Learn More
Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user's privacy at any time,(More)
Several anonymous authentication schemes allow servers to revoke a misbehaving user's ability to make future accesses. Traditionally, these schemes have relied on powerful TTPs capable of deanonymizing (or linking) users' connections. Recent schemes such as <i>Blacklistable Anonymous Credentials (BLAC)</i> and <i>Enhanced Privacy ID (EPID)</i> support(More)
In an attribute-based signature (ABS), users sign messages with any predicate of their attributes issued from an attribute authority. Under this notion, a signature attests not to the identity of the individual who signed a message, but a claim regarding the attributes the underlying signer possesses. In ABS, users cannot forge signatures with attributes(More)
k-times anonymous authentication (k-TAA) schemes allow members of a group to be authenticated anonymously by application providers for a bounded number of times. Dynamic k-TAA allows application providers to independently grant or revoke users from their own access group so as to provide better control over their clients. In terms of time and space(More)
Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user&#8217;s privacy(More)
Identity-based cryptosystems have an inherent key escrow issue, that is, the Key Generation Center (KGC) always knows user secret key. If the KGC is malicious, it can always impersonate the user. Certificateless cryptography, introduced by Al-Riyami and Paterson in 2003, is intended to solve this problem. However, in all the previously proposed(More)
We present the first dynamic universal accumulator that allows (1) the accumulation of elements in a DDH-hard group G and (2) one who knows x such that y = g has — or has not — been accumulated, where g generates G, to efficiently prove her knowledge of such x in zero knowledge, and hence without revealing, e.g., x or y. We introduce the Attribute-Based(More)
Certificateless Public Key Cryptography (CL-PKC) enjoys a number of features of Identity-Based Cryptography (IBC) while without having the problem of key escrow. However, it does suffer to an attack where the adversary, Carol, replaces Alice’s public key by someone’s public key so that Bob, who wants to send an encrypted message to Alice, uses Alice’s(More)
Compact e-cash schemes allow a user to withdraw a wallet containing k coins in a single operation, each of which the user can spend unlinkably. One big open problem for compact e-cash is to allow multiple denominations of coins to be spent efficiently without executing the spend protocol a number of times. In this paper, we give a (partial) solution to this(More)
Very recently, the concept of Traceable Identity-based Encryption (IBE) scheme (or Accountable Authority Identity based Encryption scheme) was introduced in Crypto 2007. This concept enables some mechanisms to reduce the trust of a private key generator (PKG) in an IBE system. The aim of this paper is threefold. First, we discuss some subtleties in the(More)