Stronger security notions for decentralized traceable attribute-based signatures and more efficient constructions

We revisit the notion of Decentralized Traceable Attribute-Based Signatures (DTABS) introduced by El Kaafarani et al. (CT-RSA 2014) and improve the state-of-the-art in three dimensions: Firstly, we provide a new stronger security model which circumvents some shortcomings in existing models. Our model minimizes the trust placed in attribute authorities and hence provides, among other things, a stronger definition for non-frameability. In addition, our model captures the notion of tracing soundness which is important for many applications of the primitive. Secondly, we provide a generic construction that is secure w.r.t. our strong security model and show two example instantiations in the standard model which are more efficient than existing constructions (secure under weaker security definitions). Finally, we dispense with the need for the expensive zero-knowledge proofs required for proving tracing correctness by the tracing authority. As a result, tracing a signature in our constructions is significantly more efficient than existing constructions, both in terms of the size of the tracing proof and the computational cost required to generate and verify it. For instance, verifying tracing correctness in our constructions requires only 4 pairings compared to 34 pairings in the most efficient existing construction

Foundations of Fully Dynamic Group Signatures

Group signatures allow members of a group to anonymously sign on behalf of the group. Membership is administered by a designated group manager. The group manager can also reveal the identity of a signer if and when needed to enforce accountability and deter abuse. For group signatures to be applicable in practice, they need to support fully dynamic groups, i.e., users may join and leave at any time. Existing security definitions for fully dynamic group signatures are informal, have shortcomings, and are mutually incompatible. We fill the gap by providing a formal rigorous security model for fully dynamic group signatures. Our model is general and is not tailored toward a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. We consider both the case where the group management and tracing signatures are administered by the same authority, i.e., a single group manager, and also the case where those roles are administered by two separate authorities, i.e., a group manager and an opening authority. We also show that a specialization of our model captures existing models for static and partially dynamic schemes. In the process, we identify a subtle gap in the security achieved by group signatures using revocation lists. We show that in such schemes new members achieve a slightly weaker notion of traceability. The flexibility of our security model allows to capture such relaxation of traceability

Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease

In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016) - which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. Our design approach consists of upgrading Libert et al.'s static construction (EUROCRYPT 2016) - which is arguably the most efficient lattice-based group signature to date - into the fully dynamic setting. Somewhat surprisingly, our scheme produces slightly shorter signatures than the former, thanks to a new technique for proving inequality in zero-knowledge without relying on any inequality check. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message

Versatile ABS: Usage Limited, Revocable, Threshold Traceable, Authority Hiding, Decentralized Attribute Based Signatures

In this work, we revisit multi-authority attribute based signatures (MA-ABS), and elaborate on the limitations of the current MA-ABS schemes to provide a hard to achieve (yet very useful) combination of features, i.e., decentralization, periodic usage limitation, dynamic revocation of users and attributes, reliable threshold traceability, and authority hiding. In contrast to previous work, we disallow even the authorities to de-anonymize an ABS, and only allow joint tracing by threshold-many tracing authorities. Moreover, in our solution, the authorities cannot sign on behalf of users. In this context, first we define a useful and practical attribute based signature scheme (versatile ABS or VABS) along with the necessary operations and security games to accomplish our targeted functionalities. Second, we provide the first VABS scheme in a modular design such that any application can utilize a subset of the features endowed by our VABS, while omitting the computation and communication overhead of the features that are not needed. Third, we prove the security of our VABS scheme based on standard assumptions, i.e., Strong RSA, DDH, and SDDHI, in the random oracle model. Fourth, we implement our signature generation and verification algorithms, and show that they are practical (for a VABS with 20 attributes, Sign and Verify times are below 1.2 seconds, and the generated signature size is below 0.5 MB)

