Short signatures from the Weil pairing
2001
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
2002
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M_i for i = 1, ..., n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Toward secure key distribution in truly ad hoc networks
In Proceedings of the International Symposium on Applications and the Internet Workshop
Ad hoc networks, and in particular wireless mobile ad hoc networks, have unique characteristics and constraints that make traditional cryptographic mechanisms and assumptions inappropriate. In particular, it may not be warranted to assume pre-existing shared secrets between members of the network or the presence of a common PKI. Thus, the issue of key distribution in ad hoc networks represents an important problem. Unfortunately, this issue has been largely ignored; as an example, most protocols for secure ad hoc routing assume that key distribution has already taken place. Traditional key distribution schemes either do not apply in an ad hoc scenario or are not efficient enough for small, resource-constrained devices. We propose to combine efficient techniques from identity-based (ID-based) and threshold cryptography to provide a mechanism that enables flexible and efficient key distribution while respecting the constraints of ad hoc networks. We also discuss the available mechanisms and their suitability for the proposed task.
An efficient signature scheme from bilinear pairings and its applications, PKC 2004
2004
a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on the BLS signature scheme were proposed. BLS short signature needs a special hash function [6, 1, 8]. This hash function is probabilistic and generally inefficient. In this paper, we propose a new short signature scheme from the bilinear pairings that, unlike BLS, uses general cryptographic hash functions such as SHA-1 or MD5, and does not require special hash functions. Furthermore, the scheme requires fewer pairing operations than the BLS scheme and so is more efficient than the BLS scheme. We use this signature scheme to construct a ring signature scheme and a new method for delegation. We give the security proofs for the new signature scheme and the ring signature scheme in the random oracle model.
Sequential aggregate signatures from trapdoor permutations
Advances in Cryptology – EUROCRYPT 2004
2004
An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining n signatures from n different signers on n different messages into one signature of unit length. We propose sequential aggregate signatures, in which the set of signers is ordered. The aggregate signature is computed by having each signer, in turn, add his signature to it. We show how to realize this in such a way that the size of the aggregate signature is independent of n. This makes sequential aggregate signatures a natural primitive for certificate chains, whose length can be reduced by aggregating all signatures in a chain. We give a construction in the random oracle model based on families of certified trapdoor permutations, and show how to instantiate our scheme based on RSA.
Sequential aggregate signatures and multisignatures without random oracles
In EUROCRYPT, 2006.
2006
Abstract. We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature scheme are sequentially constructed, but knowledge of the order in which messages were signed is not necessary for verification. The aggregate signatures obtained are shorter than Lysyanskaya et al. sequential aggregates and can be verified more efficiently than Boneh et al. aggregates. We also consider applications to secure routing and proxy signatures.
Multisignatures in the plain public-key model and a general forking lemma
In ACM CCS 06
2006
A multisignature scheme enables a group of signers to produce a compact, joint signature on a common document, and has many potential uses. However, existing schemes impose key setup or PKI requirements that make them impractical, such as requiring a dedicated, distributed key generation protocol amongst potential signers, or assuming strong, concurrent zero-knowledge proofs of knowledge of secret keys done to the CA at key registration. These requirements limit the use of the schemes. We provide a new scheme that is proven secure in the plain public-key model, meaning it requires nothing more than that each signer has a (certified) public key. Furthermore, the important simplification in key management achieved is not at the cost of efficiency or assurance: our scheme matches or surpasses known ones in terms of signing time, verification time and signature size, and is proven secure in the random-oracle model under a standard (not bilinear map related) assumption. The proof is based on a simplified and general Forking Lemma that may be of independent interest.
Efficient Blind and Partially Blind Signatures Without Random Oracles
2006
This paper proposes a new efficient signature scheme from bilinear maps that is secure in the standard model (i.e., without the random oracle model). Our signature scheme is more effective in many applications (e.g., blind signatures, group signatures, anonymous credentials, etc.) than the existing secure signature schemes in the standard model. As typical applications of our signature scheme, this paper presents efficient blind signatures and partially blind signatures that are secure in the standard model. Here, partially blind signatures are a generalization of blind signatures (i.e., blind signatures are a special case of partially blind signatures) and have many applications including electronic cash and voting. Our blind signature scheme is more efficient than the existing secure blind signature schemes in the standard model such as the Camenisch-Koprowski-Warinsch [9] and Juels-Luby-Ostrovsky [24] schemes. Our partially blind signature scheme is the first one that is secure in the standard model and it is also efficient (as efficient as our blind signatures). The security proof of our blind and partially blind signature schemes requires the 2SDH assumption, a stronger variant of the SDH assumption introduced by Boneh and Boyen [7]. This paper also presents an efficient way to convert our (partially) blind signature scheme in the standard model to a scheme secure for a concurrent run of users in the common reference string (CRS) model. Finally, we present a blind signature scheme based on the Waters signature scheme.
Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
In PKC'08, LNCS
Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform, without seeing the plaintext, a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users' keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.