Confidential Signatures and Deterministic Signcryption
This page was last modified on 21 December 2015, at 13:01.

Contents
 1 Introduction
 2 Confidential Signature Schemes
 3 Confidential Hash Functions and Signature Schemes
 3.1 Confidential Hash Functions
 3.2 Confidentiality of Random Oracles
 3.3 FullDomain Hash Signatures
 3.4 Weak Confidentiality of FDH
 3.5 Strongly Confidential Signatures in the ROM
 3.6 Random Oracle Instantiation
 3.7 FiatShamir Signature Schemes
 3.8 FiatShamir Instantiation
 3.9 Strongly Confidential Signatures from Randomness Extraction
 3.10 Extractor Instantiation
 4 Deterministic Signcryption
 5 Acknowledgements
 6 Referenses
 Abstract. . Encryptandsign, where one encrypts and signs a message in parallel, is usually not recommended for con dential message transmission as the signature may leak information about the message. This motivates our investigation of con dential signature schemes, which hide all information about (highentropy) input messages. In this work we provide a formal treatment of con dentiality for such schemes. We give constructions meeting our notions, both in the random oracle model and the standard model. As part of this we show that full domain hash signatures achieve a weaker level of con dentiality than FiatShamir signatures. We then examine the connection of con dential signatures to signcryption schemes. We give formal security models for deterministic signcryption schemes for highentropy and lowentropy messages, and prove encryptandsign to be secure for con dential signature schemes and highentropy messages. Finally, we show that one can derandomize any signcryption scheme in our model and obtain a secure deterministic scheme.^{[1]}
Introduction
A common mistake amongst novice cryptographers is to assume that digital signature schemes provide some kind of con dentiality service to the message being signed. The (faulty) argument in support of this statement is (a) that all signature schemes are of the \hashandsign" variety, which apply a hash function to a message before applying any kind of keyed operation, and (b) that a oneway hash function will hide all partial information about a message. Both facets of this argument are incorrect. However, it does suggest that notions of con dentiality for signature schemes are an interesting avenue of research.^{[2]}
The question of con dentiality of hash functions in signature schemes was previously considered by Canetti as \contentconcealing signatures"; however the original treatment only serves to motivate the concept of perfect oneway hash functions . We provide a more formal treatment here. The question of entropic security has been considered by several other authors. Dodis and Smith studied entropic secure primitives requiring that no function leaks their input Russell and Wang consider the security of symmetric encryption
schemes based on highentropy messages, and several authors have considered the security of asymmetric encryption schemes based on highentropy messages However, we are the rst authors to consider the con dentiality of signatures and signcryption schemes in this scenario. ^{[2]} We believe that the concept of con dential signatures is intrinsically interesting and may prove to be useful in the construction of protocols in which two entities need to check that they are both aware of a particular message which
(a) contains some con dential information, such as a password, and (b) contains a high entropy component, such as a con dential nonce.^{[2]}
De ning Con dential Signatures. Our rst contribution is to de ne con dential signatures. Our starting point are highentropy messages (signatures for messages with low entropy inevitably leak through the veri cation algorithm of the signature scheme). Our de nitions are based on previous e orts for deterministic publickey encryption , and yield three models for con dential signature schemes:
 Weak con dentiality means that no information is leaked to a passive adversary, except possibly for information related to the technical details of the signature scheme.
 Mezzo con dentiality means that no information is leaked to a passive adversary (in possession of the veri cation key). Note that this is in contrast to deterministic publickey encryption where information cannot be hidden in such circumstances. ^{[3]}
 Strong con dentiality means that no information is leaked to an active adversary (in possession of the veri cation key).
Our de nitions are general enough to cover probabilistic and deterministic signature schemes, although we need an additional stipulation in the latter case, preventing the case where the leaked information is the unique signature itself.
Relation to Anonymous Signatures. There are similarities between con dential signatures and anonymous signatures . Anonymous signatures hide the identity of the signer of a highentropy message, whereas con dential signatures hide all the information about the message itself. This is relationship between these two primitives is similar to the relationship between anonymous encryption and traditional public key encryption.
