Results 1-10 of 36
How to leak a secret
Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, 2001
Cited by 1754 (4 self)
Abstract: In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
A Generalized Birthday Problem
In CRYPTO, 2002
Cited by 93 (0 self)
Abstract: We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography.
Universal Re-encryption for Mixnets
In Proceedings of the 2004 RSA Conference, Cryptographer's Track, 2002
Cited by 81 (10 self)
Abstract: We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits re-encryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal re-encryption can be done without knowledge of public keys. We propose an asymmetric cryptosystem with universal re-encryption that is half as efficient as standard ElGamal in terms of computation and storage. While
Proof Systems for General Statements about Discrete Logarithms
1997
Cited by 62 (5 self)
Abstract: Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge.
1 Introduction: Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
Anonymous identification in ad hoc groups
2004
Cited by 45 (1 self)
Abstract: We introduce Ad Hoc Anonymous Identification schemes, a new multi-user cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with one-way domain, a natural extension of cryptographic accumulators we introduce in this work. We provide a formal model for Ad Hoc Anonymous Identification schemes and design secure such schemes both generically (based on any accumulator with one-way domain) and for a specific efficient implementation of such an accumulator based on the Strong RSA Assumption. A salient feature of our approach is that identification protocols take time independent of the size of the ad hoc group. All our schemes and notions can be generally and efficiently amended so that they allow the recovery of the signer's identity by an authority, if the latter is desired. Using the Fiat-Shamir transform, we also obtain constant-size, signer-ambiguous group and ring signatures (provably secure in the Random Oracle Model). For ring signatures, this is the first such constant-size scheme, as all the previous proposals had signature size proportional to the size of the ring. For group signatures, we obtain schemes comparable in performance with state-of-the-art schemes, with the additional feature that the role of the group manager during key registration is extremely simple and essentially passive: all it does is accept the public key of the new member (and update the constant-size public key of the group).
Threshold ring signatures and applications to ad-hoc groups
Proceedings of Crypto 2002, volume 2442 of LNCS, 2002
Cited by 43 (0 self)
Abstract: In this paper, we investigate the recent paradigm for group signatures proposed by Rivest et al. at Asiacrypt '01. We first improve on their ring signature paradigm by showing that it holds under a strictly weaker assumption, namely the random oracle model rather than the ideal cipher. Then we provide extensions to make ring signatures suitable in practical situations, such as threshold schemes or ad-hoc groups. Finally we propose an efficient scheme for threshold scenarios based on a combinatorial method and provably secure in the random oracle model.
Statistical zero-knowledge proofs with efficient provers: Lattice problems and more
In CRYPTO, 2003
Cited by 39 (8 self)
Abstract: We construct several new statistical zero-knowledge proofs with efficient provers, i.e. ones where the prover strategy runs in probabilistic polynomial time given an NP witness for the input string. Our first proof systems are for approximate versions of the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP), where the witness is simply a short vector in the lattice or a lattice vector close to the target, respectively. Our proof systems are in fact proofs of knowledge, and as a result, we immediately obtain efficient lattice-based identification schemes which can be implemented with arbitrary families of lattices in which the approximate SVP or CVP are hard. We then turn to the general question of whether all problems in SZK ∩ NP admit statistical zero-knowledge proofs with efficient provers. Towards this end, we give a statistical zero-knowledge proof system with an efficient prover for a natural restriction of Statistical Difference, a complete problem for SZK. We also suggest a plausible approach to resolving the general question in the positive.
Non-interactive Private Auctions
2001
Cited by 38 (1 self)
Abstract: We describe a new auction protocol that enjoys the following properties: the biddings are submitted non-interactively and no information beyond the result is disclosed. The protocol is efficient for a logarithmic number of players. Our solution uses a semi-trusted third party T who learns no information provided that he does not collude with any participant. The robustness against active cheating players is achieved through an extra mechanism for fair encryption of a bit which is of independent interest. The scheme is based on homomorphic encryption but differs from general techniques of secure circuit evaluation by taking into account the level of each gate and allowing efficient computation of unbounded logical gates. In a scenario with a small number of players, we believe that our work may be of practical significance, especially for electronic transactions.
Rapid Demonstration of Linear Relations Connected by Boolean Operators
In EUROCRYPT '97, 1997
Cited by 37 (0 self)
Abstract: Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption.
1 Introduction: Consider a polynomial-time prover that has committed to a vector of secrets and wants to demonstrate that the secrets satisfy some satisfiable formula from propositional logic, where the atomic propositions are relations that are linear in the secrets. An example formula is $\big( (5x_1 - 3x_2 = 5) \text{ AND } (2x_2 + 3x_3 = 7) \big) \text{ OR } \big( \text{NOT}(x_1 + 4x_3 = 5) \big)$, where $(x_1, \ldots, x_k)$ is the prover's vector of secrets. The prover does not want to reveal any more information about its secrets than what is co...
A Complete Problem for Statistical Zero Knowledge
2002
Cited by 36 (13 self)
Abstract: We present the first complete problem for SZK, the class of promise problems possessing statistical zero-knowledge proofs (against an honest verifier). The problem, called Statistical Difference, is to decide whether two efficiently samplable distributions are either statistically close or far apart. This gives a new characterization of SZK that makes no reference to interaction or zero knowledge. We propose the use of complete problems to unify and extend the study of statistical zero knowledge. To this end, we examine several consequences of our Completeness Theorem and its proof, such as: A way to make every (honest-verifier) statistical zero-knowledge proof very communication efficient, with the prover sending only one bit to the verifier (to achieve soundness error 1/2). Simpler proofs of many of the previously known results about statistical zero knowledge, such as the Fortnow and Aiello-Hastad upper bounds on the complexity of SZK and Okamoto's result that SZK is closed under complement.