Results 1-10 of 21
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
, 2002

Cited by 321 (13 self)
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message $M_i$ for $i = 1, \ldots, n$). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Multicast security: A taxonomy and some efficient constructions
, 1999

Cited by 247 (10 self)
Multicast communication is becoming the basis for a growing number of applications. It is therefore critical to provide sound security mechanisms for multicast communication. Yet, existing security protocols for multicast offer only partial solutions. We first present a taxonomy of multicast scenarios on the Internet and point out relevant security concerns. Next we address two major security problems of multicast communication: source authentication, and key revocation. Maintaining authenticity in multicast protocols is a much more complex problem than for unicast; in particular, known solutions are prohibitively inefficient in many cases. We present a solution that is reasonable for a range of scenarios. Our approach can be regarded as a 'midpoint' between traditional Message Authentication Codes and digital signatures. We also present an improved solution to the key revocation problem.
Collusion resistant broadcast encryption with short ciphertexts and private keys

Cited by 190 (19 self)
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O(√n) for any subset of receivers. We discuss several applications of these systems.
Building Intrusion Tolerant Applications
 In Proceedings of the 8th USENIX Security Symposium
, 1999

Cited by 68 (0 self)
The ITTC project (Intrusion Tolerance via Threshold Cryptography) provides tools and an infrastructure for building intrusion tolerant applications. Rather than prevent intrusions or detect them after the fact, the ITTC system ensures that the compromise of a few system components does not compromise sensitive security information. To do so we protect cryptographic keys by distributing them across a few servers. The keys are never reconstructed at a single location. Our designs are intended to simplify the integration of ITTC into existing applications. We give examples of embedding ITTC into the Apache web server and into a Certification Authority (CA). Performance measurements on both the modified web server and the modified CA show that the architecture works and performs well. 1 Introduction To combat intrusions into a networked system one often installs intrusion detection software to monitor system behavior. Whenever an "irregular" behavior is observed the software notifies an admi...
Strongly unforgeable signatures based on computational Diffie-Hellman
 In Public Key Cryptography
, 2006

Cited by 41 (1 self)
A signature system is said to be strongly unforgeable if the signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Strongly unforgeable signatures are used for constructing chosen-ciphertext secure systems and group signatures. Current efficient constructions in the standard model (i.e. without random oracles) depend on relatively strong assumptions such as Strong-RSA or Strong-Diffie-Hellman. We construct an efficient strongly unforgeable signature system based on the standard Computational Diffie-Hellman problem in bilinear groups.
Chosen ciphertext secure public key threshold encryption without random oracles
 in Proceedings of RSA-CT 2006
, 2006

Cited by 35 (6 self)
We present a non-interactive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure construction of Canetti, Halevi, and Katz.
Fine-Grained Control of Security Capabilities
 ACM Transactions on Internet Technology
, 2004

Cited by 19 (3 self)
We present a new approach for fine-grained control over users' security privileges (fast revocation of credentials) centered around the concept of an online semi-trusted mediator (SEM). The use of a SEM in conjunction with a simple threshold variant of the RSA cryptosystem (mediated RSA) offers a number of practical advantages over current revocation techniques. The benefits include simplified validation of digital signatures, efficient certificate revocation for legacy systems and fast revocation of signature and decryption capabilities. This paper discusses both the architecture and the implementation of our approach as well as its performance and compatibility with the existing infrastructure. Experimental results demonstrate its practical aspects.
Robust Key-Evolving Public Key Encryption Schemes. Available at http://eprint.iacr.org/2001/009
, 2001

Cited by 10 (0 self)
We propose a key-evolving paradigm to deal with the key exposure problem of public key encryption schemes. The key evolving paradigm is like the one used for forward-secure digital signature schemes. Let time be divided into time periods such that at time period j, the decryptor holds the secret key $SK_j$, while the public key PK is fixed during its lifetime. At time period j, a sender encrypts a message m as 〈j, c〉, which can be decrypted only with the private key $SK_j$. When the time makes a transit from period j to j + 1, the decryptor updates its private key from $SK_j$ to $SK_{j+1}$ and deletes $SK_j$ immediately. The key-evolving paradigm assures that compromise of the private key $SK_j$ does not jeopardize the message encrypted at the other time periods. We propose two key-evolving public key encryption schemes with z-resilience such that compromise of z private keys does not affect confidentiality of messages encrypted in other time periods. Assuming that the DDH problem is hard, we show one scheme semantically secure against passive adversaries and the other scheme semantically secure against the adaptive chosen ciphertext attack under the random oracle.
New Paradigms in Signature Schemes
, 2005

Cited by 9 (1 self)
Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higher-level protocols. Groups featuring a computable bilinear map are particularly well suited for signature-related primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinear-map–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the Boneh-Lynn-Shacham (BLS) short signature scheme. BLS signatures with 1024-bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.
Generating a Product of Three Primes with an Unknown Factorization
 Proc. 3rd Algorithmic Number Theory Symposium (ANTS-III)
, 1998

Cited by 6 (1 self)
We describe protocols for three or more parties to jointly generate a composite N = pqr which is the product of three primes. After our protocols terminate N is publicly known, but neither party knows the factorization of N. Our protocols require the design of a new type of distributed primality test for testing that a given number is a product of three primes. We explain the cryptographic motivation and origin of this problem.