Results 1  10
of
94
Pseudonym Systems
, 1999
"... Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previou ..."
Abstract

Cited by 123 (12 self)
 Add to MetaCart
Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previous work in this area did not protect the system against dishonest users who collectively use their pseudonyms and credentials, i.e. share an identity. Previous practical schemes also relied very heavily on the involvement of a trusted center. In the present paper we give a formal definition of pseudonym systems where users are motivated not to share their identity, and in which the trusted center's involvement is minimal. We give theoretical constructions for such systems based on any oneway function. We also suggest an efficient and easy to implement practical scheme. This is joint work with Ronald L. Rivest and Amit Sahai.
MerkleDamg˚ard Revisited: How to Construct a Hash Function
 Advances in Cryptology, Crypto 2005
"... The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than col ..."
Abstract

Cited by 84 (8 self)
 Add to MetaCart
(Show Context)
The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than collisionresistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixedlength building block is viewed as a random oracle or an ideal blockcipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixedlength primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA1 and MD5 — the (strengthened) MerkleDamg˚ard transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain MerkleDamg˚ard construction and are easily implementable in practice.
MultiPropertyPreserving Hash Domain Extension and the EMD Transform
 Advances in Cryptology – ASIACRYPT 2006
, 2006
"... Abstract We point out that the seemingly strong pseudorandom oracle preserving (PROPr) propertyof hash function domainextension transforms defined and implemented by Coron et. al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash functionthat fails to be ..."
Abstract

Cited by 63 (7 self)
 Add to MetaCart
(Show Context)
Abstract We point out that the seemingly strong pseudorandom oracle preserving (PROPr) propertyof hash function domainextension transforms defined and implemented by Coron et. al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash functionthat fails to be even collisionresistant (CR) even though the compression function to which the transform is applied is CR. Not only is this true in general, but we show that all the transformspresented in [12] have this weakness. We suggest that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multiproperty preserving, namelythat one should have a single transform that is simultaneously at least collisionresistance preserving, pseudorandom function preserving and PROPr. We present an efficient new transformthat is proven to be multiproperty preserving in this sense.
Improved Garbled Circuit: Free XOR Gates and Applications
"... Abstract. We present a new garbled circuit construction for twoparty secure function evaluation (SFE). In our oneround protocol, XOR gates are evaluated “for free”, which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [19]). We build permutati ..."
Abstract

Cited by 54 (11 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new garbled circuit construction for twoparty secure function evaluation (SFE). In our oneround protocol, XOR gates are evaluated “for free”, which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [19]). We build permutation networks [26] and Universal Circuits (UC) [25] almost exclusively of XOR gates; this results in a factor of up to 4 improvement (in both computation and communication) of their SFE. We also improve integer addition and equality testing by factor of up to 2. We rely on the Random Oracle (RO) assumption. Our constructions are proven secure in the semihonest model. 1
Simulationsound nizk proofs for a practical language and constant size group signatures
, 2006
"... Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP ..."
Abstract

Cited by 51 (10 self)
 Add to MetaCart
(Show Context)
Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NPcomplete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulationsound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
On the (In)security of the FiatShamir Paradigm
 In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
, 2003
"... In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen ..."
Abstract

Cited by 48 (2 self)
 Add to MetaCart
(Show Context)
In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
NonInteractive Anonymous Credentials
 AVAILABLE FROM THE IACR CRYPTOLOGY EPRINT ARCHIVE AS REPORT 2007/384.
, 2008
"... In this paper, we introduce Psignatures. A Psignature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a noninteractive proof system for proving that the contents of a commitment has been signed; (3) a ..."
Abstract

Cited by 44 (9 self)
 Add to MetaCart
In this paper, we introduce Psignatures. A Psignature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a noninteractive proof system for proving that the contents of a commitment has been signed; (3) a noninteractive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for Psignatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of noninteractive proof techniques due to Groth and Sahai. Our Psignatures enable, for the first time, the design of a practical noninteractive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other
Simulation in quasipolynomial time, and its application to protocol composition
 In EUROCRYPT
, 2003
"... Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concur ..."
Abstract

Cited by 41 (11 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concurrent quasipolynomial time simulatable arguments and show that such arguments can be used in advanced composition operations without any setup assumptions. Our protocols rely on slightly strong, but standard type assumptions (namely the existence of onetoone oneway functions secure against subexponential circuits). 1
From identification to signatures via the FiatShamir transform: Minimizing assumptions for security and forwardsecurity
 Proceedings of Eurocrypt 2002, volume 2332 of LNCS
, 2002
"... The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, ..."
Abstract

Cited by 34 (6 self)
 Add to MetaCart
The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forwardsecure cases. Specifically, it is shown that the signature scheme is secure (resp. forwardsecure) against chosenmessage attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forwardsecure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the FiatShamir transform so that the commitment space assumption may be removed. Keywords: Signature schemes, identification schemes, FiatShamir transform, forward security,
Signature Schemes and Applications to Cryptographic Protocol Design
, 2002
"... Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature sch ..."
Abstract

Cited by 32 (8 self)
 Add to MetaCart
Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important