Sie haben Javascript deaktiviert!
Sie haben versucht eine Funktion zu nutzen, die nur mit Javascript möglich ist. Um sämtliche Funktionalitäten unserer Internetseite zu nutzen, aktivieren Sie bitte Javascript in Ihrem Browser.

Studierende in den Seminarräumen des O-Gebäudes, Foto: Universität Paderborn, Fotografin: Judith Kraft Show image information

Studierende in den Seminarräumen des O-Gebäudes, Foto: Universität Paderborn, Fotografin: Judith Kraft

Pairing-based Cryptography

Pairings are bilinear maps that enable the realization of several cryptographic primitives. Pairing-based cryptography offers approaches for numerous interesting problems, such as

Pairing-based cryptography was first known and utilized in the field of identity-based cryptography. Identity-based cryptography deals with special asymmetric encryption and signature schemes. In identity-based schemes, the public key can be directly derived from the owner's identity. For example, this would allow you to encrypt an email using a key locally derived from the recipient's email address. Hence there is no need for the usual process of contacting a central key authority to retrieve the recipient's public key. Instead, the key authority is used to generate the private keys, with the added benefit that it only has be contacted once by every user. Since the key authority generates all private keys in such a system, it represents an especially lucrative target for malicious attacks.

In our group, we develop new schemes in the field of pairing-based cryptography. Furthermore, we analyze implementations of such schemes with respect to efficiency and security.

Attribute-based Cryptography

Development of so-called functional encryption schemes is one of the main visions of modern cryptography. These encryption schemes should overcome the main disadvantages of conventional encryption schemes, namely that data is encrypted for a certain addressee and the access to the encrypted data is all or nothing. In the context of functional encryption schemes, every user receives a secret key which is parameterized with a certain function according to the access rights of the user. The data is encrypted only once and the user learn only the evaluation of their function on data and not necessarily the data themselves. While in general it is difficult to even just define the security requirements for this kind of encryption schemes, efficient encryption schemes for different restricted classes of functions are known. Attribute-based encryption (ABE) is a special case of functional encryption.

An attribute-based system requires a central authority which sets the system up and provides the user with their secret keys. In key-policy ABE (KP-ABE), the owner of data defines a subset of predefined attributes for data and encrypts it once using this set. In order to access the encrypted data, every user in the system receives a user secret key provided with an access policy according to the rights of the user. The key policies are Boolean formulas over predefined attributes. A user will be able to decrypt a ciphertext if and only if the attributes of the ciphertext satisfy the policy of his/her key. For ciphertext-policy ABE (CP-ABE) the roles of attributes and policies are reversed. That is, the data is encrypted under an access policy and the keys are provided for sets of attributes. Systems based on ABE have to model the access rights of the user in terms of attributes and access policies depending on concrete scenarios and concrete access pattern.

In our example, the manager of Map Data Center wants to ensure fine-grained access control to the road maps for its customers (routing services). Therefore, restricting access to the full data base, to the maps of continents, and to the maps of each single country will be realized. Each map is encrypted once with an appropriate policy. For example, the map of Germany's roads is encrypted with the policy "World OR Europe OR Germany". Every customer who gets a key with one of the attributes "World", "Europe", or "Germany", will be able to decrypt the appropriate ciphertext and obtain access to Germany's road maps. Thus, the access control is managed by the encryption itself.

Anonymous Group Signatures and Reputation Systems

In standard signature schemes, the sender computes a signature on his message using his secret key. The receiver can check, using the signature and the sender's public key, that the message was indeed composed by the sender and that it was not modified in transit. To achieve this, the public key must uniquely identify the sender. However, in many scenarios this strict identification is not necessary or even desirable. Whenever an application only needs assurance that the sender belongs to a certain group of possible senders, anonymous group signatures can be used.

Anonymous group signatures allow each member of a group to sign messages without disclosing their identity. For this, each group member gets their own private key that is associated to the group's public key. In contrast to standard digital signature schemes, the message receiver can only check whether some group member signed the message, but not which specific member did it. The actual signer can only be determined by a special entity in the system (the group manager).

