20 results sorted by ID

2024/434 (PDF) Last updated: 2024-03-13
Parameter-Hiding Order-Revealing Encryption without Pairings
Cong Peng, Rongmao Chen, Yi Wang, Debiao He, Xinyi Huang
Cryptographic protocols

Order-Revealing Encryption (ORE) provides a practical solution for conducting range queries over encrypted data. Achieving a desirable privacy-efficiency tradeoff in designing ORE schemes has posed a significant challenge. At Asiacrypt 2018, Cash et al. proposed Parameter-hiding ORE (pORE), which specifically targets scenarios where the data distribution shape is known, but the underlying parameters (such as mean and variance) need to be protected. However, existing pORE constructions rely...

2024/214 (PDF) Last updated: 2024-06-13
Distributed Fiat-Shamir Transform: from Threshold Identification Protocols to Signatures
Michele Battagliola, Andrea Flamini
Public-key cryptography

The recent surge of distributed technologies has caused increasing interest in threshold signature protocols, which peaked with the recent NIST First Call for Multi-Party Threshold Schemes. Since its introduction, the Fiat-Shamir Transform has been the most popular way to design standard digital signature schemes. Many threshold signature schemes are designed in a way that recalls the structure of digital signatures created using Fiat-Shamir, by having the signers generate a common...

2023/1603 (PDF) Last updated: 2023-10-16
Breaking Parallel ROS: Implication for Isogeny and Lattice-based Blind Signatures
Shuichi Katsumata, Yi-Fu Lai, Michael Reichle
Public-key cryptography

Many of the three-round blind signatures based on identification protocols are only proven to be $\ell$-concurrently unforgeable for $\ell = \mathsf{polylog}(\lambda)$. It was only recently shown in a seminal work by Benhamouda et al. (EUROCRYPT'21) that this is not just a limitation of the proof technique. They proposed an elegant polynomial-time attack against the $\ell$-concurrent unforgeability of the classical blind Schnorr protocol for $\ell = \mathsf{poly}(\lambda)$. However,...

2023/1239 (PDF) Last updated: 2023-08-16
CSI-Otter: Isogeny-based (Partially) Blind Signatures from the Class Group Action with a Twist
Shuichi Katsumata, Yi-Fu Lai, Jason T. LeGrow, Ling Qin
Public-key cryptography

In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the "linear identification protocol" abstraction introduced by Hauck, Kiltz, and Loss (EUROCRYPT'19), which was used to generically construct...

2023/336 (PDF) Last updated: 2023-06-04
A Novel Approach to e-Voting with Group Identity Based Identification and Homomorphic Encryption
Apurva K Vangujar, Buvana Ganesh, Alia Umrani, Paolo Palmieri
Public-key cryptography

This paper presents a novel e-voting scheme that combines Group Identity-based Identification (GIBI) with Homomorphic Encryption (HE) based on the discrete logarithm assumption. The proposed scheme uses the Schnorr-like GIBI scheme for voter identification and authorization using Zero-Knowledge (ZK) proofs to ensure the anonymity and eligibility of voters. The use of Distributed ElGamal (DE) provides fairness and receipt-freeness, while the use of partial shares for decryption enables...

2023/061 (PDF) Last updated: 2024-07-20
Key-and-Signature Compact Multi-Signatures for Blockchain: A Compiler with Realizations
Shaoquan Jiang, Dima Alhadidi, Hamid Fazli Khojir
Cryptographic protocols

Multi-signature is a protocol where a set of signers jointly sign a message so that the final signature is significantly shorter than the concatenation of the individual signatures. Recently, it has found applications in blockchains, where several users want to jointly authorize a payment through a multi-signature. However, in this setting there is no centralized authority, and the scheme could suffer from a rogue key attack where the attacker can generate his own keys arbitrarily. Further, to...
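Added example, not code from any paper listed here: the Schnorr identification protocol and the Fiat-Shamir signature derived from it (the structure 2024/214 and 2016/191 refer to), the nonce-reuse key recovery that follows from that structure, and the rogue key attack on naive key aggregation that the 2023/061 abstract above mentions. Assumptions: a roughly 64-bit safe-prime group found at import time and SHA-256 as the Fiat-Shamir hash; both are illustration-only choices, not parameters for deployment, and the product aggregation is the naive scheme the attack targets, not any listed paper's construction.

```python
# Added example (not from any listed paper): Schnorr identification, its
# Fiat-Shamir signature, nonce-reuse key recovery, and the rogue-key attack on
# naive (product) key aggregation. Assumptions: ~64-bit safe-prime group found
# at import time and SHA-256 as the hash; illustration only, not deployable.
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; this base set is exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_params(bits: int = 64):
    """Return (p, q, g): p = 2q + 1 prime, g generating the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    # 4 = 2^2 is a quadratic residue other than 1, so its order is exactly q.
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_params()

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def verify_sigma(X, R, c, s):
    """Sigma-protocol check shared by identification and signing: g^s == R * X^c."""
    return pow(G, s, P) == R * pow(X, c, P) % P

def identify(x, X):
    """One interactive run: prover commits R, verifier picks c, prover answers s."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)              # prover -> verifier
    c = secrets.randbelow(Q)      # verifier -> prover
    s = (r + c * x) % Q           # prover -> verifier
    return verify_sigma(X, R, c, s)

def fs_challenge(X, R, msg: bytes) -> int:
    """Fiat-Shamir: the verifier's random c becomes H(X, R, m) mod q."""
    h = hashlib.sha256(b"%d|%d|" % (X, R) + msg).digest()
    return int.from_bytes(h, "big") % Q

def sign(x, X, msg: bytes, r=None):
    """Schnorr signature; `r` is overridable only to demonstrate nonce reuse."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + fs_challenge(X, R, msg) * x) % Q

def verify(X, msg: bytes, sig):
    R, s = sig
    return verify_sigma(X, R, fs_challenge(X, R, msg), s)

def recover_key_from_nonce_reuse(X, m1, sig1, m2, sig2):
    """Same R under two messages leaks x = (s1 - s2) / (c1 - c2) mod q."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        raise ValueError("nonce was not reused")
    c1, c2 = fs_challenge(X, R1, m1), fs_challenge(X, R2, m2)
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def naive_aggregate(pubkeys):
    """X_agg = prod X_i with no proof of possession: the rogue-key target."""
    agg = 1
    for X in pubkeys:
        agg = agg * X % P
    return agg

def rogue_key(honest_pub):
    """Attacker publishes X' = g^x' * X_honest^-1, so X_agg = g^x' is his alone."""
    x_rogue = secrets.randbelow(Q - 1) + 1
    return x_rogue, pow(G, x_rogue, P) * pow(honest_pub, -1, P) % P

if __name__ == "__main__":
    x, X = keygen()
    print("identification accepted:", identify(x, X))
    s1, s2 = sign(x, X, b"m1", r=12345), sign(x, X, b"m2", r=12345)
    print("key leaked by nonce reuse:", recover_key_from_nonce_reuse(X, b"m1", s1, b"m2", s2) == x)
    xh, Xh = keygen()
    xr, Xr = rogue_key(Xh)
    Xagg = naive_aggregate([Xh, Xr])
    print("attacker signs alone for X_agg:", verify(Xagg, b"drain", sign(xr, Xagg, b"drain")))
```

The same `verify_sigma` check serves both the interactive run and the signature, which is the whole content of the Fiat-Shamir transform: only the source of `c` changes. The two attacks show the two things an implementer must guarantee around it: `r` must be fresh per signature (or derived deterministically from the key and message), and an aggregate key must not be a plain product of unvetted public keys; the multi-signature schemes listed on this page, including MuSig2 in 2021/866, address the latter with proofs of possession or hash-derived per-key coefficients.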

2021/1658 (PDF) Last updated: 2023-01-03
Identifiable Cheating Entity Flexible Round-Optimized Schnorr Threshold (ICE FROST) Signature Protocol
Alonso González, Hamy Ratoanina, Robin Salen, Setareh Sharifian, Vladimir Soukharev
Cryptographic protocols

This paper presents an Identifiable Cheating Entity (ICE) FROST signature protocol that is an improvement over the FROST signature scheme (Komlo and Goldberg, SAC 2020) since it can identify cheating participants in its Key Generation protocol. The proposed threshold signature protocol achieves robustness in the Key Generation phase of the threshold signature protocol by introducing a cheating identification mechanism and then excluding cheating participants from the protocol. By enabling...

2021/1213 (PDF) Last updated: 2021-09-17
DualRing: Generic Construction of Ring Signatures with Efficient Instantiations
Tsz Hon Yuen, Muhammed F. Esgin, Joseph K. Liu, Man Ho Au, Zhimin Ding
Public-key cryptography

We introduce a novel generic ring signature construction, called DualRing, which can be built from several canonical identification schemes (such as Schnorr identification). DualRing differs from the classical ring signatures by its formation of two rings: a ring of commitments and a ring of challenges. It has a structural difference from the common ring signature approaches based on accumulators or zero-knowledge proofs of the signer index. Comparatively, DualRing has a number of unique...

2021/971 (PDF) Last updated: 2021-07-22
Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $\Sigma$-Protocols
Lior Rotem, Gil Segev

The Schnorr identification and signature schemes have been amongst the most influential cryptographic protocols of the past three decades. Unfortunately, although the best-known attacks on these two schemes are via discrete-logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the ``square-root barrier''. In particular, in any group of order $p$ where Shoup's generic hardness result for the discrete logarithm problem...

2021/866 (PDF) Last updated: 2021-06-24
The One-More Discrete Logarithm Assumption in the Generic Group Model
Balthazar Bauer, Georg Fuchsbauer, Antoine Plouviez
Foundations

The one-more discrete logarithm assumption (OMDL) underlies the security analysis of identification protocols, blind signature and multi-signature schemes, such as blind Schnorr signatures and the recent MuSig2 multi-signatures. As these schemes produce standard Schnorr signatures, they are compatible with existing systems, e.g. in the context of blockchains. OMDL is moreover assumed for many results on the impossibility of certain security reductions. Despite its wide use, surprisingly,...

2021/150 (PDF) Last updated: 2023-04-13
Two-Party Adaptor Signatures From Identification Schemes
Andreas Erwig, Sebastian Faust, Kristina Hostáková, Monosij Maitra, Siavash Riahi
Public-key cryptography

Adaptor signatures are a novel cryptographic primitive with important applications for cryptocurrencies. They have been used to construct second layer solutions such as payment channels or cross-currency swaps. The basic idea of an adaptor signature scheme is to tie the signing process to the revelation of a secret value in the sense that, much like a regular signature scheme, an adaptor signature scheme can authenticate messages, but simultaneously leaks a secret to certain parties....

2021/134 (PDF) Last updated: 2021-07-08
Cryptanalysis of a code-based signature scheme without trapdoors
Marco Baldi, Jean-Christophe Deneuville, Edoardo Persichetti, Paolo Santini
Public-key cryptography

We propose an attack on the recent attempt by Li, Xing and Yeo to produce a code-based signature scheme using the Schnorr-Lyubashevsky approach in the Hamming metric, and verify its effectiveness through numerical simulations. Differently from other (unsuccessful) proposals, this new scheme exploits rejection sampling along with dense noise vectors to hide the secret key structure in produced signatures. We show that these measures, besides yielding very slow signing times and rather long...

2020/416 (PDF) Last updated: 2020-10-24
The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-Rewinding Proofs for Schnorr Identification and Signatures
Mihir Bellare, Wei Dai
Public-key cryptography

We introduce the Multi-Base Discrete Logarithm (MBDL) problem. We use this to give reductions, for Schnorr and Okamoto identification and signatures, that are non-rewinding and, by avoiding the notorious square-root loss, tighter than the classical ones from the Discrete Logarithm (DL) problem. This fills a well-known theoretical and practical gap regarding the security of these schemes. We show that not only is the MBDL problem hard in the generic group model, but with a bound that matches...

2020/305 (PDF) Last updated: 2020-03-12
3-Layer Public Key Cryptosystem with Short Tandem Repeat DNA
Shigeo Tsujii, Toshiaki Saisho, Masao Yamasawa, Masahito Gotaishi, Kou Shikata, Koji Sasaki, Nobuharu Suzuki, Masaki Hashiyada
Applications

While digital technology spreads through society, reliable personal authentication is becoming an urgent issue. As shown in digital taxation (e-Tax) and blockchain, etc., a highly reliable link between the private key of a public key pair and the owner who holds it on a card or smartphone, etc., is required. This paper proposes a 3-layer public key cryptosystem in which the Individual Number (a.k.a. "My Number") and STR (Short Tandem Repeat) are installed as personal identification data. "Individual Number"...

2019/337 (PDF) Last updated: 2019-04-03
Anonymous Deniable Identification in Ephemeral Setup & Leakage Scenarios
Łukasz Krzywiecki, Mirosław Kutyłowski, Jakub Pezda, Marcin Słowik
Cryptographic protocols

In this paper we consider anonymous identification, where the verifier can check that the user belongs to a given group of users (just as in the case of ring signatures), but a transcript of a session executed between a user and a verifier is deniable. That is, neither the verifier nor the prover can convince a third party that a given user has been involved in a session, and neither can prove that any user has been interacting with the verifier. Thereby one can achieve high standards for...

2016/191 (PDF) Last updated: 2017-11-29
Optimal Security Proofs for Signatures from Identification Schemes
Eike Kiltz, Daniel Masny, Jiaxin Pan
Public-key cryptography

We perform a concrete security treatment of digital signature schemes obtained from canonical identification schemes via the Fiat-Shamir transform. If the identification scheme is rerandomizable and satisfies the weakest possible security notion (key-recoverability), then the implied signature scheme is unforgeable against chosen-message attacks in the multi-user setting in the random oracle model. The reduction loses a factor of roughly $Q_h$, the number of hash queries. Previous security...

2012/391 (PDF) Last updated: 2012-07-19
Analysis and Construction of Efficient RFID Authentication Protocol with Backward Privacy
Shaohui Wang, Sujuan Liu, Danwei Chen
Applications

Privacy of RFID systems is receiving increasing attention in the RFID community and is an important requirement for the security of RFID systems. Backward privacy means the adversary cannot trace the tag later even if he revealed the internal state of the tag at some time before. In this paper, we analyze two recently proposed RFID authentication schemes: the Randomized GPS and Randomized Hashed GPS schemes. We show that neither of them can provide backward privacy in the Juels and Weis privacy model,...

2012/197 (PDF) Last updated: 2013-05-22
On The Security of One-Witness Blind Signature Schemes
Foteini Baldimtsi, Anna Lysyanskaya

Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most efficient blind signature schemes is the one due to Schnorr that is based on his famous identification scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle model. In this paper, we show that current techniques for proving...

2005/176 (PDF) Last updated: 2005-07-06
HMQV: A High-Performance Secure Diffie-Hellman Protocol
Hugo Krawczyk
Cryptographic protocols

The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying ``the next generation cryptography to protect US government...

1999/016 (PS) Last updated: 1999-07-13
A forward-secure digital signature scheme
Mihir Bellare, Sara Miner

We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature...