Results 1 
4 of
4
Anonymous Credentials Light
"... We define and propose an efficient and provably secure construction of blind signatures with attributes. Prior notions of blind signatures did not yield themselves to the construction of anonymous credential systems, not even if we drop the unlinkability requirement of anonymous credentials. Our ne ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
We define and propose an efficient and provably secure construction of blind signatures with attributes. Prior notions of blind signatures did not yield themselves to the construction of anonymous credential systems, not even if we drop the unlinkability requirement of anonymous credentials. Our new notion in contrast is a convenient building block for anonymous credential systems. The construction we propose is efficient: it requires just a few exponentiations in a primeorder group in which the decisional DiffieHellman problem is hard. Thus, for the first time, we give a provably secure construction of anonymous credentials that can work in the elliptic group setting without bilinear pairings and is based on the DDH assumption. In contrast, prior provably secure constructions were based on the RSA group or on groups with pairings, which made them prohibitively inefficient for mobile devices, RFIDs and smartcards. The only prior efficient construction that could work in such elliptic curve groups, due to Brands, does not have a proof of security.
Short Blind Signatures
"... Abstract Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signe ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the commonreferencestring model without random oracles and under standard assumptions: CDH and the decisionlinear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signerfriendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to nonbinary alphabets by proving a new result on the underlying hash function.
Concurrent Secure Computation via NonBlack Box Simulation
"... Abstract. Recently, Goyal (STOC’13) proposed a new nonblack box simulation techniques for fully concurrent zero knowledge with straightline simulation. Unfortunately, so far this technique is limited to the setting of concurrent zero knowledge. The goal of this paper is to study what can be achiev ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. Recently, Goyal (STOC’13) proposed a new nonblack box simulation techniques for fully concurrent zero knowledge with straightline simulation. Unfortunately, so far this technique is limited to the setting of concurrent zero knowledge. The goal of this paper is to study what can be achieved in the setting of concurrent secure computation using nonblack box simulation techniques, building upon the work of Goyal. The main contribution of our work is a secure computation protocol in the fully concurrent setting with a straightline simulator, that allows us to achieve several new results: – We give first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real world security definition. Our positive result is somewhat surprising in light of the impossibility result of Lindell (STOC’03) for blackbox simulation. We circumvent this impossibility using nonblack box simulation. This gives us a quite natural example of a functionality in concurrent
Practical RoundOptimal Blind Signatures in the Standard Model
"... Roundoptimal blind signatures are notoriously hard to construct in the standard model, especially in the malicioussigner model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoreticall ..."
Abstract
 Add to MetaCart
Roundoptimal blind signatures are notoriously hard to construct in the standard model, especially in the malicioussigner model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss. We present a construction of practically efficient roundoptimal blind signatures in the standard model. It is conceptually simple and builds on the recent structurepreserving signatures on equivalence classes (SPSEQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require nonuniform assumptions nor complexity leveraging. We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of oneshow anonymous credentials a ̀ la “anonymous credentials light ” (CCS’13) in the standard model. Furthermore, we give the first SPSEQ construction under noninteractive assumptions and show how SPSEQ schemes imply conventional structurepreserving signatures, which allows us to apply optimality results for the latter to SPSEQ.