Results 21  30
of
840
PublicKey Cryptosystems from Lattice Reduction Problems
, 1996
"... We present a new proposal for a trapdoor oneway function, from whichwe derive publickey encryption and digital signatures. The security of the new construction is based on the conjectured computational difficulty of latticereduction problems, providing a possible alternative to existing publicke ..."
Abstract

Cited by 122 (5 self)
 Add to MetaCart
We present a new proposal for a trapdoor oneway function, from whichwe derive publickey encryption and digital signatures. The security of the new construction is based on the conjectured computational difficulty of latticereduction problems, providing a possible alternative to existing publickey encryption algorithms and digital signatures such as RSA and DSS.
Publicly Verifiable Secret Sharing
, 1996
"... . A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only t ..."
Abstract

Cited by 120 (1 self)
 Add to MetaCart
. A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We will call such schemes publicly verifiable secret sharing schemes, we discuss new applications to escrow cryptosystems and to payment systems with revocable anonymity, and we present two new realizations based on ElGamal's cryptosystem. 1 Introduction A secret sharing scheme [20, 2] allows to split a secret into different pieces, called shares, which are given to the participants, such that only certain groups of them can recover the secret. The first secret sharing schemes have been threshold schemes, where only groups of more than a certain number of participants can recover the secret. Verifiable secret sharing (V...
Pseudonym Systems
, 1999
"... Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previou ..."
Abstract

Cited by 119 (11 self)
 Add to MetaCart
Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previous work in this area did not protect the system against dishonest users who collectively use their pseudonyms and credentials, i.e. share an identity. Previous practical schemes also relied very heavily on the involvement of a trusted center. In the present paper we give a formal definition of pseudonym systems where users are motivated not to share their identity, and in which the trusted center's involvement is minimal. We give theoretical constructions for such systems based on any oneway function. We also suggest an efficient and easy to implement practical scheme. This is joint work with Ronald L. Rivest and Amit Sahai.
Robustness Principles for Public Key Protocols
, 1995
"... : We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited. 1 Introduction Cryptographic protocols are typically used to identify a user to a co ..."
Abstract

Cited by 117 (9 self)
 Add to MetaCart
: We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited. 1 Introduction Cryptographic protocols are typically used to identify a user to a computer system, to authenticate a transaction, or to set up a key. They typically involve the exchange of about 25 messages, and they are very easy to get wrong: bugs have been found in well known protocols years after they were first published. This is quite remarkable; after all, a protocol is a kind of program, and one would expect to get any other program of this size right by staring at it for a while. A number of remedies have been proposed. One approach is formal mathematical proof, and can range from systematic protocol verification techniques such as the BAN logic [BAN89] to the casebycase reduction of security claims to the intractability of some problem such as factoring. Anot...
Efficient receiptfree voting based on homomorphic encryption
, 2000
"... Abstract. Voting schemes that provide receiptfreeness prevent voters from proving their cast vote, and hence thwart votebuying and coercion. We analyze the security of the multiauthority voting protocol of Benaloh and Tuinstra and demonstrate that this protocol is not receiptfree, opposed to what ..."
Abstract

Cited by 114 (0 self)
 Add to MetaCart
Abstract. Voting schemes that provide receiptfreeness prevent voters from proving their cast vote, and hence thwart votebuying and coercion. We analyze the security of the multiauthority voting protocol of Benaloh and Tuinstra and demonstrate that this protocol is not receiptfree, opposed to what was claimed in the paper and was believed before. Furthermore, we propose the first practicable receiptfree voting scheme. Its only physical assumption is the existence of secret oneway communication channels from the authorities to the voters, and due to the public verifiability of the tally, voters only join a single stage of the protocol, realizing the “voteandgo ” concept. The protocol combines the advantages of the receiptfree protocol of Sako and Kilian and of the very efficient protocol of Cramer, Gennaro, and Schoenmakers, with help of designatedverifier proofs of Jakobsson, Sako, and Impagliazzo. Compared to the receiptfree protocol of Sako and Kilian for security parameter ℓ (the number of repetitions in the noninteractive cutandchoose proofs), the protocol described in this paper realizes an improvement of the total bit complexity by a factor ℓ.
A Probabilistic PolyTime Framework for Protocol Analysis
, 1998
"... We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard rel ..."
Abstract

Cited by 112 (6 self)
 Add to MetaCart
We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. Using an asymptotic notion of probabilistic equivalence, we relate observational equivalence to polynomialtime statistical tests and discuss some example protocols to illustrate the potential of this approach.
The Elliptic Curve Digital Signature Algorithm (ECDSA)
, 1999
"... The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideratio ..."
Abstract

Cited by 104 (5 self)
 Add to MetaCart
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponentialtime algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strengthperkeybit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
New Publickey Cryptosystem Using Braid Groups
 Advances in cryptology—CRYPTO 2000 (Santa Barbara, CA), 166–183, Lecture Notes in Comput. Sci. 1880
, 2000
"... Abstract. The braid groups are infinite noncommutative groups naturally arising from geometric braids. The aim of this article is twofold. One is to show that the braid groups can serve as a good source to enrich cryptography. The feature that makes the braid groups useful to cryptography includes ..."
Abstract

Cited by 95 (4 self)
 Add to MetaCart
Abstract. The braid groups are infinite noncommutative groups naturally arising from geometric braids. The aim of this article is twofold. One is to show that the braid groups can serve as a good source to enrich cryptography. The feature that makes the braid groups useful to cryptography includes the followings: (i) The word problem is solved via a fast algorithm which computes the canonical form which can be efficiently manipulated by computers. (ii) The group operations can be performed efficiently. (iii) The braid groups have many mathematically hard problems that can be utilized to design cryptographic primitives. The other is to propose and implement a new key agreement scheme and public key cryptosystem based on these primitives in the braid groups. The efficiency of our systems is demonstrated by their speed and information rate. The security of our systems is based on topological, combinatorial and grouptheoretical problems that are intractible according to our current mathematical knowledge. The foundation of our systems is quite different from widely used cryptosystems based on number theory, but there are some similarities in design. Key words: public key cryptosystem, braid group, conjugacy problem, key exchange, hard problem, noncommutative group, oneway function, public key infrastructure 1
Keyprivacy in publickey encryption
, 2001
"... We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning t ..."
Abstract

Cited by 94 (8 self)
 Add to MetaCart
We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary.We investigate the anonymity of known encryption schemes.We prove that the El Gamal scheme provides anonymity under chosenplaintext attack assuming the Decision DiffieHellman problem is hard and that the CramerShoup scheme provides anonymity under chosenciphertext attack under the same assumption.We also consider anonymity for trapdoor permutations.Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it.We provide a variant of RSAOAEP that provides anonymity in the random oracle model assuming RSA is oneway.We also give constructions of anonymous trapdoor permutations, assuming RSA is oneway, which yield anonymous encryption schemes in the standard model.
Discrete Logarithms in Finite Fields and Their Cryptographic Significance
, 1984
"... Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u GF(q) is that integer k, 1 k q  1, for which u = g k . The wellknown problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its appl ..."
Abstract

Cited by 87 (6 self)
 Add to MetaCart
Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u GF(q) is that integer k, 1 k q  1, for which u = g k . The wellknown problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2 n ). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2 n ) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2 n ) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2 n ) ought to be avoided in all cryptographic applications. On the other hand, ...