Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyper-elliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel. 1

We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Di#e-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.

Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.

Abstract. Constructing efficient and secure encryption schemes is an important motivation for modern cryptographic research. We propose simple and secure constructions of hybrid encryption schemes that aim to keep message expansion to a minimum, in particular for RSA-based protocols. We show that one can encrypt using RSA a message of length |m | bits, at a security level equivalent to a block cipher of κ bits in security, in |m | + 4κ + 2 bits. This is therefore independent of how large the RSA key length grows as a function of κ. Our constructions are natural and highly practical, but do not appear to have been given any previous formal treatment. 1

Many variants of the ElGamal signature scheme have been proposed. The most famous is the DSA standard. If computing discrete logarithms is hard, then some of these schemes have been proven secure in an idealized model, either the random oracle or the generic group. We propose a generic but simple presentation of signature schemes with security based on the discrete logarithm. We show how they can be proven secure in idealized model, under which conditions. We conclude that none of the previously proposed digital signature schemes has optimal properties and we propose a scheme named PECDSA.

New ways are proposed to design short signature schemes based on difficulty of factorizing a composite number n that is a product of two large secret primes. The paper presents digital signature schemes in which the signature represents a pair of numbers (k, g) and its length is reduced to 320 bits providing security of the RSA cryptosystem with 1024-bit modulus.

Granboulan [4] proposed the signature scheme in the ideal cipher model named OPSSR that achieves the lower bound for message expansion. In this paper, we propose a scheme which can give the security equivalent to that of OPSSR in the random permutation model that is weaker than the ideal cipher model. We also show exact security proof. We extend our scheme to the multi key setting. By the results of this paper, we partially solve the open problems posed by Granboulan.

Abstract not found