Accumulators from Bilinear Pairings and Applications
2005
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.
Related papers
Analysis of bilinear pairing-based accumulator for identity escrowing
IET Information Security, 2008
An accumulator based on bilinear pairings was proposed at CT-RSA'05. Here, it is first demonstrated that the security model proposed by Lan Nguyen does lead to a cryptographic accumulator that is not collision resistant. Secondly, it is shown that collision-resistance can be provided by updating the adversary model appropriately. Finally, an improvement on Nguyen's identity escrow scheme, with membership revocation based on the accumulator, by removing the trusted third party is proposed.
Two Identity-Based Aggregate Signature Schemes from Pairings
2018
An aggregate signature is a short digital signature which is the output of aggregation process. The signature aggregation is done on k signatures of k distinct messages from k distinct users. As the produced signature size is shorter, so it will be efficient to use the schemes in low-bandwidth communication environment. In this paper, we proposed two identity-based aggregate signature schemes from bilinear pairing operations. The proposed schemes are secure against existential forgery under adaptively chosen message and identity attack in the random oracle model based on the assumption of intractability of the computational Diffie–Hellman problem (CDHP). The efficiency analysis of the proposed identity-based aggregate signature schemes with other established identity-based aggregate signature schemes is also done in this paper.
Identity-Based Aggregate Signatures
2006
An aggregate signature is a single short string that convinces any verifier that, for all 1 ≤ i ≤ n, signer S i signed message M i , where the n signers and n messages may all be distinct. The main motivation of aggregate signatures is compactness. However, while the aggregate signature itself may be compact, aggregate signature verification might require potentially lengthy additional information – namely, the (at most) n distinct signer public keys and the (at most) n distinct messages being signed. If the verifier must obtain and/or store this additional information, the primary benefit of aggregate signatures is largely negated. This paper initiates a line of research whose ultimate objective is to find a signature scheme in which the total information needed to verify is minimized. In particular, the verification information should preferably be as close as possible to the theoretical minimum: the complexity of describing which signer(s) signed what message(s). We move toward this objective by developing identity-based aggregate signature schemes. In our schemes, the verifier does not need to obtain and/or store various signer public keys to verify; instead, the verifier only needs a description of who signed what, along with two constant-length “tags”: the short aggregate signature and the single public key of a Private Key Generator. Our scheme is secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups against an adversary that chooses its messages and its target identities adaptively.
Provably Secure Identity-Based Aggregate Signature Scheme
2012 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, 2012
This article proposes a provably secure aggregate signcryption scheme in random oracles. Security of the scheme is based on computational infesibility of solving Decisional Bilinear Diffie-Hellman Problem and Discrete Logarithm Problems. Confidentiality and authenticity are two fundamental security requirement of Public key Cryptography. These are achieved by encryption scheme and digital signatures respectively. Signcryption scheme is a cryptographic primitive that performs signature and encryption simultaneously in a single logical steps. An aggregate signcryption scheme can be constructed of the aggregation of individual signcryption. The aggreagtion is done taking n distinct signcryptions on n messages signed by n distinct users.
A Pairing Free Secure Identity-based Aggregate Signature Scheme Under Random Oracle
Informatica (Slovenia), 2018
The signature aggregation is efficient for the communication links as the time complexity is independent of n different users. The bilinear pairing requires super-singular elliptic curve groups that have a spacious range of elements. Also, the point multiplication over elliptic curve is less computational cost than the pairings, therefore, the pairing-based schemes expose more computational complexity than schemes that without pairings. This paper introduces a new efficient and secure pairing free signature scheme based on the idea of aggregation. Also, the proposed scheme without pairings offers lower computational cost than other schemes from pairings as it saves 68.69% from computations.
Practical group signatures without random oracles
2005
We provide a construction for a group signature scheme that is provably secure in a universally composable framework, within the standard model with trusted parameters. Our proposed scheme is fairly simple and its efficiency falls within small factors of the most efficient group signature schemes with provable security in any model (including random oracles). Security of our constructions require new cryptographic assumptions, namely the Strong LRSW, EDH, and Strong SXDH assumptions. Evidence for any assumption we introduce is provided by proving hardness in the generic group model.
An identity based ring signcryption scheme with public verifiability
2010 International Conference on Security and Cryptography (SECRYPT), 2010
Signcryption is a cryptographic primitive which offers authentication and confidentiality simultaneously with a cost lower than signing and encrypting the message independently. Ring signcryption enables a user to anonymously signcrypt a message on behalf of a set of users including himself. Thus a ring signcrypted message has anonymity in addition to authentication and confidentiality. Ring signcryption schemes have no centralized coordination: any user can choose a ring of users, that includes himself and signcrypt any message without any assistance from the other group members. Ring Signcryption is useful for leaking trustworthy secrets in an anonymous, authenticated and confidential way. To the best of our knowledge, ten identity based ring signcryption schemes are reported in the literature. Three of them were proved to be insecure in (Li et al., 2008a), (Zhang et al., 2009a) and (Vivek et al., 2009). Four of them were proved to be insecure in (Selvi et al., 2009). In this pape...
