Results 1 - 10 of 22
Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes
, 1998
Cited by 121 (13 self)
This paper presents the first efficient statistical zero-knowledge protocols to prove statements such as: A committed number is a pseudoprime.
Separability and Efficiency for Generic Group Signature Schemes (Extended Abstract)
, 1999
Cited by 74 (13 self)
A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a key-management as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an efficient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depe...
On Monotone Formula Closure of SZK
, 1994
Cited by 41 (1 self)
We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the noninteractive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that interactive SZK for random self reducible languages (RSR) (and for co-RSR) is closed under monotone boolean operations. Namely, we give SZK proofs for monotone boolean formulae whose atoms are statements about an SZK language which is RSR (or a complement of RSR). All previously known languages in SZK are in these classes. We then show that if a language L has a noninteractive SZK proof system then honest-verifier interactive SZK proof systems exist for all monotone boolean formulae whose atoms are statements about the complement of L. We also discuss extensions and generalizations. 1 Introduction Goldwasser, Micali, and Rackoff [34] introduced the notion of a zero-knowledge proof, a proof ...
Statistical zero-knowledge proofs with efficient provers: Lattice problems and more
 In CRYPTO
, 2003
Cited by 39 (9 self)
We construct several new statistical zero-knowledge proofs with efficient provers, i.e. ones where the prover strategy runs in probabilistic polynomial time given an NP witness for the input string. Our first proof systems are for approximate versions of the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP), where the witness is simply a short vector in the lattice or a lattice vector close to the target, respectively. Our proof systems are in fact proofs of knowledge, and as a result, we immediately obtain efficient lattice-based identification schemes which can be implemented with arbitrary families of lattices in which the approximate SVP or CVP are hard. We then turn to the general question of whether all problems in SZK ∩ NP admit statistical zero-knowledge proofs with efficient provers. Towards this end, we give a statistical zero-knowledge proof system with an efficient prover for a natural restriction of Statistical Difference, a complete problem for SZK. We also suggest a plausible approach to resolving the general question in the positive.
Two-Party Generation of DSA Signatures
, 2004
Cited by 27 (7 self)
We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain instantiation that allows a proof of security for concurrent execution in the random oracle model and that is very practical. We also briefly outline a variation that requires more rounds of communication but that allows a proof of security for sequential execution without random oracles.
Timed-Release Cryptography
 In Selected Areas in Cryptography VIII (SAC'01)
, 2001
Cited by 16 (0 self)
Let $n$ be a large composite number. Without factoring $n$, the computation of $a^{2^t} \pmod{n}$ given $a$, $t$ with $\gcd(a, n) = 1$ and $t < n$ can be done in $t$ squarings modulo $n$. For $t \ll n$ (e.g., $n > 2^{1024}$ and $t < 2^{100}$), no lower complexity than $t$ squarings is known to fulfill this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessity for a zero-knowledge proof of the correctness of such constructions and propose the first practically efficient protocol for a realisation. Our protocol proves, in $\log_2 t$ standard crypto operations, the correctness of $(a^e)^{2^t} \pmod{n}$ with respect to $a^e$ where $e$ is an RSA encryption exponent. With such a proof, a Timed-release Encryption of a message $M$ can be given as $a^{2^t} M \pmod{n}$ with the assertion that the correct decryption of the RSA ciphertext $M^e \pmod{n}$ can be obtained by performing $t$ squarings modulo $n$ starting from $a$. Timed-release RSA signatures can be constructed analogously. Keywords: Timed-release cryptography, Time-lock puzzles, Non-parallelisability, Efficient zero-knowledge protocols.
Security of Signature Schemes in a Multi-User Setting
, 2001
Cited by 14 (1 self)
This paper considers the security of signature schemes in the multi-user setting. We argue that the well-accepted notion of security for signature schemes, namely existential unforgeability against adaptive chosen-message attacks, is not adequate for the multi-user setting. We extend this security notion to the multi-user setting and show that signature schemes proven secure in the single-user setting can, under reasonable constraints, also be proven secure in the multi-user setting.
Short Proofs of Knowledge for Factoring
 in PKC 2000, Springer LNCS 1751
, 2000
Cited by 12 (4 self)
The aim of this paper is to design a proof of knowledge for the factorization of an integer n. We propose a statistical zero-knowledge protocol similar to proofs of knowledge of discrete logarithm à la Schnorr. The efficiency improvement in comparison with the previously known schemes can be compared with the difference between the Fiat-Shamir scheme and the Schnorr one. Furthermore, the proof can be made noninteractive. From a practical point of view, the improvement is dramatic: the size of such a noninteractive proof is comparable to the size of the integer n and the computational resources needed can be kept low; three modular exponentiations both for the prover and the verifier are enough to reach a high level of security. This paper appears in the proceedings of PKC2000, LNCS, Springer Verlag, 2000. 1 Introduction Zero-knowledge (ZK) proofs have first been proposed in 1985 by Goldwasser, Micali and Rackoff [14]. Those proofs are interactive protocols between a prover who wan...
Secret Sharing and Perfect Zero Knowledge
 PROC. OF CRYPTO 93, SPRINGER VERLAG LNCS SERIES
, 1994
Cited by 9 (1 self)
In this work we study relations between secret sharing and perfect zero knowledge in the noninteractive model. Both secret sharing schemes and noninteractive zero knowledge are important cryptographic primitives with several applications in the management of cryptographic keys, in multiparty secure protocols, and many other areas. Secret sharing schemes are very well-studied objects while noninteractive perfect zero-knowledge proofs seem to be very elusive. In fact, since the introduction of the noninteractive model for zero knowledge, the only perfect zero-knowledge proof known was for quadratic non residues. In this work, we show that a large class of languages related to quadratic residuosity admits noninteractive perfect zero-knowledge proofs. More precisely, we give a protocol for proving noninteractively and in perfect zero knowledge the veridicity of any "threshold" statement where atoms are statements about the quadratic character of input elements. We show that our technique is very general and extend this result to any secret sharing scheme (of which threshold schemes are just an example).
RSA Key Generation with Verifiable Randomness
 In Public Key Cryptography 2002, LNCS 2274
, 2002
Cited by 7 (1 self)
We consider the problem of proving that a user has selected and correctly employed a truly random seed in the generation of her RSA key pair. This task is related to the problem of key validation, the process whereby a user proves to another party that her key pair has been generated securely. The aim of key validation is to persuade the verifying party that the user has not intentionally weakened or reused her key or unintentionally made use of bad software. Previous approaches to this problem have been ad hoc, aiming to prove that a private key is secure against specific types of attacks, e.g., that an RSA modulus is resistant to elliptic-curve-based factoring attacks. This approach results in a rather unsatisfying laundry list of security tests for keys. We propose a new approach that we refer to as key generation with verifiable randomness (KEGVER). Our aim is to show in zero knowledge that a private key has been generated at random according to a prescribed process, and is therefore likely to benefit from the full strength of the underlying cryptosystem. Our proposal may be viewed as a kind of distributed key generation protocol involving the user and verifying party. Because the resulting private key is held solely by the user, however, we are able to propose a protocol much more practical than conventional distributed key generation. We focus here on a KEGVER protocol for RSA key generation. Key words: certificate authority, key generation, non-repudiation, public-key infrastructure, verifiable randomness, zero knowledge