Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Related Work
References
All Topics
Computer Science
Cryptography

Signatures on Randomizable Ciphertexts

Profile image of Olivier BlazyOlivier Blazy

2011, Lecture Notes in Computer Science

https://doi.org/10.1007/978-3-642-19379-8_25
visibility

description

29 pages

link

1 file

Abstract

Randomizable encryption allows anyone to transform a ciphertext into a fresh ciphertext of the same message. Analogously, a randomizable signature can be transformed into a new signature on the same message. We combine randomizable encryption and signatures to a new primitive as follows: given a signature on a ciphertext, anyone, knowing neither the signing key nor the encrypted message, can randomize the ciphertext and adapt the signature to the fresh encryption, thus maintaining public verifiability. Moreover, given the decryption key and a signature on a ciphertext, one can compute ("extract") a signature on the encrypted plaintext. As adapting a signature to a randomized encryption contradicts the standard notion of unforgeability, we introduce a weaker notion stating that no adversary can, after querying signatures on ciphertexts of its choice, output a signature on an encryption of a new message. This is reasonable since, due to extractability, a signature on an encrypted message can be interpreted as an encrypted signature on the message. Using Groth-Sahai proofs and Waters signatures, we give several instantiations of our primitive and prove them secure under classical assumptions in the standard model and the CRS setting. As an application, we show how to construct an efficient non-interactive receipt-free universally verifiable e-voting scheme. In such a scheme a voter cannot prove what his vote was, which precludes vote selling. Besides, our primitive also yields an efficient roundoptimal blind signature scheme based on standard assumptions, and namely for the classical Waters signature. Work done while atÉcole normale supérieure, Paris, France.

Related papers

Efficient Sanitizable Signatures Without Random Oracles
Sherman S.M. Chow

Computer Security – ESORICS 2016, 2016

Sanitizable signatures, introduced by Ateniese et al. (ESORICS '05), allow the signer to delegate the sanitization right of signed messages. The sanitizer can modify the message and update the signature accordingly, so that the sanitized part of the message is kept private. For stronger protection of sensitive information, it is desirable that no one can link sanitized message-signature pairs of the same document. This idea was formalized by Brzuska et al. (PKC '10) as unlinkability, which was followed up recently by Fleischhacker et al. (PKC '16). Unfortunately, these generic constructions of sanitizable signatures, unlinkable or not, are based on building blocks with specially crafted features which efficient (standard model) instantiations are absent. Basing on existing primitives or a conceptually simple primitive is more desirable. In this work, we present two such generic constructions, leading to efficient instantiations in the standard model. The first one is based on rerandomizable tagging, a new primitive which may find independent interests. It captures the core accountability mechanism of sanitizable signatures. The second one is based on accountable ring signatures (CARDIS '04, ESORICS '15). As an intermediate result, we propose the first accountable ring signature scheme in the standard model.

View PDFchevron_right
Certificate-based signatures revisited
Willy Susilo

2009

Certificate-based encryption was introduced in Eurocrypt'03 to solve the certificate management problem in public key encryption. Recently, this idea was extended to certificate-based signatures. Several new schemes and security models of certificate-based signatures have been proposed. In this paper, we first take a closer look at the certificate-based signature by comparing it with digital signatures in other popular public key systems. We introduce a new security model of certificate-based signature, which defines several new types of adversaries against certificate-based signatures, along with the security model of certificate-based signatures against them. The new model is clearer and more elaborated compared with other existing ones. We then investigate the relationship between certificate-based signatures and certificateless signatures, and propose a generic construction of certificate-based signatures. We prove that the generic construction is secure (in the random oracle model) against all types of adversaries defined in this paper, assuming the underlying certificateless signatures satisfying certain security notions. Based on our generic construction, we are able to construct new certificate-based signature schemes, which are more efficient in comparison with other schemes with similar security levels.

