Panini -- Anonymous Anycast and an Instantiation

Anycast messaging (i.e., sending a message to an unspecified receiver) has long been neglected by the anonymous communication community. An anonymous anycast prevents senders from learning who the receiver of their message is, allowing for greater privacy in areas such as political activism and whistleblowing. While there have been some protocol ideas proposed, formal treatment of the problem is absent. Formal definitions of what constitutes anonymous anycast and privacy in this context are however a requirement for constructing protocols with provable guarantees. In this work, we define the anycast functionality and use a game-based approach to formalize its privacy and security goals. We further propose Panini, the first anonymous anycast protocol that only requires readily available infrastructure. We show that Panini allows the actual receiver of the anycast message to remain anonymous, even in the presence of an honest but curious sender. In an empirical evaluation, we find that Panini adds only minimal overhead over regular unicast: Sending a message anonymously to one of eight possible receivers results in an end-to-end latency of 0.76s

Non-conventional digital signatures and their implementations – A review

The final publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-19713-5_36The current technological scenario determines a profileration of trust domains, which are usually defined by validating the digital identity linked to each user. This validation entails critical assumptions about the way users’ privacy is handled, and this calls for new methods to construct and treat digital identities. Considering cryptography, identity management has been constructed and managed through conventional digital signatures. Nowadays, new types of digital signatures are required, and this transition should be guided by rigorous evaluation of the theoretical basis, but also by the selection of properly verified software means. This latter point is the core of this paper. We analyse the main non-conventional digital signatures that could endorse an adequate tradeoff betweeen security and privacy. This discussion is focused on practical software solutions that are already implemented and available online. The goal is to help security system designers to discern identity management functionalities through standard cryptographic software libraries.This work was supported by Comunidad de Madrid (Spain) under the project S2013/ICE-3095-CM (CIBERDINE) and the Spanish Government project TIN2010-19607

Cryptography in privacy-preserving applications.

Tsang Pak Kong.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 95-107).Abstracts in English and Chinese.Abstract --- p.iiAcknowledgement --- p.ivChapter 1 --- Introduction --- p.1Chapter 1.1 --- Privacy --- p.1Chapter 1.2 --- Cryptography --- p.5Chapter 1.2.1 --- History of Cryptography --- p.5Chapter 1.2.2 --- Cryptography Today --- p.6Chapter 1.2.3 --- Cryptography For Privacy --- p.7Chapter 1.3 --- Thesis Organization --- p.8Chapter 2 --- Background --- p.10Chapter 2.1 --- Notations --- p.10Chapter 2.2 --- Complexity Theory --- p.11Chapter 2.2.1 --- Order Notation --- p.11Chapter 2.2.2 --- Algorithms and Protocols --- p.11Chapter 2.2.3 --- Relations and Languages --- p.13Chapter 2.3 --- Algebra and Number Theory --- p.14Chapter 2.3.1 --- Groups --- p.14Chapter 2.3.2 --- Intractable Problems --- p.16Chapter 2.4 --- Cryptographic Primitives --- p.18Chapter 2.4.1 --- Public-Key Encryption --- p.18Chapter 2.4.2 --- Identification Protocols --- p.21Chapter 2.4.3 --- Digital Signatures --- p.22Chapter 2.4.4 --- Hash Functions --- p.24Chapter 2.4.5 --- Zero-Knowledge Proof of Knowledge --- p.26Chapter 2.4.6 --- Accumulators --- p.32Chapter 2.4.7 --- Public Key Infrastructure --- p.34Chapter 2.5 --- Zero Knowledge Proof of Knowledge Protocols in Groups of Unknown Order --- p.36Chapter 2.5.1 --- The Algebraic Setting --- p.36Chapter 2.5.2 --- Proving the Knowledge of Several Discrete Logarithms . --- p.37Chapter 2.5.3 --- Proving the Knowledge of a Representation --- p.38Chapter 2.5.4 --- Proving the Knowledge of d Out of n Equalities of Discrete Logarithms --- p.39Chapter 2.6 --- Conclusion --- p.42Chapter 3 --- Related Works --- p.43Chapter 3.1 --- Introduction --- p.43Chapter 3.2 --- Group-Oriented Signatures without Spontaneity and/or Anonymity --- p.44Chapter 3.3 --- SAG Signatures --- p.46Chapter 3.4 --- Conclusion --- p.49Chapter 4 --- Linkable Ring Signatures --- p.50Chapter 4.1 --- Introduction --- p.50Chapter 4.2 --- New Notions --- p.52Chapter 4.2.1 --- Accusatory Linking --- p.52Chapter 4.2.2 --- Non-slanderability --- p.53Chapter 4.2.3 --- Linkability in Threshold Ring Signatures --- p.54Chapter 4.2.4 --- Event-Oriented Linking --- p.55Chapter 4.3 --- Security Model --- p.56Chapter 4.3.1 --- Syntax --- p.56Chapter 4.3.2 --- Notions of Security --- p.58Chapter 4.4 --- Conclusion --- p.63Chapter 5 --- Short Linkable Ring Signatures --- p.64Chapter 5.1 --- Introduction --- p.64Chapter 5.2 --- The Construction --- p.65Chapter 5.3 --- Security Analysis --- p.68Chapter 5.3.1 --- Security Theorems --- p.68Chapter 5.3.2 --- Proofs --- p.68Chapter 5.4 --- Discussion --- p.70Chapter 5.5 --- Conclusion --- p.71Chapter 6 --- Separable Linkable Threshold Ring Signatures --- p.72Chapter 6.1 --- Introduction --- p.72Chapter 6.2 --- The Construction --- p.74Chapter 6.3 --- Security Analysis --- p.76Chapter 6.3.1 --- Security Theorems --- p.76Chapter 6.3.2 --- Proofs --- p.77Chapter 6.4 --- Discussion --- p.79Chapter 6.5 --- Conclusion --- p.80Chapter 7 --- Applications --- p.82Chapter 7.1 --- Offline Anonymous Electronic Cash --- p.83Chapter 7.1.1 --- Introduction --- p.83Chapter 7.1.2 --- Construction --- p.84Chapter 7.2 --- Electronic Voting --- p.85Chapter 7.2.1 --- Introduction --- p.85Chapter 7.2.2 --- Construction . --- p.87Chapter 7.2.3 --- Discussions --- p.88Chapter 7.3 --- Anonymous Attestation --- p.89Chapter 7.3.1 --- Introduction --- p.89Chapter 7.3.2 --- Construction --- p.90Chapter 7.4 --- Conclusion --- p.91Chapter 8 --- Conclusion --- p.92A Paper Derivation --- p.94Bibliography --- p.9

Two results on spontaneous anonymous group signatures.

Chan Kwok Leong.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 72-78).Abstracts in English and Chinese.Chapter 1 --- Introduction --- p.1Chapter 2 --- Preliminaries --- p.4Chapter 2.1 --- Notation --- p.4Chapter 2.2 --- Cryptographic Primitives --- p.5Chapter 2.2.1 --- Symmetric Key Cryptography --- p.5Chapter 2.2.2 --- Asymmetric Key Cryptosystem --- p.6Chapter 2.2.3 --- Secure Hash Function --- p.7Chapter 2.2.4 --- Digital Signature --- p.8Chapter 2.2.5 --- Digital Certificate and Public Key Infrastructure --- p.8Chapter 2.3 --- Provable Security and Security Model --- p.9Chapter 2.3.1 --- Mathematics Background --- p.9Chapter 2.3.2 --- One-Way Function --- p.10Chapter 2.3.3 --- Candidate One-way Functions --- p.12Chapter 2.4 --- Proof Systems --- p.15Chapter 2.4.1 --- Zero-knowledge Protocol --- p.15Chapter 2.4.2 --- Proof-of-Knowledge Protocol --- p.17Chapter 2.4.3 --- Honest-Verifier Zero-Knowledge (HVZK) Proof of Knowl- edge Protocols (PoKs) --- p.18Chapter 2.5 --- Security Model --- p.19Chapter 2.5.1 --- Random Oracle Model --- p.19Chapter 2.5.2 --- Generic group model (GGM) --- p.20Chapter 3 --- Signature Scheme --- p.21Chapter 3.1 --- Introduction --- p.21Chapter 3.2 --- Security Notation for Digital Signature --- p.23Chapter 3.3 --- Security Proof for Digital Signature --- p.24Chapter 3.3.1 --- Random Oracle Model for Signature Scheme --- p.24Chapter 3.3.2 --- Adaptive Chosen Message Attack --- p.24Chapter 3.4 --- Schnorr Identification and Schnorr Signature --- p.25Chapter 3.4.1 --- Schnorr's ROS assumption --- p.26Chapter 3.5 --- Blind Signature --- p.27Chapter 4 --- Spontaneous Anonymous Group (SAG) Signature --- p.30Chapter 4.1 --- Introduction --- p.30Chapter 4.2 --- Background --- p.30Chapter 4.2.1 --- Group Signature --- p.30Chapter 4.2.2 --- Threshold Signature --- p.31Chapter 4.3 --- SAG signatures --- p.33Chapter 4.4 --- Formal Definitions and Constructions --- p.35Chapter 4.4.1 --- Ring-type construction --- p.36Chapter 4.4.2 --- CDS-type construction --- p.36Chapter 4.5 --- Discussion --- p.37Chapter 5 --- Blind Spontaneous Anonymous Signature --- p.39Chapter 5.1 --- Introduction --- p.39Chapter 5.2 --- Definition --- p.40Chapter 5.2.1 --- Security Model --- p.41Chapter 5.2.2 --- Definitions of security notions --- p.41Chapter 5.3 --- Constructing blind SAG signatures --- p.43Chapter 5.3.1 --- Blind SAG signature: CDS-type [1] --- p.43Chapter 5.3.2 --- "Blind SAG signature: ring-type [2, 3]" --- p.44Chapter 5.4 --- Security Analysis --- p.44Chapter 5.4.1 --- Multi-key parallel one-more unforgeability of blind signature --- p.45Chapter 5.4.2 --- Security of our blind SAG signatures --- p.47Chapter 5.5 --- Discussion --- p.49Chapter 6 --- Linkable Spontaneous Anonymous Group Signature --- p.51Chapter 6.1 --- introduction --- p.51Chapter 6.2 --- Related work --- p.51Chapter 6.3 --- Basic Building Blocks --- p.52Chapter 6.3.1 --- Proving the Knowledge of Several Discrete Logarithms --- p.53Chapter 6.3.2 --- Proving the Knowledge of d Out of n Equalities of Discrete Logarithms --- p.55Chapter 6.4 --- Security Model --- p.57Chapter 6.4.1 --- Syntax --- p.57Chapter 6.4.2 --- Notions of Security --- p.59Chapter 6.5 --- Our Construction --- p.63Chapter 6.5.1 --- An Linkable Threshold SAG Signature Scheme --- p.63Chapter 6.5.2 --- Security --- p.65Chapter 6.5.3 --- Discussions --- p.67Chapter 7 --- Conclusion --- p.70Bibliography --- p.7

Hang With Your Buddies to Resist Intersection Attacks

Some anonymity schemes might in principle protect users from pervasive network surveillance - but only if all messages are independent and unlinkable. Users in practice often need pseudonymity - sending messages intentionally linkable to each other but not to the sender - but pseudonymity in dynamic networks exposes users to intersection attacks. We present Buddies, the first systematic design for intersection attack resistance in practical anonymity systems. Buddies groups users dynamically into buddy sets, controlling message transmission to make buddies within a set behaviorally indistinguishable under traffic analysis. To manage the inevitable tradeoffs between anonymity guarantees and communication responsiveness, Buddies enables users to select independent attack mitigation policies for each pseudonym. Using trace-based simulations and a working prototype, we find that Buddies can guarantee non-trivial anonymity set sizes in realistic chat/microblogging scenarios, for both short-lived and long-lived pseudonyms.Comment: 15 pages, 8 figure

Non-Slanderability of Linkable Spontaneous Anonymous Group Signature (LSAG)

In this paper, we formally prove the non-slanderability property of the first linkable ring signature paper in ACISP 2004 (in which the notion was called linkable spontaneous anonymous group signature (LSAG)). The rigorous security analysis will give confidence to any future construction of Ring Confidential Transaction (RingCT) protocol for blockchain systems which may use this signature scheme as the basis