11 research outputs found

    A Study on the Provable Security of Multi-Signatures (多人数署名の証明可能安全性に関する研究)

    University of Tsukuba, 201

    Attribute Based Multisignature Scheme for Wireless Communications


    Cryptographic Schemes based on Elliptic Curve Pairings

    This thesis introduces the concept of certificateless public key cryptography (CL-PKC). Elliptic curve pairings are then used to build concrete CL-PKC schemes and other efficient key agreement protocols. CL-PKC can be viewed as a model for the use of public key cryptography that is intermediate between traditional certificate-based PKC and ID-PKC: in contrast to traditional public key systems, CL-PKC does not require certificates to guarantee the authenticity of public keys, but it does rely on a trusted authority (TA) holding a master key. In this respect CL-PKC resembles identity-based public key cryptography (ID-PKC); on the other hand, CL-PKC does not suffer from the key escrow property inherent in ID-PKC. Applications for the new infrastructure are discussed. We show how CL-PKC schemes can be constructed by building several certificateless public key encryption schemes and by modifying other existing ID-based schemes. The lack of certificates, and the desire to prove the schemes secure against an adversary who has access to the master key or can replace public keys, require the careful development of new security models. We prove that some of our schemes are secure provided that the Bilinear Diffie-Hellman Problem is hard. We then examine Joux's protocol, a one-round tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol but is insecure: because its messages carry no authentication, it suffers from a simple man-in-the-middle attack. We show how to make Joux's protocol secure, presenting several tripartite authenticated key agreement protocols that still require only one round of communication. The security properties of the new protocols are studied, and applications for the protocols are discussed.

    Cryptography in privacy-preserving applications.

    Tsang Pak Kong. Thesis (M.Phil.)--Chinese University of Hong Kong, 2005. Includes bibliographical references (leaves 95-107). Abstracts in English and Chinese.

    Abstract
    Acknowledgement
    Chapter 1 Introduction
      1.1 Privacy
      1.2 Cryptography
        1.2.1 History of Cryptography
        1.2.2 Cryptography Today
        1.2.3 Cryptography For Privacy
      1.3 Thesis Organization
    Chapter 2 Background
      2.1 Notations
      2.2 Complexity Theory
        2.2.1 Order Notation
        2.2.2 Algorithms and Protocols
        2.2.3 Relations and Languages
      2.3 Algebra and Number Theory
        2.3.1 Groups
        2.3.2 Intractable Problems
      2.4 Cryptographic Primitives
        2.4.1 Public-Key Encryption
        2.4.2 Identification Protocols
        2.4.3 Digital Signatures
        2.4.4 Hash Functions
        2.4.5 Zero-Knowledge Proof of Knowledge
        2.4.6 Accumulators
        2.4.7 Public Key Infrastructure
      2.5 Zero Knowledge Proof of Knowledge Protocols in Groups of Unknown Order
        2.5.1 The Algebraic Setting
        2.5.2 Proving the Knowledge of Several Discrete Logarithms
        2.5.3 Proving the Knowledge of a Representation
        2.5.4 Proving the Knowledge of d Out of n Equalities of Discrete Logarithms
      2.6 Conclusion
    Chapter 3 Related Works
      3.1 Introduction
      3.2 Group-Oriented Signatures without Spontaneity and/or Anonymity
      3.3 SAG Signatures
      3.4 Conclusion
    Chapter 4 Linkable Ring Signatures
      4.1 Introduction
      4.2 New Notions
        4.2.1 Accusatory Linking
        4.2.2 Non-slanderability
        4.2.3 Linkability in Threshold Ring Signatures
        4.2.4 Event-Oriented Linking
      4.3 Security Model
        4.3.1 Syntax
        4.3.2 Notions of Security
      4.4 Conclusion
    Chapter 5 Short Linkable Ring Signatures
      5.1 Introduction
      5.2 The Construction
      5.3 Security Analysis
        5.3.1 Security Theorems
        5.3.2 Proofs
      5.4 Discussion
      5.5 Conclusion
    Chapter 6 Separable Linkable Threshold Ring Signatures
      6.1 Introduction
      6.2 The Construction
      6.3 Security Analysis
        6.3.1 Security Theorems
        6.3.2 Proofs
      6.4 Discussion
      6.5 Conclusion
    Chapter 7 Applications
      7.1 Offline Anonymous Electronic Cash
        7.1.1 Introduction
        7.1.2 Construction
      7.2 Electronic Voting
        7.2.1 Introduction
        7.2.2 Construction
        7.2.3 Discussions
      7.3 Anonymous Attestation
        7.3.1 Introduction
        7.3.2 Construction
      7.4 Conclusion
    Chapter 8 Conclusion
    A Paper Derivation
    Bibliography
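    The linkable ring signatures of Chapters 4 to 6 are the thesis's own constructions and are not reproduced here. The block below is an added example, not code from the thesis, showing the simpler LSAG scheme of Liu, Wei and Wong (2004) combined with the event-oriented linking notion the thesis names: the linking tag is h^x where h is hashed from an event label, so two signatures by the same ring member under the same event carry the same tag and are caught (a double vote), while signatures by that member under different events do not link. The group parameters (p = 10007, q = 5003, g = 4), the SHA-256-based hash functions and the ballot labels are toy values constructed for the demo and give no real security.

```python
import hashlib
import secrets

# Toy Schnorr group p = 2q + 1 (both prime); 14-bit values chosen so the
# numbers are readable. A real deployment uses a 2048-bit safe prime or an
# elliptic-curve group: these parameters give no security at all.
P = 10007
Q = 5003
G = 4  # 2^2 generates the order-q subgroup of quadratic residues mod p


def _h_scalar(*parts) -> int:
    """Challenge hash H1: arbitrary values -> Z_q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def _h_group(label: str) -> int:
    """H2: hash an event label into the order-q subgroup by squaring mod p."""
    d = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P
    h = pow(d, 2, P)
    return h if h > 1 else G  # skip the degenerate values 0 and 1


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(ring, x, msg, event):
    """LSAG signature on msg by the ring member with secret x.
    The linking tag h^x depends only on the signer and the event string."""
    n = len(ring)
    pi = ring.index(pow(G, x, P))
    h = _h_group(event)
    tag = pow(h, x, P)
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(Q - 1) + 1
    # Real commitment at the signer's index; the ring of challenges is
    # closed at the end by solving for s[pi].
    c[(pi + 1) % n] = _h_scalar(ring, tag, msg, pow(G, u, P), pow(h, u, P))
    for k in range(1, n):  # simulated steps for every other member
        i = (pi + k) % n
        s[i] = secrets.randbelow(Q)
        z1 = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        z2 = pow(h, s[i], P) * pow(tag, c[i], P) % P
        c[(i + 1) % n] = _h_scalar(ring, tag, msg, z1, z2)
    s[pi] = (u - x * c[pi]) % Q  # verifier then recomputes g^u and h^u
    return c[0], s, tag


def verify(ring, msg, event, sig) -> bool:
    c1, s, tag = sig
    if not (1 < tag < P and pow(tag, Q, P) == 1):
        return False  # tag must be a non-trivial element of the subgroup
    h = _h_group(event)
    c = c1
    for i, y in enumerate(ring):
        z1 = pow(G, s[i], P) * pow(y, c, P) % P
        z2 = pow(h, s[i], P) * pow(tag, c, P) % P
        c = _h_scalar(ring, tag, msg, z1, z2)
    return c == c1  # the chain of challenges must close


def linked(sig_a, sig_b) -> bool:
    """Two valid signatures link iff they carry the same tag, i.e. the same
    member signed twice under the same event."""
    return sig_a[2] == sig_b[2]


if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]
    ring = [y for _, y in keys]
    x1 = keys[1][0]
    s1 = sign(ring, x1, "yes", "ballot-2024")
    s2 = sign(ring, x1, "no", "ballot-2024")   # same signer, same event
    s3 = sign(ring, x1, "yes", "ballot-2025")  # same signer, other event
    print("valid:", verify(ring, "yes", "ballot-2024", s1))
    print("double vote detected:", linked(s1, s2))
    print("links across events:", linked(s1, s3))
```

    Two checks matter in practice and are easy to omit: the verifier must confirm the tag lies in the prime-order subgroup (otherwise a signer can pick a tag that never links), and the ring and event label must be hashed into every challenge, so that a signature cannot be replayed under another ring or event.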

    Advances in signatures, encryption, and E-Cash from bilinear groups

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006. Includes bibliographical references (p. 147-161). We present new formal definitions, algorithms, and motivating applications for three natural cryptographic constructions. Our constructions are based on a special type of algebraic group called bilinear groups. 1. Re-Signatures: We present the first public key signature scheme where a semi-trusted proxy, given special information, can translate Alice's signature on a message into Bob's signature on the same message. The special information, however, allows nothing else, i.e., the proxy cannot translate from Bob to Alice, nor can it sign on behalf of either Alice or Bob. We show that a path through a graph can be cheaply authenticated using this scheme, with applications to electronic passports. 2. Re-Encryption: We present the first public key cryptosystem where a semi-trusted proxy, given special information, can translate an encryption of a message under Alice's key into an encryption of the same message under Bob's key. Again, the special information allows nothing else, i.e., the proxy cannot translate from Bob to Alice, decrypt on behalf of either Alice or Bob, or learn anything else about the message. We apply this scheme to create a new mechanism for secure distributed storage. 3. Compact E-Cash with Tracing and Bounded-Anonymity: We present an offline e-cash system where 2^ℓ coins can be stored in O(ℓ + k) bits and withdrawn or spent in O(ℓ + k) time, where k is the security parameter. The best previously known schemes required at least one of these complexities to be O(2^ℓ · k). In our system, a user's transactions are anonymous and unlinkable unless she performs a forbidden action, such as double-spending a coin. Performing a forbidden action reveals the identity of the user, and optionally allows all of her past transactions to be traced. We provide solutions without using a trusted party. We argue why features of our system are likely to be crucial to the adoption of any e-cash system. By Susan Hohenberger. Ph.D.

    Democracy Enhancing Technologies: Toward deployable and incoercible E2E elections

    End-to-end verifiable election systems (E2E systems) provide a provably correct tally while maintaining the secrecy of each voter's ballot, even if the voter is complicit in demonstrating how they voted. Providing voter incoercibility is one of the main challenges of designing E2E systems, particularly in the case of internet voting. A second challenge is building deployable, human-voteable E2E systems that conform to election laws and conventions. This dissertation examines deployability, coercion-resistance, and their intersection in election systems. In the course of this study, we introduce three new election systems, (Scantegrity, Eperio, and Selections), report on two real-world elections using E2E systems (Punchscan and Scantegrity), and study incoercibility issues in one deployed system (Punchscan). In addition, we propose and study new practical primitives for random beacons, secret printing, and panic passwords. These are tools that can be used in an election to, respectively, generate publicly verifiable random numbers, distribute the printing of secrets between non-colluding printers, and to covertly signal duress during authentication. While developed to solve specific problems in deployable and incoercible E2E systems, these techniques may be of independent interest

    Scaling Distributed Ledgers and Privacy-Preserving Applications

    This thesis proposes techniques aiming to make blockchain technologies and smart contract platforms practical by improving their scalability, latency, and privacy. It starts by presenting the design and implementation of Chainspace, a distributed ledger that supports user-defined smart contracts and executes user-supplied transactions on their objects. The correct execution of smart contract transactions is publicly verifiable. Chainspace is scalable by sharding state; it is secure against subsets of nodes trying to compromise its integrity or availability properties through Byzantine Fault Tolerance (BFT). This thesis also introduces a family of replay attacks against sharded distributed ledgers targeting cross-shard consensus protocols; they allow an attacker with network access only to double-spend resources with minimal effort. We then build Byzcuit, a new cross-shard consensus protocol that is immune to those attacks and is tailored to run at the heart of Chainspace. Next, we propose FastPay, a high-integrity settlement system for pre-funded payments that can be used as a financial side-infrastructure for Chainspace to support low-latency retail payments. This settlement system is based on Byzantine Consistent Broadcast as its core primitive, forgoing the expense of full atomic commit channels (consensus). The resulting system has extremely low latency for both confirmation and payment finality. Finally, this thesis proposes Coconut, a selective disclosure credential scheme supporting distributed threshold issuance, public and private attributes, re-randomization, and multiple unlinkable selective attribute revelations. It ensures authenticity and availability even when a subset of the credential-issuing authorities is malicious or offline, and natively integrates with Chainspace to enable a number of scalable privacy-preserving applications.

    Mirror worlds, eclipse attacks and the security of Bitcoin and the RPKI

    While distributed databases offer great promise, their decentralized nature poses a number of security and privacy issues. In what ways can parties misbehave? If a database is truly distributed, can a malicious actor hide their misdeeds by presenting conflicting views of the database? Can we overcome such deceit and either prevent it by eliminating trust assumptions or detect such perfidy and hold the malicious party to account? We study these questions across two distributed databases: RPKI (Resource Public Key Infrastructure), which is used to authenticate the allocation and announcement of IP prefixes; and Bitcoin, a cryptocurrency that uses a permissionless database called a blockchain to track the transfer and ownership of bitcoins. The first part of this dissertation focuses on RPKI and the potential of RPKI authorities to misbehave. We consider the methods, motivations, and impact of this misbehavior and how an RPKI authority can present inconsistent views to hide it. After studying the problem we propose solutions to detect and identify such misbehavior. We then turn to Bitcoin. We look at ways an attacker can manipulate Bitcoin's peer-to-peer network to cause members of the network to have inconsistent views of Bitcoin's blockchain and subvert Bitcoin's core security guarantees. We then propose countermeasures to harden Bitcoin against such attacks. The final part of this dissertation discusses the problem of privacy in Bitcoin. Many of the protocols developed to address Bitcoin's privacy limitations introduce trusted parties. We instead design privacy-enhancing protocols that use an untrusted intermediary to mix, i.e. anonymize, bitcoin transactions via blind signatures. To do this we must invent a novel blind-signature fair-exchange protocol that runs on Bitcoin's blockchain. This dissertation favors a dirty-slate design process: we work to layer protections on existing protocols, and when we must make changes to the underlying protocol we carefully weigh compatibility and deployment considerations. This philosophy has resulted in some of the research described in this dissertation influencing the design of deployed protocols. In the case of Bitcoin our research is currently used to harden a network controlling approximately a trillion dollars.

    Provably Secure, Smart Contract-based Naming Services: Design, Implementation and Evaluation

    Naming services provide the necessary foundations for developing diverse and important applications, such as e-commerce and e-banking. Currently, these naming services are operated by centralized authorities, which have to be trusted for their correct operation. Unfortunately, centralization (of trust) incurs several downsides in terms of security, availability and fault tolerance, as illustrated by numerous security incidents throughout the years where such authorities have been compromised. Decentralization has been proposed as an alternative to deal with these issues. Nevertheless, decentralization raises other concerns, such as dealing with free-riding and Sybil attacks. In this thesis, we leverage the scalability, security, as well as the built-in incentive mechanism of blockchain systems and propose the design of a decentralized, smart contract-based naming service. More specifically, we are the first to fully formalize the naming service design problem in the Universal Composability (UC) framework and formally prove the security of our construction under the strong RSA assumption in the Random Oracle model and the existence of an ideal smart contract functionality. The main barrier in realizing a smart contract-based naming service is the size of the contract's state which, being its most expensive resource to access and modify, should be minimized for a construction to be viable. We resolve this issue by defining and using in our naming service a public-state cryptographic accumulator with constant size, a cryptographic tool which may be of independent interest in the context of blockchain protocols. This accumulator incurs constant-sized storage at the expense of computational complexity. To explore this tradeoff, we propose and implement a second construction, which preserves the security properties of the first and, as illustrated through our evaluation, is the only version with constant-sized state that can be deployed on the live chain of Ethereum, the most notable public smart contract platform at the time of this writing. We compare these two constructions with the simple approach of most prior works, e.g., the Ethereum Name Service, where all identity records are stored in the smart contract's state, to illustrate several shortcomings of Ethereum and its cost model. To address these issues, and others, we introduce an alternative paradigm for developing smart contract-based applications in which their state is of constant size and facilitates the verification of application data that are stored to and queried from an external, potentially unreliable, storage network. This approach is relevant for a wide range of applications, such as any key-value store. We illustrate the efficacy of our approach by presenting a case study where we adapt the most widely deployed standard for fungible tokens, i.e., the ERC20 token standard, to our paradigm. We address Ethereum's monotonically increasing state which, if left unchecked, will have a direct impact on Ethereum's security and, ultimately, its longevity. We introduce recurring fees that are proportional to the state of smart contracts and adjustable by the nodes (miners) that maintain the network. We propose a scheme where the cost of storage-related operations reflects the effort that miners have to expend to execute them. We show that under such a pricing scheme that encourages economy in the state consumed by smart contracts, the constructions presented in this work reduce the incurred transaction fees by up to an order of magnitude. We argue that these improvements are sensible for any smart contract platform that wishes to support user-developed distributed applications.
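    The constant-size public-state accumulator described above is the thesis's own construction and is not reproduced here. The block below is an added example, not code from the thesis, using the classic RSA accumulator (whose security also rests on the strong RSA assumption) to show what constant-size state means for a naming service: the on-chain state is a single group element, every (name, record) pair is mapped to a prime and folded into it, membership witnesses are computed off-chain by whoever holds the full record set, verification is one modular exponentiation, and a record update is a delete followed by an add, after which the other holders refresh their witnesses. The modulus (a product of two Mersenne primes, so its factorisation is public and the demo offers no security), the base 3, the hash-to-prime map and the ".eth" names and records are all constructed for the demo.

```python
import hashlib

# Toy RSA modulus from two known Mersenne primes so the demo runs offline. A
# real accumulator needs a modulus of unknown factorisation (trusted setup or
# RSA-UFO): whoever knows the factors can forge any witness.
N = (2**89 - 1) * (2**107 - 1)
G = 3  # accumulator base
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def element(name: str, record: str) -> int:
    """Map a (name, record) pair to a 64-bit prime: hash it, then walk to the
    next prime. Deterministic, so every party recomputes the same element."""
    digest = hashlib.sha256(f"{name}\0{record}".encode()).digest()
    x = int.from_bytes(digest[:8], "big") | 1
    while not is_prime(x):
        x += 2
    return x


class NameAccumulator:
    """On-chain state is the single value `acc`, however many names exist;
    the full (name, record) set lives off-chain with the users."""

    def __init__(self):
        self.acc = G

    def add(self, e: int) -> None:
        self.acc = pow(self.acc, e, N)

    def verify(self, e: int, witness: int) -> bool:
        return pow(witness, e, N) == self.acc  # one exponentiation on-chain

    def delete(self, e: int, witness: int) -> None:
        # acc == witness^e, so a valid witness *is* the accumulator without e.
        if not self.verify(e, witness):
            raise ValueError("witness does not prove membership")
        self.acc = witness


def witness_for(elements, e: int) -> int:
    """Off-chain: G raised to the product of every element except e."""
    w = G
    for other in elements:
        if other != e:
            w = pow(w, other, N)
    return w


def witness_after_delete(w: int, e_mine: int, e_deleted: int, new_acc: int) -> int:
    """Extended Euclid gives a*e_deleted + b*e_mine == 1 (distinct primes);
    then w^a * new_acc^b equals G^(all other elements), the refreshed witness.
    Negative exponents in pow() need Python >= 3.8."""
    x, y, a0, a1, b0, b1 = e_deleted, e_mine, 1, 0, 0, 1
    while y:
        q, x, y = x // y, y, x % y
        a0, a1, b0, b1 = a1, a0 - q * a1, b1, b0 - q * b1
    return pow(w, a0, N) * pow(new_acc, b0, N) % N


def demo() -> dict:
    acc = NameAccumulator()
    records = {"alice.eth": "0xA11CE", "bob.eth": "0xB0B", "carol.eth": "0xCA501"}
    elems = {n: element(n, r) for n, r in records.items()}
    for e in elems.values():
        acc.add(e)
    e_alice, e_bob = elems["alice.eth"], elems["bob.eth"]
    w_alice = witness_for(elems.values(), e_alice)
    w_bob = witness_for(elems.values(), e_bob)
    out = {"alice_ok": acc.verify(e_alice, w_alice),
           # a witness proves the (name, record) pair, not the name alone
           "wrong_record_rejected": not acc.verify(element("alice.eth", "0xEV1L"), w_alice),
           "state_bits": acc.acc.bit_length()}
    # Bob changes his record: delete the old element, add the new one. Alice
    # refreshes her witness for both steps (after an add it is just w^e_added).
    acc.delete(e_bob, w_bob)
    w_alice = witness_after_delete(w_alice, e_alice, e_bob, acc.acc)
    new_bob = element("bob.eth", "0xB0B2")
    acc.add(new_bob)
    w_alice = pow(w_alice, new_bob, N)
    out["alice_still_ok"] = acc.verify(e_alice, w_alice)
    out["old_bob_rejected"] = not acc.verify(e_bob, pow(w_bob, new_bob, N))
    out["state_bits_after"] = acc.acc.bit_length()
    return out
```

    The trade-off the abstract describes is visible in the code: the contract stores and checks only `acc`, but every holder must recompute a witness (a product of all other elements in the exponent) whenever the set changes, and the hash-to-prime step costs a primality search per record. Note also that whoever performs an update must publish enough for other holders to refresh their witnesses, otherwise their proofs silently stop verifying.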

    Mobile Ad-Hoc Networks

    Being infrastructure-less and without central administrative control, wireless ad-hoc networking is playing an increasingly important role in extending the coverage of traditional wireless infrastructure (cellular networks, wireless LAN, etc.). This book includes state-of-the-art techniques and solutions for wireless ad-hoc networks. It focuses on the following topics in ad-hoc networks: vehicular ad-hoc networks, security and caching, TCP in ad-hoc networks, and emerging applications. It aims to provide network engineers and researchers with design guidelines for large-scale wireless ad-hoc networks.