15 research outputs found

    ENSURING THE CONFIDENTIALITY OF PERSONAL DATA AND SUPPORTING CYBERSECURITY BY MEANS OF BLOCKCHAIN

    The recent increase in security breaches and digital surveillance highlights the need to improve privacy and security, especially of users' personal data. Advances in cybersecurity and new legislation promise to improve the protection of personal data. Blockchain and distributed ledger (DLT) technologies provide new opportunities to protect user data through decentralized identification and other privacy mechanisms. These systems can give users greater sovereignty through tools that allow them to own and control their own data. The purpose of the article is to research blockchain technology and the mechanisms for achieving reliability in blockchain for the protection and security of personal data. Decentralized and federated identity systems give users control over what, when and how much of their personal information can be shared and with whom. These systems can also reduce cybersecurity threats. Through various consensus algorithms, blockchain-based privacy solutions allow users to better manage their data and ensure that the data, and the models derived from it, are more accurate, honest and reliable.

    Simple Schnorr Signature with Pedersen Commitment as Key

    In a transaction-output-based blockchain system, where each transaction spends UTXOs (previously unspent transaction outputs), a user must provide a signature, or more precisely a $\textit{scriptSig}$ for Bitcoin, to spend a UTXO, which proves ownership of the spent output. When a Pedersen commitment $g^xh^a$ or an ElGamal commitment $(g^xh^a, h^x)$ is introduced into the blockchain as a transaction output, to support the confidential transaction feature where the input and output amounts of a transaction are hidden, prior signature schemes such as the Schnorr signature scheme and its variants do not work directly if the commitment is used as the public key, since nobody, including the committer, knows the private key of $g^xh^a$ when $a$ is not zero, meaning no one knows the $c$ such that $g^c = g^xh^a$. This paper presents a signature scheme that is able to use $C = g^xh^a$ as the signature public key for any value of $a$. The signer, starting from a random Pedersen commitment $R = g^{k_1}h^{k_2}$, generates a bit sequence $e$; multiplies the stored private key $x$ by $e$ and adds the random number $k_1$ to obtain $u$; multiplies the committed value $a$ by $e$ and adds the random number $k_2$ to obtain $v$; and finally constructs $\sigma = (R, u, v)$ as the signature, with corresponding public key $C$. In turn, the verifier computes the Pedersen commitment $S = g^uh^v$ and accepts the signature if $S = RC^e$. For an electronic signature, the hash value $e$ is computed from the random Pedersen commitment $R$, the Pedersen commitment $C$, and the message $m$ to be signed. This signature scheme will be very helpful in the design of a non-interactive transaction in Mimblewimble.

    Anonymous Single-Sign-On for n designated services with traceability

    Anonymous Single-Sign-On authentication schemes have been proposed to allow users to access a service protected by a verifier without revealing their identity, which has become more important due to the introduction of strong privacy regulations. In this paper we describe a new approach whereby anonymous authentication to different verifiers is achieved via authorisation tags and pseudonyms. The particular innovation of our scheme is that authentication can only occur between a user and its designated verifier for a service, and the verification cannot be performed by any other verifier. The benefit of this authentication approach is that it prevents leakage of a user's service access information, even if the verifiers for these services collude with each other. Our scheme also supports a trusted third party who is authorised to de-anonymise the user and reveal her complete service access information if required. Furthermore, our scheme is lightweight because it does not rely on attribute- or policy-based signature schemes to enable access to multiple services. The scheme's security model is given together with a security proof, an implementation and a performance evaluation.

    MERCAT: Mediated, Encrypted, Reversible, SeCure Asset Transfers

    For security token adoption by financial institutions and industry players on the blockchain, there is a need for a secure asset management protocol that enables confidential asset issuance and transfers by concealing the transfer amounts and asset types from the public while on a public blockchain, and that flexibly supports arbitrary restrictions on financial transactions, only some of which need to be supported by zero-knowledge proofs. This paper proposes a hybrid design approach, using zero-knowledge proofs supported by restrictions enforced by trusted mediators. As part of our protocol, we also describe a novel transaction ordering mechanism that can support a flexible transaction workflow without putting any timing constraints on when the transactions should be generated by the users or processed by the network validators. This technique is likely to be of independent interest.

