Shortening the Libert-Peters-Yung Revocable Group Signature Scheme by Using the Random Oracle Methodology

At EUROCRYPT 2012, Libert, Peters and Yung (LPY) proposed the first scalable revocable group signature (R-GS) scheme in the standard model which achieves constant signing/verification costs and other costs regarding signers are at most logarithmic in N, where N is the maximum number of group members. However, although the LPY R-GS scheme is asymptotically quite efficient, this scheme is not sufficiently efficient in practice. For example, the signature size of the LPY scheme is roughly 10 times larger than that of an RSA signature (for 160-bit security). In this paper, we propose a compact R-GS scheme secure in the random oracle model that is efficient not only in the asymptotic sense but also in practical parameter settings. We achieve the same efficiency as the LPY scheme in an asymptotic sense, and the signature size is nearly equal to that of an RSA signature (for 160-bit security). It is particularly worth noting that our R-GS scheme has the smallest signature size compared to those of previous R-GS schemes which enable constant signing/verification costs. Our technique, which we call parallel Boneh–Boyen–Shacham group signature technique, helps to construct an R-GS scheme without following the technique used in LPY, i.e., we directly apply the Naor–Naor–Lotspiech framework without using any identity-based encryption

Oblivious Accumulators

A cryptographic accumulator is a succinct set commitment scheme with efficient (non-)membership proofs that typically supports updates (additions and deletions) on the accumulated set. When elements are added to or deleted from the set, an update message is issued. The collection of all the update messages essentially leaks the underlying accumulated set which in certain applications is not desirable. In this work, we define oblivious accumulators, a set commitment with concise membership proofs that hides the elements and the set size from every entity: an outsider, a verifier or other element holders. We formalize this notion of privacy via two properties: element hiding and add-delete indistinguishability. We also define almost-oblivious accumulators, that only achieve a weaker notion of privacy called add-delete unlinkability. Such accumulators hide the elements but not the set size. We consider the trapdoorless, decentralized setting where different users can add and delete elements from the accumulator and compute membership proofs. We then give a generic construction of an oblivious accumulator based on key-value commitments (KVC). We also show a generic way to construct KVCs from an accumulator and a vector commitment scheme. Finally, we give lower bounds on the communication (size of update messages) required for oblivious accumulators and almost-oblivious accumulators

How to win the clonewars: efficient periodic n-times anonymous authentication

We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an e-token to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damg˚ard et al. [30], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damg˚ard et al. also only support one authentication per time period, while we support n. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse etokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.

暗号要素技術の一般的構成を介した高い安全性・高度な機能を備えた暗号要素技術の構成

Recent years have witnessed an active research on cryptographic primitives with complex functionality beyond simple encryption or authentication. A cryptographic primitive is required to be proposed together with a formal model of its usage and a rigorous proof of security under that model.This approach has suffered from the two drawbacks: (1) security models are defined in a very specific manner for each primitive, which situation causes the relationship between these security models not to be very clear, and (2) no comprehensive ways to confirm that a formal model of security really captures every possible scenarios in practice.This research relaxes these two drawbacks by the following approach: (1) By observing the fact that a cryptographic primitive A should be crucial for constructing another primitive B, we identify an easy-to-understand approach for constructing various cryptographic primitives.(2) Consider a situation in which there are closely related cryptographic primitives A and B, and the primitive A has no known security requirement that corresponds to some wellknown security requirement (b) for the latter primitive B.We argue that this situation suggests that this unknown security requirement for A can capture some practical attack. This enables us to detect unknown threats for various cryptographic primitives that have been missed bythe current security models.Following this approach, we identify an overlooked security threat for a cryptographic primitive called group signature. Furthermore, we apply the methodology (2) to the “revocable”group signature and obtain a new extension of public-key encryption which allows to restrict a plaintext that can be securely encrypted.通常の暗号化や認証にとどまらず, 複雑な機能を備えた暗号要素技術の提案が活発になっている. 暗号要素技術の安全性は利用形態に応じて, セキュリティ上の脅威をモデル化して安全性要件を定め, 新方式はそれぞれ安全性定義を満たすことの証明と共に提案される.既存研究では, 次の問題があった: (1) 要素技術ごとに個別に安全性の定義を与えているため, 理論的な体系化が不十分であった. (2) 安全性定義が実用上の脅威を完全に捉えきれているかの検証が難しかった.本研究は上記の問題を次の考え方で解決する. (1) ある要素技術(A) を構成するには別の要素技術(B) を部品として用いることが不可欠であることに注目し, 各要素技術の安全性要件の関連を整理・体系化して, 新方式を見通し良く構成可能とする. (2) 要素技術(B)で考慮されていた安全性要件(b) に対応する要素技術(A) の安全性要件が未定義なら, それを(A) の新たな安全性要件(a) として定式化する. これにより未知の脅威の検出が容易になる.グループ署名と非対話開示機能付き公開鍵暗号という2 つの要素技術について上記の考え方を適用して, グループ署名について未知の脅威を指摘する.また, 証明書失効機能と呼ばれる拡張機能を持つグループ署名に上記の考え方を適用して, 公開鍵暗号についての新たな拡張機能である, 暗号化できる平文を制限できる公開鍵暗号の効率的な構成法を明らかにする.電気通信大学201

Data auditing and security in cloud computing: issues, challenges and future directions

Cloud computing is one of the significant development that utilizes progressive computational power and upgrades data distribution and data storing facilities. With cloud information services, it is essential for information to be saved in the cloud and also distributed across numerous customers. Cloud information repository is involved with issues of information integrity, data security and information access by unapproved users. Hence, an autonomous reviewing and auditing facility is necessary to guarantee that the information is effectively accommodated and used in the cloud. In this paper, a comprehensive survey on the state-of-art techniques in data auditing and security are discussed. Challenging problems in information repository auditing and security are presented. Finally, directions for future research in data auditing and security have been discusse

