Results 1 - 4 of 4
Limits on the Provable Consequences of One-way Permutations
1989
Cited by 162 (0 self)
We present strong evidence that the implication, "if one-way permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ NP. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, "Cryptographic application X is not likely possible based solely on complexity assumption Y."
Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
1991
Cited by 70 (1 self)
"Undeniable" (or perhaps rather "invisible") signatures are digital signatures which the recipient cannot show round without the help of the signer. If forced to either acknowledge or deny a signature, however, the signer cannot deny it if it is authentic. We present the first undeniable signature scheme which is unconditionally secure for the signer (except for an exponentially small error probability). The security for the recipient is provably as secure as the discrete logarithm in certain groups. Besides, this is the first practical cryptographically strong undeniable signature scheme at all. In many cases, it is more efficient than previous signature schemes unconditionally secure for the signer. Interesting subprotocols are efficient cryptographically collision-free hash functions based on the discrete log, and efficient perfectly hiding commitments on numbers modulo a prime with particular inequality proofs.
Design Validations for Discrete Logarithm Based Signature Schemes
 In PKC ’00, LNCS 1751
2000
Cited by 25 (3 self)
Abstract. A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSA-like) signatures abstracted as generic schemes. We show that the following holds: “if the schemes can be broken by an existential forgery using an adaptively chosen-message attack then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multicollisions can be found.” Thus, for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties which are not desired (or expected) in strong practical hash functions (SHA-1 or whichever high quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA. Further, since our schemes coincide with (or are extremely close to) their standard counterparts they benefit from their desired properties: efficiency of computation/space, employment of certain mathematical operations and wide applicability to various algebraic
Digital Payment Systems Enabling Security and Unobservability
1989
Cited by 16 (0 self)
In present-day cashless payment systems, the banks and (by installing a Trojan Horse) even the manufacturers of the computer equipment used could easily observe who pays what amount to whom and when. With the increasing digitization of these systems, e.g. point-of-sale terminals and home banking, the amount of transaction data and their computerization drastically increases. Therefore these payment systems become completely unacceptable, since compiling dossiers on the lifestyle and whereabouts of all clients will become easy. We describe the digital payment systems enabling unobservability of clients and arrange them in a general model to compare their different degrees of unobservability and their different levels of security. Since no single system has all desired features, we propose a suitable synthesis. Keywords: Cashless payment, digital payment systems enabling unobservability of clients, linkability of actions, anonymous numbered accounts, tamper-resistant devices, blindly sig...