C\s WSf¼Ê Kå ó6'"ü5c "üf> ] ±ESIGN ¼Ê². } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP. ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!


 Georgiana Terry
 3 years ago
 Views:
Transcription
1 1 B=>? ESIGN 5789:46 C\s WSf¼Ê Kå ó6'"ü5c "üf> ] ±ESIGN ¼Ê²!mÖ} Ö¾ bï.0 z mš } Äntê.0 }z ep.0 1 ¹ã T R;<8 JXQ;< 8eph6 &u z2ÿå.056 y Cå +Y ¹ãC:G ÎP ÍY 5Õ Ì.0Ÿa ESIGN ¼Ê âå *Ð ûzôpö 4^ } ~ 2!mÖÊI z ƒ y $!mö Ö¾.0 z ˆ mš 2 ; < 2.1 Ž Š Ÿ WSf¼Ê 2 'E!mÖ ¾ å ö! Ÿ / 2¾ y {!mö ã Feige, Fiat, Shmair Q ŠŸ 2Ÿ,Â å y [8] $ ˆ ã Q Ÿ 2.1 ¼Ê5c (A; B) A: ÊIfª B: $Êf }z ª'Ú hã G ª A ó6' x )F' w z Ú ª x $Êf éw «ƒƒ ª' C: G k WNQ «(A; B) $ Ñ# Ds!m y z{ 1. (A(w);B)(x) ª ëåp > 1 0 (k) B in 2. $ { ö!f Adv ªu3 z ö!f Adv $Êf (A(w); Adv)(x) wúc5õeù ªˆ ðªêif B z ¼ÊZfQAd (Adv; B)(x) eù ƒ ª (Adv; B)(x) }z B in p G[ z > (k) Ì p ª G, Adv, B VÕ ã 2.2 ESIGN Ž Š ESIGN¼Ê { P9EKdÆH WS ŠWSf¼Ê Ïý ` ãn q ƒ ãn ÊI ã œbi y 1
2 Ÿ 2.2 ESIGNÆHæ,åk~2Çö! z u3å q/2 y ES IGN ¼Ê Ì ã 'E ¾ å ö! Ÿ /2¾ z{'e!mö y $Ì ãn ESIGNÆH!mÖ Ñ# ` ƒ í Ÿ 2.3 ESIGN ¼Ê e Í1]/ã 2.4 i ã a Ù z z{ñ# bgl]=b?d_pd }z ¾ å ö! Ÿ /2¾ z{'e!mö y $ ESIGN¼Ê!mÖ 1 ESIGNÆH!mÖ z mš 2.3 ESIGN ª Š!mÖ z ESIGNÆH RSA/ã ]Á y eí1]/ã (AERP) bgl]=b?d_pd  2 'E!m æ,åk~2çö! z u3å q/2 y ƒ ÊI (!mö z ` i Ÿ{È Ë mš ƒ!mö z ESIGN ÆH v {å!mö ÊI zš5c RSA Ž ÆH5c v PSS FDHRSA, } x*j Ž ÆH5c v ECSchnorr ( Š a  1:!mÖ ( 5c!mÖ ØÕxå bgl]õ 2 'E /ã /ã ESIGN!mÖÊI AERP Ó bgl] PSS or FDHRSA!mÖÊI RSA Ó bgl] ECSchnorr!mÖÊI x*oxzõ Ó bgl] 2.4 ESIGN ªŠ ƒ i ESIGN ÆH nxå!mö.0 a } nxå ÊI ù Œ Šx2 [9] C\s 2ð ç0 } ƒ x2 C\s ESIGNÆH TSH ESIGN É z ƒ ß' 2
3 Ÿ 2.4 G ESIGN 'Ú e Í1]L} (AERP) pk := fn; eg Gen(1 k ) y R f0; 1g k01 Q Š 0jjy =[x e mod n] k { x 2 (Z=nZ)npZ & L} y { påwúc_8dbcg] Adv z Ÿ m ãõ c, j1 Ü k z Pr[Adv(k; n; e; y)! x] < 1=k c q e Í1]L}» z z{ ƒƒ 0jjy =[x e mod n] k y p G Adv pì g z e Í1]L}» z z{/ã e Í1]/ã î Ÿ 2.5 ESIGN ÆH e Í1]/ãÙ z z{ñ# bgl]=b?d_ Pd }z æ,åk~2çö! z u3å q/2 y ± 1: e Í1]/ã z ºb CÆHÕ "üzc\o9y y C ESIGN ÆHÕ 15 ½l À Š [14, 13] ˆ $U ƒ C ESIGN ÆHÕ Cå!mÖ (5õÖ y e Í1]/ã z R %ù Š Õ `Õ e 4 $Ì Ïý z ì3 Nô ö! À& } [5, 6, 10, 18] ä#f n)õ14$7 Nô ö!6gz Oo z ± 2: n = p 2 q n)õ14 0»Ö z n = p 2 q n)õ14 n = pq ŸÛ~ {~ z 1~Œ z n = p 2 q ¹. Šz ~ 8dBcG ]% z [15, 16, 17, 1] ~ ƒ 8dBcG] z Ÿn)Õ14 x*j6 8dBcG] y (5 n = pq n = p 2 q z }z Ÿ2 ût n)õ148dbcg]õy z6 y ƒ 8dBcG] eù_ n C:G &u n)õ C:G &u z $Ì ì_è n = p 2 q C:G n = pq C:G!mÖ Ÿ Ÿ ø 3 < 3.1 ÆÑÅ µ Óœ Œ Ò ÈÏ ½: Hd[ F š : VerilogXL ³ DesignCompiler 3
4 ÎÀÑ½Ò : M 25.6KG(µ2NAND JhY) ³^_c (13312bit) [bgl]fen?³í Y Õ³1Y] ³ [^_c (13312bit)] ž Œ:?fN? 30MHz +Ytê (D\`e Dag rã) ÊI ÆH 9.8 ms $Ê 2.5 ms Š 'C:G 1152 bit 3.2 ÀÇÄ µ Óœ Œ ŒÈÍÂÄÉÑÊ: CPU: Pentium with MMX 266MHz OS: Trubo Linux version 4.0 ÔØÙ: íñ (gcc version ) w âøõ+yb:ybc gnu mp (gmp version 3.0.1) ZS ËÌÎÒ (»ÑÅ ): ËÌÎÒ (ÐÑº¹Îµ): ÊI ÆH Kbytes $Ê Kbytes ž : ÊI ÆH 512 Kbytes $Ê 476 Kbytes ÊI ÆH 18.0 ms $Ê 2.44 ms 4
5 Š 'C:G 1152 bit ÃÑÁ¼ ¾: n C:G 1152 bits e Ü 1024 hlen glen 32â ó6'x7:dc:g )F'X7:dC:G ÆH2X7:dC:G 160 bits 160 bits 128 bits 329 bytes 206 bytes 290 bytes Ú «: AgV:d_ 2æ. gcc O3 SzŠ C.0 (call6) ç0 ŠŸ eù Š"3 y mod n mod p 2 +Y }z ÞþÔ ÎPãn WS ût +Y ƒ ku ÿ5.0 ƒ ût.56 Sz z z ŠŒ M` g ù C.0 ût ep2¾ y 4 ÛAÝƒ Þ Ü ESIGN¼Ê ¹á ˆ ûôp y IfÝdÊI¼Ê5c FiatShamir ¼Ê ÖòÒ¼Ê5c x* Schnorr ¼Ê Ÿôptz ` ESIGN ôpö v {å 5c FiatShamir ¼Ê x* Schnorr ¼Ê ( ˆ 5c z 1152 WNQÕ ÎPÍY+T 5Õ.0 ƒ Œ 'Ú $Ê +T Änu &hÿœš ƒ ( }z 9 à U:Sc6 ÞþÔÎPãn,Âl ž ør.0 ù ŒŠ Vb^ K ESIGN FiatShamir ¼Ê5c 6 n 1152 WNQ x* Schnorr 5c %Õ 160 WNQ /ã Š Š, ESIGN e =2 5 FiatShamir ò Ò5Õ!m Õ 30 5 /ã Š } $  #M(1152) 1152 bits 6  ÎPÍY 5Õ 'E 8Änu #M(1152) Y ŠÜ a z 5