View PDFchevron_right
Generic Constructions for Verifiably Encrypted Signatures without Random Oracles or NIZKs
Dominique Schröder

Lecture Notes in Computer Science, 2010

Verifiably encrypted signature schemes (VES) allow a signer to encrypt his or her signature under the public key of a trusted third party, while maintaining public signature verifiability. With our work, we propose two generic constructions based on Merkle authentication trees that do not require non-interactive zero-knowledge proofs (NIZKs) for maintaining verifiability. Both are stateful and secure in the standard model. Furthermore, we extend the specification for VES, bringing it closer to real-world needs. We also argue that statefulness can be a feature in common business scenarios. Our constructions rely on the assumption that CPA (even slightly weaker) secure encryption, "maskable" CMA secure signatures, and collision resistant hash functions exist. "Maskable" means that a signature can be hidden in a verifiable way using a secret masking value. Unmasking the signature is hard without knowing the secret masking value. We show that our constructions can be instantiated with a broad range of efficient signature and encryption schemes, including two lattice-based primitives. Thus, VES schemes can be based on the hardness of worstcase lattice problems, making them secure against subexponential and quantum-computer attacks. Among others, we provide the first efficient pairing-free instantiation in the standard model.

View PDFchevron_right
A generalization of Paillier’s public-key system with applications to electronic voting
Ivan Damgård

International Journal of Information Security, 2010

We propose a generalization of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier's original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct a threshold variant of the generalized scheme as well as zero-knowledge protocols to show that a given ciphertext encrypts one of a set of given plaintexts, and protocols to verify multiplicative relations on plaintexts. We then show how these building blocks can be used for applying the scheme to efficient electronic voting. This reduces dramatically the work needed to compute the final result of an election, compared to the previously best known schemes. We show how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up to t out of L candidates. The same basic building blocks can also be adapted to provide receipt-free elections, under appropriate physical assumptions. The scheme for 1 out of L elections can be optimized such that for a certain range of the other parameter values, the ballotsize is logarithmic in L.

View PDFchevron_right
Signatures dont des falsifications sont prouvables, et leur application
Birgit Pfitzmann

The unforgeability of conventional digital signatures is necessarily based on complexity theoretic assumptions, i.e. even the most secure schemes can be broken by an adversary with unexpected computing abilities. Thus we introduce fail-stop signatures: They are as unforgeable as the best conventional signatures, but if a signature is forged nevertheless, the supposed signer can prove the forgery unconditionally (i.e. without assumptions), with arbitrarily high probability.

View PDFchevron_right
Copyright: 2009, Common Ground Publishing Certificate-based Signatures Revisited1
Willy Susilo

2016

Abstract: Certificate-based encryption was introduced in Eurocrypt’03 to solve the certificate management problem in public key encryption. Recently, this idea was ex-tended to certificate-based signatures. Several new schemes and security models of certificate-based signatures have been proposed. In this paper, we first take a closer look at the certificate-based signature by comparing it with digital signatures in other popular public key systems. We introduce a new security model of certificate-based signature, which defines several new types of adversaries against certificate-based sig-natures, along with the security model of certificate-based signatures against them. The new model is clearer and more elaborated compared with other existing ones. We then investigate the relationship between certificate-based signatures and certificate-less signatures, and propose a generic construction of certificate-based signatures. We prove that the generic construction is secure (in the ran...

View PDFchevron_right
Generic Constructions for Verifiably Encrypted Signatures Without Random Oracles or NIZKs–preliminary draft–
Dominique Schröder

eprint.iacr.org

Verifiably encrypted signature schemes (VES) allow a signer to encrypt his or her signature under the public key of a trusted third party, while maintaining public signature verifiability. With our work, we propose two generic constructions based on Merkle authentication trees that do not require non-interactive zero-knowledge proofs (NIZKs) for maintaining verifiability. Both are stateful and secure in the standard model. Furthermore, we extend the specification for VES, bringing it closer to real-world needs. We also argue that statefulness can be a feature in common business scenarios. Our constructions rely on the assumption that CPA (even slightly weaker) secure encryption, "maskable" CMA secure signatures, and collision resistant hash functions exist. "Maskable" means that a signature can be hidden in a verifiable way using a secret masking value. Unmasking the signature is hard without knowing the secret masking value. We show that our constructions can be instantiated with a broad range of efficient signature and encryption schemes, including two lattice-based primitives. Thus, VES schemes can be based on the hardness of worstcase lattice problems, making them secure against subexponential and quantum-computer attacks. Among others, we provide the first efficient pairing-free instantiation in the standard model.

