Results 1  10
of
42
Security Arguments for Digital Signatures and Blind Signatures
 JOURNAL OF CRYPTOLOGY
, 2000
"... Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the ..."
Abstract

Cited by 300 (36 self)
 Add to MetaCart
Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the
Security Proofs for Signature Schemes
, 1996
"... In this paper, we address the question of providing security proofs for signature schemes in the socalled random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight ..."
Abstract

Cited by 225 (24 self)
 Add to MetaCart
In this paper, we address the question of providing security proofs for signature schemes in the socalled random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signature scheme [3] where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, as RSA [11], subject to existential forgery.
A New Identification Scheme Based on Syndrome Decoding
, 1994
"... Zeroknowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([6]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([4]), who turned zeroknowledge proofs of quadratic residuosity into efficient means of establishing user identities. ..."
Abstract

Cited by 67 (8 self)
 Add to MetaCart
Zeroknowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([6]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([4]), who turned zeroknowledge proofs of quadratic residuosity into efficient means of establishing user identities. Still, as is almost always the case in publickey cryptography, the FiatShamir scheme relied on arithmetic operations on large numbers. In 1989, there were two attempts to build identification protocols that only use simple operations (see [11, 10]). One appeared in the EUROCRYPT proceedings and relies on the intractability of some coding problems, the other was presented at the CRYPTO rump session and depends on the socalled Permuted Kernel problem (PKP). Unfortunately, the first of the schemes was not really practical. In the present paper, we propose a new identification scheme, based on errorcorrecting codes, which is zeroknowledge and is of practical value. Furthermore, we describe several variants, including one which has an identity based character. The security of our scheme depends on the hardness of decoding a word of given syndrome w.r.t. some binary linear errorcorrecting code.
A New PublicKey Cryptosystem
, 1997
"... This paper describes a new publickey cryptosystem where the ciphertext is obtained by multiplying the publickeys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power. ..."
Abstract

Cited by 41 (5 self)
 Add to MetaCart
This paper describes a new publickey cryptosystem where the ciphertext is obtained by multiplying the publickeys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power.
Designing Identification Schemes with Keys of Short Size
 Advances in Cryptology  proceedings of CRYPTO '94
, 1994
"... In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see [10, 8]). One was presented at the CRYPTO 89 rump session ([8]) and depends on the socalled Permuted Kerne ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see [10, 8]). One was presented at the CRYPTO 89 rump session ([8]) and depends on the socalled Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding problem (SD) form the theory of error correcting codes ([11]). In this paper, we introduce a new scheme of the same family with the distinctive character that both the secret key and the public identification key can be taken to be of short length. By short, we basically mean the usual size of conventional symmetric cryptosystems. As is known, the possibility of using short keys has been a challenge in public key cryptography and has practical applications. Our scheme relies on a combinatorial problem which we call Constrained Linear Equations (CLE in short) and which consists of solving a set of linear equations modulo some small prime q, the unknowns being subject to belong to a specific subset of the integers mod q. Thus, we enlarge the set of tools that can be used in cryptography.
A New Identification Scheme Based on the Perceptrons Problem
 In Eurocrypt ’95, LNCS 921
, 1995
"... Abstract. Identification is a useful cryptographic tool. Since zeroknowledge theory appeared [3], several interactive identification schemes have been proposed (in particular FiatShamir [2] and its variants [4, 6, 5], Schnorr [9]). These identifications are based on number theoretical problems. Mo ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
Abstract. Identification is a useful cryptographic tool. Since zeroknowledge theory appeared [3], several interactive identification schemes have been proposed (in particular FiatShamir [2] and its variants [4, 6, 5], Schnorr [9]). These identifications are based on number theoretical problems. More recently, new schemes appeared with the peculiarity that they are more efficient from the computational point of view and that their security is based on N Pcomplete problems: PKP (Permuted Kernels Problem) [10], SD (Syndrome Decoding) [12] and CLE (Constrained Linear Equations) [13]. We present a new N Pcomplete linear problem which comes from learning machines: the Perceptrons Problem. We have some constraints, m vectors X i of {−1, +1} n, and we want to find a vector V of {−1, +1} n such that X i · V ≥ 0 for all i. Next, we provide some zeroknowledge interactive identification protocols based on this problem, with an evaluation of their security. Eventually, those protocols are well suited for smart card applications. 1
LatticeBased Identification Schemes Secure Under Active Attacks
, 2008
"... There is an inherent difficulty in building 3move ID schemes based on combinatorial problems without much algebraic structure. A consequence of this, is that most standard ID schemes today are based on the hardness of number theory problems. Not having schemes based on alternate assumptions is a c ..."
Abstract

Cited by 23 (6 self)
 Add to MetaCart
There is an inherent difficulty in building 3move ID schemes based on combinatorial problems without much algebraic structure. A consequence of this, is that most standard ID schemes today are based on the hardness of number theory problems. Not having schemes based on alternate assumptions is a cause for concern since improved number theoretic algorithms or the realization of quantum computing would make the known schemes insecure. In this work, we examine the possibility of creating identification protocols based on the hardness of lattice problems. We construct a 3move identification scheme whose security is based on the worstcase hardness of the shortest vector problem in all lattices, and also present a more efficient version based on the hardness of the same problem in ideal lattices.
The composite discrete logarithm and secure authentication
 In Public Key Cryptography
, 2000
"... Abstract. For the two last decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certifica ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
Abstract. For the two last decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users ’ anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zeroknowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witnessindistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witnessindistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault’s variants of the Schnorr schemes which validates practical sizes for security parameters. Finally, thanks to the witnessindistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.
Concurrently Secure Identification Schemes Based on the WorstCase Hardness of Lattice Problems
, 2008
"... In this paper, we show that two variants of Stern’s identification scheme [IEEE Transaction on Information Theory ’96] are provably secure against concurrent attack under the assumptions on the worstcase hardness of lattice problems. These assumptions are weaker than those for the previous lattice ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
In this paper, we show that two variants of Stern’s identification scheme [IEEE Transaction on Information Theory ’96] are provably secure against concurrent attack under the assumptions on the worstcase hardness of lattice problems. These assumptions are weaker than those for the previous latticebased identification schemes of Micciancio and Vadhan [CRYPTO ’03] and of Lyubashevsky [PKC ’08]. We also construct efficient ad hoc anonymous identification schemes based on the lattice problems by modifying the variants.
A New Paradigm for Public Key Identification
 IEEE TRANSACTIONS ON INFORMATION THEORY
"... The present article investigates the possibility of designing zeroknowledge identification schemes based on hard problems from coding theory. Zeroknowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([16]). Their practical significance was soon demonstrated in ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
The present article investigates the possibility of designing zeroknowledge identification schemes based on hard problems from coding theory. Zeroknowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([16]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([11]), who turned zeroknowledge proofs of quadratic residuosity into efficient means of establishing user identities. In the present paper, we propose a new identification scheme, based on errorcorrecting codes, which is zeroknowledge and seems of practical value. Furthermore