A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
, 1995
Cited by 869 (48 self)
We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) can not later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Universal One-Way Hash Functions and their Cryptographic Applications
, 1989
Cited by 322 (14 self)
We define a Universal One-Way Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal one-way hash functions exist if any 1-1 one-way functions exist. Among the various applications of the primitive is a One-Way based Secure Digital Signature Scheme which is existentially secure against adaptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor one-way functions exist.
Key words. cryptography, randomized algorithms
AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10
Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR88 13632. A preliminary version of this work app...
New Generation of Secure and Practical RSA-based Signatures
, 1996
Cited by 38 (1 self)
For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash-functions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
How to Sign Given Any Trapdoor Permutation
 JACM
, 1992
Cited by 34 (13 self)
We present a digital signature scheme which is based on the existence of any trapdoor permutation. Our scheme is secure in the strongest possible natural sense: namely, it is secure against existential forgery under adaptive chosen message attack.
Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract)
 ADVANCES IN CRYPTOLOGY — CRYPTO ’92
, 1992
Cited by 26 (1 self)
The standard definition of digital signatures allows a document to have many valid signatures. In this paper, we consider a subclass of digital signatures, called invariant signatures, in which all legal signatures of a document must be identical according to some polynomial-time computable function (of a signature) which is hard to predict given an unsigned document. We formalize this notion and show its equivalence to non-interactive zero-knowledge proofs.
Secure Signature Schemes Based on Interactive Protocols
 IN ADVANCES IN CRYPTOLOGY: CRYPTO ’95
, 1994
Cited by 26 (3 self)
A method is proposed for constructing from interactive protocols digital signature schemes secure against adaptively chosen message attacks. Our main result is that practical secure signature schemes can now also be based on computationally difficult problems other than factoring (see [9]), such as the discrete logarithm problem. More precisely,
On Shared Randomness and the Size of Secure Signatures
, 1995
We present an efficient signature scheme that is not existentially forgeable under adaptively chosen message attacks [3]. The main feature of our scheme is that any practical number of signatures can be made while the size of the signatures remains relatively small, under the condition that all signers have access to a list of shared random strings. More precisely, let integers l and d be fixed and let k be a security parameter. Given a list of l random (k - 1)-bit strings shared by all signers, at least l^d signatures can be made by each signer in our scheme, where the size of a public key is k bits. The size of a signature does not exceed (4d - 3)k bits. The first secure signature scheme where such tradeoffs between shared randomness and the size of signatures has been realized was proposed by Dwork and Naor at Crypto '94 [1]. Their scheme is based on RSA, while their method for achieving efficiency relies on special properties of RSA that seem to go beyond the properties of general trapdoor permutations. Our contribution is to show that a secure signature scheme with similar efficiency can be based on a general cryptographic assumption that is potentially weaker than an RSA assumption, namely the existence of a family of claw-free trapdoor permutations [3], which can be constructed under the factoring assumption.
AMS Subject Classification (1991): 94A60
CR Subject Classification (1991): D.4.6
Keywords & Phrases: Cryptography, Security, Digital Signatures, Claw-Freeness.
When Won’t Membership Queries Help?
We investigate cryptographic limitations on the power of membership queries to help with concept learning. In particular, we use the recent construction of a public-key encryption system secure against chosen cyphertext attack by Naor and Yung [19] (and refinements of it) together with the techniques of Kearns and Valiant [16] to show that assuming the intractability of (1) quadratic residues modulo a composite, (2) inverting RSA encryption, or (3) factoring Blum integers, there is no polynomial time prediction algorithm with membership queries for Boolean formulas, constant depth threshold circuits, 3μ-Boolean formulas, finite unions or intersections of DFAs, 2-way DFAs, NFAs, or CFGs. Also, we show that if there exist one-way functions that cannot be inverted by polynomial-sized circuits, then Naor and Yung’s [18] and Rompel’s [21] construction of a signature scheme can be used to show that CNF or DNF formulas are either bounded polynomial time predictable without membership queries, or are not polynomial time predictable even with membership queries; so, in effect, membership queries won’t help with predicting CNF or DNF formulas.