Signature Scheme

The term proxy certificate is used to describe a certificate that is issued by an end user for the purpose of delegating responsibility to another user so that the latter can perform certain actions on behalf of the former. Such certificates have been suggested for use in a number of applications, particularly in distributed computing environments where delegation of rights is common. In this paper, we present a new concept called proof-carrying proxy certificates. Our approach allows to combine the verification of the validity of the proxy certificate and the authorization decision making in an elegant way that enhances the privacy of the end user. In contrast with standard proxy certificates that are generated using standard (public-key) signature schemes, the proposed certificates are generated using a signature scheme for which the validity of a generated signature proves the compliance of the signer with a credential-based policy. We present a concrete realization of our approach using bilinear pairings over elliptic curves and we prove its security under adapted attack models.

Byzantine Agreement has become increasingly important in establishing distributed properties when there may exist errors in the systems. Recent polynomial algorithms for reaching Byzantine Agreement provide us with feasible solutions for obtaining coordination and synchronization in distributed systems. In this paper we study the amount of information exchange necessary to ensure Byzantine Agreement. This is measured by the number of messages and the number of signatures appended to messages (in case of authenticated algorithms) the participating processors need to send, in the worse case, in order to reach Byzantine Agreement. The lower bound for the number of signatures in the authenticated case is ~(nt), where n is the number of participating processors and t is the upper bound on the number of faults. If n is large compared to t, it matches the upper bounds from previously known algorithms. The lower bound for the number of messages is ~(n+t2). We present an algorithm that achieves this bound and for which the number of phases does not exceed the minimum t+l by more than a constant factor.

In this paper a new signature scheme, called Policy-Endorsing Attribute-Based Signature, is developed to correspond with the existing Ciphertext-Policy Attribute-Based Encryption. This signature provides a policy-and-endorsement mechanism. In this mechanism a single user, whose attributes satisfy the predicate, endorses the message. This signature allows the signer to announce his endorsement using an access policy without having to reveal the identity of the signer. The security of this signature, selfless anonymity and existential unforgeability, is based on the Strong Diffie-Hellman assumption and the Decision Linear assumption in bilinear map groups.

Most prior designated confirmer signature schemes either prove security in the random oracle model (ROM) or use general zero-knowledge proofs for NP statements (making them impractical). By slightly modifying the definition of designated confirmer signatures, Goldwasser and Waisbard presented an approach in which the Confirm and ConfirmedSign protocols could be implemented without appealing to general zero-knowledge proofs for NP statements (their “Disavow” protocol still requires them). The Goldwasser-Waisbard approach could be instantiated using Cramer-Shoup, GMR, or Gennaro-Halevi-Rabin signatures. In this paper, we provide an alternate generic transformation to convert any signature scheme into a designated confirmer signature scheme, without adding random oracles. Our key technique involves the use of a signature on a commitment and a separate encryption of the random string used for commitment. By adding this “layer of indirection,” the underlying protocols in our schemes admit efficient instantiations (i.e., we can avoid appealing to general zero-knowledge proofs for NP statements) and furthermore the performance of these protocols is not tied to the choice of underlying signature scheme. We illustrate this using the Camenisch-Shoup variation on Paillier’s cryptosystem and Pedersen commitments. The confirm protocol in our resulting scheme requires 10 modular exponentiations (compared to 320 for Goldwasser-Waisbard) and our disavow protocol requires 41 modular exponentiations (compared to using a general zero-knowledge proof for Goldwasser-Waisbard). Previous schemes use the “encryption of a signature” paradigm, and thus run into problems when trying to implement the “confirm” and “disavow” protocols efficiently.

This survey provides a comparative overview of code-based signature schemes with respect to security and performance. Furthermore, we explicitly describe serveral code-based signature schemes with additional properties such as identity-based, threshold ring and blind signatures.

