## Self-Delegation with Controlled Propagation - or - What If You Lose Your Laptop (1998)

Citations: 17 (2 self)

### BibTeX

@MISC{Goldreich98self-delegationwith,
  author = {Oded Goldreich and Birgit Pfitzmann and Ronald L. Rivest},
  title = {Self-Delegation with Controlled Propagation - or - What If You Lose Your Laptop},
  year = {1998}
}

### Abstract

We introduce delegation schemes wherein a user may delegate certain rights to himself, but may not safely delegate these rights to others. In our motivating application, a user has a primary (long-term) key that receives some personalized access rights, yet the user may reasonably wish to delegate these rights to new secondary (short-term) keys he creates to use on his laptop when traveling, to avoid having to store his primary secret key on the vulnerable laptop. We propose several cryptographic schemes, both generic ones under general assumptions and more specific practical ones, that fulfill these somewhat conflicting requirements, without relying on special-purpose (e.g., tamper-proof) hardware. This is an extended abstract of our work [19].

### Citations

3006 | New Directions in Cryptography - Diffie, Hellman - 1976 |

1968 | How to share a secret - Shamir
Citation Context: ...ynomial of degree $r - 1$ over $GF(2^n)$ with the primary secret key as the constant coefficient, say, $p(x) \stackrel{\text{def}}{=} \sum_{j=0}^{r-1} p_j x^j$ with $p_0 = sk$. This corresponds to setting up a secret sharing scheme as in [26]. He makes a commitment C to all the non-constant coefficients using the given commitment scheme. Typically, the length of the commitment automatically shows that the content is a polynomial of de... |

1443 | Random oracles are practical: a paradigm for designing efficient protocols - Bellare, Rogaway - 1993
Citation Context: ...ented by the server by using a pseudorandom function [20]. In practice, one may be tempted to use a concrete publicly available function, typically a hash function, believed to “behave randomly” (cf. [19, 2]). However, in connection with the role that m, the bound on the number of function values an adversary can evaluate, plays in the proposition below, it would need to be a very slow function. To analy... |

1098 | The Knowledge Complexity of Interactive Proof Systems - Goldwasser - 1989
Citation Context: ... primary secret key. More precisely, as we concentrate on generic schemes, we have to speak about any knowledge gained by validation tags. A suitable terminology is that of knowledge complexity (cf., [20, 18]). 4 Specifically, gradual schemes have a parameter $, called the slope, so that each correctly validated secondary key triple only gives ~ bits of knowledge. Schemes with threshold have a parameter r... |

896 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1987
Citation Context: ...pk- II h~' mod p ./=1 using the values hj in the user's extended primary public key. Now the user has to give a zero-knowledge proof of knowledge of vall, i.e., of the discrete logarithm of pk~ (cf., [6, 15]). An alternative is Schnorr identification [25], which needs only one exponentiation on each side, but is only known to be witness-hiding [14]. The security of this scheme is obvious from the per... |

668 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986
Citation Context: ...e" (or Beacon) service throughout the lifetime of the system; rl equals the answer of this random oracle on query L The random oracle may be implemented by the server by using a pseudorandom function [16]. To analyze the controlled-propagation quality of these constructions, we need a technical lemma about the probability that too many of the rl's are linearly dependent. Note that when we talk of the ... |

631 | Efficient Signature Generation by Smart Cards - Schnorr - 1991
Citation Context: ...s [12, 21]. In Section 4, we present more specific and efficient constructions where the primary key pair must belong to a discrete-logarithm based cryptographic scheme like Schnorr or DSS signatures [25, 11]. - Gradual vs. threshold: In Constructions 1 thru 1.2, the security of the primary secret key degrades gradually with the number of secondary secret keys available to an adversary until the primary s... |

396 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems - Goldreich, Micali, et al. - 1991
Citation Context: ...e set of valid public keys and of valid key pairs $Pred_1 = \{pk \mid \exists sk, aux : (sk, aux, pk) \in Pred\}$, $Pred_2 = \{(sk, pk) \mid \exists aux : (sk, aux, pk) \in Pred\}$ are in NP and therefore have zero-knowledge proof systems [17]. - Unique secret keys: For every pk, there exists at most one sk such that $(sk, pk) \in Pred_2$. - Key generation of the given cryptographic scheme produces triples $(sk, aux, pk) \in Pred$. Using any one-w... |

303 | Collusion-Secure Fingerprinting for Digital Data - Boneh, Shaw - 1998
Citation Context: ...e note the analogy between the current work and [14]: The latter paper presents a transparent approach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting [32, 5, 6, 29]. Some analogy exists also between self-delegation schemes and ( ; 1)-spendable coins [10, 27]. Conceptually speaking, the problems are different since there is no requirement on personal use in the l... |

250 | Bit commitment using pseudo-randomness - Naor - 1989
Citation Context: ...dices domain): Let a cryptographic scheme with unique secret keys with a relation Pred as above be given. Additionally, we need a secure commitment scheme that is unconditionally binding; e.g., as in [22]. - Server setup: The server chooses parameters n for the length of secret keys and r for the threshold and a reference string Ref E {0, 1} p~ for the non-interactive zero-knowledge proof system. It f... |

248 | A practical scheme for non-interactive verifiable secret sharing - Feldman - 1987
Citation Context: ...q- 1}, and the corresponding main part of the public key is $h = g^{sk} \bmod p$. The actual scheme is a slight extension to Feldman's Verifiable Secret Sharing (VSS) scheme based on discrete logarithms [13]. The validation tags are simply shares of the secret key. We need two extra properties for our application: First, if we want a large domain of limitations indices, the VSS scheme must allow a large ... |

212 | Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract) - Chor, Goldwasser, et al.
Citation Context: ...ptops), but external verifiers, i.e., we need an efficient zero-knowledge proof of knowledge of a proper share. Although these extra properties are not required in the general definition of VSS (cf., [8]), they happen to hold in Feldman's VSS. This gives the following scheme, for any 7- > 2. Construction 3 (discrete log, threshold): Let any cryptographic scheme based on discrete logarithms in groups ... |

179 | Multiple non-interactive zero-knowledge proofs under general assumptions - Feige, Lapidot, et al. - 1999
Citation Context: ...ection 3, we present generic schemes' which apply to any primary and secondary keys. They rely on non-interactive zero-knowledge proofs [3], and thus on the existence of trapdoor one-way permutations [12, 21]. In Section 4, we present more specific and efficient constructions where the primary key pair must belong to a discrete-logarithm based cryptographic scheme like Schnorr or DSS signatures [25, 11]. ... |

175 | Witness Indistinguishable and Witness Hiding Protocols - Feige, Shamir - 1990
Citation Context: ...of vall, i.e., of the discrete logarithm of pk~ (cf., [6, 15]). An alternative is Schnorr identification [25], which needs only one exponentiation on each side, but is only known to be witness-hiding [14]. The security of this scheme is obvious from the perfect security of the Verifiable Secret Sharing scheme when the public key is already given [24]: Less than r validation tags, i.e., shares, giv... |

151 | On Defining Proofs of Knowledge - Bellare, Goldreich - 1992
Citation Context: ...connection with the second person's program, which may be arbitrary, yet must be efficient. For simplicity, we concentrate on users giving away full-quality secondary keys, but with definitions as in [1] this can be generalized to giving away information that will only convince the verifier with a certain probability. Our two goals can now be formulated in more detail as follows: - Restricted damage ... |

129 | Non-interactive zero-knowledge and its applications - Blum, Feldman, et al. - 1988
Citation Context: ...orized by the following parameters: - Generic vs. specific: In Section 3, we present generic schemes' which apply to any primary and secondary keys. They rely on non-interactive zero-knowledge proofs [3], and thus on the existence of trapdoor one-way permutations [12, 21]. In Section 4, we present more specific and efficient constructions where the primary key pair must belong to a discrete-logarithm... |

76 | How to Exchange (Secret) Keys - Blum - 1993
Citation Context: ...hat verifiers do not gain an advantage in finding a user's primary secret key. On the other hand, knowledge of ~l's is related to the gradual release of a secret (as introduced for secret exchange in [2]): Knowledge of a few such pieces (i.e., el's) does not endanger the secret, whereas knowledge of many "orthogonal" pieces does endanger it. A crucial point is to ensure this "orthogonality" whenever ... |

72 | Distributed provers with applications to undeniable signatures - Pedersen
Citation Context: ...ch side, but is only known to be witness-hiding [14]. The security of this scheme is obvious from the perfect security of the Verifiable Secret Sharing scheme when the public key is already given [24]: Less than r validation tags, i.e., shares, give no information about the secret beyond what is known by the public key, whereas r validation tags enable reconstruction. An alternative way of using t... |

