
Showing papers on "Merkle signature scheme published in 2002"


Book ChapterDOI
11 Sep 2002
TL;DR: A practical and provably secure signature scheme is proposed, together with protocols for signing a committed value and for proving knowledge of a signature on a committed value; the scheme is a building block for anonymity-enhancing systems such as electronic cash, group signatures and anonymous credential systems, and generalizes the anonymous credential system of Camenisch and Lysyanskaya.
Abstract: Digital signature schemes are a fundamental cryptographic primitive, of use both in its own right, and as a building block in cryptographic protocol design. In this paper, we propose a practical and provably secure signature scheme and show protocols (1) for issuing a signature on a committed value (so the signer has no information about the signed value), and (2) for proving knowledge of a signature on a committed value. This signature scheme and corresponding protocols are a building block for the design of anonymity-enhancing cryptographic systems, such as electronic cash, group signatures, and anonymous credential systems. The security of our signature scheme and protocols relies on the Strong RSA assumption. These results are a generalization of the anonymous credential system of Camenisch and Lysyanskaya.

675 citations


Journal ArticleDOI
TL;DR: In this paper, an identity-based signature scheme is presented which makes use of bilinear pairings on elliptic curves, similar to the generalised ElGamal signature scheme.
Abstract: An efficient identity-based signature scheme is presented which makes use of bilinear pairings on elliptic curves. This scheme is similar to the generalised ElGamal signature scheme. The security of the scheme is considered.

368 citations


Book ChapterDOI
01 Dec 2002
TL;DR: In this article, a 1-out-of-n signature scheme is proposed that allows mixed use of different flavors of keys at the same time and is more efficient than previous schemes even when used with a single type of key.
Abstract: This paper addresses how to use public keys of several different signature schemes to generate 1-out-of-n signatures. Previously known constructions are for either RSA keys only or DL-type keys only. We present a widely applicable method to construct a 1-out-of-n signature scheme that allows mixed use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of key. With all DL-type keys, it yields shorter signatures than those of the previously known scheme based on the witness-indistinguishable proofs by Cramer et al. With all RSA-type keys, it reduces both computational and storage costs compared to those of the ring signatures by Rivest et al.

282 citations


Book ChapterDOI
02 May 2002
TL;DR: In this paper, a new security proof for the Probabilistic Signature Scheme (PSS) is derived in which a much shorter random salt is used to achieve the same security level, namely log2 qsig bits suffice.
Abstract: The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that log2 qsig bits suffice, where qsig is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than log2 qsig bits are used, then PSS is still provably secure but it cannot have a tight security proof. Our technique applies to other signature schemes such as the Full Domain Hash scheme and Gennaro-Halevi-Rabin's scheme, whose security proofs are shown to be optimal.

212 citations


Journal Article
TL;DR: A new security proof for PSS is derived in which a much shorter random salt is used to achieve the same security level, namely it is shown that log2 qsig bits suffice, where qsig is the number of signature queries made by the attacker.
Abstract: The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that log2 qsig bits suffice, where qsig is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than log2 qsig bits are used, then PSS is still provably secure but it cannot have a tight security proof. Our technique applies to other signature schemes such as the Full Domain Hash scheme and Gennaro-Halevi-Rabin's scheme, whose security proofs are shown to be optimal.

184 citations


Book ChapterDOI
02 May 2002
TL;DR: It is shown that the Fiat-Shamir signature scheme is secure against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure against impersonation under passive attacks and has its commitments drawn at random from a large space.
Abstract: The Fiat-Shamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forward-secure signature schemes. We find minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model, in both the usual and the forward-secure cases. Specifically we show that the signature scheme is secure (resp. forward-secure) against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forward-secure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the Fiat-Shamir transform so that the commitment space assumption may be removed.

