The knowledge complexity of interactive proof-systems
STOC '85 Proceedings of the seventeenth annual ACM symposium on Theory of computing
An attack on a signature scheme proposed by Okamoto and Shiraishi
Lecture Notes in Computer Science 218: Advances in Cryptology---CRYPTO '85
How to prove yourself: practical solutions to identification and signature problems
Proceedings on Advances in cryptology---CRYPTO '86
A digital signature scheme secure against adaptive chosen-message attacks
SIAM Journal on Computing - Special issue on cryptography
How to break Okamoto's cryptosystem by reducing lattice bases
Lecture Notes in Computer Science: Advances in Cryptology---EUROCRYPT '88
Public-key cryptosystems provably secure against chosen ciphertext attacks
STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The random oracle methodology, revisited (preliminary version)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Twin signatures: an alternative to the hash-and-sign paradigm
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
RSA-OAEP Is Secure under the RSA Assumption
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
Relations Among Notions of Security for Public-Key Encryption Schemes
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Security of Signed ElGamal Encryption
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Design Validations for Discrete Logarithm Based Signature Schemes
PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Lower bounds for discrete logarithms and related problems
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
Security of Signature Schemes in a Multi-User Setting
Designs, Codes and Cryptography
Provable Cryptographic Security and its Applications to Mobile Wireless Computing
Wireless Personal Communications: An International Journal
Generic Groups, Collision Resistance, and ECDSA
Designs, Codes and Cryptography
A More Natural Way to Construct Identity-Based Identification Schemes
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Gradually Convertible Undeniable Signatures
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
A new framework for the design and analysis of identity-based identification schemes
Theoretical Computer Science
An Efficient On-Line/Off-Line Signature Scheme without Random Oracles
CANS '08 Proceedings of the 7th International Conference on Cryptology and Network Security
Parallel authentication and public-key encryption
ACISP'03 Proceedings of the 8th Australasian conference on Information security and privacy
Why provable security matters?
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
SCN'02 Proceedings of the 3rd international conference on Security in communication networks
Secure applications of Pedersen's distributed key generation protocol
CT-RSA'03 Proceedings of the 2003 RSA conference on The cryptographers' track
High-speed high-security signatures
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
ECGSC: elliptic curve based generalized signcryption
UIC'06 Proceedings of the Third international conference on Ubiquitous Intelligence and Computing
Digital signatures do not guarantee exclusive ownership
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
Optimal asymmetric encryption and signature paddings
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
ICCSA'06 Proceedings of the 2006 international conference on Computational Science and Its Applications - Volume Part III
Traceable signature with stepping capabilities
Cryptography and Security
Cryptography and Security
Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked. This became clear when Shoup found that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. We give more examples, showing that provable security is more subtle than it at first appears. Our examples are in the area of signature schemes: one is related to the security proof of ESIGN and the other two to the security proof of ECDSA. We found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one. Concerning ECDSA, both examples are based on the concept of duplication: one shows how to manufacture ECDSA keys that allow for two distinct messages with identical signatures, a duplicate signature; the other shows that from any message-signature pair, one can derive a second signature of the same message, the malleability. The security proof provided by Brown [7] does not account for our first example while it surprisingly rules out malleability, thus offering a proof of a property, non-malleability, that the actual scheme does not possess.
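The two duplication effects the abstract names can be reproduced with a few lines of arithmetic on any ECDSA curve. The block below is an added illustration, not code from the paper or from any standard library: a minimal pure-Python ECDSA over secp256k1 (the curve, SHA-256 as hash, and every key, nonce and message are my own assumptions and constructed values). `malleate` turns a valid (r, s) into the second valid signature (r, n - s), and `is_low_s` is the defender-side check that makes a verifier accept exactly one of the two. `duplicate_signature_key` builds a key pair and a single (r, s) that verifies for two different messages; the derivation in its comment is worked out here from the verification equation, not quoted from the paper. That second effect has no fix inside the verifier: it exists only because the signer chose the key dishonestly, which is exactly the case an unforgeability proof that takes the key pair as honestly generated does not cover.

```python
"""ECDSA over secp256k1 in pure Python, demonstrating signature malleability
(r, s) -> (r, n - s) and a dishonestly generated key under which one
signature verifies for two different messages.
Assumptions (mine, not from the paper): curve secp256k1, hash SHA-256,
and all keys, nonces and messages, which are constructed values."""
import hashlib

# secp256k1 domain parameters (assumed curve; the paper treats ECDSA generically)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x, m):
    """Modular inverse; raises ValueError if x is 0 mod m."""
    return pow(x % m, -1, m)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    """e = SHA-256(msg) as an integer (256 bits, the bit length of n)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, e, k):
    """Plain ECDSA signing with an explicitly supplied nonce k."""
    r = point_mul(k, G)[0] % N
    s = inv(k, N) * (e + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return (r, s)


def verify(Q, e, sig):
    """Standard ECDSA verification: R = (e/s)G + (r/s)Q, accept if x(R) = r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)
    R = point_add(point_mul(e * w % N, G), point_mul(r * w % N, Q))
    return R is not None and R[0] % N == r


def malleate(sig):
    """Malleability: (r, -s) is valid for the same message, because the
    verifier's R becomes -R, which has the same x-coordinate."""
    r, s = sig
    return (r, N - s)


def is_low_s(sig):
    """Canonical-form check that closes the malleability (the 'low-s' rule
    enforced e.g. by Bitcoin): accept only s <= n/2."""
    return sig[1] <= N // 2


def duplicate_signature_key(e1, e2, t):
    """Manufacture a key pair and one (r, s) valid for BOTH hashes e1 and e2.
    Derivation (mine, from the verification equation): with Q = aG the
    verifier computes R_i = s^-1 (e_i + r a) G. Forcing R_1 = -R_2 gives
    a = -(e1+e2)/(2r); choosing R_1 = tG then fixes s = (e1-e2)/(2t).
    Works only because the signer picks a dishonestly."""
    r = point_mul(t, G)[0] % N
    s = (e1 - e2) * inv(2 * t, N) % N
    a = -(e1 + e2) * inv(2 * r, N) % N
    return a, point_mul(a, G), (r, s)


if __name__ == "__main__":
    d = 0xC0FFEE1234567890ABCDEF                       # constructed private key
    Q = point_mul(d, G)
    e = hash_to_int(b"transfer 10 coins to alice")     # constructed message
    sig = sign(d, e, k=0x1E5D0F7A3B5C9E1)               # constructed nonce
    sig2 = malleate(sig)
    print("original verifies:", verify(Q, e, sig), "low-s:", is_low_s(sig))
    print("malleated verifies:", verify(Q, e, sig2), "low-s:", is_low_s(sig2))
    e1, e2 = hash_to_int(b"pay 1 coin"), hash_to_int(b"pay 1000 coins")
    a, Qdup, dup = duplicate_signature_key(e1, e2, t=0x7A2B3C4D5E6F)
    print("one signature, two messages:", verify(Qdup, e1, dup), verify(Qdup, e2, dup))
```

Because n is odd, exactly one of s and n - s lies at or below n/2, so a verifier that enforces `is_low_s` makes the accepted signature unique for a given (key, message, r). No such local check exists for the duplicate-signature key: both verifications in the last line are correct ECDSA verifications, and the only thing distinguishing this key from an honest one is how it was generated.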