66 | Anonymous fingerprinting - Pfitzmann, Waidner - 1997
Citation Context: ...e note the analogy between the current work and [14]: The latter paper presents a transparent approach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting [32, 5, 6, 29]. Some analogy exists also between self-delegation schemes and ( ; 1)-spendable coins [10, 27]. Conceptually speaking, the problems are different since there is no requirement on personal use in the l... |

57 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations - Chaum, Evertse, et al. - 1988
Citation Context: ...pk- II h~' mod p ./=1 using the values hj in the user's extended primary public key. Now the user has to give a zero-knowledge proof of knowledge of vall, i.e., of the discrete logarithm of pk~ (cf., [6, 15]). An alternative is Schnorr identification [25], which needs only one exponentiation on each side, but is only known to be witness-hiding [14]. The security of this scheme is obvious from the per... |

54 | Untraceable Electronic Cash - Chaum, Fiat, Naor - 1988
Citation Context: ...ach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting following [27]. Some analogy exists also between self-delegation schemes and (v-1)-spendable coins [7, 23]. Conceptually speaking, the problems are different since there is no requirement on personal use in the latter, and the main issue is untraceability (otherwise identification of overspenders would be... |

52 | Disposable Zero-Knowledge Authentication and Their Applications to Untraceable Electronic Cash - Okamoto, Ohta - 1990
Citation Context: ...ch to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting [32, 5, 6, 29]. Some analogy exists also between self-delegation schemes and ( ; 1)-spendable coins [10, 27]. Conceptually speaking, the problems are different since there is no requirement on personal use in the latter, and the main issue is untraceability (otherwise identification of overspenders would be... |

38 | Fingerprinting long forgiving messages - Blakley, Meadows, et al. - 1985
Citation Context: ...e note the analogy between the current work and [14]: The latter paper presents a transparent approach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting [32, 5, 6, 29]. Some analogy exists also between self-delegation schemes and ( ; 1)-spendable coins [10, 27]. Conceptually speaking, the problems are different since there is no requirement on personal use in the l... |

35 | Achieving Electronic Privacy. Scientific American 267,2 - Chaum - 1992
Citation Context: ...ion certificates, suggested above, as a new type of certificate which one may call a self-delegation certificate.) Other approaches to the issue of limiting the delegation of rights were suggested in [4, 5]. We note the analogy between the current work and [10]: The latter paper presents a transparent approach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinti... |

31 | Showing credentials without identification: Transferring signatures between unconditionally unlinkable pseudonyms - Chaum - 1990
Citation Context: ...ion certificates, suggested above, as a new type of certificate which one may call a self-delegation certificate.) Other approaches to the issue of limiting the delegation of rights were suggested in [4, 5]. We note the analogy between the current work and [10]: The latter paper presents a transparent approach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinti... |

27 | Quantifying Knowledge Complexity - Goldreich, Petrank - 1991
Citation Context: ... primary secret key. More precisely, as we concentrate on generic schemes, we have to speak about any knowledge gained by validation tags. A suitable terminology is that of knowledge complexity (cf., [20, 18]). 4 Specifically, gradual schemes have a parameter $, called the slope, so that each correctly validated secondary key triple only gives ~ bits of knowledge. Schemes with threshold have a parameter r... |

26 | An efficient noninteractive zero-knowledge proof system for NP with general assumptions - Kilian, Petrank - 1998
Citation Context: ...ection 3, we present generic schemes' which apply to any primary and secondary keys. They rely on non-interactive zero-knowledge proofs [3], and thus on the existence of trapdoor one-way permutations [12, 21]. In Section 4, we present more specific and efficient constructions where the primary key pair must belong to a discrete-logarithm based cryptographic scheme like Schnorr or DSS signatures [25, 11]. ... |

19 | Divertible Zero-Knowledge Interactive Proofs and Commutative Random Self-Reducibility - Okamoto, Ohta - 1989 |

13 | Wallet Databases with Observers - Chaum, Pedersen - 1993 |

1 | Fingerprinting - Wagner |

1 | Disposable Zero-Knowledge Authentications and their Applications to Untraceable Electronic Cash - Okamoto, Ohta - 1990
Citation Context: ...ach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting following [27]. Some analogy exists also between self-delegation schemes and (v-1)-spendable coins [7, 23]. Conceptually speaking, the problems are different since there is no requirement on personal use in the latter, and the main issue is untraceability (otherwise identification of overspenders would be... |