Shafi Goldwasser,Silvio Micali,Andrew Chi-Chih Yao

DOI: https://doi.org/10.1145/800061.808774

1983-01-01

Abstract:The notion of digital signature based on trapdoor functions has been introduced by Diffie and Hellman[3]. Rivest, Shamir and Adleman[8] gave the first number theoretic implementation of a signature scheme based on a trapdoor function. If f is a trapdoor function and m a message, f−1(m) is the signature of m. The signature can be verified by computing f(f−1(m)) = m. This approach presents the following problems even when f is hard to invert: 1) there may be special message spaces (or subsets of them) that are easy to sign without knowing the trapdoor information 2) it is possible to forge the signature of random numbers; this violates the requirements of many protocols 3) given a polynomial number of signed messages, it may be possible to sign a new one without knowing the trapdoor information. We solve the above problems by exhibiting two signature schemes for which any strategy of an adversary, who has seen all previously signed messages, that has a moderate success in forging even a single additional signature, is transformable to a fast algorithm for factoring or inverting the RSA function. This provably holds for all message spaces with all possible Probability distributions. Thus, in particular, given the signature of m, forging the signature of m+1 or 2m or 2sm is as hard as factoring. The two signature schemes

David Nowak

DOI: https://doi.org/10.1007/978-3-642-00730-9_23

2009-04-07

Abstract:Cryptographic primitives are fundamental for information security: they are used as basic components for cryptographic protocols or public-key cryptosystems. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. On top of the proof assistant Coq, we had implemented in previous work a toolbox for writing and checking game-based security proofs of cryptographic primitives. In this paper we describe its extension with number-theoretic capabilities so that it is now possible to write and check arithmetic-based cryptographic primitives in our toolbox. We illustrate our work by machine checking the game-based proofs of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and semantic security of the public-key cryptographic scheme of Goldwasser and Micali.

Cryptography and Security,Logic in Computer Science

Andrew C. Yao

DOI: https://doi.org/10.1109/sfcs.1982.38

1982-01-01

Abstract:giving away any information about the values of their own variables? The millionaires'problem corresponds to the case when m = 2 and f (x1, x2) = 1 if x1 < x2, and 0 otherwise. In this paper, we will give precise formu-lation of this general problem and describe three ways of solving it by use of one-way functions (i. e., functions which are easy to evaluate but hard to invert). These results have applications to secret voting, private query-ing of database, oblivious negotiation, playing mental poker, etc. We will also discuss the complexity question "How many bits need to be exchanged for the computa-tion", and describe methods to prevent participants from cheating. Finally, we study the question "What cannot be accomplished with one-way functions". Before describing these results, we would like to put this work in perspective by first considering a unified view of secure computation in the next section.

R. L. Rivest,A. Shamir,L. Adleman

DOI: https://doi.org/10.1145/359340.359342

IF: 22.7

1978-02-01

Communications of the ACM

Abstract:An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intented recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n , of two large secret primer numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n .

computer science, theory & methods, software engineering, hardware & architecture

Dima Grigoriev,Vladimir Shpilrain

DOI: https://doi.org/10.48550/arXiv.1301.5069

2013-01-22

Abstract:We show that some problems in information security can be solved without using one-way functions. The latter are usually regarded as a central concept of cryptography, but the very existence of one-way functions depends on difficult conjectures in complexity theory, most notably on the notorious "$P \ne NP$" conjecture. In this paper, we suggest protocols for secure computation of the sum, product, and some other functions, without using any one-way functions. A new input that we offer here is that, in contrast with other proposals, we conceal "intermediate results" of a computation. For example, when we compute the sum of $k$ numbers, only the final result is known to the parties; partial sums are not known to anybody. Other applications of our method include voting/rating over insecure channels and a rather elegant and efficient solution of Yao's "millionaires' problem". Then, while it is fairly obvious that a secure (bit) commitment between two parties is impossible without a one-way function, we show that it is possible if the number of parties is at least 3. We also show how our (bit) commitment scheme for 3 parties can be used to arrange an unconditionally secure (bit) commitment between just two parties if they use a "dummy" (e.g., a computer) as the third party. We explain how our concept of a "dummy" is different from a well-known concept of a "trusted third party". We also suggest a protocol, without using a one-way function, for "mental poker", i.e., a fair card dealing (and playing) over distance. We also propose a secret sharing scheme where an advantage over Shamir's and other known secret sharing schemes is that nobody, including the dealer, ends up knowing the shares owned by any particular player. It should be mentioned that computational cost of our protocols is negligible to the point that all of them can be executed without a computer.

