
    Research on a New Signature Scheme on Blockchain

    With the rise of Bitcoin, blockchain, the core technology behind Bitcoin, has received increasing attention. Privacy preservation and performance on blockchain are two research topics in academia and industry, but unresolved issues remain in both. An aggregate signature scheme is a digital signature that supports signatures on many different messages generated by many different users. Using aggregate signatures, the size of the signature can be shortened by compressing multiple signatures into a single one. In this paper, a new signature scheme for transactions on blockchain based on aggregate signatures is proposed. Notably, the elliptic curve discrete logarithm problem and bilinear maps play major roles in our signature scheme, and its security properties are proved. In our scheme, the amount is hidden, especially in transactions that contain multiple inputs and outputs. Additionally, the size of the signature on a transaction is constant regardless of the number of inputs and outputs the transaction contains, which improves signature performance. Finally, we give an application scenario for our signature scheme that aims to support big-data transactions on blockchain.

    Secure Blind Decryption

    Abstract. In this work we construct public key encryption schemes that admit a protocol for blindly decrypting ciphertexts. In a blind decryption protocol, a user with a ciphertext interacts with a secret keyholder such that the user obtains the decryption of the ciphertext and the keyholder learns nothing about what it decrypted. While we are not the first to consider this problem, previous works provided only weak security guarantees against malicious users. We provide, to our knowledge, the first practical blind decryption schemes that are secure under a strong CCA security definition. We prove our construction secure in the standard model under simple, well-studied assumptions in bilinear groups. To motivate the usefulness of this primitive we discuss several applications including privacy-preserving distributed file systems and Oblivious Transfer schemes that admit public contribution.

    Practical Group-Signatures with Privacy-Friendly Openings

    Group signatures allow creating signatures on behalf of a group while remaining anonymous. To prevent misuse, there exists a designated entity, named the opener, which can revoke anonymity by generating a proof that links a signature to its creator. Still, many intermediate cases have been discussed in the literature, where the full power of the opener is not required, or the users themselves require the power to claim (or deny) authorship of a signature and (un-)link signatures in a controlled way. However, these concepts were only considered in isolation. We unify these approaches, supporting all these possibilities simultaneously and providing fine-grained openings, even by members. Namely, a member can prove whether it has created a given signature (or not), and can create a proof which makes two created signatures linkable (or unlinkable, respectively) in a controlled way. Likewise, the opener can show that a signature was not created by a specific member and can prove whether two signatures stem from the same signer (or not) without revealing anything else. Combined, these possibilities can make full openings irrelevant in many use-cases. This has the additional benefit that the requirements on the reachability of the opener are lessened. Moreover, even in the case of an involved opener, our framework is less privacy-invasive, as the opener no longer requires access to the signed message. Our provably secure black-box CCA-anonymous construction with dynamic joins requires only standard building blocks. We demonstrate its practicality by providing a performance evaluation of a concrete instantiation, and show that our non-optimized implementation is competitive compared to other, less feature-rich, notions.

    A Framework for Efficient Signatures, Ring Signatures and Identity Based Encryption in the Standard Model

    In this work, we present a generic framework for constructing efficient signature schemes, ring signature schemes, and identity based encryption schemes, all in the standard model (without relying on random oracles). We start by abstracting the recent work of Hohenberger and Waters (Crypto 2009), and specifically their "prefix method". We show a transformation taking a signature scheme with a very weak security guarantee (a notion that we call a-priori-message unforgeability under static chosen message attack) and producing a fully secure signature scheme (i.e., existentially unforgeable under adaptive chosen message attack). Our transformation uses the notion of chameleon hash functions, defined by Krawczyk and Rabin (NDSS 2000), and the "prefix method". Constructing such weakly secure schemes seems to be significantly easier than constructing fully secure ones, and we present simple constructions based on the RSA assumption, the short integer solution (SIS) assumption, and the computational Diffie-Hellman (CDH) assumption over bilinear groups. Next, we observe that this general transformation also applies to the regime of ring signatures. Using this observation, we construct new (provably secure) ring signature schemes: one is based on the short integer solution (SIS) assumption, and the other is based on the CDH assumption over bilinear groups. As a building block for these constructions, we define a primitive that we call ring trapdoor functions. We show that ring trapdoor functions imply ring signatures under a weak definition, which enables us to apply our transformation to achieve full security. Finally, we show a connection between ring signature schemes and identity based encryption (IBE) schemes. Using this connection, and using our new constructions of ring signature schemes, we obtain two IBE schemes: the first is based on the learning with errors (LWE) assumption, and is similar to the recently introduced IBE scheme of Cash-Hofheinz-Kiltz-Peikert; the second is based on the d-linear assumption over bilinear groups.

