Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes
, 1998
Cited by 121 (13 self)
Abstract
This paper presents the first efficient statistical zero-knowledge protocols to prove statements such as: a committed number is a pseudoprime.
Separability and Efficiency for Generic Group Signature Schemes (Extended Abstract)
, 1999
Cited by 74 (13 self)
Abstract
A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a key-management as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an efficient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depe...
Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
, 1991
Cited by 70 (1 self)
Abstract
"Undeniable" (or perhaps rather "invisible") signatures are digital signatures which the recipient cannot show round without the help of the signer. If forced to either acknowledge or deny a signature, however, the signer cannot deny it if it is authentic. We present the first undeniable signature scheme which is unconditionally secure for the signer (except for an exponentially small error probability). The security for the recipient is provably as secure as the discrete logarithm in certain groups. Besides, this is the first practical cryptographically strong undeniable signature scheme at all. In many cases, it is more efficient than previous signature schemes unconditionally secure for the signer. Interesting subprotocols are efficient cryptographically collision-free hash functions based on the discrete log, and efficient perfectly hiding commitments on numbers modulo a prime with particular inequality proofs.
A New and Efficient All-Or-Nothing Disclosure of Secrets Protocol
, 1998
Cited by 41 (1 self)
Abstract
Two-party protocols have been considered for a long time.
Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies
JOURNAL OF CRYPTOLOGY
, 1994
Cited by 32 (0 self)
Abstract
New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be superpolynomial in power. A probabilistic polynomial time prover with the appropriate trapdoor knowledge is sufficient. The proofs are perfect or statistical zero-knowledge in all cases except one.
Two-Party Generation of DSA Signatures
, 2004
Cited by 27 (7 self)
Abstract
We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain instantiation that allows a proof of security for concurrent execution in the random oracle model and that is very practical. We also briefly outline a variation that requires more rounds of communication but that allows a proof of security for sequential execution without random oracles.
An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products
Cited by 24 (5 self)
Abstract
We present efficient zero-knowledge proof systems for quasi-safe prime products and other related languages. Quasi-safe primes are a relaxation of safe primes, a class of prime numbers useful in many cryptographic applications. More specifically we present the first simple and efficient zero-knowledge proof that an alleged RSA modulus is of the correct form, i.e. the product of two primes. All previously known proofs enforced only that the modulus was the product of two prime powers. We then present a zero-knowledge proof that the primes composing the RSA modulus are quasi-safe. Our proof systems achieve higher security and better efficiency than all previously known ones. In particular, all our proof systems are perfect or statistical zero-knowledge, meaning that even a computationally unbounded adversary cannot extract any information from the proofs. Moreover, our proof systems are extremely efficient because they do not use general reductions to NP-complete problems, can be easily parallelized preserving zero-knowledge, and are non-interactive for computationally unbounded provers. The prover can also be efficiently implemented given some trapdoor information and using very little interaction. We demonstrate the applicability of quasi-safe primes by showing how they can be effectively used in the context of RSA-based undeniable signatures to enforce the use of "good" public keys, i.e., keys such that if a signer can convince a recipient of the validity of a signature, then he won't be able to subsequently deny the same signature in case of a dispute.
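Two of the entries above (the 1998 safe-prime paper and the quasi-safe-prime paper) are about proving that an RSA modulus is a product of safe primes, p = 2p'+1 with p' prime. The following is an added example, not code from either paper, showing on the prover's side what that property buys: for such a modulus the group of quadratic residues has order p'q', so no non-trivial residue has small order, whereas a modulus built from ordinary primes does contain small-order residues. All function names are the example's own, and the primes are generated from a seeded PRNG purely so the run is reproducible.

```python
"""Safe primes and the quadratic-residue group of n = p*q (added example)."""
import random
from math import gcd

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32, rng=None) -> bool:
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = rng or random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when p and p' = (p-1)/2 are both prime (p > 5 keeps p' odd)."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def gen_safe_prime(bits: int, rng: random.Random) -> int:
    """Draw random odd (bits-1)-bit p' until both p' and 2p'+1 are prime."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            return 2 * q + 1


def safe_prime_modulus(bits: int, seed: int):
    """Return (n, p, q) with n = p*q and p != q both safe primes; seeded for reproducibility."""
    rng = random.Random(seed)
    p = gen_safe_prime(bits, rng)
    q = gen_safe_prime(bits, rng)
    while q == p:
        q = gen_safe_prime(bits, rng)
    return p * q, p, q


def qr_orders(p: int, q: int, samples: int, seed: int) -> set:
    """Orders of random quadratic residues mod n = p*q for safe primes p, q.
    QR_n has order p'q', so every order is 1, p', q' or p'q'; the factors are
    used here only to enumerate those divisors (a verifier never sees them)."""
    n = p * q
    pp, qq = (p - 1) // 2, (q - 1) // 2
    divisors = sorted({1, pp, qq, pp * qq})
    rng = random.Random(seed)
    orders = set()
    for _ in range(samples):
        x = rng.randrange(2, n - 1)
        if gcd(x, n) != 1:
            continue
        y = x * x % n  # a quadratic residue
        orders.add(next(d for d in divisors if pow(y, d, n) == 1))
    return orders


def small_order_qr_exists(p: int, q: int, bound: int) -> bool:
    """Brute force for small n: is there a quadratic residue y != 1 mod p*q with
    y^d == 1 for some d < bound?  Impossible when p, q are safe primes with
    p', q' >= bound; possible when p-1 or q-1 has small odd factors or 4 | p-1."""
    n = p * q
    for x in range(2, n - 1):
        if gcd(x, n) != 1:
            continue
        y = x * x % n
        if y == 1:
            continue
        if any(pow(y, d, n) == 1 for d in range(1, bound)):
            return True
    return False


if __name__ == "__main__":
    n, p, q = safe_prime_modulus(24, seed=7)
    print(f"n = {n} = {p} * {q}; safe primes: {is_safe_prime(p)}, {is_safe_prime(q)}")
    print("orders of sampled residues:", qr_orders(p, q, 100, seed=1))
    print("small-order residue mod 23*47 (safe primes):", small_order_qr_exists(23, 47, 10))
    print("small-order residue mod 37*41 (not safe):", small_order_qr_exists(37, 41, 10))
```

The last two calls are the point: 23 and 47 are safe primes, so every residue other than 1 has order at least 11; 37 and 41 are not, and a residue of order 2 exists (any y with y ≡ -1 mod 37 and y ≡ 1 mod 41, since -1 is a square mod 37). A protocol that relies on the residue group having no small subgroups is exactly what the zero-knowledge proofs in these papers let a verifier check without learning p and q.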
Cryptography and Evidence
, 1997
Cited by 14 (0 self)
Abstract
The invention of public-key cryptography led to the notion that cryptographically protected messages could be used as evidence to convince an impartial adjudicator that a disputed event had in fact occurred. Information stored in a computer is easily modified, and so records can be falsified or retrospectively modified. Cryptographic protection prevents modification, and it is hoped that this will make cryptographically protected data acceptable as evidence. This usage of cryptography to render an event undeniable has become known as non-repudiation. This dissertation is an enquiry into the fundamental limitations of this application of cryptography, and the disadvantages of the techniques which are currently in use. In the course of this investigation I consider the converse problem, of ensuring that an instance of communication between computer systems leaves behind no unequivocal evidence of its having taken place. Features of communications protocols that were seen as defects from the standpoint of non-repudiation can be seen as benefits from the standpoint of this converse problem, which I call "plausible deniability".

Declaration
This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration. This dissertation is not substantially the same as any other that I have submitted for a degree, diploma, or other qualification at any other university.

Acknowledgements
I would like to thank Peter Kirstein and Ben Bacarisse for managing the research projects which caused me to become interested in this area; Steve Kent for many interesting discussions about the problems of key certification; Russ Housley for suggesting the term "plausible deniability"; Roger Needham for being my supervisor; and Bruce Christianson for his advice on how to write a dissertation.

To my grandfather,
Security of Signature Schemes in a Multi-User Setting
, 2001
Cited by 14 (1 self)
Abstract
This paper considers the security of signature schemes in the multi-user setting. We argue that the well-accepted notion of security for signature schemes, namely existential unforgeability against adaptive chosen-message attacks, is not adequate for the multi-user setting. We extend this security notion to the multi-user setting and show that signature schemes proven secure in the single-user setting can, under reasonable constraints, also be proven secure in the multi-user setting.
Subquadratic Zero-Knowledge
, 1995
Cited by 13 (3 self)
Abstract
We improve on the communication complexity of zero-knowledge proof systems. Let C be a boolean circuit of size n. Previous zero-knowledge proof systems for the satisfiability of C require the use of $\Omega(kn)$ bit commitments in order to achieve a probability of undetected cheating below $2^{-k}$. In the case k = n, the communication complexity of these protocols is therefore $\Omega(n^2)$ bit commitments. In this paper, we present a zero-knowledge proof system for achieving the same goal with only $O(n^{1+\varepsilon_n} + k\sqrt{n^{1+\varepsilon_n}})$ bit commitments, where $\varepsilon_n$ goes to zero as n goes to infinity. In the case k = n, this is $O(n\sqrt{n^{1+\varepsilon_n}})$. Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment. A preliminary version of this paper appeared in the Proceedings of the 32nd Annual IEEE Symposium on Foundations of Computer Science, October 1991. † Supported in part by NSA Gr...