A certifying compiler for zero-knowledge proofs of knowledge based on Sigma-protocols
In ESORICS '10, 2010
Cited by 10 (2 self)
Zero-knowledge proofs of knowledge (ZKPoK) are important building blocks for numerous cryptographic applications. Although ZKPoK have very useful properties, their real world deployment is typically hindered by their significant complexity compared to other (non-interactive) crypto primitives. Moreover, their design and implementation is time-consuming and error-prone. We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a certifying compiler for ZKPoK protocols based on Σ-protocols and composition techniques known in literature. The compiler allows the fully automatic translation of an abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order codomain, needed for privacy-preserving applications such as idemix. Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of security (soundness) of the compiled protocol (currently covering special homomorphisms) using the Isabelle/HOL theorem prover.
Efficient attributes for anonymous credentials
In ACM CCS 08: 15th Conference on Computer and Communications Security, 2008
Cited by 10 (2 self)
We extend the Camenisch-Lysyanskaya anonymous credential system such that selective disclosure of attributes becomes highly efficient. The resulting system significantly improves upon existing approaches, which suffer from a linear complexity in the total number of attributes. This limitation makes them unfit for many practical applications, such as electronic identity cards. Our system can incorporate a large number of binary and finite-set attributes without significant performance impact. Our approach compresses all such attributes into a single attribute base and, thus, boosts the efficiency of all proofs of possession. The core idea is to encode discrete binary and finite-set values as prime numbers. We use the divisibility property for efficient proofs of their presence or absence. We contribute efficient methods for conjunctions and disjunctions, in addition. The system builds on the Strong RSA assumption. We demonstrate the aptness of our method in realistic application scenarios, such as electronic identity cards and complex/structured credentials. Our method has crucial advantages in devices with restricted computational capabilities, such as smartcards and cell phones.
The Representation Problem Based on Factoring
In Proceedings of CT-RSA '02, LNCS 2271, 2002
Cited by 9 (0 self)
We review the representation problem based on factoring and show that this problem gives rise to alternative solutions to a lot of cryptographic protocols in the literature. And, while the solutions so far usually either rely on the RSA problem or the intractability of factoring integers of a special form (e.g., Blum integers), the solutions here work with the most general factoring assumption. Protocols we discuss include identification schemes secure against parallel attacks, secure signatures, blind signatures and (non-malleable) commitments.
Balancing accountability and privacy using e-cash (Extended Abstract)
In SCN, volume 4116 of LNCS, 2006
Cited by 9 (1 self)
In an electronic cash (e-cash) system, a user can withdraw coins from the bank, and then spend each coin anonymously and unlinkably. For some applications, it is desirable to set a limit on the dollar amounts of anonymous transactions. For example, governments require that large transactions be reported for tax purposes. In this work, we present the first e-cash system that makes this possible without a trusted party. In our system, a user's anonymity is guaranteed so long as she does not: (1) double-spend a coin, or (2) exceed the publicly known spending limit with any merchant. The spending limit may vary with the merchant. Violation of either condition can be detected, and can (optionally) lead to identification of the user and discovery of her other activities. While it is possible to balance accountability and privacy this way using e-cash, this is impossible to do using regular cash. Our scheme is based on our recent compact e-cash system. It is secure under the same complexity assumptions in the random-oracle model. We inherit its efficiency: 2^ℓ coins can be stored in O(ℓ + k) bits and the complexity of the withdrawal and spend protocols is O(ℓ + k), where k is the security parameter.
Bringing zero-knowledge proofs of knowledge to practice
In 17th International Workshop on Security Protocols, 2009
Cited by 8 (3 self)
Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation. Currently, first applications that critically rely on ZKPoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic Trusted Platform Module (TPM) chip. Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZKPoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal to bring ZKPoK to practice by making them accessible to crypto and security engineers. To this end we are developing compilers and related tools that support and partially automate the design, implementation, verification and secure implementation of ZKPoK protocols.
Automatic generation of sound zero-knowledge protocols (Extended Poster Abstract)
2008
Cited by 8 (5 self)
Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation. Currently, first applications that critically rely on ZKPoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZKPoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal to bring ZKPoK to practice by automatically generating sound ZKPoK protocols and making them accessible to crypto and security engineers. To this end we are developing protocols and compilers that support and automate the design and generation of secure and efficient implementation of ZKPoK protocols.
