Proving Tight Security for Rabin-Williams Signatures
[chapter]
Advances in Cryptology – EUROCRYPT 2008
This paper proves "tight security in the random-oracle model relative to factorization" for the lowest-cost signature systems available today: every hash-generic signature-forging attack can be converted ...
The most surprising system is the "fixed unstructured B = 0 Rabin/Williams" system, which has a tight security proof despite hashing unrandomized messages. ...
This paper proves tight security for several state-of-the-art variants of the Rabin/Williams public-key signature system. ...
doi:10.1007/978-3-540-78967-3_5
dblp:conf/eurocrypt/Bernstein08
fatcat:uhxpjg44bzgq7lmt33fvx7va4e
How Risky Is the Random-Oracle Model?
[chapter]
2009
Lecture Notes in Computer Science
for which Bernstein proved tight security at EUROCRYPT '08. ...
Next, we study the security impact of hash function defects for ROM signatures. ...
[9], and the secret key in the Rabin-Williams signature scheme for which Bernstein [6] recently proved tight security, which was not mentioned in either [9, 6]. ...
doi:10.1007/978-3-642-03356-8_26
fatcat:vbjvlxawfzfztgra55nuebyw34
On the Lossiness of the Rabin Trapdoor Function
[chapter]
2014
Lecture Notes in Computer Science
We then use this result to prove that deterministic variants of Rabin-Williams Full Domain Hash signatures have a tight reduction from the 2-Φ/4-Hiding assumption, therefore answering one of the main questions ...
left open by Bernstein (EUROCRYPT 2008) in his work on Rabin-Williams signatures. ...
Combined with Lemma 2, this yields tight security reductions for PRW and APRW (see Figure 1 for a clear picture). Remark 3. ...
doi:10.1007/978-3-642-54631-0_22
fatcat:xy3p6ofeorbldo6z2dlup42lgq
Another Look at Provable Security
[chapter]
2012
Lecture Notes in Computer Science
We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. ...
We give an informal analysis and critique of several typical "provable security" results. ...
Acknowledgments We would like to thank Steven Galbraith, Shafi Goldwasser, Ann Hibner Koblitz, Kenny Paterson, Berkant Ustaoglu, and the two anonymous referees for their valuable comments on earlier drafts ...
doi:10.1007/978-3-642-29011-4_2
fatcat:2ellu74n55bxrbr3ka7fk2thre
Another Look at "Provable Security"
2005
Journal of Cryptology
We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. ...
We give an informal analysis and critique of several typical "provable security" results. ...
Acknowledgments We would like to thank Steven Galbraith, Shafi Goldwasser, Ann Hibner Koblitz, Kenny Paterson, Berkant Ustaoglu, and the two anonymous referees for their valuable comments on earlier drafts ...
doi:10.1007/s00145-005-0432-z
fatcat:7cnlak7isjhn7enzjqdpm7sdbi
Tight Proofs for Signature Schemes without Random Oracles
[chapter]
2011
Lecture Notes in Computer Science
We present the first tight security proofs for two general classes of Strong RSA based signature schemes. ...
We so obtain very efficient SDH-based variants of the Cramer-Shoup, Fischlin, and Zhu signature scheme and the first tight security proof of the recent Camenisch-Lysyanskaya scheme that was proposed and ...
I would like to thank Mathias Herrmann, Tibor Jager, Eike Kiltz, and Maike Ritzenhofen for useful comments on earlier drafts of this paper and the anonymous referees of EUROCRYPT'11 for helpful comments ...
doi:10.1007/978-3-642-20465-4_12
fatcat:myl6mi6s7jeuzdvik7j2bzql5e
Solving Hidden Number Problem with One Bit Oracle and Advice
[chapter]
2009
Lecture Notes in Computer Science
DeMarrais, A subexponential algorithm for discrete logarithms over all finite fields, Math. ...
A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields, ANTS I (L. M. ...
[47] , Proving tight security for Rabin-Williams signatures, EUROCRYPT 2008 (N. P. Smart, ed.), LNCS, vol. 4965, Springer, 2008, pp. 70-87.
[48] D. J. Bernstein, P. Birkner, M. Joye, T. ...
doi:10.1007/978-3-642-03356-8_20
fatcat:lst54auksbgvxaynf3gtsswva4
A Practical Public Key Cryptosystem from Paillier and Rabin Schemes
[chapter]
2002
Lecture Notes in Computer Science
This modification is reminiscent of the ones applied by Rabin [22] and Williams [25] to the well-known RSA cryptosystem. ...
