Results 1  10
of
34
GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks
, 2002
"... Abstract. The GuillouQuisquater (GQ) and Schnorr identification schemes are amongst the most efficient and bestknown FiatShamir followons, but the question of whether they can be proven secure against impersonation under active attack has remained open. This paper provides such a proof for GQ ba ..."
Abstract

Cited by 66 (7 self)
 Add to MetaCart
(Show Context)
Abstract. The GuillouQuisquater (GQ) and Schnorr identification schemes are amongst the most efficient and bestknown FiatShamir followons, but the question of whether they can be proven secure against impersonation under active attack has remained open. This paper provides such a proof for GQ based on the assumed security of RSA under one more inversion, an extension of the usual onewayness assumption that was introduced in [5]. It also provides such a proof for the Schnorr scheme based on a corresponding discretelog related assumption. These are the first security proofs for these schemes under assumptions related to the underlying oneway functions. Both results extend to establish security against impersonation under concurrent attack. 1
Anonymous identification in ad hoc groups
, 2004
"... We introduce Ad Hoc Anonymous Identification schemes, a new multiuser cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with oneway domain, a natur ..."
Abstract

Cited by 46 (1 self)
 Add to MetaCart
(Show Context)
We introduce Ad Hoc Anonymous Identification schemes, a new multiuser cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with oneway domain, a natural extension of cryptographic accumulators we introduce in this work. We provide a formal model for Ad Hoc Anonymous Identification schemes and design secure such schemes both generically (based on any accumulator with oneway domain) and for a specific efficient implementation of such an accumulator based on the Strong RSA Assumption. A salient feature of our approach is that identification protocols take time independent of the size of the ad hoc group. All our schemes and notions can be generally and efficiently amended so that they allow the recovery of the signer’s identity by an authority, if the latter is desired. Using the FiatShamir transform, we also obtain constantsize, signerambiguous group and ring signatures (provably secure in the Random Oracle Model). For ring signatures, this is the first such constantsize scheme, as all the previous proposals had signature size proportional to the size of the ring. For group signatures, we obtain schemes comparable in performance with stateoftheart schemes, with the additional feature that the role of the group manager during key registration is extremely simple and essentially passive: all it does is accept the public key of the new member (and update the constantsize public key of the group).
Threshold Cryptosystems Secure against ChosenCiphertext Attacks
 IN PROC. OF ASIACRYPT
, 2000
"... Semantic security against chosenciphertext attacks (INDCCA) is widely believed as the correct security level for publickey encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the ..."
Abstract

Cited by 35 (3 self)
 Add to MetaCart
(Show Context)
Semantic security against chosenciphertext attacks (INDCCA) is widely believed as the correct security level for publickey encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving INDCCA. Both are El Gamallike schemes and thus are based on the same intractability assumption, namely the Decisional DiffieHellman problem. In this article we rehabilitate the twinencryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) INDCPA scheme into a (threshold) INDCCA one in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of threshold cryptosystem secure against chosenciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the “homomorphic properties” of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a “homomorphic cryptosystem”, but just keep the homomorphic properties.
Parallel and concurrent security of the HB and HB+ protocols
 Journal of Cryptology
, 2010
"... Hopper and Blum (Asiacrypt 2001) and Juels and Weis (Crypto 2005) recently proposed two sharedkey authentication protocols — HB and HB +, respectively — whose extremely low computational cost makes them attractive for lowcost devices such as radiofrequency identification (RFID) tags. The security ..."
Abstract

