Results 1  10
of
149
Security Arguments for Digital Signatures and Blind Signatures
 JOURNAL OF CRYPTOLOGY
, 2000
"... Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the ..."
Abstract

Cited by 375 (39 self)
 Add to MetaCart
Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the
Efficient Group Signature Schemes for Large Groups (Extended Abstract)
, 1997
"... A group signature scheme allows members of a group to sign messages on the group's behalf such that the resulting signature does not reveal their identity. Only a designated group manager is able to identify the group member who issued a given signature. Previously proposed realizations of grou ..."
Abstract

Cited by 314 (35 self)
 Add to MetaCart
A group signature scheme allows members of a group to sign messages on the group's behalf such that the resulting signature does not reveal their identity. Only a designated group manager is able to identify the group member who issued a given signature. Previously proposed realizations of group signature schemes have the undesirable property that the length of the public key is linear in the size of the group. In this paper we propose the first group signature scheme whose public key and signatures have length independent of the number of group members and which can therefore also be used for large groups. Furthermore, the scheme allows the group manager to add new members to the group without modifying the public key. The realization is ba...
A practical and provably secure coalitionresistant group signature scheme
, 2000
"... A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature’s originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes ..."
Abstract

Cited by 276 (29 self)
 Add to MetaCart
A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature’s originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification scheme with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalitionresistant under the strong RSA and the decisional DiffieHellman assumptions. The security of the noninteractive variant, i.e., the group signature scheme, relies additionally on the FiatShamir heuristic (also known as the random oracle model).
Untraceable Offline Cash in Wallets with Observers
, 1993
"... . Incorporating the property of untraceability of payments into offline electronic cash systems has turned out to be no easy matter. Two key concepts have been proposed in order to attain the same level of security against doublespending as can be trivially attained in systems with full traceabili ..."
Abstract

Cited by 274 (3 self)
 Add to MetaCart
(Show Context)
. Incorporating the property of untraceability of payments into offline electronic cash systems has turned out to be no easy matter. Two key concepts have been proposed in order to attain the same level of security against doublespending as can be trivially attained in systems with full traceability of payments. The first of these, oneshow blind signatures, ensures traceability of doublespenders after the fact. The realizations of this concept that have been proposed unfortunately require either a great sacrifice in efficiency or seem to have questionable security, if not both. The second concept, wallets with observers, guarantees prior restraint of doublespending, while still offering traceability of doublespenders after the fact in case tamperresistance is compromised. No realization of this concept has yet been proposed in literature, which is a serious problem. It seems that the known cash systems cannot be extended to this important setting without significantly worsening ...
DiffieHellman Key Distribution Extended to Group Communication
, 1996
"... Ever since 2party DiffieHellman key exchange was first proposed in 1976, there have been efforts to extend its simplicity and elegance to a group setting. Notable solutions have been proposed by Ingemarsson et al. (in 1982) and Burmester/Desmedt (in 1994). In this paper, we consider a class of pro ..."
Abstract

Cited by 256 (10 self)
 Add to MetaCart
(Show Context)
Ever since 2party DiffieHellman key exchange was first proposed in 1976, there have been efforts to extend its simplicity and elegance to a group setting. Notable solutions have been proposed by Ingemarsson et al. (in 1982) and Burmester/Desmedt (in 1994). In this paper, we consider a class of protocols that we call natural extensions of DiffieHellman to the nparty case. After demonstrating the security of the entire class based on the intractability of the DiffieHellman problem we introduce two novel and practical protocols and compare them to the previous results. We argue that our protocols are optimal with respect to certain aspects of protocol complexity. 1 Introduction It has been almost twenty years since DiffieHellman (DH) 2party key exchange was first proposed in [1]. In the meantime, there have been many attempts to extend its elegance and simplicity to the group setting. The main motivating factor is the increasing popularity of various types of groupware application...
The Decision DiffieHellman Problem
, 1998
"... The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this are ..."
Abstract

Cited by 237 (7 self)
 Add to MetaCart
(Show Context)
The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the DiffieHellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g a ; g b . The secret key is g ab . To totally break the protocol a passive eavesdropper, Eve, must compute the DiffieHellman function defined as: dh g (g a ; g b ) = g ab . We say that the group G satisfies the Computational DiffieHellman assumption (cdh) if no efficient algorithm can compute the function dh g (x; y) in G. Precise definitions are given in the next sectio...
Design and Analysis of Practical PublicKey Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack
 SIAM Journal on Computing
, 2001
"... A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption sc ..."
Abstract

Cited by 231 (11 self)
 Add to MetaCart
(Show Context)
A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption schemes in the literature that are simultaneously practical and provably secure.
Key Agreement in Dynamic Peer Groups
 IEEE Transactions on Parallel and Distributed Systems
, 2000
"... As a result of the increased popularity of grouporiented applications and protocols, group communication occurs in many different settings: from network multicasting to application layer tele and videoconferencing. Regardless of the application environment, security services are necessary to provi ..."
Abstract

Cited by 213 (18 self)
 Add to MetaCart
(Show Context)
As a result of the increased popularity of grouporiented applications and protocols, group communication occurs in many different settings: from network multicasting to application layer tele and videoconferencing. Regardless of the application environment, security services are necessary to provide communication privacy and integrity. This paper considers the problem of key agreementindynamic peer groups. (Key agreement, especially in a group setting, is the steeping stone for all other security services.) Dynamic peer groups require not only initial key agreement (IKA) but also auxiliary key agreement (AKA) operations such as member addition, member deletion and group fusion. We discuss all group key agreement operations and present a concrete protocol suite, CLIQUES, which offers complete key agreement services. CLIQUES is based on multiparty extensions of the wellknown DiffieHellman key exchange method. The protocols are efficient and provably secure against passiveadversari...
Certificate Revocation and Certificate Update
 USENIX SECURITY SYMPOSIUM
, 1998
"... A new solution is suggested for the problem of certificate revocation. This solution represents Certificate Revocation Lists by an authenticated search data structure. The process of verifying whether a certificate is in the list or not, as well as updating the list, is made very efficient. The sugg ..."
Abstract

Cited by 180 (1 self)
 Add to MetaCart
A new solution is suggested for the problem of certificate revocation. This solution represents Certificate Revocation Lists by an authenticated search data structure. The process of verifying whether a certificate is in the list or not, as well as updating the list, is made very efficient. The suggested solution gains in scalability, communication costs, robustness to parameter changes and update rate. Comparisons to the following solutions are included: 'traditional' CRLs (Certificate Revocation Lists), Micali's Certificate Revocation System (CRS) and Kocher's Certificate Revocation Trees (CRT).
Finally, a scenario in which certificates are not revoked, but frequently issued for shortterm periods is considered. Based on the authenticated search data structure scheme, a certificate update scheme is presented in which all certificates are updated by a common message.
The suggested solutions for certificate revocation and certificate update problems is better than current solutions with respect to communication costs, update rate, and robustness to changes in parameters and is compatible e.g. with X.500 certificates.