A group signature scheme allows a group member to sign a message anonymously on behalf of the group. In case of a dispute, the group manager can reveal the actual identity of the signer. In this paper, we propose a novel group signature satisfying the regular requirements. Furthermore, it also achieves the following advantages: (1) the size of the signature is independent of the number of group members; (2) the group public key is constant; (3) addition and revocation of group members are convenient; (4) it enjoys forward security; (5) the total computation cost of signing and verification requires only 7 modular exponentiations. Hence, our scheme is very practical in many applications, especially for dynamic large-group applications.
Blind signatures play a central role in applications such as e-cash and e-voting systems. The notion of partially blind signature is a more applicable variant in which part of the message contains some common information pre-agreed by the signer and the signature requester, in unblinded form. In this paper, we propose two efficient partially blind signatures with provable security in the random oracle model. The former is based on witness indistinguishable (WI) signatures. Compared with the state-of-the-art construction due to Abe and Fujisaki [1], our scheme is 25% more efficient while enjoying the same level of security. The latter is a partially blind Schnorr signature that does not rely on witness indistinguishability. It enjoys the same level of security and efficiency as the underlying blind signature.
In Eurocrypt 2003, Gentry introduced the notion of certificate-based encryption. The merit of certificate-based encryption lies in the following features: (1) providing a more efficient public-key infrastructure (PKI) that requires less infrastructure, (2) solving the certificate revocation problem, and (3) eliminating third-party queries in the traditional PKI. In addition, it also solves the inherent key escrow problem of identity-based cryptography. In this paper, we first introduce a new attack called the "Key Replacement Attack" in the certificate-based setting and refine the security model of certificate-based signature. We show that the certificate-based signature scheme presented by Kang, Park and Hahn in CT-RSA 2004 is insecure against key replacement attacks. We then propose a new certificate-based signature scheme, which is shown to be existentially unforgeable against adaptive chosen message attacks under the computational Diffie-Hellman assumption in the random oracle model. Compared with the certificate-based signature scheme in CT-RSA 2004, our scheme enjoys shorter signature length and lower operation cost, and hence our scheme outperforms the existing schemes in the literature.
Blind group/ring signatures are useful for applications such as e-cash and e-voting systems. In this paper, we show that the blindness of some existing blind group/ring signature schemes is easy to break by a malicious anonymous signer of dynamic groups. However, this risk has not been pointed out in these proposals, which may cause misuse of the schemes. Fortunately, for static groups, it is possible to integrate message blindness into group/ring signatures. An efficient static blind ring signature is proposed, with its security provable under the extended ROS assumptions in the random oracle model plus the generic group model. After the group public key is generated, the space, time, and communication complexities of the relevant parameters and operations are constant.
The main advantage of ring signatures is to ensure anonymity in ad hoc groups. However, since a group manager is not present in ad hoc groups, there is no existing way to identify the signer who is responsible for, or benefits from, a disputed ring signature. In this paper, we address this issue by formalizing the notion of ad hoc group signature. This new notion bridges the gap between the ring signature and group signature schemes. It enjoys the same advantage as ring signatures of providing anonymity whilst not requiring any group manager. Furthermore, it allows a member of an ad hoc group to provably claim that it has (or has not) issued the anonymous signature on behalf of the group. We propose the first construction of ad hoc group signatures that is provably secure in the random oracle model under the Strong RSA assumption. Our proposal is very simple and, additionally, it produces a constant-size signature and requires a constant number of modular exponentiations. This ensures that our scheme is very practical for ad hoc applications where a centralized group manager is not present.
Informatica 29 (2005) 321-325. A New Efficient Group Signature With Forward Security. Jianhong Zhang, Qianhong Wu and Yumin Wang, State Key Lab. of Integrated Service Networks, Xidian Univ, Xi'an Shaanxi ...
In this paper, we focus on lowering the complexity of t-out-of-n string/bit OTs for large t. The notion of oblivious public-key cryptosystem (OPKC) is introduced, in which Bob possesses n public keys but only t private keys, and no one knows which t private keys Bob possesses. If the sender, Alice, encrypts each of the n messages under its respective oblivious public key, the receiver, Bob, can obtain only t messages by t decryptions with the t private keys he knows. This approach can be directly applied to t-out-of-n bit OT. However, it is very inefficient due to heavy message expansion and many encryption/decryption operations. To construct t-out-of-n bit OT, we introduce the bit oblivious public-key cryptosystem (BOPKC), which is a special public-key cryptosystem with a message space of n bits, whose private key only enables its owner to decrypt t of the n secret bits. After an offline generation of such a BOPKC, the OT requires only one encryption, one decryption and one ciphertext. Finally, we show concrete implementations of OPKC/BOPKC based on the ElGamal/Paillier cryptosystems, and efficient t-out-of-n string/bit OTs are achieved.
Known compact e-cash schemes are constructed from signature schemes with efficient protocols and verifiable random functions. In this paper, we introduce a different approach. We construct compact e-cash schemes from bounded accumulators. A bounded accumulator is an accumulator with a limit on the number of accumulated values. We show a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties, and instantiate it using an existing pairing-based accumulator and a new signature scheme. Our scheme revokes the secret key of the double-spender directly and thus supports more efficient coin tracing. The new signature scheme has the interesting property that its message space is a cyclic group \(\mathbb{G}_1\) equipped with a bilinear pairing, with an efficient protocol to show possession of a signature without revealing either the signature or the message. We show that the new scheme is secure in the generic group model. The new signature scheme may be of independent interest.
A group key agreement (GKA) protocol allows a set of users to establish a common secret via open networks. Observing that a major goal of GKAs for most applications is to establish a confidential channel among group members, we revisit the group key agreement definition and distinguish the conventional (symmetric) group key agreement from asymmetric group key agreement (ASGKA) protocols. Instead of a common secret key, only a shared encryption key is negotiated in an ASGKA protocol. This encryption key is accessible to attackers and corresponds to different decryption keys, each of which is only computable by one group member. We propose a generic construction of one-round ASGKAs based on a new primitive referred to as aggregatable signature-based broadcast (ASBB), in which the public key can be simultaneously used to verify signatures and encrypt messages while any signature can be used to decrypt ciphertexts under this public key. Using bilinear pairings, we realize an efficient ASBB scheme equipped with useful properties. Following the generic construction, we instantiate a one-round ASGKA protocol tightly reduced to the decision Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model.
Vehicular ad hoc networks (VANETs) will improve traffic safety and efficiency provided that car-to-car communication stays trustworthy. Therefore, it is crucial to ensure that the information conveyed by vehicle-generated messages is reliable. A sensible option is to request that the content of a message originated by a certain vehicle be endorsed by nearby peer vehicles. However, neither message generation nor message endorsement should entail any privacy loss on the part of the vehicles co-operating in it. This chapter surveys the available solutions to this security-privacy tension and analyzes their limitations. A new privacy-preserving system is sketched which guarantees message authentication through both a priori and a posteriori countermeasures.