Randomizable Proofs and Delegatable Anonymous Credentials

Belenkiy, Mira; Camenisch, Jan; Chase, Melissa; Kohlweiss, Markulf; Lysyanskaya, Anna; Shacham, Hovav

doi:10.1007/978-3-642-03356-8_7

Cited by 180 publications

(155 citation statements)

References 25 publications

Supporting

Mentioning

144

Contrasting

Order By: Relevance

“…As shown in [7], GS proofs have composable randomizability, where randomizability holds even if we switch to the simulation setting.…”

Section: Groth-sahai (Gs) Proofsmentioning

confidence: 97%

“…As formalized by [7], GS proofs can be rerandomized by rerandomizing the associated GS commitments and updating the proofs accordingly so that we obtain fresh proofs that are unlinkable to the original ones. Rerandomizing a proof requires knowledge of neither the witness nor the associated randomness used in the original GS commitments.…”

Section: Groth-sahai (Gs) Proofsmentioning

confidence: 99%

“…Pr Ω ← GSProve(crs Sim , w, y) : A(Ω) = 1 = Pr Ω Sim ← GSSimProve(crs Sim , tr, y) : A(Ω Sim ) = 1 · -Rerandomizability [7]: We have for all p.p.t. adversaries (A 1 , A 2 ), the following probability is negligbly close to 1/2…”

Section: Groth-sahai (Gs) Proofsmentioning

confidence: 99%

“…First, the rerandomizability of the proofs [7]. Second, that they are independent of the public terms in the equations being proven [32,30], which as shown by [32], allows transforming GS NIWI proofs into new NIWI/NIZK proofs by adding some/all of those public terms to the witness without knowledge of the original witness.…”

Section: Blind Ring Signature Constructionmentioning

confidence: 99%

See 3 more Smart Citations

Sub-linear Blind Ring Signatures without Random Oracles

Ghadafi

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Ring signatures allow a signer to anonymously sign a message on behalf of a set of arbitrarily chosen signers called a "ring". Blind signatures, on the other hand, allow a user to obtain a signature on a message while maintaining the privacy of the message. Blind ring signatures combine properties of both primitives and hence provide a strong notion of anonymity where the privacy of both the identity of the signer and the message is preserved. Blind ring signatures find applications in various systems; including multiauthority e-voting and distributed e-cash systems. In this paper we provide the first provably secure blind ring signature construction that does not rely on random oracles, which solves an open problem raised by Herranz and Laguillaumie at ISC 2006. We present different instantiations all of which are round-optimal (i.e. have a two-move signing protocol), yield sub-linear size signatures, and meet strong security requirements. In order to realize our constructions efficiently, we construct a sub-linear size set membership proof which works in the different bilinear group settings, which may be of independent interest. As a secondary contribution, we show how to generically combine our set membership proof with any secure signature scheme meeting some conditions to obtain ring signatures whose security does not rely on random oracles. All our constructions work over the efficient prime-order bilinear group setting and yield signatures of sub-linear size. In addition, our constructions meet strong security requirements: namely, anonymity holds under full key exposure and unforgeability holds against insider-corruption. Finally, we provide some example instantiations of the generic construction.

show abstract

“…As shown in [7], GS proofs have composable randomizability, where randomizability holds even if we switch to the simulation setting.…”

Section: Groth-sahai (Gs) Proofsmentioning

confidence: 97%

Section: Groth-sahai (Gs) Proofsmentioning

confidence: 99%

Section: Groth-sahai (Gs) Proofsmentioning

confidence: 99%

Section: Blind Ring Signature Constructionmentioning

confidence: 99%

See 2 more Smart Citations

Sub-linear Blind Ring Signatures without Random Oracles

Ghadafi

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In addition, GS proofs are known to be malleable which, although useful in certain applications [3,11], is undesirable when NIZK proofs serve as building blocks for nonmalleable protocols. To construct chosen-ciphertext-secure encryption schemes [36], for example, the Naor-Yung/Sahai [32,37] paradigm requires NIZK proofs satisfying a property called simulation-soundness [37]: informally, this property captures the inability of the adversary to prove false statements, even after having observed simulated proofs for possibly false statements of its choice.…”

mentioning

confidence: 99%

Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures

Libert

Peters

Joye

et al. 2014

Advances in Cryptology – EUROCRYPT 2014

View full text Add to dashboard Cite

Abstract. Verifiability is central to building protocols and systems with integrity. Initially, efficient methods employed the Fiat-Shamir heuristics. Since 2008, the Groth-Sahai techniques have been the most efficient in constructing non-interactive witness indistinguishable and zeroknowledge proofs for algebraic relations in the standard model. For the important task of proving membership in linear subspaces, Jutla and Roy (Asiacrypt 2013) gave significantly more efficient proofs in the quasiadaptive setting (QA-NIZK). For membership of the row space of a t × n matrix, their QA-NIZK proofs save Ω(t) group elements compared to Groth-Sahai. Here, we give QA-NIZK proofs made of a constant number group elements -regardless of the number of equations or the number of variables -and additionally prove them unbounded simulation-sound. Unlike previous unbounded simulation-sound Groth-Sahai-based proofs, our construction does not involve quadratic pairing product equations and does not rely on a chosen-ciphertext-secure encryption scheme. Instead, we build on structure-preserving signatures with homomorphic properties. We apply our methods to design new and improved CCA2-secure encryption schemes. In particular, we build the first efficient threshold CCA-secure keyed-homomorphic encryption scheme (i.e., where homomorphic operations can only be carried out using a dedicated evaluation key) with publicly verifiable ciphertexts.

show abstract

Hierarchical Attribute-Based Signatures

Drăgan

Gardham

Manulis

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Attribute-based Signatures (ABS) are a powerful tool allowing users with attributes issued by authorities to sign messages while also proving that their attributes satisfy some policy. ABS schemes provide a flexible and privacy-preserving approach to authentication since the signer's identity and attributes remain hidden within the anonymity set of users sharing policy-conform attributes. Current ABS schemes exhibit some limitations when it comes to the management and issue of attributes. In this paper we address the lack of support for hierarchical attribute management, a property that is prevalent in traditional PKIs where certification authorities are organised into hierarchies and signatures are verified along roots of trust. Hierarchical Attribute-based Signatures (HABS) introduced in this work support delegation of attributes along paths from the top-level authority down to the users while also ensuring that signatures produced by these users do not leak their delegation paths, thus extending the original privacy guarantees of ABS schemes. Our generic HABS construction also ensures unforgeability of signatures in the presence of collusion attacks and contains an extended traceability property allowing a dedicated tracing authority to identify the signer and reveal its attribute delegation paths. We include a public verification procedure for the accountability of the tracing authority. We anticipate that HABS will be useful for privacy-preserving authentication in applications requiring hierarchical delegation of attribute-issuing rights and where knowledge of delegation paths might leak information about signers and their attributes, e.g., in intelligent transport systems where vehicles may require certain attributes to authenticate themselves to the infrastructure but remain untrackable by the latter.

show abstract

Randomizable Proofs and Delegatable Anonymous Credentials

Cited by 180 publications

References 25 publications

Sub-linear Blind Ring Signatures without Random Oracles

Sub-linear Blind Ring Signatures without Random Oracles

Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures

Hierarchical Attribute-Based Signatures

Contact Info

Product

Resources

About