On the Security of Identity Based Ring Signcryption Schemes
Lecture Notes in Computer Science, 2009
Signcryption is a cryptographic primitive which offers authentication and confidentiality simultaneously with a cost lower than signing and encrypting the message independently. Ring signcryption enables a user to signcrypt a message along with the identities of a set of potential senders (that includes him) without revealing which user in the set has actually produced the signcryption. Thus a ring signcrypted message has anonymity in addition to authentication and confidentiality. Ring signcryption schemes have no group managers, no setup procedures, no revocation procedures and no coordination: any user can choose any set of users (ring), that includes himself and signcrypt any message by using his private and public key as well as other users (in the ring) public keys, without getting any approval or assistance from them. Ring Signcryption is useful for leaking trustworthy secrets in an anonymous, authenticated and confidential way.
Identity-Based Ring Signcryption Schemes: Cryptographic Primitives for Preserving Privacy and Authenticity in the Ubiquitous World
19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers), 2005
In this paper, we present a new concept called an identity based ring signcryption scheme (IDRSC). We argue that this is an important cryptographic primitive that must be used to protect privacy and authenticity of a collection of users who are connected through an ad-hoc network, such as Bluetooth. We also present an efficient IDRSC scheme based on bilinear pairing. As a regular signcryption scheme, our scheme combines the functionality of signature and encryption schemes. However, the idea is to have an identity based system. In our scheme, a user can anonymously signcrypts a message on behalf of the group. We show that our scheme outperforms a traditional identity based scheme, that is obtained by a standard sign-then-encrypt mechanism, in terms of the length of the ciphertext. We also provide a formal proof of our scheme with the chosen ciphertext security under the Decisional Bilinear Diffie-Hellman assumption, which is believed to be intractable.
A Schnorr-Like Lightweight Identity-Based Signature Scheme
2009
The use of concatenated Schnorr signatures [Sch91] for the hierarchical delegation of public keys is a well-known technique. In this paper we carry out a thorough analysis of the identity-based signature scheme that this technique yields. The resulting scheme is of interest since it is intuitive, simple and does not require pairings. We prove that the scheme is secure against existential forgery on adaptive chosen message and adaptive identity attacks using a variant of the Forking Lemma [PS00]. The security is proven in the Random Oracle Model under the discrete logarithm assumption. Next, we provide an estimation of its performance, including a comparison with the state of the art on identity-based signatures. We draw the conclusion that the Schnorrlike identity-based signature scheme is arguably the most efficient such scheme known to date.
Related topics
Related papers
An Efficient Key Escrow-Free Identity-Based Signature Scheme
2017
There are mainly two drawbacks of identity-based cryptosystem. First one is that it suffers from key escrow problem and the second one is that it uses a secure channel at the stage of private key issuance by the Private Key Generator (PKG). In this paper, we propose a key escrow-free identitybased signature scheme without using secure channel in the process of private key issuance stage. The bilinear pairing is used for the construction of the proposed scheme. The scheme is secure against adaptive chosen message attack and given ID attack under the assumption that the computation DiffieHellman problem is hard.
Identity-Based Aggregate and Multi-Signature Schemes Based on RSA
Lecture Notes in Computer Science, 2010
We propose new identity-based multi-signature (IBMS) and aggregate signature (IBAS) schemes, secure under RSA assumption. Our schemes reduce round complexity of previous RSA-based IBMS scheme of Bellare and Neven [BN07] from three to two rounds. Surprisingly, this improvement comes at virtually no cost, as the computational efficiency and exact security of the new scheme are almost identical to those of [BN07]. The new scheme is enabled by a technical tool of independent interest, a class of zero-knowledge proofs of knowledge of preimages of one-way functions which is straight-line simulatable, enabling concurrency and good exact security, and aggregatable, enabling aggregation of parallel instances of such proofs into short multi/aggregate signatures.
One-Way Signature Chaining: a new paradigm for group cryptosystems
International Journal of Information and Computer Security, 2008
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added to the chain. However, it is computationally infeasible to remove any intermediate links without removing all the links. The signatures so created are called chain signatures (CS). We give precise definitions of chain signatures and discuss some applications in trust transfer. We then present a practical construction of a CS scheme that is secure (in the random oracle model) under the Computational Diffie-Hellman (CDH) assumption in bilinear maps.
An identity-based ring signature scheme with enhanced privacy
… and Workshops, 2006, 2006
There are many applications in which it is necessary to transmit authenticatable messages while achieving certain privacy goals such as signer ambiguity. The emerging area of vehicular ad-hoc network is a good example application domain with this requirement. The ring signature technique that uses an ad-hoc group of signer identities is a widely used method for generating this type of privacy preserving digital signatures. The identity-based cryptographic techniques do not require certificates. The construction of ring signatures using identity-based cryptography allow for privacy preserving digital signatures to be created in application when certificates are not readily available or desirable such as in vehicle area networks. We propose a new designated verifier identitybased ring signature scheme that is secure against full key exposure attacks even for a small group size. This is a general purpose primitive that can be used in many application domains such as ubiquitous computing where signer ambiguity is required in small groups. We consider the usefulness of identity-based cryptographic primitives in vehicular adhoc networks and use a specific example application to illustrate the use of identity-based ring signatures as a tool to create privacy preserving authenticatable messages.
