Development of so-called functional encryption schemes is one of the main visions of modern cryptography. These encryption schemes should overcome the main disadvantages of conventional encryption schemes, namely that data is encrypted for a certain addressee and the access to the encrypted data is all or nothing. In the context of functional encryption schemes, every user receives a secret key which is parameterized with a certain function according to the access rights of the user. The data is encrypted only once and the user learn only the evaluation of their function on data and not necessarily the data themselves. While in general it is difficult to even just define the security requirements for this kind of encryption schemes, efficient encryption schemes for different restricted classes of functions are known. Attribute-based encryption (ABE) is a special case of functional encryption.
An attribute-based system requires a central authority which sets the system up and provides the user with their secret keys. In key-policy ABE (KP-ABE), the owner of data defines a subset of predefined attributes for data and encrypts it once using this set. In order to access the encrypted data, every user in the system receives a user secret key provided with an access policy according to the rights of the user. The key policies are Boolean formulas over predefined attributes. A user will be able to decrypt a ciphertext if and only if the attributes of the ciphertext satisfy the policy of his/her key. For ciphertext-policy ABE (CP-ABE) the roles of attributes and policies are reversed. That is, the data is encrypted under an access policy and the keys are provided for sets of attributes. Systems based on ABE have to model the access rights of the user in terms of attributes and access policies depending on concrete scenarios and concrete access pattern.
In our example, the manager of Map Data Center wants to ensure fine-grained access control to the road maps for its customers (routing services). Therefore, restricting access to the full data base, to the maps of continents, and to the maps of each single country will be realized. Each map is encrypted once with an appropriate policy. For example, the map of Germany's roads is encrypted with the policy "World OR Europe OR Germany". Every customer who gets a key with one of the attributes "World", "Europe", or "Germany", will be able to decrypt the appropriate ciphertext and obtain access to Germany's road maps. Thus, the access control is managed by the encryption itself.
Anonymous Group Signatures and Reputation Systems
In standard signature schemes, the sender computes a signature on his message using his secret key. The receiver can check, using the signature and the sender's public key, that the message was indeed composed by the sender and that it was not modified in transit. To achieve this, the public key must uniquely identify the sender. However, in many scenarios this strict identification is not necessary or even desirable. Whenever an application only needs assurance that the sender belongs to a certain group of possible senders, anonymous group signatures can be used.
Anonymous group signatures allow each member of a group to sign messages without disclosing their identity. For this, each group member gets their own private key that is associated to the group's public key. In contrast to standard digital signature schemes, the message receiver can only check whether some group member signed the message, but not which specific member did it. The actual signer can only be determined by a special entity in the system (the group manager).
Besides anonymity, other properties of group signatures play an important role in some applications. For example, it may be useful to restrict the number of messages that each group member can sign. Furthermore, techniques for revoking group membership are important. In particular, these and other extensions of group signatures can be used to construct anonymous reputation systems.
Reputation systems are an important tool to allow customers and providers of goods and services to gather useful information about past transactions. In order to receive trustworthy, reliable, and honest ratings, a reputation system should guarantee the customer anonymity and at the same ensure that no customer can submit more than one rating. Of course the ratings should be publicly verifiable by third parties.
Some of the required properties for reputation systems are already known for group signatures. Some, however, are not. For example, a reputation system does not consist of a single group, but rather there is a group for each rateable product (or service). For the security of reputation systems these different groups cannot be analyzed in isolation.
The goal of this research area is the extension of group signature schemes and the construction of anonymous reputation system on the basis of group signatures.
Open list in Research Information System
Fully-Featured Anonymous Credentials with Reputation System
K. Bemmann, J. Blömer, J. Bobolz, H. Bröcher, D.P. Diemert, F. Eidens, L. Eilers, J.F. Haltermann, J. Juhnke, B. Otour, L.A. Porzenheim, S. Pukrop, E. Schilling, M. Schlichtig, M. Stienemeier, in: Proceedings of the 13th International Conference on Availability, Reliability and Security - ARES '18, ACM, 2018
Voronoi Cells of Lattices with Respect to Arbitrary Norms
J. Blömer, K. Kohn, SIAM Journal on Applied Algebra and Geometry. (2018), 2(2), pp. 314-338
Open list in Research Information System