Showing papers on "Merkle signature scheme published in 2004"


Book ChapterDOI
15 Aug 2004
TL;DR: In this article, the authors proposed a group signature scheme based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption.
Abstract: We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi.

1,956 citations


Journal ArticleDOI
TL;DR: A short signature scheme based on the Computational Diffie–Hellman assumption on certain elliptic and hyperelliptic curves is introduced for systems where signatures are typed in by a human or are sent over a low-bandwidth channel.
Abstract: We introduce a short signature scheme based on the Computational Diffie–Hellman assumption on certain elliptic and hyperelliptic curves. For standard security parameters, the signature length is about half that of a DSA signature with a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or are sent over a low-bandwidth channel. We survey a number of properties of our signature scheme such as signature aggregation and batch verification.

1,171 citations


Book ChapterDOI
01 Mar 2004
TL;DR: This paper proposes a new short signature scheme from the bilinear pairings that, unlike BLS, uses general cryptographic hash functions such as SHA-1 or MD5 and does not require special hash functions.
Abstract: In Asiacrypt2001, Boneh, Lynn, and Shacham [8] proposed a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on the BLS signature scheme were proposed. The BLS short signature needs a special hash function [6,1,8]. This hash function is probabilistic and generally inefficient. In this paper, we propose a new short signature scheme from the bilinear pairings that, unlike BLS, uses general cryptographic hash functions such as SHA-1 or MD5, and does not require special hash functions. Furthermore, the scheme requires fewer pairing operations than the BLS scheme and so is more efficient than the BLS scheme. We use this signature scheme to construct a ring signature scheme and a new method for delegation. We give the security proofs for the new signature scheme and the ring signature scheme in the random oracle model.

540 citations


Book ChapterDOI
02 May 2004
TL;DR: Building on the aggregate signature scheme of Boneh, Gentry, Lynn, and Shacham, the authors propose sequential aggregate signatures, in which the set of signers is ordered and the aggregate signature is computed by having each signer in turn add his signature to it.
Abstract: An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining n signatures from n different signers on n different messages into one signature of unit length. We propose sequential aggregate signatures, in which the set of signers is ordered. The aggregate signature is computed by having each signer, in turn, add his signature to it. We show how to realize this in such a way that the size of the aggregate signature is independent of n. This makes sequential aggregate signatures a natural primitive for certificate chains, whose length can be reduced by aggregating all signatures in a chain. We give a construction in the random oracle model based on families of certified trapdoor permutations, and show how to instantiate our scheme based on RSA.

333 citations


Journal ArticleDOI
TL;DR: Two quantum signature schemes with message recovery relying on the availability of an arbitrator are proposed, one of which uses a public board and the other does not.

159 citations


Book ChapterDOI
08 Sep 2004
TL;DR: This paper presents the first provably secure blind signature scheme which is also efficient; it obtains its blind signing function as a secure and efficient two-party computation that cleverly exploits the algebraic properties of the signature scheme and those of the Paillier encryption scheme.
Abstract: The only known blind signature scheme that is secure in the standard model [19] is based on general results about multi-party computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is a significant result on its own, we devise and prove the security of a new variant for the Cramer-Shoup-Fischlin signature scheme. We are able to show that for generating signatures, instead of using randomly chosen prime exponents one can securely use randomly chosen odd integer exponents which significantly simplifies the signature generating process. We obtain our blind signing function as a secure and efficient two-party computation that cleverly exploits its algebraic properties and those of the Paillier encryption scheme. The security of the resulting signing protocol relies on the Strong RSA assumption and the hardness of decisional composite residuosity; we stress that it does not rely on the existence of random oracles.

155 citations


Book ChapterDOI
23 Feb 2004
TL;DR: A concrete delegation-by-certificate proxy signature scheme which is derived from a certificate-based signature scheme after simple modifications and is provably secure in the random oracle model under the security notion defined by Boldyreva, Palacio and Warinschi.
Abstract: In this paper, we propose the security notion of certificate-based signature that uses the same parameters and certificate revocation strategy as the encryption scheme presented at Eurocrypt 2003 by Gentry. Certificate-based signature preserves advantages of certificate-based encryption, such as implicit certification and no private key escrow. We present concrete certificate-based signature schemes derived from pairings on elliptic curves and prove their security in the random oracle model assuming that the underlying group is GDH. Additionally, we propose a concrete delegation-by-certificate proxy signature scheme which is derived from a certificate-based signature scheme after simple modifications. Our proxy scheme is provably secure in the random oracle model under the security notion defined by Boldyreva, Palacio and Warinschi.

116 citations


Book ChapterDOI
05 Dec 2004
TL;DR: A group signature scheme with constant-size public key and signature length that does not require a trapdoor and is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using the random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions.
Abstract: We propose a group signature scheme with constant-size public key and signature length that does not require a trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using the random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of the BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.

