] ±ESIGN ¼Ê²!mÖ} Ö¾ bï.0 z mš } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP ÍY 5Õ Ì.0Ÿa ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!mÖÊI z ƒ y $-!mö" name="description"> ] ±ESIGN ¼Ê²!mÖ} Ö¾ bï.0 z mš } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP ÍY 5Õ Ì.0Ÿa ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!mÖÊI z ƒ y $-!mö"> ] ±ESIGN ¼Ê². } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP. ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!">

C\s WSf¼Ê Kå ó6'"ü5c "üf> ] ±ESIGN ¼Ê². } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP. ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!

Size: px
Start display at page:

Download "C\s WSf¼Ê Kå ó6'"ü5c "üf> ] ±ESIGN ¼Ê². } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP. ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!"
] ±ESIGN ¼Ê². } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP. ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!.pdf" class="btn bg-purple-seance" href="#" target="_blank" style="margin-top: 10px; display: none;"> Download Document

Transcription

1 1 B=>? ESIGN 5789:46 C\s WSf¼Ê Kå ó6'"ü5c "üf> ] ±ESIGN ¼Ê²!mÖ} Ö¾ bï.0 z mš } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP ÍY 5Õ Ì.0Ÿa ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!mÖÊI z ƒ y $-!mö Ö¾.0 z ˆ mš 2 ; < 2.1 Ž Š Ÿ WSf¼Ê 2 'E!mÖ ¾ å ö! Ÿ / 2¾ y {!mö ã Feige, Fiat, Shmair Q ŠŸ 2Ÿ, å y [8] $- ˆ ã Q Ÿ 2.1 ¼Ê5c (A; B) A: ÊIfª B: $Êf }z ª'Ú hã G ª A ó6' x )F' w z Ú ª x $Êf éw «ƒƒ ª' C: G k WNQ «(A; B) $- Ñ# Ds!m y z{ 1. (A(w);B)(x) ª ëåp > 1 0 (k) B in 2. $- { ö!f Adv ªu3 z ö!f Adv $Êf (A(w); Adv)(x) wúc5õeù ªˆ ðªêif B z ¼ÊZfQAd (Adv; B)(x) eù ƒ ª (Adv; B)(x) }z B in p G[ z > (k) Ì p ª G, Adv, B VÕ ã 2.2 ESIGN Ž Š ESIGN¼Ê { P9EKdÆH WS ŠWSf¼Ê Ïý ` ãn q ƒ ãn ÊI ã œbi y 1

2 Ÿ 2.2 ESIGNÆHæ,åk~2Çö! z u3å q/2 y ES- IGN ¼Ê Ì ã 'E ¾ å ö! Ÿ /2¾ z{'e!mö y $Ì ãn ESIGNÆH!mÖ Ñ# ` ƒ í Ÿ 2.3 ESIGN ¼Ê e Í1]/ã 2.4 i ã a Ù z z{ñ#- bgl]=b?d_pd }z ¾ å ö! Ÿ /2¾ z{'e!mö y $- ESIGN¼Ê!mÖ 1 ESIGNÆH!mÖ z mš 2.3 ESIGN ª Š!mÖ z ESIGNÆH RSA/ã ]Á y eí1]/ã (AERP) bgl]=b?d_pd - 2 'E!m æ,åk~2çö! z u3å q/2 y ƒ ÊI (!mö z ` i Ÿ{È Ë mš ƒ!mö z ESIGN ÆH v {-å!mö ÊI zš5c RSA Ž ÆH5c v PSS FDH-RSA, } x*j Ž ÆH5c v EC-Schnorr ( Š- a - 1:!mÖ ( 5c!mÖ ØÕxå bgl]õ 2 'E /ã /ã ESIGN!mÖÊI AERP Ó bgl] PSS or FDH-RSA!mÖÊI RSA Ó bgl] EC-Schnorr!mÖÊI x*oxzõ Ó bgl] 2.4 ESIGN ªŠ ƒ i ESIGN ÆH nxå!mö.0 a } nxå ÊI ù Œ Šx2 [9] C\s 2ð ç0 } ƒ x2 C\s ESIGNÆH TSH- ESIGN É z ƒ ß' 2

