References O. Goldreich. Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University

Size: px

Start display at page:

Download "References O. Goldreich. Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University"

Georgia Knight
6 years ago
Views:

1 References 1. M. Abdalla, J. H. An, M. Bellare, and C. Namprempre. From identification to signatures via the Fiat-Shamir transform: Necessary and sufficient conditions for security and forwardsecurity. IEEE Transactions on Information Theory, 54(8): , J.H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In Advances in Cryptology Eurocrypt 2002, volume 2332 of LNCS, pages Springer, B. Barak and M. Mahmoody-Ghidary. Lower bounds on signatures from symmetric primitives. In 48th Annual Symposium on Foundations of Computer Science (FOCS), pages IEEE, N. Bari and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Advances in Cryptology Eurocrypt 97, volume 1233 of LNCS, pages Springer, M. Bellare and S. Micali. How to sign given any trapdoor function. In Advances in Cryptology Crypto 88, volume 403 of LNCS, pages Springer, M. Bellare and S. Micali. How to sign given any trapdoor function. Journal of the ACM, 39(1): , M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Advances in Cryptology Asiacrypt 2000, volume 1976 of LNCS, pages Springer, M. Bellare and T. Ristenpart. Simulation without the artificial abort: Simplified proof and improved concrete security for Waters IBE scheme. In Advances in Cryptology Eurocrypt 2009, volume 5479 of LNCS, pages Springer, M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In 1st ACM Conference on Computer and Communications Security, pages ACM Press, M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Advances in Cryptology Eurocrypt 96, volume 1070 of LNCS, pages Springer, M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology Crypto 97, volume 1294 of LNCS, pages Springer, M. Bellare and S. Shoup. Two-tier signatures from the Fiat-Shamir transform, with applications to strongly unforgeable and one-time signatures. IET Proc. Information Security, 2(2):47 63, D. J. Bernstein. Proving tight security for Rabin-Williams signatures. In Advances in Cryptology Eurocrypt 2008, volume 4965 of LNCS, pages Springer,

2 186 References 14. J. Black. The ideal-cipher model, revisited: An uninstantiable blockcipher-based hash function. In Fast Software Encryption FSE 2006, volume 4047 of LNCS, pages Springer, D. Bleichenbacher and U. M. Maurer. On the efficiency of one-time digital signatures. In Advances in Cryptology Asiacrypt 96, volume 1163 of LNCS, pages Springer, M. Blum. Coin flipping by telephone. In Proc. IEEE Spring COMPCOM, pages , D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the American Mathematical Society, 46(2): , D. Boneh and X. Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology, 21(2): , D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. Journal of Cryptology, 17(4): , September J. N. Bos and D. Chaum. Provably unforgeable signatures. In Advances in Cryptology Crypto 92, volume 740 of LNCS, pages Springer, E. F. Brickell, D. Pointcheval, S. Vaudenay, and M. Yung. Design validations for discrete logarithm based signature schemes. In 3rd Intl. Workshop on Theory and Practice in Public Key Cryptography(PKC 2000), volume 1751 of LNCS, pages Springer, D. R. L. Brown. Generic groups, collision resistance, and ECDSA. Designs, Codes, and Cryptography, 35(1): , C. Cachin, S. Micali, and M. Stadler. Computationally private information retrieval with polylogarithmic communication. In Advances in Cryptology Eurocrypt 99, volume 1592 of LNCS, pages Springer, J. Camenisch and A. Lysyanskaya. A signature scheme with efficient protocols. In 3rd Intl. Conf. on Security in Communication Networks (SCN), volume 2576 of LNCS, pages Springer, R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4): , D. Catalano and R. Gennaro. Cramer-Damgård signatures revisited: Efficient flat-tree signatures based on factoring. In 8th Intl. Workshop on Theory and Practice in Public Key Cryptography(PKC 2005), volume 3386 of LNCS, pages Springer, B. Chevallier-Mames and M. Joye. A practical and tightly secure signature scheme without hash function. In Cryptographers Track RSA 2007, volume 4377 of LNCS, pages Springer, J.-S. Coron. On the exact security of full domain hash. In Advances in Cryptology Crypto 2000, volume 1880 of LNCS, pages Springer, J.-S. Coron. Optimal security proofs for PSS and other signature schemes. In Advances in Cryptology Eurocrypt 2002, volume 2332 of LNCS, pages Springer, J.-S. Coron and T. Icart. An indifferentiable hash function into elliptic curves. Available at J.-S. Coron and D. Naccache. Security analysis of the Gennaro-Halevi-Rabin signature scheme. In Advances in Cryptology Eurocrypt 2000, volume 1807 of LNCS, pages Springer, R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, University of Amsterdam, R. Cramer and I. Damgård. Secure signature schemes based on interactive protocols. In Advances in Cryptology Crypto 95, volume 963 of LNCS, pages Springer, R. Cramer and I. Damgård. New generation of secure and practical RSA-based signatures. In Advances in Cryptology Crypto 96, volume 1109 of LNCS, pages Springer, R. Cramer and T. Pedersen. Efficient and provable security amplifications. Technical Report CS-R9529, CWI, R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. ACM Transactions on Information and System Security, 3(3): , 2000.