165 citations


Posted Content
TL;DR: A proactive threshold signature scheme, a multisignature scheme and a blind signature scheme are built on the BLS signature scheme in Gap Diffie-Hellman groups; most of them are simpler, more efficient and have more useful properties than similar existing constructions, and all are proved secure under the corresponding notions of security.
Abstract: We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap Diffie-Hellman (GDH) group (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [BLS]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.

108 citations


Proceedings ArticleDOI
25 Nov 2002
TL;DR: This paper proposes extensions of the RSA cryptosystem and digital signature scheme to the domain of Gaussian integers, and illustrates the required arithmetic and its use in the proposed extensions.
Abstract: This paper proposes extensions for the RSA cryptosystem and digital signature schemes to the domain of Gaussian integers. The required arithmetic and the use of it in the proposed extensions are illustrated. Also, numerical examples are given. The proposed extensions have many advantages over the classical RSA cryptosystem and digital signature.

37 citations


Journal Article
TL;DR: It is shown that for e = 2 (Rabin), partial-domain hash signature schemes are provably secure in the random oracle model, if the output size of the hash function is larger than 2/3 of the modulus size.
Abstract: We study the security of partial-domain hash signature schemes, in which the output size of the hash function is only a fraction of the modulus size. We show that for e = 2 (Rabin), partial-domain hash signature schemes are provably secure in the random oracle model, if the output size of the hash function is larger than 2/3 of the modulus size. This provides a security proof for a variant of the signature standards ISO 9796-2 and PKCS#1 v1.5, in which a larger digest size is used.

35 citations


Journal Article
TL;DR: In this paper, graph-based one-time signature schemes are analyzed from a security point of view. Bleichenbacher and Maurer, who introduced the generic graph-based construction, did not give a proof of its security and left open the problem of determining under what assumption security can be formally proved.
Abstract: Essentially all known one-time signature schemes can be described as special instances of a general scheme suggested by Bleichenbacher and Maurer based on graphs of one-way functions. Bleichenbacher and Maurer thoroughly analyze graph based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security of their generic construction, and they leave open the problem of determining under what assumption security can be formally proved. In this paper we analyze graph based signatures from a security point of view and give sufficient conditions that allow us to prove the security of the signature scheme in the standard complexity model (no random oracles). The techniques used to prove the security of graph based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.

31 citations


Proceedings Article
01 Jan 2002
TL;DR: New watermarking schemes for 3D polygon models are introduced, which embed information by permuting the order of vertices or faces, and Polygon Vertex Rotation scheme (PVR) embeds information by rotating the vertices of faces.
Abstract: This paper introduces new watermarking schemes for 3D polygon models. The schemes presented here use just the redundancy in model description, hence essential model data such as vertex coordinates and topology are left intact. Proposed Full Permutation Scheme (FPS) and Partial Permutation Scheme (PPS) embed information by permuting the order of vertices or faces, and Polygon Vertex Rotation scheme (PVR) embeds information by rotating the vertices of faces. The digital signature procedure for verification purposes is also presented, which works in cooperation with popular public-key cryptography. A modified PVR scheme (Packet PVR) is then proposed for more robust signature. Evaluation results show that our schemes can embed 0.2% (by Packet PVR) – 2.8% (by FPS) of information compared to the original model file size. Our methods are orthogonal and complementary to the preceding methods that use geometrical and topological domain.

Book ChapterDOI
01 Dec 2002
TL;DR: The techniques used to prove the security of graph based one-time signatures are applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.
Abstract: Essentially all known one-time signature schemes can be described as special instances of a general scheme suggested by Bleichenbacher and Maurer based on "graphs of one-way functions". Bleichenbacher and Maurer thoroughly analyze graph based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security of their generic construction, and they leave open the problem of determining under what assumption security can be formally proved. In this paper we analyze graph based signatures from a security point of view and give sufficient conditions that allow to prove the security of the signature scheme in the standard complexity model (no random oracles). The techniques used to prove the security of graph based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.

