## Security Proofs for Signature Schemes (1996)

Citations: 209 - 24 self

### BibTeX

@INPROCEEDINGS{Pointcheval96securityproofs,
    author = {David Pointcheval and Jacques Stern},
    title = {Security Proofs for Signature Schemes},
    booktitle = {},
    year = {1996},
    pages = {387--398},
    publisher = {Springer-Verlag}
}

### Abstract

In this paper, we address the question of providing security proofs for signature schemes in the so-called random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signature scheme [3] where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, as RSA [11], subject to existential forgery.

### Citations

2903 | A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM - Rivest, Shamir, et al. - 1978

Citation Context: ... proof for a slight variant of the El Gamal signature scheme [3] where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, as RSA [11], subject to existential forgery. 1 Introduction Since the appearance of the public key cryptography, in the famous Diffie-Hellman paper [2], a significant line of research has tried to provide “provab...

2704 | New directions in cryptography - Diffie, Hellman - 1976

Citation Context: ...er surprising result since the original El Gamal is, as RSA [11], subject to existential forgery. 1 Introduction Since the appearance of the public key cryptography, in the famous Diffie-Hellman paper [2], a significant line of research has tried to provide “provable” security for cryptographic protocols. In the area of computational security, proofs have been given in the asymptotic framework of comp...

1331 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993

Citation Context: ...IS Cedex 05. E-mail: {David.Pointcheval, Jacques.Stern}@ens.fr Abstract. In this paper, we address the question of providing security proofs for signature schemes in the so-called random oracle model [1]. In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signa...

1110 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms - El-Gamal - 1985

1032 | The Knowledge Complexity of Interactive Proof Systems - Goldwasser, Micali, et al. - 1989

Citation Context: ...e permutations. We refer to [6] for details. In 1986, a new paradigm for signature schemes was introduced. It is derived from zero-knowledge identification protocols involving a prover and a verifier [5], and uses hash functions in order to create a kind of virtual verifier. In [4], Fiat and Shamir proposed a zero-knowledge identification protocol based on the hardness of extracting square roots. The...

831 | A digital signature scheme secure against adaptive chosen-message attacks - Goldwasser, Micali, et al. - 1988

Citation Context: ...t signature scheme proven secure against a very general attack, the so-called adaptively chosen-message attack which will be defined later in this paper, has been proposed by Goldwasser-Micali-Rivest [6] in 1984. It uses the notion of claw-free permutations. We refer to [6] for details. In 1986, a new paradigm for signature schemes was introduced. It is derived from zero-knowledge identification prot...

829 | How to prove yourself: practical solutions to identification and signature problems - Fiat, Shamir - 1986

Citation Context: ...ure schemes was introduced. It is derived from zero-knowledge identification protocols involving a prover and a verifier [5], and uses hash functions in order to create a kind of virtual verifier. In [4], Fiat and Shamir proposed a zero-knowledge identification protocol based on the hardness of extracting square roots. They also described the corresponding signature scheme and outlined its security. ...

822 | The MD4 message-digest algorithm - Rivest - 1991

Citation Context: ...hich relies on the honest verifier zero-knowledge property of the identification scheme. 2.3 The Random Oracle Model As we already pointed out, signature schemes often use a hash function f (e.g. MD5 [10] or SHS [8]). This use of hash functions may have been motivated by the wish to sign long messages with a single signature. Accordingly, the requirement of the function was collision freeness. It was ...

312 | A public key cryptosystem and a signature scheme based on discrete logarithms - Gamal - 1985

Citation Context: ...lar, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signature scheme [3] where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, as RSA [11], subject to existential forgery. 1 Introduction Since the a...

311 | Efficient identification and signatures for smart cards - Schnorr - 1990

Citation Context: ...protocol based on the hardness of extracting square roots. They also described the corresponding signature scheme and outlined its security. Similar results for other signature schemes like Schnorr’s [12] are considered as folklore results but have never appeared in the literature. In this paper, we review the basic method for proving security of signature schemes in the random oracle model [1] and su...

198 | A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory - Guillou, Quisquater - 1988

Citation Context: ... be solved in polynomial time. The same results are true for every signature scheme which comes from the transformation of a honest verifier zero-knowledge identification protocol (Guillou-Quisquater [7], the Permuted Kernel Problem [13], the Syndrome Decoding problem [14], the Constrained Linear Equations [15], the Permuted Perceptrons Problem [9], etc.). For each of them, existential forgery under ...

63 | A new identification scheme based on syndrome decoding - Stern - 1993

Citation Context: ...gnature scheme which comes from the transformation of a honest verifier zero-knowledge identification protocol (Guillou-Quisquater [7], the Permuted Kernel Problem [13], the Syndrome Decoding problem [14], the Constrained Linear Equations [15], the Permuted Perceptrons Problem [9], etc.). For each of them, existential forgery under an adaptively chosen-message attack in the random oracle model is equi...

42 | An Efficient Identification Scheme based on Permuted Kernels. CRYPTO - Shamir - 1989

Citation Context: ...e same results are true for every signature scheme which comes from the transformation of a honest verifier zero-knowledge identification protocol (Guillou-Quisquater [7], the Permuted Kernel Problem [13], the Syndrome Decoding problem [14], the Constrained Linear Equations [15], the Permuted Perceptrons Problem [9], etc.). For each of them, existential forgery under an adaptively chosen-message attac...

26 | A new identification scheme based on the perceptrons problem - Pointcheval - 1995

Citation Context: ...nowledge identification protocol (Guillou-Quisquater [7], the Permuted Kernel Problem [13], the Syndrome Decoding problem [14], the Constrained Linear Equations [15], the Permuted Perceptrons Problem [9], etc.). For each of them, existential forgery under an adaptively chosen-message attack in the random oracle model is equivalent to the problem on which the identification scheme relies. 1011 Refer...

25 | Designing identification schemes with keys of short size - Stern - 1994

Citation Context: ...nsformation of a honest verifier zero-knowledge identification protocol (Guillou-Quisquater [7], the Permuted Kernel Problem [13], the Syndrome Decoding problem [14], the Constrained Linear Equations [15], the Permuted Perceptrons Problem [9], etc.). For each of them, existential forgery under an adaptively chosen-message attack in the random oracle model is equivalent to the problem on which the iden...