Attribute Based Cryptography

Motivated by the problem of establishing a session key among parties based on the possession of certain credentials only, we discuss a notion of attribute-based key establishment. A number of new issues arise in this setting that are not present in the usual settings of group key establishment where unique user identities are assumed to be publicly available. After detailing the security model, we give a two-round solution in the random oracle model. As main technical tool we introduce a notion of attribute-based signcryption, which may be of independent interest. We show that the type of signcryption needed can be realized through the encrypt-then-sign paradigm. Further, we discuss additional guarantees of the proposed protocol, that can be interpreted in terms of deniability and privacy.

Individuals are encouraged to prove their eligibility to access specific services regularly. However, providing various organizations with personal data spreads sensitive information and endangers people's privacy. Hence, privacy-preserving identification systems that enable individuals to prove they are permitted to use specific services are required to fill the gap. Cryptographic techniques are deployed to construct identity proofs across the internet; nonetheless, they do not offer complete control over personal data or prevent users from forging and submitting fake data. In this paper, we design a privacy-preserving identity protocol called "zkFaith." A new approach to obtain a verified zero-knowledge identity unique to each individual. The protocol verifies the integrity of the documents provided by the individuals and issues a zero-knowledge-based id without revealing any information to the authenticator or verifier. The zkFaith leverages an aggregated version of the Camenisch-Lysyanskaya (CL) signature scheme to sign the user's commitment to the verified personal data. Then the users with a zero-knowledge proof system can prove that they own the required attributes of the access criterion of the requested service providers. Vector commitment and their position binding property enables us to, later on, update the commitments based on the modification of the personal data; hence update the issued zkFaith id with no requirement of initiating the protocol from scratch. We show that the design and implementation of the zkFaith with the generated proofs in real-world scenarios are scalable and comparable with the state-of-the-art schemes.

Anonymous Certification (AC) refers to cryptographic mechanisms in which users get certified from trusted issuers, with regard to some pre-defined user attributes, in order to produce presentation tokens. Such tokens satisfy service providers' access policies, without revealing sensitive user information. AC systems are generally classified under two main different categories: (1) one-time show credentials that can be shown once for avoiding their originating user being traced from one transaction to another, and (2) multi-show credentials that can be used many times while avoiding their originating user to be traced. In this paper, we consider eassessment opinion polls scenarios and propose an AC scheme where the one-time show property is relevant for making sure each user cannot hand in more than one poll in order to get significant results. To mitigate cheating, the scheme is provided with two extra procedures: attribute revocation and anonymity removal. The correctness of our scheme, as well as unforgeability, privacy and anonymity removal, are analyzed and demonstrated.

Attribute-based credentials (ABCs) are building blocks for user-centric identity management. They enable the disclosure of a minimum amount of information about their owner to a verifier, typically a service provider, to authorise the credential owner for some service, application, or resource. By directly applying attribute-disclosure protocols, the data is revealed not only to the verifier, but anyone who has access to the communication channel. Moreover, as verifiers are not intrinsically authenticated, one can accidentally reveal attributes to the wrong party. Therefore, a secure channel has to be established between the prover and the verifier. Although efficient ABC smart-card implementations exist, not always can they perform all prover features. An equality proof, for instance, is essential in creating pseudonyms that enable temporary identification and eventually establishing a channel. Without this feature, other techniques have to be developed. In this paper we apply a more general notion of authentication that does not require card identification or pseudonyms. Based on this concept, we propose a security model that includes mutual authentication and setting up a channel between a card and a verifier. We present two efficient and provably secure protocols under standard assumptions in the random oracle model.

A ciphertext-policy attribute-based encryption protocol uses bilinear pairings to provide control access mechanisms, where the set of user's attributes is specified by means of a linear secret sharing scheme. In this paper we present the design of a software cryptographic library that achieves record timings for the computation of a 126-bit security level attribute-based encryption scheme. We developed all the required auxiliary building blocks and compared the computational weight that each of them adds to the overall performance of this protocol. In particular, our single pairing and multi-pairing implementations achieve state-of-the-art time performance at the 126-bit security level.

