Results 1  10
of
36
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 447 (22 self)
 Add to MetaCart
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
CollisionFree Accumulators and FailStop Signature Schemes Without Trees
, 1997
"... . Oneway accumulators, introduced by Benaloh and de Mare, can be used to accumulate a large number of values into a single one, which can then be used to authenticate every input value without the need to transmit the others. However, the oneway property does is not sufficient for all applications ..."
Abstract

Cited by 164 (0 self)
 Add to MetaCart
. Oneway accumulators, introduced by Benaloh and de Mare, can be used to accumulate a large number of values into a single one, which can then be used to authenticate every input value without the need to transmit the others. However, the oneway property does is not sufficient for all applications. In this paper, we generalize the definition of accumulators and define and construct a collisionfree subtype. As an application, we construct a failstop signature scheme in which many onetime public keys are accumulated into one short public key. In contrast to previous constructions with tree authentication, the length of both this public key and the signatures can be independent of the number of messages that can be signed. 1 Introduction The security of digital signature schemes depends on socalled computational assumptions, e.g., the factoring assumption. If somebody can break the assumption on which the system is based, and if he can therefore get the private key of the signer, h...
Secure hashandsign signatures without the random oracle
, 1999
"... We present a new signature scheme which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture. This scheme is not based on "signature trees", and instead it uses the so called "hashandsign" paradigm. It is unique in that the assumptions made on the ..."
Abstract

Cited by 121 (9 self)
 Add to MetaCart
We present a new signature scheme which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture. This scheme is not based on "signature trees", and instead it uses the so called "hashandsign" paradigm. It is unique in that the assumptions made on the cryptographic hash function in use are well defined and reasonable (although nonstandard). In particular, we do not model this function as a random oracle. We construct our proof of security in steps. First we describe and prove a construction which operates in the random oracle model. Then we show that the random oracle in this construction can be replaced by a hash function which satisfies some strong (but well defined!) computational assumptions. Finally,we demonstrate that these assumptions are reasonable, by proving that a function satisfying them exists under standard intractability assumptions.
On MemoryBound Functions for Fighting Spam
 In Crypto
, 2002
"... In 1992, Dwork and Naor proposed that email messages be accompanied by easytocheck proofs of computational effort in order to discourage junk email, now known as spam. They proposed specific CPUbound functions for this purpose. Burrows suggested that, since memory access speeds vary across ma ..."
Abstract

Cited by 82 (2 self)
 Add to MetaCart
In 1992, Dwork and Naor proposed that email messages be accompanied by easytocheck proofs of computational effort in order to discourage junk email, now known as spam. They proposed specific CPUbound functions for this purpose. Burrows suggested that, since memory access speeds vary across machines much less than do CPU speeds, memorybound functions may behave more equitably than CPUbound functions; this approach was first explored by Abadi, Burrows, Manasse, and Wobber [8].
Authenticated DiffieHellman Key Agreement Protocols
, 1998
"... This paper surveys recent work on the design and analysis of key agreement protocols that are based on the intractability of the DiffieHellman problem. The focus is on protocols that have been standardized, or are in the process of being standardized, by organizations such as ANSI, IEEE, ISO/IEC, a ..."
Abstract

Cited by 67 (1 self)
 Add to MetaCart
This paper surveys recent work on the design and analysis of key agreement protocols that are based on the intractability of the DiffieHellman problem. The focus is on protocols that have been standardized, or are in the process of being standardized, by organizations such as ANSI, IEEE, ISO/IEC, and NIST. The practical and provable security aspects of these protocols are discussed.
Optimal Security Proofs for PSS and other Signature Schemes
, 2002
"... The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter r ..."
Abstract

Cited by 49 (2 self)
 Add to MetaCart
The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that log 2 qsig bits suce, where qsig is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than log 2 qsig bits are used, then PSS is still provably secure but it cannot have a tight security proof.
New Generation of Secure and Practical RSAbased Signatures
, 1996
"... For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collisionintractability of certain hashfunctions are necessar ..."
Abstract

Cited by 36 (1 self)
 Add to MetaCart
For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collisionintractability of certain hashfunctions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
Access control and signatures via quorum secret sharing
 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
, 1998
"... We suggest a method of controlling the access to a secure database via quorum systems. A quorum system is a collection of sets (quorums) every two of which have a nonempty intersection. Quorum systems have been used for a number of applications in the area of distributed systems. We propose a separ ..."
Abstract

Cited by 34 (13 self)
 Add to MetaCart
We suggest a method of controlling the access to a secure database via quorum systems. A quorum system is a collection of sets (quorums) every two of which have a nonempty intersection. Quorum systems have been used for a number of applications in the area of distributed systems. We propose a separation between access servers, which are protected and trustworthy, but may be outdated, and the data servers, which may all be compromised. The main paradigm is that only the servers in a complete quorum can collectively grant (or revoke) access permission. The method we suggest ensures that, after authorization is revoked, a cheating user Alice will not be able to access the data even if many access servers still consider her authorized and even if the complete raw database is available to her. The method has a low overhead in terms of communication and computation. It can also be converted into a distributed system for issuing secure signatures. An important building block in our method is the use of secret sharing schemes that realize the access structures of quorum systems. We provide several efficient constructions of such schemes which may be of interest in their own right.
Entity Authentication and Authenticated Key Transport Protocols Employing Asymmetric Techniques
 Security Protocols Workshop '97
, 1997
"... . This paper investigates security proofs for protocols that employ asymmetric (publickey) techniques to solve two problems: entity authentication and authenticated key transport. A formal model is provided, and a definition of the goals within this model is supplied. Two protocols are presented an ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
. This paper investigates security proofs for protocols that employ asymmetric (publickey) techniques to solve two problems: entity authentication and authenticated key transport. A formal model is provided, and a definition of the goals within this model is supplied. Two protocols are presented and proven secure within this framework, given the existence of certain cryptographic primitives. The practical implementation of these protocols is discussed. We emphasize the relevance of these theoretical results to the security of systems used in practice. In particular, our results imply the security of some protocols standardized by ISO [15, 16] and NIST [20] in the model proposed. This work is heavily influenced by the work of Bellare and Rogaway [1, 5], who demonstrate proven secure protocols for these problems using symmetric cryptosystems. Our paper is an extension of their work to the publickey setting. 1 Introduction The key transport problem is stated as follows: one entity wis...
Batch RSA
, 1996
"... We present a variant of the RSA algorithm called Batch RSA with two important properties: • The cost per private operation is exponentially smaller than other number theoretic schemes ([9, 23, 22, 11, 13, 12], etc.). In practice, the new variant effectively performs several modular exponentiati ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
We present a variant of the RSA algorithm called Batch RSA with two important properties: • The cost per private operation is exponentially smaller than other number theoretic schemes ([9, 23, 22, 11, 13, 12], etc.). In practice, the new variant effectively performs several modular exponentiations at the cost of a single modular exponentiation. This leads to a very fast RSAlike scheme whenever RSA is to be performed at some central site or when pureRSA encryption (vs. hybrid encryption) is to be performed. • An additional important feature of Batch RSA is the possibility of using a distributed Batch RSA process that isolates the private key from the system, irrespective of the size of the system, the number of sites, or the number of private operations that need be performed.