Li, Ji-guo, Cao, Zhen-fu, Zhang, Yi-chen
01 Jan 2002
TL;DR: Two secure nonrepudiable proxy signature schemes are proposed, which overcome the disadvantages of the M-U-O and K-P-W proxy signature schemes, respectively, and can withstand the public key substitution attack and the forgery attack.
Abstract: The concept of proxy signature, introduced by Mambo, Usuda, and Okamoto in 1996, allows a designated person, called a proxy signer, to sign on behalf of an original signer. However, most existing proxy signature schemes do not support nonrepudiation. In this paper, we propose two secure nonrepudiable proxy signature schemes, which overcome the disadvantages of the M-U-O and K-P-W proxy signature schemes, respectively. The proposed schemes can withstand the public key substitution attack and the forgery attack. In addition, our new schemes have some other advantages, such as proxy signature key generation and updating using insecure channels. Our approach can also be applied to other ElGamal-like proxy signature schemes.

Journal Article
TL;DR: To resist the adaptive chosen message attack and improve signature generation efficiency, a signature scheme based on the strong RSA assumption is described in this paper, and it is proved that the scheme is secure against the adaptive chosen message attack under the strong RSA assumption.
Abstract: To resist the adaptive chosen message attack and improve signature generation efficiency, a signature scheme based on the strong RSA assumption is described in this paper. The scheme uses a fixed base rather than raising values to a fixed power, which is different from the RSA algorithm. Moreover, one can use pre-computation techniques in order to get better efficiency. In addition, a hash function can be incorporated into the scheme in such a way that it offers a trapdoor to the signing algorithm. The merit of this amended scheme is that if one makes a distinction between the "off-line" and the "on-line" cost of signing, the signer can reduce the "on-line" cost significantly by using the hash trapdoor. It is proved that the scheme is secure against the adaptive chosen message attack under the strong RSA assumption. The experimental results show that the scheme has high efficiency.

01 Jan 2002
TL;DR: An efficient group signature scheme which makes use of an elliptic-curve identity-based signature scheme is presented; its performance is similar to that of the underlying ID-based signature scheme.
Abstract: We present an efficient group signature scheme which makes use of an elliptic-curve identity-based signature scheme. The performance of the generated group signature scheme is similar to the performance of the underlying ID-based signature scheme.

Journal Article
TL;DR: It is shown here that the S-L-H threshold proxy signature scheme, which itself improved on the schemes of Zhang and of Kim et al., is insecure against the public key substitution attack, and an improved threshold proxy signature scheme is proposed.
Abstract: The concept of proxy signature, introduced by Mambo, Usuda, and Okamoto in 1996, allows a designated person, called a proxy signer, to sign on behalf of an original signer. Mambo et al. show that proxy signature should have the properties of proxy signer's deviation, unforgeability, verifiability, distinguishability, identifiability, and undeniability, and give three types of delegation: full delegation, partial delegation and delegation with warrant. Sun, Lee and Hwang proposed a threshold proxy signature scheme (denoted as the S-L-H scheme), which overcame disadvantages of the schemes proposed by Zhang and Kim et al., respectively, and gave an improved scheme. It is shown here that the S-L-H scheme is insecure against the public key substitution attack, and an improved threshold proxy signature scheme is proposed. Furthermore, using the zero-knowledge idea, a general approach to withstanding the public key substitution attack is given. The improved scheme has the advantages of nonrepudiation, not using a secure channel, and being able to resist the public key substitution attack and the collusion attack.

01 Jan 2002
TL;DR: This paper analyzes and improves the recently proposed bins and balls signature (BiBa), a new approach for designing signatures from one-way functions without trapdoors, and proposes several new related signature algorithms.
Abstract: This paper analyzes and improves the recently proposed bins and balls signature (BiBa [23]), a new approach for designing signatures from one-way functions without trapdoors. We first construct a general framework for signature schemes based on the balls and bins paradigm and propose several new related signature algorithms. The framework also allows us to obtain upper bounds on the security of such signatures. Several of our signature algorithms approach the upper bound. We then show that by changing the framework in a novel manner we can boost the efficiency and security of our signature schemes. We call the resulting mechanism Powerball signatures. Powerball signatures offer greater security and efficiency than previous signature schemes based on one-way functions without trapdoors.

Book ChapterDOI
18 Feb 2002
TL;DR: A new signature forgery attack on PKCS #1 v1.5 signatures is described, possible even with a strong hash function, based on choosing a new (and suspicious-looking) hash function identifier as part of the attack.
Abstract: The security of many signature schemes depends on the verifier's assurance that the same hash function is applied during signature verification as during signature generation. Several schemes provide this assurance by appending a hash function identifier to the hash value. We show that such "hash function firewalls" do not necessarily prevent an opponent from forging signatures with a weak hash function, and we give "weak hash function" attacks on several signature schemes that employ such firewalls. We also describe a new signature forgery attack on PKCS #1 v1.5 signatures, possible even with a strong hash function, based on choosing a new (and suspicious-looking) hash function identifier as part of the attack.

Journal Article
TL;DR: In this paper, it was shown that the Fiat-Shamir signature scheme is secure (resp. forward-secure) against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forward-secure) against impersonation under passive (i.e., eavesdropping only) attacks and has its commitments drawn at random from a large space.
Abstract: The Fiat-Shamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forward-secure signature schemes. We find minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model, in both the usual and the forward-secure cases. Specifically we show that the signature scheme is secure (resp. forward-secure) against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forward-secure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the Fiat-Shamir transform so that the commitment space assumption may be removed.

Journal ArticleDOI
TL;DR: A provably secure group-oriented blind (t, n) threshold signature scheme is proposed, the first such scheme whose security is proved to be equivalent to the discrete logarithm problem in the random oracle model.
Abstract: In this paper, we propose a provably secure group-oriented blind (t, n) threshold signature scheme, which is the first scheme whose security is proved to be equivalent to the discrete logarithm problem in the random oracle model. Based on the scheme, any t out of n signers in a group can represent the group in signing blind threshold signatures, which can be used in anonymous digital e-cash systems or secure voting systems. By means of our proposed scheme, the issue of e-coins is controlled by several authorities. In our scheme, the size of a blind threshold signature is the same as that of an individual blind signature, and the signature verification process is equivalent to that for an individual signature.

Journal ArticleDOI
TL;DR: This article proposes an improvement of He's digital signature scheme, which is based on factoring and discrete logarithms; the improved scheme is claimed to be secure and efficient.
Abstract: Recently, He proposed a new digital signature scheme based on factoring and discrete logarithms. In this article, we propose an improvement of He’s digital signature scheme. Our scheme is secure and efficient.

Journal Article
TL;DR: The authors intend to propose two new untraceable blind signature schemes based on the difficulty of solving the discrete logarithm problem that can fully satisfy all of the properties a blind signature scheme can have.
Abstract: With the help of a blind signature scheme, a requester can obtain a signature on a message from a signer such that the signer knows nothing about the content of the messages and is unable to link the resulting message-signature pair; namely, a blind signature scheme can achieve both blindness and untraceability. Due to the above properties, the blind signature scheme can be used in cryptographic applications such as electronic voting systems and cash payment systems. So far, most of the proposed blind signature schemes are based on the difficulty of solving the factoring problem and quadratic residues. In this paper, the authors intend to propose two new untraceable blind signature schemes based on the difficulty of solving the discrete logarithm problem. The two blind signature schemes are two variations of the DSA signature scheme and can fully satisfy all of the properties a blind signature scheme can have.

Journal ArticleDOI
TL;DR: A new society-oriented scheme based on the Guillou-Quisquater signature scheme is proposed; it is identity-based, and signatures are verified with respect to only one identity.