6  2: Änu ( 5c ÊIÄn $ÊÄn #M(1152) #M(1152) òò5õ (5) ESIGN x* Schnorr FiatShamir ²ßˆà [1] Adleman, L.M. and McCurley, K.S.: Open Problems in Number Theoretic Complexity,II (open problems: C7, O7a and O7b), Proc. of ANTSI, LNCS 877, SpringerVerlag, pp (1995). [2] Bellare, M. and Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Ecient Protocols, Proc. of the First ACM Conference on Computer and Communications Security, pp.62{73 (1993). [3] Bellare, M. and Rogaway, P. : Optimal Asymmetric Encryption, Proc. of Eurocrypt'94, LNCS 950, SpringerVerlag pp (1995). [4] Bellare, M. and Rogaway, P.: The Exact Security of Digital Signatures { How to Sign with RSA and Rabin, Proc. of Eurocrypt'96, LNCS 1070, SpringerVerlag, pp (1996). [5] Brickell, E. and DeLaurentis, J.: An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi, Proc. of Crypto'85, LNCS 218, SpringerVerlag, pp (1986). [6] Brickell, E. and Odlyzko: Cryptanalysis: A Survey of Recent Results, Chap.10, Contemporary Cryptology, Simmons (Ed.), IEEE Press, pp.501{540 (1991). [7] Canetti, R., Goldreich, O. and Halevi, S.: The Random Oracle Methodology, Revisited, Proc. of STOC, ACM Press, pp.209{218 (1998). 6
7 [8] Feige, U., Fiat, A. and Shamir, A.: ZeroKnowledge Proofs of Identity, Journal of Cryptology, 1, 2, pp (1988) [9] Fujisaki, E. and Okamoto, T.: Security of Ecient Digital Signature Scheme TSHESIGN, manuscript (1998 November). [10] Girault, M., Ton, P. and Vallee, B.: Computation of Approximate Lth Roots Modulo n and Application to Cryptography, Proc. of Crypto'88, LNCS 403, SpringerVerlag, pp (1990). [11] S. Goldwasser, S. Micali and R. Rivest, \A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks," SIAM J. on Computing, 17, pp.281{ 308, [12] IEEE P1363 Draft, (1999). [13] Okamoto, T.: A Fast Signature Scheme Based on Congruential Polynomial Operations, IEEE Trans. on Inform. Theory, IT36, 1, pp (1990). [14] Okamoto, T. and Shiraishi, A.: A Fast Signature Scheme Based on Quadratic Inequalities, Proc. of the ACM Symposium on Security and Privacy, ACM Press (1985). [15] Peralta, R.: Bleichenbacher's improvement for factoring numbers of the form N = PQ 2 (private communication) (1997). [16] Peralta, R. and Okamoto, E.: Faster Factoring of Integers of a Special Form, IEICE Trans. Fundamentals, E79A, 4, pp (1996). [17] Pollard, J.L.: Manuscript (1997). [18] Vallee, B., Girault, M. and Ton, P.: How to Guess Lth Roots Modulo n by Reducing Lattice Bases, Proc. of Conference of ISSAC88 and AAECC6 (1988). 7
8 Appendix Security of Ecient Digital Signature Scheme TSHESIGN Eiichiro Fujisaki Tatsuaki Okamoto 1 Introduction In this manuscript, we will prove the security of the ecient digital signature scheme TSHESIGN. 