Cryptography and Security,Information Theory

Zongyang Zhang,Yu Chen,Sherman S. M. Chow,Goichiro Hanaoka,Zhenfu Cao,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-319-26059-4_24

2015-01-01

Abstract:A popular methodology of designing cryptosystems with practical efficiency is to give a security proof in the random oracle RO model. The work of Fischlin and Fleischhacker Eurocrypt﾿'13 investigated the case of Schnorr signature and generally, Fiat-Shamir signatures and showed the reliance of RO model is inherent. We generalize their results to a large class of \"malleable\" hash-and-sign signatures, where one can efficiently \"maul\"any two valid signatures between two signature instances with different public keys if it can get the difference between the secret keys. We follow the technique of Fischlin and Fleischhacker to show that the security of malleable hash-and-sign signature cannot be reduced to its related hard cryptographic problem without programming the RO. Our proof assumes the hardness of a one-more cryptographic problem depending on the signature instantiation. Our result applies to single-instance black-box reductions, subsuming those reductions used in existing proofs. Our framework not only encompasses Fiat-Shamir signatures as special cases, but also covers $$\\Gamma $$-signature Yao and Zhao, IEEE Transactions on Information Forensics and Security﾿'13, and other schemes which implicitly used malleable hash-and-sign signatures, including Boneh-Franklin identity-based encryption, and Sakai-Ohgishi-Kasahara non-interactive identity-based key exchange.

X Deng,CH Lee,H Zhu

DOI: https://doi.org/10.1049/ip-cdt:20010207

2001-01-01

IEE Proceedings - Computers and Digital Techniques

Abstract:Two deniable authentication schemes have been developed. One is based on the intractability of the factoring problem, and the other is based on the intractability of the discrete logarithm problem. The computation cost of the first scheme is about (t+2)/2s. The second scheme requires about (2t+3)/4s of a previous scheme; s is the length of a message block and t is the cost of multiplication mod N operations. It is shown that both protocols reserve all cryptographic characterisations of the previous scheme.

Michael Burrows,Martin Abadi,Roger Needham

DOI: https://doi.org/10.1145/77648.77649

1990-02-01

ACM Transactions on Computer Systems

Abstract:Authentication protocols are the basis of security in many distributed systems, and it is therefore essential to ensure that these protocols function correctly. Unfortunately, their design has been extremely error prone. Most of the protocols found in the literature contain redundancies or security flaws. A simple logic has allowed us to describe the beliefs of trustworthy parties involved in authentication protocols and the evolution of these beliefs as a consequence of communication. We have been able to explain a variety of authentication protocols formally, to discover subtleties and errors in them, and to suggest improvements. In this paper we present the logic and then give the results of our analysis of four published protocols, chosen either because of their practical importance or because they serve to illustrate our method.

computer science, theory & methods

Lior Rotem,Gil Segev

DOI: https://doi.org/10.1007/s00145-024-09506-5

2024-06-08

Journal of Cryptology

Abstract:The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the "square-root barrier." In particular, in any group of order p where Shoup's generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t -time attacks on the Schnorr identification and signature schemes have success probability , whereas existing proofs of security only rule out attacks with success probabilities and , respectively, where denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from -protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr's schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is " d -moment hard": The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the d th moment of the algorithm's running time. In the concrete context of the discrete logarithm problem, already Shoup's original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t -time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most and , respectively.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Shundong Li,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.4236/iim.2009.13026

2009-01-01

Abstract:This paper studies how to take advantage of other's computing ability to sign a message with one's private key without disclosing the private key.A protocol to this problem is presented, and it is proven, by well known simulation paradigm, that this protocol is private.

Andrew Chi-Chih Yao

DOI: https://doi.org/10.1109/SFCS.1982.45

1982-01-01

Abstract:The purpose of this paper is to introduce a new information theory and explore its appplications. Using modern computational complexity, we study the notion of information that can be accessed through a feasible computation. In Part 1 of this paper, we lay the foundation of the theory and set up a framework for cryptography and pseudorandom number generation. In Part 2, we study the concept of trapdoor functions and examine applications of such functions in cryptography, pseudorandom number generation, and abstract complexity theory.

Joshua Guttman

DOI: https://doi.org/10.4204/EPTCS.8.5

2009-11-11

Abstract:A model-theoretic approach can establish security theorems for cryptographic protocols. Formulas expressing authentication and non-disclosure properties of protocols have a special form. They are quantified implications for all xs . (phi implies for some ys . psi). Models (interpretations) for these formulas are *skeletons*, partially ordered structures consisting of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors. We show two results. (1) If phi is the antecedent of a security goal, then there is a skeleton A_phi such that, for every skeleton B, phi is satisfied in B iff there is a homomorphism from A_phi to B. (2) A protocol enforces for all xs . (phi implies for some ys . psi) iff every realized homomorphic image of A_phi satisfies psi. Hence, to verify a security goal, one can use the Cryptographic Protocol Shapes Analyzer CPSA (TACAS, 2007) to identify minimal realized skeletons, or "shapes," that are homomorphic images of A_phi. If psi holds in each of these shapes, then the goal holds.

Cryptography and Security,Logic in Computer Science

Yang Yu,Huiwen Jia,Xiaoyun Wang

2023-05-21

Abstract:This work aims to improve the practicality of gadget-based cryptosystems, with a focus on hash-and-sign signatures. To this end, we develop a compact gadget framework in which the used gadget is a square matrix instead of the short and fat one used in previous constructions. To work with this compact gadget, we devise a specialized gadget sampler, called semi-random sampler, to compute the approximate preimage. It first deterministically computes the error and then randomly samples the preimage. We show that for uniformly random targets, the preimage and error distributions are simulatable without knowing the trapdoor. This ensures the security of the signature applications. Compared to the Gaussian-distributed errors in previous algorithms, the deterministic errors have a smaller size, which lead to a substantial gain in security and enables a practically working instantiation. As the applications, we present two practically efficient gadget-based signature schemes based on NTRU and Ring-LWE respectively. The NTRU-based scheme offers comparable efficiency to Falcon and Mitaka and a simple implementation without the need of generating the NTRU trapdoor. The LWE-based scheme also achieves a desirable overall performance. It not only greatly outperforms the state-of-the-art LWE-based hash-and-sign signatures, but also has an even smaller size than the LWE-based Fiat-Shamir signature scheme Dilithium. These results fill the long-term gap in practical gadget-based signatures.

Cryptography and Security

Gaurav Mittal,Sandeep Kumar,Sunil Kumar,Shubham Mittal

DOI: https://doi.org/10.1007/s00500-024-10325-w

IF: 3.732

2024-11-29

Soft Computing

Abstract:The concept of undeniable signature scheme was proposed by Chaum and Antwerpen in 1989. In this scheme, the signature can only be verified by the verifier with the co-operation of the signer. In this paper, we propose a novel undeniable signature scheme based on the structure of group ring. We consider the well studied hard problems, that is, inverse computation problem (ICP) and discrete logarithm problem (DLP) in group ring and show that under the chosen message attack, our scheme is strongly unforgeable, invisible and secure against impersonation attack. These security notions, that is, strongly unforgeability, invisibility and impersonation are defined through three different games. In order to practically realize the scheme, we discuss a case study in which we generate the signature for a message and then verify it through the verification algorithm. Finally, we compare our scheme with several other renowned schemes available in the literature and show it is efficient in terms of the total execution time.

computer science, artificial intelligence, interdisciplinary applications

K. Longmate,E.M. Ball,E. Dable-Heath,R.J. Young

DOI: https://doi.org/10.48550/arXiv.2009.12118

2020-09-25

Abstract:Signatures are primarily used as a mark of authenticity, to demonstrate that the sender of a message is who they claim to be. In the current digital age, signatures underpin trust in the vast majority of information that we exchange, particularly on public networks such as the internet. However, schemes for signing digital information which are based on assumptions of computational complexity are facing challenges from advances in mathematics, the capability of computers, and the advent of the quantum era. Here we present a review of digital signature schemes, looking at their origins and where they are under threat. Next, we introduce post-quantum digital schemes, which are being developed with the specific intent of mitigating against threats from quantum algorithms whilst still relying on digital processes and infrastructure. Finally, we review schemes for signing information carried on quantum channels, which promise provable security metrics. Signatures were invented as a practical means of authenticating communications and it is important that the practicality of novel signature schemes is considered carefully, which is kept as a common theme of interest throughout this review.

