SwePub

Search results for "WFRF:(Pagnin Elena)"

  • Results 1-10 of 28
1.
  • Abidin, Aysajan, 1983, et al. (authors)
  • Attacks on Privacy-Preserving Biometric Authentication
  • 2014
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - 1611-3349 .- 0302-9743. ; 8788:2014, pp. 293-294
  • Conference paper (peer-reviewed)
2.
  • Aranha, Diego F., et al. (authors)
  • Count Me In! Extendability for Threshold Ring Signatures
  • 2022
  • In: Public-Key Cryptography - PKC 2022 : 25th IACR International Conference on Practice and Theory of Public-Key Cryptography, Proceedings, Part II. - Cham : Springer International Publishing. - 0302-9743 .- 1611-3349. - 9783030971304 - 9783030971311 ; 13178, pp. 379-406
  • Conference paper (peer-reviewed)
    • Abstract: Ring signatures enable a signer to sign a message on behalf of a group anonymously, without revealing her identity. Similarly, threshold ring signatures allow several signers to sign the same message on behalf of a group; while the combined signature reveals that some threshold t of the group members signed the message, it does not leak anything else about the signers’ identities. Anonymity is a central feature in threshold ring signature applications, such as whistleblowing, e-voting and privacy-preserving cryptocurrencies: it is often crucial for signers to remain anonymous even from their fellow signers. When the generation of a signature requires interaction, this is difficult to achieve. There exist threshold ring signatures with non-interactive signing—where signers locally produce partial signatures which can then be aggregated—but a limitation of existing threshold ring signature constructions is that all of the signers must agree on the group on whose behalf they are signing, which implicitly assumes some coordination amongst them. The need to agree on a group before generating a signature also prevents others—from outside that group—from endorsing a message by adding their signature to the statement post-factum. We overcome this limitation by introducing extendability for ring signatures, same-message linkable ring signatures, and threshold ring signatures. Extendability allows an untrusted third party to take a signature, and extend it by enlarging the anonymity set to a larger set. In the extendable threshold ring signature, two signatures on the same message which have been extended to the same anonymity set can then be combined into one signature with a higher threshold. This enhances signers’ anonymity, and enables new signers to anonymously support a statement already made by others. For each of those primitives, we formalize the syntax and provide a meaningful security model which includes different flavors of anonymous extendability.
      In addition, we present concrete realizations of each primitive and formally prove their security relying on signatures of knowledge and the hardness of the discrete logarithm problem. We also describe a generic transformation to obtain extendable threshold ring signatures from same-message-linkable extendable ring signatures. Finally, we implement and benchmark our constructions.
3.
  • Aranha, Diego, et al. (authors)
  • LOVE a Pairing
  • 2021
  • In: Progress in Cryptology – LATINCRYPT 2021 : 7th International Conference on Cryptology and Information Security in Latin America, Bogotá, Colombia, October 6–8, 2021, Proceedings. - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. - 9783030882372 - 9783030882389 ; 12912, pp. 320-340
  • Conference paper (peer-reviewed)
    • Abstract: The problem of securely outsourcing the computation of a bilinear pairing has been widely investigated in the literature. Designing an efficient protocol with the desired functionality has, however, been an open challenge for a long time. Recently, Di Crescenzo et al. (CARDIS’20) proposed the first suite of protocols for securely and efficiently delegating pairings with online inputs under the presence of a malicious server. We progress along this path with the aim of LOVE (Lowering the cost of Outsourcing and Verifying Efficiently) a pairing. Our contributions are threefold. First, we propose a protocol (LOVE) that improves the efficiency of Di Crescenzo et al.’s proposal for securely delegating pairings with online, public inputs. Second, we provide the first implementation of efficient protocols in this setting. Finally, we evaluate the performance of our LOVE protocol in different application scenarios by benchmarking an implementation using BN, BLS12 and BLS24 pairing-friendly curves. Interestingly, compared to Di Crescenzo et al.’s protocol, LOVE is up to 29.7% faster for the client, up to 24.9% for the server and requires 23–24% less communication cost depending on the choice of parameters. Furthermore, we note that our LOVE protocol is especially suited for subgroup-secure groups: checking the correctness of the delegated pairing requires up to 56.2% less computations than evaluating the pairing locally (no delegation). This makes LOVE the most efficient protocol to date for securely outsourcing the computation of a pairing with online public inputs, even when the server is malicious.
4.
  • Boschini, Cecilia, et al. (authors)
  • Progressive and efficient verification for digital signatures
  • 2022
  • In: Applied Cryptography and Network Security : 20th International Conference, ACNS 2022, Rome, Italy, June 20–23, 2022, Proceedings. - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. - 9783031092343 - 9783031092336 ; 13269, pp. 440-458
  • Conference paper (peer-reviewed)
    • Abstract: Digital signatures are widely deployed to authenticate the source of incoming information, or to certify data integrity. Common signature verification procedures return a decision (accept/reject) only at the very end of the execution. If interrupted prematurely, however, the verification process cannot infer any meaningful information about the validity of the given signature. We notice that this limitation is due to the algorithm design solely, and it is not inherent to signature verification. In this work, we provide a formal framework to handle interruptions during signature verification. In addition, we propose a generic way to devise alternative verification procedures that progressively build confidence on the final decision. Our transformation builds on a simple but powerful intuition and applies to a wide range of existing schemes considered to be post-quantum secure including the NIST finalist Rainbow. While the primary motivation of progressive verification is to mitigate unexpected interruptions, we show that verifiers can leverage it in two innovative ways. First, progressive verification can be used to intentionally adjust the soundness of the verification process. Second, progressive verifications output by our transformation can be split into a computationally intensive offline set-up (run once) and an efficient online verification that is progressive.
5.
  • Boschini, Cecilia, et al. (authors)
  • Progressive and efficient verification for digital signatures: extensions and experimental results
  • 2024
  • In: Journal of Cryptographic Engineering. - 2190-8508 .- 2190-8516. ; In Press
  • Journal article (peer-reviewed)
    • Abstract: Digital signatures are widely deployed to authenticate the source of incoming information, or to certify data integrity. Common signature verification procedures return a decision (accept/reject) only at the very end of the execution. If interrupted prematurely, however, the verification process cannot infer any meaningful information about the validity of the given signature. This limitation is due to the algorithm design solely, and it is not inherent to signature verification. In this work, we provide a formal framework to extract information from prematurely interrupted signature verification, independently of why the process halts: we propose a generic verification procedure that progressively builds confidence on the final decision. Our transformation builds on a simple but powerful intuition and applies to a wide range of existing schemes considered to be post-quantum secure, including some lattice-based and multivariate equations based constructions. We demonstrate the feasibility of our approach through an implementation on off-the-shelf resource-constrained devices. In particular, an intensive testing activity has been conducted measuring the increase of performance on three IoT boards—i.e., Arduino, Raspberry, and Espressif—and a consumer-grade laptop. While the primary motivation of progressive verification is to mitigate unexpected interruptions, we show that verifiers can leverage it in two innovative ways. First, progressive verification can be used to intentionally adjust the soundness of the verification process. Second, our transformation splits verification into a computationally intensive offline set-up (run once), and an efficient online verification that is faster than the original algorithm. We conclude showing how to tweak our compiler for progressive verification to work on a wide range of signatures with properties, on three real-life use cases, and in combination with efficient verification.
6.
  • Brorsson, Joakim, et al. (authors)
  • PAPR : Publicly Auditable Privacy Revocation for Anonymous Credentials
  • 2023
  • In: Topics in Cryptology – CT-RSA 2023 - Cryptographers’ Track at the RSA Conference 2023, Proceedings. - 1611-3349 .- 0302-9743. - 9783031308710 ; 13871 LNCS, pp. 163-190
  • Conference paper (peer-reviewed)
    • Abstract: We study the notion of anonymous credentials with Publicly Auditable Privacy Revocation (PAPR). PAPR credentials simultaneously provide conditional user privacy and auditable privacy revocation. The first property implies that users keep their identity private when authenticating unless and until an appointed authority requests to revoke this privacy, retroactively. The second property enforces that auditors can verify whether or not this authority has revoked privacy from an issued credential (i.e. learned the identity of the user who owns that credential), holding the authority accountable. In other words, the second property enriches conditionally anonymous credential systems with transparency by design, effectively discouraging such systems from being used for mass surveillance. In this work, we introduce the notion of a PAPR anonymous credential scheme, formalize it as an ideal functionality, and present constructions that are provably secure under standard assumptions in the Universal Composability framework. The core tool in our PAPR construction is a mechanism for randomly selecting an anonymous committee which users secret share their identity information towards, while hiding the identities of the committee members from the authority. As a consequence, in order to initiate the revocation process for a given credential, the authority is forced to post a request on a public bulletin board used as a broadcast channel to contact the anonymous committee that holds the keys needed to decrypt the identity connected to the credential. This mechanism makes the user de-anonymization publicly auditable.
7.
  • Fiore, Dario, et al. (authors)
  • Matrioska: A Compiler for Multi-Key Homomorphic Signatures
  • 2018
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. ; 11035 LNCS, pp. 43-62
  • Conference paper (peer-reviewed)
    • Abstract: Multi-Key Homomorphic Signatures (MK-HS) enable clients in a system to sign and upload messages to an untrusted server. At any later point in time, the server can perform a computation C on data provided by t different clients, and return the output y and a short signature vouching for the correctness of y as the output of the function C on the signed data. Interestingly, MK-HS enable verifiers to check the validity of the signature using solely the public keys of the signers whose messages were used in the computation. Moreover, the signatures are succinct, namely their size depends at most linearly in the number of clients, and only logarithmically in the total number of inputs of C. Existing MK-HS are constructed based either on standard assumptions over lattices (Fiore et al., ASIACRYPT’16), or on non-falsifiable assumptions (SNARKs) (Lai et al., ePrint’16). In this paper, we investigate connections between single-key and multi-key homomorphic signatures. We propose a generic compiler, called Matrioska, which turns any (sufficiently expressive) single-key homomorphic signature scheme into a multi-key scheme. Matrioska establishes a formal connection between these two primitives and is the first alternative to the only known construction under standard falsifiable assumptions. Our result relies on a novel technique that exploits the homomorphic property of a single-key HS scheme to compress an arbitrary number of signatures from t different users into only t signatures.
8.
  • Fiore, Dario, et al. (authors)
  • Multi-Key Homomorphic Authenticators
  • 2016
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Berlin, Heidelberg : Springer Berlin Heidelberg. - 1611-3349 .- 0302-9743. ; 10032:2, pp. 499-530
  • Conference paper (peer-reviewed)
    • Abstract: Homomorphic authenticators (HAs) enable a client to authenticate a large collection of data elements m1, …, mt and outsource them, along with the corresponding authenticators, to an untrusted server. At any later point, the server can generate a short authenticator vouching for the correctness of the output y of a function f computed on the outsourced data, i.e., y = f(m1, …, mt). Recently researchers have focused on HAs as a solution, with minimal communication and interaction, to the problem of delegating computation on outsourced data. The notion of HAs studied so far, however, only supports executions (and proofs of correctness) of computations over data authenticated by a single user. Motivated by realistic scenarios (ubiquitous computing, sensor networks, etc.) in which large datasets include data provided by multiple users, we study the concept of multi-key homomorphic authenticators. In a nutshell, multi-key HAs are like HAs with the extra feature of allowing the holder of public evaluation keys to compute on data authenticated under different secret keys. In this paper, we introduce and formally define multi-key HAs. Secondly, we propose a construction of a multi-key homomorphic signature based on standard lattices and supporting the evaluation of circuits of bounded polynomial depth. Thirdly, we provide a construction of multi-key homomorphic MACs based only on pseudorandom functions and supporting the evaluation of low-degree arithmetic circuits. Albeit being less expressive and only secretly verifiable, the latter construction presents interesting efficiency properties.
9.
  • Fiore, Dario, et al. (authors)
  • Multi-key homomorphic authenticators
  • 2019
  • In: IET Information Security. - : Institution of Engineering and Technology (IET). - 1751-8717 .- 1751-8709. ; 13:6, pp. 618-638
  • Journal article (peer-reviewed)
    • Abstract: Homomorphic authenticators (HAs) enable a client to authenticate a large collection of data elements m1, …, mt and outsource them, along with the corresponding authenticators, to an untrusted server. At any later point, the server can generate a short authenticator σ_{f,y} vouching for the correctness of the output y of a function f computed on the outsourced data, i.e. y = f(m1, …, mt). The notion of HAs studied so far, however, only supports executions of computations over data authenticated by a single user. Motivated by realistic scenarios in which large datasets include data provided by multiple users, we study the concept of multi-key homomorphic authenticators. In a nutshell, multi-key HAs are like HAs with the extra feature of allowing the holder of public evaluation keys to compute on data authenticated under different secret keys. In this paper, we introduce and formally define multi-key HAs. Secondly, we propose a construction of a multi-key homomorphic signature based on standard lattices and supporting the evaluation of circuits of bounded polynomial depth. Thirdly, we provide a construction of multi-key homomorphic MACs based only on pseudorandom functions and supporting the evaluation of low-degree arithmetic circuits.
10.
  • Lucani, Daniel E., et al. (authors)
  • Secure generalized deduplication via multi-key revealing encryption
  • 2020
  • In: Security and Cryptography for Networks - 12th International Conference, SCN 2020, Proceedings. - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. - 9783030579890 ; 12238 LNCS, pp. 298-318
  • Conference paper (peer-reviewed)
    • Abstract: Cloud Storage Providers (CSPs) offer solutions to relieve users from locally storing vast amounts of data, including personal and sensitive ones. While users may desire to retain some privacy on the data they outsource, CSPs are interested in reducing the total storage space by employing compression techniques such as deduplication. We propose a new cryptographic primitive that simultaneously realizes both requirements: Multi-Key Revealing Encryption (MKRE). The goal of MKRE is to disclose the result of a pre-defined function over multiple ciphertexts, even if the ciphertexts were generated using different keys, while revealing nothing else about the data. We present a formal model and a security definition for MKRE and provide a construction of MKRE for generalized deduplication that only uses symmetric key primitives in a black-box way. Our construction allows (a) cloud providers to reduce the storage space by using generalized deduplication to compress encrypted data across users, and (b) each user to maintain a certain privacy level for the outsourced information. Our scheme can be proven secure in the random oracle model (and we argue that this is a necessary evil). We develop a proof-of-concept implementation of our solution. For a test data set, our MKRE construction achieves secure generalized deduplication with a compression ratio of 87% for 1 KB file chunks and 82.2% for 8 KB chunks. Finally, our experiments show that, compared to a generalized deduplication setup with un-encrypted files, adding privacy via MKRE introduces a compression overhead of less than 3% and reduces the storage throughput by at most 6.9%.
Publication type
conference paper (20)
journal article (5)
doctoral thesis (1)
research review (1)
licentiate thesis (1)
Content type
peer-reviewed (26)
other academic/artistic (2)
Author/editor
Pagnin, Elena, 1989 (17)
Mitrokotsa, Aikateri ... (11)
Pagnin, Elena (11)
Fiore, Dario (5)
Lucani, Daniel E. (4)
Sabelfeld, Andrei, 1 ... (3)
Hancke, G. (3)
Oleinikov, Ivan, 199 ... (3)
Abidin, Aysajan, 198 ... (2)
Boschini, Cecilia (2)
Nizzardo, Luca (2)
Vestergaard, Rasmus (2)
Chen, Liqun (1)
Schneider, Steve (1)
Picazo-Sanchez, Pabl ... (1)
Nielsen, Lars (1)
Dimitrakakis, Christ ... (1)
Aranha, Diego F. (1)
Hall-Andersen, Mathi ... (1)
Nitulescu, Anca (1)
Yakoubov, Sophia (1)
Hanaoka, Goichiro (1)
Shikata, Junji (1)
Watanabe, Yohei (1)
Aranha, Diego (1)
Hernàndez-Rodriguez, ... (1)
Nelson, Boel (1)
Liu, Jing (1)
Torresetti, Luca (1)
Visconti, Andrea (1)
Brorsson, Joakim (1)
David, Bernardo (1)
Gentile, Lorenzo (1)
Wagner, Paul Stankov ... (1)
Rosulek, Mike (1)
Brunetta, Carlo, 199 ... (1)
Tanaka, Keisuke (1)
Orlandi, Claudio (1)
Nogueira, Michele (1)
Hancke, Gerhard P. (1)
Hu, Qiao (1)
Kundu, Rohon (1)
Kamiyama, Noriaki (1)
Secci, Stefano (1)
Galdi, Clemente (1)
Kolesnikov, Vladimir (1)
Askarov, Aslan (1)
De Capitani di Vimer ... (1)
Samarati, Pierangela (1)
Li, Ninghui (1)
University
Chalmers tekniska högskola (20)
Lunds universitet (11)
Uppsala universitet (1)
Language
English (28)
Research subject (UKÄ/SCB)
Natural sciences (26)
Engineering and technology (13)