Sequential aggregate signatures and multisignatures without random oracles
In EUROCRYPT, 2006
Cited by 35 (1 self)
Abstract. We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature scheme are sequentially constructed, but knowledge of the order in which messages were signed is not necessary for verification. The aggregate signatures obtained are shorter than Lysyanskaya et al.'s sequential aggregates and can be verified more efficiently than Boneh et al.'s aggregates. We also consider applications to secure routing and proxy signatures.
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Cited by 28 (0 self)
Abstract. We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairing-based cryptosystems, and we show how to use prime-order elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision Diffie-Hellman assumption, the decision linear assumption, and/or related assumptions in prime-order groups. We apply our framework and our prime-order group constructions to create more efficient versions of cryptosystems that originally required composite-order groups. Specifically, we consider the Boneh-Goh-Nissim encryption scheme, the Boneh-Sahai-Waters traitor tracing system, and the Katz-Sahai-Waters attribute-based encryption scheme. We give a security theorem for the prime-order group instantiation of each system, using assumptions of comparable complexity to those used in the composite-order setting. Our conversion of the last two systems to prime-order groups answers a problem posed by Groth and Sahai.
Perfect NIZK with adaptive soundness
In proceedings of TCC '07, LNCS series, 2007
Cited by 26 (0 self)
Abstract. The notion of non-interactive zero-knowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NP-language with statistical or even perfect ZK? Groth, Ostrovsky and Sahai recently answered this question in the affirmative. However, in order to achieve adaptive soundness, i.e., soundness against dishonest provers who may choose the target statement depending on the common reference string (CRS), their schemes require some restriction to be put upon the statements to be proven, e.g. an a priori bound on their size. In this work, we first present a very simple and efficient adaptively-sound perfect NIZK argument system for any NP-language. Besides being the first adaptively-sound statistical NIZK argument for all of NP that does not pose any restriction on the statements to be proven, it enjoys a number of additional desirable properties: it allows the CRS to be reused, it can handle arithmetic circuits, and the CRS can be set up very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NP-reductions. The security of the proposed schemes is based on a strong non-standard assumption, an extended version of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonly-used approach for proving NIZK arguments sound does not allow for adaptively-sound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the non-standard assumption in a preprocessing model.
Randomizable proofs and delegatable anonymous credentials
Cryptology ePrint Archive, Report 2008/428, 2008
Cited by 23 (1 self)
Abstract. We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general non-interactive proofs for NP-complete languages of size k^Ω(2^L). We revise the entire approach to constructing anonymous credentials and identify randomizable zero-knowledge proof of knowledge systems as the key building block. We formally define the notion of randomizable non-interactive zero-knowledge proofs, and give the first instance of controlled re-randomization of non-interactive zero-knowledge proofs by a third party. Our construction uses Groth-Sahai proofs (Eurocrypt 2008).
Honest-Verifier Private Disjointness Testing without Random Oracles
In Workshop on Privacy Enhancing Technologies, 2006
Cited by 15 (1 self)
Abstract. We present an efficient construction of a private disjointness testing protocol that is secure against malicious provers and honest-but-curious (semi-honest) verifiers, without the use of random oracles. In a completely semi-honest setting, this construction implements a private intersection cardinality protocol. We formally define both private intersection cardinality and private disjointness testing protocols. We prove that our construction is secure under the subgroup decision and subgroup computation assumptions. A major advantage of our construction is that it does not require bilinear groups, random oracles, or non-interactive zero-knowledge proofs. Applications of private intersection cardinality and disjointness testing protocols include privacy-preserving data mining and anonymous login systems.
Efficient ring signatures without random oracles
In PKC '07, volume 4450 of LNCS, 2006
Cited by 15 (0 self)
We describe the first efficient ring signature scheme secure, without random oracles, based on standard assumptions. Our ring signatures are based in bilinear groups. For l members of a ring our signatures consist of 2l + 2 group elements and require 2l + 3 pairings to verify. We prove our scheme secure in the strongest security model proposed by Bender, Katz, and Morselli: namely, we show our scheme to be anonymous against full key exposure and unforgeable with respect to insider corruption. A shortcoming of our approach is that all the users’ keys must be defined in the same group.
Simulatable VRFs with applications to multi-theorem NIZK
In CRYPTO, LNCS, 2007
Cited by 14 (1 self)
Abstract. This paper introduces simulatable verifiable random functions (sVRF). VRFs are similar to pseudorandom functions, except that they are also verifiable: corresponding to each seed SK, there is a public key PK, and for y = F_PK(x), it is possible to prove that y is indeed the value of the function seeded by SK. A simulatable VRF is a VRF for which this proof can be simulated, so a simulator can pretend that the value of F_PK(x) is any y. Our contributions are as follows. We introduce the notion of sVRF. We give two constructions: one from general assumptions (based on NIZK), but inefficient, just as a proof of concept; the other construction is practical and based on a special assumption about composite-order groups with bilinear maps. We then use an sVRF to get a direct transformation from a single-theorem non-interactive zero-knowledge proof system for a language L to a multi-theorem non-interactive proof system for the same language L.
Zero-Knowledge from Secure Multiparty Computation
SIAM Journal on Computing (SICOMP), special issue devoted to STOC 2007, 2007
Cited by 12 (1 self)
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation R(x, w) which only makes a black-box use of any secure protocol for a related multiparty functionality f. The latter protocol is only required to be secure against a small number of "honest but curious" players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof
Non-interactive Zero-Knowledge from Homomorphic Encryption
In TCC 2006
Cited by 12 (0 self)
Abstract. We propose a method for compiling a class of Σ-protocols (3-move public-coin protocols) into non-interactive zero-knowledge arguments. The method is based on homomorphic encryption and does not use random oracles. It only requires that a private/public key pair is set up for the verifier. The method applies to all known discrete-log based Σ-protocols. As applications, we obtain non-interactive threshold RSA without random oracles, and non-interactive zero-knowledge for NP more efficiently than by previous methods.
Finding composite order ordinary elliptic curves using the Cocks-Pinch method
Cryptology ePrint Archive, Report 2009/533, 2009
Cited by 8 (0 self)
Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order groups with prescribed embedding degree associated to ordinary elliptic curves, and we show that new security issues arise in the composite order setting.