Results 11  20
of
257
Formal Proofs for the Security of Signcryption
 In PKC ’02
, 2002
"... Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead. ..."
Abstract

Cited by 66 (1 self)
 Add to MetaCart
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.
A Key Recovery Attack on Discrete Logbased Schemes Using a Prime Order Subgroup
, 1997
"... Consider the wellknown oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many pro ..."
Abstract

Cited by 62 (2 self)
 Add to MetaCart
Consider the wellknown oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checkings are carried out. In this paper we present a key recovery attack on various discrete logbased schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most DiffieHellmantype key exchange protocols and some applications of ElGamal encryption and signature schemes. Key Words : Key recovery attack, Discrete logarithms, Key exchange, Digital signatures. 1 Introduction Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
Security proofs for identitybased identification and signature schemes
 In Proc. EUROCRYPT 2004
, 2004
"... Abstract. This paper provides either security proofs or attacks for a large number of identitybased identification and signature schemes defined either explicitly or implicitly in existing literature. Underlying these are a framework that on the one hand helps explain how these schemes are derived, ..."
Abstract

Cited by 62 (7 self)
 Add to MetaCart
Abstract. This paper provides either security proofs or attacks for a large number of identitybased identification and signature schemes defined either explicitly or implicitly in existing literature. Underlying these are a framework that on the one hand helps explain how these schemes are derived, and on the other hand enables modular security analyses, thereby helping to understand, simplify and unify previous work. 1
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 52 (5 self)
 Add to MetaCart
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1
Selfblindable credential certificates from the weil pairing
, 2001
"... Abstract. We describe two simple, efficient and effective credential pseudonymous certificate systems, which also support anonymity without the need for a trusted third party. The second system provides cryptographic protection against the forgery and transfer of credentials. Both systems are based ..."
Abstract

Cited by 47 (0 self)
 Add to MetaCart
Abstract. We describe two simple, efficient and effective credential pseudonymous certificate systems, which also support anonymity without the need for a trusted third party. The second system provides cryptographic protection against the forgery and transfer of credentials. Both systems are based on a new paradigm, called selfblindable certificates. Such certificates can be constructed using the Weil pairing in supersingular elliptic curves. 1
Secret Handshakes from CAOblivious Encryption
, 2004
"... Secret handshake protocols were recently introduced [1] to allow members of the same group to authenticate each other secretly, in the sense that someone who is not a group member cannot tell, by engaging some party in the handshake protocol, whether that party is a member of this group. On the o ..."
Abstract

Cited by 44 (6 self)
 Add to MetaCart
Secret handshake protocols were recently introduced [1] to allow members of the same group to authenticate each other secretly, in the sense that someone who is not a group member cannot tell, by engaging some party in the handshake protocol, whether that party is a member of this group. On the other hand, any two parties who are members of the same group will recognize each other as members. Thus, a secret handshake protocol can be used in any scenario where group members need to identify each other without revealing their group a#liations to outsiders.
On Concrete Security Treatment of Signatures Derived from Identification
 In Crypto '98, LNCS 1462
, 1998
"... Signature schemes that are derived from three move identification schemes such as the FiatShamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature sche ..."
Abstract

Cited by 40 (1 self)
 Add to MetaCart
Signature schemes that are derived from three move identification schemes such as the FiatShamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the "concrete security analysis" of these schemes. We then apply it to the multisignature schemes.
Simulation in quasipolynomial time, and its application to protocol composition
 In EUROCRYPT
, 2003
"... Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concur ..."
Abstract

Cited by 37 (10 self)
 Add to MetaCart
Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concurrent quasipolynomial time simulatable arguments and show that such arguments can be used in advanced composition operations without any setup assumptions. Our protocols rely on slightly strong, but standard type assumptions (namely the existence of onetoone oneway functions secure against subexponential circuits). 1
The Relationship Between Breaking the DiffieHellman Protocol and Computing Discrete Logarithms
, 1998
"... Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that re ..."
Abstract

Cited by 37 (3 self)
 Add to MetaCart
Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the DiffieHellman protocol in G and has complexity p maxf(p i )g \Delta (log jGj) O(1) , where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p \Gamma 2 p p+1; p+2 p p+ 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the DiffieHellman problem and the discrete logarithm problem are polynomialtime equivalent in G. Second, it is proved that the DiffieHellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...
Implementing TwoParty Computation Efficiently with Security Against Malicious Adversaries
 6th Conf. on Security and Cryptography for Networks (SCN), SpringerVerlag LNCS 5229
, 2008
"... Abstract. We present an implementation of the protocol of Lindell and Pinkas for secure twoparty computation which is secure against malicious adversaries [13]. This is the first running system which provides security against malicious adversaries according to rigorous security definition and witho ..."
Abstract

Cited by 36 (6 self)
 Add to MetaCart
Abstract. We present an implementation of the protocol of Lindell and Pinkas for secure twoparty computation which is secure against malicious adversaries [13]. This is the first running system which provides security against malicious adversaries according to rigorous security definition and without using the random oracle model. We ran experiments showing that the protocol is practical. In addition we show that there is little benefit in replacing subcomponents secure in the standard model with those which are only secure in the random oracle model. Throughout we pay particular attention to using the most efficient subcomponents in the protocol, and we select parameters for the encryption schemes, commitments and oblivious transfers which are consistent with a security level equivalent to AES128. 1