Results 1-10 of 35
Short group signatures
In proceedings of CRYPTO '04, LNCS series, 2004
Cited by 292 (21 self)
Abstract. We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi.
Security proofs for identity-based identification and signature schemes
Advances in Cryptology – EuroCrypt '04, LNCS, 2004
GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks
2002
Cited by 66 (7 self)
Abstract. The Guillou-Quisquater (GQ) and Schnorr identification schemes are amongst the most efficient and best-known Fiat-Shamir follow-ons, but the question of whether they can be proven secure against impersonation under active attack has remained open. This paper provides such a proof for GQ based on the assumed security of RSA under one more inversion, an extension of the usual one-wayness assumption that was introduced in [5]. It also provides such a proof for the Schnorr scheme based on a corresponding discrete-log related assumption. These are the first security proofs for these schemes under assumptions related to the underlying one-way functions. Both results extend to establish security against impersonation under concurrent attack.
Strong Key-Insulated Signature Schemes
2002
Cited by 50 (13 self)
Digital signing is at the heart of Internet-based transactions and e-commerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the secrecy of the private key.
On the (In)security of the Fiat-Shamir Paradigm
In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, 2003
Cited by 48 (2 self)
In 1986, Fiat and Shamir suggested a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
Multi-signatures in the plain public-key model and a general forking lemma
In ACM CCS '06, 2006
Cited by 29 (3 self)
A multi-signature scheme enables a group of signers to produce a compact, joint signature on a common document, and has many potential uses. However, existing schemes impose key setup or PKI requirements that make them impractical, such as requiring a dedicated, distributed key generation protocol amongst potential signers, or assuming strong, concurrent zero-knowledge proofs of knowledge of secret keys done to the CA at key registration. These requirements limit the use of the schemes. We provide a new scheme that is proven secure in the plain public-key model, meaning requires nothing more than that each signer has a (certified) public key. Furthermore, the important simplification in key management achieved is not at the cost of efficiency or assurance: our scheme matches or surpasses known ones in terms of signing time, verification time and signature size, and is proven secure in the random-oracle model under a standard (not bilinear map related) assumption. The proof is based on a simplified and general Forking Lemma that may be of independent interest.
On-the-fly authentication and signature schemes based on groups of unknown order
Journal of Cryptology
Cited by 21 (1 self)
Abstract. In response to the current need for fast, secure and cheap public-key cryptography, we propose an interactive zero-knowledge identification scheme and a derived signature scheme that combine provable security based on the problem of computing discrete logarithms in any group, short keys, very short transmission and minimal on-line computation. This leads to both efficient and secure applications well suited to implementation on low cost smart cards. We introduce GPS, a Schnorr-like scheme that does not require knowledge of the order of the group nor of the group element. As a consequence, it can be used with most cryptographic group structures, including those of unknown order. Furthermore, the computation of the prover's response is done over the integers, hence can be done with very limited computational capabilities. This paper provides complete security proofs of the identification scheme. From a practical point of view, the possible range of parameters is discussed and a report on the performances of an actual implementation on a cheap smart card is included: a complete and secure authentication can be performed in less than 20 milliseconds with low cost equipment. Key words. Identification scheme, Digital signature, Discrete logarithm problem, Minimal on-line computation, Low cost smart cards.
The security of the FDH variant of Chaum's undeniable signature scheme. The full version of this paper. Available from the Cryptology ePrint Archive, http://www.iacr.org
Cited by 15 (3 self)
Abstract. In this paper, we first introduce a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes. Note that forgeability does not necessarily imply impersonation ability. We then classify the security of the FDH variant of Chaum's undeniable signature scheme according to three dimensions, the goal of adversaries, the attacks and the ZK level of confirmation and disavowal protocols. We finally relate each security to some well-known computational problem. In particular, we prove that the security of the FDH variant of Chaum's scheme with NIZK confirmation and disavowal protocols is equivalent to the CDH problem, as opposed to the GDH problem as claimed by Okamoto and Pointcheval.
Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles
2007
Cited by 14 (1 self)
We show how the Fiat-Shamir transform can be used to convert three-move identification protocols into two-tier signature schemes (a primitive we define) with a proof of security that makes a standard assumption on the hash function rather than modeling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. We can show that numerous protocols have the required properties and so obtain numerous efficient two-tier schemes. Our first application is an efficient transform of any unforgeable signature scheme into a strongly unforgeable one, which uses as a tool any two-tier scheme. (This extends work of Boneh, Shen and Waters whose transform only applies to a limited class of schemes.) The second application is new one-time signature schemes that, compared to one-way function based ones of the same computational cost, have smaller key and signature sizes.
Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures
2009
Cited by 11 (2 self)
Abstract. We demonstrate how the framework that is used for creating efficient number-theoretic ID and signature schemes can be transferred into the setting of lattices. This results in constructions of the most efficient to-date identification and signature schemes with security based on the worst-case hardness of problems in ideal lattices. In particular, our ID scheme has communication complexity of around 65,000 bits and the length of the signatures produced by our signature scheme is about 50,000 bits. All prior lattice-based identification schemes required on the order of millions of bits to be transferred, while all previous lattice-based signature schemes were either stateful, too inefficient, or produced signatures whose lengths were also on the order of millions of bits. The security of our identification scheme is based on the hardness of finding the approximate shortest vector to within a factor of Õ(n^2) in the standard model, while the security of the signature scheme is based on the same assumption in the random oracle model. Our protocols are very efficient, with all operations requiring Õ(n) time. We also show that the technique for constructing our lattice-based schemes can be used to improve certain number-theoretic schemes. In particular, we are able to shorten the length of the signatures that are produced by Girault's factoring-based digital signature scheme ([10, 11, 31]).