Results 1-10 of 15
Better than BiBa: Short One-time Signatures with Fast Signing and Verifying
In Seventh Australasian Conference on Information Security and Privacy (ACISP 2002), 2002
Cited by 47 (0 self)
One-time signature schemes have found numerous applications: in ordinary, online/offline, and forward-secure signatures. More recently, they have been used in multicast and broadcast authentication. We propose a one-time signature scheme with very efficient signing and verifying, and short signatures. Our scheme is well-suited for broadcast authentication, and, in fact, can be viewed as an improvement of the BiBa one-time signature (proposed by Perrig in CCS 2001 for broadcast authentication).
An Efficient Existentially Unforgeable Signature Scheme and its Applications
Journal of Cryptology, 1994
Cited by 45 (5 self)
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$, where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto '94. † IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32000321. Email: dwork@almaden.ibm.com. ‡ Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...
New Generation of Secure and Practical RSA-based Signatures
1996
Cited by 36 (1 self)
For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash-functions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
On the Efficiency of One-time Digital Signatures
1996
Cited by 25 (0 self)
Digital signature schemes based on a general one-way function without trapdoor offer two potential advantages over digital signature schemes based on trapdoor one-way functions such as the RSA system: higher efficiency and much more freedom in choosing a cryptographic function to base the security on. Such a scheme is characterized by a directed acyclic computation graph and an antichain in a certain partially ordered set defined by the graph. Several results on the achievable efficiency of such schemes are proved, where the efficiency of a scheme is defined as the ratio of the size of messages that can be signed and the number of one-way function evaluations needed for setting up the system. For instance, the maximal achievable efficiency for trees is shown to be equal to a constant $\gamma \approx 0.4161426$ and a family of general graphs with substantially greater efficiency 0.476 is demonstrated. This construction appears to be close to optimal.
Secure Signature Schemes Based on Interactive Protocols
In Advances in Cryptology: CRYPTO ’95, 1994
Cited by 24 (3 self)
A method is proposed for constructing from interactive protocols digital signature schemes secure against adaptively chosen message attacks. Our main result is that practical secure signature schemes can now also be based on computationally difficult problems other than factoring (see [9]), such as the discrete logarithm problem. More precisely,
Optimal Tree-based One-time Digital Signature Schemes
In STACS ’96: Proceedings of the 13th Annual Symposium on Theoretical Aspects of Computer Science, 1996
Cited by 19 (1 self)
A minimal cutset of a tree directed from the leaves to the root is a minimal set of vertices such that every path from a leaf to the root meets at least one of these vertices. An order relation on the set of minimal cutsets can be defined: $U \le V$ if and only if every vertex of $U$ is on the path from some vertex in $V$ to the root. Motivated by the design of efficient cryptographic digital signature schemes, the problem of constructing trees with a large number of pairwise incomparable minimal cutsets or, equivalently, with a large antichain in the poset of minimal cutsets, is considered. Keywords. Cryptography, digital signature schemes, trees, partially ordered sets. 1 Introduction. We consider trees directed from the leaves to the root where every vertex has at most two predecessors. In this paper, a cutset of such a tree $T$ is defined as a set of vertices which contains at least one vertex of every path from a leaf to the root. A cutset is minimal when it contains exactly one vertex of...
Asymptotically efficient lattice-based digital signatures
In Fifth Theory of Cryptography Conference (TCC), 2008
Cited by 17 (8 self)
We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worst-case hardness of approximating the shortest vector in such lattices within a polynomial factor, and it is also asymptotically efficient: the time complexity of the signing and verification algorithms, as well as key and signature size is almost linear (up to polylogarithmic factors) in the dimension n of the underlying lattice. Since no subexponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to cyclic lattices, our construction gives a digital signature scheme with an essentially optimal performance/security tradeoff.
On the Performance, Feasibility, and Use of Forward-Secure Signatures
In CCS ’03: Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003
Cited by 11 (3 self)
Forward-secure signatures (FSSs) have recently received much attention from the cryptographic theory community as a potentially realistic way to mitigate many of the difficulties digital signatures face with key exposure. However, no previous works have explored the practical performance of these proposed constructions in real-world applications, nor have they compared FSS to traditional, non-forward secure, signatures in a non-asymptotic way.
The provable security of graph-based one-time signatures and extensions to algebraic signature schemes
Advances in Cryptology – ASIACRYPT 2002, 2002
Cited by 11 (1 self)
Essentially all known one-time signature schemes can be described as special instances of a general scheme suggested by Bleichenbacher and Maurer based on “graphs of one-way functions”. Bleichenbacher and Maurer thoroughly analyze graph based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security of their generic construction, and they leave open the problem of determining under what assumption security can be formally proved. In this paper we analyze graph based signatures from a security point of view and give sufficient conditions that allow to prove the security of the signature scheme in the standard complexity model (no random oracles). The techniques used to prove the security of graph based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.
Sorting Out Signature Schemes
In Proc. 1st ACM Conference on Computer and Communications Security, 1995
Cited by 9 (3 self)
This paper presents an overview of a general definition of digital signature