## Divertible protocols and atomic proxy cryptography (1998)

Venue: | In EUROCRYPT |

Citations: | 88 - 0 self |

### BibTeX

@INPROCEEDINGS{Blaze98divertibleprotocols,

author = {Matt Blaze and Gerrit Bleumer and Martin Strauss},

title = {Divertible protocols and atomic proxy cryptography},

booktitle = {In EUROCRYPT},

year = {1998},

pages = {127--144},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. First, we introduce the notion of divertibility as a protocol property as opposed to the existing notion as a language property (see Okamoto, Ohta [OO90]). We give a definition of protocol divertibility that applies to arbitrary 2-party protocols and is compatible with Okamoto and Ohta’s definition in the case of interactive zero-knowledge proofs. Other important examples falling under the newdefinition are blind signature protocols. We propose a sufficiency criterion for divertibility that is satisfied by many existing protocols and which, surprisingly, generalizes to cover several protocols not normally associated with divertibility (e.g., Diffie-Hellman key exchange). Next, we introduce atomic proxy cryptography, in which an atomic proxy function, in conjunction with a public proxy key, converts ciphertexts (messages or signatures) for one key into ciphertexts for another. Proxy keys, once generated, may be made public and proxy functions applied in untrusted environments. We present atomic proxy functions for discrete-log-based encryption, identification, and signature schemes. It is not clear whether atomic proxy functions exist in general for all public-key cryptosystems. Finally, we discuss the relationship between divertibility and proxy cryptography. 1

### Citations

3136 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...3.1 Proxy encryption Although the problem of proxy cryptography seems like a natural extension of public-key cryptography, existing cryptosystems do not lend themselves to obvious proxy functions.RSA =-=[RSA78]-=- with a common modulus is an obvious candidate, but that scheme is known to be insecure [Sim83,DeL84].Similarly, there 5 Note that Bob of this example may be a government mandating that Alice provide ... |

2904 | New Directions in Cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...eas of Camenisch, Piveteau and Stadler [CPS95]. Here, we consider a new sort of protocol for divertibility, namely key exchange.In Figure 1, we present a diverted Diffie-Hellman key exchange protocol =-=[DH76]-=-.Let p be a k-bit prime (k ∈ IN), q be a large prime divisor of p − 1and Gq be the unique (multiplicative) subgroup of order q in Z ∗ p.Furthermore, g �= 1 denotes a randomly chosen element of Gq.(The... |

1202 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...d environments and without their active involvement.Furthermore, encrypting one’s secret key with another’s public key is not in general secure.The cryptosystem we present below, a variant of ElGamal =-=[ElG85]-=-, is thought to be secure in part because the cryptanalysis problem is random-self-reducible—which allows one to assert mathematically that recovering m from the public information 〈ea,E(m, ea),eb〉 is... |

1076 | The knowledge complexity of interactive proof-systems
- Goldwasser, Micali, et al.
- 1985
(Show Context)
Citation Context ...e or any other particular protocol property. 2.1 Definitions In order to deal with protocols of more than two parties, we generalize the notion of interactive Turing machine (ITM) by Goldwasser et al =-=[GMR89]-=-.Then we define connections of ITMs and finally give the definition of protocol divertibility. Definition 1 ((m, n)-Interactive Turing Machine). An (m, n)-Interactive Turing Machine ((m, n)-ITM ) is a... |

877 | How to prove yourself: practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...etween the hash assumption and assumptions about collision freedom or hardness to invert. 7 We note that this generic transformation of a protocol to a signature scheme has appeared in the literature =-=[FS87]-=-. We now analyze the hash assumption.Note that in order to produce a legitimate signature on m that verifies with ga , a signer needs to produce 〈gki 〉 and 〈(ki − mβi)/a〉.Thus, putting 〈βi〉 = h(〈gki 〉... |

323 |
Zero-knowledge proofs of identity
- Feige, Fiat, et al.
- 1988
(Show Context)
Citation Context ... the bit, Charlotte checks that (ga ) s′ 2 = s1 or that gs2 = gk . This round is repeated as desired.As with existing protocols, there may be ways to perform several rounds in parallel for efficiency =-=[FFS88]-=-. Symmetric proxy function for Y A symmetric proxy key is a/b.Suppose Charlotte wants to run the protocol with g b instead of g a .Either Alice or Charlotte or any intermediary can use the proxy key t... |

103 |
Proxy signature Delegation of the Power to Sign Message
- Mambo, Usuda, et al.
- 1996
(Show Context)
Citation Context ...ts to another recipient.Mambo and Okamoto [MO97] develop this formulation and give efficient transforms (more efficient than decryption and re-encryption) for ElGamal and RSA.Mambo, Usuda and Okamoto =-=[MUO96]-=- apply a similar notion to signature schemes. While such schemes have value from the standpoint of efficiency, they are not, however, “atomic proxy cryptosystems” by our definition because the transfo... |

