Short undeniable signatures:design, analysis, and applications

Digital signatures are one of the main achievements of public-key cryptography and constitute a fundamental tool to ensure data authentication. Although their universal verifiability has the advantage to facilitate their verification by the recipient, this property may have undesirable consequences when dealing with sensitive and private information. Motivated by such considerations, undeniable signatures, whose verification requires the cooperation of the signer in an interactive way, were invented. This thesis is mainly devoted to the design and analysis of short undeniable signatures. Exploiting their online property, we can achieve signatures with a fully scalable size depending on the security requirements. To this end, we develop a general framework based on the interpolation of group elements by a group homomorphism, leading to the design of a generic undeniable signature scheme. On the one hand, this paradigm allows to consider some previous undeniable signature schemes in a unified setting. On the other hand, by selecting group homomorphisms with a small group range, we obtain very short signatures. After providing theoretical results related to the interpolation of group homomorphisms, we develop some interactive proofs in which the prover convinces a verifier of the interpolation (resp. non-interpolation) of some given points by a group homomorphism which he keeps secret. Based on these protocols, we devise our new undeniable signature scheme and prove its security in a formal way. We theoretically analyze the special class of group characters on Z*n. After studying algorithmic aspects of the homomorphism evaluation, we compare the efficiency of different homomorphisms and show that the Legendre symbol leads to the fastest signature generation. We investigate potential applications based on the specific properties of our signature scheme. Finally, in a topic closely related to undeniable signatures, we revisit the designated confirmer signature of Chaum and formally prove the security of a generalized version

Self-pairings on Hyperelliptic Curves

A self-pairing is a pairing computation where both inputs are the same group element. Self-pairings are used in some cryptographic schemes and protocols. In this paper, we show how to compute the Tate-Lichtenbaum pairing (D,\phi(D)) on a curve more efficiently than the general case. The speedup is obtained by requiring a simpler final exponentiation. We also discuss how to use this pairing in cryptographic applications

Pairing-based public-key encryption schemes with backward-and-forward security

Identity-based cryptosystems utilize some arbitrary strings as the participants' public key in the underlying system. The encryptioner will not need to obtain the decryptioner's certificate. That will simplify the certificate management. Therefore, it is still interesting to propose some new identity-based encryption schemes. In this paper we will propose two new different constructions, i.e. receiptor-oriented encryption schemes. They are both identity-based encryption schemes and also based on pairings. The proposed encryption schemes have a new advantage, i.e. backward-and-forward security. In addition, we provide the security analysis for the proposed schemes

Further discussions on the security of a nominative signature scheme

A nominative signature scheme allows a nominator (or signer) and a nominee (or veri¯er) to jointly generate and publish a signature in such a way that only the nominee can verify the signature and if nec- essary, only the nominee can prove to a third party that the signature is valid. In a recent work, Huang and Wang proposed a new nominative signature scheme which, in addition to the above properties, only allows the nominee to convert a nominative signature to a publicly veri¯able one. In ACISP 2005, Susilo and Mu presented several algorithms and claimed that these algorithms can be used by the nominator to verify the validity of a published nominative signature, show to a third party that the signature is valid, and also convert the signature to a publicly veri¯able one, all without any help from the nominee. In this paper, we point out that Susilo and Mu\u27s attacks are actually incomplete and in- accurate. In particular, we show that there exists no e±cient algorithm for a nominator to check the validity of a signature if this signature is generated by the nominator and the nominee honestly and the Decisional Di±e-Hellman Problem is hard. On the other hand, we point out that the Huang-Wang scheme is indeed insecure, since there is an attack that allows the nominator to generate valid nominative signatures alone and prove the validity of such signatures to a third party

Self-pairings on supersingular elliptic curves with embedding degree threethree

Self-pairings are a special subclass of pairings and have interesting applications in cryptographic schemes and protocols. In this paper, we explore the computation of the self-pairings on supersingular elliptic curves with embedding degree $k = 3$. We construct a novel self-pairing which has the same Miller loop as the Eta/Ate pairing. However, the proposed self-pairing has a simple final exponentiation. Our results suggest that the proposed self-pairings are more efficient than the other ones on the corresponding curves. We compare the efficiency of self-pairing computations on different curves over large characteristic and estimate that the proposed self-pairings on curves with $k=3$ require $44\%$ less field multiplications than the fastest ones on curves with $k=2$ at AES 80-bit security level

The Computational Square-Root Exponent Problem- Revisited

In this paper, we revisit the Computational Square-Root Exponent Problem (CSREP), and give a more generic condition such that CSREP is polynomial-time equivalent to the Computational Diffie-Hellman Problem (CDHP) in the group with prime order. The results obtained in this paper contain Zhang \textit{et al.}\u27s results at IWCC2011. We also analyze the existence of such condition. Although primes satisfying such condition are rare (compare to all primes), it can be regarded as an evidence that CSREP may be equivalent to CDHP

Classification of Signature-only Signature Models

We introduce a set of criterions for classifying signature-only signature models. By the criterions, we classify signature models into 5 basic types and 69 general classes. Theoretically, 21140 kinds of signature models can be deduced by appropriately combining different general classes. The result comprises almost existing signature models. We also contribute a lot of new signature models. Moreover, we find the three signature models, i.e., group-nominee signature, multi-nominee signature and threshold-nominee signature, are of great importance in light of our classification