## A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks (1995)

Citations: | 953 - 41 self |

### Citations

3818 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ...le this can be enforced by having each message contain a reasonably long checksum.) In this case this specific attack is not likely to result in a successful existential forgery. Rivest-Shamir-Adleman [RSA78]: The RSA scheme is selectively forgeable using a directed chosen-message attack, since RSA is multiplicative: the signature of a product is the product of the signatures. (This can be handled in pract... |

1506 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context ...also by Pollard). An even more recent version [OSS84b] based on polynomial equations was similarly broken by Estes, Adleman, Kompella, McCurley and Miller [EAKMM85] for quadratic number fields. El Gamal [EG84]: This scheme, based on the difficulty of computing discrete logarithms, is existentially forgeable with a generic message attack and selectively forgeable using a directed chosen-message attack. Okamoto... |

1373 | Probabilistic Encryption - Goldwasser, Micali - 1984 |

1234 | The knowledge complexity of interactive proof systems - Goldwasser, Micali, et al. - 1989 |

1091 |
Identity-based cryptosystems and signature schemes
- Shamir
- 1985
Citation Context ... is totally breakable with a directed chosen-message attack. Lieberherr [Li81]: This scheme is similar to Rabin's and Williams', and is totally breakable with a directed chosen-message attack. Shamir [Sh78]: This knapsack-type signature scheme has recently been shown by Tulpan [Tu84] to be universally forgeable with a key-only attack for any practical values of the security parameter. Goldwasser-Micali-... |

744 |
How to Construct Random Functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context ...ed in time O(b k^3), or in O(k^3) amortized time. 10.3 "Memoryless" Version of the Proposed Signature Scheme The concept of a random function was introduced by Goldreich, Goldwasser and Micali in [GGM84]. Let I_k denote the set of k-bit integers. Let W_k denote the set of all functions from I_k to I_k, and let F_k ⊆ W_k be a set of functions from I_k to I_k. We say that F = ∪_k F_k is a poly-random... |

600 | Cryptography and Data Security - Denning - 1982 |

583 | A fair protocol for signing contracts
- Ben-Or, Goldreich, et al.
- 1990
Citation Context ...dealt with here; the most notable being the "contract signing problem" where two parties wish to exchange their signatures to an agreed-upon contract simultaneously (for example, see [Bl83], [EGL82], [BGMR85]). 2.1.1 A Classical Example: Trap-Door Signatures To create a signature scheme, Diffie and Hellman proposed that A use a "trap-door function" f: informally, a function for which it is easy to evaluate ... |

291 |
New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...5. MIT Laboratory for Computer Science, Cambridge, Mass. 02139 1 1. INTRODUCTION. The idea of a "digital signature" first appeared in Diffie and Hellman's seminal paper, "New Directions in Cryptography" [DH76]. They propose that each user A publish a "public key" (used for validating signatures), while keeping secret a "secret key" (used for producing signatures). In their scheme user A's signature for a m... |

231 |
Probabilistic algorithm for testing primality
- Rabin
- 1980
Citation Context ...congruent to 3 (mod 8) (similarly for those congruent to 7 (mod 8)). (In practice, one would use a faster probabilistic primality test such as the one proposed by Solovay and Strassen [SS77] or Rabin [Ra80].) Let n ∈ H and (d, f_{0,n}, f^{-1}_{0,n}, f_{1,n}, f^{-1}_{1,n}) ∈ [G(1^k)]. First, f_{0,n} and f_{1,n} are permutations of D_n = [d()]. Then, we need only show that if there exists a fast algorithm that finds x an... |

179 | Hiding information and signatures in trapdoor knapsacks
- Merkle, Member, et al.
- 1978
Citation Context ...chosen-message attack, since RSA is multiplicative: the signature of a product is the product of the signatures. (This can be handled in practice as above using a sparse message space.) Merkle-Hellman [MH78]: Shamir showed the basic Merkle-Hellman "knapsack" scheme to be universally forgeable using just a key-only attack [Sh82]. (This scheme was perhaps more an encryption scheme than a signature scheme, ... |

158 |
A Fast Monte-Carlo Test for Primality
- Solovay, Strassen
- 1977
Citation Context ...f these will be congruent to 3 (mod 8) (similarly for those congruent to 7 (mod 8)). (In practice, one would use a faster probabilistic primality test such as the one proposed by Solovay and Strassen [SS77] or Rabin [Ra80].) Let n ∈ H and (d, f_{0,n}, f^{-1}_{0,n}, f_{1,n}, f^{-1}_{1,n}) ∈ [G(1^k)]. First, f_{0,n} and f_{1,n} are permutations of D_n = [d()]. Then, we need only show that if there exists a fast algorit... |

