Results 1 - 10 of 19
Bit Commitment Using Pseudo-Randomness
- Journal of Cryptology, 1991
Cited by 206 (15 self)
Abstract:
We show how a pseudo-random generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudo-random generators suffices to assure amortized O(1) bits of communication per bit commitment.
On Memory-Bound Functions for Fighting Spam
- In Crypto, 2002
Cited by 74 (2 self)
Abstract:
In 1992, Dwork and Naor proposed that e-mail messages be accompanied by easy-to-check proofs of computational effort in order to discourage junk e-mail, now known as spam. They proposed specific CPU-bound functions for this purpose. Burrows suggested that, since memory access speeds vary across machines much less than do CPU speeds, memory-bound functions may behave more equitably than CPU-bound functions; this approach was first explored by Abadi, Burrows, Manasse, and Wobber [8].
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
- Journal of Cryptology, 1993
Cited by 69 (8 self)
Abstract:
We show very efficient constructions for a pseudo-random generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudo-random generators can be used for private key encryption and universal one-way hash functions for signature schemes.) The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our constructions can be implemented in NC using an optimal number of processors. Part of this work was done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88-13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction Many cryptosystems are based on the intractability of number theoretic problems such as factoring and discrete logarit...
An Efficient Existentially Unforgeable Signature Scheme and its Applications
- Journal of Cryptology, 1994
Cited by 42 (5 self)
Abstract:
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$ where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto'94. † IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32-00032-1. E-mail: dwork@almaden.ibm.com. ‡ Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...
On Concrete Security Treatment of Signatures Derived from Identification
- In Crypto '98, LNCS 1462, 1998
Cited by 36 (1 self)
Abstract:
Signature schemes that are derived from three-move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the "concrete security analysis" of these schemes. We then apply it to the multi-signature schemes.
Security of Signed ElGamal Encryption
- In Asiacrypt 2000, LNCS 1976, 2000
Cited by 36 (3 self)
Abstract:
Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts. 1 Introduction and Summary We analyse a very practical public key cryptosystem in terms of its security against the strong adaptive chosen ciphertext attack (CCA) of [RS92], in which an attacker can access a decryption oracle on arbitrary ciphertexts (ex...
Security of Blind Discrete Log Signatures against Interactive Attacks
- ICICS 2001, LNCS 2229, 2001
Cited by 24 (1 self)
Abstract:
We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some l times with a legitimate signer and produces from these interactions l + 1 signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo q with random inhomogeneities (right sides). There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order $2^{200}$. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.
Security of Blind Digital Signatures (Extended Abstract)
- In Crypto '97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, 1997
Cited by 16 (0 self)
Abstract:
Blind digital signatures were introduced by Chaum. In this paper, we show how security and blindness properties for blind digital signatures can be simultaneously defined and satisfied, assuming an arbitrary one-way trapdoor permutation family. Thus, this paper presents the first complexity-based proof of security for blind signatures.
Timed commitments (Extended Abstract)
- In Advances in Cryptology - Crypto '00, 2000
Cited by 13 (0 self)
Abstract:
We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty preserving auctions and collective coin-flipping, are discussed.
Security of Discrete Log Cryptosystems in the Random Oracle + Generic Model
- In The Mathematics of Public-Key Cryptography, The Fields Institute, 1999
Cited by 9 (2 self)
Abstract:
Based on a novel proof model we prove security for simple discrete log cryptosystems for which security has been an open problem. We consider a combination of the random oracle (RO) model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic attacks. In this model, we first show that Schnorr signatures are secure against the one-more signature forgery: a generic adversary performing $t$ generic steps including $\ell$ sequential interactions with the signer cannot produce $\ell+1$ signatures with a better probability than $\binom{t}{2}/q$. We also characterize the different power of sequential and of parallel attacks. Secondly, we prove a simple ElGamal based encryption to be secure against the adaptive chosen ciphertext attack, in which an attacker can arbitrarily use a decryption oracle except for the challenge ciphertext. This encryp...