Zero-Knowledge Arguments for Subverted RSA Groups

This work investigates zero-knowledge protocols in subverted RSA groups where the prover can choose the modulus and where the verifier does not know the group order. We introduce a novel technique for extracting the witness from a general homomorphism over a group of unknown order that does not require parallel repetitions. We present a NIZK range proof for general homomorphisms such as Paillier encryptions in the designated verifier model that works under a subverted setup. The key ingredient of our proof is a constant sized NIZK proof of knowledge for a plaintext. Security is proven in the ROM assuming an IND-CPA additively homomorphic encryption scheme. The verifier\u27s public key is reusable, can be maliciously generated and is linear in the number of proofs to be verified

UC Non-Interactive, Proactive, Threshold ECDSA

Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS ’18), we present a threshold ECDSA protocol, for any number of signatories and any threshold, that improves as follows over the state of the art: * Signature generation takes only 4 rounds (down from the current 8 rounds), with a comparable computational cost. Furthermore, 3 of these rounds can take place in a preprocessing stage before the signed message is known, lending to a non-interactive threshold ECDSA protocol. * The protocol withstands adaptive corruption of signatories. Furthermore, it includes a periodic refresh mechanism and offers full proactive security. * The protocol realizes an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA. These properties (low latency, compatibility with cold-wallet architectures, proactive security, and composable security) make the protocol ideal for threshold wallets for ECDSA-based cryptocurrencies

Secure and Efficient Delegation of a Single and Multiple Exponentiations to a Single Malicious Server

Group exponentiation is an important operation used in many cryptographic protocols, specifically public-key cryptosystems such as RSA, Diffie Hellman, ElGamal, etc. To expand the applicability of group exponentiation to computationally weaker devices, procedures were established by which to delegate this operation from a computationally weaker client to a computationally stronger server. However, solving this problem with a single, possibly malicious, server, has remained open since a formal cryptographic model was introduced by Hohenberger and Lysyanskaya in 2005. Several later attempts either failed to achieve privacy or only achieved constant security probability. In this dissertation, we study and solve this problem for discrete log type groups and RSA type groups for both single and multiple (batch) exponentiations and apply our solution in several protocols. Each of our protocols satisfies natural correctness, security, privacy, and efficiency requirements, where security holds with exponentially small probability

UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts

Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS \u2718), we present threshold ECDSA protocols, for any number of signatories and any threshold, that improve as follows over the state of the art: * Only the last round of our protocols requires knowledge of the message, and the other rounds can take place in a preprocessing stage, lending to a non-interactive threshold ECDSA protocol. * Our protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security. * Our protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA. * Both protocols achieve accountability by identifying corrupted signatories in case of failure to generate a valid signature. The protocols provide a tradeoff between the number of rounds to generate a signature and the computational and communication overhead for the identification of corrupted signatories. Namely: * For one protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties. * For the other protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds. These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies

Secure fingerprinting on sound foundations

The rapid development and the advancement of digital technologies open a variety of opportunities to consumers and content providers for using and trading digital goods. In this context, particularly the Internet has gained a major ground as a worldwiede platform for exchanging and distributing digital goods. Beside all its possibilities and advantages digital technology can be misuesd to breach copyright regulations: unauthorized use and illegal distribution of intellectual property cause authors and content providers considerable loss. Protections of intellectual property has therefore become one of the major challenges of our information society. Fingerprinting is a key technology in copyright protection of intellectual property. Its goal is to deter people from copyright violation by allowing to provably identify the source of illegally copied and redistributed content. As one of its focuses, this thesis considers the design and construction of various fingerprinting schemes and presents the first explicit, secure and reasonably efficient construction for a fingerprinting scheme which fulfills advanced security requirements such as collusion-tolerance, asymmetry, anonymity and direct non-repudiation. Crucial for the security of such s is a careful study of the underlying cryptographic assumptions. In case of the fingerprinting scheme presented here, these are mainly assumptions related to discrete logarithms. The study and analysis of these assumptions is a further focus of this thesis. Based on the first thorough classification of assumptions related to discrete logarithms, this thesis gives novel insights into the relations between these assumptions. In particular, depending on the underlying probability space we present new reuslts on the reducibility between some of these assumptions as well as on their reduction efficency.Die Fortschritte im Bereich der Digitaltechnologien bieten Konsumenten, Urhebern und Anbietern große Potentiale für innovative Geschäftsmodelle zum Handel mit digitalen Gütern und zu deren Nutzung. Das Internet stellt hierbei eine interessante Möglichkeit zum Austausch und zur Verbreitung digitaler Güter dar. Neben vielen Vorteilen kann die Digitaltechnik jedoch auch missbräuchlich eingesetzt werden, wie beispielsweise zur Verletzung von Urheberrechten durch illegale Nutzung und Verbreitung von Inhalten, wodurch involvierten Parteien erhebliche Schäden entstehen können. Der Schutz des geistigen Eigentums hat sich deshalb zu einer der besonderen Herausforderungen unseres Digitalzeitalters entwickelt. Fingerprinting ist eine Schlüsseltechnologie zum Urheberschutz. Sie hat das Ziel, vor illegaler Vervielfältigung und Verteilung digitaler Werke abzuschrecken, indem sie die Identifikation eines Betrügers und das Nachweisen seines Fehlverhaltens ermöglicht. Diese Dissertation liefert als eines ihrer Ergebnisse die erste explizite, sichere und effiziente Konstruktion, welche die Berücksichtigung besonders fortgeschrittener Sicherheitseigenschaften wie Kollusionstoleranz, Asymmetrie, Anonymität und direkte Unabstreitbarkeit erlaubt. Entscheidend für die Sicherheit kryptographischer Systeme ist die präzise Analyse der ihnen zugrunde liegenden kryptographischen Annahmen. Den im Rahmen dieser Dissertation konstruierten Fingerprintingsystemen liegen hauptsächlich kryptographische Annahmen zugrunde, welche auf diskreten Logarithmen basieren. Die Untersuchung dieser Annahmen stellt einen weiteren Schwerpunkt dieser Dissertation dar. Basierend auf einer hier erstmals in der Literatur vorgenommenen Klassifikation dieser Annahmen werden neue und weitreichende Kenntnisse über deren Zusammenhänge gewonnen. Insbesondere werden, in Abhängigkeit von dem zugrunde liegenden Wahrscheinlichkeitsraum, neue Resultate hinsichtlich der Reduzierbarkeit dieser Annahmen und ihrer Reduktionseffizienz erzielt