5,219 research outputs found
Constant Size Ring Signature Without Random Oracle
Ring signature enables an user to anonymously sign a message on behalf of a group of users termed as ‘ring’ formed in an ‘ad-hoc’ manner. A naive scheme produces a signature linear in the size of the ring, but this is extremely inefficient when ring size is large. Dodis et al. proposed a constant size scheme in EUROCRYPT’13, but provably secure in random oracle model. Best known result without random oracle is a sub-linear size construction by Chandran et al. in ICALP’07 and a follow-up work by Essam Ghadafi in IMACC’13. Therefore, construction of a constant size ring signature scheme without random oracle meeting stringent security requirement still remains as an
interesting open problem.
Our first contribution is a generic technique to convert a compatible signature scheme to a constantsized ring signature scheme. The technique employs a constant size set membership check that may be of independent interest. Our construction is instantiated over asymmetric pairing of composite order and optimally efficient. The scheme meets strongest security requirements, viz. anonymity under full key exposure and unforgeability against insider-corruption without using random oracle under simple hardness assumptions. We also provide a concrete instantiation of the scheme based on Full Boneh-Boyen signatures
Constant Size Traceable Ring Signature Scheme without Random Oracles
Currently several traceable (or linkable) identity-based ring signature schemes have been proposed. However, most of them are constructed in the random oracle model. In this paper, we present a fully traceable ring signature (TRS) scheme without random oracles, which has the constant size signature and a security reduction to the computational Diffie-Hellman (CDH) assumption. Also, we give a formal security model for traceable ring signature and prove that the proposed scheme has the properties of traceability and anonymity
Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease
In this work, we provide the first lattice-based group signature that offers
full dynamicity (i.e., users have the flexibility in joining and leaving the
group), and thus, resolve a prominent open problem posed by previous works.
Moreover, we achieve this non-trivial feat in a relatively simple manner.
Starting with Libert et al.'s fully static construction (Eurocrypt 2016) -
which is arguably the most efficient lattice-based group signature to date, we
introduce simple-but-insightful tweaks that allow to upgrade it directly into
the fully dynamic setting. More startlingly, our scheme even produces slightly
shorter signatures than the former, thanks to an adaptation of a technique
proposed by Ling et al. (PKC 2013), allowing to prove inequalities in
zero-knowledge. Our design approach consists of upgrading Libert et al.'s
static construction (EUROCRYPT 2016) - which is arguably the most efficient
lattice-based group signature to date - into the fully dynamic setting.
Somewhat surprisingly, our scheme produces slightly shorter signatures than the
former, thanks to a new technique for proving inequality in zero-knowledge
without relying on any inequality check. The scheme satisfies the strong
security requirements of Bootle et al.'s model (ACNS 2016), under the Short
Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.
Furthermore, we demonstrate how to equip the obtained group signature scheme
with the deniability functionality in a simple way. This attractive
functionality, put forward by Ishida et al. (CANS 2016), enables the tracing
authority to provide an evidence that a given user is not the owner of a
signature in question. In the process, we design a zero-knowledge protocol for
proving that a given LWE ciphertext does not decrypt to a particular message
KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures
Email breaches are commonplace, and they expose a wealth of personal,
business, and political data that may have devastating consequences. The
current email system allows any attacker who gains access to your email to
prove the authenticity of the stolen messages to third parties -- a property
arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This
exacerbates the problem of email breaches by greatly increasing the potential
for attackers to damage the users' reputation, blackmail them, or sell the
stolen information to third parties.
In this paper, we introduce "non-attributable email", which guarantees that a
wide class of adversaries are unable to convince any third party of the
authenticity of stolen emails. We formally define non-attributability, and
present two practical system proposals -- KeyForge and TimeForge -- that
provably achieve non-attributability while maintaining the important protection
against spam and spoofing that is currently provided by DKIM. Moreover, we
implement KeyForge and demonstrate that that scheme is practical, achieving
competitive verification and signing speed while also requiring 42% less
bandwidth per email than RSA2048
A New Cryptosystem Based On Hidden Order Groups
Let be a cyclic multiplicative group of order . It is known that the
Diffie-Hellman problem is random self-reducible in with respect to a
fixed generator if is known. That is, given and
having oracle access to a `Diffie-Hellman Problem' solver with fixed generator
, it is possible to compute in polynomial time (see
theorem 3.2). On the other hand, it is not known if such a reduction exists
when is unknown (see conjuncture 3.1). We exploit this ``gap'' to
construct a cryptosystem based on hidden order groups and present a practical
implementation of a novel cryptographic primitive called an \emph{Oracle Strong
Associative One-Way Function} (O-SAOWF). O-SAOWFs have applications in
multiparty protocols. We demonstrate this by presenting a key agreement
protocol for dynamic ad-hoc groups.Comment: removed examples for multiparty key agreement and join protocols,
since they are redundan
Hang With Your Buddies to Resist Intersection Attacks
Some anonymity schemes might in principle protect users from pervasive
network surveillance - but only if all messages are independent and unlinkable.
Users in practice often need pseudonymity - sending messages intentionally
linkable to each other but not to the sender - but pseudonymity in dynamic
networks exposes users to intersection attacks. We present Buddies, the first
systematic design for intersection attack resistance in practical anonymity
systems. Buddies groups users dynamically into buddy sets, controlling message
transmission to make buddies within a set behaviorally indistinguishable under
traffic analysis. To manage the inevitable tradeoffs between anonymity
guarantees and communication responsiveness, Buddies enables users to select
independent attack mitigation policies for each pseudonym. Using trace-based
simulations and a working prototype, we find that Buddies can guarantee
non-trivial anonymity set sizes in realistic chat/microblogging scenarios, for
both short-lived and long-lived pseudonyms.Comment: 15 pages, 8 figure
Pairing-based identification schemes
We propose four different identification schemes that make use of bilinear
pairings, and prove their security under certain computational assumptions.
Each of the schemes is more efficient and/or more secure than any known
pairing-based identification scheme
Ring Signature from Bonsai Tree: How to Preserve the Long-Term Anonymity
Signer-anonymity is the central feature of ring signatures, which enable a
user to sign messages on behalf of an arbitrary set of users, called the ring,
without revealing exactly which member of the ring actually generated the
signature. Strong and long-term signer-anonymity is a reassuring guarantee for
users who are hesitant to leak a secret, especially if the consequences of
identification are dire in certain scenarios such as whistleblowing. The notion
of \textit{unconditional anonymity}, which protects signer-anonymity even
against an infinitely powerful adversary, is considered for ring signatures
that aim to achieve long-term signer-anonymity. However, the existing
lattice-based works that consider the unconditional anonymity notion did not
strictly capture the security requirements imposed in practice, this leads to a
realistic attack on signer-anonymity.
In this paper, we present a realistic attack on the unconditional anonymity
of ring signatures, and formalize the unconditional anonymity model to strictly
capture it. We then propose a lattice-based ring signature construction with
unconditional anonymity by leveraging bonsai tree mechanism. Finally, we prove
the security in the standard model and demonstrate the unconditional anonymity
through both theoretical proof and practical experiments
- …