We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standard model. The scheme is obtained from a modification of the so-called RSA-Paillier [5] scheme. ...
Acknowledgements We would like to thank Dario Catalano for sending us an early version of his paper [6] and the anonymous referees for their useful comments. ...
doi:10.1007/3-540-36288-6_21
fatcat:fqlpspal3zfidbdmxkubredkxy
Tight Security for Signature Schemes Without Random Oracles
2013
Journal of Cryptology
We present the first tight security proofs for two general classes of Strong RSA (SRSA) based signature schemes. ...
We so obtain very efficient SDH-based variants of the Cramer-Shoup, Fischlin, and Zhu signature scheme and the first tight security proof for the recent Camenisch-Lysyanskaya scheme that was proposed and ...
In this paper, we therefore take the same approach as Bernstein at EUROCRYPT '08 who proved tight security for the original Rabin-Williams signature scheme in the random-oracle model [2]. ...
doi:10.1007/s00145-013-9173-6
fatcat:xvqby5svf5ashedbyuowdckcom
A New Rabin-type Trapdoor Permutation Equivalent to Factoring
2006
Electronic Notes in Theoretical Computer Science
Thus it provides some advantages for practical applications. ...
To confirm this statement, we develop a simple hybrid encryption scheme based on our proposed trapdoor permutation that is CCA-secure in the random oracle model. ...
Acknowledgement The author wishes to thank anonymous referees for useful comments. ...
doi:10.1016/j.entcs.2005.09.039
fatcat:42kkhjwa7zhpjbhjxexdfinsze
On Tight Security Proofs for Schnorr Signatures
[chapter]
2014
Lecture Notes in Computer Science
The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this ...
Almost all recent works present lower tightness bounds and most recently Seurin (Eurocrypt 2012) showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random ...
Nils Fleischhacker and Dominique Schröder were supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy, and Accountability (CISPA ...
doi:10.1007/978-3-662-45611-8_27
fatcat:cquvpg3adrcexc4lspffscwtu4
Another Look at Tightness
[chapter]
2012
Lecture Notes in Computer Science
If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable ...
We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. ...
We wish to thank Greg Zaverucha for bringing reference [44] to our attention. ...
doi:10.1007/978-3-642-28496-0_18
fatcat:ogadsyu7dva2dayftppy46dzca
Improving the exact security of digital signature schemes
2002
Journal of Cryptology
their "tight-security" counterparts.) ...
We put forward a new method of constructing Fiat-Shamir-like signature schemes that yields better "exact security" than the original Fiat-Shamir method. ...
Acknowledgments We would like to thank Salil Vadhan for pointing out an error in an earlier version of this work and Mihir Bellare for suggesting using an idea from [BM99] to improve Corollary 1. ...
doi:10.1007/s00145-001-0005-8
fatcat:gvxrhnzkmnhd7mgrmfajz6bmc4
Tightly-Secure Signatures from Five-Move Identification Protocols
[chapter]
2017
Lecture Notes in Computer Science
Surprisingly, our CDH-based scheme turns out to be (a slight simplification of) the Chevallier-Mames signature scheme (CRYPTO 05), thereby providing a theoretical explanation of its tight security proof ...
We carry out a concrete security analysis of signature schemes obtained from five-move identification protocols via the Fiat-Shamir transform. ...
Subsequently, [3] proved a tight reduction for the GPS scheme to the decisional variant of the SEDL [36]. ...
doi:10.1007/978-3-319-70700-6_3
fatcat:fl5p6y3banh6zbgchmjnxm7oxm
An integrated approach to cryptographic mitigation of denial-of-service attacks
2011
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11
Our experimental results show that, in the Secure Sockets Layer (SSL) protocol, fast verification digital signatures can provide a 7% increase in connections per second compared to RSA signatures, and ...
These schemes can be up to 20 times faster for client authentication compared to RSA-based schemes. ...
The authors are also grateful to Lakshmi Devi Kuppusamy for her valuable comments and helpful advice and Hua Liu for his assistance in experiment implementation. ...
doi:10.1145/1966913.1966929
dblp:conf/ccs/RangasamySBN11
fatcat:gjrjlscaencfpm3tmpzvqpv5fa
Showing results 1 — 15 out of 130 results