Results 11  20
of
1,048
Short Signatures without Random Oracles
, 2004
"... We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Di#eHellman assumption. This assumption has similar properties to the Strong RS ..."
Abstract

Cited by 265 (14 self)
 Add to MetaCart
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Di#eHellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Efficient Group Signature Schemes for Large Groups (Extended Abstract)
, 1997
"... A group signature scheme allows members of a group to sign messages on the group's behalf such that the resulting signature does not reveal their identity. Only a designated group manager is able to identify the group member who issued a given signature. Previously proposed realizations of group sig ..."
Abstract

Cited by 264 (26 self)
 Add to MetaCart
A group signature scheme allows members of a group to sign messages on the group's behalf such that the resulting signature does not reveal their identity. Only a designated group manager is able to identify the group member who issued a given signature. Previously proposed realizations of group signature schemes have the undesirable property that the length of the public key is linear in the size of the group. In this paper we propose the first group signature scheme whose public key and signatures have length independent of the number of group members and which can therefore also be used for large groups. Furthermore, the scheme allows the group manager to add new members to the group without modifying the public key. The realization is ba...
Optimistic fair exchange of digital signatures
 IEEE Journal on Selected Areas in Communications
, 1998
"... Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an elect ..."
Abstract

Cited by 239 (10 self)
 Add to MetaCart
Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic, ” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player. 1
Optimal Asymmetric Encryption
, 1994
"... Given an arbitrary kbit to kbit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string z of length slightly less than k bits can be encrypted as where r= is a simple probabilistic encoding of z depending on the hash function; and (ii) the scheme ca ..."
Abstract

Cited by 238 (18 self)
 Add to MetaCart
Given an arbitrary kbit to kbit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string z of length slightly less than k bits can be encrypted as where r= is a simple probabilistic encoding of z depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts such a scheme is not only semantically secure but also nonmalleable and secure against chosenciphertext attack.
A practical and provably secure coalitionresistant group signature scheme
, 2000
"... A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature’s originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes ..."
Abstract

Cited by 238 (20 self)
 Add to MetaCart
A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature’s originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification scheme with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalitionresistant under the strong RSA and the decisional DiffieHellman assumptions. The security of the noninteractive variant, i.e., the group signature scheme, relies additionally on the FiatShamir heuristic (also known as the random oracle model).
Information Sharing across Private Databases
, 2003
"... Literature on information integration across databases tacitly assumes that the data in each database can be revealed to the other databases. However, there is an increasing need for sharing information across autonomous entities in such a way that no information apart from the answer to the query i ..."
Abstract

Cited by 216 (13 self)
 Add to MetaCart
Literature on information integration across databases tacitly assumes that the data in each database can be revealed to the other databases. However, there is an increasing need for sharing information across autonomous entities in such a way that no information apart from the answer to the query is revealed. We formalize the notion of minimal information sharing across private databases, and develop protocols for intersection, equijoin, intersection size, and equijoin size. We also show how new applications can be built using the proposed protocols.
Security Proofs for Signature Schemes
, 1996
"... In this paper, we address the question of providing security proofs for signature schemes in the socalled random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight ..."
Abstract

Cited by 209 (24 self)
 Add to MetaCart
In this paper, we address the question of providing security proofs for signature schemes in the socalled random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signature scheme [3] where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, as RSA [11], subject to existential forgery.
Optimal Asymmetric Encryption – How to Encrypt with RSA
, 1995
"... Given an arbitrary kbit to kbit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme ..."
Abstract

Cited by 204 (18 self)
 Add to MetaCart
Given an arbitrary kbit to kbit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is \ideal. " Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she \knows " the corresponding plaintextssuch ascheme is not only semantically secure but also nonmalleable and secure against chosenciphertext attack.
Practical Threshold Signatures
, 1999
"... We present an RSA threshold signature scheme. The scheme enjoys the following properties: 1. it is unforgeable and robust in the random oracle model, assuming the RSA problem is hard ..."
Abstract

Cited by 202 (2 self)
 Add to MetaCart
We present an RSA threshold signature scheme. The scheme enjoys the following properties: 1. it is unforgeable and robust in the random oracle model, assuming the RSA problem is hard