Cryptographic e-Cash

```IACR Summerschool – Blockchain Technologies
Cryptographic e-Cash
Jan Camenisch
IBM Research – Zurich
@JanCamenisch
ibm.biz/jancamenisch
© 2016 IBM Corporation
eCash scenario & requirements
Bank
Withdrawal
Deposit
User
Spend
Merchant
Requirements
●
Anonymity: Withdrawal and Deposit must be unlinkable
●
No Double Spending: Coin is bit-strings, can be spend twice
2
June 1, 2016
© 2016 IBM Corporation
Towards a Solution: do it like paper money
Bank
Withdrawal
100
User
100
100
Deposit
Spend
Merchant
# Sign notes with digital signature scheme
– Note = (serial number #, value)
– Secure because
• signature scheme can not be forged
• bank will accepts some serial number only once → on-line e-cash
– Not anonymous because (cf. paper solution)
• bit-string of signature is unique
• serial number is unique
3
June 1, 2016
© 2016 IBM Corporation
Towards a Solution
Bank
Withdrawal
100
100
100
User
100
100
Deposit
Spend
Merchant
# Use (more) cryptography
– Hide serial number from bank when issuing
• e.g., sign commitment of serial number
– Reveal serial number and proof
• knowledge of signature on
• commitment to serial number
– Anonymous because of commitments scheme and zero-knowledge proof
4
June 1, 2016
© 2016 IBM Corporation
How to implement this?
Signature
Schemes
Encryption
Schemes
Zero-Knowledge
Proofs
Commitment
Schemes
..... challenge is to do all this efficiently!
5
June 1, 2016
© 2016 IBM Corporation
mathematical setting
6
June 1, 2016
© 2016 IBM Corporation
Abelian Groups
A set G with operation ▫ is called a group if:
– closure
for all a,b, in G → a ▫ b in G
– commutativity
for all a,b, in G → a ▫ b = b ▫ a
– associativity
for all a,b,c, in G → (a ▫ b) ▫ c = a ▫ (b ▫ c)
– identity
there exist some e in G, s.t. for all a: a ▫ e = a
– invertibility
for all a in G, there exist a-1 in G: a ▫ a-1 = e
# Example:
integers under addition (Z,+)={...,-2,-1,0,1,2,...} or (Zn,+) = {0,1,2,...,n-1}
identity: e = 0
inverse: a-1 = - a
June 1, 2016
© 2016 IBM Corporation
Cyclic Groups
# exponentiation = repeated application of ∙ , e.g., a3 = a ∙ a ∙ a
# a group is cyclic if every element is power of some fixed element:
– i.e., for each a in G, there is unique i such that gi = a
– g = generator of the group
– define g0= 1 = identity element
G = <g> = {1=g0, g1, g2, ..., ., gq-1}
– q = |G|= order of group
if q is a prime number then G is cyclic
→ computation in exponents can be done modulo q:
gi= gi mod q
# computing with exponents:
gi+j = gi ∙ gj
gij =
June 1, 2016
(gi)
gi-j = gi / gj = gi ∙ (gj )-1
j
i
g-i = (g-1) = (gi)
-1
© 2016 IBM Corporation
The Discrete Logarithm Problem
given g and x it is easy to compute gx, g1/x, ....
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx
it is hard to compute x
Diffie-Hellman Assumption
given gx and gy
it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx, gy, and gz
June 1, 2016
it is hard to decide if gz = gxy
© 2016 IBM Corporation
commitment scheme
10
June 1, 2016
© 2016 IBM Corporation
Commitment Scheme: Functionality
m
m
m, 2-36-17
June 1, 2016
?
mє
m
© 2016 IBM Corporation
Commitment Scheme: Security
Binding
m, 2-36-17
m', 3-21-11
June 1, 2016
?
m є
m
?
m' є
m
© 2016 IBM Corporation
Commitment Scheme: Security
Binding
m, 2-36-17
m', 3-21-11
June 1, 2016
?
m є
m
?