3 Ÿ 2.4 G ESIGN 'Ú e Í1]L} (AERP) pk := fn; eg Gen(1 k ) y R f0; 1g k01 Q Š 0jjy =[x e mod n] k { x 2 (Z=nZ)npZ & L} y { påwúc_8dbcg] Adv z Ÿ m ãõ c, j1 Ü k z Pr[Adv(k; n; e; y)! x] < 1=k c q e Í1]L}» z z{ ƒƒ 0jjy =[x e mod n] k y p G Adv pì g z e Í1]L}» z z{/ã e Í1]/ã î Ÿ 2.5 ESIGN ÆH e Í1]/ãÙ z z{ñ#- bgl]=b?d_ Pd }z æ,åk~2çö! z u3å q/2 y ± 1: e Í1]/ã z ºb CÆHÕ "üzc\o9y y C ESIGN ÆHÕ 15 ½l À- Š [14, 13] ˆ $U ƒ C ESIGN ÆHÕ Cå!mÖ (5õÖ y e Í1]/ã z R %ù Š Õ `Õ e 4 $Ì Ïý z ì3 Nô ö! À& } [5, 6, 10, 18] ä#f n)õ14$7 Nô ö!6gz Oo z ± 2: n = p 2 q n)õ14 0»Ö z n = p 2 q n)õ14 n = pq ŸÛ~ {~ z 1~Œ z n = p 2 q ¹. Šz ~ 8dBcG ]% z [15, 16, 17, 1] ~ ƒ 8dBcG] z Ÿn)Õ14 x*j6 8dBcG] y (5 n = pq n = p 2 q z }z Ÿ2 ût n)õ148dbcg]õy z6 y ƒ 8dBcG] eù_ n C:G &u n)õ C:G &u z $Ì ì_è n = p 2 q C:G n = pq C:G!mÖ Ÿ Ÿ ø 3 < 3.1 ÆÑÅ µ Óœ Œ Ò ÈÏ ½: Hd[ F š : Verilog-XL ³ DesignCompiler 3

4 ÎÀÑ½Ò : M 25.6KG(µ2NAND JhY) ³^_c (13312bit) [bgl]fen?³í Y Õ³1Y] ³ [^_c (13312bit)] ž Œ:?fN? 30MHz +Ytê (D\`e Dag rã) ÊI ÆH 9.8 ms $Ê 2.5 ms Š 'C:G 1152 bit 3.2 ÀÇÄ µ Óœ Œ ŒÈÍÂÄÉÑÊ: CPU: Pentium with MMX 266MHz OS: Trubo Linux version 4.0 ÔØÙ: íñ (gcc version ) w âøõ+yb:ybc gnu mp (gmp version 3.0.1) ZS ËÌÎÒ (»ÑÅ ): ËÌÎÒ (ÐѺ¹Îµ): ÊI ÆH Kbytes $Ê Kbytes ž : ÊI ÆH 512 Kbytes $Ê 476 Kbytes ÊI ÆH 18.0 ms $Ê 2.44 ms 4

5 Š 'C:G 1152 bit ÃÑÁ¼ ¾: n C:G 1152 bits e Ü 1024 hlen glen 32â ó6'x7:dc:g )F'X7:dC:G ÆH2X7:dC:G 160 bits 160 bits 128 bits 329 bytes 206 bytes 290 bytes Ú «: AgV:d_ 2æ. gcc -O3 SzŠ C.0 (call-6) ç0 ŠŸ eù Š"3 y mod n mod p 2 +Y }z ÞþÔ ÎPãn WS ût +Y ƒ ku ÿ5.0 ƒ ût.56 Sz z z ŠŒ M` g ù C.0 ût ep2¾ y 4 ÛA݃ Þ Ü ESIGN¼Ê ¹á ˆ ûôp y IfÝdÊI¼Ê5c Fiat-Shamir ¼Ê ÖòÒ¼Ê5c x* Schnorr ¼Ê Ÿôptz ` ESIGN ôpö v {-å 5c Fiat-Shamir ¼Ê x* Schnorr ¼Ê ( ˆ 5c z 1152 WNQÕ ÎPÍY+T 5Õ.0 ƒ Œ 'Ú $Ê +T Änu &hÿœš ƒ ( }z 9 à U:Sc6 ÞþÔÎPãn,Âl ž ør.0 ù ŒŠ Vb^ K ESIGN Fiat-Shamir ¼Ê5c 6 n 1152 WNQ x* Schnorr 5c %Õ 160 WNQ /ã Š Š, ESIGN e =2 5 Fiat-Shamir ò Ò5Õ!m Õ 30 5 /ã Š } $- - #M(1152) 1152 bits 6 - ÎPÍY 5Õ 'E 8Änu #M(1152) Y ŠÜ a z 5

