Advances in signatures, encryption, and E-Cash from bilinear groups

We present new formal definitions, algorithms, and motivating applications for three natural cryptographic constructions. Our constructions are based on a special type of algebraic group called bilinear groups . (1) Re-signatures. We present the first public key signature scheme where a semi-trusted proxy, given special information, can translate Alice's signature on a message into Bob's signature on the same message. The special information, however, allows nothing else, i.e., the proxy cannot translate from Bob to Alice, nor can it sign on behalf of either Alice or Bob. We show that a path through a graph can be cheaply authenticated using this scheme, with applications to electronic passports. (2) Re-encryption. We present the first public key cryptosystem where a semi-trusted proxy, given special information, can translate an encryption of a message under Alice's key into an encryption of the same message under Bob's key. Again, the special information allows nothing else, i.e. the proxy cannot translate from Bob to Alice, decrypt on behalf of either Alice or Bob, or learn anything else about the message. We apply this scheme to create a new mechanism for secure distributed storage. (3) Compact e-cash with tracing and bounded-anonymity . We present an offline e-cash system where 2e coins can be stored in O(e + k) bits and withdrawn or spent in O(e + k) time, where k is the security parameter. The best previously known schemes required at least one of these complexities to be O(2 e · k). In our system, a user's transactions are anonymous and unlinkable, unless she performs a forbidden action, such as double-spending a coin. Performing a forbidden action reveals the identity of the user, and optionally allows to trace all of her past transactions. We provide solutions without using a trusted party. We argue why features of our system are likely to be crucial to the adoption of any e-cash system. (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)

[1]  David Mandell Freeman,et al.  Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10 , 2006, ANTS.

[2]  Vitaly Shmatikov,et al.  Probabilistic Escrow of Financial Transactions with Cumulative Threshold Disclosure , 2005, Financial Cryptography.

[3]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[4]  Matthew K. Franklin,et al.  A Generic Construction for Intrusion-Resilient Public-Key Encryption , 2004, CT-RSA.

[5]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[6]  Yevgeniy Dodis,et al.  Proxy cryptography revisted , 2003 .

[7]  Mihir Bellare,et al.  Transitive signatures: new schemes and proofs , 2005, IEEE Transactions on Information Theory.

[8]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[9]  Yevgeniy Dodis,et al.  A Verifiable Random Function with Short Proofs and Keys , 2005, Public Key Cryptography.

[10]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[11]  Jan Camenisch,et al.  Efficient group signature schemes for large groups , 1997 .

[12]  Kazue Sako,et al.  k-Times Anonymous Authentication (Extended Abstract) , 2004, ASIACRYPT.

[13]  A. Miyaji,et al.  New Explicit Conditions of Elliptic Curve Traces for FR-Reduction , 2001 .

[14]  Yevgeniy Dodis,et al.  Proxy Cryptography Revisited , 2003, NDSS.

[15]  Holger Vogt,et al.  Fair Tracing without Trustees , 2002, Financial Cryptography.

[16]  Yevgeniy Dodis,et al.  Efficient Construction of (Distributed) Verifiable Random Functions , 2003, Public Key Cryptography.

[17]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[18]  Eric R. Verheul,et al.  Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems , 2001, Journal of Cryptology.

[19]  Matthew K. Franklin,et al.  Intrusion-Resilient Public-Key Encryption , 2003, CT-RSA.

[20]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[21]  Kazue Sako,et al.  k-Times Anonymous Authentication with a Constant Proving Cost , 2006, Public Key Cryptography.

[22]  Rafail Ostrovsky,et al.  Sequential Aggregate Signatures and Multisignatures Without Random Oracles , 2006, EUROCRYPT.

[23]  Hoeteck Wee,et al.  On obfuscating point functions , 2005, STOC '05.

[24]  Alexandra Boldyreva,et al.  Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-Group signature scheme , 2002 .

[25]  Jan Camenisch,et al.  Blind Signatures Based on the Discrete Logarithm Problem , 1994, EUROCRYPT.

[26]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[27]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[28]  Anna Lysyanskaya,et al.  Unique Signatures and Verifiable Random Functions from the DH-DDH Separation , 2002, CRYPTO.

[29]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[30]  Christian Damsgaard Jensen,et al.  Cryptographic access control in a distributed file system , 2003, SACMAT '03.

[31]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[32]  M. Mambo,et al.  Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts (Special Section on Cryptography and Information Security) , 1997 .

[33]  Rafail Ostrovsky,et al.  Public Key Encryption with Keyword Search , 2004, EUROCRYPT.

[34]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[35]  Ran Canetti,et al.  Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information , 1997, CRYPTO.

[36]  Antoine Joux,et al.  A One Round Protocol for Tripartite Diffie–Hellman , 2000, Journal of Cryptology.

[37]  Ivan Damgård,et al.  An Integer Commitment Scheme based on Groups with Hidden Order , 2001, IACR Cryptol. ePrint Arch..

[38]  Susan Rae Hohenberger,et al.  The cryptographic impact of groups with infeasible inversion , 2003 .

[39]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[40]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.

[41]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[42]  Kazuo Ohta,et al.  Disposable Zero-Knowledge Authentications and Their Applications to Untraceable Electronic Cash , 1989, CRYPTO.

[43]  Moni Naor,et al.  Non-Malleable Cryptography (Extended Abstract) , 1991, STOC 1991.

[44]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[45]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[46]  Tibor Juhas The use of elliptic curves in cryptography , 2007 .

[47]  Steven D. Galbraith,et al.  Easy decision-Diffie-Hellman groups , 2004, IACR Cryptol. ePrint Arch..

[48]  Yael Tauman Kalai,et al.  On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[49]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[50]  Miguel Castro,et al.  Farsite: federated, available, and reliable storage for an incompletely trusted environment , 2002, OPSR.

[51]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[52]  Brent Waters,et al.  Compact Group Signatures Without Random Oracles , 2006, EUROCRYPT.

[53]  Ran Canetti,et al.  Universally Composable Commitments (Extended Abstract) , 2001, CRYPTO 2001.

[54]  V. Nechaev Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[55]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[56]  Ernest F. Brickell,et al.  Trustee-based tracing extensions to anonymous cash and the making of anonymous change , 1995, SODA '95.

[57]  Vivek Kapoor,et al.  Elliptic curve cryptography , 2008, UBIQ.

[58]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[59]  Kevin Fu,et al.  Integrity and access control in untrusted content distribution networks , 2005 .

[60]  A. Juels,et al.  Universal Re-encryption for Mixnets , 2004, CT-RSA.

[61]  Hovav Shacham,et al.  SiRiUS: Securing Remote Untrusted Storage , 2003, NDSS.

[62]  Jan Camenisch,et al.  Compact E-Cash , 2005, EUROCRYPT.

[63]  Matthew Green,et al.  Improved proxy re-encryption schemes with applications to secure distributed storage , 2006, TSEC.

[64]  Brent Waters,et al.  Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys , 2005, CRYPTO.

[65]  Stefan A. Brands,et al.  Untraceable Off-line Cash in Wallet with Observers , 2002 .

[66]  Qian Wang,et al.  Plutus: Scalable Secure File Sharing on Untrusted Storage , 2003, FAST.

[67]  N. Asokan,et al.  Optimistic fair exchange of digital signatures , 1998, IEEE Journal on Selected Areas in Communications.

[68]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[69]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[70]  Stefan Brands,et al.  Rapid Demonstration of Linear Relations Connected by Boolean Operators , 1997, EUROCRYPT.

[71]  Tal Rabin,et al.  On the Security of Joint Signature and Encryption , 2002, EUROCRYPT.

[72]  Ntt Laboratorics,et al.  Universal Electronic Cash , 1992 .

[73]  David Chaum,et al.  Online Cash Checks , 1990, EUROCRYPT.

[74]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[75]  Silvio Micali,et al.  Amortized E-Cash , 2001, Financial Cryptography.

[76]  Jan Camenisch,et al.  Practical Group Signatures without Random Oracles , 2005, IACR Cryptol. ePrint Arch..

[77]  B. Adida,et al.  Obfuscated Ciphertext Mixing , 2005 .

[78]  Dong Hoon Lee,et al.  Diffie-Hellman Problems and Bilinear Maps , 2002, IACR Cryptol. ePrint Arch..

