An efficient system for nontransferable anonymous credentials with optional anonymity revocation
2001
Abstract. A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Dynamic accumulators and application to efficient revocation of anonymous credentials
Jan Camenisch and Anna Lysyanskaya, http://eprint.iacr.org/2001, 2001
Abstract. We introduce the notion of a dynamic accumulator. An accumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dynamic accumulator and an efficient zero-knowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA assumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.
Efficient proofs that a committed number lies in an interval
2000
Abstract. Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or inexact (i.e. proved membership to a much larger interval). This paper presents a new proof, which is both efficient and exact. Here, “efficient” means that there are less than 20 exponentiations to perform and less than 2 Kbytes to transmit. The potential areas of application of this proof are numerous (electronic cash, group signatures, publicly verifiable secret encryption, etc.).
Direct Anonymous Attestation
2004
This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Diffie-Hellman assumption.
Practical Verifiable Encryption and Decryption of Discrete Logarithms
2003
Abstract. This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.
Compact e-cash
In EUROCRYPT, volume 3494 of LNCS
2005
Abstract. This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2^ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) and the user’s wallet can be stored using O(ℓ + k) bits, where k is a security parameter. The best previously known schemes require at least one of these complexities to be O(2^ℓ · k). In fact, compared to previous e-cash schemes, our whole wallet of 2^ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent. We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double-spent one of the 2^ℓ coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k^2) bits, respectively, and wallets take O(ℓ · k) bits of storage. All our schemes are secure in the random oracle model.
An Integer Commitment Scheme based on Groups with Hidden Order
2001
Abstract. We present a commitment scheme allowing commitment to arbitrary size integers, based on any Abelian group with certain properties, most importantly that it is hard for the committer to compute its order. Potential examples include RSA and class groups. We also give efficient zero-knowledge protocols for proving knowledge of the contents of a commitment and for verifying multiplicative relations over the integers on committed values. This means that our scheme can support, for instance, the efficient interval proofs of Boudot [1]. The scheme can be seen as a modification and a generalization of an earlier scheme of Fujisaki and Okamoto [5], and in particular our results show that we can use a much larger class of RSA moduli than the safe prime products proposed in [5]. Also, we correct some mistakes in the proofs of [5] and give what appears to be the first multiplication protocol for a Fujisaki/Okamoto-like scheme with a complete proof of soundness.
How to win the clonewars: efficient periodic n-times anonymous authentication
In ACM Conference on Computer and Communications Security
2006
We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an e-token to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damgård et al. [30], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damgård et al. also only support one authentication per time period, while we support n. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse e-tokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.
Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes
2000
Abstract. We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.
Threshold ring signatures and applications to ad-hoc groups
Proceedings of Crypto 2002, volume 2442 of LNCS
2002
Abstract. In this paper, we investigate the recent paradigm for group signatures proposed by Rivest et al. at Asiacrypt ’01. We first improve on their ring signature paradigm by showing that it holds under a strictly weaker assumption, namely the random oracle model rather than the ideal cipher. Then we provide extensions to make ring signatures suitable in practical situations, such as threshold schemes or ad-hoc groups. Finally we propose an efficient scheme for threshold scenarios based on a combinatorial method and provably secure in the random oracle model.