Remote data auditing (RDA) protocols enable a cloud server to persuade an auditor that it is storing a data file honestly. Unlike digital signature (DS) schemes, in RDA protocols, the auditor can carry out the auditing procedure without having the entire data file. Therefore, RDA protocols seem to be attractive alternatives to DSs as they can effectively reduce bandwidth consumption. However, existing RDA protocols do not provide adequately powerful tools for user authentication. In this paper, we put forward a novel attribute-based remote data auditing and user authentication scheme. In our proposed scheme, without having a data file outsourced to a cloud server, an auditor can check its integrity and the issuer's authenticity. Indeed, through a challenge-response protocol, the auditor can check whether 1) the cloud server has changed the content of the data file or not; 2) the data owner possesses specific attributes or not. We show that our scheme is secure under the hardness assumption of the bilinear Diffie-Hellman (BDH) problem.

https://www.isecure-journal.com/article_159677.html

Anonymous Certification (AC) refers to cryptographic mechanisms in which users get certified from trusted issuers, with regard to some pre-defined user attributes, in order to produce presentation tokens. Such tokens satisfy service providers' access policies, without revealing sensitive user information. AC systems are generally classified under two main different categories: (1) one-time show credentials that can be shown once for avoiding their originating user being traced from one transaction to another, and (2) multi-show credentials that can be used many times while avoiding their originating user to be traced. In this paper, we consider eassessment opinion polls scenarios and propose an AC scheme where the one-time show property is relevant for making sure each user cannot hand in more than one poll in order to get significant results. To mitigate cheating, the scheme is provided with two extra procedures: attribute revocation and anonymity removal. The correctness of our scheme, as well as unforgeability, privacy and anonymity removal, are analyzed and demonstrated.

This paper presents an efficient anonymous credential system that includes two variants. One is a system that lacks a credential revoking protocol, but provides perfect anonymity-unlinkability and computational unforgeability under the strong Diffie-Hellman assumption. It is more efficient than existing credential systems with no revocation. The other is a system that provides revocation as well as computational anonymity-unlinkability and unforgeability under the strong Diffie-Hellman and decision linear Diffie-Hellman assumptions. This system provides two types of revocation simultaneously: one is to blacklist a user who acted wrong so that he can no longer use his credential, and the other is identifying a user who acted wrong from his usage of credential. Both systems are provably secure under the above-mentioned assumptions in the standard model. Definition of Basic Anonymous Credential System A basic anonymous credential system consists of three parties users, an authority, and verifiers. An anonymous credential system performs the following operations. Key Generation: Authority Auth, given security parameter 1 k , outputs a pair of publickey and secret-key, (pk, sk). Credential Issuing Protocol: A user U has some kind of data m that U wants to obtain a certificate for. Examples of m are properties such as "belongs to some University", "is over the age of 20." or rights such as "can access the secure room". How Auth detects whether m is valid or not with regard to U is outside this protocol. U executes the credential issuing protocol for m with Auth by using U's input m and Auth's secret-keys. At the end of the protocol, U obtains a credential Cred, corresponding to m. Credential Proving Protocol: After U obtains the credential of m, U executes the credential proving protocol of m with a verifier V, that proves U's possession of Cred. At the end of the protocol, V outputs accept if U really has a valid Cred, otherwise outputs reject. Security of Basic Anonymous Credential System In this section, we refer to the definition of the security of the basic anonymous credential system. The security of the basic anonymous credential system is defined as follows. Unforgeability: U cannot forge a valid credential Cred on any value unless Cred was issued by Auth. We show a more formal definition: Let us consider the following game. Let Adv be an adversary. Adv runs in time at most τ. It first executes the credential issuing protocol with Auth at most q Auth times, and obtains valid credentials of adaptively chosen messages. Finally, Adv and V execute the credential proving protocol for message m, which has not been chosen by Adv yet, and V outputs accept or reject. If the probability that V outputs accept at the end of the protocol is at most ϵ for any Adv, the anonymous credential system is (τ, q Auth , ϵ)-unforgeable. 1. Adv outputs its public-key (except some system parameters).

Anonymous Certification (AC) refers to cryptographic mechanisms in which users get certified from trusted issuers, with regard to some pre-defined user attributes, in order to produce presentation tokens. Such tokens satisfy service providers' access policies, without revealing sensitive user information. AC systems are generally classified under two main different categories: (1) one-time show credentials that can be shown once for avoiding their originating user being traced from one transaction to another, and (2) multi-show credentials that can be used many times while avoiding their originating user to be traced. In this paper, we consider eassessment opinion polls scenarios and propose an AC scheme where the one-time show property is relevant for making sure each user cannot hand in more than one poll in order to get significant results. To mitigate cheating, the scheme is provided with two extra procedures: attribute revocation and anonymity removal. The correctness of our scheme, as well as unforgeability, privacy and anonymity removal, are analyzed and demonstrated.

This paper presents an anonymous certification (AC) scheme, built over an attribute based signature (ABS). After identifying properties and core building blocks of anonymous certification schemes, we identify ABS limitations to fulfill AC properties, and we propose a new system model along with a concrete mathematical construction based on standard assumptions and the random oracle model. Our solution has several advantages. First, it provides a data minimization cryptographic scheme, permitting the user to reveal only required information to any service provider. Second, it ensures unlinkability between the different authentication sessions, while preserving the anonymity of the user. Third, the derivation of certified attributes by the issuing authority relies on a non interactive protocol which provides an interesting communication overhead.

Cloud computing provides remote users a flexible and convenient way to obtain cloud services on demand such as cloud storage service, which has been facing great security and privacy challenges, especially insider attacks. However, most of the previous work on the cloud security focusing on the storage security can't be effective against insider threats. Wei's scheme on the cloud storage, which is based on an ID-based strong designated verifier signature (IBSDVS) protocol, takes privacy and confidentiality into consideration. But it also can't be against insider attacks and its confidentiality exists security flaws. Hence, in this paper, we propose an efficient data storage protocol in the cloud computing, which can be against insider attacks as well as providing privacy preserving and confidentiality. Similar to Wei's scheme, our protocol adopts an IBSDVS scheme that has the secure property of nondelegatability. Then the analysis of security and performance are described in detail.

The Internet of Things (IoT), in spite of its innumerable advantages, brings many challenges namely issues about users' privacy preservation and constraints about lightweight cryptography. Lightweight cryptography is of capital importance since IoT devices are qualified to be resource-constrained. To address these challenges, several Attribute-Based Credentials (ABC) schemes have been designed including I2PA, U-prove, and Idemix. Even though these schemes have very strong cryptographic bases, their performance in resource-constrained devices is a question that deserves special attention. This paper aims to conduct a performance evaluation of these schemes on issuance and verification protocols regarding memory usage and computing time. Recorded results show that both I2PA and U-prove present very interesting results regarding memory usage and computing time while Idemix presents very low performance with regard to computing time.

Up to date, a large number of ID-based signature (IBS) schemes based on bilinear pairings have been proposed. Most of these IBS schemes possess existential unforgeability under adaptive chosen-message attacks, among which some offer strong unforgeability. An IBS scheme is said to be strongly unforgeable if it possesses existential unforgeability and an adversary who is given signatures of the IBS scheme on some message m is unable to generate a new signature on m. Strong unforgeable IBS schemes can be used to construct many important ID-based cryptographic schemes. However, the existing strongly unforgeable IBS schemes lack efficiency for the signature size and the computation cost of verification phase. In this paper, we propose an efficient strongly unforgeable IBS scheme without random oracles. Under the computational Diffie-Hellman and collision resistant hash assumptions, we demonstrate that the proposed IBS scheme possesses strong unforgeability against adaptive chosen-message attacks. When compared with previously proposed strongly unforgeable IBS schemes, our scheme has better performance in terms of signature size and computation cost.

The growing role of mobile devices in previously face to face interactions presents new domains for cryptographic applications. At the same, time the increased role of digital systems raises new security and privacy issues. With some thirty thousand notifications sent, inSPOT. org's electronic notification of exposure to sexually transmitted infections is one such concerning development. This paper explores those concerns, the features of an ideal service for both notification and certification, and outlines protocols for cryptographic ...

