Concurrently Non-Malleable Zero Knowledge in the Authenticated Public-Key Model
We consider a type of zero-knowledge protocols that are of interest for their
practical applications within networks like the Internet: efficient
zero-knowledge arguments of knowledge that remain secure against concurrent
man-in-the-middle attacks. In an effort to reduce the setup assumptions
required for efficient zero-knowledge arguments of knowledge that remain secure
against concurrent man-in-the-middle attacks, we consider a model, which we
call the Authenticated Public-Key (APK) model. The APK model seems to
significantly reduce the setup assumptions made by the CRS model (as no trusted
party or honest execution of a centralized algorithm are required), and can be
seen as a slightly stronger variation of the Bare Public-Key (BPK) model from
\cite{CGGM,MR}, and a weaker variation of the registered public-key model used
in \cite{BCNP}. We then define and study man-in-the-middle attacks in the APK
model. Our main result is a constant-round concurrent non-malleable
zero-knowledge argument of knowledge for any polynomial-time relation
(associated to a language in ), under the (minimal) assumption of
the existence of a one-way function family. Furthermore, we show time-efficient
instantiations of our protocol based on known number-theoretic assumptions. We
also note a negative result with respect to further reducing the setup
assumptions of our protocol to those in the (unauthenticated) BPK model, by
showing that concurrently non-malleable zero-knowledge arguments of knowledge
in the BPK model are only possible for trivial languages.
Concurrent Knowledge-Extraction in the Public-Key Model
Knowledge extraction is a fundamental notion, modelling machine possession of
values (witnesses) in a computational complexity sense. The notion provides an
essential tool for cryptographic protocol design and analysis, enabling one to
argue about the internal state of protocol players without ever looking at this
supposedly secret state. However, when transactions are concurrent (e.g., over
the Internet) with players possessing public-keys (as is common in
cryptography), assuring that entities "know" what they claim to know, where
adversaries may be well coordinated across different transactions, turns out to
be much more subtle and in need of re-examination. Here, we investigate how to
formally treat knowledge possession by parties (with registered public-keys)
interacting over the Internet. Stated more technically, we look into the
relative power of the notion of "concurrent knowledge-extraction" (CKE) in
the concurrent zero-knowledge (CZK) bare public-key (BPK) model.
Comment: 38 pages, 4 figure
The Anonymity Design and Application of Current Signature Schemes
Project number: NSC96-2221-E032-026. Research period: 200708~200807. Research budget: 543,000.
Abstract: Concurrent signature schemes provide an efficient fair-exchange protocol that requires no trusted third party. To protect the privacy of the exchanging parties, a concurrent signature scheme must also provide anonymity. However, anonymous concurrent signature schemes do not provide verification, whereas non-anonymous concurrent signature schemes do; consequently, when signatures are exchanged under an anonymous concurrent signature scheme, the exchanged signatures cannot be verified. This lets an attacker exhaust a party's resources by sending a large number of exchange signatures. To solve this problem, the first year of the project is devoted to designing a concurrent signature scheme that provides both anonymity and verification at the time signatures are exchanged; providing anonymity and verification simultaneously is also the main difficulty. Convertible ring signatures differ from other ring signatures in the revocation of anonymity. The second year of the project is devoted to designing a new anonymity revocation for convertible ring signatures that applies to ring signature schemes based on hard problems other than integer factorization. The current preliminary idea is to reuse the anonymity and anonymity-revocation mechanisms designed for concurrent signatures in the first year, but the main difficulty is that a ring signature can be verified anonymously by anyone, whereas a concurrent signature can only be verified by a specific party. Since it is difficult to provide anonymity for post-paid micropayment schemes, the final year of the project applies anonymous concurrent signatures to design an anonymous post-paid micropayment scheme.
Sponsorship: 行政院國家科學委員
An Identity-Based Group Signature with Membership Revocation in the Standard Model
Group signatures allow group members to sign an arbitrary number
of messages on behalf of the group without revealing their
identity. Under certain circumstances the group manager holding a
tracing key can reveal the identity of the signer from the
signature. Practical group signature schemes should support
membership revocation, where the revoked member loses the
capability to sign a message on behalf of the group without
influencing the other non-revoked members. A model known as
\emph{verifier-local revocation} supports membership revocation.
In this model the trusted revocation authority sends revocation
messages to the verifiers and there is no need for the trusted
revocation authority to contact non-revoked members to update
their secret keys. Previous constructions of verifier-local
revocation group signature schemes either have a security proof in the
random oracle model or are non-identity-based. A security proof
in the random oracle model is only a heuristic proof, and
non-identity-based group signatures suffer from standard Public Key
Infrastructure (PKI) problems, i.e. the group public key is not
derived from the group identity and therefore has to be certified.

In this work we construct the first verifier-local revocation group
signature scheme which is identity-based and which has a security proof in the standard model. In
particular, we give a formal security model for the proposed
scheme and prove that the scheme has the
property of selfless-anonymity under the Decision Linear (DLIN)
assumption and is fully traceable under the
Computational Diffie-Hellman (CDH) assumption. The proposed scheme is based on prime-order bilinear
groups.
CONFLLVM: A Compiler for Enforcing Data Confidentiality in Low-Level Code
We present an instrumenting compiler for enforcing data confidentiality in
low-level applications (e.g. those written in C) in the presence of an active
adversary. In our approach, the programmer marks secret data by writing
lightweight annotations on top-level definitions in the source code. The
compiler then uses a static flow analysis coupled with efficient runtime
instrumentation, a custom memory layout, and custom control-flow integrity
checks to prevent data leaks even in the presence of low-level attacks. We have
implemented our scheme as part of the LLVM compiler. We evaluate it on the SPEC
micro-benchmarks for performance, and on larger, real-world applications
(including OpenLDAP, which is around 300KLoC) for programmer overhead required
to restructure the application when protecting the sensitive data such as
passwords. We find that performance overheads introduced by our instrumentation
are moderate (average 12% on SPEC), and the programmer effort to port OpenLDAP
is only about 160 LoC.
Comment: Technical report for CONFLLVM: A Compiler for Enforcing Data
Confidentiality in Low-Level Code, appearing at EuroSys 201