A suite of non-pairing ID-based threshold ring signature schemes with different levels of anonymity (extended abstract)
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2010
Since the introduction of Identity-based (ID-based) cryptography by Shamir in 1984, numerous ID-based signature schemes have been proposed. In 2001, Rivest et al. introduced ring signature that provides irrevocable signer anonymity and spontaneous group formation. In recent years, ID-based ring signature schemes have been proposed and almost all of them are based on bilinear pairings. In this paper, we propose the first ID-based threshold ring signature scheme that is not based on bilinear pairings. We also propose the first ID-based threshold 'linkable' ring signature scheme. We emphasize that the anonymity of the actual signers is maintained even against the private key generator (PKG) of the ID-based system. Finally we show how to add identity escrow to the two schemes. Due to the different levels of signer anonymity they support, the schemes proposed in this paper actually form a suite of ID-based threshold ring signature schemes which is applicable to many real-world applications with varied anonymity requirements.
A suite of id-based threshold ring signature schemes with different levels of anonymity
2005
Abstract. Since the introduction of Identity-based (ID-based) cryptography by Shamir in 1984, numerous ID-based signature schemes have been proposed. In 2001, Rivest et al. introduced ring signature that provides irrevocable signer anonymity and spontaneous group formation. In recent years, ID-based ring signature schemes have been proposed and all of them are based on bilinear pairings. In this paper, we propose the first ID-based threshold ring signature scheme that is not based on bilinear pairings.
A Pairing-Based Anonymous Credential System with Efficient Attribute Proofs
Journal of Information Processing, 2012
To enhance user privacy, anonymous credential systems allow the user to convince a verifier of the possession of a certificate issued by the issuing authority anonymously. The typical application is the privacy-enhancing electronic ID (eID). Although a previously proposed system achieves the constant complexity in the number of finiteset attributes of the user, it requires the use of RSA. In this paper, we propose a pairing-based anonymous credential system excluding RSA that achieves the constant complexity. The key idea of our proposal is the adoption of a pairingbased accumulator that outputs a constant-size value from a large set of input values. Using zero-knowledge proofs of pairing-based certificates and accumulators, any AND and OR relation can be proved with the constant complexity in the number of finite-set attributes. We implement the proposed system using the fast pairing library, compare the efficiency with the conventional systems, and show the practicality in a mobile eID application.
Identity based partial aggregate signature scheme without pairing
2012
An identity based signature allows users to sign their documents using their private keys and the signature can be verified by any one, using the identity of the signer and public parameters of the system. An aggregate signature scheme is a digital signature scheme which allows aggregation of different signatures by different users on different messages. The primary objective of aggregate signature scheme is to achieve both computational and communication efficiency. Here, we propose an identity based aggregate signature scheme, which uses a variation of light weight Schnorr type identity based signature scheme, where in the signers need not agree upon a common randomness and the aggregation is done without having any kind of interaction among the signers. The scheme is pairing free even for aggregate signature verification. The scheme is computationally efficient because it avoids costly bilinear pairing operation. It should be noted that our signature achieves only partial aggregation because the private key of each user is generated by a randomized extract algorithm and hence a random value is to be propagated with each single signature generated.
A provably secure identity-based proxy ring signature based on RSA
Security and Communication Networks, 2014
Proxy ring (anonymous proxy) signatures allow an entity to delegate its signing capability to a group of entities (proxy group) such that only one of the members in the proxy group can generate a proxy signature on behalf of the delegator while privacy of the proxy signer is protected. Identity-based versions of proxy ring signatures employ identity strings in place of randomly generated public keys. Our contribution is two-fold. First, we formalize a security model for identity-based proxy ring signatures. We note that there exists no formal security model for identity-based proxy ring signatures prior to our work. Second, we present the rst provably secure identity-based proxy ring signature scheme using a new paradigm called sequential aggregation. The construction is proved secure, under the one-wayness assumption of RSA, in the random oracle model by presenting a new forking lemma.We should highlight that the proxy key exposure attack cannot be applied to our scheme. Further, in contrast to the existing schemes that are based on pairings, our scheme is based on RSA; therefore, it outperforms the existing schemes in terms of eciency and practicality.
SECURITY EVALUATION OF AN ORDER-SPECIFIED, IDENTITY-BASED AGGREGATE SIGNATURE SCHEME
This paper considers the security of ordered identity-based aggregate signatures that work in the Gap-Diffie-Hellman (GDH) group. By adapting a signature scheme, an identity-based signature verification key, and other identifying information, it is possible to facilitate the identification of the owner of the verification key. It has been shown that an aggregate signature can efficiently aggregate the signatures of multiple signers, and further, identity-based aggregate signatures can be used in a variety of applications. In this paper, considering the security of identity-based aggregate signatures, the subsequent signer cannot chooses a string that has been used by the previous signer to create a signature, and these signatures are sequentially combined to obtain the ordered identity-based aggregate signature.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.