Schnorr Signature. Schnorr Signature. October 31, 2012
|
|
- Ashley Shields
- 6 years ago
- Views:
Transcription
1 . October 31, 2012
2 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security Proof Forking Lemma
3 Salient Features - Salient Features Derived from Schnorr identification scheme through Fiat-Shamir transformation Based on the DLP Security argued using oracle replay attacks Uses the random oracle heuristic
4 Preliminaries PRELIMINARIES
5 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π
6 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π Aim: Π is hard = P is not breakable
7 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π Aim: Π is hard = P is not breakable P is breakable = Π is not hard B Π Π P C P A
8 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π Aim: Π is hard = P is not breakable P is breakable = Π is not hard B Π Π P C P A Since Π is assumed to be hard, this leads to a contradiction.
9 Preliminaries Security Proofs Security Model Lays down the schema to be followed for giving security proofs Described using a game between a challenger C and an adversary A C P P A C simulates the protocol environment for A A wins the game if it solves the challenge given by C
10 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function.
11 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function. P H
12 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function. P H P C H P A
13 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function. P H P C H P A Proofs without random oracles preferred.
14 Preliminaries PKS and its Security Models PUBLIC-KEY SIGNATURES AND ITS SECURITY MODELS
15 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } -
16 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } - Key Generation: Used by the user to generate the public-private key pair (pk, sk) pk is published and the sk kept secret Run on a security parameter κ (pk, sk) $ K(κ)
17 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } - Key Generation: Used by the user to generate the public-private key pair (pk, sk) pk is published and the sk kept secret Run on a security parameter κ (pk, sk) $ K(κ) Signing: Used by the user to generate signature on some message m The secret key sk used for signing σ $ S(sk, m)
18 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } - Key Generation: Used by the user to generate the public-private key pair (pk, sk) pk is published and the sk kept secret Run on a security parameter κ (pk, sk) $ K(κ) Signing: Used by the user to generate signature on some message m The secret key sk used for signing Verification: σ $ S(sk, m) Outputs 1 if σ is a valid signature on m; else, outputs 0 result V (σ, m, pk)
19 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack
20 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk).
21 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk).
22 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk). Forgery Adversary A wins if ˆσ is a valid signature on ˆm. pk C EU-NMA A (ˆσ, ˆm)
23 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk). Forgery Adversary A wins if ˆσ is a valid signature on ˆm. pk C EU-NMA A (ˆσ, ˆm) Adversary s advantage in the game: [ ] Pr 1 V (ˆσ, ˆm, pk) (sk, pk) $ K(κ); (ˆσ, ˆm) $ A(pk)
24 Preliminaries PKS and its Security Models Definition EU-CMA Existential unforgeability under chosen-message attack Challenger C generates key-pair (pk, sk). Signature Queries Access to a signing oracle O Forgery Adversary A wins if ˆσ is a valid signature on ˆm. A has not made a signature query on ˆm. C O pk EU-CMA (ˆσ, ˆm) Adversary s advantage in the game: [ ] Pr 1 V (ˆσ, ˆm, pk) (sk, pk) $ K(κ); (ˆσ, ˆm) $ A O (pk) A
25 Preliminaries Hardness Assumption Hardness Assumption: Discrete-log Assumption Discrete-log problem for a group G = g and G = p DLP C (G, g, p, g α ) α DLP A
26 Preliminaries Hardness Assumption Hardness Assumption: Discrete-log Assumption Discrete-log problem for a group G = g and G = p DLP C (G, g, p, g α ) α DLP A Definition The DLP in G is to find α given g α, where α R Z p. An adversary A has advantage ɛ in solving the DLP if Pr [ α R Z p ; α A(G, p, g, g α ) α = α ] ɛ. The (ɛ, t)-discrete-log assumption holds in G if no adversary has advantage at least ɛ in solving the DLP in time at most t.
27 SCHNORR SIGNATURE
28 The Construction The Setting. 1. We work in group G = g of prime order p. 2. A hash function H is used. H : {0, 1} Z p
29 The Construction The Setting. 1. We work in group G = g of prime order p. 2. A hash function H is used. H : {0, 1} Z p Key Generation. K(κ): 1. Select z R Z p as the secret key sk 2. Set Z := g z as the public key pk
30 The Construction The Setting. 1. We work in group G = g of prime order p. 2. A hash function H is used. H : {0, 1} Z p Key Generation. K(κ): 1. Select z R Z p as the secret key sk 2. Set Z := g z as the public key pk Signing. S(m, sk): 1. Let sk = z. Select r R Z p, set R := g r and c := H(m, R). 2. The signature on m is σ := (y, R) where y := r + zc
31 The Construction Verification. V (σ, m): 1. Let σ = (y, R) and c = H(m, R). 2. σ is valid if g y = RZ c
32 The Construction Security of : An Intuition Consider an adversary A with ability to launch chosen-message attack on the Schnorr signature. Let {σ 1,..., σ n } with σ i = (r i + zc i, R i ) on m i be the signatures that A receives.
