10 research outputs found
Zero-Knowledge Arguments for Subverted RSA Groups
This work investigates zero-knowledge protocols in subverted RSA groups where the prover can choose the modulus and where the verifier does not know the group order. We introduce a novel technique for extracting the witness from a general homomorphism over a group of unknown order that does not require parallel repetitions. We present a NIZK range proof for general homomorphisms such as Paillier encryptions in the designated verifier model that works under a subverted setup. The key ingredient of our proof is a constant sized NIZK proof of knowledge for a plaintext. Security is proven in the ROM assuming an IND-CPA additively homomorphic encryption scheme. The verifier\u27s public key is reusable, can be maliciously generated and is linear in the number of proofs to be verified
UC Non-Interactive, Proactive, Threshold ECDSA
Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS ’18), we present a threshold ECDSA protocol, for any number of signatories and any threshold, that improves as follows over the state of the art:
* Signature generation takes only 4 rounds (down from the current 8 rounds), with a comparable computational cost. Furthermore, 3 of these rounds can take place in a preprocessing stage before the signed message is known, lending to a non-interactive threshold ECDSA protocol.
* The protocol withstands adaptive corruption of signatories. Furthermore, it includes a periodic refresh mechanism and offers full proactive security.
* The protocol realizes an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.
These properties (low latency, compatibility with cold-wallet architectures, proactive security, and composable security) make the protocol ideal for threshold wallets for ECDSA-based cryptocurrencies
Secure and Efficient Delegation of a Single and Multiple Exponentiations to a Single Malicious Server
Group exponentiation is an important operation used in many cryptographic protocols, specifically public-key cryptosystems such as RSA, Diffie Hellman, ElGamal, etc. To expand the applicability of group exponentiation to computationally weaker devices, procedures were established by which to delegate this operation from a computationally weaker client to a computationally stronger server. However, solving this problem with a single, possibly malicious, server, has remained open since a formal cryptographic model was introduced by Hohenberger and Lysyanskaya in 2005. Several later attempts either failed to achieve privacy or only achieved constant security probability.
In this dissertation, we study and solve this problem for discrete log type groups and RSA type groups for both single and multiple (batch) exponentiations and apply our solution in several protocols. Each of our protocols satisfies natural correctness, security, privacy, and efficiency requirements, where security holds with exponentially small probability
UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts
Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS \u2718), we present threshold ECDSA protocols, for any number of signatories and any threshold, that improve as follows over the state of the art:
* Only the last round of our protocols requires knowledge of the message, and the other rounds can take place in a preprocessing stage, lending to a non-interactive threshold ECDSA protocol.
* Our protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security.
* Our protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.
* Both protocols achieve accountability by identifying corrupted signatories in case of failure to generate a valid signature.
The protocols provide a tradeoff between the number of rounds to generate a signature and the computational and communication overhead for the identification of corrupted signatories. Namely:
* For one protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties.
* For the other protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds.
These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies
Secure fingerprinting on sound foundations
The rapid development and the advancement of digital technologies open a variety of opportunities to consumers and content providers for using and trading digital goods. In this context, particularly the Internet has gained a major ground as a worldwiede platform for exchanging and distributing digital goods. Beside all its possibilities and advantages digital technology can be misuesd to breach copyright regulations: unauthorized use and illegal distribution of intellectual property cause authors and content providers considerable loss. Protections of intellectual property has therefore become one of the major challenges of our information society. Fingerprinting is a key technology in copyright protection of intellectual property. Its goal is to deter people from copyright violation by allowing to provably identify the source of illegally copied and redistributed content. As one of its focuses, this thesis considers the design and construction of various fingerprinting schemes and presents the first explicit, secure and reasonably efficient construction for a fingerprinting scheme which fulfills advanced security requirements such as collusion-tolerance, asymmetry, anonymity and direct non-repudiation. Crucial for the security of such s is a careful study of the underlying cryptographic assumptions. In case of the fingerprinting scheme presented here, these are mainly assumptions related to discrete logarithms. The study and analysis of these assumptions is a further focus of this thesis. Based on the first thorough classification of assumptions related to discrete logarithms, this thesis gives novel insights into the relations between these assumptions. In particular, depending on the underlying probability space we present new reuslts on the reducibility between some of these assumptions as well as on their reduction efficency.Die Fortschritte im Bereich der Digitaltechnologien bieten Konsumenten,
Urhebern und Anbietern große Potentiale für innovative Geschäftsmodelle
zum Handel mit digitalen GĂĽtern und zu deren Nutzung. Das Internet stellt
hierbei eine interessante Möglichkeit zum Austausch und zur Verbreitung
digitaler GĂĽter dar. Neben vielen Vorteilen kann die Digitaltechnik jedoch
auch missbräuchlich eingesetzt werden, wie beispielsweise zur Verletzung
von Urheberrechten durch illegale Nutzung und Verbreitung von Inhalten,
wodurch involvierten Parteien erhebliche Schäden entstehen können. Der
Schutz des geistigen Eigentums hat sich deshalb zu einer der besonderen
Herausforderungen unseres Digitalzeitalters entwickelt.
Fingerprinting ist eine SchlĂĽsseltechnologie zum Urheberschutz. Sie hat
das Ziel, vor illegaler Vervielfältigung und Verteilung digitaler Werke abzuschrecken, indem sie die Identifikation eines Betrügers und das Nachweisen
seines Fehlverhaltens ermöglicht. Diese Dissertation liefert als eines ihrer Ergebnisse die erste explizite, sichere und effiziente Konstruktion, welche die
BerĂĽcksichtigung besonders fortgeschrittener Sicherheitseigenschaften wie
Kollusionstoleranz, Asymmetrie, Anonymität und direkte Unabstreitbarkeit
erlaubt.
Entscheidend für die Sicherheit kryptographischer Systeme ist die präzise
Analyse der ihnen zugrunde liegenden kryptographischen Annahmen. Den
im Rahmen dieser Dissertation konstruierten Fingerprintingsystemen liegen
hauptsächlich kryptographische Annahmen zugrunde, welche auf diskreten
Logarithmen basieren. Die Untersuchung dieser Annahmen stellt einen weiteren
Schwerpunkt dieser Dissertation dar. Basierend auf einer hier erstmals
in der Literatur vorgenommenen Klassifikation dieser Annahmen werden
neue und weitreichende Kenntnisse über deren Zusammenhänge gewonnen.
Insbesondere werden, in Abhängigkeit von dem zugrunde liegenden Wahrscheinlichkeitsraum, neue Resultate hinsichtlich der Reduzierbarkeit dieser
Annahmen und ihrer Reduktionseffizienz erzielt