## Identity-Based Chameleon Hash Scheme Without Key Exposure

Citations: 1 (0 self)

### BibTeX

```
@MISC{Chen_identity-basedchameleon,
    author = {Xiaofeng Chen and Fangguo Zhang and Haibo Tian and Kwangjo Kim},
    title = {Identity-Based Chameleon Hash Scheme Without Key Exposure},
    year = {}
}
```

### Abstract

In this paper, we propose the first identity-based chameleon hash scheme without key exposure, which gives a positive answer for the open problem introduced by Ateniese and de Medeiros in 2004.

Key words: Chameleon hashing, Identity-based system, Key exposure.

### Citations

1271 | Identity-based encryption from the Weil pairing - Boneh, Franklin - 2001 |
Citation Context: ...32, 35]. Moreover, we call <P, aP, bP, cP> a valid Diffie-Hellman tuple if c ≡ ab mod q. Since the DDHP in the group G1 is easy, it can not be used to design cryptosystems in G1. Boneh and Franklin [6] introduced a new problem in (G1, G2, e) named Bilinear Diffie-Hellman Problem: – Bilinear Diffie-Hellman Problem (BDHP): Given P, aP, bP, cP for a, b, c ∈ Z_q^*, to compute e(P, P)^{abc} ∈ G2. Trivial...

820 | Identity-Based Cryptosystems and Signature Schemes - Shamir - 1984 |
Citation Context: ...oblem. Ateniese and de Medeiros [1] first introduced the idea of identity-based chameleon hashing to solve this problem. The concept of identity-based public key system was first introduced by Shamir [37] to simplify key management and remove the necessity of public key certificates. Due to the distinguishing property of identity-based system, the signer can sign a message to an intended recipient, wi...

631 | Efficient Signature Generation by Smart Cards - Schnorr - 1991 |
Citation Context: ...cret number x ∈ Z_q wants to show a verifier that x = log_g y without exposing x, this is named the proof of knowledge of a discrete logarithm. This proof of knowledge is basically a Schnorr signature [36] on message (g, y): The prover chooses a random number r ∈_R Z_q, and then computes c = H(g, y, g^r), and s = r − cx mod q, where H : {0, 1}^* → {0, 1}^k is a collision-resistant hash function. The veri...

605 | Short Signatures from the Weil Pairing - Boneh, Lynn, et al. - 2001 |

537 | Group signatures - Chaum, van Heyst - 1991 |

321 | Efficient algorithms for pairing-based cryptosystems - Barreto, Kim, et al. - 2004 |

315 | Wallet Databases with Observers - Chaum, Pedersen - 1993 |
Citation Context: ...ine the proof of knowledge for the equality of two discrete logarithms: A prover with possession a secret number x ∈ Z_q wants to show that x = log_g u = log_h v without exposing x. Chaum and Pedersen [16] firstly proposed the proof as follows: The prover chooses a random number r ∈_R Z_q, and then computes c = H(g, h, u, v, g^r, h^r), and s = r − cx mod q, where H : {0, 1}^* → {0, 1}^k is a collision-...

159 | Efficient Identity Based Signature Schemes Based on Pairings - Hess - 2003 |

154 | An Identity-Based Signature from Gap Diffie-Hellman Groups - Cha, Cheon - 2003 |

146 | Designated verifier proofs and their applications - Jakobsson, Sako, et al. |

132 | The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes - Okamoto, Pointcheval - 1992 |

125 | On the Exact Security of Full-Domain-Hash - Coron - 2000 |
Citation Context: ...order is a prime q, and G2 be a cyclic multiplicative group of the same order q. A bilinear pairing is a map e : G1 × G1 → G2. Let H : {0, 1}^* → G1 be a full-domain collision-resistant hash function [7, 14, 34]. PKG picks a random integer x ∈_R Z_q^* and computes Ppub = xP. The system parameters are SP = {G1, G2, q, e, P, Ppub, H, k}. – Extract: Given an identity string ID, computes the trapdoor key SID = x...

121 | The Weil pairing, and its efficient calculation - Miller - 2004 |

113 | Chameleon signatures - Krawczyk, Rabin - 2000 |
Citation Context: ...e open problem introduced by Ateniese and de Medeiros in 2004. Key words: Chameleon hashing, Identity-based system, Key exposure. 1 Introduction Chameleon signatures, introduced by Krawczyk and Rabin [28], are based on well established hash-and-sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. A chameleon hash function is a trapdoor one-way hash functi...

85 | Designated Confirmer Signatures - Chaum - 1995 |

77 | RSA-based undeniable signatures - Gennaro, Krawczyk, et al. - 1997 |

74 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer - Chaum, Heijst, et al. - 1992 |

66 | The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems. ANTS - Joux - 2002 |

64 | Convertible Undeniable Signatures - Boyar, Chaum, et al. - 1991 |

47 | The exact security of digital signatures-how to sign with RSA - Bellare, Rogaway - 1996 |
Citation Context: ...order is a prime q, and G2 be a cyclic multiplicative group of the same order q. A bilinear pairing is a map e : G1 × G1 → G2. Let H : {0, 1}^* → G1 be a full-domain collision-resistant hash function [7, 14, 34]. PKG picks a random integer x ∈_R Z_q^* and computes Ppub = xP. The system parameters are SP = {G1, G2, q, e, P, Ppub, H, k}. – Extract: Given an identity string ID, computes the trapdoor key SID = x...

