Compact E-Cash and Simulatable VRFs Revisited

Abstract. Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a random oracle. To this end we construct efficient GS proofs for signature possession, pseudo randomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial sized output domain (in the security parameter).

New Techniques for Electronic Voting

This paper presents a novel unifying framework for electronic voting in the universal composability model that includes a property which is new to universal composability but well-known to voting systems: universal verifiability. Additionally, we propose three new techniques for secure electronic voting and prove their security and universal verifiability in the universal composability framework. 1. A tally-hiding voting system, in which the tally that is released consists of only the winner without the vote count. Our proposal builds on a novel solution to the millionaire problem which is of independent interest. 2. A self-tallying vote, in which the tally can be calculated by any observer as soon as the last vote has been cast --- but before this happens, no information about the tally is leaked. 3. Authentication of voting credentials, which is a new approach for electronic voting systems based on anonymous credentials. In this approach, the vote authenticates the credential so that it cannot afterwards be used for any other purpose but to cast that vote. We propose a practical voting system that instantiates this high-level concept

Towards Applying Cryptographic Security Models to Real-World Systems

The cryptographic methodology of formal security analysis usually works in three steps: choosing a security model, describing a system and its intended security properties, and creating a formal proof of security. For basic cryptographic primitives and simple protocols this is a well understood process and is performed regularly. For more complex systems, as they are in use in real-world settings it is rarely applied, however. In practice, this often leads to missing or incomplete descriptions of the security properties and requirements of such systems, which in turn can lead to insecure implementations and consequent security breaches. One of the main reasons for the lack of application of formal models in practice is that they are particularly difficult to use and to adapt to new use cases. With this work, we therefore aim to investigate how cryptographic security models can be used to argue about the security of real-world systems. To this end, we perform case studies of three important types of real-world systems: data outsourcing, computer networks and electronic payment. First, we give a unified framework to express and analyze the security of data outsourcing schemes. Within this framework, we define three privacy objectives: \emph{data privacy}, \emph{query privacy}, and \emph{result privacy}. We show that data privacy and query privacy are independent concepts, while result privacy is consequential to them. We then extend our framework to allow the modeling of \emph{integrity} for the specific use case of file systems. To validate our model, we show that existing security notions can be expressed within our framework and we prove the security of CryFS---a cryptographic cloud file system. Second, we introduce a model, based on the Universal Composability (UC) framework, in which computer networks and their security properties can be described We extend it to incorporate time, which cannot be expressed in the basic UC framework, and give formal tools to facilitate its application. For validation, we use this model to argue about the security of architectures of multiple firewalls in the presence of an active adversary. We show that a parallel composition of firewalls exhibits strictly better security properties than other variants. Finally, we introduce a formal model for the security of electronic payment protocols within the UC framework. Using this model, we prove a set of necessary requirements for secure electronic payment. Based on these findings, we discuss the security of current payment protocols and find that most are insecure. We then give a simple payment protocol inspired by chipTAN and photoTAN and prove its security within our model. We conclude that cryptographic security models can indeed be used to describe the security of real-world systems. They are, however, difficult to apply and always need to be adapted to the specific use case

A Universally Composable Scheme for Electronic Cash

We propose a scheme for electronic cash based on symmetric primitives. The scheme is secure in the framework for universal composability assuming the existence of a symmetric CCA2-secure encryption scheme, a CMA-secure signature scheme, and a family of one-way, collision -free hash functions. In particular, the security proof is not in the random-oracle model. Due to its high e#ciency, the scheme is well-suited for devices such as smart-cards and mobile phones. We also show how the proposed scheme can be used as a group signature scheme with one-time keys