Multisignature schemes are digital signature schemes that permit one to determine a unique signature for a given message, depending on the signatures of all the members of a specific group. In this work, we present a new semi-short multisignature scheme based on the Subgroup Discrete Logarithm Problem (SDLP) and on the Integer Factorization Problem (IFP). The scheme can be carried out in an on-and off-line basis, is efficient, and the bitlength of the multisignature does not depend on the number of signers.

This paper identifies certain privacy threats that apply to anonymous credential systems. The focus is on timing attacks that apply even if the system is cryptographically secure. The paper provides some simple heuristics that aim to mitigate the exposure to the threats and identifies directions for further research.

In the attribute typed signature scheme the user can sign a document with any predicate that is satisfied by his attributes issued from the attribute agency. Based on this assumption, the signature shows not to an identity of a user signed the document, other than the demand concerning the attributes underlying signer possesses. In attribute based signature, participants cannot forge signature with attributes they are not have even by conspiring. Alternatively, an authorized signer stays anonymous without a concern of revocation and is identical between the participants whose attributes convincing a predicate specified in a signature. Attribute based signature is functional in various uses for example, in anonymous authentication and attribute typed message schemes. In this paper, we describe the characteristics of security of certain attribute typed signature scheme. Also, we illustrate multiple attacks in a presented threshold attribute typed signature scheme. We show that a schem...

Sigurnost računarskih sistema oduvek je bitna, a danas postaje još važnija, jer sve više korisnika na sve više načina koristi sve više informacija u sadašnjem informatičkom svetu. Sa razvojem informacionih tehnologija i telekomunikacionih sistema i sve većom rasprostranjenošću ljudskog društva u geografskom smislu raste i mogućnost zloupotreba podataka koji se prenose otvorenim komunikacijskim putevima, što zahteva efikasniju zaštitu. U sistemu prenosa podataka napadači mogu lako da unište podatke, da ih modifikuju ili da informacije dođu u posed neovlašćenim osobama ili organizacijama, što može imati vrlo teške posledice. Problem je posebno izražen kod nekih organizacija kao što su državne administracije, kao i komparativna analiza njihovog rada, a dati su i konkretni primeri njihovog korišćenja. Ključne reči: kriptografija, simetrični i asimetrični sistemi, digitalni potpis, CrypTool, CryptoWork flow.

PCA su i dalje u stadiju razvoja, na što ponajviše ukazuje činjenica da se na tržištu nudi samo nekoliko rješenja koja koriste IBE, ABE ili BBE. Kao ključna prednost ovih algoritama ističe se nepotrebnost kompleksne infrastrukture upravljanja kriptografskim ključevima kakvu koristi PKI kao trenutačno najrašireniji koncept kriptografije javnim ključevima. Ključni nedostatak PCA su zahtijevano vrijeme i računalni resursi potrebni za generiranje privatnih ključeva. Ovaj će se nedostatak u skoroj budućnost zanemariti obzirom na brzi razvoj kvantnog računalstva.
IBE gotovo savršeno rješava problem komunikacije 1 na 1, stoga će se njegova primjena primarno nalaziti u sustavima za slanje e-mail poruka, privatnim chatovima i komunikacijskim kanalima s manjim brojem sudionika. Obzirom na to da je ključ sigurnosti IBE matematički algoritam unutar PKG-a, vrlo je vjerojatno da će PCA bazirani na IBE još neko vrijeme ostati privatna rješenja softverskih poduzeća umjesto algoritama otvorenog kôda. ABE uspijeva riješiti problem ovisnosti sigurnosti o PKG-u zbog čega se i neka od rješenja nude kao otvoreni kôd (OpenABE i Zeutro Toolkit), a istovremeno rješava i problem komunikacije 1 na više u smislu da skalabilnost broja sudionika komunikacijskog kanala za ABE ne predstavlja problem. Još uvijek nije riješen problem varijabilnih podataka kao ulaznih parametara za generiranje PCK u BBE, stoga je na tom području potreban znatan dodatni razvoj.
Iako se gotovo 20 godina može činiti kao dugo vrijeme za razvoj softvera, kod razvoja kriptografskih algoritama to razdoblje predstavlja tek početak razvoja kompleksnih kriptografskih algoritama kao koji bi uz PCA iskoristili i prednosti kognitivne kriptografije kako bi se algoritmi automatizirano prilagođavali sudionicima komunikacije i prirodi predmeta kriptiranja. Kognitivna kriptografija stoga i dalje ostaje isključivo teoretski pristup s nedostatkom dokazivosti semantičkih algoritama koji pospješuju rad PCA. Zaključuje se stoga da je razvoj IBE i ABE došao na dovoljnu razinu da se koristi u komercijalnim softverima, dok je potreban dodatni razvoj BBE što će vrlo vjerojatno biti daleko više potaknuto skorom dostupnošću kvantnog računalstva običnim korisnicima diljem svijeta.

