Adaptive proofs of knowledge in the random oracle model

Bernhard, David; Fischlin, Marc; Warinschi, Bogdan

doi:10.1049/iet-ifs.2015.0506

Cited by 5 publications

(4 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For efficient and UC-secure Σ-protocols [16], Dodis, Shoup, and Walfish [17] offer a solution, but it relies on verifiable encryption [10] or similar, which adds complexity and setup assumptions. In the random oracle model, Fischlin [19] as well as Bernhard, Fischlin, and Warinschi [3] show how to get an extractor that does not need to rewind, thereby allowing composition. If all we want is sequential composition, then we can rely on the fact that proofs of knowledge compose under sequential composition, but that means that in our unforgeability game, the signer can only respond to one signature query at a time.…”

Section: B Zero-knowledge Proofsmentioning

confidence: 99%

Mercurial Signatures for Variable-Length Messages

Crites¹,

Lysyanskaya

2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Mercurial signatures are a useful building block for privacy-preserving schemes, such as anonymous credentials, delegatable anonymous credentials, and related applications. They allow a signature σ on a message m under a public key pk to be transformed into a signature σ′ on an equivalent message m′ under an equivalent public key pk′ for an appropriate notion of equivalence. For example, pk and pk′ may be unlinkable pseudonyms of the same user, and m and m′ may be unlinkable pseudonyms of a user to whom some capability is delegated. The only previously known construction of mercurial signatures suffers a severe limitation: in order to sign messages of length ℓ, the signer’s public key must also be of length ℓ. In this paper, we eliminate this restriction and provide an interactive signing protocol that admits messages of any length. We prove our scheme existentially unforgeable under chosen open message attacks (EUF-CoMA) under a variant of the asymmetric bilinear decisional Diffie-Hellman assumption (ABDDH).

show abstract

Section: B Zero-knowledge Proofsmentioning

confidence: 99%

Mercurial Signatures for Variable-Length Messages

Crites¹,

Lysyanskaya

2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…-(Adaptive Multi-theorem) Computational zero-knowledge [BFW15]. A proof system is computational zero-knowledge 10 in the RO model if the proofs do not reveal any information about the witnesses to a bounded adversary.…”

Section: Nizk In the Romentioning

confidence: 99%

“…The Cramer et al's sigma protocol can prove that v i is either 0 or 1 without revealing which. Using the Fiat-Shamir's heuristic [FS87] (see also [BFW15] for discussions about adaptiveness) it can be converted in a NIZK in the RO model.…”

Section: Nizk In the Romentioning

confidence: 99%

On the Possibility of Non-interactive E-Voting in the Public-Key Setting

Giustolisi

Iovino

Rønne

2016

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. In 2010 Hao, Ryan and Zielinski proposed a simple decentralized evoting protocol that only requires 2 rounds of communication. Thus, for k elections their protocol needs 2k rounds of communication.Observing that the first round of their protocol is aimed to establish the publickeys of the voters, we propose an extension of the protocol as a non-interactive e-voting scheme in the public-key setting (NIVS) in which the voters, after having published their public-keys, can use the corresponding secret-keys to participate in an arbitrary number of one-round elections. We first construct a NIVS with a standard tally function where the number of votes for each candidate is counted. Further, we present constructions for two alternative types of elections. Specifically in the first type (dead or alive elections) the tally shows if at least one voter cast a vote for the candidate. In the second one (elections by unanimity), the tally shows if all voters cast a vote for the candidate. Our constructions are based on bilinear groups of prime order. As definitional contribution we provide formal computational definitions for privacy and verifiability of NIVSs. We conclude by showing intriguing relations between our results, secure computation, electronic exams and conference management systems.

show abstract

“…Because we address a class of human ignorance, similar techniques (i.e., meta‐reduction techniques under key‐preserving black‐box reductions) to theirs are also used in this paper. More recently, impossibility results based on meta‐reductions techniques have appeared in a number of works, for exmaple, , to name a few. See for a good survey on this topic.…”

Section: Introductionmentioning

confidence: 99%

A limitation on security evaluation of cryptographic primitives with fixed keys

Kawai

Hanaoka

Ohta

et al. 2016

Security Comm Networks

View full text Add to dashboard Cite

In this paper, we discuss security of public-key cryptographic primitives in the case that the public key is fixed. In the standard argument, security of cryptographic primitives are evaluated by estimating the average probability of being successfully attacked where keys are treated as random variables. In contrast to this, in practice, a user is mostly interested in the security under his specific public key, which has been already fixed. However, it is obvious that such security cannot be mathematically guaranteed because for any given public key, there always potentially exists an adversary, which breaks its security. Therefore, the best what we can do is just to use a public key such that its effective adversary is not likely to be constructed in the real life and, thus, it is desired to provide a method for evaluating this possibility. The motivation of this work is to investigate (in)feasibility of predicting whether for a given fixed public key, its successful adversary will actually appear in the real life or not. As our main result, we prove that for any digital signature scheme or public key encryption scheme, it is impossible to reduce any fixed key adversary in any weaker security notion than the de facto ones (i.e., existential unforgery against adaptive chosen message attacks or indistinguishability against adaptive chosen ciphertext attacks) to fixed key adversaries in the de facto security notion in a black-box manner. This result means that, for example, for any digital signature scheme, impossibility of extracting the secret key from a fixed public key will never imply existential unforgery against chosen message attacks under the same key as long as we consider only black-box analysis.

show abstract

Adaptive proofs of knowledge in the random oracle model

Cited by 5 publications

References 28 publications

Mercurial Signatures for Variable-Length Messages

Mercurial Signatures for Variable-Length Messages

On the Possibility of Non-interactive E-Voting in the Public-Key Setting

A limitation on security evaluation of cryptographic primitives with fixed keys

Contact Info

Product

Resources

About