Results 1 - 10 of 12
Short Signatures without Random Oracles
2004
Cited by 265 (14 self)
Abstract
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
A Generalized Birthday Problem
In CRYPTO, 2002
Cited by 93 (0 self)
Abstract
We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values XOR to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography.
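The k = 4 case of the problem above, worked as an added example; this is not code from the paper, and every function and variable name is this example's own. It implements the two-level k-tree algorithm: merge L1 with L2, and L3 with L4, keeping only pairs whose XOR is zero on the low l = n/3 bits, then match the two intermediate lists on the remaining bits with an ordinary birthday lookup. The input is a constructed random instance. One caveat a user should keep in mind: the method finds some quadruple whose two halves already agree on the low l bits, which is why it needs lists of roughly 2^(n/3) entries; it will not locate an arbitrary planted solution, and expected_solutions() shows how the list size controls the number of hits.

```python
"""Wagner's k-tree algorithm for the 4-list XOR problem (added example).

Given lists L1..L4 of n-bit values, find x1 in L1, ..., x4 in L4 with
x1 ^ x2 ^ x3 ^ x4 == 0.  Two levels: merge L1 with L2 (and L3 with L4)
keeping only pairs whose XOR is 0 on the low l bits, then match the two
result lists on the remaining n - l bits.  With l = n/3 and lists of
about 2^(n/3) entries, time and memory are O(2^(n/3)) rather than the
O(2^(n/2)) of the plain two-list birthday search.
"""
import random
from collections import defaultdict

def merge_low_bits(a, b, l):
    """Pairs (a[i], b[j]) agreeing on the low l bits, as (a[i] ^ b[j], (i, j))."""
    mask = (1 << l) - 1
    buckets = defaultdict(list)
    for j, y in enumerate(b):
        buckets[y & mask].append(j)
    out = []
    for i, x in enumerate(a):
        for j in buckets.get(x & mask, ()):
            out.append((x ^ b[j], (i, j)))
    return out

def four_list_xor_zero(lists, n):
    """Indices (i1, i2, i3, i4) whose values XOR to zero, or None if none found."""
    l = n // 3
    left = merge_low_bits(lists[0], lists[1], l)
    right = merge_low_bits(lists[2], lists[3], l)
    # Every value in `left` and `right` is already 0 on the low l bits, so an
    # exact match here is a full n-bit XOR of zero: an ordinary birthday step.
    seen = {}
    for v, ij in left:
        seen.setdefault(v, ij)
    for v, kl in right:
        if v in seen:
            return seen[v] + kl
    return None

def expected_solutions(n, size):
    """Expected number of matches the k-tree step finds for 4 lists of `size`."""
    l = n // 3
    survivors = size * size / 2 ** l          # pairs kept per level-1 merge
    return survivors * survivors / 2 ** (n - l)

def make_instance(n, size, seed=0):
    """Constructed sample input: four lists of `size` uniformly random n-bit values."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(size)] for _ in range(4)]

def check_solution(lists, sol):
    """True if the chosen elements XOR to zero."""
    acc = 0
    for lst, i in zip(lists, sol):
        acc ^= lst[i]
    return acc == 0

if __name__ == "__main__":
    n = 36
    lists = make_instance(n, 1 << 13, seed=1)   # 2^13 entries: ~16 expected hits
    sol = four_list_xor_zero(lists, n)
    print(sol, check_solution(lists, sol) if sol else "none found")
```

Running the block prints one solution for a 36-bit instance with 2^13 entries per list. For k = 2^t lists the same merge step is applied t levels deep with l = n/(t+1), which is where the paper's general bound comes from; sizing the lists below 2^l makes the level-1 merges too sparse and the final match usually fails.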
(If) Size Matters: Size-Hiding Private Set Intersection
2011
Cited by 9 (2 self)
Abstract
Modern society is increasingly dependent on, and fearful of, the availability of electronic information. There are numerous examples of situations where sensitive data must be – sometimes reluctantly – shared between two or more entities without mutual trust. As often happens, the research community has foreseen the need for mechanisms to enable limited (privacy-preserving) sharing of sensitive information and a number of effective solutions have been proposed. Among them, Private Set Intersection (PSI) techniques are particularly appealing for scenarios where two parties wish to compute an intersection of their respective sets of items without revealing to each other any other information. Thus far, "any other information" has been interpreted to mean any information about items not in the intersection. In this paper, we motivate the need for Private Set Intersection with a stronger privacy property of hiding the size of the set held by one of the two entities ("client"). We introduce the notion of Size-Hiding Private Set Intersection (SHI-PSI) and propose an efficient construction secure under the RSA assumption in the Random Oracle Model. We also show that input size-hiding is attainable at very low additional cost.
Trust-Preserving Set Operations
Proceedings of INFOCOM, 2003
Cited by 8 (2 self)
Abstract
We describe a method of performing trust-preserving set operations by untrusted parties. Our motivation for this is the problem of securely reusing content-based search results in peer-to-peer networks. We model search results and indexes as data sets. Such sets have value for answering a new query only if they are trusted. In the absence of any system-wide security mechanism, a data set is trusted by a node a only if it was generated by some node trusted by a. Our main
Twin Signatures: An Alternative to the Hash-and-Sign Paradigm
2001
Cited by 6 (2 self)
Abstract
This paper introduces a simple alternative to the hash-and-sign paradigm called twinning. A twin signature is obtained by signing twice the same short message by a probabilistic signature scheme. Analysis of the concept in different settings yields the following results: We prove that no generic algorithm can efficiently forge a twin DSA signature. Although generic algorithms offer a less stringent form of security than computational reductions in the standard model, such successful proofs still produce positive evidence in favor of the correctness of the new paradigm.
New Online/Offline Signature Schemes without Random Oracles
Cryptology ePrint Archive, 2006
Cited by 5 (0 self)
Abstract
In this paper, we propose new signature schemes provably secure under the strong RSA assumption in the standard model. Our proposals utilize Shamir-Tauman's generic construction for building EF-CMA secure online/offline signature schemes from trapdoor commitments and less secure basic signature schemes. We introduce a new natural intractability assumption for hash functions, which can be interpreted as a generalization of second preimage collision resistance. Assuming the validity of this assumption, we are able to construct new signature schemes provably secure under the strong RSA assumption without random oracles. In contrast to Cramer-Shoup's signature scheme based on strong RSA in the standard model, no costly generation of prime numbers is required for the signer in our proposed schemes. Moreover, the security of our schemes relies on weaker assumptions placed on the hash function than Gennaro, Halevi and Rabin's solution.
Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results
Cited by 3 (0 self)
Abstract
This paper presents some theoretical and experimental results about offline/online digital signatures. The goal of this type of scheme is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient one-time signatures. Later Shamir and Tauman presented an alternative construction (which produces shorter signatures) by combining regular signatures with chameleon hash functions. We first unify the Shamir-Tauman and Even et al. approaches by showing that they can be considered different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is in effect a type of one-time signature which satisfies this weaker security notion. In the process we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call two-trapdoor) is a fully secure one-time signature. Finally we ran experimental tests using OpenSSL libraries to test the difference between the two approaches. In our implementation we make extensive use of the observation that offline/online digital signatures do not require collision-resistant hash functions to compress the message, but can be safely implemented with universal one-way hashing in both the offline and the online step. The main application of this observation is that both the steps can be applied to shorter digests. This has particular relevance if block-cipher- or hash-function-based one-time signatures are used, since these are very sensitive to the length of the message. Interestingly, we show that (mostly due to the above observation about hashing), the two approaches are comparable in efficiency and signature length.
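The Shamir-Tauman construction described in this abstract (and built on by the online/offline schemes of the previous entry), as an added example rather than code from either paper: a discrete-log chameleon hash CH(m, r) = g^m y^r mod p with trapdoor x (y = g^x), a Schnorr signature standing in for the "regular" scheme, and the two phases: offline, sign CH of a random dummy (m', r'); online, use x to compute the r that steers CH(H(M), r) onto the same hash value, so the online step costs one multiplication mod q and no exponentiation. The group is a toy 64-bit one generated at import time, every name is this example's own, and the final function shows why each offline token may be spent on exactly one message: two signatures from the same token give the trapdoor away, which is the one-time character the abstract points out.

```python
"""Shamir-Tauman online/offline signing from a chameleon hash (added example).
Toy 64-bit group p = 2q + 1 built with Miller-Rabin at import; Schnorr is the
base scheme; CH(m, r) = g^m * y^r mod p with trapdoor x, y = g^x; message
digests are SHA-256 mod q.  Real use needs a 256-bit group and a vetted library."""
import hashlib
import random

def is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin (assumes n >= 2)."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    s = ((n - 1) & -(n - 1)).bit_length() - 1   # n - 1 = d * 2^s, d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits, seed):
    """Deterministic toy group: safe prime p = 2q + 1 and a generator g of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)  # a square != 1 has order q
        if g != 1:
            return p, q, g

P, Q, G = make_group(64, seed=2002)

def h_mod_q(*parts):
    """SHA-256 over length-prefixed parts (bytes or ints), reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else part.to_bytes(32, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

# Base scheme: Schnorr over (P, Q, G); any EF-CMA secure signature would do.
def schnorr_sign(sk, msg_int, rng):
    k = rng.randrange(1, Q)
    e = h_mod_q(pow(G, k, P), msg_int)
    return e, (k + e * sk) % Q

def schnorr_verify(pk, msg_int, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, (Q - e) % Q, P) % P  # g^s * pk^-e == g^k
    return h_mod_q(r, msg_int) == e

# Chameleon hash: anyone can evaluate it; only the trapdoor holder finds collisions.
def ch_hash(y, m, r):
    return pow(G, m, P) * pow(y, r, P) % P

def ch_collide(x, m_old, r_old, m_new):
    """r_new such that ch_hash(y, m_new, r_new) == ch_hash(y, m_old, r_old)."""
    return (r_old + (m_old - m_new) * pow(x, -1, Q)) % Q

# Online/offline signing (Shamir-Tauman): one offline token per future message.
def offline_phase(sk, y, rng):
    """Message not yet known: sign the chameleon hash of a random dummy."""
    m_dummy, r_dummy = rng.randrange(Q), rng.randrange(Q)
    return m_dummy, r_dummy, schnorr_sign(sk, ch_hash(y, m_dummy, r_dummy), rng)

def online_phase(x, token, message):
    """Message known: one multiplication mod q, no exponentiation."""
    m_dummy, r_dummy, sig = token
    return ch_collide(x, m_dummy, r_dummy, h_mod_q(message)), sig

def verify(pk, y, message, signature):
    r, sig = signature
    return schnorr_verify(pk, ch_hash(y, h_mod_q(message), r), sig)

def recover_trapdoor(msg1, sig1, msg2, sig2):
    """Failure mode: one offline token spent on two messages leaks x."""
    (r1, _), (r2, _) = sig1, sig2
    return (h_mod_q(msg2) - h_mod_q(msg1)) * pow((r1 - r2) % Q, -1, Q) % Q

def demo(seed=7):
    """Returns (good signature verifies, wrong message rejected, reuse leaks trapdoor)."""
    rng = random.Random(seed)
    sk, pk = rng.randrange(1, Q), None
    pk = pow(G, sk, P)
    x = rng.randrange(1, Q)                      # chameleon trapdoor
    y = pow(G, x, P)                             # its public key
    token = offline_phase(sk, y, rng)
    sig1 = online_phase(x, token, b"pay alice 10")
    sig2 = online_phase(x, token, b"pay mallory 10")   # reusing the token: wrong!
    return (verify(pk, y, b"pay alice 10", sig1),
            verify(pk, y, b"pay mallory 10", sig1),
            recover_trapdoor(b"pay alice 10", sig1, b"pay mallory 10", sig2) == x)
```

Calling demo() returns (True, False, True). The message digest is fed to the chameleon hash as a single group exponent, which is why the abstract's point about universal one-way hashing matters: only second-preimage style resistance of H is needed for a given token, not full collision resistance. The last element of the tuple is the reason the verifier's public key y must pair with a strictly single-use token store on the signing side.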
A Practical and Tightly Secure Signature Scheme Without Hash Function
2007
Cited by 3 (0 self)
Abstract
In 1999, two signature schemes based on the flexible RSA problem (a.k.a. strong RSA problem) were independently introduced: the Gennaro-Halevi-Rabin (GHR) signature scheme and the Cramer-Shoup (CS) signature scheme. Remarkably, these schemes meet the highest security notion in the standard model. They however differ in their implementation. The CS scheme and its subsequent variants and extensions proposed so far feature a loose security reduction, which, in turn, implies larger security parameters. The security of the GHR scheme and of its twinning-based variant are shown to be tightly based on the flexible RSA problem but additionally (i) either assumes the existence of division-intractable hash functions, or (ii) requires an injective mapping into the prime numbers in both the signing and verification algorithms. In this paper, we revisit the GHR signature scheme and completely remove the extra assumption made on the hash functions without relying on injective prime mappings. As a result, we obtain a practical signature scheme (and an online/offline variant thereof) whose security is solely and tightly related to the strong RSA assumption.
Proof of Freshness: How to Efficiently Use an Online Single Secure Clock to Secure Shared Untrusted Memory
2006