A digital signature scheme secure against adaptive chosen-message attacks
SIAM Journal on Computing - Special issue on cryptography
Communications of the ACM
CT-RSA '02 Proceedings of the The Cryptographer's Track at the RSA Conference on Topics in Cryptology
CT-RSA '02 Proceedings of the The Cryptographer's Track at the RSA Conference on Topics in Cryptology
Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Incremental Cryptography: The Case of Hashing and Signing
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
Two Simplified Algorithms for Maintaining Order in a List
ESA '02 Proceedings of the 10th Annual European Symposium on Algorithms
Maintaining order in a linked list
STOC '82 Proceedings of the fourteenth annual ACM symposium on Theory of computing
Note: A simple transitive signature scheme for directed trees
Theoretical Computer Science
Signing a Linear Subspace: Signature Schemes for Network Coding
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
Homomorphic signatures for polynomial functions
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
A provably secure short transitive signature scheme from bilinear group pairs
SCN'04 Proceedings of the 4th international conference on Security in Communication Networks
Directed transitive signature scheme
CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Transitive signatures: new schemes and proofs
IEEE Transactions on Information Theory
Computing on authenticated data for adjustable predicates
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
| Hi-index | 0.00 |
A transitive signature scheme allows us to sign a graph in such a way that, given signatures on edges (a,b) and (b,c), it is possible to compute the signature on edge (a,c) without the signer's secret. Constructions for undirected graphs are known but the case of directed graphs remains open. A first solution for the particular case of directed trees (DTTS) was given by Yi at CT-RSA 2007. In Yi's construction, the signature for an edge is O(n log(n logn)) bits long in the worst case where n is the number of nodes. A year later in Theoretical Computer Science 396, Neven proposed a simpler scheme where the signature size is reduced to O(n logn) bits. Although this construction is more efficient, O(n logn)-bit long signatures still remain impractical for large n. In this work, we propose a new DTTS scheme such that, for any value λ≥1 and security parameter κ: (a) edge signatures are only O(κλ) bits long, (b) signing or verifying an edge signature requires O(λ) cryptographic operations, and (c) computing (without the secret key) an edge signature in the transitive closure of the tree requires O(λn1/λ) cryptographic operations. To the best of our knowledge this is the first construction with such a trade off. Our construction relies on hashing with common-prefix proofs, a new variant of collision resistance hashing. A family $\cal H$ provides hashing with common-prefix proofs if for any $H \in \cal H$ , given two strings X and Y equal up to position i, a prover can convince anyone that X[1..i] is a prefix of Y by sending only H(X),H(Y), and a small proof. We believe that this new primitive will lead to other interesting applications.