Results 1 - 10 of 25
Short Signatures without Random Oracles, 2004
Cited by 265 (14 self)
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Signature schemes and anonymous credentials from bilinear maps, 2004
Cited by 185 (24 self)
We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of the decisional Diffie-Hellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Efficient blind signatures without random oracles. In Carlo Blundo and Stelvio Cimato, editors, SCN 2004, 2004
Cited by 15 (1 self)
The only known blind signature scheme that is secure in the standard model [20] is based on general results about multiparty computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is a significant result on its own, we devise and prove the security of a new variant for the Cramer-Shoup-Fischlin signature scheme. We are able to show that for generating signatures, instead of using randomly chosen prime exponents one can securely use randomly chosen odd integer exponents which significantly simplifies the signature generating process. We obtain our blind signing function as a secure and efficient two-party computation that cleverly exploits its algebraic properties and those of the Paillier encryption scheme. The security of the resulting signing protocol relies on the Strong RSA assumption and the hardness of decisional composite residuosity; we stress that it does not rely on the existence of random oracles.
Short and stateless signatures from the RSA assumption. In Proceedings of Advances in Cryptology, CRYPTO
Cited by 14 (0 self)
We present the first signature scheme which is “short”, stateless and secure under the RSA assumption in the standard model. Prior short, standard model signatures in the RSA setting required either a strong complexity assumption such as Strong RSA or (recently) that the signer maintain state. A signature in our scheme is comprised of one element in Z*_N and one integer. The public key is also short, requiring only the modulus N, one element of Z*_N, one integer, one PRF seed and some short chameleon hash parameters. To design our signature, we employ the known generic construction of fully-secure signatures from weakly-secure signatures and a chameleon hash. We then introduce a new proof technique for reasoning about weakly-secure signatures. This technique enables the simulator to predict a prefix of the message on which the adversary will forge and to use knowledge of this prefix to embed the challenge. This technique has wider applications beyond RSA. We also use it to provide an entirely new analysis of the security of the Waters signatures: the only short, stateless signatures known to be secure under the Computational Diffie-Hellman assumption in the standard model.
Constant-size hierarchical identity-based signature/signcryption without random oracles, 2006
Cited by 6 (1 self)
We construct the first constant-size hierarchical identity-based signature (HIBS) without random oracles: the signature size is O(λ_s) bits, where λ_s is the security parameter, and it is independent of the number of levels in the hierarchy. We observe that an efficient hierarchical identity-based signcryption (HIBSC) scheme without random oracles can be compositioned from our HIBS and Boneh, Boyen, and Goh’s HIBE (hierarchical identity-based encryption) [9]. We further optimize it to a constant-factor efficiency improvement. This is the first constant-size HIBSC without random oracles.
A new short signature scheme without random oracles from bilinear pairings. In: VIETCRYPT 2006, LNCS 4341, 2005
Cited by 5 (0 self)
To date, there exist three short signature schemes from bilinear pairings. In this paper, we propose a new signature scheme that is existentially unforgeable under a chosen message attack without random oracle. The security of our scheme depends on a new complexity assumption called the k+1 square roots assumption. We also discuss the relationship between the k+1 square roots assumption and some related problems and provide some conjectures. Moreover, the k+1 square roots assumption can be used to construct shorter signatures under the random oracle model.
Adaptive pseudo-free groups and applications. Advances in Cryptology – EUROCRYPT 2011, 2011
Cited by 5 (3 self)
A computational group is pseudo-free if an adversary cannot find solutions in this group for equations that are not trivially solvable in the free group. This notion was put forth by Rivest as a unifying abstraction of multiple group-related hardness assumptions commonly used in cryptography. Rivest’s conjecture that the RSA group is pseudo-free had been settled by Micciancio for the case of RSA moduli that are the product of two safe primes. This result holds for a static setting where the adversary is only given the description of the group (together with a set of randomly chosen generators) and has to come up with the equation and the solution. In this paper we explore a powerful extension of the notion of pseudo-freeness. We identify, motivate, and study pseudo-freeness in face of adaptive adversaries who may learn solutions to other nontrivial equations before having to solve a new nontrivial equation. Our first contribution is a carefully crafted definition of adaptive pseudo-freeness that walks a fine line between being too weak and being unsatisfiable. We give generic constructions that show how any group that satisfies our definition can be used to construct digital signatures and network signature schemes. Next, we prove that the RSA group meets our more stringent notion of pseudo-freeness and as a consequence we obtain different results. First, we obtain a new network (homomorphic) signature scheme in the standard model. Secondly, we demonstrate the generality of our framework for signatures by showing that all existing strong RSA-based signature schemes are instantiations of our generic construction in the RSA group.
New online/offline signature schemes without random oracles. Cryptology ePrint Archive, 2006
Cited by 5 (0 self)
In this paper, we propose new signature schemes provably secure under the strong RSA assumption in the standard model. Our proposals utilize Shamir-Tauman’s generic construction for building EF-CMA secure online/offline signature schemes from trapdoor commitments and less secure basic signature schemes. We introduce a new natural intractability assumption for hash functions, which can be interpreted as a generalization of second preimage collision resistance. Assuming the validity of this assumption, we are able to construct new signature schemes provably secure under the strong RSA assumption without random oracles. In contrast to Cramer-Shoup’s signature scheme based on strong RSA in the standard model, no costly generation of prime numbers is required for the signer in our proposed schemes. Moreover, the security of our schemes relies on weaker assumptions placed on the hash function than Gennaro, Halevi and Rabin’s solution.
Cryptography in Subgroups of Z*_n. In proceedings of TCC ’05, LNCS series, 2005
Cited by 4 (0 self)
We demonstrate the cryptographic usefulness of a small subgroup of Z*_n of hidden order. Cryptographic schemes for integer commitment and digital signatures have been suggested over large subgroups of Z*_n, by reducing the order of the groups we obtain quite similar but more efficient schemes. The underlying cryptographic assumption resembles the strong RSA assumption.
Cryptography in subgroups of Z*_n, Proceedings of TCC 2005, LNCS
Cited by 4 (3 self)
We demonstrate the cryptographic usefulness of a small subgroup of Z*_n of hidden order. Cryptographic schemes for integer commitment and digital signatures have been suggested over large subgroups of Z*_n, by reducing the order of the groups we obtain quite similar but more efficient schemes. The underlying cryptographic assumption resembles the strong RSA assumption. We analyze a signature scheme known to be secure against known message attack and prove that it is secure against adaptive chosen message attack. This result does not necessarily rely on the use of a small subgroup, but the small subgroup can make the security reduction tighter. We also investigate the case where Z*_n has semi-smooth order. Using a new decisional assumption, related to high residuosity assumptions, we suggest a homomorphic public-key cryptosystem.