Proofs of Knowledge on Monotone Predicates and its Application to Attribute-Based Identifications and Signatures

We propose a concrete procedure of the $\Sigma$-protocol introduced by Cramer, Damgård and Schoenmakers at CRYPTO \u2794, which is for proving knowledge that a set of witnesses satisfies a monotone predicate in witness-indistinguishable way; that is, hiding the assignment of truth in the predicate. We provide a detailed procedure by extending the so-called OR-proof

Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease

In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016) - which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. Our design approach consists of upgrading Libert et al.'s static construction (EUROCRYPT 2016) - which is arguably the most efficient lattice-based group signature to date - into the fully dynamic setting. Somewhat surprisingly, our scheme produces slightly shorter signatures than the former, thanks to a new technique for proving inequality in zero-knowledge without relying on any inequality check. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message

Trusted Execution Environments with Architectural Support: Foundations and Implementation

In this project, we added support to the OCaml interpreter to use the protections afforded by Intel’s Software Guard Extensions (SGX). In particular, this is applied to a cryptographic protocol generator to provide provably secure message exchange even in the face of a malicious operating system. We argue from a theoretical and experimental perspective that the modifications presented do not alter program behavior and are not vulnerable to attacks on our use of cryptography or implementation issues. We also provide a set of guidelines for developers working with SGX to prevent security bugs

Anonymous Credentials Light

We define and propose an efficient and provably secure construction of blind signatures with attributes. Prior notions of blind signatures did not yield themselves to the construction of anonymous credential systems, not even if we drop the unlinkability requirement of anonymous credentials. Our new notion in contrast is a convenient building block for anonymous credential systems. The construction we propose is efficient: it requires just a few exponentiations in a prime-order group in which the decisional Diffie-Hellman problem is hard. Thus, for the first time, we give a provably secure construction of anonymous credentials that can work in the elliptic group setting without bilinear pairings. In contrast, prior provably secure constructions were based on the RSA group or on groups with pairings, which made them prohibitively inefficient for mobile devices, RFIDs and smartcards. The only prior efficient construction that could work in such elliptic curve groups, due to Brands, does not have a proof of security

Privacy-Preserving Electronic Ticket Scheme with Attribute-based Credentials

Electronic tickets (e-tickets) are electronic versions of paper tickets, which enable users to access intended services and improve services' efficiency. However, privacy may be a concern of e-ticket users. In this paper, a privacy-preserving electronic ticket scheme with attribute-based credentials is proposed to protect users' privacy and facilitate ticketing based on a user's attributes. Our proposed scheme makes the following contributions: (1) users can buy different tickets from ticket sellers without releasing their exact attributes; (2) two tickets of the same user cannot be linked; (3) a ticket cannot be transferred to another user; (4) a ticket cannot be double spent; (5) the security of the proposed scheme is formally proven and reduced to well known (q-strong Diffie-Hellman) complexity assumption; (6) the scheme has been implemented and its performance empirically evaluated. To the best of our knowledge, our privacy-preserving attribute-based e-ticket scheme is the first one providing these five features. Application areas of our scheme include event or transport tickets where users must convince ticket sellers that their attributes (e.g. age, profession, location) satisfy the ticket price policies to buy discounted tickets. More generally, our scheme can be used in any system where access to services is only dependent on a user's attributes (or entitlements) but not their identities.Comment: 18pages, 6 figures, 2 table

On a New, Efficient Framework for Falsifiable Non-interactive Zero-Knowledge Arguments

Et kunnskapsløst bevis er en protokoll mellom en bevisfører og en attestant. Bevisføreren har som mål å overbevise attestanten om at visse utsagn er korrekte, som besittelse av kortnummeret til et gyldig kredittkort, uten å avsløre noen private opplysninger, som for eksempel kortnummeret selv. I mange anvendelser er det ønskelig å bruke IIK-bevis (Ikke-interaktive kunnskapsløse bevis), der bevisføreren produserer kun en enkelt melding som kan bekreftes av mange attestanter. En ulempe er at sikre IIK-bevis for ikke-trivielle språk kun kan eksistere ved tilstedeværelsen av en pålitelig tredjepart som beregner en felles referansestreng som blir gjort tilgjengelig for både bevisføreren og attestanten. Når ingen slik part eksisterer liter man av og til på ikke-interaktiv vitne-uskillbarhet, en svakere form for personvern. Studiet av effektive og sikre IIK-bevis er en kritisk del av kryptografi som har blomstret opp i det siste grunnet anvendelser i blokkjeder. I den første artikkelen konstruerer vi et nytt IIK-bevis for språkene som består av alle felles nullpunkter for en endelig mengde polynomer over en endelig kropp. Vi demonstrerer nytteverdien av beviset ved flerfoldige eksempler på anvendelser. Særlig verdt å merke seg er at det er mulig å gå nesten automatisk fra en beskrivelse av et språk på et høyt nivå til definisjonen av IIK-beviset, som minsker behovet for dedikert kryptografisk ekspertise. I den andre artikkelen konstruerer vi et IIV-bevis ved å bruke en ny kompilator. Vi utforsker begrepet Kunnskapslydighet (et sterkere sikkerhetsbegrep enn lydighet) for noen konstruksjoner av IIK-bevis. I den tredje artikkelen utvider vi arbeidet fra den første artikkelen ved å konstruere et nytt IIK-bevis for mengde-medlemskap som lar oss bevise at et element ligger, eller ikke ligger, i den gitte mengden. Flere nye konstruksjoner har bedre effektivitet sammenlignet med allerede kjente konstruksjoner.A zero-knowledge proof is a protocol between a prover, and a verifier. The prover aims to convince the verifier of the truth of some statement, such as possessing credentials for a valid credit card, without revealing any private information, such as the credentials themselves. In many applications, it is desirable to use NIZKs (Non-Interactive Zero Knowledge) proofs, where the prover sends outputs only a single message that can be verified by many verifiers. As a drawback, secure NIZKs for non-trivial languages can only exist in the presence of a trusted third party that computes a common reference string and makes it available to both the prover and verifier. When no such party exists, one sometimes relies on non interactive witness indistinguishability (NIWI), a weaker notion of privacy. The study of efficient and secure NIZKs is a crucial part of cryptography that has been thriving recently due to blockchain applications. In the first paper, we construct a new NIZK for the language of common zeros of a finite set of polynomials over a finite field. We demonstrate its usefulness by giving a large number of example applications. Notably, it is possible to go from a high-level language description to the definition of the NIZK almost automatically, lessening the need for dedicated cryptographic expertise. In the second paper, we construct a NIWI using a new compiler. We explore the notion of Knowledge Soundness (a security notion stronger than soundness) of some NIZK constructions. In the third paper, we extended the first paper’s work by constructing a new set (non-)membership NIZK that allows us to prove that an element belongs or does not belong to the given set. Many new constructions have better efficiency compared to already-known constructions.Doktorgradsavhandlin

