Short Signatures without Random Oracles
2004
Cited by 387 (13 self)
Abstract
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
A Generalized Birthday Problem
In CRYPTO, 2002
Cited by 127 (0 self)
Abstract
We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values XOR to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography.
(If) Size Matters: Size-Hiding Private Set Intersection
2011
Cited by 22 (4 self)
Abstract
Modern society is increasingly dependent on, and fearful of, the availability of electronic information. There are numerous examples of situations where sensitive data must be – sometimes reluctantly – shared between two or more entities without mutual trust. As often happens, the research community has foreseen the need for mechanisms to enable limited (privacy-preserving) sharing of sensitive information, and a number of effective solutions have been proposed. Among them, Private Set Intersection (PSI) techniques are particularly appealing for scenarios where two parties wish to compute an intersection of their respective sets of items without revealing to each other any other information. Thus far, "any other information" has been interpreted to mean any information about items not in the intersection. In this paper, we motivate the need for Private Set Intersection with a stronger privacy property of hiding the size of the set held by one of the two entities ("client"). We introduce the notion of Size-Hiding Private Set Intersection (SHI-PSI) and propose an efficient construction secure under the RSA assumption in the Random Oracle Model. We also show that input size-hiding is attainable at very low additional cost.
Twin Signatures: An Alternative to the Hash-and-Sign Paradigm
2001
Cited by 13 (2 self)
Abstract
This paper introduces a simple alternative to the hash-and-sign paradigm called twinning. A twin signature is obtained by signing twice the same short message by a probabilistic signature scheme. Analysis of the concept in different settings yields the following results: we prove that no generic algorithm can efficiently forge a twin DSA signature. Although generic algorithms offer a less stringent form of security than computational reductions in the standard model, such successful proofs still produce positive evidence in favor of the correctness of the new paradigm.
Trust-Preserving Set Operations
PROCEEDINGS OF INFOCOM, 2003
Cited by 12 (2 self)
Abstract
We describe a method of performing trust-preserving set operations by untrusted parties. Our motivation for this is the problem of securely reusing content-based search results in peer-to-peer networks. We model search results and indexes as data sets. Such sets have value for answering a new query only if they are trusted. In the absence of any system-wide security mechanism, a data set is trusted by a node a only if it was generated by some node trusted by a. Our main
A Practical and Tightly Secure Signature Scheme Without Hash Function
2007
Cited by 7 (3 self)
Abstract
In 1999, two signature schemes based on the flexible RSA problem (a.k.a. strong RSA problem) were independently introduced: the Gennaro-Halevi-Rabin (GHR) signature scheme and the Cramer-Shoup (CS) signature scheme. Remarkably, these schemes meet the highest security notion in the standard model. They however differ in their implementation. The CS scheme and its subsequent variants and extensions proposed so far feature a loose security reduction, which, in turn, implies larger security parameters. The security of the GHR scheme and of its twinning-based variant are shown to be tightly based on the flexible RSA problem but additionally (i) either assumes the existence of division-intractable hash functions, or (ii) requires an injective mapping into the prime numbers in both the signing and verification algorithms. In this paper, we revisit the GHR signature scheme and completely remove the extra assumption made on the hash functions without relying on injective prime mappings. As a result, we obtain a practical signature scheme (and an online/offline variant thereof) whose security is solely and tightly related to the strong RSA assumption.
New online/offline signature schemes without random oracles. Cryptology ePrint Archive
2006
Cited by 7 (0 self)
Abstract
In this paper, we propose new signature schemes provably secure under the strong RSA assumption in the standard model. Our proposals utilize Shamir-Tauman's generic construction for building EF-CMA secure online/offline signature schemes from trapdoor commitments and less secure basic signature schemes. We introduce a new natural intractability assumption for hash functions, which can be interpreted as a generalization of second preimage collision resistance. Assuming the validity of this assumption, we are able to construct new signature schemes provably secure under the strong RSA assumption without random oracles. In contrast to Cramer-Shoup's signature scheme based on strong RSA in the standard model, no costly generation of prime numbers is required for the signer in our proposed schemes. Moreover, the security of our schemes relies on weaker assumptions placed on the hash function than Gennaro, Halevi and Rabin's solution.
Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results
2008
Cited by 6 (0 self)
Abstract
This paper presents some theoretical and experimental results about off-line/on-line digital signatures. The goal of this type of scheme is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient one-time signatures. Later Shamir and Tauman presented an alternative construction (which produces shorter signatures) by combining regular signatures with chameleon hash functions. We first unify the Shamir-Tauman and Even et al. approaches by showing that they can be considered different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is in effect a type of one-time signature which satisfies this weaker security notion. In the process we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call two-trapdoor) is a fully secure one-time signature. Finally we ran experimental tests using OpenSSL libraries to test the difference between the two approaches. In our implementation we make extensive use of the observation that off-line/on-line digital signatures do not require collision-resistant hash functions to compress the message, but can be safely implemented with universal one-way hashing in both the off-line and the on-line step. The main application of this observation is that both steps can be applied to shorter digests. This has particular relevance if block-cipher- or hash-function-based one-time signatures are used, since these are very sensitive to the length of the message. Interestingly, we show that (mostly due to the above observation about hashing) the two approaches are comparable in efficiency and signature length.
Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory
2006
Primary-Secondary-Resolver Membership Proof Systems
2014
Cited by 2 (0 self)
Abstract
We consider Primary-Secondary-Resolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3-party protocol, where we have a primary, which is a trusted party which commits to a set of members and their values, then generates public and secret keys in order for secondaries (provers with knowledge of both keys) and resolvers (verifiers who only know the public key) to engage in interactive proof sessions regarding elements in the universe and their values. The motivation for such systems is for constructing a secure Domain Name System (DNSSEC) that does not reveal any unnecessary information to its clients. We require our systems to be complete, so honest executions will result in correct conclusions by the resolvers; sound, so malicious secondaries cannot cheat resolvers; and zero-knowledge, so resolvers will not learn additional information about elements they did not query explicitly. Providing proofs of membership is easy, as the primary can simply precompute signatures over all the members of the set. Providing proofs of non-membership, i.e., a denial-of-existence mechanism, is trickier and is the main issue in constructing PSR systems.