L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, october 1979. (Cited on page 2, 5, 6.)  Home/Search   Document Not in Database   Summary   Related Articles   Check

....only one expensive signing verification operation is needed, plus one inexpensive one time signature signing verification for each packet in the sequence. However, since one time signatures and keys are very large, this technique has a large communication overhead (around 1000 bytes per packet) [9, 10]. The get al..l before requirement of both techniques in [7] is too strong for practical Internet applications. Reliable packet delivery is not used by many applications for flows and multicasts. For example, reliable delivery is generally not used for video and audio flows due to the extra delays ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL 98, SRI Intl., 1979.

....research. SIGNATURE SCHEMES. This work provides a sufficient understanding of physically observable cryptography to see that signatures are possible in the new setting Indeed, it is not too hard to see that minimal one way functions imply one time signature schemes (e.g. using construction of [18]) and durable functions imply even more efficient onetime signature schemes (e.g. using construction of [11] Merkle trees [19] provide for a way to make multi time (stateful) signatures out of one time signatures. Note that, even though the Merkle tree construction requires hashing, no new ....

Leslie Lamport. Constructing digital signatures from a one way function. Technical Report CSL-98, SRI International, October 1979.

....We remark that since the concurrent setting that we consider is where only a single protocol is run many times concurrently, our protocol for blind signatures must use invocations of the oblivious transfer functionality and nothing else. Our protocol uses the specific construction of [31] for a one time signature schemes. The signature scheme of [31] is defined as follows. Let f be a one way function. Then, the signing key equals 2n random points x n , and the verification key equals y n , where for every i, y i ) and y i ) Now, a signature on the message ....

....we consider is where only a single protocol is run many times concurrently, our protocol for blind signatures must use invocations of the oblivious transfer functionality and nothing else. Our protocol uses the specific construction of [31] for a one time signature schemes. The signature scheme of [31] is defined as follows. Let f be a one way function. Then, the signing key equals 2n random points x n , and the verification key equals y n , where for every i, y i ) and y i ) Now, a signature on the message w = w 1 w n equals x , x n . The ....

L. Lamport. Constructing Digital Signatures from One-Way Functions. SRI International, CSL-98, 1979.

....packet, very high overhead to create and verify the signature. Even previously proposed one time signature schemes that are based on symmetric cryptography (one way functions without trapdoors) have a high overhead: Gennaro and Rohatgi s broadcast signature based on Lamport s one time signature [20] requires over 1 Kbyte of authentication information per packet [11] and Rohatgi s improved k time signature scheme requires over 300 bytes per packet [36] The recently proposed TESLA protocol provides efcient authenticated broadcast [31, 30] However, TESLA is not designed for such limited ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, October 1979.

....The leaves of the tree may either be used one by one, or many at the same time. The former type of use is well suited for applications such as TESLA [10] certification refreshal [9] wireless security [2] and micro payments [4, 12] while the latter type finds direct use for Merkle signatures [8, 5]. This partition of applications also corresponds to the birth of the techniques we describe; while the second and third author were motivated by the case relating to Merkle signatures, the first and fourth author focused on the general case. Outline. We begin by reviewing the goals and standard ....

L. Lamport, "Constructing Digital Signatures from a One Way Function," SRI International Technical Report CSL-98 (October 1979).

....ultra fast traversal of hash chains is bene cial, and propose a very ecient implementation suitable for this scenario based on double hash chains a new type of hash chain. Double hash chains are strongly related to Lamport s construction of one time digital signatures from a one way function [8]. The novelty of our approach is that we pack all the commitments in a hash chain. We believe that double hash chains are an interesting concept on their own, that may nd uses in other applications as well. Suppose a stream of bits needs to be communicated between two parties in an authenticated ....

L. Lamport. Constructing Digital Signatures from a One-way Function. SRI International Technical Report SRI-CSL-98, October 1979.

....that requires no access to #. 4 Lower Bound for Signature Schemes We now show a lower bound on the e#ciency of black box constructions for signature schemes based on one way permutations (we no longer consider trapdoor permutations since one way permutations su#ce to construct signature schemes [17, 18, 20]) Let (Gen ) be a signature scheme for messages of length m that expects as an oracle a permutation #, and suppose that is secure whenever # is S p hard. We prove that unless Vrfy queries # at m log S p ) times, then it is possible to construct from an unconditional one way ....

