Publication
Featured research published by Maria Dubovitskaya.
computer and communications security | 2009
Jan Camenisch; Maria Dubovitskaya; Gregory Neven
We present a protocol for anonymous access to a database where the different records have different access control permissions. These permissions could be attributes, roles, or rights that the user needs to have in order to access the record. Our protocol offers maximal security guarantees for both the database and the user, namely (1) only authorized users can access the record; (2) the database provider does not learn which record the user accesses; and (3) the database provider does not learn which attributes or roles the user has when she accesses the database. We prove our protocol secure in the standard model (i.e., without random oracles) under the bilinear Diffie-Hellman exponent and the strong Diffie-Hellman assumptions.
financial cryptography | 2010
Jan Camenisch; Maria Dubovitskaya; Gregory Neven
We present the first truly unlinkable priced oblivious transfer protocol. Our protocol allows customers to buy database records while remaining fully anonymous, i.e., (1) the database does not learn who purchases a record, and cannot link purchases by the same customer; (2) the database does not learn which record is being purchased, nor the price of the record that is being purchased; (3) the customer can only obtain a single record per purchase, and cannot spend more than his account balance; (4) the database does not learn the customer’s remaining balance. In our protocol customers keep track of their own balances, rather than leaving this to the database as done in previous protocols. Our priced oblivious transfer protocol is also the first to allow customers to (anonymously) recharge their balances. Finally, we prove our protocol secure in the standard model (i.e., without random oracles).
IFIP Working Conference on Policies and Research in Identity Management | 2013
Jan Camenisch; Maria Dubovitskaya; Anja Lehmann; Gregory Neven; Christian Paquin; Franz-Stefan Preiss
Existing cryptographic realizations of privacy-friendly authentication mechanisms such as anonymous credentials, minimal disclosure tokens, self-blindable credentials, and group signatures vary largely in the features they offer and in how these features are realized. Some features such as revocation or de-anonymization even require the combination of several cryptographic protocols. These differences and the complexity of the cryptographic protocols hinder the deployment of these mechanisms for practical applications and also make it almost impossible to switch the underlying cryptographic algorithms once the application has been designed. In this paper, we aim to overcome this issue and simplify both the design and deployment of privacy-friendly authentication mechanisms. We define and unify the concepts and features of privacy-preserving attribute-based credentials (Privacy-ABCs) and provide a language framework in XML schema. Our language framework enables application developers to use Privacy-ABCs with all their features without having to consider the specifics of the underlying cryptographic algorithms, similar to how they use digital signatures today, where they do not need to worry about the particulars of the RSA and DSA algorithms either.
international cryptology conference | 2015
Jan Camenisch; Maria Dubovitskaya; Kristiyan Haralambiev; Markulf Kohlweiss
It takes time for theoretical advances to get used in practical schemes. Anonymous credential schemes are no exception. For instance, existing schemes suited for real-world use lack formal, composable definitions, partly because they do not support straight-line extraction and rely on random oracles for their security arguments. To address this gap, we propose unlinkable redactable signatures (URS), a new building block for privacy-enhancing protocols, which we use to construct the first efficient UC-secure anonymous credential system that supports multiple issuers, selective disclosure of attributes, and pseudonyms. Our scheme is one of the first such systems for which both the size of a credential and its presentation proof are independent of the number of attributes issued in a credential. Moreover, our new credential scheme does not rely on random oracles. As an important intermediary step, we address the problem of building a functionality for a complex credential system that can cover many different features. Namely, we design a core building block for a single issuer that supports credential issuance and presentation with respect to pseudonyms and then show how to construct a full-fledged credential system with multiple issuers in a modular way. We expect this definitional approach to be of independent interest.
security and cryptography for networks | 2012
Jan Camenisch; Maria Dubovitskaya; Kristiyan Haralambiev
We present an efficient signature scheme that facilitates Groth-Sahai proofs [25] of knowledge of a message, a verification key, and a valid signature on the message, without the need to reveal any of them. Such schemes are called structure-preserving. More precisely, the structure-preserving property of the signature scheme requires that verification keys, messages, and signatures are group elements and the verification predicate is a conjunction of pairing product equations. Our structure-preserving signature scheme supports multiple messages and is proven secure under the DLIN assumption. The signature consists of 53 + 6n group elements, where n is the number of messages signed, and to the best of our knowledge is the most efficient one secure under a standard assumption. We build the scheme from a CCA-2 secure structure-preserving encryption scheme which supports labels, non-interactive zero-knowledge (NIZK) proofs, and a suitable hard relation. We provide a concrete realization using the encryption scheme by Camenisch et al. [12], Groth-Sahai (GS) NIZK proofs, and an instance of the computational Diffie-Hellman (CDH) problem [17]. To optimize the scheme and achieve better efficiency, we also revisit the Camenisch et al. structure-preserving encryption scheme and GS NIZK proofs, and present a new technique for doing more efficient proofs for mixed types of equations, namely, for multi-exponentiation and pairing product equations, using pairing randomization techniques. Together with non-interactive zero-knowledge proofs, our scheme can be used as a building block for constructing efficient pairing-based cryptographic protocols that can be proven secure without assuming random oracles, such as anonymous credential systems [4], oblivious transfer [23,11], e-cash schemes [13], range and set membership proofs [9], blind signatures [20,3], and group signatures [5].