View PDFchevron_right
Committing Encryption and Publicly-Verifiable SignCryption
Amir Herzberg

IACR Cryptol. ePrint Arch., 2003

Encryption is often conceived as a committing process, in the sense that the ciphertext may serve as a commitment to the plaintext. But this does not follow from the standard definitions of secure encryption. We define and construct symmetric and asymmetric committing encryption schemes, enabling publicly verifiable non-repudiation. Committing encryption eliminates key-spoofing attacks and has also the robustness to be signed afterwards. Our constructions are very efficient and practical. In particular, we show that most popular asymmetric encryption schemes, e.g. RSA, are committing encryption schemes; we also have an (efficient) construction given an arbitrary asymmetric encryption scheme. Our construction of symmetric committing encryption retains the efficiency of the symmetric encryption for realtime operations, although it uses few public key signatures in the setup phase. Finally, we investigate how to achieve both confidentiality and non-repudiation, and present a publicly v...

View PDFchevron_right
On the security of the Courtois-Finiasz-Sendrier signature
Kirill Morozov

Open Mathematics

We prove that a variant of the Courtois-Finiasz-Sendrier signature is strongly existentially unforgeable under chosen message attack in the random oracle model, assuming hardness of the Permuted Goppa Syndrome Decoding Problem (also known as the Niederreiter problem). In addition, we explicitly show that security against key substitution attacks can be arranged by a standard technique of Menezes and Smart, hashing the public key.

View PDFchevron_right
Practical fair anonymous undeniable signatures
Xiaotie Deng

2004

We present a new model for undeniable signatures:

View PDFchevron_right

References (23)

