Results 1 - 10 of 17
Simulation-sound nizk proofs for a practical language and constant size group signatures
In proceedings of ASIACRYPT ’06, LNCS series, 2006
Cited by 26 (8 self)
Non-interactive zero-knowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP-complete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [BSZ05] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulation-sound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security. Keywords: Non-interactive zero-knowledge, simulation-sound extractability, group signatures, decisional linear assumption. ∗ An extended abstract appears at Asiacrypt 2006. This is the full paper.
Blacklistable anonymous credentials: Blocking misbehaving users without TTPs
In ACM Conference on Computer and Communications Security. ACM, 2007
Cited by 17 (6 self)
Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems such as “e-cash” have been proposed in which users are deanonymized under only certain types of well-defined misbehavior such as “double spending.” While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior. We present the first anonymous credential system in which services can “blacklist” misbehaving users without contacting a TTP. Since blacklisted users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP.
Fully anonymous group signatures without random oracles
In proceedings of ASIACRYPT ’06, LNCS series, 2007
Cited by 17 (1 self)
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.
New Paradigms in Signature Schemes
2005
Cited by 7 (0 self)
Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higher-level protocols. Groups featuring a computable bilinear map are particularly well suited for signature-related primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinear-map–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the Boneh-Lynn-Shacham (BLS) short signature scheme. BLS signatures with 1024-bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.
Dynamic Fully Anonymous Short Group Signatures
2006
Cited by 6 (0 self)
Group signatures allow members to sign on behalf of a group. Recently, several schemes have been proposed, in order to provide more efficient and shorter group signatures. However, this should be performed achieving a strong security level. To this aim, a formal security model has been proposed by Bellare, Shi and Zhang, including both dynamic groups and concurrent join. Unfortunately, very few schemes satisfy all the requirements, and namely the shortest ones needed to weaken the anonymity notion. We present an extremely short dynamic group signature scheme, with concurrent join, provably secure in this model. It achieves stronger security notions than BBS, and namely the full anonymity, while still shorter. The proofs hold under the q-SDH and the XDH assumptions, in the random oracle model.
BLAC: Revoking Repeatedly Misbehaving Anonymous Users Without Relying on TTPs
2008
Cited by 6 (2 self)
Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems have been proposed in which users are deanonymized if they authenticate “too many times,” such as “double spending” with electronic cash. While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior, e.g., it is not possible to block users who “deface too many webpages” on a website. We present BLAC, the first anonymous credential system in which service providers can revoke the credentials of repeatedly misbehaving users without relying on a TTP. Since revoked users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP. Finally, our construction supports a d-strikes-out revocation policy, whereby users who have been subjectively judged to have repeatedly misbehaved at least d times are revoked from the system.
Attribute Based Group Signature with Revocation
Cited by 4 (0 self)
Abstract. In real life, one requires signatures to be from people who fulfill certain criteria, implying that they should possess specific attributes. For example, Alice might want a signature from an employee in Bob's company who is a member in the IT staff, a senior manager within the biometrics team or at least a junior manager in the cryptography team. In such a case an Attribute Based Group Signature scheme (ABGS) could be applied. Group signature schemes are those where each member of a group can sign on behalf of the others. An ABGS scheme is a type of group signature scheme, where the signing member has to have certain attributes. In [12], the authors introduced the first ABGS but it lacked the ability to revoke. In this paper, we introduce a new scheme that will enable us to remove a member from a group or remove some of his attributes, when needed.
Short Group Signature without Random Oracles
2007
Cited by 3 (2 self)
We construct a short group signature which is proven secure without random oracles. By making certain reasonable assumptions and applying the technique of non-interactive proof system, we prove that our scheme is full anonymity and full traceability. Compared with other related works, such as BW06 [9], BW07 [10], ours is more practical due to the short size of both public key and group signature.
Group Encryption: Non-Interactive Realization in the Standard Model
Cited by 2 (0 self)
Abstract. Group encryption (GE) schemes, introduced at Asiacrypt’07, are an encryption analogue of group signatures with a number of interesting applications. They allow a sender to encrypt a message (in the CCA2 security sense) for some member of a PKI group concealing that member’s identity (in a CCA2 security sense, as well); the sender is able to convince a verifier that, among other things, the ciphertext is valid and some anonymous certified group member will be able to decrypt the message. As in group signatures, an opening authority has the power of pinning down the receiver’s identity. The initial GE construction uses interactive proofs as part of the design (which can be made non-interactive using the random oracle model) and the design of a fully non-interactive group encryption system is still an open problem. In this paper, we give the first GE scheme, which is a pure encryption scheme in the standard model, i.e., a scheme where the ciphertext is a single message and proofs are noninteractive (and do not employ the random oracle heuristic). As a building block, we use a new public key certification scheme which incurs the smallest amount of interaction, as well.