m' є
m
© 2016 IBM Corporation
Commitment Scheme: Security
Hiding: for all message m, m'
m
m'
June 1, 2016
m
m'
© 2016 IBM Corporation
Commitment Scheme: Security
Hiding: for all message m, m'
m
m'
June 1, 2016
m
m'
?
m
m'
m
m'
© 2016 IBM Corporation
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x Є Zq:
• Pedersen: perfectly hiding, computationally binding
choose r Є Zq
and compute c = gxhr
• ElGamal: computationally hiding, perfectly binding:
choose r Є Zq
and compute c = (gxhr, gr)
To open commitment:
• reveal x and r to verifier
• verifier checks if c = gxhr
June 1, 2016
© 2016 IBM Corporation
Pedersen's Commitment Scheme
Pedersen's Scheme:
Choose r Є Zq
and compute c = gxhr
Perfectly hiding:
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur')+u(r-r')
= gx+ur'hr-r'
for any r'!
I.e., given c and x' here exist r' such that c = gx'hr'
Computationally binding:
Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr
Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q
June 1, 2016
© 2016 IBM Corporation
Commitment Scheme: Extended Features
Proof of Knowledge of Contents
m
Proof
m
true
Proof of Relations among Contents
m, m'
Proof
m = 2 •m'
June 1, 2016
m m'
true
© 2016 IBM Corporation
Commitment Scheme: Extended Features
Let C1 = gmhr and C' = gm'hr then:
m
Proof
m
true
PK{(α,β): C = gβhα }
m, m'
Proof
m = 2 •m'
PK{(α,β,γ):
June 1, 2016
m m'
true
C' = gβhα ⋀ C = (g2)βhγ }
© 2016 IBM Corporation
zero-knowledge proofs
20
June 1, 2016
© 2016 IBM Corporation
Zero-Knowledge Proofs
# interactive proof between a prover and a verifier about the prover's knowledge
Commitment
Challenge
Response
# properties:
zero-knowledge
verifier learns nothing about the prover's secret
proof of knowledge (soundness)
prover can convince verifier only if she knows the secret
completeness
if prover knows the secret she can always convince the verifier
21
June 1, 2016
© 2016 IBM Corporation
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y Є <g> .
Prover wants to convince verifier that she knows x s.t. y = gx
such that verifier only learns y and g.
x
Prover:
random r
t := gr
t
c
s := r - cx
y, g
Verifier:
s
random c
t = gs yc ?
notation: PK{(α): y = gα }
22
June 1, 2016
© 2016 IBM Corporation
Zero Knowledge Proofs: Security
Proof of Knowledge Property:
If prover is successful with non-negl. probability, then she “knows” x = log g y ,
i.e., ones can extract x from her.
Assume c ∈ {0,1}k and consider execution tree:
c=0
x
c = 2k-1
x
..
..
x
x
If success probability for any prover (including malicious ones)
is >2
-k
then there are two accepting tuples (t,c1,s1) and
(t,c2,s2) for the same t.
June 1, 2016
© 2016 IBM Corporation
Zero Knowledge Proofs: Security
Prover might do protocol computation in any way it wants & we cannot analyse code.
Thought experiment:
# Assume we have prover as a black box → we can reset and rerun prover
# Need to show how secret can be extracted via protocol interface
t
x
t
c
x
s
t = gs yc = gs' yc'
s'
→
yc'-c = gs-s'
→
y = g(s-s')/(c'-c)
→
June 1, 2016
c'
x = (s-s')/(c'-c) mod q
© 2016 IBM Corporation
Zero Knowledge Proofs: Security
Zero-knowledge property:
If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea: One can simulate whatever Bob “sees”.
