Verifiable Partial Sharing of Integer Factors
In Selected Areas in Cryptography (SAC '98), 1998
Abstract
It is not known to date how to partially share the factors of an integer (e.g., an RSA modulus) with verifiability. We construct such a scheme by exploiting the significantly lowered complexity of factoring n = pq given a nontrivial factor of $\varphi(n)$. 1 Introduction. Partial key escrow purports to add a great deal of difficulty to mass privacy intrusion, which is possible in ordinary key escrow with abusive authorities, while preserving the property of an ordinary escrowed cryptosystem in targeting a small number of criminals. In partial key escrow, a portion of an individual's private key, with an agreed and proved size, will not be in escrow. Key recovery requires a nontrivial effort to determine the missing part. A partial key escrow scheme must ensure that the determination of the missing key part is only possible after recovery of the key part in escrow (usually with a set of distributed agents who are collectively trusted to share the escrowed key part). If the missing par...
Single-bit re-encryption with applications to distributed proof systems
In Proceedings of the ACM Workshop on Privacy in the Electronic Society (WPES), 2007
Abstract
We examine the implementation of the distributed proof system designed by Minami and Kotz [17]. We find that, although a high-level analysis shows that it preserves confidentiality, the implementation of the cryptographic primitives contains a covert channel that can leak information. Moreover, this channel is present with any traditional choice of public-key encryption functions. To remedy this problem, we use the Goldwasser-Micali cryptosystem to implement single-bit re-encryption and show how to make it free of covert channels. We then extend the primitive to support commutative encryption as well. Using this primitive, we design a variant of the Minami-Kotz algorithm that not only is free of covert channels, but also has additional proving power over the original design.
RSA-based Auto-Recoverable Cryptosystems
In Proceedings of PKC 2000, LNCS 1751, 2000
Abstract
Abstract. The deployment of a “public-key infrastructure” (PKI) has recently started. Another recent concern in business and on the national level is the issue of escrowed encryption, key recovery, and emergency access to information (e.g., in the medical record area). Independent development of a PKI and an escrowed PKI (whenever required or desired) will pose many constraints, duplicated efforts and increased deployment costs. It will introduce interoperability issues which will be hard to overcome. Thus, what we advocate here is a joint design of an escrowed PKI and a regular PKI. In this work we develop an approach to such an integrated design. We give the first auto-recoverable systems based on RSA (or factoring), whereas the original auto-recoverable auto-certifiable schemes were based on Discrete Logarithm based keys. The security proof of our system assumes only that RSA is hard, while the original schemes required new specific discrete log based assumptions. We also put forth the notion of “generic” auto-recoverable systems where one can start with an unescrowed user key and then, by simply doing “re-registration”, change the key into an escrowed one. In contrast, in the original systems the user keys were tightly connected with the escrow authorities’ key. Besides this novel (re)registration procedure there are no changes or differences for users between a PKI and a generic auto-recoverable PKI.
The Graph Clustering Problem has a Perfect Zero-Knowledge Proof
1998
Abstract
The input to the Graph Clustering Problem consists of a sequence of integers $m_1, \dots, m_t$ and a sequence of $\sum_{i=1}^{t} m_i$ graphs. The question is whether the equivalence classes, under the graph isomorphism relation, of the input graphs have sizes which match the input sequence of integers. In this note we show that this problem has a (perfect) zero-knowledge interactive proof system. Keywords: Graph Isomorphism, Zero-Knowledge Interactive Proofs. 1 Introduction. The remarkable notion of perfect zero-knowledge proofs was introduced by Goldwasser, Micali and Rackoff [GoMiRa]. A perfect zero-knowledge proof system is a method for a prover to convince a polynomial-time bounded verifier with very high probability that a certain assertion is true without revealing any additional information (in an information-theoretic sense). Not many languages have been shown to have a perfect zero-knowledge proof system; in particular, all of them share number-theoretic or random self-red...
Towards signature-only signature schemes
In Advances in Cryptology - ASIACRYPT'2000, volume 1976 of LNCS, 2000
Abstract
Abstract. We consider a problem which was stated in a request for comments made by NIST in the FIPS97 document. The question is the following: Can we have a digital signature public key infrastructure where the public (signature verification) keys cannot be abused for performing encryption? This may be applicable in the context of, say, exportable/escrow cryptography. The basic dilemma is that on the one hand, (1) to avoid framing by potentially misbehaving authorities we do not want them to ever learn the “signing keys” (e.g., Japan at some point declared a policy where signature keys may be required to be escrowed), and on the other hand (2) if we allow separate inaccessible public signature-verification keys, these keys (based on trapdoor functions) can be used as “shadow public-keys,” and hence can be used to encrypt data in an unrecoverable manner. Any solution within the “trapdoor function” paradigm of Diffie and Hellman does not seem to lead to a solution which will simultaneously satisfy (1) and (2). The cryptographic community so far has paid very limited attention to
How to Prove That a Committed Number Is
Abstract
Abstract. The problem of proving that a number is of a given arithmetic format with some prime elements arises in RSA undeniable signatures, group signatures and many other cryptographic protocols. So far, there have been several studies in the literature on this topic. However, except for the scheme of Camenisch and Michels, other works are limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels’s scheme, the main building block is a protocol to prove a committed number to be prime based on algebraic primality testing algorithms. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more efficient than Camenisch and Michels’s protocol, where t is the security parameter. This results in an O(t) time improvement for the overall scheme.
How to Prove That a Committed Number is Prime
2000
Abstract
The problem of proving that a number is of an arithmetic format of which some elements are prime arises in RSA undeniable signatures, group signatures and many other cryptographic protocols. So far, there have been several studies in the literature on this topic. However, except for the scheme of Camenisch and Michels, other works are limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels's scheme, the main building block is a protocol to prove a committed number to be prime. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more efficient than Camenisch and Michels's protocol, where t is the security parameter. This results in an O(t) time improvement for the overall scheme.
On Design of RSA Threshold Signature Scheme
2001
Abstract
Almost all threshold signature schemes based on secret sharing such as polynomial sharing have a common weakness that they cannot resist the conspiracy attack. The reason is that the manager possesses the secret share of each member, and the secret can be retrieved by an adversary if the adversary can corrupt t members (where t is the threshold).
Double-authentication-preventing signatures
2013
Abstract
Digital signatures are often used by trusted authorities to make unique bindings between a subject and a digital object; for example, certificate authorities certify that a public key belongs to a domain name, and timestamping authorities certify that a certain piece of information existed at a certain time. Traditional digital signature schemes, however, impose no uniqueness conditions, so a malicious or coerced authority can make multiple certifications for the same subject but different objects. We propose the notion of a double-authentication-preventing signature, in which a value to be signed is split into two parts: a subject and a message. If a signer ever signs two different messages for the same subject, enough information is revealed to allow anyone to compute valid signatures on behalf of the signer. This double-signature forgeability property prevents, or at least strongly discourages, signers from misbehaving. We give a generic construction using a new type of trapdoor function with extractability properties, which we show can be instantiated using the group of sign-agnostic quadratic residues modulo a Blum integer.