The BiBa One-Time Signature and Broadcast Authentication Protocol
In ACM Conference on Computer and Communications Security, 2001
Cited by 91 (3 self)
We introduce the BiBa signature scheme, a new signature construction that uses one-way functions without trapdoors. BiBa features a low verification overhead and a relatively small signature size. In comparison to other one-way function based signature schemes, BiBa has smaller signatures and is at least twice as fast to verify (which probably makes it one of the fastest signature schemes to date for verification). On the downside, the BiBa public key is large, and the signature generation overhead is higher than previous schemes based on one-way functions without trapdoors (although it can be trivially parallelized).
Digital Payment Systems with Passive Anonymity-Revoking Trustees
COMPUTER SECURITY - ESORICS 96, 1996
Cited by 69 (5 self)
Anonymity of the participants is an important requirement for some applications in electronic commerce, in particular for payment systems. Because anonymity could be in conflict with law enforcement, for instance in cases of blackmailing or money laundering, it has been proposed to design systems in which a trustee or a set of trustees can selectively revoke the anonymity of the participants involved in suspicious transactions. From an operational point of view, it can be an important requirement that such trustees are neither involved in payment transactions nor in the opening of an account, but only in case of a justified suspicion. In this paper we propose the first efficient anonymous digital payment systems satisfying this requirement. The described basic protocol for anonymity revocation can be used in online or offline payment systems.
Efficient Protocols for Signing Routing Messages
1998
Cited by 55 (0 self)
In this work, we aim to reduce the computational costs of using public-key digital signatures in securing routing protocols. Two protocols (COSP and IOSP) using one-time digital signatures are introduced to provide the functionality of public-key digital signatures. Our protocols are intended to be used in place of public-key digital signatures for signing all kinds of message exchanges among routers. We obtained a more than tenfold increase in speed compared with public-key signatures. Our protocols overcome the shortcomings identified in previous works, such as timing constraints, limited applications and high storage and computational costs for volatile environments [12].
Better than BiBa: Short One-time Signatures with Fast Signing and Verifying
In Seventh Australasian Conference on Information Security and Privacy (ACISP 2002), 2002
Cited by 49 (0 self)
One-time signature schemes have found numerous applications: in ordinary, online/offline, and forward-secure signatures. More recently, they have been used in multicast and broadcast authentication. We propose a one-time signature scheme with very efficient signing and verifying, and short signatures. Our scheme is well-suited for broadcast authentication, and, in fact, can be viewed as an improvement of the BiBa one-time signature (proposed by Perrig in CCS 2001 for broadcast authentication).
On the Efficiency of One-time Digital Signatures
1996
Cited by 25 (0 self)
Digital signature schemes based on a general one-way function without trapdoor offer two potential advantages over digital signature schemes based on trapdoor one-way functions such as the RSA system: higher efficiency and much more freedom in choosing a cryptographic function to base the security on. Such a scheme is characterized by a directed acyclic computation graph and an antichain in a certain partially ordered set defined by the graph. Several results on the achievable efficiency of such schemes are proved, where the efficiency of a scheme is defined as the ratio of the size of messages that can be signed and the number of one-way function evaluations needed for setting up the system. For instance, the maximal achievable efficiency for trees is shown to be equal to a constant $\gamma \approx 0.4161426$ and a family of general graphs with substantially greater efficiency 0.476 is demonstrated. This construction appears to be close to optimal.
Optimal Tree-based One-time Digital Signature Schemes
In STACS ’96: Proceedings of the 13th Annual Symposium on Theoretical Aspects of Computer Science, 1996
Cited by 19 (1 self)
A minimal cutset of a tree directed from the leaves to the root is a minimal set of vertices such that every path from a leaf to the root meets at least one of these vertices. An order relation on the set of minimal cutsets can be defined: U V if and only if every vertex of U is on the path from some vertex in V to the root. Motivated by the design of efficient cryptographic digital signature schemes, the problem of constructing trees with a large number of pairwise incomparable minimal cutsets or, equivalently, with a large antichain in the poset of minimal cutsets, is considered. Keywords. Cryptography, digital signature schemes, trees, partially ordered sets. 1 Introduction We consider trees directed from the leaves to the root where every vertex has at most two predecessors. In this paper, a cutset of such a tree T is defined as a set of vertices which contains at least one vertex of every path from a leaf to the root. A cutset is minimal when it contains exactly one vertex of...
The provable security of graph-based one-time signatures and extensions to algebraic signature schemes
Advances in Cryptology – ASIACRYPT 2002, 2002
Cited by 11 (1 self)
Essentially all known one-time signature schemes can be described as special instances of a general scheme suggested by Bleichenbacher and Maurer based on “graphs of one-way functions”. Bleichenbacher and Maurer thoroughly analyze graph based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security of their generic construction, and they leave open the problem of determining under what assumption security can be formally proved. In this paper we analyze graph based signatures from a security point of view and give sufficient conditions that allow to prove the security of the signature scheme in the standard complexity model (no random oracles). The techniques used to prove the security of graph based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.
Lower Bounds on Signatures From Symmetric Primitives
2008
Cited by 10 (4 self)
We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where q is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making $2^{(1+o(1))q}$ queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport’s one-time signatures (Lamport ’79) achieves $2^{(0.812-o(1))q}$ black-box security using q queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.
SVP: a Flexible Micropayment Scheme
Advances in Cryptology - Proceedings of Financial Cryptography '97
Cited by 8 (0 self)
We propose a cheap micropayment scheme based on reasonable requirements. It is flexible in the sense that many security options are possible depending on the policy of the involved participants. We avoid large data storage, heavy computations. The scheme is software based for the user and hardware based for the service provider. Possibilities of having a software-based solution for both are also presented. 1 Introduction In the forthcoming years or even months, it is anticipated that electronic payments over secure networks are going to expand rapidly. The definition of the SET protocol (see [4]) by a group of credit cards providers is a definite sign of this expected growth. Among the variety of payment schemes that have been proposed recently, several address the very specific question of micropayments (see [1, 2, 6]). Such payments arise in the context of the Internet when an individual user is browsing around and wishes to access resources for which a small payment appears adequ...