The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme
Journal of Cryptology, 2003
Cited by 67 (5 self)
We introduce a new class of computational problems which we call the "one-more-RSA-inversion" problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems respectively, have polynomially-equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for "one-more-discrete-logarithm" problems. Since the appearance of the preliminary version of this paper, the new problems we have introduced have found other uses as well.
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
2000
Cited by 67 (7 self)
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
Bonsai Trees, or How to Delegate a Lattice Basis
2010
Cited by 65 (5 self)
We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include:
• An efficient, stateless 'hash-and-sign' signature scheme in the standard model (i.e., no random oracles), and
• The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings.
Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.
Verifiable Random Functions
In FOCS, 1999
Cited by 51 (2 self)
We efficiently combine unpredictability and verifiability by extending the Goldreich–Goldwasser–Micali construction of pseudorandom functions f_s from a secret seed s, so that knowledge of s not only enables one to evaluate f_s at any point x, but also to provide an NP-proof that the value f_s(x) is indeed correct without compromising the unpredictability of f_s at any other point for which no such proof was provided.
Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products
2002
Cited by 49 (0 self)
We present a new protocol for efficient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows one to distributively compute shared RSA keys, where the modulus is the product of two safe primes, much more efficiently than was previously known.
Optimal Security Proofs for PSS and other Signature Schemes
2002
Cited by 49 (2 self)
The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that log_2 q_sig bits suffice, where q_sig is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than log_2 q_sig bits are used, then PSS is still provably secure but it cannot have a tight security proof.
Unique signatures and verifiable random functions from the DH-DDH separation
Proceedings of Crypto 2002, volume 2442 of LNCS, 2002
Cited by 48 (4 self)
A unique signature scheme has the property that a signature σ_PK(m) is a (hard-to-compute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing verifiable random functions. Another useful property of unique signatures is that they are stateless: the signer does not need to update his secret key after an invocation. The only previously known construction of a unique signature in the plain model was based on the RSA assumption. The only other previously known provably secure constructions of stateless signatures were based on the Strong RSA assumption. Here, we give a construction of a unique signature scheme based on a generalization of the Diffie-Hellman assumption in groups where decisional Diffie-Hellman is easy. Several recent results suggest plausibility of such groups. We also give a few related constructions of verifiable random functions (VRFs). VRFs, introduced by Micali, Rabin, and Vadhan, are objects that combine the properties of pseudorandom functions (i.e. indistinguishability from random even after querying) with the verifiability property. Prior to our work, VRFs were only known to exist under the RSA assumption.
On the (In)security of the Fiat-Shamir Paradigm
In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, 2003
Cited by 43 (2 self)
In 1986, Fiat and Shamir suggested a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
SiBIR: Signer-base intrusion-resilient signatures
In Proc. Crypto 2002
Cited by 35 (0 self)
We propose a new notion of signer-base intrusion-resilient (SiBIR) signatures, which generalizes and improves upon both forward-secure [And97, BM99] and key-insulated [DKXY02] signature schemes. Specifically, as in the prior notions, time is divided into predefined time periods (e.g., days); each signature includes the number of the time period in which it was generated; while the public key remains the same, the secret keys evolve with time. Also, as in key-insulated schemes, the user has two modules, signer and home base: the signer generates signatures on his own, and the base is needed only to help update the signer's key from one period to the next. The main strength of intrusion-resilient schemes, as opposed to prior notions, is that they remain secure even after arbitrarily many compromises of both modules, as long as the compromises are not simultaneous. Moreover, even if the intruder does compromise both modules simultaneously, she will still be unable to generate any signatures for the previous time periods. We provide an efficient intrusion-resilient signature scheme, provably secure in the random oracle model based on the strong RSA assumption. We also discuss how such schemes can eliminate the need for certificate revocation in the case of online authentication.
On Simulation-Sound Trapdoor Commitments
In proceedings of EUROCRYPT '04, LNCS series, 2003
Cited by 33 (1 self)
We study the recently introduced notion of a simulation-sound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any one-way functions, and how to construct very efficient SSTC schemes based on specific number-theoretic assumptions. We also show how to construct simulation-sound, non-malleable, and universally-composable zero-knowledge protocols using SSTC schemes, yielding, for instance, the most efficient universally-composable zero-knowledge protocols known. Finally, we explore the relation between SSTC schemes and non-malleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are non-malleable.