Location Privacy in VANETs: Provably Secure Anonymous Key Exchange Protocol Based on Self-Blindable Signatures

open access articleSecurity and privacy in vehicular ad hoc networks (VANETs) are challenging in terms of Intelligent Transportation Systems (ITS) features. The distribution and decentralisation of vehicles could threaten location privacy and confidentiality in the absence of trusted third parties (TTP)s or if they are otherwise compromised. If the same digital signatures (or the same certificates) are used for different communications, then adversaries could easily apply linking attacks. Unfortunately, most of the existing schemes for VANETs in the literature do not satisfy the required levels of security, location privacy, and efficiency simultaneously. This paper presents a new and efficient end-to-end anonymous key exchange protocol based on Yang et al. 's self-blindable signatures. In our protocol, vehicles first privately blind their own private certificates for each communication outside the mix-zone and then compute an anonymous shared key based on zero-knowledge proof of knowledge (PoK). The efficiency comes from the fact that once the signatures are verified, the ephemeral values in PoK are also used to compute a shared key through an authenticated Diffie-Hellman key exchange protocol. Therefore, the protocol does not require any further external information to generate a shared key. Our protocol also does not require an interference with the Roadside Units or Certificate Authorities, and hence can be securely run outside the mixed-zones. We demonstrate the security of our protocol in an ideal/real simulation paradigm. Hence, our protocol achieves secure authentication, forward unlinkability, and accountability. Furthermore, the performance analysis shows that our protocol is more efficient in terms of computational and communication overheads compared to existing schemes

Security Analysis of Coconut, an Attribute-Based Credential Scheme with Threshold Issuance

Coconut [NDSS 2019] is an attribute-based credential scheme with threshold issuance. We analyze its security properties. To this end, we define an ideal functionality for attribute-based access control with threshold issuance. We describe a construction that realizes our functionality. Our construction follows Coconut with a few changes. In particular, it modifies the protocols for blind issuance of credentials and for credential show so that user privacy holds against computationally unbounded adversaries. The modified protocols are slightly more efficient than those of Coconut. Our construction also extends the public key, which seems necessary to prove unforgeability

Correlation-Intractable Hash Functions via Shift-Hiding

A hash function family $\mathcal{H}$ is correlation intractable for a $t$-input relation $\mathcal{R}$ if, given a random function $h$ chosen from $\mathcal{H}$, it is hard to find $x_1,\ldots,x_t$ such that $\mathcal{R}(x_1,\ldots,x_t,h(x_1),\ldots,h(x_t))$ is true. Among other applications, such hash functions are a crucial tool for instantiating the Fiat-Shamir heuristic in the plain model, including the only known NIZK for NP based on the learning with errors (LWE) problem (Peikert and Shiehian, CRYPTO 2019). We give a conceptually simple and generic construction of single-input CI hash functions from shift-hiding shiftable functions (Peikert and Shiehian, PKC 2018) satisfying an additional one-wayness property. This results in a clean abstract framework for instantiating CI, and also shows that a previously existing function family (PKC 2018) was already CI under the LWE assumption. In addition, our framework transparently generalizes to other settings, yielding new results: - We show how to instantiate certain forms of multi-input CI under the LWE assumption. Prior constructions either relied on a very strong ``brute-force-is-best\u27\u27 type of hardness assumption (Holmgren and Lombardi, FOCS 2018) or were restricted to ``output-only\u27\u27 relations (Zhandry, CRYPTO 2016). - We construct single-input CI hash functions from indistinguishability obfuscation (iO) and one-way permutations. Prior constructions relied essentially on variants of fully homomorphic encryption that are impossible to construct from such primitives. This result also generalizes to more expressive variants of multi-input CI under iO and additional standard assumptions