Secure hash-and-sign signatures without the random oracle, 1999
Cited by 121 (9 self)
We present a new signature scheme which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture. This scheme is not based on "signature trees", and instead it uses the so-called "hash-and-sign" paradigm. It is unique in that the assumptions made on the cryptographic hash function in use are well defined and reasonable (although non-standard). In particular, we do not model this function as a random oracle. We construct our proof of security in steps. First we describe and prove a construction which operates in the random oracle model. Then we show that the random oracle in this construction can be replaced by a hash function which satisfies some strong (but well defined!) computational assumptions. Finally, we demonstrate that these assumptions are reasonable, by proving that a function satisfying them exists under standard intractability assumptions.
Robustness Principles for Public Key Protocols, 1995
Cited by 116 (9 self)
We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited.
1 Introduction
Cryptographic protocols are typically used to identify a user to a computer system, to authenticate a transaction, or to set up a key. They typically involve the exchange of about 2-5 messages, and they are very easy to get wrong: bugs have been found in well known protocols years after they were first published. This is quite remarkable; after all, a protocol is a kind of program, and one would expect to get any other program of this size right by staring at it for a while. A number of remedies have been proposed. One approach is formal mathematical proof, and can range from systematic protocol verification techniques such as the BAN logic [BAN89] to the case-by-case reduction of security claims to the intractability of some problem such as factoring. Anot...
Towards realizing random oracles: Hash functions that hide all partial information, 1997
Cited by 104 (9 self)
The random oracle model is a very convenient setting for designing cryptographic protocols. In this idealized model all parties have access to a common, public random function, called a random oracle. Protocols in this model are often very simple and efficient; also the analysis is often clearer. However, we do not have a general mechanism for transforming protocols that are secure in the random oracle model into protocols that are secure in real life. In fact, we do not even know how to meaningfully specify the properties required from such a mechanism. Instead, it is a common practice to simply replace the random oracle, often without mathematical justification, with a `cryptographic hash function' (e.g., MD5 or SHA). Consequently, the resulting protocols have no meaningful proofs of security. We propose a research program aimed at rectifying this situation by means of identifying, and subsequently realizing, the useful properties of random oracles. As a first step, we introduce a new primitive that realizes a specific aspect of random oracles. This primitive, called oracle hashing, is a hash function that, like random oracles, `hides all partial information on its input'. A salient property of oracle hashing is that it is probabilistic: different applications to the same input result in different hash values. Still, we maintain the ability to verify whether a given hash value was generated from a given input. We describe constructions of oracle hashing, as well as applications where oracle hashing successfully replaces random oracles.
Perfectly One-Way Probabilistic Hash Functions
Cited by 73 (9 self)
Probabilistic hash functions that hide all partial information on their input were recently introduced. This new cryptographic primitive can be regarded as a function that offers "perfect one-wayness", in the following sense: Having access to the function value on some input is equivalent to having access only to an oracle that answers "yes" if the correct input is queried, and answers "no" otherwise. Constructions of this primitive (originally called oracle hashing and here renamed perfectly one-way functions) were given based on certain strong variants of the Diffie-Hellman assumption. In this work we present several constructions of perfectly one-way functions; some constructions are based on claw-free permutations, and others are based on any one-way permutation. One of our constructions is simple and efficient to the point of being attractive from a practical point of view.
Easy Come - Easy Go Divisible Cash, 1998
Cited by 70 (1 self)
Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto'95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only $O(\log N)$ computations for each of the withdrawal, payment and deposit procedures, where $N$ = (total coin value) / (smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at setup to make the system efficient. Incorporating "unlinkable" blinding only in the setup, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn, rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin. In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (setup, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto's result by 3 orders of magnitude, while the size of the coin remains about 300 Bytes, based on a 512-bit modulus. Moreover, the protocols are compatible with tracing methods used for "fair" or "revokable" anonymous cash.
Quantum Lower Bound for the Collision Problem, 2002
Cited by 58 (13 self)
The collision problem is to decide whether a function X : . . . , n} is one-to-one or two-to-one, given that one of these is the case. We show a lower bound of on the number of queries needed by a quantum computer to solve this problem with bounded error probability. The best known upper bound is O , but obtaining any lower bound better than $\Omega(1)$ was an open problem since 1997. Our proof uses the polynomial method augmented by some new ideas. We also give a lower bound for the problem of deciding whether two sets are equal or disjoint on a constant fraction of elements. Finally we give implications of these results for quantum complexity theory.
HAVAL - A One-Way Hashing Algorithm with Variable Length of Output, 1993
Cited by 51 (17 self)
A one-way hashing algorithm is a deterministic algorithm that compresses an arbitrarily long message into a value of specified length. The output value represents the fingerprint or digest of the message. A cryptographically useful property of a one-way hashing algorithm is that it is infeasible to find two distinct messages that have the same fingerprint. This paper proposes a one-way hashing algorithm called HAVAL. HAVAL compresses a message of arbitrary length into a fingerprint of 128, 160, 192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the number of passes in which a message block (of 1024 bits) is processed. A message block can be processed in 3, 4 or 5 passes. By combining output length with pass count, we can provide fifteen (15) choices for practical applications where different levels of security are required. The algorithm is very efficient and particularly suited for 32-bit computers, which predominate in the current workstation market. Experiments show that HAVAL is 60%...
A composition theorem for universal one-way hash functions, In Eurocrypt '00, 2000
Cited by 45 (5 self)
In this paper we present a new scheme for constructing universal one-way hash functions that hash arbitrarily long messages out of universal one-way hash functions that hash fixed-length messages. The new construction is extremely simple and is also very efficient, yielding shorter keys than previously proposed composition constructions.
An Efficient Existentially Unforgeable Signature Scheme and its Applications, Journal of Cryptology, 1994
Cited by 45 (5 self)
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$ where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto'94. IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32000321. Email: dwork@almaden.ibm.com. Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...