Dynamic k-Times Anonymous Authentication
- In ACNS 2005, number 3531 in LNCS, 2005
- Cited by 22 (0 self)
k-times anonymous authentication (k-TAA) schemes allow members of a group to be anonymously authenticated by application providers for a bounded number of times. k-TAA has application in e-voting, e-cash, electronic coupons and anonymous trial browsing of content.
Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings
- In ASIACRYPT 2004, volume 3329 of LNCS, 2004
- Cited by 19 (1 self)
We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.
Blacklistable anonymous credentials: Blocking misbehaving users without TTPs
- In ACM Conference on Computer and Communications Security. ACM, 2007
- Cited by 17 (6 self)
Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems such as “e-cash” have been proposed in which users are deanonymized under only certain types of well-defined misbehavior such as “double spending.” While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior. We present the first anonymous credential system in which services can “blacklist” misbehaving users without contacting a TTP. Since blacklisted users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP.
Authenticated hash tables
- In ACM Conference on Computer and Communications Security (CCS ’08), 2008
- Cited by 15 (2 self)
Hash tables are fundamental data structures that optimally answer membership queries. Suppose a client stores n elements in a hash table that is outsourced at a remote server so that the client can save space or achieve load balancing. Authenticating the hash table functionality, i.e., verifying the correctness of queries answered by the server and ensuring the integrity of the stored data, is crucial because the server, lying outside the administrative control of the client, can be malicious. We design efficient and secure protocols for optimally authenticating membership queries on hash tables: for any fixed constants $0 < \epsilon < 1$ and $\kappa > 1/\epsilon$, the server can provide a proof of integrity of the answer to a (non-)membership query in constant time, requiring $O(n^{\epsilon} / \log^{\kappa\epsilon - 1} n)$ time to treat updates, yet keeping the communication and verification costs constant. This is the first construction for authenticating a hash table with constant query cost and sublinear update cost. Our solution employs the RSA accumulator in a nested way over the stored data, strictly improving upon previous accumulator-based solutions. Our construction applies to two concrete data authentication models and lends itself to a scheme that achieves different trade-offs—namely, constant update time and $O(n^{\epsilon} / \log^{\kappa\epsilon} n)$ query time for fixed $\epsilon > 0$ and $\kappa > 0$. An experimental evaluation of our solution shows very good scalability.
Efficient Uncoordinated FHSS Anti-jamming Communication
- ACM MOBIHOC, 2009
- Cited by 12 (0 self)
We address the problem of jamming-resistant communication in scenarios in which the communicating parties do not share secret keys. This includes scenarios where the communicating parties are not known in advance or where not all parties can be trusted (e.g., jamming-resistant key establishment or anti-jamming broadcast to a large set of unknown receivers). In these cases, the deployment of shared secret keys is unrealistic, and therefore this problem cannot be solved using existing anti-jamming solutions like FHSS and DSSS that depend on pre-shared keys. Recently, a solution to this problem has been proposed that introduces Uncoordinated Frequency Hopping (UFH), a new spread-spectrum anti-jamming technique that does not rely on secret keys. In this work, we investigate the efficiency of UFH-based communication: we identify optimal strategies for the UFH frequency channel selection and we propose a set of new UFH-based anti-jamming schemes that, compared to the original UFH proposal, reduce the communication latency up to one-half (i.e., increase UFH communication throughput up to two times).
Constant-size dynamic k-TAA
- In Security and Cryptography for Networks, volume 4116 of Lecture Notes in Computer Science, 2006
- Cited by 11 (5 self)
k-times anonymous authentication (k-TAA) schemes allow members of a group to be authenticated anonymously by application providers for a bounded number of times. Dynamic k-TAA allows application providers to independently grant or revoke users from their own access group so as to provide better control over their clients. In terms of time and space complexity, existing dynamic k-TAA schemes are of complexities O(k), where k is the allowed number of authentication. In this paper, we construct a dynamic k-TAA scheme with space and time complexities of O(log(k)). We also outline how to construct dynamic k-TAA scheme with a constant proving effort. Public key size of this variant, however, is O(k). We then describe a trade-off between efficiency and setup freeness of AP, in which AP does not need to hold any secret while maintaining control over their clients. To build our system, we modify the short group signature scheme into a signature scheme and provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature and to obtain a signature on a committed block of messages. We prove that the signature scheme is secure in the standard model under the q-SDH assumption. Finally, we show that our dynamic k-TAA scheme, constructed from bilinear pairing, is secure in the random oracle model.
A practical system for globally revoking the unlinkable pseudonyms of unknown users
- 2006
A coding-theoretic approach for efficient message verification over insecure channels
- In Proceedings of the 2nd ACM Conference on Wireless Networking Security (WiSec ’09), 2009
- Cited by 7 (0 self)
We address the problem of allowing authorized users, who have yet to establish a secret key, to securely and efficiently exchange key establishment messages over an insecure channel in the presence of jamming and message insertion attacks. This problem was first introduced by Strasser, Pöpper, Čapkun, and Čagalj in their recent work, leaving joint consideration of security and efficiency as an open problem. In this paper, we present three approaches based on coding theory which reduce the overall time required to verify the packets and reconstruct the original message in the presence of jamming and malicious insertion. We first present the Hashcluster scheme which reduces the total overhead included in the short packets. We next present the Merkleleaf scheme which uses erasure coding to reduce the average number of packet receptions required to reconstruct the message. We then present the Witnesscode scheme which uses one-way accumulators to individually verify packets and reduce redundancy. We demonstrate through analysis and simulation that our candidate protocols can significantly decrease the amount of time required for key establishment in comparison to existing approaches without degrading the guaranteed level of security.
PEREA: Towards practical TTP-free revocation in anonymous authentication
- In CCS ’08: 15th ACM conference on Computer and communications security (To Appear). ACM, 2005
- Cited by 6 (3 self)
Several anonymous authentication schemes allow servers to revoke a misbehaving user’s ability to make future accesses. Traditionally, these schemes have relied on powerful TTPs capable of deanonymizing (or linking) users’ connections. Recent schemes such as Blacklistable Anonymous Credentials (BLAC) and Enhanced Privacy ID (EPID) support “privacy-enhanced revocation” — servers can revoke misbehaving users without a TTP’s involvement, and without learning the revoked users’ identities. In BLAC and EPID, however, the computation required for authentication at the server is linear in the size (L) of the revocation list. We propose PEREA, a new anonymous authentication scheme for which this bottleneck computation is independent of the size of the revocation list. Instead, the time complexity of authentication is linear in the size (K ≪ L) of a revocation window, the number of subsequent authentications before which a user’s misbehavior must be recognized if the user is to be revoked. We prove the security of our construction, and have developed a prototype implementation of PEREA to validate its efficiency experimentally.
BLAC: Revoking Repeatedly Misbehaving Anonymous Users Without Relying on TTPs
- 2008
- Cited by 6 (2 self)
Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems have been proposed in which users are deanonymized if they authenticate “too many times,” such as “double spending” with electronic cash. While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior, e.g., it is not possible to block users who “deface too many webpages” on a website. We present BLAC, the first anonymous credential system in which service providers can revoke the credentials of repeatedly misbehaving users without relying on a TTP. Since revoked users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP. Finally, our construction supports a d-strikes-out revocation policy, whereby users who have been subjectively judged to have repeatedly misbehaved at least d times are revoked from the system.

