Results 1  10
of
143
Short signatures from the Weil pairing
, 2001
"... We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures ar ..."
Abstract

Cited by 755 (25 self)
 Add to MetaCart
(Show Context)
We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel.
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
, 2002
"... An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verif ..."
Abstract

Cited by 336 (12 self)
 Add to MetaCart
(Show Context)
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M i for i = 1; : : : ; n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M . Verifiably encrypted signatures are used in contractsigning protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Design and Analysis of Practical PublicKey Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack
 SIAM Journal on Computing
, 2001
"... A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption sc ..."
Abstract

Cited by 231 (11 self)
 Add to MetaCart
(Show Context)
A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption schemes in the literature that are simultaneously practical and provably secure.
An IdentityBased Signature from Gap DiffieHellman Groups
 Public Key Cryptography  PKC 2003, LNCS 2139
, 2002
"... In this paper we propose an identity(ID)based signature scheme using gap DiffieHellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model. ..."
Abstract

Cited by 190 (4 self)
 Add to MetaCart
In this paper we propose an identity(ID)based signature scheme using gap DiffieHellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model.
HMQV: A HighPerformance Secure DiffieHellman Protocol
 Protocol, Advances in Cryptology — CRYPTO ’05, LNCS 3621
, 2005
"... The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a ..."
Abstract

Cited by 169 (6 self)
 Add to MetaCart
(Show Context)
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information".
A Proposal for an ISO Standard for Public Key Encryption (version 2.0)
, 2001
"... This document should be viewed less as a first draft of a standard for publickey encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed. ..."
Abstract

Cited by 131 (3 self)
 Add to MetaCart
(Show Context)
This document should be viewed less as a first draft of a standard for publickey encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
Stronger Security of Authenticated Key Exchange
 In Provable Security: First International Conference, ProvSec 2007, volume 4784 of LNCS
, 2007
"... Recent work by Krawczyk [10] and Menezes [14] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. W ..."
Abstract

Cited by 110 (0 self)
 Add to MetaCart
(Show Context)
Recent work by Krawczyk [10] and Menezes [14] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the CanettiKrawczyk model. Some of these additional attacks have already been considered by Krawczyk [10]. In an attempt to bring these attacks within the scope of the security model we extend the CanettiKrawczyk model for AKE security by providing significantly greater powers to the adversary. Our contribution is a more compact, integrated, and comprehensive formulation of the security model. We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries. 1
Formal Proofs for the Security of Signcryption
 In PKC ’02
, 2002
"... Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead. ..."
Abstract

Cited by 85 (3 self)
 Add to MetaCart
(Show Context)
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.
REACT: Rapid Enhancedsecurity Asymmetric Cryptosystem Transform
 CTRSA 2001, volume 2020 of LNCS
, 2001
"... Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosenciphertext secure encryption scheme from any trapdoor oneway permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem ..."
Abstract

Cited by 85 (19 self)
 Add to MetaCart
(Show Context)
Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosenciphertext secure encryption scheme from any trapdoor oneway permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous: 1. it is more general since it applies to any partially trapdoor oneway function (a.k.a. weakly secure publickey encryption scheme) and therefore provides security relative to RSA but also to the DiffieHellman problem or the factorization; 2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates; 3. it provides a key distribution with session key encryption, whose overall scheme achieves chosenciphertext security even with weakly secure symmetric scheme. Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
Chosenciphertext security from tagbased encryption
, 2005
"... One of the celebrated applications of IdentityBased Encryption (IBE) is the Canetti, Halevi, and Katz (CHK) transformation from any (selectiveidentity secure) IBE scheme into a full chosenciphertext secure encryption scheme. Since such IBE schemes in the standard model are known from previous wor ..."
Abstract

Cited by 68 (12 self)
 Add to MetaCart
One of the celebrated applications of IdentityBased Encryption (IBE) is the Canetti, Halevi, and Katz (CHK) transformation from any (selectiveidentity secure) IBE scheme into a full chosenciphertext secure encryption scheme. Since such IBE schemes in the standard model are known from previous work this immediately provides new chosenciphertext secure encryption schemes in the standard model. This paper revisits the notion of TagBased Encryption (TBE) and provides security definitions for the selectivetag case. Even though TBE schemes belong to a more general class of cryptographic schemes than IBE, we observe that (selectivetag secure) TBE is a sufficient primitive for the CHK transformation and therefore implies chosenciphertext secure encryption. We construct efficient and practical TBE schemes and give tight security reductions in the standard model from the Decisional Linear Assumption in gapgroups. In contrast to all known IBE schemes our TBE construction does not directly deploy pairings. Instantiating the CHK transformation with our TBE scheme results in an encryption scheme whose decryption can be carried out in one single multiexponentiation. Furthermore, we show how to apply the techniques gained from the TBE construction to directly design a new Key Encapsulation Mechanism. Since in this case we can avoid the CHK transformation the scheme results in improved efficiency.