2 Denitions Denition 2.1 Let A be aprobabilistic algorithm and let A(x 1 ;:::;x n ; r) be the result of A on input (x 1 ;:::;x n ) and coins r. We dene by y A(x 1 ;:::;x n ) the experiment of picking r at random and letting y be A(x 1 ;:::;x n ; r). IfS is a nite set, let y be the operation of picking y at random and uniformly from nite set S. " denotes the null symbol and, for list, " denote the operation of letting list be empty. Moreover, jj denotes the concatenation operator, j1jdenotes the size of bit length, i.e., jyj := blog 2 yc +1. For nbit string x, [x] k and [x] k denote the most and least signicant k bits of x, respectively (k n). Denition 2.2 [Random Oracle Model] We dene by the set of all maps from the set f0; 1g 3 of nite strings to the set f0; 1g 1 of innite strings. Let H be a map from a set of an appropriate nite length (say : f0; 1g a )toasetofanappropriate nite length (say f0; 1g b ). H means that map H is chosen from at random and uniformly, with restricting the domain to f0; 1g a and the range to the rst b bits of output. Denition 2.3 [Digital Signature Scheme] A digital signature scheme is dened by a triple of algorithms (Gen; Sig; V er) such that Key generation algorithm Gen is a probabilistic polynomialtime algorithm which on input 1 k (k 2 N) outputs a pair (pk; sk), called public key and secret key. R S 8
9 Signing algorithm Sig is a probabilistic polynomialtime algorithm which on input sk Gen(1 k ) and a message m 2f0; 1g 3 produces a string, s 2f0; 1g 3,called the signatureofm. Verication algorithm Veris a probabilistic polynomialtime algorithm which on input pk Gen(1 k ) and a pair of a message and a signature, (m; s) returns 0 (i.e. invalid) or 1 (i.e. valid) to indicate whether or not the signature is valid. Here we insist that, for any (m; s) where s Sig sk (m), werequire Ver pk (m; s) = 1, otherwise Ver pk (m; s) =0with overwhelming probability. Denition 2.4 [Forging Algorithm F ] Let 5:=(Gen; Sig; V er) be a digital signature scheme. Let A be an algorithm which on input pk obtained by running the generator, Gen, hasaccess to random hash function H and signing oracle Sig sk and eventually outputs some string. We say that adversary A is a (t; q h ;q s ;(k))forger for 5(1 k ) if AdvF 5 (k) := Pr[H ; (pk; sk) Gen(1k ):F H;Sig sk (pk)! (m; s)] (k); where Ver pk (m; s) =1and m is not included in the list of queries that F asks to Sig sk (1), and, moreover, F completes within running time t, asking at most q h queries to H(1) and at most q s queries to Sig sk (1). 3 TSHESIGN: ESIGN with Trisection Size Hash This section introduces the digital signature scheme TSHESIGN. 3.1 Trisection Size Hash function h Although it is necessary that the hash function used in our proposed signature scheme be ideal (or random oracle) to prove the security of the signature scheme, an arbitrary hash function (e.g., MD5 and SHA1) is available for practical use. When the signature scheme is dened over Z=nZ, where jnj = 3k, the underlying hash function h(1) isdenedash : f0; 1g 3!f0; 1g k01. (That is, the size of the image of hash h is around one third of the size of jnj.) 9
