
    Review on multisignature schemes based upon DLP

    In digital signature schemes a user is allowed to sign a document by using a public key infrastructure (PKI). To sign a document, the sender encrypts the hash of the document with his private key. The verifier then uses the signer's public key to decrypt the received signature and checks whether it matches the document hash. Generally a digital signature scheme requires only one signer to sign a message, so that the validity of the signature can be checked later. Under some circumstances, however, a group of signers is required to sign a message cooperatively, so that a single verifier or a group of verifiers can check the validity of the resulting signature. Such a scheme is known as a multisignature. A multisignature scheme is a tool that lets several entities sign a document more efficiently than they could by trivially producing individual signatures. In general, in a multisignature scheme the total signature size and the verification cost are smaller than in the trivially constructed scheme. Thus, several signers can collectively and efficiently sign an identical message. Schemes differ in their base primitive, that is, the type of numerical problem on which the underlying security rests. In this thesis, some of the most important DLP-based multisignature schemes are presented. A categorization of these existing schemes is given, along with their pros and cons.

    Remarks on Saeednia's Identity-based Society Oriented Signature Scheme with Anonymous Signers

    Recently, based on the Guillou-Quisquater signature scheme, Saeednia proposed an identity-based society oriented signature scheme. In this note, however, we point out that Saeednia's scheme does not satisfy the claimed properties.

    Witness Hiding Proofs and Applications

    Witness hiding is a basic requirement for most cryptographic protocols. The concept was proposed by Feige and Shamir several years ago. This thesis concentrates on witness hiding protocols and their applications. Whether a witness hiding protocol can be diverted in parallel had been an open problem for some time. Parallel divertibility is not only of theoretical significance but also a crucial point for the security of some applications, for example electronic cash and digital signatures. It is proved in this thesis that, with limited computational power, it is impossible to divert a witness hiding protocol in parallel to two independent verifiers with large probability. The thesis explores the applications of witness hiding protocols in anonymous credentials, election schemes, and group signatures. In an anonymous credential system, one user may have many pseudonyms. The credentials issued on one of a user's pseudonyms can be transferred to other pseudonyms by the user without revealing the links between the pseudonyms. Election, as a practical model, is formally defined. Two election schemes are proposed and discussed. In particular, the voting scheme is run in parallel with an electronic cash system so that new tools can be introduced. A group signature is a kind of digital signature for a group of people such that only members of the group can sign messages on behalf of the group, without revealing which member has signed. The signer can, however, be identified by either an authority or a certain number of group members who hold some kind of auxiliary information. The new group signature schemes, based on witness hiding proofs, have several advantages compared with the original scheme proposed by Chaum and van Heijst. The most important improvement is that signers can be identified by a majority of group members, which had been an open problem in the literature. In this thesis, some theoretical results about bounds on secret keys and auxiliary information are also proved.

    MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces

    MuSig is a multi-signature scheme for Schnorr signatures which supports key aggregation and is secure in the plain public key model. Standard derandomization techniques for discrete logarithm-based signatures such as RFC 6979, which make the signing procedure immune to catastrophic failures in randomness generation, are not applicable to multi-signatures, as an attacker could trick an honest user into producing two different partial signatures with the same randomness, which would reveal the user's secret key. In this paper, we propose a variant of MuSig in which signers generate their nonce deterministically as a pseudorandom function of the message and all signers' public keys, and prove that they did so by providing a non-interactive zero-knowledge proof to their cosigners. The resulting scheme, which we call MuSig-DN, is the first Schnorr multi-signature scheme with deterministic signing. Its signing protocol is therefore robust against failures in randomness generation as well as against attacks that try to exploit the statefulness of the signing procedure, e.g., virtual machine rewinding attacks. As an additional benefit, a signing session in MuSig-DN requires only two rounds instead of the three required by all previous Schnorr multi-signatures, including MuSig. To instantiate our construction, we identify a suitable algebraic pseudorandom function and provide an efficient implementation of this function as an arithmetic circuit. This makes it possible to realize MuSig-DN efficiently using zero-knowledge proof frameworks for arithmetic circuits which support inputs given in Pedersen commitments, e.g., Bulletproofs. We demonstrate the practicality of our technique by implementing it for the secp256k1 elliptic curve used in Bitcoin.

    Advanced Remote Attestation Protocols for Embedded Systems

    Small integrated computers, so-called embedded systems, have become a ubiquitous and indispensable part of our lives. Every day, we interact with a multitude of embedded systems. They are, for instance, integrated in home appliances, cars, planes, medical devices, and industrial systems. In many of these applications, embedded systems process privacy-sensitive data or perform safety-critical operations. It is therefore of high importance to ensure their secure and safe operation. However, recent attacks and security evaluations have shown that embedded systems frequently lack security and can often be compromised and misused with little effort. A promising technique for facing the increasing number of attacks on embedded systems is remote attestation. It enables a third party to verify the integrity of a remote device. Using remote attestation, attacks can be detected effectively, which allows one to respond to them quickly and thus minimize potential damage. Today, almost all servers, desktop PCs, and notebooks have the hardware and software required to perform remote attestation. By contrast, a secure and efficient attestation of embedded systems is considerably harder to achieve, as embedded systems face several additional challenges. In this thesis, we tackle three main challenges in the attestation of embedded systems. First, we address the issue that low-end embedded devices typically lack the hardware required to perform a secure remote attestation. We present an attestation protocol that requires only minimal secure hardware, which makes our protocol applicable to many existing low-end embedded devices while providing high security guarantees. We demonstrate the practicality of our protocol in two applications, namely verifying code updates in mesh networks and ensuring the safety and security of embedded systems in road vehicles. Second, we target the efficient attestation of multiple embedded devices that are connected under challenging network conditions. Previous attestation protocols are inefficient or even inapplicable when devices are mobile or lack continuous connectivity. We propose an attestation protocol that specifically targets the efficient attestation of many devices in highly dynamic and disruptive networks. Third, we consider a more powerful adversary who is able to physically tamper with the hardware of embedded systems. Existing attestation protocols that address physical attacks suffer from limited scalability and robustness. We present two protocols that are capable of verifying both the software integrity and the hardware integrity of embedded devices in an efficient and robust way. Whereas the first protocol is optimized for scalability, the second aims at robustness and is additionally suited to autonomous networks. In summary, this thesis contributes to enhancing the security, efficiency, robustness, and applicability of remote attestation for embedded systems.

    hinTS: Threshold Signatures with Silent Setup

    We propose hinTS, a new threshold signature scheme built on top of the widely used BLS signatures. Our scheme enjoys the following attractive features:
    - A silent setup process, where the joint public key of the parties is computed as a deterministic function of their locally computed public keys.
    - Support for dynamic choice of thresholds and signers, after the silent setup, without further interaction.
    - Support for general access policies; in particular, native support for weighted thresholds with zero additional overhead over the standard threshold setting.
    - Strong security guarantees, including proactive security and forward security.
    We prove the security of our scheme in the algebraic group model and provide an implementation and extensive evaluation. Our scheme outperforms all prior proposals that aim to avoid distributed key generation in terms of aggregation time, signature size, and verification time. As an example, the aggregation time for 1000 signers is under 0.5 seconds, while both signing and verification are constant-time algorithms, taking roughly 1 ms and 17.5 ms respectively. The key technical contribution of our work is the design of special-purpose succinct proofs to efficiently prove the well-formedness of aggregated public keys. Our solution uses public "hints" released by the signers as part of their public keys (hence the name hinTS).