Three decades ago public-key cryptosystems made a revolutionary breakthrough in cryptography. They have developed into an indispensable part of our modern communication system. In practical applications RSA, DSA, ECDSA, and similar public key cryptosystems are commonly used. Their security depends on assumptions about the difficulty of certain problems in number theory, such as the Integer Prime Factorization Problem or the Discrete Logarithm Problem.

Known compact e-cash schemes are constructed from signature schemes with efficient protocols and verifiable random functions. In this paper, we introduce a different approach. We construct compact e-cash schemes from bounded accumulators. A bounded accumulator is an accumulator with a limit on the number of accumulated values. We show a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties and instantiate it using an existing pairing-based accumulator and a new signature scheme. Our scheme revokes the secret key of the double-spender directly and thus supports more efficient coin tracing. The new signature scheme has an interesting property that is has the message space of a cyclic group \(\mathbb{G}_1\) equipped with a bilinear pairing, with efficient protocol to show possession of a signature without revealing the signature nor the message. We show that the new scheme is secure in the generic group model. The new signature scheme may be of independent interest.

An identity based signature scheme allows any pair of users to communicate securely and to verify each others signatures without exchanging public key certificates. An aggregate signature scheme is a digital signature scheme which supports aggregation of signatures. Batch verification is a method to verify multiple signatures at once. Aggregate signature is useful in reducing both communication and computation cost. In this paper, we describe the breaks possible in some of the aggregate signature schemes and batch verification scheme.

In this paper, we propose a Directed threshold multisignature scheme without SDC. This signature scheme is applicable when the message is sensitive to the signature receiver; and the signatures are generated by the cooperation of a number of people from a given group of senders. In this scheme, any malicious set of signers cannot impersonate any other set of signers to forge the signatures. In case of forgery, it is possible to trace the signing set.

Informally, an obfuscator O is an (efficient, probabilistic) "compiler" that takes as input a program (or circuit) P and produces a new program O(P ) that has the same functionality as P yet is "unintelligible" in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice's theorem. Most of these applications are based on an interpretation of the "unintelligibility" condition in obfuscation as meaning that O(P ) is a "virtual black box," in the sense that anything one can efficiently compute given O(P ), one could also efficiently compute given oracle access to P .

The McEliece and the Niederreiter public key cryptosystems (PKC) are supposed secure in a post quantum world (4) because there is no ecient quantum algorithm for the underlying problems upon which these cryptosystems are built. The CFS, Stern and KKS signature schemes are post-quantum secure because they are based on hard problems of coding theory. The purpose of this article is to describe what kind of attacks have been proposed against code-based constructions and what is missing.

Chameleon hash function is a trapdoor one-way hash function. The ID-based chameleon hash function was first introduced by Ateniese and Medeiros . As discussed by [1], the general advantages of IDbased cryptography over conventional cryptography with respect to key distribution are even more pronounced in a chameleon hashing scheme, because the owner of a public key does not necessarily need to retrieve the associated secret key. In this paper, we propose two new ID-based Chameleon hashing schemes from bilinear pairings. Also we analyze their security and efficiency. Based on these ID-based chameleon hashes, IDbased chameleon signature schemes can be designed.

In Asiacrypt2001, Boneh, Lynn, and Shacham [8] proposed a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on BLS signature scheme were proposed. BLS short signature needs a special hash function . This hash function is probabilistic and generally inefficient. In this paper, we propose a new short signature scheme from the bilinear pairings that unlike BLS, uses general cryptographic hash functions such as SHA-1 or MD5, and does not require special hash functions. Furthermore, the scheme requires less pairing operations than BLS scheme and so is more efficient than BLS scheme. We use this signature scheme to construct a ring signature scheme and a new method for delegation. We give the security proofs for the new signature scheme and the ring signature scheme in the random oracle model.

Deniable authentication protocol enables a receiver to identify the true source of a given message, but not to prove the identity of the sender to a third party. This property is very useful for providing secure negotiation over the Internet. This paper describes a secure non-interactive deniable authentication protocol using ECDSA signature scheme. The security of the protocol is based on difficulty of breaking Elliptic Curve Discrete Logarithm Problem. It can be implemented in low power and small processor mobile devices such as smart card, PDA etc which work in low power and small processor.