10 3.2 Key Generation algorithm Gen Key generation algorithm Gen outputs, given security parameter 1 k (k 2 N), (pk; sk) where pk = fn; eg and sk = fn; e; p; qg. The parameters, n; e; p and q, satisfy the following conditions: p; q (p 6= q) are prime numbers with kbit length, i.e., k = jpj = jqj. n := p 2 q with 3kbit length and e> Signature Generation Sig sk (m) The signature s of message m is computed by the signature algorithm Sig sk (1) as follows: Step 1 Pick r at random and uniformly from (Z=pqZ)npZ := fr 2 Z=pqZj gcd(r; p) =1g. Step 2 Set z (0jjh(m)jj0 2k ) and (z 0 r e )modn. Step 3 Set (w 0 ;w 1 )such that If w 1 2 2k01, then go back to Step 1. w Step 4 Set t 0 er mod p, ands (r + tpq) modn. e01 Step 5 Output s. w 0 = d e; pq (1) w 1 = w 0 1 pq 0 : (2) 3.4 Signature Verication Ver pk (m; s) For a pair of message m and signature s, the verication algorithm Ver pk (m; s) outputs valid (or1)if [s e mod n] k+1 == 0jjh(m)jj0; (3) otherwise invalid (or 0). Here we dene by Ver(h(m);pk) the set of valid signatures, namely, given (h(m);pk), signatures that satisfy Equation (3). 10
11 Remark: In practice, the verication equation can be replaced by [s e mod n] k == 0jjh(m): (4) The formal proof in the next section still works with minor modication of the approximate eth root assumption. 4 Security In this section, we examine the security of TSHESIGN. We rst introduce a problem that is considered to be dicult to solve and then prove that breaking our scheme is as dicult as solving this problem. We call the underlying problem the approximate eth root problem (AERP). Roughly speaking, AERP is the problem, for given (y; e), of nding x such that x e mod n is approximately equivalent toy, i.e., x e mod n y. Now let us dene the approximate eth root problem (AERP) and the breaking algorithm. Denition 4.1 [Approximate eth root problem (AERP)] Let Gen be the generator of the TSHESIGN algorithm. Approximate eth root problem (AERP) is, for given pk := fn; eg 0jjyjj0 ==[x e mod n] k+1. Gen(1 k ) and y R f0; 1g k01, to nd x 2 (Z=nZ)npZ such that Denition 4.2 [AERPBreaker B] We say that adversary B is a (t; (k))aerpbreaker if Adv AERP B (k) := Pr[(pk; sk) Gen(1 k ); y R f0; 1g k01 : B(pk; y)! x] (k); where 0jjyjj0 ==[x e mod n] k and B completes within running time t. The following theorem is the main result of this manuscript. This theorem implies that breaking AERP is as dicult as forging TSHESIGN (existentially forging under adaptive chosen message attacks). 11
12 Theorem 4.3 If there exists a (t(k);q h (k);q s (k);(k))forger F for TSHESIGN, then there exists a (t 0 (k); 0 (k))aerpbreaker B such that Proof: t 0 (k) = t(k)+4(q h + q s ) 1 (k 3 ); and 0 (k) = (1=q h ) 1 (k): Let 5 := (Gen; Sig; V er) be a triple of the TSHESIGN algorithm and F be a (t; q h ;q s ;)forging algorithm for TSHESIGN. We will present an AERPBreaker B that includes F as an oracle. The aim of B is, given y, to nd an approximate root x such that 0jjyjj0 ==[x e mod n] k+1. Recall that the advantage of ESIGNbreaker B is dened by Adv AERP B (k) :=Pr[(pk; sk) Gen(1 k ); y R f0; 1g k01 : B(pk; y)! x]: Likewise recall that the advantage of forger F for TSHESIGN is dened by Adv 5 F (k) :=Pr[H ; (pk; sk) Gen(1k ):F H;Sig sk (pk)! (m; s); where s 2 Ver(H(m);pk)]; where Ver(H(m);pk) is dened as above in Sec.3.4 and m is not included in the list of queries that F asks to Sig sk (1). Since forging algorithm F will make two kinds of queries, hash oracle queries and signing oracle queries, B must answer these queries by itself. Below we describe the specication of AERPbreaker B: AERPBreaker: B(pk; y) set " (empty) and x " (null); set l R f1;:::;q h g, i 0 and j 0; run F(pk); do while F does not ask query Q to H(1) nor ask to Sig sk (1) if F asks query Q to H(1) i ++;j + +; (increment i; j); if j == l else if Q 62 set Q l Q; put (Q l ;";y) in the list and answer F with y; set Q i Q; 12
