A practical and provably secure coalition-resistant group signature scheme
2000
Cited by 238 (20 self)
A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature’s originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification scheme with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalition-resistant under the strong RSA and the decisional Diffie-Hellman assumptions. The security of the non-interactive variant, i.e., the group signature scheme, relies additionally on the Fiat-Shamir heuristic (also known as the random oracle model).
Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack
SIAM Journal on Computing, 2001
Cited by 190 (11 self)
A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first public-key encryption schemes in the literature that are simultaneously practical and provably secure.
Provably Secure Blind Signature Schemes
1996
Cited by 69 (10 self)
In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in offline electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the so-called random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed in a provably secure blind signature scheme.
Digital Payment Systems with Passive Anonymity-Revoking Trustees
Computer Security - ESORICS 96, 1996
Cited by 68 (5 self)
Anonymity of the participants is an important requirement for some applications in electronic commerce, in particular for payment systems. Because anonymity could be in conflict with law enforcement, for instance in cases of blackmailing or money laundering, it has been proposed to design systems in which a trustee or a set of trustees can selectively revoke the anonymity of the participants involved in suspicious transactions. From an operational point of view, it can be an important requirement that such trustees are neither involved in payment transactions nor in the opening of an account, but only in case of a justified suspicion. In this paper we propose the first efficient anonymous digital payment systems satisfying this requirement. The described basic protocol for anonymity revocation can be used in online or offline payment systems.
Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
2001
Cited by 65 (0 self)
In many cases, the security of a cryptographic scheme based on Diffie-Hellman does in fact rely on the hardness of...
Proof Systems for General Statements about Discrete Logarithms
1997
Cited by 60 (5 self)
Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge.
1 Introduction
Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
On certain exponential sums and the distribution of DiffieHellman triples
J. London Math. Soc., 1999
Cited by 26 (14 self)
Let g be a primitive root modulo a prime p. It is proved that the triples $(g^x, g^y, g^{xy})$, $x, y = 1, \ldots, p-1$, are uniformly distributed modulo p in the sense of H. Weyl. This result is based on the following upper bound for double exponential sums. Let $\varepsilon > 0$ be fixed. Then $\sum_{x,y=1}^{p-1} \exp\bigl(2\pi i\,(a g^x + b g^y + c g^{xy}) \ldots$
Biometric yet Privacy Protecting Person Authentication
In Proceedings of 1998 Information Hiding Workshop (IHW 98), 1998
Cited by 10 (1 self)
Many eligibility or entitlement certificates in everyday life are non-transferable between persons. However, they are usually implemented by personal physical tokens that owners can easily pass around (e.g. credit card, driver's license). So there must either be negligible incentives to pass these certificates or the tokens around, or the tokens must allow to authenticate the persons who show certificates, e.g., by imprinted photographs. However, any kind of easily accessible personal identifying information threatens the owners' privacy. To solve these somehow paradoxical requirements, we assume for each owner a kind of pilot that is equipped with a tamper resistant biometric authentication facility. We draft cryptographic protocols for issuing and showing non-transferable yet privacy protecting certificates. Unforgeability of certificates relies on a well-established computational assumption, non-transferability relies upon a physical assumption and owners' privacy is protected unconditionally. Keywords: Non-transferable certificates, Wallets-with-observer, Blind Signatures, Interactive proofs, Biometric person authentication.
Cryptanalysis of two group signature schemes
In Information Security, 1999
Cited by 8 (0 self)
Abstract. Group signature schemes allow a group member to anonymously sign on group's behalf. Moreover, in case of anonymity misuse, a group authority can recover the issuer of a signature. This paper analyzes the security of two group signature schemes recently proposed by Tseng and Jan. We show that both schemes are universally forgeable, that is, anyone (not necessarily a group member) is able to produce a valid group signature on an arbitrary message, which cannot be traced by the group authority.
A Provably Secure Restrictive Partially Blind Signature Scheme
Cited by 8 (0 self)
The concept of partially blind signatures was first introduced by Abe and Fujisaki. Subsequently, in work by Abe and Okamoto, a provably secure construction was proposed along with a formalised definition for partially blind schemes. The construction was based on a witness indistinguishable protocol described by Cramer et al. and utilises a blind Schnorr signature scheme. This paper investigates incorporating...