33 The Construction Security of : An Intuition Consider an adversary A with ability to launch chosen-message attack on the Schnorr signature. Let {σ 1,..., σ n } with σ i = (r i + zc i, R i ) on m i be the signatures that A receives. r c c 1 r = r c n n z y 1 y 2. r n
34 The Construction Security of : An Intuition However, A can solve for x if it gets two equations containing the same r but different c, i.e. y 1 = r + zc 1 and y 2 = r + zc 2 implies z = y 1 y 2 c 1 c 2
35 Oracle Replay Attack ORACLE REPLAY ATTACK
36 Oracle Replay Attack The Oracle Replay Attack Recall the random oracle methodology. P H P C Q i P A H s i
37 Oracle Replay Attack The Oracle Replay Attack Recall the random oracle methodology. P H P C Q i P A H s i s 1 Q 1 Q 2 Q I s I s γ Q I +1 Q γ Run 0
38 Oracle Replay Attack The Oracle Replay Attack Recall the random oracle methodology. P H P C Q i P A H s i s 1 Q 1 Q 2 Q I s I s γ Q I +1 Q γ Run 0 s I Q I +1 Q γ Run 1 s γ The simulation carried out during Run 1 (from query Q i ) using a different random function
39 Oracle Replay Attack Security of in EU-NMA Consider the simpler model of existential unforgeability under no-message attack (EU-NMA) C gives the challenge public key pk := (G, g, p, g α ) to A A not allowed signature queries; forges on a message ˆm A also allowed access to an H-oracle {Q 1,..., Q γ } DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A
40 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A Q 0 I : H( ˆm 0, ˆR 0 ) = c 0 s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (ŷ 0 = ˆr 0 + αc 0, ˆR 0 ) s Q Q 0 2 Q 0 I
41 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A Q 0 I : H( ˆm 0, ˆR 0 ) = c 0 and Q φ J : H( ˆm 1, ˆR 1 ) = c 1 s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (ŷ 0 = ˆr 0 + αc 0, ˆR 0 ) s 0 1 Q 0 1 Q 0 2 Q 0 I s 1 I Q 1 I +1 Q 1 γ ˆσ 1 = (ŷ 1 = ˆr 1 + αc 1, ˆR 1 ) s 1 γ
42 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A J = I = ˆm 1 = ˆm 0 ˆR 1 = ˆR 0 s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (y 0 = r 0 + αc 0, R 0 ) s 0 1 Q 0 1 Q 0 2 Q 0 I s 1 I Q 1 I +1 Q 1 γ ˆσ 1 = (y 1 = r 0 + αc 1, R 0 ) s 1 γ
43 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A J = I = ˆm 1 = ˆm 0 ˆR 1 = ˆR 0 and α = (ŷ 0 ŷ 1 )/(c 0 c 1 ) s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (y 0 = r 0 + αc 0, R 0 ) s 0 1 Q 0 1 Q 0 2 Q 0 I s 1 I Q 1 I +1 Q 1 γ ˆσ 1 = (y 1 = r 0 + αc 1, R 0 ) s 1 γ
44 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m)
45 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m) Signature for m is of form σ = (r + αc, g r ), where c = H(m, g r ).
46 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m) Signature for m is of form σ = (r + αc, g r ), where c = H(m, g r ). But, we don t know α!
47 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m) Signature for m is of form σ = (r + αc, g r ), where c = H(m, g r ). But, we don t know α! Problem solved using Boneh-Boyen algebraic technique: Select c, s R Z p and set r = αc + s. Program the random oracle to set c = H(m, g r ) and send (s, g r ) as the signature.
48 Security Proof FORKING LEMMA
49 Forking Lemma Forking Algorithm The oracle replay attack formalised through the forking algorithm Algorithm 1 F Y (x) Pick coins ρ for Y at random s 0 1,..., s0 γ R S; (I 0, σ 0 ) $ Y (x, s 0 1,..., s0 γ; ρ) [Run 0] s 1 I 0,..., s 1 γ R S; (I 1, σ 1 ) $ Y (x, s 0 1,..., s0 I 0 1, s1 I 0,..., s 1 γ; ρ) [Run 1] if (I 0 > 0 I 1 = I 0 s 1 I 0 s 0 I 0 ) then return (1, σ 0, σ 1 ) else return (0,, ) end if
50 Forking Lemma The Forking Lemma The forking lemma gives a lower bound on the success probability of the oracle replay attack (frk) in terms of the success probability of the adversary during a particular run (acc).
51 Forking Lemma The Forking Lemma The forking lemma gives a lower bound on the success probability of the oracle replay attack (frk) in terms of the success probability of the adversary during a particular run (acc). To be precise, ( acc frk acc γ 1 ) p
52 Forking Lemma The Forking Lemma The forking lemma gives a lower bound on the success probability of the oracle replay attack (frk) in terms of the success probability of the adversary during a particular run (acc). To be precise, ( acc frk acc γ 1 ) p s 1 Q 1 Q 2 Q I s I s γ Q I +1 Q γ Run 0 s I Q I +1 Q γ Run 1 s γ
53 Forking Lemma Theorem Theorem If A is an adversary with advantage ɛ against the Schnorr signature scheme, in the setting (G, g, p), then we can construct an algorithm B that solves the DLP with advantage ( ɛ ɛ ɛ γ 1 ) p provided H is modelled as a random oracle with an upper bound of q H queries.
54 Forking Lemma Related Literature 1. Mihir Bellare and Gregory Neven. Multi-signatures in the plain public-key model and a general forking lemma. 2. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. 3. Sanjam Garg, Raghav Bhaskar, and Satyanarayana V. Lokam. Improved bounds on security reductions for discrete log based signatures. 4. Yannick Seurin. On the exact security of Schnorr-type signatures in the random oracle model.
55 Forking Lemma QUESTIONS?
56 Forking Lemma THANK YOU!
Constructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationVI. The Fiat-Shamir Heuristic
VI. The Fiat-Shamir Heuristic - as already seen signatures can be used and are used in practice to design identification protocols - next we show how we can obtain signatures schemes from - protocols using
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationQ B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h
MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationGQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks
GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks [Mihir Bellare, Adriana Palacio] Iliopoulos Fotis School of Electrical and Computer Engineering
More informationConstructing Provably Secure Identity-Based Signature Schemes.
Constructing Provably Secure Identity-Based Signature Schemes. A Thesis Submitted for the Degree of Master of Science (Engineering) in the Faculty of Engineering by Chethan Kamath H Computer Science and
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationLimitations of the Meta-Reduction Technique: The Case of Schnorr Signatures
An extended abstract of this paper appears at Eurocrypt 2013. Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 Technische Universität Darmstadt
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationDesign Validations for Discrete Logarithm Based Signature Schemes
Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationSecurity Arguments for Digital Signatures and Blind Signatures
J. Cryptology (2000) 13: 361 396 DOI: 10.1007/s001450010003 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures David Pointcheval and
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationEvaluation Report on the ECDSA signature scheme
Evaluation Report on the ECDSA signature scheme Jacques Stern 1 Introduction This document is an evaluation of the ECDSA signature scheme. Our work is based on the analysis of various documents [1, 32,
More informationA NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION
Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 119 131 A NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION JUNG HEE CHEON 1, YONGDAE KIM 2 AND HYO
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationUninstantiability of Full-Domain Hash
Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationA Security Proof of KCDSA using an extended Random Oracle Model
A Security Proof of KCDSA using an extended Random Oracle Model Vikram Singh Abstract We describe a tight security reduction to the discrete logarithm problem for KCDSA under an extended Random Oracle
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationA DL Based Short Strong Designated Verifier Signature Scheme with Low Computation
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 27, 451-463 (2011) A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation HAN-YU LIN, TZONG-SUN WU + AND YI-SHIUNG YEH Department
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationSimple Schnorr Multi-Signatures with Applications to Bitcoin
Simple Schnorr Multi-Signatures with Applications to Bitcoin Gregory Maxwell, Andrew Poelstra 1, Yannick Seurin 2, and Pieter Wuille 1 1 Blockstream 2 ANSSI, Paris, France greg@xiph.org, {apoelstra, pwuille}@blockstream.com,
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationRing Signatures without Random Oracles
Ring Signatures without Random Oracles Sherman S. M. Chow 1, Joseph K. Liu 2, Victor K. Wei 3 and Tsz Hon Yuen 3 1 Department of Computer Science Courant Institute of Mathematical Sciences New York University,
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationOn Tight Security Proofs for Schnorr Signatures
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1, Tibor Jager 2, and Dominique Schröder 3 1 Ruhr University Bochum 2 Paderborn University 3 Friedrich-Alexander-University Erlangen-Nürnberg
More informationIdentity Based Deterministic Signature Scheme Without Forking-Lemma
Identity Based Deterministic ignature cheme Without Forking-Lemma. harmila Deva elvi,. ree Vivek, C. Pandu Rangan Theoretical Computer cience Laboratory, Department of Computer cience and Engineering,