13 if Q i = Q l abort F and break; do while 0jj 3 jj0 ==[x e i mod n]k+1, x i R (Z=nZ)npZ; set (0jjy i jj0) [x e i mod n]k+1 ; put (Q i ;x i ;y i ) in the list and answer F with y i ; else (Q 2 ) answer F with the corresponding y 0 2 ; else if F asks query Q to Sig sk (1) i + + (increment i); else if Q 62 set Q i Q; End. do while 0jj 3 jj0 ==[x e i x i R (Z=nZ)npZ; mod n]k+1 set (0jjy i jj0) [x e i mod n]k+1 ; put (Q i ;x i ;y i ) in the list and answer F with x i ; else (Q 2 ) answer F with the corresponding x 0 2 ; if F outputs (Q l ;x l ) set x x l ; return x Here '3' denotes an (k 01)bit arbitrary string and denotes a list that records queries of F and the corresponding signatures and hash values that B makes. B starts with list empty and then records (Q i ;x i ;y i )in by following the specication until aborting F or F ends asking queries. Hereafter we explain the strategy of this specication, which is similar to that of FDHRSA as presented by Bellare and Rogawayin[4]. First B picks up l uniformly from f1;:::;q H g. B sets counters, i; j, asi 0and j 0. Counter i is utilized for counting the total number of the queries that F asks to random oracle H and signing oracle Sig, while counter j is utilized for counting the number of F 's asking to H. 13
14 If F asks query Q to random oracle H(1), B increases i; j and then works as follows: { If the query is the lth one, B sets Q l Q, puts (Q l ;";y) in list, and answers F with y, where y is the instance input to B, { Else if the query has not been recorded in list, B sets Q i Q, and then after executing Experiment I= [repeatedly picks up x i from (Z=nZ)npZ until 0jj 3 jj0 ==[x e i mod n]k+1, where '3' denotes an (k 0 1)bit arbitrary string], makes an entry of (Q i ;x i ;y i )in and answers F with y i as the hash value of Q, where y i is dened by 0jjy i jj0 [x e i mod n]k+1. { Otherwise (i.e., Q is already in list ), B answers F with the corresponding y 0 2. Similarly, iff asks query Q to signing oracle Sig sk (1), B increases i and then works as follows: { If Q i = Q l, B aborts F and outputs " (This means B failed to solve AERP), { Else if Q 62, B sets Q i Q, and then after executing Experiment I makes an entry of (Q i ;x i ;y i )in and answers F with x i as the signing value of Q, where y i is dened by 0jjy i jj0 [x e i mod n]k+1. { Otherwise (i.e., Q is already in list ), B answers F with the corresponding x 0 2. Here we state that the distribution of (x i ;y i ) from Experiment I is identical to that of (s; H(m)) of signing algorithm Sig sk (1) in the random oracle model. To prove this, we state the following two lemmas. To prove Lemma 4.5 is sucient to prove this statement. Lemma 4.4 For given h(m) 2f0; 1g k01 and pk holds: Gen(1 k ), the following equation #Ver(h(m);pk)=#fr 2 (Z=pqZ)npZj0 (0 mod pq)+pq < 2 2k01 g; (5) where := ((0jjh(m)jj0 2k ) 0 r e )modn. 14
