Article

Designated verifier signatures: Anonymity and efficient construction from any bilinear map


Abstract

The concept of Designated Verifier Signatures (DVS) was introduced by Jakobsson, Sako and Impagliazzo at Eurocrypt'96. These signatures are intended for a specific verifier, who is the only one able to check their validity. In this context, we formalize the notion of privacy of signer's identity, which captures the strong designated verifier property investigated in their paper. We propose a variant of the pairing-based DVS scheme introduced at Asiacrypt'03 by Steinfeld, Bull, Wang and Pieprzyk. Contrary to their proposal, our new scheme can be used with any admissible bilinear map, especially with the low-cost pairings, and achieves the new anonymity property (in the random oracle model). Moreover, the unforgeability is tightly related to the Gap-Bilinear Diffie-Hellman assumption in the random oracle model, and the signature length is around 75 % smaller than the original proposal.


... Then many other SDVS were provided [5]-[9]. Specifically, in 2004, Laguillaumie et al. ...
... Specifically, in 2004, Laguillaumie et al. [9] gave some new security definitions including unforgeability, untransferability and privacy of signer's identity (undelegateability). In 2007, Li et al. ...
... In 2007, Li et al. [8] showed undelegateability of [9] was so strong that no SDVS existed and maybe it was a controversial definition. Hence we don't consider this property in our scheme until a standard definition for protecting privacy of signer's identity is developed. ...
Article
Full-text available
The designated verifier signature (DVS), introduced by Jakobsson et al., has the property that only the designated verifier can verify the generated signature. In order to prevent an eavesdropper from getting the signature on-line before the designated verifier receives it, they also proposed strong designated verifier signature (SDVS). In this paper, following an efficient SDVS proposed by Saeednia et al., we present a post-quantum SDVS in the random oracle model based on a lattice assumption. The unforgeability is based on the hardness of the average-case hard problem $\mathcal{R}$-SIS$_{q,n,m,\beta}$, which is at least as hard as worst-case SVP$_{\gamma}$ over ideal lattices. In addition, compared with existing lattice-based SDVS schemes, our scheme cuts the number of repetitions by more than 50 percent, and the signature size is shorter at 256 bits of security.
... However, in some applications, it is desirable that a third party cannot tell whether a signature was produced by the signer or by someone else. Thus, a variant of DeVS was proposed that was called strong DeVS (SDeVS) [1,6]. An SDeVS scheme ought to satisfy some essential security requirements [1,6,7]: unforgeability, non-delegatability, non-transferability, privacy of signer's identity. ...
... Thus, a variant of DeVS was proposed that was called strong DeVS (SDeVS) [1,6]. An SDeVS scheme ought to satisfy some essential security requirements [1,6,7]: unforgeability, non-delegatability, non-transferability, privacy of signer's identity. ...
... We also present a security proof that can be reduced to the hardness of discrete logarithm (DL), including non-delegatability, unforgeability, non-transferability and PrSI. The security analysis shows that our proposed SDVSWMR scheme possesses the above security requirements [1,6,7]. Therefore, our proposed scheme overcomes the problem existing in the IsBi-SDVSWMR scheme. ...
Article
In a strong designated verifier signature with message recovery (SDVSWMR) scheme, only the designated receiver has the capability to recover and validate the message-signature pair. In 2015, using the bilinear pairing, Islam and Biswas presented an SDVSWMR scheme (we call it IsBi-SDVSWMR) with non-delegatability, which has better performance than other schemes in terms of communication and computation cost. However, in this study, we show that the IsBi-SDVSWMR scheme does not satisfy the security property of non-delegatability as they claimed, and we present two types of delegatability attack on their scheme. We also propose a new and pairing-free SDVSWMR scheme that possesses the following security requirements: non-delegatability, unforgeability, non-transferability and privacy of signer's identity (PrSI). Comparing our scheme with other existing related schemes, our scheme obtains better performance; that is, the computational cost is only 58% (lower) of the IsBi-SDVSWMR scheme (other schemes), and the communication cost is 800 bits, which is only 68% (lower) of the IsBi-SDVSWMR scheme (other schemes). Copyright © 2017 John Wiley & Sons, Ltd.
... In this case, an adversary can know who is the real signer as there are only two possibilities. Laguillaumie and Vergnaud [13], and Saeednia [20] both formalized the notion. ...
... There are five properties of SDVS, three basic properties and two enhancements. The basic properties include the unforgeability and non-transferability [15], and privacy of signer's identity (PSI) [13]. Informally, the unforgeability means that if an adversary can forge a (strong) DVS, it solves some hard problems. ...
... Lipmaa et al. [17] showed that the construction in [20] was delegatable. Laguillaumie et al. [13] proposed an ID-based SDVS scheme by using the long term symmetric secret of two users. Tso et al. [22] proposed to construct SDVS schemes by using authenticated key agreement protocols. ...
Conference Paper
We propose a non-delegatable strong designated verifier signature on elliptic curves. The size of the signature is less than 500 bits considering an 80 bits security strength. It provably satisfies the non-delegatability and signer ambiguity properties. The construction method is a combination of the Schnorr signature and the elliptic curve Diffie-Hellman problem.
... A DVS with this property is called a strong designated verifier signature (SDVS) [13]. The strength of an SDVS as privacy of a signer's identity (PSI) is formalized by Laguillaumie and Vergnaud in 2004 [16]. A valid designated verifier signature for Bob on behalf of Alice is generated if and only if the secret key of either Alice or Bob is known. ...
... Several variants of DVS such as ring signatures [19,20], universal designated verifier signatures (UDVS) [8,9,14,21,24,27], multi-designated verifier signatures [13,15], identity-based designated verifier signatures (IBDVS) [4,10,11,23], and (SDVS) [4,10] are proposed. Several DVS schemes [16,17,21,22] are shown to be delegatable since the notion of non-delegatability [18] was introduced, while there are a few non-delegatable DVS schemes [11,18,28] in the random oracle model [2]. Since 2007, two SDVS schemes in the standard model are proposed in [12] and [28], respectively. ...
... 4. Privacy of the Signer's Identity (PSI): An SDVS has the property of PSI if no one can tell that signatures generated by the signer $S_0$ for a verifier $V$ are different from signatures generated by the signer $S_1$ for the same $V$, without knowing the secret key of $V$. The formal definition of this property [16] is given in Definition 5, Appendix A. ...
Article
In this study, a novel pairing-based strong designated verifier signature scheme based on non-interactive zero knowledge proofs is proposed. The security of the proposal is presented by sequences of games without random oracles; furthermore, this scheme has a security proof for the property of privacy of the signer's identity, in comparison with the scheme proposed by Zhang et al. in 2007. In addition, this proposal, compared to the scheme presented by Huang et al. in 2011, supports non-delegatability. The non-delegatability of our proposal is achieved since we do not use the common secret key shared between the signer and the designated verifier in our construction. Furthermore, if a signer delegates her signing capability, which is derived from her secret key on a specific message, to a third party, then the third party cannot generate a valid designated verifier signature due to the relaxed special soundness of the non-interactive zero knowledge proof. To the best of our knowledge, this construction is the first attempt to generate a designated verifier signature scheme with non-delegatability in the standard model, while the satisfaction of the non-delegatability property is loose.
... In 2004, Wang [24] proposed an improvement towards Dai et al.'s construction in which the proxy signer can designate a receiver. Since Wang, several efficient constructions like [25,26,27,28,29,30] took place. ...
... In the last decades, several security attributes like unforgeability, non-transferability and non-delegatability were discussed by researchers [28,29] towards the security of DVS schemes. In [35], Boldyreva et al. demonstrated the security attributes of a PS scheme by considering the strongest form of adversary. ...
Article
Full-text available
Recently, big data collection for e-healthcare monitoring using wireless sensor networks (WSN) has become common in practice. These WSN collect data such as blood pressure, pH value, pulse rate, etc. from a remotely located patient and then send it to a hospital/medical server. Since the e-healthcare data is associated with a patient, the confidentiality and authentication of the data are critical issues. This article introduces a provably secure message recovery designated verifier proxy signature (MRDVPS) scheme to address these issues. The proposed MRDVPS scheme is proven existentially unforgeable (EUF) in the random oracle model (ROM), under the intractability of the computational Diffie–Hellman (CDH) problem. Efficiency comparison shows that the scheme is the most appealing for healthcare wireless sensor networks (HWSN).
... Efforts have been made to solve this issue with the introduction of signature schemes that do not depend on digital certificates for the verification of signatures [10], [11], [12], [13], [14]. In [15] the concept of signatures that do not require certificates is proposed, which uses the benefits of ID-based cryptography and can be widely used in applications where there is less bandwidth, like wireless applications [16]. ...
... If inequality (11) . (12) User O uses secret S1 O and computes Symmetric key using DHA (13) User O obtains, where represents a key derivation procedure with as an input. O computes acknowledgement using ...
... Jakobsson et al. also introduced the concept of a strong designated verifier signature (SDVS), which enhances the privacy of a signer [1]. Subsequently, Laguillaumie and Vergnaud formalized the security notion of SDVSs [2]. With a designated verifier signature, the identities of the signer and the verifier are revealed so that users know that the signature is produced either by the signer or by the verifier; however, they cannot determine by which of the two was the signature produced. ...
... In 1996, Jakobsson et al. proposed the first designated verifier signature scheme and a generic method for designing SDVS schemes [1]. In 2004, Laguillaumie and Vergnaud proposed an efficient SDVS scheme on the basis of a bilinear map in the random oracle model [2]. In 2007, Bhaskar et al. proposed an efficient SDVS scheme on the basis of the gap Diffie-Hellman (GDH) assumption in the random oracle model [3]. ...
Article
In a strong designated verifier signature scheme, only the designated verifier can determine the identity of the signer; others cannot identify the signer or the verifier. To date, one strong designated verifier signature scheme from lattices has been proposed, only in the random oracle model. In this paper, we propose the first strong designated verifier signature scheme from lattices in the standard model. The proposed scheme satisfies the requirements of unforgeability, nontransferability, and privacy of the signer's identity. This scheme can be easily extended to an identity-based strong designated verifier signature scheme and an (identity-based) strong multi-designated verifiers signature scheme.
... The notion of source hiding means an attacker, even if he knows the private keys of both the signer and the verifier, must be (unconditionally) unable to determine who from the signer and the designated verifier produced a given signature. Another anonymity property capturing the concept of strong designated verifier signatures of Jakobsson et al. [JSI96] is privacy of signer's identity [LV05]. It states that given two possible signers and a designated verifier signature, the adversary should not be able to tell which of the two signers actually produced the given signature, without the knowledge of the designated verifier's private key or the private key of one of the signers. ...
... The key space K is given to A. Besides this unforgeability consideration, message authentication codes also have anonymity properties. Following the terminology of [LV05], MACs achieve source hiding. This property is trivially obtained, as a common key is shared between two users : it is unconditionally infeasible for an attacker, even if he knows the secret key, to decide who from the two users produced a signature. ...
Article
Mobile Ad hoc networks are a step closer to the vision of pervasive computing where all devices dynamically discover each other, organize communication networks between themselves and share resources/information to provide seamless service to the end-user. But providing any reliable service over such a network requires a secure and well-functioning network. Lack of infrastructure, energy-constrained nature of devices and high dynamism in the network makes the task of securing such networks quite challenging. In this thesis we propose cryptographic protocols, which are a stepping stone to a secure ad hoc network. In particular, we contribute to the areas of key establishment and secure routing in ad hoc networks. Key establishment is concerned with making available cryptographic keys to the devices, necessary for participating in the security services of the network. On the other hand routing needs to be secured in such networks as almost all nodes need to participate in the routing process (for efficiency reasons) and presence of one malicious node could easily have drastic consequences on the routing performance of the whole network. Thus security checks are required to prevent such malicious nodes from hampering the routing process and to recover from it in case they do succeed. Our first result is a new group key agreement protocol which is especially suitable for ad hoc networks but also outperforms most known protocols for traditional networks as well. The protocol adapts well to the dynamics of the network and is robust enough to deal with message losses and link failures. It requires little self-organization by the nodes in the network. We present some modified versions of the same and security proofs showing that the security of these protocols is tightly related to the security of the Decisional Diffie-Hellman problem. We also discuss issues related to implementation of this protocol in real scenarios.
Our second result is the introduction of the notion of an Aggregate Designated Verifier Signature (ADVS) scheme. An ADVS scheme allows efficient aggregation of multiple signatures on different messages designated to the same verifier. We show how this primitive can be efficiently utilized to secure reactive routing protocols in ad hoc networks. We provide a security model to analyze such schemes and propose an ADVS scheme which aggregates signatures more efficiently than existing schemes.
... A DVS with this property is called a strong designated verifier signature (SDVS) [21]. The strength of an SDVS as privacy of a signer's identity (PSI) is formalized by Laguillaumie and Vergnaud in 2004 [25]. A valid designated verifier signature for Bob on behalf of Alice is generated if and only if the secret key of either Alice or Bob is known. ...
... Besides the aforementioned designated verifier signature schemes and their variants in the conventional public key infrastructure (PKI) setting, another useful variant, which is a combination of DVS and identity-based encryption [31], is identity-based designated verifier signatures (IBDVS) [3, 8, 22, 17-19, 34, 38]. On the other hand, several DVS schemes [32,8,22,25,26,16,33] are shown to be delegatable since the notion of non-delegatability [27] was introduced, while there are a few DVS schemes [18][19][20][27] which are non-delegatable. Since 2009, two identity-based non-delegatable (S)DVS [18,19] have been proposed, whose performance is not satisfactory enough to be used widely. ...
Article
Up to now, several non-delegatable identity-based (strong) designated verifier signature schemes using bilinear pairings have been proposed. In these identity-based (strong) designated verifier signature schemes, bilinear pairings are employed either in the signing and verifying steps or only in the verifying step. However, the computation cost of pairings at a security level equivalent to a 128-bit symmetric key of AES is approximately 20 times higher than that of exponentiation over an elliptic curve group. Hence, presenting a (strong) designated verifier signature scheme which is identity-based without pairings and supports non-delegatability as well is vital. In this study, a non-delegatable identity-based designated verifier signature scheme without bilinear pairings using two concatenated Schnorr signatures is proposed. Our construction is not only approximately 40 times more efficient compared to the existing non-delegatable identity-based (strong) designated verifier signature schemes, due to avoiding bilinear pairings, but is also provably secure in the random oracle model.
... A secure and flexible access control scheme and protocol for M-services based on role-based access control (RBAC) [6] appeared in the same year. In 2004, Laguillaumie et al. [7] provided the first formal description of the concept of designated verifier signatures and a formal definition of the signer identity privacy property in strong designated verifier signatures. They also improved the designated verifier signature scheme proposed by Steinfeld et al. [8] at Asiacrypt'03 using bilinear pairings and proposed a new signature scheme that has lower computational consumption, and proved that the scheme can guarantee the privacy of the signer's identity. ...
Article
Full-text available
In an attribute-based strong designated verifier signature, a signer who satisfies the access structure signs the message and assigns it to a verifier who satisfies the access structure to verify it, which enables fine-grained access control for signers and verifiers. Such signatures are used in scenarios where the identity of the signer needs to be protected, or where the public verifiability of the signature is avoided and only the designated recipient can verify the validity of the signature. To address the problem that the overall overhead of the traditional attribute-based strong designated verifier signature scheme is relatively large, an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography is proposed, as well as a security analysis of the new scheme given in the standard model under the difficulty of the elliptic curve discrete logarithm problem (ECDLP). On the one hand, the proposed scheme is based on elliptic curve cryptography and uses scalar multiplication on elliptic curves, which is computationally lighter, instead of bilinear pairing, which has a higher computational overhead in traditional attribute-based signature schemes. This reduces the computational overhead of signing and verification in the system, improves the efficiency of the system, and makes the scheme more suitable for resource-constrained cloud end-user scenarios. On the other hand, the proposed scheme uses LSSS (Linear Secret Sharing Schemes) access structure with stronger access policy expression, which is more efficient than the "And" gate or access tree access structure, making the computational efficiency of the proposed scheme meet the needs of resource-constrained cloud end-users.
... Revoked users who do not know URP need to compute $\hat{e}(g_p^a, g_p^z)^s$ from a tuple $(\hat{e}, g_p^z, g_p^a, g_p^s)$. However, the possibility of achieving that is negligible under the Decisional Bilinear Diffie-Hellman (DBDH) assumption [210]. Thus, the Basic Encryption scheme is provably secure under the DBDH assumption. ...
Thesis
Cloud-based data storage and sharing services have proven successful over the last decades. The underlying model helps users avoid spending heavily on hardware to store data while still being able to access and share data anywhere and whenever they desire. In this context, security is vital to protecting users and their resources. Regarding users, they need to be securely authenticated to prove their eligibility to access resources. As for user privacy, showing credentials enables the service provider to detect sharing-related people or build a profile for each. Regarding outsourced data, due to the complexity of deploying effective key management in such services, data is often not encrypted by users but by service providers. This enables them to read users' data. In this thesis, we make a set of contributions which address these issues. First, we design a password-based authenticated key exchange protocol to establish a secure channel between users and service providers over an insecure environment. Second, we construct a privacy-enhancing decentralized public key infrastructure which allows building secure authentication protocols while preserving user privacy. Third, we design two revocable ciphertext-policy attribute-based encryption schemes. These provide effective key management systems to help a data owner encrypt data before outsourcing it while still retaining the capacity to securely share it with others. Fourth, we build a decentralized data sharing platform by leveraging blockchain technology and the IPFS network. The platform aims at providing high data availability, data confidentiality, secure access control, and user privacy.
... SDVS from HMAC: In the literature, several classical strong designated verifier signature schemes based on HMAC have been proposed, e.g., [31][32][33]. The general construction used in the verification algorithm of message-signature pair (m, σ) uses the verification equation like: ...
Article
Full-text available
Public-key cryptography provides security for digital systems and communication. Traditional cryptographic solutions are constantly improved, e.g., to suppress brute-force attacks. However, Shor’s algorithm suited for quantum computers can break the bedrock of most currently used systems, i.e., the RSA problem and discrete logarithm problem. Post-quantum cryptography can withstand attacks carried out by quantum computers. Several families of post-quantum systems exist; one of them is isogeny-based cryptography. As a main contribution, in this paper, we provide a survey of chosen, fundamental isogeny-based schemes. The target audience of this review is researchers interested in practical aspects of this field of cryptography; therefore the survey contains exemplary implementations. Our goal was not to develop an efficient implementation, but to provide materials that make it easier to analyze isogeny-based cryptography.
... DVS achieves message authenticity with repudiation. To achieve the non-repudiation goal in DVS, the SDVS concept was presented in Jakobsson et al. (1996). It was then formally defined in Saeednia et al. (2003) and revised in Laguillaumie and Vergnaud (2005). SDVS schemes mandate the utilization of the private key of the predetermined verifier in the verification process (Huang et al., 2006; 2008; Kang et al., 2009; Laguillaumie and Vergnaud, 2004; Ogata et al., 2005). ...
Article
The prosperous advancement in Medical Internet of Things (MIoT) technologies has hastened the development of healthcare systems. MIoT improves traditional medical facilities through periodic monitoring of patients' health records. Electronic Medical Records (EMRs) are sensitive private data and need efficient, secure and private schemes that interchange these EMRs between healthcare providers and patients. Most of the current privacy-preserving schemes do not provide the desired privacy level and suffer from computation and communication overheads. The length of an IDentity-based Strong Designated Verifier Signature (IDSDVS) is short. IDSDVS has low communication and computational costs. Moreover, it gives the signer (the patient) control over who can verify his signature. This feature allows patients to choose the verifier and keep the privacy of their Electronic Medical Records (EMR). This paper presents a new privacy-preserving authentication protocol in the Medical Internet of Things (MIoT) that achieves patient privacy in MIoT. Precisely, we propose two new IDSDVS schemes. Utilizing the random oracle model, we show that these two schemes satisfy the security conditions. Furthermore, we evaluate the proposed IDSDVS schemes by comparing them to related schemes in the literature. The proposed schemes achieve lower costs of communication and computation than related schemes.
... Revoked users, who do not know URP, need to compute $\hat{e}(g_p^a, g_p^z)^s$ from a tuple $(\hat{e}, g_p^z, g_p^a, g_p^s)$. However, the possibility of achieving that is negligible under the Decisional Bilinear Diffie-Hellman (DBDH) assumption [18]. Thus, the PS scheme is provably secure under the DBDH assumption. ...
Conference Paper
Full-text available
Cloud-based storage services have been the dominating outsourcing solution for both individuals and organizations to share data digitally. Despite the advantages, users must rely on storage services for data confidentiality, data access control, user privacy, and data availability. Whereas data confidentiality can be protected by advanced encryption algorithms, the rest remain challenging. First, in existing centralized storage services, even though data access controls are mainly defined by data owners, they are maintained and enforced by the services, which can deny data retrieval requests of authorized users or allow requests of illegitimate users. Second, the identity of a user is often known to the services to verify its eligibility to access requested data according to the access control, thus making the user traceable in the system. More importantly, the lack of anonymity may make users reluctant to use such services in sensitive contexts. Third, a huge amount of data is daily generated and stored on a centralized party, simultaneously serving requests from many users, which may cause a collapse of the system during peak periods. To address all these concerns, we propose a privacy-preserving blockchain-based data sharing platform for the InterPlanetary File System (IPFS), a content-addressable peer-to-peer storage system. The platform allows protecting both user anonymity, data confidentiality, and provides high data availability due to being deployed upon the IPFS network.
... In terms of data storage, the limited local storage resources of vehicles inspired researchers to use cloud storage technology. In view of the data security threats faced by the tenant after the introduction of a third-party auditor in the data integrity auditing scheme, and the low efficiency of dynamic updating, this paper proposes a new data integrity auditing scheme based on the data coloring privacy protection method [34], the HMBT data authentication structure, the bilinear pairing mapping technique [35] and the BLS Signature Scheme [36]. Specifically, the main contributions of this paper can be summarized as follows: 1) This paper divides the coloring data into a two-dimensional structure, and further constructs the HMBT as a storage authentication structure to support more granular dynamic data operations. ...
Article
Full-text available
The advantages of cloud storage make more and more tenants choose to outsource their data to the cloud. In vehicular ad hoc networks (VANETs), sensors on the vehicle can collect road information which is available for analyzing traffic conditions and their integrity must be guaranteed. Due to the limited storage capability, vehicles tend to store the valid information that was collected on the cloud servers. However, unlike using local storage devices, vehicles no longer have absolute control over the cloud data. Therefore, vehicles as the tenants of cloud are most concerned about the data integrity. Many existing integrity auditing schemes have problems such as low efficiency of data dynamic updating, leakage of data privacy and high auditing cost. To solve these problems, this paper proposes a dynamic data integrity auditing scheme that supports data privacy protection. Firstly, build the Hierarchical Multiple Branches Tree (HMBT) data authentication structure in the initialization phase. Secondly, design a data integrity auditing scheme based on the bilinear pairing mapping technology and the BLS digital signature mechanism, and describe in detail the process of data dynamic updating. Finally, security analysis and performance analysis are carried out in the evaluation of the scheme. The security analysis shows that this scheme can satisfy auditing correctness, support data privacy protection, resist forgery attack and replay attack. In performance analysis, the scheme is compared with the existing scheme. The results show that the scheme reduces the time cost of data integrity auditing and dynamic updating.
... At the same time, hospital A also shares the ability and responsibility to authenticate these hospital records when the patient may not be convenient to do so. Signature schemes such as undeniable signature (Chaum and Antwerpen, 1990), limited verifier signature (Araki et al., 1999), and designated verifier signature (Laguillaumie and Vergnaud, 2004) schemes with verifiability restriction seem to be not suitable for this situation. To meet this requirement, Lim and Lee (1992) proposed a new type of signature called Directed signature. ...
Article
In an ordinary signature scheme anyone can verify the validity of a signature produced by the signer. But public verifiability of signatures is not desirable in some applications where the signed message is sensitive to the signature receiver, for example signatures on medical records or tax information. To meet this requirement, the concept of directed signature was introduced. A directed signature scheme is a kind of signature scheme in which the verification ability is controlled by the signer. Many directed signature schemes have been proposed in different cryptographic settings and most of the schemes use bilinear pairings over elliptic curves. But the computation of a bilinear pairing is very expensive. Hence the schemes which use pairings are less efficient and are not much applicable in practice. In order to improve the computational and communicational efficiency, in this paper, we propose a pairing-free certificateless directed signature scheme. The proposed scheme is proven secure in the random oracle model under the assumption that the elliptic curve discrete logarithm problem is hard. We compare our scheme with well known existing schemes and efficiency analysis shows that the proposed scheme is more efficient.
... In this way the signer's identity can be protected by the encryption function. The formal definition of a SDVS was proposed by Laguillaumie and Vergnaud [14] where the "privacy of signer's identity" was formally defined. Some variants of DVS were introduced following the seminal work of Jakobsson et al. [12], such as identity-based DVS (IBDVS) [7,8,13,20], short DVS [10,11] where the size of a DVS is short, and multi-verifier DVS (MDVS) [15], in which the signer can designate multiple parties as verifiers. ...
Article
In this paper, we introduce a new cryptographic primitive named Designated Verifier Proxy Re-Signature (DVPRS). Different from a normal proxy re-signature, our DVPRS is defined based on the notion of Designated Verifier Signature (DVS) which is very useful in many applications that require “deniable authentication”. Since a DVS can only be verified by a designated verifier, in addition to the re-sign algorithm which allows a proxy to use a resign key to change the signer of a DVS on a message, we also define the re-designate-verifier algorithm for DVPRS which allows a proxy to change the designated verifier of a DVS. We present the formal definition, security model, and an efficient construction of DVPRS, and prove its security under some standard assumptions. We show that DVPRS is very useful in many communication and network applications that require deniable and/or anonymous authentication.
... Laguillaumie et al. [29] presented an anonymous and efficient DVS construction based on the bilinear map. Desmedt [17] introduced the notion of designated multi verifier signature scheme (DMVS), where a set of legitimate users are able to verify the signature. ...
Research
Cloud data owners encrypt their documents before outsourcing to provide their privacy. They could determine a search control policy and delegate the ability of search token generation to the users whose attributes satisfy the search control policy. Verifiable attribute-based keyword search (VABKS), where the users can also verify the accuracy of the cloud functionality, is one of such schemes. In this paper, the first generic construction for a VABKS scheme is proposed. To this end, the notion of hierarchical identity-based multi-designated verifier signature (HIB-MDVS) has been introduced and existential forgery under chosen message attack (EF-CMA) is formally defined for its unforgeability. Furthermore, anonymity against chosen identity vector set and chosen plaintext attack (Anon-CIVS-CPA) has been defined as the security definition of hierarchical identity-based broadcast encryption (HIBBE) in a formal way. The proposed construction is built in a modular structure by using HIBBE, HIB-MDVS, and a Bloom filter as the building blocks. We also propose an anonymous HIBBE and a HIB-MDVS scheme based on HIBBE and hierarchical identity-based signature, and prove that the security of the proposed construction is based on the unforgeability of HIB-MDVS and the anonymity of HIBBE. Finally, the concept of verifiable ranked keyword search is introduced and a construction of this primitive is presented which is based on the proposed VABKS scheme.
... Furthermore, in our proposed scheme we made some changes to make DVPS more compatible with the LTE security architecture and to provide a user-to-user mutual authentication and key agreement protocol. Designated verifier signature and proxy signature offer many kinds of security levels as proposed in the literature in the field of DVS [15,17,24,30,33,36]. The rest of the paper is organized as follows: Section 2 introduces the basic EPS-AKA protocol; Section 3 presents briefly the basic EPS-AKA vulnerabilities and some threats which are the motivations for this paper; Section 4 discusses the preliminaries of our proposed scheme and introduces the basic principles of bilinear pairing and designated verifier signature; Section 5 presents our proposed system model, where we first introduce some assumptions and definitions and then present the phases of our proposed scheme; in Sections 6 and 7 we evaluate our proposed scheme by analyzing the security and the performance efficiency respectively; finally, Section 8 concludes this work. ...
Article
Long Term Evolution (LTE) is the first technology that provides exclusively packet-switched data and modifies the security architecture of the 2G and 3G systems. The LTE security architecture offers confidentiality, access control, a kind of obscurity and mutual authentication. However, numerous types of attacks can be encountered during the mutual authentication process, which is a challenge-response based technique. Therefore, a highly secure public key algorithm can be implemented to improve the network security services. As the network operator is often considered as not being a highly trusted party and can thus face threats, the communication ends are the only secure parties to provide such security features. This paper proposes a secure mutual authentication and key agreement scheme for LTE cellular systems with user-to-user security. The network side in this scheme operates as a proxy and non-trusted party to provide the security architecture with more flexibility and reliability. This is achieved by using a designated verifier proxy signature and a key agreement protocol based on bilinear pairing, with some changes in both the security algorithms and the LTE security architecture within the LTE standardization. Our security and performance analysis demonstrates that the proposed scheme is more secure compared to the basic authentication and key agreement schemes.
... To avoid situations where Bob can convince the third party, by other means, that he has not produced the signature, strong Designated Verifier Signature (SDVS) has been introduced in [4], formalized in [5], and revisited in many other works such as [6]. SDVS schemes force the designated verifier to utilize his private key at the time of verification. ...
Chapter
Kang, Boyd, and Dawson (Journal of Systems and Software, Vol. 82, 2009) proposed an identity-based strong designated verifier signature scheme which has a short signature size, and low communication and computational costs. In this paper, we show that this signature scheme does not satisfy the required authentication property. In particular, we present an attack that allows an adversary to impersonate the signer or designated verifier of a previously intercepted message-signature pair by forging valid signatures on arbitrary messages designated to one of them on behalf of the other.
... Saeednia et al. [2] gave the formal definition of strong designated verifier signature in 2003. Laguillaumie et al. [3] revisited the strong designated verifier signature in 2005. Since then, many designated verifier signature schemes and their variants were proposed, including multi-designated verifiers signature schemes [4], identity-based designated verifier signature schemes [5][6][7], certificateless designated verifier signature schemes [8][9][10] and universal designated verifier signature schemes [11][12]. ...
Article
A strong designated verifier signature ensures that only the designated user can verify the validity of the signature; others who have neither the signer's private key nor the verifier's private key cannot judge the signature's originator. Lee et al. presented a designated verifier signature scheme to realize signature verification within a limited time. We demonstrate that Lee et al.'s scheme is insecure: other legal users can forge valid signatures which convince the designated verifier. In this paper, we show a concrete forgery attack on Lee et al.'s scheme and propose a new strong designated verifier signature scheme with time limit. In our new scheme, the message and time stamp do not need to be transmitted in public; they are embedded in the signature via the method of signcryption. Only the signer and the designated verifier can recover those secret values. Based on the Bilinear Diffie-Hellman problem and the Pre-Image Resistance assumption, it is proved that the new strong designated verifier signature scheme can resist the ordinary forgery attack and replay attack, and enforce signature verification with time limit. © 2015, Kauno Technologijos Universitetas. All rights reserved.
... Here, the validity means that a signature has been generated either by a signer or by a designated verifier. This security property is formally known as non-transferability or simulatability [2]. In this sense, the nontransferability property provides signer ambiguity. ...
... This setting is clearly different from private identification where one wants to protect the privacy of tags identifying to one reader (verifier). Laguillaumie and Vergnaud [102] proposed strong designated verifier signatures, based on the privacy of the signer's identity. In this setting any non-designated verifier cannot tell apart signatures from different signers to the same designated verifier. ...
Chapter
Strong designated verifier signature schemes rely on sender-privacy to hide the identity of the creator of a signature to all but the intended recipient. This property can be invaluable in, for example, the context of deniability, where the identity of a party should not be deducible from the communication sent during a protocol execution. In this work, we explore the technical definition of sender-privacy and extend it from a 2-party setting to an n-party setting. Afterwards, we show in which cases this extension provides stronger security and in which cases it does not.
Article
Sharing data has evolved into an essential component of today's society as a direct result of the proliferation of new technologies and the growing prevalence of digitalization. Traditional methods of data sharing, on the other hand, frequently encounter considerable hurdles in terms of both privacy and security. With its immutability and indestructibility, blockchain technology has emerged as the most reliable all-in-one cryptosystem for protecting online transactions. Some businesses, IT managers, and programmers have taken an interest in the blockchain network because of its potential as a decentralized infrastructure. In addition to safeguarding transactions from modification, this solution also serves as a historical audit trail for the network. This paper presents a decentralized data sharing architecture that uses blockchain technology and protects users' privacy. The goal is to address the problems that have been identified. The proposed framework makes use of a combination of cryptographic methods and blockchain technology in order to enable secure, efficient, and decentralized data sharing while still maintaining users' anonymity. In order to improve data privacy and scalability, the framework makes use of a hybrid blockchain method. This technique incorporates the positive aspects of both public and private blockchains. The usefulness of the suggested framework in maintaining data privacy and security while also enabling efficient and decentralized data exchange is demonstrated by the results of an evaluation that uses a prototype implementation as its basis.
Chapter
This paper introduces a new type of public-key encryption scheme, called Multi-Designated Receiver Signed Public Key Encryption (MDRS-PKE), which allows a sender to select a set of designated receivers and both encrypt and sign a message that only these receivers will be able to read and authenticate (confidentiality and authenticity). An MDRS-PKE scheme provides several additional security properties which allow for a fundamentally new type of communication not considered before. Namely, it satisfies consistency (a dishonest sender cannot make different receivers receive different messages), off-the-record (a dishonest receiver cannot convince a third party of what message was sent, e.g., by selling their secret key, because dishonest receivers have the ability to forge signatures) and anonymity (parties that are not in the set of designated receivers cannot identify who the sender and designated receivers are). We give a construction of an MDRS-PKE scheme from standard assumptions. At the core of our construction lies yet another new type of public-key encryption scheme, which is of independent interest: Public Key Encryption for Broadcast (PKEBC), which provides all the security guarantees of MDRS-PKE schemes, except authenticity. We note that MDRS-PKE schemes give strictly more guarantees than Multi-Designated Verifier Signature (MDVS) schemes with privacy of identities. This in particular means that our MDRS-PKE construction yields the first MDVS scheme with privacy of identities from standard assumptions. The only prior construction of such schemes was based on Verifiable Functional Encryption for general circuits (Damgård et al., TCC '20).
Chapter
The key exchange protocol that establishes initial shared secrets in the handshake of the Signal end-to-end encrypted messaging protocol has several important characteristics: (1) it runs asynchronously (without both parties needing to be simultaneously online), (2) it provides implicit mutual authentication while retaining deniability (transcripts cannot be used to prove either party participated in the protocol), and (3) it retains security even if some keys are compromised (forward secrecy and beyond). All of these properties emerge from clever use of the highly flexible Diffie–Hellman protocol. While quantum-resistant key encapsulation mechanisms (KEMs) can replace Diffie–Hellman key exchange in some settings, there is no replacement for the Signal handshake solely from KEMs that achieves all three aforementioned properties, in part due to the inherent asymmetry of KEM operations. In this paper, we show how to construct asynchronous deniable key exchange by combining KEMs and designated verifier signature (DVS) schemes, matching the characteristics of Signal. There are several candidates for post-quantum DVS schemes, either direct constructions or via ring signatures. This yields a template for an efficient post-quantum realization of the Signal handshake with the same asynchronicity and security properties as the original Signal protocol. Keywords: Authenticated key exchange; Deniability; Asynchronous; Signal protocol; Post-quantum; Designated verifier signatures
Chapter
When defining a security notion, one typically specifies what dishonest parties cannot achieve. For example, communication is confidential if a third party cannot learn anything about the messages being transmitted, and it is authentic if a third party cannot impersonate the real (honest) sender. For certain applications, however, security crucially relies on giving dishonest parties certain capabilities. As an example, in Designated Verifier Signature (DVS) schemes, one captures that only the designated verifier can be convinced of the authenticity of a message by guaranteeing that any dishonest party can forge signatures which look indistinguishable (to a third party) from original ones created by the sender.
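The non-transferability (simulatability), sender-privacy and "dishonest parties must be able to forge" points made in the last few abstracts are easiest to see on a concrete construction. The following is an added example written for this page, not code from any of the papers listed here: a toy strong designated verifier signature built from a static Diffie-Hellman shared key and an HMAC. Only the signer or the designated verifier can derive the key, so only they can check the tag (strongness); the verifier can produce the identical tag (non-transferability); and to anyone else the tag is 32 pseudorandom bytes that do not depend visibly on who signed (privacy of the signer's identity). It assumes the RFC 3526 group 14 (2048-bit MODP) prime with generator 2; all function and variable names are made up for the demo.

```python
"""Toy strong designated verifier signature (SDVS) from a static Diffie-Hellman
shared key plus HMAC.  Illustrative example added to this page; it is not a scheme
from any paper cited here.  Assumption: the RFC 3526 group 14 (2048-bit MODP)
prime with generator 2; all function and variable names are made up for the demo."""

import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime (copied here as an assumption); 2 generates its order-Q subgroup.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so the subgroup generated by 2 has prime order Q


def keygen():
    """Static DH key pair: secret x in [1, Q), public g^x mod P."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def _dvs_key(my_sk, their_pk, pk_signer, pk_verifier):
    """Key known only to signer S and designated verifier V: H(g^{x_S x_V}, pk_S, pk_V).
    Binding the ordered pair (signer, verifier) stops a tag for S->V being replayed as V->S."""
    if not 1 < their_pk < P - 1 or pow(their_pk, Q, P) != 1:
        raise ValueError("public key is not in the prime-order subgroup")
    z = pow(their_pk, my_sk, P)
    h = hashlib.sha256(b"toy-sdvs-v1")
    for v in (z, pk_signer, pk_verifier):
        h.update(v.to_bytes(256, "big"))
    return h.digest()


def sign(sk_signer, pk_signer, pk_verifier, message):
    """Signer S designates V.  Nobody without x_S or x_V can compute the key, so the
    tag reveals nothing to outsiders: 32 pseudorandom bytes, whoever signed."""
    k = _dvs_key(sk_signer, pk_verifier, pk_signer, pk_verifier)
    return hmac.new(k, message, hashlib.sha256).digest()


def verify(sk_verifier, pk_verifier, pk_signer, message, sig):
    """Strong DVS: verification needs the verifier's secret key, not just public keys."""
    k = _dvs_key(sk_verifier, pk_signer, pk_signer, pk_verifier)
    expected = hmac.new(k, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def simulate(sk_verifier, pk_verifier, pk_signer, message):
    """Non-transferability: V can produce exactly the tag S would have produced, so a
    valid tag shown to a third party is no evidence that S (rather than V) made it."""
    k = _dvs_key(sk_verifier, pk_signer, pk_signer, pk_verifier)
    return hmac.new(k, message, hashlib.sha256).digest()


def demo():
    """Run three parties through the properties; returns a dict of booleans."""
    sk_a, pk_a = keygen()  # signer Alice
    sk_b, pk_b = keygen()  # designated verifier Bob
    sk_c, pk_c = keygen()  # Carol, an outsider who only ever sees public keys
    msg = b"constructed sample message: approve invoice 4711"
    sig = sign(sk_a, pk_a, pk_b, msg)
    return {
        "bob_accepts": verify(sk_b, pk_b, pk_a, msg, sig),
        "tampered_rejected": not verify(sk_b, pk_b, pk_a, msg + b"!", sig),
        "bob_simulates_identical_tag": simulate(sk_b, pk_b, pk_a, msg) == sig,
        # Carol cannot derive g^{x_A x_B}; the best she can do with her own key fails.
        "carol_check_fails": not verify(sk_c, pk_c, pk_a, msg, sig),
        # The tag is bound to (signer=A, verifier=B); it is not valid read as B->A.
        "reversed_roles_rejected": not verify(sk_a, pk_a, pk_b, msg, sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two caveats that the later abstracts on this page raise apply directly to this toy. It is delegatable: the signer can hand the derived HMAC key to anyone without revealing her DH secret, which is exactly what the non-delegatability notion of Lipmaa et al. rules out. And it is not self-unverifiable: exposure of the signer's secret key, not only the verifier's, lets an attacker run the check, the weakness discussed for identity-based SDVS schemes below. Pairing-based schemes such as the one in the main article above are designed to give these properties with provable reductions; this block only makes the definitions tangible.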
Chapter
Strong designated verifier signatures (SDVS) allow users to produce signatures that are not publicly verifiable, such that no one other than the signer and the designated verifier can check the validity of a given signature, which preserves the privacy of the signer. This cryptographic primitive is very useful in different real life scenarios such as e-voting and e-bidding. In this paper, we propose an SDVS scheme based on rank metric error correcting codes. Our construction makes a trade-off between efficiency and security requirements; for instance, we achieve a signature of size 3510 bits and a public key of size 23088 bits for the 80-bit security level. Furthermore, our proposal is quantum computer resistant since it is based on coding theory.
Chapter
Content moderation is crucial for stopping abusive and harassing messages in online platforms. Existing moderation mechanisms, such as message franking, require platform providers to be able to associate user identifiers to encrypted messages. These mechanisms fail in metadata-private messaging systems, such as Signal, where users can hide their identities from platform providers. The key technical challenge preventing moderation is achieving cryptographic accountability while preserving deniability.
Article
The revelation in April 2018 on Mark Zuckerberg's testimony to the congress raises the question about how much control people have over their data in the cloud. The big data privacy risks lead to the question of how to securely share information among an assigned group or set of people. Furthermore, anonymity is an equally important issue in which the disclosed information should not be linked to the owner. Policy controlled signature and signcryption are presented in this paper to provide an affirmative answer to the aforementioned privacy issues. The primitives ensure the user's privacy, especially confidentiality and anonymity. By limiting validation of a signature to the permitted verifiers constrained by a verifier policy, without revealing the identity of the signer, our policy controlled signature schemes provide both privacy and anonymity. An additional property of our policy controlled signcryption scheme provides not only privacy and anonymity, but also confidentiality, where the information delivered to the receiver is encrypted and cannot be traced back to the sender's identity. Furthermore, our policy controlled signature scheme was proven to be unforgeable and collision-resistant. Additionally, our policy controlled signcryption scheme was proven to be secure against indistinguishability under an adaptive chosen ciphertext attack model of an encryption scheme, which is the strongest model in the existing literature.
Conference Paper
The concept of undeniable signatures has been introduced at Crypto'89 by Chaum and van Antwerpen. It has been revisited several times since, in particular by Jakobsson, Sako and Impagliazzo at Eurocrypt'96 who introduced designated verifier signatures and by Steinfeld, Bull, Wang and Pieprzyk at Asiacrypt'03 who designed universal designated verifier signatures. Behind all those notions lies the idea to produce some kind of signature that can be verified only by a targeted verifier. However the verifier should not be able to convince anyone that the signature is valid. In this paper, we present an efficient way to solve those three problems, under classical assumptions, namely DLin and CDH in the standard model. Once we propose such construction, we generalize our approach to a framework showing how to build efficient ID-based Designated Verifier Signature, in the standard model under classical assumptions.
Article
In this paper, we present a new cryptographic primitive called "policy-controlled signatures". In this notion, a signer can sign a message and attach it with some policies. Only a verifier who satisfies the attached policies can verify the authenticity of the message. This type of signature scheme has many applications, in particular to deal with sensitive data, where the signer does not want to allow anyone who is unauthorized to verify the authenticity of the messages. The notion of policy-controlled signatures bears some similarities with designated verifier signatures, as it can also be used to designate a signature to multiple recipients. Nevertheless, we shall demonstrate that the notion of policy-controlled signatures generalizes the notion of designated verifier signatures. A concrete scheme that is secure in our model is also provided. Furthermore, we also present an extension to "universal policy-controlled signature". In this extended notion, we combine the idea of universal designated verifier signatures with policy-controlled signatures to allow more flexible delegations. We also provide a concrete scheme that is secure in our model.
Article
A non-delegatable strong designated verifier signature (NSDVS) enforces verification of a signature by a designated verifier only. The concept is useful in various commercial cryptographic applications such as copyright protection, e-voting, and e-libraries. This paper reports the shortest NSDVS so far, which consists of only two elements. The scheme is inspired by an identification scheme and Cramer et al.'s OR-proof technique, where a prover can prove that he knows at least one out of two secrets. It is solidified by a symmetric key based group-to-group encryption algorithm. Two implementations of the algorithm are reported. The scheme is provably secure with respect to its properties of unforgeability, non-transferability, privacy of signer's identity, and non-delegatability. © 2013 Higher Education Press and Springer-Verlag Berlin Heidelberg.
Article
A strong multiple designated verifiers signature (SMDVS) enables a signer to convince a set of verifiers by generating one signature, of which the verification needs a private key of a verifier. After a brief survey of current SMDVS schemes, we find no schemes suitable to a broadcast propagation, where the simulation needs only one verifier's private key. Motivated by this discovery, we propose a broadcast SMDVS scheme. The new scheme is proven secure in the random oracle model.
Article
A third party-based data storage audit service is a developing branch where a user may use its mobile devices with limited energy to trigger a third party to audit the user's data in a cloud service provider. A basic tool for a third party to check the integrity of a user's data is the designated verifier signature (DVS), which allows a designated verifier to simulate a signer's signatures. However, cloud computing is a technique that may be used for a long time in the future, and the development of quantum computation threatens the basic building blocks of cloud computing services. It is then desirable to design DVS schemes potentially secure against quantum attacks. We here give a lattice-based DVS scheme to satisfy the requirement. It is based on Lyubashevsky's signature scheme in EUROCRYPT 2012 and has a shorter signature size.
Article
Based on the bilinear inverse Diffie-Hellman problem (BIDHP), we first propose a provably secure probabilistic signature scheme. Furthermore, we extend it into two universal designated verifier signature (UDVS) schemes under the same computational assumption. The first one is a conventional UDVS scheme for one designated verifier while the other is designed for cooperative multi-verifier. UDVS schemes aim at protecting the privacy of signature holders and have practical benefits to the applications, e.g., the certificate for medical records and income summary, etc. The comparison results demonstrate that the signature generation and designation of our scheme are both pairing-free, which could benefit the application of devices with constrained computation. We also give formal security proofs of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model.
Article
An identity-based strong designated verifier signature scheme provides restricted verifiability only for a verifier designated by a signer and proper privacy for the signer. In this paper, we show that strong designated verifier signature schemes do not satisfy the self-unverifiability requirement, in the sense that not only exposure of the verifier's secret key but also of the signer's secret key enables an attacker to verify signatures, which should have been the exclusive right of the verifier. We also present a generic method to construct a strong identity-based designated verifier signature scheme with self-unverifiability from identity-based key encapsulation and identity-based key sharing schemes. We prove that a scheme constructed from our method achieves unforgeability, non-transferability, and self-unverifiability if the two underlying components are secure. To show the advantage of our method, we present an example that outputs short signatures and we analyze its performance.
Article
It is necessary to equip WSNs with an authentication mechanism, because the nodes of WSNs are open and resource-limited and hence vulnerable to various attacks. However, traditional authentication such as a digital signature cannot be utilized to achieve this goal because of its heavy computation. On-line/off-line signature can be considered a practical solution for authentication in WSNs, because the WSN nodes only need to perform lightweight on-line signing, while the heavy computation can be performed in the off-line phase using efficient computational devices; but it is not perfect for certain circumstances. For example, the signer may be unwilling to expose the message of the signatures, such as personal health records, to others. How to achieve confidentiality and efficiency simultaneously remains a problem for WSNs. In this paper, we present a strong designated on-line/off-line signature scheme for WSNs, which can ensure confidentiality as well as security simultaneously. The proposed scheme is proven to be secure under the BDH assumption and its computation cost is acceptable for the nodes of WSNs.
Article
In this paper, we propose an identity-based authenticated key exchange (ID-AKE) protocol that is secure in the identity-based extended Canetti-Krawczyk (id-eCK) model in the random oracle model under the gap Bilinear Diffie-Hellman assumption. The proposed ID-AKE protocol is the most efficient among the existing ID-AKE protocols that are id-eCK secure, and it can be extended for use with asymmetric pairings.
Article
A strong designated verifier signature scheme makes it possible for a signer to convince a designated verifier that she has signed a message in such a way that the designated verifier cannot transfer the signature to a third party, and no third party can even verify the validity of a designated verifier signature. In 2008, Zhang and Mao proposed a novel ID-based strong designated verifier signature scheme based on bilinear pairings by combining an ID-based cryptosystem with the designated verifier signature. However, Kang et al. pointed out that the Zhang-Mao scheme did not satisfy the strong designated verifier signature property and then proposed an efficient ID-based designated verifier signature scheme that is strong and unforgeable. Nevertheless, this paper demonstrates that Kang et al.'s scheme is still vulnerable to universal forgery attacks and then proposes an improved scheme that not only overcomes such forgery attacks but is also more efficient.
Article
Non-delegatability is an interesting property of designated verifier signatures (DVS) as it technically makes a signer responsible for the signer’s actions and protects the privacy of the signer. This property is critical for some financial scenarios when a user is required to do something by itself. As more financial applications are running in a mobile and ubiquitous computing environment, an efficient scheme with a non-delegatability property is desirable. This paper proposes such a scheme in an identity-based setting with detailed proofs. Technically, the scheme combines an identity-based Schnorr style signature and an identification method with an OR proof technique gluing the two parts. It is the second scheme secure in a strict model proposed by Huang et al. And it saves about half the communication and computation costs of the first one.
Article
Designated Verifier Signatures (DVS) are a special sort of digital signature. These signatures are different because they are intended for a specific, unique and designated verifier. There are a number of techniques to design such signatures; in this paper we show how to design a DVS using a secret sharing technique and prove its security.
Article
Strong designated verifier signature (SDVS) makes it possible for a signer to convince a designated verifier that he or she has signed a message in such a way that the designated verifier cannot transfer the signature to any third party and no third party can even verify the validity of the signature. Recently, Kang et al. proposed an identity-based SDVS (IBSDVS) scheme that is claimed to be unforgeable and strong. However, in this paper, we show that their scheme is actually forgeable, delegatable, and not strong. We then propose an improved efficient IBSDVS scheme with short signature size and provide formal security proofs based on the computational Diffie–Hellman assumption in the random oracle model. We also show that the performance of our scheme outperforms all the existing IBSDVS schemes known in the literature. Furthermore, we propose an extension of our scheme achieving the stronger notion of non-delegatability and provide formal security proofs. The extended scheme is also shown to achieve high efficiency and short signature size. Copyright © 2012 John Wiley & Sons, Ltd.
Article
Lipmaa et al. introduced a new security notion of designated verifier signature schemes, non-delegatability: neither a signer nor a designated verifier can delegate the signing rights to any third party without revealing their secret keys. In this paper, we classify designated verifier signature schemes into three types and then discuss delegatability of existing designated verifier signature schemes, strong designated verifier signature schemes and universal designated verifier signature schemes, and open research issues.
Article
We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery be equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Article
We argue that the random oracle model, where all parties have access to a public random oracle, provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P^R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.