Unified, minimal and selectively randomizable structure-preserving signatures
TCC, volume 8349 of LNCS, 2014
Cited by 5 (3 self)
Abstract. We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size. State of the art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and also at the same time minimizes the verification key size to 1 group element. Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability where the signer may for specific signatures provide randomization tokens that enable randomization. Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks. An instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.
Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures
In Cryptology ePrint Archive: Report 2013/691
Cited by 4 (2 self)
Abstract. Verifiability is central to building protocols and systems with integrity. Initially, efficient methods employed the Fiat-Shamir heuristics. Since 2008, the Groth-Sahai techniques have been the most efficient in constructing non-interactive witness indistinguishable and zero-knowledge proofs for algebraic relations in the standard model. For the important task of proving membership in linear subspaces, Jutla and Roy (Asiacrypt 2013) gave significantly more efficient proofs in the quasi-adaptive setting (QA-NIZK). For membership of the row space of a t×n matrix, their QA-NIZK proofs save Ω(t) group elements compared to Groth-Sahai. Here, we give QA-NIZK proofs made of a constant number of group elements – regardless of the number of equations or the number of variables – and additionally prove them unbounded simulation-sound. Unlike previous unbounded simulation-sound Groth-Sahai-based proofs, our construction does not involve quadratic pairing product equations and does not rely on a chosen-ciphertext-secure encryption scheme. Instead, we build on structure-preserving signatures with homomorphic properties. We apply our methods to design new and improved CCA2-secure encryption schemes. In particular, we build the first efficient threshold CCA-secure keyed-homomorphic encryption scheme (i.e., where homomorphic operations can only be carried out using a dedicated evaluation key) with publicly verifiable ciphertexts.
Efficiently Verifiable Computation on Encrypted Data
Cited by 4 (0 self)
Abstract. We study the task of efficient verifiable delegation of computation on encrypted data. First, we improve previous definitions in order to tolerate adversaries that learn whether or not clients accept the result of a delegated computation. Then, in this strong model, we show a scheme for arbitrary computations, and we propose highly efficient schemes for delegation of various classes of functions, such as linear combinations, high-degree univariate polynomials, and multivariate quadratic polynomials. Notably, the latter class includes many useful statistics. Using our solution, a client can store a large encrypted dataset with a server, query statistics over this data, and receive encrypted results that can be efficiently verified and decrypted. As a key contribution for the efficiency of our schemes, we develop a novel homomorphic hashing technique that allows us to efficiently authenticate computations, at the same cost as if the data were in the clear, avoiding a 10^4 overhead, which would occur with a naive approach. We confirm our theoretical analysis with extensive implementation tests that show the practical feasibility of our
Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds
Cited by 3 (1 self)
Abstract. Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
Concise Multi-Challenge CCA-Secure Encryption and Signatures with Almost Tight Security
Cited by 2 (1 self)
Abstract. To gain strong confidence in the security of a public-key scheme, it is most desirable for the security proof to feature a tight reduction between the adversary and the algorithm solving the underlying hard problem. Recently, Chen and Wee (Crypto ’13) described the first Identity-Based Encryption scheme with almost tight security under a standard assumption. Here, “almost tight” means that the security reduction only loses a factor O(λ) – where λ is the security parameter – instead of a factor proportional to the number of adversarial queries. Chen and Wee also gave the shortest signatures whose security almost tightly relates to a simple assumption in the standard model. Also recently, Hofheinz and Jager (Crypto ’12) constructed the first CCA-secure public-key encryption scheme in the multi-user setting with tight security. These constructions give schemes that are significantly less efficient in length (and thus, processing) when compared with the earlier schemes with loose reductions in their proof of security. Hofheinz and Jager’s scheme has a ciphertext of a few hundreds of group elements, and they left open the problem of finding truly efficient constructions. Likewise, Chen and Wee’s signatures and IBE schemes are somewhat less efficient than previous constructions with loose reductions from the same assumptions. In this paper, we consider space-efficient schemes with security almost tightly related to standard assumptions. As a step in solving the open question by Hofheinz and Jager, we construct an ef
Born and Raised Distributively: Fully Distributed Non-Interactive Adaptively-Secure Threshold Signatures with Short Shares
Cited by 1 (0 self)
Threshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does so by dividing private keys into n shares handed out to distinct servers. In threshold signature schemes, a set of at least t + 1 ≤ n servers is needed to produce a valid digital signature. Availability is assured by the fact that any subset of t + 1 servers can produce a signature when authorized. At the same time, the scheme should remain robust (in the fault tolerance sense) and unforgeable (cryptographically) against up to t corrupted servers; i.e., it adds quorum control to traditional cryptographic services and introduces redundancy. Originally, most practical threshold signatures have a number of demerits: They have been analyzed in a
Compactly Hiding Linear Spans: Tightly Secure Constant-Size Simulation-Sound QA-NIZK Proofs and Applications
Cited by 1 (0 self)
Abstract. Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs are a recent paradigm, suggested by Jutla and Roy (Asiacrypt ’13), which is motivated by the Groth-Sahai seminal techniques for efficient non-interactive zero-knowledge (NIZK) proofs. In this paradigm, the common reference string may depend on specific language parameters, a fact that allows much shorter proofs in important cases. It even makes certain standard model applications competitive with the Fiat-Shamir heuristic in the Random Oracle idealization. Such QA-NIZK proofs were recently optimized to constant size by Jutla and Roy (Crypto ’14) and Libert et al. (Eurocrypt ’14) for the important case of proving that a vector of group elements belongs to a linear subspace. While the QA-NIZK arguments of Libert et al. provide unbounded simulation-soundness and constant proof length, their simulation-soundness is only loosely related to the underlying assumption (with a gap proportional to the number of adversarial queries) and it is unknown how to alleviate
Programmable Hash Functions go Private: Constructions and Applications to (Homomorphic) Signatures with Shorter Public Keys
Abstract. We introduce the notion of asymmetric programmable hash functions (APHFs, for short), which adapts Programmable Hash Functions, introduced by Hofheinz and Kiltz at Crypto 2008, with two main differences. First, an APHF works over bilinear groups, and it is asymmetric in the sense that, while only secretly computable, it admits an isomorphic copy which is publicly computable. Second, in addition to the usual programmability, APHFs may have an alternative property that we call programmable pseudorandomness. In a nutshell, this property states that it is possible to embed a pseudorandom value as part of the function’s output, akin to a random oracle. In spite of the apparent limitation of being only secretly computable, APHFs turn out to be surprisingly powerful objects. We show that they can be used to generically implement both regular and linearly-homomorphic signature schemes in a simple and elegant way. More importantly, when instantiating these generic constructions with our concrete realizations of APHFs, we obtain: (1) the first linearly-homomorphic signature (in the standard model) whose public key is sublinear in both the dataset size and the dimension of the signed vectors; (2) short signatures (in the standard model) whose public key is shorter than those by Hofheinz-Jager-Kiltz from Asiacrypt 2011, and essentially the same as those by Yamada, Hanaoka, Kunihiro (CT-RSA 2012).
Homomorphic Signature Schemes: A Survey
Abstract. Homomorphic signature schemes are an important primitive for many applications and since their introduction numerous solutions have been presented. Thus, in this work we provide the first exhaustive, complete, and up-to-date survey about the state of the art of homomorphic signature schemes. First, the general framework where homomorphic signatures are defined is described and it is shown how the currently available types of homomorphic signatures, these are the linearly homomorphic signature schemes, the homomorphic schemes supporting polynomial functions, the fully homomorphic signature schemes, and the homomorphic aggregate signature schemes, can then be derived from such a framework. In addition, this work also presents a description of each of the schemes presented so far together with the properties it provides. Furthermore, three use cases, electronic voting, smart grids, and electronic health records, where homomorphic signature schemes can be employed are described. For each of these applications the requirements that a homomorphic signature scheme should fulfill are defined and the suitable schemes already available are listed. This also highlights the shortcomings of current solutions. Thus, this work concludes with several ideas for future research in the direction of homomorphic signature schemes.
Quasi-Adaptive NIZK for Linear Subspaces Revisited
Eike Kiltz and Hoeteck
Abstract. Non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a group, such as the Groth-Sahai proofs, are an extremely powerful tool in pairing-based cryptography. A series of recent works focused on obtaining very efficient NIZK proofs for linear spaces in a weaker quasi-adaptive model. We revisit recent quasi-adaptive NIZK constructions, providing clean, simple, and improved constructions via a conceptually different approach inspired by recent developments in identity-based encryption. We then extend our techniques also to linearly homomorphic structure-preserving signatures, an object both of independent interest and with many applications.