15 Sketch of Proof: Recall that Ver(h(m);pk):=fs 2 (Z=nZ)npZj[s e mod n] k+1 == 0jjh(m)jj0g. Represent s 2 Ver(h(m);pk)bys = r + tpq where r 2 (Z=pqZ)npZ, andt 2 Z=pZ. Itis easy to check that (r; t) is the unique representation of s. Let Setr(h(m)) := fr 2 (Z=pqZ)npZj0 (0 mod pq) +pq < 2 2k01 g where := ((0jjh(m)jj0 2k ) 0 r e )modn. This makes it possible to make bijective map Ver(h(m);pk)! Setr(h(m)) by r := s mod pq and t := (0 mod pq) +pq where := ((0jjh(m)jj0 2k ) 0 r e )modn. Therefore, #Ver(h(m);pk)=#Setr(h(m)). { Lemma 4.5 For given s 0 2 Ver(h(m);pk), the following equation holds: Pr[s Sigsk(m) h :s == s 0 ]= Pr [s == s 0 js 2 Ver(h(m);pk)] = s R(Z=nZ)npZ where Pr s R(Z=nZ)npZ [s == s 0js 2 Ver(h(m);pk)] denotes the conditional probability of Event [s R (Z=nZ)npZ : s == s 0 ] given Event [s R (Z=nZ)npZ : s 2 Ver(h(m);pk)]. Sketch of Proof: >From Lemma 4.4, the proof of this lemma is straightforward. { >From Lemma 4.5, we found that B can answer F by itself unless F asks Q l as a signing query. Eventually, when F outputs (Q; s), Q is considered to be Q j for some j. In the case of j = l, B succeeds to break AERP because [s e mod n] k+1 == y, and the success probability 0 (k) isatleast(1=q h ) 1 (k). { 1 #Ver(h(m);pk) ; (6) 15
Improved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationA New ForwardSecure Digital Signature Scheme
The extended abstract of this work appears Advances in Cryptology Asiacrypt 2000, Tatsuaki Okamoto, editor, Lecture Notes in Computer Science vol. 1976, SpringerVerlag, 2000. c IACR A New ForwardSecure
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationIn this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamaltype sc
Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane
More information9 Digital Signatures: Definition and First Constructions. Hashing.
Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationSecurity of Blind Digital Signatures
Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.
More informationUniversal Padding Schemes for RSA
Universal Padding Schemes for RSA JeanSébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jeansebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com
More informationTo appear in Advances in Cryptology CRYPTO '97 Ecient Group Signature Schemes for Large Groups (Extended Abstract) Jan Camenisch Department of Computer Science Haldeneggsteig 4 ETH Zurich 8092 Zurich,
More informationRSA OAEP is Secure under the RSA Assumption
This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,
More informationThe Exact Security of Digital Signatures How to Sign with RSA and Rabin
Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., SpringerVerlag, 1996. The Exact Security of Digital Signatures How to Sign with
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the reallife example where a person pays by credit card and signs a bill; the seller verifies
More informationChapter 12. Digital signatures. 12.1 Digital signature schemes
Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this
More informationTwin Signatures: an Alternative to the HashandSign Paradigm
Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the HashandSign Paradigm
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationFast Batch Verification for Modular Exponentiation and Digital Signatures
An extended abstract of this paper appears in Advances in Cryptology Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., SpringerVerlag, 1998. This is the full version.
More informationETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it.
