Results 1-10 of 20
Lattice-Based Identification Schemes Secure Under Active Attacks
2008
Cited by 32 (8 self)
There is an inherent difficulty in building 3-move ID schemes based on combinatorial problems without much algebraic structure. A consequence of this is that most standard ID schemes today are based on the hardness of number theory problems. Not having schemes based on alternate assumptions is a cause for concern since improved number theoretic algorithms or the realization of quantum computing would make the known schemes insecure. In this work, we examine the possibility of creating identification protocols based on the hardness of lattice problems. We construct a 3-move identification scheme whose security is based on the worst-case hardness of the shortest vector problem in all lattices, and also present a more efficient version based on the hardness of the same problem in ideal lattices.
Security of Blind Discrete Log Signatures against Interactive Attacks
ICICS 2001, LNCS 2229
2001
Cited by 30 (1 self)
We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some l times with a legitimate signer and produces from these interactions l + 1 signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo q with random inhomogeneities (right sides). There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order 2^200. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.
On the fly authentication and signature schemes based on groups of unknown order
Journal of Cryptology
Cited by 27 (1 self)
In response to the current need for fast, secure and cheap public-key cryptography, we propose an interactive zero-knowledge identification scheme and a derived signature scheme that combine provable security based on the problem of computing discrete logarithms in any group, short keys, very short transmission and minimal online computation. This leads to both efficient and secure applications well suited to implementation on low cost smart cards. We introduce GPS, a Schnorr-like scheme that does not require knowledge of the order of the group nor of the group element. As a consequence, it can be used with most cryptographic group structures, including those of unknown order. Furthermore, the computation of the prover's response is done over the integers, hence can be done with very limited computational capabilities. This paper provides complete security proofs of the identification scheme. From a practical point of view, the possible range of parameters is discussed and a report on the performances of an actual implementation on a cheap smart card is included: a complete and secure authentication can be performed in less than 20 milliseconds with low cost equipment. Key words: Identification scheme, Digital signature, Discrete logarithm problem, Minimal online computation, Low cost smart cards.
Fiat-Shamir with aborts: Applications to lattice- and factoring-based signatures
2009
Cited by 25 (6 self)
We demonstrate how the framework that is used for creating efficient number-theoretic ID and signature schemes can be transferred into the setting of lattices. This results in constructions of the most efficient to-date identification and signature schemes with security based on the worst-case hardness of problems in ideal lattices. In particular, our ID scheme has communication complexity of around 65,000 bits and the length of the signatures produced by our signature scheme is about 50,000 bits. All prior lattice-based identification schemes required on the order of millions of bits to be transferred, while all previous lattice-based signature schemes were either stateful, too inefficient, or produced signatures whose lengths were also on the order of millions of bits. The security of our identification scheme is based on the hardness of finding the approximate shortest vector to within a factor of Õ(n^2) in the standard model, while the security of the signature scheme is based on the same assumption in the random oracle model. Our protocols are very efficient, with all operations requiring Õ(n) time. We also show that the technique for constructing our lattice-based schemes can be used to improve certain number-theoretic schemes. In particular, we are able to shorten the length of the signatures that are produced by Girault's factoring-based digital signature scheme ([10, 11, 31]).
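The three-move exchange that the GPS abstract above summarises (commitment, challenge, response computed over the integers with no knowledge of the group order) and the rejection step that the Fiat-Shamir-with-aborts abstract applies to Girault's factoring-based scheme, as one added Python example. This is not code from either paper or from any of the listed authors: the modulus N, generator G, bit sizes and the two-bit slack are toy assumptions chosen so the arithmetic can be checked by hand, SHA-256 stands in for the random oracle, and the abort interval [B, R) is my choice of how to apply the rejection rule in the integer setting.

```python
"""GPS-style 3-move identification and Fiat-Shamir signing with aborts.

Added example for this listing, not code from any of the cited papers.
All parameters are constructed toys (a ~40-bit modulus, 32-bit secrets) so the
arithmetic can be followed by hand; they provide no security.
"""
import hashlib
import secrets

# Constructed RSA-style modulus. Nobody in the protocol needs its group order,
# which is the point of GPS: the prover's response is computed over the integers.
P, Q = 1000003, 1000033          # assumed primes (toy sizes)
N = P * Q
G = 2                            # assumed to generate a large subgroup mod N

S_BITS, C_BITS = 32, 16          # secret-key and challenge sizes (illustrative)
S_MAX, C_MAX = 1 << S_BITS, 1 << C_BITS
B = S_MAX * C_MAX                # upper bound on s*c
SLACK_BITS = 2                   # nonce range R = B * 2**SLACK_BITS
R = B << SLACK_BITS              # small slack => y = r + s*c is sometimes rejected


def keygen(s=None):
    """Secret s; public key v = G^(-s) mod N."""
    if s is None:
        s = secrets.randbelow(S_MAX)
    return s, pow(G, -s, N)      # negative exponent = modular inverse (Python >= 3.8)


def commit(r=None):
    """Move 1 (prover -> verifier): W = G^r mod N for a fresh nonce r in [0, R)."""
    if r is None:
        r = secrets.randbelow(R)
    return r, pow(G, r, N)


def challenge():
    """Move 2 (verifier -> prover): random c in [0, C_MAX)."""
    return secrets.randbelow(C_MAX)


def respond(s, r, c):
    """Move 3: y = r + s*c over the integers; no reduction, so no group order needed."""
    return r + s * c


def verify(v, W, c, y):
    """Interactive check: G^y * v^c == G^(r + s*c) * G^(-s*c) == W (mod N).
    A deployed verifier also bounds y; the signature verifier below does."""
    return (pow(G, y, N) * pow(v, c, N)) % N == W


def in_safe_range(y):
    """Abort rule. For any s < S_MAX and c < C_MAX, y = r + s*c with r uniform on
    [0, R) is uniform on [B, R) once values outside that interval are discarded,
    so a released y is independent of s. Rejection probability is at most B/R."""
    return B <= y < R


def fs_challenge(W, msg):
    """Fiat-Shamir: the verifier's challenge becomes a hash of (W, message)."""
    h = hashlib.sha256(W.to_bytes((N.bit_length() + 7) // 8, "big") + msg).digest()
    return int.from_bytes(h, "big") % C_MAX


def sign(s, msg):
    """Fiat-Shamir with aborts: rerun the protocol until y passes in_safe_range.
    Returns the signature (c, y) and how many attempts were aborted."""
    aborts = 0
    while True:
        r, W = commit()
        c = fs_challenge(W, msg)
        y = respond(s, r, c)
        if in_safe_range(y):
            return (c, y), aborts
        aborts += 1


def verify_sig(v, msg, sig):
    """Recover W = G^y * v^c, reject out-of-range y, and re-derive the challenge."""
    c, y = sig
    if not in_safe_range(y):
        return False
    W = (pow(G, y, N) * pow(v, c, N)) % N
    return fs_challenge(W, msg) == c
```

Without the abort rule the nonce r has to be far larger than s*c so that y hides s statistically, and every response carries those extra bits; with it, y is only SLACK_BITS longer than s*c and the signer pays with a retry in at most a quarter of the attempts. That is the trade the Fiat-Shamir-with-aborts abstract describes when it shortens Girault's factoring-based signatures.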
VSH, an efficient and provable collision-resistant hash function
Cited by 17 (1 self)
We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(log S) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1 GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus runs at 1.1 MB/s, with a moderate slowdown to 0.7 MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.
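The compression step behind the "single multiplication per Ω(S) message-bits" claim, as an added Python example rather than the VSH authors' implementation. The iteration x_{j+1} = x_j^2 * (product of p_i over set bits of the j-th k-bit block) mod n, with a final block encoding the message length, is the basic VSH definition from the paper; the abstract above does not spell it out. The moduli 77 and 1000003 * 1000033 are constructed here for illustration and give no security.

```python
"""Basic VSH: one modular squaring plus one modular multiplication by a product
of small primes per block of k message bits.

Added example, not the VSH authors' code. Toy moduli only; no security.
The paper's reduction walks back through the blocks to turn any collision
into a nontrivial modular square root of a very smooth number, which is the
assumption the abstract names.
"""


def vsh_primes(n):
    """p_1..p_k: the longest prefix of the primes whose product is below n
    (VSH's parameter condition; for a 1024-bit n this gives k in the low hundreds)."""
    primes, prod, cand = [], 1, 2
    while True:
        if all(cand % p for p in primes if p * p <= cand):   # trial division
            if prod * cand >= n:
                return primes
            prod *= cand
            primes.append(cand)
        cand += 1


def smooth_product(primes, bits):
    """Product of p_i over the positions where bit i is set: a 'very smooth' integer."""
    prod = 1
    for p, bit in zip(primes, bits):
        if bit:
            prod *= p
    return prod


def vsh_bits(bits, n):
    """Hash a list of 0/1 message bits m_1..m_l to an element of Z_n."""
    primes = vsh_primes(n)
    k = len(primes)
    l = len(bits)
    if l >= 1 << k:
        raise ValueError("message length must satisfy l < 2^k")
    padded = bits + [0] * (-l % k)          # zero-pad to a multiple of k
    x = 1
    for j in range(0, len(padded), k):
        # The whole product of small primes is formed over the integers first,
        # so each k-bit block costs one squaring and one multiplication mod n.
        x = (x * x % n) * smooth_product(primes, padded[j:j + k]) % n
    # Final block: the bits of l, least significant first (l = sum l_i 2^(i-1)).
    # It binds the length, so "1" and "100" hash differently despite the padding.
    length_bits = [(l >> i) & 1 for i in range(k)]
    return (x * x % n) * smooth_product(primes, length_bits) % n


def vsh(msg, n):
    """Byte-string wrapper, most significant bit of each byte first."""
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    return vsh_bits(bits, n)


# Constructed toy moduli (assumed products of two primes; far too small to be safe).
TOY_N = 77                        # 7 * 11: k = 3, so messages of fewer than 8 bits
DEMO_N = 1000003 * 1000033        # ~40 bits: k = 11, messages of fewer than 2048 bits
```

With TOY_N the arithmetic can be followed by hand: the bits 1,0,1 give x = 2 * 5 = 10 after the only message block, and the length block for l = 3 (bits 1,1,0) gives 10^2 * 2 * 3 = 600 = 61 mod 77. The abstract's throughput figures come from exactly this shape: per k bits, one squaring, one multiplication by an integer that never exceeds n, and no per-bit modular work.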
How to Build a Hash Function from any Collision-Resistant Function
2007
Cited by 12 (3 self)
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective "mixing" stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a block-cipher-based construction that
A Secure Identification and Key agreement protocol with user Anonymity (SIKA)
Cited by 9 (0 self)
Keywords: user identification, authentication, key agreement, anonymity, RSA, Denial-of-Service (DoS) attack

Anonymity is a desirable security feature in addition to providing user identification and key agreement during a user's login process. Recently, Yang et al. proposed an efficient user identification and key distribution protocol while preserving user anonymity. Their protocol addresses a weakness in the protocol proposed by Wu and Hsu. Unfortunately, Yang's protocol poses a vulnerability that can be exploited to launch a Denial-of-Service (DoS) attack. In this paper, we cryptanalyze Yang's protocol and present the DoS attack. We further secure their protocol by proposing a Secure Identification and Key agreement protocol with user Anonymity (SIKA) that overcomes the above limitation while achieving security features like identification, authentication, key agreement and user anonymity.
A critical look at cryptographic hash function literature
ECRYPT Hash Workshop
2007
Cited by 3 (1 self)
The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accurately depicting the research aims people have today.