Results 11  20
of
126
Strong KeyInsulated Signature Schemes
, 2002
"... Digital signing is at the heart of Internet based transactions and ecommerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the se ..."
Abstract

Cited by 48 (13 self)
 Add to MetaCart
Digital signing is at the heart of Internet based transactions and ecommerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the secrecy of the private key.
DistanceBounding Protocols (Extended Abstract)
 EUROCRYPT’93, Lecture Notes in Computer Science 765
, 1993
"... It is often the case in applications of cryptographic protocols that one party would like to determine a practical upperbound on the physical distance to the other party. For instance, when a person conducts a cryptographic identification protocol at an entrance to a building, the access control co ..."
Abstract

Cited by 44 (0 self)
 Add to MetaCart
It is often the case in applications of cryptographic protocols that one party would like to determine a practical upperbound on the physical distance to the other party. For instance, when a person conducts a cryptographic identification protocol at an entrance to a building, the access control computer in the building would like to be ensured that the person giving the responses is no more than a few meters away. The "distance bounding" technique we introduce solves this problem by timing the delay between sending out a challenge bit and receiving back the corresponding response bit. It can be integrated into common identification protocols. The technique can also be applied in the threeparty setting of "wallets with observers" in such a way that the intermediary party can prevent the other two from exchanging information, or even developing common coinflips.
On the (In)security of the FiatShamir Paradigm
 In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
, 2003
"... In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen ..."
Abstract

Cited by 43 (2 self)
 Add to MetaCart
In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
New Generation of Secure and Practical RSAbased Signatures
, 1996
"... For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collisionintractability of certain hashfunctions are necessar ..."
Abstract

Cited by 36 (1 self)
 Add to MetaCart
For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collisionintractability of certain hashfunctions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
Efficient NonMalleable Commitment Schemes
 In Crypto 2000, SpringerVerlag (LNCS 1880
, 2000
"... . We present e#cient nonmalleable commitment schemes based on standard assumptions such as RSA and DiscreteLog, and under the condition that the network provides publicly available RSA or DiscreteLog parameters generated by a trusted party. Our protocols require only three rounds and a few mo ..."
Abstract

Cited by 35 (2 self)
 Add to MetaCart
. We present e#cient nonmalleable commitment schemes based on standard assumptions such as RSA and DiscreteLog, and under the condition that the network provides publicly available RSA or DiscreteLog parameters generated by a trusted party. Our protocols require only three rounds and a few modular exponentiations. We also discuss the di#erence between the notion of nonmalleable commitment schemes used by Dolev, Dwork and Naor [DDN00] and the one given by Di Crescenzo, Ishai and Ostrovsky [DIO98]. 1 Introduction Loosely speaking, a commitment scheme is nonmalleable if one cannot transform the commitment of another person's secret into one of a related secret. Such nonmalleable schemes are for example important for auctions over the Internet: it is necessary that one cannot generate a valid commitment of a bid b + 1 after seeing the commitment of an unknown bid b of another participant. Unfortunately, this property is not achieved by commitment schemes in general, because ...
Appendonly signatures
 in International Colloquium on Automata, Languages and Programming
, 2005
"... Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “sidechannel attacks ” which exploit leakage of information about the secret internal state. In this work we pu ..."
Abstract

Cited by 35 (10 self)
 Add to MetaCart
Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “sidechannel attacks ” which exploit leakage of information about the secret internal state. In this work we put forward the notion of “leakageresilient signatures, ” which strengthens the standard security notion by giving the adversary the additional power to learn a bounded amount of arbitrary information about the secret state that was accessed during every signature generation. This notion naturally implies security against all sidechannel attacks as long as the amount of information leaked on each invocation is bounded and “only computation leaks information.” The main result of this paper is a construction which gives a (treebased, stateful) leakageresilient signature scheme based on any 3time signature scheme. The amount of information that our scheme can safely leak per signature generation is 1/3 of the information the underlying 3time signature scheme can leak in total. Signature schemes that remain secure even if a bounded total amount of information is leaked were recently constructed, hence instantiating our construction with these schemes gives the first constructions of provably secure leakageresilient signature schemes. The above construction assumes that the signing algorithm can sample truly random bits, and thus an implementation would need some special hardware (randomness gates). Simply generating this randomness using a leakageresilient streamcipher will in general not work. Our second contribution is a sound general principle to replace uniform random bits in any leakageresilient construction with pseudorandom ones: run two leakageresilient streamciphers (with independent keys) in parallel and then apply a twosource extractor to their outputs. 1
From identification to signatures via the FiatShamir transform: Minimizing assumptions for security and forwardsecurity
 Proceedings of Eurocrypt 2002, volume 2332 of LNCS
, 2002
"... The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, ..."
Abstract

Cited by 32 (5 self)
 Add to MetaCart
The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forwardsecure cases. Specifically, it is shown that the signature scheme is secure (resp. forwardsecure) against chosenmessage attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forwardsecure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the FiatShamir transform so that the commitment space assumption may be removed. Keywords: Signature schemes, identification schemes, FiatShamir transform, forward security,
MetaMessage Recovery and MetaBlind signature schemes based on the discrete logarithm problem and their applications
, 1994
"... There have been several approaches in the past to obtain signature schemes with appendix and signature schemes giving message recovery based on the discrete logarithm problem. Most of them can be embedded into a MetaElGamal and MetaMessage recovery scheme. In this paper we present the Metablind s ..."
Abstract

Cited by 31 (6 self)
 Add to MetaCart
There have been several approaches in the past to obtain signature schemes with appendix and signature schemes giving message recovery based on the discrete logarithm problem. Most of them can be embedded into a MetaElGamal and MetaMessage recovery scheme. In this paper we present the Metablind signature schemes which have been developed from the ElGamal based blind signature scheme and the message recovery blind signature scheme discovered recently. From our Metascheme we get various variants from which some are more efficient than the already known ones. They can be recommended for practical use. Then we give interesting applications of the MetaMessage recovery and MetaBlind signature schemes like authentic encryption schemes, key distribution protocols and authentication schemes. Again, we can extract highly efficient variants.
A Fair and Efficient Solution to the Socialist Millionaires' Problem
 Discrete Applied Mathematics
, 2001
"... We present a solution to the Tiercé problem, in which two players want to know whether they have backed the same combination (but neither player wants to disclose its combination to the other one). The problem is also known as the socialist millionaires' problem, in which two millionaires want to kn ..."
Abstract

Cited by 31 (0 self)
 Add to MetaCart
We present a solution to the Tiercé problem, in which two players want to know whether they have backed the same combination (but neither player wants to disclose its combination to the other one). The problem is also known as the socialist millionaires' problem, in which two millionaires want to know whether they happen to be equally rich. In our solution, both players will be convinced of the correctness of the equality test between their combinations and will get no additional information on the other player's combination. Our solution is fair : one party cannot get the result of the comparison while preventing the other one from getting it. The protocol requires O(k) exponentiations only, where k is a security parameter.
Identification protocols secure against reset attacks
 Adv. in Cryptology — Eurocrypt 2001, LNCS
, 2001
"... Abstract. We provide identi£cation protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of ..."
Abstract

Cited by 28 (4 self)
 Add to MetaCart
Abstract. We provide identi£cation protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of the user. These protocols are suitable for use by devices (like smartcards) which when under adversary control may not be able to reliably maintain their internal state between invocations. 1