Constructing Con dential Signatures. We then show how to obtain con dential signatures. We rst introduce the related concept of con dential hash functions, akin to hiding hash functions. We prove that random oracles are con dential hash functions, as are perfectly oneway hash functions in a weaker form.
We then show that the use of weakly con dential hash functions in full domain hash (FDH) signature schemes yields weakly con dential signatures. We show that FDH signature schemes and FiatShamir signatures are con dential in the random oracle model. We also show that strongly secure con dential signatures can be obtained in the standard model via the use of a randomness extractor (provided the message entropy lies above some xed bound).
Applications to Signcryption. Secure message transmission is usually performed via the encryptthensign paradigm, where the sender encrypts the message under the receiver's public encryption key and then signs the ciphertext with his own signing key. Signcryption schemes, introduced by , aim to gain e  ciency by combining the two operations. One consequence of previous security de nitions is that the encryptandsign approach, where one encrypts the message and signs the message in parallel, does not provide a secure signcryption in general as the signature may reveal information about the message.</math>.^{[4]}
We introduce security notions for (possibly deterministic) signcryption schemes with highentropy messages, along the lines of deterministic publickey encryption and con dential signatures. In case of signcryption schemes, we can also give a lowentropymessage version and show that this de nition is strictly stronger than the de nitions for highentropy messages. We show that the parallelizable encryptandsign scheme is highentropy con dential if the underlying encryption scheme is INDCCA2 and the signature scheme is con dential (and deterministic). We nally prove that we can derandomize any signcryption scheme to derive a secure deterministic scheme.^{[3]}
Besides the fact that some of our results require the signcryption scheme to be deterministic, we also believe that deterministic signcryption schemes may be intrinsically more secure than many current schemes. The reason is that most of the current signcryption schemes are based on discretelogarithmbased digital signature schemes which are highly sensitive to imperfect randomness .
In situations where we have been forced due to size constraints to omit a theorem's proof, the proof can be found in the full version of the paper.^{[5]}
Confidential Signature Schemes
We formalise the notion of a con dential signature in three ways and give constructions. These con dentiality notions can be applied to either probabilistic or deterministic signature schemes.^{[6]}
Definition of Confidential Signature Schemes
A digital signature scheme is a tuple of e cient algorithms . All algorithms (in this article) are probabilistic polynomialtime (PPT) in the security parameter k (which we assume clear from the context). The parameter generation algorithm produces a set of parameters common to all users ; subsequently the key generation algorithm produces a public/private key pair .The signing algorithm takes a message and the private key, and outputs a signature .. The veri cation algorithm takes as input a message, signature and public key, and outputs either a valid symbol > or an invalid symbol. This is written .^{[7]}.
(1)
If then output
Else return
(2)
If then output
Else return
(3)
If then output
Else return ^{[8]}
Notions of con dentiality for (a) weakly con dential signature schemes; (b) mezzo con dential signature schemes; (c) strongly con dential signature schemes. The signing algorithm is applied to the message vector m componentwise.
The standard notion for signature security is that of unforgeability under chosen message attacks (see Appendix A.1 for formal de nitions). We present three con dentiality notions for a digital signature scheme  see Figure 1. These notions are split depending on the adversary's capabilities, which corresponds in a natural way to reallife scenarios where it may be possible to derive some information about a message from a signature which might be deemed practically useless, e.g., the value of the hash of the message, but leakage of which cannot be avoided.^{[5]}
In the weak con dentiality model, the attacker should not be able to determine any information about the messages apart from that which can be obtained directly from the signature itself. Mezzo con dentiality models the scenario where the attacker is able to retrieve public keys of the users, but cannot interact directly with their communication network and obtain signatures of messages. In the strong model, an active attacker should not be able to determine any information about the messages apart from the signature itself.^{[8]}
For x from {w,m,s} the attacker A's advantage in the xSig game is de ned to be:
A signature scheme is weakly con dential (resp. mezzo con dential/strongly condential) if all attackers have negligible advantage in the wSig security game, subject to the following restraints:
For deterministic schemes we need the following additional constraint, ruling out trivial attacks:^{[7]}
(1)
Return
(2)
If
Return
Else
Return
(3)
If
Parse as
Return
A signature scheme which is weakly con dential but not mezzo con dential.