6 - 2: Änu ( 5c ÊIÄn $ÊÄn #M(1152) #M(1152) òò5õ (5) ESIGN x* Schnorr Fiat-Shamir ²ßˆà [1] Adleman, L.M. and McCurley, K.S.: Open Problems in Number Theoretic Complexity,II (open problems: C7, O7a and O7b), Proc. of ANTS-I, LNCS 877, Springer-Verlag, pp (1995). [2] Bellare, M. and Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Ecient Protocols, Proc. of the First ACM Conference on Computer and Communications Security, pp.62{73 (1993). [3] Bellare, M. and Rogaway, P. : Optimal Asymmetric Encryption, Proc. of Eurocrypt'94, LNCS 950, Springer-Verlag pp (1995). [4] Bellare, M. and Rogaway, P.: The Exact Security of Digital Signatures { How to Sign with RSA and Rabin, Proc. of Eurocrypt'96, LNCS 1070, Springer-Verlag, pp (1996). [5] Brickell, E. and DeLaurentis, J.: An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi, Proc. of Crypto'85, LNCS 218, Springer-Verlag, pp (1986). [6] Brickell, E. and Odlyzko: Cryptanalysis: A Survey of Recent Results, Chap.10, Contemporary Cryptology, Simmons (Ed.), IEEE Press, pp.501{540 (1991). [7] Canetti, R., Goldreich, O. and Halevi, S.: The Random Oracle Methodology, Revisited, Proc. of STOC, ACM Press, pp.209{218 (1998). 6

7 [8] Feige, U., Fiat, A. and Shamir, A.: Zero-Knowledge Proofs of Identity, Journal of Cryptology, 1, 2, pp (1988) [9] Fujisaki, E. and Okamoto, T.: Security of Ecient Digital Signature Scheme TSH-ESIGN, manuscript (1998 November). [10] Girault, M., Ton, P. and Vallee, B.: Computation of Approximate L-th Roots Modulo n and Application to Cryptography, Proc. of Crypto'88, LNCS 403, Springer-Verlag, pp (1990). [11] S. Goldwasser, S. Micali and R. Rivest, \A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks," SIAM J. on Computing, 17, pp.281{ 308, [12] IEEE P1363 Draft, (1999). [13] Okamoto, T.: A Fast Signature Scheme Based on Congruential Polynomial Operations, IEEE Trans. on Inform. Theory, IT-36, 1, pp (1990). [14] Okamoto, T. and Shiraishi, A.: A Fast Signature Scheme Based on Quadratic Inequalities, Proc. of the ACM Symposium on Security and Privacy, ACM Press (1985). [15] Peralta, R.: Bleichenbacher's improvement for factoring numbers of the form N = PQ 2 (private communication) (1997). [16] Peralta, R. and Okamoto, E.: Faster Factoring of Integers of a Special Form, IEICE Trans. Fundamentals, E79-A, 4, pp (1996). [17] Pollard, J.L.: Manuscript (1997). [18] Vallee, B., Girault, M. and Ton, P.: How to Guess L-th Roots Modulo n by Reducing Lattice Bases, Proc. of Conference of ISSAC-88 and AAECC-6 (1988). 7

8 Appendix Security of Ecient Digital Signature Scheme TSH-ESIGN Eiichiro Fujisaki Tatsuaki Okamoto 1 Introduction In this manuscript, we will prove the security of the ecient digital signature scheme TSH-ESIGN. 2 Denitions Denition 2.1 Let A be aprobabilistic algorithm and let A(x 1 ;:::;x n ; r) be the result of A on input (x 1 ;:::;x n ) and coins r. We dene by y A(x 1 ;:::;x n ) the experiment of picking r at random and letting y be A(x 1 ;:::;x n ; r). IfS is a nite set, let y be the operation of picking y at random and uniformly from nite set S. " denotes the null symbol and, for list, " denote the operation of letting list be empty. Moreover, jj denotes the concatenation operator, j1jdenotes the size of bit length, i.e., jyj := blog 2 yc +1. For n-bit string x, [x] k and [x] k denote the most and least signicant k bits of x, respectively (k n). Denition 2.2 [Random Oracle Model] We dene by the set of all maps from the set f0; 1g 3 of nite strings to the set f0; 1g 1 of innite strings. Let H be a map from a set of an appropriate nite length (say : f0; 1g a )toasetofanappropriate nite length (say f0; 1g b ). H means that map H is chosen from at random and uniformly, with restricting the domain to f0; 1g a and the range to the rst b bits of output. Denition 2.3 [Digital Signature Scheme] A digital signature scheme is dened by a triple of algorithms (Gen; Sig; V er) such that Key generation algorithm Gen is a probabilistic polynomial-time algorithm which on input 1 k (k 2 N) outputs a pair (pk; sk), called public key and secret key. R S 8

