Authenticated Key Exchange (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e., lowentropy) secret keys or credentials. In this paper, we provide a general framework, that encompasses several previous AKE primitives such as (Verifier-based) Password-Authenticated Key Exchange or Secret Handshakes, we call LAKE for Language-Authenticated Key Exchange. We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defficient commitment scheme, that is derived from the highly-efficient UC-secure Lindell's commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption.
Public Key Cryptography, 16th International Conference, PKC 2013 Conference (PKC '13),
-> Full Version
Partially-blind signatures find many applications in the area of anonymity, such as in e-cash or e-voting systems. They extend classical blind signatures, with a signed message composed of two parts: a public one (common to the user and the signer) and a private one (chosen by the user, and blindly signed). The signer cannot link later the message-signature to the initial interaction with the user, among other signatures on messages with the same public part. This paper presents a one-round partially-blind signature which achieves perfect blindness in the standard model using a Common Reference String, under classical assumptions: CDH and DLin assumptions in symmetric groups, and similar ones in asymmetric groups. This scheme is more efficient than the previous ones: reduced round complexity and communication complexity, but still weaker complexity assumptions. A great advantage is also to end up with a standard Waters signature, which is quite short. In addition, in all the previous schemes, the public part required a prior agreement between the parties on the public part of the message before running the blind signature protocol. Our protocol does not require such pre-processing: the public part can be chosen by the signer only. Our scheme even allows multiple messages provided from independent sources to be blindly signed. These messages can either be concatenated or aggregated by the signer, without learning any information about them, before returning the blind signature to the recipient. For the aggregation (addition of the messages), we provide a new result, of independent interest, about the Waters hash function over non binary-alphabets.
The 8th Conference on Security in Communication Networks (SCN '12),
-> Full Version
In 2008, Groth and Sahai proposed a powerful suite of techniques for constructing non-interactive zero-knowledge proofs in bilinear groups. Their proof systems have found numerous applications, including group signature schemes, anonymous voting, and anonymous credentials. In this paper, we demonstrate that the notion of smooth projective hash functions can be useful to design round-optimal privacy-preserving interactive protocols. We show that this approach is suitable for designing schemes that rely on standard security assumptions in the standard model with a common-reference string and are more efficient than those obtained using the Groth-Sahai methodology. As an illustration of our design principle, we construct an efficient oblivious signature-based envelope scheme and a blind signature scheme, both round-optimal.
TCC, Ninth IACR Theory of Cryptography Conference, TCC 2012 Conference
-> Springer, Lecture Notes in Computer Science, 2012, Volume 7194/2012, p.94-111 [DOI]:
-> Full Version
-> Slides
Traceable signatures schemes were introduced by Kiayias, Tsiounis and Yung in order to solve traceability issues in group signature schemes. They wanted to enable authorities to delegate some of their detection capabilities to tracing sub-authorities. Instead of opening every single signatures and then threatening privacy, tracing sub-authorities are able to know if a signature was emitted by specific users only. In 2008, Libert and Yung proposed the first traceable signature schemes proven secure in the standard model. We design another scheme in the standard model, with two instantiations based either on the SXDH or the DLin assumptions. Our construction is far more efficient, both in term of group elements for the signature, and pairing computation for the verification. Besides the "step-in" (confirmation) feature that allows a user to prove he was indeed the signer, our construction provides the "step-out" (disavowal) procedure that allows a user to prove he was not the signer. Since list signature schemes are closely related to this primitive, we consider them, and answer an open problem: list signature schemes are possible without random oracles.
Quisquater Festschrift
-> Cryptography and Security 2012, Lecture Notes in Computer Science, 2012, Volume 6805/2012, p.108-131 [DOI]:
-> Full Version
Electronic cash (e-cash) refers to money exchanged electronically. The main features of traditional cash are usually considered de sirable also in the context of e-cash. One such property is online transferability, meaning the recipient of a coin in a transaction can transfer it in a later payment transaction to a third person without contacting a central authority. Among security properties, the anonymity of the payer in such transactions has been widely studied. This paper proposes the first efficient and secure transferable e-cash scheme with the strongest achievable anonymity properties, introduced by Canard and Gouget. In
particular, it should not be possible for adversaries who receive a coin to decide whether they have owned that coin before. Our proposal is based
on two recent cryptographic primitives: the proof system by Groth and Sahai, whose randomizability enables strong anonymity, and the commuting signatures by Fuchsbauer, which allow one to sign values that are only given as encryptions.
AfricaCrypt, 4th International Conference, AfricaCrypt 2011 Conference
-> Springer, Lect. Notes in Comput. Sci. vol. 6737,2011, p. 206-223 [DOI]:
-> Full Version
-> Slides (presented by Georg)
Randomizable encryption allows anyone to transform a ciphertext into a fresh ciphertext of the same message. Analogously, a randomizable signature can be transformed into a new signature on the same message. We combine randomizable encryption and signatures to a new primitive as follows: given a signature on a ciphertext, anyone, knowing neither the signing key nor the encrypted message, can randomize the ciphertext and adapt the signature to the fresh encryption, thus maintaining public verifiability. Moreover, given the decryption key and a signature on a ciphertext, one can compute (``extract'') a signature on the encrypted message. As adapting a signature to a randomized encryption contradicts the standard notion of unforgeability, we introduce a weaker notion stating that no adversary can, after querying signatures on ciphertexts of its choice, output a signature on an encryption of a new message. This is reasonable, since due to extractability a signature on an encrypted message can be interpreted as an encrypted signature on the message. Using Groth-Sahai proofs and Waters signatures, we give several instantiations of our primitive proven secure under classical assumptions in the standard model: the decision-linear assumption in symmetric bilinear groups. As an application, we show how to construct a non-interactive receipt-free universally verifiable e-voting scheme. Besides, our primitive also yields an efficient round-optimal blind signature scheme based on standard assumptions.
Public Key Cryptography, 14th International Conference, PKC 2011 Conference (R. Gennaro ed.)
-> Springer, Lect. Notes Comput. Sci. vol. 6571, 2011, p. 403-422 [DOI]
-> Full Version with a minor correction on the Revisited Waters.
-> Slides
In 2008, Groth and Sahai proposed a general methodology for constructing non-interactive zeroknowledge (and witness-indistinguishable) proofs in bilinear groups. While avoiding expensive NP-reductions, these proof systems are still ine.cient due to a number of pairing computations required for veri.cation. We apply recent techniques of batch veri.cation to the Groth-Sahai proof systems and manage to improve signi.cantly the complexity of proof veri.cation. We give explicit batch veri.cation formulas for generic Groth-Sahai equations (whose cost is less than a tenth of the original) and also for speci.c popular protocols relying on their methodology (namely Groth's group signatures and Belenkiy-Chase-Kohlweiss-Lysyanskaya's P-signatures).Applied Cryptography and Network Security, 8th International Conference, ACNS 2010 (J. Zhou & M. Yung eds.)