Results 1-10 of 19
How to Sign Digital Streams, 1997
Cited by 148 (0 self)
We present a new efficient paradigm for signing digital streams. The problem of signing digital streams to prove their authenticity is substantially different from the problem of signing regular messages. Traditional signature schemes are message oriented and require the receiver to process the entire message before being able to authenticate its signature. However, a stream is a potentially very long (or infinite) sequence of bits that the sender sends to the receiver and the receiver is required to consume the received bits at more or less the input rate and without excessive delay. Therefore it is infeasible for the receiver to obtain the entire stream before authenticating and consuming it. Examples of streams include digitized video and audio files, data feeds and applets. We present two solutions to the problem of authenticating digital streams. The first one is for the case of a finite stream which is entirely known to the sender (say a movie). We use this constraint to devise...
Efficient Protocols for Signing Routing Messages, 1998
Cited by 55 (0 self)
In this work, we aim to reduce the computational costs of using public-key digital signatures in securing routing protocols. Two protocols (COSP and IOSP) using one-time digital signatures are introduced to provide the functionality of public-key digital signatures. Our protocols are intended to be used in place of public-key digital signatures for signing all kinds of message exchanges among routers. We obtained more than tenfold increase in speed compared with public-key signatures. Our protocols overcome the shortcomings identified in previous works, such as timing constraints, limited applications and high storage and computational costs for volatile environments [12].
Better than BiBa: Short One-time Signatures with Fast Signing and Verifying
In Seventh Australasian Conference on Information Security and Privacy (ACISP 2002), 2002
Cited by 47 (0 self)
One-time signature schemes have found numerous applications: in ordinary, online/offline, and forward-secure signatures. More recently, they have been used in multicast and broadcast authentication. We propose a one-time signature scheme with very efficient signing and verifying, and short signatures. Our scheme is well-suited for broadcast authentication, and, in fact, can be viewed as an improvement of the BiBa one-time signature (proposed by Perrig in CCS 2001 for broadcast authentication).
Asymptotically efficient lattice-based digital signatures
In Fifth Theory of Cryptography Conference (TCC), 2008
Cited by 17 (8 self)
We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worst-case hardness of approximating the shortest vector in such lattices within a polynomial factor, and it is also asymptotically efficient: the time complexity of the signing and verification algorithms, as well as key and signature size is almost linear (up to polylogarithmic factors) in the dimension n of the underlying lattice. Since no subexponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to cyclic lattices, our construction gives a digital signature scheme with an essentially optimal performance/security tradeoff.
Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks
In CRYPTO, 2004
Cited by 14 (1 self)
We introduce the notion of multi-trapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent man-in-the-middle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or Diffie-Hellman Assumption.
Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles, 2007
Cited by 14 (1 self)
We show how the Fiat-Shamir transform can be used to convert three-move identification protocols into two-tier signature schemes (a primitive we define) with a proof of security that makes a standard assumption on the hash function rather than modeling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. We can show that numerous protocols have the required properties and so obtain numerous efficient two-tier schemes. Our first application is an efficient transform of any unforgeable signature scheme into a strongly unforgeable one, which uses as a tool any two-tier scheme. (This extends work of Boneh, Shen and Waters whose transform only applies to a limited class of schemes.) The second application is new one-time signature schemes that, compared to one-way function based ones of the same computational cost, have smaller key and signature sizes.
The provable security of graph-based one-time signatures and extensions to algebraic signature schemes
Advances in Cryptology – ASIACRYPT 2002, 2002
Cited by 11 (1 self)
Essentially all known one-time signature schemes can be described as special instances of a general scheme suggested by Bleichenbacher and Maurer based on “graphs of one-way functions”. Bleichenbacher and Maurer thoroughly analyze graph based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security of their generic construction, and they leave open the problem of determining under what assumption security can be formally proved. In this paper we analyze graph based signatures from a security point of view and give sufficient conditions that allow to prove the security of the signature scheme in the standard complexity model (no random oracles). The techniques used to prove the security of graph based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.
Lower Bounds on Signatures From Symmetric Primitives, 2008
Cited by 10 (4 self)
We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making $2^{(1+o(1))q}$ queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport’s one-time signatures (Lamport ’79) achieves $2^{(0.812-o(1))q}$ black-box security using q queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.
Efficient One-time proxy signatures
ASIACRYPT, 2003
Cited by 8 (0 self)
One-time proxy signatures are one-time signatures for which a primary signer can delegate his or her signing capability to a proxy signer. In this work we propose two one-time proxy signature schemes with different security properties. Unlike other existing one-time proxy signatures that are constructed from public key cryptography, our proposed schemes are based on one-way functions without trapdoors and so they inherit the communication and computation efficiency from the traditional one-time signatures. Although from a verifier point of view, signatures generated by the proxy are indistinguishable from those created by the primary signer, a trusted authority can be equipped with an algorithm that allows the authority to settle disputes between the signers. In our constructions, we use a combination of one-time signatures, oblivious transfer protocols and certain combinatorial objects. We characterise these new combinatorial objects and present constructions for them.
Bounds and Improvements for BiBa Signature Schemes, 2002
Cited by 7 (0 self)
This paper analyzes and improves the recently proposed bins and balls signature (BiBa [23]), a new approach for designing signatures from one-way functions without trapdoors.