Besides anonymity, other properties of group signatures play an important role in some applications. For example, it may be useful to restrict the number of messages that each group member can sign. Furthermore, techniques for revoking group membership are important. In particular, these and other extensions of group signatures can be used to construct anonymous reputation systems.

Reputation systems are an important tool to allow customers and providers of goods and services to gather useful information about past transactions. In order to receive trustworthy, reliable, and honest ratings, a reputation system should guarantee the customer anonymity and at the same ensure that no customer can submit more than one rating. Of course the ratings should be publicly verifiable by third parties.

Some of the required properties for reputation systems are already known for group signatures. Some, however, are not. For example, a reputation system does not consist of a single group, but rather there is a group for each rateable product (or service). For the security of reputation systems these different groups cannot be analyzed in isolation.

The goal of this research area is the extension of group signature schemes and the construction of anonymous reputation system on the basis of group signatures.

Anonymous Credential Systems

How can you assure a pharmacist that you have a prescription without revealing your identity? How can you show your driver's license without revealing your name? Such scenarios can be realized with anonymous credential systems. In such systems, users obtain credentials that certify attributes. With a credential, a user can access certain resources or services without revealing his identity. For this, he needs to prove that he is in possession of a credential with attributes that fulfill the resource's or service's access policy. We are interested in anonymous credential systems that support complex access policies.

In order for an anonymous credential system to be considered secure, the user must be able to access a resource without revealing his identity. Besides anonymity of users, credential systems must also make sure that users cannot collude and combine their attributes. A group of users must not be able to access to a resource for which none of the users (individually) have access to. Constructions of anonymous credentials usually rely on - among others - pairings and digital signatures.

The goal of this research area is to construct provably secure anonymous credential systems that support complex access policies.

Secure and Efficient Implementations

Because of the many applications of elliptic curves and pairings, increasingly more efficient algorithms to compute pairings have been developed in recent years. By now, pairings can even be computed in reasonably quickly on resource-restricted systems such as chip cards. This is particularly interesting if we want to defend against attackers with physical access to hardware executing computations that depend on a secret key. There are several ways to physically attack hardware which are usually not in the scope of formal security proofs. A physical attacker may try to gain information about the secret key by exploiting side channels. For example, the attacker may actively manipulate an algorithm's execution, or passively measure power consumption and running time. 

Pairings are defined on subgroups of elliptic curves over finite fields. These structures are also the basis for elliptic curve cryptography. There are already many theoretical and practical results on side-channel reistant elliptic curve cryptography. In part, these can be applied to pairing-based cryptography. For example, fault injection attacks on elliptic curve cryptography can be applied to pairing-based cryptography. For passive attacks, analysis methods for extracting information from power consumption can be applied as well. However, what cannot be easily applied to pairing-based cryptography are answers to the question "what manipulations are useful for an attacker?" and "how do I derive a secret key from data gathered through side channels?". This is because of the higher algorithm complexity and the role of the secret key for computations.

The goal of this research area is to improve security of pairing-based cryptography implemenations, to identify relevant side channels and to design efficient countermeasures against physical attackers.


Open list in Research Information System


Rational Secure Multiparty Computation

H. Bröcher, Master's thesis, 2019

Updatable Anonymous Credentials and Applications to Incentive Systems

J. Blömer, J. Bobolz, D.P. Diemert, F. Eidens, in: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS '19, 2019

In this paper, we introduce updatable anonymous credential systems (UACS) and use them to construct a new privacy-preserving incentive system. In a UACS, a user holding a credential certifying some attributes can interact with the corresponding issuer to update his attributes. During this, the issuer knows which update function is run, but does not learn the user's previous attributes. Hence the update process preserves anonymity of the user. One example for a class of update functions are additive updates of integer attributes, where the issuer increments an unknown integer attribute value v by some known value k. This kind of update is motivated by an application of UACS to incentive systems. Users in an incentive system can anonymously accumulate points, e.g. in a shop at checkout, and spend them later, e.g. for a discount.


