Security Arguments for Digital Signatures and Blind Signatures
Journal of Cryptology, 2000
Cited by 283 (35 self)

Abstract
Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many new schemes have been proposed and many have been broken. Thus, the ...
Practical Verifiable Encryption and Decryption of Discrete Logarithms
2003
Cited by 137 (20 self)

Abstract
This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public-key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen-ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.
Identity Escrow
In Advances in Cryptology — CRYPTO ’98, 1997
Cited by 72 (0 self)

Abstract
We introduce the notion of escrowed identity, an application of key-escrow ideas to the problem of identification. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A's identity. However, B receives a guarantee that E can indeed determine A's identity. We give protocols for escrowed identity based on the ElGamal (signature and encryption) schemes and on the RSA function. A useful feature of our protocol is that after setting up A to use the system, E is only involved when it is actually needed to determine A's identity. Keywords: Cryptography, Key escrow, Proofs of identity.
Easy Come - Easy Go Divisible Cash
1998
Cited by 71 (1 self)

Abstract
Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto ’95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value) / (smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at setup to make the system efficient. Incorporating “unlinkable” blinding only in the setup, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin. In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (setup, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto’s result by 3 orders of magnitude, while the size of the coin remains about 300 bytes, based on a 512-bit modulus. Moreover, the protocols are compatible with tracing methods used for “fair” or “revokable” anonymous cash.
Proof Systems for General Statements about Discrete Logarithms
1997
Cited by 60 (5 self)

Abstract
Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge.

1 Introduction

Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
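The two building blocks the abstract names, a Schnorr-style proof of knowledge of a discrete logarithm and a proof that two discrete logarithms are equal (Chaum-Pedersen), written as non-interactive proofs via the Fiat-Shamir heuristic. This is an added example, not code from the paper: the group (a subgroup of prime order q = 2^89 - 1 inside Z_p^*, with p found at import time), SHA-256 as the challenge hash, and all function names are choices made here. The docstring states the two statements in the PK{...} notation the paper proposes.

```python
"""Non-interactive proofs about discrete logarithms in a prime-order subgroup
of Z_p^*: Schnorr's proof of knowledge of a DL and the Chaum-Pedersen proof
that two DLs are equal, both made non-interactive with Fiat-Shamir. In the
notation the paper above proposes, the statements proved are

    PK{(alpha): y = g^alpha}                       knowledge of log_g(y)
    PK{(alpha): y1 = g^alpha  and  y2 = h^alpha}   log_g(y1) = log_h(y2)

Example code, not from the paper: group parameters and hash are chosen here.
"""
import hashlib
import secrets

Q = (1 << 89) - 1  # subgroup order: the Mersenne prime 2^89 - 1 (an assumption)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with twelve fixed bases; probabilistic, adequate for a demo."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(q: int):
    """p = k*q + 1 for the first even k that makes p prime; g and h generate the
    order-q subgroup and come from different bases, so log_g(h) is unknown."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g, h = pow(2, k, p), pow(3, k, p)
    assert 1 not in (g, h) and pow(g, q, p) == pow(h, q, p) == 1
    return p, g, h

P, G, H = make_group(Q)

def challenge(*elems: int) -> int:
    """Fiat-Shamir challenge in Z_q over the whole statement plus commitments,
    each encoded fixed-width so the transcript cannot be re-parsed ambiguously."""
    sha = hashlib.sha256()
    for e in elems:
        sha.update(e.to_bytes(32, "big"))
    return int.from_bytes(sha.digest(), "big") % Q

def in_subgroup(y: int) -> bool:
    """Reject anything outside the order-q subgroup (small-subgroup inputs)."""
    return 0 < y < P and pow(y, Q, P) == 1

def schnorr_prove(x: int):
    """PK{(x): y = g^x}: commitment t = g^r, challenge c, response s = r + c*x mod q."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    s = (r + challenge(P, G, y, t) * x) % Q
    return y, t, s

def schnorr_verify(y: int, t: int, s: int) -> bool:
    """Accept iff g^s == t * y^c with c recomputed from the transcript."""
    if not (in_subgroup(y) and in_subgroup(t) and 0 <= s < Q):
        return False
    c = challenge(P, G, y, t)
    return pow(G, s, P) == t * pow(y, c, P) % P

def dleq_prove(x: int):
    """PK{(x): y1 = g^x and y2 = h^x}: one random r serves both commitments."""
    y1, y2 = pow(G, x, P), pow(H, x, P)
    r = secrets.randbelow(Q)
    t1, t2 = pow(G, r, P), pow(H, r, P)
    s = (r + challenge(P, G, H, y1, y2, t1, t2) * x) % Q
    return y1, y2, t1, t2, s

def dleq_verify(y1: int, y2: int, t1: int, t2: int, s: int) -> bool:
    """Both equations must hold for the same (c, s); that ties the two logs together."""
    if not (all(map(in_subgroup, (y1, y2, t1, t2))) and 0 <= s < Q):
        return False
    c = challenge(P, G, H, y1, y2, t1, t2)
    return (pow(G, s, P) == t1 * pow(y1, c, P) % P
            and pow(H, s, P) == t2 * pow(y2, c, P) % P)

if __name__ == "__main__":
    x = secrets.randbelow(Q)
    print("schnorr:", schnorr_verify(*schnorr_prove(x)))
    y1, y2, t1, t2, s = dleq_prove(x)
    print("dleq:", dleq_verify(y1, y2, t1, t2, s))
    print("dleq with unequal logs:", dleq_verify(y1, pow(H, x + 1, P), t1, t2, s))
```

Two details matter in practice and are easy to get wrong: the challenge hashes the public statement (p, the bases and the y values), not just the commitment, so a proof cannot be replayed for a different statement; and the verifier checks that every received element lies in the order-q subgroup before exponentiating, since elements of small order would otherwise let a prover pass with a bogus response.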
How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication
In ACM Conference on Computer and Communications Security, 2006
Cited by 55 (11 self)

Abstract
We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an e-token to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damgård et al. [30], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damgård et al. also only support one authentication per time period, while we support n. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse e-tokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.
Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes
2000
Cited by 52 (8 self)

Abstract
We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.
Group Blind Digital Signatures: A Scalable Solution to Electronic Cash
Financial Cryptography, Second International Conference, 1998, LNCS 1465
Cited by 30 (3 self)

Abstract
In this paper we construct a practical group blind signature scheme. Our scheme combines the already existing notions of blind signatures and group signatures. It is an extension of Camenisch and Stadler’s Group Signature Scheme [5] that adds the blindness property. We show how to use our group blind signatures to construct an electronic cash system in which multiple banks can securely distribute anonymous and untraceable e-cash. Moreover, the identity of the e-cash issuing bank is concealed, which is conceptually novel. The space, time, and communication complexities of the relevant parameters and operations are independent of the group size.
Variations of Diffie-Hellman Problem
In ICICS ’03, volume 2836 of LNCS, 2003
Cited by 26 (1 self)

Abstract
This paper studies various computational and decisional Diffie-Hellman problems by providing reductions among them in the high-granularity setting. We show that all three variations of the computational Diffie-Hellman problem, the square Diffie-Hellman problem, the inverse Diffie-Hellman problem and the divisible Diffie-Hellman problem, are equivalent with optimal reduction. We also consider variations of the decisional Diffie-Hellman problem in the single-sample and polynomial-sample settings, and show that all variations are equivalent except for the implication DDH ⇐ SDDH, which we can neither prove nor disprove and leave as an interesting open problem. Keywords: Diffie-Hellman problem, Square Diffie-Hellman problem, Inverse Diffie-Hellman problem, Divisible Diffie-Hellman problem
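To make the equivalence claim concrete, the following added Python example (not the paper's code) runs black-box reductions between the computational variants in a small prime-order group: CDH from a square-DH oracle, square DH from an inverse-DH oracle, CDH from a divisible-DH oracle, and, for contrast, inverse DH from CDH by square-and-multiply in the exponent. The oracles are simulated from exponents hidden in the element class; the group parameters, the `Elt` and `Oracles` classes and the function names are assumptions of this example, and the reductions are standard textbook ones chosen to illustrate the relationships, not the paper's own reductions or its tightness analysis.

```python
"""Black-box reductions among the Diffie-Hellman variants named above, in a
small prime-order group <g> of order q (a, b are secret exponents):
    CDH(g^a, g^b) -> g^(ab)    SDH(g^a) -> g^(a^2)
    IDH(g^a) -> g^(1/a)        DivDH(g^a, g^b) -> g^(a/b)
Example code, not from the paper: oracles are simulated from hidden exponents
and the reductions are textbook ones chosen for illustration.
"""

def is_prime(n: int) -> bool:  # trial division; adequate for the 32-bit toy group
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime_group(start: int = 1 << 31):
    """Smallest q >= start with q and p = 2q + 1 prime; g = 4 generates the
    order-q subgroup of quadratic residues. The reductions are black-box in the
    group, so the toy size only keeps this search fast."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()
HALF = pow(2, -1, Q)  # exponent 1/2: square roots are unique in odd prime order

class Elt:
    """Group element g^x. Reductions only use *, /, ** and ==; the exponent is
    kept privately so the simulated oracles can answer."""
    def __init__(self, v: int, x: int):
        self.v, self._x = v % P, x % Q
    @staticmethod
    def gen(x: int) -> "Elt":
        return Elt(pow(G, x % Q, P), x)
    def __mul__(self, o): return Elt(self.v * o.v, self._x + o._x)
    def __truediv__(self, o): return Elt(self.v * pow(o.v, -1, P), self._x - o._x)
    def __pow__(self, k): return Elt(pow(self.v, k, P), self._x * k)
    def __eq__(self, o): return self.v == o.v

ONE, GEN = Elt.gen(0), Elt.gen(1)

class Oracles:
    """Perfect oracles answered from the hidden exponents; every query is counted."""
    def __init__(self):
        self.calls = 0
    def _ans(self, x: int) -> Elt:
        self.calls += 1
        return Elt.gen(x)
    def cdh(self, A, B): return self._ans(A._x * B._x)
    def sdh(self, A): return self._ans(A._x * A._x)
    def idh(self, A): return self._ans(pow(A._x, -1, Q))
    def divdh(self, A, B): return self._ans(A._x * pow(B._x, -1, Q))

def cdh_from_sdh(A, B, O):
    """g^(ab) = (g^((a+b)^2) / (g^(a^2) g^(b^2)))^(1/2): three SDH queries.
    (The other direction, SDH from CDH, is just cdh(A, A).)"""
    return (O.sdh(A * B) / (O.sdh(A) * O.sdh(B))) ** HALF

def sdh_from_idh(A, O):
    """1/a - 1/(a+1) = 1/(a^2 + a); invert that and divide off g^a: three IDH
    queries. a = 0 and a = -1 would make a query undefined, so answer directly."""
    if A == ONE:        # a = 0  -> a^2 = 0
        return ONE
    if A * GEN == ONE:  # a = -1 -> a^2 = 1
        return GEN
    t = O.idh(A) / O.idh(A * GEN)  # g^(1/(a^2 + a))
    return O.idh(t) / A            # g^(a^2 + a) / g^a

def cdh_from_divdh(A, B, O):
    """g^(1/b) = DivDH(g, g^b), then g^(ab) = DivDH(g^a, g^(1/b)): two queries."""
    return O.divdh(A, O.divdh(GEN, B))

def idh_from_cdh(A, O):
    """g^(1/a) = g^(a^(q-2)) by square-and-multiply in the exponent, one CDH
    query per product: O(log q) queries, unlike the constant-query reductions above."""
    result, base, e = None, A, Q - 2
    while e:
        if e & 1:
            result = base if result is None else O.cdh(result, base)
        e >>= 1
        if e:
            base = O.cdh(base, base)
    return result

def run_checks(a: int = 1234567, b: int = 987654321) -> dict:
    """Run each reduction against the truth; return {name: (correct, queries)}."""
    A, B, out = Elt.gen(a), Elt.gen(b), {}
    for name, fn, truth in (
        ("cdh_from_sdh", lambda O: cdh_from_sdh(A, B, O), Elt.gen(a * b)),
        ("sdh_from_idh", lambda O: sdh_from_idh(A, O), Elt.gen(a * a)),
        ("cdh_from_divdh", lambda O: cdh_from_divdh(A, B, O), Elt.gen(a * b)),
        ("idh_from_cdh", lambda O: idh_from_cdh(A, O), Elt.gen(pow(a, -1, Q))),
    ):
        O = Oracles()
        out[name] = (fn(O) == truth, O.calls)
    return out
```

Calling `run_checks()` returns, for each reduction, whether its answer matched the true group element and how many oracle queries it used; the three constant-query reductions use 3, 3 and 2 queries, while the naive inverse-DH-from-CDH routine needs about as many as q has bits. The `HALF` exponent is the reason the abstract's setting matters: taking the square root in the exponent is only well defined because the group order q is odd and known (the "high granularity" case), which is what makes the SDH-to-CDH step work.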
"Indirect Discourse Proofs": Achieving Efficient Fair Off-Line E-Cash
1996
Cited by 25 (6 self)

Abstract
Cryptography has been instrumental in reducing the involvement of overhead third parties in protocols. For example, a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced. Here we suggest the notion of Indirect Discourse Proofs with which one can prove indirectly yet efficiently that a third party has a certain future capability (i.e., assure Trustees can trace). The efficient proofs presented here employ algebraic properties of exponentiation (or functions of similar homomorphic nature). Employing this idea we present the concept of a "Fair Off-Line e-Cash" (FOLC) system which enables tracing protocols for identifying either the coin or its owner. Recently, the need to trace and identify coins with owners/withdrawals was identified (to av...