138 | Constructing Digital Signatures from a One-Way Function - Lamport - 1979 |

135 | A logarithmic time sort for linear size networks - Reif, Valiant - 1987 |

124 | Chameleon signatures - Krawczyk, Rabin - 2000 |

115 |
Coin flipping by telephone
- Blum
- 1982
Citation Context ...lgorithms seems to be to choose k to be large enough and then to choose n randomly from H_k. These numbers were used in [Wi80] and their wide applicability to cryptography was demonstrated by Blum in [Bl82] – hence they are commonly referred to as "Blum integers". Let Q_n denote the set of quadratic residues (mod n). We note that for n ∈ H: −1 has Jacobi symbol +1 but is not in Q_n. 2 has Jacobi symbol −1... |

88 | public key systems - Secrecy - 1979 |

86 | Almost All Primes Can Be Quickly Certified
- Goldwasser, Kilian
- 1986
Citation Context ...(these algorithms make use of Proof: We first note that uniformly selecting k-bit guaranteed primes can be accomplished in expected polynomial (in k) time, by the recent work of Goldwasser and Kilian [GK86], and that asymptotically one-quarter of these will be congruent to 3 (mod 8) (similarly for those congruent to 7 (mod 8)). (In practice, one would use a faster probabilistic primality test such as th... |

80 |
How to exchange (secret) keys
- Blum
- 1983
Citation Context ...ms which are not dealt with here; the most notable being the "contract signing problem" where two parties wish to exchange their signatures to an agreed-upon contract simultaneously (for example, see [Bl83], [EGL82], [BGMR85]). 2.1.1 A Classical Example: Trap-Door Signatures To create a signature scheme, Diffie and Hellman proposed that A use a "trap-door function" f: informally, a function for which it i... |

70 |
A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem
- Shamir
- 1982
Citation Context ...be handled in practice as above using a sparse message space.) Merkle-Hellman [MH78]: Shamir showed the basic Merkle-Hellman "knapsack" scheme to be universally forgeable using just a key-only attack [Sh82]. (This scheme was perhaps more an encryption scheme than a signature scheme, but had been proposed for use as a signature scheme as well.) Rabin [Ra79]: Rabin's signature scheme is totally breakable ... |

63 | Transitive signature schemes
- Micali, Rivest
- 2002
Citation Context ...al problems arise if digital signatures are implemented using trap-door functions as suggested by Diffie and Hellman [DH76]; these problems have been addressed and solved in part elsewhere. For example, [GMY83] showed how to handle arbitrary or sparse messages sets and how to ensure that if an enemy sees previous signatures (for messages that he has not chosen) it does not help him to forge new signatures (... |

38 | A Paradoxical Solution to the Signature Problem - Goldwasser, Micali, et al. - 1984 |

26 | Cryptography: A New Dimension in Data Security - Meyer, Matyas - 1982 |

24 |
Digitalized Signatures as Intractable as Factorization
- Rabin
- 1979
Citation Context ...versally forgeable using just a key-only attack [Sh82]. (This scheme was perhaps more an encryption scheme than a signature scheme, but had been proposed for use as a signature scheme as well.) Rabin [Ra79]: Rabin's signature scheme is totally breakable if the enemy uses a directed chosen-message attack (see section 4). However, for non-sparse message spaces selective forgery is as hard as factoring if ... |

20 | Cryptology: A New Dimension - Meyer, Matyas - 1982 |

16 |
An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi
- Brickell, DeLaurentis
- 1986
Citation Context ...sage attack. Okamoto-Shiraishi [OS85]: This scheme, based on the difficulty of solving quadratic inequalities modulo a composite modulus, was shown to be universally forgeable by Brickell and DeLaurentis [BD85]. 4. THE PARADOX OF PROVING SIGNATURE SCHEMES SECURE The paradoxical nature of signature schemes which are provably secure against chosen-message attacks made its first appearance in Rabin's paper, "Dig... |

12 | Blind signatures for untraceable payments, Advances in Cryptology - Crypto '82 - CHAUM - 1983 |

11 |
A fast signature scheme based on quadratic inequalities
- Okamoto, Shiraishi
- 1985
Citation Context ...eme, based on the difficulty of computing discrete logarithms, is existentially forgeable with a generic message attack and selectively forgeable using a directed chosen-message attack. Okamoto-Shiraishi [OS85]: This scheme, based on the difficulty of solving quadratic inequalities modulo a composite modulus, was shown to be universally forgeable by Brickell and DeLaurentis [BD85]. 4. THE PARADOX OF PROVING SI... |