Cloud Architectures for Searchable Encryption

J. Blömer, N. Löken, in: Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, ACM, 2018, pp. 25:1--25:10

Delegatable Attribute-based Anonymous Credentials from Dynamically Malleable Signatures

J. Blömer, J. Bobolz, in: ACNS 2018 Applied Cryptography & Network security, 2018

In this paper, we introduce the notion of delegatable attribute-based anonymous credentials (DAAC). Such systems offer fine-grained anonymous access control and they give the credential holder the ability to issue more restricted credentials to other users. In our model, credentials are parameterized with attributes that (1) express what the credential holder himself has been certified and (2) define which attributes he may issue to others. Furthermore, we present a practical construction of DAAC. For this construction, we deviate from the usual approach of embedding a certificate chain in the credential. Instead, we introduce a novel approach for which we identify a new primitive we call dynamically malleable signatures (DMS) as the main ingredient. This primitive may be of independent interest. We also give a first instantiation of DMS with efficient protocols.

Enhanced Security of Attribute-Based Signatures

J. Blömer, F. Eidens, J. Juhnke, in: The International Conference on Cryptology And Network Security (CANS), Springer, 2018, pp. 235-255

Fully-Featured Anonymous Credentials with Reputation System

K. Bemmann, J. Blömer, J. Bobolz, H. Bröcher, D.P. Diemert, F. Eidens, L. Eilers, J.F. Haltermann, J. Juhnke, B. Otour, L.A. Porzenheim, S. Pukrop, E. Schilling, M. Schlichtig, M. Stienemeier, in: Proceedings of the 13th International Conference on Availability, Reliability and Security - ARES '18, ACM, 2018

We present CLARC (Cryptographic Library for Anonymous Reputation and Credentials), an anonymous credentials system (ACS) combined with an anonymous reputation system. Using CLARC, users can receive attribute-based credentials from issuers. They can efficiently prove that their credentials satisfy complex (access) policies in a privacy-preserving way. This implements anonymous access control with complex policies. Furthermore, CLARC is the first ACS that is combined with an anonymous reputation system where users can anonymously rate services. A user who gets access to a service via a credential, also anonymously receives a review token to rate the service. If a user creates more than a single rating, this can be detected by anyone, preventing users from spamming ratings to sway public opinion. To evaluate feasibility of our construction, we present an open-source prototype implementation.

Practical, Anonymous, and Publicly Linkable Universally-Composable Reputation Systems

J. Blömer, F. Eidens, J. Juhnke, in: Topics in Cryptology - {CT-RSA} 2018 - The Cryptographers' Track at the {RSA} Conference 2018, Proceedings, Springer International Publishing, 2018, pp. 470-490

Provably Anonymous Communication Based on Trusted Execution Environments

J. Blömer, J. Bobolz, C. Scheideler, A. Setzer, 2018

In this paper, we investigate the use of trusted execution environments (TEEs, such as Intel's SGX) for an anonymous communication infrastructure over untrusted networks. For this, we present the general idea of exploiting trusted execution environments for the purpose of anonymous communication, including a continuous-time security framework that models strong anonymity guarantees in the presence of an adversary that observes all network traffic and can adaptively corrupt a constant fraction of participating nodes. In our framework, a participating node can generate a number of unlinkable pseudonyms. Messages are sent from and to pseudonyms, allowing both senders and receivers of messages to remain anonymous. We introduce a concrete construction, which shows viability of our TEE-based approach to anonymous communication. The construction draws from techniques from cryptography and overlay networks. Our techniques are very general and can be used as a basis for future constructions with similar goals.

    Voronoi Cells of Lattices with Respect to Arbitrary Norms

    J. Blömer, K. Kohn, SIAM Journal on Applied Algebra and Geometry. (2018), 2(2), pp. 314-338


    Attribute-Based Encryption as a Service for Access Control in Large-Scale Organizations

    J. Blömer, P. Günther, V. Krummel, N. Löken, in: Foundations and Practice of Security, Springer International Publishing, 2017, pp. 3-17

