Results 1  10
of
142
Short group signatures
 In proceedings of CRYPTO ’04, LNCS series
, 2004
"... Abstract. We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong DiffieHellman assumption and a new assumption in bilinear groups called the Decision ..."
Abstract

Cited by 292 (21 self)
 Add to MetaCart
(Show Context)
Abstract. We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong DiffieHellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi. 1
Signature schemes and anonymous credentials from bilinear maps
, 2004
"... We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discretelogarithmbased assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of th ..."
Abstract

Cited by 198 (25 self)
 Add to MetaCart
We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discretelogarithmbased assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of the decisional DiffieHellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zeroknowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Foundations of Group Signatures: The Case of Dynamic Groups
, 2004
"... Recently, a first step toward establishing foundations for group signatures was taken [5], with a treatment of the case where the group is static. However the bulk of existing practical schemes and applications are for dynamic groups, and these involve important new elements and security issues. Thi ..."
Abstract

Cited by 97 (1 self)
 Add to MetaCart
(Show Context)
Recently, a first step toward establishing foundations for group signatures was taken [5], with a treatment of the case where the group is static. However the bulk of existing practical schemes and applications are for dynamic groups, and these involve important new elements and security issues. This paper treats this case, providing foundations for dynamic group signatures, in the form of a model, strong formal denitions of security, and a construction proven secure under general assumptions. We believe this is an important and useful step because it helps bridge the gap between [5] and the previous practical work, and delivers a basis on which existing practical schemes may in future be evaluated or proven secure.
Group signatures with verifierlocal revocation
 Proceedings of CCS 2004
, 2004
"... Abstract Group signatures have recently become important for enabling privacypreserving attestationin projects such as Microsoft's ..."
Abstract

Cited by 90 (3 self)
 Add to MetaCart
(Show Context)
Abstract Group signatures have recently become important for enabling privacypreserving attestationin projects such as Microsoft's
Compact group signatures without random oracles
 EUROCRYPT 2006, LNCS
, 2006
"... Abstract. We present the first efficient group signature scheme that is provably secure without random oracles. We achieve this result by combining provably secure hierarchical signatures in bilinear groups with a novel adaptation of the recent NonInteractive Zero Knowledge proofs of Groth, Ostrovs ..."
Abstract

Cited by 59 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present the first efficient group signature scheme that is provably secure without random oracles. We achieve this result by combining provably secure hierarchical signatures in bilinear groups with a novel adaptation of the recent NonInteractive Zero Knowledge proofs of Groth, Ostrovsky, and Sahai. The size of signatures in our scheme is logarithmic in the number of signers; we prove it secure under the Computational DiffieHellman and the Subgroup Decision assumptions in the model of Bellare, Micciancio, and Warinshi, as relaxed by Boneh, Boyen, and Shacham. 1
Simulationsound nizk proofs for a practical language and constant size group signatures
, 2006
"... Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP ..."
Abstract

Cited by 51 (10 self)
 Add to MetaCart
(Show Context)
Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NPcomplete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulationsound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
Group Signatures: Better Efficiency and New Theoretical Aspects
 In proceedings of SCN ’04, LNCS series
, 2005
"... A group signature scheme allows members of a group to sign messages anonymously. To counter misuse, the socalled group manager can revoke the anonymity. ..."
Abstract

Cited by 47 (7 self)
 Add to MetaCart
A group signature scheme allows members of a group to sign messages anonymously. To counter misuse, the socalled group manager can revoke the anonymity.
Anonymous identification in ad hoc groups
, 2004
"... We introduce Ad Hoc Anonymous Identification schemes, a new multiuser cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with oneway domain, a natur ..."
Abstract

Cited by 46 (1 self)
 Add to MetaCart
(Show Context)
We introduce Ad Hoc Anonymous Identification schemes, a new multiuser cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with oneway domain, a natural extension of cryptographic accumulators we introduce in this work. We provide a formal model for Ad Hoc Anonymous Identification schemes and design secure such schemes both generically (based on any accumulator with oneway domain) and for a specific efficient implementation of such an accumulator based on the Strong RSA Assumption. A salient feature of our approach is that identification protocols take time independent of the size of the ad hoc group. All our schemes and notions can be generally and efficiently amended so that they allow the recovery of the signer’s identity by an authority, if the latter is desired. Using the FiatShamir transform, we also obtain constantsize, signerambiguous group and ring signatures (provably secure in the Random Oracle Model). For ring signatures, this is the first such constantsize scheme, as all the previous proposals had signature size proportional to the size of the ring. For group signatures, we obtain schemes comparable in performance with stateoftheart schemes, with the additional feature that the role of the group manager during key registration is extremely simple and essentially passive: all it does is accept the public key of the new member (and update the constantsize public key of the group).
Ring signatures: Stronger definitions, and constructions without random oracles. Cryptology ePrint Archive
, 2005
"... Abstract. Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group sign ..."
Abstract

Cited by 46 (1 self)
 Add to MetaCart
Abstract. Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely “adhoc ” and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users finegrained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and then give separation results proving that our new notions are strictly stronger than previous ones. Next, we show two constructions of ring signature schemes in the standard model: one based on generic assumptions which satisfies our strongest definitions of security, and a second, more efficient scheme achieving weaker security guarantees and more limited functionality. These are the first constructions of ring signature schemes that do not rely on random oracles or ideal ciphers. 1
Fulldomain subgroup hiding and constantsize group signatures
 In proceedings of PKC 2007
, 2007
"... We give a short constantsize group signature scheme, which we prove fully secure under reasonable assumptions in bilinear groups, in the standard model. We achieve this result by using a new NIZK proof technique, related to the BGN cryptosystem and the GOS proof system, but that allows us to hide i ..."
Abstract

Cited by 44 (0 self)
 Add to MetaCart
(Show Context)
We give a short constantsize group signature scheme, which we prove fully secure under reasonable assumptions in bilinear groups, in the standard model. We achieve this result by using a new NIZK proof technique, related to the BGN cryptosystem and the GOS proof system, but that allows us to hide integers from the full domain rather than individual bits. 1