Results 1  10
of
23
Trapdoors for Hard Lattices and New Cryptographic Constructions
, 2007
"... We show how to construct a variety of “trapdoor ” cryptographic tools assuming the worstcase hardness of standard lattice problems (such as approximating the shortest nonzero vector to within small factors). The applications include trapdoor functions with preimage sampling, simple and efficient “ha ..."
Abstract

Cited by 186 (25 self)
 Add to MetaCart
We show how to construct a variety of “trapdoor ” cryptographic tools assuming the worstcase hardness of standard lattice problems (such as approximating the shortest nonzero vector to within small factors). The applications include trapdoor functions with preimage sampling, simple and efficient “hashandsign ” digital signature schemes, universally composable oblivious transfer, and identitybased encryption. A core technical component of our constructions is an efficient algorithm that, given a basis of an arbitrary lattice, samples lattice points from a Gaussianlike probability distribution whose standard deviation is essentially the length of the longest vector in the basis. In particular, the crucial security property is that the output distribution of the algorithm is oblivious to the particular geometry of the given basis. ∗ Supported by the Herbert Kunzel Stanford Graduate Fellowship. † This material is based upon work supported by the National Science Foundation under Grants CNS0716786 and CNS0749931. Any opinions, findings, and conclusions or recommedations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. ‡ The majority of this work was performed while at SRI International. 1 1
Sequential aggregate signatures from trapdoor permutations
 Advances in Cryptology – EUROCRYPT 2004
, 2004
"... An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining n signatures from n different signers on n different messages into one signature of unit length. We propose sequential aggregate signatures, inwhichthesetof signers is ordered. The aggrega ..."
Abstract

Cited by 59 (3 self)
 Add to MetaCart
(Show Context)
An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining n signatures from n different signers on n different messages into one signature of unit length. We propose sequential aggregate signatures, inwhichthesetof signers is ordered. The aggregate signature is computed by having each signer, in turn, add his signature to it. We show how to realize this in such a way that the size of the aggregate signature is independent of n. This makes sequential aggregate signatures a natural primitive for certificate chains, whose length can be reduced by aggregating all signatures in a chain. We give a construction in the random oracle model based on families of certified trapdoor permutations, and show how to instantiate our scheme based on RSA. 1
Strong KeyInsulated Signature Schemes
, 2002
"... Digital signing is at the heart of Internet based transactions and ecommerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the se ..."
Abstract

Cited by 53 (14 self)
 Add to MetaCart
(Show Context)
Digital signing is at the heart of Internet based transactions and ecommerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the secrecy of the private key.
Efficiency Improvements for Signature Schemes with Tight Security Reductions
, 2003
"... Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature leng ..."
Abstract

Cited by 40 (0 self)
 Add to MetaCart
Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature length of some recentlyproposed schemes: DiffieHellman signatures. Goh and Jarecki [18] recently analyzed a signature scheme which has a tight security reduction to the computational DiffieHellman problem. Unfortunately, their scheme is less efficient in both computation and bandwidth than previous schemes relying on the (related) discrete logarithm assumption. We present a modification of their scheme in which signing is 33% more efficient and signatures are 75% shorter; the security of this scheme is tightly related to the decisional DiffieHellman problem. PSS. The...
Discretelogbased signatures may not be equivalent to discrete log
 ASIACRYPT 2005, LNCS 3788
, 2005
"... Abstract. We provide evidence that the unforgeability of several discretelog based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature wellknown proofs standing in weakened proof methodologies, in particular proofs e ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We provide evidence that the unforgeability of several discretelog based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature wellknown proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle Model. Our impossibility proofs apply to many discretelogbased signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSAbased signatures like GQ. We stress that our work sheds more light on the provable (in)security of popular signature schemes but does not explicitly lead to actual attacks on these. 1
How Risky is the RandomOracle Model?
"... Abstract. RSAFDH and many other schemes secure in the RandomOracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the randomoracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Be ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
(Show Context)
Abstract. RSAFDH and many other schemes secure in the RandomOracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the randomoracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024bit digests (with complexity less than 2 30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the IDbased cryptosystem by Boneh et al. from FOCS ’07, and the secret key in the RabinWilliams signature for which Bernstein proved tight security at EUROCRYPT ’08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that in insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/RabinWilliams, an appropriate PSS padding is more robust than all other paddings known. 1
Mercurial commitments: Minimal assumptions and efficient constructions
 In Third Theory of Cryptography Conference (TCC
, 2006
"... Abstract. (Noninteractive) Trapdoor Mercurial Commitments (TMCs) were introduced by Chase et al. [8] and form a key building block for constructing zeroknowledge sets (introduced by Micali, Rabin and Kilian [28]). TMCs are quite similar and certainly imply ordinary (noninteractive) trapdoor commit ..."
Abstract