Cryptography and Security,Quantum Physics

Rohit Chatterjee,Kai-Min Chung,Xiao Liang,Giulio Malavolta

DOI: https://doi.org/10.48550/arXiv.2112.06078

2021-12-12

Abstract:This work revisits the security of classical signatures and ring signatures in a quantum world. For (ordinary) signatures, we focus on the arguably preferable security notion of blind-unforgeability recently proposed by Alagic et al. (Eurocrypt'20). We present two short signature schemes achieving this notion: one is in the quantum random oracle model, assuming quantum hardness of SIS; and the other is in the plain model, assuming quantum hardness of LWE with super-polynomial modulus. Prior to this work, the only known blind-unforgeable schemes are Lamport's one-time signature and the Winternitz one-time signature, and both of them are in the quantum random oracle model. For ring signatures, the recent work by Chatterjee et al. (Crypto'21) proposes a definition trying to capture adversaries with quantum access to the signer. However, it is unclear if their definition, when restricted to the classical world, is as strong as the standard security notion for ring signatures. They also present a construction that only partially achieves (even) this seeming weak definition, in the sense that the adversary can only conduct superposition attacks over the messages, but not the rings. We propose a new definition that does not suffer from the above issue. Our definition is an analog to the blind-unforgeability in the ring signature setting. Moreover, assuming the quantum hardness of LWE, we construct a compiler converting any blind-unforgeable (ordinary) signatures to a ring signature satisfying our definition.

Quantum Physics,Cryptography and Security

Jinhui Liu,Jianwei Jia,Huanguo Zhang,Zhe Dong

DOI: https://doi.org/10.13245/j.hust.141118

2014-01-01

Abstract:Based on closet weights and decoding problems in error correcting codes ,which were NP-complete ,a new digital signature protocol was proposed .Then the existing methods of attacking the digital signature protocol were analyzed ,such as brute force attack ,ciphertext only attack ,plaintext chosen attack and forged signature ,and computational complexity of the corresponding attack were al-so proposed .Some parameters of four Goppa codes and security level of the corresponding digital sig-nature protocols were given .Finally ,experimental results and security parameters which are designed have proven that the matrix calculation ,decryption with probability correctly ,and relatively code rates are efficient ,which make the validity of the proposed protocol .The scheme has much more ad-vantages in low computational complexity ,decryption with probability correctly ,the potential to re-sist known quantum algorithms attacks ,which can be widely used in electronic transaction process .

D DOLEV,AC YAO

DOI: https://doi.org/10.1109/tit.1983.1056650

IF: 2.5

1983-01-01

IEEE Transactions on Information Theory

Abstract:Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.

Adrian Kent

DOI: https://doi.org/10.1103/PhysRevA.68.012312

2003-06-12

Abstract:A significant branch of classical cryptography deals with the problems which arise when mistrustful parties need to generate, process or exchange information. As Kilian showed a while ago, mistrustful classical cryptography can be founded on a single protocol, oblivious transfer, from which general secure multi-party computations can be built. The scope of mistrustful quantum cryptography is limited by no-go theorems, which rule out, inter alia, unconditionally secure quantum protocols for oblivious transfer or general secure two-party computations. These theorems apply even to protocols which take relativistic signalling constraints into account. The best that can be hoped for, in general, are quantum protocols computationally secure against quantum attack. I describe here a method for building a classically certified bit commitment, and hence every other mistrustful cryptographic task, from a secure coin tossing protocol. No security proof is attempted, but I sketch reasons why these protocols might resist quantum computational attack.

Quantum Physics,Cryptography and Security

Takehiko Mieno,Hiroyuki Okazaki,Kenichi Arai,Yuichi Futa

DOI: https://doi.org/10.1109/access.2024.3368453

IF: 3.9

2024-03-06

IEEE Access

Abstract:The formal verification of cryptographic protocols has been extensively studied in recent years. To verify the cryptographic protocol security, formal verification tools consider protocol properties as interactive processes involving a cryptographic functionality. In general, we formally define a cryptographic functionality as an abstract function. However, the actual cryptographic protocols used comprise complex combinations of cryptographic functionalities. Thus, we may not determine if the protocol is secure, even when the cryptographic protocol security with cryptographic functionalities is verified using verification tools. Increasing the reliability of the verification results necessitates the verification of the security properties of these algorithms using ProVerif. Many cryptographic algorithms have been designed as iterative algorithms. These include the Merkle and Damgård construction (MD construction) method for cryptographic hash functions and the cipher block chaining mode (CBC mode) for the block cipher mode of operation. However, formalizing an iterative execution is difficult in ProVerif. Thus, we propose a method for formalizing a model of iterative executions. In the proposed method, we describe to formalize iterative execution as a formal model of function calls. We demonstrate the validity of our proposed method by formally verifying the safety of the MD construction method, which behaves like an iterative execution by including a one-way compression function and internal variables changed by the output of these functions. We also present a method for formalizing a common block cipher mode of operation (i.e., CBC mode) used in the proposed method to handle iterative execution.

computer science, information systems,telecommunications,engineering, electrical & electronic