Results 1  10
of
53
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
, 2002
"... An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verif ..."
Abstract

Cited by 321 (13 self)
 Add to MetaCart
(Show Context)
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M i for i = 1; : : : ; n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M . Verifiably encrypted signatures are used in contractsigning protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Provable Data Possession at Untrusted Stores
, 2007
"... We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the serv ..."
Abstract

Cited by 279 (9 self)
 Add to MetaCart
We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widelydistributed storage systems. We present two provablysecure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.
Efficient threshold signature, multisignature and blind signature schemes based on the GapDiffieHellmanGroup signature scheme
 PROCEEDINGS OF PKC 2003, VOLUME 2567 OF LNCS
, 2003
"... We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap DiffieHellman (GDH) group (where the Computational DiffieHellman problem is hard but the Decisional DiffieHellman problem is easy). Our constructions are based on t ..."
Abstract

Cited by 196 (0 self)
 Add to MetaCart
(Show Context)
We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap DiffieHellman (GDH) group (where the Computational DiffieHellman problem is hard but the Decisional DiffieHellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.
Sequential aggregate signatures from trapdoor permutations
 Advances in Cryptology – EUROCRYPT 2004
, 2004
"... An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining n signatures from n different signers on n different messages into one signature of unit length. We propose sequential aggregate signatures, inwhichthesetof signers is ordered. The aggrega ..."
Abstract

Cited by 59 (3 self)
 Add to MetaCart
(Show Context)
An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining n signatures from n different signers on n different messages into one signature of unit length. We propose sequential aggregate signatures, inwhichthesetof signers is ordered. The aggregate signature is computed by having each signer, in turn, add his signature to it. We show how to realize this in such a way that the size of the aggregate signature is independent of n. This makes sequential aggregate signatures a natural primitive for certificate chains, whose length can be reduced by aggregating all signatures in a chain. We give a construction in the random oracle model based on families of certified trapdoor permutations, and show how to instantiate our scheme based on RSA. 1
Sequential aggregate signatures and multisignatures without random oracles
 In EUROCRYPT, 2006. (Cited on
, 2006
"... Abstract. We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature schem ..."
Abstract

Cited by 51 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature scheme are sequentially constructed, but knowledge of the order in which messages were signed is not necessary for verification. The aggregate signatures obtained are shorter than Lysyanskaya et al. sequential aggregates and can be verified more efficiently than Boneh et al. aggregates. We also consider applications to secure routing and proxy signatures. 1
Multisignatures in the plain publickey model and a general forking lemma
 In ACM CCS 06
, 2006
"... A multisignature scheme enables a group of signers to produce a compact, joint signature on a common document, and has many potential uses. However, existing schemes impose key setup or PKI requirements that make them impractical, such as requiring a dedicated, distributed key generation protocol a ..."
Abstract

Cited by 49 (5 self)
 Add to MetaCart
(Show Context)
A multisignature scheme enables a group of signers to produce a compact, joint signature on a common document, and has many potential uses. However, existing schemes impose key setup or PKI requirements that make them impractical, such as requiring a dedicated, distributed key generation protocol amongst potential signers, or assuming strong, concurrent zeroknowledge proofs of knowledge of secret keys done to the CA at key registration. These requirements limit the use of the schemes. We provide a new scheme that is proven secure in the plain publickey model, meaning requires nothing more than that each signer has a (certified) public key. Furthermore, the important simplification in key management achieved is not at the cost of efficiency or assurance: our scheme matches or surpasses known ones in terms of signing time, verification time and signature size, and is proven secure in the randomoracle model under a standard (not bilinear map related) assumption. The proof is based on a simplified and general Forking Lemma that may be of independent interest.
Breaking and repairing optimistic fair exchange from PODC 2003
 In ACM Workshop on Digital Rights Management (DRM
, 2003
"... ..."
(Show Context)
Constructing fair exchange protocols for ecommerce via distributed computation of RSA signatures
 in PODC 2003
, 2003
"... Applications such as ecommerce payment protocols, electronic contract signing, and certified email delivery require that fair exchange be assured. A fairexchange protocol allows two parties to exchange items in a fair way so that either each party gets the other's item, or neither party do ..."
Abstract

Cited by 31 (2 self)
 Add to MetaCart
(Show Context)
Applications such as ecommerce payment protocols, electronic contract signing, and certified email delivery require that fair exchange be assured. A fairexchange protocol allows two parties to exchange items in a fair way so that either each party gets the other's item, or neither party does. We describe a novel method of constructing very efficient fairexchange protocols by distributing the computation of RSA signatures. Specifically, we employ multisignatures based on the RSAsignature scheme. To date, the vast majority of fairexchange protocols require the use of zeroknowledge proofs, which is the most computationally intensive part of the exchange protocol. Using the intrinsic features of our multisignature model, we construct protocols that require no zeroknowledge proofs in the exchange protocol. Use of zeroknowledge proofs is needed only in the protocol setup phasethis is a onetime cost. Furthermore, our scheme uses multisignatures that are compatible with the underlying standard (singlesigner) signature scheme, which makes it possible to readily integrate the fairexchange feature with existing ecommerce systems.
Remote Data Checking Using Provable Data Possession
, 2011
"... We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling ran ..."
Abstract

Cited by 26 (2 self)
 Add to MetaCart
We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems. The model is also robust in that it incorporates mechanisms for mitigating arbitrary amounts of data corruption. We present two provablysecure PDP schemes that are more efficient than previous solutions. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. We then propose a generic transformation that adds robustness to any remote data checking scheme based on spot checking. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation. Finally, we conduct an indepth experimental evaluation to study the tradeoffs in performance, security, and space overheads when
Admission Control in Peer Groups
 In IEEE International Symposium on Network Computing and Applications (NCA
, 2003
"... Security in collaborative peer groups is an active research topic. Most previous work focused on key management without addressing an important prerequisite: admission control, i.e., how to securely admit a new member. This paper represents an initial attempt to sketch out an admission control fram ..."
Abstract

Cited by 26 (5 self)
 Add to MetaCart
(Show Context)
Security in collaborative peer groups is an active research topic. Most previous work focused on key management without addressing an important prerequisite: admission control, i.e., how to securely admit a new member. This paper represents an initial attempt to sketch out an admission control framework suitable for di#erent flavors of peer groups and match them with appropriate cryptographic techniques and protocols. Open problems and directions for future work are identified and discussed.