Results 1-10 of 12
Security proofs for identity-based identification and signature schemes
In: Proc. EUROCRYPT 2004, Lecture Notes in Computer Science, 2004
Signature schemes with bounded leakage resilience
In: ASIACRYPT, 2009
Cited by 40 (1 self)
Abstract: A leakage-resilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (or possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n. We show a signature scheme tolerating (optimal) leakage of up to n − n^ε bits of information about the secret key, and a more efficient one-time signature scheme that tolerates leakage of (1/4 − ε)·n bits of information about the signer’s entire state. The latter construction extends to give a leakage-resilient t-time signature scheme. All these constructions are in the standard model under general assumptions.
Separable identity-based ring signatures: Theoretical foundations for fighting phishing attacks
2005
Cited by 15 (1 self)
Abstract: Email phishing attacks are one of today’s most common and costly forms of digital identity theft, where an adversary tricks a user into revealing their personal information by impersonating an established company. Such attacks could be mitigated with digitally-signed emails, if these signatures did not: (1) destroy the traditional repudiability of email, and (2) require the unrealistic, widespread adoption of a Public-Key Infrastructure (PKI). In order to overcome these obstacles, we introduce, define, and implement separable (a.k.a. cross-domain) identity-based ring signatures (SIBR, pronounced “cyber”, signatures). The ring structure of these signatures provides repudiability. With identity-based public keys, a full PKI is no longer required. Separability allows ring constructions across different identity-based master key domains. Together, these properties make SIBR signatures a practical solution to the email spoofing problem. Our construction yields a number of interesting components. First, we present several novel proofs of knowledge of bilinear map preimages. We then present new identity-based identification (IBI) and signature (IBS) schemes based on these proofs. We note how our constructions share system parameters with the existing identity-based encryption schemes of Boneh-Franklin and Waters, thereby forming complete identity-based cryptosystems. We finally construct the first SIBR signature schemes by transforming our new signature schemes and certain other signature schemes.
Bounded Tamper Resilience: How to go beyond the Algebraic
2013 (this is the full version)
Abstract: Related key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a priori unbounded number of certain algebraically induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in the case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below.
1. We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can also allow independent tampering with the public parameters.
Zero-Knowledge Proofs and Applications
Abstract: The material below covers two lectures on the beautiful and influential concept of zero-knowledge proofs. This notion, introduced by Goldwasser, Micali and Rackoff [GMR85], formalizes the idea of a proof that “yields nothing but its validity”. We will start by describing a simple running example, which will allow us to abstract away some basic properties. This will lead to the concept of Σ-protocols, and their application to construct secure identification schemes. Next, we will move to cryptographic applications. In particular we will show how to use zero-knowledge proofs to construct efficient (and provably secure) identification and signature schemes. Finally, we will formalize the definition of zero-knowledge and survey the main results about constructing zero-knowledge proofs for all NP. The topics covered and the exposition are inspired by [Dam10, HL10, Ven12].
Comments and Improvements on Chameleon Hashing Without Key Exposure Based on Factoring
Abstract: In this paper, we present some security flaws of the key-exposure free chameleon hash scheme based on factoring [9]. Besides, we propose an improved chameleon hash scheme without key exposure based on factoring which enjoys all the desired security notions of chameleon hashing.
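The "key exposure" that the entry above is about, shown on the classic discrete-log chameleon hash of Krawczyk and Rabin. This is an added example, not code from the paper, and it does not reproduce the factoring-based schemes the paper discusses; the group parameters are toy-sized assumptions chosen for readability. A chameleon hash lets the trapdoor holder find collisions at will, which is what makes chameleon signatures non-transferable, but in the basic scheme a single published collision hands the trapdoor to everyone, which is exactly the failure mode that "without key exposure" constructions set out to remove.

```python
import secrets

# Toy parameters, an assumption of this example rather than anything from the
# paper above: p = 2q + 1 with p = 2039 and q = 1019 both prime, and g = 4 a
# square mod p, hence a generator of the order-q subgroup. Real parameters are
# far larger; the small numbers only keep the arithmetic readable.
P, Q, G = 2039, 1019, 4


def keygen():
    """Trapdoor x (1 <= x < q) and public hash key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def chameleon_hash(y, m, r):
    """CH_y(m, r) = g^m * y^r mod p.  Without x, finding a collision is as hard
    as computing the discrete log of y."""
    return (pow(G, m % Q, P) * pow(y, r % Q, P)) % P


def forge(x, m, r, m2):
    """Trapdoor holder: randomness r2 with CH(m2, r2) == CH(m, r).
    g^m y^r = g^m2 y^r2  <=>  m + x*r = m2 + x*r2 (mod q)  =>  r2 = r + (m - m2)/x."""
    return (r + (m - m2) * pow(x, -1, Q)) % Q


def expose(m, r, m2, r2):
    """Key exposure: one collision on distinct messages lets anyone recover the
    trapdoor, since m + x*r = m2 + x*r2 gives x = (m - m2)/(r2 - r) (mod q)."""
    if (r2 - r) % Q == 0:
        raise ValueError("not a collision on distinct messages")
    return (m - m2) * pow((r2 - r) % Q, -1, Q) % Q


if __name__ == "__main__":
    x, y = keygen()
    m, r = 123, secrets.randbelow(Q)      # constructed sample input
    r2 = forge(x, m, r, 456)
    print("collision found:", chameleon_hash(y, m, r) == chameleon_hash(y, 456, r2))
    print("trapdoor recovered from it:", expose(m, r, 456, r2) == x)
```

The check to carry away: any scheme in which `forge` is available to the recipient must also make `expose` infeasible, otherwise the first disputed signature burns the recipient's key for every other signer who relied on it.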
Tamper Resilient Cryptography Without Self-Destruct
Abstract: We initiate a general study of schemes resilient to both tampering and leakage attacks. Tampering attacks are powerful cryptanalytic attacks where an adversary can change the secret state and observe the effect of such changes at the output. Our contributions are outlined below:
1. We propose a general construction showing that any cryptographic primitive where the secret key can be chosen as a uniformly random string can be made secure against bounded tampering and leakage. This holds in a restricted model where the tampering functions must be chosen from a set of bounded size after the public parameters have been sampled. Our result covers pseudorandom functions, and many encryption and signature schemes.
2. We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and/or obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can also allow independent tampering with the public parameters.
3. We show a bounded tamper and leakage resilient CCA secure public key cryptosystem
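The Okamoto identification scheme named in both tamper-resilience abstracts above, run as the three-move Σ-protocol that the zero-knowledge lecture notes in this list build identification schemes from, and then made into a signature with the Fiat-Shamir transform. This is an added example, not code from any of the listed papers; the group parameters are toy-sized assumptions, and the hash-to-challenge and transcript encoding are choices of this example, not a standard.

```python
import hashlib
import secrets

# Toy group parameters, an assumption of this example rather than anything from
# the listed papers: p = 2q + 1 with p = 2039 and q = 1019 both prime, and
# g1 = 4, g2 = 9 are squares mod p, so each generates the order-q subgroup.
# Real deployments use a >= 2048-bit group or an elliptic curve; the small
# numbers here only keep the arithmetic readable.
P, Q = 2039, 1019
G1, G2 = 4, 9


def keygen():
    """Okamoto key pair: secret (s1, s2), public h = g1^s1 * g2^s2 mod p.
    Every one of the q pairs (s1', s2') with the same h is a valid secret key."""
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s1, s2), (pow(G1, s1, P) * pow(G2, s2, P)) % P


def commit():
    """Prover's first move: fresh (r1, r2) and commitment a = g1^r1 * g2^r2."""
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (r1, r2), (pow(G1, r1, P) * pow(G2, r2, P)) % P


def respond(sk, rand, c):
    """Prover's third move on challenge c: z_i = r_i + c * s_i mod q."""
    (s1, s2), (r1, r2) = sk, rand
    return ((r1 + c * s1) % Q, (r2 + c * s2) % Q)


def verify(h, a, c, z):
    """Verifier's check: g1^z1 * g2^z2 == a * h^c mod p."""
    lhs = (pow(G1, z[0], P) * pow(G2, z[1], P)) % P
    return lhs == (a * pow(h, c, P)) % P


def identify(sk, h):
    """One interactive run of the Σ-protocol against an honest verifier."""
    rand, a = commit()
    c = secrets.randbelow(Q)          # the verifier picks the challenge
    return verify(h, a, c, respond(sk, rand, c))


def fs_challenge(h, a, msg):
    """Fiat-Shamir: the challenge is a hash of parameters, public key,
    commitment and message (encoding chosen for this example)."""
    transcript = f"{P}|{G1}|{G2}|{h}|{a}|".encode() + msg
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % Q


def sign(sk, h, msg):
    """Signature = (a, z) from a non-interactive run with the hashed challenge."""
    rand, a = commit()
    return a, respond(sk, rand, fs_challenge(h, a, msg))


def verify_sig(h, msg, sig):
    a, z = sig
    return verify(h, a, fs_challenge(h, a, msg), z)


def extract(a, c1, z1, c2, z2):
    """Special soundness: two accepting transcripts (a, c1, z1), (a, c2, z2)
    with c1 != c2 yield a witness, since z1 - z2 = (c1 - c2) * s mod q."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    inv = pow((c1 - c2) % Q, -1, Q)
    return ((z1[0] - z2[0]) * inv % Q, (z1[1] - z2[1]) * inv % Q)


def simulate(h):
    """Honest-verifier zero-knowledge: an accepting transcript built without
    the secret key by choosing c and z first and solving a = g1^z1 g2^z2 / h^c."""
    c = secrets.randbelow(Q)
    z = (secrets.randbelow(Q), secrets.randbelow(Q))
    a = (pow(G1, z[0], P) * pow(G2, z[1], P) * pow(h, -c, P)) % P
    return a, c, z


if __name__ == "__main__":
    sk, h = keygen()
    msg = b"constructed sample message"
    print("identification accepted:", identify(sk, h))
    print("signature verifies:", verify_sig(h, msg, sign(sk, h, msg)))
    rand, a = commit()
    z1, z2 = respond(sk, rand, 3), respond(sk, rand, 11)
    print("key extracted from two transcripts:", extract(a, 3, z1, 11, z2) == sk)
    print("simulated transcript verifies:", verify(h, *simulate(h)))
```

Two things worth reading off the code. `extract` is the special-soundness extractor, and it is also the practical warning: a signer that reuses (r1, r2) for two messages has answered two challenges on one commitment, and anyone holding both signatures recovers the key. `simulate` shows why the honest transcript leaks nothing to the verifier. The reason the two abstracts above single out Okamoto rather than plain Schnorr is visible in `keygen`: a public key h has q different valid secret keys, so even a key that has been partly leaked or tampered with is not pinned down by h, and that is the property their bounded-leakage and bounded-tampering arguments work with.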
A Survey on ID-Based Cryptographic Primitives
Cryptology ePrint Archive, Report 2005/094, 2005
Abstract: ID-based cryptosystems have been, for a few years, the most active area of research and are currently of great interest to the cryptographic society. In this work we survey three fundamental ID-based cryptographic primitives, Digital Signature, Encryption and Key Agreement, which are based on the mathematical concepts of Integer Factorization, Quadratic Residues and Bilinear Pairings. We review several schemes along with their efficiency and security considerations. The survey helps in understanding the research work carried out in the area of ID-based cryptosystems from the year 1984 to 2004.
Mercurial Commitments with Applications to Zero-Knowledge Sets
Abstract: We introduce a new flavor of commitment schemes, which we call mercurial commitments. Informally, mercurial commitments are standard commitments that have been extended to allow for soft decommitment. Soft decommitments, on the one hand, are not binding but, on the other hand, cannot be in conflict with true decommitments. We then demonstrate that a particular instantiation of mercurial commitments has been implicitly used by Micali, Rabin and Kilian to construct zero-knowledge sets. (A zero-knowledge set scheme allows a Prover to (1) commit to a set S in a way that reveals nothing about S and (2) prove to a Verifier, in zero-knowledge, statements of the form x ∈ S and x ∉ S.) The rather complicated construction of Micali et al. becomes easy to understand when viewed as a more general construction with mercurial commitments as an underlying building block. By providing mercurial commitments based on various assumptions, we obtain several different new zero-knowledge set constructions.
Contributors
2005
Abstract:
PP  Restricted to other programme participants (including the Commission services)
RE  Restricted to a group specified by the consortium (including the Commission services)
CO  Confidential, only for members of the consortium (including the Commission services)