  1. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo. Structure-preserving signatures and commitments to group elements. In T. Rabin, editor, Advances in Cryptology -CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages 209-236. Springer, Aug. 2010.
  2. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. Franklin, editor, Advances in Cryptology - CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 41-55. Springer, Aug. 2004.
  3. BCC + 09] M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and H. Shacham. Randomizable proofs and delegatable anonymous credentials. In S. Halevi, editor, Advances in Cryptology -CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 108-125. Springer, Aug. 2009.
  4. O. Baudron, P.-A. Fouque, D. Pointcheval, J. Stern, and G. Poupard. Practical multi-candidate election system. In 20th ACM Symposium Annual on Principles of Distributed Computing, pages 274-283. ACM Press, Aug. 2001.
  5. M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The power of RSA inversion oracles and the security of Chaum's RSA-based blind signature scheme. In P. F. Syverson, editor, FC 2001: 5th International Conference on Financial Cryptography, volume 2339 of Lecture Notes in Computer Science, pages 319-338. Springer, Feb. 2001.
  6. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In V. Ashby, editor, ACM CCS 93: 1st Conference on Computer and Communications Security, pages 62-73. ACM Press, Nov. 1993.
  7. X. Boyen and B. Waters. Compact group signatures without random oracles. In S. Vaudenay, editor, Advances in Cryptology -EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 427-444. Springer, May / June 2006.
  8. D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, Advances in Cryptology -CRYPTO'82, pages 199-203. Plenum Press, New York, USA, 1983.
  9. I. Damgård, N. Fazio, and A. Nicolosi. Non-interactive zero-knowledge from homomorphic encryption. In S. Halevi and T. Rabin, editors, TCC 2006: 3rd Theory of Cryptography Conference, volume 3876 of Lecture Notes in Computer Science, pages 41-59. Springer, Mar. 2006.
  10. M. Fischlin. Round-optimal composable blind signatures in the common reference string model. In C. Dwork, editor, Advances in Cryptology -CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pages 60-77. Springer, Aug. 2006.
  11. G. Fuchsbauer and D. Pointcheval. Proofs on encrypted values in bilinear groups and an application to anonymity of signatures. In H. Shacham and B. Waters, editors, PAIRING 2009: 3rd International Conference on Pairing-based Cryptography, volume 5671 of Lecture Notes in Computer Science, pages 132-149. Springer, Aug. 2009.
  12. G. Fuchsbauer. Automorphic signatures in bilinear groups and an application to round-optimal blind signatures. Cryptology ePrint Archive, Report 2009/320, 2009. http://eprint.iacr.org/.
  13. G. Fuchsbauer. Commuting signatures and verifiable encryption and an application to non-interactively delegatable credentials. Cryptology ePrint Archive, Report 2010/233, 2010. http://eprint.iacr.org/.
  14. K. Gjøsteen and L. Kråkmo. Round-optimal blind signatures from Waters signatures. In J. Baek, F. Bao, K. Chen, and X. Lai, editors, ProvSec, volume 5324 of Lecture Notes in Computer Science, pages 112-126. Springer, 2008.
  15. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, Apr. 1988.
  16. J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In N. P. Smart, editor, Advances in Cryptology -EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 415-432. Springer, Apr. 2008.
  17. D. Hofheinz and E. Kiltz. Programmable hash functions and their applications. In D. Wagner, editor, Advances in Cryptology -CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pages 21-38. Springer, Aug. 2008.
  18. S. Meiklejohn, H. Shacham, and D. M. Freeman. Limitations on transformations from composite-order to prime-order groups: The case of round-optimal blind signatures. In M. Abe, editor, Proceedings of Asiacrypt 2010, volume 6477 of Lecture Notes in Computer Science, pages 519-538. Springer, 2010.
  19. D. Pointcheval and J. Stern. Provably secure blind signature schemes. In K. Kim and T. Matsumoto, editors, Advances in Cryptology -ASIACRYPT'96, volume 1163 of Lecture Notes in Computer Science, pages 252-265. Springer, Nov. 1996.
  20. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361-396, 2000.
  21. R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the Association for Computing Machinery, 21(2):120-126, 1978.
  22. M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In L. C. Guillou and J.-J. Quisquater, edi- tors, Advances in Cryptology -EUROCRYPT'95, volume 921 of Lecture Notes in Computer Science, pages 209-219. Springer, May 1995.
  23. B. R. Waters. Efficient identity-based encryption without random oracles. In R. Cramer, editor, Advances in Cryptology -EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 114-127. Springer, May 2005.

Related papers

Security of verifiably encrypted signatures and a construction without random oracles
Dominique Schröder

Pairing-Based Cryptography–Pairing 2009, 2009

In a verifiably encrypted signature scheme, signers encrypt their signature under the public key of a trusted third party and prove that they did so correctly. The security properties, due to Boneh et al. (Eurocrypt 2003), are unforgeability and opacity. This paper proposes two novel fundamental requirements for verifiably encrypted signatures, called extractability and abuse-freeness, and analyzes its effects on the established security model. Extractability ensures that the trusted third party is always able to extract a valid signature from a valid verifiably encrypted signature and abuse-freeness guarantees that a malicious signer, who cooperates with the trusted party, is not able to forge a verifiably encrypted signature. We further show that both properties are not covered by the model of Boneh et al. The second main contribution of this paper is a verifiably encrypted signature scheme, provably secure without random oracles, that is more efficient and greatly improves the public key size of the only other construction in the standard model by Lu et al. (Eurocrypt 2006). Moreover, we present strengthened definitions for unforgeability and opacity in the spirit of strong unforgeability of digital signature schemes.

View PDFchevron_right
Anonymous Signatures Revisited
Vishal Saraswat

Lecture Notes in Computer Science, 2009

We revisit the notion of the anonymous signature, first formalized by Yang, Wong, Deng and Wang [12], and then further developed by Fischlin [6] and Zhang and Imai . We present a new formalism of anonymous signature, where instead of the message, a part of the signature is withheld to maintain anonymity. We introduce the notion unpretendability to guarantee infeasibility for someone other than the correct signer to pretend authorship of the message and signature. Our definition retains applicability for all previous applications of the anonymous signature, provides stronger security, and is conceptually simpler. We give a generic construction from any ordinary signature scheme, and also show that the short signature scheme by Boneh and Boyen [4] can be naturally regarded as such a secure anonymous signature scheme according to our formalism.