Book ChapterDOI
11 Mar 2002
TL;DR: This paper gives the first fast signature scheme without on-line modular multiplication; it is derived from a three-pass identification scheme and requires only a modular exponentiation as preprocessing.
Abstract: In this paper, we propose a fast signature scheme which is derived from three-pass identification scheme. Our signature scheme would require a modular exponentiation as preprocessing. However, no multiplication is used in the actual (i.e. on-line) signature generation. This means that the phase involves only a hashing operation, addition and a modular reduction. So far, some fast signature schemes called on the fly signatures were proposed. In those schemes the modular reduction is eliminated in the on-line phase. Therefore, our approach to obtain the fast on-line signature is different from theirs. This paper is the first approach for the fast signature scheme without on-line modular multiplication.

Book ChapterDOI
16 Dec 2002
TL;DR: In this paper, the authors presented three signature screening algorithms for a variant of ElGamal-type digital signatures, which were used for message authentication in many-to-one communication networks known as concast communication.
Abstract: In this paper we tackle the problem of finding an efficient signature verification scheme when the number of signatures is significantly large and the verifier is relatively weak. In particular, we tackle the problem of message authentication in many-to-one communication networks known as concast communication. The paper presents three signature screening algorithms for a variant of ElGamal-type digital signatures. The cost for these schemes is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature, where n is the number of signatures. The paper also presents a solution to the open problem of finding a fast screening signature for non-RSA digital signature schemes.

Book ChapterDOI
28 Nov 2002
TL;DR: A flaw is shown in a previously proposed fail-stop signature that is based on the difficulty of factorization, and a secure scheme based on that assumption is described.
Abstract: Fail-stop signature (FSS) schemes protect a signer against a forger with unlimited computational power by enabling the signer to provide a proof of forgery, if it occurs. In this paper, we show a flaw in a previously proposed fail-stop signature that is based on the difficulty of factorization, and then describe a secure scheme based on the same assumption.

Journal Article
TL;DR: Based on the discrete logarithm cryptosystem, a secure and efficient (t,n) threshold undeniable signature scheme without a trusted party is presented; it has the attractive property that each member's honesty is verifiable.
Abstract: At Auscrypt'92, Harn and Yang first proposed the concept of (t,n) threshold undeniable signature, in which only subsets with at least t members can represent a group to generate, confirm or disavow a signature. Later, several schemes were proposed, but none of them is secure. So up to now, how to design a secure (t,n) threshold undeniable signature scheme has remained an open problem. In this paper, based on the discrete logarithm cryptosystem, a secure and efficient (t,n) threshold undeniable signature scheme without a trusted party is presented. This scheme has the attractive property that each member's honesty is verifiable, because a publicly verifiable secret sharing scheme is used to distribute secrets and two discrete logarithm equality protocols, proposed by Schoenmakers at Crypto'99, are used to provide the necessary proofs of correctness.

Journal Article
TL;DR: This article shows that the proxy signature scheme proposed by Hwang and Shi is vulnerable to public key substitution attacks.
Abstract: Recently, Hwang and Shi proposed an efficient proxy signature scheme without using one-way hash functions. In their scheme, an original signer needn't send a proxy certificate to a proxy signer through secure channels. However, there are two public key substitution methods that can be used to attack their scheme. In this article, we show that their scheme is vulnerable to the public key substitution attacks.


01 Jan 2002
TL;DR: This paper proposes a secure digital signature scheme based on the Strong RSA Assumption; compared with the Cramer-Shoup scheme, its public keys are a bit smaller while the two schemes have about the same computational efficiency.
Abstract: Digital signatures have been used in Internet applications to provide data authentication and non-repudiation services. Digital signatures will keep on playing an important role in future Internet applications. In this paper we propose a secure digital signature scheme based on the Strong RSA Assumption. Compared with the recent signature scheme by Cramer and Shoup, public keys in our scheme are a bit smaller but the two schemes have about the same computational efficiency.