Results 1  10
of
27
The exact security of digital signatures: How to sign with RSA and Rabin
, 1996
"... We describe an RSAbased signing scheme called PSS which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. ..."
Abstract

Cited by 328 (14 self)
 Add to MetaCart
We describe an RSAbased signing scheme called PSS which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a tight way — an ability to forge signatures with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with about the same computational effort. Furthermore, we provide a second scheme which maintains all of the above features and in addition provides message recovery. These ideas extend to provide schemes for Rabin signatures with analogous properties; in particular their security can be tightly related to the hardness of factoring.
PROACTIVE SECRET SHARING Or: How to Cope With Perpetual Leakage
, 1998
"... Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For ..."
Abstract

Cited by 183 (12 self)
 Add to MetaCart
Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For longlived and sensitive secrets this protection may be insufficient. We propose an efficient proactive secret sharing scheme, where shares are periodically renewed (without changing the secret) in such a way that information gained by the adversary in one time period is useless for attacking the secret after the shares are renewed. Hence, the adversary willing to learn the secret needs to break to all k locations during the same time period (e.g., one day, a week, etc.). Furthermore, in order to guarantee the availability and integrity of the secret, we provide mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct...
Digital Signatures for Flows and Multicasts
, 1998
"... We present chaining techniques for signing/verifying multiple packets using a single signing/verification operation. We then present flow signing and verification procedures based upon a tree chaining technique. Since a single signing/verification operation is amortized over many packets, these proc ..."
Abstract

Cited by 138 (2 self)
 Add to MetaCart
We present chaining techniques for signing/verifying multiple packets using a single signing/verification operation. We then present flow signing and verification procedures based upon a tree chaining technique. Since a single signing/verification operation is amortized over many packets, these procedures improve signing and verification rates by one to two orders of magnitude compared to the approach of signing/verifying packets individually. Our procedures do not depend upon reliable delivery of packets, provide delaybounded signing, and are thus suitable for delaysensitive flows and multicast applications. To further improve our procedures, we propose several extensions to the FeigeFiatShamir digital signature scheme to substantially speed up both the signing and verification operations, as well as to allow "adjustable and incremental" verification. The extended scheme, called eFFS, is compared to four other digital signature schemes (RSA, DSA, ElGamal, Rabin). We compare their ...
Proactive Public Key and Signature Systems
, 1996
"... Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for worldwide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of p ..."
Abstract

Cited by 85 (18 self)
 Add to MetaCart
Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for worldwide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in the cases where a single and unchanged private key must be kept secret for very long time (such is the case of certification authority keys, bank and ecash keys, etc.). One crucial defense against exposure of private keys is offered by threshold cryptography where the private key functions (like signatures or decryption) are distributed among several parties such that a predetermined number of parties must cooperate in order to correctly perform these operations. This protects keys from any single point of failure. An attacker needs to break into a multiplicity of locations before it ca...
An Efficient Existentially Unforgeable Signature Scheme and its Applications
 Journal of Cryptology
, 1994
"... A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs (m 1 ; S(m 1 )); (m 2 ; S(m 2 )); : : : (m k ; S(m k )) where S(m) denotes the signature on the message m, it is computationally infeasible to generate a pair (m k+1 ; S(m k+1 )) fo ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs (m 1 ; S(m 1 )); (m 2 ; S(m 2 )); : : : (m k ; S(m k )) where S(m) denotes the signature on the message m, it is computationally infeasible to generate a pair (m k+1 ; S(m k+1 )) for any message m k+1 = 2 fm 1 ; : : : m k g. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto'94 y IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32000321. Email: dwork@almaden.ibm.com. z Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...
Parallel Algorithms for Integer Factorisation
"... The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the RivestShamirAdelman (RSA) system, depends o ..."
Abstract

Cited by 41 (17 self)
 Add to MetaCart
The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the RivestShamirAdelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiplepolynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617decimal digit Fermat number F11 = 2211 + 1 which was accomplished using ECM.
Reducing the Cost of Security in LinkState Routing
, 1997
"... Security in link state routing protocols is a feature that is both desirable and costly. This paper examines the cost of security and presents two techniques for efficient and secure processing of link state updates. The first technique is geared towards a relatively stable internetwork environment ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
Security in link state routing protocols is a feature that is both desirable and costly. This paper examines the cost of security and presents two techniques for efficient and secure processing of link state updates. The first technique is geared towards a relatively stable internetwork environment while the second is designed with a more volatile environment in mind. 1 Introduction It is hardly necessary to motivate the need for security in a large, distributed internetwork environment. Since routing is a critical internetwork function, security of routing protocols is of the utmost importance. This has been widely recognized by the designers of many existing routing protocols. Sound security, however, often comes at a high price. Naturally, it is desirable to minimize the associated costs. This paper concentrates on reducing the costs of security in link state routing protocols. We begin with a brief discussion of current security methods (Section 2) and an overview of the general s...
Traitor Tracing with Constant Transmission Rate
, 2002
"... Abstract. An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users’ keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor T ..."
Abstract

Cited by 28 (3 self)
 Add to MetaCart
Abstract. An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users’ keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two publickey traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of “copyrighted function ” which was presented by Naccache, Shamir and Stern. We first solve the open problem of discretelogbased and publickeybased “copyrighted function.” Then, we observe the simple yet crucial relation between (publickey) copyrighted encryption and (publickey) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant
The Exact Security of an Identity Based Signature and its Applications
, 2004
"... This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the SakaiOgishiKasahara IBS that was recently proven secure by Bellare, ..."
Abstract

Cited by 23 (0 self)
 Add to MetaCart
This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the SakaiOgishiKasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that their modified SOKIBS scheme can be viewed as a onelevel instantiation of Gentry and Silverberg's alternative hierarchical IBS the exact security of which was never considered before. We also show that this signature is as secure as the onemore DiffieHellman problem. As an application, we propose a modification of Boyen's "Swiss Army Knife" identity based signature encryption (IBSE) that presents better security reductions and satisfies the same strong security requirements with a similar efficiency.
A Universally Composable MixNet
, 2004
"... A mixnet is a cryptographic protocol executed by a set of mixservers that provides anonymity for a group of senders. The main application is electronic voting. ..."
Abstract

Cited by 17 (3 self)
 Add to MetaCart
A mixnet is a cryptographic protocol executed by a set of mixservers that provides anonymity for a group of senders. The main application is electronic voting.