Optimal Asymmetric Encryption – How to Encrypt with RSA
, 1995
Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(r_x), where r_x is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts; such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
Noninteractive Zero-Knowledge
 SIAM J. COMPUTING
, 1991
This paper investigates the possibility of disposing of interaction between prover and verifier in a zero-knowledge proof if they share beforehand a short random string. Without any assumption, it is proven that noninteractive zero-knowledge proofs exist for some number-theoretic languages for which no efficient algorithm is known. If deciding quadratic residuosity (modulo composite integers whose factorization is not known) is computationally hard, it is shown that the NP-complete language of satisfiability also possesses noninteractive zero-knowledge proofs.
A forward-secure digital signature scheme
, 1999
Abstract. We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient.
Witness indistinguishable and witness hiding protocols
 in 22nd STOC
, 1990
A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding
Using Secure Coprocessors
, 1994
The views and conclusions in this document are those of the authors and do not necessarily represent the official policies or endorsements of any of the research sponsors. How do we build distributed systems that are secure? Cryptographic techniques can be used to secure the communications between physically separated systems, but this is not enough: we must be able to guarantee the privacy of the cryptographic keys and the integrity of the cryptographic functions, in addition to the integrity of the security kernel and access control databases we have on the machines. Physical security is a central assumption upon which secure distributed systems are built; without this foundation even the best cryptosystem or the most secure kernel will crumble. In this thesis, I address the distributed security problem by proposing the addition of a small, physically secure hardware module, a secure coprocessor, to standard workstations and PCs. My central axiom is that secure coprocessors are able to maintain the privacy of the data they process. This thesis attacks the distributed security problem from multiple sides. First, I analyze the security properties of existing system components, both at the hardware and
An Identity-Based Signature from Gap Diffie-Hellman Groups
Public Key Cryptography - PKC 2003, LNCS 2139
, 2002
In this paper we propose an identity (ID)-based signature scheme using gap Diffie-Hellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model.
On Defining Proofs of Knowledge
, 1998
The notion of a "proof of knowledge," suggested by Goldwasser, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for some of the applications in which they are used. Consequently,
Digital Signatures for Flows and Multicasts
, 1998
We present chaining techniques for signing/verifying multiple packets using a single signing/verification operation. We then present flow signing and verification procedures based upon a tree chaining technique. Since a single signing/verification operation is amortized over many packets, these procedures improve signing and verification rates by one to two orders of magnitude compared to the approach of signing/verifying packets individually. Our procedures do not depend upon reliable delivery of packets, provide delay-bounded signing, and are thus suitable for delay-sensitive flows and multicast applications. To further improve our procedures, we propose several extensions to the Feige-Fiat-Shamir digital signature scheme to substantially speed up both the signing and verification operations, as well as to allow "adjustable and incremental" verification. The extended scheme, called eFFS, is compared to four other digital signature schemes (RSA, DSA, ElGamal, Rabin). We compare their ...
An Efficient Offline Electronic Cash System Based On The Representation Problem
, 1993
We present a new offline electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than previously proposed systems. Another
Designated Verifier Proofs and Their Applications
, 1996
For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) in fact can be convinced about the validity or invalidity of the signature. Generally, authentication of messages and off-the-record messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that only the specified verifier can be convinced by the proof, even if he shares all his secret information with entities that want to get convinced. Our solution is based on trapdoor commitments [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trapdoor commitment scheme can be used to constr...