Results 11  20
of
371
Efficient threshold signature, multisignature and blind signature schemes based on the GapDiffieHellmanGroup signature scheme
 PROCEEDINGS OF PKC 2003, VOLUME 2567 OF LNCS
, 2003
"... We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap DiffieHellman (GDH) group (where the Computational DiffieHellman problem is hard but the Decisional DiffieHellman problem is easy). Our constructions are based on t ..."
Abstract

Cited by 157 (0 self)
 Add to MetaCart
We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap DiffieHellman (GDH) group (where the Computational DiffieHellman problem is hard but the Decisional DiffieHellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.
A verifiable secret shuffle and its application to EVoting
, 2001
"... We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers, and discuss its application to secure, universally verifiable, multiauthority election schemes. The output of the shuffle operation is another sequence of k modular in ..."
Abstract

Cited by 154 (0 self)
 Add to MetaCart
We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers, and discuss its application to secure, universally verifiable, multiauthority election schemes. The output of the shuffle operation is another sequence of k modular integers, each of which is the same secret power of a corresponding input element, but the order of elements in the output is kept secret. Though it is a trivial matter for the “shuffler ” (who chooses the permutation of the elements to be applied) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e. a proof that it is of the form claimed) that can be checked by an arbitrary verifiers. The complexity of the protocol improves on that of FurukawaSako[16] both measured by number of exponentiations and by overall size. The protocol is shown to be honestverifier zeroknowledge in a special case, and is computational zeroknowledge in general. On the way to the final result, we also construct a generalization of the well known ChaumPedersen protocol for knowledge of discrete logarithm equality ([10], [7]). In fact, the generalization specializes exactly to the ChaumPedersen protocol in the case k = 2. This result may be of interest on its own. An application to electronic voting is given that matches the features of the best current protocols with significant efficiency improvements. An alternative application to electronic voting is also given that introduces an entirely new paradigm for achieving Universally Verifiable elections.
Numbertheoretic constructions of efficient pseudorandom functions
 In 38th Annual Symposium on Foundations of Computer Science
, 1997
"... ..."
Direct Anonymous Attestation
, 2004
"... This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the ..."
Abstract

Cited by 140 (18 self)
 Add to MetaCart
This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Di#eHellman assumption.
Digital Signcryption or How to Achieve Cost(Signature
, 1997
"... Abstract. Secure and authenticated message delivery/storage is one of the major aims of computer and communication security research. The current standard method to achieve this aim is “(digital) signature followed by encryption”. In this paper, we address a question on the cost of secure and authen ..."
Abstract

Cited by 138 (19 self)
 Add to MetaCart
Abstract. Secure and authenticated message delivery/storage is one of the major aims of computer and communication security research. The current standard method to achieve this aim is “(digital) signature followed by encryption”. In this paper, we address a question on the cost of secure and authenticated message delivery/storage, namely, whether it is possible to transport/store messages of varying length in a secure and authenticated way with an expense less than that required by “signature followed by encryption”. This question seems to have never been addressed in the literature since the invention of public key cryptography. We then present a positive answer to the question. In particular, we discover a new cryptographic primitive termed as “signcryption ” which simultaneously fulfills both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by “signature followed by encryption”. For typical security parameters for high level security applications (size of public moduli = 1536 bits), signcryption costs 50 % (31%, respectively) less in computation time and 85 % (91%, respectively) less in message expansion than does “signature followed by encryption ” based on the discrete logarithm problem (factorization problem, respectively).
On the security of joint signature and encryption
, 2002
"... We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of t ..."
Abstract

Cited by 138 (6 self)
 Add to MetaCart
We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encryptthensign” (EtS) and “signthenencrypt” (StE) methods are both secure composition methods in the publickey setting. We also present a new composition method which we call “committhenencryptandsign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hashsignswitch” technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2security, which we call generalized CCA2ecurity (gCCA2). We show that gCCA2security suffices for all known uses of CCA2secure encryption, while no longer suffering from the definitional shortcomings of the latter.
An Efficient Offline Electronic Cash System Based On The Representation Problem
, 1993
"... We present a new offline electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some technique ..."
Abstract

Cited by 136 (3 self)
 Add to MetaCart
We present a new offline electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than previously proposed systems. Another
Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions
, 2003
"... This paper provides theoretical foundations for the group signature primitive. We introduce strong, formal definitions for the core requirements of anonymity and traceability. We then show that these imply the large set of sometimes ambiguous existing informal requirements in the literature, thereb ..."
Abstract

Cited by 129 (6 self)
 Add to MetaCart
This paper provides theoretical foundations for the group signature primitive. We introduce strong, formal definitions for the core requirements of anonymity and traceability. We then show that these imply the large set of sometimes ambiguous existing informal requirements in the literature, thereby unifying and simplifying the requirements for this primitive. Finally we prove the existence of a construct meeting our definitions based only on the assumption that trapdoor permutations exist.
The gapproblems: a new class of problems for the security of cryptographic schemes
 Proceedings of PKC 2001, volume 1992 of LNCS
, 1992
"... Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical ins ..."
Abstract

Cited by 122 (11 self)
 Add to MetaCart
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the DiffieHellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10year old open security problem: the Chaum’s undeniable signature.
Robust Threshold DSS Signatures
, 1996
"... . We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forg ..."
Abstract

Cited by 122 (12 self)
 Add to MetaCart
. We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n=3 players who refuse to participate in the signature protocol. We can also endure n=4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability. Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted player...