Cloud computing provides remote users a flexible and convenient way to obtain cloud services on demand such as cloud storage service, which has been facing great security and privacy challenges, especially insider attacks. However, most of the previous work on the cloud security focusing on the storage security can't be effective against insider threats. Wei's scheme on the cloud storage, which is based on an ID-based strong designated verifier signature (IBSDVS) protocol, takes privacy and confidentiality into consideration. But it also can't be against insider attacks and its confidentiality exists security flaws. Hence, in this paper, we propose an efficient data storage protocol in the cloud computing, which can be against insider attacks as well as providing privacy preserving and confidentiality. Similar to Wei's scheme, our protocol adopts an IBSDVS scheme that has the secure property of non-delegatability. Then the analysis of security and performance are described in detail.

Optimistic fair exchange (OFE) allows two parties to exchange their digital items in a fair way. As one of the fundamental problems in secure electronic business and digital rights management, OFE has been studied intensively since its introduction. This paper introduces and defines a new property for OFE: Strong Resolution-Ambiguity. We show that many existing OFE protocols have the new property, but its formal investigation has been missing in those protocols. We prove that in the certified-key model, an OFE protocol is secure in the multi-user setting if it is secure in the single-user setting and has the property of strong resolution-ambiguity. Our result not only simplifies the security analysis of OFE protocols in the multiuser setting but also provides a new approach for the design of multi-user secure OFE protocols. Following this approach, a new OFE protocol with strong resolution-ambiguity is proposed. Our analysis shows that the protocol is setup-free, stand-alone and multi-user secure without random oracles.

