Results 1-10 of 34
Identity Escrow
In Advances in Cryptology — CRYPTO ’98, 1997
Cited by 72 (0 self)
We introduce the notion of escrowed identity, an application of key-escrow ideas to the problem of identification. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A's identity. However, B receives a guarantee that E can indeed determine A's identity. We give protocols for escrowed identity based on the ElGamal (signature and encryption) schemes and on the RSA function. A useful feature of our protocol is that after setting up A to use the system, E is only involved when it is actually needed to determine A's identity. Keywords: Cryptography, Key escrow, Proofs of identity.
Verifiable partial key escrow
PROCEEDINGS OF 4TH ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 1995
Cited by 41 (1 self)
One of the main objections to existing proposals for key escrow is that the individual's privacy relies on too high a level of trust in the law enforcement agencies. In particular, even if the government is trustworthy today, it may be replaced by an untrustworthy government tomorrow which could immediately and suddenly recover the secret keys of all users. "Partial key escrow" was suggested to address this concern, in the context of DES keys. Only some part of a user key is escrowed, so that the authority must make a computational effort to find the rest. We extend this idea and provide schemes to perform partial key escrow in a verifiable manner in a public-key encryption setting. We uncover some subtle issues which must be addressed for any partial key escrow scheme to be secure, the most important of which is the danger of early recovery. We show that other proposals for verifiable partial key escrow suffer from the early recovery problem, and thus do not in fact offer an advantage over standard key-escrow schemes. Our verifiable partial key escrow scheme for the Diffie-Hellman cryptosystem does not suffer from early recovery. Political debate will not make the user versus law-enforcement conflict on privacy vanish. Today
The Foundations of Modern Cryptography
1998
Cited by 24 (0 self)
In our opinion, the Foundations of Cryptography are the paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. In this essay, we survey some of these paradigms, approaches and techniques as well as some of the fundamental results obtained using them. Special effort is made in attempt to dissolve common misconceptions regarding these paradigms and results. © Copyright 1998 by Oded Goldreich. Permission to make copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted. A preliminary version of this essay has appeared in the proceedings of Crypto97 (Springer's Lecture Notes in Computer Science, Vol. 1294).
An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products
Cited by 24 (5 self)
We present efficient zero-knowledge proof systems for quasi-safe prime products and other related languages. Quasi-safe primes are a relaxation of safe primes, a class of prime numbers useful in many cryptographic applications. More specifically we present the first simple and efficient zero-knowledge proof that an alleged RSA modulus is of the correct form, i.e. the product of two primes. All previously known proofs enforced only that the modulus was the product of two prime powers. We then present a zero-knowledge proof that the primes composing the RSA modulus are quasi-safe. Our proof systems achieve higher security and better efficiency than all previously known ones. In particular, all our proof systems are perfect or statistical zero-knowledge, meaning that even a computationally unbounded adversary cannot extract any information from the proofs. Moreover, our proof systems are extremely efficient because they do not use general reductions to NP-complete problems, can be easily parallelized preserving zero-knowledge, and are non-interactive for computationally unbounded provers. The prover can also be efficiently implemented given some trapdoor information and using very little interaction. We demonstrate the applicability of quasi-safe primes by showing how they can be effectively used in the context of RSA based undeniable signatures to enforce the use of "good" public keys, i.e., keys such that if a signer can convince a recipient of the validity of a signature, then he won't be able to subsequently deny the same signature in case of a dispute.
Encapsulated key escrow
1996
Cited by 21 (0 self)
The main objection to current key-escrow proposals is that they assume complete faith in the authority and its trustees. If the authority does not follow the rules, or is replaced by an untrustworthy authority tomorrow, it can immediately recover the secret keys of all users, and embark on massive wiretapping. We introduce a new approach to key escrow called encapsulated key escrow (EKE). With this approach it is computationally possible for an authority to wiretap individual users, but computationally prohibitive for the authority to launch large scale wiretapping. This is achieved by imposing a time delay between obtaining the escrowed information of a user and actually recovering the secret key. Furthermore, the recoverability is verifiable at escrow time. The approach is applicable both for session keys and for public key cryptography. EKE is a simple general paradigm, applicable across cryptosystems and key distribution protocols, regardless of their type. It solves in one stroke the problem of imposing time delays in key escrow. In particular it yields the first time delayed key escrow system for RSA, and more efficient solutions for Diffie-Hellman than achievable by the previous approach to time delays, namely partial key escrow (PKE). The idea behind EKE is a new cryptographic tool called a verifiable cryptographic time capsule (VCTC). This has broader applications to "sending information into the future."
Complexity and Security of Distributed Protocols
1993
Cited by 19 (0 self)
This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents. We study many related models, which differ as to the allowable communication among agents, the ways in which agents may misbehave, and the complexity (cryptographic) assumptions that are made. We present new protocols, both for general secure computation (i.e., of any function over a finite domain) and for specific tasks (e.g., electronic money). We investigate fundamental relationships among security needs and various resource requirements, with an emphasis on communication complexity. A number of mathematical methods are employed for our investigations, including algebraic, graph-theoretic, and cryptographic techniques.
Equitable key escrow with limited time span (or, How to enforce time expiration cryptographically)
ADVANCES IN CRYPTOLOGY, ASIACRYPT 98, LNCS 1514, 1998
Cited by 17 (5 self)
With equitable key escrow the control of society over the individual and the control of the individual over society are shared fairly. In particular, the control is limited to specified time periods. We consider two applications: time controlled key escrow and time controlled auctions with closed bids. In the first the individual cannot be targeted outside the period authorized by the court. In the second the individual cannot withhold his closed bid beyond the bidding period. We propose two protocols, one for each application. We do not require the use of tamper-proof devices.
Online Secret Sharing
In Proc. of the 5th IMA Conf. on Cryptography and Coding, 1995
Cited by 15 (0 self)
We propose a new construction for computationally secure secret sharing schemes with general access structures where all shares are as short as the secret. Our scheme provides the capability to share multiple secrets and to dynamically add participants online, without having to redistribute new shares secretly to the current participants. These capabilities are gained by storing additional authentic (but not secret) information at a publicly accessible location. 1 Introduction Secret sharing is an important and widely studied tool in cryptography and distributed computation. Informally, a secret sharing scheme is a protocol in which a dealer distributes a secret among a set of participants such that only specific subsets of them, defined by the access structure, can recover the secret at a later time. Secret sharing has largely been investigated in the information-theoretic security model, requiring that the participants' shares give no information on the secret, i.e. that the res...
Private Information Storage (Extended Abstract)
1996
Cited by 14 (2 self)
We consider the setting of hiding information through the use of multiple databases that do not interact with one another. In this setting, there are k 2 "databases" which can be accessed by some "users". Users do not keep any state information, but wish to access O(n) bits of "data". Previously, in this setting solutions for retrieval of data in the efficient manner were given, where a user achieves this by interacting with all the databases. We consider the case of both writing and reading. While the case of reading was well studied before, the case of writing was previously completely open. In this paper, we show how to implement both read and write operations, with the following strong security guarantees: all the information about the read/write operation is information-theoretically hidden from all the databases (i.e. both the value of the bit and the address of the bit). As in the previous papers, we measure, as a function of k and n the amount of communication ...