## CryptoDB

### Huafei Zhu

#### Publications

Year
Venue
Title
2007
PKC
2004
PKC
2004
EPRINT
In this paper, we provide a new approach to study undeniable signatures by translating secure digital signatures to secure undeniable signatures so that the existing algorithms can be used. Our mechanism is that any verifier without trapdoor information cannot distinguish whether a message is encoded from Diffie-Hellamn resource $D$ or random resource $R$ while a signer with trapdoor information can distinguish efficiently a codeword which is computed from $D$ or $R$. We show how our mechanism can be efficiently achieved and provide proofs of security for our schemes in the standard complexity model. We also provide evidences to show that our approach can be applied to construct designated confirmer signatures, designated verifier signatures as well.
2003
EPRINT
We present a practical protocol that allows two players to negotiate price over the Internet in a deniable way so that a player $A$ can prevent another player $B$ from showing this offer $P$ to a third party $C$ in order to elicit a better offer while player $B$ should be sure that this offer $P$ generated by $A$, but should $C$ be unclear whether $P$ is generated by $A$ or $B$ itself, even $C$ and $B$ fully cooperated. Our protocol is a standard browser-server model and uses a trusted third party, but only in a very limited fashion: the trusted third party is only needed in the cases where one player attempts to cheat or simply crashes, therefore, in the vast of majority transactions, the third party is not to be involved at all. In addition, Our price negotiable transaction system enjoys the following properties: \begin{description} \item[(1)]It works in an asynchronous communication model. \item[(2)]It is inter-operated with existing or proposed scheme for electronics voting system; \item[(3)]The two players need not sacrifice their privacy in making use of the trusted third party; \item[(4)]The deniable property can be proved secure in the random oracle paradigm, while the matching protocol can be proved secure in the standard intractable assumption. \end{description}
2003
EPRINT
In distributed networks, a target party $T$ could be a person never meet with a source party $S$, therefore $S$ may not hold any prior evaluation of trustworthiness of $T$. To get permit to access $S$, $T$ should be somewhat trusted by $S$. Consequently, we should study the approach to evaluate trustworthiness of $T$. To attack the problem, we view individual participant in distributed networks as a node of a delegation graph $G$ and map a delegation path from target party $T$ to source party $S$ in networks into an edge in the correspondent transitive closure of graph $G$. Based on the transitive closure property of the graph $G$, we decompose the problem to three related questions below: -how to evaluate trustworthiness of participants in an edge? -how to compute trustworthiness of participants in a path? -how to evaluate the trustworthiness of a target participant in a transitive closure graph? We attack the above three questions by first computing trustworthiness of participants in distributed and authenticated channel. Then we present a practical approach to evaluate trustworthiness by removing the assumption of the authenticated channel in distributed networks.
2003
EPRINT
We study elliptic curve cryptosystems by first investigating the schemes defined over $Z_p$ and show that the scheme is provably secure against adaptive chosen cipher-text attack under the decisional Diffie-Hellman assumption. Then we derive a practical elliptic curve cryptosystem by making use of some nice elliptic curve where the decisional Diffie-Hellman assumption is reserved.
2003
EPRINT
Following from the remarkable works of Cramer and Shoup \cite{CS}, three trapdoor hash signature variations have been presented in the literature: the first variation was presented in CJE'01 by Zhu \cite{Zhu}, the second variation was presented in SCN'02 by Camenisch and Lysyanskaya \cite{CL} and the third variation was presented in PKC'03 by Fischlin \cite{Fis}. All three mentioned trapdoor hash signature schemes have similar structure and the security of the last two modifications is rigorously proved. We point out that the distribution of variables derived from Zhu's signing oracle is different from that generated by Zhu's signing algorithm since the signing oracle in Zhu's simulator is defined over $Z$, instead of $Z_n$. Consequently the proof of security of Zhu's signature scheme should be studied more precisely. We also aware that the proof of Zhu's signature scheme is not a trivial work which is stated below: \begin{itemize} \item the technique presented by Cramer and Shoup \cite{CS} cannot be applied directly to prove the security of Zhu's signature scheme since the structure of Cramer-Shoup's trap-door hash scheme is double deck that is easy to simulate a signing query as the order of subgroup $G$ is a public parameter; \item the technique presented by Camenisch and Lysyanskaya \cite{CL} cannot be applied directly since there are extra security parameters $l$ and $l_s$ guide the statistical closeness of the simulated distributions to the actual distribution; \item the technique presented by Fischlin cannot be applied directly to Zhu's signature scheme as the security proof of Fischlin's signature relies on a set of pairs $(\alpha_i, \alpha_i \oplus H(m_i))$ while the security proof of Zhu's signature should rely on a set of pairs $(\alpha_i, H(m_i))$. \end{itemize} In this report, we provide an interesting random argument technique to show that Zhu's signature scheme immune to adaptive chosen-message attack under the assumptions of the strong RSA problem as well as the existence of collision free hash functions.
2003
EPRINT
In this paper, we study the security notions of verifiably committed signatures by introducing privacy and cut-off time, and then we propose the first scheme which is provably secure in the standard complexity model based on the strong RSA assumption. The idea behind the construction is that given any valid partial signature of messages, if a co-signer with its auxiliary input is able to generate variables called the resolution of messages such that the distribution of the variables is indistinguishable from that generated by the primary signer alone from the views of the verifier/arbitrator, a verifiably committed signature can be constructed.
2003
EPRINT
In PODC 2003, Park et al. \cite{PCSR} first introduce a connection between fair exchange and sequential two-party multi-signature scheme and provide a novel method of constructing fair exchange protocol by distributing the computation of RSA signature. This approach avoids the design of verifiable encryption scheme at the expense of having co-signer store a piece of prime signer's secret key. Dodis and Reyzin \cite{DR} showed that the protocol in \cite{PCSR} is totally breakable in the registration phase, then presented a remedy scheme which is provably secure in the random oracle model, by utilizing Boldyreva non-interactive two-party multi-signature scheme \cite{Bo}. Security in the random oracle model does not imply security in the real world. In this paper, we provide the first two efficient committed signatures which are provably secure in the standard complexity model from strong RSA assumption. Then we construct efficient optimistic fair exchange protocols from those new primitives.
2002
PKC
2002
EPRINT
We present a new public key cryptosystem based on the notion called square decisional Diffie-Hellman problem. The scheme is provably secure against adaptive chosen cipher-text attack under the hardness assumption of the square decisional Diffie-Hellman problem. Compared with Cramer and Shoup's notable public key scheme, our scheme enjoys several nice features: (1)Both schemes are provably secure against adaptive chosen cipher-text attack under the intractability paradigm (the security of Cramer-Shoup's scheme is based on the standard decisional Diffie-Hellman problem while ours based on the square decisional Diffie-Hellman problem; (2)The computational and communication complexity of our scheme is equivalent to the Cramer and Shoup's scheme however, the test function of Cramer-shoup's scheme is linear while our scheme is non-linear, therefore our reduction is more efficient.

#### Coauthors

Feng Bao (1)
Xiaotie Deng (1)
Robert H. Deng (1)
Chan H. Lee (1)
Yi Mu (1)
Willy Susilo (1)