Zaštita podataka i prenos podataka je star problem. Najjednostavniji oblik bi mogao biti došaptavanje-informaciju dobija samo jedna osoba i drugi ne znaju sadržaj poruke. Prednost je jednostavnost, a mana je kratka udaljenost na koju se takvim načinom poruka može preneti. Pojavom pisma otvorile su se nove mogućnosti, pre svega slanje poruka po glasniku na, za ono vreme, proizvoljne udaljenosti. Najveća je primena bila u vojne svrhe, a to je donelo i veću opasnost za glasnika i za poruku. Glasnika je mogla spasiti ili velika brzina ili borbena veština, ali kada je jednom savladan onda poruka dospeva u ruke neprijatelju. Jednostavni trik Rimljana je bio da se poruka napiše na traci koja je omotana oko štapa tačno određenog promera, pa su takvu poruku mogli razumeti samo vlasnici takvog štapa. Neprijatelj je dobio samo traku s nerazumljivim redosledom znakova, a poruku nije znao čak ni glasnik. Kad se jednom sazna da je poruka zaštićena na taj način, isprobavanjem se relativno lako može doći do štapa odgovarajuće veličine. Drugi način je, na primer, svako slovo zameniti nekim drugim. Primalac i pošiljalac poruke moraju imati istu tablicu zamena kako bi poruku mogli napisati, odnosno pročitati. Ko nema tablicu može isprobavati, ali za trideset slova ima čak 30! (faktorijel) mogućih tablica. Mana ovakvog načina zaštite je da se nekako mora poslati i tablica, pa ako neprijatelj ima sreću da je presreo glasnika s tablicom može ubuduće pročitati sve poruke! Štaviše, može sam napisati šifrovanu poruku, pa poslati lažnog glasnika. Ako primalac poruke poznaje rukopis ili barem potpis pošiljaoca znaće da je poruka lažna. Isto tako može zatražiti od glasnika da se identififikuje, na primer, posebnim prstenom ili medaljonom, a najbolje ličnom potvrdom. Pojavom masovnih komunikacija, posebno Interneta, potreba za zaštićenim prenosom je naglo porasla. Sada je potreban, ne samo generalima i vladarima, nego i poslovnim ljudima, i običnim građanima. Bilo da je reč o vojnoj ili industrijskoj tajni, broju kreditne kartice ili ljubavnom pismu, zaštita podataka je postala svakodnevna potreba. Kako uglavnom ne znamo kojim putem putuju naši podaci i kroz čije ruke prolaze, zaštićeni prenos podataka je neophodan za svaki posao gde se traži tajnost ili privatnost. Secure Sockets Layer (SSL) je protokol za sigurno slanje poruka (komuniciranje) putem Interneta, koji omogućuje slanje poverljivih podataka (npr. broj kreditne kartice) putem Interneta u šifrovanom i sigurnom obliku. SSL protokol ostvaruje poseban komunikacioni sloj, koji je smešten na pouzdan transportni sloj (npr. TCP/IP), dok se na SSL smešta aplikacijski sloj. Od aplikacijskog sloja prima poruku koju treba poslati, rastavi je u manje delove prikladne za šifrovanje, dodaje kontrolni broj, šifruje, eventualno kompresuje, a zatim te delove pošalje. Primalac primi delove, dekompresuje, dešifruje, proveri kontrolne brojeve, sastavi delove poruke, pa ih preda aplikacijskom sloju. Na taj način se putem SSL-a ostvaruje zaštićeni kanal prenosa kroz mrežu. Ukoliko su klijent i server neaktivni duže vreme ili razgovor sa istim atributima zaštite potraje predugo, atributi se menjaju.

New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more e cient than the previously known proofs. In addition, these proofs do not require the prover to be super-polynomial in power. A probabilistic polynomial time prover with the appropriate trap-door knowledge is su cient. The proofs are perfect or statistical zero-knowledge in all cases except one.

Halpern, Moses and Tuttle presented a definition of interactive proofs using a notion they called practical knowledge, but left open the question of finding an epistemic formula that completely characterizes zero knowledge; that is, a formula that holds iff a proof is zero knowledge. We present such a formula, and show that it does characterize zero knowledge. Moreover, we show that variants of the formula characterize variants of zero knowledge such as concurrent zero knowledge ] and proofs of knowledge . and systems framework ). In addition, we introduce some of the notation that will be needed for our new results.

Halpern, Moses and Tuttle presented a definition of interactive proofs using a notion they called practical knowledge, but left open the question of finding an epistemic formula that completely characterizes zero knowledge; that is, a formula that holds iff a proof is zero knowledge. We present such a formula, and show that it does characterize zero knowledge. Moreover, we show that variants of the formula characterize variants of zero knowledge such as concurrent zero knowledge ] and proofs of knowledge . and systems framework ). In addition, we introduce some of the notation that will be needed for our new results.

In pseudonym systems, users by means of pseudonyms anonymously interact with organizations to obtain credentials. The credential scheme constructed by Lysyanskaya and Camenisch is among the most complete credential systems, in which "all-or-nothing" sharing scheme is used to prevent users sharing their credentials. If a user cannot directly show a credential issued by an organization, she or he has to give her or his own secret key to someone else as a proxy; afterward, the proxy can show the credential on behalf of the user. Thus, according to the all-or-nothing property of the system, having the user's secret key, the proxy can use all credentials of the user for itself. To solve this problem, in this paper, we present proxy zero-knowledge proof and utilize it in Lysyanskaya and Camenisch anonymous credential system. In our proposed system, instead of giving the secret key to the proxy, the user generates a proxy key based on the desired credential particularly for the proxy. Therefore, the proxy neither is the owner of the user's credential nor uses his or her other credentials.

