Results 1 - 10 of 17
Short Signatures without Random Oracles
, 2004
Cited by 269 (14 self)
Abstract
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Another Look at “Provable Security”
, 2004
Cited by 61 (12 self)
Abstract
We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible.
Multisignatures in the plain public-key model and a general forking lemma
 In ACM CCS 06
, 2006
Cited by 26 (3 self)
Abstract
A multisignature scheme enables a group of signers to produce a compact, joint signature on a common document, and has many potential uses. However, existing schemes impose key setup or PKI requirements that make them impractical, such as requiring a dedicated, distributed key generation protocol amongst potential signers, or assuming strong, concurrent zero-knowledge proofs of knowledge of secret keys done to the CA at key registration. These requirements limit the use of the schemes. We provide a new scheme that is proven secure in the plain public-key model, meaning it requires nothing more than that each signer has a (certified) public key. Furthermore, the important simplification in key management achieved is not at the cost of efficiency or assurance: our scheme matches or surpasses known ones in terms of signing time, verification time and signature size, and is proven secure in the random-oracle model under a standard (not bilinear map related) assumption. The proof is based on a simplified and general Forking Lemma that may be of independent interest.
The Exact Security of an Identity Based Signature and its Applications
, 2004
Cited by 23 (0 self)
Abstract
This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the Sakai-Ogishi-Kasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that their modified SOK-IBS scheme can be viewed as a one-level instantiation of Gentry and Silverberg's alternative hierarchical IBS, the exact security of which was never considered before. We also show that this signature is as secure as the one-more Diffie-Hellman problem. As an application, we propose a modification of Boyen's "Swiss Army Knife" identity based signature encryption (IBSE) that presents better security reductions and satisfies the same strong security requirements with a similar efficiency.
Identity based undeniable signatures
 Topics in Cryptology CT-RSA 2004, LNCS 2964
, 2004
Cited by 20 (2 self)
Abstract
In this paper, we give a first example of identity based undeniable signature using pairings over elliptic curves. We extend to the identity based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003 and we prove that our scheme is existentially unforgeable under the Bilinear Diffie-Hellman assumption in the random oracle model. We also prove that it has the invisibility property under the Decisional Bilinear Diffie-Hellman assumption and we discuss the efficiency of the scheme.
Designated Verifier Signature Schemes: Attacks, New Security Notions and A New Construction
 In: Proc. of the 32nd International Colloquium on Automata, Languages and Programming (ICALP’05), LNCS 3580
, 2005
Cited by 17 (2 self)
Abstract
We show that the signer can abuse the disavowal protocol in the Jakobsson-Sako-Impagliazzo designated-verifier signature scheme. In addition, we identify a new security property—non-delegatability—that is essential for designated-verifier signatures, and show that several previously proposed designated-verifier schemes are delegatable. We give a rigorous formalisation of the security for designated-verifier signature schemes, and propose a new and efficient designated-verifier signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the non-programmable random oracle model, and non-delegatable under a loose reduction in the programmable random oracle model. As a direct corollary, we also get a new efficient conventional signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the non-programmable random oracle plus common reference string model.
Communication-efficient non-interactive proofs of knowledge with online extractors
 In CRYPTO 2005
, 2005
Efficient signature schemes with tight reductions to the Diffie-Hellman problems
 Journal of Cryptology
Cited by 10 (0 self)
Abstract
We propose and analyze two efficient signature schemes whose security is tightly related to the Diffie-Hellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational Diffie-Hellman problem; security of our second scheme — which is more efficient than the first — is based on the hardness of the decisional Diffie-Hellman problem, a stronger assumption. Given current state of the art, it is as difficult to solve the Diffie-Hellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can also be applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various number-theoretic assumptions) with tight security reductions.
Deterministic identity-based signatures for partial aggregation
 J. Comput
, 2006
Cited by 9 (2 self)
Abstract
Aggregate signatures are a useful primitive which allows many signatures on different messages, computed by different users, to be aggregated into a single constant-length signature. Specific proposals of aggregate signature schemes exist only for PKI-based scenarios. For identity-based scenarios, where public keys of the users are directly derived from their identities, the signature schemes proposed up to now do not seem to allow constant-length aggregation. We provide an intermediate solution to this problem, by designing a new identity-based signature scheme which allows aggregation when the signatures to be aggregated all come from the same signer. The new scheme is deterministic and enjoys some better properties than the previous proposals; for example, it allows detection of a possible corruption of the master entity. We formally prove that the scheme is unforgeable, in the random oracle model, assuming that the Computational Diffie–Hellman problem is hard to solve.
Proving tight security for Rabin/Williams signatures
 In EUROCRYPT
, 2008
Cited by 9 (2 self)
Abstract
This paper proves “tight security in the random-oracle model relative to factorization” for the lowest-cost signature systems available today: every hash-generic signature-forging attack can be converted, with negligible loss of efficiency and effectiveness, into an algorithm to factor the public key. The most surprising system is the “fixed unstructured B = 0 Rabin-Williams” system, which has a tight security proof despite hashing unrandomized messages. At a lower level, the three main accomplishments of the paper are (1) a “B ≥ 1” proof that handles some of the lowest-cost signature systems by pushing an idea of Katz and Wang beyond the “claw-free permutation pair” context; (2) a new expository structure, elaborating upon an idea of Koblitz and Menezes; and (3) a proof that uses a new idea and that breaks through the “B ≥ 1” barrier.