Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Spontaneous anonymous group cryptography and its applications.

Fung Kar-Yin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.Includes bibliographical references (leaves 72-81).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- Introduction --- p.1Chapter 1.1 --- Development of Cryptography --- p.1Chapter 1.2 --- Group Cryptography --- p.3Chapter 1.3 --- Spontaneous Anonymous Group Signature --- p.4Chapter 1.4 --- Blind Signature --- p.5Chapter 1.5 --- Blind SAG Signature --- p.6Chapter 1.6 --- Organization of This Thesis --- p.6Chapter 2 --- Background Study --- p.7Chapter 2.1 --- Six Primitives in Cryptography --- p.7Chapter 2.1.1 --- Symmetric Encryption --- p.8Chapter 2.1.2 --- Asymmetric Encryption --- p.8Chapter 2.1.3 --- Digital Signature --- p.9Chapter 2.1.4 --- Hash Function --- p.9Chapter 2.1.5 --- Digital Certificate --- p.10Chapter 2.1.6 --- Proof of Knowledge --- p.10Chapter 2.2 --- Euler Totient Function --- p.11Chapter 2.3 --- One-Way Function --- p.12Chapter 2.3.1 --- One-Way Trapdoor Function --- p.13Chapter 2.3.2 --- Discrete Logarithm Problem --- p.13Chapter 2.3.3 --- RSA Problem --- p.14Chapter 2.3.4 --- Integer Factorization Problem --- p.15Chapter 2.3.5 --- Quadratic Residuosity Problem --- p.15Chapter 2.3.6 --- Schnorr's ROS assumption --- p.16Chapter 2.4 --- Bilinear Pairing --- p.16Chapter 2.4.1 --- Weil Pairing --- p.18Chapter 2.4.2 --- Tate Pairing --- p.18Chapter 2.5 --- Gap Diffie-Hellman Group --- p.19Chapter 2.5.1 --- GDH --- p.19Chapter 2.5.2 --- Co-GDH --- p.20Chapter 2.6 --- Random Oracle Model --- p.21Chapter 2.6.1 --- Random Permutation --- p.23Chapter 2.6.2 --- Lunchtime Attack --- p.23Chapter 2.6.3 --- Back Patch --- p.23Chapter 2.6.4 --- Rewind Simulation --- p.24Chapter 2.7 --- Generic Group Model --- p.24Chapter 3 --- Digital and Threshold Signatures --- p.26Chapter 3.1 --- Introduction --- p.26Chapter 3.2 --- Notion of Attacks and Security in Signature --- p.28Chapter 3.2.1 --- Types of Signatures --- p.29Chapter 3.3 --- Threshold Signature --- p.31Chapter 3.4 --- Properties in Threshold Signatures --- p.31Chapter 4 --- Blind Signature --- p.33Chapter 4.1 --- Introduction --- p.33Chapter 4.1.1 --- Security Requirements --- p.35Chapter 4.2 --- Transferred Proof of Knowledge --- p.36Chapter 4.3 --- RSA Based Schemes --- p.37Chapter 4.3.1 --- Chaum's RSA Scheme --- p.37Chapter 4.3.2 --- Abe's RSA Scheme --- p.38Chapter 4.4 --- Discrete Logarithm Based Schemes --- p.39Chapter 4.4.1 --- Schnorr Blind Signature --- p.39Chapter 4.4.2 --- Okamoto-Schnorr Blind Signature --- p.40Chapter 4.5 --- Bilinear Mapping Based Schemes --- p.40Chapter 5 --- Spontaneous Anonymous Group Signature --- p.42Chapter 5.1 --- Introduction --- p.42Chapter 5.2 --- Cramer-Damgard-Schoemaker (CDS) SAG Signature --- p.44Chapter 5.2.1 --- (1´ةn)-CDS type SAG Signature --- p.44Chapter 5.2.2 --- "(t, n)-CDS type SAG Signature" --- p.45Chapter 5.3 --- Ring-type SAG Signature Schemes --- p.46Chapter 5.3.1 --- Rivest-Shamir-Tauman --- p.46Chapter 5.3.2 --- Abe's 1-out-of-n Ring Signature --- p.49Chapter 5.4 --- Discussions --- p.51Chapter 6 --- Blind SAG Signature --- p.53Chapter 6.1 --- Introduction --- p.53Chapter 6.2 --- Security Definitions --- p.54Chapter 6.2.1 --- Security Model --- p.55Chapter 6.3 --- "(1,n)-Ring Structured Blind SAG Signature" --- p.57Chapter 6.3.1 --- Signing Protocol --- p.58Chapter 6.3.2 --- Verification Algorithm --- p.58Chapter 6.4 --- CDS-type Blind SAG Signature --- p.59Chapter 6.4.1 --- "(l,n)-CDS-type" --- p.59Chapter 6.5 --- "(t,n)-CDS-type" --- p.60Chapter 6.5.1 --- Signing Protocol --- p.61Chapter 6.5.2 --- Verification Algorithm --- p.61Chapter 6.6 --- Security Analysis --- p.62Chapter 6.7 --- Applications to Credential System --- p.67Chapter 7 --- Conclusion --- p.69A --- p.71Bibliography --- p.8