More informationProvable Security Proofs and their Interpretation in the Real World
Provable Security Proofs and their Interpretation in the Real World Vikram Singh Abstract This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationLecture 15: Message Authentication
CSE 599b: Cryptography (Winter 2006) Lecture 15: Message Authentication 22 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Message Authentication Recall that the goal of message authentication
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationCryptographic Security of Macaroon Authorization Credentials
Cryptographic ecurity of Macaroon Authorization Credentials Adriana López-Alt New York University ecember 6, 2013 Abstract Macaroons, recently introduced by Birgisson et al. [BPUE + 14], are authorization
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationAN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION
Serdica J. Computing 3 (2009), 309 38 AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION Raghav Bhaskar, Karthekeyan Chandrasekaran, Satyanaryana V. Lokam, Peter L. Montgomery, Ramarathnam
More informationLimitations of the Meta-Reduction Technique: The Case of Schnorr Signatures
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Grenzen der Metareduktionstechnik: Der Fall von Schnorr Signaturen Master Thesis by Nils Fleischhacker September 25, 2012 Limitations
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationShort Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)
Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Hovav Shacham UC San Diego and UT Austin Abstract. A signature scheme is unique if for every public key and
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationA lattice-based partially blind signature
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 206; 9:820 828 Published online February 206 in Wiley Online Library (wileyonlinelibrary.com)..439 SPECIAL ISSUE PAPER A lattice-based partially
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationA short identity-based proxy ring signature scheme from RSA
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 A short identity-based proxy ring signature
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationProvably Secure Partially Blind Signatures
Provably Secure Partially Blind Signatures Masayuki ABE and Tatsuaki OKAMOTO NTT Laboratories Nippon Telegraph and Telephone Corporation 1-1 Hikari-no-oka Yokosuka-shi Kanagawa-ken, 239-0847 Japan E-mail:
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationAn Efficient ID-based Digital Signature with Message Recovery Based on Pairing
An Efficient ID-based Digital Signature with Message Recovery Based on Pairing Raylin Tso, Chunxiang Gu, Takeshi Okamoto, and Eiji Okamoto Department of Risk Engineering Graduate School of Systems and
More informationCertificateless Signcryption without Pairing
Certificateless Signcryption without Pairing Wenjian Xie Zhang Zhang College of Mathematics and Computer Science Guangxi University for Nationalities, Nanning 530006, China Abstract. Certificateless public
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationNon-Adaptive Programmability of Random Oracle
Non-Adaptive Programmability of Random Oracle Rishiraj Bhattacharyya Pratyay Mukherjee Abstract Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic
More informationConcurrent Signatures
Concurrent Signatures Liqun Chen 1, Caroline Kudla 2, and Kenneth G. Paterson 2 1 Hewlett-Packard Laboratories, Bristol, UK liqun.chen@hp.com 2 Information Security Group Royal Holloway, University of
More informationDigital Signature Algorithm
Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 11 DSA: The is a US standard, proposed in 1991 by the NIST Along with the DSA, the hash function SHA-1 was also specified
More informationMulti-key Hierarchical Identity-Based Signatures
Multi-key Hierarchical Identity-Based Signatures Hoon Wei Lim Nanyang Technological University 9 June 2010 Outline 1 Introduction 2 Preliminaries 3 Multi-key HIBS 4 Security Analysis 5 Discussion 6 Open
More informationFrom Identification to Signatures, Tightly: A Framework and Generic Transforms
From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare 1 Bertram Poettering 2 Douglas Stebila 3 February 2016 Abstract This paper provides a framework to treat the
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationIdentification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks
Identification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks Hiroaki Anada and Seiko Arita Institute of Information Security, Yokohama, Japan hiroaki.anada@gmail.com,
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationPSS Is Secure against Random Fault Attacks
PSS Is Secure against Random Fault Attacks Jean-Sébastien Coron and Avradip Mandal University of Luxembourg Abstract. A fault attack consists in inducing hardware malfunctions in order to recover secrets
More informationCommunication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors
Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/
More informationIntroduction to Pairing-Based Cryptography
Introduction to Pairing-Based Cryptography Mihir Bellare April, 2006 Department of Computer Science and Engineering, University of California at San Diego, La Jolla, CA 92093, USA. mihir@cs.ucsd.edu, http://www-cse.ucsd.edu/users/mihir
More informationSecurity Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Ecole Normale Superieure Laboratoire d'informatique 45, rue d'ulm 75230 Paris Cedex 05
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More information