Smooth Projective Hashing for Conditionally Extractable Commitments

Abdalla, Michel; Chevalier, Céline; Pointcheval, David

doi:10.1007/978-3-642-03356-8_39

Cited by 64 publications

(55 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Smooth projective hash function (SPHF) is originally introduced by Cramer and Shoup [19] and extended for constructions of many cryptographic primitives [20,23,24,3,1,5,10,2,11,6]. We start with the original definition.…”

Section: Smooth Projective Hash Functionsmentioning

confidence: 99%

One-Round Strong Oblivious Signature-Based Envelope

Chen

Susilo

et al. 2016

Information Security and Privacy

View full text Add to dashboard Cite

Oblivious Signature-Based Envelope (OSBE) has been widely employed for anonymity-orient and privacypreserving applications. The conventional OSBE execution relies on a secure communication channel to protect against eavesdroppers. In TCC 2012, Blazy, Pointcheval and Vergnaud proposed a framework of OSBE (BPV-OSBE) without requiring any secure channel by clarifying and enhancing the OSBE security notions. They showed how to generically build an OSBE scheme satisfying the new strong security in the standard model with a common-reference string. Their framework requires 2-round interactions and relies on the smooth projective hash function (SPHF) over special languages, i.e., languages from encryption of signatures. In this work, we investigate the study on the strong OSBE and make the following contributions. First, we propose a generic construction of one-round yet strong OSBE system. Compared to the 2-round BPV-OSBE, our one-round construction is more appealing, as its noninteractive setting accommodates more application scenarios in the real word. Moreover, our framework relies on the regular (identity-based) SPHF, which can be instantiated from extensive languages and hence is more general. Second, we also present an efficient instantiation, which is secure under the standard model from classical assumptions, DDH and DBDH, to illustrate the feasibility of our one-round framework. We remark that our construction is the first one-round OSBE with strong security Abstract. Oblivious Signature-Based Envelope (OSBE) has been widely employed for anonymity-orient and privacy-preserving applications. The conventional OSBE execution relies on a secure communication channel to protect against eavesdroppers. In TCC 2012, Blazy, Pointcheval and Vergnaud proposed a framework of OSBE (BPV-OSBE) without requiring any secure channel by clarifying and enhancing the OSBE security notions. They showed how to generically build an OSBE scheme satisfying the new strong security in the standard model with a common-reference string. Their framework requires 2-round interactions and relies on the smooth projective hash function (SPHF) over special languages, i.e., languages from encryption of signatures. In this work, we investigate the study on the strong OSBE and make the following contributions. First, we propose a generic construction of one-round yet strong OSBE system. Compared to the 2-round BPV-OSBE, our one-round construction is more appealing, as its noninteractive setting accommodates more application scenarios in the real word. Moreover, our framework relies on the regular (identity-based) SPHF, which can be instantiated from extensive languages and hence is more general. Second, we also present an efficient instantiation, which is secure under the standard model from classical assumptions, DDH and DBDH, to illustrate the feasibility of our one-round framework. We remark that our construction is the first one-round OSBE with strong security.

show abstract

Section: Smooth Projective Hash Functionsmentioning

confidence: 99%

One-Round Strong Oblivious Signature-Based Envelope

Chen

Susilo

et al. 2016

Information Security and Privacy

View full text Add to dashboard Cite

show abstract

“…The design of the KV-PAKE protocol originates from the KOY protocol [38] and is used in many PAKE construction, e.g., [5,16,32,33,36]. It is therefore safe to assume that some of these protocols, instantiated with an encryption scheme that yields ciphertexts with pseudorandom elements and SPHFs with pseudorandom projection keys, can be used with our compiler.…”

Section: Generalisations and Limitationsmentioning

confidence: 99%

Oblivious PAKE: Efficient Handling of Password Trials

Kiefer

Manulis

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this work we introduce the notion of Oblivious Password based Authenticated Key Exchange (O-PAKE) and a compiler to transform a large class of PAKE into O-PAKE protocols. O-PAKE allows a client that shares one password with a server to use a subset of passwords within one PAKE session. It succeeds if and only if one of those input passwords matches the one stored on the server side. The term oblivious is used to emphasise that no information about any password, input by the client, is made available to the server. O-PAKE protocols can be used to improve the overall efficiency of login attempts using PAKE protocols in scenarios where users are not sure (e.g. no longer remember) which of their passwords has been used at a particular web server. Using special processing techniques, our O-PAKE compiler reaches nearly constant run time on the server side, independent of the size of the client's password set; in contrast, a naive approach to run a new PAKE session for each login attempt would require linear run time for both parties. We prove security of the O-PAKE compiler under standard assumptions using the latest game-based PAKE model by Abdalla, Fouque and Pointcheval (PKC 2005), tailored to our needs. We identify the requirements that PAKE protocols must satisfy in order to suit the compiler and give two concrete O-PAKE instantiation.

show abstract

“…Our particular protocol is probably a bit less efficient than the one in [9]; however, our protocol has the advantage of being secure against adaptive corruptions (assuming erasures). A very different PAKE protocol, with a structure similar to that in [9], that is secure against adaptive corruptions was recently presented in [1].…”

Section: A Protocol For Equality Testing and A Related Problemmentioning

confidence: 99%

“…The first is a practical PAKE protocol that is secure in the adaptive corruption model (with erasures); this is not the first such protocol (this was achieved recently by Abdalla, Chevalier, and Pointcheval [1], using completely different techniques). The second PAKE protocol is a simple variant of the first, but provides security against server compromise: the protocol is an asymmetric protocol run between a client, who knows the password, and a server, who only stores a function of the password; if the server is compromised, it is still hard to recover the password.…”

Section: Introductionmentioning

confidence: 99%

Credential Authenticated Identification and Key Exchange

Camenisch¹,

Casati²,

Groß³

et al. 2010

Advances in Cryptology – CRYPTO 2010

View full text Add to dashboard Cite

Abstract. This paper initiates a study of two-party identification and key-exchange protocols in which users authenticate themselves by proving possession of credentials satisfying arbitrary policies, instead of using the more traditional mechanism of a public-key infrastructure. Definitions in the universal composability framework are given, and practical protocols satisfying these definitions, for policies of practical interest, are presented. All protocols are analyzed in the common reference string model, assuming adaptive corruptions with erasures, and no random oracles. The new security notion includes password-authenticated key exchange as a special case, and new, practical protocols for this problem are presented as well, including the first such protocol that provides resilience against server compromise (without random oracles).

show abstract

Smooth Projective Hashing for Conditionally Extractable Commitments

Cited by 64 publications

References 28 publications

One-Round Strong Oblivious Signature-Based Envelope

One-Round Strong Oblivious Signature-Based Envelope

Oblivious PAKE: Efficient Handling of Password Trials

Credential Authenticated Identification and Key Exchange

Contact Info

Product

Resources

About