Results 1  10
of
37
Signature Schemes Based on the Strong RSA Assumption
 ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY
, 1998
"... We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the socalled Strong RSA Assumption. Moreove ..."
Abstract

Cited by 172 (8 self)
 Add to MetaCart
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the socalled Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Deniable Ring Authentication
 In Proceedings of Crypto 2002, volume 2442 of LNCS
, 2002
"... Abstract. Digital Signatures enable authenticating messages in a way that disallows repudiation. While nonrepudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Si ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Digital Signatures enable authenticating messages in a way that disallows repudiation. While nonrepudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Signatures (see Rivest, Shamir and Tauman [38]). In this paper we show how to combine these notions and achieve Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad hoc subset of participants (a ring) is authenticating a message m without revealing which one (source hiding), and the verifier V cannot convince a third party that message m was indeed authenticated – there is no ‘paper trail ’ of the conversation, other than what could be produced by V alone, as in zeroknowledge. We provide an efficient protocol for deniable ring authentication based on any strong encryption scheme. That is once an entity has published a publickey of such an encryption system, it can be drafted to any such ring. There is no need for any other cryptographic primitive. The scheme can be extended to yield threshold authentication (e.g. at least k members of the ring are approving the message) as well. 1
A Simple PublicKey Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications
 In Asiacrypt ’03, LNCS 2894
, 2003
"... Abstract. At Eurocrypt ’02 Cramer and Shoup [7] proposed a general paradigm to construct practical publickey cryptosystems secure against adaptive chosenciphertext attacks as well as several concrete examples. Among the others they presented a variant of Paillier’s [21] scheme achieving such a str ..."
Abstract

Cited by 28 (5 self)
 Add to MetaCart
Abstract. At Eurocrypt ’02 Cramer and Shoup [7] proposed a general paradigm to construct practical publickey cryptosystems secure against adaptive chosenciphertext attacks as well as several concrete examples. Among the others they presented a variant of Paillier’s [21] scheme achieving such a strong security requirement and for which two, independent, decryption mechanisms are allowed. In this paper we revisit such scheme and show that by considering a different subgroup, one can obtain a different scheme (whose security can be proved with respect to a different mathematical assumption) that allows for interesting applications. In particular we show how to construct a perfectly hiding commitment schemes that allows for an online / offline efficiency tradeoff. The scheme is computationally binding under the assumption that factoring is hard, thus improving on the previous construction by Catalano et al. [5] whose binding property was based on the assumption that inverting RSA[N, N] (i.e. RSA with the public exponent set to N) is hard. 1
Multitrapdoor commitments and their applications to proofs of knowledge secure under concurrent maninthemiddle attacks (Extended Abstract)
 IN CRYPTO
, 2004
"... We introduce the notion of multitrapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multitrapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong DiffieHellman Assumption. The ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
We introduce the notion of multitrapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multitrapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong DiffieHellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent maninthemiddle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or DiffieHellman Assumption.
Chameleon Hashing without Key Exposure
, 2004
"... Chameleon signatures are based on well established hashand sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of nonrepudiation and nontransferability for the signed message, i.e., the ..."
Abstract