Cryptographic protocols for privacy-aware and secure e-commerce

Aquesta tesi tracta sobre la investigació i el desenvolupament de tecnologies de millora de la privadesa per a proporcionar als consumidors de serveis de comerç electrònic el control sobre quanta informació privada volen compartir amb els proveïdors de serveis. Fem servir tecnologies existents, així com tecnologies desenvolupades durant aquesta tesi, per a protegir als usuaris de la recoleció excessiva de dades per part dels proveïdors de serveis en aplicacions específiques. En particular, fem servir un nou esquema de signatura digital amb llindar dinàmic i basat en la identitat per a implementar un mecanisme d'acreditació de la mida d'un grup d'usuaris, que només revela el nombre d'integrants del grup, per a implementar descomptes de grup. A continuació, fem servir una nova construcció basada en signatures cegues, proves de coneixement nul i tècniques de generalització per implementar un sistema de descomptes de fidelitat que protegeix la privadesa dels consumidors. Per últim, fem servir protocols de computació multipart per a implementar dos mecanismes d'autenticació implícita que no revelen informació privada de l'usuari al proveïdor de serveis.Esta tesis trata sobre la investigación y desarrollo de tecnologías de mejora de la privacidad para proporcionar a los consumidores de servicios de comercio electrónico el control sobre cuanta información privada quieren compartir con los proveedores de servicio. Utilizamos tecnologías existentes y desarrolladas en esta tesis para proteger a los usuarios de la recolección excesiva de datos por parte de los proveedores de servicio en aplicaciones especfíficas. En particular, utilizamos un nuevo esquema de firma digital basado en la identidad y con umbral dinámico para implementar un sistema de acreditación del tamaño de un grupo, que no desvela ninguna información de los miembros del grupo excepto el número de integrantes, para construir un sistema de descuentos de grupo. A continuación, utilizamos una nueva construcción basada en firmas ciegas, pruebas de conocimiento nulo y técnicas de generalización para implementar un sistema de descuentos de fidelidad que protege la privacidad de los consumidores. Por último, hacemos uso de protocolos de computación multiparte para implementar dos mecanismos de autenticación implícita que no revelan información privada del usuario al proveedor de servicios.This thesis is about the research and development of privacy enhancing techniques to empower consumers of electronic commerce services with the control on how much private information they want to share with the service providers. We make use of known and newly developed technologies to protect users against excessive data collection by service providers in specific applications. Namely, we use a novel identity-based dynamic threshold signature scheme and a novel key management scheme to implement a group size accreditation mechanism, that does not reveal anything about group members but the size of the group, to support group discounts. Next, we use a novel construction based on blind signatures, zero-knowledge proofs and generalization techniques to implement a privacy-preserving loyalty programs construction. Finally, we use multiparty computation protocols to implement implicit authentication mechanisms that do not disclose private information about the users to the service providers

