P-signatures and Noninteractive Anonymous Credentials
Authors
Abstract
In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment has been signed; (3) a noninteractive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.
Similar resources
Block-Wise P-Signatures and Non-interactive Anonymous Credentials with Efficient Attributes
Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with noninteractive proofs of credential possession where credentials are associated with a number of attributes. Following recent results o...
Privacy-Enhancing Proxy Signatures from Non-interactive Anonymous Credentials
Proxy signatures enable an originator to delegate the signing rights for a restricted set of messages to a proxy. The proxy is then able to produce valid signatures only for messages from this delegated set on behalf of the originator. Recently, two variants of privacy-enhancing proxy signatures, namely blank signatures [27] and warrant-hiding proxy signatures [28], have been introduced. In thi...
Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials
A signature scheme is malleable if, on input a message m and a signature σ, it is possible to efficiently compute a signature σ′ on a related message m′ = T(m), for a transformation T that is allowable with respect to this signature scheme. Previous work considered various useful flavors of allowable transformations, such as quoting and sanitizing messages. In this paper, we explore a...
Block-wise P-Signatures and Non-Interactive Anonymous Credentials with Efficient Attributes
Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with non-interactive proofs of credential possession where credentials are associated with a number of attributes. Following recent results ...
Commuting Signatures and Verifiable Encryption and an Application to Non-Interactively Delegatable Credentials
Verifiable encryption allows to encrypt a signature and prove that the plaintext is valid. We introduce a new primitive called commuting signature that extends verifiable encryption in multiple ways: a signer can encrypt both signature and message and prove validity; more importantly, given a ciphertext, a signer can create a verifiably encrypted signature on the encrypted message; thus signing...
Publication date: 2008