Results 1  10
of
62
Secure Identity Based Encryption without Random Oracles
, 2004
"... We present a fully secure identity based encryption scheme whose proof of security does not rely on the random oracle heuristic. Security is based on the decisional bilinear DiffieHellman assumption. Previous constructions of this type incured a large penatly factor in the security reduction from t ..."
Abstract

Cited by 103 (9 self)
 Add to MetaCart
We present a fully secure identity based encryption scheme whose proof of security does not rely on the random oracle heuristic. Security is based on the decisional bilinear DiffieHellman assumption. Previous constructions of this type incured a large penatly factor in the security reduction from the underlying complexity assumption. The security reduction of the present system is polynomial in all the parameters.
Another Look at “Provable Security"
, 2004
"... We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common ..."
Abstract

Cited by 61 (12 self)
 Add to MetaCart
We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of publickey systems has been an important theme of researchers. But we argue that the theoremproof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is selfcontained and as jargonfree as possible.
Simulationsound nizk proofs for a practical language and constant size group signatures
, 2006
"... Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP ..."
Abstract

Cited by 45 (9 self)
 Add to MetaCart
Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NPcomplete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulationsound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
A.: On notions of security for deterministic encryption, and efficient constructions without random oracles. Full version of this paper
, 2008
"... Abstract. The study of deterministic publickey encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible ” notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encr ..."
Abstract

Cited by 45 (0 self)
 Add to MetaCart
Abstract. The study of deterministic publickey encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible ” notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is apriori hardtoguess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for many practical applications. We show equivalence of this definition to singlemessage and indistinguishabilitybased ones, which are easier to work with. Then we give general constructions of both chosenplaintext (CPA) and chosenciphertextattack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard numbertheoretic assumptions. Our constructions build on the recentlyintroduced framework of Peikert and Waters (STOC ’08) for constructing CCAsecure probabilistic encryption schemes, extending it to the deterministicencryption setting as well.
From identification to signatures via the FiatShamir transform: Minimizing assumptions for security and forwardsecurity
 Proceedings of Eurocrypt 2002, volume 2332 of LNCS
, 2002
"... The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, ..."
Abstract

Cited by 32 (5 self)
 Add to MetaCart
The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forwardsecure cases. Specifically, it is shown that the signature scheme is secure (resp. forwardsecure) against chosenmessage attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forwardsecure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the FiatShamir transform so that the commitment space assumption may be removed. Keywords: Signature schemes, identification schemes, FiatShamir transform, forward security,
Fully anonymous group signatures without random oracles
 In ASIACRYPT 2007, volume 4833 of LNCS
, 2007
"... We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in par ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.
Efficient Identitybased Signatures Secure in the Standard Model
 In: ACISP 2006, LNCS 4058
, 2006
"... Abstract. The only known construction of identitybased signatures that can be proven secure in the standard model is based on the approach of attaching certificates to nonidentitybased signatures. This folklore construction method leads to schemes that are somewhat inefficient and leaves open the ..."
Abstract

Cited by 24 (1 self)
 Add to MetaCart
Abstract. The only known construction of identitybased signatures that can be proven secure in the standard model is based on the approach of attaching certificates to nonidentitybased signatures. This folklore construction method leads to schemes that are somewhat inefficient and leaves open the problem of finding more efficient direct constructions. We present the first such construction. Our scheme is obtained from a modification of Waters ’ recently proposed identitybased encryption scheme. It is computationally efficient and the signatures are short. The scheme’s security is proven in the standard model and rests on the hardness of the computational DiffieHellman problem in groups equipped with a pairing. 1
Discretelogbased signatures may not be equivalent to discrete log
 ASIACRYPT 2005, LNCS 3788
, 2005
"... Abstract. We provide evidence that the unforgeability of several discretelog based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature wellknown proofs standing in weakened proof methodologies, in particular proofs e ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
Abstract. We provide evidence that the unforgeability of several discretelog based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature wellknown proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle Model. Our impossibility proofs apply to many discretelogbased signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSAbased signatures like GQ. We stress that our work sheds more light on the provable (in)security of popular signature schemes but does not explicitly lead to actual attacks on these. 1
The Exact Security of an Identity Based Signature and its Applications
, 2004
"... This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the SakaiOgishiKasahara IBS that was recently proven secure by Bellare, ..."
Abstract

Cited by 23 (0 self)
 Add to MetaCart
This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the SakaiOgishiKasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that their modified SOKIBS scheme can be viewed as a onelevel instantiation of Gentry and Silverberg's alternative hierarchical IBS the exact security of which was never considered before. We also show that this signature is as secure as the onemore DiffieHellman problem. As an application, we propose a modification of Boyen's "Swiss Army Knife" identity based signature encryption (IBSE) that presents better security reductions and satisfies the same strong security requirements with a similar efficiency.
Efficient blind signatures without random oracles
 In Carlo Blundo and Stelvio Cimato, editors, SCN 2004
, 2004
"... Abstract. The only known blind signature scheme that is secure in the standard model [20] is based on general results about multiparty computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We dev ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
Abstract. The only known blind signature scheme that is secure in the standard model [20] is based on general results about multiparty computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is a significant result on its own, we devise and prove the security of a new variant for the CramerShoupFischlin signature scheme. We are able to show that for generating signatures, instead of using randomly chosen prime exponents one can securely use randomly chosen odd integer exponents which significantly simplifies the signature generating process. We obtain our blind signing function as a secure and efficient twoparty computation that cleverly exploits its algebraic properties and those of the Paillier encryption scheme. The security of the resulting signing protocol relies on the Strong RSA assumption and the hardness of decisional composite residuosity; we stress that it does not rely on the existence of random oracles. 1