Choose random c', s'
compute t := g
s' c'
y
t
c
if c = c' send s' = s ,
otherwise restart
s
Problem: if domain of c too large, success probability becomes too small
June 1, 2016
© 2016 IBM Corporation
Zero Knowledge Proofs: Security
One way to modify protocol to get large domain c:
x
y, g
Prover:
Verifier:
random r
random c,v
h := H(c,v)
t := gr
h := H(c,v) ?
s := r - cx
h
t
c,v
s
t = gs yc ?
notation: PK{(α): y = gα }
26
June 1, 2016
© 2016 IBM Corporation
Zero Knowledge Proofs: Security
One way to modify protocol to get large domain c:
Choose random c', s'
compute t' := gs' yc'
after having received c “reboot”
verifier
Choose random s
compute t := gs yc
send s
h
t'
c,v
h
t
c,v
s
June 1, 2016
© 2016 IBM Corporation
From Protocols To Signatures
Signature SPK{(α): y = gα }(m):
Signing a message m:
- chose random r Є Zq and
- compute
- output
c := H(gr||m) = H(t||m)
s := r - cx mod (q)
(c,s)
Verifying a signature (c,s) on a message m:
- check c = H(gs yc||m) ? ↔ t = gs yc ?
Security:
- underlying protocol is zero-knowledge proof of knowledge
- hash function H(.) behaves as a “random oracle.”
28
June 1, 2016
© 2016 IBM Corporation
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Many Exponents:
PK{(α,β,γ,δ): y = gα hβzγkδuβ }
Logical combinations:
PK{(α,β): y = gα ∧ z = gβ ∧ u = gβhα }
PK{(α,β): y = gα ∨ z = gβ }
Intervals and groups of different order (under SRSA):
PK{(α): y = gα ∧ α Є [A,B] }
PK{(α): y = gα ∧ z = gα ∧ α Є [0,min{ord(g),ord(g)}] }
Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures):
PK{(α): y = gα }(m)
29
June 1, 2016
© 2016 IBM Corporation
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does
PK{(α1,β1,α2,β2, α3, β3):
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3∧ C3 = gα1gα2hβ3 }
mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1= gα1hβ1
, C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what about:
PK{(α1,...,β3):
→
C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2
30
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = gα1 (g5)α2hβ3 }
June 1, 2016
(mod q)
© 2016 IBM Corporation
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = C2α1hβ3 } mean?
PK{(α1,..,β3):
→ Prover knows values α1, β1, α2, β2, β3 such that
C1= gα1hβ1
, C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2·α1hβ3+β2·α1
C3 = gα2·α1 hβ3+β2·α1 = gα3 hβ3'
a3 = a1 · a2 (mod q)
And what about
PK{(α1,β1 β2):
→
31
C1= gα1hβ1 ∧
C2= gα2hβ2 ∧ C2 = C1α1hβ2 }
a2 = a12 (mod q)
June 1, 2016
© 2016 IBM Corporation
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does
PK{(α1,..,β2):
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ g = (C2/C1)α1hβ2 } mean?
→ Prover knows values α, β1, β2 such that
C1= gα1hβ1
g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
→
g1/α1 = C2 g-α1h-β1 hβ2/α1
C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
32
June 1, 2016
© 2016 IBM Corporation
signature schemes
33
June 1, 2016
© 2016 IBM Corporation
Signature Scheme: Functionality
Key Generation
June 1, 2016
© 2016 IBM Corporation
Signature Scheme: Functionality
Signing
(m1,..., mk)
σ = sig((m1,..., mk), )
June 1, 2016
© 2016 IBM Corporation
Signature Scheme: Functionality
Verification
(m1,..., mk)
σ
σ = sig((m1,..., mk), )
ver(σ,(m1,..., mk), ) = true
June 1, 2016
© 2016 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
June 1, 2016
σ1
© 2016 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
ml
June 1, 2016
σ1
σl
© 2016 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
ml
σ1
σl
σ' and m'≠ mi s.t.
ver(σ', m',
June 1, 2016
) = true
© 2016 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
ml
σ1
σl
σ' and m'≠ mi s.t.
ver(σ', m',
June 1, 2016
) = true
© 2016 IBM Corporation
signature schemes with protocols
41
June 1, 2016
© 2016 IBM Corporation
Signature Scheme: Signing Hidden Messages
( m1
m,... ,
m
m,jmj+1,..., mk)
σ
ver(σ,(m1,..., mk), ) = true
σ = sig((( m1
mj, mj+1,..., mk), )
m,... , m
Verification remains unchanged!
