
    Adding Linkability to Ring Signatures with One-Time Signatures

    We propose a generic construction that adds linkability to any ring signature scheme by combining it with a one-time signature scheme. Our construction has both theoretical and practical interest. In theory, the construction gives a formal and cleaner description of how to build a linkable ring signature directly from a ring signature. In practice, the transformation incurs only a tiny overhead in size and running time. By instantiating our construction with the ring signature scheme of ACNS 2019 and the one-time signature scheme of TCHES 2018, we obtain a lattice-based linkable ring signature scheme whose signature size is logarithmic in the number of ring members. This scheme is practical, and the signature size in particular is very short: for 2^{30} ring members and 100-bit security, our signature size is only 4 MB. In addition, when proving linkability we develop a new proof technique in the random oracle model, which might be of independent interest.

    Group Signature with relaxed-privacy and revocability for VANET

    This paper adapts a new group signature (GS) scheme to the specific needs of a particular application, e.g., a vehicular ad hoc network (VANET). The Groth GS is the first efficient GS scheme in the BSZ model with security proofs in the standard model. We modify the Groth GS in order to meet a restricted, but arguably sufficient, set of privacy properties. Although there are some authentication schemes using GSs, none of them satisfies all the desirable security and privacy properties: either they follow GSs that rely on the random oracle model, or they are unable to satisfy potential application requirements. In particular, we need link management, which allows designated entities to link messages, whether they come from the same member or from a certain group of members, without revealing their identities; opening soundness, which prevents malicious accusations by the opener against an honest member of the group; and a revocation system that revokes the privileges of a fraudulent member, as in a traditional public key infrastructure (PKI). In order to achieve the aforementioned security properties together, we propose a new GS model where linkability, sound opening and revocability are assembled in a single scheme. The novelty of our proposal stems from extending the Groth GS by relaxing its strong privacy properties to a scheme with slightly weaker privacy in order to fit the requirements of an existing VANET application. In addition, we partially minimize the Groth GS scheme to improve efficiency.

    Division of Regulatory Power: Collaborative Regulation for Privacy-Preserving Blockchains

    Decentralized anonymous payment schemes may be exploited for illicit activities, such as money laundering, bribery and blackmail. To address this issue, several regulation-friendly decentralized anonymous payment schemes have been proposed. However, most of these solutions place no restrictions on the regulator's authority, which could potentially result in abuse of power and privacy breaches. In this paper, we present a decentralized anonymous payment scheme with collaborative regulation (DAPCR). Unlike existing solutions, DAPCR reduces the risk of abuse of power by distributing regulatory authority to two entities, the Filter and the Supervisor, neither of which can decode transactions to access transaction privacy without the assistance of the other. Our scheme enjoys three major advantages over others: ① Universality, achieved by using zk-SNARKs to extend privacy-preserving transactions with regulation. ② Collaborative regulation, attained by adding a ring signature with controllable linkability to the transaction. ③ Efficient aggregation of payment amounts, achieved through amount tags. As the key technology for realizing collaborative regulation in DAPCR, we propose the ring signature with controllable linkability (CLRS), in which a user must specify a linker and an opener to generate a signature. The linker can extract pseudonyms from signatures and, based on these pseudonyms, link signatures submitted by the same signer without learning the signer's identity. The opener can recover the signer's identity from a given pseudonym. The experimental results reflect the efficiency of DAPCR. The time overhead for transaction generation is 1231.2 ms, an increase of less than 50% compared to ZETH. Additionally, the time overhead for transaction verification is only 1.2 ms.

    Road-to-Vehicle Communications with Time-Dependent Anonymity: A Light Weight Construction and its Experimental Results