38 |
Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts
- Mambo, Okamoto
- 1997
(Show Context)
Citation Context ...us work on delegating the power to decrypt has focused on developing efficient transformations that allow the original recipient to forward specific ciphertexts to another recipient.Mambo and Okamoto =-=[MO97]-=- develop this formulation and give efficient transforms (more efficient than decryption and re-encryption) for ElGamal and RSA.Mambo, Usuda and Okamoto [MUO96] apply a similar notion to signature sche... |

34 | Meta-Message Recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications
- Horster, Michels, et al.
(Show Context)
Citation Context ...ble; in particular (i) the diverted ZKP that Okamoto and Ohta used to prove their main theorem [OO90] and (ii) asblind modified ElGamal Signature, which was presented by Horster, Michels and Petersen =-=[HMP95]-=- who built on ideas of Camenisch, Piveteau and Stadler [CPS95]. Here, we consider a new sort of protocol for divertibility, namely key exchange.In Figure 1, we present a diverted Diffie-Hellman key ex... |

25 |
Jan-Hendrik Evertse, and Jeroen van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations
- Chaum
- 1988
(Show Context)
Citation Context ...h valid from invalid diverted out-messages (a ′ ,b ′ ) with non-negligible probability, i.e., probability ≥ 1 P (k) for some polynomial P , then he had broken the simultaneous discrete log assumption =-=[CEG88]-=-. ⊓⊔ 2.4 Why the Previous Definition is a Little too Weak The previous definition of divertibility by Okamoto and Ohta [OO90], and by Itoh et al [ISS91] as well, requires that two attackers Ã, ˜B who ... |

19 |
Divertible Zero Knowledge Interactive Proofs and Commutative Random SelfReducibility
- Okamoto, Ohta
- 1990
(Show Context)
Citation Context ...SA {mab,bleumer,mstrauss}@research.att.com Abstract. First, we introduce the notion of divertibility as a protocol property as opposed to the existing notion as a language property (see Okamoto, Ohta =-=[OO90]-=-). We give a definition of protocol divertibility that applies to arbitrary 2-party protocols and is compatible with Okamoto and Ohta’s definition in the case of interactive zero-knowledge proofs. Oth... |

19 | A “weak” privacy protocol using the RSA crypto algorithm - Simmons - 1983 |

18 | A Further Weakness in the Common Modulus Protocol for the RSA Cryptosystem - DeLaurentis - 1984 |

12 |
A proposed federal information processing standard for secure hash (SHS
- NIST
- 1992
(Show Context)
Citation Context ... k) is the signature function for message m by key k and V (m, s, k) is the verify function for message m with signature s by key k. Again, existing digital signature schemes such as RSA [RSA78], DSA =-=[NIS91]-=-, or ElGamal [ElG85], etc.do not have obvious proxy functions (which, again, is not to say that such functions do not exist). As in the case of proxy identification, in order to construct a proxy key ... |

9 |
The prisoners' problem and the subliminal channel." CRYPTO'83
- Simmons
- 1984
(Show Context)
Citation Context ...with applications to identification protocols.The basic observation was that some 2-party identification protocols could be extended by placing an intermediary— called a warden for historical reasons =-=[Sim84]-=-—between the prover and verifier so that, even if both parties conspire, they cannot distinguish talking to each other through the warden from talking directly to a hypothetical honest verifier and ho... |

2 |
Yvo Desmedt: All languages in NP have divertible zero-knowledge proofs and argurments under cryptographic assumptions; Eurocrypt '90, LNCS 473
- Burmester
- 1991
(Show Context)
Citation Context ...er and honest prover, respectively.Since identification protocols were developed in close relation to interactive zero-knowledge proofs (ZKP), Okamoto and Ohta [OO90] (and later Desmedt and Burmester =-=[BD91]-=- and Ihto et al [ISS91]) established the notion of divertibility as a language property, i.e., a language is considered divertible if it can be recognized by a diverted interactive zero-knowledge proo... |

2 |
An encrypted key transmission protocol. CRYPTO '94 Rump Session presentation
- Hughes
- 1994
(Show Context)
Citation Context ...lar in structure to ElGamal encryption [ElG85], but with the parameters used differently and the inverse of the secret used to recover the message. 6 (This approach has merit beyond proxy encryption; =-=[Hug94]-=- proposed a Diffie-Hellman-like key agreement protocol based on the inverse of the secret, which allows a message’s sender to determine the key prior to identifying its recipient). Cryptosystem X (enc... |

2 |
Hiroki Shizuya: Any Language in IP has a Divertible ZKIP; Asiacrypt '91
- Itoh, Sakurai
- 1993
(Show Context)
Citation Context ...respectively.Since identification protocols were developed in close relation to interactive zero-knowledge proofs (ZKP), Okamoto and Ohta [OO90] (and later Desmedt and Burmester [BD91] and Ihto et al =-=[ISS91]-=-) established the notion of divertibility as a language property, i.e., a language is considered divertible if it can be recognized by a diverted interactive zero-knowledge proof system.In this paper,... |