    One-Shot Verifiable Encryption from Lattices

    Verifiable encryption allows one to prove properties about encrypted data and is an important building block in the design of cryptographic protocols, e.g., group signatures, key escrow, fair exchange protocols, etc. Existing lattice-based verifiable encryption schemes, and even just proofs of knowledge of the encrypted data, require parallel composition of proofs to reduce the soundness error, resulting in proof sizes that are only truly practical when amortized over a large number of ciphertexts. In this paper, we present a new construction of a verifiable encryption scheme, based on the hardness of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over polynomial rings. Our scheme is one-shot, in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Whereas verifiable encryption usually guarantees that decryption can recover a witness for the original language, we relax this requirement to decrypting a witness of a related but extended language. This relaxation is sufficient for many applications, and we illustrate this with example usages of our scheme in key escrow and verifiably encrypted signatures. One of the interesting aspects of our construction is that the decryption algorithm is probabilistic and uses the proof as input (rather than using only the ciphertext). The decryption time for honestly generated ciphertexts depends only on the security parameter, while the expected running time for decrypting an adversarially generated ciphertext is directly related to the number of random-oracle queries made by the adversary who created it. This property suffices in most practical scenarios, especially in situations where the ciphertext proof is part of an interactive protocol, where the decryptor is substantially more powerful than the adversary, or where adversaries can otherwise be discouraged from submitting malformed ciphertexts.

    Structure Preserving CCA Secure Encryption and Its Application to Oblivious Third Parties

    In this paper we present the first public key encryption scheme that is structure preserving, i.e., our encryption scheme uses only algebraic operations. In particular, it does not use hash functions or interpret group elements as bit strings. This makes our scheme a perfect building block for cryptographic protocols where parties, for instance, want to prove properties about ciphertexts to each other or jointly compute ciphertexts. Our scheme is also very efficient and is secure against adaptive chosen ciphertext attacks. We also provide a few example protocols for our scheme, for instance a joint computation of a ciphertext, generated from two secret plaintexts (one from each party), where in the end only one of the parties learns the ciphertext. This latter protocol serves as a building block for our second contribution, which is a set of protocols that implement the concept of oblivious trusted third parties. This concept has been proposed before, but no concrete realization was known.

    Anonymity and Rewards in Peer Rating Systems

    When peers rate each other, they may choose to rate inaccurately in order to boost their own reputation or unfairly lower another's. This could be successfully mitigated by having a reputation server incentivise accurate ratings with a reward. However, assigning rewards becomes a challenge when ratings are anonymous, since the reputation server cannot tell which peers to reward for rating accurately. To address this, we propose an anonymous peer rating system in which users can be rewarded for accurate ratings, and we formally define its model and security requirements. In our system, ratings are rewarded in batches, so that users claiming their rewards only reveal that they authored one rating in this batch. To ensure the anonymity set of rewarded users is not reduced, we also split the reputation server into two entities: the Rewarder, who knows which ratings are rewarded, and the Reputation Holder, who knows which users were rewarded. We give a provably secure construction satisfying all the required security properties. For our construction we use a modification of a Direct Anonymous Attestation scheme to ensure that peers can prove their own reputation when rating others, and that multiple feedback on the same subject can be detected. We then use Linkable Ring Signatures to enable peers to be rewarded for their accurate ratings, while still ensuring that ratings are anonymous. Our work results in a system which allows accurate ratings to be rewarded, whilst still providing anonymity of ratings with respect to the central entities managing the system.

    VeriVoting: A decentralized, verifiable and privacy-preserving scheme for weighted voting

    Decentralization, verifiability, and privacy preservation are three fundamental properties of modern e-voting. In this paper, we conduct extensive investigations into them and present a novel e-voting scheme, VeriVoting, which is the first to satisfy all three properties. More specifically, decentralization is realized through blockchain technology and the distribution of decryption power among competing entities, such as candidates. Verifiability is satisfied when the public can verify the ballots and decryption keys. Finally, bidirectional unlinkability is achieved to help preserve privacy by decoupling voter identity from ballot content. Following the ideas above, we first leverage linear homomorphic encryption schemes and non-interactive zero-knowledge argument systems to construct a voting primitive, SemiVoting, which meets decentralization, decryption-key verifiability, and ballot privacy. To further achieve ballot ciphertext verifiability and anonymity, we extend this primitive with blockchain and verifiable computation to finally arrive at VeriVoting. Through security analysis and performance evaluations, VeriVoting offers a new trade-off between security and efficiency that differs from all previous e-voting schemes and provides a radically novel practical approach to large-scale elections.