Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees, 1997
Cited by 172 (0 self)
Abstract: One-way accumulators, introduced by Benaloh and de Mare, can be used to accumulate a large number of values into a single one, which can then be used to authenticate every input value without the need to transmit the others. However, the one-way property is not sufficient for all applications. In this paper, we generalize the definition of accumulators and define and construct a collision-free subtype. As an application, we construct a fail-stop signature scheme in which many one-time public keys are accumulated into one short public key. In contrast to previous constructions with tree authentication, the length of both this public key and the signatures can be independent of the number of messages that can be signed.
1 Introduction. The security of digital signature schemes depends on so-called computational assumptions, e.g., the factoring assumption. If somebody can break the assumption on which the system is based, and if he can therefore get the private key of the signer, h...
New Generation of Secure and Practical RSA-based Signatures, 1996
Cited by 38 (1 self)
Abstract: For most digital signature schemes used in practice, such as ISO 9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash functions, are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
Some Timestamping Protocol Failures, 1998
Cited by 17 (1 self)
Abstract: Protocol failures are presented for two timestamping schemes. These failures emphasize the importance and difficulty of implementing a secure protocol even though there exist secure underlying algorithms. As well, they indicate the importance of clearly defining the goals for a protocol. For the scheme of Benaloh and de Mare (Eurocrypt '93), it is shown that although an indication of time can be included during the computation of the timestamp, the verification of the timestamp does not allow for the recovery of this temporal measure. For the scheme of Haber and Stornetta (Journal of Cryptology '91), we demonstrate how a collusion attack between a single user and a timestamping service allows for the backdating of timestamps. This attack is successful despite the claim that the timestamping service need not be trusted. For each of these schemes we discuss methods for improvement.
Unclonable group identification, in EUROCRYPT, volume 4004 of LNCS, 2006
Cited by 16 (0 self)
Abstract: We introduce and motivate the concept of unclonable group identification, which provides maximal protection against sharing of identities while still protecting the anonymity of users. We prove that the notion can be realized from any one-way function and suggest a more efficient implementation based on specific assumptions.
Integrating Timestamping and Notarization, 1999
Cited by 8 (2 self)
Abstract: In this thesis, we examine the current state of the most widely used public key infrastructure model and secure timestamping systems. We begin by giving an overview of the evolution of the timestamping techniques to show the direction of research. We identify some problems in PKI and timestamping that need solutions in practice. The problems are not very bad today but are becoming worse as time goes on and people start using these services more and more. Both problems are essentially scalability problems. We show a simple and known solution attempt to the problem with PKI. The solution doesn't work either but gives a hint for building a working solution. Using the hints we present a working solution for the PKI problem. The new protocol eliminates certificate revocation lists and reduces the number of time stamps required, since no time stamps are needed any more for the PKI itself. We also point out the similarities between the new system and some existing timestamping systems. We an...
M. Prandini, A Novel Approach to On-Line Status Authentication of Public Key Certificates, in Proc. of the 16th Annual Computer Security Applications Conference, 2000
Cited by 7 (0 self)
Abstract: The widespread use of public networks, such as the Internet, for the exchange of sensitive data, like legally valid documents and business transactions, poses severe security constraints. The approach relying on public-key certificates certainly represents a valuable solution from the viewpoint of data integrity and authentication. The effectiveness of the approach, however, may be arguable, especially when a trivial strategy is adopted within a Public-Key Infrastructure (PKI) to deal with the problem of revoked certificates. This paper presents a novel certificate status handling scheme, based on a purposely-conceived extension of the One-Way Accumulator (OWA) cryptographic primitive. The distinguishing characteristic of the devised OWA-based Revocation Scheme (ORS) is that it exploits a single directory-signed proof to collectively authenticate the status of all the certificates handled by a Certification Authority (CA) within a PKI. A thorough investigation of the attainable performance shows that ORS exhibits the same features as the well-known Online Certificate Status Protocol (OCSP) as regards security, scalability and certificate status-updating timeliness, while at the same time drastically reducing the directory computational load that, in a high-traffic context, could be nearly unbearable when OCSP is applied.
Efficient certificate status handling within PKIs: an application to public administration services, Proc. of the 15th Annual Computer Security Applications Conference, pp., 1999
Cited by 5 (1 self)
Abstract: Public administrations show a strong interest in digital signature technology as a means for secure and authenticated document exchange, hoping it will help reduce paper-based transactions with citizens. The main problem posed by this technology is with the necessary public-key infrastructure, and in particular with certificate status handling. This paper describes the definition and deployment of a web-based environment suitable for offering administrative services to citizens and for accepting authenticated documents from citizens. The best features of two different certificate status handling schemes, namely CRL and OCSP, have been exploited within this environment to obtain a good balance between security, timeliness and efficiency.
Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations, in Proceedings of Advances in Cryptology - Asiacrypt 05, Lecture Notes in Computer Science 3788, 2005
Cited by 3 (1 self)
Abstract: We present generic frameworks for constructing efficient broadcast encryption schemes in the subset-cover paradigm, introduced by Naor et al., based on various key derivation techniques. Our frameworks characterize any instantiation completely by its underlying graph decompositions, which are purely combinatorial in nature. This abstracts away the security of each instantiated scheme, which is guaranteed by the generic one of the frameworks, and thus gives flexibility in designing schemes. Behind these are new techniques based on (trapdoor) RSA accumulators utilized to obtain practical performance. We then give some efficient instantiations from the frameworks. Our first construction improves the currently best schemes, including the one proposed by Goodrich et al., without any further assumptions (only pseudorandom generators are used) by some factors. The second instantiation, which is the most efficient, is instantiated based on RSA and directly improves the first scheme. Its ciphertext length is of order O(r), the key size is O(1), and its computational cost is O(n^{1/k} log^2 n) for any (arbitrarily large) constant k, where r and n are the number of revoked users and of all users respectively. To the best of our knowledge, this is the first explicit collusion-secure scheme in the literature that achieves both ciphertext size and key size independent of n simultaneously while keeping all other costs efficient, in particular sublinear in n. The third scheme improves Gentry and Ramzan's scheme, which itself is more efficient than the above schemes in the aspect of asymptotic computational cost.
K.: A Distributed time stamping scheme, Proc. of the conference on Signal Image Tech (SITIS '05), Cameroon, 2005
Cited by 2 (1 self)
Abstract: The aim of a timestamping system is to prove the existence of a digital document at a particular time in the past. Implemented timestamping systems are generally based on a centralized server model. However, the unique server may represent a weakness for the system. In this paper, we propose a distributed timestamping scheme which is more robust against a denial of service attack. Our protocol is based on a multisignature scheme. In order to be valid, timestamps need to be accepted by at least λ servers. The interesting point is that the size of the timestamp token does not depend on λ and that there is no publication process.
Fail-Stop Signatures Without Trees, Hildesheimer Informatik Berichte, Institut für Informatik, 1994
Cited by 1 (0 self)
Abstract: We construct the first fail-stop signature scheme where neither the signature length nor the length of the public key grows as a function of the number of messages that can be signed with one key. The computation needed for signing and testing is reduced similarly. This removes one of the main differences between the complexity of ordinary signature schemes and previous fail-stop signature schemes: in the latter, signatures were branches in an authentication tree, and their length is therefore logarithmic in the size of that tree. Our result also bridges the main gap between known lower and upper bounds on the complexity of fail-stop signature schemes. The construction is based on one-way accumulators.