Results 1 
8 of
8
Short signatures from the Weil pairing
, 2001
"... Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signa ..."
Abstract

Cited by 680 (28 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel. 1
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 483 (21 self)
 Add to MetaCart
(Show Context)
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Synthesizers and Their Application to the Parallel Construction of PseudoRandom Functions
, 1995
"... A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. ..."
Abstract

Cited by 47 (10 self)
 Add to MetaCart
A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions as factoring and the DiffieHellman assumption. This yields the first parallel pseudorandom functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudorandom functions or trapdoor oneway permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
On certain exponential sums and the distribution of DiffieHellman triples
 J. London Math. Soc
, 1999
"... Let g be a primitive root modulo a prime p. It is proved that the triples (gx,gy,gxy), x,y�1,…,p�1, are uniformly distributed modulo p in the sense of H. Weyl. This result is based on the following upper bound for double exponential sums. Let ε�0 be fixed. Then p−� x,y=� exp0 2πiagx�bgy�cgxy ..."
Abstract

Cited by 28 (14 self)
 Add to MetaCart
Let g be a primitive root modulo a prime p. It is proved that the triples (gx,gy,gxy), x,y�1,…,p�1, are uniformly distributed modulo p in the sense of H. Weyl. This result is based on the following upper bound for double exponential sums. Let ε�0 be fixed. Then p−� x,y=� exp0 2πiagx�bgy�cgxy
Efficient Verifiably Encrypted Signature and Partially Blind Signature from Bilinear Pairings
, 2004
"... Verifiably encrypted signatures are used when Alice wants to sign a message for Bob but does not want Bob to possess her signature on the message until a later date. Such signatures are used in optimistic contact signing to provide fair exchange. Partially blind signature schemes are an extension of ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
Verifiably encrypted signatures are used when Alice wants to sign a message for Bob but does not want Bob to possess her signature on the message until a later date. Such signatures are used in optimistic contact signing to provide fair exchange. Partially blind signature schemes are an extension of blind signature schemes that allows a signer to sign a partially blinded message that include preagreed information such as expiry date or collateral conditions in unblinded form. These signatures are used...
Generic Groups, Collision Resistance, and ECDSA
 Designs, Codes and Cryptography
, 2002
"... Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, ( ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.
DiffieHellman Problems and Bilinear Maps
, 2002
"... We investigate relations among the discrete logarithm (DL) problem, the DiffieHellman (DH) problem and the bilinear DiffieHellman (BDH) problem when we have an efficient computable nondegenerate bilinear map e : G G ! H. Under a certain assumption on the order of G, we show that the DH problem on ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
We investigate relations among the discrete logarithm (DL) problem, the DiffieHellman (DH) problem and the bilinear DiffieHellman (BDH) problem when we have an efficient computable nondegenerate bilinear map e : G G ! H. Under a certain assumption on the order of G, we show that the DH problem on H implies the DH problem on G, and both of them are equivalent to the BDH problem when e is weakinvertible. Moreover, we show that given the bilinear map e an injective homomorphism f : H ! G enables us to solve the DH problem on G eciently, which implies the nonexistence a selfbilinear map e : G G ! G when the DH problem on G is hard. Finally we introduce a sequence of bilinear maps and its applications.
OBSTACLES TO THE TORSIONSUBGROUP ATTACK ON THE DECISION DIFFIEHELLMAN PROBLEM
"... Abstract. Cheng and Uchiyama show that if one is given an elliptic curve, depending on a prime p, that is defined over a number field and has certain properties, then one can solve the Decision DiffieHellman Problem (DDHP) in F ∗ p in polynomial time. We show that it is unlikely that an elliptic cu ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. Cheng and Uchiyama show that if one is given an elliptic curve, depending on a prime p, that is defined over a number field and has certain properties, then one can solve the Decision DiffieHellman Problem (DDHP) in F ∗ p in polynomial time. We show that it is unlikely that an elliptic curve with the desired properties exists. 1.