    Monero Mining: CryptoNight Analysis

    The Bitcoin cryptocurrency is the first successful implementation of the idea of electronic money without the mediation of third parties. Along the way, many cryptocurrencies were based on this technology, each focusing on its own goals and purposes. The Monero cryptocurrency is one such project, whose main purpose is to ensure privacy and anonymity. In a world where surveillance is intensifying, the Monero project sounds the alarm about the continuous violation of one of the fundamental human rights. Moreover, since corporations have dramatically limited healthy competition in almost all widespread cryptocurrencies, Monero tries to preserve it within its community. One of Monero's building blocks is maintaining equality among miners, which is achieved through egalitarianism. Egalitarianism is a consequence of a property of the cryptographic function used for mining coins. The function used in Monero for this purpose is called CryptoNight and is part of the CryptoNote protocol. The element of the function that achieves egalitarianism is a cryptographic property called memory-hardness. The CryptoNight function is considered to possess this property. However, to date this remains a claim. To our knowledge, there is neither a mathematical proof of this claim nor any attack that refutes it. Wanting to check the correctness of this claim, we attempted to construct a mathematical proof. We report the reasons why we fail to formulate such a proof and try to use them to refute this claim. To our knowledge, the present work is the first to study this property of the CryptoNight function, and the internal structure of the function is presented graphically for the first time. Finally, we present the knowledge we gained and hope that this work will prove useful in the future to colleagues who wish to contribute to research in the broader field. The aim of this research is to contribute to the Monero project's effort to ensure privacy, anonymity and equality.

    Bitcoin has been a successful implementation of the concept of peer-to-peer electronic cash. Based on this technology several cryptocurrency projects have arisen, each one focusing on its purposes and goals. Monero is a decentralized cryptocurrency focusing on privacy and anonymity. In a world of surveillance, Monero raises the alarm about one of the fundamental human rights, which is continuously violated: privacy. In addition, Monero is built to achieve equality between miners. Corporations are taking over almost every successful cryptocurrency by making mining participation harder and harder for hobbyists and supporters. Monero tries to keep its community clean of unhealthy competition. This is achieved through egalitarianism, which is based on a cryptographic mining function. This function is called CryptoNight and is part of the CryptoNote protocol, the heart of Monero's structure. The feature of this function that makes it egalitarian is a cryptographic property named memory-hardness. CryptoNight is alleged to be memory-hard. But, still today, this is just a claim. We put this claim to the test, trying to construct a formal mathematical proof, but we fail to do so. We discuss the reasons for our failure and try to use them to construct an attack on this feature. To our knowledge, we are the first to study this property of CryptoNight and the first to present graphically all the stages of CryptoNight's functionality. Finally, we present the knowledge gained and wish for this document to be useful in the future to colleagues who want to contribute to this field. The aim of this work is to contribute to Monero's fight for privacy, anonymity and equality.

    Lookup Protocols and Techniques for Anonymity

    This dissertation covers two topics of interest for network applications: lookup protocols, a basic building block for distributed systems, and ring signatures, a powerful primitive for anonymous communication. In the first part of this work, we review lookup protocols, distributed algorithms that allow users to publish a document as well as to look up a published document that matches a given name. Our first major contribution is to design Local Minima Search (LMS), a new efficient lookup protocol for a model in which a node is physically connected to a few other nodes and may only communicate directly with them. Our second major contribution is the formulation of a new model in which we allow an arbitrary number of misbehaving nodes, but we assume a restriction on their network addresses. We then design a new lookup protocol for this setting. In the second part of this dissertation, we present our work on ring signatures, a variant of digital signatures, which enables a user to sign a message so that a set of possible signers is identified, without revealing which member of that set actually generated the signature. Our first contribution on this topic is new definitions of security which address attacks not taken into account by previous work. As our second contribution, we design the first provably secure ring signature schemes in the standard model

    The Cryptographic Security of the German Electronic Identity Card

    In November 2010, the German government started to issue the new electronic identity card (eID) to its citizens. Besides its original utilization as a 'visual' identification document, the eID card can be used by the cardholder to prove one's identity at border control and to enhance the security of authentication processes over the Internet, with the eID card serving as a token to reliably transmit personal data to service providers or terminals, respectively. To this end, the German Federal Office for Information Security (BSI) proposed several cryptographic protocols now deployed on the eID card. The Password Authenticated Connection Establishment (PACE) protocol secures the wireless communication between the eID card and the user's local card reader, based on a cryptographically weak password like the PIN chosen by the card owner. Subsequently, the Extended Access Control (EAC) protocol is executed by the chip and the service provider to mutually authenticate and agree on a shared secret session key. This key is then used in the secure channel protocol, called Secure Messaging (SM). Finally, an optional protocol, called Restricted Identification (RI), provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (not even by malicious ones). This thesis consists of two parts. First, we present the above protocols and provide a rigorous analysis of their security from a cryptographic point of view. We show that the German eID card provides reasonable security for authentication and exchange of sensitive information, allaying concerns regarding its usage. In the second part of this thesis, we introduce two possible modifications to enhance the security of these protocols even further. Namely, we show how to (a) add to PACE an additional efficient chip authentication step, and (b) augment RI to also allow for signatures under pseudonyms.

