22 citations found.
M. O. Rabin, Digitalized signatures as intractable as factorization, Tech. Rep. MIT/LCS/TR-212, MIT, 1979.


This paper is cited in the following contexts:
Oblivious Signature-Based Envelope - Li, Du (2003)   (9 citations)  (Correct)

....new signature schemes that make OSBE easy. In addition, we look for protocols that do not involve any interaction with (trusted or semi trusted) third parties, except for the generation of signatures on certificates. We present OSBE protocols for three existing signature schemes: RSA [16], Rabin [15], and BLS [6]. The RSA OSBE protocol is two round: one message from the receiver followed by one message from the sender. The receiver and the sender each computes two exponentiations. We prove in the Random Oracle Model [3] that our RSA OSBE protocol is as secure as RSA signatures. We ance or ....

....interaction phase there is only one message: the sender sends a ciphertext to the recipient. As usual, the recipient is only able to decrypt if she has a third party's signature on some predefined message M. Using IBE we build a one-round OSBE where user certificates are signed using a Rabin [15] or BLS [6] signature. Before we describe the one-round OSBE we briefly review the concept of Identity Based Encryption. IBE was first proposed by Shamir [18] but the first usable IBE systems were found only very recently [5, 11]. An IBE public key encryption scheme is a standard public key ....

Michael O. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Signature Schemes and Applications to Cryptographic Protocol.. - Lysyanskaya (2002)   (6 citations)  (Correct)

....study of cryptography. Their signature scheme is based on the assumption that they introduced, called the RSA assumption. By now, the RSA assumption has become a standard cryptographic assumption. Early work on signatures was also carried out by Lamport [Lam79], Merkle [Mer90], and Rabin [Rab79]. Goldwasser, Micali, and Rivest [GMR88] gave the rigorous definition of security for signature schemes and provided the first construction that provably satisfied that definition, under a suitable assumption (namely, the assumption that claw free pairs of permutations exist, which is implied by ....

Michael Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


A Digital Signature Scheme Secure Against Adaptive.. - Goldwasser, Micali.. (1988)   (441 citations)  (Correct)

....space. Merkle Hellman [MH78]: Shamir showed the basic Merkle Hellman knapsack scheme to be universally forgeable using just a key only attack [Sh82]. This scheme was perhaps more an encryption scheme than a signature scheme, but had been proposed for use as a signature scheme as well. Rabin [Ra79]: Rabin's signature scheme is totally breakable if the enemy uses a directed chosen message attack (see section 4). However, for non sparse message spaces selective forgery is as hard as factoring if the enemy is restricted to a known message attack. Williams [Wi80]: This scheme is similar to ....

....by Brickell and DeLaurentis [BD85]. 4. THE PARADOX OF PROVING SIGNATURE SCHEMES SECURE The paradoxical nature of signature schemes which are provably secure against chosen message attacks made its first appearance in Rabin's paper, Digitalized Signatures as Intractable as Factorization [Ra79]. The signature scheme proposed there works as follows. User A publishes a number n which is the product of two large primes. To sign a message M, A computes as M's signature one of M's square roots modulo n. When M is not a square modulo n, A modifies a few bits of M to find a nearby square. ....

Rabin, Michael. "Digitalized Signatures as Intractable as Factorization," MIT Laboratory for Computer Science Technical Report MIT/LCS/TR-212 (Jan. 1979).


Cryptology - Rivest   (Correct)

....basis for a number of cryptosystems. Squaring and extracting square roots modulo n are frequently used operations in the design of cryptographic operators. We say that x is a square root of y, modulo n if $x^2 \equiv y \pmod{n}$. If n has t prime factors, then x may have up to $2^t$ square roots. Rabin [130] proved that finding square roots modulo n is polynomial time equivalent to factoring n; given an efficient algorithm for extracting square roots modulo n one can construct an efficient algorithm for factoring n, and vice versa. The following fact observed by Williams and Blum is also frequently useful: ....

....$y_1$, then she can sign the message 0 by releasing $x_0$ and she can similarly sign the message 1 by releasing the message $x_1$. Merkle [116] introduced some extensions of this basic idea, involving building a tree of authenticated values whose root is stored in the public key of the signer. Rabin [130] proposed a method where the signature for a message M was essentially the square root of M, modulo n, the product of two large primes. Since the ability to take square roots is provably equivalent to the ability to factor n, an adversary should not be able to forge any signatures unless he can ....

M. Rabin. Digitalized Signatures as Intractable as Factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Cryptography and Machine Learning - Rivest (1993)   (1 citation)  (Correct)

....attacks come in a variety of flavors, such as ciphertext only, known plaintext (and matching ciphertext), chosen plaintext, and chosen ciphertext. Cryptosystems secure against one type of attack may not be secure against another. A classic example of this is Rabin's signature algorithm [35], for which it is shown that a passive attack forging a signature knowing only the public signature verification key is provably as hard as factorization, whereas an active attack querying the signer by asking for his signature on some specially constructed messages is devastating and ....

M. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


How to Leak a Secret - Rivest, Shamir (2001)   (47 citations)  (Correct)

....signature scheme in which all the ring members use RSA [7] as their individual signature schemes. The same construction can be used for any other trapdoor one way permutation, but we have to modify it slightly in order to use trapdoor one way functions (as in, for example, Rabin's signature scheme [6]). Suppose that Alice wishes to sign a message m with a ring signature for the ring of r individuals $A_1, A_2, \ldots, A_r$, where the signer Alice is $A_s$, for some value of s, $1 \le s \le r$. 3.1 RSA trap door permutations Each ring member $A_i$ has an RSA public key $P_i = (n_i, e_i)$ which speci ....

....y. This is not necessarily true for other trapdoor functions, since the forger A can intentionally decide not to produce any forgeries in which one of the gaps between cyclically consecutive E functions happens to be 2. 4 Our Ring Signature Scheme (Rabin version) Rabin's public key cryptosystem [6] has more efficient signature verification than RSA, since verification involves squaring rather than cubing, which reduces the number of modular multiplications from 2 to 1. However, we need to deal with the fact that the Rabin mapping $f_i(x_i) = x_i^2 \pmod{n_i}$ is not a permutation over Z ....

M. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Bounded Arithmetic, Cryptography and Complexity - Buss   (Correct)

....encryption function, namely, the Rabin function. We let $(a, b)$ denote the greatest common divisor of two integers $a$ and $b$. Let $N = p \cdot q$ be a product of two distinct primes, and let 0 x N such that (x; N ) 1 . Further, let $y = x^2 \bmod N$. The function $x \mapsto y$ is the Rabin function [18]. The inverse to the Rabin function can be defined to be the set of four values 0 x 1 x 2 x 3 x 4 N such that $x_i^2 \equiv y \bmod N$. It is known that if there is a feasible algorithm to compute the inverse to the Rabin function (as a function of y and N with (y; N ) 1) then there is a ....

....be defined to be the set of four values 0 x 1 x 2 x 3 x 4 N such that $x_i^2 \equiv y \bmod N$. It is known that if there is a feasible algorithm to compute the inverse to the Rabin function (as a function of y and N with (y; N ) 1) then there is a feasible algorithm for factoring integers [18, 2]. Theorem 9 Let A(x) be any polynomial time predicate and let OE A (x 1 ; x 2 ; x 3 ; x 4 ; w p ; w q ; p; q; y; N ) be the formula N = p Delta q Pratt(w p ; p) Pratt(w q ; q) y; N ) 1 4 i=1 x 2 i j y mod N x 1 x 2 x 3 x 4 A(x 1 ; x 2 ; x 3 ; x 4 ) and define OE :A ....

M. O. Rabin, Digitalized signatures as intractable as factorization, Tech. Rep. MIT/LCS/TR-212, MIT, 1979.


Answers To Frequently Asked Questions About Today's Cryptography - Fahn (1993)   (12 citations)  (Correct)

....have the attraction of being resistant to a guessed ciphertext attack (see Question 2.5) but at a cost of data expansion. In probabilistic encryption, the same plaintext encrypted twice under the same key will give, with high probability, two different ciphertexts. For digital signatures, Rabin [68] proposed a system which is provably equivalent to factoring; this is an advantage over RSA, where one may still have a lingering worry about an attack unrelated to factoring. Rabin's method is susceptible to a chosen message attack, however, in which the attacker tricks the user into signing ....

M.O. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT, 1979.


Cryptology - Rivest (1990)   (Correct)

....basis for a number of cryptosystems. Squaring and extracting square roots modulo n are frequently used operations in the design of cryptographic operators. We say that x is a square root of y, modulo n if $x^2 \equiv y \pmod{n}$. If n has t prime factors, then x may have up to $2^t$ square roots. Rabin [130] proved that finding square roots modulo n is polynomial time equivalent to factoring n; given an efficient algorithm for extracting square roots modulo n one can construct an efficient algorithm for factoring n, and vice versa. The following fact observed by Williams and Blum is also frequently ....

....= $y_1$, then she can sign the message 0 by releasing $x_0$ and she can similarly sign the message 1 by releasing the message $x_1$. Merkle [116] introduced some extensions of this basic idea, involving building a tree of authenticated values whose root is stored in the public key of the signer. Rabin [130] proposed a method where the signature for a message M was essentially the square root of M, modulo n, the product of two large primes. Since the ability to take square roots is provably equivalent to the ability to factor n, an adversary should not be able to forge any signatures unless he can ....

M. Rabin. Digitalized Signatures as Intractable as Factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Immunizing Public Key Cryptosystems against Chosen Ciphertext.. - Zheng, Seberry (1993)   (7 citations)  (Correct)

.... 3 Problems with Previous Proposals Rabin pioneered the research of constructing provably secure public key cryptosystems by designing a public key cryptosystem with the property that extracting the complete plaintext of an object ciphertext is computationally equivalent to factoring large numbers [16]. Goldwasser and Micali invented the first public key cryptosystem that hides all partial information [13]. The cryptosystem is a probabilistic one and it enciphers a plaintext in a bit by bit manner. A common drawback of these and many other cryptosystems is that, although secure against chosen ....

M. Rabin, "Digitalized signatures as intractable as factorization," Technical Report MIT/LCS/TR-212, MIT, Laboratory for Computer Science, 1979.


Lecture Notes on Cryptography - Goldwasser, Bellare (1996)   (31 citations)  (Correct)

....known to the receiver alone, with which the receiver can invert the function. The idea of public key cryptosystems and trapdoor functions was introduced in the seminal work of Diffie and Hellman in 1976 [61, 62]. Soon after the first implementations of their idea were proposed in [151], [146], [125]. A simple construction of public key encryption from trapdoor functions goes as follows. Recipient B can choose at random a trapdoor function f and its associated trapdoor information t, and set its public key to be a description of f and its private key to be t. If A wants to send ....

.... p and a probabilistic polynomial time algorithm I such that for every k there exists an t k 2 f0; 1g such that jt k j p(k) and for all x 2 f0; 1g , I(f(x) t k ) y such that f(y) f(x) An example of a function which may be trapdoor if factoring integers is hard was proposed by Rabin [146]. Let f(x; n) x 2 mod n where n = pq a product of two primes and x 2 Z n . Rabin [146] has shown that inverting f is easy iff factoring composite numbers product of two primes is easy. The most famous candidate trapdoor function is the RSA [151] function f(x; n; l) x l mod n where (l; ....

[Article contains additional citation context not shown here]

M. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Practical Approaches to Attaining Security against Adaptively .. - Zheng, Seberry (1992)   (27 citations)  (Correct)

.... 3 Problems with Previous Proposals Rabin pioneered the research of constructing provably secure public key cryptosystems by designing a public key cryptosystem with the property that extracting the complete plaintext of an object ciphertext is computationally equivalent to factoring large numbers [Rab79]. Goldwasser and Micali invented the first public key cryptosystem that hides all partial information [GM84]. The cryptosystem is a probabilistic one and it enciphers a plaintext in a bit by bit manner. A common drawback of these and many other cryptosystems is that, although secure against chosen ....

M. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT, Laboratory for Computer Science, 1979.


Bounded Arithmetic, Cryptography and Complexity - Buss   (Correct)

No context found.

M. O. Rabin, Digitalized signatures as intractable as factorization, Tech. Rep. MIT/LCS/TR-212, MIT, 1979.


Oblivious Signature-Based Envelope - Li, Du, Boneh (2003)   (9 citations)  (Correct)

No context found.

Michael O. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Oblivious Signature-Based Envelope - Ninghui Li Department (2003)   (9 citations)  (Correct)

No context found.

Michael O. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Cryptography and Machine Learning - Ronald Rivest Laboratory (1993)   (1 citation)  (Correct)

No context found.

M. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979.


Immunizing Public Key Cryptosystems - Against Chosen Ciphertext   (Correct)

No context found.

M. Rabin, "Digitalized signatures as intractable as factorization," Technical Report MIT/LCS/TR-212, MIT, Laboratory for Computer Science, 1979.


Data Security - CM 0321 - Jones (2004)   (Correct)

No context found.

M.O. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT, 1979.


Data Security - CM 0321 - Jones (2001)   (Correct)

No context found.

M.O. Rabin. Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT, 1979.


Fundamentals of Computing - Leonid Levin These   (Correct)

No context found.

M. Rabin. Digitalized Signatures as Intractable as Factorization. MIT/LCS/TR-212, 1979.


Computational Sample Complexity and Attribute-Efficient Learning - Servedio (2000)   (Correct)

No context found.

M. Rabin, Digitalized signatures as intractable as factorization, Technical Report MIT/LCS/TR-212, MIT Lab. for Comp. Sci., 1979.


Fundamentals of Computing - Levin (2000)   (Correct)

No context found.

M. Rabin. Digitalized Signatures as Intractable as Factorization. MIT/LCS/TR-212, 1979.


CiteSeer.IST - Copyright Penn State and NEC