Distributed Provers and Verifiable Secret Sharing Based on the Discrete Logarithm Problem

Secret sharing allows a secret key to be distributed among n persons, such that k(1 <= k <= n) of these must be present in order to recover it at a later time. This report first shows how this can be done such that every person can verify (by himself) that his part of the secret is correct even though fewer than k persons get no Shannon information about the secret. However, this high level of security is not needed in public key schemes, where the secret key is uniquely determined by a corresponding public key. It is therefore shown how such a secret key (which can be used to sign messages or decipher cipher texts) can be distributed. This scheme has the property, that even though everybody can verify his own part, sets of fewer than k persons cannot sign/decipher unless they could have done so given just the public key. This scheme has the additional property that more than k persons can use the key without compromising their parts of it. Hence, the key can be reused. This technique is further developed to be applied to undeniable signatures. These signatures differ from traditional signatures as they can only be verified with the signer's assistance. The report shows how the signer can authorize agents who can help verifying signatures, but they cannot sign (unless the signer permits it)

Design and Analysis of Opaque Signatures

Digital signatures were introduced to guarantee the authenticity and integrity of the underlying messages. A digital signature scheme comprises the key generation, the signature, and the verification algorithms. The key generation algorithm creates the signing and the verifying keys, called also the signer’s private and public keys respectively. The signature algorithm, which is run by the signer, produces a signature on the input message. Finally, the verification algorithm, run by anyone who knows the signer’s public key, checks whether a purported signature on some message is valid or not. The last property, namely the universal verification of digital signatures is undesirable in situations where the signed data is commercially or personally sensitive. Therefore, mechanisms which share most properties with digital signatures except for the universal verification were invented to respond to the aforementioned need; we call such mechanisms “opaque signatures”. In this thesis, we study the signatures where the verification cannot be achieved without the cooperation of a specific entity, namely the signer in case of undeniable signatures, or the confirmer in case of confirmer signatures; we make three main contributions. We first study the relationship between two security properties important for public key encryption, namely data privacy and key privacy. Our study is motivated by the fact that opaque signatures involve always an encryption layer that ensures their opacity. The properties required for this encryption vary according to whether we want to protect the identity (i.e. the key) of the signer or hide the validity of the signature. Therefore, it would be convenient to use existing work about the encryption scheme in order to derive one notion from the other. Next, we delve into the generic constructions of confirmer signatures from basic cryptographic primitives, e.g. digital signatures, encryption, or commitment schemes. In fact, generic constructions give easy-to-understand and easy-to-prove schemes, however, this convenience is often achieved at the expense of efficiency. In this contribution, which constitutes the core of this thesis, we first analyze the already existing constructions; our study concludes that the popular generic constructions of confirmer signatures necessitate strong security assumptions on the building blocks, which impacts negatively the efficiency of the resulting signatures. Next, we show that a small change in these constructionsmakes these assumptions drop drastically, allowing as a result constructions with instantiations that compete with the dedicated realizations of these signatures. Finally, we revisit two early undeniable signatures which were proposed with a conjectural security. We disprove the claimed security of the first scheme, and we provide a fix to it in order to achieve strong security properties. Next, we upgrade the second scheme so that it supports a iii desirable feature, and we provide a formal security treatment of the new scheme: we prove that it is secure assuming new reasonable assumptions on the underlying constituents

Universally Composable Undeniable Signature

How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence. We first define the UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by \cite{DP96}. We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes. We finally prove that the UC-security against non-adaptive adversaries is equivalent to this definition of invisibility and the strong unforgeability in \cF_{ZK}-hybrid model, where \cF_{ZK} is the ideal ZK functionality. Our result of equivalence implies that all the known proven secure undeniable signature schemes (including Chaum\u27s scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge

Research Philosophy of Modern Cryptography

Proposing novel cryptography schemes (e.g., encryption, signatures, and protocols) is one of the main research goals in modern cryptography. In this paper, based on more than 800 research papers since 1976 that we have surveyed, we introduce the research philosophy of cryptography behind these papers. We use ``benefits and ``novelty as the keywords to introduce the research philosophy of proposing new schemes, assuming that there is already one scheme proposed for a cryptography notion. Next, we introduce how benefits were explored in the literature and we have categorized the methodology into 3 ways for benefits, 6 types of benefits, and 17 benefit areas. As examples, we introduce 40 research strategies within these benefit areas that were invented in the literature. The introduced research strategies have covered most cryptography schemes published in top-tier cryptography conferences

Group Signature with Deniability: How to Disavow a Signature

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, in some situations it is only required to know whether a specific user is the signer of a given signature. In this case, the use of a standard group signature may be problematic since the specified user might not be the signer of the given signature, and hence, the identity of the actual signer will be exposed. Inspired by this problem, we propose the notion of a deniable group signature, where, with respect to a signature and a user, the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We also describe a fairly practical construction by extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme

Short undeniable signatures:design, analysis, and applications

Digital signatures are one of the main achievements of public-key cryptography and constitute a fundamental tool to ensure data authentication. Although their universal verifiability has the advantage to facilitate their verification by the recipient, this property may have undesirable consequences when dealing with sensitive and private information. Motivated by such considerations, undeniable signatures, whose verification requires the cooperation of the signer in an interactive way, were invented. This thesis is mainly devoted to the design and analysis of short undeniable signatures. Exploiting their online property, we can achieve signatures with a fully scalable size depending on the security requirements. To this end, we develop a general framework based on the interpolation of group elements by a group homomorphism, leading to the design of a generic undeniable signature scheme. On the one hand, this paradigm allows to consider some previous undeniable signature schemes in a unified setting. On the other hand, by selecting group homomorphisms with a small group range, we obtain very short signatures. After providing theoretical results related to the interpolation of group homomorphisms, we develop some interactive proofs in which the prover convinces a verifier of the interpolation (resp. non-interpolation) of some given points by a group homomorphism which he keeps secret. Based on these protocols, we devise our new undeniable signature scheme and prove its security in a formal way. We theoretically analyze the special class of group characters on Z*n. After studying algorithmic aspects of the homomorphism evaluation, we compare the efficiency of different homomorphisms and show that the Legendre symbol leads to the fastest signature generation. We investigate potential applications based on the specific properties of our signature scheme. Finally, in a topic closely related to undeniable signatures, we revisit the designated confirmer signature of Chaum and formally prove the security of a generalized version

Special Signature Schemes and Key Agreement Protocols

This thesis is divided into two distinct parts. The first part of the thesis explores various deniable signature schemes and their applications. Such schemes do not bind a unique public key to a message, but rather specify a set of entities that could have created the signature, so each entity involved in the signature can deny having generated it. The main deniable signature schemes we examine are ring signature schemes. Ring signatures can be used to construct designated verifier signature schemes, which are closely related to designated verifier proof systems. We provide previously lacking formal definitions and security models for designated verifier proofs and signatures and examine their relationship to undeniable signature schemes. Ring signature schemes also have applications in the context of fair exchange of signatures. We introduce the notion of concurrent signatures, which can be constructed using ring signatures, and which provide a "near solution" to the problem of fair exchange. Concurrent signatures are more efficient than traditional solutions for fair exchange at the cost of some of the security guaranteed by traditional solutions. The second part of the thesis is concerned with the security of two-party key agreement protocols. It has traditionally been difficult to prove that a key agreement protocol satisfies a formal definition of security. A modular approach to constructing provably secure key agreement protocols was proposed, but the approach generally results in less efficient protocols. We examine the relationships between various well-known models of security and introduce a modular approach to the construction of proofs of security for key agreement protocols in such security models. Our approach simplifies the proof process, enabling us to provide proofs of security for several efficient key agreement protocols in the literature that were previously unproven

Security, privacy and trust in wireless mesh networks

With the advent of public key cryptography, digital signature schemes have been extensively studied in order to minimize the signature sizes and to accelerate their execution while providing necessary security properties. Due to the privacy concerns pertaining to the usage of digital signatures in authentication schemes, privacy-preserving signature schemes, which provide anonymity of the signer, have attracted substantial interest in research community. Group signature algorithms, where a group member is able to sign on behalf of the group anonymously, play an important role in many privacy-preserving authentication/ identification schemes. On the other hand, a safeguard is needed to hold users accountable for malicious behavior. To this end, a designated opening/revocation manager is introduced to open a given anonymous signature to reveal the identity of the user. If the identified user is indeed responsible for malicious activities, then s/he can also be revoked by the same entity. A related scheme named direct anonymous attestation is proposed for attesting the legitimacy of a trusted computing platform while maintaining its privacy. This dissertation studies the group signature and direct anonymous attestation schemes and their application to wireless mesh networks comprising resource-constrained embedded devices that are required to communicate securely and be authenticated anonymously, while malicious behavior needs to be traced to its origin. Privacy-aware devices that anonymously connect to wireless mesh networks also need to secure their communication via efficient symmetric key cryptography, as well. In this dissertation, we propose an efficient, anonymous and accountable mutual authentication and key agreement protocol applicable to wireless mesh networks. The proposed scheme can easily be adapted to other wireless networks. The proposed scheme is implemented and simulated using cryptographic libraries and simulators that are widely deployed in academic circles. The implementation and simulation results demonstrate that the proposed scheme is effective, efficient and feasible in the context of hybrid wireless mesh networks, where users can also act as relaying agents. The primary contribution of this thesis is a novel privacy-preserving anonymous authentication scheme consisting of a set of protocols designed to reconcile user privacy and accountability in an efficient and scalable manner in the same framework. The three-party join protocol, where a user can connect anonymously to the wireless mesh network with the help of two semi-trusted parties (comprising the network operator and a third party), is efficient and easily applicable in wireless networks settings. Furthermore, two other protocols, namely two-party identification and revocation protocols enable the network operator, with the help of the semi-trusted third party, to trace suspected malicious behavior back to its origins and revoke users when necessary. The last two protocols can only be executed when the two semi-trusted parties cooperate to provide accountability. Therefore, the scheme is protected against an omni-present authority (e.g. network operator) violating the privacy of network users at will. We also provide arguments and discussions for security and privacy of the proposed scheme

Non-Binding (Designated Verifier) Signature

We argue that there are some scenarios in which plausible deniability might be desired for a digital signature scheme. For instance, the non-repudiation property of conventional signature schemes is problematic in designing an Instant Messaging system (WPES 2004). In this paper, we formally define a non-binding signature scheme in which the Signer is able to disavow her own signature if she wants, but, the Verifier is not able to dispute a signature generated by the Signer. That is, the Signer is able to convince a third party Judge that she is the owner of a signature without disclosing her secret information. We propose a signature scheme that is non-binding and unforgeable. Our signature scheme is post-quantum secure if the underlying cryptographic primitives are post-quantum secure. In addition, a modification to our nonbinding signature scheme leads to an Instant Messaging system that is of independent interest