The latter condition prevents an attacker against a deterministic scheme from \winning" by setting  i.e., it prevents the attacker from \winning" the game simply by determining that the message m has the property that its unique signature is ^{[9]}
The notions of con dentiality are strictly increasing in strength. If SS is a weakly con dential signature schemes, then Figure 2 depicts a scheme which is weakly con dential but not mezzo con dential. Similarly, if SS is a mezzo con dential signature scheme, then Figure 3 shows a scheme which is mezzo con dential but not strongly con dential.
^{[6]}
(1)
Return
(2)
If
Set
Return
Else
Set
Return
(3)
If
Parse as
and
, and
If
Return T iff
, and
for any m from {0,1}*,
and
Else return T
A signature scheme which is mezzo con dential but not strongly con dential.
Confidential Hash Functions and Signature Schemes
Confidential Hash Functions
We recap the notion of a hiding hash function by Bellare et al., but call such functions con dential here. For our purposes, a hash function is a PPT pair of algorithms for key generation and hashing, respectively. We will identify the description output by the key generation algorithm H:Kg with the hash function H itself. The collision of an attacker A against a hash function H is defined as^{[5]}
A hash function is weakly (resp. strongly) con dential if every PPT attacker A has negligible advantage in the corresponding game subject to the following restraints:
 Pattern preserving: there exist a length function l(k) and equality functions such that for all possible we have that .
 High entropy: the function is negligible where the probability is only over A1's random tape. We de ne to be the adversary's minimum entropy.
In the random oracle model, where the adversary is granted oracle access to the hash function H instead of receiving the description as input, we give A1 access to the random oracle in the strong case, but deny A1 access to H in the weak case. It is easy to see that a random oracle thus achieves weak con dentiality, whereas the above attack on deterministic functions still applies in the strong case. However, under the additional constraint that A1 does not query H about any x in its output x (hashfree adversaries) a random oracle is also strongly con dential: ^{[6]}
Confidentiality of Random Oracles
For any adversary A = (A1; A2) where A1 outputs vectors of length and with minentropy , and where A2 makes at most queries to the random oracle, we have
for from where A is assumed to be hashfree (in the strong case).
As for constructions in the standard model, we note that perfectly oneway functions (POWs) provide a partial solution. POWs have been designed to hide all information about preimages, akin to our con dentiality notion. However, all known constructions of POWs are only good for xed (sets of) input distributions where the distributions can depend only on the security parameter but not the hash function description. Furthermore, known POWs usually require the conditional entropy of any xi to be high, given the other xj's. In light of this, any valued perfectly oneway function is a weakly con dential hash function. Hence, we can build such hash functions based, for example, on clawfree permutations or oneway permutations .^{[10]}
FullDomain Hash Signatures
A fulldomain hash (FDH) signature scheme FDH for deterministic hash function H is a signature scheme in which the signing algorithm computes a signature as for some secret function f, and the verification algorithm checks that for some public function g.^{[11]}
(1)
Return
(2)
Parse as
Return
(3)
Parse as
Return T if
Otherwise return T
Weak Confidentiality of FDH
The FDHsignature for hash function H is weakly con dential if H is weakly con dential. More precisely, for any adversary A = (A1; A2) against the weak confidentiality of FDH, where A1 outputs messages and A2 makes at most signature queries, there exists an adversary B = (B1; B2) against the weak con dentiality of the hash function such that^{[7]}
where B1's running time is identical to the one of A1, and B2's running time is the one of A2 plus.
