### Citations

1621 | Random oracles are practical: A paradigm for designing efficient procotols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ... is then usually denoted as pi). The idea is to simply replace the challenge c computed by the verifier with the result of applying a hash function to the inputs (x,R,Cmt). In the random oracle model =-=[5]-=-, where the hash function is assumed to behave as a completely random function, this transformation preserves the security properties of the initial ZKPK protocol. If a message m is included as an add... |

1540 | A public key cryptosystem and a signature scheme based ondiscrete logarithms.IEEE
- ElGamal
- 1985
(Show Context)
Citation Context ... also due to the similarities in their designs, it is natural to consider the new schemes as the attribute-based versions of classical cryptosystems like Schnorr signatures [33] or ElGamal encryption =-=[14]-=-. A positive property of the schemes is that they achieve adaptive security, meaning that the schemes are secure even in front of adversaries that choose the challenge input (messages, policy and subs... |

1016 | How to prove yourself: practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...nguishability [16], which states that given a valid execution of the protocol for statement x, it is computationally hard to distinguish which witness in W (x) was used by the prover. The Fiat-Shamir =-=[17]-=- heuristics can be applied to a Sigma protocol in order to get a non-interactive zeroknowledge proof of knowledge protocol, where the whole elements in the proof are computed by the prover (the transc... |

733 |
Efficient signature generation for smart cards
- Schnorr
- 1991
(Show Context)
Citation Context ...ity properties in mind, and also due to the similarities in their designs, it is natural to consider the new schemes as the attribute-based versions of classical cryptosystems like Schnorr signatures =-=[33]-=- or ElGamal encryption [14]. A positive property of the schemes is that they achieve adaptive security, meaning that the schemes are secure even in front of adversaries that choose the challenge input... |

517 | Attribute-based encryption for fine-grained access control of encrypted data
- Goyal, Pandey, et al.
- 2006
(Show Context)
Citation Context ...[26, 28, 15, 4, 22] and in ciphertext-policy attribute-based encryption [7, 24, 25]. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied =-=[20, 29, 9]-=-: here the users’ secret keys are related to policies, and ciphertexts are related to subsets of attributes; the ciphertext can be decrypted by a secret key only if the subset of attributes in the cip... |

433 | Ciphertext-policy attribute-based encryption
- Bethencourt, Sahai, et al.
(Show Context)
Citation Context ...o, even if the union of all their attributes satisfy the policy. This is the usual setting in attribute-based signature schemes [26, 28, 15, 4, 22] and in ciphertext-policy attribute-based encryption =-=[7, 24, 25]-=-. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied [20, 29, 9]: here the users’ secret keys are related to policies, and ciphertexts a... |

371 |
Wallet databases with observers
- Chaum, Pedersen
- 1993
(Show Context)
Citation Context ...ero-knowledge Sigma protocol (three steps) where the prover proves the knowledge of a witness for such a statement can be constructed by combining existing and well-known techniques (see for instance =-=[12, 13, 10]-=-), as follows. 1. The prover generates the first message (commitment) of the Sigma protocol as follows: • For j = 1, . . . ,M and for i = 1, . . . , n, choose ri, κi, δj R← Zq, and compute Ai = hri · ... |

371 | Security arguments for digital signatures and blind signatures - Pointcheval, Stern - 2000 |

334 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
- Cramer, Damg̊ard, et al.
- 1994
(Show Context)
Citation Context ...ero-knowledge Sigma protocol (three steps) where the prover proves the knowledge of a witness for such a statement can be constructed by combining existing and well-known techniques (see for instance =-=[12, 13, 10]-=-), as follows. 1. The prover generates the first message (commitment) of the Sigma protocol as follows: • For j = 1, . . . ,M and for i = 1, . . . , n, choose ri, κi, δj R← Zq, and compute Ai = hri · ... |

177 | Witness Indistinguishability and Witness Hiding Protocols
- Feige, Shamir
- 1990
(Show Context)
Citation Context ...indistinguishable from the transcript of an execution of the protocol run by a honest prover, with input (x,w) ∈ R, and verifier Ṽ . This zero-knowledge property implies witness indistinguishability =-=[16]-=-, which states that given a valid execution of the protocol for statement x, it is computationally hard to distinguish which witness in W (x) was used by the prover. The Fiat-Shamir [17] heuristics ca... |

170 | Candidate indistinguishability obfuscation and functional encryption for all circuits. Cryptology ePrint Archive, Report 2013/451
- Garg, Gentry, et al.
- 2013
(Show Context)
Citation Context .... As a result, most of the attribute-based cryptosystems proposed up to now make use of lattices or multilinear maps; this includes very general constructions admitting arbitrary circuits as policies =-=[18, 19, 8]-=-. The only exceptions can be found in the area of attribute-based signatures, with [22] based on RSA, and some generic constructions [26, 4] that could in principle be implemented with RSA, as well. H... |

