## CryptoDB

### Gregory Neven

#### Affiliation: IBM Research -- Zurich

#### Publications

**Year**

**Venue**

**Title**

2018

ASIACRYPT

Compact Multi-signatures for Smaller Blockchains
Abstract

We construct new multi-signature schemes that provide new functionality. Our schemes are designed to reduce the size of the Bitcoin blockchain, but are useful in many other settings where multi-signatures are needed. All our constructions support both signature compression and public-key aggregation. Hence, to verify that a number of parties signed a common message m, the verifier only needs a short multi-signature, a short aggregation of their public keys, and the message m. We give new constructions that are derived from Schnorr signatures and from BLS signatures. Our constructions are in the plain public key model, meaning that users do not need to prove knowledge or possession of their secret key.In addition, we construct the first short accountable-subgroup multi-signature (ASM) scheme. An ASM scheme enables any subset $$ S $$ of a set of n parties to sign a message m so that a valid signature discloses which subset generated the signature (hence the subset $$ S $$ is accountable for signing m). We construct the first ASM scheme where signature size is only $$O(\kappa )$$ bits over the description of $$ S $$, where $$\kappa $$ is the security parameter. Similarly, the aggregate public key is only $$O(\kappa )$$ bits, independent of n. The signing process is non-interactive. Our ASM scheme is very practical and well suited for compressing the data needed to spend funds from a t-of-n Multisig Bitcoin address, for any (polynomial size) t and n.

2015

EPRINT

2014

CRYPTO

2014

EPRINT

2014

ASIACRYPT

2008

EPRINT

Simulatable Adaptive Oblivious Transfer
Abstract

We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receivers selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes.
Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.

2008

JOFC

2008

EPRINT

Efficient Sequential Aggregate Signed Data
Abstract

We generalize the concept of sequential aggregate signatures (SAS),
proposed by Lysyanskaya, Micali, Reyzin, and Shacham (LMRS) at
Eurocrypt~2004, to a new primitive called "sequential aggregate
signed data" (SASD) that tries to minimize the total amount of
transmitted data, rather than just signature length. We present SAS
and SASD schemes that offer numerous advantages over the LMRS
scheme. Most importantly, our schemes can be instantiated with
uncertified claw-free permutations, thereby allowing
implementations based on low-exponent RSA and factoring, and
drastically reducing signing and verification costs. Our schemes
support aggregation of signatures under keys of different lengths,
and the SASD scheme even has as little as 160~bits of bandwidth
overhead. Finally, we present a multi-signed data scheme that, when
compared to the state-of-the-art multi-signature schemes, is the
first scheme with non-interactive signature generation not based on
pairings. All of our constructions are proved secure in the random
oracle model based on families of claw-free permutations.

2007

EPRINT

Seven-Property-Preserving Iterated Hashing: ROX
Abstract

Nearly all modern hash functions are constructed by iterating a
compression function. At FSE'04, Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance (Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage resistance (Pre, aPre, ePre). The main contribution of this paper is in determining, by proof or counterexample, which of these seven notions is preserved by each of eleven existing iterations.
Our study points out that none of them preserves more than three
notions from [RSh04]. In particular, only a single iteration preserves Pre, and none preserves Sec, aSec, or aPre. The latter two notions are particularly relevant for practice, because they do not rely on the problematic assumption that practical compression functions be chosen uniformly from a family. In view of this poor state of affairs, even the mere existence of seven-property-preserving iterations seems uncertain.
As a second contribution, we propose the new Random-Oracle XOR(ROX) iteration that is the first to provably preserve all seven notions, but that, quite controversially, uses a random oracle in the iteration. The compression function itself is not modeled as a random oracle though. Rather, ROX uses an auxiliary small-input random oracle (typically 170 bits) that is called only a logarithmic number of times.

