Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles
2007
Abstract

Cited by 14 (1 self)
We show how the Fiat-Shamir transform can be used to convert three-move identification protocols into two-tier signature schemes (a primitive we define) with a proof of security that makes a standard assumption on the hash function rather than modeling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. We can show that numerous protocols have the required properties and so obtain numerous efficient two-tier schemes. Our first application is an efficient transform of any unforgeable signature scheme into a strongly unforgeable one, which uses as a tool any two-tier scheme. (This extends work of Boneh, Shen and Waters whose transform only applies to a limited class of schemes.) The second application is new one-time signature schemes that, compared to one-way function based ones of the same computational cost, have smaller key and signature sizes.
Proof-Carrying Data and Hearsay Arguments from Signature Cards
Abstract

Cited by 9 (6 self)
Design of secure systems can often be expressed as ensuring that some property is maintained at every step of a distributed computation among mutually-untrusting parties. Special cases include integrity of programs running on untrusted platforms, various forms of confidentiality and side-channel resilience, and domain-specific invariants. We propose a new approach, proof-carrying data (PCD), which circumnavigates the threat of faults and leakage by reasoning about properties of the output data, independently of the preceding computation. In PCD, the system designer prescribes the desired properties of the computation’s outputs. Corresponding proofs are attached to every message flowing through the system, and are mutually verified by the system’s components. Each such proof attests that the message’s data and all of its history comply with the specified properties. We construct a general protocol compiler that generates, propagates and verifies such proofs of compliance, while preserving the dynamics and efficiency of the original computation. Our main technical tool is the cryptographic construction of short non-interactive arguments (computationally-sound proofs) for statements whose truth depends on “hearsay evidence”: previous arguments about other statements. To this end, we attain a particularly strong proof of knowledge. We realize the above, under standard cryptographic assumptions, in a model where the prover has black-box access to some simple functionality — essentially, a signature card.
Universal designated verifier signatures without random oracles or non-black-box assumptions
In SCN 06, volume 4116 of LNCS
2006
Abstract

Cited by 5 (0 self)
Universal designated verifier signatures (UDVS) were introduced in 2003 by Steinfeld et al. to allow signature holders to monitor the verification of a given signature in the sense that any plain signature can be publicly turned into a signature which is only verifiable by some specific designated verifier. Privacy issues, like non-dissemination of digital certificates, are the main motivations to study such primitives. In this paper, we propose two fairly efficient UDVS schemes which are secure (in terms of unforgeability and anonymity) in the standard model (i.e. without random oracles). Their security relies on algorithmic assumptions which are much more classical than the assumptions involved in the only two known UDVS schemes in the standard model to date. The latter schemes, put forth by Zhang et al. in 2005 and Vergnaud in 2006, rely on the Strong Diffie-Hellman assumption and the strange-looking knowledge of exponent assumption (KEA). Our schemes are obtained from Waters’s signature and they do not need the KEA assumption. They are also the first random-oracle-free constructions with the anonymity property.
Generic Transformation to Strongly Unforgeable Signatures
In ACNS’07, LNCS 4521
2007
Abstract

Cited by 4 (0 self)
Recently, several generic transformation techniques have been proposed for converting unforgeable signature schemes (the message in the forgery has not been signed yet) into strongly unforgeable ones (the message in the forgery could have been signed previously). Most of the techniques are based on trapdoor hash functions and all of them require adding supplementary components onto the original key pair of the signature scheme. In this paper, we propose a new generic transformation which converts any unforgeable signature scheme into a strongly unforgeable one, and also keeps the key pair of the signature scheme unchanged. Our technique is based on strong one-time signature schemes. We show that they can be constructed efficiently from any one-time signature scheme that is based on one-way functions. The performance of our technique also compares favorably with that of the trapdoor-hash-function-based ones. In addition, this new generic transformation can also be used for attaining strongly unforgeable signature schemes in other cryptographic settings, which include certificateless signature, identity-based signature, and several others. To the best of our knowledge, a similar extent of versatility is not known to be supported by any of the comparable techniques. Finally, and of independent interest, we show that our generic transformation technique can be modified into an online/offline signature scheme, which possesses a very efficient signing process.
Circular chosen-ciphertext security with compact ciphertexts
2012
Abstract

Cited by 4 (0 self)
A key-dependent message (KDM) secure encryption scheme is secure even if an adversary obtains encryptions of messages that depend on the secret key. Such key-dependent encryptions naturally occur in scenarios such as hard-disk encryption, formal cryptography, or in specific protocols. However, there are not many provably secure constructions of KDM-secure encryption schemes. Moreover, only one construction, due to Camenisch, Chandran, and Shoup (Eurocrypt 2009), is known to be secure against active (i.e., CCA) attacks. In this work, we construct the first public-key encryption scheme that is KDM-secure against active adversaries and has compact ciphertexts. As usual, we allow only circular key dependencies, meaning that encryptions of arbitrary secret keys under arbitrary public keys are considered in a multi-user setting. Technically, we follow the approach of Boneh, Halevi, Hamburg, and Ostrovsky (Crypto 2008) to KDM security, which however only achieves security against passive adversaries. We explain an inherent problem in adapting their techniques to active security, and resolve this problem using a new technical tool called “lossy algebraic filters” (LAFs). We stress that we significantly deviate from the approach of Camenisch, Chandran, and Shoup to obtain KDM security against active adversaries. This allows us to develop a scheme with compact ciphertexts that consist only of a constant number of group elements.
All-but-many lossy trapdoor functions
In EUROCRYPT
2012
Abstract

