Efficient Blind and Partially Blind Signatures Without Random Oracles, 2006
Cited by 33 (2 self)
Abstract: This paper proposes a new efficient signature scheme from bilinear maps that is secure in the standard model (i.e., without the random oracle model). Our signature scheme is more effective in many applications (e.g., blind signatures, group signatures, anonymous credentials, etc.) than the existing secure signature schemes in the standard model. As typical applications of our signature scheme, this paper presents efficient blind signatures and partially blind signatures that are secure in the standard model. Here, partially blind signatures are a generalization of blind signatures (i.e., blind signatures are a special case of partially blind signatures) and have many applications including electronic cash and voting. Our blind signature scheme is more efficient than the existing secure blind signature schemes in the standard model such as the Camenisch-Koprowski-Warinschi [9] and Juels-Luby-Ostrovsky [24] schemes. Our partially blind signature scheme is the first one that is secure in the standard model and it is also efficient (as efficient as our blind signatures). The security proof of our blind and partially blind signature schemes requires the 2SDH assumption, a stronger variant of the SDH assumption introduced by Boneh and Boyen [7]. This paper also presents an efficient way to convert our (partially) blind signature scheme in the standard model to a scheme secure for a concurrent run of users in the common reference string (CRS) model. Finally, we present a blind signature scheme based on the Waters signature scheme.
Security of Blind Discrete Log Signatures against Interactive Attacks
ICICS 2001, LNCS 2229, 2001
Cited by 26 (1 self)
Abstract: We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some l times with a legitimate signer and produces from these interactions l + 1 signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo q with random inhomogeneities (right sides). There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order 2^200. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.
Round-Optimal Composable Blind Signatures in the Common Reference String Model
In Advances in Cryptology — CRYPTO 2006, LNCS 4117, 2006
Cited by 18 (0 self)
Abstract: We build concurrently executable blind signature schemes in the common reference string model, based on general complexity assumptions, and with optimal round complexity. Namely, each interactive signature generation requires the requesting user and the issuing bank to transmit only one message each. We also put forward the definition of universally composable blind signature schemes, and show how to extend our concurrently executable blind signature protocol to derive such universally composable schemes in the common reference string model under general assumptions. While this protocol then guarantees very strong security properties when executed within larger protocols, it still supports signature generation in two moves.
Concurrently-secure blind signatures without random oracles or setup assumptions
In TCC 2007, 2007
Concurrent blind signatures without random oracles
In SCN 2006, volume 4116 of LNCS, 2006
Cited by 7 (0 self)
Abstract: We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks, utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption, while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption. We prove our construction secure under the above assumptions as well as Paillier’s DCR assumption in the concurrent attack model of Juels, Luby and Ostrovsky from Crypto ’97 using a common reference string. Our construction is the first efficient construction for blind signatures in such a concurrent model without random oracles. We present two variants of our basic protocol: first, a blind signature scheme where blindness still holds even if the public-key generation is maliciously controlled; second, a blind signature scheme that incorporates a “public-tagging” mechanism. This latter variant of our scheme gives rise to a partially blind signature with essentially the same efficiency and security properties as our basic scheme.
Equivocal Blind Signatures and Adaptive UC-Security, 2007
Cited by 4 (1 self)
Abstract: We study the design of practical blind signatures in the universal composability (UC) setting against adaptive adversaries. We introduce a new property for blind signature schemes that is fundamental for managing adaptive adversaries: an equivocal blind signature is a blind signature protocol where a simulator can construct the internal state of the client so that it matches a simulated transcript even after a signature was released. We present a general construction methodology for building practical adaptively secure blind signatures: the starting point is a 2-move “lite blind signature”, a lightweight 2-party signature protocol that we formalize and implement both generically as well as number theoretically. Formalizing a primitive as “lite” means that the adversary is required to show all private tapes of adversarially controlled parties; this enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the primitive’s design methodology. We then focus on the exact ZK requirements for building blind signatures. To this effect, we formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK), and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. SVZK can be realized without relying on a multi-session UC commitment; as
On the security of one-witness blind signature schemes
Cryptology ePrint Archive, Report 2012/197, 2012
Cited by 3 (3 self)
Abstract: Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most efficient, blind signature schemes is the one due to Schnorr that is based on his famous identification scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle model. In this paper, we show that current techniques for proving security in the random oracle model do not work for the Schnorr blind signature by providing a meta-reduction which we call “personal nemesis adversary”. Our results generalize to other important blind signatures, such as the one due to Brands. Brands’ blind signature is at the heart of Microsoft’s newly implemented U-Prove system, which makes this work relevant to cryptographic practice as well.
Impossibility of Blind Signatures From One-Way Permutations
Cited by 2 (1 self)
Abstract: A seminal result in cryptography is that signature schemes can be constructed (in a black-box fashion) from any one-way function. The minimal assumptions needed to construct blind signature schemes, however, have remained unclear. Here, we rule out black-box constructions of blind signature schemes from one-way functions. In fact, we rule out constructions even from a random permutation oracle, and our results hold even for blind signature schemes for 1-bit messages that achieve security only against honest-but-curious behavior.
Enhancing the Security of Perfect Blind DL-Signatures, 2004
Cited by 2 (0 self)
Abstract: We enhance the security of Schnorr blind signatures against the novel one-more-forgery of Schnorr [Sc01] and Wagner [W02], which is possible even if the discrete logarithm is hard to compute. We show two limitations of this attack. Firstly, replacing the group G by the s-fold direct product G^{×s} increases the work of the attack, for a given number of signer interactions, to the s-th power, while increasing the work of the blind signature protocol merely by a factor s. Secondly, we bound the number of additional signatures per signer interaction that can be efficiently forged by known methods. That fraction of the additional forged signatures can be made arbitrarily small. Our security proofs assume both the random oracle and the generic group model.
Efficient e-cash in practice: NFC-based payments for public transportation systems
In PETS, 2013
Cited by 2 (1 self)
Abstract: Near field communication (NFC) is a recent popular technology that will facilitate many aspects of payments with mobile tokens. In the domain of public transportation payment systems, electronic payments have many benefits, including improved throughput, new capabilities (congestion-based pricing, etc.) and user convenience. A common concern when using electronic payments is that a user’s privacy is sacrificed. However, cryptographic e-cash schemes provide provable guarantees for both security and user privacy. Even though e-cash protocols were proposed three decades ago, there are relatively few actual implementations, since their computational complexity makes execution on lightweight devices rather difficult. This paper presents an efficient implementation of the Brands [11] and ACL [4] e-cash schemes on an NFC smartphone: the BlackBerry Bold 9900. Due to their efficiency during the spending phase, when compared to other schemes, and the fact that payments can be verified offline, these schemes are especially suited for, but not limited to, use in public transport. Additionally, the encoding of validated attributes (e.g. a user’s age range, zip code, etc.) is possible in the coins being withdrawn, which allows for additional features such as variable pricing (e.g. reduced fare for senior customers) and privacy-preserving data collection. We present a subtle technique to make use of the ECDHKeyAgreement class that is available in the BlackBerry API (and in the API of other systems) and show how the schemes can be implemented efficiently to satisfy the tight timing imposed by the transportation setting.