Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications
A chameleon-hash behaves like a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC '17) make it possible to prevent the holder of the long-term trapdoor from finding collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; rather, the hashing party can decide whether it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice.
Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based
Blockchain technologies recently received a considerable amount of attention. While the initial focus was mainly on the use of blockchains in the context of cryptocurrencies such as Bitcoin, application scenarios now go far beyond this. Most blockchains have the property that once some object, e.g., a block or a transaction, has been registered to be included into the blockchain, it is persisted and there are no means to modify it again. While this is an essential feature of most blockchain scenarios, it is still often desirable - at times it may even be legally required - to allow for breaking this immutability in a controlled way.

Only recently, Ateniese et al. (EuroS&P 2017) proposed an elegant solution to this problem on the block level. Thereby, the authors replace standard hash functions with so-called chameleon-hashes (Krawczyk and Rabin, NDSS 2000). While their work seems to offer a suitable solution to the problem of controlled rewriting of blockchains, their approach is too coarse-grained in that it only offers an all-or-nothing solution. We revisit this idea and introduce the novel concept of policy-based chameleon-hashes (PCH). PCHs generalize the notion of chameleon-hashes by giving the party computing a hash the ability to associate access policies to the generated hashes. Anyone who possesses enough privileges to satisfy the policy can then find arbitrary collisions for a given hash. We then apply this concept to transaction-level rewriting within blockchains, and thus support fine-grained and controlled modifiability of blockchain objects. Besides modeling PCHs, we present a generic construction of PCHs (using a strengthened version of chameleon-hashes with ephemeral trapdoors which we also introduce), rigorously prove its security, and instantiate it with efficient building blocks. We report first implementation results.
Policy-Based Sanitizable Signatures
Sanitizable signatures are a variant of signatures which allow a single, signer-defined sanitizer to modify signed messages in a controlled way without invalidating the respective signature. They turned out to be a versatile primitive, proven by different variants and extensions, e.g., allowing multiple sanitizers or adding new sanitizers one-by-one. However, existing constructions are very restricted regarding their flexibility in specifying potential sanitizers. We propose a different and more powerful approach: instead of using sanitizers' public keys directly, we assign attributes to them. Sanitizing is then based on policies, i.e., access structures defined over attributes. A sanitizer can sanitize if, and only if, it holds a secret key to attributes satisfying the policy associated to a signature, while offering full-scale accountability.
RSA and redactable blockchains
A blockchain is redactable if a private key holder (e.g. a central authority) can change any single block without violating integrity of the whole blockchain, but no other party can do that. In this paper, we offer a simple method of constructing redactable blockchains inspired by the ideas underlying the well-known RSA encryption scheme. Notably, our method can be used in conjunction with any reasonable hash function that is used to build a blockchain. Public immutability of a blockchain in our construction is based on the computational hardness of the RSA problem and not on properties of the underlying hash function. Corruption resistance is based on the computational hardness of the discrete logarithm problem.
Fully post-quantum protocols for e-voting, coercion resistant cast as intended and mixing networks
In an electronic election several cryptographic proofs are implemented to guarantee that the whole process has been fair. Many cryptographic primitives are based on the hardness of the discrete logarithm, factorization and other related problems. However, these problems are efficiently computable with a quantum computer, and new proofs are needed based on different assumptions not broken by quantum computers. Lattice-based cryptography seems to be one of the most promising post-quantum alternatives. In this thesis we present a coercion-resistant cast-as-intended proof and a proof of a shuffle, both completely based on lattice problems such as Inhomogeneous Short Integer Solution (ISIS) and Ring Learning With Errors (RLWE). With the first we prove to the voter that his vote correctly encodes his voting option, without allowing him to prove to a third party that he has chosen a specific option, to avoid the possibility of vote selling. Shuffles are permutations and re-encryptions of cast votes performed by mixing network nodes (mix-net nodes), so that the output cannot be related with the input and nobody can link a decrypted vote with the voter who cast it. Given that the goal is to make the output not linkable to the input, it is essential to provide a proof of it being a correct shuffle that has preserved the integrity of the votes, without deleting, adding or modifying any of them. To prove both things we have constructed non-interactive zero-knowledge proofs, from which anyone can be convinced that a statement is true (with overwhelming probability over a security parameter) without revealing any information about the elements that witness it being true.
