Citation Context

...heme can be applicable to MANETs because it avoids the need to access all shares during the threshold signature protocol. This is because it relies solely on Shamir’s polynomial secret sharing scheme =-=[24]-=-, as opposed to resorting to an additional layer of additive secret sharing, as is done by the two most efficient provably secure proactive RSA schemes [8, 21] discussed above. The core of the URSA pr...

Citation Context

...long as in any single time period the number of simultaneously corrupted members does not exceed t. Application of Proactive Signatures to Peer-to-Peer Group Security. As pointed out by Zhou and Haas =-=[25]-=-, proactive signature schemes can be used to implement group access control decisions without relying on a trusted and always accessible group “manager”, who makes all admission and revocation decisio...

Citation Context

... proactive DSS signature scheme of Gennaro et al. [9]. Recently, the same authors [23] examined the performance of a more efficient access control protocol based on the proactive BLS signature scheme =-=[4]-=- of Boldyreva [2], which relies on elliptic curve cryptography. However, the common operation of signature verification in DSS, BLS, and in all other discrete-log based signature schemes, is orders of...

Citation Context

...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti...

Citation Context

...Computer Science UC Irvine, CA 92697, USA {stasio, nitesh, jhyi}@ics.uci.edu 1 1. INTRODUCTION: BACKGROUND AND MOTIVATION Threshold and Proactive Signature Schemes. A (t,n) threshold signature scheme =-=[6]-=- enables any subgroup of t+1 members in a group consisting of n > t members, to collaboratively sign a message on behalf of that group. This is achieved by secret-sharing the signature key, e.g. the R...

Citation Context

...t in particular protect the secrecy of the signature key as long as no more than t of the group members are corrupt. A proactive signature scheme [10], based on techniques of proactive secret sharing =-=[20, 11]-=-, is a threshold signature scheme which remains secure and robust even if in every time period, called “share update interval”, a possibly different set of t group members is corrupted. This is achiev...

Citation Context

...gnature scheme of Gennaro et al. [9]. Recently, the same authors [23] examined the performance of a more efficient access control protocol based on the proactive BLS signature scheme [4] of Boldyreva =-=[2]-=-, which relies on elliptic curve cryptography. However, the common operation of signature verification in DSS, BLS, and in all other discrete-log based signature schemes, is orders of magnitude more c...

Citation Context

...t in particular protect the secrecy of the signature key as long as no more than t of the group members are corrupt. A proactive signature scheme [10], based on techniques of proactive secret sharing =-=[20, 11]-=-, is a threshold signature scheme which remains secure and robust even if in every time period, called “share update interval”, a possibly different set of t group members is corrupted. This is achiev...

Citation Context

...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti...

Citation Context

...o achieve t-security, a threshold signature scheme must in particular protect the secrecy of the signature key as long as no more than t of the group members are corrupt. A proactive signature scheme =-=[10]-=-, based on techniques of proactive secret sharing [20, 11], is a threshold signature scheme which remains secure and robust even if in every time period, called “share update interval”, a possibly dif...

Citation Context

...y Secure RSA Proactive Signature Schemes. Unfortunately, the most efficient currently known provably secure proactive RSA signature schemes, two schemes by Frankel et al. [7, 8] and a scheme by Rabin =-=[21]-=-, are not easily applicable to securing access control in ad hoc mobile groups by the methods described above. The fundamental reason is that the arithmetic operations involved in the RSA signatures s...

Citation Context

...ved, for example if the scheme is amended by specialpurpose zero-knowledge proof protocols for proving equality of discrete logarithms in two different groups, e.g. the proofs of Camenish and Michels =-=[5]-=-. Such proof protocols are not very fast, but their expense can be tolerated because they would need to be executed only in the (rare) case of a corrupted member providing an incorrect partial signatu...

Citation Context

...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti...

Citation Context

... search by making a simple observation about half of the MSBs of d for small e values, and by utilizing several known results regarding the security of the RSA cryptosystem under partial key exposure =-=[3, 1]-=-. Below we explain the speed up for small e’s, and we list the other applicable results and explain how they speed up our search algorithm. The graph in Figure (1) summarizes this discussion by showin...

Citation Context

... with Currently Known Provably Secure RSA Proactive Signature Schemes. Unfortunately, the most efficient currently known provably secure proactive RSA signature schemes, two schemes by Frankel et al. =-=[7, 8]-=- and a scheme by Rabin [21], are not easily applicable to securing access control in ad hoc mobile groups by the methods described above. The fundamental reason is that the arithmetic operations invol...

Citation Context

... with Currently Known Provably Secure RSA Proactive Signature Schemes. Unfortunately, the most efficient currently known provably secure proactive RSA signature schemes, two schemes by Frankel et al. =-=[7, 8]-=- and a scheme by Rabin [21], are not easily applicable to securing access control in ad hoc mobile groups by the methods described above. The fundamental reason is that the arithmetic operations invol...

Citation Context

...nstruct the RSA signature m d (mod N) from t + 1 signature shares produced individually by the t+1 members participating in the signing protocol. The first problem with this scheme was pointed out in =-=[19]-=-. Namely, contrary to what the authors of the proposal claimed, their scheme does not provide robustness in signature generation in the presence of t malicious members. Simply speaking, the robustness...

Citation Context

... search by making a simple observation about half of the MSBs of d for small e values, and by utilizing several known results regarding the security of the RSA cryptosystem under partial key exposure =-=[3, 1]-=-. Below we explain the speed up for small e’s, and we list the other applicable results and explain how they speed up our search algorithm. The graph in Figure (1) summarizes this discussion by showin...

Citation Context

...ttack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol ABSTRACT Stanisław Jarecki, Nitesh Saxena, and Jeong Hyun Yi Recently, Luo, et al. in a series of papers =-=[17, 14, 13, 18, 15]-=- proposed a set of protocols for providing ubiquitous and robust access control [URSA] in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on the new proacti...

Citation Context

... of Luo, et al. (see below), Saxena et al. [22] implemented such access control protocol for ad hoc networks using the proactive DSS signature scheme of Gennaro et al. [9]. Recently, the same authors =-=[23]-=- examined the performance of a more efficient access control protocol based on the proactive BLS signature scheme [4] of Boldyreva [2], which relies on elliptic curve cryptography. However, the common...

Citation Context

...ted Work. Recently, two authors of this paper examined a related question of whether the URSA proactive RSA signature scheme can be fixed, and at what cost, to make a provably secure signature scheme =-=[12]-=-. It turns out that if polynomial secret-sharing in the URSA scheme is replaced with additive sharing in the first layer (with a second layer of polynomial sharing, as in the provably secure RSA schem...

Citation Context

...egree, by controlling the shares of f(z) held by the corrupted players. In provably-secure proactive schemes that employ this proactive share update protocol, like the proactive DSS or BLS signatures =-=[9, 2]-=-, this adversarial ability does not pose any harm. However, as we will see in section 4, this control ability means trouble for the URSA proactive RSA scheme since the information about shared secret ...

Citation Context

... corrupted players. It is therefore important for the practical feasibility of the attack how this Ω group is decided. From the initial reply of the URSA authors to the attack presented in this paper =-=[16]-=-, it appears that the details of how the Ω group is decided are not set in stone in the design of the URSA scheme. This is not surprising since the idea of modifying the Herzberg et al. protocol by de...