40 | Confirmer Signature Schemes Secure against Adaptive Adversaries - Camenisch, Michels - 2000 |

39 | Invisibility and anonymity of undeniable and confirmer signatures - Galbraith, Mao - 2003 |

34 | Identity-based threshold decryption - Baek, Zheng |
Citation Context: ...uality of two discrete logarithms of elements u, v with respect to the base g, h. The identity-based proof of knowledge for the equality of two discrete logarithms, first introduced by Baek and Zheng [8] from bilinear pairings. Define g = e(P, P), u = e(P, SID), h = e(Q, P) and v = e(Q, SID), where P and Q are independent elements of G1. The following non-interactive protocol presents a proof of kn...

21 | RSA-based undeniable signatures for general moduli - Galbraith, Mao, et al. - 2002 |

20 | Identity-based Chameleon Hash and Applications - Ateniese, Medeiros |
Citation Context: ...lts in the signer recovering the recipient’s trapdoor information, i.e., the private key. This is named as the key exposure problem of chameleon hashing, firstly addressed by Ateniese and de Medeiros [1] in Financial Cryptography 2004. If the signer knows the recipient’s trapdoor information, he then can use it to deny other signatures given to the recipient. In the worst case, the signer could col...

19 | Multi-trapdoor commitments and their applications to proofs of knowledge Secure under Concurrent Man-in-the-Middle Attacks - Gennaro - 2004 |
Citation Context: ...ee. As pointed out by Ateniese and de Medeiros, the single-trapdoor commitment schemes are not sufficient for the construction of key-exposure free chameleon hashing and the double-trapdoor mechanism [24] can either be used to construct an identity-based chameleon hash scheme or a key-exposure free one, but not both. Therefore, an interesting open problem is whether there is an efficient construction ...

18 | Generic homomorphic undeniable signatures - Monnerat, Vaudenay - 2004 |

16 | The security of the FDH variant of Chaum’s undeniable signature scheme - Ogata, Kurosawa, et al. |
Citation Context: ...order is a prime q, and G2 be a cyclic multiplicative group of the same order q. A bilinear pairing is a map e : G1 × G1 → G2. Let H : {0, 1}^* → G1 be a full-domain collision-resistant hash function [7, 14, 34]. PKG picks a random integer x ∈_R Z_q^* and computes Ppub = xP. The system parameters are SP = {G1, G2, q, e, P, Ppub, H, k}. – Extract: Given an identity string ID, computes the trapdoor key SID = x...

14 | Chameleon hashing without key exposure - Chen, Zhang, et al. - 2004 |
Citation Context: ...public/secret key pair of the recipient must be changed for each transaction. We argue that this idea only provides a partial solution for the key exposure problem of chameleon hashing. 1 Chen et al. [18] proposed the first full construction of a key-exposure free chameleon hash function in the gap Diffie-Hellman (GDH) groups with bilinear pairings. Ateniese and de Medeiros [2] then presented three ke...

14 | 3-Move undeniable signature scheme - Kurosawa, Heng - 2005 |

12 | ID-based chameleon hashes from bilinear pairings. Cryptology ePrint Archive, Report 2003/208 - Zhang, Safavi-Naini, et al. - 2003 |
Citation Context: ...e logarithm based key-exposure free chameleon hash scheme without using the GDH groups. However, all of the above constructions are presented in the setting of certificate-based systems. Zhang et al. [38] presented two identity-based chameleon hash schemes from bilinear pairings, but neither of them is key-exposure free. As pointed out by Ateniese and de Medeiros, the single-trapdoor commitment scheme...

7 | Relations among security notions for undeniable signature schemes - Kurosawa, Heng - 2006 |

5 | Identity-based Undeniable Signatures - Libert, Quisquater - 2004 |
Citation Context: ... intractable. Proof. Loosely speaking, the ephemeral trapdoor e(H(L), SID) can be viewed as the partial signature on message L in the Libert and Quisquater’s identity-based undeniable signature scheme [31]. Also, in the random oracle model, the Hundeniable signature scheme is proved secure against existential forgery on adaptively chosen message and ID attacks under the assumption that the BDHP in (G1...

3 | On the key exposure problem - Ateniese, Medeiros - 2005 |
Citation Context: ...sed systems, SID is actually a signature of PKG on message ID with the secret key x). Given a collision of the chameleon hash function, the trapdoor key SID will be revealed. Ateniese and de Medeiros [2] thus concluded that the double-trapdoor mechanism can not be used to construct an efficient chameleon hash scheme that is simultaneously identity-based and key-exposure free, but the multiple-trapdoo...

3 | Key-exposure free chameleon hashing and signatures based on discrete logarithm systems. Cryptology ePrint Archive, Report 2009/035 - Chen, Zhang, et al. - 2009 |
Citation Context: ...sed on the Schnorr signature. However, it requires an interactive protocol between the signer and the recipient and thus violates the basic definition of chameleon hashing and signatures. Chen et al. [19] propose the first discrete logarithm based key-exposure free chameleon hash scheme without using the GDH groups. However, all of the above constructions are presented in the setting of certificate-ba...