[79]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[80]  Ran Canetti,et al.  A Forward-Secure Public-Key Encryption Scheme , 2003, Journal of Cryptology.

[81]  Ran Canetti,et al.  Studies in secure multiparty computation and applications , 1995 .

[82]  Stefan A. Brands,et al.  An Efficient Off-line Electronic Cash System Based On The Representation Problem. , 1993 .

[83]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[84]  Yevgeniy Dodis,et al.  Breaking and repairing optimistic fair exchange from PODC 2003 , 2003, DRM '03.

[85]  K. Ohta,et al.  Multi-Signature Schemes Secure against Active Insider Attacks (Special Section on Cryptography and Information Security) , 1999 .

[86]  Alexandra Boldyreva,et al.  Efficient threshold signature , multisignature and blind signature schemes based on the Gap-Diffie-Hellman-group signature scheme , 2002 .

[87]  Birgit Pfitzmann,et al.  Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees , 1997, EUROCRYPT.

[88]  M. Rabin,et al.  Randomized algorithms in number theory , 1985 .

[89]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[90]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[91]  Stefan BrandsCWI,et al.  Untraceable Oo-line Cash in Wallets with Observers , 1993 .

[92]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[93]  Eiji Okamoto,et al.  Proxy signatures for delegating signing operation , 1996, CCS '96.

[94]  Clifford C. Cocks An Identity Based Encryption Scheme Based on Quadratic Residues , 2001, IMACC.

[95]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[96]  David Pointcheval,et al.  Public Traceability in Traitor Tracing Schemes , 2005, EUROCRYPT.

[97]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[98]  Jan Camenisch,et al.  Balancing accountability and privacy using E-cash , 2006 .

[99]  Mihir Bellare,et al.  Transitive Signatures Based on Factoring and RSA , 2002, ASIACRYPT.

[100]  Shouhuai Xu,et al.  Key-Insulated Public Key Cryptosystems , 2002, EUROCRYPT.

[101]  Silvio Micali,et al.  How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design , 1986, CRYPTO.

[102]  David Chaum,et al.  Transferred Cash Grows in Size , 1992, EUROCRYPT.

[103]  Jan Camenisch,et al.  Separability and Efficiency for Generic Group Signature Schemes , 1999, CRYPTO.

[104]  Jan Camenisch,et al.  Fair Blind Signatures , 1995, EUROCRYPT.

[105]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[106]  Vitaly Shmatikov,et al.  Handcuffing Big Brother: an Abuse-Resilient Transaction Escrow Scheme , 2004, EUROCRYPT.

[107]  Yiannis Tsiounis,et al.  Efficient Electronic Cash: New Notions and Techniques , 1997 .

[108]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[109]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[110]  Tatsuaki Okamoto,et al.  An Efficient Divisible Electronic Cash Scheme , 1995, CRYPTO.

[111]  Yuliang Zheng,et al.  Signcryption and Its Applications in Efficient Public Key Solutions , 1997, ISW.

[112]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[113]  David Molnar,et al.  Provably Secure Subsitution of Cryptographic Tools , 2006, IACR Cryptol. ePrint Arch..

[114]  Paulo S. L. M. Barreto,et al.  Efficient Algorithms for Pairing-Based Cryptosystems , 2002, CRYPTO.

[115]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[116]  Yiannis Tsiounis,et al.  Easy Come - Easy Go Divisible Cash , 1998, EUROCRYPT.

[117]  Dawn Xiaodong Song,et al.  Homomorphic Signature Schemes , 2002, CT-RSA.

[118]  Mike Scott,et al.  Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number , 2002, IACR Cryptol. ePrint Arch..

[119]  Markus Jakobsson,et al.  On Quorum Controlled Asymmetric Proxy Re-encryption , 1999, Public Key Cryptography.

[120]  Jan Camenisch,et al.  Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes , 1998, EUROCRYPT.

[121]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[122]  Annegret Weng,et al.  Elliptic Curves Suitable for Pairing Based Cryptography , 2005, Des. Codes Cryptogr..

