Results 1 - 10 of 20
Tightly secure signatures and public-key encryption
In: Proc. of CRYPTO (2012) 590–607, 2012
Cited by 14 (1 self)
We construct the first public-key encryption scheme whose chosen-ciphertext (i.e., IND-CCA) security can be proved under a standard assumption and does not degrade in either the number of users or the number of ciphertexts. In particular, our scheme can be safely deployed in unknown settings in which no a-priori bound on the number of encryptions and/or users is known. As a central technical building block, we devise the first structure-preserving signature scheme with a tight security reduction. (This signature scheme may be of independent interest.) Combining this scheme with Groth-Sahai proofs yields a tightly simulation-sound non-interactive zero-knowledge proof system for group equations. If we use this proof system in the Naor-Yung double encryption scheme, we obtain a tightly IND-CCA secure public-key encryption scheme from the Decision Linear assumption. We point out that our techniques are not specific to public-key encryption security. Rather, we view our signature scheme and proof system as general building blocks that can help to
Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Cited by 7 (1 self)
After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the assumptions used to prove security. Many of these assumptions have been gathered under the umbrella of the “uber-assumption,” yet certain classes of these assumptions — namely, q-type assumptions — are stronger and require larger parameter sizes than their static counterparts. In this paper, we show that in certain bilinear groups, many classes of q-type assumptions are in fact implied by subgroup hiding (a well-established, static assumption). Our main tool in this endeavor is the dual-system technique, as introduced by Waters in 2009. As a case study, we first show that in composite-order groups, we can prove the security of the Dodis-Yampolskiy PRF based solely on subgroup hiding and allow for a domain of arbitrary size (the original proof only allowed a logarithmically-sized domain). We then turn our attention to classes of q-type assumptions and show that they are implied — when instantiated in appropriate groups — solely by subgroup hiding. These classes are quite general and include assumptions such as q-SDH. Concretely, our result implies that every construction relying on such assumptions for security (e.g., Boneh-Boyen signatures) can, when instantiated in appropriate composite-order bilinear groups, be proved secure under subgroup hiding instead.
Structure-Preserving Signatures from Type II Pairings
Cited by 5 (2 self)
Abstract. We investigate structure-preserving signatures in asymmetric bilinear groups with an efficiently computable homomorphism from one source group to the other, i.e., the Type II setting. It has been shown that in the Type I and Type III settings (with maximal symmetry and maximal asymmetry respectively), structure-preserving signatures need at least 2 verification equations and 3 group elements. It is therefore natural to conjecture that this would also be required in the intermediate Type II setting, but surprisingly this turns out not to be the case. We construct structure-preserving signatures in the Type II setting that only require a single verification equation and consist of only 2 group elements. This shows that the Type II setting with partial asymmetry is different from the other two settings in a way that permits the construction of cryptographic schemes with unique properties. We also investigate lower bounds on the size of the public verification key in the Type II setting. Previous work in structure-preserving signatures has explored lower bounds on the number of verification equations and the number of group elements in a signature but the size of the verification key has not been investigated before. We show that in the Type II setting it is necessary to have at least 2 group elements in the public verification key in a signature scheme with a single verification equation. Our constructions match the lower bounds so they are optimal with respect to verification complexity, signature sizes and verification key sizes. In fact, in terms of verification complexity, they are the most efficient structure preserving
Unified, minimal and selectively randomizable structure-preserving signatures
TCC, volume 8349 of LNCS, 2014
Cited by 5 (3 self)
Abstract. We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size. State of the art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and also at the same time minimizes the verification key size to 1 group element. Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability where the signer may for specific signatures provide randomization tokens that enable randomization. Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks. An instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.
Unique Group Signatures
2012
Cited by 3 (1 self)
We initiate the study of unique group signature such that signatures of the same message by the same user will always have a large common component (i.e., unique identifier). It enables an efficient detection algorithm, revealing the identities of illegal users, which is fundamentally different from previous primitives. We present a number of unique group signature schemes (without random oracles) under a variety of security models that extend the standard security models of ordinary group signatures. Our work is a beneficial step towards mitigating the well-known group signature paradox, and it also has many other interesting applications and efficiency implications.