10 |
Two remarks concerning the GMR signature scheme
- Goldreich
- 1986
Citation Context ...a k-bit message can be computed in time O(b k^4), or in O(k^4) amortized time. This particular instance of our scheme can be improved in a manner suggested in discussions with Oded Goldreich (see [Go86] – we appreciate his permission to quote these results here). The improvement relates to the computation of f^{-1}_⟨y⟩(x) (or g^{-1}_⟨y⟩(x)). We note first of all that taking square roots modulo n is equiva... |

10 |
An efficient signature scheme based on quadratic equations
- Ong, Schnorr, et al.
- 1984
Citation Context ...the existence of claw-free permutation pair generators). Several of the ideas and techniques presented in [GMY83], such as bit-by-bit authentication, are used in the present paper. Ong-Schnorr-Shamir [OSS84a]: Totally breaking this scheme using an adaptive chosen-message attack has been shown to be as hard as factoring. However, Pollard [Po84] has recently been able to show that the "OSS" signature scheme... |

7 |
How to exchange secrets
- Blum
- 1983
Citation Context ...ms which are not dealt with here; the most notable being the “contract signing problem” where two parties wish to exchange their signatures to an agreed-upon contract simultaneously (for example, see [Bl83], [EGL82], [BGMR85]). 2.1.1 A Classical Example: Trap-Door Signatures To create a signature scheme, Diffie and Hellman proposed that A use a “trap-door function” f: informally, a function for which it... |

7 |
A.: An efficient signature scheme based on quadratic equations
- Ong, Schnorr, et al.
- 1984
Citation Context ...the existence of claw-free permutation pair generators). Several of the ideas and techniques presented in [GMY83], such as bit-by-bit authentication, are used in the present paper. Ong-Schnorr-Shamir [OSS84a]: Totally breaking this scheme using an adaptive chosen-message attack has been shown to be as hard as factoring. However, Pollard [Po84] has recently been able to show that the “OSS” signature scheme... |

6 |
Breaking the Ong-Schnorr-Shamir Signature Schemes for Quadratic Number Fields
- Estes, Adleman, et al.
- 1986
Citation Context ...le in practice using just a key-only attack (also by Pollard). An even more recent version [OSS84b] based on polynomial equations was similarly broken by Estes, Adleman, Kompella, McCurley and Miller [EAKMM85] for quadratic number fields. El Gamal [EG84]: This scheme, based on the difficulty of computing discrete logarithms, is existentially forgeable with a generic message attack and selectively forgeable using... |

5 |
Almost all primes can be quickly certi
- Goldwasser, Kilian
- 1986
Citation Context ...lgorithms make use of p and q). Proof: We first note that uniformly selecting k-bit guaranteed primes can be accomplished in expected polynomial (in k) time, by the recent work of Goldwasser and Kilian [GK86], and that asymptotically one-quarter of these will be congruent to 3 (mod 8) (similarly for those congruent to 7 (mod 8)). (In practice, one would use a faster probabilistic primality test such as th... |

5 |
Efficient Signature Schemes Based on Polynomial Equations
- Ong, Schnorr, et al.
- 1984
Citation Context ...secret trap-door information. A more recent "cubic" version has recently been shown to be universally forgeable in practice using just a key-only attack (also by Pollard). An even more recent version [OSS84b] based on polynomial equations was similarly broken by Estes, Adleman, Kompella, McCurley and Miller [EAKMM85] for quadratic number fields. El Gamal [EG84]: This scheme, based on the difficulty of computing... |

4 |
A Fast Signature Scheme Based on Quadratic
- Okamoto, Shiraishi
- 1985
Citation Context ..., based on the difficulty of computing discrete logarithms, is existentially forgeable with a generic message attack and selectively forgeable using a directed chosen-message attack. Okamoto-Shiraishi [OS85]: This scheme, based on the difficulty of solving quadratic inequalities modulo a composite modulus, was shown to be universally forgeable by Brickell and DeLaurentis [BD85]. 4. THE PARADOX OF PROVING... |

4 | to swindle Rabin, Cryptologia 3 - Yuval, How - 1979 |

4 | Making the digital signature legal--and safeguarded - Lipton, Matyas - 1918 |

3 |
A Modification of the RSA Public-Key Cryptosystem
- Williams
Citation Context ... uses a directed chosen-message attack (see section 4). However, for non-sparse message spaces selective forgery is as hard as factoring if the enemy is restricted to a known message attack. Williams [Wi80]: This scheme is similar to Rabin's. The proof that selective forgery is as hard as factoring is slightly stronger, since here only a single instance of selective forgery guarantees factoring (Rabin n... |