View PDFchevron_right
The Joint Signature and Encryption Revisited ∗
Laila El Aimani

2013

We study the Sign then Encrypt, Commit then Encrypt and Sign, and Encrypt then Sign paradigms in the context of three cryptographic primitives, namely designated confirmer signatures, signcryption, and verifiably encrypted signatures. Our study identifies weaknesses in those paradigms which impose the use of expensive encryption (as a building block) in order to meet a reasonable security level. Next, we propose some optimizations which annihilate the found weaknesses and allow consequently cheap encryption without compromising the overall security. Our optimizations further enjoy verifiability, a property profoundly needed in many real-life applications of the studied primitives.

View PDFchevron_right
Sanitizable Signatures Revisited
Willy Susilo
View PDFchevron_right
Security of sanitizable signatures revisited
Dominique Schröder

… Key Cryptography–PKC …, 2009

Sanitizable signature schemes, as defined by Ateniese et al. (ESORICS 2005), allow a signer to partly delegate signing rights to another party, called the sanitizer. That is, the sanitizer is able to modify a predetermined part of the original message such that the integrity and authenticity of the unchanged part is still verifiable. Ateniese et al. identify five security requirements for such schemes (unforgeability, immutability, privacy, transparency and accountability) but do not provide formal specifications for these properties. They also present a scheme that is supposed to satisfy these requirements.

View PDFchevron_right

Related topics

  • Blind Signature

    • Cited by

    Efficient ID-based Designated Verifier Signature
    Amandine Jambert

    Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017

    View PDFchevron_right
    Round-Optimal Privacy-Preserving Protocols with Smooth Projective Hash Functions
    Olivier Blazy

    Theory of Cryptography, 2012

    In 2008, Groth and Sahai proposed a powerful suite of techniques for constructing non-interactive zero-knowledge proofs in bilinear groups. Their proof systems have found numerous applications, including group signature schemes, anonymous voting, and anonymous credentials. In this paper, we demonstrate that the notion of smooth projective hash functions can be useful to design round-optimal privacy-preserving interactive protocols. We show that this approach is suitable for designing schemes that rely on standard security assumptions in the standard model with a common-reference string and are more efficient than those obtained using the Groth-Sahai methodology. As an illustration of our design principle, we construct an efficient oblivious signature-based envelope scheme and a blind signature scheme, both round-optimal.

    View PDFchevron_right
    Compact Round-Optimal Partially-Blind Signatures
    Olivier Blazy

    Lecture Notes in Computer Science, 2012

    Partially-blind signatures find many applications in the area of anonymity, such as in e-cash or e-voting systems. They extend classical blind signatures, with a signed message composed of two parts: a public one (common to the user and the signer) and a private one (chosen by the user, and blindly signed). The signer cannot link later the message-signature to the initial interaction with the user, among other signatures on messages with the same public part. This paper presents a one-round partially-blind signature which achieves perfect blindness in the standard model using a Common Reference String, under classical assumptions: CDH and DLin assumptions in symmetric groups, and similar ones in asymmetric groups. This scheme is more efficient than the previous ones: reduced round complexity and communication complexity, but still weaker complexity assumptions. A great advantage is also to end up with a standard Waters signature, which is quite short. In addition, in all the previous schemes, the public part required a prior agreement between the parties on the public part of the message before running the blind signature protocol. Our protocol does not require such pre-processing: the public part can be chosen by the signer only. Our scheme even allows multiple messages provided from independent sources to be blindly signed. These messages can either be concatenated or aggregated by the signer, without learning any information about them, before returning the blind signature to the recipient. For the aggregation (addition of the messages), we provide a new result, of independent interest, about the Waters hash function over non binary-alphabets.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved