
Publication


Featured research published by Damien Vergnaud.


international conference on the theory and application of cryptology and information security | 2005

Discrete-Log-Based signatures may not be equivalent to discrete log

Pascal Paillier; Damien Vergnaud

We provide evidence that the unforgeability of several discrete-log based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature well-known proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle Model. Our impossibility proofs apply to many discrete-log-based signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSA-based signatures like GQ. We stress that our work sheds more light on the provable (in)security of popular signature schemes but does not explicitly lead to actual attacks on these.


international conference on cryptology in africa | 2011

Progress in Cryptology – AFRICACRYPT 2011

David Pointcheval; Damien Vergnaud

In this paper we survey new results for rank-based cryptography: cryptosystems which are based on error-correcting codes embedded with the rank metric. These new results first concern the LRPC cryptosystem, a cryptosystem based on a new class of decodable rank codes: the LRPC codes (for Low Rank Parity Check codes), which can be seen as an analog of the classical LDPC codes but for the rank metric. The LRPC cryptosystem can benefit from very small public keys of less than 2,000 bits and is moreover very fast. We also present new optimized attacks for solving the general case of the rank syndrome decoding problem, together with a zero-knowledge authentication scheme and a new signature scheme based on a mixed errors-erasures decoding of LRPC codes, both these systems having public keys of a few thousand bits. These recent results highlight that rank-based cryptography has many good features that can be used for practical cryptosystems.


international conference on information and communication security | 2004

Multi-designated verifiers signatures

Fabien Laguillaumie; Damien Vergnaud

Designated verifier signatures were introduced in the middle of the 90's by Jakobsson, Sako and Impagliazzo, and independently patented by Chaum as private signatures. In this setting, a signature can only be verified by a unique and specific user. At Crypto'03, Desmedt suggested the problem of generalizing designated verifier signatures. In this case, a signature should be intended for a specific set of different verifiers. In this article, we provide a formal definition of multi-designated verifiers signatures and give a rigorous treatment of the security model for such a scheme. We propose a construction based on ring signatures, which meets our definition, but does not achieve the privacy of signer's identity property. Finally, we propose a very efficient bi-designated verifiers signature scheme based on bilinear maps, which protects the anonymity of signers.


international conference on the theory and application of cryptology and information security | 2011

Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security

Brett Hemenway; Benoît Libert; Rafail Ostrovsky; Damien Vergnaud

Lossy encryption was originally studied as a means of achieving efficient and composable oblivious transfer. Bellare, Hofheinz and Yilek showed that lossy encryption is also selective opening secure. We present new and general constructions of lossy encryption schemes and of cryptosystems secure against selective opening adversaries. We show that every re-randomizable encryption scheme gives rise to efficient encryptions secure against a selective opening adversary. We show that statistically-hiding 2-round Oblivious Transfer implies Lossy Encryption and so do smooth hash proof systems. This shows that private information retrieval and homomorphic encryption both imply Lossy Encryption, and thus Selective Opening Secure Public Key Encryption. Applying our constructions to well-known cryptosystems, we obtain selective opening secure commitments and encryptions from the Decisional Diffie-Hellman, Decisional Composite Residuosity and Quadratic Residuosity assumptions. In an indistinguishability-based model of chosen-ciphertext selective opening security, we obtain secure schemes featuring short ciphertexts under standard number theoretic assumptions. In a simulation-based definition of chosen-ciphertext selective opening security, we also handle non-adaptive adversaries by adapting the Naor-Yung paradigm and using the perfect zero-knowledge proofs of Groth, Ostrovsky and Sahai.


international conference on pairing based cryptography | 2008

Tracing Malicious Proxies in Proxy Re-encryption

Benoît Libert; Damien Vergnaud

In 1998, Blaze, Bleumer and Strauss put forth a cryptographic primitive, termed proxy re-encryption, where a semi-trusted proxy is given some piece of information that enables the re-encryption of ciphertexts from one key to another. Unidirectional schemes only allow translating from the delegator to the delegatee and not in the opposite direction. In all constructions described so far, although colluding proxies and delegatees cannot expose the delegator's long-term secret, they can derive and disclose sub-keys that suffice to open all translatable ciphertexts sent to the delegator. They can also generate new re-encryption keys for receivers that are not trusted by the delegator. In this paper, we propose traceable proxy re-encryption systems, where proxies that leak their re-encryption key can be identified by the delegator. The primitive does not preclude illegal transfers of delegation but rather strives to deter them. We give security definitions for this new primitive and a construction meeting the formalized requirements. This construction is fairly efficient, with ciphertexts that have logarithmic size in the number of delegations, but uses a non-black-box tracing algorithm. We discuss how to provide the scheme with a black-box tracing mechanism at the expense of longer ciphertexts.


computer and communications security | 2008

Multi-use unidirectional proxy re-signatures

Benoît Libert; Damien Vergnaud

In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive termed proxy re-signature in which a proxy transforms a signature computed under Alice's secret key into one from Bob on the same message. The proxy is only semi-trusted in that it cannot learn any signing key or sign arbitrary messages on behalf of Alice or Bob. At CCS 2005, Ateniese and Hohenberger revisited this primitive by providing appropriate security definitions and efficient constructions in the random oracle model. Nonetheless, they left open the problem of constructing a multi-use unidirectional scheme where the proxy is only able to translate in one direction and signatures can be re-translated several times. This paper provides the first steps towards efficiently solving this problem, suggested for the first time 10 years ago, and presents the first multi-hop unidirectional proxy re-signature schemes. Although our proposals feature a linear signature size in the number of translations, they are the first multi-use realizations of the primitive that satisfy the requirements of the Ateniese-Hohenberger security model. The first scheme is secure in the random oracle model. Using the same underlying idea, it readily extends into a secure construction in the standard model (i.e. the security proof of which avoids resorting to the random oracle idealization). Both schemes are computationally efficient but require newly defined Diffie-Hellman-like assumptions in bilinear groups.


international cryptology conference | 2013

New Techniques for SPHFs and Efficient One-Round PAKE Protocols

Fabrice Benhamouda; Olivier Blazy; Céline Chevalier; David Pointcheval; Damien Vergnaud

Password-authenticated key exchange (PAKE) protocols allow two players to agree on a shared high entropy secret key, that depends on their own passwords only. Following the Gennaro and Lindell’s approach, with a new kind of smooth-projective hash functions (SPHFs), Katz and Vaikuntanathan recently came up with the first concrete one-round PAKE protocols, where the two players just have to send simultaneous flows to each other. The first one is secure in the Bellare-Pointcheval-Rogaway (BPR) model and the second one in the Canetti’s UC framework, but at the cost of simulation-sound non-interactive zero-knowledge (SS−NIZK) proofs (one for the BPR-secure protocol and two for the UC-secure one), which make the overall constructions not really efficient.


international colloquium on automata languages and programming | 2006

New extensions of pairing-based signatures into universal designated verifier signatures

Damien Vergnaud

The concept of universal designated verifier signatures was introduced by Steinfeld, Bull, Wang and Pieprzyk at Asiacrypt 2003. We propose two new efficient constructions for pairing-based short signatures. The first scheme is based on Boneh-Boyen signatures and its security can be analyzed in the standard security model. We reduce its resistance to forgery to the hardness of the strong Diffie-Hellman problem, under the knowledge-of-exponent assumption. The second scheme is compatible with the Boneh-Lynn-Shacham signatures and is proven unforgeable, in the random oracle model, under the assumption that the computational bilinear Diffie-Hellman problem is intractable. Both schemes are designed for devices with constrained computation capabilities since the signing and the designation procedures are pairing-free.


cryptology and network security | 2009

Transferable Constant-Size Fair E-Cash

Georg Fuchsbauer; David Pointcheval; Damien Vergnaud

We propose a new blind certification protocol that provides interesting properties while remaining efficient. It falls in the Groth-Sahai framework for witness-indistinguishable proofs; thus, extended to a certified signature, it immediately yields non-frameable group signatures. We then use it to build an efficient (offline) e-cash system that guarantees user anonymity and transferability of coins without increasing their size. As required for fair e-cash, in case of fraud, anonymity can be revoked by an authority, which is also crucial to deter double spending.


cryptology and network security | 2009

Group Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model

Benoît Libert; Damien Vergnaud

Group signatures allow users to anonymously sign messages in the name of a group. Membership revocation has always been a critical issue in such systems. In 2004, Boneh and Shacham formalized the concept of group signatures with verifier-local revocation, where revocation messages are only sent to signature verifiers (as opposed to both signers and verifiers). This paper presents an efficient verifier-local revocation group signature (VLR-GS) providing backward unlinkability (i.e. previously issued signatures remain anonymous even after the signer's revocation) with a security proof in the standard model (i.e. without resorting to the random oracle heuristic).

Collaboration


Top co-authors of Damien Vergnaud.

Top Co-Authors

David Pointcheval (Lawrence Berkeley National Laboratory)

Céline Chevalier (École Normale Supérieure)

Benoît Libert (École normale supérieure de Lyon)

Georg Fuchsbauer (Institute of Science and Technology Austria)

Michel Abdalla (École Normale Supérieure)

David Naccache (École Normale Supérieure)

Sonia Belaïd (École Normale Supérieure)