3 References I. Damgård. Collision free hash functions and public key signature schemes. In Advances in Cryptology Eurocrypt 87, volume 304 of LNCS, pages Springer, I. Damgård. A design principle for hash functions. In Advances in Cryptology Crypto 89, volume 435 of LNCS, pages Springer, A. De Santis and M. Yung. On the design of provably secure cryptographic hash functions. In Advances in Cryptology Eurocrypt 90, volume 473 of LNCS, pages Springer, W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6): , Y. Dodis and L. Reyzin. On the power of claw-free permutations. In 3rd Intl. Conf. on Security in Communication Networks (SCN), volume 2576 of LNCS, pages Springer, C. Dwork and M. Naor. An efficient existentially unforgeable signature scheme and its applications. Journal of Cryptology, 11(3): , C. Dwork, M. Naor, O. Reingold, and L. Stockmeyer. Magic functions. Journal of the ACM, 50(6): , T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31: , S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. Journal of Cryptology, 9(1):35 67, U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1(2):77 94, A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology Crypto 86, volume 263 of LNCS, pages Springer, M. Fischlin. The Cramer-Shoup strong-rsa signature scheme revisited. In 6th Intl. Workshop on Theory and Practice in Public Key Cryptography(PKC 2003), volume 2567 of LNCS, pages Springer, M. Fischlin and R. Fischlin. The representation problem based on factoring. In Cryptographers Track RSA 2002, volume 2271 of LNCS, pages Springer, E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology Crypto 97, volume 1294 of LNCS, pages Springer, S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16): , R. Gennaro, Y. Gertner, J. Katz, and L. Trevisan. Bounds on the efficiency of generic cryptographic constructions. SIAM Journal on Computing, 35(1): , R. Gennaro, S. Halevi, and T. Rabin. Secure hash-and-sign signatures without the random oracle. In Advances in Cryptology Eurocrypt 99, volume 1592 of LNCS, pages Springer, E.-J. Goh, S. Jarecki, J. Katz, and N. Wang. Efficient signature schemes with tight reductions to the Diffie-Hellman problems. Journal of Cryptology, 20(4): , O. Goldreich. Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In Advances in Cryptology Crypto 86, volume 263 of LNCS, pages Springer, O. Goldreich. Foundations of Cryptography, vol. 1: Basic Tools. Cambridge University Press, Cambridge, UK, O. Goldreich. Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University Press, Cambridge, UK, S. Goldwasser and Y. Tauman Kalai. On the (in)security of the Fiat-Shamir paradigm. In 44th Annual Symposium on Foundations of Computer Science (FOCS), pages IEEE, S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2): , S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1): , 1989.

4 188 References 61. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2): , S. Goldwasser, S. Micali, and A. C.-C. Yao. Strong signature schemes. In 15th Annual ACM Symposium on Theory of Computing (STOC), pages ACM Press, L. C. Guillou and J.-J. Quisquater. A paradoxical indentity-based signature scheme resulting from zero-knowledge. In Advances in Cryptology Crypto 88, volume 403 of LNCS, pages Springer, J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4): , D. Hofheinz and E. Kiltz. Programmable hash functions and their applications. In Advances in Cryptology Crypto 2008, volume 5157 of LNCS, pages Springer, S. Hohenberger and B. Waters. Realizing hash-and-sign signatures under standard assumptions. In Advances in Cryptology Eurocrypt 2009, volume 5479 of LNCS, pages Springer, S. Hohenberger and B. Waters. Short and stateless signatures from the RSA assumption. In Advances in Cryptology Crypto 2009, volume 5677 of LNCS, pages Springer, Q. Huang, D. S. Wong, and Y. Zhao. Generic transformation to strongly unforgeable signatures. In ACNS 07: 5th International Conference on Applied Cryptography and Network Security (ACNS), volume 4521 of LNCS, pages Springer, M. Jakobsson. Reducing costs in identification protocols. Presented at the rump session of Crypto Available at M. Joye. How (not) to design strong-rsa signatures. Designs, Codes, and Cryptography. To appear. 71. J. Katz and C.-Y. Koo. On constructing universal one-way hash functions from arbitrary one-way functions. Available at J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC Press, J. Katz and N. Wang. Efficiency improvements for signature schemes with tight security reductions. In ACM CCS 03: 10th ACM Conference on Computer and Communications Security, pages ACM Press, H. Krawczyk and T. Rabin. Chameleon signatures. In Network and Distributed System Security Symposium NDSS The Internet Society, K. Kurosawa and K. Schmidt-Samoa. New online/offline signature schemes without random oracles. In 9th Intl. Conference on Theory and Practice of Public Key Cryptography(PKC 2006), volume 3958 of LNCS, pages Springer, L. Lamport. Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI Intl. Computer Science Laboratory, October J. Malone-Lee and N. P. Smart. Modifications of ECDSA. In SAC 2002: 9th Annual International Workshop on Selected Areas in Cryptography (SAC), volume 2595 of LNCS, pages Springer, R. C. Merkle. Protocols for public key cryptosystems. In IEEE Symposium on Security & Privacy, pages IEEE, R. C. Merkle. A digital signature based on a conventional encryption function. In Advances in Cryptology Crypto 87, volume 293 of LNCS, pages Springer, R. C. Merkle. A certified digital signature (that antique paper from 1979). In Advances in Cryptology Crypto 89, volume 435 of LNCS, pages Springer, R. C. Merkle. One way hash functions and DES. In Advances in Cryptology Crypto 89, volume 435 of LNCS, pages Springer, S. Micali. A secure and efficient digital signature algorithm. Technical Report MIT/LCS/TM- 501b, Massachusetts Institute of Technology, Laboratory for Computer Science, April S. Micali, M. O. Rabin, and S. P. Vadhan. Verifiable random functions. In 40th Annual Symposium on Foundations of Computer Science (FOCS), pages IEEE, S. Micali and L. Reyzin. Improving the exact security of digital signature schemes. Journal of Cryptology, 15(1):1 18, 2002.