Security requirements basically the same, but
• Signer should not learn any information about m1, ..., mj
• Forgery w.r.t. message clear parts and opening of commitments
June 1, 2016
© 2016 IBM Corporation
Proving Possession of a Signature
σ on (m1,..., mk)
June 1, 2016
© 2016 IBM Corporation
Proving Possession of a Signature
σ on (m1,..., mk)
{mi | i є S}
June 1, 2016
© 2016 IBM Corporation
Proving Possession of a Signature
σ on (m1,..., mk)
{mi | i є S}
σ, {mi | i є/ S}
{mi | i є S},
Proof
protocol
true
Variation:
● Send also
mi to verifier and
●
Prove that committed messages are signed
● Prove properties about hidden/committed m
i
June 1, 2016
© 2016 IBM Corporation
Blind Signatures vs Signatures with Protocols
can be used multiple times
can be used only once
Damgaard,Camenisch&Lysyanska
ya
Chaum, Brands, et al.
Discrete Logs, RSA,..
Strong RSA, DL-ECC,..
June 1, 2016
© 2016 IBM Corporation
Some signature schemes
47
June 1, 2016
© 2016 IBM Corporation
RSA Signature Scheme – For Reference
Rivest, Shamir, and Adlemann 1978
Secret Key: two random primes p and q
Public Key: n := pq, prime e,
and collision-free hash function
H: {0,1}* -> {0,1}ℓ
Computing signature on a message m Є {0,1}*
d := 1/e mod (p-1)(q-1)
s := H(m) d mod n
Verification of signature s on a message m Є {0,1}*
se = H(m)
Correctness: se = (H(m)d)e = H(m)d·e = H(m)
48
June 1, 2016
(mod n)
(mod n)
© 2016 IBM Corporation
RSA Signature Scheme – for reference
Verification signature on a message m Є {0,1}*
e
s := H(m)
(mod n)
Wanna do proof of knowledge of signature on a message, e.g.,
PK{ (m,s): se = H(m) (mod n) }
But this is not a valid proof expression!!!! :-(
49
June 1, 2016
© 2016 IBM Corporation
CL-Signature Scheme
Public key of signer: RSA modulus n and ai, b, d Є QRn,
Secret key: factors of n
To sign k messages m1, ..., mk Є {0,1}ℓ :
●
choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s ≈ n
●
compute c :
c = (d / (a m1·...· a mk bs ))1/e mod n
1
●
50
k
signature is (c,e,s)
June 1, 2016
© 2016 IBM Corporation
CL-Signature Scheme
To verify a signature (c,e,s) on messages m1, ..., mk:
●
m1, ..., mk Є {0,1}ℓ:
●
e > 2ℓ+1
●
d = ce a
m1
1
·...· a
mk
k
bs mod n
Theorem: Signature scheme is secure against adaptively
chosen message attacks under Strong RSA assumption.
51
June 1, 2016
© 2016 IBM Corporation
Sign blindly with CL signatures
( m1
m,... ,
m
m,jmj+1,..., mk)
σ
σ = sig((( m1
mj, mj+1,..., mk), )
m,... , m
C=a
m1
a
1
m2
2
bs’
m2
m1
C + PK{(m1,m2,s’): C = a1 a2
s’
b }
Choose e,s”
(c,e,s’’)
e
d= c a
52
June 1, 2016
m1
1
a
2
m2
a
m3
3
b
s’+s’’
c = (d/(C a
3
m3
bs”))1/e mod n
mod n
© 2016 IBM Corporation
Proving Knowledge of a CL-signature
Recall:
d = ce a1m1a2m2 bs mod n
Observe:
# Let c' = c btmod n with randomly chosen t
# Then d = c'e a1m1a2m2 bs-et (mod n), i.e.,
(c',e, s* = s-et) is also signature on m1 and m2
To prove knowledge of signature (c',e, s*) on m2 and some m1
# provide c'
# PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ ∧ µ Є {0,1}ℓ ∧ ε > 2ℓ+1 }
→ proves d := c'ε a1µ1 a2m2b σ
53
June 1, 2016
© 2016 IBM Corporation
Realizing On-Line eCash
54
June 1, 2016
© 2016 IBM Corporation
Recall basic idea
Bank
Withdrawal
100
100
100
User
100
100
Deposit
Spend
Merchant
# Issue coin: Hide serial number from bank when issuing
– sign commitment of random serial number
# Spend coin: reveal serial number and proof
– knowledge of signature on
– commitment to serial number
55
June 1, 2016
© 2016 IBM Corporation
On-line E-cash: Withdrawal
Choose e,s”
c = (d/(C bs”))1/e mod n
choose random #, s'
and compute
C=a
1
#
bs'
p
+
C
of
o
r
”)
s
,
e
(c,
(c,e,s”+s') s.t.
