Sonderforschungsbereich 901 On-The-Fly Computing

Market transactions are subject to information asymmetry about the delivered value proposition, causing transaction costs and adverse market effects among buyers and sellers. Information systems research has investigated how review systems can reduce information asymmetry in business-to-consumer markets. However, these systems cannot be readily applied to business-to-business markets, are vulnerable to manipulation, and suffer from conceptual weak spots since they use textual data or star ratings. Building on design science research, we conceptualize a new class of reputation systems based on monetary-based payments as quantitative ratings for each transaction stored on a blockchain. Using cryptography, we show that our system assures content confidentiality so that buyers can share and sell their ratings selectively, establishing a reputation ecosystem. Our prescriptive insights advance the design of reputation systems and offer new paths to understanding the antecedents, dynamics, and consequences to reduce information asymmetry in B2B transactions.

In this paper, we introduce updatable anonymous credential systems (UACS) and use them to construct a new privacy-preserving incentive system. In a UACS, a user holding a credential certifying some attributes can interact with the corresponding issuer to update his attributes. During this, the issuer knows which update function is run, but does not learn the user's previous attributes. Hence the update process preserves anonymity of the user. One example for a class of update functions are additive updates of integer attributes, where the issuer increments an unknown integer attribute value v by some known value k. This kind of update is motivated by an application of UACS to incentive systems. Users in an incentive system can anonymously accumulate points, e.g. in a shop at checkout, and spend them later, e.g. for a discount.

In this paper, we introduce the notion of delegatable attribute-based anonymous credentials (DAAC). Such systems offer fine-grained anonymous access control and they give the credential holder the ability to issue more restricted credentials to other users. In our model, credentials are parameterized with attributes that (1) express what the credential holder himself has been certified and (2) define which attributes he may issue to others. Furthermore, we present a practical construction of DAAC. For this construction, we deviate from the usual approach of embedding a certificate chain in the credential. Instead, we introduce a novel approach for which we identify a new primitive we call dynamically malleable signatures (DMS) as the main ingredient. This primitive may be of independent interest. We also give a first instantiation of DMS with efficient protocols.

We present CLARC (Cryptographic Library for Anonymous Reputation and Credentials), an anonymous credentials system (ACS) combined with an anonymous reputation system. Using CLARC, users can receive attribute-based credentials from issuers. They can efficiently prove that their credentials satisfy complex (access) policies in a privacy-preserving way. This implements anonymous access control with complex policies. Furthermore, CLARC is the first ACS that is combined with an anonymous reputation system where users can anonymously rate services. A user who gets access to a service via a credential, also anonymously receives a review token to rate the service. If a user creates more than a single rating, this can be detected by anyone, preventing users from spamming ratings to sway public opinion. To evaluate feasibility of our construction, we present an open-source prototype implementation.

This paper presents a new framework for constructing fully CCA-secure predicate encryption schemes from pair encoding schemes. Our construction is the first in the context of predicate encryption which uses the technique of well-formedness proofs known from public key encryption. The resulting constructions are simpler and more efficient compared to the schemes achieved using known generic transformations from CPA-secure to CCA-secure schemes. The reduction costs of our framework are comparable to the reduction costs of the underlying CPA-secure framework. We achieve this last result by applying the dual system encryption methodology in a novel way.

Reputation systems are used to compute and publish reputation scores for services or products. We consider reputation systems where users are allowed to rate products that they purchased previously. To obtain trustworthy reputations, they are allowed to rate these products only once. As long as users rate products once, they stay anonymous. Everybody is able to detect users deviating from the rate-products-only-once policy and the anonymity of such dishonest users can be revoked by a system manager. In this paper we present formal models for such reputation systems and their security. Based on group signatures presented by Boneh, Boyen, and Shacham we design an efficient reputation system that meets all our requirements.

Group signatures, introduced by Chaum and van Heyst [15], are an important primitive in cryptography. In group signature schemes every group member can anonymously sign messages on behalf of the group. In case of disputes a dedicated opening manager is able to trace signatures - he can extract the identity of the producer of a given signature. A formal model for static group signatures schemes and their security is defined by Bellare, Micciancio, and Warinschi [4], the case of dynamic groups is considered by Bellare, Shi, and Zhang [5]. Both models define group signature schemes with a single opening manager. The main difference between these models is that the number of group members in static schemes is fixed, while in dynamic schemes group members can join the group over time.

Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and are even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller Algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation.

In the last decade pairings have become an important, and often indispensable, ingredient in the construction of identity-based and attribute-based cryptosystems, as well as group signatures and credential systems. Consequently, the applicability of timing, power, or fault attacks to implementations of pairings is an important research topic. We will review some of the known results in this area.

Unattended systems are key ingredients of various critical infrastruc-tures like networks of self service terminals or automated teller machines.For cost and efficiency reasons they should mostly run autonomously.Unattended systems are attractive and lucrative targets for various kindsof attacks, including attacks on the integrity of their components and thecommunication between components. In this paper, we propose a gen-eral cryptographic framework to protect unattended systems. We alsodemonstrate that instantiating the framework with techniques from iden-tity based cryptography is particularly well-suited to efficiently secureunattended systems.