Taek-Young YOUN Young-Ho PARK Jongin LIM
In 1999, Gennaro, Halevi and Rabin proposed a signature which achieves provable security without assuming random oracles, and it is the first RSA-type signature whose security is proved in the standard model. Since that time, several signatures have been proposed to achieve better efficiency or useful properties along with provable security in the standard model. In this paper, we construct a trapdoor hash function, and design an efficient online/offline signature by using the trapdoor hash function. Our signature scheme requires only one non-modular multiplication of two small integers for online signing, and it provides the fastest online signing among all online/offline signatures that achieve provable security in the standard model.
Nam-Su JHO Daesung MOON Taek-Young YOUN
For reliable storage services, we need a way not only to monitor the state of stored data but also to recover the original data when some data loss is discovered. To solve the problem, a novel technique called HAIL has been proposed. Unfortunately, HAIL cannot support dynamic data, which is changed according to users' modification queries. There are many applications where dynamic data are used. So, we need a way to support dynamic data in cloud services in order to use cloud storage systems for various applications. In this paper, we propose a new technique that can support the use of dynamic data in cloud storage systems. For dynamic data update, we design a new data chunk generation strategy which guarantees efficient data insertion, deletion, and modification. Our technique requires O(1) operations for each data update, while existing techniques require O(n) operations, where n is the size of the data.
Taek-Young YOUN Young-Ho PARK Jongin LIM
Trapdoor commitment schemes are widely used for adding valuable properties to ordinary signatures or enhancing the security of weakly secure signatures. In this letter, we propose a trapdoor commitment scheme based on the RSA function, and prove its security under the hardness of integer factoring. Our scheme is very efficient in computing a commitment. In particular, it requires only three multiplications for evaluating a commitment when e=3 is used as the public exponent of the RSA function. Moreover, our scheme has two useful properties, key exposure freeness and strong trapdoor opening, which are useful for designing secure chameleon signature schemes and converting a weakly secure signature to a strongly secure signature, respectively.
Distance bounding protocols permit a verifier to compute the distance to a prover by measuring the execution time of n rounds of challenge-response authentication. Many protocols have been proposed to reduce the false acceptance rate of the challenge-response procedure. Until now, it has been widely believed that the lowest bound of the false acceptance rate is (1/2)^n when n is the number of rounds and the prover can send only one response bit for each round. In this paper, we propose a new distance bounding protocol whose false acceptance rate is (1/3)^n against the distance fraud attacks and the mafia fraud attacks. To reduce the false acceptance rate, we use two challenge bits for each iteration and introduce a way of expressing three cases with the use of only one response bit, the same bit length as existing protocols. Our protocol is the first distance bounding protocol whose false acceptance rate is lower than the currently believed minimal bound without increasing the number of response bits for each round.
Taek-Young YOUN Young-Ho PARK Taekyoung KWON Soonhak KWON Jongin LIM
Previously proposed batch signature schemes do not allow a signer to generate a signature immediately for sequentially asked signing queries. In this letter, we propose flexible batch signatures which do not need any waiting period and have very light computational overhead. Therefore our schemes are well suited for low power devices.
JungYeon HWANG Taek-Young YOUN Willy SUSILO
Recently, several ID-based key sharing schemes have been proposed, where an initiation phase generates users' secret keys associated with identities under the hardness of integer factorization. In this letter, we show that, unfortunately, any key sharing scheme with this initiation phase is intrinsically insecure in the sense that the collusion of some users enables them to derive master private keys and hence to generate any user's secret key.
Keita EMURA Jae Hong SEO Taek-Young YOUN
Boneh and Franklin considered adding revocation functionality to identity-based encryption (IBE). Though this methodology is applicable to any IBE and hierarchical IBE (HIBE), the resulting scheme is non-scalable. Therefore, a generic transformation of scalable revocable (H)IBE (R(H)IBE) from non-scalable R(H)IBE is really desirable. Towards this final goal, in this paper we introduce prototype RHIBE, which is not required to be scalable (but requires some conditions), and propose a generic transformation of scalable RHIBE from prototype RHIBE. Moreover, we construct a prototype RHIBE scheme based on the decisional bilinear Diffie-Hellman (DBDH) assumption. Since our prototype RHIBE provides history-free update, insider security, and decryption key exposure resistance, our construction yields the first RHIBE scheme based on the static assumption with these desirable properties.