Still Wrong Use of Pairings in Cryptography

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too ine cient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/e ciency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings

A Survey on Exotic Signatures for Post-Quantum Blockchain: Challenges & Research Directions

Blockchain technology provides efficient and secure solutions to various online activities by utilizing a wide range of cryptographic tools. In this paper, we survey the existing literature on post-quantum secure digital signatures that possess exotic advanced features and which are crucial cryptographic tools used in the blockchain ecosystem for (i) account management, (ii) consensus efficiency, (iii) empowering scriptless blockchain, and (iv) privacy. The exotic signatures that we particularly focus on in this work are the following: multi-/aggregate, threshold, adaptor, blind and ring signatures. Herein the term exotic refers to signatures with properties which are not just beyond the norm for signatures e.g. unforgeability, but also imbue new forms of functionalities. Our treatment of such exotic signatures includes discussions on existing challenges and future research directions in the post-quantum space. We hope that this article will help to foster further research to make post-quantum cryptography more accessible so that blockchain systems can be made ready in advance of the approaching quantum threats

Simple Schnorr Multi-Signatures with Applications to Bitcoin

We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called MuSig, provably secure in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging the protocol), which improves over the state-of-art scheme of Bellare and Neven (ACM-CCS 2006) and its variants by Bagherzandi et al. (ACM-CCS 2008) and Ma et al. (Des. Codes Cryptogr., 2010) in two respects: (i) it is simple and efficient, having the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation, which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single ``aggregated\u27\u27 public key which can be computed from the individual public keys of the signers. To the best of our knowledge, this is the first multi-signature scheme provably secure in the plain public-key model which allows key aggregation. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin

SoK: Privacy-Preserving Signatures

Modern security systems depend fundamentally on the ability of users to authenticate their communications to other parties in a network. Unfortunately, cryptographic authentication can substantially undermine the privacy of users. One possible solution to this problem is to use privacy-preserving cryptographic authentication. These protocols allow users to authenticate their communications without revealing their identity to the verifier. In the non-interactive setting, the most common protocols include blind, ring, and group signatures, each of which has been the subject of enormous research in the security and cryptography literature. These primitives are now being deployed at scale in major applications, including Intel\u27s SGX software attestation framework. The depth of the research literature and the prospect of large-scale deployment motivate us to systematize our understanding of the research in this area. This work provides an overview of these techniques, focusing on applications and efficiency

On the Efficiency and Security of Cryptographic Pairings

Pairing-based cryptography has been employed to obtain several advantageous cryptographic protocols. In particular, there exist several identity-based variants of common cryptographic schemes. The computation of a single pairing is a comparatively expensive operation, since it often requires many operations in the underlying elliptic curve. In this thesis, we explore the efficient computation of pairings. Computation of the Tate pairing is done in two steps. First, a Miller function is computed, followed by the final exponentiation. We discuss the state-of-the-art optimizations for Miller function computation under various conditions. We are able to shave off a fixed number of operations in the final exponentiation. We consider methods to effectively parallelize the computation of pairings in a multi-core setting and discover that the Weil pairing may provide some advantage under certain conditions. This work is extended to the 192-bit security level and some unlikely candidate curves for such a setting are discovered. Electronic Toll Pricing (ETP) aims to improve road tolling by collecting toll fares electronically and without the need to slow down vehicles. In most ETP schemes, drivers are charged periodically based on the locations, times, distances or durations travelled. Many ETP schemes are currently deployed and although these systems are efficient, they require a great deal of knowledge regarding driving habits in order to operate correctly. We present an ETP scheme where pairing-based BLS signatures play an important role. Finally, we discuss the security of pairings in the presence of an efficient algorithm to invert the pairing. We generalize previous results to the setting of asymmetric pairings as well as give a simplified proof in the symmetric setting