“Certificateless public-key cryptosystem” is a new and attractive paradigm, which avoids the inherent key escrow property in identity-based public-key cryptosystems, and does not need expensive certificates as in the public key infrastructure. A strong security model for certificateless public key encryption was established by Al-Riyami and Paterson in 2003. In this paper, we first present a security model for certificateless public-key signature schemes, and then propose an efficient construction based on bilinear pairings. The security of the proposed scheme can be proved to be equivalent to the computational Diffie-Hellman problem in the random oracle model with a tight reduction.

Since the introduction of nominative signature in 1996, there have been only a few schemes proposed and all of them have already been found flawed. In addition, there is no formal security model defined. Even more problematic, there is no convincing application proposed. Due to these problems, the research of nominative signature has almost stalled and it is unknown if a secure nominative signature scheme can be built or there exists an application for it. In this paper, we give positive answers to these problems. First, we illustrate that nominative signature is a better tool for building user certification systems which are originally believed to be best implemented using a universal designated-verifier signature. Second, we propose a formal definition and a rigorous set of adversarial models for nominative signature. Third, we show that Chaum's undeniable signature can be transformed efficiently to a nominative signature and prove its security.

We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: An efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.

Group signature schemes are cryptographic systems that provide revocable anonymity for signers. We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We will show that the schemes can be used to construct a traceable signature scheme and identity escrow schemes. They can also be extended to provide membership revocation.

The identity (ID) based public key cryptosystem simplifies the key management and provides moderate security with comparison to the certificate based public key cryptosystem. Many signature schemes have been proposed using the identity of user. Proxy signature scheme enables the original signer to delegate his/her signing capability to a proxy signer. Bilinear pairings are useful in signature protocols for the ease of computation. In this paper, we have proposed an ID-based multi-proxy multi-signature scheme from bilinear pairing, using the schemes of Cao and Cao [2, 3] and Li and Chen [7]. We have also discussed the security properties of our scheme.

We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption.

Lattice-based signature schemes following the Goldreich- Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRU Cryptosystemssign. Here, we propose an alternative method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can be solved by a gradient descent. Our approach is very effective in practice: we present the first succesful key-recovery experiments on NTRU Cryptosystemssign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 90,000 signatures are sufficient to recover the NTRU Cryptosystemssign-251 secret key. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges, using a number of signatures which is roughly quadratic in the lattice dimension.

In this paper, we propose an Identity (ID)-based Secure Routing Scheme for secure routing in wireless ad-hoc networks. It make use of Identity based Signature scheme and hash chains to secure the AODV (Ad-hoc on demand distance vector routing) messages. We have used ID based Signature scheme for the immutable fields, that is the fields that remain same throughout the journey of the routing packet and Hash Chains for the mutable fields (fields which changes from node to node) e.g. Hop Count. This system has the following advantages as compared to the previous solutions, most of which uses RSA based Public Key Cryptographic solutions. Firstly, it makes use of Identity based signature scheme which is certificateless thus saving overhead costs of communication and storage. Secondly, in ID based schemes we can use our identity, like our IP address or email ID as our public key, which leads to smaller key size as compared to other cryptographic techniques. Also this system does not require establishment of any third party like PKI (Public-key Infrastructure) at the initial stages of network establishment Index Terms-Security, Wireless Ad-hoc Networks, Routing Protocols, ID-based Cryptography, Secure AODV.

There has been significant progress in the live video streaming systems. However, there has been little study on the security aspect in such systems. Our prior experiences in Anysee exhibit that existing systems are largely vulnerable to intermediate attacks, in which the content pollution is a common attack that can significantly reduce the content availability, and consequently impair the playback quality.

At Crypto 96 Cramer and Damgård proposed an efficient, tree-based, signature scheme that is provably secure against adaptive chosen message attacks under the assumption that inverting RSA is computationally infeasible. In this paper we show how to modify their basic construction in order to achieve a scheme that is provably secure under the assumption that factoring large composites of a certain form is hard. Interestingly our scheme is as efficient as the original Cramer Damgård solution while relying on a seemingly weaker intractability assumption.