2007

EPRINT

Generalized Key Delegation for Hierarchical Identity-Based Encryption
Abstract

In this paper, we introduce a new primitive called identity-based encryption with wildcard key derivation (WKD-IBE, or "wicked IBE") that enhances the concept of hierarchical identity-based encryption (HIBE) by allowing more general key delegation patterns. A secret key is derived for a vector of identity strings, where entries can be left blank using a wildcard. This key can then be used to derive keys for any pattern that replaces wildcards with concrete identity strings. For example, one may want to allow the university's head system administrator to derive secret keys (and hence the ability to decrypt) for all departmental sysadmin email addresses sysadmin@*.univ.edu, where * is a wildcard that can be replaced with any string. We provide appropriate security notions and provably secure instantiations with different tradeoffs in terms of ciphertext size and efficiency. We also present a generic construction of identity-based broadcast encryption (IBBE) from any WKD-IBE scheme. One of our instantiation yields an IBBE scheme with constant ciphertext size.

2006

EPRINT

Identity-Based Encryption Gone Wild
Abstract

In this paper we introduce a new primitive called identity-based encryption with wildcards, or WIBE for short. It allows to encrypt messages to a whole range of users simultaneously whose identities match a certain pattern. This pattern is defined through a sequence of fixed strings and wildcards, where any string can take the place of a wildcard in a matching identity. Our primitive can be applied to provide an intuitive way to send encrypted email to groups of users in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion under different pairing-related assumptions, both in the random oracle model and in the standard model.

2006

EPRINT

Efficient Chosen-Ciphertext Secure Identity-Based Encryption with Wildcards
Abstract

We propose new instantiations of chosen-ciphertext secure identity-based encryption schemes with wildcards (WIBE). Our schemes outperform all existing alternatives in terms of efficiency as well as security. We achieve these results by extending the hybrid encryption (KEM--DEM) framework to the case of WIBE schemes. We propose and prove secure one generic construction in the random oracle model, and one direct construction in the standard model.

2006

EPRINT

Unrestricted Aggregate Signatures
Abstract

Secure use of the BGLS aggregate signature schemes is restricted to the aggregation of distinct messages (for the basic scheme) or per-signer distinct messages (for the enhanced, prepend-public-key version of the scheme). We argue that these restrictions preclude interesting applications, make usage of the schemes error-prone and are generally undesirable in practice. Via a new analysis and proof, we show how the restrictions can be lifted, yielding the first truly unrestricted aggregate signature scheme. Via another new analysis and proof, we show that the distinct signer restriction on the sequential aggregate signature schemes of Lysyanskaya et al. can also be dropped, yielding an unrestricted sequential aggregate signature scheme. Finally, we present variants of these schemes with tight security reductions.

2005

CRYPTO

2005

EPRINT

Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions
Abstract

We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of Boneh et al. in Eurocrypt 2004 is computationally consistent, and provide a new scheme that is statistically consistent. We also provide a transform of an anonymous IBE scheme to a secure PEKS scheme that, unlike the previous one, guarantees consistency. Finally, we suggest three extensions of the basic notions considered here, namely anonymous HIBE, public-key encryption with temporary keyword search, and identity-based encryption with keyword search.

#### Program Committees

- Eurocrypt 2015
- Eurocrypt 2008

#### Coauthors

- Michel Abdalla (9)
- Elena Andreeva (2)
- Mihir Bellare (9)
- Fabrice Benhamouda (1)
- James Birkett (2)
- Dan Boneh (1)
- Jan Camenisch (10)
- Dario Catalano (5)
- Alexander W. Dent (4)
- Manu Drijvers (2)
- Maria Dubovitskaya (1)
- Robert R. Enderlein (2)
- Tommaso Gagliardoni (1)
- Eike Kiltz (4)
- Tadayoshi Kohno (3)
- Stephan Krenn (1)
- Tanja Lange (3)
- Anja Lehmann (4)
- Anna Lysyanskaya (2)
- Vadim Lyubashevsky (2)
- John Malone-Lee (6)
- Chanathip Namprempre (3)
- Pascal Paillier (3)
- Duong Hieu Phan (1)
- Bart Preneel (2)
- Alfredo Rial (1)
- Jacob C. N. Schuldt (2)
- Abhi Shelat (2)
- Haixia Shi (3)
- Thomas Shrimpton (2)
- Nigel P. Smart (3)
- Gregory M. Zaverucha (1)