workshop on information security applications | 2014
Jan Camenisch; Maria Dubovitskaya; Robert R. Enderlein; Anja Lehmann; Gregory Neven; Christian Paquin; Franz-Stefan Preiss
Existing cryptographic realizations of privacy-friendly authentication mechanisms such as anonymous credentials, minimal disclosure tokens, self-blindable credentials, and group signatures vary largely in the features they offer and in how these features are realized. Some features such as revocation or de-anonymization even require the combination of several cryptographic protocols. The variety and complexity of the cryptographic protocols hinder the understanding and hence the adoption of these mechanisms in practical applications. They also make it almost impossible to change the underlying cryptographic algorithms once the application has been designed. In this paper, we aim to overcome these issues and simplify both the design and deployment of privacy-friendly authentication mechanisms. We define and unify the concepts and features of privacy-preserving attribute-based credentials (Privacy-ABCs), provide a language framework in XML schema, and present the API of a Privacy-ABC system that supports all the features we describe. Our language framework and API enable application developers to use Privacy-ABCs with all their features without having to consider the specifics of the underlying cryptographic algorithms, similar to how they use digital signatures today, where they do not need to worry about the particulars of the RSA and DSA algorithms either.
Archive | 2011
Jan Camenisch; Valentin Kisimov; Maria Dubovitskaya
This book constitutes the refereed post-conference proceedings of the IFIP WG 11.4 International Workshop, iNetSec 2010, held in Sofia, Bulgaria, in March 2010. The 14 revised full papers presented together with an invited talk were carefully reviewed and selected during two rounds of refereeing. The papers are organized in topical sections on scheduling, adversaries, protecting resources, secure processes, and security for clouds.
Privacy and Identity Management for Life | 2011
Jan Camenisch; Maria Dubovitskaya; Markulf Kohlweiss; Jorn Lapon; Gregory Neven
With the increasing use of electronic media for our daily transactions, we widely distribute our personal information. Once released, controlling the dispersal of this information is virtually impossible. Privacy-enhancing technologies can help to minimise the amount of information that needs to be revealed in transactions, on the one hand, and to limit the dispersal, on the other hand. Unfortunately, these technologies are hardly used today. In this paper, we aim to foster the adoption of such technologies by providing a summary of what they can achieve. We hope that by this, policy makers, system architects, and security practitioners will be able to employ privacy-enhancing technologies.
theory of cryptography conference | 2018
Masayuki Abe; Jan Camenisch; Rafael Dowsley; Maria Dubovitskaya
Complex cryptographic protocols are often constructed in a modular way from primitives such as signatures, commitments, and encryption schemes, verifiable random functions, etc. together with zero-knowledge proofs ensuring that these primitives are properly orchestrated by the protocol participants. Over the past decades a whole framework of discrete logarithm based primitives has evolved. This framework, together with so-called generalized Schnorr proofs, gave rise to the construction of many efficient cryptographic protocols.
Attribute-based Credentials for Trust | 2015
Patrik Bichsel; Jan Camenisch; Maria Dubovitskaya; Robert R. Enderlein; Stephan Krenn; Ioannis Krontiris; Anja Lehmann; Gregory Neven; Christian Paquin; Franz-Stefan Preiss; Kai Rannenberg; Ahmad Sabouri
One of the main objectives of the ABC4Trust project was to define a common, unified architecture for Privacy-ABC systems to allow comparing their respective features and combining them into common platforms. The chapter presents an overview of features and concepts of Privacy-ABCs and introduces the architecture proposed by ABC4Trust, describing the layers and components as well as the high-level APIs. We also present the language framework of ABC4Trust through an example scenario. Furthermore, this chapter investigates the integration of Privacy-ABCs with existing identity management protocols and also analyses the required trust relationships in the ecosystem of Privacy-ABCs.