Group signature schemes and payment systems based on the discrete logarithm problem

The security of many cryptographic systems relies on the difficulty of computing discrete logarithms in certain finite groups. This dissertation studies existing cryptographic protocols that are based on this problem. These protocols are then unified and extended into a framework for designing cryptographic systems. Using this framework, new and efficient realizations of digital group signature schemes and digital payment systems are developed. Group signature schemes allow a member of a group to sign messages anonymously on the group's behalf; in the case of a later dispute, a designated group manager can reveal the signer's identity. An efficient realization of this concept is proposed. Furthermore, the concept of generalized group signatures is developed and realized: such a scheme allows the definition of sets of group members that can jointly sign on the group's behalf. Anonymous digital payment systems allow a customer to pay digitally and anonymously. Unfortunately, anonymity also opens the path to criminal misuse, for instance money laundering. As a compromise between the protection of privacy and the possibility of surveillance for criminal investigation, the concept of revocable anonymity has been proposed. It introduces a trusted third party that can reveal the identity of a payer in cases of misuse. From an operational point of view, it can be an important requirement that this third party is not involved in ordinary transactions but only in anonymity revocation. In this work we present an efficient anonymous digital payment system satisfying this requirement.