9 Signing algorithm Sig is a probabilistic polynomial-time algorithm which on input sk Gen(1 k ) and a message m 2f0; 1g 3 produces a string, s 2f0; 1g 3,called the signatureofm. Verication algorithm Veris a probabilistic polynomial-time algorithm which on input pk Gen(1 k ) and a pair of a message and a signature, (m; s) returns 0 (i.e. invalid) or 1 (i.e. valid) to indicate whether or not the signature is valid. Here we insist that, for any (m; s) where s Sig sk (m), werequire Ver pk (m; s) = 1, otherwise Ver pk (m; s) =0with overwhelming probability. Denition 2.4 [Forging Algorithm F ] Let 5:=(Gen; Sig; V er) be a digital signature scheme. Let A be an algorithm which on input pk obtained by running the generator, Gen, hasaccess to random hash function H and signing oracle Sig sk and eventually outputs some string. We say that adversary A is a (t; q h ;q s ;(k))-forger for 5(1 k ) if AdvF 5 (k) := Pr[H ; (pk; sk) Gen(1k ):F H;Sig sk (pk)! (m; s)] (k); where Ver pk (m; s) =1and m is not included in the list of queries that F asks to Sig sk (1), and, moreover, F completes within running time t, asking at most q h queries to H(1) and at most q s queries to Sig sk (1). 3 TSH-ESIGN: ESIGN with Trisection Size Hash This section introduces the digital signature scheme TSH-ESIGN. 3.1 Trisection Size Hash function h Although it is necessary that the hash function used in our proposed signature scheme be ideal (or random oracle) to prove the security of the signature scheme, an arbitrary hash function (e.g., MD5 and SHA-1) is available for practical use. When the signature scheme is dened over Z=nZ, where jnj = 3k, the underlying hash function h(1) isdenedash : f0; 1g 3!f0; 1g k01. (That is, the size of the image of hash h is around one third of the size of jnj.) 9

10 3.2 Key Generation algorithm Gen Key generation algorithm Gen outputs, given security parameter 1 k (k 2 N), (pk; sk) where pk = fn; eg and sk = fn; e; p; qg. The parameters, n; e; p and q, satisfy the following conditions: p; q (p 6= q) are prime numbers with k-bit length, i.e., k = jpj = jqj. n := p 2 q with 3k-bit length and e> Signature Generation Sig sk (m) The signature s of message m is computed by the signature algorithm Sig sk (1) as follows: Step 1 Pick r at random and uniformly from (Z=pqZ)npZ := fr 2 Z=pqZj gcd(r; p) =1g. Step 2 Set z (0jjh(m)jj0 2k ) and (z 0 r e )modn. Step 3 Set (w 0 ;w 1 )such that If w 1 2 2k01, then go back to Step 1. w Step 4 Set t 0 er mod p, ands (r + tpq) modn. e01 Step 5 Output s. w 0 = d e; pq (1) w 1 = w 0 1 pq 0 : (2) 3.4 Signature Verication Ver pk (m; s) For a pair of message m and signature s, the verication algorithm Ver pk (m; s) outputs valid (or1)if [s e mod n] k+1 == 0jjh(m)jj0; (3) otherwise invalid (or 0). Here we dene by Ver(h(m);pk) the set of valid signatures, namely, given (h(m);pk), signatures that satisfy Equation (3). 10

11 Remark: In practice, the verication equation can be replaced by [s e mod n] k == 0jjh(m): (4) The formal proof in the next section still works with minor modication of the approximate e-th root assumption. 4 Security In this section, we examine the security of TSH-ESIGN. We rst introduce a problem that is considered to be dicult to solve and then prove that breaking our scheme is as dicult as solving this problem. We call the underlying problem the approximate e-th root problem (AERP). Roughly speaking, AERP is the problem, for given (y; e), of nding x such that x e mod n is approximately equivalent toy, i.e., x e mod n y. Now let us dene the approximate e-th root problem (AERP) and the breaking algorithm. Denition 4.1 [Approximate e-th root problem (AERP)] Let Gen be the generator of the TSH-ESIGN algorithm. Approximate e-th root problem (AERP) is, for given pk := fn; eg 0jjyjj0 ==[x e mod n] k+1. Gen(1 k ) and y R f0; 1g k01, to nd x 2 (Z=nZ)npZ such that Denition 4.2 [AERP-Breaker B] We say that adversary B is a (t; (k))-aerpbreaker if Adv AERP B (k) := Pr[(pk; sk) Gen(1 k ); y R f0; 1g k01 : B(pk; y)! x] (k); where 0jjyjj0 ==[x e mod n] k and B completes within running time t. The following theorem is the main result of this manuscript. This theorem implies that breaking AERP is as dicult as forging TSH-ESIGN (existentially forging under adaptive chosen message attacks). 11

12 Theorem 4.3 If there exists a (t(k);q h (k);q s (k);(k))-forger F for TSH-ESIGN, then there exists a (t 0 (k); 0 (k))-aerp-breaker B such that Proof: t 0 (k) = t(k)+4(q h + q s ) 1 (k 3 ); and 0 (k) = (1=q h ) 1 (k): Let 5 := (Gen; Sig; V er) be a triple of the TSH-ESIGN algorithm and F be a (t; q h ;q s ;)-forging algorithm for TSH-ESIGN. We will present an AERP-Breaker B that includes F as an oracle. The aim of B is, given y, to nd an approximate root x such that 0jjyjj0 ==[x e mod n] k+1. Recall that the advantage of ESIGN-breaker B is dened by Adv AERP B (k) :=Pr[(pk; sk) Gen(1 k ); y R f0; 1g k01 : B(pk; y)! x]: Likewise recall that the advantage of forger F for TSH-ESIGN is dened by Adv 5 F (k) :=Pr[H ; (pk; sk) Gen(1k ):F H;Sig sk (pk)! (m; s); where s 2 Ver(H(m);pk)]; where Ver(H(m);pk) is dened as above in Sec.3.4 and m is not included in the list of queries that F asks to Sig sk (1). Since forging algorithm F will make two kinds of queries, hash oracle queries and signing oracle queries, B must answer these queries by itself. Below we describe the specication of AERP-breaker B: AERP-Breaker: B(pk; y) set " (empty) and x " (null); set l R f1;:::;q h g, i 0 and j 0; run F(pk); do while F does not ask query Q to H(1) nor ask to Sig sk (1) if F asks query Q to H(1) i ++;j + +; (increment i; j); if j == l else if Q 62 set Q l Q; put (Q l ;";y) in the list and answer F with y; set Q i Q; 12

13 if Q i = Q l abort F and break; do while 0jj 3 jj0 ==[x e i mod n]k+1, x i R (Z=nZ)npZ; set (0jjy i jj0) [x e i mod n]k+1 ; put (Q i ;x i ;y i ) in the list and answer F with y i ; else (Q 2 ) answer F with the corresponding y 0 2 ; else if F asks query Q to Sig sk (1) i + + (increment i); else if Q 62 set Q i Q; End. do while 0jj 3 jj0 ==[x e i x i R (Z=nZ)npZ; mod n]k+1 set (0jjy i jj0) [x e i mod n]k+1 ; put (Q i ;x i ;y i ) in the list and answer F with x i ; else (Q 2 ) answer F with the corresponding x 0 2 ; if F outputs (Q l ;x l ) set x x l ; return x Here '3' denotes an (k 01)-bit arbitrary string and denotes a list that records queries of F and the corresponding signatures and hash values that B makes. B starts with list empty and then records (Q i ;x i ;y i )in by following the specication until aborting F or F ends asking queries. Hereafter we explain the strategy of this specication, which is similar to that of FDH-RSA as presented by Bellare and Rogawayin[4]. First B picks up l uniformly from f1;:::;q H g. B sets counters, i; j, asi 0and j 0. Counter i is utilized for counting the total number of the queries that F asks to random oracle H and signing oracle Sig, while counter j is utilized for counting the number of F 's asking to H. 13

14 If F asks query Q to random oracle H(1), B increases i; j and then works as follows: { If the query is the l-th one, B sets Q l Q, puts (Q l ;";y) in list, and answers F with y, where y is the instance input to B, { Else if the query has not been recorded in list, B sets Q i Q, and then after executing Experiment I= [repeatedly picks up x i from (Z=nZ)npZ until 0jj 3 jj0 ==[x e i mod n]k+1, where '3' denotes an (k 0 1)-bit arbitrary string], makes an entry of (Q i ;x i ;y i )in and answers F with y i as the hash value of Q, where y i is dened by 0jjy i jj0 [x e i mod n]k+1. { Otherwise (i.e., Q is already in list ), B answers F with the corresponding y 0 2. Similarly, iff asks query Q to signing oracle Sig sk (1), B increases i and then works as follows: { If Q i = Q l, B aborts F and outputs " (This means B failed to solve AERP), { Else if Q 62, B sets Q i Q, and then after executing Experiment I makes an entry of (Q i ;x i ;y i )in and answers F with x i as the signing value of Q, where y i is dened by 0jjy i jj0 [x e i mod n]k+1. { Otherwise (i.e., Q is already in list ), B answers F with the corresponding x 0 2. Here we state that the distribution of (x i ;y i ) from Experiment I is identical to that of (s; H(m)) of signing algorithm Sig sk (1) in the random oracle model. To prove this, we state the following two lemmas. To prove Lemma 4.5 is sucient to prove this statement. Lemma 4.4 For given h(m) 2f0; 1g k01 and pk holds: Gen(1 k ), the following equation #Ver(h(m);pk)=#fr 2 (Z=pqZ)npZj0 (0 mod pq)+pq < 2 2k01 g; (5) where := ((0jjh(m)jj0 2k ) 0 r e )modn. 14

15 Sketch of Proof: Recall that Ver(h(m);pk):=fs 2 (Z=nZ)npZj[s e mod n] k+1 == 0jjh(m)jj0g. Represent s 2 Ver(h(m);pk)bys = r + tpq where r 2 (Z=pqZ)npZ, andt 2 Z=pZ. Itis easy to check that (r; t) is the unique representation of s. Let Setr(h(m)) := fr 2 (Z=pqZ)npZj0 (0 mod pq) +pq < 2 2k01 g where := ((0jjh(m)jj0 2k ) 0 r e )modn. This makes it possible to make bijective map Ver(h(m);pk)! Setr(h(m)) by r := s mod pq and t := (0 mod pq) +pq where := ((0jjh(m)jj0 2k ) 0 r e )modn. Therefore, #Ver(h(m);pk)=#Setr(h(m)). { Lemma 4.5 For given s 0 2 Ver(h(m);pk), the following equation holds: Pr[s Sigsk(m) h :s == s 0 ]= Pr [s == s 0 js 2 Ver(h(m);pk)] = s R(Z=nZ)npZ where Pr s R(Z=nZ)npZ [s == s 0js 2 Ver(h(m);pk)] denotes the conditional probability of Event [s R (Z=nZ)npZ : s == s 0 ] given Event [s R (Z=nZ)npZ : s 2 Ver(h(m);pk)]. Sketch of Proof: >From Lemma 4.4, the proof of this lemma is straightforward. { >From Lemma 4.5, we found that B can answer F by itself unless F asks Q l as a signing query. Eventually, when F outputs (Q; s), Q is considered to be Q j for some j. In the case of j = l, B succeeds to break AERP because [s e mod n] k+1 == y, and the success probability 0 (k) isatleast(1=q h ) 1 (k). { 1 #Ver(h(m);pk) ; (6) 15

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

A New Forward-Secure Digital Signature Scheme

A New Forward-Secure Digital Signature Scheme The extended abstract of this work appears Advances in Cryptology Asiacrypt 2000, Tatsuaki Okamoto, editor, Lecture Notes in Computer Science vol. 1976, Springer-Verlag, 2000. c IACR A New Forward-Secure

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

To appear in Advances in Cryptology CRYPTO '97 Ecient Group Signature Schemes for Large Groups (Extended Abstract) Jan Camenisch Department of Computer Science Haldeneggsteig 4 ETH Zurich 8092 Zurich,

More information

Universal Padding Schemes for RSA

Universal Padding Schemes for RSA Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

More information

9 Digital Signatures: Definition and First Constructions. Hashing.

9 Digital Signatures: Definition and First Constructions. Hashing. Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

More information

Security of Blind Digital Signatures

Security of Blind Digital Signatures Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.

More information

Lecture 2: Complexity Theory Review and Interactive Proofs

Lecture 2: Complexity Theory Review and Interactive Proofs 600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

More information

The Exact Security of Digital Signatures How to Sign with RSA and Rabin

The Exact Security of Digital Signatures How to Sign with RSA and Rabin Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996. The Exact Security of Digital Signatures How to Sign with

More information

RSA OAEP is Secure under the RSA Assumption

RSA OAEP is Secure under the RSA Assumption This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12. Digital signatures. 12.1 Digital signature schemes Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

More information

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

ETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it.

ETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it. Publicly Veriable Secret Sharing Markus Stadler? Institute for Theoretical Computer Science ETH Zurich CH-8092 Zurich, Switzerland Email: stadler@inf.ethz.ch Abstract. A secret sharing scheme allows to

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Fast Batch Verification for Modular Exponentiation and Digital Signatures

Fast Batch Verification for Modular Exponentiation and Digital Signatures An extended abstract of this paper appears in Advances in Cryptology Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998. This is the full version.

More information

DIRECT ONLINE/OFFLINE DIGITAL SIGNATURE SCHEMES. Ping Yu, M.S. Dissertation Prepared for the Degree of DOCTOR OF PHILOSOPHY UNIVERSITY OF NORTH TEXAS

DIRECT ONLINE/OFFLINE DIGITAL SIGNATURE SCHEMES. Ping Yu, M.S. Dissertation Prepared for the Degree of DOCTOR OF PHILOSOPHY UNIVERSITY OF NORTH TEXAS DIRECT ONLINE/OFFLINE DIGITAL SIGNATURE SCHEMES Ping Yu, M.S. Dissertation Prepared for the Degree of DOCTOR OF PHILOSOPHY UNIVERSITY OF NORTH TEXAS December 2008 APPROVED: Stephen R. Tate, Major Professor