109 citations


Book ChapterDOI
01 Mar 2004
TL;DR: This paper formalizes the concept of ID-based identification scheme and shows a transformation from any digital signature scheme satisfying a certain condition to an ID-based identification scheme based on the hardness of the discrete logarithm problem.
Abstract: In this paper, we first formalize the concept of ID-based identification scheme. Secondly, we show a transformation from any digital signature scheme satisfying a certain condition to an ID-based identification scheme. As an instance, we present the first provably secure ID-based identification scheme based on the hardness of the discrete logarithm problem. (More precisely, the hardness of the gap Diffie-Hellman (GDH) problem.) We further show that for the ID-based signature scheme which is obtained by the Fiat-Shamir heuristic, a tight security bound is easily derived due to our transformation.

Posted Content
TL;DR: It is proved that the proposed signature scheme is secure against existential forgery under adaptively chosen message and ID attack in the random oracle model and why other ID-based signature schemes are hard to achieve these properties.
Abstract: In 1984, Shamir proposed a new public key cryptography, the identity (ID)-based encryption and signature schemes, which allow any pair of users to communicate securely and to verify each other's signatures without exchanging certificates. Since then, we have several ID-based signatures based on the discrete logarithm problem. While they have an advantage that the system secret can be shared by several parties through threshold schemes, they have a critical disadvantage in efficiency. To enhance the efficiency of verification, we propose a new ID-based signature scheme that allows batch verification of multiple signatures. The verification cost of the proposed signature scheme for k signatures is almost constant with minimal security loss, and when a new signature by a different signer is added to the batch verification, the additional cost is almost half of that of a single signature. We prove that the proposed signature scheme is secure against existential forgery under adaptively chosen message and ID attack in the random oracle model and show why other ID-based signature schemes are hard to achieve these properties.

Book ChapterDOI
02 Dec 2004
TL;DR: In this article, the first identity-based threshold ring signature scheme is proposed; the scheme is provably secure in the random oracle model, provides trusted authority compatibility, and is also the most efficient scheme in terms of the number of pairing operations required.
Abstract: In threshold ring signature schemes, any group of t entities spontaneously conscript arbitrarily n - t entities to generate a publicly verifiable t-out-of-n signature on behalf of the whole group, yet the actual signers remain anonymous. The spontaneity of these schemes is desirable for ad-hoc groups such as mobile ad-hoc networks. In this paper, we present an identity based (ID-based) threshold ring signature scheme. The scheme is provably secure in the random oracle model and provides trusted authority compatibility. To the best of the authors' knowledge, our scheme is the first ID-based threshold ring signature scheme which is also the most efficient (in terms of the number of pairing operations required) ID-based ring signature scheme (when t = 1) and threshold ring signature scheme from pairings.

Book ChapterDOI
27 Oct 2004
TL;DR: This paper provides two secure schemes to realize the new notion of perfect concurrent signatures based on Schnorr's signature scheme and bilinear pairing, and shows that the scheme based on bilinear pairing is more efficient than the one that is based upon Schnorr's signature scheme.
Abstract: The notion of concurrent signatures was recently introduced by Chen, Kudla and Paterson in their seminal paper in [5]. In concurrent signature schemes, two entities can produce two signatures that are not binding, until an extra piece of information (namely the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. In this paper, we extend this notion by introducing a new and stronger notion called perfect concurrent signatures. We require that although both signers are known to be trustworthy, the two signatures are still ambiguous to any third party (cf. [5]). We provide two secure schemes to realize the new notion based on Schnorr's signature schemes and bilinear pairing. These two constructions are essentially the same. However, as we shall show in this paper, the scheme based on bilinear pairing is more efficient than the one that is based on Schnorr's signature scheme.

Book ChapterDOI
27 Oct 2004
TL;DR: This scheme is the first provably secure hierarchical ID-based signature scheme (HIBS) and is also the first ID-based signature scheme working with the BB-HIBE; it is further extended into a new forward-secure signature scheme.
Abstract: At EUROCRYPT 2004, Boneh and Boyen [5] proposed a new hierarchical identity-based (ID-based) encryption (HIBE) scheme provably selective-ID secure without random oracles. In this paper we propose a new hierarchical ID-based signature that shares the same system parameters with their hierarchical ID-based encryption scheme (BB-HIBE). BB-HIBE and our signature scheme yield a complete ID-based public key cryptosystem. To the best of the authors' knowledge, our scheme is the first provably secure hierarchical ID-based signature scheme (HIBS) and is also the first ID-based signature scheme working with the BB-HIBE. The scheme is provably secure against existential forgery for selective-ID, adaptive chosen-message-and-identity attack (EF-sID-CMIA) in the random oracle model, and has a good exact security under adaptive chosen-message attack. As a bonus result, we extend our HIBS scheme into a new forward-secure signature scheme.

Journal ArticleDOI
TL;DR: The authors shall present a generalized version of proxy signature scheme that can be applied to every possible proxy situation and demonstrate how to specify proxy signature schemes on elliptic curve over finite fields.

Journal ArticleDOI
TL;DR: A threshold multi-proxy multi-signature scheme with shared verification that allows the group of original signers to delegate the signing capability to the designated group of proxy signers and a subset of verifiers in the designated verifier group can authenticate the proxy signature.

Journal ArticleDOI
TL;DR: A (t, n) threshold signature with (k, l) threshold-shared verification to be used in a group-oriented cryptosystem without a shared distribution center (SDC) that is more practical in real-world applications and more efficient than its predecessors.

Journal ArticleDOI
TL;DR: An improvement of Hsu et al.'s scheme that is more efficient in terms of computational complexity and communication cost is proposed.

Book ChapterDOI
27 Sep 2004
TL;DR: This work shows that the universally composable signature functionality proposed by Canetti and Rabin cannot be securely realized by any signature scheme, thereby disproving their result that any signature scheme that is existentially unforgeable under adaptive chosen-message attack is a secure realization.
Abstract: Canetti and Rabin recently proposed a universally composable ideal functionality \(\mathcal{F}_{\rm SIG}\) for digital signatures. We show that this functionality cannot be securely realized by any signature scheme, thereby disproving their result that any signature scheme that is existentially unforgeable under adaptive chosen-message attack is a secure realization.

Journal Article
TL;DR: A proxy multi-signature scheme based on the elliptic curve discrete logarithm problem is proposed for the first time; proxy multi-signatures can be generated and verified more efficiently, and the length of the proxy multi-signature is shortened greatly.
Abstract: First the elliptic curve digital signature algorithm is improved by avoiding the time consuming inversion operations in its signature generation and verification. Then a proxy signature scheme is devised based on the improved elliptic curve digital signature algorithm, which satisfies all of the security requirements. Proxy signature is a signature scheme in which an original signer delegates his/her signing capability to a proxy signer, and then the proxy signer creates a signature on behalf of the original signer. The scheme that allows a proxy signer to generate a proxy signature on behalf of two or more original signers is called a proxy multi-signature scheme. All of the proxy multi-signature schemes that have been proposed are based on the ordinary discrete logarithm problem. Here a proxy multi-signature scheme based on the elliptic curve discrete logarithm problem is proposed for the first time. When using this new scheme, proxy multi-signatures can be generated and verified more efficiently, and the length of the proxy multi-signature is shortened greatly.

01 Jan 2004
TL;DR: It is shown that both Tan et al.'s schemes do not satisfy the unforgeability and unlinkability properties and it is pointed out that Lal and Awasthi's scheme does not possess the unlinkable property either.
Abstract: A proxy blind signature scheme is a digital signature scheme which combines the properties of proxy signature and blind signature schemes. Recently, Tan et al. proposed two proxy blind signature schemes based on DLP and ECDLP respectively. Later, compared with Tan et al.'s scheme, Lal and Awasthi further proposed a more efficient proxy blind signature scheme. In this paper, we show that Tan et al.'s schemes do not satisfy the unforgeability and unlinkability properties. Moreover, we also point out that Lal and Awasthi's scheme does not possess the unlinkability property either.

Journal ArticleDOI
TL;DR: This letter shows another attack on Shieh et al.'s signature scheme and proposes a secure digital signature scheme, where neither one-way hash functions nor message redundancy schemes are employed.
Abstract: In 2000, Shieh et al. proposed some multisignature schemes based on a new digital signature scheme to satisfy the special requirements of the mobile system. In these schemes, one-way hash functions and message redundancy schemes are not used. Later, Hwang and Li indicated that Shieh et al.'s digital signature scheme suffers from the forgery attacks. They also claimed that message redundancy schemes should still be used to resist some attacks. In this letter, we show another attack on Shieh et al.'s signature scheme and propose a secure digital signature scheme, where neither one-way hash functions nor message redundancy schemes are employed.

Journal ArticleDOI
TL;DR: In this article, the authors consider (t, n) threshold proxy signature schemes, where the original signer can delegate his/her signing capability to n proxy signers such that any t or more proxy signers can sign messages on behalf of the former, but t-1 or fewer of them cannot do the same thing.
Abstract: In a (t, n) threshold proxy signature scheme, the original signer can delegate his/her signing capability to n proxy signers such that any t or more proxy signers can sign messages on behalf of the former, but t-1 or fewer of them cannot do the same thing. Such schemes have been suggested for use in a number of applications, particularly in distributed computing, where delegation of rights is quite common. Based on the RSA cryptosystem, M.-S. Hwang et al. (2003) recently proposed an efficient (t, n) threshold proxy signature scheme. We identify several security weaknesses in their scheme and show that their scheme is insecure.

Posted Content
TL;DR: In this article, two forward secure signature schemes based on gap Diffie-Hellman groups were proposed and proved to be secure in the sense of a slightly stronger security notion than that of Bellare and Miner in the random oracle model.
Abstract: In this paper, we present two forward secure signature schemes based on gap Diffie-Hellman groups and prove these schemes to be secure in the sense of a slightly stronger security notion than that by Bellare and Miner in the random oracle model. Both schemes use the same key update strategy as the encryption scheme presented by Canetti, Halevi and Katz. Hence, our schemes outperform the previous tree-based forward secure signature scheme by Bellare and Miner in the key generation and key update time, which are only constant in the number of time periods. Specifically, we describe a straightforward scheme following from the encryption scheme, and then improve its efficiency for the signature verification algorithm, which needs only 3 pairing computations independent of the total time periods.

Journal Article
TL;DR: A threshold ring signature scheme (spontaneous anonymous threshold signature scheme) that allows the use of both RSA-based and DL-based public keys at the same time and is existentially unforgeable against chosen message attacks in the random oracle model is presented.
Abstract: We present a threshold ring signature scheme (spontaneous anonymous threshold signature scheme) that allows the use of both RSA-based and DL-based public keys at the same time. More generally, the scheme supports the mixture of public keys for any trapdoor-one-way type as well as three-move type signature schemes. This kind of 'separability' has useful applications in practice as a threshold ring signature is no longer limited to supporting only one particular type of public keys, as required by all the previous schemes. In the paper, we also show that the signature maintains the anonymity of participating signers unconditionally and is existentially unforgeable against chosen message attacks in the random oracle model.

Proceedings ArticleDOI
29 Mar 2004
TL;DR: This work proposes a new proxy blind signature scheme based on an ID-based signature scheme, which uses bilinear pairings of elliptic curves or hyperelliptic curves.
Abstract: Blind signature is the concept to ensure anonymity of e-coin. Untraceability and unlinkability are two main properties of real coin, which require mimicking electronically. Proxy signature schemes allow a proxy signer to generate a proxy signature on behalf of an original signer. All the previous proxy signature schemes are based on ElGamal-type schemes. We propose a new proxy blind signature scheme based on an ID-based signature scheme, which uses bilinear pairings of elliptic curves or hyperelliptic curves.

Book ChapterDOI
08 Sep 2004
TL;DR: The transitive signature scheme is proven secure, i.e. transitively unforgeable under adaptive chosen message attack, assuming hardness of the computational co-Diffie-Hellman problem in bilinear group pairs and the security of the underlying standard signature scheme under known message attack.
Abstract: We present a realization of the transitive signature scheme based on the algebraic properties of bilinear group pairs. The scheme is proven secure, i.e. transitively unforgeable under adaptive chosen message attack, assuming hardness of the computational co-Diffie-Hellman problem in bilinear group pairs and the security of the underlying standard signature scheme under known message attack. Our scheme mostly conforms to previously designed schemes of Micali-Rivest and Bellare-Neven in structure; yet there are two contributions: firstly, we take advantage of bilinear group pairs which were previously used by Boneh, Lynn, and Shacham to build short signature schemes. Secondly, we show that a slight modification in previous definitions of the transitive signature relaxes the security requirement for the underlying standard signature from being secure under chosen message attack to being secure under known message attack; thus shorter and more efficient signatures can be chosen for the underlying standard signature. These two facts eventually yield short transitive signatures with respect to both node and edge signature size.

Book ChapterDOI
TL;DR: This paper introduces an efficient scheme named server assisted one-time signature (SAOTS) as an alternative to the server assisted signature scheme introduced by Asokan et al.; it is communication-efficient, running in fewer rounds, two instead of three.
Abstract: The two most important goals of server assisted signature schemes are to aid small and mobile devices in computing digital signatures and to provide immediate revocation of signing capabilities. In this paper, we introduce an efficient scheme named server assisted one-time signature (SAOTS) as an alternative to the server assisted signature scheme introduced by Asokan et al. Extending Lamport's one-time signatures by utilizing hash chains, this new scheme's advantages are two-fold: first of all, it is communication-efficient, running in fewer rounds, two instead of three; secondly, verification of the server's signature can also be performed off-line, resulting in real-time efficiency in computation as well as flexibility in the public-key signature scheme to be used. The experiments we have conducted showed that at least a 40% gain in performance is obtained if SAOTS is preferred.