147 | On span programs
- Karchmer, Wigderson
- 1993
(Show Context)
Citation Context ...Γ ⊂ P. In the attribute-based signature scheme, in particular in the zero-knowledge proof of knowledge protocol, the idea is to consider a secret sharing scheme (for instance, a monotone span program =-=[23]-=-) that realizes the dual access structure Γ ∗ = {S ⊂ P | P − S /∈ Γ}; the value c will be the secret, and the values {cj}atj∈P will be the shares, that will be computed with the secret sharing scheme ... |

143 | Fully secure functional encryption: Attributebased encryption and (hierarchical) inner product encryption
- Lewko, Okamoto, et al.
- 2010
(Show Context)
Citation Context ...o, even if the union of all their attributes satisfy the policy. This is the usual setting in attribute-based signature schemes [26, 28, 15, 4, 22] and in ciphertext-policy attribute-based encryption =-=[7, 24, 25]-=-. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied [20, 29, 9]: here the users’ secret keys are related to policies, and ciphertexts a... |

128 | Attribute-based encryption with non-monotonic access structures
- Ostrovsky, Sahai, et al.
- 2007
(Show Context)
Citation Context ...[26, 28, 15, 4, 22] and in ciphertext-policy attribute-based encryption [7, 24, 25]. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied =-=[20, 29, 9]-=-: here the users’ secret keys are related to policies, and ciphertexts are related to subsets of attributes; the ciphertext can be decrypted by a secret key only if the subset of attributes in the cip... |

80 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer.
- Chaum, Heijst, et al.
- 1991
(Show Context)
Citation Context ...j (Eq.2i) Now looking at equalities (Eq.1i) and (Eq.2i), for each index i = 1, . . . , t, we have two representations of Ai with respect to the basis h, Yi,1, . . . , Yi,M . Using a well-known result =-=[11]-=-, under the assumption that the Discrete Logarithm problem is hard in G, it turns out that the two representations must be the same. Therefore, we have r̂i = ri for all i = 1, . . . , t, and we have a... |

56 | Attribute-based encryption for circuits from multilinear maps
- Garg, Gentry, et al.
- 2013
(Show Context)
Citation Context .... As a result, most of the attribute-based cryptosystems proposed up to now make use of lattices or multilinear maps; this includes very general constructions admitting arbitrary circuits as policies =-=[18, 19, 8]-=-. The only exceptions can be found in the area of attribute-based signatures, with [22] based on RSA, and some generic constructions [26, 4] that could in principle be implemented with RSA, as well. H... |

55 | How to delegate and verify in public: Verifiable computation from attribute-based encryption
- Parno, Raykova, et al.
- 2012
(Show Context)
Citation Context ...policy may seem a bit more realistic, it turns out that key-policy attribute-based encryption has found some interesting applications, for instance in the area of verifiable delegation of computation =-=[30]-=-. The collusion-resistance property required to attribute-based cryptosystems makes it quite difficult to design secure systems. To do so, researchers have taken profit from the additional algebraic p... |

47 | New proof methods for attribute-based encryption: Achieving full security through selective techniques
- Lewko, Waters
- 2012
(Show Context)
Citation Context ...o, even if the union of all their attributes satisfy the policy. This is the usual setting in attribute-based signature schemes [26, 28, 15, 4, 22] and in ciphertext-policy attribute-based encryption =-=[7, 24, 25]-=-. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied [20, 29, 9]: here the users’ secret keys are related to policies, and ciphertexts a... |

44 | Rapid demonstration of linear relations connected by boolean operators.
- Brands
- 1997
(Show Context)
Citation Context ...ero-knowledge Sigma protocol (three steps) where the prover proves the knowledge of a witness for such a statement can be constructed by combining existing and well-known techniques (see for instance =-=[12, 13, 10]-=-), as follows. 1. The prover generates the first message (commitment) of the Sigma protocol as follows: • For j = 1, . . . ,M and for i = 1, . . . , n, choose ri, κi, δj R← Zq, and compute Ai = hri · ... |

22 | Two-tier signatures, strongly unforgeable signatures, and Fiat–Shamir without random oracles, in
- Bellare, Shoup
- 2007
(Show Context)
Citation Context ...ret key and breaks the security of the system. In the digital signature setting, bounding the number of signatures led to the concept of k-times signature (with particular interest in the case k = 1) =-=[32, 6, 27]-=-. Translating this concept to our attribute-based setting, what we will get is a situation where the number of secret key queries is bounded. If we assume that the system can control that each user ma... |

19 | Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits.
- Boneh, Gentry, et al.
- 2014
(Show Context)
Citation Context .... As a result, most of the attribute-based cryptosystems proposed up to now make use of lattices or multilinear maps; this includes very general constructions admitting arbitrary circuits as policies =-=[18, 19, 8]-=-. The only exceptions can be found in the area of attribute-based signatures, with [22] based on RSA, and some generic constructions [26, 4] that could in principle be implemented with RSA, as well. H... |

