Noninteractive Private Auctions
2001
Cited by 38 (1 self)
We describe a new auction protocol that enjoys the following properties: the bids are submitted non-interactively and no information beyond the result is disclosed. The protocol is efficient for a logarithmic number of players. Our solution uses a semi-trusted third party T who learns no information provided that he does not collude with any participant. The robustness against active cheating players is achieved through an extra mechanism for fair encryption of a bit which is of independent interest. The scheme is based on homomorphic encryption but differs from general techniques of secure circuit evaluation by taking into account the level of each gate and allowing efficient computation of unbounded logical gates. In a scenario with a small number of players, we believe that our work may be of practical significance, especially for electronic transactions.
Computation of Discrete Logarithms in Prime Fields
Designs, Codes and Cryptography, 1991
Cited by 38 (1 self)
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF(p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction. If p is a prime and g and x integers, then computation of y such that $y \equiv g^{x} \pmod{p}$, $0 \le y \le p - 1$ (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits $|p| + |g| + |x|$). On the other hand, the inverse problem, namely, given p, g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...
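The asymmetry the abstract describes, as an added illustration that is not code from the paper: square-and-multiply exponentiation costs a number of multiplications linear in the bit-length of the exponent, whereas the generic baby-step giant-step search for the inverse problem costs about sqrt(p) multiplications and as many table entries, i.e. exponential in the bit-length of p. The prime p = 1000003, base g = 2 and exponent x = 123456 are constructed toy values; the paper's own, much faster algorithm for 192-bit primes is not reproduced here.

```python
from math import isqrt


def modexp(base: int, exp: int, mod: int) -> int:
    """Discrete exponentiation by successive squaring: O(log exp) multiplications."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                     # current bit of the exponent is set
            result = result * base % mod
        base = base * base % mod        # square for the next bit
        exp >>= 1
    return result


def bsgs(g: int, y: int, p: int):
    """Baby-step giant-step: return the smallest x >= 0 with g^x = y (mod p), or None.

    Generic search costing about sqrt(p) multiplications and sqrt(p) table
    entries, so it is exponential in the bit-length of p; this is the gap
    between exponentiation and logarithm that the abstract refers to.
    """
    m = isqrt(p - 2) + 1                # m >= sqrt(p - 1), so i*m + j covers 0 .. p-2
    baby = {}
    cur = 1
    for j in range(m):                  # baby steps: remember g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_factor = modexp(g, (p - 1 - m) % (p - 1), p)   # g^(-m) via Fermat
    gamma = y % p
    for i in range(m):                  # giant steps: y * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None


# Constructed toy parameters (an assumption of this example, not from the paper).
P_TOY, G_TOY, X_TOY = 1000003, 2, 123456


def demo():
    """Exponentiation takes ~17 squarings; the log search walks ~1000 steps each way."""
    y = modexp(G_TOY, X_TOY, P_TOY)
    x = bsgs(G_TOY, y, P_TOY)
    return y, x


if __name__ == "__main__":
    y, x = demo()
    print(f"y = {y}, recovered x = {x}, check = {modexp(G_TOY, x, P_TOY) == y}")
```

For a 192-bit p, sqrt(p) is about 2^96 steps, so this generic method is hopeless; the abstract's point is that a sub-exponential index-calculus style attack is what makes such primes insecure.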
Compliance defects in public key cryptography
In Proceedings of the USENIX Technical Conference, 1996
Cited by 37 (0 self)
Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A compliance defect in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
New Generation of Secure and Practical RSA-based Signatures
1996
Cited by 36 (1 self)
For most digital signature schemes used in practice, such as ISO 9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash functions, are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
Can D.S.A. be Improved? Complexity Trade-Offs with the Digital Signature Standard
1995
Cited by 34 (2 self)
The Digital Signature Algorithm (DSA) was proposed in 1991 by the US National Institute of Standards and Technology to provide an appropriate core for applications requiring digital signatures. Undoubtedly, many applications will include this standard in the future and thus, the foreseen domination of DSA as a legal certification tool is sufficiently important to focus research endeavours on the suitability of this scheme to various situations. In this paper, we present six new DSA-based protocols for:
- Performing a quick batch-verification of n signatures. The proposed scheme allows to make the economy of $3(n-1)\log_2(q) \approx 480n$ modular multiplications.
Strengthening EPC Tags Against Cloning
In WiSe ’05: Proceedings of the 4th ACM Workshop on Wireless Security, 2005
Cited by 33 (5 self)
The EPC (Electronic Product Code) tag is a form of RFID (Radio-Frequency IDentification) device that is emerging as a successor to the printed barcode. Like barcodes, EPC tags emit static codes that serve to identify and track shipping containers and individual objects. EPC tags, though, have a powerful benefit: they communicate in an automated, wireless manner. Some commercial segments, like the pharmaceutical industry, are coming to view EPC tags as an anti-counterfeiting tool. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though. EPC tags are vulnerable to elementary cloning and counterfeiting attacks. In this paper, we present techniques that strengthen the resistance of EPC tags to elementary cloning attacks. Our proposals are compliant with EPCglobal Class-1 Generation-2 UHF tags, which are likely to predominate in supply chains. We show how to leverage PIN-based access-control and privacy-enhancement mechanisms in EPC tags to achieve what may be viewed as crude challenge-response authentication. Our techniques can even strengthen EPC tags against cloning in environments with untrusted reading devices.
Proofs of Storage from Homomorphic Identification Protocols
Cited by 29 (1 self)
Proofs of storage (PoS) are interactive protocols allowing a client to verify that a server faithfully stores a file. Previous work has shown that proofs of storage can be constructed from any homomorphic linear authenticator (HLA). The latter, roughly speaking, are signature/message authentication schemes where ‘tags’ on multiple messages can be homomorphically combined to yield a ‘tag’ on any linear combination of these messages. We provide a framework for building public-key HLAs from any identification protocol satisfying certain homomorphic properties. We then show how to turn any public-key HLA into a publicly-verifiable PoS with communication complexity independent of the file length and supporting an unbounded number of verifications. We illustrate the use of our transformations by applying them to a variant of an identification protocol by Shoup, thus obtaining the first unbounded-use PoS based on factoring (in the random oracle model).
Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)
Advances in Cryptology – Proceedings of EUROCRYPT ’03, LNCS 2656, 2002
Cited by 28 (1 self)
We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols:
- Chosen-ciphertext-secure, interactive encryption. In settings where both parties are online, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...
Strengthening Zero-Knowledge Protocols using Signatures
In Proceedings of EUROCRYPT ’03, LNCS series, 2003
Cited by 27 (6 self)
Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper,
A New Identification Scheme Based on the Perceptrons Problem
In Eurocrypt ’95, LNCS 921, 1995
Cited by 26 (4 self)
Identification is a useful cryptographic tool. Since zero-knowledge theory appeared [3], several interactive identification schemes have been proposed (in particular Fiat-Shamir [2] and its variants [4, 6, 5], Schnorr [9]). These identifications are based on number-theoretical problems. More recently, new schemes appeared with the peculiarity that they are more efficient from the computational point of view and that their security is based on NP-complete problems: PKP (Permuted Kernels Problem) [10], SD (Syndrome Decoding) [12] and CLE (Constrained Linear Equations) [13]. We present a new NP-complete linear problem which comes from learning machines: the Perceptrons Problem. We have some constraints, m vectors $X_i$ of $\{-1, +1\}^n$, and we want to find a vector $V$ of $\{-1, +1\}^n$ such that $X_i \cdot V \ge 0$ for all $i$. Next, we provide some zero-knowledge interactive identification protocols based on this problem, with an evaluation of their security. Eventually, those protocols are well suited for smart card applications.
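The relation underlying the scheme, as an added example that is not the paper's code and does not implement its zero-knowledge protocol: an instance is the public set of constraint vectors X_i, the prover's secret is a V with X_i . V >= 0 for every i, checking a candidate V costs m dot products, and the only generic way to recover V from the X_i shown here is exhaustive search over all 2^n sign vectors. Instances are constructed with a planted solution (pick V first, then keep only constraints it satisfies); the sizes m = 10, n = 12 and the seed are assumptions chosen so the brute-force search finishes quickly.

```python
import itertools
import random
from typing import List, Optional, Tuple


def dot(a: List[int], b: List[int]) -> int:
    return sum(p * q for p, q in zip(a, b))


def is_solution(xs: List[List[int]], v: List[int]) -> bool:
    """Verifying a candidate V is cheap: m dot products of length n."""
    return all(dot(x, v) >= 0 for x in xs)


def make_instance(m: int, n: int, seed: int) -> Tuple[List[List[int]], List[int]]:
    """Constructed instance with a planted secret V.

    Sample X_i uniformly from {-1,+1}^n and keep only those with X_i . V >= 0,
    so V satisfies every constraint by construction (the prover's secret);
    the list of X_i is the public instance.
    """
    rng = random.Random(seed)
    v = [rng.choice((-1, 1)) for _ in range(n)]
    xs: List[List[int]] = []
    while len(xs) < m:
        x = [rng.choice((-1, 1)) for _ in range(n)]
        if dot(x, v) >= 0:
            xs.append(x)
    return xs, v


def brute_force(xs: List[List[int]], n: int) -> Tuple[Optional[List[int]], int]:
    """Exhaustive search over all 2^n sign vectors.

    Returns (solution, candidates tried); the work grows as 2^n, which is the
    hardness the identification scheme relies on.
    """
    for tried, cand in enumerate(itertools.product((-1, 1), repeat=n), start=1):
        if is_solution(xs, list(cand)):
            return list(cand), tried
    return None, 2 ** n


if __name__ == "__main__":
    xs, secret_v = make_instance(m=10, n=12, seed=7)
    print("planted V satisfies all constraints:", is_solution(xs, secret_v))
    found, tried = brute_force(xs, 12)
    print("search found a solution after", tried, "of", 2 ** 12, "candidates:", found)
```

Note that the search may return a different V than the planted one, since small instances have many solutions; in the identification setting the verifier only learns that the prover knows some V, never which one.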