5 References M. Mitzenmacher and A. Perrig. Bounds and improvements for BiBa signature schemes. Technical Report TR-02-02, Harvard University, D. Naccache, D. Pointcheval, and J. Stern. Twin signatures: An alternative to the hash-andsign paradigm. In ACM CCS 01: 8th ACM Conference on Computer and Communications Security, pages ACM Press, M. Naor. On cryptographic assumptions and challenges (invited talk). In Advances in Cryptology Crypto 2003, volume 2729 of LNCS, pages Springer, M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In 21st Annual ACM Symposium on Theory of Computing (STOC), pages ACM Press, J. B. Nielsen. Separating random oracle proofs from complexity theoretic proofs: The noncommitting encryption case. In Advances in Cryptology Crypto 2002, volume 2442 of LNCS, pages Springer, National Institute of Standards and Technology. Digital signature standard (DSS). Federal Information Processing Standards (FIPS) Publication #186-3, Available at K. Ohta and T. Okamoto. A modification of the Fiat-Shamir scheme. In Advances in Cryptology Crypto 88, volume 403 of LNCS, pages Springer, K. Ohta and T. Okamoto. On concrete security treatment of signatures derived from identification. In Advances in Cryptology Crypto 98, volume 1462 of LNCS, pages Springer, T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Advances in Cryptology Crypto 92, volume 740 of LNCS, pages Springer, H. Ong and C.-P. Schnorr. Fast signature generation with a Fiat-Shamir-like scheme. In Advances in Cryptology Eurocrypt 90, volume 473 of LNCS, pages Springer, PKCS #1 version 2.1: RSA cryptography standard. RSA Data Security, Inc., Available at D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3): , M. O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report MIT/LCS/TR-212, Laboratory for Computer Science, MIT, January L. Reyzin and N. Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In 7th Australian Conference on Information Security and Privacy, ACISP 2002, volume 2384 of LNCS, pages Springer, R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2): , J. Rompel. One-way functions are necessary and sufficient for secure signatures. In 22nd Annual ACM Symposium on Theory of Computing (STOC), pages ACM Press, C.-P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3): , A. Shamir. On the generation of cryptographically strong pseudorandom sequences. ACM Trans. on Computer Systems, 1(1):38 44, A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Advances in Cryptology Crypto 2001, volume 2139 of LNCS, pages Springer, V. Shoup. On the security of a practical identification scheme. Journal of Cryptology, 12(4): , V. Shoup. A composition theorem for universal one-way hash functions. In Advances in Cryptology Eurocrypt 2000, volume 1807 of LNCS, pages Springer, R. Steinfeld, J. Pieprzyk, and H. Wang. How to strengthen any weakly unforgeable signature into a strongly unforgeable signature. In Cryptographers Track RSA 2007, volume 4377 of LNCS, pages Springer, 2007.

6 190 References 107. S. Vaudenay. The security of DSA and ECDSA. In 6th Intl. Workshop on Theory and Practice in Public Key Cryptography(PKC 2003), volume 2567 of LNCS, pages Springer, L. Washington. Elliptic Curves: Number Theory and Cryptography. CRC Press, B. R. Waters. Efficient identity-based encryption without random oracles. In Advances in Cryptology Eurocrypt 2005, volume 3494 of LNCS, pages Springer, H. C. Williams. A modification of the RSA public-key encryption procedure. IEEE Transactions on Information Theory, 26(6): , 1980.