    This paper describes techniques that enable vehicles to collect local information (such as road conditions and traffic information) and report it via road-to-vehicle communications. To exclude malicious data, the collected information is signed by each vehicle. In this communications system, the location privacy of vehicles must be maintained. At the same time, however, linkable information (such as travel routes) is also important. That is, no such linkable information can be collected when full anonymity is guaranteed using cryptographic tools such as group signatures. Conversely, continuous linkability (via pseudonyms, for example) may also cause problems from the viewpoint of privacy. In this paper, we propose a road-to-vehicle communication system with relaxed anonymity via group signatures with time-token dependent linking (GS-TDL). Briefly, a vehicle is unlinkable unless it generates multiple signatures in the same time period. We provide experimental results (using the RELIC library on a cheap, computationally constrained device, the Raspberry Pi) and simulate our system using a traffic simulator (PTV), a radio wave propagation analysis tool (RapLab) and a network simulator (QualNet). Although a similar time-token dependent linking functionality was proposed by Wu, Domingo-Ferrer and González-Nicolás (IEEE T. Vehicular Technology 2010), we show an attack against that scheme in which anyone can forge a valid group signature without a secret key. In contrast, our GS-TDL scheme is provably secure. In addition to the time-dependent linking property, our GS-TDL scheme supports verifier-local revocation (VLR), where a signer (vehicle) is not involved in the revocation procedure. It is particularly worth noting that no secret key or certificate of a signer (vehicle) ever needs to be updated, whereas the security credential management system (SCMS) must update certificates frequently to protect vehicle privacy. Moreover, our technique achieves constant signing and verification costs by using the linkable part of signatures, which might be of independent interest.

    DualDory: Logarithmic-Verifier Linkable Ring Signatures through Preprocessing

    A linkable ring signature allows a user to sign anonymously on behalf of a group while ensuring that multiple signatures from the same user are detected. Applications such as privacy-preserving e-voting and e-cash can leverage linkable ring signatures to significantly improve their privacy and anonymity guarantees. To scale to systems involving large numbers of users, short signatures with fast verification are a must. Concretely efficient ring signatures currently rely on either a trusted authority maintaining a master secret or an accumulator-based approach that requires a trusted setup. In this work, we construct the first linkable ring signature with both logarithmic signature size and logarithmic verification time that does not require any trusted mechanism. Our scheme, which relies on discrete-log-type assumptions and bilinear maps, improves upon a recent concise ring signature called DualRing by integrating improved preprocessing arguments to reduce the verification time from linear to logarithmic in the size of the ring. Our ring signature allows signatures to be linked based on the message signed, ranging from linking signatures on any message to linking only signatures on the same message. We provide benchmarks for our scheme and prove its security under standard assumptions. The proposed linkable ring signature is particularly relevant to use cases that require privacy-preserving enforcement of threshold policies in a fully decentralized context, and to e-voting.

    Enhancing The Anonymity Of Electronic Transactions

    Many different types of online payment have been developed over the past decades. Through these systems, transactions can be carried out more efficiently than traditional transactions. In addition, transactions are completed without requiring the use of physical money. Nevertheless, all online payment systems necessarily rely on a central entity, which is able to link a transaction to the users participating in it. Since 2009, a new and innovative kind of online payment has been designed, known as cryptocurrency. This model allows customers to transact with other users without requiring the presence or use of a central entity. Unlike earlier systems, transactions in cryptocurrencies are signed using cryptographic techniques and confirmed by the other participants in the network. Because transactions are confirmed by the users of the network and not by a central entity, every transaction is stored in a public ledger, to which all users that are part of the network have access. In order for cryptocurrencies to offer some form of anonymity, the relevant protocols have been designed so that users are represented by pseudonyms. However, this technique only guarantees that a user who initiates a transaction cannot lose their anonymity to an attacker who observes only that transaction. At a theoretical level, since all transactions are stored in the public ledger, attackers can breach users' anonymity by exploiting the other information the network provides them. This thesis analyzes in depth ways to strengthen the anonymity of users in cryptocurrency networks, so that attackers cannot link transactions to users. The main technique we examine is mixing services.

    Many kinds of online payment systems have been invented during the last decades that allow transactions to be carried out more efficiently than traditional purchases. Also, online payments do not require physical money. Nevertheless, all such systems rely on a central authority that has the ability to link transactions back to payees and payers. Since 2009, a new type of independent online monetary system known as cryptocurrency has emerged, permitting clients and recipients to create transactions that are not controlled by a central entity. Such transactions are cryptographically signed transfers of money from client to recipient, confirmed by other peers in a global payment network. Because confirmation is provided by peers in the network rather than by a central entity, every transaction has to be recorded on a public ledger. This ledger is accessible to every peer in the network. To offer some form of anonymity to users in the network, cryptocurrencies like Bitcoin and Ethereum have designed their protocols to be pseudonymous. However, this technique only guarantees that a user who generates a transaction cannot be deanonymized if the attacker observes only that one transaction. From a theoretical point of view, since all transactions are visible to peers, attackers can expose the real identities of peers by utilizing other information revealed by the network. In this thesis we perform an in-depth analysis of ways to enhance anonymity in cryptocurrencies and make the de-anonymization of the peers participating in the corresponding network impossible, or at least very hard. The main way to achieve this is through mixing services.

