Results 1  10
of
41
Efficient proofs that a committed number lies in an interval
, 2000
"... Abstract. Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or in ..."
Abstract

Cited by 166 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or inexact (i.e. proved membership to a much larger interval). This paper presents a new proof, which is both efficient and exact. Here, “efficient ” means that there are less than 20 exponentiations to perform and less than 2 Kbytes to transmit. The potential areas of application of this proof are numerous (electronic cash, group signatures, publicly verifiable secret encryption, etc...). 1
Proving in ZeroKnowledge that a Number is the Product of Two Safe Primes
, 1998
"... This paper presents the first efficient statistical zeroknowledge protocols to prove statements such as: A committed number is a pseudoprime. ..."
Abstract

Cited by 138 (15 self)
 Add to MetaCart
(Show Context)
This paper presents the first efficient statistical zeroknowledge protocols to prove statements such as: A committed number is a pseudoprime.
Separability and Efficiency for Generic Group Signature Schemes (Extended Abstract)
, 1999
"... A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a keymanagement as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member ..."
Abstract

Cited by 77 (13 self)
 Add to MetaCart
A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a keymanagement as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an ecient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depe...
Traceable signatures
"... This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its s ..."
Abstract

Cited by 67 (5 self)
 Add to MetaCart
This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. The extended functionality of traceable signatures is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures of a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users. To allow efficient implementation of our scheme we develop a number of basic tools, zeroknowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”
An Efficient Group Signature Scheme from Bilinear Maps
, 2006
"... We propose a new group signature scheme which is secure if we assume the Decision DiffieHellman assumption, the qStrong DiffieHellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
We propose a new group signature scheme which is secure if we assume the Decision DiffieHellman assumption, the qStrong DiffieHellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].
Forwardsecure signatures with fast key update
 Security in Communication Networks, LNCS
, 2002
"... In regular digital signatures, once the secret key is compromised, all signatures, even those that were issued by the honest signer before the compromise, will not be trustworthy any more. Forwardsecure signatures have been proposed to address this major shortcoming. We present a new forwardsecure ..."
Abstract

Cited by 26 (1 self)
 Add to MetaCart
(Show Context)
In regular digital signatures, once the secret key is compromised, all signatures, even those that were issued by the honest signer before the compromise, will not be trustworthy any more. Forwardsecure signatures have been proposed to address this major shortcoming. We present a new forwardsecure signature scheme, called KREUS, with several advantages. It has the most efficient Key Update of all known schemes, requiring just a single modular squaring. Our scheme thus enables more frequent Key Update and hence allows shorter time periods, enhancing security: fewer signatures might become invalid as a result of key compromise. In addition, the online component of Signing is also very efficient, consisting of a single multiplication. We precisely analyze the total signer costs and show that they are lower when the number of signatures per time period is small; the advantage of our scheme increases considerably as the number of time periods grows. Our scheme’s security relies on the StrongRSA assumption and the randomoraclebased FiatShamir transform. 1
Accumulating composites and improved group signing
 Proceedings of Asiacrypt 2003, volume 2894 of LNCS
, 2003
"... Abstract. Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group mem ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. [ACJT00]. In this paper, we construct a dynamic accumulator that accumulates composites, as opposed to previous accumulators that accumulated primes. We also present an efficient method for proving knowledge of factorization of a committed value. Based on these (and other) techniques we design a novel provably secure group signature scheme. It operates in the common auxiliary string model and offers two important benefits: 1) the Join process is very efficient: a new member computes only a single exponentiation, and 2) the (unoptimized) cost of generating a group signature is 17 exponentiations which is appreciably less than the stateoftheart. 1
Verifiable encryption of digital signatures and applications
 ACM Trans. Inf. Syst. Secur
, 2004
"... This paper presents a new simple schemes for verifiable encryption of digital signatures. We make use of a trusted third party (TTP) but in an optimistic sense, that is, the TTP takes part in the protocol only if one user cheats or simply crashes. Our schemes can be used as primitives to build effic ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
This paper presents a new simple schemes for verifiable encryption of digital signatures. We make use of a trusted third party (TTP) but in an optimistic sense, that is, the TTP takes part in the protocol only if one user cheats or simply crashes. Our schemes can be used as primitives to build efficient fair exchange and certified email protocols.
Separable linkable threshold ring signatures
 IN INDOCRYPT 2004, VOLUME 3348 OF LNCS
, 2004
"... A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are linked). In th ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
(Show Context)
A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are linked). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to wellknown hardness assumptions. In particular, we introduce the security notions of accusatory linkability and nonslanderability to linkable ring signatures. Our scheme supports “eventoriented” linking. Applications to such linking criterion is discussed.
Direct Anonymous Attestation (DAA): Ensuring privacy with corrupt administrators
 IN: ESAS’07: 4TH EUROPEAN WORKSHOP ON SECURITY AND PRIVACY IN AD HOC AND SENSOR NETWORKS, LNCS
, 2007
"... The Direct Anonymous Attestation (DAA) scheme provides a means for remotely authenticating a trusted platform whilst preserving the user’s privacy. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification. In this pa ..."
Abstract

Cited by 12 (7 self)
 Add to MetaCart
The Direct Anonymous Attestation (DAA) scheme provides a means for remotely authenticating a trusted platform whilst preserving the user’s privacy. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification. In this paper we show DAA places an unnecessarily large burden on the TPM host. We demonstrate how corrupt administrators can exploit this weakness to violate privacy. The paper provides a fix for the vulnerability. Further privacy issues concerning linkability are identified and a framework for their resolution is developed. In addition an optimisation to reduce the number of messages exchanged is proposed.