#### DMCA

## An attack on the proactive RSA signature scheme in the URSA ad hoc network access control protocol (2004)

### Cached

### Download Links

- [sconce.ics.uci.edu]
- [www.ics.uci.edu]
- [www.ics.uci.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | in the URSA Ad Hoc Network Access Control Protocol. In ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN |

Citations: | 18 - 5 self |

### Citations

2575 | How to share a secret
- Shamir
- 1979
(Show Context)
Citation Context ...heme can be applicable to MANETs because it avoids the need to access all shares during the threshold signature protocol. This is because it relies solely on Shamir’s polynomial secret sharing scheme =-=[24]-=-, as opposed to resorting to an additional layer of additive secret sharing, as is done by the two most efficient provably secure proactive RSA schemes [8, 21] discussed above. The core of the URSA pr... |

1062 | Securing ad hoc networks
- Zhou, Haas
- 1999
(Show Context)
Citation Context ...long as in any single time period the number of simultaneously corrupted members does not exceed t. Application of Proactive Signatures to Peer-to-Peer Group Security. As pointed out by Zhou and Haas =-=[25]-=-, proactive signature schemes can be used to implement group access control decisions without relying on a trusted and always accessible group “manager”, who makes all admission and revocation decisio... |

753 | Short signature from the Weil pairing
- Boneh, Lynn, et al.
- 2001
(Show Context)
Citation Context ... proactive DSS signature scheme of Gennaro et al. [9]. Recently, the same authors [23] examined the performance of a more efficient access control protocol based on the proactive BLS signature scheme =-=[4]-=- of Boldyreva [2], which relies on elliptic curve cryptography. However, the common operation of signature verification in DSS, BLS, and in all other discrete-log based signature schemes, is orders of... |

319 | Providing robust and ubiquitous security support for mobile ad-hoc networks
- Kong, Zerfos, et al.
- 2001
(Show Context)
Citation Context ...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti... |

296 |
Threshold cryptosystems,”
- Desmedt, Frankel
- 1989
(Show Context)
Citation Context ...Computer Science UC Irvine, CA 92697, USA {stasio, nitesh, jhyi}@ics.uci.edu 1 1. INTRODUCTION: BACKGROUND AND MOTIVATION Threshold and Proactive Signature Schemes. A (t,n) threshold signature scheme =-=[6]-=- enables any subgroup of t+1 members in a group consisting of n > t members, to collaboratively sign a message on behalf of that group. This is achieved by secret-sharing the signature key, e.g. the R... |

231 | Proactive secret sharing or: How to cope with perpetual leakage”,
- Herzberg, Jarecki, et al.
- 1995
(Show Context)
Citation Context ...t in particular protect the secrecy of the signature key as long as no more than t of the group members are corrupt. A proactive signature scheme [10], based on techniques of proactive secret sharing =-=[20, 11]-=-, is a threshold signature scheme which remains secure and robust even if in every time period, called “share update interval”, a possibly different set of t group members is corrupted. This is achiev... |

191 | Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme
- Boldyreva
- 2003
(Show Context)
Citation Context ...gnature scheme of Gennaro et al. [9]. Recently, the same authors [23] examined the performance of a more efficient access control protocol based on the proactive BLS signature scheme [4] of Boldyreva =-=[2]-=-, which relies on elliptic curve cryptography. However, the common operation of signature verification in DSS, BLS, and in all other discrete-log based signature schemes, is orders of magnitude more c... |

168 |
How to withstand mobile virus attacks”,
- Ostrovsky, Yung
- 1991
(Show Context)
Citation Context ...t in particular protect the secrecy of the signature key as long as no more than t of the group members are corrupt. A proactive signature scheme [10], based on techniques of proactive secret sharing =-=[20, 11]-=-, is a threshold signature scheme which remains secure and robust even if in every time period, called “share update interval”, a possibly different set of t group members is corrupted. This is achiev... |

107 | Self-securing Ad Hoc Wireless Networks,"
- Luo, Zerfos, et al.
- 2002
(Show Context)
Citation Context ...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti... |

100 | Proactive Public Key and Signature Systems,"
- Herzberg, Jakobsson, et al.
- 1997
(Show Context)
Citation Context ...o achieve t-security, a threshold signature scheme must in particular protect the secrecy of the signature key as long as no more than t of the group members are corrupt. A proactive signature scheme =-=[10]-=-, based on techniques of proactive secret sharing [20, 11], is a threshold signature scheme which remains secure and robust even if in every time period, called “share update interval”, a possibly dif... |

92 | A simplified approach to threshold and proactive rsa
- Rabin
- 1998
(Show Context)
Citation Context ...y Secure RSA Proactive Signature Schemes. Unfortunately, the most efficient currently known provably secure proactive RSA signature schemes, two schemes by Frankel et al. [7, 8] and a scheme by Rabin =-=[21]-=-, are not easily applicable to securing access control in ad hoc mobile groups by the methods described above. The fundamental reason is that the arithmetic operations involved in the RSA signatures s... |

77 | Separability and efficiency for generic group signature schemes.
- Camenisch, Michels
- 1999
(Show Context)
Citation Context ...ved, for example if the scheme is amended by specialpurpose zero-knowledge proof protocols for proving equality of discrete logarithms in two different groups, e.g. the proofs of Camenish and Michels =-=[5]-=-. Such proof protocols are not very fast, but their expense can be tolerated because they would need to be executed only in the (rare) case of a corrupted member providing an incorrect partial signatu... |

77 | URSA: Ubiquitous and Robust Access Control for Mobile Ad-hoc Networks. - Luo, Kong, et al. - 2004 |

64 | Ubiquitous and robust authentication services for ad hoc wireless networks.
- Luo, Lu
- 2000
(Show Context)
Citation Context ...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti... |

54 |
An attack on RSA given a small fraction of the private key bits.
- Boneh, Durfee, et al.
- 1998
(Show Context)
Citation Context ... search by making a simple observation about half of the MSBs of d for small e values, and by utilizing several known results regarding the security of the RSA cryptosystem under partial key exposure =-=[3, 1]-=-. Below we explain the speed up for small e’s, and we list the other applicable results and explain how they speed up our search algorithm. The graph in Figure (1) summarizes this discussion by showin... |

50 | Proactive RSA.
- Frankel, Gemmell, et al.
- 1997
(Show Context)
Citation Context ... with Currently Known Provably Secure RSA Proactive Signature Schemes. Unfortunately, the most efficient currently known provably secure proactive RSA signature schemes, two schemes by Frankel et al. =-=[7, 8]-=- and a scheme by Rabin [21], are not easily applicable to securing access control in ad hoc mobile groups by the methods described above. The fundamental reason is that the arithmetic operations invol... |

35 | Optimal-resilience proactive public-key cryptosystems
- Frankel, Gemmell, et al.
- 1997
(Show Context)
Citation Context ... with Currently Known Provably Secure RSA Proactive Signature Schemes. Unfortunately, the most efficient currently known provably secure proactive RSA signature schemes, two schemes by Frankel et al. =-=[7, 8]-=- and a scheme by Rabin [21], are not easily applicable to securing access control in ad hoc mobile groups by the methods described above. The fundamental reason is that the arithmetic operations invol... |

35 | On the Utility of Distributed Cryptography and P2P and MANETs: The Case of Membership Control
- Narasimha, Tsudik, et al.
- 2003
(Show Context)
Citation Context ...nstruct the RSA signature m d (mod N) from t + 1 signature shares produced individually by the t+1 members participating in the signing protocol. The first problem with this scheme was pointed out in =-=[19]-=-. Namely, contrary to what the authors of the proposal claimed, their scheme does not provide robustness in signature generation in the presence of t malicious members. Simply speaking, the robustness... |

33 | New partial key exposure attacks on RSA,”
- Blomer, May
- 2003
(Show Context)
Citation Context ... search by making a simple observation about half of the MSBs of d for small e values, and by utilizing several known results regarding the security of the RSA cryptosystem under partial key exposure =-=[3, 1]-=-. Below we explain the speed up for small e’s, and we list the other applicable results and explain how they speed up our search algorithm. The graph in Figure (1) summarizes this discussion by showin... |

26 | Admission control in Peer-toPeer: design and performance evaluation, - Saxena, Tsudik, et al. - 2003 |

20 | Adaptive security for multilevel ad hoc networks
- Kong, Luo, et al.
- 2002
(Show Context)
Citation Context |

20 | Identity-based access control for ad hoc groups
- Saxena, Tsudik, et al.
(Show Context)
Citation Context ... of Luo, et al. (see below), Saxena et al. [22] implemented such access control protocol for ad hoc networks using the proactive DSS signature scheme of Gennaro et al. [9]. Recently, the same authors =-=[23]-=- examined the performance of a more efficient access control protocol based on the proactive BLS signature scheme [4] of Boldyreva [2], which relies on elliptic curve cryptography. However, the common... |

8 | Further simplifications in proactive rsa signatures., in: TCC 2005: Theory of Cryptography
- Jarecki, Saxena
(Show Context)
Citation Context ...ted Work. Recently, two authors of this paper examined a related question of whether the URSA proactive RSA signature scheme can be fixed, and at what cost, to make a provably secure signature scheme =-=[12]-=-. It turns out that if polynomial secret-sharing in the URSA scheme is replaced with additive sharing in the first layer (with a second layer of polynomial sharing, as in the provably secure RSA schem... |

6 |
S.Jarecki, H.Krawczyk, and T.Rabin. Robust Threshold DSS Signatures
- Gennaro
(Show Context)
Citation Context ...egree, by controlling the shares of f(z) held by the corrupted players. In provably-secure proactive schemes that employ this proactive share update protocol, like the proactive DSS or BLS signatures =-=[9, 2]-=-, this adversarial ability does not pose any harm. However, as we will see in section 4, this control ability means trouble for the URSA proactive RSA scheme since the information about shared secret ... |

2 |
Comments on Recent Advances in Cryptoanalysis of URSA. A draft communicated to the authors by email by Songwu Lu, on August 16th
- Lu
- 2004
(Show Context)
Citation Context ... corrupted players. It is therefore important for the practical feasibility of the attack how this Ω group is decided. From the initial reply of the URSA authors to the attack presented in this paper =-=[16]-=-, it appears that the details of how the Ω group is decided are not set in stone in the design of the URSA scheme. This is not surprising since the idea of modifying the Herzberg et al. protocol by de... |