Abstract. McEliece is one of the oldest known public key cryptosys-tems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital ...

We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap Diffie-Hellman (GDH) group (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [BLS]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.

We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap Diffie-Hellman (GDH) group (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.

In this paper, a novel Blind Signature Scheme (BSS) based on Nyberg-Rueppel Signature Scheme (NRSS) using Elliptic Curve Discrete Logarithm Problem (ECDLP) has been proposed. Blind signature allows a requester to obtain signature from a signer on any document, in such a ...

We propose and analyze two efficient signature schemes whose security is tightly related to the Diffie-Hellman problems in the random oracle model. The security of our first scheme relies on the hardness of the computational Diffie-Hellman problem; the security of our second scheme-which is more efficient than the first-is based on the hardness of the decisional Diffie-Hellman problem, a stronger assumption. Given the current state of the art, it is as difficult to solve the Diffie-Hellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can also be applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various number-theoretic assumptions) with tight security reductions.

An ID-based cryptosystem enables the user to use public keys without exchanging public key certificates. In this scheme, users can use their identity to generate their public and private keys. The notion of bilinear pairing makes the system easy and efficient providing specific securities. In this paper, we have proposed an ID-based signature scheme from bilinear pairing based on k-plus problem. We show that the proposed scheme is existential unforgeable in the random oracle model under the inverse CDHP assumption. Our scheme is computationally more efficient than other existing schemes.

In this paper we analyse the Digital Signature Algorithm (DSA) and its immunity to the fault cryptanalysis that takes advantage of errors inducted into the private key a. The focus of our attention is on the DSA scheme as it is a widely adopted by the research community, it is known to be vulnerable to this type of attack, but neither sound nor effective modifications to improve its immunity have been proposed. In our paper we consider a new way of implementing the DSA that enhances its immunity in the presence of faults. Our proposal ensures that inducting errors into the private key has no benefits since the attacker cannot deduce any information about the private key given erroneous signatures. The overhead of our proposal is similar to the overhead of obvious countermeasure based on signature verification. However, our modification generates fewer security issues.

In this paper, we propose a new signature scheme that is existentially unforgeable under a chosen message attack without random oracle. The security of our scheme depends on a new complexity assumption called the k+1 square roots assumption. We also discuss the relationship between the k+1 square roots assumption and some related problems and provide some conjectures. Moreover, the k+1 square roots assumption can be used to construct shorter signatures under the random oracle model. As some applications, a new chameleon hash signature scheme and a on-line/off-line signature scheme and a new efficient anonymous credential scheme based on the proposed signature scheme are presented.

Recent results of Ajtai on the hardness of lattice problems have inspired several cryptographic protocols. At Crypto ’97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that there is a major flaw in the design of the scheme which has two implications: any ciphertext leaks information on the plaintext, and the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.

In this paper, we formulate the concept of policy-based cryptography which makes it possible to perform policy enforcement in large-scale open environments like the Internet, with respect to the data minimization principle according to which only strictly necessary information should be collected for a given purpose. We use existing cryptographic primitives based on bilinear pairings over elliptic curves to develop concrete policy-based encryption and signature schemes which allow performing relatively efficient encryption and signature operations with respect to policies formalized as monotonic logical formulae. we illustrate the properties of our policy-based cryptographic schemes through the description of three application scenarios.