Optimally Anonymous and Transferable Conditional E-cash
Cited by 3 (1 self)
Abstract. Transferable conditional electronic-cash (e-cash) allows a payer to spend an e-cash based on the outcome not known in advance. It also allows a payee to spend the e-cash to others, or deposit the e-cash to a bank based on the future outcome. Among security properties, the anonymity of the payer has been widely studied. However, the payer is linkable in the existing conditional e-cash schemes. This paper presents the first optimally anonymous and transferable conditional electronic-cash (e-cash) system based on two recent cryptographic primitives, i.e., the Groth-Sahai (GS) proof system and the commuting signatures, to obtain the user’s unlinkability and optimal anonymity. A publisher is introduced to publish the conditions, and is firstly formalized. By dividing the deposit protocol into two parts, the anonymity of the user is obtained in the deposit protocol. Compared with the existing conditional e-cash schemes, this scheme has the constant size for the computation and communication. Finally, we give the security proof in the standard model.
Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds
Cited by 3 (1 self)
Abstract. Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
TYPE 2 STRUCTURE-PRESERVING SIGNATURE SCHEMES REVISITED
Cited by 3 (0 self)
Abstract. Abe, Groth, Ohkubo and Tibouchi recently presented structure-preserving signature schemes using Type 2 pairings. The schemes are claimed to enjoy the fastest signature verification. By properly accounting for subgroup membership testing of group elements in signatures, we show that the schemes are not as efficient as claimed. We present
On the (im)possibility of projecting property in prime-order setting
In ASIACRYPT, 2012
Cited by 2 (0 self)
Abstract. Projecting bilinear pairings have frequently been used for designing cryptosystems since they were first derived from composite order bilinear groups. There have been only a few studies on the (im)possibility of projecting bilinear pairings. Groth and Sahai (EUROCRYPT 2008) showed that projecting bilinear pairings can be achieved in a prime-order group setting. They constructed both projecting asymmetric bilinear pairings and projecting symmetric bilinear pairings, where a bilinear pairing e is symmetric if it satisfies e(g, h) = e(h, g) for any group elements g and h; otherwise, it is asymmetric. Subsequently, Freeman (EUROCRYPT 2010) generalized Groth-Sahai’s projecting asymmetric bilinear pairings. In this paper, we provide impossibility results on projecting bilinear pairings in a prime-order group setting. More precisely, we specify the lower bounds of 1. the image size of a projecting asymmetric bilinear pairing 2. the image size of a projecting symmetric bilinear pairing 3. the computational cost for a projecting asymmetric bilinear pairing 4. the computational cost for a projecting symmetric bilinear pairing in a prime-order group setting naturally induced from the k-linear assumption, where the computational
Group Signatures with Message-Dependent Opening in the Standard Model
Cited by 1 (0 self)
Abstract. Group signatures allow members of a group to anonymously sign messages in the name of this group. They typically involve an opening authority that can identify the origin of any signature if the need arises. In some applications, such a tracing capability can be excessively strong and it seems desirable to restrict the power of the authority. Sakai et al. recently suggested the notion of group signatures with message-dependent opening (GS-MDO), where the opening operation is made contingent on the knowledge of a trapdoor information – generated by a second authority – associated with the message. Sakai et al. showed that their primitive implies identity-based encryption (IBE). In the standard model, efficiently constructing such a system thus requires a structure-preserving IBE scheme, where the plaintext space is the source group G (rather than the target group GT) of a bilinear map e: G × G → GT. Sakai et al. used a structure-preserving IBE which only provides bounded collusion-resistance. As a result, their GS-MDO construction only provides a weak form of anonymity where the maximal number of trapdoor queries is determined by the length of the group public key. In this paper, we construct the first fully collusion-resistant IBE scheme that encrypts messages in G. Using this construction, we obtain a GS-MDO system with logarithmic signature size (in the number N of group members) and prove its security in the standard model under simple assumptions.