The proof actually shows that the signature scheme remains con dential for an adversarially chosen key pair (f; g), i.e., confidentiality only relies on the confidentiality of the hash function. Moreover, by Proposition 1, we have that FDHsignature schemes are weakly con dential in the random oracle model.
Proof. Assume that FDH is not weakly con dential and that there exists an adversary A = (A1; A2) successfully breaking this property. Then we construct an adversary B = (B1; B2) against the weak con dentiality of the hash function as follows. Adversary B1 on input runs A1 on input and outputs this algorithm's answer .^{[12]}
Algorithm B2 receives as input a description H of the con dential hash func tion and a vector h of hash values. B2 runs , and computes signatures. It invokes A2 on and answers each subsequent signature request for message m by computing . When A2 outputs t' algorithm B2 copies this output and stops.
It is easy to see that B's advantage attacking the con dentiality of the hash function is identical to A's advantage attacking the con dentiality of the FDH signature scheme.^{[11]}
Strongly Confidential Signatures in the ROM
Recall from the previous section that FDH signatures leak the hash value of a message. To prevent this, we make the hashing process probabilistic and compute for randomness r. Then A1 cannot predict the hash values of the challenge messages due to r (which becomes public only afterwards) and A2 cannot guess the hash values due to the entropy in the message m (even though r is then known). Our instantiation is shown in Figure 5.^{[13]}
Random Oracle Instantiation
If H is a hash function modeled as a random oracle, then the signature scheme SS0 is strongly con  dential. That is, for any attacker A = (A1; A2) against the strong con dentiality of the signature scheme SS0, where A1 outputs a vector of length and with is a signature scheme. We define a new signature scheme SS’ as follows ^{[14]}
(1)
Return
(2)
Parse as
Return
(3)
Parse as
Parse as
Return
Construction of a strongly con dential signature scheme in the ROM
Minentropy , and where A2 asks at most qh oracle queries (signing queries and direct hash oracle queries), we have
FiatShamir Signature Schemes
Our second instantiation is based upon the FiatShamir paradigm that turns every (threeround) identi cation scheme into a signature scheme. An identification scheme (ID scheme) is defined by a triplet , where G is a key generation algorithm and the sender S wishes to prove his identity to the receiver R. More formally: is an eficient algorithm that outputs a key pair . are interactive algorithms and it is required that (where the probability is taken over the coin tosses of S; R and G). A canonical ID scheme is a 3round ID scheme in which is sent by the sender S, by the receiver R and consists of R's random coins, and is sent by the sender.^{[14]}
In order to prove the con dentiality of this scheme, we need to assume that the commitment of the FiatShamir scheme has nontrivial entropy. This can always be achieved by appending public randomness.
FiatShamir Instantiation
If H is a hash function modeled as a random oracle, then the FiatShamir instantiation SS for nontrivial commitments is strongly con dential. More precisely, for any attacker A = (A1; A2) against the strong con dentiality of the signature scheme SS where A1 outputs a message vector of length with minentropy , has minentropy , and A2 asks at most oracle queries (signing queries and direct hash oracle queries), we have
Suppose is a canonical identification scheme and H is a hash function family. We de ne the signature scheme SS’’=(SS.Setup’’, SS.Kg’’, SS.Sign’’, SS.Ver’’) as follows^{[15]}
(1)
Return
(2)
Parse as
Return
(3)
Parse as
Parse as
Return 1 iff
and
The FiatShamir paradigm that turns every ID scheme into a signature scheme.
Strongly Confidential Signatures from Randomness Extraction
Our instantiation in the standard model relies on randomness extractors and is depicted in Figure 7. The main idea is to smooth the distribution of the message via an extractor, and to sign the almost uniform value h^{[15]}
To ensure unforgeability we need to augment the extractor's extraction property by collisionresistance, imposing the requirement that the extractors be keyed and introducing dependency of the extractor's parameters on the security parameter k. For a survey about very e cient constructions of such collisionresistant extractors see .
