Realizing hash-and-sign signatures under standard assumptions
In Advances in Cryptology – EUROCRYPT ’09, volume 5479 of LNCS, 2009
Abstract

Cited by 18 (6 self)
Currently, there are relatively few instances of “hash-and-sign” signatures in the standard model. Moreover, most current instances rely on strong and less studied assumptions such as the Strong RSA and q-Strong Diffie-Hellman assumptions. In this paper, we present a new approach for realizing hash-and-sign signatures in the standard model. In our approach, a signer associates each signature with an index i that represents how many signatures that signer has issued up to that point. Then, to make use of this association, we create simple and efficient techniques that restrict an adversary which makes q signature requests to forge on an index no greater than 2^⌈lg(q)⌉ < 2q. Finally, we develop methods for dealing with this restricted adversary. Our approach requires that the signer maintain a small amount of state: a counter of the number of signatures issued. We achieve two new realizations for hash-and-sign signatures respectively based on the RSA assumption and the Computational Diffie-Hellman assumption in bilinear groups.
Short and stateless signatures from the RSA assumption
In Proceedings of Advances in Cryptology, CRYPTO
Abstract

Cited by 14 (0 self)
We present the first signature scheme which is “short”, stateless and secure under the RSA assumption in the standard model. Prior short, standard model signatures in the RSA setting required either a strong complexity assumption such as Strong RSA or (recently) that the signer maintain state. A signature in our scheme is comprised of one element in Z_N^* and one integer. The public key is also short, requiring only the modulus N, one element of Z_N^*, one integer, one PRF seed and some short chameleon hash parameters. To design our signature, we employ the known generic construction of fully-secure signatures from weakly-secure signatures and a chameleon hash. We then introduce a new proof technique for reasoning about weakly-secure signatures. This technique enables the simulator to predict a prefix of the message on which the adversary will forge and to use knowledge of this prefix to embed the challenge. This technique has wider applications beyond RSA. We also use it to provide an entirely new analysis of the security of the Waters signatures: the only short, stateless signatures known to be secure under the Computational Diffie-Hellman assumption in the standard model.
High-speed high-security signatures
Abstract

Cited by 10 (4 self)
Abstract. This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
Tightly-secure signatures from lossy identification schemes
Abstract

Cited by 2 (0 self)
In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short Discrete Logarithm problem, while still maintaining the non-tight reduction to the computational version of the problem upon which the original scheme of Girault et al. is based. The second signature scheme we construct is a modification of the scheme of Lyubashevsky (Asiacrypt 2009) that is based on the worst-case hardness of the shortest vector problem in ideal lattices. And the third scheme is a very simple signature scheme that is based directly on the hardness of the Subset Sum problem. We also present a general transformation that converts what we term lossy identification schemes into signature schemes with tight security reductions. We believe that this greatly simplifies the task of constructing and proving the security of such signature schemes.
Factorization
Abstract
Abstract. This paper proves “tight security in the random-oracle model relative to factorization” for the lowest-cost signature systems available today: every hash-generic signature-forging attack can be converted, with negligible loss of efficiency and effectiveness, into an algorithm to factor the public key. The most surprising system is the “fixed unstructured B = 0 Rabin–Williams” system, which has a tight security proof despite hashing unrandomized messages.

B = number of bits of randomization of hash input

                            B large                  B = 1                 B = 0
Variable unstructured       tight security:          no security:          no security:
Rabin–Williams              Bellare–Rogaway ’96      easy attack           easy attack
Variable principal          tight security:          loose security:       loose security:
Rabin–Williams              this paper               this paper            this paper
Verifiable Data Streaming
A preliminary version appears in ACM Conference on Computer and Communications Security (CCS) 2012.
Abstract
Abstract. In a verifiable data streaming protocol, the client streams a long string to the server, who stores it in its database. The stream is verifiable in the sense that the server can neither change the order of the elements nor manipulate them. The client may also retrieve data from the database and update them. The content of the database is publicly verifiable such that any party in possession of some value s and a proof π can check that s is indeed in the database. We introduce the notion of verifiable data streaming and present an efficient instantiation that supports an exponential number of values based on general assumptions. Our main technique is an authentication tree in which the leaves are not fixed in advance, such that the user, knowing some trapdoor, can authenticate a new element on demand without pre- or recomputing all other leaves. We call this data structure a chameleon authentication tree (CAT). We instantiate our scheme with primitives that are secure under the discrete logarithm assumption. The algebraic properties of this assumption allow us to obtain a very efficient verification algorithm. As a second application of CATs, we present a new transformation from any one-time to many-time signature scheme that is more efficient than previously known solutions.
Short Signatures From Diffie-Hellman: Realizing Short Public Key
Abstract
Abstract. In EUROCRYPT 2005, Waters [42] proposed a signature scheme based on the computational Diffie-Hellman (DH) assumption without random oracles. His scheme is the first and sole signature scheme in the category of (hash-and-sign) signature schemes secure under the DH assumption in the standard model and has also been applied to the design of numerous protocols in various cryptographic areas. However, the Waters signature scheme suffered from a large public key of Θ(λ) group elements, where λ is the security parameter. Realizing a standard model DH-based signature scheme in which both the signature and the public key are short has been an open problem. We propose short signatures from the DH assumption which have a sublinear size public key. More precisely, our proposal produces a public key of Θ(√(λ / log λ)) group elements. Our construction is inspired by two techniques for short signatures: using programmable hashes [26] and using tags [27]. From these two previous techniques, we first derive a signature scheme with a somewhat short public key of Θ(λ / log λ), and then we develop a new technique for an asymmetric trade between the public key size and the signature size. In particular, by adding one field element in each signature, we can reduce the public key size to O(√(λ / log λ)) group elements, so that the resulting signature size is two group elements and two field elements. We also propose a variant by applying a technique for compressing tag vectors, so that the resulting signatures have a shorter signature size (two group elements and one field element) at the cost of higher signing/verification costs and a constant factor in public key size (that is, the public key size is still Θ(√(λ / log λ)) group elements). Note that we limit ourselves to dealing with only polynomial-time reductions in all security proofs.
Identity Based Deterministic Signature Scheme Without Forking Lemma
Abstract
Abstract. Since the discovery of identity based cryptography, a number of identity based signature schemes have been reported in the literature. Although a lot of identity based signature schemes have been proposed, the only identity based deterministic signature scheme was given by Javier Herranz. This signature scheme uses the Schnorr signature scheme for generating the private keys of the users and uses the BLS short signature scheme for generating users' signatures. The security of this scheme was proved in the random oracle model using the forking lemma. In this paper, we introduce a new identity based deterministic signature scheme and prove the security of the scheme in the random oracle model without the aid of the forking lemma. Hence, our scheme offers a tighter security reduction to the underlying hard problem than the existing identity based deterministic signature scheme.
High-speed high-security signatures
DOI 10.1007/s13389-012-0027-1, REGULAR PAPER
Abstract
© The Author(s) 2012. This article is published with open access at Springerlink.com
Abstract. This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys