Results 1  10
of
78
The exact security of digital signatures: How to sign with RSA and Rabin
, 1996
"... We describe an RSAbased signing scheme called PSS which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. ..."
Abstract

Cited by 352 (14 self)
 Add to MetaCart
(Show Context)
We describe an RSAbased signing scheme called PSS which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a tight way — an ability to forge signatures with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with about the same computational effort. Furthermore, we provide a second scheme which maintains all of the above features and in addition provides message recovery. These ideas extend to provide schemes for Rabin signatures with analogous properties; in particular their security can be tightly related to the hardness of factoring.
Evidence and Nonrepudiation
 JOURNAL OF NETWORK AND COMPUTER APPLICATIONS
, 1997
"... The ultimate purpose of a nonrepudiation service is to resolve disputes about the occurrence or nonoccurrence of a claimed event or action. Dispute resolution relies on the evidence held by the participants. This paper discusses types of nonrepudiation evidence, elements of nonrepudiation evide ..."
Abstract

Cited by 38 (5 self)
 Add to MetaCart
The ultimate purpose of a nonrepudiation service is to resolve disputes about the occurrence or nonoccurrence of a claimed event or action. Dispute resolution relies on the evidence held by the participants. This paper discusses types of nonrepudiation evidence, elements of nonrepudiation evidence and validity of nonrepudiation evidence. We also investigate and compare a number of protocols aiming at fair exchange of nonrepudiation evidence.
Authentication and Payment in Future Mobile Systems
"... This article presents an efficient publickey protocol for mutual authentication and key exchange designed for third generation mobile communications systems. The paper also demonstrates how a micropayment scheme can be integrated into the authentication protocol; this payment protocol allows for th ..."
Abstract

Cited by 37 (2 self)
 Add to MetaCart
(Show Context)
This article presents an efficient publickey protocol for mutual authentication and key exchange designed for third generation mobile communications systems. The paper also demonstrates how a micropayment scheme can be integrated into the authentication protocol; this payment protocol allows for the provision of incontestable charging. The problem of establishing authenticated public keys through crosscertification is addressed.
Security Proof of SakaiKasahara's IdentityBased Encryption Scheme
 In Proceedings of Cryptography and Coding 2005, LNCS 3706
, 2005
"... Identitybased encryption (IBE) is a special asymmetric encryption method where a public encryption key can be an arbitrary identifier and the corresponding private decryption key is created by binding the identifier with a system's master secret. In 2003 Sakai and Kasahara proposed a new I ..."
Abstract

Cited by 31 (5 self)
 Add to MetaCart
(Show Context)
Identitybased encryption (IBE) is a special asymmetric encryption method where a public encryption key can be an arbitrary identifier and the corresponding private decryption key is created by binding the identifier with a system's master secret. In 2003 Sakai and Kasahara proposed a new IBE scheme, which has the potential to improve performance.
PSS: Provably Secure Encoding Method for Digital Signatures
, 1998
"... We describe two encoding methods: EMSAPSS, for signing with appendix, and EMSRPSS, for signing with message recovery. These encodings are appropriate for signatures based on the RSA or Rabin/Williams primitive. The methods are as simple and efficient as the methods in the current P1363 draft (base ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
We describe two encoding methods: EMSAPSS, for signing with appendix, and EMSRPSS, for signing with message recovery. These encodings are appropriate for signatures based on the RSA or Rabin/Williams primitive. The methods are as simple and efficient as the methods in the current P1363 draft (based on X9.31 and ISO 9796), but they have better demonstrated security. In particular, treating the underlying hash function as ideal, EMSAPSS and EMSRPSS give rise to provablysecure schemes: the ability to forge implies the ability to invert the underlying trapdoor permutation. In fact, when the underlying primitive is RSA, the schemes are not only provably secure, but are so in a tight way: the ability to forge with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with essentially the same computational resources. Additional benefits are described in the body of this paper. The methods described in this contribution are from our Euro...
Signing on a Postcard
 In Proceedings of Financial Cryptography
, 2000
"... We investigate the problem of signing short messages using a scheme that minimizes the total length of the original message and the appended signature. This line of research was motivated by several postal services interested by stamping machines capable of producing digital signatures. Although ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
(Show Context)
We investigate the problem of signing short messages using a scheme that minimizes the total length of the original message and the appended signature. This line of research was motivated by several postal services interested by stamping machines capable of producing digital signatures. Although several message recovery schemes exist, their security is questionable. This paper proposes variants of DSA and ECDSA allowing partial recovery: the signature is appended to a truncated message and the discarded bytes are recovered by the verification algorithm.
Lecture Notes on Cryptography
, 2001
"... This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MI ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
(Show Context)
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
Secure Billing for Mobile Information Services in UMTS
"... . This paper presents solutions developed in the ACTS ASPeCT project for advanced security features in UMTS. In particular, a secure billing scheme for valueadded information services using micropayments is presented. The solutions will be validated in a trial to be conducted over an experimental U ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
(Show Context)
. This paper presents solutions developed in the ACTS ASPeCT project for advanced security features in UMTS. In particular, a secure billing scheme for valueadded information services using micropayments is presented. The solutions will be validated in a trial to be conducted over an experimental UMTS platform. 1 Introduction It is clear that adequate security features must form an integral part of a mobile telecommunications system. In second generation systems such as GSM and DECT, security features based on cryptographic techniques have been included in a systematic way for the first time [1, 2]. Their success is undeniable: second generation systems are much less susceptible to fraud than their predecessors. However, the increasing, and increasingly diverse, demand for security by users, operators and regulatory bodies calls for more advanced security features in third generation systems, such as the Universal Mobile Telecommunications System (UMTS). It is the goal of the ACTS Ad...
Channel Coding as a Cryptography Enhancer
 Proceedings of the 11th WSEAS International Conference on Communications, Agios Nikolaos
"... Abstract: In this work, channel decoding is considered as a promising way for improvement of cryptographic functions. Use of MAC/HMAC values and digital signatures is analyzed in a context of code concatenation, together with convolutional codes using MAP decoding algorithm. Soft Input Decryption ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
(Show Context)
Abstract: In this work, channel decoding is considered as a promising way for improvement of cryptographic functions. Use of MAC/HMAC values and digital signatures is analyzed in a context of code concatenation, together with convolutional codes using MAP decoding algorithm. Soft Input Decryption method, which uses Lvalues from channel decoder, presents an efficient method for integrating cryptography into decoding. The results of computer simulations that implement this method have been also presented. Additionally, the number of Lvalues verifications has been tested and compared with the theoretical results.