Yu Zhou,Shengli Liu,Shuai Han

DOI: https://doi.org/10.1587/transinf.2022ngi0001

2022-01-01

IEICE Transactions on Information and Systems

Abstract:In a 1-out-of -n oblivious signature scheme, a user pro-vides a set of messages to a signer for signatures but he/she can only obtain a valid signature for a specific message chosen from the message set. There are two security requirements for 1-out-of -n oblivious signature. The first is ambiguity, which requires that the signer is not aware which message among the set is signed. The other one is unforgeability which requires that the user is not able to derive any other valid signature for any messages beyond the one that he/she has chosen. In this paper, we provide a generic construction of 1-out-of -n oblivious signature. Our generic construction consists of two building blocks, a commitment scheme and a standard signature scheme. Our construction is round efficient since it only asks one interaction (i.e., two rounds) between the user and signer. Meanwhile, in our construction, the ambiguity of the 1-out-of -n oblivious signature scheme is based on the hiding property of the underlying commitment, while the unforgeability is based on the binding property of the underlying commitment scheme and the unforgeability of the underlying signature scheme. Moreover, our construction can also enjoy strong unforgeability as long as the underlying building blocks have strong binding property and strong unforgeability respectively. Given the fact that commitment and digital signature are well-studied topics in cryptography and numerous concrete schemes have been proposed in the standard model, our generic construc-tion immediately yields a bunch of instantiations in the standard model based on well-known assumptions, including not only traditional assump-tions like Decision Diffie-Hellman (DDH), Decision Composite Residue (DCR), etc., but also some post-quantum assumption like Learning with Errors (LWE). As far as we know, our construction admits the first 1-out -of -n oblivious signature schemes based on the standard model.

WANG Ji-lin,CHEN Xiao-feng,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.04.010

2006-01-01

Abstract:Exchange of digitally signed certificates was often used to establish mutual trust between strangers that wish to share resources or to conduct business transactions.Automated trust negotiation(ATN) was an approach to regulate the flow of sensitive information during such an exchange.But ATN cannot handle cyclic policy interdependency satisfactorily.Oblivious signature-based envelope(OSBE) is a scheme to solve this problem.However,the existed scheme could only be implemented on a secure channel.An efficient OSBE scheme without the secure channel is proposed using the ideas of identity-based systems and certificate-based encryption,which satisfies all the properties required by OSBE such as soundness and oblivious et al.Also,the scheme can achieve the desired security notations in the random oracle model.

Yang Wei,Liusheng Huang,Qiyan Wang

2006-01-01

WSEAS TRANSACTIONS ON COMPUTERS

Abstract:In an Oblivious Transfer (OT) protocol, Alice has two messages and is willing to send one of them to Bob, with the guarantee that no information about another message will be obtained. Moreover, Bob can freely choose his message and wants to ensure that Alice can obtain no information about which of her message he has picked. A 1-out-of-n OT is the natural extension of normal OT to the case of n messages. The security achieved by previous constructions for this primitive is not desirable. In this paper, we present a new quantum 1-out-of-n Oblivious Transfer scheme, which is unconditionally secure for both participants. We also give a scheme for a related cryptographic task, i.e. All-or-Nothing Disclosure of Secrets (ANDOS), utilizing our new quantum OT protocol.

Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-24316-5_6

2011-01-01

Abstract:During an adaptive oblivious transfer (OT), a sender has n private documents, and a receiver can adaptively fetch k documents from them such that the sender learns nothing about the receiver’s selection and the receiver learns nothing more than those k documents. Most recent fully simulatable adaptive OT schemes are based on so-called “assisted decryption” or “blind decryption”. In this paper, we revisit another technique, “blind permute-decryption”, for designing adaptive OT. We propose an efficient generic fully simulatable oblivious transfer framework with statistical receiver’s privacy that based on “blind permute-decryption” together with three concrete installations. The first one is based on Elgamal, so the corresponding OT is secure under classical DDH assumption. The second one is based on Paillier, so the corresponding OT is secure under Decisional n-th Residuosity assumption. Besides, we introduce an extended zero-knowledge proof framework with several applications.

Qinglong Wang,Jintai Ding

DOI: https://doi.org/10.1080/01611194.2014.915261

2014-01-01

Cryptologia

Abstract:Abstract In this article, the authors cryptanalyze a k-out-of-n oblivious transfer protocol proposed in [12]. Their protocol is one of the most efficient k-out-of-n oblivious transfer protocols and is directly built from a 1-out-of-n oblivious transfer protocol. However, their analysis shows that the proposed k-out-of-n oblivious transfer protocol is insecure, though the primitive 1-out-of-n oblivious transfer protocol is secure. The weakness is that with high probability the receiver in their protocol can get all n secret messages encrypted by the sender. Finally, they fix the serious flaw and introduce an improved k-out-of-n oblivious transfer protocol without increasing any cost.

Kui Ma,Yanwei Zhou,Ying Wang,Chunsheng Dong,Zhe Xia,Bo Yang,Mingwu Zhang

DOI: https://doi.org/10.1109/jsyst.2023.3269597

IF: 4.802

2023-01-01

IEEE Systems Journal

Abstract:The Internet of Things (IoT) is helpful in making people's life more convenient and efficient. To ensure that the nodes within IoT can interact securely, a certificateless signature (CLS) can be used to protect message authentication in the IoT. Recently, some concrete constructions of CLS schemes have been proposed in the literature, but through our analyses, we demonstrate that some existing CLS schemes cannot keep their claimed security because of various security flaws. For example, a valid signature can be forged by any Type I adversary by replacing the corresponding user's public key. In this article, we describe the security flaws that need to be addressed and introduce a novel CLS scheme without using bilinear mapping. The existential unforgeability in our proposed scheme can be proved based on the hardness of the elliptic curve discrete logarithm problem in the random oracle model. The comparison with existing CLS schemes shows that our scheme not only enjoys more security features but also is more efficient in computation. Moreover, we introduce an identity authentication protocol as the application of our proposed CLS scheme, which achieves mutual authentication and anonymity in communications.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Bo Mi,Darong Huang,Shaohua Wan,Libo Mi,Jianqiu Cao

DOI: https://doi.org/10.1109/access.2018.2846798

IF: 3.9

2018-01-01

IEEE Access

Abstract:Oblivious transfer (OT) is the most fundamental process in cryptosystems and serves as the basic building block for implementing protocols, such as the secure multi-party computation and the fair electronic contract. However, since most implementations of the Internet of Things are time-sensitive, existing works that are based on traditional public cryptosystems are not efficient or secure under quantum machine attacks. In this paper, we argued that the fastest known 1-out-of-n oblivious transfer (OTn1) protocol, which was proposed by Chou, cannot achieve semantic security and is time-consuming due to exponent arithmetic of large parameters. Utilizing NTRUEncrypt and OT extension, we devised a one-round post-quantum secure OTn1 protocol that is also proved to be active and adaptively secure under the universal composability framework. Compared with Chou's protocol, the computational overheads of our scheme are approximately 6 and 1.7 times smaller on the sender and receiver sides, in line with the standard security level.

Shuichi Katsumata,Yi-Fu Lai,Jason T. LeGrow,Ling Qin

DOI: https://doi.org/10.1007/s10623-024-01441-7

IF: 1.4

2024-07-19

Designs Codes and Cryptography

Abstract:In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the linear identification protocol abstraction introduced by Hauck, Kiltz, and Loss (EUROCYRPT'19), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably secure in the random oracle model (ROM) against poly-logarithmically-many concurrent sessions assuming the subexponential hardness of the group action inverse problem. In more detail, our blind signature exploits the quadratic twist of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size 128 B and signature size 8 KB under the CSIDH-512 parameter sets—these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new ring variant of the group action inverse problem ( ), we can halve the signature size to 4 KB while increasing the public key size to 512 B. We provide preliminary cryptanalysis of and show that for certain parameter settings, it is essentially as secure as the standard . Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key—constructing such a hash function in the isogeny setting remains an open problem.

mathematics, applied,computer science, theory & methods

Zhelei Zhou,Bingsheng Zhang,Hong-Sheng Zhou,Kui Ren

DOI: https://doi.org/10.1007/978-3-031-30545-0_11

2023-01-01

Abstract:The notion of Endemic Oblivious Transfer (EOT) was introduced by Masny and Rindal (CCS’19). EOT offers a weaker security guarantee than the conventional random OT; namely, the malicious parties can fix their outputs arbitrarily. The authors presented a 1-round UC-secure EOT protocol under a tailor-made and non-standard assumption, Choose-and-Open DDH, in the RO model. In this work, we systematically study EOT in the UC/GUC framework. We present a new 1-round UC-secure EOT construction in the RO model under the DDH assumption. Under the GUC framework, we propose the first 1-round EOT construction under the CDH assumption in the Global Restricted Observable RO (GroRO) model proposed by Canetti et al. (CCS’14). We also provide an impossibility result, showing there exist no 1-round GUC-secure EOT protocols in the Global Restricted Programmable RO (GrpRO) model proposed by Camenisch et al. (Eurocrypt’18). Subsequently, we provide the first round-optimal (2-round) EOT protocol with adaptive security under the DDH assumption in the GrpRO model. Finally, we investigate the relations between EOT and other cryptographic primitives. As side products, we present the first 2-round GUC-secure commitment in the GroRO model as well as a separation between the GroRO and the GrpRO models, which may be of independent interest.

Yang Wang

2014-01-01

Abstract:Fair exchange protocols aim to allow two parties to exchange digital items in a fair manner. Optimistic fair exchange (OFE) is a kind of protocols that solves the fair exchange problem with the help of a trusted third party (TTP), usually referred to as an ‘arbitrator’. The participation of the arbitrator is only required when there is a dispute between the exchanging parties. In the literature, the highest level of security of optimistic fair exchange is the multi-user security in the chosen-key model, proposed by Huang, Yang, Wong and Susilo in CT-RSA 2008. They showed that an efficient optimistic fair exchange scheme, secure in this sense, can be constructed generically from a conventional signature and a ring signature. In particular, the underlying ring signature is required to be unforgeable under an adaptive attack, against a static adversary in the 2-user setting. Concurrent signatures, introduced by Chen, Kudla and Paterson in Eurocrypt 2004, allow two parties to produce two ambiguous signatures until an extra piece of information, the keystone, is released by one of the parties. Upon the release of the keystone, the ambiguity will be revoked and the signatures bind to their true signers concurrently. Concurrent signatures, however, are known to fall just short of fully solving the long standing fair exchange of signatures problem. The price for not requiring any TTP is that the party who holds the keystone always has an advantage over the other party in controlling when and whether the protocol completes or not. In this thesis, the fair exchange of digital signatures problem is studied. In the first part of this thesis, the OFE security is strengthened and a more practical model which is called enhanced chosen-key model is proposed. Unlike the existing multiuser setting and chosen-key model, an adversary in the enhanced chosen-key model is further provided with the signing oracle that outputs full signatures generated by the signer, and may even be allowed to have access to the arbitrator’s secret key. The necessity for the new model is demonstrated. It is shown that two existing

Fuyuki Kitagawa,Ryo Nishimaki

DOI: https://doi.org/10.1007/978-3-031-48624-1%5C_10

2023-02-20

Abstract:The no-cloning principle of quantum mechanics enables us to achieve amazing unclonable cryptographic primitives, which is impossible in classical cryptography. However, the security definitions for unclonable cryptography are tricky. Achieving desirable security notions for unclonability is a challenging task. In particular, there is no indistinguishable-secure unclonable encryption and quantum copy-protection for single-bit output point functions in the standard model. To tackle this problem, we introduce and study relaxed but meaningful security notions for unclonable cryptography in this work. We call the new security notion one-out-of-many unclonable security. We obtain the following results. - We show that one-time strong anti-piracy secure secret key single-decryptor encryption (SDE) implies one-out-of-many indistinguishable-secure unclonable encryption. - We construct a one-time strong anti-piracy secure secret key SDE scheme in the standard model from the LWE assumption. - We construct one-out-of-many copy-protection for single-bit output point functions from one-out-of-many indistinguishable-secure unclonable encryption and the LWE assumption. - We construct one-out-of-many unclonable predicate encryption (PE) from one-out-of-many indistinguishable-secure unclonable encryption and the LWE assumption. Thus, we obtain one-out-of-many indistinguishable-secure unclonable encryption, one-out-of-many copy-protection for single-bit output point functions, and one-out-of-many unclonable PE in the standard model from the LWE assumption. In addition, our one-time SDE scheme is the first SDE scheme that does not rely on any oracle heuristics and strong assumptions such as indistinguishability obfuscation and witness encryption.