[123]  Susan Hohenberger,et al.  Proxy re-signatures: new definitions, algorithms, and applications , 2005, CCS '05.

[124]  Reihaneh Safavi-Naini,et al.  Dynamic k-Times Anonymous Authentication , 2005, ACNS.

[125]  Yiannis Tsiounis,et al.  "Indirect Discourse Proof": Achieving Efficient Fair Off-Line E-cash , 1996, ASIACRYPT.

[126]  Jan Camenisch,et al.  Group signature schemes and payment systems based on the discrete logarithm problem , 1998 .

[127]  Steven D. Galbraith,et al.  Implementing the Tate Pairing , 2002, ANTS.

[128]  Denis Xavier Charles On the existence of distortion maps on ordinary elliptic curves , 2006, IACR Cryptol. ePrint Arch..

[129]  Matt Blaze,et al.  A cryptographic file system for UNIX , 1993, CCS '93.

[130]  Franz Pichler,et al.  Advances in Cryptology — EUROCRYPT’ 85 , 2000, Lecture Notes in Computer Science.

[131]  Mihir Bellare,et al.  GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks , 2002, CRYPTO.

[132]  Lea Kissner Provably Secure Substitution of Cryptographic Tools , 2005 .

[133]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[134]  Yael Tauman Kalai,et al.  On the impossibility of obfuscation with auxiliary input , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[135]  Anna Lysyanskaya,et al.  Signature schemes and applications to cryptographic protocol design , 2002 .

[136]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[137]  Amos Fiat,et al.  Untraceable Electronic Cash , 1990, CRYPTO.

[138]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[139]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[140]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[141]  Dan Boneh,et al.  Applications of Multilinear Forms to Cryptography , 2002, IACR Cryptol. ePrint Arch..

[142]  D. Kahn The codebreakers : the story of secret writing , 1968 .

[143]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[144]  B. Kaliski,et al.  TWIRL and RSA Key Size , 2003 .

[145]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[146]  Antoine Joux,et al.  Separating Decision Diffie–Hellman from Computational Diffie–Hellman in Cryptographic Groups , 2003, Journal of Cryptology.

[147]  David A. Wagner,et al.  Security and Privacy Issues in E-passports , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[148]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[149]  Tatsuaki Okamoto,et al.  A digital multisignature scheme using bijective public-key cryptosystems , 1988, TOCS.

[150]  Security Rsa,et al.  TWIRL and RSA Key Size , 2003 .

[151]  Ahmad-Reza Sadeghi,et al.  Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference , 2001, EUROCRYPT.

[152]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[153]  Amnon Ta-Shma,et al.  Flow Control: A New Approach for Anonymity Control in Electronic Cash Systems , 1999, Financial Cryptography.

[154]  Silvio Micali,et al.  Micropayments Revisited , 2002, CT-RSA.

[155]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[156]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[157]  David Chaum,et al.  Convertible Undeniable Signatures , 1990, CRYPTO.

[158]  Paulo S. L. M. Barreto,et al.  A New Two-Party Identity-Based Authenticated Key Agreement , 2005, CT-RSA.

[159]  Steven D. Galbraith,et al.  Supersingular Curves in Cryptography , 2001, ASIACRYPT.

[160]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[161]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[162]  Jan Camenisch,et al.  Group Signatures: Better Efficiency and New Theoretical Aspects , 2004, SCN.

[163]  Alexander W. Dent,et al.  Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model , 2002, ASIACRYPT.

[164]  Liba Svobodova,et al.  A distributed data storage system for a local network , 1980 .

[165]  NaorMoni,et al.  Number-theoretic constructions of efficient pseudo-random functions , 2004 .

[166]  Joonsang Baek,et al.  Formal Proofs for the Security of Signcryption , 2002, Journal of Cryptology.

[167]  S. Micali,et al.  Accountable-Subgroup Multisignatures , 2001 .

[168]  Melissa Chase,et al.  On Signatures of Knowledge , 2006, CRYPTO.

[169]  Kevin Fu,et al.  Group Sharing and Random Access in Cryptographic Storage File Systems , 1999 .

[170]  Antoine Joux,et al.  Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups , 2001, IACR Cryptology ePrint Archive.

[171]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.