    End-to-End Encrypted Group Messaging with Insider Security

    Our society has become heavily dependent on electronic communication, and preserving the integrity of this communication has never been more important. Cryptography is a tool that can help to protect the security and privacy of these communications. Secure messaging protocols like OTR and Signal typically employ end-to-end encryption technology to mitigate some of the most egregious adversarial attacks, such as mass surveillance. However, the secure messaging protocols deployed today suffer from two major omissions: they do not natively support group conversations with three or more participants, and they do not fully defend against participants that behave maliciously. Secure messaging tools typically implement group conversations by establishing pairwise instances of a two-party secure messaging protocol, which limits their scalability and makes them vulnerable to insider attacks by malicious members of the group. Insiders can often perform attacks such as rendering the group permanently unusable, causing the state of the group to diverge for the other participants, or covertly remaining in the group after appearing to leave. It is increasingly important to prevent these insider attacks as group conversations become larger, because there are more potentially malicious participants. This dissertation introduces several new protocols that can be used to build modern communication tools with strong security and privacy properties, including resistance to insider attacks. Firstly, the dissertation addresses a weakness in current two-party secure messaging tools: malicious participants can leak portions of a conversation alongside cryptographic proof of authorship, undermining confidentiality. The dissertation introduces two new authenticated key exchange protocols, DAKEZ and XZDH, with deniability properties that can prevent this type of attack when integrated into a secure messaging protocol. 
DAKEZ provides strong deniability in interactive settings such as instant messaging, while XZDH provides deniability for non-interactive settings such as mobile messaging. These protocols are accompanied by composable security proofs. Secondly, the dissertation introduces Safehouse, a new protocol that can be used to implement secure group messaging tools for a wide range of applications. Safehouse solves the difficult cryptographic problems at the core of secure group messaging protocol design: it securely establishes and manages a shared encryption key for the group and ephemeral signing keys for the participants. These keys can be used to build chat rooms, team communication servers, video conferencing tools, and more. Safehouse enables a server to detect and reject protocol deviations, while still providing end-to-end encryption. This allows an honest server to completely prevent insider attacks launched by malicious participants. A malicious server can still perform a denial-of-service attack that renders the group unavailable or "forks" the group into subgroups that can never communicate again, but other attacks are prevented, even if the server colludes with a malicious participant. In particular, an adversary controlling the server and one or more participants cannot cause honest participants' group states to diverge (even in subtle ways) without also permanently preventing them from communicating, nor can the adversary arrange to covertly remain in the group after all of the malicious participants under its control are removed from the group. Safehouse supports non-interactive communication, dynamic group membership, mass membership changes, an invitation system, and secure property storage, while offering a variety of configurable security properties including forward secrecy, post-compromise security, long-term identity authentication, strong deniability, and anonymity preservation. 
The dissertation includes a complete proof-of-concept implementation of Safehouse and a sample application with a graphical client. Two sub-protocols of independent interest are also introduced: a new cryptographic primitive that can encrypt multiple private keys to several sets of recipients in a publicly verifiable and repeatable manner, and a round-efficient interactive group key exchange protocol that can instantiate multiple shared key pairs with a configurable knowledge relationship

    Ad hoc group signatures

    The main advantage of ring signatures is to ensure anonymity in ad hoc groups. However, since a group manager is not present in ad hoc groups, there is no existing way to identify the signer who is responsible for, or benefits from, a disputed ring signature. In this paper, we address this issue by formalizing the notion of ad hoc group signatures. This new notion bridges the gap between ring signature and group signature schemes. It enjoys the same advantage as ring signatures, providing anonymity while not requiring any group manager. Furthermore, it allows a member of an ad hoc group to provably claim that it has (not) issued the anonymous signature on behalf of the group. We propose the first construction of ad hoc group signatures that is provably secure in the random oracle model under the Strong RSA assumption. Our proposal is very simple; additionally, it produces constant-size signatures and requires a constant number of modular exponentiations. This ensures that our scheme is very practical for ad hoc applications where a centralized group manager is not present.

    Ad-hoc-group signatures from hijacked keypairs. Available at http://theory.lcs.mit.edu/~srhohen/papers/AHR.pdf

    Ad-hoc-group signatures enable an individual to sign on behalf of a group without requiring prior group membership setup. Such signatures are used to provide credibility – the signer must be one of the group members – combined with some degree of anonymity – the identity of the signer within the group cannot be determined. Thus, in many instances, other group members might not cooperate in the creation of such a signature. They may even wish to interfere with its creation, refusing to generate keypairs of a form that might facilitate such activity. We present a combination of techniques for efficiently coercing any user into an ad-hoc signatory group, using only that user’s public key. This public key may correspond to almost any signature or encryption scheme, as long as there exists an efficient Special Honest Verifier Zero Knowledge Proof of Knowledge protocol for the secret key, or, alternatively, a hash-and-sign algorithm for that keypair type. Our approach effectively hijacks any public key for the purpose of building an ad-hoc group signature. We also present a new proof protocol that enables, within our framework, the hijacking of Boneh-Franklin and Waters identity-based encryption keys, as well as Camenisch-Lysyanskaya signature keys.