Results 1  10
of
30
Algebraic MACs and KeyedVerification Anonymous Credentials
, 2013
"... We consider the problem of constructing anonymous credentials for use in a setting where the issuer of credentials is also the verifier, or more generally where the issuer and verifier have a shared key. In this setting we can use message authentication codes (MACs) instead of public key signatures ..."
Abstract
 Add to MetaCart
We consider the problem of constructing anonymous credentials for use in a setting where the issuer of credentials is also the verifier, or more generally where the issuer and verifier have a shared key. In this setting we can use message authentication codes (MACs) instead of public key signatures
NonInteractive Anonymous Credentials
 AVAILABLE FROM THE IACR CRYPTOLOGY EPRINT ARCHIVE AS REPORT 2007/384.
, 2008
"... In this paper, we introduce Psignatures. A Psignature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a noninteractive proof system for proving that the contents of a commitment has been signed; (3) a ..."
Abstract

Cited by 41 (8 self)
 Add to MetaCart
proof techniques due to Groth and Sahai. Our Psignatures enable, for the first time, the design of a practical noninteractive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other
MAC Schemes with Efficient Protocols and KeyedVerification Anonymous Credentials
, 2013
"... We consider the problem of constructing anonymous credentials for use in a setting where the issuer of credentials is also the verifier, or where the issuer and verifier have a shared key. In this setting we can use message authentication codes (MACs) instead of public key signatures as the basis of ..."
Abstract
 Add to MetaCart
We consider the problem of constructing anonymous credentials for use in a setting where the issuer of credentials is also the verifier, or where the issuer and verifier have a shared key. In this setting we can use message authentication codes (MACs) instead of public key signatures as the basis
Blockwise PSignatures and NonInteractive Anonymous Credentials with Efficient Attributes
"... Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with noninteractive proofs of credential ..."
Abstract
 Add to MetaCart
Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with noninteractive proofs of credential
PrivacyEnhancing Proxy Signatures from NonInteractive Anonymous Credentials
, 2014
"... Proxy signatures enable an originator to delegate the signing rights for a restricted set of messages to a proxy. The proxy is then able to produce valid signatures only for messages from this delegated set on behalf of the originator. Recently, two variants of privacyenhancing proxy signatures, ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
that this principle bears similarities with functionality provided by anonymous credentials. Inspired by this observation, we examine blackbox constructions of the two aforementioned proxy signatures from noninteractive anonymous credentials, i.e., anonymous credentials with a noninteractive showing protocol
Blockwise Psignatures and noninteractive anonymous . . .
"... Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with noninteractive proofs of credential ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
signature, that allows a user to obtain a signature on a committed vector of messages and makes it possible to generate a short witness that serves as a proof that the signed vector satisfies the predicate. A noninteractive anonymous credential is obtained by combining our blockwise Psignature scheme with the Groth
Randomizable proofs and delegatable anonymous credentials
, 2009
"... We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to ..."
Abstract

Cited by 40 (4 self)
 Add to MetaCart
to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general noninteractive proofs for NPcomplete languages of size kΩ(2L). We revise the entire approach to constructing anonymous
Psignatures and Noninteractive Anonymous Credentials
, 2008
"... In this paper, we introduce Psignatures. A Psignature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a noninteractive proof system for proving that the contents of a commitment has been signed; (3) a ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
of noninteractive proof techniques due to Groth and Sahai. Our Psignatures enable, for the first time, the design of a practical noninteractive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy
Randomizable Proofs and Delegatable Anonymous Credentials
, 2009
"... We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to com ..."
Abstract
 Add to MetaCart
to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general noninteractive proofs for NPcomplete languages of size kΩ(2L). We revise the entire approach to constructing anonymous
Randomizable Proofs and Delegatable Anonymous Credentials
, 2011
"... We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to com ..."
Abstract
 Add to MetaCart
to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general noninteractive proofs for NPcomplete languages of size kΩ(2L). We revise the entire approach to constructing anonymous
Results 1  10
of
30