    Attribute-based Signatures using Structure Preserving Signatures

    P. Bemmann, Master's thesis, Universität Paderborn, 2017

    CCA-Security for Predicate Encryption Schemes

    G. Liske, Universität Paderborn, 2017

    EAX - An Authenticated Encryption Mode for Block Ciphers

    D. Diemert, Bachelor's thesis, Universität Paderborn, 2017

    Instantiating a Predicate Encryption Scheme via Pair Encodings

    A. Ganesh Athreya, Bachelor's thesis, Universität Paderborn, 2017

    Provably Secure Key-Derivation-Functions for Certain Types of Applications

    M. Jürgens, Bachelor's thesis, Universität Paderborn, 2017

    Semantically Secure Attribute-based Searchable Encryption

    D. Niehus, Master's thesis, Universität Paderborn, 2017

    Subtleties in Security Definitions for Predicate Encryption with Public Index

    J. Blömer, G. Liske, in: Proceedings of the International Conference of Mathematical Aspects of Computer and Information Sciences (MACIS), Springer International Publishing, 2017, pp. 438-453


    Commitment Schemes - Definitions, Variants, and Security

    K.S. Bemmann, Bachelor's thesis, Universität Paderborn, 2016

    Comparison of different Definitions of Chosen-Ciphertext Security in Encryption schemes

    L. Porzenheim, Bachelor's thesis, Universität Paderborn, 2016

    Construction of Fully CCA-Secure Predicate Encryptions from Pair Encoding Schemes

    J. Blömer, G. Liske, in: Proceedings of the CT-RSA 2016, 2016, pp. 431-447

    This paper presents a new framework for constructing fully CCA-secure predicate encryption schemes from pair encoding schemes. Our construction is the first in the context of predicate encryption which uses the technique of well-formedness proofs known from public key encryption. The resulting constructions are simpler and more efficient compared to the schemes achieved using known generic transformations from CPA-secure to CCA-secure schemes. The reduction costs of our framework are comparable to the reduction costs of the underlying CPA-secure framework. We achieve this last result by applying the dual system encryption methodology in a novel way.

      Physical attacks on pairing-based cryptography

      P. Günther, Universität Paderborn, 2016

      Short Randomizable Aggregatable Signatures: Constructions and Security Analysis

      F. Dallmeier, Bachelor's thesis, Universität Paderborn, 2016

      Symmetric Anonymous Credentials with Protocols for Relations on Attributes

      J. Hamm, Master's thesis, Universität Paderborn, 2016


      A group signature scheme based on the LSRW assumption

      F. Heihoff, Bachelor's thesis, Universität Paderborn, 2015

      Anonymous and Publicly Linkable Reputation Systems

      J. Blömer, J. Juhnke, C. Kolb, in: Proceedings of the 18th International Conference on Financial Cryptography and Data Security (FC), 2015, pp. 478--488

      Reputation systems are used to compute and publish reputation scores for services or products. We consider reputation systems where users are allowed to rate products that they purchased previously. To obtain trustworthy reputations, they are allowed to rate these products only once. As long as users rate products once, they stay anonymous. Everybody is able to detect users deviating from the rate-products-only-once policy and the anonymity of such dishonest users can be revoked by a system manager. In this paper we present formal models for such reputation systems and their security. Based on group signatures presented by Boneh, Boyen, and Shacham we design an efficient reputation system that meets all our requirements.

      Anonymous credential system based on q-Strong Diffie-Hellman Assumption

      F. Eidens, Master's thesis, Universität Paderborn, 2015

      Constructions of Fully Secure Predicate Encryption Schemes

      P. Schleiter, Master's thesis, Universität Paderborn, 2015

      Efficient Attributes for Pairing-Based Anonymous Credentials

      C. Stroh, Master's thesis, Universität Paderborn, 2015

      Elektromagnetische Seitenkanalangriffe auf paarungsbasierte Kryptographie

      B. Gerken, Master's thesis, Universität Paderborn, 2015

      Evaluation of Pairing Optimization for Embedded Platforms

      M. Sosniak, Master's thesis, Universität Paderborn, 2015

      Implementierung eines hybriden Verschlüsselungsverfahrens nach Cramer und Shoup

      B. Kalde, Bachelor's thesis, Universität Paderborn, 2015

      Number of Voronoi-relevant vectors in lattices with respect to arbitrary norms

      K. Kohn, Master's thesis, Universität Paderborn, 2015

      Protokolle zur authentifizierten Schüsselvereinbarung

      T. Eisenhofer, Bachelor's thesis, Universität Paderborn, 2015

      Short Group Signatures with Distributed Traceability

      J. Blömer, J. Juhnke, N. Löken, in: Proceedings of the Sixth International Conference on Mathematical Aspects of Computer and Information Sciences (MACIS), 2015, pp. 166-180