16 | Attribute-based signatures.
- Maji, Prabhakaran, et al.
- 2011
(Show Context)
Citation Context ... collude and try to perform the secret operation, they must fail to do so, even if the union of all their attributes satisfy the policy. This is the usual setting in attribute-based signature schemes =-=[26, 28, 15, 4, 22]-=- and in ciphertext-policy attribute-based encryption [7, 24, 25]. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied [20, 29, 9]: here t... |

15 | Efficient attribute-based signatures for non-monotone predicates in the standard model
- Okamoto, Takashima
(Show Context)
Citation Context ... collude and try to perform the secret operation, they must fail to do so, even if the union of all their attributes satisfy the policy. This is the usual setting in attribute-based signature schemes =-=[26, 28, 15, 4, 22]-=- and in ciphertext-policy attribute-based encryption [7, 24, 25]. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied [20, 29, 9]: here t... |

14 | Attribute-based functional encryption on lattices
- Boyen
- 2013
(Show Context)
Citation Context ...[26, 28, 15, 4, 22] and in ciphertext-policy attribute-based encryption [7, 24, 25]. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied =-=[20, 29, 9]-=-: here the users’ secret keys are related to policies, and ciphertexts are related to subsets of attributes; the ciphertext can be decrypted by a secret key only if the subset of attributes in the cip... |

14 | Linear algebra with sub-linear zero-knowledge arguments.
- Groth
- 2009
(Show Context)
Citation Context ...ret values associated to attribute ati. The linear dependence on M in the efficiency of our zero-knowledge proof of knowledge protocol can be reduced to √ M or even log(M), by using the techniques in =-=[21, 3]-=- for the polynomial evaluation part of the resulting zero-knowledge proof of knowledge. The unforgeability proof has to be slightly modified, and in particular a loss factor of 1NL appears in the redu... |

12 |
Multiple-time signature schemes against adaptive chosen message attacks
- Pieprzyk, Wang, et al.
- 2003
(Show Context)
Citation Context ...ret key and breaks the security of the system. In the digital signature setting, bounding the number of signatures led to the concept of k-times signature (with particular interest in the case k = 1) =-=[32, 6, 27]-=-. Translating this concept to our attribute-based setting, what we will get is a situation where the number of secret key queries is bounded. If we assume that the system can control that each user ma... |

8 | P.: Revocable attribute-based signatures with adaptive security in the standard model
- Escala, Herranz, et al.
- 2011
(Show Context)
Citation Context ... collude and try to perform the secret operation, they must fail to do so, even if the union of all their attributes satisfy the policy. This is the usual setting in attribute-based signature schemes =-=[26, 28, 15, 4, 22]-=- and in ciphertext-policy attribute-based encryption [7, 24, 25]. For encryption, the dual version of key-policy attribute-based encryption has also been defined and widely studied [20, 29, 9]: here t... |

7 | Anonymous credentials light
- Baldimtsi, Lysyanskaya
- 2013
(Show Context)
Citation Context ...les where the same problem of building cryptographic protocols in the Discrete Logarithm pairing-free setting has been considered, in scenarios quite close to that of attribute-based cryptography. In =-=[2]-=-, for the problem of anonymous credentials systems, which is very related to attributebased signatures; and in [1], for the problem of inner-product encryption, which is another particular case of fun... |

6 | One-time signatures and chameleon hash functions
- Mohassel
- 2011
(Show Context)
Citation Context ...ret key and breaks the security of the system. In the digital signature setting, bounding the number of signatures led to the concept of k-times signature (with particular interest in the case k = 1) =-=[32, 6, 27]-=-. Translating this concept to our attribute-based setting, what we will get is a situation where the number of secret key queries is bounded. If we assume that the system can control that each user ma... |

3 | Simple functional encryption schemes for inner products
- Abdalla, Bourse, et al.
(Show Context)
Citation Context ...been considered, in scenarios quite close to that of attribute-based cryptography. In [2], for the problem of anonymous credentials systems, which is very related to attributebased signatures; and in =-=[1]-=-, for the problem of inner-product encryption, which is another particular case of functional encryption. 1.1 Our Contributions We propose in this work the first (to the best of our knowledge) attribu... |

2 | Zero-knowledge argument for polynomial evaluation with application to blacklists
- Bayer, Groth
- 2013
(Show Context)
Citation Context ...ret values associated to attribute ati. The linear dependence on M in the efficiency of our zero-knowledge proof of knowledge protocol can be reduced to √ M or even log(M), by using the techniques in =-=[21, 3]-=- for the polynomial evaluation part of the resulting zero-knowledge proof of knowledge. The unforgeability proof has to be slightly modified, and in particular a loss factor of 1NL appears in the redu... |

2 | Policy-based signatures
- Bellare, Fuchsbauer
- 2014
(Show Context)
Citation Context |

1 |
Attribute-based signatures from RSA
- Herranz
- 2014
(Show Context)
Citation Context |