Results 1-10 of 52
On-the-fly verification of rateless erasure codes for efficient content distribution
In Proceedings of the IEEE Symposium on Security and Privacy, 2004
Cited by 89 (4 self)
Abstract — The quality of peer-to-peer content distribution can suffer when malicious participants intentionally corrupt content. Some systems using simple block-by-block downloading can verify blocks with traditional cryptographic signatures and hashes, but these techniques do not apply well to more elegant systems that use rateless erasure codes for efficient multicast transfers. This paper presents a practical scheme, based on homomorphic hashing, that enables a downloader to perform on-the-fly verification of erasure-encoded blocks.
Transitive Signature Schemes
In Proceedings of RSA 2002, volume 2271 of LNCS, 2002
Cited by 50 (8 self)
We consider the problem of finding public-key digital signature schemes with a transitive-closure property for signing the vertices and edges of a (directed or undirected) finite graph. More precisely, we want the property that if Alice has signed edge (u, v) and she has also signed the edge (v, w) then Bob (or anyone) can derive from those two signatures Alice's signature on the edge (u, w). We present an efficient solution for undirected graphs, and leave the case for directed graphs as an open problem.
Signing a Linear Subspace: Signature Schemes for Network Coding
Cited by 38 (8 self)
Abstract. Network coding offers increased throughput and improved robustness to random faults in completely decentralized networks. In contrast to traditional routing schemes, however, network coding requires intermediate nodes to modify data packets en route; for this reason, standard signature schemes are inapplicable and it is a challenge to provide resilience to tampering by malicious nodes. Here, we propose two signature schemes that can be used in conjunction with network coding to prevent malicious modification of data. In particular, our schemes can be viewed as signing linear subspaces in the sense that a signature σ on V authenticates exactly those vectors in V. Our first scheme is homomorphic and has better performance, with both public key size and per-packet overhead being constant. Our second scheme does not rely on random oracles and uses weaker assumptions. We also prove a lower bound on the length of signatures for linear subspaces showing that both of our schemes are essentially optimal in this regard.
Append-only signatures
In International Colloquium on Automata, Languages and Programming, 2005
Cited by 35 (10 self)
Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “side-channel attacks” which exploit leakage of information about the secret internal state. In this work we put forward the notion of “leakage-resilient signatures,” which strengthens the standard security notion by giving the adversary the additional power to learn a bounded amount of arbitrary information about the secret state that was accessed during every signature generation. This notion naturally implies security against all side-channel attacks as long as the amount of information leaked on each invocation is bounded and “only computation leaks information.” The main result of this paper is a construction which gives a (tree-based, stateful) leakage-resilient signature scheme based on any 3-time signature scheme. The amount of information that our scheme can safely leak per signature generation is 1/3 of the information the underlying 3-time signature scheme can leak in total. Signature schemes that remain secure even if a bounded total amount of information is leaked were recently constructed, hence instantiating our construction with these schemes gives the first constructions of provably secure leakage-resilient signature schemes. The above construction assumes that the signing algorithm can sample truly random bits, and thus an implementation would need some special hardware (randomness gates). Simply generating this randomness using a leakage-resilient stream-cipher will in general not work. Our second contribution is a sound general principle to replace uniform random bits in any leakage-resilient construction with pseudorandom ones: run two leakage-resilient stream-ciphers (with independent keys) in parallel and then apply a two-source extractor to their outputs.
Homomorphic signatures for polynomial functions
2010
Cited by 26 (4 self)
We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Previous systems for computing on signed data could only handle linear operations. For polynomials of constant degree, the length of a derived signature only depends logarithmically on the size of the data set. Our system uses ideal lattices in a way that is a “signature analogue” of Gentry’s fully homomorphic encryption. Security is based on hard problems on ideal lattices similar to those in Gentry’s system.
Content Extraction Signatures
In International Conference on Information Security and Cryptology ICISC 2001, volume 2288 of LNCS, 2001
Cited by 19 (2 self)
Motivated by emerging needs in online interactions, we define a new type of digital signature called a ‘Content Extraction Signature’ (CES). A CES allows the owner, Bob, of a document signed by Alice, to produce an ‘extracted signature’ on selected extracted portions of the original document, which can be verified to originate from Alice by any third party Cathy, while hiding the unextracted (removed) document portions. The new signature therefore achieves verifiable content extraction with minimal multi-party interaction. We specify desirable functional and security requirements for a CES (including an efficiency requirement: a CES should be more efficient in either computation or communication than the simple multiple signature solution). We propose and analyze four CES constructions which are provably secure with respect to known cryptographic assumptions and compare their performance characteristics.
Transitive signatures based on factoring and RSA
In ASIACRYPT ’02, volume 2501 of LNCS, 2002
Cited by 19 (2 self)
Abstract. We present novel realizations of the transitive signature primitive introduced by Micali and Rivest [12], and also provide an answer to an open question they raise regarding the security of their RSA-based scheme. Our schemes provide performance improvements over the scheme of [12].
Private Matching
Computer Security in the 21st Century, 2005
"... Sharp lower bound for the total number of ..."
Generalized key delegation for hierarchical identity-based encryption
In ESORICS 2007, volume 4734 of LNCS, 2005
Cited by 12 (0 self)
In this paper, we introduce a new primitive called identity-based encryption with wildcard key derivation (WKD-IBE, or “wicked IBE”) that enhances the concept of hierarchical identity-based encryption (HIBE) by allowing more general key delegation patterns. A secret key is derived for a vector of identity strings, where entries can be left blank using a wildcard. This key can then be used to derive keys for any pattern that replaces wildcards with concrete identity strings. For example, one may want to allow the university’s head system administrator to derive secret keys (and hence the ability to decrypt) for all departmental sysadmin email addresses sysadmin@*.univ.edu, where * is a wildcard that can be replaced with any string. We provide appropriate security notions and provably secure instantiations with different trade-offs in terms of ciphertext size and efficiency. We also present a generic construction of identity-based broadcast encryption (IBBE) from any WKD-IBE scheme. One of our instantiations yields an IBBE scheme with constant ciphertext size.
Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures
2010
Cited by 12 (2 self)
We propose a linearly homomorphic signature scheme that authenticates vector subspaces of a given ambient space. Our system has several novel properties not found in previous proposals: • It is the first such scheme that authenticates vectors defined over binary fields; previous proposals could only authenticate vectors with large or growing coefficients. • It is the first such scheme based on the problem of finding short vectors in integer lattices, and thus enjoys the worst-case security guarantees common to lattice-based cryptosystems. Our scheme can be used to authenticate linear transformations of signed data, such as those arising when computing mean and Fourier transform or in networks that use network coding. Our construction gives an example of a cryptographic primitive — homomorphic signatures over F2 — that can be built using lattice methods, but cannot currently be built using bilinear maps or other traditional algebraic methods based on factoring or discrete log type problems. Security of our scheme (in the random oracle model) is based on a new hard problem on lattices, called k-SIS, that reduces to standard average-case and worst-case lattice problems. Our formulation of the k-SIS problem adds to the “toolbox” of lattice-based cryptography and may be useful in constructing other lattice-based cryptosystems. As a second application of the new k-SIS tool, we construct an ordinary signature scheme and prove it k-time unforgeable in the standard model assuming the hardness of the k-SIS problem. Our construction can be viewed as “removing the random oracle” from the signatures of Gentry, Peikert, and Vaikuntanathan at the expense of only allowing a small number of signatures.