Results 1 - 10 of 21
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups
Cited by 20 (4 self)
Abstract. Structure-preserving signatures are signatures defined over bilinear groups that rely on generic group operations. In particular, the messages and signatures consist of group elements and the verification of signatures consists of evaluating pairing product equations. Due to their purist nature structure-preserving signatures blend well with other pairing-based protocols. We show that structure-preserving signatures must consist of at least 3 group elements when the signer uses generic group operations. Usually, the generic group model is used to rule out classes of attacks by an adversary trying to break a cryptographic assumption. In contrast, here we use the generic group model to prove a lower bound on the complexity of digital signature schemes. We also give constructions of structure-preserving signatures that consist of 3 group elements only. This improves significantly on previous structure-preserving signatures that used 7 group elements and matches our lower bound. Our structure-preserving signatures have additional nice properties such as strong existential unforgeability and can sign multiple group elements at once. Keywords: Structure-Preservation, Digital Signatures, Generic Group Model.
Fair blind signatures without random oracles
AFRICACRYPT, volume 6055 of LNCS, 2010
Cited by 8 (1 self)
Abstract. A fair blind signature is a blind signature with revocable anonymity and unlinkability, i.e., an authority can link an issuing session to the resulting signature and trace a signature to the user who requested it. In this paper we first revisit the security model for fair blind signatures given by Hufschmitt and Traoré in 2007. We then give the first practical fair blind signature scheme with a security proof in the standard model. Our scheme satisfies a stronger variant of the Hufschmitt-Traoré model.
Commuting signatures and verifiable encryption and an application to non-interactively delegatable credentials
Cryptology ePrint Archive, Report 2010/233, 2010
Cited by 5 (1 self)
Verifiable encryption allows to encrypt a signature and prove that the plaintext is valid. We introduce a new primitive called commuting signature that extends verifiable encryption in multiple ways: a signer can encrypt both signature and message and prove validity; more importantly, given a ciphertext, a signer can create a verifiably encrypted signature on the encrypted message; thus signing and encrypting commute. We instantiate commuting signatures using the proof system by Groth and Sahai (EUROCRYPT ’08) and the automorphic signatures by Fuchsbauer (ePrint report 2009/320). As an application, we give an instantiation of delegatable anonymous credentials, a powerful primitive introduced by Belenkiy et al. (CRYPTO ’09). Our instantiation is arguably simpler than theirs and it is the first to provide non-interactive issuing and delegation, which is a standard requirement for non-anonymous credentials. Moreover, the size of our credentials and the cost of verification are less than half of those of the only previous construction, and efficiency of issuing and delegation is increased even more significantly. All our constructions are proved secure in the standard model.
Unified, minimal and selectively randomizable structure-preserving signatures
TCC, volume 8349 of LNCS, 2014
Cited by 5 (3 self)
Abstract. We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size. State of the art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and also at the same time minimizes the verification key size to 1 group element. Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability where the signer may for specific signatures provide randomization tokens that enable randomization. Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks. An instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.
Formalizing group blind signatures and practical constructions without random oracles
In Cryptology ePrint Archive, Report 2011/402, http://eprint.iacr.org/2011/402.pdf, 2011
Cited by 4 (3 self)
Group blind signatures combine anonymity properties of both group signatures and blind signatures and offer privacy for both the message to be signed and the signer. Their applications include multi-authority e-voting and distributed e-cash systems. The primitive has been introduced with only informal definitions for its required security properties. We offer two main contributions: first, we provide foundations for the primitive where we present formal security definitions offering various flavors of anonymity relevant to this setting. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security definitions. Our second main contribution is a generic construction that yields practical schemes with round-optimal signing and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members, satisfy strong security requirements, and do not rely on random oracles. In addition, we introduce some new building blocks which may be of independent interest.