In Eurocrypt 2003, Gentry introduced the notion of certificate-based encryption. The merit of certificate-based encryption lies in the following features: (1) providing more efficient public-key infrastructure (PKI) that requires less infrastructure, (2) solving the certificate revocation problem, and (3) eliminating third-party queries in the traditional PKI. In addition, it also solves the inherent key escrow problem in the identity-based cryptography. In this paper, we first introduce a new attack called the “Key Replacement Attack” in the certificate-based system and refine the security model of certificate-based signature. We show that the certificate-based signature scheme presented by Kang, Park and Hahn in CT-RSA 2004 is insecure against key replacement attacks. We then propose a new certificate-based signature scheme, which is shown to be existentially unforgeable against adaptive chosen message attacks under the computational Diffie-Hellman assumption in the random oracle model. Compared with the certificate-based signature scheme in CT-RSA 2004, our scheme enjoys shorter signature length and less operation cost, and hence, our scheme outperforms the existing schemes in the literature.

Universal Designated-Verifier Signature (UDVS) schemes are digital signature schemes with additional functionality which allows any holder of a signature to designate the signature to any desired designated-verifier such that the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. Since UDVS schemes reduce to standard signatures when no verifier designation is performed, it is natural to ask how to extend the classical Schnorr or RSA signature schemes into UDVS schemes, so that the existing key generation and signing implementation infrastructure for these schemes can be used without modification. We show how this can be efficiently achieved, and provide proofs of security for our schemes in the random oracle model.

Veriably encrypted signatures are used when Alice wants to sign a message for Bob but does not want Bob to possess her signature on the message until a later date. Such signatures are used in optimistic contact signing to provide fair exchange. Partially blind signature schemes are an extension of blind signature schemes that allows a signer to sign a

McEliece is one of the oldest known public key cryptosys- tems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical

In this paper we present a method of attacking public-key cryptosystems (PKCs) on tamper resistant devices. The attack makes use of transient faults and seems applicable to many types of PKCs. In particular, we show how to attack the RSA, the ElGamal signature scheme, the Schnorr signature scheme, and the DSA. We also present some possible methods to counter the attack.

This survey provides a comparative overview of code-based signature schemes with respect to security and performance. Furthermore, we explicitly describe serveral code-based signature schemes with additional properties such as identity-based, threshold ring and blind signatures.

In this paper, a new identity-based identification scheme based on error-correcting codes is proposed. Two well known code-based schemes are combined : the signature scheme by Courtois, Finiasz and Sendrier and an identification scheme by Stern. A proof of security for the scheme in the Random Oracle Model is given.

In this paper we evaluate the power consumption of different digital signature schemes. We compare the cost of the Elliptic Curve Digital Signature Algorithm with signature schemes solely based on symmetric techniques such as the Diffie-Lamport one-time signature scheme. These evaluations take into account all aspects of using digital signatures in wireless environments: energy consumption of key generation, signing and verification, and the communication cost of sending and receiving the necessary data (including the public keys and the necessary data to authenticate them).

In this paper, we propose a novel privacy-preserving location assurance protocol for secure location-aware services over vehicular ad hoc networks (VANETs). In particular, we introduce the notion of location-aware credentials based on “hash-sign-switch” paradigm so as to guarantee the trustworthiness of location in location-aware services while providing conditional privacy preservation which is a desirable property for secure vehicular communications. Furthermore, the proposed protocol provides efficient procedures that alleviate a burden of computation for location-aware signature generation and verification on vehicles in VANETs. In order to achieve these goals, we consider online/offline signature scheme and identity-based aggregate signature scheme as our building blocks. Finally, we demonstrate experimental results to confirm the efficiency and effectiveness of the proposed protocol.

Broadcast authentication is a critical security service in wireless sensor networks (WSNs), as it allows mobile users of WSNs to broadcast messages to multiple sensor nodes in a secure way. Although symmetric-key-based solutions such as µTESLA and multilevel µTESLA have been proposed, they all suffer from severe energy-depletion attacks resulting from the nature of delayed message authentication. This paper presents several efficient public-key-based schemes to achieve immediate broadcast authentication and thus avoid the security vulnerability that is intrinsic to µTESLA-like schemes. Our schemes are built upon the unique integration of several cryptographic techniques, including the Bloom filter, the partial message-recovery signature scheme, and the Merkle hash tree. We prove the effectiveness and efficiency of the proposed schemes by a comprehensive quantitative analysis of their energy consumption in both computation and communication.