Publicly Veriable Secret Sharing Markus Stadler? Institute for Theoretical Computer Science ETH Zurich CH8092 Zurich, Switzerland Email: stadler@inf.ethz.ch Abstract. A secret sharing scheme allows to
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511517 HIKARI Ltd, www.mhikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita Rotaru
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationSecurity Arguments for Digital Signatures and Blind Signatures
Journal of Cryptology, Volume 13, Number 3. Pages 361 396, SpringerVerlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationDIRECT ONLINE/OFFLINE DIGITAL SIGNATURE SCHEMES. Ping Yu, M.S. Dissertation Prepared for the Degree of DOCTOR OF PHILOSOPHY UNIVERSITY OF NORTH TEXAS
DIRECT ONLINE/OFFLINE DIGITAL SIGNATURE SCHEMES Ping Yu, M.S. Dissertation Prepared for the Degree of DOCTOR OF PHILOSOPHY UNIVERSITY OF NORTH TEXAS December 2008 APPROVED: Stephen R. Tate, Major Professor
More informationTextbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures
Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 80090
Security Analysis of DRBG Using MAC in NIST SP 80090 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@ufukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationDIGITAL SIGNATURES 1/1
DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications EunKyung Ryu 1), KeeYoung Yoo 2), KeumSook Ha 3) Abstract The technique
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationIntroduction to Cryptography
Introduction to Cryptography Part 2: publickey cryptography JeanSébastien Coron January 2007 Publickey cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationOn the Fly Authentication and Signature Schemes Based on Groups of Unknown Order
J. Cryptology (2006) 19: 463 487 DOI: 10.1007/s0014500602240 2006 International Association for Cryptologic Research On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order
More informationEfficient construction of votetags to allow open objection to the tally in electronic elections
Information Processing Letters 75 (2000) 211 215 Efficient construction of votetags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationA Secure and Efficient Conference Key Distribution System
********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationAsymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University
Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem
More informationA Method for Making PasswordBased Key Exchange Resilient to Server Compromise
A Method for Making PasswordBased Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu
More informationRSA signatures and Rabin Williams signatures: the state of the art
RSA signatures and Rabin Williams signatures: the state of the art Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago, Chicago,
More informationIndex Calculation Attacks on RSA Signature and Encryption
Index Calculation Attacks on RSA Signature and Encryption JeanSébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jeansebastien.coron,david.naccache}@gemplus.com
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationA lowcost Alternative for OAEP
A lowcost Alternative for OAEP Peter Schartner University of Klagenfurt Computer Science System Security peter.schartner@aau.at Technical Report TRsyssec1102 Abstract When encryption messages by use
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationPricing via Processing or Combatting Junk Mail
Pricing via Processing or Combatting Junk Mail Cynthia Dwork Moni Naor Draft of full version Abstract We present a computational technique for combatting junk mail, in particular, and controlling access
More informationA Fast Semantically Secure Public Key Cryptosystem Based on Factoring
International Journal of Network Security, Vol.3, No., PP.144 150, Sept. 006 (http://ijns.nchu.edu.tw/) 144 A Fast Semantically Secure Public Key Cryptosystem Based on Factoring Sahdeo Padhye and Birendra
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationHybrid Signcryption Schemes with Insider Security (Extended Abstract)
Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationSecurity in Electronic Payment Systems
Security in Electronic Payment Systems Jan L. Camenisch, JeanMarc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH8092 Zurich email: {camenisch, stadler}@inf.ethz.ch
More informationSUBLIMINALFREE AUTHENTICATION AND SIGNATURE
SUBLIMINALFREE AUTHENTICATION AND SIGNATURE (Extended Abstract) Yvo Desmedt Dept. EE & CS, Univ. of Wisconsin  Milwaukee P.O. Box 784, WI 53201 Milwaukee, U.S.A. ABSTRACT Simmons [17] introduced the notion
More informationAnalysis of PrivacyPreserving Element Reduction of Multiset
Analysis of PrivacyPreserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaCRIM, Seoul
More informationConcrete Security of the BlumBlumShub Pseudorandom Generator
Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. SpringerVerlag. Concrete Security of the BlumBlumShub Pseudorandom Generator
More informationThreshold Identity Based Encryption Scheme without Random Oracles
WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yatsen University Guangzhou, P.R. China Yanming Wang Lingnan College
More informationA New, Publicly Veriable, Secret Sharing Scheme
Scientia Iranica, Vol. 15, No. 2, pp 246{251 c Sharif University of Technology, April 2008 A New, Publicly Veriable, Secret Sharing Scheme A. Behnad 1 and T. Eghlidos A Publicly Veriable Secret Sharing
More informationRemotely Keyed Encryption Using NonEncrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationEfficient online electronic checks
Applied Mathematics and Computation 162 (2005) 1259 1263 www.elsevier.com/locate/amc Efficient online electronic checks WeiKuei Chen Department of Computer Science and Information Engineering, ChingYun
More informationDigital Signatures out of SecondPreimage Resistant Hash Functions
Digital Signatures out of SecondPreimage Resistant Hash Functions Erik Dahmen 1, Katsuyuki Okeya 2, Tsuyoshi Takagi 3, and Camille Vuillaume 2 1 Technische Universität Darmstadt dahmen@cdc.informatik.tudarmstadt.de
More informationDigital signatures. Informal properties
Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.