In order to use extractors, we need a stronger assumption on the message distribution: we assume that the adversary A1 now outputs vectors of messages such that each message in the vector has minentropy greater than some xed bound given the other messages. Observe that the collisionresistance requirement on the extractor implies that must be superlogarithmic. We say that the output has conditional minentropy .^{[16]}
Extractor Instantiation
If extractor then the extractor instantiation of is strongly con dential. More specifically, for any attacker A = (A1; A2) against the strong con dentiality of the signature scheme SS, where A1 outputs a vector of length with conditional minentropy , we have
Note that our construction of the randomness extractor operates on messages of a fixed length of input bits, and the signature length depends on this Suppose is a signature scheme. We define a new signature scheme SS as follows value . ^{[17]}
(1)
Choose an extractor Ext
Return
(2)
Parse as
Return
(3)
Parse as
Parse as
Set
Return
Construction of strongly con dential signature scheme based on randomness extractors.
To process larger messages we can first hash input messages with a collisionresistant hash function, before passing it to the extractor. In this case, some care must be taken to determine a correct bound for the entropy lost through the hash function computation.
Deterministic Signcryption
Signcryption is a publickey primitive which aims to simultaneously provide message con dentiality and message integrity. Signcryption was introduced by Zheng and security models were independently introduced by An, Dodis and Rabin and by Baek, Steinfeld and Zheng . Similar to publickey encryption, achieving con dentiality in the formal security models requires that signcryption is a randomised process; however, we may also consider the con dentiality of deterministic signcryption schemes on highentropy message spaces. We will also see that a practical version of con dentiality may even be achieved by a deterministic signcryption scheme for low entropy message distributions.^{[16]}
Notions of Confidentiality for Signcryption Schemes
A signcryption scheme is a tuple of PPT algorithms ^{[9]} . The setup algorithm generates public parameters common to all algorithms. We will generally assume that all algorithms take sc as an implicit input, even if it is not explicitly stated. The sender keygeneration algorithm generates a key pair for the sender and the receiver keygeneration algorithm generates a key pair for a receiver . The signcryption algorithm takes as input a message m, the sender's private key , and the receiver's public key , and outputs a signcryption ciphertext C R SC:SignCrypt(skS; pkR; m). The unsigncryption algorithm takes as input a ciphertext C 2 C, the sender's public key , and the receiver's private key , and outputs either a message ^{[14]} or an error symbol.
It is interesting to consider the basic attack on a deterministic signcryption scheme. In such an attack, the attacker picks two messages (m0; m1) and receives a signcryption C of the message mb. The attacker checks whether C is the signcryption of m0 by requesting the signcryption of m0 from the signcryption oracle. As in the case of publickey encryption, we may prevent this basic attack by using a highentropy message space and so prevent the attacker being able to determine which message to query to the signcryption oracle. However, unlike the case of publickey encryption, we may also prevent this attacker by forbidding the attacker to query the signcryption oracle on m0 and m1. We can therefore di erentiate between the highentropy case (in which the message distribution chosen by the attacker has high entropy) and the lowentropy case (in which the attacker is forbidden from querying the signcryption oracle on a challenge message)..^{[10]}
We give de nitions for the highentropy and lowentropy con dentiality in Figure 8. In both cases, i.e. for x from {h,l}, the attacker's advantage is defined as
A signcryption scheme is highentropy con dential if every PPT attacker A has negligible advantage in the hSCR game subject to the following restrictions:^{[17]}
 Strongly pattern preserving  High entropy  Signature free  Nontrivial
A signcryption scheme is lowentropy con dential if every PPT attacker A has negligible advantage in the lSCR game subject to the restrictions that A never queries the encryption oracle, and A2 never queries the decryption oracle on (^{[16]}
Any deterministic signcryption scheme SC which is lowentropy con dential is also highentropy con dential. In particular, for any adversary A against highentropy con dentiality, making at most signcryption queries and where A1 outputs messages with minentropy , there exists an adversary A' such that
where the running time of A' equals the time of A plus ..^{[8]}
(1)
If then output 1
Else return 0
(2)
Output b'
The proof essentially shows that, since the challenge messages produced by a highentropy attacker A1 have minentropy , the probability that A2 queries the signcryption oracle on one of those messages is bounded by . If this does not occur, then a lowentropy attacker can easily run a highentropy attacker as a blackbox subroutine. The proof holds for deterministic schemes only. We are not aware if the same is true for probabilistic schemes.^{[16]}
We also have that the lowentropy con dentiality de nition is strictly stronger than the highentropy con dentiality de nition. If SC is a highentropy con dential signcryption scheme, then the signcryption scheme SC0 given in Figure 9 is highentropy con dential signcryption scheme but not a lowentropy con dential signcryption scheme.