Advanced Cryptographic Techniques for Protecting Log Data

This thesis examines cryptographic techniques providing security for computer log files. It focuses on ensuring authenticity and integrity, i.e. the properties of having been created by a specific entity and being unmodified. Confidentiality, the property of being unknown to unauthorized entities, will be considered, too, but with less emphasis. Computer log files are recordings of actions performed and events encountered in computer systems. While the complexity of computer systems is steadily growing, it is increasingly difficult to predict how a given system will behave under certain conditions, or to retrospectively reconstruct and explain which events and conditions led to a specific behavior. Computer log files help to mitigate the problem of retracing a system’s behavior retrospectively by providing a (usually chronological) view of events and actions encountered in a system. Authenticity and integrity of computer log files are widely recognized security requirements, see e.g. [Latham, ed., "Department of Defense Trusted Computer System Evaluation Criteria", 1985, p. 10], [Kent and Souppaya, "Guide to Computer Security Log Management", NIST Special Publication 800-92, 2006, Section 2.3.2], [Guttman and Roback, "An Introduction to Computer Security: The NIST Handbook", superseded NIST Special Publication 800-12, 1995, Section 18.3.1], [Nieles et al., "An Introduction to Information Security" , NIST Special Publication 800-12, 2017, Section 9.3], [Common Criteria Editorial Board, ed., "Common Criteria for Information Technology Security Evaluation", Part 2, Section 8.6]. Two commonly cited ways to ensure integrity of log files are to store log data on so-called write-once-read-many-times (WORM) drives and to immediately print log records on a continuous-feed printer. This guarantees that log data cannot be retroactively modified by an attacker without physical access to the storage medium. However, such special-purpose hardware may not always be a viable option for the application at hand, for example because it may be too costly. In such cases, the integrity and authenticity of log records must be ensured via other means, e.g. with cryptographic techniques. Although these techniques cannot prevent the modification of log data, they can offer strong guarantees that modifications will be detectable, while being implementable in software. Furthermore, cryptography can be used to achieve public verifiability of log files, which may be needed in applications that have strong transparency requirements. Cryptographic techniques can even be used in addition to hardware solutions, providing protection against attackers who do have physical access to the logging hardware, such as insiders. Cryptographic schemes for protecting stored log data need to be resilient against attackers who obtain control over the computer storing the log data. If this computer operates in a standalone fashion, it is an absolute requirement for the cryptographic schemes to offer security even in the event of a key compromise. As this is impossible with standard cryptographic tools, cryptographic solutions for protecting log data typically make use of forward-secure schemes, guaranteeing that changes to log data recorded in the past can be detected. Such schemes use a sequence of authentication keys instead of a single one, where previous keys cannot be computed efficiently from latter ones. This thesis considers the following requirements for, and desirable features of, cryptographic logging schemes: 1) security, i.e. the ability to reliably detect violations of integrity and authenticity, including detection of log truncations, 2) efficiency regarding both computational and storage overhead, 3) robustness, i.e. the ability to verify unmodified log entries even if others have been illicitly changed, and 4) verifiability of excerpts, including checking an excerpt for omissions. The goals of this thesis are to devise new techniques for the construction of cryptographic schemes that provide security for computer log files, to give concrete constructions of such schemes, to develop new models that can accurately capture the security guarantees offered by the new schemes, as well as to examine the security of previously published schemes. This thesis demands that cryptographic schemes for securely storing log data must be able to detect if log entries have been deleted from a log file. A special case of deletion is log truncation, where a continuous subsequence of log records from the end of the log file is deleted. Obtaining truncation resistance, i.e. the ability to detect truncations, is one of the major difficulties when designing cryptographic logging schemes. This thesis alleviates this problem by introducing a novel technique to detect log truncations without the help of third parties or designated