Two-Party Generation of DSA Signatures
, 2004
Cited by 27 (7 self)
Abstract
We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain instantiation that allows a proof of security for concurrent execution in the random oracle model and that is very practical. We also briefly outline a variation that requires more rounds of communication but that allows a proof of security for sequential execution without random oracles.
Fully distributed threshold RSA under standard assumptions
 ADVANCES IN CRYPTOLOGY — ASIACRYPT 2001, VOLUME ??? OF LNCS
, 2001
Cited by 22 (3 self)
Abstract
The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows to share the ability to sign between a set of players. This scheme can be used for decryption as well. However, Shoup's protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus and this kind of RSA moduli cannot be easily generated in an efficient way with many players. Of course, it is still possible to call theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result to generate RSA moduli in a distributive manner is Boneh and Franklin's protocol but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup's protocol requires. The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisits Shoup's protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task so that the communication or time complexity are not overly important.
RSA-based Undeniable Signatures for General Moduli
 Advances in CT-RSA 2002, LNCS 2271
Cited by 21 (2 self)
Abstract
Gennaro, Krawczyk and Rabin gave the first undeniable signature scheme based on RSA signatures. However, their solution required the use of RSA moduli which are a product of safe primes. This paper gives techniques which allow RSA-based undeniable signatures for general moduli.
The composite discrete logarithm and secure authentication
 In Public Key Cryptography
, 2000
Cited by 18 (2 self)
Abstract
For the two last decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users' anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witness-indistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault's variants of the Schnorr schemes which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.
Fair Encryption of RSA Keys
 IN PROCEEDINGS OF EUROCRYPT 2000, VOLUME 1807 OF LNCS
, 2000
Cited by 15 (2 self)
Abstract
Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly, especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without compromising secrecy. We consider an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party. In this setting we wish to provide a publicly verifiable proof that the third party is able to recover the secret key if needed. Our emphasis is on size; we believe that the proof should be of the same length as the original key. In this paper, we propose such proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem. Our proofs are really efficient since in practical terms they are only a few hundred bytes long. As an application, we design a very simple and efficient key recovery system.
RSA-based Auto-Recoverable Cryptosystems
 In Proceedings of PKC2000, LNCS 1751
, 2000
Cited by 2 (1 self)
Abstract
The deployment of a "public-key infrastructure" (PKI) has recently started. Another recent concern in business and on the national level is the issue of escrowed encryption, key recovery, and emergency access to information (e.g., in the medical record area). Independent development of a PKI and an escrowed PKI (whenever required or desired) will pose a lot of constraints, duplication efforts and increased costs of the deployment. It will introduce interoperability issues which will be hard to overcome. Thus, what we advocate here is a joint design of an escrowed PKI and a regular PKI. In this work we develop an approach to such an integrated design. We give the first auto-recoverable systems based on RSA (or factoring), whereas the original auto-recoverable auto-certifiable schemes were based on Discrete Logarithm based keys. The security proof of our system assumes only that RSA is hard, while the original schemes required new specific discrete log based assumptions. We also put forth the notion of "generic" auto-recoverable systems where one can start with an unescrowed user key and then by simply doing "re-registration", change the key into an escrowed one. In contrast, in the original systems the user keys were tightly connected with the escrow authorities' key. Besides this novel (re)registration procedure there are no changes or differences for users between a PKI and a generic auto-recoverable PKI.
Recovering keys in open networks
 In Proceedings of IEEE Information Theory and Communications Workshop (ITW'99). Kruger National Park
, 1999
Towards signature-only signature schemes
 Advances in Cryptology - ASIACRYPT 2000, volume 1976 of LNCS
, 2000
Cited by 1 (0 self)
Abstract
We consider a problem which was stated in a request for comments made by NIST in the FIPS97 document. The question is the following: Can we have a digital signature public key infrastructure where the public (signature verification) keys cannot be abused for performing encryption? This may be applicable in the context of, say, exportable/escrow cryptography. The basic dilemma is that on the one hand, (1) to avoid framing by potentially misbehaving authorities we do not want them to ever learn the "signing keys" (e.g., Japan at some point declared a policy where signature keys may be required to be escrowed), and on the other hand (2) if we allow separate inaccessible public signature-verification keys, these keys (based on trapdoor functions) can be used as "shadow public-keys," and hence can be used to encrypt data in an unrecoverable manner. Any solution within the "trapdoor function" paradigm of Diffie and Hellman does not seem to lead to a solution which will simultaneously satisfy (1) and (2). The cryptographic community so far has paid very limited attention to
Fast Monte-Carlo Primality Evidence Shown in the Dark
, 2000
Cited by 1 (0 self)
Abstract
We construct an efficient proof of knowledge protocol for the demonstration of Monte-Carlo evidence that a number n is the product of two odd primes of roughly equal size without the prime factors being disclosed. The cost for a proof amounts to $12k \log_2 n$ multiplications of integers of size of n where k is a security parameter which controls the error probability of the proof under $2^{-k}$. With the same security parameter this error probability improves from the previous result of $e^{-k/74}$ for n in the general case of the two-prime-product structure. We also prove the security of our protocol with respect to a decision Diffie-Hellman problem. Key Words: Monte-Carlo primality test, Zero-knowledge protocols. 1 Introduction. In public-key cryptography, the private component of an individual user's cryptographic key should be known only to the user. On the other hand, the user's public key should be certified by a known authority for authentication. The authority may naturally demand that...
A New NP-Complete Problem and Public-Key Identification
Abstract
The appearance of the theory of zero-knowledge, presented by Goldwasser, Micali and Rackoff in 1985, opened a way to secure identification schemes. The first application was the famous Fiat-Shamir scheme based on the problem of modular square roots extraction. In the following years, many other schemes have been proposed, some Fiat-Shamir extensions but also new discrete logarithm based schemes. Therefore, all of them were based on problems from number theory. Their main common drawback is high computational load because of arithmetical operations modulo large integers. Implementation on low-cost smart cards was made difficult and inefficient. With the Permuted Kernels Problem (PKP), Shamir proposed the first efficient scheme allowing for an implementation on such low-cost smart cards, but very few others have afterwards been suggested. In this paper, we present an efficient identification scheme based on a combinatorial NP-complete problem: the Permuted Perceptrons Problem (PPP). This problem seems hard enough to be unsolvable even with very small parameters, and some recent cryptanalysis studies confirm that position. Furthermore, it admits efficient zero-knowledge proofs of knowledge and so it is well-suited for cryptographic purposes. An actual implementation completes the optimistic opinion about efficiency and practicability on low-cost smart cards, and namely with less than 2KB of EEPROM and just 100 Bytes of RAM and 6.4 KB of communication.