Data Auditing and Security in Cloud Computing: Issues, Challenges and Future Directions

Cloud computing is one of the significant development that utilizes progressive computational power and upgrades data distribution and data storing facilities. With cloud information services, it is essential for information to be saved in the cloud and also distributed across numerous customers. Cloud information repository is involved with issues of information integrity, data security and information access by unapproved users. Hence, an autonomous reviewing and auditing facility is necessary to guarantee that the information is effectively accommodated and used in the cloud. In this paper, a comprehensive survey on the state-of-art techniques in data auditing and security are discussed. Challenging problems in information repository auditing and security are presented. Finally, directions for future research in data auditing and security have been discussed

Identity and identification in an information society: Augmenting formal systems of identification with technological artefacts

Information and Communication Technology (ICT) are transforming society’s information flows. These new interactive environments decouple agents, information and actions from their original contexts and this introduces challenges when evaluating trustworthiness and intelligently placing trust.This thesis develops methods that can extend institutional trust into digitally enhanced interactive settings. By applying privacy-preserving cryptographic protocols within a technical architecture, this thesis demonstrates how existing human systems of identification that support institutional trust can be augmented with ICT in ways that distribute trust, respect privacy and limit the potential for abuse. Importantly, identification systems are located within a sociologically informed framework of interaction where identity is more than a collection of static attributes.A synthesis of the evolution and systematisation of cryptographic knowledge is presented and this is juxtaposed against the ideas developed within the digital identity community. The credential mechanism, first conceptualised by David Chaum, has matured into a number of well specified mathematical protocols. This thesis focuses on CL-RSA and BBS+, which are both signature schemes with efficient protocols that can instantiate a credential mechanism with strong privacy-preserving properties.The processes of managing the identification of healthcare professionals as they navigate their careers within the Scottish Healthcare Ecosystem provide a concrete case study for this work. The proposed architecture mediates the exchange of verifiable, integrity-assured evidence that has been cryptographically signed by relevant healthcare institutions, but is stored, managed and presented by the healthcare professionals to whom the evidence pertains.An evaluation of the integrity-assured transaction data produced by this architecture demonstrates how it could be integrated into digitally augmented identification processes, increasing the assurance that can be placed in these processes. The technical architecture is shown to be practical through a series of experiments run under realistic production-like settings.This work demonstrates that designing decentralised, standards-based, privacy-preserving identification systems for trusted professionals within highly assured social contexts can distribute institutionalised trust to trustworthy individuals and empower these individuals to interface with society’s increasingly socio-technical systems

SoK: Privacy-Preserving Signatures

Modern security systems depend fundamentally on the ability of users to authenticate their communications to other parties in a network. Unfortunately, cryptographic authentication can substantially undermine the privacy of users. One possible solution to this problem is to use privacy-preserving cryptographic authentication. These protocols allow users to authenticate their communications without revealing their identity to the verifier. In the non-interactive setting, the most common protocols include blind, ring, and group signatures, each of which has been the subject of enormous research in the security and cryptography literature. These primitives are now being deployed at scale in major applications, including Intel\u27s SGX software attestation framework. The depth of the research literature and the prospect of large-scale deployment motivate us to systematize our understanding of the research in this area. This work provides an overview of these techniques, focusing on applications and efficiency

Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications

A chameleon-hash behaves likes a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC ’17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; Rather, the hashing party can decide if it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice

Design, modeling, and simulation of secure X.509 certificate revocation

TLS communication over the internet has risen rapidly in the last seven years (2015--2022), and there were over 156M active SSL certificates in 2022. The state-of-the-art Public Key Infrastructure (PKI), encompassing protocols, computational resources, and digital certificates, has evolved for 24 years to become the de-facto choice for encrypted communication over the Internet even on newer platforms such as mobile devices and Internet-of-Things (IoT) (despite being low powered with computational constraints). However, certificate revocation is one sub-protocol in TLS communication that fails to meet the rising scalability demands and remains open to exploitation. In this dissertation, the standard for X.509 revocation is systematically reviewed and critically evaluated to identify its limitations and assess their impact on internet security. Because of fragmented revocation information and limited scalability, even the latest version of the X.509 revocation standard is susceptible to Man-in-the-Middle (MiTM) attacks. Blockchain technology can provide a decentralized and peer-to-peer distributed ledger to enable a unified, tamper-proof platform for X.509 certificate authorities to collaborate securely in a trustless environment. To understand blockchain technology\u27s capabilities and limitations in distributing X.509 revocation information, different blockchain platforms are explored and compared in terms of scalability, degree of decentralization, and cost of operation. Moreover, the unification of the revocation lists leads to a massive expansion in the number of revoked certificates to query by a verifying client thus increasing the latency during revocation lookup. And, to minimize revocation-status lookup times, cryptographic constructions and approximate set-membership data structures are prototyped and analyzed. The key contributions of this dissertation are twofold: 1) the novel design of a secure and robust system for distributing X.509 certificate revocation information; and, 2) the prototype, experimentation, and optimization of cascading XOR filter, fuse filter, and cuckoo filter for quick lookup with zero false positives (and zero false negatives). The Secure Certificate Revocation as a Peer Service (SCRaaPS) is designed using the Lightweight Mining consensus algorithm-based Scrybe blockchain protocol to store and distribute certificate revocation lists. And, the cascading fuse filter (demonstrating the highest space efficiency and fastest build time) is applied to minimize the revocation lookup time with zero false positives