Better than BiBa: Short One-time Signatures with Fast Signing and Verifying
 In Seventh Australasian Conference on Information Security and Privacy (ACISP 2002)
, 2002
Cited by 65 (0 self)
One-time signature schemes have found numerous applications: in ordinary, on-line/off-line, and forward-secure signatures. More recently, they have been used in multicast and broadcast authentication. We propose a one-time signature scheme with very efficient signing and verifying, and short signatures. Our scheme is well-suited for broadcast authentication, and, in fact, can be viewed as an improvement of the BiBa one-time signature (proposed by Perrig in CCS 2001 for broadcast authentication).
An Efficient Existentially Unforgeable Signature Scheme and its Applications
 Journal of Cryptology
, 1994
Cited by 51 (5 self)
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$, where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto'94. † IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32000321. Email: dwork@almaden.ibm.com. ‡ Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...
New Generation of Secure and Practical RSA-based Signatures
, 1996
Cited by 40 (1 self)
For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash-functions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
On the Efficiency of One-time Digital Signatures
, 1996
Cited by 29 (0 self)
Digital signature schemes based on a general one-way function without trapdoor offer two potential advantages over digital signature schemes based on trapdoor one-way functions such as the RSA system: higher efficiency and much more freedom in choosing a cryptographic function to base the security on. Such a scheme is characterized by a directed acyclic computation graph and an antichain in a certain partially ordered set defined by the graph. Several results on the achievable efficiency of such schemes are proved, where the efficiency of a scheme is defined as the ratio of the size of messages that can be signed and the number of one-way function evaluations needed for setting up the system. For instance, the maximal achievable efficiency for trees is shown to be equal to a constant $\gamma \approx 0.4161426$ and a family of general graphs with substantially greater efficiency 0.476 is demonstrated. This construction appears to be close to optimal.
Secure Signature Schemes Based on Interactive Protocols
 IN ADVANCES IN CRYPTOLOGY: CRYPTO ’95
, 1994
Cited by 28 (3 self)
A method is proposed for constructing from interactive protocols digital signature schemes secure against adaptively chosen message attacks. Our main result is that practical secure signature schemes can now also be based on computationally difficult problems other than factoring (see [9]), such as the discrete logarithm problem. More precisely,
Asymptotically efficient lattice-based digital signatures
 IN FIFTH THEORY OF CRYPTOGRAPHY CONFERENCE (TCC)
, 2008
Cited by 28 (9 self)
We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worst-case hardness of approximating the shortest vector in such lattices within a polynomial factor, and it is also asymptotically efficient: the time complexity of the signing and verification algorithms, as well as key and signature size is almost linear (up to polylogarithmic factors) in the dimension n of the underlying lattice. Since no subexponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to cyclic lattices, our construction gives a digital signature scheme with an essentially optimal performance/security tradeoff.
Time valid one-time signature for time-critical multicast data authentication
 in INFOCOM 2009, IEEE
, 2009
Cited by 21 (1 self)
It is challenging to provide authentication to time-critical multicast data, where low end-to-end delay is of crucial importance. Consequently, it requires not only efficient authentication algorithms to minimize computational cost, but also avoidance of buffering packets so that the data can be immediately processed once being presented. Desirable properties for a multicast authentication scheme also include small communication overhead, tolerance to packet loss, and resistance against malicious attacks. In this paper, we propose a novel signature model – Time Valid One-Time Signature (TV-OTS) – to boost the efficiency of regular one-time signature schemes. Based on the TV-OTS model, we design an efficient multicast authentication scheme “TV-HORS” to meet the above needs. TV-HORS combines one-way hash chains with TV-OTS to avoid frequent public key distribution. It provides fast signing/verification and buffering-free data processing, which make it one of the fastest multicast authentication schemes to date in terms of end-to-end computational latency (on the order of microseconds). In addition, TV-HORS has perfect tolerance to packet loss and strong robustness against malicious attacks. The communication overhead of TV-HORS is much smaller than regular OTS schemes, and even smaller than RSA signature. The only drawback of TV-HORS is a relatively large public key of size 8KB to 10KB, depending on parameters.
Optimal Tree-based One-time Digital Signature Schemes
 In STACS ’96: Proceedings of the 13th Annual Symposium on Theoretical Aspects of Computer Science
, 1996
Cited by 21 (1 self)
A minimal cutset of a tree directed from the leaves to the root is a minimal set of vertices such that every path from a leaf to the root meets at least one of these vertices. An order relation on the set of minimal cutsets can be defined: $U \le V$ if and only if every vertex of U is on the path from some vertex in V to the root. Motivated by the design of efficient cryptographic digital signature schemes, the problem of constructing trees with a large number of pairwise incomparable minimal cutsets or, equivalently, with a large antichain in the poset of minimal cutsets, is considered. Keywords. Cryptography, digital signature schemes, trees, partially ordered sets. 1 Introduction. We consider trees directed from the leaves to the root where every vertex has at most two predecessors. In this paper, a cutset of such a tree T is defined as a set of vertices which contains at least one vertex of every path from a leaf to the root. A cutset is minimal when it contains exactly one vertex of...
Multicast Authentication in Smart Grid With One-Time Signature
Cited by 17 (1 self)
Multicast has been envisioned to be useful in many Smart Grid applications such as demand-response, wide area protection, in-substation protection, and various operation and control. Since the multicast messages are related to critical control, authentication is necessary to prevent message forgery attacks. In this paper, we first identify the requirements of multicast communication and multicast authentication in Smart Grid. Based on these requirements, we find that one-time signature based multicast authentication is a promising solution, due to its short authentication delay and low computation cost. However, existing one-time signatures are not designed for Smart Grid, and they may have high storage and bandwidth overhead. To address this problem, we propose a new one-time signature scheme which can reduce the storage cost by a factor of 8 and reduce the signature size by 40% compared with existing schemes. Thus, our scheme is more appropriate for Smart Grid applications where the receivers have limited storage (e.g., home appliances and field devices) or where data communication is frequent and short (e.g., phasor data). These gains are at the cost of increased computations in signature generation and/or verification, and fortunately our scheme can flexibly allocate the computations between the sender and receiver based on their computing resources. We formulate the computation allocation as a nonlinear integer programming problem to minimize the signing cost under a certain verification cost, and propose a heuristic solution to solve it.
On the Performance, Feasibility, and Use of Forward-Secure Signatures
 In CCS ’03: Proceedings of the 10th ACM Conference on Computer and Communications security
, 2003
Cited by 14 (4 self)
Forward-secure signatures (FSSs) have recently received much attention from the cryptographic theory community as a potentially realistic way to mitigate many of the difficulties digital signatures face with key exposure. However, no previous works have explored the practical performance of these proposed constructions in real-world applications, nor have they compared FSS to traditional, non-forward secure, signatures in a non-asymptotic way.