Results 21 - 30 of 128
New Generation of Secure and Practical RSA-based Signatures
1996
Cited by 30 (1 self)
Abstract: For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash-functions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
Strengthening EPC Tags Against Cloning
In WiSe ’05: Proceedings of the 4th ACM workshop on Wireless security, 2005
Cited by 28 (5 self)
Abstract: The EPC (Electronic Product Code) tag is a form of RFID (Radio-Frequency IDentification) device that is emerging as a successor to the printed barcode. Like barcodes, EPC tags emit static codes that serve to identify and track shipping containers and individual objects. EPC tags, though, have a powerful benefit: they communicate in an automated, wireless manner. Some commercial segments, like the pharmaceutical industry, are coming to view EPC tags as an anti-counterfeiting tool. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though. EPC tags are vulnerable to elementary cloning and counterfeiting attacks. In this paper, we present techniques that strengthen the resistance of EPC tags to elementary cloning attacks. Our proposals are compliant with EPCglobal Class-1 Generation-2 UHF tags, which are likely to predominate in supply chains. We show how to leverage PIN-based access-control and privacy enhancement mechanisms in EPC tags to achieve what may be viewed as crude challenge-response authentication. Our techniques can even strengthen EPC tags against cloning in environments with untrusted reading devices.
Can D.S.A. be Improved? - Complexity Trade-Offs with the Digital Signature Standard
1995
Cited by 26 (2 self)
Abstract: The Digital Signature Algorithm (DSA) was proposed in 1991 by the US National Institute of Standards and Technology to provide an appropriate core for applications requiring digital signatures. Undoubtedly, many applications will include this standard in the future and thus, the foreseen domination of DSA as a legal certification tool is sufficiently important to focus research endeavours on the suitability of this scheme to various situations. In this paper, we present six new DSA-based protocols for: -- Performing a quick batch-verification of n signatures. The proposed scheme makes it possible to save 3(n-1) log_2(q) 480n modular multiplications.
A New Identification Scheme Based on the Perceptrons Problem
In Eurocrypt ’95, LNCS 921, 1995
Cited by 24 (4 self)
Abstract: Identification is a useful cryptographic tool. Since zero-knowledge theory appeared [3], several interactive identification schemes have been proposed (in particular Fiat-Shamir [2] and its variants [4, 6, 5], Schnorr [9]). These identifications are based on number theoretical problems. More recently, new schemes appeared with the peculiarity that they are more efficient from the computational point of view and that their security is based on NP-complete problems: PKP (Permuted Kernels Problem) [10], SD (Syndrome Decoding) [12] and CLE (Constrained Linear Equations) [13]. We present a new NP-complete linear problem which comes from learning machines: the Perceptrons Problem. We have some constraints, m vectors X_i of {−1, +1}^n, and we want to find a vector V of {−1, +1}^n such that X_i · V ≥ 0 for all i. Next, we provide some zero-knowledge interactive identification protocols based on this problem, with an evaluation of their security. Eventually, those protocols are well suited for smart card applications.
Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)
Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656, 2002
Cited by 24 (1 self)
Abstract: We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols: -- Chosen-ciphertext-secure, interactive encryption. In settings where both parties are on-line, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...
Strengthening Zero-Knowledge Protocols using Signatures
In Proceedings of EUROCRYPT ’03, LNCS series, 2003
Cited by 23 (6 self)
Abstract: Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper,
Secure Signature Schemes Based on Interactive Protocols
In Advances in Cryptology: CRYPTO ’95, 1994
Cited by 21 (3 self)
Abstract: A method is proposed for constructing from interactive protocols digital signature schemes secure against adaptively chosen message attacks. Our main result is that practical secure signature schemes can now also be based on computationally difficult problems other than factoring (see [9]), such as the discrete logarithm problem. More precisely,
Identity-based Chameleon Hash and Applications
2004
Cited by 20 (2 self)
Abstract: Chameleon signatures are non-interactive signatures based on a hash-and-sign paradigm, and similar in efficiency to regular signatures.
Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters
1995
Cited by 20 (0 self)
Abstract: A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudo-prime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than presently-used algorithms for generating only pseudo-primes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval. Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy t...
On the Security of a Practical Identification Scheme
J. Cryptology, 1996
Cited by 20 (0 self)
Abstract: We analyze the security of an interactive identification scheme. The scheme is the obvious extension of the original square root scheme of Goldwasser, Micali and Rackoff to 2^m-th roots. This scheme is quite practical, especially in terms of storage and communication complexity. Although this scheme is certainly not new, its security was apparently not fully understood. We prove that this scheme is secure if factoring integers is hard, even against active attacks where the adversary is first allowed to pose as a verifier before attempting impersonation.

