Group Signatures are Suitable for Constrained Devices

Canard, Sébastien; Coisel, Iwen; Meulenaer, Giacomo de; Pereira, Olivier

doi:10.1007/978-3-642-24209-0_9

Cited by 6 publications

(12 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…But as already remarked, one does not require to enforce anonymity of the TPM with respect to the host, since the latter already knows which TPM is inserted (or even sees the signature which is sent outside). And as explained in [7], in DAA schemes and in server-aided version of group signatures, the host is not adversarially-controlled in the anonymity experiment, but just for the impersonation or frameability.…”

Section: Discussionmentioning

confidence: 99%

“…This increases the contrast between the important needs to embed these protocols in such lightweight devices and their practical limitations when performing many exponentiations or pairing evaluations. A common way to overcome this problem is to delegate (when possible) some computations to a more powerful, but not fully trusted, delegatee as in [5,7,3,8]. Since the latter entity cannot have access to secret values, most of the computations on the prover's side have to be performed by the constrained device, which reduces the benefits of server-aided cryptography.…”

Section: Delegation Of Computationmentioning

confidence: 99%

“…As in [5,7,3], we will split the prover into a trusted device which has a limited computational power and a more powerful, but untrusted, machine. As in DAA [5] schemes, the trusted device will be called the TPM (Trusted Platform Module) and the untrusted machine will be called the host.…”

Section: Delegating Proofs Of Knowledgementioning

confidence: 99%

See 2 more Smart Citations

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting

Canard

Pointcheval

Sanders

2014

Public-Key Cryptography – PKC 2014

Self Cite

View full text Add to dashboard Cite

Abstract. Since their introduction in 1985, by Goldwasser, Micali and Rackoff, followed by Feige, Fiat and Shamir, zero-knowledge proofs have played a significant role in modern cryptography: they allow a party to convince another party of the validity of a statement (proof of membership) or of its knowledge of a secret (proof of knowledge). Cryptographers frequently use them as building blocks in complex protocols since they offer quite useful soundness features, which exclude cheating players. In most of modern telecommunication services, the execution of these protocols involves a prover on a portable device, with limited capacities, and namely distinct trusted part and more powerful part. The former thus has to delegate some computations to the latter. However, since the latter is not fully trusted, it should not learn any secret information.This paper focuses on proofs of knowledge of discrete logarithm relations sets (DLRS), and the delegation of some prover's computations, without leaking any critical information to the delegatee. We will achieve various efficient improvements ensuring perfect zero-knowledge against the verifier and partial zero-knowledge, but still reasonable in many contexts, against the delegatee.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Delegation Of Computationmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting

Canard

Pointcheval

Sanders

2014

Public-Key Cryptography – PKC 2014

Self Cite

View full text Add to dashboard Cite

show abstract

“…When dealing with more complicated protocols, especially those dealing with anonymity, a lot of research has also been carried out. For group signature schemes [12], Maitland and Boyd [24] and then Canard et al [9] proposed variants of existing schemes where the group member is helped by some semi-trusted entity to produce a group signature. This trick is also part of the Direct Anonymous Attestation framework (see e.g.…”

Section: Introductionmentioning

confidence: 99%

“…We finally provide an algorithm which outputs the best possible secure variant, depending on the time performances of both T and I. All along the paper, we use as a running example the case of group signatures (to make a comparison with the work in [9]) but our method can also be applied to most existing cryptographic primitives.…”

Section: Introductionmentioning

confidence: 99%

Toward Generic Method for Server-Aided Cryptography

Canard

Coisel

Devigne

et al. 2013

Information and Communications Security

Self Cite

View full text Add to dashboard Cite

Portable devices are very useful to access services from anywhere at any time. However, when the security underlying the service requires complex cryptography, implying the execution of several costly mathematical operations, these devices may become inadequate because of their limited capabilities. In this case, it is desirable to adapt the way to use cryptography. One possibility, which has been widely studied in many particular cases, is to propose a server-aided version of the executed cryptographic algorithm, where some well-chosen parts of the algorithm are delegated to a more powerful entity. As far as we know, nothing has been done to generically change a given well-known secure instance of a cryptographic primitive in its initial form to a secure server-aided version where the server (called the intermediary) may be corrupted by the adversary. In this paper, we propose an almost generic method to simplify the work of the operator who wants to construct this secure server-aided instance. In particular, we take into account the efficiency of the resulting server-aided instance by giving the best possible way to separate the different tasks of the instance so that the resulting time efficiency is optimal. Our methodology can be applied to most of public key cryptographic schemes.

show abstract