Article

A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks


Abstract

We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery be equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.


... In a well-known and widely cited paper [12], the authors provide a classification of security strength for signature schemes. Besides the commonly used notion of existential forgery, they also indicate some weaker notions, like the second on the top list, namely selective forgery, where a signature must be forged for a particular message chosen a priori by the adversary. ...
... , we obtain after taking (9), (10) and (12) into account, that ...
... By (1) we know that node \(= (A', (b'_i)_{i\in[h-1]}, C')\), where \(A' = \tau^{x_1}\cdot\big(u_{0,0}\prod_{i=h}^{\ell} u_i^{t_i}\big)^{r}\), \(b'_i = u_i^{r}\) and \(C' = g_2^{r}\). Choosing \(\xi \xleftarrow{\$} \mathbb{F}_p\) uniformly at random and putting \(r = \xi - (t_{i_0} - t^*_{i_0})^{-1}\cdot\alpha^{\ell+1-i_0}\), we get, after having regard to the substitutions (9), (10) and (12), that ... Finally, let \(\sigma = (\sigma_1, \sigma_2, (\sigma_{3,j})_{j\in[l]})\) be a forged signature of \(m^*\) in the time period \(t^*\); then according to (7) we know that \(e(\sigma^*_1, g_2) = \hat e(g_1^{y} g_1^{\alpha^{\ell}}, g_2^{\alpha}) \cdot \hat e(g_1^{Y_0(t^*)}, \sigma^*_2) \cdot \prod_{j=1}^{l} \hat e(g_1^{Y_j(m^*_{j,i})}, \sigma^*_{3,j}) = \hat e((g_1^{\alpha})^{y}, g_2) \cdot \hat e(g_1^{(\alpha^{\ell+1})}, g_2) \cdot \hat e(g \ldots\) ...
... As the security of digital signatures, we consider the ordinary existential unforgeability against the chosen message attack (EUF-CMA) [12] defined by the following experiment. Let Sig be the signing oracle provided to an adversary. ...
... Let \(pp^*\) be an instance given to the k-resilience adversary \(B_{(op,12)}\). Then \(B_{(op,12)}\) invokes Game \(1+b\) for \(b \in \{0, 1\}\) with the adversary \(A_{(op,12)}\). \(B_{(op,12)}\) generates public and secret keys \((pk_s, sk_s)\) and \((pk_e, sk_e)\), a simulated CRS \(crs_1\), and an honestly generated CRS \(crs_2\). ...
Article
The group signature with message dependent opening (GS-MDO) is a variant of the group signature in the sense that the opening authority is split into two parties called the opener and the admitter. Most known constructions of GS-MDO consider the static model. The only scheme using the dynamic model by Sun and Liu has a problem of the anonymity against the admitter in the real-world usage because the signing process requires the interaction between the signer and the admitter. In this paper, we restart the line of research of GS-MDO in the dynamic setting. We introduce the definition of the dynamic group signature with message dependent opening (DGS-MDO) with the security requirements and propose a generic construction. By instantiating our construction with appropriate primitives, we can obtain a DGS-MDO scheme with the standard model security, constant signature size and non-interactive signing process.
... Next, we define a secure signature scheme. For this purpose, we use the security notion defined in [44]. ...
... Definition 4 (Secure signatures [44]). A signature scheme S is existentially unforgeable under an adaptive chosen message attack if there is no forger who \((t, q_S, \epsilon)\)-breaks S with non-negligible \(\epsilon\) with polynomial \(t\) and \(q_S\). ...
Article
Full-text available
Recent advances in quantum-computing technology have threatened the security of classical cryptographic algorithms. This initiated research on Post-Quantum Cryptography (PQC), and the National Institute of Standards and Technology (NIST) PQC standardization is in progress. Coping with the current situation in which the security of existing cryptographic algorithms is already in question and that of new cryptographic algorithms is not yet certain, there has been active research on hybrid schemes combining two algorithms such that the security of the combined scheme is based on both underlying algorithms. For digital signatures, a naive solution for a hybrid scheme is to simply concatenate a classical signature and a quantum-resistant signature. In this paper, however, we propose a compact hybrid signature construction method that combines two randomized signatures such that the size of the combined signature is shorter than that of naive concatenation. Our construction allows for selective verification, which provides backward compatibility and conformance with existing regulations. We demonstrate the feasibility of the proposed method by combining ECDSA P-256 and Falcon-512, which are representative classical and post-quantum signature schemes, respectively. We prove that the combined signature is existentially unforgeable against an adaptive chosen-message attack, even if one of the underlying signature schemes is completely broken and only the other one remains secure. Through experiments on a desktop PC and Raspberry Pi 3 Model B, we verify that the proposed method effectively reduces the combined signature size with negligible computational overhead. Our experimental results demonstrate the proposed method is also applicable to PQC-PQC combinations.
... has a property known as the 'adaptive hardcore bit' [5] (described in more detail in the next section), which enables a particularly simple measurement scheme. The second protocol circumvents the need for this special property and, thus, applies to a more general class of cryptographic functions; here we use a function from the Rabin cryptosystem [34,35]. By using an additional interaction round, the cryptographic information is condensed onto the state of a single qubit. ...
... The function \(f(x) = x^2 \bmod N\), with N being the product of two primes p and q, was originally introduced in the context of digital signatures [34,35]. ... challenge mirrors one explored in classical computer science, which asks whether a sceptical, computationally bounded 'verifier' who is not powerful enough to validate a given statement on their own can be convinced of its veracity by a more powerful but untrusted 'prover'. ...
Article
Full-text available
The ability to perform measurements in the middle of a quantum circuit is a powerful resource. It underlies a wide range of applications, from remote state preparation to quantum error correction. Here we apply mid-circuit measurements for a particular task: demonstrating quantum computational advantage. The goal of such a demonstration is for a quantum device to perform a computational task that is infeasible for a classical device with comparable resources. In contrast to existing demonstrations, the distinguishing feature of our approach is that the classical verification process is efficient, both in asymptotic complexity and in practice. Furthermore, the classical hardness of performing the task is based upon well-established cryptographic assumptions. Protocols with these features are known as cryptographic proofs of quantumness. Using a trapped-ion quantum computer, we perform mid-circuit measurements by spatially isolating portions of the ion chain via shuttling. This enables us to implement two interactive cryptographic proofs of quantumness, which when suitably scaled to larger systems, promise the efficient verification of quantum computational advantage. Our methods can be applied to a range of interactive quantum protocols.
... For preciseness of argument, we show the security of our recommended DSig configuration, which uses W-OTS+ [46] as its underlying HBSS (§5). Specifically, we show that this configuration of DSig is Existentially Unforgeable under Chosen-Message Attacks (EUF-CMA) [39] and that it provides 128-bit security, which is safe by today's standards [7]. EUF-CMA security. ...
Preprint
Full-text available
Data centers increasingly host mutually distrustful users on shared infrastructure. A powerful tool to safeguard such users is digital signatures. Digital signatures have revolutionized Internet-scale applications, but current signatures are too slow for the growing genre of microsecond-scale systems in modern data centers. We propose DSig, the first digital signature system to achieve single-digit microsecond latency to sign, transmit, and verify signatures in data center systems. DSig is based on the observation that, in many data center applications, the signer of a message knows most of the time who will verify its signature. We introduce a new hybrid signature scheme that combines cheap single-use hash-based signatures verified in the foreground with traditional signatures pre-verified in the background. Compared to prior state-of-the-art signatures, DSig reduces signing time from 18.9 to 0.7 µs and verification time from 35.6 to 5.1 µs, while keeping signature transmission time below 2.5 µs. Moreover, DSig achieves 2.5x higher signing throughput and 6.9x higher verification throughput than the state of the art. We use DSig to (a) bring auditability to two key-value stores (HERD and Redis) and a financial trading system (based on Liquibook) for 86% lower added latency than the state of the art, and (b) replace signatures in BFT broadcast and BFT replication, reducing their latency by 73% and 69%, respectively.
... Therefore, proof unforgeability depends on the security of CBC MAC. A secure MAC must defend against the adaptive chosen-message attack to resist potential forgery [4], [12], [21]. As for CBC MAC, its security is bounded by the insecurity of \(\mathrm{CBC}^{m}\text{-}F\), where F is a pseudo-random function (PRF) or pseudo-random permutation (PRP), as shown in Theorem 1 [3]. ...
... In this case, KeyGen(1 k , ) receives the maximum number of messages as input. A signature scheme must fulfill the correctness and existential unforgeability properties [32], which we recall below. ...
Article
Full-text available
Decentralized, offline, and privacy-preserving e-cash could fulfil the need for both scalable and byzantine fault-resistant payment systems. Existing offline anonymous e-cash schemes are unsuitable for distributed environments due to a central bank. We construct a distributed offline anonymous e-cash scheme, in which the role of the bank is performed by a quorum of authorities, and present its two instantiations. Our first scheme is compact, i.e. the cost of the issuance protocol and the size of a wallet are independent of the number of coins issued, but the cost of payment grows linearly with the number of coins spent. Our second scheme is divisible and thus the cost of payments is also independent of the number of coins spent, but the verification of deposits is more costly. We provide formal security proof of both schemes and compare the efficiency of their implementations.
... Aggregate signature security is similar to the non-existence of a forger capable, within the limits of some exact game, of existential forging. The unforgeability of EASB is based on the adaptive chosen-message attack with existential forgery [58], which means the forger tries to forge EASB and the forger chooses the messages. The adaptive chosen-message model for the security of aggregate signatures uses messages chosen by a forger with challenger C's oracle, along with some previously obtained signature queries. ...
Article
Full-text available
An aggregate signature is a digital signature where different individual signatures from various messages create a single short signature. It is helpful to reduce storage cost, bandwidth, and quick verification, which is attractive for different blockchain applications. However, several aggregate signatures depend on pairing-based cryptography, which produces high computation costs. We propose an aggregate signature that is pairing-free and depends upon ECDSA. The scheme is the first aggregate signature scheme that is computationally efficient and does not require extra parameters and costs for signature aggregation and verification in blockchain applications. Moreover, the secure secp256k1 elliptic curve is used for group element generation and ECDSA for signature generation. Besides this, the security proof follows the random oracle model, and the hardness is ECDLP. Application of this scheme requires 90% less time than pairing-based schemes and 70% less than pairing-free schemes, especially for Blockchain.
... In the domain of cryptographic protocols, there are two main abstractions for performing security verification: computational and symbolic [21]. The computational model [61,60] considers terms as bitstrings, cryptographic algorithms are functions over bitstrings, and the adversary is represented as a probabilistic polynomial-time Turing machine. The symbolic model [47] abstracts the bitstrings as algebraic terms, and an equational theory captures the expected properties of cryptographic algorithms. ...
... In addition, cryptocurrencies have mechanisms to solve other security problems, such as the possible occurrence of double spending when multiple transactions are performed simultaneously [5], [6], [7], [8] or a fork occurring when multiple longest blockchains exist [9], [10]. The consensus mechanism is one of the most important tools that a cryptocurrency uses to ensure consistency and integrity. ...
Thesis
Full-text available
Nowadays, industrial revolution 4.0 is at the forefront of socio-economic development in many countries. As one of the most developed countries, Japan has proposed new socio-economic criteria called Super Smart Society 5.0 as a future society to aspire to. Many state-of-the-art technologies such as Data Science, Big Data, Artificial Intelligence (AI), Robotics, the Internet of Things (IoT), Blockchain, and so on are the backbone of Society 5.0. The data for IoT, robotics, Big Data, or even AI are transferred through cyberspace. Cybersecurity requirements receive more and more attention in order to protect data from malicious attackers. One of the main reasons is that many current networks are centralized, in which the cloud servers keep and control their whole systems. It will be dangerous if the centralized servers are attacked, which gives rise to some well-known cybersecurity problems such as data threats, server crash attacks, data loss, etc. A new technology called blockchain was invented to avoid these concerns and has become popular. Blockchain is a distributed database recording digital events, important data, or digital currency transactions that have been executed and shared among participating nodes in the network. Accordingly, blockchain is a decentralized network that stores data in blocks, and these blocks are chained together through cryptographic hash functions. This helps the network easily verify that all data in the chain of blocks are kept intact from the beginning. One of the most famous blockchain applications is cryptocurrencies, widely known as Bitcoin, Litecoin, Ethereum, etc. They use Proof-of-Work (PoW) as the consensus mechanism for adding new blocks to the blockchain through the mining process. This process requires miners to perform hash computations until a valid nonce is found to add a new block to the blockchain. The development of low-energy, high-performance hardware for blockchain mining is gaining widespread attention.
The mining process for proof-of-work (PoW) in conventional cryptocurrencies' blockchains is increasingly being replaced by Application-Specific Integrated Circuits (ASICs). This leads to many security threats for the blockchain network because it decreases security and increases power consumption for mining. Therefore, Scrypt, the most representative ASIC-resistant algorithm, was developed to solve this problem. However, there are still some problems and challenges with the current Scrypt hardware. This thesis presents a new hardware architecture for the Scrypt algorithm intended for a PoW-based cryptocurrency mining system. The proposed Multi ROMix Scrypt Accelerator (MRSA) hardware architecture applies several optimization techniques: configuration, local-memory computing with high-performance pipelined Multi ROMix, and rescheduling resources to significantly increase processing speed, flexibility, and energy efficiency. For evaluation, the MRSA is implemented on Field-Programmable Gate Arrays (FPGAs) to examine its actual performance, consumption, and correctness. Evaluation results on a Xilinx system-on-chip (SoC) with the ALVEO U280 Data Center Accelerator Card FPGA show that the MRSA is much more power-efficient than some of the most powerful commercial CPUs, GPUs, and other FPGA implementations. On the ALVEO U280, the MRSA achieves a maximum hash rate of 296.76 kHash/s, a throughput of 304.9 Mbps when reaching a maximum frequency of 259.94 MHz, and power consumption of 18.12 W. The energy efficiency of the MRSA on the ALVEO U280 SoC is 52.83 and 867.88 times higher than those on an RTX 3090 GPU and an i9-10940X CPU, respectively.
... A signature scheme DS is defined by a 4-tuple (Pgen, KGen, Sig, Vf) [24]. Pgen is a PPT parameter generator that generates a public parameter K on a security parameter \(1^\lambda\). ...
Article
The security of Schnorr signature Sch has been widely discussed so far. Recently, Fuchsbauer, Plouviez and Seurin gave a tight reduction that proves EUF-CMA of Sch in the random oracle (ROM) with the algebraic group model (AGM) from the discrete logarithm (DL) assumption at EUROCRYPT 2020. Kiltz, Masny and Pan considered multi-user security of Sch at CRYPTO 2016, whereas Fuchsbauer et al. considered the single-user security only. More precisely, Kiltz et al. constructed a tight reduction from EUF-CMA to MU-EUF-CMA. Combining these two results will likely enable us to construct a tight reduction that proves MU-EUF-CMA security of Sch in AGM+ROM from DL assumption. Against such an intuition, we show an impossibility on proving MU-EUF-CMA of Sch in AGM+ROM only by combining them in this paper. To estimate our impossibility result, we also discuss why the result by Fuchsbauer et al. cannot be applied to MU-EUF-CMA setting. Our result therefore suggests that we are required to develop a new proof technique beyond the algebraic reduction or to find a new form of public keys other than that considered in our impossibility, in order to show MU-EUF-CMA of Sch in AGM+ROM.
... There are also two security requirements for the UD-VSP scheme, namely, unforgeability against (adaptively) chosen message attack (UF-CMA) and resistance against impersonation attack (R-IM). The former is identical to the unforgeability of a digital signature scheme [36]. Let UDVSP = (KGen, Sign, Verf, Transform, IVerf) be a UDVSP scheme, and Sign(sk, ·) be the signing oracle. ...
Article
Full-text available
Electronic Medical Records (EMRs) sharing enhances healthcare and biomedical discoveries but faces challenges: data provider centralization and limited interoperability. Blockchain can address these issues, but existing systems struggle with malicious EMR propagation due to challenges concerning the authenticity, non-repudiation, and integrity of the digital signatures they employ. Universal Designated Verifier Signature Proof (UDVSP) may be an intuitive solution, but existing UDVSP schemes are inefficient due to time-consuming bilinear pairing operations. In this article, we first adopt the Elliptic Curve Digital Signature Algorithm (ECDSA) to propose a more efficient and blockchain-friendly UDVSP scheme, followed by a blockchain-based EMR sharing system (EMRChain). To the best of our knowledge, our proposed UDVSP scheme is the first bilinear-pairing-free solution, and EMRChain is the first blockchain-based EMR sharing system to possess anti-malicious propagation. Furthermore, we proceed to provide a thorough security analysis and performance evaluation of both our UDVSP scheme and EMRChain. Our UDVSP scheme is provably secure within the security model and offers significant computational cost savings (at least 86.76%) and reduced communication overhead (at least 59.37%) compared to existing UDVSP schemes. These results, along with the EMRChain prototype, effectively showcase the utility and effectiveness of EMRChain, which is built upon our UDVSP scheme.
Article
Full-text available
The Indonesian Health Card (KIS) program aims to provide fair and equitable health insurance for all Indonesian citizens. However, significant challenges arise in the privacy and security of sensitive participant data. This research proposes the implementation of Secure Multi-Party Computation (SMPC) as a solution to enhance privacy and security in managing KIS data. SMPC allows multiple parties to perform joint calculations without revealing each party's private data (Boneh & Shoup, 2020), thereby minimizing the risk of data breaches. SMPC Graph is a visual representation of participants and their interactions in a secure multi-party computation process. This study analyzes the implementation of SMPC in the KIS system, tests its performance, and evaluates its security. The results show that SMPC can significantly improve the privacy and security of KIS participants' data without compromising operational efficiency. Thus, the application of SMPC has the potential to be a strategic step in managing health data more securely and with greater privacy guarantees.
Preprint
Full-text available
Separation logic is a substructural logic which has proved to have numerous and fruitful applications to the verification of programs working on dynamic data structures. Recently, Barthe, Hsu and Liao have proposed a new way of giving semantics to separation logic formulas in which separating conjunction is interpreted in terms of probabilistic independence. The latter is taken in its exact form, i.e., two events are independent if and only if the joint probability is the product of the probabilities of the two events. There is indeed a literature on weaker notions of independence which are computational in nature, i.e. independence holds only against efficient adversaries and modulo a negligible probability of success. The aim of this work is to explore the nature of computational independence in a cryptographic scenario, in view of the aforementioned advances in separation logic. We show on the one hand that the semantics of separation logic can be adapted so as to account for complexity bounded adversaries, and on the other hand that the obtained logical system is useful for writing simple and compact proofs of standard cryptographic results in which the adversary remains hidden. Remarkably, this allows for a fruitful interplay between independence and pseudorandomness, itself a crucial notion in cryptography.
Conference Paper
Chameleon hash (CH) is a trapdoor hash function. Generally it is hard to find collisions, but with the help of a trapdoor, finding collisions becomes easy. CH plays an important role in converting a conventional blockchain to a redactable one. However, most of existing CH schemes are too weak to support redactable blockchains. The currently known CH schemes serving for redactable blockchains have the best security of so-called “full collision resistance (\(\text {f-CR}\))”, but they are built either in the random oracle model or rely on heavy tools like the simulation-sound extractable non-interactive zero-knowledge (SSE-NIZK) proof system. Moreover, up to now there is no CH scheme with post-quantum \(\text {f-CR}\) security in the standard model. Therefore, no CH can support redactable blockchains in a post-quantum way without relying on random oracles. In this paper, we introduce a variant of CH, namely tagged chameleon hash (tCH). Tagged chameleon hash takes a tag into hash evaluations and collision finding algorithms. We define two security notions for tCH, restricted collision resistance (\(\text {r-CR}\)) and full collision resistance (\(\text {f-CR}\)), and prove the equivalence between \(\text {r-CR}\) and \(\text {f-CR}\) when tCH works in the one-time tag mode. We propose a tCH scheme from lattices without using any NIZK proof, and prove that its restricted collision resistance is reduced to the Short Integer Solution (SIS) assumption in the standard model. We also show how to apply tCH to a blockchain in one-time tag mode so that the blockchain can be compiled to a redactable one. Our tCH scheme provides the first post-quantum solution for redactable blockchains, without resorting to random oracles or NIZK proofs. Besides, we also construct a more efficient tCH scheme with \(\text {r-CR}\) tightly reduced to SIS in the random oracle model, which may be of independent interest.
Chapter
A hash-and-sign signature based on a preimage-sampleable function (Gentry et al., STOC 2008) is secure in the quantum random oracle model if the preimage-sampleable function is collision-resistant (Boneh et al., ASIACRYPT 2011) or one-way (Zhandry, CRYPTO 2012). However, trapdoor functions in code-based and multivariate-quadratic-based signatures are not preimage-sampleable functions; for example, underlying trapdoor functions of the Courtois-Finiasz-Sendrier, Unbalanced Oil and Vinegar (UOV), and Hidden Field Equations (HFE) signatures are not surjections. Thus, such signature schemes adopt probabilistic hash-and-sign with retry. While Sakumoto et al. in PQCRYPTO 2011 showed the security of this paradigm in the classical random oracle model, their proof contains an error. Also, there is currently no known security proof for the probabilistic hash-and-sign with retry in the quantum random oracle model. We correct the proof in the random oracle model and give the first security proof in the quantum random oracle model for the probabilistic hash-and-sign with retry, assuming that the underlying trapdoor function is non-invertible, that is, it is hard to find a preimage of a given random value in the range. Our reduction from the non-invertibility assumption is tighter than the existing ones that apply only to signature schemes based on preimage-sampleable functions. We apply the security proof to code-based and multivariate-quadratic-based signatures. Additionally, we extend the proof into the multi-key setting and propose a generic method that provides security reduction without any security loss in the number of keys.
Chapter
During the pandemic, the limited functionality of existing privacy-preserving contact tracing systems highlights the need for new designs. Wang et al. proposed an environmental-adaptive framework (CSS ’21) but failed to formalize the security. The similarity between their framework and attribute-based credentials (ABC) inspires us to reconsider contact tracing from the perspective of ABC schemes. In such schemes, users can obtain credentials on attributes from issuers and prove the credentials anonymously (i.e., hiding sensitive information of both user and issuer). This work first extends ABC schemes with auditability, which enables designated auditing authorities to revoke the anonymity of particular issuers. For this purpose, we propose an “auditable public key (APK)” mechanism that extends the updatable public key by Fauzi et al. (AsiaCrypt ’19). We provide formal security definitions regarding auditability and build our auditable ABC scheme by adding a DDH-based APK to Connolly et al.’s ABC construction (PKC ’22). Note that the APK mechanism can be used as a plug-in for other cryptographic primitives and may be of independent interest. Finally, regarding contact tracing, we refine Wang et al.’s framework and present a formal treatment that includes security definitions and protocol construction. An implementation is provided to showcase the practicality of our design.
Article
Blockchain-based authentication, as a distributed system, is a significant method to achieve secure service access and provision for the distributed mobile cloud computing (MCC) environment. However, owing to the transparency of blockchain, it remains a challenge to protect users’ access behavior from disclosure. Besides, billions of users in the MCC system may cause storage bottlenecks to the blockchain network. To overcome these challenges, this paper designs two blockchain-based privacy-preserving authentication schemes supporting hierarchical access control for the MCC environment. Both schemes allow users to access multiple services with different permissions after a single registration. To address the challenges of privacy disclosure, we use polynomial commitment to replace the plaintext on the blockchain. Meanwhile, a new verification and updating of the access permission method is proposed using the homomorphic property of polynomial commitment. The first scheme works toward reducing computation costs, which is more suitable for systems with a limited number of service providers (SPs). On the other hand, the second scheme aims to reduce the storage requirements of blockchain, and it provides more efficient hierarchical access control for large-scale scenarios without requiring more storage space. Then, the security analysis demonstrates that the two schemes satisfy multiple security requirements. Finally, a comparative summary is presented to show that our schemes have good performance in computation and communication efficiency and are well suited to the MCC system.
Chapter
Anycast messaging (i.e., sending a message to an unspecified receiver) has long been neglected by the anonymous communication community. An anonymous anycast prevents senders from learning who the receiver of their message is, allowing for greater privacy in areas such as political activism and whistleblowing. To design protocols with provable guarantees for anonymous anycast, a formal consideration of the problem is necessary, but missing in current work. We use a game-based approach to provide formal definitions of anycast functionality and privacy. Our work also introduces Panini, the first anonymous anycast protocol that requires only existing infrastructure. We show that Panini allows the actual receiver of the anycast message to remain anonymous, even in the presence of an honest but curious sender. In an empirical evaluation, we find that Panini adds only minimal overhead over regular unicast: Sending a message anonymously to one of eight possible receivers results in an end-to-end latency of 0.76 s.
Article
This article presents a tracing mechanism for group signatures answering the security threats of malicious authorities and users' forgeries. The proposal weakens the high trust placed on the centralized tracing party in previous group signatures by decentralizing tracing power using a multiple tracer setting and limiting the tracers' access using attribute‐based encryption and the requirement of the group manager's agreement. We allow the group manager to control tracers identifying his group users. Instead of a centralized tracer, our setting has multiple tracers possessing attribute sets. Thus, after getting the group manager's permission, a tracer should satisfy the access policy in a given signature to identify the signer. On the other hand, our group signature scheme decentralizes the tracing key generation and removes the group manager's tracing ability. Thus, it ensures that only the attribute‐satisfying and permitted tracers can identify the signer. Moreover, this article delivers security against malicious users. It presents a verification process of access policy of the signatures to prevent users from utilizing invalid attributes for signing. In addition, the article delivers a collaborative tracing mechanism to satisfy attribute sets that a tracer fails to fulfill alone for identifying a signer. Thus, our tracing mechanism ensures security against malicious authorities and group users in group signatures. The article gives the general construction of the scheme and discusses the security.
Article
Consensus protocol is one of the core technologies of IoT-blockchain applications, which is used to ensure the consistency of data between terminal devices that do not trust each other. Practical Byzantine Fault Tolerance (PBFT) is a typical consensus algorithm. Due to its advantages of low computational power and complexity, PBFT is deemed more suitable for IoT-blockchain applications. PBFT can tolerate 1/3 faulty nodes in a blockchain network, which can be malicious or unresponsive. In this work, if a node does not respond to messages from other nodes, it can be regarded as an offline node. Therefore, when more than a third of the nodes go offline, the blockchain network breaks down. However, in IoT applications, this situation is likely to occur and greatly limits the security and stability of IoT-blockchain networks. In order to solve the above problem, we propose a novel threshold proxy signature-based PBFT (TP-PBFT) consensus for IoT-blockchain applications. We construct a new threshold proxy signature scheme that enables the proxy signers to sign messages on behalf of the offline nodes. In addition, we design a “two-step clustering” method to construct a double-layer architecture that improves the scalability of PBFT. Meanwhile, a reputation mechanism is introduced to evaluate the quality of the nodes. The experimental results show that our TP-PBFT consensus protocol can reach consensus when the number of offline nodes exceeds 1/3.
Conference Paper
Threshold signatures have emerged as a promising solution to secure cryptocurrencies. While some signature algorithms like Schnorr, BLS, EdDSA are threshold-friendly, the structure of ECDSA makes it challenging to construct such schemes. As such the known threshold ECDSA schemes use complex zero-knowledge proofs. However, these impact their performance negatively. Further, these schemes have attempted to achieve efficiency in the signature computation part while accepting complexity in the key generation. To be more specific, in the known 2-of-2 schemes the two parties need to perform key generation together to be able to run signature computation. In this work, we propose an efficient two-party ECDSA protocol that enables two parties to “aggregate” their ECDSA signature (on a single message) without participating in any kind of key generation process. Our protocol is based on additive sharing of (ECDSA) private keys and homomorphic properties of Paillier encryption. All the zero-knowledge proofs we use are non-interactive. As a result, our key generation is 7x faster than state-of-the-art. In terms of overall time complexity, our scheme is comparable with the state-of-the-art 2-of-2 ECDSA scheme.
Chapter
Full-text available
With the ever greater adoption of blockchain systems, smart contract based ecosystems have formed to provide financial services and other utility. This results in an ever increasing demand for transactions on blockchains; however, the amount of transactions per second on a given ledger is limited. Layer-2 systems attempt to improve scalability by taking transactions off-chain, with building blocks that are two party channels which are concatenated to form networks. Interaction between two parties requires (1) routing such a network, (2) interaction with and collateral from all intermediaries on the routed path and (3) interactions that are often more limited compared to what can be done on the ledger. In contrast to that design, recent constructions such as Hydra Heads (FC’21) are both multi-party and isomorphic, allowing interactions to have the same expressiveness as on the ledger, making it akin to a ledger located on Layer-2. The follow up Interhead Construction (MARBLE’22) further extends the protocol to connect Hydra Heads into networks by means of a “virtual” Hydra Head construction. This work puts forth an even greater generalization of the Interhead Protocol, allowing for interaction across different Layer-2 ledgers with a multitude of improvements. As a concrete example, our design is modular and lightweight, which makes it viable for both full virtual ledger constructions as well as straightforward one-time interactions and payment systems.
Article
Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly nonlinear and typically involve randomness) has not been considered until now. In this paper, we describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure.
Chapter
As a momentous attribute of blockchains, the immutability ensures the integrity and credibility of historical data, but it is inevitably abused to spread illegal content and does not meet certain requirements of relevant privacy protection laws and regulations such as the General Data Protection Regulation (GDPR). In this paper, we focus on the redactable blockchain, which can break the immutability in a safe and controllable way without affecting the normal operation of the blockchain. We propose a redactable blockchain based on the aggregation signature in the permissioned setting. This scheme supports democratic instant modification and accountability, in which every user has the right to propose editing requests, and the credible balloting committee is responsible for reviewing and voting on the redaction. In addition, in order to achieve accountability, we introduce the concept of a witness chain to ensure that every revision can be traced.
Chapter
Blockchain plays an important role in distributed file systems, such as cryptocurrency. One of the important building blocks of blockchain is the key-value commitment scheme, which constructs a commitment value from two inputs: a key and a value. In an ordinary commitment scheme, a single user creates a commitment value from an input value, whereas, in a key-value commitment scheme, multiple users create a commitment value from their own key and value. Both commitment schemes need to satisfy both binding and hiding properties. The concept of a key-value commitment scheme was first proposed by Agrawal et al. in 2020 using the strong RSA assumption. They also proved the key-binding property of their key-value commitment scheme. However, the key-hiding property was not yet proved. The key-hiding property was then proposed by Campaneli et al. in 2022. In this paper, we propose two lattice-based key-value commitment schemes, \(\textsf{Insert}\text {-}\textsf{KVC}_{m/2,n,q,\beta }\), and \(\textsf{KVC}_{m,n,q,\beta }\). Furthermore, we prove the key-binding and key-hiding of both lattice-based \(\textsf{Insert}\text {-}\textsf{KVC}_{m/2,n,q,\beta }\) and \(\textsf{KVC}_{m,n,q,\beta }\) for the first time. We prove the key-binding of both \(\textsf{Insert}\text {-}\textsf{KVC}_{m/2,n,q,\beta }\) and \(\textsf{KVC}_{m,n,q,\beta }\) based on the short integer solutions (\(\textsf{SIS}^\infty _{n,m,q,\beta }\)) problem. Furthermore, we prove key-hiding of both \(\textsf{Insert}\text {-}\textsf{KVC}_{m/2,n,q,\beta }\) and \(\textsf{KVC}_{m,n,q,\beta }\) based on the Decisional-\(\textsf{SIS}^\infty _{n,m,q,\beta }\) form problem, which we first introduce in this paper. We also discuss the difficulty of the Decisional-\(\textsf{SIS}^\infty _{n,m,q,\beta }\) form problem.
Chapter
Motivated by recent advances in exploring the power of hybridized TEE-blockchain systems, we present \(\textsf{LucidiTEE} \), a unified framework for confidential, policy-compliant computing that guarantees fair output delivery. For context: Ekiden (EuroS &P’19) and FastKitten (Sec’19) use enclave-ledger interactions to enable privacy-preserving smart contracts. However, they store the contract’s inputs on-chain, and therefore, are impractical for applications that process large volumes of data or serve large number of users. In contrast, \(\textsf{LucidiTEE} \) implements privacy-preserving computation while storing inputs, outputs, and state off-chain, using the ledger only to enforce policies on computation. Chaudhuri et al. (CCS’17) showed that enclave-ledger interactions enable fair secure multiparty computation. In a setting with n processors each of which possesses a TEE, they show how to realize fair secure computation tolerating up to t corrupt parties for any \(t < n\). We improve upon their result by showing a novel protocol which requires only t out of the n processors to possess a TEE. Kaptchuk et al. (NDSS’19) showed that enclave-ledger interactions can enable applications such as one-time programs and rate limited logging. We generalize their ideas to enforcing arbitrary history-based policies within and across several multi-step computations, and formally specify a new functionality for policy-compliant multiparty computation. Summarizing, \(\textsf{LucidiTEE} \) enables multiple parties to jointly compute on private data, while enforcing history-based policies even when input providers are offline, and fairness to all output recipients, in a malicious setting. \(\textsf{LucidiTEE} \) uses the ledger only to enforce policies; i.e., it does not store inputs, outputs, or state on the ledger, letting it scale to big data computation. 
We show novel applications including a personal finance app, collaborative machine learning, and policy-based surveys amongst an apriori-unknown set of participants.
Chapter
The homogeneous strong designated verifier signature scheme cannot meet the requirements of heterogeneous cryptographic communication. With the idea of Heterogeneous Signcryption and strong designated verifier signature, we present a securely and mutually heterogeneous strong designated verifier signature (SMHSDVS) scheme between Public Key Infrastructure and Identity-based Cryptography, which has correctness, non-transferability, unforgeability, strongness, source hiding and non-delegatability. In addition, we use the Computational Diffie-Hellman model in oracle to analyze unforgeability and use the mechanized tool CryptoVerif to analyze non-transferability. Finally, we evaluate the performance of the heterogeneous digital signature scheme by comparing it with related schemes, and the results show that the proposed scheme is secure and efficient.
Article
Ethereum leverages ECDSA as the digital signature scheme to validate transactions. From the provable security standpoint, ECDSA built on an 80-bit security Elliptic Curve group can achieve at most 50-bit concrete security, rather than 80-bit security, due to its reduction loss for $2^{30}$ signature queries in security analysis. The state-of-the-art ECDSA scheme comes with no de facto formal security guarantee. Although there have been many signatures with higher concrete security, their structures are quite different from ECDSA and a total replacement of the signature field in Ethereum will incur high deployment cost. In this work, we present EthereumX, which achieves better security without compromising the signature structure in Ethereum. The security gain is built on top of a new technique named randomness preprocessing module (RPM), which can securely pre-generate and verify randomness with the help of Ethereum. Calling RPM allows one to pre-select randomness, which will be used for the subsequent signature, and to verify the randomness, assuring that it was previously generated. We give an instantiation with formal security guarantee and prove that it can be improved to 80-bit concrete security under the same discrete logarithm assumption as ECDSA. From this instantiated scheme, we implement EthereumX via a deployment into a locally simulated network. Experiment results show that EthereumX costs 5 seconds for a block generation, which is equal to Ethereum, and generates/verifies at least $17017/10623$ transactions per second, which is practical enough in application, even if slightly slower than Ethereum, which generates/verifies at least $17908/11257$ transactions per second. We also mention that RPM can be applied to other DL-based signatures for security improvement.
Chapter
Since the formalization of Verifiable Delay Functions (VDF) by Boneh et al. in 2018, VDFs have been adopted for use in blockchain consensus protocols and random beacon implementations. However, the impending threat to VDF-based applications comes in the form of Shor’s algorithm running on quantum computers in the future which can break the discrete logarithm and integer factorization problems that existing VDFs are based on. Clearly, there is a need for quantum-secure VDFs. In this paper, we propose ZKBdf, which makes use of ZKBoo, a zero-knowledge proof system for verifiable computation, as the basis for realizing a quantum-secure VDF. We describe the algorithm, provide the security proofs, implement the scheme and measure the execution and size requirements. In addition, as ZKBdf extends the standard VDF with an extra “Prover-secret” feature, new VDF use-cases are also explored.
Research Proposal
Introduction: In the digital age, the security and integrity of data and communications have become paramount. Authentication protocols play a crucial role in ensuring that only authorized individuals gain access to specific resources. While numerous password-based authentication protocols exist, there appears to be a gap in the literature concerning non-repudiable password authentication. This research aims to bridge that gap. Background: Since autumn 2022, I have been deeply immersed in the development of a concept for non-repudiable password authentication. This journey began as a quest to enhance the security measures of traditional password-based authentication systems. During my extensive literature review, I observed a distinct lack of research focused on non-repudiation in the context of password authentication. This observation was surprising given the critical importance of non-repudiation in ensuring the integrity and authenticity of digital transactions. Objective: The primary objective of this research is to design, develop, and validate a novel authentication protocol that integrates the principle of non-repudiation with traditional password-based authentication mechanisms. Research Questions: 1. Why has non-repudiation been seemingly overlooked in the realm of password-based authentication protocols? 2. What are the potential challenges and barriers in integrating non-repudiation into password-based authentication systems? 3. How can a non-repudiable password authentication protocol be designed to ensure both security and user-friendliness? Methodology: The research is being conducted in the following phases: 1. Literature Review: A comprehensive review of existing password-based authentication protocols to understand their design principles and identify potential gaps. 2. Conceptualization: Development of the initial concept for a non-repudiable password authentication system. 3. Design and Development: Creation of a prototype based on the conceptual framework. 4. Validation: Testing the prototype in real-world scenarios to assess its effectiveness, security, and usability. 5. Feedback and Iteration: Based on the results from the validation phase, refining and iterating the prototype to address any identified issues. Cryptographic Primitives used in the protocol: [UNDISCLOSED]; please contact me if you are interested. Expected Outcomes: By the end of this research, I aim to: 1. Establish the importance and need for non-repudiable password authentication. 2. Present a fully developed and tested protocol that integrates non-repudiation into password-based authentication systems. 3. Contribute a novel perspective and solution to the broader cybersecurity community. Timeline: My thesis submission is scheduled for the end of November, but I'm planning to continue my research over the next 12-18 months, to submit corresponding papers to conferences. Conclusion: This research on non-repudiable password authentication seeks to push the boundaries of what's possible in authentication protocols. Request for Collaboration: I invite researchers, experts, and enthusiasts in the field of cybersecurity to collaborate, provide feedback, or share insights that can enrich this research journey. Together, we can pioneer a new area of authentication protocols.
Chapter
We prove adaptive security of a simple three-round threshold Schnorr signature scheme, which we call \(\textsf{Sparkle}\). The standard notion of security for threshold signatures considers a static adversary – one who must declare which parties are corrupt at the beginning of the protocol. The stronger adaptive adversary can at any time corrupt parties and learn their state. This notion is natural and practical, yet not proven to be met by most schemes in the literature. In this paper, we demonstrate that \(\textsf{Sparkle}\) achieves several levels of security based on different corruption models and assumptions. To begin with, \(\textsf{Sparkle}\) is statically secure under minimal assumptions: the discrete logarithm assumption (DL) and the random oracle model (ROM). If an adaptive adversary corrupts fewer than \(t/2\) out of a threshold of \(t+1\) signers, then \(\textsf{Sparkle}\) is adaptively secure under a weaker variant of the one-more discrete logarithm assumption (AOMDL) in the ROM. Finally, we prove that \(\textsf{Sparkle}\) achieves full adaptive security, with a corruption threshold of \(t\), under AOMDL in the algebraic group model (AGM) with random oracles. Importantly, we show adaptive security without requiring secure erasures. Ours is the first proof achieving full adaptive security without exponential tightness loss for any threshold Schnorr signature scheme; moreover, the reduction is tight.
Conference Paper
Existing proofs of adaptive security (e.g., in settings in which decryption keys are adaptively revealed) often rely on guessing arguments. Such guessing arguments can be simple (and, e.g., just involve guessing which keys are revealed), or more complex “partitioning” arguments. Since guessing directly and negatively impacts the loss of the corresponding security reduction, this leads to black-box lower bounds for a number of cryptographic scenarios that involve adaptive security. In this work, we provide an alternative to such guessing arguments: instead of guessing in a security reduction which adaptive choices an adversary makes, we rewind many times until we can successfully embed a given computational challenge. The main benefit of using rewindings is that these rewindings can be arranged sequentially, and the corresponding reduction loss only accumulates additively (instead of multiplicatively, as with guessing). The main technical challenge is to show that the adversary’s success is not negatively affected after (potentially many) rewindings. To this end, we develop a machinery for “undirected” rewindings that preserve the adversary’s success across (potentially many) rewindings. We use this strategy to show - security of the “Logical Key Hierarchy” protocol underlying the popular TreeKEM key management protocol, and - security of the Goldreich-Goldwasser-Micali (GGM) pseudorandom function (PRF) as a prefix-constrained PRF. In both cases, we provide the first polynomial reductions to standard assumptions (i.e., to IND-CPA and PRG security, respectively), and in the case of the GGM PRF, we also circumvent an existing lower bound.
Article
Log files provide essential information regarding the actions of processes in critical computer systems. If an attacker modifies log entries, critical digital evidence is lost. Therefore, many algorithms for secure logging have been devised, each achieving different security goals under different assumptions. We analyze these algorithms and identify their essential security features. Within a common system and attacker model, we integrate these algorithms into a single (parameterizable) “meta” algorithm called LAVA that possesses the union of the security features and can be parameterized to yield the security features of former algorithms. We present a security and efficiency analysis and provide a Python module that can be used to provide secure logging for forensics and incident response.
Article
Full-text available
A computational short-cut is shown, which can compromise the security of Rabin's digital signature system.
Conference Paper
Full-text available
Electronic messages, documents and checks must be authenticated by digital signatures which are not forgeable even by their recipients. The RSA system can generate and verify such signatures, but each message requires hundreds of high precision modular multiplications which can be implemented efficiently only on special purpose hardware. In this paper we propose a new signature scheme which can be easily implemented in software on microprocessors: signature generation requires one modular multiplication and one modular division, signature verification requires three modular multiplications, and the key size is comparable to that of the RSA system. The new scheme is based on the quadratic equation $m \equiv s_1^2 + k s_2^2 \pmod n$, where m is the message, $s_1$ and $s_2$ are the signature, and k and n are the publicly known key. While we cannot prove that the security of the scheme is equivalent to factoring, all the known methods for solving this quadratic equation for arbitrary k require the extraction of square roots modulo n or the solution of similar problems which are at least as hard as factoring. A novel property of the new scheme is that legitimate users can choose k in such a way that they can sign messages even without knowing the factorization of n, and thus everyone can use the same modulus if no one knows its factorization.
Conference Paper
Full-text available
Randomized protocols for signing contracts, certified mail, and flipping a coin are presented. The protocols use a 1-out-of-2 oblivious transfer subprotocol which is axiomatically defined. The 1-out-of-2 oblivious transfer allows one party to transfer exactly one secret, out of two recognizable secrets, to his counterpart. The first (second) secret is received with probability one half, while the sender is ignorant of which secret has been received. An implementation of the 1-out-of-2 oblivious transfer, using any public key cryptosystem, is presented.
Article
Full-text available
A constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented. This generator is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to polynomial-time computable functions $f_r: \{1, \ldots, 2^k\} \to \{1, \ldots, 2^k\}$. These $f_r$'s cannot be distinguished from random functions by any probabilistic polynomial-time algorithm that asks and receives the value of a function at arguments of its choice. The result has applications in cryptography, random constructions, and complexity theory. Categories and Subject Descriptors: F.0 (Theory of Computation): General; F.1.1 (Computation by Abstract Devices): Models of Computation-computability theory; G.0 (Mathematics of Computing): General; G.3 (Mathematics of Computing): Probability and Statistics-probabilistic algorithms; random number generation
Article
Full-text available
Suppose two parties A and B, in a communication network, have negotiated a contract, which they wish to sign. To this end, they need a protocol which has the two following properties: (1) At the end of an honest execution of the protocol, each party has a signature of the other. (2) If one party, X, executes the protocol honestly, his counterpart, Y, cannot obtain X’s signature to the contract without yielding his own signature.
Article
Full-text available
The Rivest, Shamir, and Adleman (RSA) public-key encryption algorithm can be broken if the integer R used as the modulus can be factored. It may however be possible to break this system without factoring R. A modification of the RSA scheme is described. For this modified version it is shown that, if the encryption procedure can be broken in a certain number of operations, then R can be factored in only a few more operations. Furthermore, this technique can also be used to produce digital signatures, in much the same manner as the RSA scheme.
Article
Full-text available
Two parties, A and B, want to sign a contract C over a communication network. To do so, they must simultaneously exchange their commitments to C. Since simultaneous exchange is usually impossible in practice, protocols are needed to approximate simultaneity by exchanging partial commitments in a piece-by-piece manner. During such a protocol, one party or another may have a slight advantage; a fair protocol keeps this advantage within acceptable limits. A new protocol is proposed. It is fair in the sense that, at any stage in its execution, the conditional probability that one party cannot commit both parties to the contract given that the other party can, is close to zero. This is true even if A and B have vastly different computing powers and is proved under very weak cryptographic assumptions.
Article
A new digital signature scheme is proposed in which the computation time is several hundred times faster than the RSA scheme and in which the key length and signature length are almost comparable to those for the RSA. Moreover, the scheme can be easily implemented and is, therefore, most practical for many digital signature applications. This new scheme is based on both a quadratic congruential inequality and a one-way hash function. The secret key consists of two large prime numbers p and q, and the public key is their product, $n = p^2 q$. An inequality is used for signature verification. Although the degree of security in this scheme has not been proved, it is shown that security seems to be equivalent to the difficulty of factoring a large number.
Article
We present a practical probabilistic algorithm for testing large numbers of arbitrary form for primality. The algorithm has the feature that when it determines a number composite then the result is always true, but when it asserts that a number is prime there is a provably small probability of error. The algorithm was used to generate large numbers asserted to be primes of arbitrary and special forms, including very large numbers asserted to be twin primes. Theoretical foundations as well as details of implementation and experimental results are given.
Article
A new probabilistic model of data encryption is introduced. For this model, under suitable complexity assumptions, it is proved that extracting any information about the cleartext from the ciphertext is hard on the average for an adversary with polynomially bounded computational resources. The proof holds for any message space with any probability distribution. The first implementation of this model is presented. The security of this implementation is proved under the intractability assumption of deciding Quadratic Residuosity modulo composite numbers whose factorization is unknown.
Conference Paper
The notion of digital signature based on trapdoor functions has been introduced by Diffie and Hellman [3]. Rivest, Shamir and Adleman [8] gave the first number theoretic implementation of a signature scheme based on a trapdoor function. If f is a trapdoor function and m a message, $f^{-1}(m)$ is the signature of m. The signature can be verified by computing $f(f^{-1}(m)) = m$. This approach presents the following problems even when f is hard to invert: 1) there may be special message spaces (or subsets of them) that are easy to sign without knowing the trapdoor information; 2) it is possible to forge the signature of random numbers; this violates the requirements of many protocols; 3) given a polynomial number of signed messages, it may be possible to sign a new one without knowing the trapdoor information. We solve the above problems by exhibiting two signature schemes for which any strategy of an adversary, who has seen all previously signed messages, that has a moderate success in forging even a single additional signature, is transformable to a fast algorithm for factoring or inverting the RSA function. This provably holds for all message spaces with all possible probability distributions. Thus, in particular, given the signature of m, forging the signature of m+1 or 2m or 2sm is as hard as factoring. The two signature schemes
Conference Paper
An abstract is not available.
Conference Paper
Signatures based on polynomial equations modulo n have been introduced by Ong, Schnorr, Shamir [3]. We extend the original binary quadratic OSS-scheme to algebraic integers. So far the generalised scheme is not vulnerable to the recent algorithm of Pollard for solving $s_1^2 + k s_2^2 \equiv m \pmod n$, which has broken the original scheme.
Conference Paper
Recently Ong, Schnorr, and Shamir [OSS1, OSS2] have presented new public key signature schemes based on quadratic equations. We will refer to these as the OSS schemes. The security of the schemes rests in part on the difficulty of finding solutions to $X^2 - KY^2 \equiv M \pmod n$ (1), where n is the product of two large rational primes. In the original OSS scheme [OSS1], K, M, X, and Y were to be rational integers. However, when this version succumbed to an attack by Pollard [PS, S1], a new version was introduced [OSS2], where M, X, and Y were to be quadratic integers, i.e. elements of the ring $Z[\sqrt{d}]$. In this paper we will show that the OSS system in $Z[\sqrt{d}]$ is also breakable. The method by which we do this is to reduce the problem of solving the congruence over the ring $Z[\sqrt{d}]$ to the problem of solving the congruence over the integers, for which we can use Pollard’s algorithm.
Conference Paper
Recently Okamoto and Shiraishi proposed a public key authentication system [1]. The security of the scheme is based on the difficulty of solving quadratic inequalities. This new system is interesting since the amount of computing needed for the proposed scheme is significantly less than that needed for an RSA encryption. This report is an investigation into the security of the proposed digital signature scheme. We demonstrate that if the system is used as it is presented, an opponent could sign messages without factoring the modulus. Further, we suggest a modification which may not have the same flaw as the proposed scheme.
Conference Paper
Automation of the way we pay for goods and services is already underway, as can be seen by the variety and growth of electronic banking services available to consumers. The ultimate structure of the new electronic payments system may have a substantial impact on personal privacy as well as on the nature and extent of criminal use of payments. Ideally a new payments system should address both of these seemingly conflicting sets of concerns.
Conference Paper
Assume that two parties, A and B, want to sign a contract over a communication network, i.e. they want to exchange their “commitments” to the contract. We consider a contract signing protocol to be fair if, at any stage in its execution, the following hold: the conditional probability that party A obtains B's signature to the contract given that B has obtained A's signature to the contract, is close to 1. (Symmetrically, when switching the roles of A and B). Contract signing protocols cannot be fair without relying on a trusted third party. We present a fair, cryptographic protocol for signing contracts that makes use of the weakest possible form of a trusted third party (judge). If both A and B are honest, the judge will never be called upon. Otherwise, the judge rules by performing a simple computation, without referring to previous verdicts. Thus, no bookkeeping is required from the judge. Our protocol is fair even if A and B have very different computing powers. Its fairness is proved under the very general cryptographic assumption that functions that are one-way in a weak sense exist. Our protocol is also optimal with respect to the number of messages exchanged.
Article
Let n be an odd integer. Take a random number a from a uniform distribution on the set $\{1, 2, \cdots, n-1\}$. If a and n are relatively prime, compute the residue $\varepsilon \equiv a^{(n-1)/2} \pmod n$, where $-1 \le \varepsilon < n-2$, and the Jacobi symbol $\delta = (a/n)$. If $\varepsilon = \delta$, decide that n is prime. If either $\gcd(a, n) > 1$ or $\varepsilon \ne \delta$, decide that n is composite. Obviously, if n is prime, the decision made will be correct. We will show below that for composite n the probability of an incorrect decision is $\le 1/2$. The number of multiprecision operations needed for the whole procedure is $< 6 \log_2 n$. m-fold repetition using independent random numbers yields a Monte-Carlo test for primality with error probabilities 0 (if n is prime) and $< 2^{-m}$ (if n is composite) and with multiprecision arithmetic cost $< 6m \log_2 n$.
Article
Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the 'knowledge' contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.
Article
To satisfy the requirements demanded by many of today's business transactions, a communications system must provide the capability for messages to be signed by digital signatures. Being dependent upon both the message and the originator, digital signatures can be used by the message recipient to prove to an impartial third party (judge or adjudicator) not only the identity of the message's originator but also the message's true content. Two types of digital signatures are investigated: true signatures, and arbitrated signatures. A true signature can be validated by anyone having the correct nonsecret (public) validation parameter, whereas an arbitrated signature must be validated by a trusted arbiter. Arbitrated signatures appear to be adequate if the sender and receiver both belong to a common organization. However, true signatures are usually required when the sender and receiver belong to different organizations.
Article
A protocol is presented whereby two adversaries may exchange secrets, although neither trusts the other. The secrets are the prime factors of their publicly announced composite numbers. The two adversaries can exchange their secrets bit by bit, but each fears the other will cheat by sending "junk" bits. To solve this problem we show how each of the two can prove, for each bit delivered, that the bit is good. Applications are suggested to such electronic business transactions as signing contracts and sending certified electronic mail.
Article
We give a randomized algorithm that sorts on an N node network with constant valence in $O(\log N)$ time. More particularly the algorithm sorts N items on an N node cube-connected cycles graph and for some constant k, for all large enough $\alpha$, it terminates within $k\alpha \log N$ time with probability at least $1 - N^{-\alpha}$.
Article
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: 1. Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. 2. A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified
Article
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n , of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d = 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n .
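The RSA abstract above claims that signatures "cannot be forged"; the paper this page is about exists because that is not true under a chosen-message attack for the scheme as stated (sign by computing $M^d \bmod n$ with no hashing or padding). The following is an added example, not code from the original page or from the RSA paper, that implements the scheme exactly as the abstract describes it and then shows two forgeries: an existential forgery from two honestly signed messages, using $(M_1 M_2)^d = M_1^d M_2^d \pmod n$, and a selective forgery of an attacker-chosen target obtained with two oracle queries that never include the target. The second one is the same blinding step that Chaum's blind signatures (abstract above) rely on, used adversarially here. The primes 61 and 53 and exponent 17 are toy values chosen for illustration, not parameters from any source; real RSA signatures hash and pad the message (PKCS#1), which destroys the multiplicative structure these forgeries exploit.

```python
import math
import secrets


def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA as the abstract states it: n = p*q and e*d = 1 (mod (p-1)*(q-1))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), d


def rsa_sign(d: int, n: int, m: int) -> int:
    """Signature = M^d mod n, with no hashing and no padding (the scheme as described)."""
    return pow(m, d, n)


def rsa_verify(e: int, n: int, m: int, s: int) -> bool:
    """Accept iff s^e = M (mod n)."""
    return pow(s, e, n) == m % n


def forge_product(n: int, m1: int, s1: int, m2: int, s2: int):
    """Existential forgery from two legitimately signed messages:
    (m1*m2)^d = m1^d * m2^d (mod n), so the product of signatures signs the product of messages."""
    return (m1 * m2) % n, (s1 * s2) % n


def forge_target(pub, target: int, sign_oracle):
    """Selective forgery under an adaptive chosen-message attack: get a valid signature on an
    attacker-chosen target without ever asking the oracle to sign the target itself."""
    n, _e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2          # random blinding factor in [2, n-1]
        if math.gcd(r, n) == 1 and r != target % n:
            break
    m_blind = (target * pow(r, -1, n)) % n        # unrelated-looking message
    s_blind = sign_oracle(m_blind)                # oracle query 1
    s_r = sign_oracle(r)                          # oracle query 2
    return (s_blind * s_r) % n                    # (target * r^-1)^d * r^d = target^d (mod n)


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)               # toy parameters, not from any source
    n, e = pub
    s1, s2 = rsa_sign(d, n, 65), rsa_sign(d, n, 1000)
    print(forge_product(n, 65, s1, 1000, s2))
    print(rsa_verify(e, n, 1234, forge_target(pub, 1234, lambda m: rsa_sign(d, n, m))))
```

The attack in `forge_target` is exactly the adversary model the page's main paper addresses: the attacker picks its second query after seeing nothing more than the public key, and the oracle's two honest answers combine into a signature on a message it never saw. Schemes that are secure against adaptive chosen-message attacks, such as the claw-free-pair construction in the abstract at the top of the page, are designed so that no such combination of answered queries yields a new valid pair.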
Article
Thesis (Ph. D.)--Stanford University. Includes bibliographical references (leaves 151-156). Photocopy of a typescript. Ann Arbor : University Microfilms International, 1982. -- 21 cm.
Conference Paper
The cryptographic security of the Merkle-Hellman cryptosystem has been a major open problem since 1976. In this paper we show that the basic variant of this cryptosystem, in which the elements of the public key are modular multiples of a superincreasing sequence, is breakable in polynomial time.
Conference Paper
We present a general signature scheme which uses any pair of trap-door permutations (f0, f1) for which it is infeasible to find any x, y with f0(x) = f1(y). The scheme possesses the novel property of being robust against an adaptive chosen message attack: no adversary who first asks for and then receives signatures for messages of his choice (which may depend on previous signatures seen) can later forge the signature of even a single additional message. For a specific instance of our general scheme, we prove that (1) forging signatures is provably equivalent to factoring (i.e., factoring is polynomial-time reducible to forging signatures, and vice versa) while (2) forging an additional signature, after an adaptive chosen message attack, is still equivalent to factoring. Such a scheme is “paradoxical” since the above two properties were believed (and even “proven” in the folklore) to be contradictory. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are not too long.
Article
A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Article
The cryptographic security of the Merkle-Hellman system (which is one of the two public-key cryptosystems proposed so far) has been a major open problem since 1976. In this paper we show that when the elements of the public key $a_1, \ldots, a_n$ are modular multiples of a superincreasing sequence (as proposed by Merkle and Hellman), almost all the equations of the form $$ \sum_{i=1}^{n} x_i a_i = b, \quad x_i \in \{0, 1\} $$ can be solved in polynomial time, and thus the cleartexts $x_1 \ldots x_n$ that correspond to given ciphertexts b can be easily found.
Article
The knapsack problem is an NP-complete combinatorial problem that is strongly believed to be computationally difficult to solve in general. Specific instances of this problem that appear very difficult to solve unless one possesses "trapdoor information" used in the design of the problem are demonstrated. Because only the designer can easily solve problems, others can send him information hidden in the solution to the problems without fear that an eavesdropper will be able to extract the information. This approach differs from usual cryptographic systems in that a secret key is not needed. Conversely, only the designer can generate signatures for messages, but anyone can easily check their authenticity.
Article
Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
References

L. Lamport, Constructing digital signatures from a one-way function, SRI Intl. CSL-98, October 1979.
K. Lieberherr, Uniform complexity and digital signatures, Theoret. Comput. Sci., 16, 1 (Oct. 1981), pp. 99-110.
Y. Tulpan, Fast cryptoanalysis of a fast signature system, Master's Thesis in Applied Mathematics, Weizmann Institute, Israel, 1984.
H. C. Williams, A modification of the RSA public-key cryptosystem, IEEE Trans. Inform. Theory, IT-26 (1980), pp. 726-729.
J. Pollard, How to break the "OSS" signature scheme, private communication, 1984.
S. Goldwasser, S. Micali and R. L. Rivest.
E. Brickell and J. DeLaurentis, An attack on a signature scheme proposed by Okamoto and Shiraishi, Proc. Crypto 85, Springer-Verlag, New York, Heidelberg, Berlin, 1986.
D. Chaum, Blind signatures and untraceable payments, in Advances in Cryptology: Proc. Crypto 82, D. Chaum, R. Rivest and A. Sherman, eds., Plenum Press, New York, 1983.
D. Denning, Cryptography and Data Security, Addison-Wesley, Reading, MA, 1982.
W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, IT-22, 6 (1976), pp. 644-654.
S. Lipton and S. Matyas, Making the digital signature legal--and safeguarded, Data Communications (Feb. 1978), pp. 41-52.
M. Blum, Coin flipping by telephone, Proc. IEEE Spring COMPCON, San Francisco, 1982, pp. 133-137.
M. Blum, How to exchange (secret) keys, ACM Trans. Comput. Systems (1983), pp. 175-193.
M. Rabin, Digitalized signatures, in Foundations of Secure Computation, R. A. DeMillo, D. Dobkin, A. Jones and R. Lipton, eds., Academic Press, New York, 1978, pp. 133-153.
R. Merkle and M. Hellman, Hiding information and signatures in trap-door knapsacks, IEEE Trans. Inform. Theory, IT-24 (Sept. 1978), pp. 525-530.
M. Ben-Or, O. Goldreich, S. Micali and R. L. Rivest, A fair protocol for signing contracts, Proc. 12th ICALP (Nafplion, Greece, July 1985), pp. 43-52.

Fragment of the paper's proof text, as extracted:

By Lemma 3, given O and tr, it is now easy to compute either (1) a g-claw (i.e., a claw for the second claw-free pair in PK), or (2) an f-claw (i.e., a claw for the first claw-free pair in PK), or (3) an f-item whose root belongs to Denote the probability that case (1), (2) or (3) hold, respectively, by ε1, ε2 and