Results 11 - 20
of
177
Bonsai Trees, or How to Delegate a Lattice Basis
, 2010
"... We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hash-and-sign ’ signature scheme in the standard model (i.e., no random oracles), and • The ..."
Abstract
-
Cited by 123 (7 self)
- Add to MetaCart
(Show Context)
We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hash-and-sign ’ signature scheme in the standard model (i.e., no random oracles), and • The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography. 1
Secure communications over insecure channels based on short authenticated strings
- IN ADVANCES IN CRYPTOLOGY (CRYPTO)
, 2005
"... We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication as for authentication based on Short Authenticated Strings. The extra channel use ..."
Abstract
-
Cited by 117 (2 self)
- Add to MetaCart
(Show Context)
We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restore of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted.
The One-More-RSA-Inversion Problems and the Security of Chaum’s Blind Signature Scheme
- Journal of Cryptology
, 2003
"... Abstract We introduce a new class of computational problems which we call the "one-more-RSAinversion " problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems respectively, have polynomially-equivalent comput ..."
Abstract
-
Cited by 91 (5 self)
- Add to MetaCart
(Show Context)
Abstract We introduce a new class of computational problems which we call the "one-more-RSAinversion " problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems respectively, have polynomially-equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for "one-more-discrete-logarithm " problems. Since the appearence of the preliminary version of this paper, the new problems we have introduced have found other uses as well.
A New Forward-Secure Digital Signature Scheme”.
- In Proceedings of ASIACRYPT 2000, LNCS 1976,
, 2000
"... ..."
Verifiable Random Functions
- In FOCS 1999
, 1999
"... We efficiently combine unpredictability and verifiability by extending the Goldreich–Goldwasser–Micali construction of pseudorandom functions fs from a secret seed s, so that knowledge of s not only enables one to evaluate fs at any point x, but also to provide an NP-proof that the value fs(x) is in ..."
Abstract
-
Cited by 75 (2 self)
- Add to MetaCart
We efficiently combine unpredictability and verifiability by extending the Goldreich–Goldwasser–Micali construction of pseudorandom functions fs from a secret seed s, so that knowledge of s not only enables one to evaluate fs at any point x, but also to provide an NP-proof that the value fs(x) is indeed correct without compromising the unpredictability of fs at any other point for which no such a proof was provided.
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
, 2000
"... The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to bas ..."
Abstract
-
Cited by 73 (7 self)
- Add to MetaCart
(Show Context)
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of of Cramer and Shoup; we prove that the scheme is secure if the Decisional DiffieHellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
Unique signatures and verifiable random functions from the DH-DDH separation
- Proceedings of Crypto 2002, volume 2442 of LNCS
, 2002
"... Abstract. A unique signature scheme has the property that a signature σPK(m) is a (hard-to-compute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing ..."
Abstract
-
Cited by 63 (3 self)
- Add to MetaCart
Abstract. A unique signature scheme has the property that a signature σPK(m) is a (hard-to-compute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing verifiable random functions. Another useful property of unique signatures is that they are stateless: the signer does not need to update his secret key after an invocation. The only previously known construction of a unique signature in the plain model was based on the RSA assumption. The only other previously known provably secure constructions of stateless signatures were based on the Strong RSA assumption. Here, we give a construction of a unique signature scheme based on a generalization of the Diffie-Hellman assumption in groups where decisional Diffie-Hellman is easy. Several recent results suggest plausibility of such groups. We also give a few related constructions of verifiable random functions (VRFs). VRFs, introduced by Micali, Rabin, and Vadhan, are objects that combine the properties of pseudorandom functions (i.e. indistinguishability from random even after querying) with the verifiability property. Prior to our work, VRFs were only known to exist under the RSA assumption.
Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products
, 2002
"... We present a new protocol for ecient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows to distributively compute shared RSA keys, where th ..."
Abstract
-
Cited by 62 (0 self)
- Add to MetaCart
(Show Context)
We present a new protocol for ecient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows to distributively compute shared RSA keys, where the modulus is the product of two safe primes, much more efficiently than was previously known.
Optimal Security Proofs for PSS and other Signature Schemes
, 2002
"... The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter r ..."
Abstract
-
Cited by 59 (2 self)
- Add to MetaCart
The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that log 2 qsig bits suce, where qsig is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than log 2 qsig bits are used, then PSS is still provably secure but it cannot have a tight security proof.
On the (In)security of the Fiat-Shamir Paradigm
- In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
, 2003
"... In 1986, Fiat and Shamir suggested a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen ..."
Abstract
-
Cited by 53 (2 self)
- Add to MetaCart
In 1986, Fiat and Shamir suggested a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
