Results 1  10
of
58
Signature schemes and anonymous credentials from bilinear maps
, 2004
"... We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discretelogarithmbased assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of th ..."
Abstract

Cited by 187 (24 self)
 Add to MetaCart
We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discretelogarithmbased assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of the decisional DiffieHellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zeroknowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Evaluating 2dnf formulas on ciphertexts
 In proceedings of TCC ’05, LNCS series
, 2005
"... Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create th ..."
Abstract

Cited by 153 (6 self)
 Add to MetaCart
Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create the encryption of ψ(x1,..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the KushilevitzOstrovsky PIR protocol is reduced from √ n to 3 √ n. 2. An efficient election system based on homomorphic encryption where voters do not need to include noninteractive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation. 1
Efficient SelectiveID Secure IdentityBased Encryption Without Random Oracles., in Cachin and Camenisch [13
 6. , Secure Identity Based Encryption Without Random Oracles., in Franklin [20
"... Abstract. We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead o ..."
Abstract

Cited by 149 (8 self)
 Add to MetaCart
Abstract. We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles. 1
Collusion resistant broadcast encryption with short ciphertexts and private keys
"... We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public ke ..."
Abstract

Cited by 130 (16 self)
 Add to MetaCart
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O (√n) for any subset of receivers. We discuss several applications of these systems.
Efficient SelectiveID Secure Identity Based Encryption without Random Oracles
, 2004
"... We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to ..."
Abstract

Cited by 100 (7 self)
 Add to MetaCart
We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.
Efficient SelectiveID Secure Identity Based Encryption without Random Oracles
 Proceedings of Eurocrypt 2004, volume 3027 of LNCS
, 2004
"... We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to ..."
Abstract

Cited by 68 (9 self)
 Add to MetaCart
We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.
A verifiable random function with short proofs and keys
 PKC 2005, LNCS
, 2005
"... Abstract. We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14, 15], it avoids using an inefficient GoldreichLevin transformation, thereby saving several factors in security. Our ..."
Abstract

Cited by 52 (3 self)
 Add to MetaCart
Abstract. We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14, 15], it avoids using an inefficient GoldreichLevin transformation, thereby saving several factors in security. Our proofs of security are based on a decisional bilinear DiffieHellman inversion assumption, which seems reasonable given current state of knowledge. For small message spaces, our VRF’s proofs and keys have constant size. By utilizing a collisionresistant hash function, our VRF can also be used with arbitrary message spaces. We show that our scheme can be instantiated with an elliptic group of very reasonable size. Furthermore, it can be made distributed and proactive. 1
Unique signatures and verifiable random functions from the DHDDH separation
 Proceedings of Crypto 2002, volume 2442 of LNCS
, 2002
"... Abstract. A unique signature scheme has the property that a signature σPK(m) is a (hardtocompute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing ..."
Abstract

Cited by 50 (4 self)
 Add to MetaCart
Abstract. A unique signature scheme has the property that a signature σPK(m) is a (hardtocompute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing verifiable random functions. Another useful property of unique signatures is that they are stateless: the signer does not need to update his secret key after an invocation. The only previously known construction of a unique signature in the plain model was based on the RSA assumption. The only other previously known provably secure constructions of stateless signatures were based on the Strong RSA assumption. Here, we give a construction of a unique signature scheme based on a generalization of the DiffieHellman assumption in groups where decisional DiffieHellman is easy. Several recent results suggest plausibility of such groups. We also give a few related constructions of verifiable random functions (VRFs). VRFs, introduced by Micali, Rabin, and Vadhan, are objects that combine the properties of pseudorandom functions (i.e. indistinguishability from random even after querying) with the verifiability property. Prior to our work, VRFs were only known to exist under the RSA assumption.
Signature Schemes and Applications to Cryptographic Protocol Design
, 2002
"... Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature sch ..."
Abstract

Cited by 32 (8 self)
 Add to MetaCart
Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important
IDBased Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
 In CCS ’04: Proceedings of the 11th ACM conference on Computer and communications security
, 2004
"... A forwardsecure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identitybased encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joiningtimeoblivious; (3) users evolve secre ..."
Abstract

Cited by 30 (6 self)
 Add to MetaCart
A forwardsecure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identitybased encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joiningtimeoblivious; (3) users evolve secret keys autonomously. We present a scalable forwardsecure HIBE (fsHIBE) scheme satisfying the above properties. We also show how our fsHIBE scheme can be used to construct a forwardsecure publickey broadcast encryption scheme, which protects the secrecy of prior transmissions in the broadcast encryption setting. We further generalize fsHIBE into a collusionresistant multiple hierarchical IDbased encryption scheme, which can be used for secure communications with entities having multiple roles in rolebased access control. The security of our schemes is based on the bilinear DiffieHellman assumption in the random oracle model. 1