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

More information

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Security Arguments for Digital Signatures and Blind Signatures

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures

More information

Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

RSA signatures and Rabin Williams signatures: the state of the art

RSA signatures and Rabin Williams signatures: the state of the art RSA signatures and Rabin Williams signatures: the state of the art Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago, Chicago,

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Efficient construction of vote-tags to allow open objection to the tally in electronic elections

Efficient construction of vote-tags to allow open objection to the tally in electronic elections Information Processing Letters 75 (2000) 211 215 Efficient construction of vote-tags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent

More information

DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

A Method for Making Password-Based Key Exchange Resilient to Server Compromise A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Pricing via Processing or Combatting Junk Mail

Pricing via Processing or Combatting Junk Mail Pricing via Processing or Combatting Junk Mail Cynthia Dwork Moni Naor Draft of full version Abstract We present a computational technique for combatting junk mail, in particular, and controlling access

More information

On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order

On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order J. Cryptology (2006) 19: 463 487 DOI: 10.1007/s00145-006-0224-0 2006 International Association for Cryptologic Research On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

A Secure and Efficient Conference Key Distribution System

A Secure and Efficient Conference Key Distribution System ********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

A low-cost Alternative for OAEP

A low-cost Alternative for OAEP A low-cost Alternative for OAEP Peter Schartner University of Klagenfurt Computer Science System Security peter.schartner@aau.at Technical Report TR-syssec-11-02 Abstract When encryption messages by use

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

Security in Electronic Payment Systems

Security in Electronic Payment Systems Security in Electronic Payment Systems Jan L. Camenisch, Jean-Marc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH-8092 Zurich e-mail: {camenisch, stadler}@inf.ethz.ch

More information

Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

More information

SUBLIMINALFREE AUTHENTICATION AND SIGNATURE

SUBLIMINALFREE AUTHENTICATION AND SIGNATURE SUBLIMINALFREE AUTHENTICATION AND SIGNATURE (Extended Abstract) Yvo Desmedt Dept. EE & CS, Univ. of Wisconsin - Milwaukee P.O. Box 784, WI 53201 Milwaukee, U.S.A. ABSTRACT Simmons [17] introduced the notion

More information

Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

More information

A Fast Semantically Secure Public Key Cryptosystem Based on Factoring

A Fast Semantically Secure Public Key Cryptosystem Based on Factoring International Journal of Network Security, Vol.3, No., PP.144 150, Sept. 006 (http://ijns.nchu.edu.tw/) 144 A Fast Semantically Secure Public Key Cryptosystem Based on Factoring Sahdeo Padhye and Birendra

More information

A New, Publicly Veriable, Secret Sharing Scheme

A New, Publicly Veriable, Secret Sharing Scheme Scientia Iranica, Vol. 15, No. 2, pp 246{251 c Sharif University of Technology, April 2008 A New, Publicly Veriable, Secret Sharing Scheme A. Behnad 1 and T. Eghlidos A Publicly Veriable Secret Sharing

More information

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Remotely Keyed Encryption Using Non-Encrypting Smart Cards THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

LUC: A New Public Key System

LUC: A New Public Key System LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

More information

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications by Somayeh Heidarvand In fulfillment

More information

Digital signatures. Informal properties

Digital signatures. Informal properties Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

New Online/Offline Signature Schemes Without Random Oracles

New Online/Offline Signature Schemes Without Random Oracles New Online/Offline Signature Schemes Without Random Oracles Kaoru Kurosawa 1 and Katja Schmidt-Samoa 2 1 Department of Computer and Information Sciences, Ibaraki University, Japan 2 Fachbereich Informatik,

More information

A General Construction for Fail-Stop Signature using Authentication Codes. A General Construction for Fail-Stop. Signatures using Authentication Codes

A General Construction for Fail-Stop Signature using Authentication Codes. A General Construction for Fail-Stop. Signatures using Authentication Codes A General Construction for Fail-Stop Signature using Authentication Codes A General Construction for Fail-Stop Signatures using Authentication Codes Rei Safavi-Naini and Willy Susilo Abstract. Security

More information

Delegation of Cryptographic Servers for Capture-Resilient Devices

Delegation of Cryptographic Servers for Capture-Resilient Devices ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

More information

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Daniel Bleichenbacher Bell Laboratories 700 Mountain Ave., Murray Hill, NJ 07974 bleichen@research.bell-labs.com

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana Univ. at Bloomington Bloomington, IN 47405 Philippe Golle Palo Alto

More information

How to Protect Peer-to-Peer Online Games from Cheats

How to Protect Peer-to-Peer Online Games from Cheats How to Protect Peer-to-Peer Online Games from Cheats Haruhiro Yoshimoto Rie Shigetomi Hideki Imai University of Tokyo Imai Laboratory, Institute of Industrial Science, The University of Tokyo, 4-6-1 Komaba,