      Group signatures, introduced by Chaum and van Heyst [15], are an important primitive in cryptography. In group signature schemes every group member can anonymously sign messages on behalf of the group. In case of disputes a dedicated opening manager is able to trace signatures - he can extract the identity of the producer of a given signature. A formal model for static group signatures schemes and their security is defined by Bellare, Micciancio, and Warinschi [4], the case of dynamic groups is considered by Bellare, Shi, and Zhang [5]. Both models define group signature schemes with a single opening manager. The main difference between these models is that the number of group members in static schemes is fixed, while in dynamic schemes group members can join the group over time.

        Voronoi Cells of Lattices with Respect to Arbitrary Norms

        J. Blömer, K. Kohn, Universität Paderborn, 2015

        Motivated by the deterministic single exponential time algorithm of Micciancio and Voulgaris for solving the shortest and closest vector problem for the Euclidean norm, we study the geometry and complexity of Voronoi cells of lattices with respect to arbitrary norms.On the positive side, we show that for strictly convex and smooth norms the geometry of Voronoi cells of lattices in any dimension is similar to the Euclidean case, i.e., the Voronoi cells are defined by the so-called Voronoi-relevant vectors and the facets of a Voronoi cell are in one-to-one correspondence with these vectors. On the negative side, we show that combinatorially Voronoi cells for arbitrary strictly convex and smooth norms are much more complicated than in the Euclidean case.In particular, we construct a family of three-dimensional lattices whose number of Voronoi-relevant vectors with respect to the l_3-norm is unbounded.Since the algorithm of Micciancio and Voulgaris and its run time analysis crucially dependonthefactthatfortheEuclidean normthenumber of Voronoi-relevant vectors is single exponential in the lattice dimension, this indicates that the techniques of Micciancio and Voulgaris cannot be extended to achieve deterministic single exponential time algorithms for lattice problems with respect to arbitrary l_p-norms.


        A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

        J. Blömer, R. Gomes da Silva, P. Günther, J. Krämer, J. Seifert, in: Proceedings of Fault Tolerance and Diagnosis in Cryptography(FDTC), 2014, pp. 123--136

        Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and are even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller Algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation.

          Constructing CCA-secure predicate encapsulation schemes from CPA-secure schemes and universal one-way hash functions

          J. Blömer, G. Liske, 2014

          We present a new transformation of chosen-plaintext secure predicate encryption schemes with public index into chosen-ciphertext secure schemes. Our construction requires only a universal one-way hash function and is selectively secure in the standard model. The transformation is not generic but can be applied to various existing schemes constructed from bilinear groups. Using common structural properties of these schemes we provide an efficient and simple transformation without overhead in form of one-time signatures or message authentication codes as required in the known generic transformations.

