[PDF] Top 20 Improved (Almost) Tightly-Secure Structure-Preserving Signatures

... adjust signatures for messages in one of the two sets so that after logarithmic number of steps (say, in the size of the tag space) all modified signatures hide the ...to structure-preserving ... See full document

... of structure-preserving USS-QA-NIZK from Section ...as signatures, the USS-QA-NIZK can be considered as a signature scheme for message space consisting of no-instances, and the notion of unbounded ... See full document

... flat-tree signatures with improved ...two-tier signatures TTSig (a generalization of two-tier signatures [7] to any d ≥ 1), we build flat d-ary (instead of binary, 2-ary) trees via our second ... See full document

... the tightly secure (without corruptions) signature scheme from [HJ12a, ADK + 13] and the Groth-Sahai non-interactive proof system [GS08] will be suitable DLIN-based building ...recent ... See full document

... The currently most efficient non-tightly secure SPS schemes are due to Jutla and Roy [38] and Kiltz, Pan, and Wee [40]. Table 2 compares the computational complexity of their verification operation with the ... See full document

... fully secure SPS requires at least 2 verification equations, at least 3 group elements, the 3 elements not all the same group (for Type III asymmetric ...one-time secure SPS against random message attack ... See full document

... 3-element signatures cannot be proved secure under a non-interactive assumption using black-box reductions, so strong assumptions are needed to get optimal efficiency in the Type III ...optimal ... See full document

... Structure-Preserving Signatures (SPSs) [4] are signature schemes over bilinear groups where the messages, the verification key and the signatures consist of only group elements from ... See full document

... EQS. Structure-preserving signatures on equivalence classes, or equivalence- class signatures (EQS) for short, allow similar applications to ...Equivalence-class signatures were ... See full document

... shrinking structure- preserving trapdoor commitment scheme ...construct secure signature schemes that achieve existential unforgeability against adaptive chosen message attacks [31] in combination ... See full document

... one-time signatures and signatures secure against extended random message attacks ...one-time signatures, denoted by POS, are one-time signatures for which only a part of the one-time ... See full document

... Our approach follows the framework of [4], i.e., we show the existence of a crucial relation (see Sec- tion 2.7) in the algebraic model [11, 17]. It is known that if such a relation exists, a meta-reduction [13] can be ... See full document

... Proof. Perfect correctness, perfect randomizability and structure-preservation follows by inspection. What remains now is to prove that the signature scheme is C-EUF-CMA secure in the generic group model. ... See full document

... + signatures [BBS04, ASM06], which cover a broad class of ABC schemes from randomizable signature schemes with efficient proofs of ...provable secure version [BL13]) for the sake of completeness, although ... See full document

... Group signatures are a central cryptographic primitive which allows users to sign messages while hiding their identity within a crowd of group ...The structure-preserving signatures of Abe et ... See full document

... our tightly simulation-sound proof system into the construction of [14] yields a PKE scheme that is tightly chosen-ciphertext secure even under key-dependent message ...Besides, ... See full document

... as long as these corruptions do not allow the adversary to trivially win the se- curity experiment (e.g., because it is able to corrupt a communication partner before the key is computed, such that the attacker can ... See full document

... building secure signature schemes as failed impersonation attempts will be kept hidden from the adversary since the tasks of generating the commitment and challenge are performed by the ... See full document

... When evaluating different PAKE designs, two main criteria are the protocol’s efficiency in terms of computation and communication, and the security guarantees that the protocol provides. Of these two criteria, the ... See full document

... with almost tight security reduction in the multi-instance and multi- challenge setting yield almost tightly CCA secure PKE in the same setting via simple modification of Canetti- Halevi-Katz ... See full document