Short Signatures without Random Oracles (2004)
Cited by 265 (14 self)
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Another Look at “Provable Security” (2004)
Cited by 59 (12 self)
We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible.
Adaptive Security in Broadcast Encryption Systems
Cited by 20 (2 self)
We present new techniques for achieving adaptive security in broadcast encryption systems. Previous work on fully collusion resistant broadcast encryption with short ciphertexts was limited to considering only static security. First, we present a new definition of security that we call semi-static security and show a generic “two-key” transformation from semi-statically secure systems to adaptively secure systems that have comparable-size ciphertexts. Using bilinear maps, we then construct broadcast encryption systems that are semi-statically secure in the standard model and have constant-size ciphertexts. Our semi-static constructions work when the number of indices or identifiers in the system is polynomial in the security parameter. For identity-based broadcast encryption, where the number of potential indices or identifiers may be exponential, we present the first adaptively secure system with sublinear ciphertexts. We prove security in the standard model.
How Risky is the Random-Oracle Model?
Cited by 11 (0 self)
RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 2^30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS ’07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT ’08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that is insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
High-speed high-security signatures
Cited by 10 (4 self)
This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
Comparing two pairing-based aggregate signature schemes, Designs, Codes and Cryptography
Cited by 7 (3 self)
In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto-Naehrig (BN) elliptic curves are employed.
Forward-Secure Signatures in Untrusted Update Environments: . . . (2007)
Cited by 5 (0 self)
Forward-secure signatures (FSS) prevent forgeries for past time periods when an attacker obtains full access to the signer’s storage. To simplify the integration of these primitives into standard security architectures, Boyen, Shacham, Shen and Waters recently introduced the concept of forward-secure signatures with untrusted updates where private keys are additionally protected by a second factor (derived from a password). Key updates can be made on encrypted versions of signing keys so that passwords only come into play for signing messages. The scheme put forth by Boyen et al. relies on bilinear maps and does not require the random oracle. The latter work also suggested the integration of untrusted updates in the Bellare-Miner forward-secure signature and left open the problem of endowing other existing FSS systems with the same second factor protection. This paper solves this problem by showing how to adapt the very efficient generic construction of Malkin, Micciancio and Miner (MMM) to untrusted update environments. More precisely, our modified construction, which does not use random oracles either, obtains a forward-secure signature with untrusted updates from any 2-party multisignature in the plain public key model. In combination with Bellare and Neven’s multisignatures, our generic method yields implementations based on standard assumptions such as RSA, factoring or the hardness of computing discrete logarithms. Like the original MMM scheme, it does not require setting a bound on the number of time periods at key generation.
Proving Tight Security for Standard Rabin-Williams Signatures (2003)
Cited by 4 (1 self)
This paper discusses the security of the Rabin-Williams public-key signature system with a deterministic signing algorithm that computes “standard signatures.” The paper proves that any generic attack on standard Rabin-Williams signatures can be mechanically converted into a factorization algorithm with comparable speed and approximately the same effectiveness. “Comparable” and “approximately” are explicitly quantified.
Another Look at Tightness, Proceedings of Selected Areas in Cryptography (SAC’11), LNCS 7118 (2012)
Cited by 4 (3 self)
We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature, including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.
Efficient strong designated verifier signature schemes without random oracles or delegatability. Cryptology ePrint Archive, Report 2009/518 (2009)
Cited by 3 (0 self)
Designated verifier signature (DVS) is a cryptographic primitive that allows a signer to convince a verifier of the validity of a statement in a way that the verifier is unable to transfer the conviction to a third party. In DVS, signatures are publicly verifiable. The validity of a signature ensures that it is from either the signer or the verifier. Strong DVS (SDVS) enhances the privacy of the signer so that anyone except the designated verifier cannot verify the signer’s signatures. In this paper we propose a highly efficient SDVS scheme based on pseudorandom functions, which is proved to be secure in the standard model. Compared with the most efficient SDVS scheme secure in the random oracle model, our scheme has almost the same complexity in terms of both the computational cost of generating a signature and signature size. A signature of our scheme is simply the output of a pseudorandom function. The security of the scheme is tightly reduced to the hardness of the DDH problem and the security of the pseudorandom function. Since our scheme is vulnerable to delegatability attacks, the study of which was initiated by Lipmaa, Wang and Bao in ICALP 2005, we then propose another construction of SDVS, which is the first one immune to delegatability attacks. The scheme is also very efficient, and has the same