Fully Collision-Resistant Chameleon-Hashes from Simpler and Post-Quantum Assumptions
Chameleon-hashes are collision-resistant hash-functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash can be found. Recently, Derler et al. (PKC '20) introduced the notion of fully collision-resistant chameleon-hashes. Full collision-resistance requires the intractability of finding collisions, even with fully adaptive access to a collision-finding oracle. Their construction combines simulation-sound extractable (SSE) NIZKs with perfectly correct IND-CPA secure public-key encryption (PKE) schemes. We show that, instead of perfectly correct PKE, non-interactive commitment schemes are sufficient. For the first time, this gives rise to efficient instantiations from plausible post-quantum assumptions and thus candidates of chameleon-hashes with strong collision-resistance guarantees and long-term security guarantees. On the more theoretical side, our results relax the requirements by removing the dependence on public-key encryption.
Adaptive Oblivious Transfer and Generalization
Oblivious Transfer (OT) protocols were introduced in the seminal paper of Rabin, and allow a user to retrieve a given number of lines (usually one) in a database, without revealing which ones to the server. The server is ensured that only this given number of lines can be accessed per interaction, and so the others are protected; while the user is ensured that the server does not learn the numbers of the lines required. This primitive has a huge interest in practice, for example in secure multi-party computation, and directly echoes Symmetrically Private Information Retrieval (SPIR). Recent Oblivious Transfer instantiations secure in the UC framework suffer from a drastic fallback. After the first query, there is no improvement on the global scheme complexity and so subsequent queries each have a global complexity of O(|DB|), meaning that there is no gain compared to running completely independent queries. In this paper, we propose a new protocol solving this issue, allowing subsequent queries with a complexity of O(log(|DB|)), and prove the protocol security in the UC framework with adaptive corruptions and reliable erasures. As a second contribution, we show that the techniques we use for Oblivious Transfer can be generalized to a new framework we call Oblivious Language-Based Envelope (OLBE). It is of practical interest since it seems more and more unrealistic to consider a database with uncontrolled access in access control scenarios. Our approach generalizes Oblivious Signature-Based Envelope, to handle more expressive credentials and requests from the user. Naturally, OLBE encompasses both OT and OSBE, but it also allows achieving Oblivious Transfer with fine-grained access over each line. For example, a user can access a line if and only if he possesses a certificate granting him access to such a line.

We show how to generically and efficiently instantiate such primitives, and prove them secure in the Universal Composability framework, with adaptive corruptions assuming reliable erasures. We provide the new UC ideal functionalities when needed, or we show that the existing ones fit in our new framework. The security of such designs preserves both the secrecy of the database values and the user credentials. This symmetry allows us to view our new approach as a generalization of the notion of Symmetrically PIR.
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions
A recent line of works – initiated by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010) – gave lattice-based realizations of privacy-preserving protocols allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions remain limited to static populations of users, which cannot be dynamically updated. For example, none of the existing lattice-based group signatures seems easily extendable to the more realistic setting of dynamic groups. This work provides new tools enabling the design of anonymous authentication systems whereby new users can register and obtain credentials at any time. Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction, which builds on the lattice-based signature of Böhl et al. (Eurocrypt'13), is well-suited to the design of anonymous credentials and dynamic group signatures. As a second technical contribution, we provide a simple, round-optimal joining mechanism for introducing new members in a group. This mechanism consists of zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. This method provides similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, it allows group members to generate their public key on their own without having to prove knowledge of the underlying secret key. This results in a two-round join protocol supporting concurrent enrollments, which can be used in other settings such as group encryption.
A Generic Construction of an Anonymous Reputation System and Instantiations from Lattices
With an anonymous reputation system one can realize the process of rating sellers anonymously in an online shop. While raters can stay anonymous, sellers still have the guarantee that they can only be reviewed by raters who bought their product. We present the first generic construction of a reputation system from basic building blocks, namely digital signatures, encryption schemes, non-interactive zero-knowledge proofs, and linking indistinguishable tags. We then show the security of the reputation system in a strong security model. Among others, we instantiate the generic construction with building blocks based on lattice problems, leading to the first module lattice-based reputation system.
On Cryptographic Building Blocks and Transformations
Cryptographic building blocks play a central role in cryptography, e.g., encryption or digital signatures with their security notions. Further, cryptographic building blocks might be constructed modularly, i.e., emerge out of other cryptographic building blocks. Essentially, one cryptographically transforms the underlying block(s) and their (security) properties into the emerged block and its properties. This thesis considers cryptographic building blocks and new cryptographic transformations.