Results 1  10
of
39
Security Arguments for Digital Signatures and Blind Signatures
 JOURNAL OF CRYPTOLOGY
, 2000
"... Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the ..."
Abstract

Cited by 278 (35 self)
 Add to MetaCart
Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the
Security Proofs for Signature Schemes
, 1996
"... In this paper, we address the question of providing security proofs for signature schemes in the socalled random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight ..."
Abstract

Cited by 209 (24 self)
 Add to MetaCart
In this paper, we address the question of providing security proofs for signature schemes in the socalled random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signature scheme [3] where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, as RSA [11], subject to existential forgery.
A New Identification Scheme Based on Syndrome Decoding
, 1994
"... Zeroknowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([6]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([4]), who turned zeroknowledge proofs of quadratic residuosity into efficient means of establishing user identities. ..."
Abstract

Cited by 63 (8 self)
 Add to MetaCart
Zeroknowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([6]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([4]), who turned zeroknowledge proofs of quadratic residuosity into efficient means of establishing user identities. Still, as is almost always the case in publickey cryptography, the FiatShamir scheme relied on arithmetic operations on large numbers. In 1989, there were two attempts to build identification protocols that only use simple operations (see [11, 10]). One appeared in the EUROCRYPT proceedings and relies on the intractability of some coding problems, the other was presented at the CRYPTO rump session and depends on the socalled Permuted Kernel problem (PKP). Unfortunately, the first of the schemes was not really practical. In the present paper, we propose a new identification scheme, based on errorcorrecting codes, which is zeroknowledge and is of practical value. Furthermore, we describe several variants, including one which has an identity based character. The security of our scheme depends on the hardness of decoding a word of given syndrome w.r.t. some binary linear errorcorrecting code.
A New PublicKey Cryptosystem
, 1997
"... This paper describes a new publickey cryptosystem where the ciphertext is obtained by multiplying the publickeys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power. ..."
Abstract

Cited by 40 (5 self)
 Add to MetaCart
This paper describes a new publickey cryptosystem where the ciphertext is obtained by multiplying the publickeys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power.
A New Identification Scheme Based on the Perceptrons Problem
 In Eurocrypt ’95, LNCS 921
, 1995
"... Abstract. Identification is a useful cryptographic tool. Since zeroknowledge theory appeared [3], several interactive identification schemes have been proposed (in particular FiatShamir [2] and its variants [4, 6, 5], Schnorr [9]). These identifications are based on number theoretical problems. Mo ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
Abstract. Identification is a useful cryptographic tool. Since zeroknowledge theory appeared [3], several interactive identification schemes have been proposed (in particular FiatShamir [2] and its variants [4, 6, 5], Schnorr [9]). These identifications are based on number theoretical problems. More recently, new schemes appeared with the peculiarity that they are more efficient from the computational point of view and that their security is based on N Pcomplete problems: PKP (Permuted Kernels Problem) [10], SD (Syndrome Decoding) [12] and CLE (Constrained Linear Equations) [13]. We present a new N Pcomplete linear problem which comes from learning machines: the Perceptrons Problem. We have some constraints, m vectors X i of {−1, +1} n, and we want to find a vector V of {−1, +1} n such that X i · V ≥ 0 for all i. Next, we provide some zeroknowledge interactive identification protocols based on this problem, with an evaluation of their security. Eventually, those protocols are well suited for smart card applications. 1
Designing Identification Schemes with Keys of Short Size
 Advances in Cryptology  proceedings of CRYPTO '94
, 1994
"... In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see [10, 8]). One was presented at the CRYPTO 89 rump session ([8]) and depends on the socalled Permuted Kerne ..."
Abstract

Cited by 25 (4 self)
 Add to MetaCart
In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see [10, 8]). One was presented at the CRYPTO 89 rump session ([8]) and depends on the socalled Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding problem (SD) form the theory of error correcting codes ([11]). In this paper, we introduce a new scheme of the same family with the distinctive character that both the secret key and the public identification key can be taken to be of short length. By short, we basically mean the usual size of conventional symmetric cryptosystems. As is known, the possibility of using short keys has been a challenge in public key cryptography and has practical applications. Our scheme relies on a combinatorial problem which we call Constrained Linear Equations (CLE in short) and which consists of solving a set of linear equations modulo some small prime q, the unknowns being subject to belong to a specific subset of the integers mod q. Thus, we enlarge the set of tools that can be used in cryptography.
LatticeBased Identification Schemes Secure Under Active Attacks
, 2008
"... There is an inherent difficulty in building 3move ID schemes based on combinatorial problems without much algebraic structure. A consequence of this, is that most standard ID schemes today are based on the hardness of number theory problems. Not having schemes based on alternate assumptions is a c ..."
Abstract

Cited by 19 (6 self)
 Add to MetaCart
There is an inherent difficulty in building 3move ID schemes based on combinatorial problems without much algebraic structure. A consequence of this, is that most standard ID schemes today are based on the hardness of number theory problems. Not having schemes based on alternate assumptions is a cause for concern since improved number theoretic algorithms or the realization of quantum computing would make the known schemes insecure. In this work, we examine the possibility of creating identification protocols based on the hardness of lattice problems. We construct a 3move identification scheme whose security is based on the worstcase hardness of the shortest vector problem in all lattices, and also present a more efficient version based on the hardness of the same problem in ideal lattices.
The composite discrete logarithm and secure authentication
 In Public Key Cryptography
, 2000
"... Abstract. For the two last decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certifica ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
Abstract. For the two last decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users ’ anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zeroknowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witnessindistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witnessindistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault’s variants of the Schnorr schemes which validates practical sizes for security parameters. Finally, thanks to the witnessindistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.
Efficient Scalable Fair Cash with Offline Extortion Prevention
 Lecture Notes in Computer Science
, 1997
"... . There have been many proposals to realize anonymous electronic cash. Although these systems offer high privacy to the users, they have the disadvantage that the anonymity might be misused by criminals to commit perfect crimes. The recent research focuses therefore on the realization of fair electr ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
. There have been many proposals to realize anonymous electronic cash. Although these systems offer high privacy to the users, they have the disadvantage that the anonymity might be misused by criminals to commit perfect crimes. The recent research focuses therefore on the realization of fair electronic cash systems where the anonymity of the coins is revocable by a trustee in the case of fraudulent users. In this paper, we propose a new efficient fair cash system which offers scalable security with respect to its efficiency. Our system prevents extortion attacks, like blackmailing or the use of blindfolding protocols under offline payments and with the involvement of the trustee only at registration of the users. Another advantage is, that it is assembled from well studied cryptographic techniques, such that its security can easily be evaluated. The strength of this approach is clearly its simplicity. Although it might astonish the reader that the design matters little from existing...
Efficient Zeroknowledge Authentication Based on a Linear Algebra Problem MiniRank
 ADVANCES IN CRYPTOLOGY – ASIACRYPT 2001, VOLUME 2248 OF LECTURE NOTES IN COMPUTER SCIENCE
, 2001
"... A Zeroknowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on NPhard problems. Among them, ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
A Zeroknowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on NPhard problems. Among them,