Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups
Cited by 21 (4 self)
Abstract. Structure-preserving signatures are signatures defined over bilinear groups that rely on generic group operations. In particular, the messages and signatures consist of group elements and the verification of signatures consists of evaluating pairing product equations. Due to their purist nature structure-preserving signatures blend well with other pairing-based protocols. We show that structure-preserving signatures must consist of at least 3 group elements when the signer uses generic group operations. Usually, the generic group model is used to rule out classes of attacks by an adversary trying to break a cryptographic assumption. In contrast, here we use the generic group model to prove a lower bound on the complexity of digital signature schemes. We also give constructions of structure-preserving signatures that consist of 3 group elements only. This improves significantly on previous structure-preserving signatures that used 7 group elements and matches our lower bound. Our structure-preserving signatures have additional nice properties such as strong existential unforgeability and can sign multiple group elements at once. Keywords: Structure-Preservation, Digital Signatures, Generic Group Model.
Semantic security under related-key attacks and applications
2011
Cited by 18 (2 self)
In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack. More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural “key-homomorphism” property. We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional Diffie-Hellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by constructing a simple RKA-secure pseudorandom generator
Groth–Sahai proofs revisited
Cited by 17 (7 self)
Abstract. Since their introduction in 2008, the non-interactive zero-knowledge (NIZK) and non-interactive witness indistinguishable (NIWI) proofs designed by Groth and Sahai have been used in numerous applications. In this paper we offer two contributions to the study of these proof systems. First we identify and correct some errors, present in the original online manuscript, that occur in two of the three instantiations of the Groth-Sahai NIWI proofs for which the equation checked by the verifier is not valid for honest executions of the protocol. (In particular, implementations of these proofs would not work correctly.) We explain why, perhaps surprisingly, the NIZK proofs that are built from these NIWI proofs do not suffer from a similar problem. Secondly, we study the efficiency of existing instantiations and note that only one of the three instantiations has the potential of being practical. We therefore propose a natural extension of an existing assumption from symmetric pairings to asymmetric ones which in turn enables Groth-Sahai proofs based on new classes of efficient pairings.
Blind identity-based encryption and simulatable oblivious transfer
In: Advances in Cryptology – ASIACRYPT 2007, LNCS, 2007
Cited by 14 (0 self)
In an identity-based encryption (IBE) scheme, there is a key extraction protocol where a user submits an identity string to a master authority who then returns the corresponding secret key for that identity. In this work, we describe how this protocol can be performed efficiently and in a blind fashion for several known IBE schemes; that is, a user can obtain a secret key for an identity without the master authority learning anything about this identity. We formalize this notion as blind IBE and discuss its many practical applications. In particular, we build upon the recent work of Camenisch, Neven, and shelat [CNS07] to construct oblivious transfer (OT) schemes which achieve full simulatability for both sender and receiver. OT constructions with comparable efficiency prior to Camenisch et al. were proven secure in the weaker half-simulation model. Our OT schemes are constructed from the blind IBE schemes we propose, which require only static complexity assumptions (e.g., DBDH) whereas prior comparable schemes require dynamic assumptions (e.g., q-PDDH).
Tagged One-Time Signatures: Tight Security and Optimal Tag Size
 In PKC 2013, volume 7778 of LNCS
Cited by 10 (2 self)
Abstract. We present an efficient structure-preserving tagged one-time signature scheme with tight security reductions to the decision-linear assumption. Our scheme features short tags consisting of a single group element and gives rise to the currently most efficient structure-preserving signature scheme based on the decision-linear assumption with constant-size signatures of only 14 group elements, where the record so far was 17 elements. To demonstrate the advantages of our scheme, we revisit the work by Hofheinz and Jager (CRYPTO 2012) and present the currently most efficient tightly secure public-key encryption scheme. We also obtain the first structure-preserving public-key encryption scheme featuring both tight security and public verifiability.