          Fujisaki-Okamoto Transformation

          J. Lippert, Bachelor's thesis, Universität Paderborn, 2014

          Group Signature Schemes with Strong Exculpability

          P. Bemmann, Bachelor's thesis, Universität Paderborn, 2014

          Hiding software components using functional encryption

          J. Jochheim, Master's thesis, Universität Paderborn, 2014

          RSA-Full Domain Hash Revisited

          T. Rath, Bachelor's thesis, Universität Paderborn, 2014

          RSA Full Domain Hash ist im Zufallsorakelmodell ein EUF-CMA sicheres Signaturverfahren (existentially unforgeable under chosen-message attacks). Der Sicherheitsbeweis wird unter anderem in der Vorlesung Einf{\"u}hrung in die Kryptographie vorgestellt. Auch bei einer genaueren Analyse verliert man bei der Reduktion einen Faktor \nicefrac{1}{q_{s}}(wobei q_{s}die Anzahl der Anfragen an das Signaturorakel darstellt), was f{\"u}r die Praxis in relativ großen Systemparametern (RSA-Modul) resultiert [1].Seit der Ver{\"o}ffentlichung von [2] wurde geglaubt, dass der Faktor \nicefrac{1}{q_{s}}optimal ist. Erst zehn Jahre sp{\"a}ter offenbarten die Autoren von [3] einen Fehler in [2] und zeigten eine bessere Reduktion allerdings unter einer etwas st{\"a}rkeren Sicherheitsannahme.Die Ergebnisse aus [3] lassen sich auf PSS-Verfahren (Probabilistic Signature Scheme), das z.B. in PKCS #1 benutzt wird, {\"u}bertragen und sind somit von großer Bedeutung f{\"u}r die Praxis. Weiterhin sind die in den Beweisen verwendete Techniken n{\"u}tzlich auch bei anderen kryptographischen Verfahren.In Rahmen dieser Arbeit sollen die entsprechenden Sicherheitsbeweise aufgearbeitet und dessen Auswirkungen f{\"u}r die Praxis analysiert werden.[1] J.S. Coron, “On the Exact Security of Full Domain Hash”, CRYPTO 2000. LNCS 1880, pp. 229-235, 2000.[2] J.S. Coron, “Optimal security proofs for PPS and other signature schemes”, EUROCRYPT 2002. LNCS 2332, pp 272-287, 2002.[3] S.A. Kakvi and E. Kiltz, “Optimal Security Proofs for Full Domain Hash, Revisited”, in EUROCRYPT 2012. LNCS 7237, pp 537-553, 2012.

            Tampering attacks in pairing-based cryptography

            J. Blömer, P. Günther, G. Liske, in: Proceedings of Fault Tolerance and Diagnosis in Cryptography(FDTC), 2014, pp. 1--7

            In the last decade pairings have become an important, and often indispensable, ingredient in the construction of identity-based and attribute-based cryptosystems, as well as group signatures and credential systems. Consequently, the applicability of timing, power, or fault attacks to implementations of pairings is an important research topic. We will review some of the known results in this area.


              Direct Chosen-Ciphertext Secure Attribute-Based Key Encapsulations without Random Oracles

              J. Blömer, G. Liske, 2013

              We present a new technique to realize attribute-based encryption (ABE) schemes secure in the standard model against chosen-ciphertext attacks (CCA-secure). Our approach is to extend certain concrete chosen-plaintext secure (CPA-secure) ABE schemes to achieve more efficient constructions than the known generic constructions of CCA-secure ABE schemes. We restrict ourselves to the construction of attribute-based key encapsulation mechanisms (KEMs) and present two concrete CCA-secure schemes: a key-policy attribute-based KEM that is based on Goyal's key-policy ABE and a ciphertext-policy attribute-based KEM that is based on Waters' ciphertext-policy ABE. To achieve our goals, we use an appropriate hash function and need to extend the public parameters and the ciphertexts of the underlying CPA-secure encryption schemes only by a single group element. Moreover, we use the same hardness assumptions as the underlying CPA-secure encryption schemes.

              Securing Critical Unattended Systems with Identity Based Cryptography - A Case Study

              J. Blömer, P. Günther, V. Krummel, in: Proceedings of the 5th International Conference on Mathematical Aspects of Computer and Information Sciences (MACIS), 2013, pp. 98-105

              Unattended systems are key ingredients of various critical infrastruc-tures like networks of self service terminals or automated teller machines.For cost and efficiency reasons they should mostly run autonomously.Unattended systems are attractive and lucrative targets for various kindsof attacks, including attacks on the integrity of their components and thecommunication between components. In this paper, we propose a gen-eral cryptographic framework to protect unattended systems. We alsodemonstrate that instantiating the framework with techniques from iden-tity based cryptography is particularly well-suited to efficiently secureunattended systems.

                Seitenkanalresistenz paarungsbasierter Kryptographie

                O. Otte, Bachelor's thesis, Universität Paderborn, 2013


                Attribute-basierte Verschlüsselung

                P. Schleiter, Bachelor's thesis, Universität Paderborn, 2012


                Fault attacks in pairing-based cryptography

                G. Liske, Master's thesis, Universität Paderborn, 2011


                Open list in Research Information System

                The University for the Information Society