Quantum Physics,Cryptography and Security

Tony K. Chan,Karyin Fung,Joseph K. Liu,Victor K. Wei

DOI: https://doi.org/10.1007/978-3-540-30496-8_8

2005-01-01

Abstract:Spontaneous anonymous group (SAG) cryptography is a fundamental alternative to achieve thresholding without group secret or setup. It has gained wide interests in applications to ad hoc groups. We present a general construction of blind SAG 1-out-of-n and t-out-of-n signature schemes from essentially any major blind signature. In the case when our scheme is built from blind Schnorr (resp. Okamoto-Schnorr) signature, the parallel one-more unforgeability is reduced to Schnorr’s ROS Problem in the random oracle model plus the generic group model. In the process of our derivations, we obtain a generalization of Schnorr’s result [17] from single public key to multiple public keys.

Tomoyuki Morimae,Takashi Yamakawa

2024-05-08

Abstract:The existence of one-way functions is one of the most fundamental assumptions in classical cryptography. In the quantum world, on the other hand, there are evidences that some cryptographic primitives can exist even if one-way functions do not exist. We therefore have the following important open problem in quantum cryptography: What is the most fundamental element in quantum cryptography? In this direction, Brakerski, Canetti, and Qian recently defined a notion called EFI pairs, which are pairs of efficiently generatable states that are statistically distinguishable but computationally indistinguishable, and showed its equivalence with some cryptographic primitives including commitments, oblivious transfer, and general multi-party computations. However, their work focuses on decision-type primitives and does not cover search-type primitives like quantum money and digital signatures. In this paper, we study properties of one-way state generators (OWSGs), which are a quantum analogue of one-way functions. We first revisit the definition of OWSGs and generalize it by allowing mixed output states. Then we show the following results. (1) We define a weaker version of OWSGs, weak OWSGs, and show that they are equivalent to OWSGs. (2) Quantum digital signatures are equivalent to OWSGs. (3) Private-key quantum money schemes (with pure money states) imply OWSGs. (4) Quantum pseudo one-time pad schemes imply both OWSGs and EFI pairs. (5) We introduce an incomparable variant of OWSGs, which we call secretly-verifiable and statistically-invertible OWSGs, and show that they are equivalent to EFI pairs.

Quantum Physics,Cryptography and Security

Xiaofeng Chen,Fangguo Zhang,Shengli Liu

DOI: https://doi.org/10.1016/j.jss.2006.02.046

IF: 3.5

2007-01-01

Journal of Systems and Software

Abstract:Restrictive blind signatures allow a recipient to receive a blind signature on a message not known to the signer but the choice of message is restricted and must conform to certain rules. Partially blind signatures allow a signer to explicitly include necessary information (expiration date, collateral conditions, or whatever) in the resulting signatures under some agreement with receiver. Restrictive partially blind signatures incorporate the advantages of these two blind signatures. The existing restrictive partially blind signature scheme was constructed under certificate-based (CA-based) public key systems. In this paper we follow Brand's construction to propose the first identity-based (ID-based) restrictive blind signature scheme from bilinear pairings. Furthermore, we first propose an ID-based restrictive partially blind signature scheme, which is provably secure in the random oracle model. As an application, we use the proposed signature scheme to build an untraceable off-line electronic cash system followed the Brand's construction. (C) 2006 Elsevier Inc. All rights reserved.

Zhide Chen,Tianming Bu,Hong Zhu

DOI: https://doi.org/10.48550/arXiv.quant-ph/0401057

2004-08-29

Abstract:This paper has been withdrawn.

Quantum Physics

Debiao He,Baojun Huang,Jianhua Chen

DOI: https://doi.org/10.1049/iet-ifs.2012.0176

2013-01-01

IET Information Security

Abstract:The certificateless public key cryptography has attracted wide attention since it could solve the certificate management problem in the traditional public key cryptography and the key escrow problem in the identity-based public key cryptography. Recently, several certificateless short signature schemes, which could satisfy the requirement of low-bandwidth communication environments, have been proposed. However, most of them are not secure against either the Type I adversary or the Type II adversary. In this study, the authors propose a new efficient certificateless short signature scheme. The analysis shows the authors' scheme has better performance than the related schemes and is secure against both of the super Type I and the super Type II adversaries.

Bo Mi,Darong Huang,Shaohua Wan,Yu Hu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.compeleceng.2019.01.021

IF: 4.152

2019-01-01

Computers & Electrical Engineering

Abstract:Security is a key concern in any loT deployment, particularly if we have to take into consideration future attacks facilitated by the use of quantum computers. Therefore, in this paper, we present a post-quantum lightweight 1-out-n oblivious transfer (OT) protocol, based on the NTRU cryptographic primitive. Compared to the OT scheme proposed by Chou and Orlandi in LATINCRYPT 2015, our protocol is more suitable for deployment in heterogeneous and distributed environment, due to the reusability of encoded data set. Findings from the performance evaluation indicate that the proposed protocol outperforms that of Chou and Orlandi [13] protocol, in terms of computation and communication costs. (C) 2019 Elsevier Ltd. All rights reserved.

Huafeng Wu,Haiguang Chen,Qiang Zhou,Chuanshan Gao

DOI: https://doi.org/10.1109/snpd.2007.33

2007-01-01

Abstract:We present an efficient improvement of the strong RSA signature scheme [1], which is very similar to Fischlin sig nature [2]. Both two signatures are based on strong RSA assumption. In the original scheme, the signer has to choose a prime with prescribed length in signing phase. Except that, three generators of QRn should be chosen in the set-up phase. Our scheme removes or relaxes these restrictions. It only needs to choose two generators of QRn and an odd. Our scheme saves about 1/2 computational cost of the original scheme. Moreover, we propose a blind signature scheme and a partially blind signature scheme based on the basic scheme. To the best of our knowledge, it's the first time to propose such a blind signature scheme and a partially blind signature scheme based on strong RSA assumption.

Miaomiao Tian,Liusheng Huang,Wei Yang

DOI: https://doi.org/10.1504/ijict.2014.057968

2012-01-01

Abstract:Currently, short signature is receiving significant attention since it is particularly useful in low-bandwidth communication environments. However, most of the short signature schemes are only based on one intractable assumption. Recently, Su presented an identity-based short signature scheme based on knapsack and bilinear pairing. He claimed that the signature scheme is secure in the random oracle model. Unfortunately, in this paper, we show that his scheme is insecure. Concretely, an adversary can forge a valid signature on any message with respect to any identity in Su's scheme.

Bessie C. Hu,Duncan S. Wong,Zhenfeng Zhang,Xiaotie Deng

DOI: https://doi.org/10.1007/s10623-006-9022-9

IF: 1.4

2006-01-01

Designs Codes and Cryptography

Abstract:Certificateless cryptography involves a Key Generation Center (KGC) which issues a partial key to a user and the user also independently generates an additional public/secret key pair in such a way that the KGC who knows only the partial key but not the additional secret key is not able to do any cryptographic operation on behalf of the user; and a third party who replaces the public/secret key pair but does not know the partial key cannot do any cryptographic operation as the user either. We call this attack launched by the third party as the key replacement attack. In ACISP 2004, Yum and Lee proposed a generic construction of digital signature schemes under the framework of certificateless cryptography. In this paper, we show that their generic construction is insecure against key replacement attack. In particular, we give some concrete examples to show that the security requirements of some building blocks they specified are insufficient to support some of their security claims. We then propose a modification of their scheme and show its security in a new and simplified security model. We show that our simplified definition and adversarial model not only capture all the distinct features of certificateless signature but are also more versatile when compared with all the comparable ones. We believe that the model itself is of independent interest.A conventional certificateless signature scheme only achieves Girault's Level 2 security. For achieving Level 3 security, that a conventional signature scheme in Public Key Infrastructure does, we propose an extension to our definition of certificateless signature scheme and introduce an additional security model for this extension. We show that our generic construction satisfies Level 3 security after some appropriate and simple modification.