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications
2011
Cited by 4 (0 self)
Non-interactive zero-knowledge (NIZK) proofs have enjoyed much interest in cryptography since they were introduced more than twenty years ago by Blum et al. [BFM88]. While quite useful when designing modular cryptographic schemes, until recently NIZK could be realized efficiently only using certain heuristics. However, such heuristic schemes have been widely criticized. In this work we focus on designing schemes which avoid them. In [GS08], Groth and Sahai presented the first efficient (and currently the only) NIZK proof system in the standard model. The construction is based on bilinear maps and is limited to languages of certain satisfiable system of equations. Given this expressibility limitation of the system of equations, we are interested in cryptographic primitives that are “compatible” with it. Equipped with such primitives and the Groth-Sahai proof system, we show how to construct cryptographic schemes efficiently in a modular fashion. In this work, we describe properties required by any cryptographic scheme to mesh well with Groth-Sahai proofs. Towards this, we introduce the notion of “structure-preserving” cryptographic schemes. We present the first constant-size structure-preserving
Round optimal blind signatures
In CRYPTO 2011, volume 6841 of LNCS, 2011
Cited by 4 (0 self)
Abstract. Constructing round-optimal blind signatures in the standard model has been a long standing open problem. In particular, Fischlin and Schröder recently ruled out a large class of three-move blind signatures in the standard model (Eurocrypt’10). In particular, their result shows that finding security proofs for the well-known blind signature schemes by Chaum, and by Pointcheval and Stern in the standard model via black-box reductions is hard. In this work we propose the first round-optimal, i.e., two-move, blind signature scheme in the standard model (i.e., without assuming random oracles or the existence of a common reference string). Our scheme relies on the Decisional Diffie Hellman assumption and the existence of sub-exponentially hard 1-to-1 one way functions. This scheme is also secure in the concurrent setting.
Unique Group Signatures
2012
Cited by 3 (1 self)
We initiate the study of unique group signature such that signatures of the same message by the same user will always have a large common component (i.e., unique identifier). It enables an efficient detection algorithm, revealing the identities of illegal users, which is fundamentally different from previous primitives. We present a number of unique group signature schemes (without random oracles) under a variety of security models that extend the standard security models of ordinary group signatures. Our work is a beneficial step towards mitigating the well-known group signature paradox, and it also has many other interesting applications and efficiency implications.
Efficient Two-Move Blind Signatures in the Common Reference String Model
Information Security – ISC 2012, Springer LNCS 7483, 2012
Cited by 3 (0 self)
Abstract. Blind signatures provide a mechanism for achieving privacy and anonymity whereby a user gets the signer to sign a message of his choice without the signer learning the content of the message, nor linking message/signature request pairs when he sees the final signature. In this paper, we construct a blind signature that requires minimal interaction (two moves) between the user and the signer, and which results in a signature which is a signature with respect to a standard (i.e. non-blind) signature scheme. The signature request protocol is akin to the classic, blind-unblind methodology used for RSA blind signatures in the random oracle model; whilst the output signature is a standard Camenisch-Lysyanskaya signature in bilinear groups. The scheme is secure in the common reference string model, assuming a discrete logarithm related assumption in bilinear groups; namely a new variant of the LRSW assumption. We provide evidence for the hardness of our new variant of the LRSW by showing it is intractable in the generic group model.
Block-wise P-signatures and non-interactive anonymous . . .
Cited by 2 (1 self)
Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with non-interactive proofs of credential possession where credentials are associated with a number of attributes. Following recent results of Camenisch and Groß (CCS 2008), the proof simultaneously convinces the verifier that certified attributes satisfy a certain predicate. Our construction relies on a new kind of P-signature, termed block-wise P-signature, that allows a user to obtain a signature on a committed vector of messages and makes it possible to generate a short witness that serves as a proof that the signed vector satisfies the predicate. A non-interactive anonymous credential is obtained by combining our block-wise P-signature scheme with the Groth-Sahai proof system. It allows efficiently proving possession of a credential while simultaneously demonstrating that underlying attributes satisfy a predicate corresponding to the evaluation of inner products (and therefore disjunctions or polynomial evaluations). The security of our scheme is proved in the standard model under non-interactive assumptions.