More information

A NOVEL DIGITAL SIGNATURE SCHEME BASED ON CUBIC RESIDUE WITH PROVABLE SECURITY. Received December 2010; revised July 2011

A NOVEL DIGITAL SIGNATURE SCHEME BASED ON CUBIC RESIDUE WITH PROVABLE SECURITY. Received December 2010; revised July 2011 International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 149-4198 Volume 8, Number (A), March 2012 pp. 1645 166 A NOVEL DIGITAL SIGNATURE SCHEME BASED ON CUBIC

More information

Digital Signatures out of Second-Preimage Resistant Hash Functions

Digital Signatures out of Second-Preimage Resistant Hash Functions Digital Signatures out of Second-Preimage Resistant Hash Functions Erik Dahmen 1, Katsuyuki Okeya 2, Tsuyoshi Takagi 3, and Camille Vuillaume 2 1 Technische Universität Darmstadt dahmen@cdc.informatik.tu-darmstadt.de

More information

Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

More information

On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

More information

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings Theoretical and Applied Informatics ISSN 896 5334 Vol.24 (202), no. 2 pp. 09 8 DOI: 0.2478/v079-02-0009-0 An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

Semantic Security for the McEliece Cryptosystem without Random Oracles

Semantic Security for the McEliece Cryptosystem without Random Oracles Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

ETH Zurich. Email: fstadler, camenischg@inf.ethz.ch UBILAB. Email: piveteau@ubilab.ubs.ch

ETH Zurich. Email: fstadler, camenischg@inf.ethz.ch UBILAB. Email: piveteau@ubilab.ubs.ch Fair Blind Signatures Markus Stadler 1, JeanMarc Piveteau 2, Jan Camenisch 1 1 Institute for Theoretical Computer Science ETH Zurich CH8092 Zurich, Switzerland Email: fstadler, camenischg@inf.ethz.ch 2

More information

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

More information

A New and Efficient Signature on Commitment Values

A New and Efficient Signature on Commitment Values International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

More information

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University Implementation and Comparison of Various Digital Signature Algorithms -Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information

More information

A blind digital signature scheme using elliptic curve digital signature algorithm

A blind digital signature scheme using elliptic curve digital signature algorithm A blind digital signature scheme using elliptic curve digital signature algorithm İsmail BÜTÜN * and Mehmet DEMİRER *Department of Electrical Engineering, University of South Florida, Tampa, FL, USA Department

More information

Lecture 25: Pairing-Based Cryptography

Lecture 25: Pairing-Based Cryptography 6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

More information

A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology

A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology J, Cryptoiogy (1996) 9:191-195 Joumol of CRYPTOLOGY O 1996 International Association for Cryptologic Research A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer Yale University

More information

A novel deniable authentication protocol using generalized ElGamal signature scheme

A novel deniable authentication protocol using generalized ElGamal signature scheme Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur

More information

Massachusetts Institute of Technology. rosario,silvio@theory.lcs.mit.edu. Abstract

Massachusetts Institute of Technology. rosario,silvio@theory.lcs.mit.edu. Abstract Veriable Secret Sharing as Secure Computation Rosario Gennaro Silvio Micali Laboratory for Computer Science Massachusetts Institute of Technology rosario,silvio@theory.lcs.mit.edu Abstract We present a

More information

On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

More information

CRC Press has granted the following specific permissions for the electronic version of this book:

CRC Press has granted the following specific permissions for the electronic version of this book: This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has

More information

On the Security of One-Witness Blind Signature Schemes

On the Security of One-Witness Blind Signature Schemes On the Security of One-Witness Blind Signature Schemes Foteini Baldimtsi and Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. Blind signatures have proved

More information

Fully homomorphic encryption equating to cloud security: An approach

Fully homomorphic encryption equating to cloud security: An approach IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 9, Issue 2 (Jan. - Feb. 2013), PP 46-50 Fully homomorphic encryption equating to cloud security: An approach

More information

On-Line/Off-Line Digital Signatures

On-Line/Off-Line Digital Signatures J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

More information

Ronald L. Rivest, Adi Shamir, and DavidA.Wagner. Rehovot, Israel. U.C. Berkeley

Ronald L. Rivest, Adi Shamir, and DavidA.Wagner. Rehovot, Israel. U.C. Berkeley Time-lock puzzles and timed-release Crypto Ronald L. Rivest, Adi Shamir, and DavidA.Wagner Revised March 10, 1996 MIT Laboratory for Computer Science 545 Technology Square, Cambridge, Mass. 02139 Weizmann

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information