Bit Commitment Using Pseudo-Randomness
Journal of Cryptology, 1991
Abstract

Cited by 228 (15 self)
We show how a pseudorandom generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communication per bit commitment.
On Memory-Bound Functions for Fighting Spam
In Crypto, 2002
Abstract

Cited by 82 (2 self)
In 1992, Dwork and Naor proposed that email messages be accompanied by easy-to-check proofs of computational effort in order to discourage junk email, now known as spam. They proposed specific CPU-bound functions for this purpose. Burrows suggested that, since memory access speeds vary across machines much less than do CPU speeds, memory-bound functions may behave more equitably than CPU-bound functions; this approach was first explored by Abadi, Burrows, Manasse, and Wobber [8].
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
Journal of Cryptology, 1993
Abstract

Cited by 78 (8 self)
We show very efficient constructions for a pseudorandom generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal one-way hash functions for signature schemes.) The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our constructions can be implemented in NC using an optimal number of processors. Part of this work was done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88-13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction Many cryptosystems are based on the intractability of number theoretic problems such as factoring and discrete logarit...
An Efficient Existentially Unforgeable Signature Scheme and its Applications
Journal of Cryptology, 1994
Abstract

Cited by 45 (5 self)
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$ where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto '94. † IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32000321. Email: dwork@almaden.ibm.com. ‡ Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...
On Concrete Security Treatment of Signatures Derived from Identification
In Crypto '98, LNCS 1462, 1998
Abstract

Cited by 40 (1 self)
Signature schemes that are derived from three-move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the "concrete security analysis" of these schemes. We then apply it to the multisignature schemes.
Security of Signed ElGamal Encryption
In Asiacrypt '2000, LNCS 1976, 2000
Abstract

Cited by 40 (3 self)
Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts. 1 Introduction and Summary We analyse a very practical public key cryptosystem in terms of its security against the strong adaptive chosen ciphertext attack (CCA) of [RS92], in which an attacker can access a decryption oracle on arbitrary ciphertexts (ex...
Security of Blind Discrete Log Signatures against Interactive Attacks
ICICS 2001, LNCS 2229, 2001
Abstract

Cited by 24 (1 self)
We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some $\ell$ times with a legitimate signer and produces from these interactions $\ell + 1$ signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo q with random inhomogeneities (right sides). There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order $2^{200}$. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.
Security of Blind Digital Signatures (Extended Abstract)
In CRYPTO '97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, 1997
Abstract

Cited by 21 (0 self)
Blind digital signatures were introduced by Chaum. In this paper, we show how security and blindness properties for blind digital signatures can be simultaneously defined and satisfied, assuming an arbitrary one-way trapdoor permutation family. Thus, this paper presents the first complexity-based proof of security for blind signatures.
Timed commitments (Extended Abstract)
In Advances in Cryptology - CRYPTO '00, 2000
Abstract

Cited by 13 (0 self)
We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty preserving auctions and collective coin-flipping, are discussed.
Security of Discrete Log Cryptosystems in the Random Oracle + Generic Model
In The Mathematics of Public-Key Cryptography, The Fields Institute, 1999
Abstract

Cited by 10 (2 self)
Based on a novel proof model we prove security for simple discrete log cryptosystems for which security has been an open problem. We consider a combination of the random oracle (RO) model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic attacks. In this model, we first show that Schnorr signatures are secure against the one-more signature forgery: A generic adversary performing t generic steps including $\ell$ sequential interactions with the signer cannot produce $\ell + 1$ signatures with a better probability than $\binom{t}{2}/q$. We also characterize the different power of sequential and of parallel attacks. Secondly, we prove a simple ElGamal based encryption to be secure against the adaptive chosen ciphertext attack, in which an attacker can arbitrarily use a decryption oracle except for the challenge ciphertext. This encryp...