Cited by 4 (2 self)
We put forward a generalization of lossy trapdoor functions (LTFs). Namely, all-but-many lossy trapdoor functions (ABM-LTFs) are LTFs that are parametrized with tags. Each tag can either be injective or lossy, which leads to an invertible or a lossy function. The interesting property of ABM-LTFs is that it is possible to generate an arbitrary number of lossy tags by means of a special trapdoor, while it is not feasible to produce lossy tags without this trapdoor. Our definition and construction can be seen as generalizations of all-but-one LTFs (due to Peikert and Waters) and all-but-N LTFs (due to Hemenway et al.). However, to achieve ABM-LTFs (and thus a number of lossy tags which is not bounded by any polynomial), we have to employ some new tricks. Concretely, we give two constructions that use “disguised” variants of the Waters, resp. Boneh-Boyen signature schemes to make the generation of lossy tags hard without the trapdoor. In a nutshell, lossy tags simply correspond to valid signatures. At the same time, tags are disguised (i.e., suitably blinded) to keep lossy tags indistinguishable from injective tags. ABM-LTFs are useful in settings in which there are a polynomial number of adversarial challenges (e.g., challenge ciphertexts). Specifically, building on work by Hemenway et al., we show that ABM-LTFs can be used to achieve selective opening security against chosen-ciphertext attacks. One of our ABM-LTF constructions thus yields the first SO-CCA secure encryption scheme with compact ciphertexts (O(1) group elements) whose efficiency does not depend on the number of challenges. Our second ABM-LTF construction yields an IND-CCA (and in fact SO-CCA) secure encryption scheme whose security reduction is independent of the number of challenges and decryption queries.
Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home
2009
Abstract

Cited by 3 (1 self)
In wireless roaming a mobile device obtains a service from some foreign network while being registered for the same service at its own home network. However, recent proposals try to keep the service provider role behind the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device are sent to and answered directly by the home network. Such Wireless Roaming via Tunnels (WRT) offers several (security) benefits but also poses new security challenges for authentication and key establishment, as the goal is not only to protect the end-to-end communication between the tunnel peers but also the tunnel itself. In this paper we formally specify mutual authentication and key establishment goals for WRT and propose an efficient and provably secure protocol that can be used to secure such roaming sessions. Additionally, we describe some modular protocol extensions to address resistance against DoS attacks, anonymity of the mobile device and unlinkability of its roaming sessions, as well as the accounting claims of the foreign network in commercial scenarios.
One-time Signatures and Chameleon Hash Functions
Abstract

Cited by 3 (0 self)
In this work we show a general construction for transforming any chameleon hash function to a strongly unforgeable one-time signature scheme. Combined with the result of [Bellare and Ristov, PKC 2007], this also implies a general construction of strongly unforgeable one-time signatures from Σ-protocols in the standard model. Our results explain and unify several works in the literature which either use chameleon hash functions or one-time signatures, by showing that several of the constructions in the former category can be interpreted as efficient instantiations of those in the latter. They also imply that any “noticeable” improvement to the efficiency of constructions for chameleon hash functions leads to similar improvements for one-time signatures. This makes such improvements challenging since the efficiency of one-time signatures has been studied extensively. We further demonstrate the usefulness of our general construction by studying and optimizing specific instantiations based on the hardness of factoring, the discrete-log problem, and worst-case lattice-based assumptions. Some of these signature schemes match or improve the efficiency of the best previous constructions or relax the underlying hardness assumptions. Two of the schemes have very fast signing (no exponentiations), which makes them attractive in scenarios where the signer has limited computational resources.
Formal Security Treatments for IBE-to-Signature Transformation: Relations among Security Notions. Cryptology ePrint Archive, Report 2007/030. Available at http://eprint.iacr.org/2007/030
Abstract

Cited by 2 (0 self)
In a seminal paper on identity-based encryption (IBE), Boneh and Franklin [BF01] mentioned an interesting transform from an IBE scheme to a signature scheme, which was observed by Moni Naor. In this paper, we give formal security treatments for this transform and discover several implications and separations among security notions of IBE and the transformed signature. For example, we show that for such a transform to succeed, one-wayness of IBE is an essential condition. Additionally, we give a sufficient and necessary condition for converting a semantically secure IBE scheme into an existentially unforgeable signature scheme. Our results help establish strategies for the design and automatic security proof of signature schemes from (possibly weak) IBE schemes. We also show some separation results which strongly support that one-wayness, rather than semantic security, of IBE captures an essential condition for achieving secure signatures.
Nominative signature: Application, security model and construction. Cryptology ePrint Archive
Abstract

Cited by 1 (1 self)
Since the introduction of nominative signature in 1996, only a few schemes have been proposed and all of them have already been found flawed. In addition, no formal security model has been defined. Even more problematic, no convincing application has been proposed. Due to these problems, research on nominative signature has almost stalled, and it is unknown whether a secure nominative signature scheme can be built or whether an application exists for it. In this paper, we give positive answers to these problems. First, we illustrate that nominative signature is a better tool for building user certification systems, which were originally believed to be best implemented using a universal designated-verifier signature. Second, we propose a formal definition and a rigorous set of adversarial models for nominative signature. Third, we show that Chaum’s undeniable signature can be transformed efficiently into a nominative signature and prove its security.