d = ce a
June 1, 2016
1
#
bs” + s' (mod n)
© 2016 IBM Corporation
On-line E-cash: Payment
(c,e,s”+s') s.t.
e
d= c a
1
#
b
s” + s'
(mod n)
compute
s'
c' = c b mod n
proof = PK{(ε, µ, ρ, σ) :
June 1, 2016
#,
c',
pro
of
d/a
#
1
= c'ε b σ (mod n) }
© 2016 IBM Corporation
On-line E-cash: Payment
(c,e,s”+s') s.t.
1
#
b
s” + s'
(mod n)
compute
s'
c' = c b mod n
proof = PK{(ε, µ, ρ, σ) :
June 1, 2016
#,
c',
pro
of
d/a
#
1
#, c', proof
e
d= c a
# Є L?
OK/ not OK
= c'ε b σ (mod n) }
© 2016 IBM Corporation
Security
# Anonymity
– Bank does not learn # during withdrawal
– Bank & Shop do not learn c, e when spending
(c
”)
s
,
,e
#,
c',
pro
of
June 1, 2016
#, c', proof
C
of
o
r
p
+
# Є L?
OK/ not OK
© 2016 IBM Corporation
Security
Double Spending:
# Spending = Compute
–c' = c bs'mod n
–proof = PK{(ε, µ, ρ, σ) :
d/a
#
1
= c'ε b σ (mod n) }
# Can use the same # only once....
– If more #'s are presented than withdrawals:
• Proofs would not sound
• Signature scheme would not secure
June 1, 2016
© 2016 IBM Corporation
Realizing Off-Line eCash
61
June 1, 2016
© 2016 IBM Corporation
Recall On-Line E-Cash
On-Line Solution:
1. Coin = random serial # (chosen by user) signed by Bank
2. Banks signs blindly
3. Spending by sending # and prove knowledge of
signature to Merchant
4. Merchant checks validy w/ Bank
100
5. Bank accepts each serial # only once.
100
100
Off-Line:
- Can check serial # only after the fact
- … but at that point user will have been disappeared...
June 1, 2016
© 2016 IBM Corporation
Towards off-line signatures
Goal:
– spending coin once: OK
– spending coin twice: anonymity revoked
kabl
n
i
L
t
No
100
No
t
Lin
ka
b
Link
abl
e
100
e
le
100
Seems like a paradox, but crypto is all about solving paradoxical problems :-)
63
June 1, 2016
© 2016 IBM Corporation
Off-line E-cash
Main Idea:
– Include #, id, r
– Upon spending:
reveal #, and t = id + r u,
with c randomly chosen by merchant
– t won't reveal anything about id!
– However, given two equations (for the same #, id, r)
t1 = id + r u1
t2 = id + r u2
one can solve for id.
