Toward Practical Group Encryption

Aimani, Laila El; Joye, Marc

doi:10.1007/978-3-642-38980-1_15

Cited by 12 publications

(6 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Group encryption [2,15,28] is the encryption analog of the group signature, where an encryptor can make a ciphertext for a group member and can establish a proof that the receiver is a group member without any identification. Moreover, the opener can identify who the actual receiver is, as in the case of a group signature.…”

Section: Related Workmentioning

confidence: 99%

Group Signature with Deniability: How to Disavow a Signature

Ishida

Emura

Hanaoka³

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, in some situations it is only required to know whether a specific user is the signer of a given signature. In this case, the use of a standard group signature may be problematic since the specified user might not be the signer of the given signature, and hence, the identity of the actual signer will be exposed.Inspired by this problem, we propose the notion of a deniable group signature, where, with respect to a signature and a user, the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We also describe a fairly practical construction by extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.

show abstract

Section: Related Workmentioning

confidence: 99%

Group Signature with Deniability: How to Disavow a Signature

Ishida

Emura

Hanaoka³

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

show abstract

“…In order to keep users accountable for their actions, an opening authority (OA) is further empowered with some information allowing it to un-anonymize signatures/ciphertexts. Kiayias, Tsiounis and Yung [34] formalized GE schemes as a primitive allowing the sender to generate publicly verifiable guarantees that: (1) The ciphertext is well-formed and intended for some registered group member who will be able to decrypt; (2) the opening authority will be able identify the receiver if necessary; (3) The plaintext satisfies certain properties such as being a witness for some public relation or the private key that underlies a given public key. In the model of Kiayias et al [34], the message secrecy and anonymity properties are required to withstand active adversaries, which are granted access to decryption oracles in all security experiments.…”

Section: Introductionmentioning

confidence: 99%

“…Cathalo, Libert and Yung [18] designed a non-interactive system in the standard model under non-interactive pairing-related assumptions. El Aimani and Joye [3] suggested various efficiency improvements with both interactive and non-interactive proofs.…”

Section: Introductionmentioning

confidence: 99%

Zero-knowledge arguments for matrix–vector relations and lattice-based group encryption

Libert

Ling

Mouhartem

et al. 2019

Theoretical Computer Science

View full text Add to dashboard Cite

Group encryption (GE) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), GE is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which incurs to prove quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of X ∈ Z m×n q , s ∈ Z n q and a small-norm e ∈ Z m which underlie a public vector b = X · s + e ∈ Z m q while simultaneously proving that the matrix X ∈ Z m×n q has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting.

show abstract

Section: Introductionmentioning

confidence: 99%

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption

Libert

Ling

Mouhartem

et al. 2016

Advances in Cryptology – ASIACRYPT 2016

View full text Add to dashboard Cite

International audienceGroup encryption (GE) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), GE is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which incurs to prove quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of X ∈ Z m×n q , s ∈ Z n q and a small-norm e ∈ Z m which underlie a public vector b = X · s + e ∈ Z m q while simultaneously proving that the matrix X ∈ Z m×n q has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting

show abstract

Toward Practical Group Encryption

Cited by 12 publications

References 26 publications

Group Signature with Deniability: How to Disavow a Signature

Group Signature with Deniability: How to Disavow a Signature

Zero-knowledge arguments for matrix–vector relations and lattice-based group encryption

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption

Contact Info

Product

Resources

About