Cryptographic Enforcement of Attribute-based Authentication

Doktorgradsavhandling,This dissertation investigates on the cryptographic enforcement about attributebased authentication (ABA) schemes. ABA is an approach to authenticate users via attributes, which are properties of users to be authenticated, environment conditions such as time and locations. By using attributes in place of users’ identity information, ABA can provide anonymous authentication, or more specifically, ABA enables to keep users anonymous from their authenticators. In addition, the property of least information leakage provides better protection for users’ privacy compared with public key based authentication approaches. These properties make it possible to apply ABA schemes in privacy preserving scenarios, for instance, cloud-based applications. The most important security requirements of ABA schemes consist of anonymity, traceability, unforgeability, unlinkability and collision resistance. In this dissertation, we combine these security requirements with other properties such as hierarchy to divide ABA schemes into different categories, based on which we use examples to demonstrate how to construct these schemes cryptographically. The main contributions of this dissertation include the following aspects: We categorize ABA schemes into different types and describe their structures as well as workflows, such that readers can gain a big picture and a clear view of different ABA schemes and their relations. This categorization serves as a guideline how to design and construct ABA schemes. We provide two examples to demonstrate how to construct ciphertext-policy attribute-based authentication (CP-ABA) schemes via two different approaches. Different from key-policy attribute-based authentication (KP-ABA) schemes, attribute keys generated in CP-ABA schemes are comparatively independent of relations among attributes. Thus compared with KP-ABA, CP-ABA extends the flexibility and usage scope of ABA schemes. We extend the core ABA schemes to hierarchical ABA (HABA) schemes by adding the property of hierarchy. Then we propose two different types of hierarchical structures, i.e., user related hierarchical ABA (U-HABA) and attribute related hierarchical ABA (A-HABA). According to these two hierarchical structures, an example is provided for each type to show how to use cryptographic primitives to build HABA schemes. All ABA schemes discussed above and proposed in this dissertation can be implemented to assist users to achieve anonymous authentication from their authenticators. Therefore, these schemes can offer more opportunities to protect users’ privacy, for example, in attribute-based access control (ABAC) and cloud-based services

Anonymous Single-Sign-On for n designated services with traceability

Anonymous Single-Sign-On authentication schemes have been proposed to allow users to access a service protected by a verifier without revealing their identity which has become more important due to the introduction of strong privacy regulations. In this paper we describe a new approach whereby anonymous authentication to different verifiers is achieved via authorisation tags and pseudonyms. The particular innovation of our scheme is authentication can only occur between a user and its designated verifier for a service, and the verification cannot be performed by any other verifier. The benefit of this authentication approach is that it prevents information leakage of a user's service access information, even if the verifiers for these services collude which each other. Our scheme also supports a trusted third party who is authorised to de-anonymise the user and reveal her whole services access information if required. Furthermore, our scheme is lightweight because it does not rely on attribute or policy-based signature schemes to enable access to multiple services. The scheme's security model is given together with a security proof, an implementation and a performance evaluation.Comment: 3

Advances in Information Security and Privacy

With the recent pandemic emergency, many people are spending their days in smart working and have increased their use of digital resources for both work and entertainment. The result is that the amount of digital information handled online is dramatically increased, and we can observe a significant increase in the number of attacks, breaches, and hacks. This Special Issue aims to establish the state of the art in protecting information by mitigating information risks. This objective is reached by presenting both surveys on specific topics and original approaches and solutions to specific problems. In total, 16 papers have been published in this Special Issue

Privacy-preserving PKI design based on group signature

Nowadays, Internet becomes a part of our life. We can make use of numerous services with personal computer, Lap-top, tablet, smart phone or smart TV. These devices with network make us enjoy ubiquitous computing life. Sometimes, on-line services request us authentication or identification for access control and authorization, and PKI technology is widely used because of its security. However the possibility of privacy invasion will increase, if We’re identified with same certificate in many services and these identification data are accumulated. For privacy-preserving authentication or anonymous authentication, there have been many researches such as Group signatures, anonymous credentials, etc. Among these researches, group signatures are very practical Because they provide unlinkability and traceability as well as anonymity. In this paper, we propose a privacy-preserving PKI based on group signature, with which users’ privacy can be Kept in services. Because of traceability, their identities can be traced if they abuse anonymity such as cybercrime. Moreover, we will also discuss open issues for further studies