A signcryption scheme which is highentropy secure but not lowentropy secure^{[15]}
(1)
if
Return
Else
Return
The EncryptandSign Signcryption Scheme
Initially, it may be thought that highentropy con dentiality may be easily achieved through the combination of deterministic encryption and con dential signatures.
However, many of the classic composition theorems, such as encryptthensign, fail to achieve highentropy security even when instantiated with secure components.^{[10]}

Derandomization
Goldreich presents a technique to turn any probabilistic signature scheme into a deterministic one. The idea is to include the secret key of a pseudorandom function (PRF:Kg; PRF) in the secret signing key and, when signing a message m, use the random coins r = PRF( ; m) in this process. Note that the resulting scheme now yields the same signature if run twice on the same message. A formal definition of a PRF can be found in Appendix A.
We show that Goldreich's idea applies to signcryption schemes as well, taking advantage of the fact that a signcryption scheme involves a secret signing key in which we can put the key of the pseudorandom function. Nonetheless, whereas a probabilistic signcryption scheme usually hides the fact that the same message has been encrypted twice, a derandomized version clearly leaks this information.^{[15]}
For a signcryption scheme the derandomized version based on a pseudorandom function works according to Goldreich's strategy: ^{[9]}
(1)
Return
(2)
Parse as
Return C
Derandomized Signcryption
Let be an unforgeable and highentropy (resp. lowentropy) con dential signcryption scheme. Then the scheme is a deterministic, unforgeable signcryption scheme which is highentropy (resp. lowentropy) con dential. That is, for x from {l,h} and any adversary A = (A1; A2) against con dentiality, there exist adversaries D and B = (B1; B2) such that^{[1]}
Acknowledgements
The authors wish to thank the ECRYPT II MAYA working group on the design and analysis of primitives and protocols for interesting preliminary discussions on this topic. The work described in this report has in part been supported by the Commission of the European Communities through the ICT program under contract ICT2007216676 ECRYPT II. The information in this document is provided as is, and no warranty is given or implied that the information is t for any particular purpose. The user thereof uses the information at its sole risk and liability. Dominique and Marc were supported by the Emmy Noether grant Fi 940/21 of the German Research Foundation (DFG), and by CASED (www.cased.de).
Referenses
Cite error: Invalid <references>
tag;
parameter "group" is allowed only.
<references />
, or <references group="..." />
 ↑ ^{1.0} ^{1.1} 18. N. A. HowgraveGraham and N. P. Smart. Lattice attacks on digital signature schemes. Designs, Codes and Cryptography, 23(3):283{290, 2001.
 ↑ ^{2.0} ^{2.1} ^{2.2} J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In L. Knudsen, editor, Advances in Cryptology – Eurocrypt 2002, volume 2332 of Lecture Notes in Computer Science, pages 83–107. SpringerVerlag, 2002.
 ↑ ^{3.0} ^{3.1} 9. J.S. Coron. On the exact security of full domain hash. In M. Bellare, editor,
 ↑ J16. Marc Fischlin. Anonymous signatures made easy. In PublicKey Cryptography (PKC) 2007, volume 4450 of Lecture Notes in Computer Science, pages 31{42. SpringerVerlag, 2007.