June 1, 2016
© 2016 IBM Corporation
Off-line E-cash: Withdrawal
choose random #, r, s'
and compute
C=a
1
#
a
2
r
bs'
p
+
C
of
o
r
d = ce C a
3
nym
bs” mod n
”)
s
,
e
(c,
(c,e,s”+s') s.t.
d = ce a
June 1, 2016
1
#
a
2
r
a
3
nym
bs” + s' (mod n)
© 2016 IBM Corporation
Off-line E-cash: Payment
Let G=<g> be a group of order q
(c,e,s”+s') s.t.
e
d= c a
#
a
1
2
r
a
3
nym
b
s” + s'
t, #
, c'
compute
t = r + u nym mod q
c' = c bs'mod n
proof = PK{(ε, µ, ρ, σ) :
d/a
June 1, 2016
1
#
(mod n)
u
, pr
oo f
= c'ε a ρa µ b σ (mod n)
2
3
choose random u
⋀ gt = gρ (gu)µ }
© 2016 IBM Corporation
Off-line E-cash: Payment
PK{(ε, µ, ρ, σ) :
d/a
1. d = c'ε a
1
#
1
= c'ε a ρa µ b σ (mod n) ⋀ gt = gρ (gu)µ }
#
2
3
a ρa µ b σ (mod n)
2
=> (c', ε, σ)
3
is a signature on (#, µ, ρ)
2. gt = gρ+uµ
=> t = ρ + u µ mod q,
i.e., t was computed correctly!
June 1, 2016
© 2016 IBM Corporation
Off-line E-cash: Deposit
#
Є
L?
If so:
1. t = ρ + u µ (mod q)
2. t' = ρ + u' µ (mod q)
solve for ρ and µ.
=> µ = nym because of proof
u, t, #,
proof
June 1, 2016
© 2016 IBM Corporation
Off-line E-cash: Security
# Unforgeable:
– no more coins than #'s,
• otherwise one can forge signatures
• or proofs are not sound
– if coins with same # appears with different u's => reveals nym
# Anonymity:
– # and r are hidden from signer upon withdrawal
– t does not reveal anything about nym (is blinded by r)
– proof proof does not reveal anything
June 1, 2016
© 2016 IBM Corporation
Extensions and more
e-Cash
# K-spendable cash
– Multiple serial numbers and randomizers per coin
– Use PRF to generate serial number and randomizers from seed in coin
# Money laundering preventions
– Must not spend more that \$10000 dollars with same party
– Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks, essentially anything with authentication and
privacy
# Anonymous credentials, eVoting, ....
Alternative building blocks
# A number of signatures scheme that fit the same bill
# (Verifiable) encryption schemes that work along as well
# Alternative framework: Groth-Sahai proofs plus “structure-preserving” schemes
June 1, 2016
© 2016 IBM Corporation
Thank you!
# eMail: [email protected]
# Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
# Code
– github.com/p2abcengine & abc4trust.eu/idemix
71
June 1, 2016
© 2016 IBM Corporation
References
# D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and
some generalizations. In EUROCRYPT ’87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
# S. Brands. Rapid demonstration of linear relations connected by boolean operators.In EUROCRYPT ’97, vol. 1233 of LNCS, pp.
318–333. Springer Verlag, 1997.
# Mihir Bellare: Computational Number Theory
http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
# Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto
2002, Lecture Notes in Computer Science, Springer Verlag.
# Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in
Computer Science, Springer Verlag.
# Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key Exchange.
CRYPTO 2010:255-276
# Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on Computer and
Communications Security 2009: 131-140
# Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in
Computer Science, Springer Verlag.
# M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the Security of
Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages 185 -215, Springer-Verlag, 2003.
# E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of Certified Data. In
Twelfth International Workshop on Security Protocols 2004. www.zurich.ibm.com/~jca/publications
# Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology – CRYPTO '93. Springer Verlag,
1993.
June 1, 2016
© 2016 IBM Corporation
References
# J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional
Anonymity Revocation. www.zurich.ibm.com/~jca/publications
# David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24
No. 2, pp. 84—88, 1981.
# David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
# David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in Communications of the
ACM, Vol. 28 No. 10, 1985.
# Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: 126-144
# Victor Shoup: A computational introduction to Number Theory and Algebra. Available from: http://www.shoup.net/ntb/
# D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM.
# D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
# J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology CRYPTO 2003.
# T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology CRYPTO '84.
June 1, 2016
© 2016 IBM Corporation
```