Universal One-Way Hash Functions and their Cryptographic Applications, 1989
Cited by 340 (15 self)
We define a Universal One-Way Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal one-way hash functions exist if any 1-1 one-way functions exist. Among the various applications of the primitive is a One-Way based Secure Digital Signature Scheme which is existentially secure against adaptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor one-way functions exist. Key words: cryptography, randomized algorithms. AMS subject classifications: 68M10, 68Q20, 68Q22, 68R05, 68R10. Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR88 13632. A preliminary version of this work app...
Practical secrecy-preserving, verifiably correct and trustworthy auctions
In ICEC '06: Proceedings of the 8th International Conference on Electronic Commerce, 2006
Cited by 23 (7 self)
We present a practical system for conducting sealed-bid auctions that preserves the secrecy of the bids while providing for verifiable correctness and trustworthiness of the auction. The auctioneer must accept all bids submitted and follow the published rules of the auction. No party receives any useful information about bids before the auction closes and no bidder is able to change or repudiate her bid. Our solution uses Paillier's homomorphic encryption scheme [25] for zero-knowledge proofs of correctness. Only minimal cryptographic technology is required of bidders; instead of employing complex interactive protocols or multiparty computation, the single auctioneer computes optimal auction results and publishes proofs of the results' correctness. Any party can check these proofs of correctness via publicly verifiable computations on encrypted bids. The system is illustrated through application to first-price, uniform-price and second-price auctions, including multi-item auctions. Our empirical results demonstrate the practicality of our method: auctions with hundreds of bidders are within reach of a single PC, while a modest distributed computing network can accommodate auctions with thousands of bids.
Formalizing human ignorance: Collision-resistant hashing without the keys
In Proc. Vietcrypt '06, 2006
Cited by 22 (0 self)
There is a foundational problem involving collision-resistant hash functions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0,1}* → {0,1}^n always admits an efficient collision-finding algorithm; it's just that we human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitly-given reduction, normally a black-box one. We illustrate this approach using well-known examples involving digital signatures, pseudorandom functions, and the Merkle-Damgård construction. Key words: Collision-free hash function, Collision-intractable hash function, Collision-resistant hash function, Cryptographic hash function, Provable security.
Optimal Tree-based One-time Digital Signature Schemes
In STACS '96: Proceedings of the 13th Annual Symposium on Theoretical Aspects of Computer Science, 1996
Cited by 20 (1 self)
A minimal cutset of a tree directed from the leaves to the root is a minimal set of vertices such that every path from a leaf to the root meets at least one of these vertices. An order relation on the set of minimal cutsets can be defined: U V if and only if every vertex of U is on the path from some vertex in V to the root. Motivated by the design of efficient cryptographic digital signature schemes, the problem of constructing trees with a large number of pairwise incomparable minimal cutsets or, equivalently, with a large antichain in the poset of minimal cutsets, is considered. Keywords: Cryptography, digital signature schemes, trees, partially ordered sets.
Introduction. We consider trees directed from the leaves to the root where every vertex has at most two predecessors. In this paper, a cutset of such a tree T is defined as a set of vertices which contains at least one vertex of every path from a leaf to the root. A cutset is minimal when it contains exactly one vertex of...
Multicast Authentication in Smart Grid With One-Time Signature
Cited by 17 (1 self)
Multicast has been envisioned to be useful in many Smart Grid applications such as demand-response, wide-area protection, in-substation protection, and various operation and control. Since the multicast messages are related to critical control, authentication is necessary to prevent message forgery attacks. In this paper, we first identify the requirements of multicast communication and multicast authentication in Smart Grid. Based on these requirements, we find that one-time signature based multicast authentication is a promising solution, due to its short authentication delay and low computation cost. However, existing one-time signatures are not designed for Smart Grid, and they may have high storage and bandwidth overhead. To address this problem, we propose a new one-time signature scheme which can reduce the storage cost by a factor of 8 and reduce the signature size by 40% compared with existing schemes. Thus, our scheme is more appropriate for Smart Grid applications where the receivers have limited storage (e.g., home appliances and field devices) or where data communication is frequent and short (e.g., phasor data). These gains are at the cost of increased computations in signature generation and/or verification, and fortunately our scheme can flexibly allocate the computations between the sender and receiver based on their computing resources. We formulate the computation allocation as a nonlinear integer programming problem to minimize the signing cost under a certain verification cost, and propose a heuristic solution to solve it.
Untraceable Electronic Cash (Extended Abstract), 1989
Cited by 15 (0 self)
David Chaum (Center for Mathematics and Computer Science, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands), Amos Fiat (Tel-Aviv University, Tel-Aviv, Israel), Moni Naor (IBM Almaden Research Center, 650 Harry Road, San Jose, CA 95120).
Introduction. The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance. Paper cash is considered to have a significant advantage over credit cards with respect to privacy, although the serial numbers on cash make it traceable in principle. Chaum has introduced unconditionally untraceable electronic money ([C85] and [C88]). But what is to prevent anyone from making several copies of an electronic coin and using them at different shops? Online clearing is one possible solution, though a rather expensive ... (Footnote: Work done while the second and third authors were at the University of California at Berkele...)
How to Build a Hash Function from any Collision-Resistant Function, 2007
Cited by 12 (3 self)
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelops any provably CR function H (with suitable regularity properties) between two injective "mixing" stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a block-cipher-based construction that
Revocable Anonymity
In Günter Müller (Ed.): ETRICS 2006, Lecture Notes in Computer Science, 2006
Cited by 10 (1 self)
Anonymity services in the EU may be forced by the new EU data retention directive to collect connection data and de-anonymise some of their users in case of serious crimes. For this purpose, we propose a new privacy-friendly solution for incorporating revocation in an anonymous communication system. In contrast to other known methods, our scheme does not reveal the identity of a user to any entity involved in the revocation procedure other than the law enforcement agency. Another advantage is that no user needs to provide more identifying information than his connection (IP) address, which is what he needs to communicate with the system anyway. The proposed scheme is based mainly on threshold group signatures and threshold atomic proxy re-encryption.
Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results, 2008
Cited by 6 (0 self)
This paper presents some theoretical and experimental results about off-line/on-line digital signatures. The goal of this type of scheme is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient one-time signatures. Later Shamir and Tauman presented an alternative construction (which produces shorter signatures) by combining regular signatures with chameleon hash functions. We first unify the Shamir-Tauman and Even et al. approaches by showing that they can be considered different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is in effect a type of one-time signature which satisfies this weaker security notion. In the process we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call two-trapdoor) is a fully secure one-time signature. Finally we ran experimental tests using OpenSSL libraries to test the difference between the two approaches. In our implementation we make extensive use of the observation that off-line/on-line digital signatures do not require collision-resistant hash functions to compress the message, but can be safely implemented with universal one-way hashing in both the off-line and the on-line step. The main application of this observation is that both steps can be applied to shorter digests. This has particular relevance if block-cipher- or hash-function-based one-time signatures are used, since these are very sensitive to the length of the message. Interestingly, we show that (mostly due to the above observation about hashing) the two approaches are comparable in efficiency and signature length.
The preimage security of double-block-length compression functions. Cryptology ePrint Archive, Report 2011/210, 2011. http://eprint.iacr.org
Cited by 3 (2 self)
We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block-cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least 2^{2n−5} block-cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 2^{2n−10} queries are necessary. These bounds improve upon the previous best bounds of Ω(2^n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2^{2n}.