Untraceable Offline Cash in Wallets with Observers
, 1993
Cited by 226 (3 self)
Abstract
Incorporating the property of untraceability of payments into offline electronic cash systems has turned out to be no easy matter. Two key concepts have been proposed in order to attain the same level of security against double-spending as can be trivially attained in systems with full traceability of payments. The first of these, one-show blind signatures, ensures traceability of double-spenders after the fact. The realizations of this concept that have been proposed unfortunately require either a great sacrifice in efficiency or seem to have questionable security, if not both. The second concept, wallets with observers, guarantees prior restraint of double-spending, while still offering traceability of double-spenders after the fact in case tamper-resistance is compromised. No realization of this concept has yet been proposed in the literature, which is a serious problem. It seems that the known cash systems cannot be extended to this important setting without significantly worsening ...
An Efficient Offline Electronic Cash System Based On The Representation Problem
, 1993
Cited by 136 (3 self)
Abstract
We present a new offline electronic cash system based on a problem, called the representation problem, of which little use has been made in the literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut-and-choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than previously proposed systems. Another
Distance-Bounding Protocols (Extended Abstract)
 EUROCRYPT’93, Lecture Notes in Computer Science 765
, 1993
Cited by 44 (0 self)
Abstract
It is often the case in applications of cryptographic protocols that one party would like to determine a practical upper bound on the physical distance to the other party. For instance, when a person conducts a cryptographic identification protocol at an entrance to a building, the access control computer in the building would like to be assured that the person giving the responses is no more than a few meters away. The "distance bounding" technique we introduce solves this problem by timing the delay between sending out a challenge bit and receiving back the corresponding response bit. It can be integrated into common identification protocols. The technique can also be applied in the three-party setting of "wallets with observers" in such a way that the intermediary party can prevent the other two from exchanging information, or even developing common coin flips.
Computation of Discrete Logarithms in Prime Fields
 Designs, Codes and Cryptography
, 1991
Cited by 38 (1 self)
Abstract
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF(p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If $p$ is a prime and $g$ and $x$ integers, then computation of $y$ such that $y \equiv g^x \pmod{p},\; 0 \le y \le p - 1$ (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of $|p| + |g| + |x|$). On the other hand, the inverse problem, namely, given $p$, $g$, and $y$, to compute some $x$ such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...
Generating ElGamal signatures without knowing the secret key
, 1996
Cited by 38 (0 self)
Abstract
We present a new method to forge ElGamal signatures if the public parameters of the system are not chosen properly. Since the secret key is not recovered in the process, this attack shows that forging ElGamal signatures is sometimes easier than solving the underlying discrete logarithm problem. 1 Introduction ElGamal's digital signature scheme [4] relies on the difficulty of computing discrete logarithms in the multiplicative group of $\mathbb{F}_p$ and can therefore be broken if the computation of discrete logarithms is feasible. However, the converse has never been proved. In this paper we show that it is sometimes possible to forge signatures without breaking the underlying discrete logarithm problem. This shows that the ElGamal signature scheme and some variants of the scheme must be used very carefully. The paper is organized as follows. Section 2 describes the ElGamal signature scheme. In Section 3 we present a method to forge signatures if some additional information on the generator is known. We show that...
Rapid Demonstration of Linear Relations Connected by Boolean Operators
 In EUROCRYPT ’97
, 1997
Cited by 37 (0 self)
Abstract
Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption. 1 Introduction Consider a polynomial-time prover that has committed to a vector of secrets and wants to demonstrate that the secrets satisfy some satisfiable formula from propositional logic, where the atomic propositions are relations that are linear in the secrets. An example formula is $\big( (5x_1 - 3x_2 = 5) \text{ AND } (2x_2 + 3x_3 = 7) \big) \text{ OR } \big( \text{NOT}(x_1 + 4x_3 = 5) \big)$, where $(x_1, \ldots, x_k)$ is the prover's vector of secrets. The prover does not want to reveal any more information about its secrets than what is co...
From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security
 Proceedings of Eurocrypt 2002, volume 2332 of LNCS
, 2002
Cited by 32 (5 self)
Abstract
The Fiat-Shamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forward-secure signature schemes. In this paper, minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forward-secure cases. Specifically, it is shown that the signature scheme is secure (resp. forward-secure) against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forward-secure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the Fiat-Shamir transform so that the commitment space assumption may be removed. Keywords: Signature schemes, identification schemes, Fiat-Shamir transform, forward security,
Meta-Message Recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications
, 1994
Cited by 31 (6 self)
Abstract
There have been several approaches in the past to obtain signature schemes with appendix and signature schemes giving message recovery based on the discrete logarithm problem. Most of them can be embedded into a Meta-ElGamal and Meta-Message recovery scheme. In this paper we present the Meta-blind signature schemes, which have been developed from the ElGamal-based blind signature scheme and the recently discovered message recovery blind signature scheme. From our Meta-scheme we obtain various variants, some of which are more efficient than the already known ones. They can be recommended for practical use. We then give interesting applications of the Meta-Message recovery and Meta-Blind signature schemes, such as authentic encryption schemes, key distribution protocols and authentication schemes. Again, we can extract highly efficient variants.
On robust combiners for oblivious transfer and other primitives
 In Proc. Eurocrypt ’05
, 2005
Cited by 29 (1 self)
Abstract
At the mouth of two witnesses ... shall the matter be established. Deuteronomy, Chapter 19.
Security Analysis of a Practical "on the fly" Authentication and Signature Generation
 In Eurocrypt '98, LNCS 1403
, 1998
Cited by 28 (6 self)
Abstract
In response to the current need for fast, secure and cheap public-key cryptography, we study an interactive zero-knowledge identification scheme and a derived signature scheme that combine provable security based on the general problem of computing discrete logarithms modulo any number, short identity-based keys, very short transmission and minimal online computation. This leads to both efficient and secure applications well suited to implementation on low-cost smart cards. We develop complete proofs of completeness, soundness and the statistical zero-knowledge property of the identification scheme. The security analysis of the signature scheme leads us to present a novel number-theoretical lemma of independent interest and an original use of the "forking lemma" technique. From a practical point of view, the possible choice of parameters is discussed and we report the performance of an actual implementation on a cheap smart card. As an example, a complete and secure authentication can be ...