Results 1  10
of
10
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
, 2002
"... An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verif ..."
Abstract

Cited by 240 (14 self)
 Add to MetaCart
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M i for i = 1; : : : ; n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M . Verifiably encrypted signatures are used in contractsigning protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Efficient generation of shared RSA keys
 Advances in Cryptology  CRYPTO 97
, 1997
"... We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the ..."
Abstract

Cited by 127 (5 self)
 Add to MetaCart
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
Robust Threshold DSS Signatures
, 1996
"... . We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forg ..."
Abstract

Cited by 125 (12 self)
 Add to MetaCart
. We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n=3 players who refuse to participate in the signature protocol. We can also endure n=4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability. Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted player...
Practical threshold RSA signatures without a trusted dealer
, 2001
"... Abstract. We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup’s and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates ..."
Abstract

Cited by 52 (4 self)
 Add to MetaCart
Abstract. We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup’s and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates the keys. The robustness (but not the unforgeability) of our scheme depends on a new intractability assumption, in addition to security of the underlying standard RSA scheme. 1
Threshold cryptosystems based on factoring
 In Asiacrypt 2002
, 2002
"... 3 Work done while at Columbia University and Telcordia Technologies Abstract. We consider threshold cryptosystems over a composite modulus N where the factors of N are shared among the participants as the secret key. This is a new paradigm for threshold cryptosystems based on a composite modulus, di ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
3 Work done while at Columbia University and Telcordia Technologies Abstract. We consider threshold cryptosystems over a composite modulus N where the factors of N are shared among the participants as the secret key. This is a new paradigm for threshold cryptosystems based on a composite modulus, differing from the typical treatment of RSAbased systems where a “decryption exponent ” is shared among the participants. Our approach yields solutions to some open problems in threshold cryptography; in particular, we obtain the following: 1. Threshold Homomorphic Encryption. A number of applications (e.g., electronic voting or efficient multiparty computation) require threshold homomorphic encryption schemes. We present a protocol for threshold decryption of the homomorphic GoldwasserMicali encryption scheme [34], answering an open question of [21]. 2. Threshold Cryptosystems as Secure as Factoring. We describe a threshold version of a variant of the signature standards ISO 97962 and PKCS#1 v1.5 (cf. [39, Section 11.3.4]), thus giving the first threshold signature scheme whose security (in the random oracle model) is equivalent to the hardness of factoring [12]. Our techniques may be adapted to distribute the Rabin encryption scheme [44] whose semantic security may be reduced to the hardness of factoring. 3. Efficient Threshold Schemes without a Trusted Dealer. Because our schemes only require sharing of N – which furthermore need not be a product of strong primes – our schemes are very efficient (compared to previous schemes) when a trusted dealer is not assumed and key generation is done in a distributed manner. Extensions to achieve robustness and proactivation are also possible with our schemes. 1
A Threshold GQ Signature Scheme
 In International Conference on Applied Cryptography and Network Security (ACNS), LNCS
, 2003
"... We proposed the first threshold GQ signature scheme. The scheme is unforgeable and robust against any adaptive adversary if the base GQ signature scheme is unforgeable under the chosen message attack and computing the discrete logarithm modulo a safe prime is hard. Our scheme achieve optimal res ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We proposed the first threshold GQ signature scheme. The scheme is unforgeable and robust against any adaptive adversary if the base GQ signature scheme is unforgeable under the chosen message attack and computing the discrete logarithm modulo a safe prime is hard. Our scheme achieve optimal resilience, that is, the adversary can corrupt up to a half of the players. As an extension of our work, we proposed a threshold forwardsecure signature scheme, which is the threshold version of the most e#cient forwardsecure signature scheme up to now.
Threshold cryptography secure against the adaptive adversary, concurrently
, 2000
"... A threshold cryptosystem or signature scheme is a system with n participants where an honest majority can successfully decrypt a message or issue a signature, but where the security and functionality properties of the system are retained even as the adversary corrupts up to t players. We present the ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
A threshold cryptosystem or signature scheme is a system with n participants where an honest majority can successfully decrypt a message or issue a signature, but where the security and functionality properties of the system are retained even as the adversary corrupts up to t players. We present the novel technique of a committed proof, which is a new general tool that enables security of threshold cryptosystems in the presence of the adaptive adversary. We also put forward a new measure of security for threshold schemes secure in the adaptive adversary model: security under concurrent composition. Using committed proofs, we construct concurrently and adaptively secure threshold protocols for a variety of cryptographic applications. In particular, based on the recent scheme by CramerShoup, we construct adaptively secure threshold cryptosystems secure against adaptive chosen ciphertext attack under the DDH intractability assumption.
H '8.a Rsa 53
"... vt2g6r%3.H RSA !y_k_5@ $;\vvmH'JdK. D )g U vH n r,R U i (i = 1; 2; ; n) Y t syoE B Gp$ f1; 2; ; ng H6r$Y x 2R X G:$ X v[ PYM)"6rPW x D; RSA %c1j< [GJKR96b] *[t2H RSA y_HR c} K<\vHD; 2 Gennaro 9 RSA 64FMCI Gennaro K\ [GJKR96b] ve2gdr>H. ('V/v) Hy RSA %c H ..."
Abstract
 Add to MetaCart
vt2g6r%3.H RSA !y_k_5@ $;\vvmH'JdK. D )g U vH n r,R U i (i = 1; 2; ; n) Y t syoE B Gp$ f1; 2; ; ng H6r$Y x 2R X G:$ X v[ PYM)"6rPW x D; RSA %c1j< [GJKR96b] *[t2H RSA y_HR c} K<\vHD; 2 Gennaro 9 RSA 64FMCI Gennaro K\ [GJKR96b] ve2gdr>H. ('V/v) Hy RSA %c H1j<DF<H%cV94(2\ArD; Gennaro KH=F1j <\k<vj<%cJyQH2%c (sampling partial signature) >\(Q%cHi($ 53Mt2f6<HR $$B m hgUe[ (11) . D )" RSA S }VpSV (e; d) <pS d c\s (d 1 ; d 2 ; ; dn (12) . D )"62 w *X2s2%c w i = w mod N (13) . D d i }c\t,R U i Y< N; e; w; w i yQ W RZ`_VSd\lq (21) ,R U i O+>V m H%cBr&*X S i = m < (22) 1jd V O4* U i H%c m i Kei(B U i n#9< (1) V )" a; b 2R [1; N ] *X2 R = m w mod N < R \Vt U i (2) U i LC R *X2 R = R mod N < R \Vt (3) V LC R uNFKe,b\U m i Kes U i m%c R S i w i mod N: (1) + 1. (lqjnVPak)[GJ
Securing Ad Hoc Networks
, 1999
"... Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. The military tactical and other securitysensitive operati ..."
Abstract
 Add to MetaCart
Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. The military tactical and other securitysensitive operations are still the main applications of ad hoc networks, although there is a trend to adopt ad hoc networks for commercial uses due to their unique properties. One main challenge in design of these networks is their vulnerability to security attacks. In this paper, we study the threats an ad hoc network faces and the security goals to be achieved. We identify the new challenges and opportunities posed by this new networking environment and explore new approaches to secure its communication. In particular, we take advantage of the inherent redundancy in ad hoc networks  multiple routes between nodes  to defend routing against denial of service attacks. We also use replication and new cryptographic schemes, such as threshold cryptography, to build a highly secure and highly available key management service, which forms the core of our security framework.
How to Prove That a Committed Number is Prime
, 2000
"... The problem of proving a number is of an arithmetic format of which some elements are prime, is raised in RSA undeniable signature, group signature and many other cryptographic protocols. So far, there have been several studies in literature on this topic. However, except the scheme of Camenisch and ..."
Abstract
 Add to MetaCart
The problem of proving a number is of an arithmetic format of which some elements are prime, is raised in RSA undeniable signature, group signature and many other cryptographic protocols. So far, there have been several studies in literature on this topic. However, except the scheme of Camenisch and Michels, other works are only limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels's scheme, the main building block is a protocol to prove a committed number to be prime. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more ecient than Camenisch and Michels's protocol, where t is the security parameter. This results in O(t) time improvement for the overall scheme.