Results 1  10
of
20
How to leak a secret
 PROCEEDINGS OF THE 7TH INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATION OF CRYPTOLOGY AND INFORMATION SECURITY: ADVANCES IN CRYPTOLOGY
, 2001
"... In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and ..."
Abstract

Cited by 1754 (4 self)
 Add to MetaCart
In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others ’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signerambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks
, 1995
"... We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a ..."
Abstract

Cited by 827 (48 self)
 Add to MetaCart
We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) can not later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosenmessage attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "clawfree" pair of permutations  a potentially weaker assumption than the intractibility of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Oblivious SignatureBased Envelope
 In Proceedings of the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003
, 2003
"... Exchange of digitally signed certificates is often used to establish mutual trust between strangers that wish to share resources or to conduct business transactions. Automated Trust Negotiation (ATN) is an approach to regulate the flow of sensitive information during such an exchange. Previous work ..."
Abstract

Cited by 51 (6 self)
 Add to MetaCart
Exchange of digitally signed certificates is often used to establish mutual trust between strangers that wish to share resources or to conduct business transactions. Automated Trust Negotiation (ATN) is an approach to regulate the flow of sensitive information during such an exchange. Previous work on ATN are based on access control techniques, and cannot handle cyclic policy interdependency satisfactorily. We show that the problem can be modelled as a 2party secure function evaluation (SFE) problem, and propose a scheme called oblivious signaturebased envelope (OSBE) for efficiently solving the SFE problem. We develop a provably secure and efficient OSBE protocol for certificates signed using RSA signatures. We also build provably secure and efficient oneround OSBE for Rabin and BLS signatures from recent constructions for identitybased encryption. We also discuss other applications of OSBE.
How to Prove All NP Statements in ZeroKnowledge and a Methodology of Cryptographic Protocol Design (Extended Abstract)
 PROC. OF CRYPTO 1986, THE 6TH ANN. INTL. CRYPTOLOGY CONF., VOLUME 263 OF LECTURE NOTES IN COMPUTER SCIENCE
, 1998
"... ..."
Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks
 In Advances in Cryptology–Crypto ’92
, 1992
"... Abstract. This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the e ..."
Abstract

Cited by 23 (2 self)
 Add to MetaCart
Abstract. This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the exact object ciphertext to be cryptanalyzed. The rst strengthening method is based on the use of oneway hash functions, the second on the use of universal hash functions and the third on the use of digital signature schemes. Each method is illustrated by an example ofapublickey cryptosystem based on the intractability ofcomputing discrete logarithms in nite elds. Two other issues, namely applications of the methods to public key cryptosystems based on other intractable problems and enhancement of information authentication capability to the cryptosystems, are also discussed. 1
The tale of oneway functions
 Problems of Information Transmission
, 2003
"... All the king’s horses, and all the king’s men, Couldn’t put Humpty together again. The existence of oneway functions (owf) is arguably the most important problem in computer theory. The article discusses and refines a number of concepts relevant to this problem. For instance, it gives the first com ..."
Abstract

Cited by 20 (0 self)
 Add to MetaCart
All the king’s horses, and all the king’s men, Couldn’t put Humpty together again. The existence of oneway functions (owf) is arguably the most important problem in computer theory. The article discusses and refines a number of concepts relevant to this problem. For instance, it gives the first combinatorial complete owf, i.e., a function which is oneway if any function is. There are surprisingly many subtleties in basic definitions. Some of these subtleties are discussed or hinted at in the literature and some are overlooked. Here, a unified approach is attempted. 1
Computational Sample Complexity and AttributeEfficient Learning
, 2000
"... Two fundamental measures of the efficiency of a learning algorithm are its running time and the number of examples it requires (its sample complexity). In this paper we demonstrate that even for simple concept classes, an inherent tradeoff can exist between running time and sample complexity. We ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
Two fundamental measures of the efficiency of a learning algorithm are its running time and the number of examples it requires (its sample complexity). In this paper we demonstrate that even for simple concept classes, an inherent tradeoff can exist between running time and sample complexity. We present a concept class of 1decision lists and prove that while a computationally unbounded learner can learn the class from O(1) examples, under a standard cryptographic assumption any polynomialtime learner requires almost \Theta(n) examples. Using a different construction, we present a concept class of kdecision lists which exhibits a similar but stronger gap in sample complexity. These results strengthen the results of Decatur, Goldreich and Ron [9] on distributionfree computational sample complexity and come within a logarithmic factor of the largest possible gap for concept classes of kdecision lists. Finally, we construct a concept class of decision lists which can be lear...
Answers To Frequently Asked Questions About Today's Cryptography
, 1993
"... this document, authentication will generally refer to the use of digital signatures, which play a function for digital documents similar to that played by handwritten signatures for printed documents: the signature is an unforgeable piece of data asserting that a named person wrote or otherwise agre ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
this document, authentication will generally refer to the use of digital signatures, which play a function for digital documents similar to that played by handwritten signatures for printed documents: the signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document to which the signature is attached. The recipient, as well as a third party, can verify both that the document did indeed originate from the person whose signature is attached and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts: a method of signing a document such that forgery is infeasible, and a method of verifying that a signature was actually generated by whomever it represents. Furthermore, secure digital signatures cannot be repudiated; i.e., the signer of a document cannot later disown it by claiming it was forged.
How to leak a secret: Theory and applications of ring signatures
 Essays in Theoretical Computer Science: in Memory of Shimon Even, volume 3895 of LNCS Festschrift
, 2006
"... Abstract. In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedu ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Abstract. In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others ’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signerambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).