Cited by 34 (0 self)
 Add to MetaCart
(Show Context)
Hopper and Blum (Asiacrypt 2001) and Juels and Weis (Crypto 2005) recently proposed two sharedkey authentication protocols — HB and HB +, respectively — whose extremely low computational cost makes them attractive for lowcost devices such as radiofrequency identification (RFID) tags. The security of these protocols is based on the conjectured hardness of the “learning parity with noise ” (LPN) problem, which is equivalent to the problem of decoding random binary linear codes. The HB protocol is proven secure against a passive (eavesdropping) adversary, while the HB + protocol is proven secure against active attacks. In this paper, we revisit the security analysis of these protocols and give simpler proofs of security that also have a number of technical advantages with respect to prior work. Most significantly, we prove security for parallel or concurrent executions, meaning that the protocols can be parallelized to run in fewer rounds. We also explicitly address the dependence of the soundness error on the number of iterations. The results of this work appeared in preliminary form in [26] and [27]. Some of this research was performed while
The CramerShoup StrongRSA signature scheme revisited
 In proceedings of PKC ’03, LNCS series
, 2003
"... marc.fischlin @ sit.fraunhofer.de ..."
(Show Context)
On the fly authentication and signature schemes based on groups of unknown order
 Journal of Cryptology
"... Abstract. In response to the current need for fast, secure and cheap publickey cryptography, we propose an interactive zeroknowledge identification scheme and a derived signature scheme that combine provable security based on the problem of computing discrete logarithms in any group, short keys, ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In response to the current need for fast, secure and cheap publickey cryptography, we propose an interactive zeroknowledge identification scheme and a derived signature scheme that combine provable security based on the problem of computing discrete logarithms in any group, short keys, very short transmission and minimal online computation. This leads to both efficient and secure applications well suited to implementation on low cost smart cards. We introduce GPS, a Schnorrlike scheme that does not require knowledge of the order of the group nor of the group element. As a consequence, it can be used with most cryptographic group structures, including those of unknown order. Furthermore, the computation of the prover’s response is done over the integers, hence can be done with very limited computational capabilities. This paper provides complete security proofs of the identification scheme. From a practical point of view, the possible range of parameters is discussed and a report on the performances of an actual implementation on a cheap smart card is included: a complete and secure authentication can be performed in less than 20 milliseconds with low cost equipment. Key words. Identification scheme, Digital signature, Discrete logarithm problem, Minimal online computation, Low cost smart cards.
Multitrapdoor commitments and their applications to proofs of knowledge secure under concurrent maninthemiddle attacks (Extended Abstract)
 IN CRYPTO
, 2004
"... We introduce the notion of multitrapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multitrapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong DiffieHellman Assumption. The ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
(Show Context)
We introduce the notion of multitrapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multitrapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong DiffieHellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent maninthemiddle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or DiffieHellman Assumption.
Secure Object Identification  or: Solving The Chess Grandmaster Problem
 Proceedings of the 2003 Workshop on New Security Paradigms
, 2003
"... Many applications of cryptographic identification protocols are vulnerable against physical adversaries who perform real time attacks. For instance, when identifying a physical object like an automated teller machine, common identification schemes can be bypassed by faithfully relaying all messages ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
Many applications of cryptographic identification protocols are vulnerable against physical adversaries who perform real time attacks. For instance, when identifying a physical object like an automated teller machine, common identification schemes can be bypassed by faithfully relaying all messages between the communicating participants. This attack is known as mafia fraud.
The Representation Problem Based on Factoring
 In Proceedingsn of CTRSA’02, LNCS 2271
, 2002
"... We review the representation problem based on factoring and show that this problem gives rise to alternative solutions to a lot of cryptographic protocols in the literature. And, while the solutions so far usually either rely on the RSA problem or the intractability of factoring integers of a specia ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
We review the representation problem based on factoring and show that this problem gives rise to alternative solutions to a lot of cryptographic protocols in the literature. And, while the solutions so far usually either rely on the RSA problem or the intractability of factoring integers of a special form (e.g., Blum integers), the solutions here work with the most general factoring assumption. Protocols we discuss include identification schemes secure against parallel attacks, secure signatures, blind signatures and (nonmalleable) commitments.
Towards Secure IFF: Preventing Mafia Fraud Attacks
, 2002
"... Common identigication schemes are vulnerable against realtime attacks, that are known as magia frauds: An active adversary relays unnoticed all messages between the participants  causing a misidentigication with fatal consequences. No convincing practical solution is known so far, and even common ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
Common identigication schemes are vulnerable against realtime attacks, that are known as magia frauds: An active adversary relays unnoticed all messages between the participants  causing a misidentigication with fatal consequences. No convincing practical solution is known so far, and even common security proofs explicitly omit such scenarios.