 ↑ ^{5.0} ^{5.1} ^{5.2} 15. M. Fischlin. Pseudorandom function tribe ensembles based on oneway permutations: Improvements and applications. In J. Stern, editor, Advances in Cryptology  Eurocrypt 1999, volume 1592 of Lecture Notes in Computer Science, pages 429{444. SpringerVerlag, 1999.
 ↑ ^{6.0} ^{6.1} ^{6.2} 13. D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography. SIAM Journal on Computing, 30(2):391{437, 2000...
 ↑ ^{7.0} ^{7.1} ^{7.2} J. Baek, R. Steinfeld, and Y. Zheng. Formal proofs for the security of signcryption. Journal of Cryptology, 20(2):203–235, 2007
 ↑ ^{8.0} ^{8.1} ^{8.2} 10. A. W. Dent, M. Fischlin, M. Manulis, M. Stam, and D. Schr•oder. Con dential signatures and deterministic signcryption. Available from http://eprint.iacr.org/2009/588, 2009.,
 ↑ ^{9.0} ^{9.1} ^{9.2} 12. Y. Dodis and A. Smith. Entropic security and the encryption of high entropy messages. In J. Kilian, editor, Theory of Cryptography { TCC 2005, volume 3378 of Lecture Notes in Computer Science, pages 556{577. SpringerVerlag, 2005..
 ↑ ^{10.0} ^{10.1} ^{10.2} 7. R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In B. Kaliski, editor, Advances in Cryptology – Crypto ’97, volume 1294 of Lecture Notes in Computer Science, pages 455–469. SpringerVerlag, 1997
 ↑ ^{11.0} ^{11.1} R. Canetti, D. Micciancio, and O. Reingold. Perfectly oneway probabilistic hash functions. In Proc. 30th Symposium on the Theory of Computing – STOC 1998, pages 131–140. ACM, 1998.
 ↑ M. Bellare, A. Boldyreva, and A. O’Neill. Deterministic and efficiently searchable encryption. In A. Menezes, editor, Advances in Cryptology – Crypto 2007, volume 4622 of Lecture Notes in Computer Science, pages 535–552. SpringerVerlag, 2007
 ↑ M. Bellare, M. Fischlin, A. O’Neill, and T. Ristenpart. Deterministic encryption: Definitional equivalences and constructions without random oracles. In D. Wagner, editor, Advances in Cryptology – Crypto 2008, volume 5157 of Lecture Notes in Computer Science, pages 360–378. SpringerVerlag, 2008.
 ↑ ^{14.0} ^{14.1} ^{14.2} 14. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identi cation and signature problems. In A. Odlyzko, editor, Advances in Cryptology { Crypto '86, volume 263 of Lecture Notes in Computer Science, pages 186{194. SpringerVerlag, 1986
 ↑ ^{15.0} ^{15.1} ^{15.2} ^{15.3} 6. A. Boldyreva, S. Fehr, and A. O’Neill. On notions of security for deterministic encryption, and efficient constructions without random oracles. In D. Wagner, editor, Advances in Cryptology – Crypto 2008, volume 5157 of Lecture Notes in Computer Science, pages 335–359. SpringerVerlag, 2008.
 ↑ ^{16.0} ^{16.1} ^{16.2} ^{16.3} 5. M. Bellare and P. Rogaway. The exact security of digital signatures — how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – Eurocrypt ’96, volume 1070 of Lecture Notes in Computer Science, pages 399–416. SpringerVerlag, 1996.
 ↑ ^{17.0} ^{17.1} 17. O. Goldreich. Two remarks concerning the GoldwasserMicaliRivest signature scheme. In A. M. Odlyzko, editor, Proceedings on Advances in Cryptology { Crypto '86, volume 263 of Lecture Notes in Computer Science, pages 104{110. SpringerVerlag, 1987.
Присоединяйся к команде
ISSN:
Следуй за Полисом
Оставайся в курсе последних событий
License
Except as otherwise noted, the content of this page is licensed under the Creative Commons Creative Commons «AttributionNonCommercialNoDerivatives» 4.0 License, and code samples are licensed under the Apache 2.0 License. See Terms of Use for details.