes or extending existing ones to include support for plaintext equality/inequality. We propose generic and simple zero-knowledge proofs for both problems, which can be instantiated with various schemes. First, we consider the context where a prover with access to the secret key wants to convince a verifier, who has access to the ciphertexts, on the equality/inequality without revealing information about the plaintexts. We also consider the case where the prover knows the encryption’s randomness instead of the secret key. For plaintext equality, we also propose sigma protocols that lead to non-interactive zero-knowledge proofs. To prove our protocols’ security, we formalize notions related to malleability in the context of public-key encryption and provide definitions of their own interest.
Article
At Eurocrypt 2011, Lindell presented practical static and adaptively UC-secure commitment schemes based on the DDH assumption. Later, Blazy et al. (at ACNS 2013) improved the efficiency of Lindell's commitment schemes. In this paper, we present static and adaptively UC-secure commitment schemes based on the same assumption and further improve the communication and computational complexity, as well as the size of the common reference string.
Article
The Internet of Vehicles (IoV) was proposed as an approach to enable intelligent traffic management and enhance road safety. In order to achieve the intended objective of improving road safety, vehicles are required to constantly broadcast messages to the traffic management infrastructure as well as to other vehicles in the vicinity. Cybersecurity protection of the IoV system is critical as security attacks on IoV and safety-related messages could be life-threatening. In this connection, it is essential to ensure the authenticity of IoV messages. Whereas, from the angle of privacy protection, it is undesirable to directly authenticate the identities of vehicles that send the IoV messages. To cope with these conflicting requirements, researchers proposed the notion of conditional anonymous authentication, which aims to authenticate message senders anonymously. When necessary, a trusted third party, named tracer, will be allowed to reveal the true identities of malicious vehicles who sent fake messages. However, existing security techniques including pseudonyms and group signatures typically assume that the tracer is trusted. This assumption may not be desirable in situations when a curious tracer may reveal the identities of honest vehicles in the IoV system. To address this challenge, this paper proposes a privacy-preserving authentication scheme with abuse-resistant tracing. Compared with existing conditional anonymous authentication schemes, our scheme prevents a single tracer from revealing the identity of vehicles. Besides, the tracing key is generated in a distributed manner, and hence no single authority in the system can reveal the true identity of a vehicle.
Chapter
In comparison with conventional content delivery networks, peer-to-peer (p2p) content delivery is promising to save cost and handle high peak-demand, and can also complement the decentralized storage networks such as Filecoin. However, reliable p2p delivery requires proper enforcement of delivery fairness, i.e., the deliverers should be rewarded according to their in-time delivery. Unfortunately, most existing studies on delivery fairness are based on non-cooperative game-theoretic assumptions that are arguably unrealistic in the ad-hoc p2p setting.
Chapter
EPID systems are anonymous authentication protocols where a device can be revoked by including one of its signatures in a revocation list. Such protocols are today included in the ISO/IEC 20008-2 standard and are embedded in billions of chips, which make them a flagship of advanced cryptographic tools. Yet, their security analysis is based on a model that suffers from several important limitations, which either questions the security assurances EPID can provide in the real world or prevents such systems from achieving their full impact. The most prominent example is the one of revocation lists. Although they could be managed locally by verifiers, which would be natural in most use-cases, the security model assumes that they are managed by a trusted entity, a requirement that is not easily met in practice and that is thus tempting to ignore, as illustrated in the corresponding standard.
Chapter
We consider threshold public-key encryption, where the decryption servers distributively hold the private key shares, and we need a threshold of these servers to decrypt the message (while the system remains secure when less than the threshold is corrupt). We investigate the notion of chosen-ciphertext secure threshold systems which has been historically hard to achieve. We further require the systems to be, both, adaptively secure (i.e., secure against a strong adversary making corruption decisions dynamically during the protocol), and non-interactive (i.e., where decryption servers do not interact amongst themselves but rather efficiently contribute, each, a single message). To date, only pairing-based implementations were known to achieve security in the standard security model without relaxation (i.e., without assuming the random oracle idealization) under the above stringent requirements. Here, we investigate how to achieve the above using other assumptions (in order to understand what other algebraic building blocks and mathematical assumptions are needed to extend the domain of encryption methods achieving the above). Specifically, we show realizations under the Decision Composite Residuosity (DCR) and Learning-With-Errors (LWE) assumptions.
Article
Full-text available
We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.
Conference Paper
Full-text available
This paper proposes a bit commitment scheme, BC(·), and efficient statistical zero knowledge (in short, SZK) protocols in which, for any given multi-variable polynomial \(f(X_1,\dots,X_t)\) and any given modulus n, prover P gives \((I_1,\dots,I_t)\) to verifier V and can convince V that P knows \((x_1,\dots,x_t)\) satisfying \(f(x_1,\dots,x_t) = 0 \pmod n\) and \(I_i = BC(x_i)\) (\(i = 1,\dots,t\)). The proposed protocols are O(n) times more efficient than the corresponding previous ones [Dam93, Dam95, Oka95]. The (knowledge) soundness of our protocols holds under a computational assumption, the intractability of a modified RSA problem (see Def. 3), while the (statistical) zero-knowledgeness of the protocols needs no computational assumption. The protocols can be employed to construct various practical cryptographic protocols, such as fair exchange, untraceable electronic cash and verifiable secret sharing protocols.
Conference Paper
Full-text available
The zero-knowledge proof of knowledge, first defined by Fiat, Feige and Shamir, was used by Galil, Haber and Yung as a means of constructing (out of a trapdoor function) an interactive public-key cryptosystem provably secure against chosen ciphertext attack. We introduce a revised setting which permits the definition of a non-interactive analogue, the non-interactive zero-knowledge proof of knowledge, and show how it may be constructed in that setting from a non-interactive zero-knowledge proof system for NP (of the type introduced by Blum, Feldman and Micali). We give a formalization of chosen ciphertext attack in our model which is stronger than the “lunchtime attack” considered by Naor and Yung, and prove a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge to be secure against it.
Conference Paper
Full-text available
A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature's originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification scheme with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalition-resistant under the strong RSA and the decisional Diffie-Hellman assumptions. The security of the noninteractive variant, i.e., the group signature scheme, relies additionally on the Fiat-Shamir heuristic (also known as the random oracle model).
Conference Paper
Full-text available
Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S , we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to a subset of n problem instances corresponding to a qualified set of participants. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, this can lead to witness hiding protocols, even if P did not have this property. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P . Our results use no unproven complexity assumptions. AMS Subject Classification (1991): 94A60 CR Subject Classification (1991): D.4.6 Ke...
Conference Paper
Full-text available
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Conference Paper
Full-text available
This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetic, are provably secure under appropriate assumptions in the standard model.
Conference Paper
Full-text available
We show that if any one-way function exists, then 3-round concurrent zero-knowledge arguments for all NP problems can be built in a model where a short auxiliary string with a prescribed distribution is available to the players. We also show that a wide range of known efficient proofs of knowledge using specialized assumptions can be modified to work in this model with no essential loss of efficiency. We argue that the assumptions of the model will be satisfied in many practical scenarios where public key cryptography is used, in particular our construction works given any secure public key infrastructure. Finally, we point out that in a model with preprocessing (and no auxiliary string) proposed earlier, concurrent zero-knowledge for NP can be based on any one-way function.
Conference Paper
Full-text available
We present a statistically-hiding commitment scheme allowing commitment to arbitrary size integers, based on any (Abelian) group with certain properties, most importantly, that it is hard for the committer to compute its order. We also give efficient zero-knowledge protocols for proving knowledge of the contents of commitments and for verifying multiplicative relations over the integers on committed values. The scheme can be seen as a generalization, with a slight modification, of the earlier scheme of Fujisaki and Okamoto [14]. The reasons we revisit the earlier scheme and give some modification to it are as follows:
- The earlier scheme [14] has some gaps in the proof of soundness of the associated protocols, one of which presents a non-trivial problem which, to the best of our knowledge, has remained open until now. We fill all the gaps here using additional ideas including minor modification of the form of a commitment.
- Although related works such as [8, 3, 10, 4] do not suffer from the main problem we solve here, the reason for this is that they use “commitments” with a single base (i.e., of form \(c = g^s \bmod n\)). Such commitments, however, cannot satisfy the standard hiding property for commitments, and hence protocols using them cannot in general be (honest-verifier) zero-knowledge nor witness indistinguishable.
- In a computationally convincing proof of knowledge where the prover produces the common input (which is the type of protocol we look at here), one cannot completely exclude the possibility that a prover manages to produce a common input on which he can cheat easily. This means that the standard definition of proofs of knowledge cannot be satisfied. Therefore we introduce a new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover.
- Our results apply to any group with suitable properties. In particular, they apply to a much larger class of RSA moduli than the safe prime products proposed in [14]. Potential examples include RSA moduli, class groups and, with a slight modification, even non-Abelian groups.
Our scheme can replace the earlier one in various other constructions, such as the efficient interval proofs of Boudot [4] and the efficient proofs for the product of two safe primes proposed by Camenisch and Michels [9].
Article
Full-text available
We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. It relies on a trusted third party, but is “optimistic,” in that the third party is only needed in cases where one player crashes or attempts to cheat. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player, even in a completely asynchronous network. A specialization of our protocol can be used for contract signing; this specialization is not only more efficient, but also has the important property that the third party can be held accountable for its actions: if it ever cheats, this can be detected and proven
Conference Paper
Full-text available
This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiation-based formulae. We consider general predicates built from modular exponentiations of secret values, combined by products and connected with the logical operators “AND”, “OR”, “NOT”. We first show how to deal with non-linear combination of secret exponents. Next, we extend the work by Brands to a strictly larger class of predicates, allowing a more liberal use of the logical operator “NOT”. We sketch two applications by which we enhance group signatures schemes with revocation of identity and multi-signer features. Such features can be useful to protect privacy or for collaborative use of group signatures, respectively.
Article
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called strong RSA assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA assumption.
Conference Paper
We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an "ideal commitment service," even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more. Unfortunately, two-party UC commitment protocols do not exist in the plain model. However, we construct two-party UC commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver.
Article
A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a key-management as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an efficient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depend on the number of group members. Its efficiency is comparable to the most efficient schemes that do not offer separability and is an order of magnitude more efficient than a previous scheme that provides partial separability. As a side result, we provide efficient proofs of the equality of two discrete logarithms from different groups and, more generally, of the validity of polynomial relations among discrete logarithms from different groups.
Conference Paper
This paper proposes a simple threshold Public-Key Cryptosystem (PKC) which is secure against adaptive chosen ciphertext attack, under the Decisional Diffie-Hellman (DDH) intractability assumption. Previously, it was shown how to design non-interactive threshold PKC secure under chosen ciphertext attack, in the random-oracle model and under the DDH intractability assumption [25]. The random-oracle was used both in the proof of security and to eliminate interaction. General completeness results for multi-party computations [6,13] enable in principle converting any single server PKC secure against CCA (e.g., [19,17]) into a threshold one, but the conversions are inefficient and require much interaction among the servers for each ciphertext decrypted. The recent work by Cramer and Shoup [17] on single server PKC secure against adaptive CCA is the starting point for the new proposal.
Conference Paper
It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons. Any k of these persons can later find the secret (1 ≤ k ≤ n), whereas fewer than k persons get no (Shannon) information about the secret. The information rate of the scheme is 1/2 and the distribution as well as the verification requires approximately 2k modular multiplications per bit of the secret. It is also shown how a number of persons can choose a secret "in the well" and distribute it verifiably among themselves.
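The construction this abstract describes (a dealer commits to the coefficients of two polynomials, and each shareholder checks its own share against the public commitments without contacting anyone else) can be seen in the following added example. It is not code from the cited paper or from the Camenisch–Shoup paper above; the group parameters P, Q, G, H are toy values chosen for this example and are far too small for real use, and in a real deployment the dealer must not know log_G(H), otherwise it could open a commitment to two different values.

```python
import secrets

# Toy group parameters (assumed for this example; far too small for real use).
# P is a safe prime, Q = (P - 1) / 2, and G, H generate the order-Q subgroup.
# log_G(H) must be unknown to the dealer in any real deployment.
P = 2039
Q = 1019
G = 4
H = 9


def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_Q (constant term first) at x by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal(secret, t, n):
    """Dealer: share `secret` among n parties so that any t of them can reconstruct.

    f carries the secret (f(0) = secret); r is a blinding polynomial. The public
    commitments G^f_j * H^r_j reveal nothing about f (every share carries two
    field elements, hence the information rate of 1/2)."""
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    r = [secrets.randbelow(Q) for _ in range(t)]
    commitments = [pow(G, fj, P) * pow(H, rj, P) % P for fj, rj in zip(f, r)]
    shares = {i: (poly_eval(f, i), poly_eval(r, i)) for i in range(1, n + 1)}
    return shares, commitments


def verify_share(i, share, commitments):
    """Party i checks its share against the commitments alone:
    G^s_i * H^t_i must equal the product over j of C_j^(i^j)."""
    s_i, t_i = share
    lhs = pow(G, s_i, P) * pow(H, t_i, P) % P
    rhs = 1
    for j, c_j in enumerate(commitments):
        # exponents can be reduced mod Q because every C_j has order Q
        rhs = rhs * pow(c_j, pow(i, j, Q), P) % P
    return lhs == rhs


def reconstruct(shares):
    """Lagrange interpolation of f at 0 over Z_Q from any t (or more) shares."""
    xs = list(shares)
    secret = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + shares[i][0] * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    shares, commitments = deal(123, t=3, n=5)
    print(all(verify_share(i, s, commitments) for i, s in shares.items()))
    print(reconstruct({i: shares[i] for i in (1, 3, 5)}))
```

A share altered in transit fails `verify_share` immediately, and no exchange between shareholders is needed to detect a cheating dealer: each party's check uses only the broadcast commitments and its own share.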
Conference Paper
Previously there have been essentially only two models for computers that people can use to handle ordinary consumer transactions: (1) the tamper-proof module, such as a smart card, that the person cannot modify or probe; and (2) the personal workstation whose inner working is totally under control of the individual. The first part of this article argues that a particular combination of these two kinds of mechanism can overcome the limitations of each alone, providing both security and correctness for organizations as well as privacy and even anonymity for individuals. Then it is shown how this combined device, called a wallet, can carry a database containing personal information. The construction presented ensures that no single part of the device (i.e. neither the tamper-proof part nor the workstation) can learn the contents of the database — this information can only be recovered by the two parts together.
Article
The main problem arising in value exchange over a network, e.g. in the exchange of digital money for other valuable information, is the lack of simultaneity of the exchange, yielding a temporary advantage for one party, who could then stop communication. The situation is even worse when this party is anonymous. This is normally the case when digital payment systems enabling unobservability are used. But third parties can be used to overcome this problem. We compare two rather different approaches using third parties. The first tries to provide security by third parties identifying perpetrators in cases of detected fraud, whereas the second uses a third party as trustee who takes an active part in the value exchange and can be completely controlled by each absolutely anonymous party.
Article
In present day cashless payment systems, the banks and (by installing a Trojan horse) even the manufacturers of the computer equipment used could easily observe who pays what amount to whom and when. With the increasing digitization of these systems, e.g. point-of-sale terminals and home banking, the amount of transaction data and their computerization drastically increases. Therefore these payment systems become completely unacceptable, since compiling dossiers on the lifestyle and whereabouts of all clients will become easy. We describe the digital payment systems enabling unobservability of clients and arrange them in a general model to compare their different degrees of unobservability and their different levels of security. Since no single system has all desired features, we propose a suitable synthesis.
Conference Paper
We describe a generic protocol for fair exchange of electronic goods with non-repudiation. Goods can be signatures (i.e., non-repudiation tokens of public data), confidential data, or payments. The protocol does not involve a third party in the exchange in the fault-less case but only for recovery. Many commercial transactions can be modelled as a sequence of exchanges of electronic goods involving two or more parties. An exchange among several parties begins with an understanding about what item each party will contribute to the exchange and what it expects to receive at the end of it. A desirable requirement for exchange is fairness. A fair exchange should guarantee that at the end of the exchange, either each party has received what it expects to receive or no party has received anything. One example for fair exchange is non-repudiation of message transmission which is, in essence, a fair exchange of the message and a non-repudiation of receipt token for the message. In several draft documents, ISO (ISO1, ISO2, ISO3) defines non-repudiation services for transmission of messages and describes protocols that provide them. In particular they define:
• non-repudiation of origin, which guarantees that the originator of a message cannot later falsely repudiate having originated that message, and
• non-repudiation of receipt, which guarantees that the recipient of a message cannot falsely repudiate having received that message (the ISO draft documents use the term "non-repudiation of delivery").
Conference Paper
We introduce the notion of Resettable Zero-Knowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zero-knowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing it to use the same random tape. All known examples of zero-knowledge proofs and arguments are trivially breakable in this setting. Moreover, by definition, all zero-knowledge proofs of knowledge are breakable in this setting. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct:
• Resettable Zero-Knowledge proof-systems for NP with non-constant number of rounds.
• Five-round Resettable Witness-Indistinguishable proof-systems for NP.
• Four-round Resettable Zero-Knowledge arguments for NP in the public key model, where verifiers have fixed, public keys associated with them.
In addition to shedding new light on what makes zero knowledge possible (by constructing ZK protocols that use randomness in a dramatically weaker way than before), rZK has great relevance to applications. Firstly, rZK protocols are closed under parallel and concurrent execution and thus are guaranteed to be secure when implemented in fully asynchronous networks, even if an adversary schedules the arrival of every message sent so as to foil security. Secondly, rZK protocols enlarge the range of physical ways in which provers of ZK protocols can be securely implemented, including devices which cannot reliably toss coins on line, nor keep state.
Conference Paper
A group signature scheme allows members of a group to sign messages on the group's behalf such that the resulting signature does not reveal their identity. Only a designated group manager is able to identify the group member who issued a given signature. Previously proposed realizations of group signature schemes have the undesirable property that the length of the public key is linear in the size of the group. In this paper we propose the first group signature scheme whose public key and signatures have length independent of the number of group members and which can therefore also be used for large groups. Furthermore, the scheme allows the group manager to add new members to the group without modifying the public key. The realization is based on methods for proving the knowledge of signatures.
Conference Paper
We introduce the concept of escrowed identity, an application of key-escrow ideas to the problem of authentication. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A's identity. However, B receives a guarantee that E can indeed determine A's identity. We consider a number of possible features of escrowed identity schemes, and describe a variety of implementations that achieve various subsets of these features. In particular, we observe that group signature schemes can be used to escrow identities, achieving most (though not all) of the desired features. The most interesting feature we consider is separability. The escrow agency is not involved in the day to day operation of the identification system, but is only called in when anonymity must be revoked. In the extreme case, there exist identity escrow schemes in which an arbitrary party (possessing a public key) can be designated an escrow agent without any knowledge or participation on their part until they are asked to revoke someone's anonymity.
Conference Paper
We present the first efficient statistical zero-knowledge protocols to prove statements such as: - A committed number is a prime. - A committed (or revealed) number is the product of two safe primes, i.e., primes p and q such that (p - 1)/2 and (q - 1)/2 are prime. - A given integer has large multiplicative order modulo a composite number that consists of two safe prime factors. The main building blocks of our protocols are statistical zero-knowledge proofs of knowledge that are of independent interest. We show how to prove the correct computation of a modular addition, a modular multiplication, and a modular exponentiation, where all values including the modulus are committed to but not publicly known. Apart from the validity of the equations, no other information about the modulus (e.g., a generator whose order equals the modulus) or any other operand is exposed. Our techniques can be generalized to prove that any multivariate modular polynomial equation is satisfied, where only commitments to the variables of the polynomial and to the modulus need to be known. This improves previous results, where the modulus is publicly known. We show how these building blocks allow to prove statements such as those listed earlier.
Conference Paper
The main difference between confirmer signatures and ordinary digital signatures is that a confirmer signature can be verified only with the assistance of a semitrusted third party, the confirmer. Additionally, the confirmer can selectively convert single confirmer signatures into ordinary signatures. This paper points out that previous models for confirmer signature schemes are too restricted to address the case where several signers share the same confirmer. More seriously, we show that various proposed schemes (some of which are provably secure in these restricted models) are vulnerable to an adaptive signature-transformation attack. We define a new stronger model that covers this kind of attack and provide a generic solution based on any secure ordinary signature scheme and public key encryption scheme. We also exhibit a concrete instance thereof.
Conference Paper
This paper introduces a new kind of signature authentication and gives practical protocols that implement it. The technique can be used in ways that approach the functionality of known techniques, such as ordinary digital signatures and zero-knowledge proofs. But more importantly, it opens up a whole space of possibilities in between them. The technique works in essence by allowing the signer to prove to the signature’s recipient that designated parties can confirm the signature without the signer. But the signer is protected, since unless sufficient designated parties cooperate in confirmation, the signature is no more convincing than any other number.
Conference Paper
We introduce Verifiable Signature Sharing (VΣS), a cryptographic primitive for protecting digital signatures. VΣS enables the holder of a digitally signed document, who may or may not be the original signer, to share the signature among a set of proxies so that the honest proxies can later reconstruct it. We present efficient VΣS schemes for exponentiation based signatures (e.g., RSA, Rabin) and discrete log based signatures (e.g., ElGamal, Schnorr, DSA) that can tolerate the malicious (Byzantine) failure of the sharer and a constant fraction of the proxies. We also describe our implementation of these schemes and evaluate their performance. Among the applications of VΣS is the incorporation of digital cash into multiparty protocols, e.g., to enable cash escrow and secure distributed auctions.
Conference Paper
Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or inexact (i.e. proved membership to a much larger interval). This paper presents a new proof, which is both efficient and exact. Here, "efficient" means that there are less than 20 exponentiations to perform and less than 2 Kbytes to transmit. The potential areas of application of this proof are numerous (electronic cash, group signatures, publicly verifiable secret encryption, etc.).
Conference Paper
A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Conference Paper
In contrast to ordinary digital signatures, the verification of undeniable signatures and of confirmer signatures requires the cooperation of the signer or of a designated confirmer, respectively. Various schemes have been proposed so far, from practical solutions based on specific number-theoretic assumptions to theoretical constructions using basic cryptographic primitives. To motivate the necessity of new and provably secure constructions for confirmer signatures, we first describe a flaw in a previous realization by Okamoto. We then present two generic constructions for designing provably secure and efficient confirmer variants of many well-known signature schemes, including the schemes by Schnorr, Fiat and Shamir, ElGamal, and the RSA scheme. The constructions employ a new tool called confirmer commitment schemes. In this concept the ability to open the committed value is delegated to a designated confirmer. We present an efficient realization based on the Decision-Diffie-Hellman assumption.
Article
This document should be viewed less as a first draft of a standard for public-key encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
Article
It is shown that the large-scale automated transaction systems of the near future can be designed to protect the privacy and maintain the security of both individuals and organizations. A new approach is described in which: (1) an individual uses a different account number or 'digital pseudonym' with each organization; (2) individuals conduct transactions using personal card computers that might take a form similar to a credit-card-sized calculator, and include a character display, keyboard, and a limited distance communication capability; (3) individuals keep secret keys from organizations and organizations devise other secret keys that are kept from individuals.
Article
Proefschrift (doctoral thesis), Amsterdam, 1997. Bibliography: p. [175]-184 and index.
Conference Paper
We present protocols for fair exchange of electronic data (digital signatures, payment and confidential data) between two parties A and B. Novel properties of the proposed protocols include: 1) offline trusted third party (TTP), i.e., TTP does not take part in the exchange unless one of the parties behaves improperly; 2) only three message exchanges are required in the normal situation; 3) true fair exchange, i.e., either A and B obtain each other's data or no party receives anything useful; no loss can be incurred to a party no matter how maliciously the other party behaves during the exchange. This last property is in contrast to previously proposed protocols with offline TTP ([1] and [21]), where a misbehaving party may get another party's data while refusing to send his document to the other party, and the TTP can provide affidavits attesting to what happened during the exchange. To our knowledge, the protocols presented here are the first exchange protocols which use offline TTP and at the same time guarantee true fair exchange of digital messages. We introduce a novel cryptographic primitive, called the Certificate of Encrypted Message Being a Signature (CEMBS), as the basic building block of the fair exchange protocols. It is used to prove that an encrypted message is a certain party's signature on a public file, without revealing the signature. We also give two examples to show in detail how the certificate can be constructed
Article
This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.
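The homomorphic probabilistic scheme this abstract refers to is the one the Camenisch–Shoup construction above builds on, so it is worth seeing concretely. The following is an added example, not code from either paper: key generation, encryption, decryption, and the two homomorphic operations (ciphertext multiplication adds plaintexts, ciphertext exponentiation scales them). The primes used in the usage section are toy values chosen for this example; the choice g = n + 1, which makes mu simply lambda^-1 mod n, is a standard simplification.

```python
import math
import secrets


def _lcm(a, b):
    return a * b // math.gcd(a, b)


def paillier_keygen(p, q):
    """Build a Paillier key pair from two distinct primes p, q of similar size.

    With g = n + 1, (n + 1)^lambda = 1 + lambda*n (mod n^2), so
    L(g^lambda mod n^2) = lambda mod n and mu = lambda^-1 mod n."""
    n = p * q
    lam = _lcm(p - 1, q - 1)
    if math.gcd(n, lam) != 1:
        raise ValueError("gcd(n, lambda) must be 1; choose primes of similar size")
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 with fresh random r in Z_n^* (probabilistic)."""
    n, g = pk
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 0 and math.gcd(r, n) == 1:
                break
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n.

    c^lambda = g^(m*lambda) * r^(n*lambda) and r^(n*lambda) = 1 mod n^2,
    so the r^n blinding factor vanishes."""
    n, _ = pk
    lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add_encrypted(pk, c1, c2):
    """Homomorphic addition: Dec(c1 * c2) = m1 + m2 mod n."""
    return c1 * c2 % (pk[0] ** 2)


def scale_encrypted(pk, c, k):
    """Homomorphic scalar multiplication: Dec(c^k) = k * m mod n."""
    return pow(c, k, pk[0] ** 2)


if __name__ == "__main__":
    # toy primes chosen for this example; real keys use primes of ~1024 bits or more
    pk, sk = paillier_keygen(1009, 1013)
    c = add_encrypted(pk, encrypt(pk, 15), encrypt(pk, 27))
    print(decrypt(pk, sk, c))
```

The randomizer r is what makes the scheme probabilistic: two encryptions of the same message are different ciphertexts, which is exactly what a verifiable-encryption proof has to reason about, since the prover must show a relation between the hidden m and some public value without revealing r.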
Article
Introduction. In this work (1) we assume that we are given an interactive proof where the prover P convinces the verifier V that P knows some secret. Typically, the secret is the preimage under some one-way function of a publicly known piece of information. Thus the secret could be for example a discrete log or an RSA root. Such a proof is called a proof of knowledge [5], and can be used in practice to design identification schemes or signature systems. We assume in the following that the proof of knowledge has a special form in that the verifier only sends uniformly chosen bits. This is also known as a public coin protocol. For simplicity, we restrict ourselves to 3-round protocols, where the prover speaks first (generalization of our results to any number of rounds is possible). We also
(1) Partly done during Cramer's and Schoenmakers' visit at Aarhus University.
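The 3-round public-coin proof of knowledge this introduction describes is illustrated below with Schnorr's protocol for knowledge of a discrete logarithm, as an added example (not code from the cited paper). It shows the three messages (commitment a, random challenge e, response z), the verifier's check, and the property that makes it a proof of knowledge: two accepting transcripts with the same commitment and different challenges let an extractor compute the secret. The group parameters P, Q, G are toy values assumed for this example and are far too small for real use.

```python
import secrets

# Toy group (assumed for this example, not for real use): safe prime P,
# Q = (P - 1) / 2, and G a generator of the order-Q subgroup.
P = 2039
Q = 1019
G = 4


def keygen():
    """Secret x and public y = G^x; the prover will show it knows x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: prover picks random r and sends a = G^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge(bits=10):
    """Round 2: public coin, the verifier sends uniformly random bits."""
    return secrets.randbits(bits) % Q


def prover_respond(x, r, e):
    """Round 3: z = r + e*x mod Q."""
    return (r + e * x) % Q


def verify(y, a, e, z):
    """Accept iff G^z == a * y^e."""
    return pow(G, z, P) == a * pow(y, e, P) % P


def extract(e1, z1, e2, z2):
    """Special soundness: from two accepting transcripts (a, e1, z1), (a, e2, z2)
    with e1 != e2, the witness is x = (z1 - z2) / (e1 - e2) mod Q.
    This is why the protocol proves *knowledge* of x, not just that y is in the group."""
    if e1 == e2:
        raise ValueError("challenges must differ")
    return (z1 - z2) * pow(e1 - e2, -1, Q) % Q


def run_protocol(x, y):
    """One honest execution; returns the verifier's decision."""
    r, a = prover_commit()
    e = verifier_challenge()
    z = prover_respond(x, r, e)
    return verify(y, a, e, z)


if __name__ == "__main__":
    x, y = keygen()
    print(run_protocol(x, y))
```

The extractor is also the reason the prover must never reuse r across two challenges, and the reason such protocols break under the resetting adversary discussed in the rZK abstract above: rewinding the prover to the same random tape is exactly the two-transcript attack.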