7 Index attacks (adaptive) chosen-message, 13, known-message, 13, 15 16, 23, 27, 109 random-message, 12, 14 15, replay, 10, 11 bilinear maps, 121 signature schemes based on, Blum integer, 47, 48, 178 Boneh-Boyen scheme, 125 Boneh-Lynn-Shacham scheme, 145 canonical identification schemes, see identification schemes, canonical clawfree permutation construction of hash function from, clawfree trapdoor permutation, 41 43, 143, 147, 149 doubly enhanced, 43, 48, 51, 143 from the factoring assumption, from the RSA assumption, 51 collision-resistant hash function, see hash function, collision-resistant constructions of signature schemes based on bilinear maps, , based on the RSA assumption, , based on the strong RSA assumption, chain-based signatures, 75 CMA-security from KMA-security, 23 27, 98 CMA-security from RMA-security, from any one-way function, 83 from identification schemes, full-domain hash, Lamport scheme, 74 strong unforgeability from unforgeability, the Boneh-Boyen scheme, the Boneh-Lynn-Shacham scheme, 145 the Cramer-Damgård scheme, the Cramer-Shoup scheme, 98 the Dwork-Naor scheme, the Fischlin scheme, the Gennaro-Halevi-Rabin scheme, the Hohenberger-Waters scheme, the Lamport scheme, the Waters scheme, tree-based signatures, 77 Cramer-Damgård scheme, 100 Cramer-Shoup scheme, 112 definitions of security identification schemes, 157 relations between, 18 signature schemes, Diffie-Hellman assumptions, 53, 127, 128, 183 Digital Signature Standard (DSS), 183 discrete logarithm assumption, 52 53, 122, 180 construction of hash functions from, doubly enhanced, see clawfree trapdoor permutation, doubly enhanced, see trapdoor permutation, doubly enhanced Dwork-Naor scheme, 92 existential unforgeability, 11, factoring assumption, 43 50, 56, 172, 174 clawfree trapdoor permutation from, 47 trapdoor permutations from, 47 Fiat-Shamir identification scheme, Fiat-Shamir transform,

8 192 Index Fischlin scheme, 114 full-domain hash (FDH), probabilistic, tigher security reduction for, variant of, Gennaro-Halevi-Rabin scheme, 117 Goldwasser-Micali-Rackoff identification scheme, Guillou-Quisquater identification scheme, hash function, 53 collision-resistant, 54 55, 58, constructions of, Merkle-Damgård transform, universal one-way, 54, 62 64, 73, 81 constructions of, Hohenberger-Waters scheme, 106 honest-verifier zero knowledge, see identification schemes, honest-verifier zero knowledge special, 170 identification schemes canonical, 159 definition of security for, 157 Fiat-Shamir transform, functional definition of, 156 honest-verifier zero knowledge, 164, 165, 170 parallel repetition of, 171 special soundness, 164, 165, 170 the Fiat-Shamir scheme, the Goldwasser-Micali-Rackoff scheme, the Guillou-Quisquater scheme, the Ong-Schnorr scheme, the Schnorr scheme, Lamport one-time signature scheme, Merkle-Damgård transform, message authentication codes comparison with signature schemes, 4 6 message space, 9 fixed vs. key-dependent, 10 increasing the size of, 30 32, negligible (definition), 7 on-line/off-line signature schemes, 27 one-time signature scheme, 23, 27, 64, 70 74, 99, 171 constructing signatures from, 75 one-way function, necessary for signatures, 39 SHA-1 as, 69 sufficient for one-time signatures, 70 sufficient for signatures, 83 one-way permutation, 36 39, 73 construction of universal one-way hash function from, 59 Ong-Schnorr identification scheme, pseudorandom function use in constructing signatures, 82 RSA assumption, 50 52, 56, 143, 147, 176 clawfree trapdoor permutation from, 51 signature schemes based on, , Schnorr identification scheme, security computational, 7 9 unconditional, 6 7 sigma protocols (Σ-protocols), 182 signature schemes definitions of security for, functional definition of, 9 one-time, 12, 17 properties of, 4 stateful vs. stateless, 11 special soundness, see identification schemes, special soundness stateful signature scheme, 11, 75 82, 92, 100, 119 definition of, 75 strong Diffie-Hellman assumption, 123 strong RSA assumption, 90 signature schemes based on, strong unforgeability, 12, 14 18, 27 30, 33, 73 from unforgeability, 27 trapdoor permutation, 39 41, 85, 143 doubly enhanced, 40, 51, 143 from the factoring assumption, 47 from the RSA assumption, 51 universal one-way hash function, see hash function, universal one-way Waters scheme, 128

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu