Results 1–10 of 14
Identity based undeniable signatures
Topics in Cryptology – CT-RSA 2004, LNCS 2964, 2004
Cited by 20 (2 self)
Abstract
In this paper, we give a first example of an identity-based undeniable signature using pairings over elliptic curves. We extend to the identity-based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003, and we prove that our scheme is existentially unforgeable under the Bilinear Diffie-Hellman assumption in the random oracle model. We also prove that it has the invisibility property under the Decisional Bilinear Diffie-Hellman assumption, and we discuss the efficiency of the scheme.
Timed-Release Cryptography
In Selected Areas in Cryptography VIII (SAC'01), 2001
Cited by 16 (0 self)
Abstract
Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod n$ given $a$, $t$ with $\gcd(a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfil this task. Rivest et al. suggested using such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod n$ with respect to $a^e$, where $e$ is an RSA encryption exponent. With such a proof, a timed-release encryption of a message $M$ can be given as $a^{2^t} M \pmod n$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod n$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously.
Keywords: timed-release cryptography, time-lock puzzles, non-parallelisability, efficient zero-knowledge protocols.
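The two asymmetric paths the abstract relies on, as an added illustration that is not code from the paper: the solver must perform $t$ sequential squarings, while the puzzle setter, who knows $\varphi(n)$, reduces the exponent $2^t$ modulo $\varphi(n)$ and finishes in one modular exponentiation. The modulus below is built from two small constructed primes so that the sequential path runs instantly; the function names and the toy parameters are assumptions of this example.

```python
import random
from math import gcd

# Constructed toy modulus: two known small primes so the example runs instantly.
# The abstract's setting is n > 2^1024 and t up to 2^100; the arithmetic is identical.
P, Q = 104729, 1299709          # constructed primes (the 10,000th and 100,000th)
N = P * Q
PHI = (P - 1) * (Q - 1)         # phi(n): the trapdoor only the puzzle setter holds

def sequential_solve(a, t, n=N):
    """Solver's path: a^(2^t) mod n by t successive squarings.
    Without the factorisation of n no faster method is known, and the squarings
    cannot be parallelised, which is what makes the puzzle act as a timer."""
    x = a % n
    for _ in range(t):
        x = x * x % n
    return x

def trapdoor_solve(a, t, n=N, phi=PHI):
    """Setter's shortcut: since gcd(a, n) = 1, a^phi(n) = 1 (mod n), so 2^t can be
    reduced modulo phi(n) before a single exponentiation. Cost is independent of t."""
    e = pow(2, t, phi)
    return pow(a, e, n)

def make_puzzle(message, t, a=None, rng=random.SystemRandom()):
    """Timed-release encryption as in the abstract: publish (a, t, a^(2^t) * M mod n).
    `message` is an integer below n."""
    if a is None:
        a = rng.randrange(2, N)
    if gcd(a, N) != 1:
        raise ValueError("base must be coprime to n")
    key = trapdoor_solve(a, t)
    return a, t, key * message % N

def open_puzzle(puzzle):
    """Receiver's path: t squarings, then strip the multiplicative mask."""
    a, t, c = puzzle
    key = sequential_solve(a, t)
    return c * pow(key, -1, N) % N
```

Note what the receiver cannot do here: before investing the $t$ squarings there is no way to check that the setter computed the mask honestly, since the only verification is to redo the work. That is the gap the abstract's zero-knowledge proof of correctness is meant to close. (`pow(key, -1, N)` needs Python 3.8 or later.)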
The security of the FDH variant of Chaum’s undeniable signature scheme
Full version available from the Cryptology ePrint Archive, http://www.iacr.org
Cited by 14 (3 self)
Abstract
In this paper, we first introduce a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes. Note that forgeability does not necessarily imply impersonation ability. We then classify the security of the FDH variant of Chaum’s undeniable signature scheme according to three dimensions: the goal of adversaries, the attacks, and the ZK level of the confirmation and disavowal protocols. We finally relate each security notion to some well-known computational problem. In particular, we prove that the security of the FDH variant of Chaum’s scheme with NIZK confirmation and disavowal protocols is equivalent to the CDH problem, as opposed to the GDH problem as claimed by Okamoto and Pointcheval.
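The scheme the abstract analyses, as an added example rather than code from the paper: Chaum's undeniable signature is $\sigma = H(m)^x$ for a full-domain hash $H$ into a prime-order group, and the signature is meaningless to a verifier until the signer runs a confirmation protocol. The NIZK confirmation here is the standard Fiat-Shamir-transformed Chaum-Pedersen proof that $(g, y, H(m), \sigma)$ is a Diffie-Hellman tuple; the disavowal protocol is omitted. The toy group, the hash-to-group construction and all names are assumptions of this example.

```python
import hashlib
import random

# Constructed toy group: p = 2q + 1 is a safe prime and G = 2^2 generates the
# order-q subgroup of quadratic residues. Real parameters are 2048 bits or more.
P = 10007
Q = 5003
G = 4
assert pow(G, Q, P) == 1

def keygen(rng=random.SystemRandom()):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)          # private x, public y = g^x

def hash_to_group(m: bytes):
    """Full-domain hash into the order-q subgroup: square a hash value mod p.
    Squaring lands in the quadratic residues while keeping the discrete log of
    H(m) unknown; hashing as g^{h(m)} instead would let anyone compute y^{h(m)}
    and check signatures publicly, destroying the undeniable property."""
    ctr = 0
    while True:
        d = int.from_bytes(hashlib.sha256(m + ctr.to_bytes(4, "big")).digest(), "big")
        h = pow(d % P, 2, P)
        if h not in (0, 1):
            return h
        ctr += 1

def sign(x, m):
    """Chaum's undeniable signature: sigma = H(m)^x. Without the signer's help
    (or a DDH oracle) a valid sigma is indistinguishable from a random element."""
    return pow(hash_to_group(m), x, P)

def _challenge(*vals):
    data = b"".join(v.to_bytes(4, "big") for v in vals)   # values are < 2^32 here
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def confirm(x, y, m, sigma, rng=random.SystemRandom()):
    """NIZK confirmation: Chaum-Pedersen proof that log_g y == log_{H(m)} sigma,
    made non-interactive by deriving the challenge from the transcript."""
    h = hash_to_group(m)
    k = rng.randrange(1, Q)
    t1, t2 = pow(G, k, P), pow(h, k, P)
    c = _challenge(y, h, sigma, t1, t2)
    s = (k + c * x) % Q
    return t1, t2, s

def verify_confirmation(y, m, sigma, proof):
    """Anyone holding the transcript can check it; a non-interactive proof is
    transferable, which is exactly the trade-off the abstract's 'ZK level' axis is about."""
    h = hash_to_group(m)
    t1, t2, s = proof
    c = _challenge(y, h, sigma, t1, t2)
    return (pow(G, s, P) == t1 * pow(y, c, P) % P
            and pow(h, s, P) == t2 * pow(sigma, c, P) % P)
```

The second verification equation is what ties the proof to the message: substituting a different $\sigma$ or a different $m$ changes $H(m)$ or the challenge, and the transcript no longer verifies.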
Chameleon Hashing without Key Exposure
2004
Cited by 12 (2 self)
Abstract
Chameleon signatures are based on the well-established hash-and-sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message, i.e., the designated recipient is capable of verifying the validity of the signature, but cannot disclose the contents of the signed information to convince any third party without the signer's consent.
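The primitive the abstract builds on and the weakness its title refers to, as an added example that is not the paper's own construction: the classical discrete-log chameleon hash of Krawczyk and Rabin, $\mathrm{CH}(m, r) = g^m y^r$, lets the recipient (who holds the trapdoor $x$ with $y = g^x$) open a hash to any other message, which is what makes the signature non-transferable. The price is key exposure: a single published collision reveals $x$ to everyone. The ordinary signature layer over the hash is omitted, and the toy group and names are assumptions of this example.

```python
import random

# Constructed toy group: p = 2q + 1 is a safe prime and G = 2^2 has order q.
# Real parameters are 2048 bits or more.
P = 10007
Q = 5003
G = 4

def keygen(rng=random.SystemRandom()):
    x = rng.randrange(1, Q)           # trapdoor, held by the designated recipient
    return x, pow(G, x, P)            # public chameleon hash key y = g^x

def chameleon_hash(y, m, r):
    """Krawczyk-Rabin chameleon hash: CH(m, r) = g^m * y^r mod p.
    Collision-resistant for anyone without x; trivially collidable with x.
    A chameleon signature is an ordinary signature on this digest."""
    return pow(G, m % Q, P) * pow(y, r % Q, P) % P

def find_collision(x, m, r, m2):
    """Recipient's trapdoor: CH(m, r) == CH(m2, r2) iff m + x*r == m2 + x*r2 (mod q),
    so r2 = r + (m - m2) * x^{-1} mod q. Because the recipient could have forged a
    signature on any m2 himself, he cannot convince a third party (non-transferability)."""
    return (r + (m - m2) * pow(x, -1, Q)) % Q

def recover_trapdoor(m, r, m2, r2):
    """Key exposure: given one collision, x = (m2 - m) * (r - r2)^{-1} mod q.
    Once a collision is revealed (e.g. to a judge in a dispute), anyone can
    recover x and collide the hash under this key for every future message."""
    return (m2 - m) * pow((r - r2) % Q, -1, Q) % Q
```

The `recover_trapdoor` step is the reason a recipient can never safely publish a collision under a plain chameleon hash, and why the paper's title asks for a construction in which a revealed collision does not leak the long-term trapdoor.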
Time-Selective Convertible Undeniable Signatures
Proc. of CT-RSA’05, Springer LNCS, 2005
Cited by 5 (2 self)
Abstract
Undeniable signatures were introduced in 1989 by Chaum and van Antwerpen to limit the self-authenticating property of digital signatures. An extended concept, the convertible undeniable signature, proposed by Boyar, Chaum, Damgård and Pedersen in 1991, allows the signer to convert undeniable signatures into ordinary digital signatures. We present a new efficient convertible undeniable signature scheme based on bilinear maps. Its unforgeability is tightly related, in the random oracle model, to the computational Diffie-Hellman problem, and its anonymity to a non-standard decisional assumption. The advantages of our scheme are the short length of the signatures and the low computational cost of signature and receipt generation. Moreover, a variant of our scheme permits the signer to universally convert signatures pertaining only to a specific time period. We formalize this notion as time-selective conversion.
Universally Composable Undeniable Signature
Cited by 4 (1 self)
Abstract
How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence. We first define UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by [19]. We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes. We finally prove that UC-security against non-adaptive adversaries is equivalent to this definition of invisibility together with strong unforgeability in the $F_{ZK}$-hybrid model, where $F_{ZK}$ is the ideal ZK functionality. Our equivalence result implies that all the known provably secure undeniable signature schemes (including Chaum’s scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
Limited verifier signature from bilinear pairings, manuscript
2004
Cited by 2 (1 self)
Abstract
Motivated by the conflict between authenticity and privacy in digital signatures, the notion of limited verifier signature was introduced [1]. The signature can be verified by a limited verifier, who will try to preserve the privacy of the signer if the signer follows some specified rules. Also, the limited verifier can provide a proof to convince a judge that the signer has indeed generated the signature if he violated the predetermined rule. However, the judge cannot transfer this proof to convince any other party. Also, the limited verifier signature should be convertible into an ordinary one for public verification if required. In this paper, we first present a precise definition and clear security notions for (convertible) limited verifier signatures, and then propose two efficient (convertible) limited verifier signature schemes from bilinear pairings. Our schemes are proved to achieve the desired security notions in the random oracle model.
The Sampling Twice Technique for the RSA-based Cryptosystems with Anonymity
In Public Key Cryptography – PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography (Les Diablerets), 2005
Cited by 2 (2 self)
Abstract
We say that an encryption scheme or a signature scheme provides anonymity when it is infeasible to determine which user generated a ciphertext or a signature. To construct schemes with anonymity, it is necessary that the space of ciphertexts or signatures is common to each user. In this paper, we focus on the techniques which can be used to obtain this anonymity property, and propose a new technique for obtaining the anonymity property for RSA-based cryptosystems, which we call “sampling twice.” It generates the uniform distribution over $[0, 2^k)$ by sampling two elements from $\mathbb{Z}_N$ where $|N| = k$. Then, by applying the sampling twice technique, we construct schemes for encryption, undeniable and confirmer signatures, and ring signatures, which have some advantages over the previous schemes.
New Constructions of Convertible Undeniable Signature Schemes without Random Oracles
Cited by 1 (0 self)
Abstract
In undeniable signatures, a signature’s validity can only be confirmed or disavowed with the help of the alleged signer via a confirmation or disavowal protocol. A convertible undeniable signature further allows the signer to release some additional information which makes an undeniable signature publicly verifiable. In this work we introduce a new kind of attack, called the claimability attack, in which a dishonest/malicious signer both disavows a signature via the disavowal protocol and confirms it via selective conversion. Conventional security requirements do not capture claimability attacks. We show that some convertible undeniable signature schemes are vulnerable to this kind of attack. We then propose a new efficient construction of a fully functional convertible undeniable signature, which supports both selective conversion and universal conversion, and is immune to claimability attacks. To the best of our knowledge, it is the most efficient convertible undeniable signature scheme with provable security in the standard model. A signature is comprised of three elements of a bilinear group. Both the selective converter of a signature and the universal converter consist of one group element only. Besides, the confirmation and disavowal protocols are also very simple and
A Cautionary Note Regarding Cryptographic Protocols Based on Composite Integers
Abstract
These days it is rather common in cryptology to see ideas which originated in the setting of finite fields being extended to $\mathbb{Z}_N$. However, the security results do not necessarily generalise to $\mathbb{Z}_N$. In this paper we illustrate this phenomenon by pointing out a flaw in the soundness proof of a zero-knowledge protocol in a timed commitment scheme of Boneh and Naor.