Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors

Fischlin, Marc

doi:10.1007/11535218_10

Cited by 147 publications

(144 citation statements)

References 29 publications

Supporting

Mentioning

143

Contrasting

Order By: Relevance

“…Thus far, several efficient group signature schemes, such as Boneh-Boyen-Shacham [9] (and its CCAanonymous version [20]), Camenisch-Lysyanskaya [12], Delerablée-Pointcheval [19], Furukawa-Imai [21], and Bichsel-Camenisch-Neven-Smart-Warinschi [6], have been proposed. Although these schemes are secure in the random oracle model, Boyen-Waters [10,11] and Groth [25] proposed group signature schemes in the standard model.…”

Section: Related Workmentioning

confidence: 99%

Group Signature with Deniability: How to Disavow a Signature

Ishida

Emura

Hanaoka³

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, in some situations it is only required to know whether a specific user is the signer of a given signature. In this case, the use of a standard group signature may be problematic since the specified user might not be the signer of the given signature, and hence, the identity of the actual signer will be exposed.Inspired by this problem, we propose the notion of a deniable group signature, where, with respect to a signature and a user, the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We also describe a fairly practical construction by extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.

show abstract

Section: Related Workmentioning

confidence: 99%

Group Signature with Deniability: How to Disavow a Signature

Ishida

Emura

Hanaoka³

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

show abstract

“…Bernhard et al proved that (unlike a construction of Fischlin [10]) FiatShamir-Schnorr proofs are not adaptively secure, unless the one-more discrete logarithm (OMDL) problem is easy in the group concerned. Specifically, any adaptive extractor must either take at least 2 n time on an adapted version of Shoup/Gennaro's adversary, or reduce to solving OMDL.…”

Section: State Of the Artmentioning

confidence: 99%

On the Hardness of Proving CCA-Security of Signed ElGamal

Bernhard

Fischlin

Warinschi

2016

Public-Key Cryptography – PKC 2016

Self Cite

View full text Add to dashboard Cite

Abstract. The well-known Signed ElGamal scheme consists of ElGamal encryption with a non-interactive Schnorr proof of knowledge. While this scheme should be intuitively secure against chosen-ciphertext attacks in the random oracle model, its security has not yet been proven nor disproven so far, without relying on further non-standard assumptions like the generic group model. Currently, the best known positive result is that Signed ElGamal is non-malleable under chosen-plaintext attacks. In this paper we provide evidence that Signed ElGamal may not be CCA secure in the random oracle model. That is, building on previous work of Shoup and Gennaro (Eurocrypt'98), Seurin and Treger (CT-RSA 2013), and Bernhard et al. (PKC 2015), we exclude a large class of potential reductions that could be used to establish CCA security of the scheme.

show abstract

“…An alternative to the Fiat-Shamir paradigm was proposed by Fischlin [Fis05]. Fischlin's transformation can be applied to any so called 3-round "Fiat-Shamir proof of knowledge" and can be used to derive non-interactive zero-knowledge proofs of knowledge as well as signature schemes.…”

Section: Introductionmentioning

confidence: 99%

“…As Fischlin remarks [Fis05], "in comparison to the Fiat-Shamir transformation, this construction somewhat decouples the hash function from the protocol flow". In other words, the prover and the verifier messages of the underlying scheme are computed as specified in the underlying scheme; not by making use of the hash function in any way.…”

Section: Introductionmentioning

confidence: 99%

On the (In)security of Fischlin’s Paradigm

Ananth

Bhaskar

Goyal

et al. 2013

Theory of Cryptography

View full text Add to dashboard Cite

The Fiat-Shamir paradigm was proposed as a way to remove interaction from 3-round proof of knowledge protocols and derive secure signature schemes. This generic transformation leads to very efficient schemes and has thus grown quite popular. However, this transformation is proven secure only in the random oracle model. In FOCS 2003, Goldwasser and Kalai showed that this transformation is provably insecure in the standard model by presenting a counterexample of a 3-round protocol, the Fiat-Shamir transformation of which is (although provably secure in the random oracle model) insecure in the standard model, thus showing that the random oracle is uninstantiable. In particular, for every hash function that is used to replace the random oracle, the resulting signature scheme is existentially forgeable. This result was shown by relying on the non-black-box techniques of Barak (FOCS 2001).An alternative to the Fiat-Shamir paradigm was proposed by Fischlin in Crypto 2005. Fischlin's transformation can be applied to any so called 3-round "Fiat-Shamir proof of knowledge'' and can be used to derive non-interactive zero-knowledge proofs of knowledge as well as signature schemes. An attractive property of this transformation is that it provides online extractability (i.e., the extractor works without having to rewind the prover). Fischlin remarks that in comparison to the Fiat-Shamir transformation, his construction tries to "decouple the hash function from the protocol flow" and hence, the counterexample in the work of Goldwaaser and Kalai does not seem to carry over to this setting.In this work, we show a counterexample to the Fischlin's transformation. In particular, we construct a 3-round Fiat-Shamir proof of knowledge (on which Fischlin's transformation is applicable), and then, present an adversary against both -the soundness of the resulting non-interactive zero-knowledge, as well as the unforegeability of the resulting signature scheme. Our attacks are successful except with negligible probability for any hash function, that is used to instantiate the random oracle, provided that there is an apriori (polynomial) bound on the running time of the hash function. By choosing the right bound, secure instantiation of Fischlin transformation with most practical cryptographic hash functions can be ruled out.The techniques used in our work are quite unrelated to the ones used in the work of Goldwasser and Kalai. Our primary technique is to bind the protocol flow with the hash function if the code of the hash function is available. We believe that our ideas are of independent interest and maybe applicable in other related settings.

show abstract

Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors

Cited by 147 publications

References 29 publications

Group Signature with Deniability: How to Disavow a Signature

Group Signature with Deniability: How to Disavow a Signature

On the Hardness of Proving CCA-Security of Signed ElGamal

On the (In)security of Fischlin’s Paradigm

Contact Info

Product

Resources

About