Results 1  10
of
22
Another Look at “Provable Security"
, 2004
"... We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common ..."
Abstract

Cited by 61 (12 self)
 Add to MetaCart
We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of publickey systems has been an important theme of researchers. But we argue that the theoremproof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is selfcontained and as jargonfree as possible.
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 54 (5 self)
 Add to MetaCart
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1
Strongly unforgeable signatures based on computational diffiehellman
 In Public Key Cryptography
, 2006
"... Abstract. A signature system is said to be strongly unforgeable if the signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Strongly unforgeable signatures are used for constructing chosenciphertext secure systems and gro ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
Abstract. A signature system is said to be strongly unforgeable if the signature is existentially unforgeable and, given signatures on some message m, the adversary cannot produce a new signature on m. Strongly unforgeable signatures are used for constructing chosenciphertext secure systems and group signatures. Current efficient constructions in the standard model (i.e. without random oracles) depend on relatively strong assumptions such as StrongRSA or StrongDiffieHellman. We construct an efficient strongly unforgeable signature system based on the standard Computational DiffieHellman problem in bilinear groups. 1
Efficiency Improvements for Signature Schemes with Tight Security Reductions
, 2003
"... Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature leng ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature length of some recentlyproposed schemes: DiffieHellman signatures. Goh and Jarecki [18] recently analyzed a signature scheme which has a tight security reduction to the computational DiffieHellman problem. Unfortunately, their scheme is less efficient in both computation and bandwidth than previous schemes relying on the (related) discrete logarithm assumption. We present a modification of their scheme in which signing is 33% more efficient and signatures are 75% shorter; the security of this scheme is tightly related to the decisional DiffieHellman problem. PSS. The...
Identity based undeniable signatures
 Topics in Cryptology CTRSA 2004, LNCS 2964
, 2004
"... In this paper, we give a first example of identity based undeniable signature using pairings over elliptic curves. We extend to the identity based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003 and we prove that our scheme is existential ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
In this paper, we give a first example of identity based undeniable signature using pairings over elliptic curves. We extend to the identity based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003 and we prove that our scheme is existentially unforgeable under the Bilinear DiffieHellman assumption in the random oracle model. We also prove that it has the invisibility property under the Decisional Bilinear DiffieHellman assumption and we discuss about the efficiency of the scheme.
Designated Verifier Signatures: Anonymity and Efficient Construction from Any Bilinear Map
 Proc. of SCN’04, Springer LNCS
, 2004
"... Abstract. The concept of Designated Verifier Signatures (DVS) was introduced by Jakobsson, Sako and Impagliazzo at Eurocrypt’96. These signatures are intended to a specific verifier, who is the only one able to check their validity. In this context, we formalize the notion of privacy of signer’s ide ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
Abstract. The concept of Designated Verifier Signatures (DVS) was introduced by Jakobsson, Sako and Impagliazzo at Eurocrypt’96. These signatures are intended to a specific verifier, who is the only one able to check their validity. In this context, we formalize the notion of privacy of signer’s identity which captures the strong designated verifier property investigated in their paper. We propose a variant of the pairingbased DVS scheme introduced at Asiacrypt’03 by Steinfeld, Bull, Wang and Pieprzyk. Contrary to their proposal, our new scheme can be used with any admissible bilinear map, especially with the low cost pairings and achieves the new anonymity property (in the random oracle model). Moreover, the unforgeability is tightly related to the GapBilinear DiffieHellman assumption, in the random oracle model and the signature length is around 75 % smaller than the original proposal.
Communicationefficient noninteractive proofs of knowledge with online extractors
 In CRYPTO 2005
, 2005
"... marc.fischlin @ inf.ethz.ch ..."
Efficient Signcryption with Key Privacy from Gap DiffieHellman Groups
 PKC 2004. LNCS
, 2004
"... This paper proposes a new public key authenticated encryption (signcryption) scheme based on the DiffieHellman problem in Gap DiffieHellman groups. This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea is to introduce some randomness ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
This paper proposes a new public key authenticated encryption (signcryption) scheme based on the DiffieHellman problem in Gap DiffieHellman groups. This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea is to introduce some randomness into this signature to increase its level of security in the random oracle model and to reuse that randomness to perform encryption. This results in a signcryption protocol that is more efficient than any combination of that signature with an El Gamal like encryption scheme. The new scheme is also shown to satisfy really strong security notions and its strong unforgeability is tightly related to the DiffieHellman assumption in Gap DiffieHellman groups.
Efficient signature schemes with tight reductions to the DiffieHellman problems
 Journal of Cryptology
"... We propose and analyze two efficient signature schemes whose security is tightly related to the DiffieHellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational DiffieHellman problem; security of our second scheme — which is more efficient ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We propose and analyze two efficient signature schemes whose security is tightly related to the DiffieHellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational DiffieHellman problem; security of our second scheme — which is more efficient than the first — is based on the hardness of the decisional DiffieHellman problem, a stronger assumption. Given current state of the art, it is as difficult to solve the DiffieHellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can be also applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various numbertheoretic assumptions) with tight security reductions. 1
New Paradigms in Signature Schemes
, 2005
"... Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higherlevel protocols. Groups featuring a computable bilinear map are particularly well suited for signaturerelated primitives. For some signature variants the only con ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higherlevel protocols. Groups featuring a computable bilinear map are particularly well suited for signaturerelated primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinearmap–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the BonehLynnShacham (BLS) short signature scheme. BLS signatures with 1024bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present BonehGentryLynnShacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.