Results 1 - 10 of 59
Short signatures from the Weil pairing
2001
Cited by 460 (28 self)
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyper-elliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
The secure remote password protocol
In Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, 1998
Cited by 155 (2 self)
This paper presents a new password authentication and key-exchange protocol suitable for authenticating users and exchanging keys over an untrusted network. The new protocol resists dictionary attacks mounted by either passive or active network intruders, allowing, in principle, even weak passphrases to be used safely. It also offers perfect forward secrecy, which protects past sessions and passwords against future compromises. Finally, user passwords are stored in a form that is not plaintext-equivalent to the password itself, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host. This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and offers significantly improved performance over comparably strong extended methods that resist stolen-verifier attacks such as Augmented EKE or B-SPEKE.
Efficient Identity Based Signature Schemes Based on Pairings
SAC 2002, LNCS 2595, 2002
Cited by 122 (2 self)
We develop an efficient identity based signature scheme based on pairings whose security relies on the hardness of the Diffie-Hellman problem in the random oracle model. We describe how this scheme is obtained as a special version of a more general generic scheme which yields further new provably secure identity based signature schemes if pairings are used. The generic scheme also includes traditional public key signature schemes. We further discuss issues of key escrow and the distribution of keys to multiple trust authorities. The appendix contains a brief description of the relevant properties of supersingular elliptic curves and the Weil and Tate pairings.
Digital Signcryption or How to Achieve Cost(Signature
1997
Cited by 106 (18 self)
Abstract. Secure and authenticated message delivery/storage is one of the major aims of computer and communication security research. The current standard method to achieve this aim is “(digital) signature followed by encryption”. In this paper, we address a question on the cost of secure and authenticated message delivery/storage, namely, whether it is possible to transport/store messages of varying length in a secure and authenticated way with an expense less than that required by “signature followed by encryption”. This question seems to have never been addressed in the literature since the invention of public key cryptography. We then present a positive answer to the question. In particular, we discover a new cryptographic primitive termed as “signcryption” which simultaneously fulfills both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by “signature followed by encryption”. For typical security parameters for high level security applications (size of public moduli = 1536 bits), signcryption costs 50% (31%, respectively) less in computation time and 85% (91%, respectively) less in message expansion than does “signature followed by encryption” based on the discrete logarithm problem (factorization problem, respectively).
Meta-ElGamal signature schemes
1994
Cited by 34 (12 self)
There have been many approaches in the past to generalize the ElGamal signature scheme. In this paper we integrate all these approaches in a Meta-ElGamal signature scheme. We also investigate some new types of variations, that haven't been considered before. By this method we obtain in our example settings numerous variants of the ElGamal scheme. From these variants, we can extract new, highly efficient signature schemes, which haven't been proposed before. As an example, we present efficient DSA-variants.
Meta-Message Recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications
1994
Cited by 29 (6 self)
There have been several approaches in the past to obtain signature schemes with appendix and signature schemes giving message recovery based on the discrete logarithm problem. Most of them can be embedded into a Meta-ElGamal and Meta-Message recovery scheme. In this paper we present the Meta-blind signature schemes which have been developed from the ElGamal based blind signature scheme and the message recovery blind signature scheme discovered recently. From our Meta-scheme we get various variants from which some are more efficient than the already known ones. They can be recommended for practical use. Then we give interesting applications of the Meta-Message recovery and Meta-Blind signature schemes like authentic encryption schemes, key distribution protocols and authentication schemes. Again, we can extract highly efficient variants.
Authentication and Key Agreement via Memorable Password
2001
Cited by 25 (6 self)
This paper presents a new password authentication and key agreement protocol called AMP in a provable manner. The intrinsic problem with password authentication is a password, associated with each user, has low entropy so that (1) the password is hard to transmit securely over an insecure channel and (2) the password file is hard to protect. Our solution to this complex problem is the amplified password proof idea along with the amplified password file. A party commits the high entropy information and amplifies her password with that information in the amplified password proof. She never shows any information except that she knows it for her proof. Our amplified password proof idea is similar to the zero-knowledge proof in that sense. A server stores amplified verifiers in the amplified password file that is secure against a server file compromise and a dictionary attack. AMP mainly provides the password-verifier based authentication and the Diffie-Hellman based key agreement, securely and efficiently. AMP is simple and actually the most efficient protocol among the related protocols.
Efficient Group Signatures without Trapdoors
2002
Cited by 24 (1 self)
Group signature schemes are fundamental cryptographic tools that enable unlinkably anonymous authentication, in the same fashion that digital signatures provide the basis for strong authentication protocols. In this paper we present the first group signature scheme with constant-size parameters that does not employ any trapdoor function. This novel type of group signature scheme allows public parameters to be shared among organizations. Such sharing represents a highly desirable simplification over existing schemes, which require each organization to maintain a separate cryptographic domain.
The Limited Verifier Signature and Its Application
1999
Cited by 15 (0 self)
Introduction In ordinary digity signatU8 schemes, anyone can verify signatUPR wit signer's public key. However it is not necessary for anyonet be convinced a just(WUP tus of signer's dishonorable message such as a bill.It is enough for a receiver onlyt prove ajustRUPR7BN of tf signat(R if tU signer doesnot execut a contnURB Undeniablesignatbl schemes [2] or tU limitB verifier signatUR scheme [9] include suchprot cols as only a limit( verifier can be convincedit Ourt ypical applicatW ( oft8 limitU verifiersignatNJ scheme is tU case where a receiver is acredit company and a signer is a user. Thecredit company willtl t keep user's privacy in ordert get user's ter's provided a user executJ te contnUNR In such a sitRWWUP ourlimit7 verifier signatW8 scheme will be shown t be more efficient tie undeniablesignatab schemeswit respect t computW((8 cost Thereexist messages such as o#cial document which will befirst tstR) aslimit8 verifier signatign but aftn a few years as ordinarydigitr

