An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M i for i = 1; : : : ; n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M . Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.

Abstract—Multicast communication is becoming the basis for a growing number of applications. It is therefore critical to provide sound security mechanisms for multicast communication. Yet, existing security protocols for multicast offer only partial solutions. We first present a taxonomy of multicast scenarios on the Internet and point out relevant security concerns. Next we address two major security problems of multicast communication: source authentication, and key revocation. Maintaining authenticity in multicast protocols is a much more complex problem than for unicast; in particular, known solutions are prohibitively inefficient in many cases. We present a solution that is reasonable for a range of scenarios. Our approach can be regarded as a ‘midpoint ’ between traditional Message Authentication Codes and digital signatures. We also present an improved solution to the key revocation problem. I.

Abstract. We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O ( √ n) for any subset of receivers. We discuss several applications of these systems. 1

The ITTC project (Intrusion Tolerance via Threshold Cryptography) provides tools and an infrastructure for building intrusion tolerant applications. Rather than prevent intrusions or detect them after the fact, the ITTC system ensures that the compromise of a few system components does not compromise sensitive security information. To do so we protect cryptographic keys by distributing them across a few servers. The keys are never reconstructed at a single location. Our designs are intended to simplify the integration of ITTC into existing applications. We give examples of embedding ITTC into the Apache web server and into a Certication Authority (CA). Performance measurements on both the modied web server and the modied CA show that the architecture works and performs well. 1 Introduction To combat intrusions into a networked system one often installs intrusion detection software to monitor system behavior. Whenever an \irregular" behavior is observed the software noties an admi...

Abstract. A signature system is said to be strongly unforgeable if the signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Strongly unforgeable signatures are used for constructing chosen-ciphertext secure systems and group signatures. Current efficient constructions in the standard model (i.e. without random oracles) depend on relatively strong assumptions such as Strong-RSA or Strong-Diffie-Hellman. We construct an efficient strongly unforgeable signature system based on the standard Computational Diffie-Hellman problem in bilinear groups. 1

Abstract. We present a non-interactive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure construction of Canetti, Halevi, and Katz.

We present a new approach for fine-grained control over users ’ security privileges (fast revocation of credentials) centered around the concept of an on-line semi-trusted mediator (SEM). The use of a SEM in conjunction with a simple threshold variant of the RSA cryptosystem (mediated RSA) offers a number of practical advantages over current revocation techniques. The benefits include simplified validation of digital signatures, efficient certificate revocation for legacy systems and fast revocation of signature and decryption capabilities. This paper discusses both the architecture and the implementation of our approach as well as its performance and compatibility with the existing infrastructure. Experimental results demonstrate its practical aspects.

We propose a key-evolving paradigm to deal with the key exposure problem of public key encryption schemes. The key evolving paradigm is like the one used for forward-secure digital signature schemes. Let time be divided into time periods such that at time period j, the decryptor holds the secret key SKj, while the public key PK is fixed during its lifetime. At time period j, a sender encrypts a message m as 〈j, c〉, which can be decrypted only with the private key SKj. When the time makes a transit from period j to j + 1, the decryptor updates its private key from SKj to SKj+1 and deletes SKj immediately. The key-evolving paradigm assures that compromise of the private key SKj does not jeopardize the message encrypted at the other time periods. We propose two key-evolving public key encryption schemes with z-resilience such that compromise of z private keys does not affect confidentiality of messages encrypted in other time periods. Assuming that the DDH problem is hard, we show one scheme semantically secure against passive adversaries and the other scheme semantically secure against the adaptive chosen ciphertext attack under the random oracle.

Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higher-level protocols. Groups featuring a computable bilinear map are particularly well suited for signature-related primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinear-map–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the Boneh-Lynn-Shacham (BLS) short signature scheme. BLS signatures with 1024-bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.

We describe protocols for three or more parties to jointly generate a composite N = pqr which is the product of three primes. After our protocols terminate N is publicly known, but neither party knows the factorization of N . Our protocols require the design of a new type of distributed primality test for testing that a given number is a product of three primes. We explain the cryptographic motivation and origin of this problem.