Wireless Ad Hoc Networks, 2002
Cited by 871 (13 self)
A mobile ad hoc network is a relatively new term for an old technology: a network that does not rely on preexisting infrastructure. Roots of this technology can be traced back to the early 1970s with the DARPA PRNet and the SURAN projects. The new twitch is the application of this technology in non-military communication environments. Additionally, the research community has recently addressed some extended features of this technology, such as multicasting and security. Numerous new solutions to the "old" problems of routing and medium access control have also been proposed. This survey attempts to summarize the state of the art of ad hoc networking technology in four areas: routing, medium access control, multicasting, and security. Where possible, comparisons between the proposed protocols are also discussed.
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps, 2002
Cited by 250 (14 self)
An aggregate signature scheme is a digital signature that supports aggregation: given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M_i for i = 1, ..., n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as S-BGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Efficient generation of shared RSA keys. Advances in Cryptology, CRYPTO '97, 1997
Cited by 132 (5 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties knows the factorization of N. In addition, a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest-but-curious setting (passive adversary).
Robust Threshold DSS Signatures, 1996
Cited by 131 (12 self)
We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that, for a given parameter t < n/2, any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, they cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n/3 players who refuse to participate in the signature protocol. We can also endure n/4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability. Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted player...
Practical threshold RSA signatures without a trusted dealer, 2001
Cited by 53 (4 self)
We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup's and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates the keys. The robustness (but not the unforgeability) of our scheme depends on a new intractability assumption, in addition to the security of the underlying standard RSA scheme.
Fully distributed threshold RSA under standard assumptions. Advances in Cryptology — ASIACRYPT 2001, volume ??? of LNCS, 2001
Cited by 23 (3 self)
The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications: even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows the ability to sign to be shared among a set of players. This scheme can be used for decryption as well. However, Shoup's protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus, and this kind of RSA modulus cannot be easily generated in an efficient way with many players. Of course, it is still possible to call on theoretical results on multiparty computation, but we cannot hope to design efficient protocols that way. The only practical result for generating RSA moduli in a distributed manner is Boneh and Franklin's protocol, but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup's protocol requires. The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisiting Shoup's protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task, so the communication or time complexity is not overly important.
Threshold cryptosystems based on factoring. In Asiacrypt 2002, 2002
Cited by 4 (0 self)
We consider threshold cryptosystems over a composite modulus N where the factors of N are shared among the participants as the secret key. This is a new paradigm for threshold cryptosystems based on a composite modulus, differing from the typical treatment of RSA-based systems where a "decryption exponent" is shared among the participants. Our approach yields solutions to some open problems in threshold cryptography; in particular, we obtain the following:
1. Threshold Homomorphic Encryption. A number of applications (e.g., electronic voting or efficient multiparty computation) require threshold homomorphic encryption schemes. We present a protocol for threshold decryption of the homomorphic Goldwasser-Micali encryption scheme [34], answering an open question of [21].
2. Threshold Cryptosystems as Secure as Factoring. We describe a threshold version of a variant of the signature standards ISO 9796-2 and PKCS#1 v1.5 (cf. [39, Section 11.3.4]), thus giving the first threshold signature scheme whose security (in the random oracle model) is equivalent to the hardness of factoring [12]. Our techniques may be adapted to distribute the Rabin encryption scheme [44], whose semantic security may be reduced to the hardness of factoring.
3. Efficient Threshold Schemes without a Trusted Dealer. Because our schemes only require sharing of N (which furthermore need not be a product of strong primes), our schemes are very efficient (compared to previous schemes) when a trusted dealer is not assumed and key generation is done in a distributed manner. Extensions to achieve robustness and proactivation are also possible with our schemes.
(Work done while at Columbia University and Telcordia Technologies.)
A Threshold GQ Signature Scheme. In International Conference on Applied Cryptography and Network Security (ACNS), LNCS, 2003
Cited by 2 (0 self)
We propose the first threshold GQ signature scheme. The scheme is unforgeable and robust against any adaptive adversary if the base GQ signature scheme is unforgeable under the chosen-message attack and computing the discrete logarithm modulo a safe prime is hard. Our scheme achieves optimal resilience, that is, the adversary can corrupt up to half of the players. As an extension of our work, we propose a threshold forward-secure signature scheme, which is the threshold version of the most efficient forward-secure signature scheme to date.
Threshold cryptography secure against the adaptive adversary, concurrently, 2000
Cited by 1 (0 self)
A threshold cryptosystem or signature scheme is a system with n participants where an honest majority can successfully decrypt a message or issue a signature, but where the security and functionality properties of the system are retained even as the adversary corrupts up to t players. We present the novel technique of a committed proof, a new general tool that enables security of threshold cryptosystems in the presence of an adaptive adversary. We also put forward a new measure of security for threshold schemes secure in the adaptive adversary model: security under concurrent composition. Using committed proofs, we construct concurrently and adaptively secure threshold protocols for a variety of cryptographic applications. In particular, based on the recent scheme by Cramer-Shoup, we construct adaptively secure threshold cryptosystems secure against adaptive chosen-ciphertext attack under the DDH intractability assumption.