    Constant-size dynamic k-times anonymous authentication

    Dynamic k-times anonymous authentication (k-TAA) schemes allow members of a group to be authenticated anonymously by application providers a bounded number of times, where application providers can independently and dynamically grant or revoke access rights to members of their own group. In this paper, we construct a dynamic k-TAA scheme with space and time complexities of O(log(k)), and a variant in which the authentication protocol requires only constant time and space at the cost of an O(k)-sized public key. We also describe some tradeoffs between different system characteristics. We detail all the zero-knowledge proof-of-knowledge protocols involved and show that our construction is secure in the random oracle model under the q-strong Diffie-Hellman assumption and the q-decisional Diffie-Hellman inversion assumption. We provide a proof-of-concept implementation, measure its performance, and show that our scheme is practical.

    Linking-Based Revocation for Group Signatures: A Pragmatic Approach for Efficient Revocation Checks

    Group signature schemes (GSSs) represent an important privacy-enhancing technology. However, their practical applicability is restricted by the inefficiency of existing membership revocation mechanisms, which often place too large a computational burden and communication overhead on the involved parties. Moreover, it seems that the general belief (or unwritten law) of avoiding online authorities by all means artificially and unnecessarily restricts the efficiency and practicality of revocation mechanisms in GSSs. While a mindset of preventing online authorities might have been appropriate more than 10 years ago, today the availability of highly reliable cloud computing infrastructures could be used to solve open challenges. More specifically, in order to overcome the inefficiencies of existing revocation mechanisms, we propose an alternative approach, denoted linking-based revocation (LBR), which is based on the concept of controllable linkability. The novelty of LBR is its transparency for signers and verifiers, who are spared additional computations as well as updates. We therefore introduce dedicated revocation authorities (RAs) that can be contacted for efficient (constant-time) revocation checks. In order to protect these RAs and to reduce the trust placed in the involved online authorities, we additionally introduce distributed controllable linkability. Using the latter, RAs cooperate with multiple authorities to compute the required linking information, thus reducing the required trust. Besides efficiency, an appealing benefit of LBR is its generic applicability to pairing-based GSSs secure in the BSZ model as well as to GSSs with controllable linkability. This includes the XSGS scheme and the GSSs proposed by Hwang et al., one of which has been standardized in the recent ISO 20008-2 standard.

    MixCT: Mixing Confidential Transactions from Homomorphic Commitment

    Mixing protocols are a promising solution to unlinkability in blockchains. They work by hiding one transaction among a set of transactions and enjoy the advantage of high compatibility with the underlying system. However, due to the inherently public nature of blockchains built on the account-based model, this unlinkability is largely restricted to non-confidential transactions. In the account-based model, blockchains supporting confidential payments need to trade compatibility for unlinkability. In this paper, we propose MixCT, a generic protocol that provides a mixing service for confidential payment systems built from homomorphic commitments in the account-based model. We formally define the security goals, including safety and availability, and prove that our generic construction satisfies them. Furthermore, we provide an efficient instantiation of MixCT using the Pedersen commitment and a one-out-of-many proof. The evaluation results show that MixCT introduces a small cost for its users while remaining highly compatible with the underlying confidential blockchain.

    Anonymous and Publicly Linkable Reputation Systems

    We consider reputation systems in which users are allowed to rate products that they previously purchased. To obtain trustworthy reputations, they are allowed to rate each product only once. As long as they do so, the users stay anonymous. Anyone is able to detect users deviating from the rate-each-product-only-once policy, and the anonymity of such dishonest users can be revoked by a system manager. In this paper we present formal models for such reputation systems and their security. Based on group signatures, we design an efficient reputation system that meets all our requirements.