Abstract : A ring signature system is strongly unforgeable if the ring signature is existential unforgeable and, given ring signatures on some message m, the adversary can not produce a new ring signature on m. Strongly unforgeable ring signatures are useful for constructing chosen-ciphertext secure cryptographic system. For example, it can be used to design the ring signcryptionscheme.In this paper, we analyse the safety of Au et al.'s ID-based ring signature scheme, then we construct a strongly unforgeable ID-based ring signature scheme in the standard model based on the standard discrete logarithm problem (DLP). Keywords: Strong unforgeability, ring signature, bilinear pairings, standard model

In their seminal work for identity-based identification (IBI) schemes in 2004, Bellare et al. left open the question of whether the Beth identification scheme, and consequently the derived IBI scheme, can be proven secure against active and concurrent attackers. In 2008, Crescenzo answered the question in the positive by presenting a modified version of the Beth identification scheme as well as the corresponding derived IBI scheme. In this paper, we show that while the modified version of the Beth identification scheme proposed by Crescenzo is secure, an attack exists on the corresponding Beth-IBI scheme.

Anonymous credentials allow people to authenticate to an organisation without being identified. While there are some approaches trying to ensure non-transferability we want to improve the methods relying on biometric authentication. In this working paper we present a first step of embedding biometric attributes into anonymous credentials. There are only slight changes to existing approaches, but the main purpose of this working paper is to establish a basis, which can be improved in the future to solve some of the problems addressed in the "future work section".

Abstarct. Inspired by the recent developments in attribute-based encryption, in this paper we propose threshold attribute-based signatures (t-ABS). In a t-ABS, signers are associated with a set of attributes and verification of a signed document against a verification attribute set succeeds if the signer has a threshold number of (at least t) attributes in common with the verification attribute set. A t-ABS scheme enables a signature holder to prove possession of signatures by revealing only the relevant (to the verification attribute set) attributes of the signer, hence providing signer-attribute privacy for the signature holder. We define t-ABS schemes, formalize their security and propose two t-ABS schemes: a basic scheme that is selectively unforgeable and a second one that is existentially unforgeable, both provable in the standard model, assuming hardness of the computational Diffie-Hellman problem. We show that our basic t-ABS scheme can be augmented with two extra protocols that are used for efficiently issuing and verifying t-ABS signatures on committed values. We call the augmented scheme a threshold attribute based c-signature scheme (t-ABCS). We show how a t-ABCS scheme can be used to realize a secure threshold attribute-based anonymous credential system (t-ABACS) providing signer-attribute privacy. We propose a security model for t-ABACS and give a concrete scheme using t-ABCS scheme. Using the simulation paradigm, we prove that the credential system is secure if the t-ABCS scheme is secure.

A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols. We prove that the original formulation of zero-knowledge as appearing in the pioneering work of Goldwasser, Micali and Rackoff is not closed under sequential composition. This fact was conjectured by many researchers leading to the introduction of stronger formulations of zero-knowledge (e.g. black-box simulation). We also prove that the parallel composition of zero-knowledge protocols does not necessarily result in a new zero-knowledge protocol: we present two protocols, both being zero-knowledge in a strong sense yet their parallel composition is not zero-knowledge (not even in a weak sense). We present a lower bound on the round complexity of zero-knowledge proofs. We prove that only BPP languages have 3-round interactive proofs which are black-box simulation zero-knowledge. Moreover, we show that languages having constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge are in BPP. These results have significant implications to the parallelization of zero-knowledge proofs. In particular it follows that the "parallel versions" of the original interactive proofs systems for quadratic residuosity, graph isomorphism and any language in NP, are not black-box simulation zero-knowledge, unless the corresponding languages are in BPP. This resolves an open problem arising from the early works on zero-knowledge. Other consequences are a proof of optimality for the round complexity of various known zero-knowledge protocols, and a structure theorem for the hierarchy of Arthur-Merlin zero-knowledge languages.