Cited by 21 (5 self)
 Add to MetaCart
(Show Context)
Chameleon signatures are based on well established hashand sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of nonrepudiation and nontransferability for the signed message, i.e., the designated recipient is capable of verifying the validity of the signature, but cannot disclose the contents of the signed information to convince any third party without the signer's consent.
Twin Signatures: An Alternative to the HashandSign Paradigm
, 2001
"... This paper introduces a simple alternative to the hashandsign paradigm called twinning. A twin signature is obtained by signing twice the same short message by a probabilistic signature scheme. Analysis of the concept in di#erent settings yields the following results:  We prove that no generi ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
This paper introduces a simple alternative to the hashandsign paradigm called twinning. A twin signature is obtained by signing twice the same short message by a probabilistic signature scheme. Analysis of the concept in di#erent settings yields the following results:  We prove that no generic algorithm can e#ciently forge a twin DSA signature. Although generic algorithms o#er a less stringent form of security than computational reductions in the standard model, such successful proofs still produce positive evidence in favor of the correctness of the new paradigm.
Universal designated verifier signature proof (or How to efficiently prove knowledge of a signature
 In Advances in Cryptology ASIACRYPT’05
, 2005
"... Abstract. Proving knowledge of a signature has many interesting applications. As one of them, the Universal Designated Verifier Signature (UDVS), introduced by Steinfeld et al. in Asiacrypt 2003 aims to protect a signature holder’s privacy by allowing him to convince a verifier that he holds a valid ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Proving knowledge of a signature has many interesting applications. As one of them, the Universal Designated Verifier Signature (UDVS), introduced by Steinfeld et al. in Asiacrypt 2003 aims to protect a signature holder’s privacy by allowing him to convince a verifier that he holds a valid signature from the signer without revealing the signature itself. The essence of the UDVS is a transformation from a publicly verifiable signature to a designated verifier signature, which is performed by the signature holder who does not have access to the signer’s secret key. However, one significant inconvenience of all the previous UDVS schemes considered in the literature is that they require the designated verifier to create a public key using the signer’s public key parameter and have it certified to ensure the resulting public key is compatible with the setting that the signer provided. This restriction is unrealistic in several situations where the verifier is not willing to go through such setup process. In this paper, we resolve this problem by introducing a new type of UDVS. Different from previous approach to UDVS, our new UDVS solution, which we call “Universal Designated Verifier Signature Proof (UDVSP)”, employs an interactive protocol between the signature holder and the verifier while maintaining high level of efficiency. We provide a formal model and security notions for UDVSP and give two constructions based on the bilinear pairings. We prove that the first construction is secure in the random oracle model and so is the second one in the standard model.
New Approaches for Deniable Authentication
 IN EUROCRYPT ’99
, 2005
"... Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place. We point ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place. We point
OffLine/OnLine Signatures: Theoretical aspects and Experimental Results
, 2008
"... This paper presents some theoretical and experimental results about offline/online digital signatures. The goal of this type of schemes is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combin ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
This paper presents some theoretical and experimental results about offline/online digital signatures. The goal of this type of schemes is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient onetime signatures. Later Shamir and Tauman presented an alternative construction (which produces shorter signatures) by combining regular signatures with chameleon hash functions. We first unify the ShamirTauman and Even et al. approaches by showing that they can be considered different instantiations of the same paradigm. We do this by showing that the onetime signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing are in effect a type of onetime signatures which satisfy this weaker security notion. In the process we study the relationship between onetime signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call twotrapdoor) is a fully secure onetime signature. Finally we ran experimental tests using OpenSSL libraries to test the difference between the two approaches. In our implementation we make extensive use of the observation that offline/online digital signatures do not require collisionresistant hash functions to compress the message, but can be safely implemented with universal oneway hashing in both the offline and the online step. The main application of this observation is that both the steps can be applied to shorter digests. This has particular relevance if blockciphers or hash functions based onetime signatures are used since these are very sensitive to the length of the message. Interestingly, we show that (mostly due to the above observation about hashing), the two approaches are comparable in efficiency and signature length.
A new short signature scheme without random oracles from bilinear pairings
 IN: VIETCRYPT 2006, LNCS 4341
, 2005
"... To date, there exist three short signature schemes from bilinear pairings. In this paper, we propose a new signature scheme that is existentially unforgeable under a chosen message attack without random oracle. The security of our scheme depends on a new complexity assumption called the k+1 square ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
To date, there exist three short signature schemes from bilinear pairings. In this paper, we propose a new signature scheme that is existentially unforgeable under a chosen message attack without random oracle. The security of our scheme depends on a new complexity assumption called the k+1 square roots assumption. We also discuss the relationship between the k+1 square roots assumption and some related problems and provide some conjectures. Moreover, the k+1 square roots assumption can be used to construct shorter signatures under the random oracle model.