....#, and suppose that is secure whenever # is S p hard. We prove that unless Vrfy queries # at m log S p ) times, then it is possible to construct from an unconditional one way function. Of course, this one way function can then be used to construct an unconditionally secure signature scheme [17, 18, 20] (i.e. without any access to #) We give an informal overview of our proof technique (formalized in the proof of Theorem 6) As a first attempt to construct a one way function, one might define F 1 (PK,M,#) PK#Vrfy (PK,M,#) Intuitively, this function is di#cult to invert on elements of ....

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL-98, SRI International, 1979.

....and paved the way for further study of cryptography. Their signature scheme is based on the assumption that they introduced, called the RSA assumption. By now, the RSA assumption has become a standard cryptographic assumption. Early work on signatures was also carried out by Lamport [Lam79] Merkle [Mer90] and Rabin [Rab79] Goldwasser, Micali, and Rivest [GMR88] gave the rigorous de nition of security for signature schemes and provided the rst construction that provably satis ed that de nition, under a suitable assumption (namely, the assumption that claw free pairs of ....

Leslie Lamport. Constructing digital signatures from a one-way function. Technical Report Technical Report CSL-98, SRI International, October 1979.

....secure (i.e. conjectured OWHFs) for example, SHA [12] In addition, block ciphers can also be used as a building block for constructing hash functions, for example, Rijndael [3] 2. 2 One Time Digital Signatures The idea of using OWHFs for one time digital signatures was introduced by Lamport [9, 10]. The basic idea works as follows. The signer chooses two random strings, X 0 ; X 1 (representing 0 and 1) per each message bit, and publishes the results of activating an OWHF on them: Y 0 = f(X 0 ) Y 1 = f(X 1 ) To sign a message the signer reveals the preimage (X 0 or X 1 ) corresponding to ....

....[7] and in signing routing messages [20] In all these applications the cost of signing and verifying real digital signatures (such as RSA) was considered too high, so the authors used them to set up a one time scheme, and used the latter for signing the actual data. 2. 3 Hash Chains Lamport [9] was the rst one who suggested to use hash chains as a cryptographic primitive. The idea is to pick an initial string, X 0 , at random, and create a hash chain by iteratively applying an OWHF to it: X 1 = f(X 0 ) X 2 = f(X 1 ) etc. The links of the chain are then revealed in reverse order, and ....

L. Lamport, Constructing digital signatures from one-way function, Technical Report SRI-CSL-98, SRI International, Oct 1979.

....Keywords: Broadcast authentication, source authentication for multicast, one time signature, signature based on a one way function without trapdoor. 1. INTRODUCTION For the past 25 years researchers have created and refined digital signature schemes using one way functions without trapdoors [2, 5, 9, 10, 13, 14, 18, 23]. These signature schemes are efficient for signature generation and verification, but the signatures are too large for many applications. We propose the BiBa signature, a new approach for signatures based on one way functions without trapdoor. The signature size of our scheme is much smaller than ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory, Oct. 1979.

....hypothesized by Diffie and Hellman can be used (though by a totally different way) to achieve perfect security. Let us say that we would have not devised our scheme without the work of [GMR] from which we borrow definitions, notations, and several ideas) and the older work of Lamport [La]. 1.6 Recent Improvements Our basic digital signature scheme, together with other beautiful ideas of Merkle [M] have been successfully used by Naor and Yung [NY] and Rompel [R] Naor and Yung show that even one way permutations are sufficient for secure digital signatures. Rompel shows that ....

....is a (polynomial time) algorithm to determine whether a given point lies in the domain. 5 An Overview of the Scheme We present here an overview of our scheme and a sketch of the proof of security. For simplicity we will for the moment completely disregard efficiency. 7 5. 1 Background Lamport [La] suggested the following method for signing a single bit. The signer makes public a trapdoor permutation f and a pair of points ff and ff , and keeps secret f . The signature of a bit b 2 f0; 1g is then f ) The drawback of this method is that the number of bits that can be signed ....

Lamport, L. "Constructing Digital Signatures from a One-Way Function," SRI Intl. CSL98, October 1979. 19

....reason is that the applications mentioned in Section 1 are relatively new. Since the slowness of digital signatures mainly stems from the high cost of modular arithmetic, an alternative approach is the so called one time signatures used in secret key (or symmetric) cryptographic systems, e.g. [4, 9, 11]. Although one time signatures are very fast to compute, this approach requires large amounts of keys to be generated, managed, and distributed (since a signature can only be used once) Therefore, they are not widely used in practice. Another approach of mixing private key digital signatures and ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, October 1979.

....(assuming that the signature code even ts into memory) Section 7 reviews related work in ecient signature schemes. Signatures based on one way functions without trapdoors (sometimes called one time signature schemes) are an interesting alternative to signatures based on asymmetric cryptography [4, 5, 14, 18, 19, 28]. One of their main advantages is that these signatures only rely on a one way function, which we can implement with a fast hash function (e.g. SHA 1 [22] or MD5 [29] or from a block cipher [16, 20, 26, 27] These one time signature schemes are orders of magnitude faster than traditional ....

....published the rst one time signature based on a symmetric encryption function [28] The signature requires interaction between the signer and the veri er, and the public key and signature are on the order of 1 Kbyte. Lamport shows how to construct a digital signature out of a one way function [14]. His approach does not require interaction between the signer and veri er, however, the size of the validation parameters and signature are still on the order of 1 Kbyte. Lamport s basic approach is that the signer publishes two commitments for each bit (for 0 and 1, respectively) of the data to ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report SRICSL -98, SRI International Computer Science Laboratory, Oct. 1979.

....additional properties: # Given x, it is easy to compute h#x# # Given h#x#, it is hard to compute x # It is hard to find two values x and y such that h#x#= h#y#,butx 6= y. Some authors describe the third property as collisionresistance. One time signature scheme was first introduced by Lamport [19, 8]. For signing a single bit, choose as the secret key two values x 1 and x 2 (representing 0 and 1 ) at random and publish their images under a one way function y 1 = f#x 1 # and y 2 = f#x 2 # as the public key. These x s and y s are called secret key components and public key components, ....

L. Lamport, Constructing digital signatures from oneway function, Technical Report SRI-CSL-98,SRIInter- national, October 1979.

....key) randomly and uniformly from the set of keys, K. The index determines an instance of the one way function, i.e. E k : Sigma n Sigma n where Sigma = f0; 1g; it is known only by the signer. Note that n has to be large enough to avoid birthday attacks. Lamport scheme Lamport s scheme [40] generates signatures for n bit messages. To sign a message, the signer first chooses randomly n key pairs: K 10 ; K 11 ) K 20 ; K 21 ) K n0 ; K n1 ) 1) The pairs of keys are kept secret and are known to the signer only. Next, the signer creates two sequences, S and R: S = f(S 10 ....

L. Lamport. Constructing digital signatures from a one-way function. TR CSL-98, SRI International, Oct. 1979.

....of our scheme, mainly of theoretical interest due to performance considerations, can be based solely on the assumption that one way functions exist. 1. 1 Prior Work One time signatures based on the idea of committing to secret keys via one way functions were proposed independently by Lamport [Lam79] and (in an interactive setting) by Rabin [Rab78] Various improvements were proposed by Meyer and Matyas [MM82, pages 406 409] Merkle [Mer82] Winternitz (as cited in [Mer87] Vaudenay [Vau92] in an interactive setting) and Even, Goldreich and Micali [EGM96] Bleichenbacher and Maurer ....

Leslie Lamport. Constructing digital signatures from a one way function. Technical Report CSL-98, SRI International, October 1979.

....only one expensive signing verification operation is needed, plus one inexpensive one time signature signing verification for each packet in the sequence. However, since one time signatures and keys are very large, this technique has a large communication overhead (around 1000 bytes per packet) [9, 10]. The get al..l before requirement of both techniques in [7] is too strong for practical Internet applications. Reliable packet delivery is not used by many applications for flows and multicasts. For example, reliable delivery is generally not used for video and audio flows due to the extra delays ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL 98, SRI Intl., 1979.

....packet, very high overhead to create and verify the signature. Even previously proposed one time signature schemes that are based on symmetric cryptography (one way functions without trapdoors) have a high overhead: Gennaro and Rohatgi s broadcast signature based on Lamport s one time signature [20] requires over 1 Kbyte of authentication information per packet [11] and Rohatgi s improved # time signature scheme requires over ### bytes per packet [36] The recently proposed TESLA protocol provides efficient authenticated broadcast [31, 30] However, TESLA is not designed for such limited ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, October 1979.

....packet, very high overhead to create and verify the signature. Even previously proposed one time signature schemes that are based on symmetric cryptography (one way functions without trapdoors) have a high overhead: Gennaro and Rohatgi s broadcast signature based on Lamport s one time signature [20] requires over 1 Kbyte of authentication information per packet [11] and Rohatgi s improved k time signature scheme requires over 300 bytes per packet [36] The recently proposed TESLA protocol provides efficient authenticated broadcast [31, 30] However, TESLA is not designed for such limited ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, October 1979.

....public key encryption requires the assumption that public key encryption is possible. We describe an implementation based on digital signature schemes because digital signatures can be constructed from a variety of complexity assumptions including simply the assumption that one way functions exist [14], which is the weakest possible cryptography assumption. 3.3.1 Brief Summary Of Digital Signature Schemes Many digital signature schemes have been proposed and analyzed in the cryptography literature. The main idea is to assume that some problem is computationally intractable and use this ....

L. Lamport. Constructing digital signatures from a one-way function. In SRI Intl. CSL-98, October 1979.

....be accomplished using conventional cryptography. Just as some cryptographic schemes are suited for encryption but not signatures, some proposals have been made for signature only schemes. Some early suggestions were made that were based on the use of one way functions or conventional cryptography [101, 134]. For example, if f is a one way function, and Alice has published the two numbers f(x 0 ) y 0 and f(x 1 ) y 1 , then she can sign the message 0 by releasing x 0 and she can similarly sign the message 1 by releasing the message x 1 . Merkle [116] introduced some extensions of this basic idea, ....

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL-98, SRI International, October 1979.

....packet, very high overhead to create and verify the signature. Even previously proposed one time signature schemes that are based on symmetric cryptography (one way functions without trapdoors) have a high overhead: Gennaro and Rohatgi s broadcast signature based on Lamport s one time signature [20] requires over 1 Kbyte of authentication information per packet [11] and Rohatgi s improved k time signature scheme requires over 300 bytes per packet [36] The recently proposed TESLA protocol provides efficient authenticated broadcast [31, 30] However, TESLA is not designed for such limited ....

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, October 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, october 1979. (Cited on page 2, 5, 6.)

No context found.

L. Lamport. Constructing digital signatures from a one way function. Technical report, SRI International, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

Leslie Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, Palo Alto, 1979.

No context found.

L. Lamport,"Constructing Digital Signatures From a One-Way Function," no. CSL 98, 1979.

No context found.

L. Lamport, "Constructing Digital Signatures from a One-way Function," Technical Report SRI Int'l., CLS 98, Oct. 1979.

No context found.

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL-98, SRI International, 1978.

No context found.

L. Lamport, "Constructing Digital Signatures from a One Way Function," SRI International Technical Report CSL-98 (October 1979).

No context found.

L. Lamport. Constructing digital signatures from a one way function. Technical Report Technical Report CSL98, SRI International, October 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL 98, SRI Intl., 1979.

No context found.

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL 98, SRI Intl, 1979.

No context found.

L. Lamport, "Constructing Digital Signatures from a One Way Function," SRI International Technical Report CSL-98 (October 1979).

No context found.

L. Lamport. Constructing Digital Signatures From a One-Way Function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL-98, SRI International, Palo Alto, 1979.

No context found.

L. Lamport. Constructing Digital Signatures From a One-Way Function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical report, SRI-CSL98, SRI International Computer Science Laboratory, Oct. 1979.

No context found.

L. Lamport. Constructing Digital Signatures from One-Way Functions. SRI International, CSL-98, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report SRI Intl. CSL 98, 1979.

No context found.

L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report CSL-98, SRI International, Palo Alto, 1979.

No context found.

L. Lamport, "Constructing digital signatures from a one-way function," SRI Int., Menlo Park, CA, Tech. Rep. CSL 98, 1979.

No context found.

L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.

No context found.

L. Lamport, "Constructing Digital Signatures from a One Way Function," SRI International Technical Report CSL-98 (October 1979).

No context found.

Lamport, L. \Constructing Digital Signatures from a One-Way Function," SRI Intl. CSL-98. (Oct. 1979) 25

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC