Silvio Micali, Michael O. Rabin, and Salil P. Vadhan. Veri able random functions. In Proceedings of the 40th IEEE Symposium on Foundations of Computer Science, pages 120-130, 1999.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....document, check if it is already stored. If so, instead of performing a separate computation to verify the attached signature on the document, compare the attached signature to the one stored. If they are di erent, reject. Unique signature schemes are also related to veri able random functions [MRV99] and non interactive zero knowledge proofs [GO92] and as a result are valuable tools in the design of cryptographic protocols. Veri able random functions (VRFs) are cryptographic objects that produce random looking bits, and yet there is a mechanism to convince a third party that all these bits ....

....signer to update the secret key after each invocation. The only signature schemes satisfying both of these additional properties are the Strong RSA based schemes of Gennaro et al. GHR99] and Cramer and Shoup [CS99] and the scheme implied by the veri able random function due to Micali et al. MRV99] based on RSA. An open question was to come up with a signature scheme satisfying the two additional properties, such that it would be secure under a di erent type of assumption. Here, we give such a signature scheme, based on a generalization of the Die Hellman assumption for groups where ....

[Article contains additional citation context not shown here]

Silvio Micali, Michael Rabin, and Salil Vadhan. Veri able random functions. In Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS), pages 120-130. IEEE Computer Society Press, 1999.

....signer to update the secret key after each invocation. The only signature schemes satisfying both of these additional properties are the Strong RSA based schemes of Gennaro et al. GHR99] and of Cramer and Shoup [CS99] and the scheme implied by the veri able random function due to Micali et al. [MRV99], based on RSA. An open question was to come up with a signature scheme satisfying the two additional properties, such that it would be secure under a di erent type of assumption. Here, we give such a signature scheme, based on a generalization of the Die Hellman assumption for groups where ....

....greater than n (this is because for a prime e, e n implies that e is relatively prime to (n) Goldwasser and Ostrovsky give a solution in the common random string model. However, in the standard model, the only known construction of unique signatures was the one due to Micali, Rabin, Vadhan [MRV99]. On the negative side, Goldwasser and Ostrovsky have also shown that even in the common random string model, unique signatures require assumptions of the same strength as needed for non interactive zero knowledge proofs with polynomial time provers. The weakest assumption known that is required ....

[Article contains additional citation context not shown here]

Silvio Micali, Michael Rabin, and Salil Vadhan. Veri able random functions. In Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS), pages 120-130. IEEE Computer Society Press, 1999.

.... issue is analogous to the issue that comes up when using the standard Die Hellman secret as a secret encryption key [2] 5 Unique Signatures and Proofs for the n way Die Hellman Relation Our next application is useful for building unique signatures and veri able pseudo random functions (VRF s) [19]. Let G 1 be a group of prime order with a generator g. De nition 5.1. We say that (g; g 1 ; g n ; h) 2 G 1 is an n way Die Hellman tuple if g generates G 1 and there exist integers a 1 ; a n 2 [1; 1] such that g i = g . Suppose there is no ecient algorithm for the ....

.... where every message has a unique digital signature (in most secure signature schemes there are many valid signatures for a given message) Unique signature schemes were known to exist in the common random string model [11] and in the random oracle model [1] but until the results of Micali et al. [19] there were no constructions for such schemes in the standard model de ned below. Unique signatures are used to construct Veri able Pseudo Random Functions, which are a useful tool in cryptographic protocol design [19] De nition 5.4. An n bit unique signature scheme (which is used to sign ....

[Article contains additional citation context not shown here]

S. Micali, M. Rabin, S. Vadhan, \Veri able Random Functions", in Proc. FOCS `99, pp. 120-130, 1999. 19

....negligible. The same crucial point can also be formally solved without recourse to any random oracle model. Namely, it would suce for the merchant to use a veri able random function (VRF) rather than an ordinary digital signature scheme. As introduced and exempli ed by Micali, Rabin and Vadhan [11], a VRF comprises a pair of keys and a pair of algorithms: a public key PK, a matching secret key SK, an evaluation algorithm E, and a veri cation algorithm V . Key PK totally speci es a function F ( FPK ) from arbitrary bit strings to k bit strings, such that it is hard to compute F (x) on ....

S. Micali, M. Rabin, and S. Vadhan. Veriable random functions. In Proc. 40th Symp. on Foundations of Computer Science, pages 120-130, October 1999.

....in the BPK model that possesses one time, but not sequential, soundness. Proof The proof of the theorem is constructive: I demonstrate such a protocol (P; V) Basic Tools. The protocol (P; V) relies on three techniques: a pseudorandom function PRF [GGM86] a veri able random functions VRF [MRV99], and a non interactive zeroknowledge (NIZK) proof system (NIP; NIV) BFM88, BDMP91] these notions are recalled and de ned in Appendix A) Note that both PRFs and NIZKs can be constructed using general assumptions [HILL99, FLS99] and it is only for VRFs that I need the speci c RSA assumption ....

....Because I need NIZKPKs to be secure against subexponentially strong adversaries, I need subexponentially strong versions of these assumptions. The reader is referred to these papers for details. A. 4 Veri able Random Functions A family of veri able random functions (VRFs) as proposed in [MRV99], is essentially a pseudorandom function family with the additional property that the correct value of a function on an input can not only be computed by the owner of the seed, but also proven to be the unique correct value. The proof can be veri ed by anyone who knows the public key corresponding ....

[Article contains additional citation context not shown here]

Silvio Micali, Michael Rabin, and Salil Vadhan. Veriable random functions. In 40th Annual Symposium on Foundations of Computer Science, pages 120-130, New York, October 1999. IEEE.

....BPK model that possesses one time, but not sequential, soundness. Proof Sketch. The proof of the theorem is constructive: we demonstrate such a protocol (P ; V) Basic Tools. The protocol (P ; V) relies on three techniques: a pseudorandom function PRF [GGM86] a veri able random functions VRF [MRV99], and a noninteractive zero knowledge (NIZK) proof system (NIP; NIV) BFM88,BDMP91] Note that both PRFs and NIZKs can be constructed using general assumptions [HILL99,FLS99] and it is only for VRFs that we need the speci c RSA assumption (which is formally stated in Appendix B.3) The de ....

Silvio Micali, Michael Rabin, and Salil Vadhan. Veriable random functions. In 40th Annual Symposium on Foundations of Computer Science, pages 120-130, New York, October 1999. IEEE.

No context found.

Silvio Micali, Michael O. Rabin, and Salil P. Vadhan. Veri able random functions. In Proceedings of the 40th IEEE Symposium on Foundations of Computer Science, pages 120-130, 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC