Results 1  10
of
156
Short Signatures without Random Oracles
, 2004
"... We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Di#eHellman assumption. This assumption has similar properties to the Strong RS ..."
Abstract

Cited by 387 (13 self)
 Add to MetaCart
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Di#eHellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
, 2000
"... and analysis of the generic composition paradigm ..."
Abstract

Cited by 281 (25 self)
 Add to MetaCart
(Show Context)
and analysis of the generic composition paradigm
Improved proxy reencryption schemes with applications to secure distributed storage
 IN NDSS
, 2005
"... In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy reencryption, in which a semitrusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure reencryption will become increasingly popu ..."
Abstract

Cited by 190 (16 self)
 Add to MetaCart
In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy reencryption, in which a semitrusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure reencryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the widespread adoption of BBS reencryption has been hindered by considerable security risks. Following recent work of Ivan and Dodis, we present new reencryption schemes that realize a stronger notion of security and we demonstrate the usefulness of proxy reencryption as a method of adding access control to the SFS readonly file system. Performance measurements of our experimental file system demonstrate that proxy reencryption can work effectively in practice.
Practical Verifiable Encryption and Decryption of Discrete Logarithms
, 2003
"... Abstract. This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protoco ..."
Abstract

Cited by 170 (23 self)
 Add to MetaCart
Abstract. This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cutandchoose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures. 1
CertificateBased Encryption and the Certificate Revocation Problem
, 2003
"... We introduce the notion of certificatebased encryption. In this model, a certificate  or, more generally, a signature  acts not only as a certificate but also as a decryption key. To decrypt a message, a keyholder needs both its secret key and an uptodate certificate from its CA (or a sig ..."
Abstract

Cited by 86 (0 self)
 Add to MetaCart
We introduce the notion of certificatebased encryption. In this model, a certificate  or, more generally, a signature  acts not only as a certificate but also as a decryption key. To decrypt a message, a keyholder needs both its secret key and an uptodate certificate from its CA (or a signature from an authorizer). Certificatebased encryption combines the best aspects of identitybased encryption (implicit certification) and public key encryption (no escrow). We demonstrate how certificatebased encryption can be used to construct an e#cient PKI requiring less infrastructure than previous proposals, including Micali's Novomodo, NaorNissim and AielloLodhaOstrovsky.
Formal Proofs for the Security of Signcryption
 In PKC ’02
, 2002
"... Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead. ..."
Abstract

Cited by 84 (3 self)
 Add to MetaCart
(Show Context)
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.
Multipurpose IdentityBased Signcryption  A Swiss Army Knife for IdentityBased Cryptography
 In Proc. CRYPTO 2003
, 2003
"... IdentityBased (IB) cryptography is a rapidly emerging approach to publickey cryptography that does not require principals to precompute key pairs and obtain certi cates for their public keysinstead, public keys can be arbitrary identi ers such as email addresses, while private keys are deri ..."
Abstract

Cited by 71 (1 self)
 Add to MetaCart
(Show Context)
IdentityBased (IB) cryptography is a rapidly emerging approach to publickey cryptography that does not require principals to precompute key pairs and obtain certi cates for their public keysinstead, public keys can be arbitrary identi ers such as email addresses, while private keys are derived at any time by a trusted private key generator upon request by the designated principals. Despite the urry of recent results on IB encryption and signature, some questions regarding the security and eciency of practicing IB encryption (IBE) and signature (IBS) as a joint IB signature/encryption (IBSE) scheme with a common set of parameters and keys, remain unanswered.
Publickey broadcast encryption for stateless receivers
 In Digital Rights Management — DRM ’02, volume 2696 of LNCS
, 2002
"... A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated thro ..."
Abstract

Cited by 53 (6 self)
 Add to MetaCart
A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [NNL01], who also present a very efficient “subset difference ” (SD) method for solving this problem. The efficiency of this method (which also enjoys efficient traitor tracing mechanism and several other useful features) was recently improved by Halevi and Shamir [HS02], who called their refinement the “Layered SD ” (LSD) method. Both of the above methods were originally designed to work in the centralized symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “online”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [NNL01] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [NNL01] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both of SD/LSD methods, in addition to the same (small) user’s storage and ciphertext size as in the symmetric key setting. 1
Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack
 In Public Key Cryptography — PKC ’03, volume 2567 of LNCS
, 2003
"... Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption withthe capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a mes ..."
Abstract

Cited by 41 (9 self)
 Add to MetaCart
(Show Context)
Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption withthe capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors ” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of nonadaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation ” between the classical notion of CCA2security and the recently proposed [15, 1] relaxed notion of gCCA2security. 1