Verifiable Partial Sharing of Integer Factors
In Selected Areas in Cryptography (SAC '98), 1998
Cited by 2 (0 self)
It is not known to date how to partially share the factors of an integer (e.g., an RSA modulus) with verifiability. We construct such a scheme on exploitation of a significantly lowered complexity for factoring n = pq using a non-trivial factor of φ(n).

1 Introduction

Partial key escrow purports to add a great deal of difficulty to mass privacy intrusion, which is possible in ordinary key escrow with abusive authorities, while preserving the property of an ordinary escrowed cryptosystem in targeting a small number of criminals. In partial key escrow, a portion of an individual's private key with an agreed and proved size will not be in escrow. Key recovery requires a non-trivial effort to determine the missing part. A partial key escrow scheme must render that the determination of the missing key part will only be possible after recovery of the key part in escrow (usually with a set of distributed agents who are collectively trusted to share the escrowed key part). If the missing par...
Single-bit re-encryption with applications to distributed proof systems
In Proceedings of the ACM Workshop on Privacy in the Electronic Society (WPES), 2007
Cited by 2 (0 self)
We examine the implementation of the distributed proof system designed by Minami and Kotz [17]. We find that, although a high-level analysis shows that it preserves confidentiality, the implementation of the cryptographic primitives contains a covert channel that can leak information. Moreover, this channel is present with any traditional choice of public key encryption functions. To remedy this problem, we use the Goldwasser-Micali cryptosystem to implement single-bit re-encryption and show how to make it free of covert channels. We then extend the primitive to support commutative encryption as well. Using this primitive, we design a variant of the Minami-Kotz algorithm that not only is free of covert channels, but also has additional proving power over the original design.
The Graph Clustering Problem has a Perfect Zero-Knowledge Proof
1998
Cited by 1 (0 self)
The input to the Graph Clustering Problem consists of a sequence of integers $m_1, \dots, m_t$ and a sequence of $\sum_{i=1}^{t} m_i$ graphs. The question is whether the equivalence classes, under the graph isomorphism relation, of the input graphs have sizes which match the input sequence of integers. In this note we show that this problem has a (perfect) zero-knowledge interactive proof system.

Keywords: Graph Isomorphism, Zero-Knowledge Interactive Proofs.

1 Introduction

The remarkable notion of perfect zero-knowledge proofs was introduced by Goldwasser, Micali and Rackoff [GoMiRa]. A perfect zero-knowledge proof system is a method for a prover to convince a polynomial-time bounded verifier with very high probability that a certain assertion is true without revealing any additional information (in an information-theoretic sense). Not many are the languages which have been shown to have a perfect zero-knowledge proof system; in particular, all of them share number-theoretic or random self-red...
Towards signature-only signature schemes
Advances in Cryptology -- ASIACRYPT'2000, volume 1976 of LNCS, 2000
Cited by 1 (0 self)
We consider a problem which was stated in a request for comments made by NIST in the FIPS97 document. The question is the following: Can we have a digital signature public key infrastructure where the public (signature verification) keys cannot be abused for performing encryption? This may be applicable in the context of, say, exportable/escrow cryptography. The basic dilemma is that on the one hand, (1) to avoid framing by potentially misbehaving authorities we do not want them to ever learn the “signing keys” (e.g., Japan at some point declared a policy where signature keys may be required to be escrowed), and on the other hand (2) if we allow separate inaccessible public signature verification keys, these keys (based on trapdoor functions) can be used as “shadow public-keys,” and hence can be used to encrypt data in an unrecoverable manner. Any solution within the “trapdoor function” paradigm of Diffie and Hellman does not seem to lead to a solution which will simultaneously satisfy (1) and (2). The cryptographic community so far has paid very limited attention to
RSA-based Auto-Recoverable Cryptosystems
In Proceedings of PKC2000, LNCS 1751, 2000
Cited by 1 (0 self)
The deployment of a “public-key infrastructure” (PKI) has recently started. Another recent concern in business and on the national level is the issue of escrowed encryption, key recovery, and emergency access to information (e.g., in the medical record area). Independent development of a PKI and an escrowed PKI (whenever required or desired) will pose a lot of constraints, duplicated effort and increased costs of the deployment. It will introduce inter-operability issues which will be hard to overcome. Thus, what we advocate here is a joint design of an escrowed PKI and a regular PKI. In this work we develop an approach to such an integrated design. We give the first auto-recoverable systems based on RSA (or factoring), whereas the original auto-recoverable auto-certifiable schemes were based on Discrete Logarithm based keys. The security proof of our system assumes only that RSA is hard, while the original schemes required new specific discrete log based assumptions. We also put forth the notion of “generic” auto-recoverable systems where one can start with an unescrowed user key and then by simply doing “re-registration”, change the key into an escrowed one. In contrast, in the original systems the user keys were tightly connected with the escrow authorities’ key. Besides this novel (re)-registration procedure there are no changes or differences for users between a PKI and a generic auto-recoverable PKI.
How to Prove That a Committed Number Is
The problem of proving a number is of a given arithmetic format with some prime elements is raised in RSA undeniable signature, group signature and many other cryptographic protocols. So far, there have been several studies in the literature on this topic. However, except the scheme of Camenisch and Michels, other works are only limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels’s scheme, the main building block is a protocol to prove a committed number to be prime based on algebraic primality testing algorithms. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more efficient than Camenisch and Michels’s protocol, where t is the security parameter. This results in O(t) time improvement for the overall scheme.
How to Prove That a Committed Number is Prime
2000
The problem of proving a number is of an arithmetic format of which some elements are prime is raised in RSA undeniable signature, group signature and many other cryptographic protocols. So far, there have been several studies in the literature on this topic. However, except the scheme of Camenisch and Michels, other works are only limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels's scheme, the main building block is a protocol to prove a committed number to be prime. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more efficient than Camenisch and Michels's protocol, where t is the security parameter. This results in O(t) time improvement for the overall scheme.
On Design of RSA Threshold Signature Scheme
2001
Almost all threshold signature schemes based on secret sharing such as polynomial sharing have a common weakness that they cannot resist the conspiracy attack. The reason is that the manager possesses the secret share of each member, and the secret can be retrieved by an adversary if the adversary can corrupt t members (where t is the threshold).