Simulatable adaptive oblivious transfer
In EUROCRYPT, 2007
We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one after the other, in such a way that (a) the sender learns nothing about the receiver’s selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.
Breaking and repairing optimistic fair exchange from PODC 2003
In ACM Workshop on Digital Rights Management (DRM), 2003
Efficient ID-Based Blind Signature and Proxy Signature
In Proceedings of ACISP 2003, LNCS 2727, 2003
Abstract. Blind signature and proxy signature are very important technologies in secure e-commerce. Identity-based (simply ID-based) public key cryptosystem can be a good alternative for certificate-based public key setting, especially when efficient key management and moderate security are required. In this paper, we propose a new ID-based blind signature scheme and an ID-based partial delegation proxy signature scheme with warrant based on the bilinear pairings. Also we analyze their security and efficiency. We claim that our new blind signature scheme is more efficient than Zhang and Kim’s scheme [27] in Asiacrypt 2002.
On the Generic Construction of Identity-Based Signatures with Additional Properties
2006
It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of “identity-based signature schemes with additional properties” (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for a great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures. Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until now. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.
The Exact Security of an Identity Based Signature and its Applications
2004
This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the Sakai-Ogishi-Kasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that their modified SOK-IBS scheme can be viewed as a one-level instantiation of Gentry and Silverberg's alternative hierarchical IBS, the exact security of which was never considered before. We also show that this signature is as secure as the one-more Diffie-Hellman problem. As an application, we propose a modification of Boyen's "Swiss Army Knife" identity based signature encryption (IBSE) that presents better security reductions and satisfies the same strong security requirements with a similar efficiency.
An introduction to pairing-based cryptography
2005
Bilinear pairings have been used to design ingenious protocols for such tasks as one-round three-party key agreement, identity-based encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from
Round-Optimal Composable Blind Signatures in the Common Reference String Model
In Advances in Cryptology — CRYPTO 2006, LNCS 4117, 2006
Abstract. We build concurrently executable blind signature schemes in the common reference string model, based on general complexity assumptions, and with optimal round complexity. Namely, each interactive signature generation requires the requesting user and the issuing bank to transmit only one message each. We also put forward the definition of universally composable blind signature schemes, and show how to extend our concurrently executable blind signature protocol to derive such universally composable schemes in the common reference string model under general assumptions. While this protocol then guarantees very strong security properties when executed within larger protocols, it still supports signature generation in two moves.
verification with ID-based signatures
Proceedings of Information Security and Cryptology, 2004
Abstract. An identity (ID)-based signature scheme allows any pair of users to verify each other’s signatures without exchanging public key certificates. With the advent of bilinear maps, several ID-based signatures based on the discrete logarithm problem have been proposed. While these signatures have an advantage in the fact that the system secret can be shared by several parties using a threshold scheme (thereby overcoming the security problem of RSA-based ID-based signature schemes), they all share the same efficiency disadvantage. To overcome this, some schemes have focused on finding ways to verify multiple signatures at the same time (i.e. the batch verification problem). While they had some success in improving efficiency of verification, each had a slightly diversified definition of batch verification. In this paper, we propose a taxonomy of batch verification against which we analyze security of well-known ID-based signature schemes. We also propose a new ID-based signature scheme that allows for all types of multiple signature batch verification, and prove its security in the random oracle model. Key words: ID-based signatures, Batch verifications
Efficient k-out-of-n oblivious transfer schemes
Journal of Universal Computer Science, 2008
Abstract: Oblivious transfer is an important cryptographic protocol in various security applications. For example, in online transactions, a k-out-of-n oblivious transfer scheme allows a buyer to privately choose k out of n digital goods from a merchant without learning information about the other n−k goods. In this paper, we propose several efficient two-round k-out-of-n oblivious transfer schemes, in which the receiver R sends O(k) messages to the sender S, and S sends O(n) messages back to R. The schemes provide unconditional security for either sender or receiver. The computational security for the other side is based on the Decisional Diffie-Hellman (DDH) or Chosen-Target Computational Diffie-Hellman (CT-CDH) problems. Our schemes have the nice property of universal parameters, that is, each pair of R and S need not hold any secret before performing the protocol. The system parameters can be used by all senders and receivers without any trapdoor specification. In some cases, our OT^k_n schemes are the most efficient ones in terms of the communication cost, either in rounds or the number of messages. Moreover, one of our schemes is extended to an adaptive oblivious transfer scheme. In that scheme, S sends O(n) messages to R in one round in the commitment phase.
A closer look at PKI: Security and efficiency
In Proceedings of PKC ’07, LNCS series, 2007
In this paper we take a closer look at the security and efficiency of public-key encryption and signature schemes in public-key infrastructures (PKI). Unlike traditional analyses which assume an “ideal” implementation of the PKI, we focus on the security of joint constructions that consider the certification authority (CA) and the users, and include a key-registration protocol and the algorithms of an encryption or a signature scheme. We therefore consider significantly broader adversarial capabilities. Our analysis clarifies and validates several crucial aspects such as the amount of trust put in the CA, the necessity and specifics of proofs of possession of secret keys, and the security of the basic primitives in this more complex setting. We also provide constructions for encryption and signature schemes that provably satisfy our strong security definitions and are more efficient than the corresponding traditional constructions that assume a digital certificate issued by the CA must be verified whenever a public key is used. Our results address some important aspects for the design and standardization of PKIs, as targeted for example in the standards project ANSI X9.109.