Results 1  10
of
19
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
, 2002
"... An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verif ..."
Abstract

Cited by 237 (14 self)
 Add to MetaCart
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M i for i = 1; : : : ; n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M . Verifiably encrypted signatures are used in contractsigning protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Compact ecash
 In EUROCRYPT, volume 3494 of LNCS
, 2005
"... Abstract. This paper presents efficient offline anonymous ecash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the yDDHI assumptions, where the complexity of the withdrawal and s ..."
Abstract

Cited by 90 (18 self)
 Add to MetaCart
Abstract. This paper presents efficient offline anonymous ecash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the yDDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) andtheuser’s wallet can be stored using O(ℓ + k) bits,wherek is a security parameter. The best previously known schemes require at least one of these complexities to be O(2 ℓ · k). In fact, compared to previous ecash schemes, our whole wallet of 2 ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has doublespent. We then extend our scheme to our second result, the first ecash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2 ℓ coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k 2) bits, respectively, and wallets take O(ℓ · k) bitsofstorage. All our schemes are secure in the random oracle model.
How to win the clonewars: efficient periodic ntimes anonymous authentication
 In ACM Conference on Computer and Communications Security
, 2006
"... We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n etokens. She shows an etoken to a verifier to authenticate herself; each etoken can be used only once, however, the dispenser automatically refreshes ..."
Abstract

Cited by 55 (11 self)
 Add to MetaCart
We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n etokens. She shows an etoken to a verifier to authenticate herself; each etoken can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damg˚ard et al. [30], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damg˚ard et al. also only support one authentication per time period, while we support n. Because our construction is based on ecash, we can use existing techniques to identify a cheating user, trace all of her etokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse etokens. The verifier can always recognize a reused etoken; however, we preserve the anonymity of users who do not reuse etokens too often. 1
A verifiable random function with short proofs and keys
 PKC 2005, LNCS
, 2005
"... Abstract. We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14, 15], it avoids using an inefficient GoldreichLevin transformation, thereby saving several factors in security. Our ..."
Abstract

Cited by 51 (3 self)
 Add to MetaCart
Abstract. We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14, 15], it avoids using an inefficient GoldreichLevin transformation, thereby saving several factors in security. Our proofs of security are based on a decisional bilinear DiffieHellman inversion assumption, which seems reasonable given current state of knowledge. For small message spaces, our VRF’s proofs and keys have constant size. By utilizing a collisionresistant hash function, our VRF can also be used with arbitrary message spaces. We show that our scheme can be instantiated with an elliptic group of very reasonable size. Furthermore, it can be made distributed and proactive. 1
Zaps and Their Applications
 In 41st FOCS
, 2000
"... A zap is a tworound, witnessindistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "onceandforall" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, ..."
Abstract

Cited by 40 (8 self)
 Add to MetaCart
A zap is a tworound, witnessindistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "onceandforall" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, based on the existence of noninteractive zeroknowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string.
Breaking and repairing optimistic fair exchange from PODC 2003
 In ACM Workshop on Digital Rights Management (DRM
, 2003
"... ..."
Strongly unforgeable signatures based on computational diffiehellman
 In Public Key Cryptography
, 2006
"... Abstract. A signature system is said to be strongly unforgeable if the signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Strongly unforgeable signatures are used for constructing chosenciphertext secure systems and gro ..."
Abstract

Cited by 25 (0 self)
 Add to MetaCart
Abstract. A signature system is said to be strongly unforgeable if the signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Strongly unforgeable signatures are used for constructing chosenciphertext secure systems and group signatures. Current efficient constructions in the standard model (i.e. without random oracles) depend on relatively strong assumptions such as StrongRSA or StrongDiffieHellman. We construct an efficient strongly unforgeable signature system based on the standard Computational DiffieHellman problem in bilinear groups. 1
Efficient rational secret sharing in standard communication networks
 In TCC
, 2010
"... We propose a new methodology for rational secret sharing leading to various instantiations (in both the twoparty and multiparty settings) that are simple and efficient in terms of computation, share size, and round complexity. Our protocols do not require physical assumptions or simultaneous chann ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
We propose a new methodology for rational secret sharing leading to various instantiations (in both the twoparty and multiparty settings) that are simple and efficient in terms of computation, share size, and round complexity. Our protocols do not require physical assumptions or simultaneous channels, and can even be run over asynchronous, pointtopoint networks. We also propose new equilibrium notions (namely, computational versions of strict Nash equilibrium and stability with respect to trembles) and prove that our protocols satisfy them. These notions guarantee, roughly speaking, that at each point in the protocol there is a unique legal message a party can send. This, in turn, ensures that protocol messages cannot be used as subliminal channels, something achieved in prior work only by making strong assumptions on the communication network. 1
Simulatable VRFs with applications to multitheorem NIZK
 In CRYPTO, LNCS
, 2007
"... Abstract. This paper introduces simulatable verifiable random functions (sVRF). VRFs are similar to pseudorandom functions, except that they are also verifiable: corresponding to each seed SK, there is a public key PK, and for y = FPK(x), it is possible to prove that y is indeed the value of the fun ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
Abstract. This paper introduces simulatable verifiable random functions (sVRF). VRFs are similar to pseudorandom functions, except that they are also verifiable: corresponding to each seed SK, there is a public key PK, and for y = FPK(x), it is possible to prove that y is indeed the value of the function seeded by SK. A simulatable VRF is a VRF for which this proof can be simulated, so a simulator can pretend that the value of FPK(x) is any y. Our contributions are as follows. We introduce the notion of sVRF. We give two constructions: one from general assumptions (based on NIZK), but inefficient, just as a proof of concept; the other construction is practical and based on a special assumption about compositeorder groups with bilinear maps. We then use an sVRF to get a direct transformation from a singletheorem noninteractive zeroknowledge proof system for a language L to a multitheorem noninteractive proof system for the same language L. 1
Analysis of random oracle instantiation scenarios for OAEP and other practical schemes
 CRYPTO 2005, volume 3621 of LNCS
, 2005
"... www.fischlin.de ..."