More informationLUC: A New Public Key System
LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of
More informationA General Construction for FailStop Signature using Authentication Codes. A General Construction for FailStop. Signatures using Authentication Codes
A General Construction for FailStop Signature using Authentication Codes A General Construction for FailStop Signatures using Authentication Codes Rei SafaviNaini and Willy Susilo Abstract. Security
More informationChosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Daniel Bleichenbacher Bell Laboratories 700 Mountain Ave., Murray Hill, NJ 07974 bleichen@research.belllabs.com
More informationPrivacyProviding Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar
PrivacyProviding Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar PrivacyProviding Signatures and Their Applications by Somayeh Heidarvand In fulfillment
More informationProvably Secure Cryptography: State of the Art and Industrial Applications
Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services FrenchJapanese Joint Symposium on Computer Security Outline
More informationPostQuantum Cryptography #4
PostQuantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertextonly attack: This is the most basic type of attack
More informationNew Online/Offline Signature Schemes Without Random Oracles
New Online/Offline Signature Schemes Without Random Oracles Kaoru Kurosawa 1 and Katja SchmidtSamoa 2 1 Department of Computer and Information Sciences, Ibaraki University, Japan 2 Fachbereich Informatik,
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationTamperEvident Digital Signatures: Protecting Certification Authorities Against Malware
TamperEvident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana Univ. at Bloomington Bloomington, IN 47405 Philippe Golle Palo Alto
More informationDelegation of Cryptographic Servers for CaptureResilient Devices
ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.
More informationOn Factoring Integers and Evaluating Discrete Logarithms
On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements
More informationDigital Signatures. Good properties of handwritten signatures:
Digital Signatures Good properties of handwritten signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is
More informationHow to Protect PeertoPeer Online Games from Cheats
How to Protect PeertoPeer Online Games from Cheats Haruhiro Yoshimoto Rie Shigetomi Hideki Imai University of Tokyo Imai Laboratory, Institute of Industrial Science, The University of Tokyo, 461 Komaba,
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationNetwork Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 81
Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 81 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret
More informationOnLine/OffLine Digital Signatures
J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research OnLine/OffLine Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,
More informationA Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology
J, Cryptoiogy (1996) 9:191195 Joumol of CRYPTOLOGY O 1996 International Association for Cryptologic Research A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer Yale University
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationA NOVEL DIGITAL SIGNATURE SCHEME BASED ON CUBIC RESIDUE WITH PROVABLE SECURITY. Received December 2010; revised July 2011
International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 1494198 Volume 8, Number (A), March 2012 pp. 1645 166 A NOVEL DIGITAL SIGNATURE SCHEME BASED ON CUBIC
More informationSemantic Security for the McEliece Cryptosystem without Random Oracles
Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationETH Zurich. Email: fstadler, camenischg@inf.ethz.ch UBILAB. Email: piveteau@ubilab.ubs.ch
Fair Blind Signatures Markus Stadler 1, JeanMarc Piveteau 2, Jan Camenisch 1 1 Institute for Theoretical Computer Science ETH Zurich CH8092 Zurich, Switzerland Email: fstadler, camenischg@inf.ethz.ch 2
More informationPublicKey Encryption (Asymmetric Encryption)
PublicKey Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 The story so far (PrivateKey Crypto) Alice establish secure
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationOn the Security of OneWitness Blind Signature Schemes
On the Security of OneWitness Blind Signature Schemes Foteini Baldimtsi and Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. Blind signatures have proved
More informationIntroduction. Chapter 1
Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/cryptobook/ The copyright
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of publickey cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More information