On the portability of generalized Schnorr proofs
In EUROCRYPT 2009, LNCS, 2009
Cited by 8 (4 self)
The notion of Zero Knowledge Proofs (of knowledge) [ZKP] is central to cryptography; it provides a set of security properties that proved indispensable in concrete protocol design. These properties are defined for any given input and also for any auxiliary verifier private state, as they are aimed at any use of the protocol as a subroutine in a bigger application. Many times, however, moving the theoretical notion to practical designs has been quite problematic. This is due to the fact that the most efficient protocols fail to provide the above ZKP properties for all possible inputs and verifier states. This situation has created various problems to protocol designers who have often either introduced imperfect protocols with mistakes or with lack of security arguments, or they have been forced to use much less efficient protocols in order to achieve the required properties. In this work we address this issue by introducing the notion of “protocol portability,” a property that identifies input and verifier state distributions under which a protocol becomes a ZKP when called as a subroutine in a sequential execution of a larger application. We then concentrate on the very efficient and heavily employed “Generalized Schnorr Proofs” (GSP) and identify the portability of such protocols. We also point to previous protocol weaknesses and errors that have been made in numerous applications throughout the years, due to employment of GSP instances while lacking the notion of portability (primarily in the case of unknown order
A Framework for Practical Universally Composable Zero-Knowledge Protocols
Cited by 7 (4 self)
Zero-knowledge proofs of knowledge (ZKPoK) for discrete logarithms and related problems are indispensable for practical cryptographic protocols. Recently, Camenisch, Kiayias, and Yung provided a specification language (the CKY-language) for such protocols which allows for a modular design and protocol analysis: for every zero-knowledge proof specified in this language, protocol designers are ensured that there exists an efficient protocol which indeed proves the specified statement. However, the protocols resulting from their compilation techniques only satisfy the classical notion of ZKPoK, which is not retained when they are used as building blocks for higher-level applications or composed with other protocols. This problem can be tackled by moving to the Universal Composability (UC) framework, which guarantees retention of security when composing protocols in arbitrary ways. While there exist generic transformations from Σ-protocols to UC-secure protocols, these transformations are often too inefficient for practice. In this paper we introduce a specification language akin to the CKY-language and a compiler such that the resulting protocols are UC-secure and efficient. To this end, we propose an extension of the UC-framework addressing the issue that UC-secure zero-knowledge proofs are by definition proofs of knowledge, and state a special composition theorem which allows one to use the weaker – but more efficient and often sufficient – notion of proofs of membership in the UC-framework. We believe that our contributions enable the design of practically efficient protocols that are UC-secure and thus themselves can be used as building blocks.
Automatic Generation of Sigma-Protocols
2009
Cited by 5 (0 self)
Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation (SMPC). Currently, first applications that essentially rely on ZKPoKs are being deployed in the real world. The most prominent example is the Direct Anonymous Attestation (DAA) protocol, which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are significantly more complex than standard crypto primitives (e.g., encryption and signature schemes). As a result, the design-implementation cycles of ZKPoK are time-consuming and error-prone. To overcome this, we present a compiler with corresponding languages for the automatic generation of sound and efficient ZKPoK based on Σ-protocols. The protocol designer using our compiler formulates the goal of a ZKPoK proof in a high-level protocol specification language, which abstracts away unnecessary technicalities from the designer. The compiler then automatically generates the protocol implementation in Java code; alternatively, the compiler can output a description of the protocol in LaTeX which can be used for documentation or verification.
On the design and implementation of efficient zero-knowledge proofs of knowledge
In Software Performance Enhancements for Encryption and Decryption and Cryptographic Compilers – SPEED-CC 09
Cited by 3 (2 self)
Zero-knowledge proofs of knowledge (ZKPoK) play an important role in many cryptographic applications. Direct anonymous attestation (DAA) and the identity mixer anonymous authentication system are first real world applications using ZKPoK as building blocks. But although being used for many years now, design and implementation of sound ZKPoK remains challenging. In fact, there are security flaws in various protocols found in literature. Especially for non-experts in the field it is often hard to design ZKPoK, since a unified and easy to use theoretical framework on ZKPoK is missing. With this paper we overcome important challenges and facilitate the design and implementation of efficient and sound ZKPoK in practice. First, Camenisch et al. have presented at EUROCRYPT 2009 a first unified and modular theoretical framework for ZKPoK. This is compelling, but makes use of a rather inefficient 6-move protocol. We extend and improve their framework in terms of efficiency and show how to realize it using efficient 3-move Σ-protocols. Second, we perform an exact security and efficiency analysis for our new protocol and various protocols found in the literature. The analysis yields novel and perhaps surprising results and insights. It reveals for instance that using a 2048 bit RSA modulus, as specified in the DAA standard, only guarantees an upper bound on the success probability of a malicious prover between 1/2^4 and 1/2^24. Also, based on that analysis we show how to select the most efficient protocol to realize a given proof goal. Finally, we also provide low-level support to a designer by presenting a compiler realizing our framework and optimization techniques, allowing easy implementation of efficient and sound protocols.