Results 1  10
of
74
Efficient proofs that a committed number lies in an interval
, 2000
"... Abstract. Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or in ..."
Abstract

Cited by 161 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or inexact (i.e. proved membership to a much larger interval). This paper presents a new proof, which is both efficient and exact. Here, “efficient ” means that there are less than 20 exponentiations to perform and less than 2 Kbytes to transmit. The potential areas of application of this proof are numerous (electronic cash, group signatures, publicly verifiable secret encryption, etc...). 1
Practical Verifiable Encryption and Decryption of Discrete Logarithms
, 2003
"... Abstract. This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protoco ..."
Abstract

Cited by 150 (21 self)
 Add to MetaCart
Abstract. This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cutandchoose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures. 1
Proving in ZeroKnowledge that a Number is the Product of Two Safe Primes
, 1998
"... This paper presents the first efficient statistical zeroknowledge protocols to prove statements such as: A committed number is a pseudoprime. ..."
Abstract

Cited by 131 (13 self)
 Add to MetaCart
(Show Context)
This paper presents the first efficient statistical zeroknowledge protocols to prove statements such as: A committed number is a pseudoprime.
Compact ecash
 In EUROCRYPT, volume 3494 of LNCS
, 2005
"... Abstract. This paper presents efficient offline anonymous ecash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the yDDHI assumptions, where the complexity of the withdrawal and s ..."
Abstract

Cited by 95 (18 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents efficient offline anonymous ecash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the yDDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) andtheuser’s wallet can be stored using O(ℓ + k) bits,wherek is a security parameter. The best previously known schemes require at least one of these complexities to be O(2 ℓ · k). In fact, compared to previous ecash schemes, our whole wallet of 2 ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has doublespent. We then extend our scheme to our second result, the first ecash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2 ℓ coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k 2) bits, respectively, and wallets take O(ℓ · k) bitsofstorage. All our schemes are secure in the random oracle model.
How to win the clonewars: efficient periodic ntimes anonymous authentication
 In ACM Conference on Computer and Communications Security
, 2006
"... We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n etokens. She shows an etoken to a verifier to authenticate herself; each etoken can be used only once, however, the dispenser automatically refreshes ..."
Abstract

Cited by 59 (12 self)
 Add to MetaCart
(Show Context)
We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n etokens. She shows an etoken to a verifier to authenticate herself; each etoken can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damg˚ard et al. [30], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damg˚ard et al. also only support one authentication per time period, while we support n. Because our construction is based on ecash, we can use existing techniques to identify a cheating user, trace all of her etokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse etokens. The verifier can always recognize a reused etoken; however, we preserve the anonymity of users who do not reuse etokens too often. 1
1outofn signatures from a variety of keys
 In Advances in Cryptology  ASIACRYPT 2002, LNCS
, 2002
"... Abstract. This paper addresses how to use publickeys of several different signature schemes to generate 1outofn signatures. Previously known constructions are for either RSAkeys only or DLtype keys only. We present a widely applicable method to construct a 1outofn signature scheme that allo ..."
Abstract

Cited by 54 (0 self)
 Add to MetaCart
(Show Context)
Abstract. This paper addresses how to use publickeys of several different signature schemes to generate 1outofn signatures. Previously known constructions are for either RSAkeys only or DLtype keys only. We present a widely applicable method to construct a 1outofn signature scheme that allows mixture use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of keys. With all DLtype keys, it yields shorter signatures than the ones of the previously known scheme based on the witness indistinguishable proofs by Cramer, et. al. With all RSAtype keys, it reduces both computational and storage costs compared to that of the Ring signatures by Rivest, et. al. 1
ktimes anonymous authentication (Extended Abstract)
 IN ASIACRYPT, VOLUME 3329 OF LNCS
, 2004
"... We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features that allow 1) no one, not even an authority, identify users who have been authenticated within the all ..."
Abstract

Cited by 29 (0 self)
 Add to MetaCart
(Show Context)
We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features that allow 1) no one, not even an authority, identify users who have been authenticated within the allowable number, and that allow 2) anyone to trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Although identity escrow/group signature schemes allow users to be anonymously authenticated, the authorities in these schemes have the unnecessary ability to trace any user. Moreover, since it is only the authority who is able to trace users, one needs to make cumbersome inquiries to the authority to see how many times a user has been authenticated. Our scheme can be applied to evoting, ecash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users’ participation from protocols and guarantees that they will remain anonymous to everyone.
Efficient Group Signatures without Trapdoors
, 2002
"... Group signature schemes are fundamental cryptographic tools that enable unlinkably anonymous authentication, in the same fashion that digital signatures provide the basis for strong authentication protocols. In this paper we present the first group signature scheme with constantsize parameters that ..."
Abstract

Cited by 28 (1 self)
 Add to MetaCart
Group signature schemes are fundamental cryptographic tools that enable unlinkably anonymous authentication, in the same fashion that digital signatures provide the basis for strong authentication protocols. In this paper we present the first group signature scheme with constantsize parameters that does not employ any trapdoor function. This novel type of group signature scheme allows public parameters to be shared among organizations. Such sharing represents a highly desirable simpli cation over existing schemes, which require each organization to maintain a separate cryptographic domain.
Timed Release of Standard Digital Signatures (Extended Abstract)
 In Financial Cryptography ’02
, 2002
"... In this paper, we investigate the timed release of standard digital signatures, and demonstrate how to do it for RSA, Schnorr and DSA signatures. Such signatures, once released, cannot be distinguished from signatures of the same type obtained without a timed release, making it transparent to an obs ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
In this paper, we investigate the timed release of standard digital signatures, and demonstrate how to do it for RSA, Schnorr and DSA signatures. Such signatures, once released, cannot be distinguished from signatures of the same type obtained without a timed release, making it transparent to an observer of the end result. While previous work has allowed timed release of signatures, these have not been standard, but specialpurpose signatures.
Fair Encryption of RSA Keys
 IN PROCEEDINGS OF EUROCRYPT 2000, VOLUME 1807 OF LNCS
, 2000
"... Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without comp ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
(Show Context)
Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without compromising secrecy. We consider an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party. In this setting we wish to provide a publicly verifiable proof that the third party is able to recover the secret key if needed. Our emphasis is on size; we believe that the proof should be of the same length as the original key. In this paper, we propose such proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem. Our proofs are really efficient since in practical terms they are only a few hundred bytes long. As an application, we design a very simple and efficient key recovery system.