logging hardware. Moreover, this work presents new formal security notions capturing truncation resistance. The technique mentioned above is applied to obtain cryptographic logging schemes which can be shown to satisfy these notions under mild assumptions, making them the first schemes with formally proven truncation security. Furthermore, this thesis develops a cryptographic scheme for the protection of log files which can support the creation of excerpts. For this thesis, an excerpt is a (not necessarily contiguous) subsequence of records from a log file. Excerpts created with the scheme presented in this thesis can be publicly checked for integrity and authenticity (as explained above) as well as for completeness, i.e. the property that no relevant log entry has been omitted from the excerpt. Excerpts provide a natural way to preserve the confidentiality of information that is contained in a log file, but not of interest for a specific public analysis of the log file, enabling the owner of the log file to meet confidentiality and transparency requirements at the same time. The scheme demonstrates and exemplifies the technique for obtaining truncation security mentioned above. Since cryptographic techniques to safeguard log files usually require authenticating log entries individually, some researchers [Ma and Tsudik, "A New Approach to Secure Logging", LNCS 5094, 2008; Ma and Tsudik, "A New Approach to Secure Logging", ACM TOS 2009; Yavuz and Peng, "BAF: An Efficient Publicly Verifiable Secure Audit Logging Scheme for Distributed Systems", ACSAC 2009] have proposed using aggregatable signatures [Boneh et al., "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps", EUROCRYPT 2003] in order to reduce the overhead in storage space incurred by using such a cryptographic scheme. Aggregation of signatures refers to some “combination” of any number of signatures (for distinct or equal messages, by distinct or identical signers) into an “aggregate” signature. The size of the aggregate signature should be less than the total of the sizes of the orginal signatures, ideally the size of one of the original signatures. Using aggregation of signatures in applications that require storing or transmitting a large number of signatures (such as the storage of log records) can lead to significant reductions in the use of storage space and bandwidth. However, aggregating the signatures for all log records into a single signature will cause some fragility: The modification of a single log entry will render the aggregate signature invalid, preventing the cryptographic verification of any part of the log file. However, being able to distinguish manipulated log entries from non-manipulated ones may be of importance for after-the-fact investigations. This thesis addresses this issue by presenting a new technique providing a trade-off between storage overhead and robustness, i.e. the ability to tolerate some modifications to the log file while preserving the cryptographic verifiability of unmodified log entries. This robustness is achieved by the use of a special kind of aggregate signatures (called fault-tolerant aggregate signatures), which contain some redundancy. The construction makes use of combinatorial methods guaranteeing that if the number of errors is below a certain threshold, then there will be enough redundancy to identify and verify the non-modified log entries. Finally, this thesis presents a total of four attacks on three different schemes intended for securely storing log files presented in the literature [Yavuz et al., "Efficient, Compromise Resilient and Append-Only Cryptographic Schemes for Secure Audit Logging", Financial Cryptography 2012; Ma, "Practical Forward Secure Sequential Aggregate Signatures", ASIACCS 2008]. The attacks allow for virtually arbitrary log file forgeries or even recovery of the secret key used for authenticating the log file, which could then be used for mostly arbitrary log file forgeries, too. All of these attacks exploit weaknesses of the specific schemes. Three of the attacks presented here contradict the security properties of the schemes claimed and supposedly proven by the respective authors. This thesis briefly discusses these proofs and points out their flaws. The fourth attack presented here is outside of the security model considered by the scheme’s authors, but nonetheless presents a realistic threat. In summary, this thesis advances the scientific state-of-the-art with regard to providing security for computer log files in a number of ways: by introducing a new technique for obtaining security against log truncations, by providing the first scheme where excerpts from log files can be verified for completeness, by describing the first scheme that can achieve some notion of robustness while being able to aggregate log record signatures, and by analyzing the security of previously proposed schemes