Tag Archive

You are currently browsing the tag archive for the ‘signature schemes’ tag.

CS276 Lecture 22: Signatures in the Random Oracle Model

May 6, 2009 in CS276 | Tags: , | 1 comment

Summary

In the last lecture we described a very complex signature scheme based on one-time signatures and pseudorandom functions. Unfortunately there is no known simple and efficient signature scheme which is existentially unforgeable under a chosen message attack under general assumptions.

Today we shall see a very simple scheme based on RSA which is secure in the random oracle model. In this model, all parties have oracle access to a random function {H : \{ 0,1 \}^n \rightarrow \{ 0,1 \}^m}. In implementations, this random function is replaced by a cryptographic hash function. Unfortunately, the proof of security we shall see today breaks down when the random oracle is replaced by hash function, but at least the security in the random oracle model gives some heuristic confidence in the design soundness of the construction.

Read the rest of this entry »

CS276 Lecture 21: Signatures

May 1, 2009 in CS276 | Tags: | Leave a comment

Scribed by Anand Bhaskar

Summary

Today we show how to construct an inefficient (but efficiently verifiable) signature scheme starting from a one-time signature scheme.

Next time we shall see how to make it efficient using a pseudorandom function.

Read the rest of this entry »

CS276 Lecture 20: Signatures

May 1, 2009 in CS276 | Tags: , | Leave a comment

Scribed by Nick Jalbert

Summary

Today we begin to talk about signature schemes.

We describe various ways in which “textbook RSA” signatures are insecure, develop the notion of existential unforgeability under chosen message attack, analogous to the notion of security we gave for authentication, and discuss the difference between authentication in the private-key setting and signatures in the public-key setting.

As a first construction, we see Lamport’s one-time signatures based on one-way functions, and we develop a rather absurdly inefficient stateful scheme based on one-time signatures. The scheme will be interesting for its idea of “refreshing keys” which will be used next time to design a stateless, and reasonably efficient, scheme.

Read the rest of this entry »

CS276 Lecture 22 (draft)

April 22, 2009 in CS276 | Tags: , , | Leave a comment

Summary

In the last lecture we described a very complex signature scheme based on one-time signatures and pseudorandom functions. Unfortunately there is no known simple and efficient signature scheme which is existentially unforgeable under a chosen message attack under general assumptions.

Today we shall see a very simple scheme based on RSA which is secure in the random oracle model. In this model, all parties have oracle access to a random function {H : \{ 0,1 \}^n \rightarrow \{ 0,1 \}^m}. In implementations, this random function is replaced by a cryptographic hash function. Unfortunately, the proof of security we shall see today breaks down when the random oracle is replaced by hash function, but at least the security in the random oracle model gives some heuristic confidence in the design soundness of the construction.

Read the rest of this entry »

CS276 Lecture 21 (draft)

April 8, 2009 in CS276, Uncategorized | Tags: | Leave a comment

Summary

Today we show how to construct an inefficient (but efficiently verifiable) signature scheme starting from a one-time signature scheme.

Next time we shall see how to make it efficient using a pseudorandom function.

Read the rest of this entry »

CS276 Lecture 20 (draft)

April 7, 2009 in CS276 | Tags: , , | Leave a comment

Summary

Today we begin to talk about signature schemes.

We describe various ways in which “textbook RSA” signatures are insecure, develop the notion of existential unforgeability under chosen message attack, analogous to the notion of security we gave for authentication, and discuss the difference between authentication in the private-key setting and signatures in the public-key setting.

As a first construction, we see Lamport’s one-time signatures based on one-way functions, and we develop a rather absurdly inefficient stateful scheme based on one-time signatures. The scheme will be interesting for its idea of “refreshing keys” which will be used next time to design a stateless, and reasonably efficient, scheme.

Read the rest of this entry »

a

Follow

Get every new post delivered to your Inbox.

Join 181 other followers