Results 1 to 10 of 56
Short signatures from the Weil pairing
2001
Cited by 755 (25 self)
We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Signature schemes and anonymous credentials from bilinear maps
2004
Cited by 234 (23 self)
We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of the decisional Diffie-Hellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Towards hierarchical identity-based encryption
In Proceedings of Asiacrypt 2002, LNCS 2501
2002
Cited by 141 (0 self)
We introduce the concept of hierarchical identity-based encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A two-level HIBE (2-HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated with primitive IDs (PIDs) that are arbitrary strings. A user's public key consists of their PID and their domain's PID (in whole called an address). In a regular IBE (which corresponds to a 1-HIBE) scheme, there is only one PKG that distributes private keys to each user (whose public keys are their PID). In a 2-HIBE, users retrieve their private key from their domain PKG. Domain PKGs can compute the private key of any user in their domain, provided they have previously requested their domain secret key from the root PKG (who possesses a master secret). We can go beyond two levels by adding subdomains, subsubdomains, and so on. We present a two-level system with total collusion resistance at the upper (domain) level and partial collusion resistance at the lower (user) level, which has chosen-ciphertext security in the random-oracle model.
Unique signatures and verifiable random functions from the DH-DDH separation
Proceedings of Crypto 2002, volume 2442 of LNCS
2002
Cited by 63 (3 self)
A unique signature scheme has the property that a signature σ_PK(m) is a (hard-to-compute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing verifiable random functions. Another useful property of unique signatures is that they are stateless: the signer does not need to update his secret key after an invocation. The only previously known construction of a unique signature in the plain model was based on the RSA assumption. The only other previously known provably secure constructions of stateless signatures were based on the Strong RSA assumption. Here, we give a construction of a unique signature scheme based on a generalization of the Diffie-Hellman assumption in groups where decisional Diffie-Hellman is easy. Several recent results suggest plausibility of such groups. We also give a few related constructions of verifiable random functions (VRFs). VRFs, introduced by Micali, Rabin, and Vadhan, are objects that combine the properties of pseudorandom functions (i.e. indistinguishability from random even after querying) with the verifiability property. Prior to our work, VRFs were only known to exist under the RSA assumption.
Constructing Elliptic Curves with Prescribed Embedding Degrees
2002
Cited by 62 (17 self)
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
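The abstract above turns on the embedding degree k of a curve subgroup: for a subgroup of prime order r on a curve over F_q, k is the smallest integer with r | q^k - 1, and it is the extension field F_{q^k} into which the Weil or Tate pairing (and the MOV/Frey-Rück reduction) moves the subgroup's discrete-log problem. The Python below is an added example, not code from the paper or from this listing: it counts points on a toy curve by brute force, picks the largest prime-order subgroup, and computes k as the multiplicative order of q modulo r. The curve parameters, the hypothetical ordinary curve over F_101, and the function names are this example's own choices, not published curves.

```python
# Added example (not the paper's code): embedding degree of a curve subgroup.
# Curve parameters below are toy values chosen for illustration only.
from math import gcd


def count_points(p, a, b):
    """Number of points (including infinity) on y^2 = x^3 + a*x + b over F_p,
    by brute force: each x contributes 1 + legendre(x^3 + a*x + b).
    p must be an odd prime small enough to enumerate."""
    total = 1  # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            total += 1  # a single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:  # Euler's criterion: rhs is a square
            total += 2  # two points, y and -y
    return total


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1, for prime r with gcd(q, r) == 1.
    This is the multiplicative order of q modulo r, so k divides r - 1;
    start from r - 1 and strip every prime factor that can be removed."""
    if gcd(q, r) != 1:
        raise ValueError("r must be coprime to the field size q")
    k = r - 1
    for p in prime_factors(r - 1):
        while k % p == 0 and pow(q, k // p, r) == 1:
            k //= p
    return k


def pairing_target_bits(q, r):
    """Bit size of F_{q^k}, the field the pairing maps the order-r subgroup into.
    A pairing-friendly curve keeps this small enough to do arithmetic in;
    an ordinary curve meant to resist MOV keeps it astronomically large."""
    return embedding_degree(q, r) * q.bit_length()


def analyse_curve(p, a, b):
    """Return (group order, largest prime subgroup order r, embedding degree k)."""
    n = count_points(p, a, b)
    r = max(prime_factors(n))
    return n, r, embedding_degree(p, r)


if __name__ == "__main__":
    # y^2 = x^3 + x over F_11 (p = 3 mod 4): supersingular, 12 points, k = 2.
    print(analyse_curve(11, 1, 0))
    # Hypothetical ordinary curve over F_101 with a prime-order subgroup of size 103:
    # k = r - 1 = 102, so the pairing would land in a field of 714 bits.
    print(embedding_degree(101, 103), pairing_target_bits(101, 103))
```

The supersingular examples land at k = 2, inside the k <= 6 range the abstract describes, while the ordinary toy curve has k = r - 1, the "enormous" case: the same function gives you both the pairing-friendliness check and the MOV-resistance check, and for a real curve the only change is replacing the brute-force point count with the published group order.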
Oblivious Signature-Based Envelope
In Proceedings of the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003)
2003
Cited by 59 (7 self)
Exchange of digitally signed certificates is often used to establish mutual trust between strangers that wish to share resources or to conduct business transactions. Automated Trust Negotiation (ATN) is an approach to regulate the flow of sensitive information during such an exchange. Previous work on ATN is based on access control techniques, and cannot handle cyclic policy interdependency satisfactorily. We show that the problem can be modelled as a 2-party secure function evaluation (SFE) problem, and propose a scheme called oblivious signature-based envelope (OSBE) for efficiently solving the SFE problem. We develop a provably secure and efficient OSBE protocol for certificates signed using RSA signatures. We also build provably secure and efficient one-round OSBE for Rabin and BLS signatures from recent constructions for identity-based encryption. We also discuss other applications of OSBE.
Supersingular abelian varieties in cryptology
Advances in Cryptology - CRYPTO 2002
Cited by 52 (7 self)
For certain security applications, including identity-based encryption and short signature schemes, it is useful to have abelian varieties with security parameters that are neither too small nor too large. Supersingular abelian varieties are natural candidates for these applications. This paper determines exactly which values can occur as the security parameters of supersingular abelian varieties (in terms of the dimension of the abelian variety and the size of the finite field), and gives constructions of supersingular abelian varieties that are optimal for use in cryptography.
A cryptographic framework for the controlled release of certified data
In Security Protocols Workshop
2004
Cited by 47 (6 self)
It is usually the case that before a transaction can take place, some mutual trust must be established between the participants. Online, doing so requires the exchange of some certified information about the participants. The easy solution is to disclose one's identity and reveal all of one's certificates to establish such a trust relationship. However, it is clear that such an approach is unsatisfactory from a privacy point of view. In fact, often revealing any information that uniquely corresponds to a given individual is a bad idea from the privacy point of view. In this survey paper we describe a framework where for each transaction there is a precise specification of what pieces of certified data are revealed to each participant. We show how to specify transactions in this framework, give examples of transactions that use it, and describe the cryptographic building blocks that this framework is built upon. We conclude with bibliographic notes on the state-of-the-art in this area.
ID-Based One Round Authenticated Tripartite Key Agreement Protocol with Pairings
2002
Cited by 23 (4 self)
With various applications of the Weil pairing (Tate pairing) to cryptography, ID-based encryption schemes, digital signature schemes, blind signature schemes, two-party authenticated key agreement schemes, and tripartite key agreement schemes were proposed recently, all of them using a bilinear pairing (Weil or Tate pairing). In this paper, we propose an ID-based one round authenticated tripartite key agreement protocol.
A Secure Signature Scheme from Bilinear Maps
CT-RSA 2003, LNCS 2612
Cited by 22 (1 self)
We present a new class of signature schemes based on properties of certain bilinear algebraic maps. These signatures are secure against existential forgery under a chosen message attack in the standard model (without using the random oracle model). Security is based on the computational Diffie-Hellman problem. The concrete schemes that we get are the most efficient provable discrete-log type signature schemes to date.