Results 1-10 of 22
Chameleon Hashing without Key Exposure
, 2004
Cited by 21 (5 self)
Chameleon signatures are based on the well-established hash-and-sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message, i.e., the designated recipient is capable of verifying the validity of the signature, but cannot disclose the contents of the signed information to convince any third party without the signer's consent.
Identity based undeniable signatures
 Topics in Cryptology - CT-RSA 2004, LNCS 2964
, 2004
Cited by 20 (2 self)
In this paper, we give a first example of identity based undeniable signature using pairings over elliptic curves. We extend to the identity based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003 and we prove that our scheme is existentially unforgeable under the Bilinear Diffie-Hellman assumption in the random oracle model. We also prove that it has the invisibility property under the Decisional Bilinear Diffie-Hellman assumption and we discuss the efficiency of the scheme.
Timed-Release Cryptography
 In Selected Areas in Cryptography VIII (SAC'01)
, 2001
Cited by 16 (0 self)
Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod{n}$ given $a$, $t$ with $\gcd(a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfill this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod{n}$ with respect to $a^e$ where $e$ is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message $M$ can be given as $a^{2^t} M \pmod{n}$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod{n}$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously. Keywords: Timed-release cryptography, Time-lock puzzles, Non-parallelisability, Efficient zero-knowledge protocols.
The security of the FDH variant of Chaum’s undeniable signature scheme. The full version of this paper. Available from the Cryptology ePrint Archive, http://www.iacr.org
Cited by 16 (4 self)
Abstract. In this paper, we first introduce a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes. Note that forgeability does not necessarily imply impersonation ability. We then classify the security of the FDH variant of Chaum’s undeniable signature scheme according to three dimensions, the goal of adversaries, the attacks and the ZK level of confirmation and disavowal protocols. We finally relate each security to some well-known computational problem. In particular, we prove that the security of the FDH variant of Chaum’s scheme with NIZK confirmation and disavowal protocols is equivalent to the CDH problem, as opposed to the GDH problem as claimed by Okamoto and Pointcheval.
3-Move Undeniable Signature Scheme
 In: Cramer [2005
, 2005
Cited by 13 (1 self)
Abstract. In undeniable signature schemes, zero-knowledgeness and non-transferability have been identified so far. In this paper, by separating these two notions, we show the first 3-move confirmation and disavowal protocols for Chaum’s undeniable signature scheme which is secure against active and concurrent attacks. Our main observation is that while the signer has one public key and one secret key, there exist two witnesses in the confirmation and disavowal proofs of Chaum’s scheme.
New Approach for Selectively Convertible Undeniable Signature Schemes
 In: Lai & Chen [2006
, 2006
Cited by 7 (4 self)
Abstract. In this paper, we propose a new approach for constructing selectively convertible undeniable signature schemes, and present two efficient schemes based on RSA. Our approach allows a more direct selective conversion than the previous schemes, and the security can be proved formally. Further, our disavowal protocols do not require parallelization techniques to reach a significant soundness probability. Also, our second scheme is the first selectively convertible scheme which is provably secure without random oracles.
Universally Composable Undeniable Signature
Cited by 5 (2 self)
Abstract. How to define the security of undeniable signature schemes is a challenging task. This paper presents two security definitions of undeniable signature schemes which are more useful or natural than the existing definition. It then proves their equivalence. We first define the UC-security, where UC means universal composability. We next show that there exists a UC-secure undeniable signature scheme which does not satisfy the standard definition of security that has been believed to be adequate so far. More precisely, it does not satisfy the invisibility defined by [19]. We then show a more adequate definition of invisibility which captures a wider class of (naturally secure) undeniable signature schemes. We finally prove that the UC-security against non-adaptive adversaries is equivalent to this definition of invisibility and the strong unforgeability in FZK-hybrid model, where FZK is the ideal ZK functionality. Our result of equivalence implies that all the known proven secure undeniable signature schemes (including Chaum’s scheme) are UC-secure if the confirmation/disavowal protocols are both UC zero-knowledge.
Time-Selective Convertible Undeniable Signatures
 Proc. of CT-RSA'05, Springer LNCS
, 2005
Cited by 5 (2 self)
Undeniable signatures were introduced in 1989 by Chaum and van Antwerpen to limit the self-authenticating property of digital signatures. An extended concept, the convertible undeniable signatures, proposed by Boyar, Chaum, Damgard and Pedersen in 1991, allows the signer to convert undeniable signatures to ordinary digital signatures. We present a new efficient convertible undeniable signature scheme based on bilinear maps. Its unforgeability is tightly related, in the random oracle model, to the computational Diffie-Hellman problem and its anonymity to a non-standard decisional assumption. The advantages of our scheme are the short length of the signatures, the low computational cost of the signature and the receipt generation. Moreover, a variant of our scheme permits the signer to universally convert signatures pertaining only to a specific time period. We formalize this notion as the time-selective conversion.
Key-exposure free chameleon hashing and signatures based on discrete logarithm systems, available at: http://eprint.iacr.org/2009/035
Cited by 4 (2 self)
Abstract. Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message. However, the initial constructions of chameleon signatures suffer from the problem of key exposure. This creates a strong disincentive for the recipient to forge signatures, partially undermining the concept of non-transferability. Recently, some specific constructions of discrete logarithm based chameleon hashing and signatures without key exposure are presented, while in the setting of gap Diffie-Hellman groups with pairings. In this paper, we propose the first key-exposure free chameleon hash and signature scheme based on discrete logarithm systems, without using the gap Diffie-Hellman groups. This provides more flexible constructions of efficient key-exposure free chameleon hash and signature schemes. Moreover, one distinguishing advantage of the resulting chameleon signature scheme is that the property of “message hiding” or “message recovery” can be achieved freely by the signer, i.e., the signer can efficiently prove which message was the original one if he desires. Key words: Chameleon hashing, Gap Diffie-Hellman group, Key exposure.
Identity-Based Chameleon Hash Scheme Without Key Exposure
Cited by 3 (0 self)
Abstract. In this paper, we propose the first identity-based chameleon hash scheme without key exposure, which gives a positive answer for the open problem introduced by Ateniese and de Medeiros in 2004. Key words: Chameleon hashing, Identity-based system, Key exposure.