Privacy-Preserving Public Auditing for Secure Cloud Storage, 2009
Abstract

Cited by 75 (3 self)
Using Cloud Storage, users can remotely store their data and enjoy the on-demand high quality applications and services from a shared pool of configurable computing resources, without the burden of local data storage and maintenance. However, the fact that users no longer have physical possession of the outsourced data makes the data integrity protection in Cloud Computing a formidable task, especially for users with constrained computing resources. Moreover, users should be able to just use the cloud storage as if it is local, without worrying about the need to verify its integrity. Thus, enabling public auditability for cloud storage is of critical importance so that users can resort to a third party auditor (TPA) to check the integrity of outsourced data and be worry-free. To securely introduce an effective TPA, the auditing process should bring in no new vulnerabilities towards user data privacy, and introduce no additional online burden to user. In this paper, we propose a secure cloud storage system supporting privacy-preserving public auditing. We further extend our result to enable the TPA to perform audits for multiple users simultaneously and efficiently. Extensive security and performance analysis show the proposed schemes are provably secure and highly efficient.
High-speed high-security signatures
Abstract

Cited by 43 (9 self)
This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
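The two "no data flow" rules in that abstract are what a constant-time implementation looks like at source level. The following Python is an added example, not code from the paper or from any Ed25519 implementation: the same exponentiation g^k mod p written first with a branch on a secret bit, then as a Montgomery ladder whose secret bit only feeds an arithmetic mask, plus a table lookup that reads every entry instead of indexing by a secret. Function names and the sample values are assumptions. Python integer arithmetic is itself variable-time, so this shows the structure the paper insists on, not a timing guarantee.

```python
# Added example (not the paper's code): secret-dependent branch vs. branch-free
# ladder, and a secret-index-free table lookup. Python ints are not
# constant-time; only the control-flow structure is what matters here.

def exp_branching(g, k, p, bits):
    """Square-and-multiply: the `if` tests a bit of the secret k (variable time)."""
    acc = 1
    for i in range(bits - 1, -1, -1):
        acc = acc * acc % p
        if (k >> i) & 1:              # secret-dependent branch
            acc = acc * g % p
    return acc


def _cswap(mask, a, b):
    """Swap a and b when mask is all-ones (-1); leave them when mask is 0."""
    t = mask & (a ^ b)
    return a ^ t, b ^ t


def exp_ladder(g, k, p, bits):
    """Montgomery ladder: one squaring and one multiply per bit, every bit."""
    r0, r1 = 1, g % p                 # invariant: r1 == r0 * g
    for i in range(bits - 1, -1, -1):
        mask = -((k >> i) & 1)        # 0 -> 0, 1 -> -1; the bit never reaches an `if`
        r0, r1 = _cswap(mask, r0, r1)
        r1 = r0 * r1 % p
        r0 = r0 * r0 % p
        r0, r1 = _cswap(mask, r0, r1)
    return r0


def ct_table_lookup(table, idx):
    """Return table[idx] by touching every entry; idx never becomes an array index.
    Entries and idx are assumed non-negative and below 2**63."""
    out = 0
    for j, v in enumerate(table):
        mask = -((((j ^ idx) - 1) >> 63) & 1)   # all-ones exactly when j == idx
        out |= v & mask
    return out
```

In C the same masks are built from unsigned arithmetic and the compiler must be checked (or the code written in assembly, as the paper's implementation is) to be sure the branch-free form survives optimisation; in Python the point is only to see where the secret flows.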
Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
In PKC’08, LNCS
Abstract

Cited by 40 (1 self)
In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users’ keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.
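To make the primitive and the word "bidirectional" concrete, here is an added example that is not this paper's construction: the original Blaze-Bleumer-Strauss scheme (ElGamal-style ciphertexts, re-encryption key rk = b/a mod q) in a toy prime-order group. It shows the proxy converting a ciphertext without learning the plaintext, the same rk inverted converting in the opposite direction (which is exactly what a unidirectional scheme must prevent), and the proxy and Bob together recovering Alice's secret. The group p = 2039, q = 1019, g = 4 and all function names are assumptions, and the group is far too small for anything but illustration.

```python
import secrets

# Added example (not the paper's scheme): BBS'98 bidirectional proxy
# re-encryption in a toy prime-order group. p = 2q + 1 is a safe prime and
# g = 4 is a square mod p, so it has order q. Assumed toy parameters only.
P, Q, G = 2039, 1019, 4


def pubkey(a):
    return pow(G, a, P)


def keygen():
    a = 1 + secrets.randbelow(Q - 1)
    return a, pubkey(a)


def encrypt(pk, m):
    """ElGamal-style: (m * g^r, pk^r). m is assumed to be an element of the
    order-q subgroup (in practice messages are encoded into the group)."""
    r = 1 + secrets.randbelow(Q - 1)
    return m * pow(G, r, P) % P, pow(pk, r, P)


def decrypt(a, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(a, -1, Q), P)      # (g^{ar})^{1/a} = g^r
    return c1 * pow(g_r, -1, P) % P


def rekey(a, b):
    """Re-encryption key Alice -> Bob. Computing it needs both secrets
    (or a two-party protocol), which is already a bidirectional trait."""
    return b * pow(a, -1, Q) % Q


def reencrypt(rk, ct):
    """Proxy step: only the key-bound component changes; m is never seen."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)            # (g^{ar})^{b/a} = g^{br}


def reverse_rekey(rk):
    """Bidirectionality: the inverse of rk converts Bob -> Alice."""
    return pow(rk, -1, Q)


def collude(rk, b):
    """Proxy plus Bob recover Alice's secret: a = b / rk mod q."""
    return b * pow(rk, -1, Q) % Q
```

The unidirectional schemes in the paper are built so that neither of the last two functions has an analogue: rk for Alice to Bob gives the proxy nothing usable in the Bob-to-Alice direction and nothing that, combined with Bob's key, exposes Alice's.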
Lattice Signatures and Bimodal Gaussians
Abstract

Cited by 23 (4 self)
Our main result is a construction of a lattice-based digital signature scheme that represents an improvement, both in theory and in practice, over today’s most efficient lattice schemes. The novel scheme is obtained as a result of a modification of the rejection sampling algorithm that is at the heart of Lyubashevsky’s signature scheme (Eurocrypt, 2012) and several other lattice primitives. Our new rejection sampling algorithm which samples from a bimodal Gaussian distribution, combined with a modified scheme instantiation, ends up reducing the standard deviation of the resulting signatures by a factor that is asymptotically square root in the security parameter. The implementations of our signature scheme for security levels of 128, 160, and 192 bits compare very favorably to existing schemes such as RSA and ECDSA in terms of efficiency. In addition, the new scheme has shorter signature and public key sizes than all previously proposed lattice signature schemes. As part of our implementation, we also designed several novel algorithms which could be of independent interest. Of particular note is a new algorithm for efficiently generating discrete Gaussian samples over Z^n. Current algorithms either require many high-precision floating point exponentiations or the storage of very large precomputed tables, which makes them completely inappropriate for usage in constrained devices. Our sampling algorithm reduces the hard-coded table sizes from linear to logarithmic as compared to the time-optimal implementations, at the cost of being only a small factor slower.
Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles, 2007
Abstract

Cited by 23 (1 self)
We show how the Fiat-Shamir transform can be used to convert three-move identification protocols into two-tier signature schemes (a primitive we define) with a proof of security that makes a standard assumption on the hash function rather than modeling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. We can show that numerous protocols have the required properties and so obtain numerous efficient two-tier schemes. Our first application is an efficient transform of any unforgeable signature scheme into a strongly unforgeable one, which uses as a tool any two-tier scheme. (This extends work of Boneh, Shen and Waters whose transform only applies to a limited class of schemes.) The second application is new one-time signature schemes that, compared to one-way function based ones of the same computational cost, have smaller key and signature sizes.
Non-Interactive Key Exchange
Abstract

Cited by 13 (2 self)
Non-interactive key exchange (NIKE) is a fundamental but much-overlooked cryptographic primitive. It appears as a major contribution in the groundbreaking paper of Diffie and Hellman, but NIKE has remained largely unstudied since then. In this paper, we provide different security models for this primitive and explore the relationships between them. We then give constructions for secure NIKE in the Random Oracle Model based on the hardness of factoring and in the standard model based on the hardness of a variant of the decisional Bilinear Diffie-Hellman Problem for asymmetric pairings. We also study the relationship between NIKE and public key encryption (PKE), showing that a secure NIKE scheme can be generically converted into an IND-CCA secure PKE scheme. This conversion also illustrates the fundamental nature of NIKE in public key cryptography.
The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks, 2007
Abstract

Cited by 13 (2 self)
Multiparty signature protocols need protection against rogue-key attacks, made possible whenever an adversary can choose its public key(s) arbitrarily. For many schemes, provable security has only been established under the knowledge of secret key (KOSK) assumption where the adversary is required to reveal the secret keys it utilizes. In practice, certifying authorities rarely require the strong proofs of knowledge of secret keys required to substantiate the KOSK assumption. Instead, proofs of possession (POPs) are required and can be as simple as just a signature over the certificate request message. We propose a general registered key model, within which we can model both the KOSK assumption and in-use POP protocols. We show that simple POP protocols yield provable security of Boldyreva’s multisignature scheme [11], the LOSSW multisignature scheme [28], and a 2-user ring signature scheme due to Bender, Katz, and Morselli [10]. Our results are the first to provide formal evidence that POPs can stop rogue-key attacks.
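The rogue-key attack and the "signature over the certificate request" POP that stops it are easiest to see in code. What follows is an added example, not any of the schemes analysed in the paper (Boldyreva's scheme is pairing-based; this uses Schnorr signatures over a prime-order subgroup of Z_p^* with naive key aggregation by multiplication, which is the same shape of attack). Group generation, function names, the POP tag and the message are assumptions; the group size is kept small so the example runs in well under a second and is not meant for real use.

```python
import hashlib
import secrets

# Added example (not the paper's constructions): Schnorr "key-aggregation"
# multisignature in a toy prime-order group, the rogue-key attack against
# unchecked key registration, and the self-signature POP that blocks it.


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; sufficient for a demo group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Return (p, q, g): p = 2q + 1 a safe prime, g = 4 of prime order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4   # 4 is a square mod p, hence has order q


def keygen(G):
    p, q, g = G
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def _challenge(G, R, X, msg):
    p, q, _ = G
    h = hashlib.sha256(f"{p}|{R}|{X}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % q


def sign(G, x, X, msg):
    """Schnorr signature (R, s) on msg under secret x for public key X."""
    p, q, g = G
    k = 1 + secrets.randbelow(q - 1)
    R = pow(g, k, p)
    return R, (k + _challenge(G, R, X, msg) * x) % q


def verify(G, X, msg, sig):
    p, _, g = G
    R, s = sig
    return pow(g, s, p) == R * pow(X, _challenge(G, R, X, msg), p) % p


def aggregate(G, pubkeys):
    """Naive key aggregation: the product of the co-signers' public keys."""
    agg = 1
    for X in pubkeys:
        agg = agg * X % G[0]
    return agg


def rogue_key(G, X_victim):
    """Attacker picks y after seeing X_victim and publishes g^y / X_victim,
    so the aggregate key collapses to g^y, whose secret the attacker holds."""
    p, q, g = G
    y = 1 + secrets.randbelow(q - 1)
    return y, pow(g, y, p) * pow(X_victim, -1, p) % p


POP_TAG = b"proof-of-possession:"   # stands in for the certificate request


def make_pop(G, x, X):
    """Registration proof: a signature on the key itself under its own secret."""
    return sign(G, x, X, POP_TAG + str(X).encode())


def check_pop(G, X, pop):
    return verify(G, X, POP_TAG + str(X).encode(), pop)


def demo(bits=48):
    G = make_group(bits)
    x_a, X_a = keygen(G)            # honest Alice registers first
    y, X_b = rogue_key(G, X_a)      # Bob chooses his key after seeing X_a
    X_agg = aggregate(G, [X_a, X_b])
    msg = b"transfer all funds"
    forged = sign(G, y, X_agg, msg)  # Bob alone; Alice never signed anything
    # Bob's only secret is y, so signing X_b with y is his best attempt at a
    # POP; it fails because y is not the discrete log of X_b.
    bogus_pop = sign(G, y, X_b, POP_TAG + str(X_b).encode())
    return {
        "aggregate_is_g_to_y": X_agg == pow(G[2], y, G[0]),
        "forgery_verifies": verify(G, X_agg, msg, forged),
        "alice_pop_ok": check_pop(G, X_a, make_pop(G, x_a, X_a)),
        "bob_pop_ok": check_pop(G, X_b, bogus_pop),
    }
```

The dictionary returned by demo() comes out as forgery accepted, Alice's POP accepted, Bob's POP rejected: a registration step that runs check_pop before admitting a key never lets X_b into the aggregate, which is the whole effect the paper proves for the real schemes.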
Efficient sequential aggregate signed data
In Advances in Cryptology – EUROCRYPT 2008, 2008
Abstract

Cited by 12 (0 self)
We generalize the concept of sequential aggregate signatures (SAS), proposed by Lysyanskaya, Micali, Reyzin, and Shacham at Eurocrypt 2004, to a new primitive called sequential aggregate signed data (SASD) that tries to minimize the total amount of transmitted data, rather than just signature length. We present SAS and SASD schemes that offer numerous advantages over the scheme of Lysyanskaya et al. Most importantly, our schemes can be instantiated with uncertified claw-free permutations, thereby allowing implementations based on low-exponent RSA and factoring, and drastically reducing signing and verification costs. Our schemes support aggregation of signatures under keys of different lengths, and the SASD scheme even has as little as 160 bits of bandwidth overhead. Finally, we present a multisigned data scheme that, when compared to the state-of-the-art multisignature schemes, is the first scheme with non-interactive signature generation not based on pairings. All of our constructions are proved secure in the random oracle model based on families of claw-free permutations.
Multi-Use Unidirectional Proxy Re-Signatures, 2008
Abstract

Cited by 11 (0 self)
In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive termed proxy re-signature in which a proxy transforms a signature computed under Alice’s secret key into one from Bob on the same message. The proxy is only semi-trusted in that it cannot learn any signing key or sign arbitrary messages on behalf of Alice or Bob. At CCS 2005, Ateniese and Hohenberger revisited this primitive by providing appropriate security definitions and efficient constructions in the random oracle model. Nonetheless, they left open the problem of constructing a multi-use unidirectional scheme where the proxy is only able to translate in one direction and signatures can be re-translated several times. This paper provides the first steps towards efficiently solving this problem, suggested for the first time 10 years ago, and presents the first multi-hop unidirectional proxy re-signature schemes. Although our proposals feature a linear signature size in the number of translations, they are the first multi-use realizations of the primitive that satisfy the requirements of the Ateniese-Hohenberger security model. The first scheme is secure in the random oracle model. Using the same underlying idea, it readily extends into a secure construction in the standard model (i.e. the security proof of which avoids resorting to the random oracle idealization). Both schemes are computationally efficient but require newly defined Diffie-Hellman-like assumptions in bilinear groups.