2 | Digital Signatures -- An Overview Computer Networks Vol 3 - Matyas - 1979 |

2 |
A Fast Signature Scheme Based on
- Ong, Schnorr, et al.
- 1984
Citation Context ...secret trap-door information. A more recent “cubic” version has recently been shown to be universally forgeable in practice using just a key-only attack (also by Pollard). An even more recent version [OSS84b] based on polynomial equations was similarly broken by Estes, Adleman, Kompella, McCurley and Miller [EAKMM85] for quadratic number fields. El Gamal [EG84]: This scheme, based on the difficulty of comp... |

1 | Signatures and Untraceable Payments," Advance in Cryptography - Chaum - 1983 |

1 |
Uniform Complexity and Digital Signatures," Theoretical Computer Science 16,1
- Lieberherr
- 1981
Citation Context ...as we do) the properties of numbers which are the product of a prime p ≡ 3 (mod 8) and a prime q ≡ 7 (mod 8). Again, this scheme is totally breakable with a directed chosen-message attack. Lieberherr [Li81]: This scheme is similar to Rabin's and Williams', and is totally breakable with a directed chosen-message attack. Shamir [Sh78]: This knapsack-type signature scheme has recently been shown by Tulpan ... |

1 | Making the Digital Signature Legal – and Safeguarded - Lipton, Matyas - 1978 |

1 | Digital Signatures – An Overview - Matyas - 1979 |

1 | Public-Key Systems," Stanford Electrical Engineering - Merkle, Authentication |

1 |
How to Break The `OSS' Signature Scheme", Private Communication
- Pollard
- 1984
Citation Context ...ntication, are used in the present paper. Ong-Schnorr-Shamir [OSS84a]: Totally breaking this scheme using an adaptive chosen-message attack has been shown to be as hard as factoring. However, Pollard [Po84] has recently been able to show that the "OSS" signature scheme is universally forgeable in practice using just a key-only attack; he developed an algorithm to forge a signature for any given message ... |

1 |
Fast Cryptanalysis of a Fast Signature System
- Tulpan
- 1984
Citation Context ...: This scheme is similar to Rabin's and Williams', and is totally breakable with a directed chosen-message attack. Shamir [Sh78]: This knapsack-type signature scheme has recently been shown by Tulpan [Tu84] to be universally forgeable with a key-only attack for any practical values of the security parameter. Goldwasser-Micali-Yao [GMY83]: This paper presents for the first time signature schemes which are ... |

1 | How to Swindle Rabin," Cryptologia 3 - Yuval - 1979 |

1 |
Coin flipping by telephone, Proc
- BLUM
- 1982
Citation Context ... algorithms seems to be to choose k to be large enough and then to choose n randomly from H_k. These numbers were used in [Wi80] and their wide applicability to cryptography was demonstrated by Blum in [Bl82] – hence they are commonly referred to as “Blum integers”. Let Q_n denote the set of quadratic residues (mod n). We note that for n ∈ H: −1 has Jacobi symbol +1 but is not in Q_n. 2 has Jacobi symbol −1... |

1 |
Uniform Complexity and Digital Signatures,” Theoretical Computer Science 16,1
- Lieberherr
- 1981
Citation Context ...as we do) the properties of numbers which are the product of a prime p ≡ 3 (mod 8) and a prime q ≡ 7 (mod 8). Again, this scheme is totally breakable with a directed chosen-message attack. Lieberherr [Li81]: This scheme is similar to Rabin’s and Williams’, and is totally breakable with a directed chosen-message attack. Shamir [Sh78]: This knapsack-type signature scheme has recently been shown by Tulpan ... |

1 |
How to Break The
- Pollard
- 1984
Citation Context ...ntication, are used in the present paper. Ong-Schnorr-Shamir [OSS84a]: Totally breaking this scheme using an adaptive chosen-message attack has been shown to be as hard as factoring. However, Pollard [Po84] has recently been able to show that the “OSS” signature scheme is universally forgeable in practice using just a key-only attack; he developed an algorithm to forge a signature for any given message ... |

1 | to exchange (secret) keys - How - 1983 |

1 | Two remarks concerning the GMR signature scheme - GOLDREICH - 1986 |

1 | Uniform complexity and digital signatures, Theoret - LEBERHERR - 1981 |

1 | Digital signatures--an overview - MATYAS - 1979 |

1 | How to break the "OSS" signature scheme, private communication, 1984 - POLLARD - 1978 |

1 | A logarithmic time sort for linear size networks - REIF, VALIANT - 1983 |

1 | A fast Monte-Carlo test for primality, this Journal, 6 Y. TULPAN, Fast cryptoanalysis of a fast signature system - STRASSEN - 1984 |