Witness Hiding Proofs and Applications

Witness hiding is a basic requirement for most cryptology protocols. The concept was proposed by Feige and Shamir several years ago. This thesis concentrates on witness hiding protocols and its applications.The possibility to divert a witness hiding protocol parallelly had been an open problem for some time. The parallel divertibility is not only of theoretical significance but also a crucial point for the security of some applications, for example, electronic cash, digital signatures, etc. It is proved, in this thesis, that with limited computational power, it is impossible to divert a witness hiding protocol parallelly to two independent verifiers with large probability.The thesis explores the applications of witness hiding protocols in anonymous credentials, election schemes, and group signatures. In an anonymous credential system, one user may have many pseudonyms. The credentials issued on one of a user's pseudonyms can be transferred to other pseudonyms by the user without revealing the links between pseudonyms. Election, as a practical model, is formally defined. Two election schemes are proposed and discussed. Especially the voting scheme is parallelized with electronic cash system so that some new tool can be introduced. Group signature is a kind of digital signature for a group of people such that only members of the group can sign messages on behalf of the group and without revealing which member has signed. But the signer can be identified by either an authority or a certain number of group members who hold some kind of auxiliary information. The new group signature schemes, based on witness hiding proofs, have several advantages, compared with the original scheme proposed by Chaum and Heijst. The most important improvement is that the signers can be identified by a majority of group members, which had been a open problem in the literature. In this thesis, some theoretical results about bounds of secret keys and auxiliary information have been proved

Lattice Blind Signatures with Forward Security

Blind signatures play an important role in both electronic cash and electronic voting systems. Blind signatures should be secure against various attacks (such as signature forgeries). The work puts a special attention to secret key exposure attacks, which totally break digital signatures. Signatures that resist secret key exposure attacks are called forward secure in the sense that disclosure of a current secret key does not compromise past secret keys. This means that forward-secure signatures must include a mechanism for secret-key evolution over time periods. This paper gives a construction of the first blind signature that is forward secure. The construction is based on the SIS assumption in the lattice setting. The core techniques applied are the binary tree data structure for the time periods and the trapdoor delegation for the key-evolution mechanism.Comment: ACISP 202

Fiat-Shamir for highly sound protocols is instantiable

The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto '86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes from a hash function and any three-move interactive protocol satisfying certain properties. Despite its wide-spread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model only, i.e., they assume that the hash function is modeled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model. We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. In the case of NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; in the case of signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks. Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot–Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto '81). For the second compiler we require dual-mode commitments. We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable

Anonymous Credentials Light

We define and propose an efficient and provably secure construction of blind signatures with attributes. Prior notions of blind signatures did not yield themselves to the construction of anonymous credential systems, not even if we drop the unlinkability requirement of anonymous credentials. Our new notion in contrast is a convenient building block for anonymous credential systems. The construction we propose is efficient: it requires just a few exponentiations in a prime-order group in which the decisional Diffie-Hellman problem is hard. Thus, for the first time, we give a provably secure construction of anonymous credentials that can work in the elliptic group setting without bilinear pairings. In contrast, prior provably secure constructions were based on the RSA group or on groups with pairings, which made them prohibitively inefficient for mobile devices, RFIDs and smartcards. The only prior efficient construction that could work in such elliptic curve groups, due to Brands, does not have a proof of security

The One-More-RSA-Inversion Problems and the Security of Chaum\u27s Blind Signature Scheme

We introduce a new class of computational problems which we call the ``one-more-RSA-inversion\u27\u27 problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems respectively, have polynomially-equivalent computational complexity. We show how this leads to a proof of security for Chaum\u27s RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for ``one-more-discrete-logarithm\u27\u27 problems. Since the appearence of the preliminary version of this paper, the new problems we have introduced have found other uses as well

Efficient Round-Optimal Blind Signatures in the Standard Model

Blind signatures are at the core of e-cash systems and have numerous other applications. In this work we construct efficient blind and partially blind signature schemes over bilinear groups in the standard model. Our schemes yield short signatures consisting of only a couple of elements from the shorter source group and have very short communication overhead consisting of $1$ group element on the user side and $3$ group elements on the signer side. At $80$-bit security, our schemes yield signatures consisting of only $40$ bytes which is $67\%$ shorter than the most efficient existing scheme with the same security in the standard model. Verification in our schemes requires only a couple of pairings. Our schemes compare favorably in every efficiency measure to all existing counterparts offering the same security in the standard model. In fact, the efficiency of our signing protocol as well as the signature size compare favorably even to many existing schemes in the random oracle model. For instance, our signatures are shorter than those of Brands\u27 scheme which is at the heart of the U-Prove anonymous credential system used in practice. The unforgeability of our schemes is based on new intractability assumptions of a ``one-more\u27\u27 type which we show are intractable in the generic group model, whereas their blindness holds w.r.t.~malicious signing keys in the information-theoretic sense. We also give variants of our schemes for a vector of messages

Lattice-based Blind Signatures

Motivated by the need to have secure blind signatures even in the presence of quantum computers, we present two efficient blind signature schemes based on hard worst-case lattice problems. Both schemes are provably secure in the random oracle model and unconditionally blind. The first scheme is based on preimage samplable functions that were introduced at STOC 2008 by Gentry, Peikert, and Vaikuntanathan. The scheme is stateful and runs in 3 moves. The second scheme builds upon the PKC 2008 identification scheme of Lyubashevsky. It is stateless, has 4 moves, and its security is based on the hardness of worst-case problems in ideal lattices

07381 Abstracts Collection -- Cryptography

From 16.09.2007 to 21.09.2007 the Dagstuhl Seminar 07381 ``Cryptography\u27\u27 was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available

Spontaneous anonymous group cryptography and its applications.

Fung Kar-Yin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.Includes bibliographical references (leaves 72-81).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- Introduction --- p.1Chapter 1.1 --- Development of Cryptography --- p.1Chapter 1.2 --- Group Cryptography --- p.3Chapter 1.3 --- Spontaneous Anonymous Group Signature --- p.4Chapter 1.4 --- Blind Signature --- p.5Chapter 1.5 --- Blind SAG Signature --- p.6Chapter 1.6 --- Organization of This Thesis --- p.6Chapter 2 --- Background Study --- p.7Chapter 2.1 --- Six Primitives in Cryptography --- p.7Chapter 2.1.1 --- Symmetric Encryption --- p.8Chapter 2.1.2 --- Asymmetric Encryption --- p.8Chapter 2.1.3 --- Digital Signature --- p.9Chapter 2.1.4 --- Hash Function --- p.9Chapter 2.1.5 --- Digital Certificate --- p.10Chapter 2.1.6 --- Proof of Knowledge --- p.10Chapter 2.2 --- Euler Totient Function --- p.11Chapter 2.3 --- One-Way Function --- p.12Chapter 2.3.1 --- One-Way Trapdoor Function --- p.13Chapter 2.3.2 --- Discrete Logarithm Problem --- p.13Chapter 2.3.3 --- RSA Problem --- p.14Chapter 2.3.4 --- Integer Factorization Problem --- p.15Chapter 2.3.5 --- Quadratic Residuosity Problem --- p.15Chapter 2.3.6 --- Schnorr's ROS assumption --- p.16Chapter 2.4 --- Bilinear Pairing --- p.16Chapter 2.4.1 --- Weil Pairing --- p.18Chapter 2.4.2 --- Tate Pairing --- p.18Chapter 2.5 --- Gap Diffie-Hellman Group --- p.19Chapter 2.5.1 --- GDH --- p.19Chapter 2.5.2 --- Co-GDH --- p.20Chapter 2.6 --- Random Oracle Model --- p.21Chapter 2.6.1 --- Random Permutation --- p.23Chapter 2.6.2 --- Lunchtime Attack --- p.23Chapter 2.6.3 --- Back Patch --- p.23Chapter 2.6.4 --- Rewind Simulation --- p.24Chapter 2.7 --- Generic Group Model --- p.24Chapter 3 --- Digital and Threshold Signatures --- p.26Chapter 3.1 --- Introduction --- p.26Chapter 3.2 --- Notion of Attacks and Security in Signature --- p.28Chapter 3.2.1 --- Types of Signatures --- p.29Chapter 3.3 --- Threshold Signature --- p.31Chapter 3.4 --- Properties in Threshold Signatures --- p.31Chapter 4 --- Blind Signature --- p.33Chapter 4.1 --- Introduction --- p.33Chapter 4.1.1 --- Security Requirements --- p.35Chapter 4.2 --- Transferred Proof of Knowledge --- p.36Chapter 4.3 --- RSA Based Schemes --- p.37Chapter 4.3.1 --- Chaum's RSA Scheme --- p.37Chapter 4.3.2 --- Abe's RSA Scheme --- p.38Chapter 4.4 --- Discrete Logarithm Based Schemes --- p.39Chapter 4.4.1 --- Schnorr Blind Signature --- p.39Chapter 4.4.2 --- Okamoto-Schnorr Blind Signature --- p.40Chapter 4.5 --- Bilinear Mapping Based Schemes --- p.40Chapter 5 --- Spontaneous Anonymous Group Signature --- p.42Chapter 5.1 --- Introduction --- p.42Chapter 5.2 --- Cramer-Damgard-Schoemaker (CDS) SAG Signature --- p.44Chapter 5.2.1 --- (1´ةn)-CDS type SAG Signature --- p.44Chapter 5.2.2 --- "(t, n)-CDS type SAG Signature" --- p.45Chapter 5.3 --- Ring-type SAG Signature Schemes --- p.46Chapter 5.3.1 --- Rivest-Shamir-Tauman --- p.46Chapter 5.3.2 --- Abe's 1-out-of-n Ring Signature --- p.49Chapter 5.4 --- Discussions --- p.51Chapter 6 --- Blind SAG Signature --- p.53Chapter 6.1 --- Introduction --- p.53Chapter 6.2 --- Security Definitions --- p.54Chapter 6.2.1 --- Security Model --- p.55Chapter 6.3 --- "(1,n)-Ring Structured Blind SAG Signature" --- p.57Chapter 6.3.1 --- Signing Protocol --- p.58Chapter 6.3.2 --- Verification Algorithm --- p.58Chapter 6.4 --- CDS-type Blind SAG Signature --- p.59Chapter 6.4.1 --- "(l,n)-CDS-type" --- p.59Chapter 6.5 --- "(t,n)-CDS-type" --- p.60Chapter 6.5.1 --- Signing Protocol --- p.61Chapter 6.5.2 --- Verification Algorithm --- p.61Chapter 6.6 --- Security Analysis --- p.62Chapter 6.7 --- Applications to Credential System --- p.67Chapter 7 --- Conclusion --- p.69A --- p.71Bibliography --- p.8