On Designated Verifier Signature Schemes
Designated verifier signature schemes allow a signer to convince only the designated verifier that a signed message is authentic. We define attack models on the unforgeability property of such schemes and analyze relationships among the models. We show that the no-message model, where an adversary is given only public keys, is equivalent to the model, where an adversary has also oracle access to the verification algorithm. We also show a separation between the no-message model and the chosen-message model, where an adversary has access to the signing algorithm. Furthermore, we present a modification of the Yang-Liao designated verifier signature scheme and prove its security. The security of the modified scheme is based on the computational Diffie-Hellman problem, while the original scheme requires strong Diffie-Hellman assumption.
Attacking M&M Collective Signature Scheme
A collective signature scheme aims to solve the problem of signing a message by multiple signers. Recently, Moldovyan and Moldovyan  proposed a scheme for collective signatures based on Schnorr signatures. We show some security weaknesses of the scheme.
On Ciphertext Undetectability
We propose a novel security notion for public-key encryption schemes -- ciphertext undetectability. Informally, an encryption scheme has the property of ciphertext undetectability, if the attacker is unable to distinguish between valid and invalid ciphertexts. We compare this notion with the established ones, such as indistinguishability of ciphertexts and plaintext awareness. We analyze the possibilities of constructing schemes with the property of ciphertext undetectability. Moreover, we prove that the Damgard ElGamal, the Cramer-Shoup scheme and its lite variant achieve ciphertext undetectability under standard assumptions.
Attacking LCCC Batch Verification of RSA Signatures
Batch verification of digital signatures is used to improve the computational complexity when large number of digital signatures must be verified. Lee at al.  proposed a new method to identify bad signatures in batches efficiently. We show that the method is flawed.
On High-Rate Cryptographic Compression Functions
The security of iterated hash functions relies on the properties of underlying compression functions. We study highly efficient compression functions based on block ciphers. We propose a model for high-rate compression functions, and give an upper bound for the rate of any collision resistant compression function in our model. In addition, we show that natural generalizations of constructions by Preneel, Govaerts, and Vandewalle to the case of rate-$2$ compression functions are not collision resistant.