Results 1 - 5 of 5
A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
, 1995
Cited by 827 (48 self)
We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Discrete Logarithms in Finite Fields and Their Cryptographic Significance
, 1984
Cited by 87 (6 self)
Given a primitive element $g$ of a finite field $GF(q)$, the discrete logarithm of a nonzero element $u \in GF(q)$ is that integer $k$, $1 \le k \le q - 1$, for which $u = g^k$. The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields $GF(2^n)$. It appears that in order to be safe from attacks using these algorithms, the value of $n$ for which $GF(2^n)$ is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields $GF(2^n)$ are much easier to compute than in fields $GF(p)$ with $p$ prime. Hence the fields $GF(2^n)$ ought to be avoided in all cryptographic applications. On the other hand, ...
Evaluation of security level of cryptography: ESIGN signature scheme
 CRYPTREC Project
, 2001
Cited by 2 (0 self)
to be existentially unforgeable against chosen-message attacks assuming that the approximate e-th root (AER) problem is hard and that the employed hash function is a random function. While the AER problem has been studied by some researchers, it has not received as much attention as the integer factorization problem or the discrete logarithm problem. One way to solve the AER problem is to factor the integer n, where $n = p^2 q$ and p and q are primes of the same bit-length. The parameters recommended ensure that ESIGN resists all known attacks for factoring integers of this form.
2 Protocol specification
2.1 ESIGN key pairs
For the security parameter k = pLen, each entity does the following:
1. Randomly select two distinct primes, p, q, each of bitsize k and compute $n = p^2 q$.
2. Select an integer $e \geq 4$.
3. A's public key is (n, e, k); A's private key is (p, q).
In addition, one needs to specify a hash function H¥ whose output length is k bits.
2.2 ESIGN signature generation
To sign a message m, an entity A with the private key (p, q) does the following:
1. Compute H¥¦(m), and let H(m) be obtained from H¥¦(m) by deleting the most significant bit.
2. Pick r uniformly at random from $\{r \in Z_{pq} : \gcd(r, p) = 1\}$.
Can O.S.S. be Repaired?
 Advances in Cryptology—EUROCRYPT ’93 Proceedings
, 1994
This paper describes a family of new Ong-Schnorr-Shamir-Fiat-Shamir-like [1] identification and signature protocols designed to prevent forgers from using the Pollard-Schnorr attack [2].
Cryptanalysis of the Birational Permutation Signature Scheme over a Noncommutative Ring
Abstract. In 2008, Hashimoto and Sakurai proposed a new efficient signature scheme, which is a noncommutative ring version of Shamir’s birational permutation signature scheme. Shamir’s scheme is a generalization of the OSS (Ong-Schnorr-Shamir) signature scheme and was broken by Coppersmith et al. using its linearity and commutativity. The HS (Hashimoto-Sakurai) scheme is expected to be secure against the attack of Coppersmith et al. since the scheme is based on the noncommutative structure. In this paper, we propose an attack against the HS scheme. Our proposed attack is practical under the condition that its step size and the number of steps are small. More precisely, we firstly show that the HS scheme is essentially a commutative scheme, that is, the HS scheme can be reduced to some commutative birational permutation signature scheme. Then we apply Patarin-like attack against the commutative birational permutation signature scheme. We discuss efficiency of our attack by using some experimental results. Furthermore the commutative scheme obtained from the HS scheme is the Rainbow-type signature scheme. We also discuss the security of the Rainbow-type signature scheme, and propose an efficient attack against some class of the Rainbow-type signature scheme. Key words: noncommutative ring, birational permutation, Rainbow, Gröbner basis