6 research outputs found

    Round Optimal Robust Distributed Key Generation

    Protocols for distributed key generation (DKG) in the discrete-logarithm setting have received a tremendous amount of attention in the past few years. Several synchronous DKG protocols have been proposed, but most such protocols are either not fully secure (in the sense of simulatability) or are not robust in that they allow even a single malicious party to prevent successful generation of a key. In this paper we explore the round complexity of (robust) DKG in the honest-majority setting where robust DKG is feasible. On the negative side, we show the impossibility of one-round (robust) DKG protocols regardless of any prior setup the parties have. On the positive side, we show various two-round---and hence, round-optimal---protocols for robust DKG offering tradeoffs in terms of their efficiency, necessary setup, and required assumptions.

    Attribute-Based Signatures

    We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained control over identifying information. In ABS, a signer, who possesses a set of attributes from the authority, can sign a message with a predicate that is satisfied by his attributes. The signature reveals no more than the fact that a single user with some set of attributes satisfying the predicate has attested to the message. In particular, the signature hides the attributes used to satisfy the predicate and any identifying information about the signer (that could link multiple signatures as being from the same signer). Furthermore, users cannot collude to pool their attributes together. We give a general framework for constructing ABS schemes, then show several practical instantiations based on groups with bilinear pairing operations, under standard assumptions. We describe several practical problems that motivated this work, and how ABS can be used to solve them.

    Security-Preserving Distributed Samplers: How to Generate any CRS in One Round without Random Oracles

    A distributed sampler is a way for several mutually distrusting parties to non-interactively generate a common reference string (CRS) that all parties trust. Previous work constructs distributed samplers in the random oracle model, or in the standard model with very limited security guarantees. This is no accident, as standard model distributed samplers with full security were shown impossible. In this work, we provide new definitions for distributed samplers which we show achieve meaningful security guarantees in the standard model. In particular, our notion implies that the hardness of a wide range of security games is preserved when the CRS is replaced with a distributed sampler. We also show how to realize our notion of distributed samplers. A core technical tool enabling our construction is a new notion of single-message zero knowledge.

    Identity-Based Zero-Knowledge

    Abstract. We introduce and define the notion of identity-based zero-knowledge, concentrating on the non-interactive setting. In this setting, our notion allows any prover to widely disseminate a proof of a statement while protecting the prover from plagiarism in the following sense: although proofs are transferable (i.e., publicly verifiable), they are also bound to the identity of the prover in a way which is recognizable to any verifier. Furthermore, an adversary is unable to change this identity (i.e., to claim the proof as his own, or to otherwise change the authorship), unless he could have proved the statement on his own. While we view the primary contribution of this work as a formal definition of the above notion, we also explore the relation of this notion to that of non-malleable (non-interactive) zero-knowledge. On the one hand, we show that these two notions are incomparable: that is, there are proof systems which are non-malleable but not identity-based, and vice versa. On the other hand, we show that a proof system of either type essentially implies a proof system of the other type.
    ⋆ Work done while this author was at Columbia University.
    ⋆⋆ Supported in part by a gift from Teradata and Intel equipment gran