New definitions and separations for circular security
In Public Key Cryptography, 2012
Cited by 5 (1 self)
Traditional definitions of encryption security guarantee secrecy for any plaintext that can be computed by an outside adversary. In some settings, such as anonymous credential or disk encryption systems, this is not enough, because these applications encrypt messages that depend on the secret key. A natural question to ask is: do standard definitions capture these scenarios? One area of interest is n-circular security where the ciphertexts E(pk1, sk2), E(pk2, sk3), ..., E(pkn−1, skn), E(pkn, sk1) must be indistinguishable from encryptions of zero. Acar et al. (Eurocrypt 2010) provided a CPA-secure public key cryptosystem that is not 2-circular secure due to a distinguishing attack. In this work, we consider a natural relaxation of this definition. Informally, a cryptosystem is n-weak circular secure if an adversary given the cycle E(pk1, sk2), E(pk2, sk3), ..., E(pkn−1, skn), E(pkn, sk1) has no significant advantage in the regular security game (e.g., CPA or CCA) where ciphertexts of chosen messages must be distinguished from ciphertexts of zero. Since this definition is sufficient for some practical applications and the Acar et al. counterexample no longer applies, the hope is that it would be easier to realize, or perhaps even implied by standard definitions. We show that this is unfortunately not the case: even this weaker notion is not implied by standard definitions. Specifically,
Unified, minimal and selectively randomizable structure-preserving signatures
TCC, volume 8349 of LNCS, 2014
Cited by 5 (3 self)
Abstract. We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size. State of the art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and at the same time minimizes the verification key size to 1 group element. Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability where the signer may for specific signatures provide randomization tokens that enable randomization. Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks. An instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.
CPA and CCA-Secure Encryption Systems that are not 2-Circular Secure
Cited by 4 (0 self)
Traditional definitions of encryption guarantee security for plaintexts which can be derived by the adversary. In some settings, such as anonymous credential or disk encryption systems, one may need to reason about the security of messages potentially unknown to the adversary, such as secret keys encrypted in a self-loop or a cycle. A public-key cryptosystem is n-circular secure if it remains secure when the ciphertexts E(pk1, sk2), E(pk2, sk3), ..., E(pkn−1, skn), E(pkn, sk1) are revealed, for independent key pairs. A natural question to ask is what does it take to realize circular security in the standard model? Are all CPA-secure (or CCA-secure) cryptosystems also n-circular secure for n > 1? One way to resolve this question is to produce a CPA-secure (or CCA-secure) cryptosystem which is demonstrably insecure for key cycles larger than self-loops. Recently and independently, Acar, Belenkiy, Bellare and Cash provided a CPA-secure cryptosystem, under the SXDH assumption, that is not 2-circular secure. In this paper, we present a different CPA-secure counterexample (under SXDH) as well as the first CCA-secure counterexample (under SXDH and the existence of certain NIZK proof systems) for n > 1. Moreover, our 2-circular attacks recover the secret keys of both parties and thus exhibit a catastrophic failure of the system whereas the attack in Acar et al. provides a test whereby the adversary can distinguish whether it is given a 2-cycle or two random ciphertexts. These negative results are an important step in answering deep questions about which attacks are prevented by commonly-used definitions and systems of encryption.
Formalizing group blind signatures and practical constructions without random oracles
 In Cryptology ePrint Archive, Report 2011/402, http://eprint.iacr.org/2011/402.pdf
Cited by 4 (3 self)
Abstract. Group blind signatures combine anonymity properties of both group signatures and blind signatures and offer privacy for both the message to be signed and the signer. Their applications include multi-authority e-voting and distributed e-cash systems. The primitive has been introduced with only informal definitions for its required security properties. We offer two main contributions: first, we provide foundations for the primitive where we present formal security definitions offering various flavors of anonymity relevant to this setting. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security definitions. Our second main contribution is a generic construction that yields practical schemes with round-optimal signing and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members, satisfy strong security requirements, and do not rely on random oracles. In addition, we introduce some new building blocks which may be of independent interest.
Unique Group Signatures
2012
Cited by 3 (1 self)
We initiate the study of unique group signatures such that signatures of the same message by the same user will always have a large common component (i.e., a unique identifier). It enables an efficient detection algorithm, revealing the identities of illegal users, which is fundamentally different from previous primitives. We present a number of unique group signature schemes (without random oracles) under a variety of security models that extend the standard security models of ordinary group signatures. Our work is a beneficial step towards mitigating the well-known group signature paradox, and it also has many other interesting applications and efficiency implications.