Cited by 13 (7 self)
 Add to MetaCart
(Show Context)
Abstract. (Noninteractive) Trapdoor Mercurial Commitments (TMCs) were introduced by Chase et al. [8] and form a key building block for constructing zeroknowledge sets (introduced by Micali, Rabin and Kilian [28]). TMCs are quite similar and certainly imply ordinary (noninteractive) trapdoor commitments (TCs). Unlike TCs, however, they allow for some additional freedom in the way the message is opened: informally, by allowing one to claim that “if this commitment can be opened at all, then it would open to this message”. Prior to this work, it was not clear if this addition is critical or not, since all the constructions of TMCs presented in [8] and [28] used strictly stronger assumptions than TCs. We give an affirmative answer to this question, by providing simple constructions of TMCs from any trapdoor bit commitment scheme. Moreover, by plugging in various trapdoor bit commitment schemes, we get, in the trusted parameters (TP) model, all the efficient constructions from [28] and [8], as well as several immediate new (either generic or efficient) constructions. In particular, we get a construction of TMCs from any oneway function in the TP model, and, by using a special flavor of TCs, called hybrid TCs [6], even in the (weaker) shared random string (SRS) model. Our results imply that (a) mercurial commitments can be viewed as surprisingly simple variations of trapdoor commitments; and (b) the existence of noninteractive zeroknowledge sets is equivalent to the existence of collisionresistant hash functions. Of independent interest, we also give a stronger and yet much simpler definition of mercurial commitments than that of [8], which is also met by our constructions in the TP model. 1
How to repair ESIGN
, 2002
"... The ESIGN signature scheme was provided with an inadequate proof of security. We propose two techniques to repair the scheme, which we name DESIGN and RESIGN. ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
(Show Context)
The ESIGN signature scheme was provided with an inadequate proof of security. We propose two techniques to repair the scheme, which we name DESIGN and RESIGN.
Efficient signature schemes with tight reductions to the DiffieHellman problems
 Journal of Cryptology
"... We propose and analyze two efficient signature schemes whose security is tightly related to the DiffieHellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational DiffieHellman problem; security of our second scheme — which is more efficient ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
(Show Context)
We propose and analyze two efficient signature schemes whose security is tightly related to the DiffieHellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational DiffieHellman problem; security of our second scheme — which is more efficient than the first — is based on the hardness of the decisional DiffieHellman problem, a stronger assumption. Given current state of the art, it is as difficult to solve the DiffieHellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can be also applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various numbertheoretic assumptions) with tight security reductions. 1
New Paradigms in Signature Schemes
, 2005
"... Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higherlevel protocols. Groups featuring a computable bilinear map are particularly well suited for signaturerelated primitives. For some signature variants the only con ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higherlevel protocols. Groups featuring a computable bilinear map are particularly well suited for signaturerelated primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinearmap–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the BonehLynnShacham (BLS) short signature scheme. BLS signatures with 1024bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present BonehGentryLynnShacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.