New ElGamal Type Threshold Digital Signature Scheme

Choonsik PARK (Electronics and Telecommunications Research Institute, P.O.Box 106, Yusong-ku, Taejeon, Korea) and Kaoru KUROSAWA (Tokyo Institute of Technology, 2-12-1 O-okayama, Meguro-ku, Tokyo 152, Japan, kkurosaw@ss.titech.ac.jp)
Abstract

In a $(k, n)$ threshold digital signature scheme, $k$ out of $n$ signers must cooperate to issue a signature. In this paper, we show an efficient $(k, n)$ threshold ElGamal type digital signature scheme with no trusted center. We first present a variant of the ElGamal type digital signature scheme which requires only a linear combination of two shared secrets when applied to the $(k, n)$-threshold scenario. More precisely, it is a variant of the Digital Signature Standard (DSS) which was recommended by the U.S. National Institute of Standards and Technology (NIST). We consider that it is meaningful to develop an efficient $(k, n)$-threshold digital signature scheme for DSS. The proposed $(k, n)$ threshold digital signature scheme is proved to be as secure as the proposed variant of DSS against chosen message attack.

1 Introduction

The notion of group oriented cryptography was introduced by Desmedt [1]. In a group oriented public key cryptosystem (or a group oriented digital signature scheme), the receiver/signer is a group of $n$ members. Since then, this notion has been studied by many researchers.

By using a general multiparty protocol [2], Desmedt [1] showed that a $t$-resilient public key cryptosystem ($t < n/2$) with no trusted center is obtained such that
(1) $n$ members can decrypt a ciphertext even if there are $t$ dishonest members. (The secret key will never be calculated by the group, though.)
(2) Any $t$ dishonest members cannot decrypt any ciphertexts.
This scheme is, however, completely impractical and interactive. Frankel [3] showed a different type but more efficient group oriented RSA type public key cryptosystem by using trusted clerks. Desmedt and Frankel [4] showed an efficient $(k, n)$ threshold ElGamal type public key cryptosystem such that
(1) $k$ out of $n$ members must cooperate to decrypt a ciphertext.
(2) Any $k - 1$ dishonest members cannot decrypt any ciphertexts.
This system requires a trusted center. Hwang [5] and then Pedersen [6] showed that the trusted center can be eliminated. In the system of Hwang [5], however, the size of the group public key is much larger than that of Desmedt and Frankel [4] because each member publicizes his own public key. In the system of Pedersen [6], the public key is as small as that of Desmedt and Frankel [4]. Pedersen's system makes use of a noninteractive verifiable secret sharing scheme [7].

Similarly, $t$-resilient digital signature schemes and $(k, n)$-threshold digital signature schemes are defined. In a $t$-resilient digital signature scheme,
(1) $n$ members can issue a signature even if there are $t$ dishonest members. (The secret key will never be calculated by the group, though.)
(2) Any $t$ dishonest members cannot forge a signature.
In a $(k, n)$-threshold digital signature scheme,
(1) $k$ out of $n$ members must cooperate to issue a signature.
(2) Any $k - 1$ dishonest members cannot forge a signature.
Desmedt and Frankel [8] showed a $(k, n)$ threshold RSA type digital signature scheme which requires a trusted center. As in group public key cryptosystems, Desmedt [1] showed that a $t$-resilient digital signature scheme with no trusted center is obtained for any digital signature scheme by using a general purpose multiparty protocol [2]. Cerecedo, Matsumoto and Imai (CMI) [9] showed an efficient $t$-resilient digital signature scheme with no trusted center ($t < n/2$) for Schnorr's scheme [10]. An efficient multiparty protocol is known for linear combinations [11], but not for multiplications. The CMI scheme for Schnorr's scheme is efficient because Schnorr's scheme requires only a linear combination of two shared secrets. On the other hand, the ElGamal digital signature scheme [12] requires a multiplication and a division as well as a linear combination. CMI [9] showed an efficient multiplication protocol for $t < n/3$ which works under a certain condition and suggested applying it to the ElGamal scheme and two variants of the ElGamal scheme [13, 14].
Clearly, no matter how efficient the multiplication protocol is, their ElGamal type schemes are not as efficient as their Schnorr's scheme, because the ElGamal type schemes require a multiplication and a division as well as a linear combination. Actually, their ElGamal type schemes are more complicated than is claimed in [9]:
1. As a division protocol, CMI used a multiparty protocol of [15]. The division protocol involves a multiplication protocol in it (see 4.3 of [9]). An ElGamal digital signature requires a division and a multiplication in sequence. Therefore, it requires two multiplications in sequence. On the other hand, the efficient CMI multiplication protocol for $t < n/3$ works just for one multiplication, but not more.
2. For $t < n/2$, it is necessary to reshare the local products of pieces (see of [9]). Beaver called this problem the ABC problem and solved it (see 5.3 and 5.4 of [16]). His protocol is, however, still very complicated.
After a preliminary version of CMI [17], Katoh, Hirose, Minoh and Ikeda (KHMI) [18] showed a group oriented digital signature scheme for the ElGamal scheme. This scheme also requires a multiplication and a division.

Anyway, previous ElGamal type group oriented digital signature schemes are more complicated than the CMI scheme for Schnorr's scheme because they require a multiplication and a division. In this paper, we show an efficient $(k, n)$ threshold ElGamal type digital signature scheme with no multiplication, no division and no trusted center. We first present a variant of the ElGamal type digital signature scheme which requires only a linear combination of two shared secrets when applied to the $(k, n)$-threshold scenario. More precisely, it is a variant of the Digital Signature Standard (DSS) [14] which was recommended by the U.S. National Institute of Standards and Technology (NIST). We consider that it is meaningful to develop an efficient $(k, n)$-threshold digital signature scheme for DSS.

The proposed $(k, n)$-threshold digital signature scheme consists of two protocols, a key generation protocol and a signature issuing protocol. In the key generation protocol, each member of the group (each signer) first broadcasts $k|p|$ bits and then sends $(n - 1)|q|$ bits secretly, where the discrete log problem is considered $\bmod p$ and $q$ is a large prime number which divides $p - 1$. In the signature issuing protocol, each signer broadcasts $k|p|$ bits, sends $(k - 1)|q|$ bits secretly and then broadcasts $|q|$ bits. Thus, our scheme is as efficient as the CMI scheme for Schnorr's scheme. Further, the proposed $(k, n)$ threshold digital signature scheme is proved to be as secure as the proposed variant of DSS against chosen message attack.

Recently, some researchers have investigated many variations of the ElGamal signature scheme [19, 20, 21]. Our variant of DSS is related to those variations in some ways.
2 Preliminaries

2.1 Public Parameters

Throughout this paper, $p$ and $q$ are large primes such that $q$ divides $p - 1$, and $g$ generates the subgroup $G_q$ of $Z_p$ of order $q$. It is assumed that $p$, $q$ and $g$ are publicly known.

2.2 Secret Sharing Scheme

In a $(k, n)$ threshold secret sharing scheme [22], a dealer distributes a secret $s$ to $n$ participants $P_1, \ldots, P_n$ in such a way that
- Any group of fewer than $k$ participants cannot obtain any information about the secret $s$.
- Any group of at least $k$ participants can compute the secret $s$ in polynomial time.
Shamir showed a $(k, n)$ threshold secret sharing scheme as follows [22]. In order to distribute $s \in Z_q$ among $P_1, \ldots, P_n$ (where $n < q$), the dealer chooses a random polynomial $f$ over $Z_q$ of degree at most $k - 1$ satisfying $f(0) = s$. Participant $P_i$ receives $s_i = f(i)$ as his private share. Due to the fact that there is one and only one polynomial of degree at most $k - 1$ satisfying $f(i) = s_i$ for $k$ values of $i$, Shamir's scheme satisfies the definition of a $(k, n)$ threshold scheme. Any $k$ participants $(P_{i_1}, \ldots, P_{i_k})$ can find $f$ and $s$ by using the Lagrange formula:

$$f(u) = \sum_{l=1}^{k} \Big( \prod_{h \ne l} \frac{u - i_h}{i_l - i_h} \Big) f(i_l) = \sum_{l=1}^{k} \Big( \prod_{h \ne l} \frac{u - i_h}{i_l - i_h} \Big) s_{i_l} \qquad (1)$$

Then

$$s = \sum_{j=1}^{k} a_j s_{i_j} \bmod q, \qquad (2)$$

where $a_1, \ldots, a_k$ are given by

$$a_j = \prod_{h \ne j} \frac{i_h}{i_h - i_j} \bmod q.$$

Each $a_i$ is non-zero and can easily be computed from the public information.
2.3 Verifiable Secret Sharing Scheme

Verifiable secret sharing schemes (VSS) have been developed to prevent cheating by the dealer. In a verifiable secret sharing scheme, each participant can verify his share. Feldman [7] obtained a noninteractive VSS from Shamir secret sharing by using probabilistic encryptions. Pedersen [6, 23] presented a noninteractive VSS for the purpose of a $(k, n)$ threshold ElGamal type public key cryptosystem which is very similar to [7] but somewhat simpler. Pedersen's scheme [6, 23] is as follows. Assume the dealer has a secret $s \in Z_q$ and is committed to $s$ through the public information $h = g^s \bmod p$. This secret can be distributed to $P_1, \ldots, P_n$ as follows.

PROTOCOL DISTRIBUTE (at the dealer)
step 1. Choose a random polynomial $f(u) = f_0 + f_1 u + \cdots + f_{k-1} u^{k-1}$ over $Z_q$ of degree $k - 1$ satisfying $f(0) = s$. Compute $s_i = f(i)$.
step 2. Send $s_i$ secretly to $P_i$ and broadcast $(g^{f_i} \bmod p)_{i=1,\ldots,k-1}$ to all $n$ participants.
Thus the dealer broadcasts $k - 1$ elements in $Z_p$ and secretly sends $n$ elements in $Z_q$.

PROTOCOL VERIFY SHARE (at $P_i$)
step 1. Verify that $g^{s_i} = \prod_{j=0}^{k-1} (g^{f_j})^{i^j} \bmod p$.
step 2. If this is false, broadcast $s_i$ and reject the dealer.
step 3. For each other $s_l$ claimed at step 2, verify that $g^{s_l} = \prod_{j=0}^{k-1} (g^{f_j})^{l^j} \bmod p$. If this is true, reject $P_l$. Otherwise, reject the dealer.
step 4. If the dealer is not rejected, accept $s_i$.

Proposition 2.1 [6, 23] Suppose that $y (= g^s \bmod p)$ is publicly known. Then, any $l$ ($1 \le l \le k - 1$) participants having shares $(s_{i_j})_{j=1,\ldots,l}$ can find $(g^{f'_j})_{j=1,\ldots,k-1}$ such that

$$f'(u) = s + f'_1 u + \cdots + f'_{k-1} u^{k-1}, \qquad f'(i_j) = s_{i_j}, \quad j = 1, \ldots, l,$$

where $f'(u)$ is a random polynomial, in polynomial time.
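As an added illustration of subsections 2.2 and 2.3 (example code written for this page, not code from the paper), the following Python implements Shamir sharing over $Z_q$ with the Lagrange coefficients $a_j$ of eq.(2), the dealer side of PROTOCOL DISTRIBUTE (shares plus the commitments $g^{f_j}$), and the check of step 1 of PROTOCOL VERIFY SHARE. The parameters $p = 607$, $q = 101$ and all function names are constructed for the example; the parameters are far too small for real use and only make the arithmetic easy to follow.

```python
import secrets

# Toy public parameters, constructed for this example only (far too small for
# real use): q divides p - 1 and g generates the order-q subgroup of Z_p.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)
assert G != 1, "2^((p-1)/q) must not be the identity"


def eval_poly(coeffs, u):
    """f(u) = f_0 + f_1 u + ... + f_{k-1} u^{k-1} mod q."""
    return sum(c * pow(u, j, Q) for j, c in enumerate(coeffs)) % Q


def distribute(secret, k, n):
    """PROTOCOL DISTRIBUTE (dealer side): returns the secret shares s_i = f(i)
    for i = 1..n and the public commitments (g^{f_0}, ..., g^{f_{k-1}}) mod p,
    where f is a random polynomial of degree k-1 with f(0) = secret."""
    f = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    shares = {i: eval_poly(f, i) for i in range(1, n + 1)}
    commits = [pow(G, fj, P) for fj in f]       # commits[0] == g^s == h
    return shares, commits


def verify_share(i, s_i, commits):
    """PROTOCOL VERIFY SHARE, step 1: g^{s_i} == prod_j (g^{f_j})^{i^j} mod p.
    A share the dealer tampered with fails this check."""
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == rhs


def lagrange_coeffs(ids):
    """a_j = prod_{h != j} i_h / (i_h - i_j) mod q, as in eq.(2)."""
    a = {}
    for j in ids:
        num = den = 1
        for h in ids:
            if h != j:
                num, den = num * h % Q, den * (h - j) % Q
        a[j] = num * pow(den, -1, Q) % Q
    return a


def reconstruct(shares):
    """Eq.(2): s = sum_j a_j s_{i_j} mod q, from any k shares {i: s_i}."""
    a = lagrange_coeffs(list(shares))
    return sum(a[i] * s for i, s in shares.items()) % Q


if __name__ == "__main__":
    shares, commits = distribute(42, k=3, n=5)
    print(all(verify_share(i, s, commits) for i, s in shares.items()))  # True
    print(reconstruct({i: shares[i] for i in (1, 3, 5)}))                # 42
    # A cheating dealer who hands P_2 a wrong share is caught at step 1:
    print(verify_share(2, (shares[2] + 1) % Q, commits))                 # False
```

Any three of the five shares recover the secret, and the commitment vector lets each participant check its own share without learning anything about the others, which is what lets the dealer be removed in the dealerless protocol of subsection 2.4.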
2.4 Generating a random secret

An efficient multiparty protocol for generating a random number $R$ is known [6, 23]. Suppose that a dealer chooses $R$ at random, publicizes $y = g^R \bmod p$ and sends $f(i)$ to $P_i$ secretly for $i = 1, \ldots, n$, where $f(u)$ is a random polynomial of degree $k - 1$ such that $f(0) = R \bmod q$. This procedure is simulated by the following protocol without the dealer.

PROTOCOL RANDOM NUMBER (at $P_i$)
step 1. Each $P_i$ chooses $r_i \in Z_q$ at random and broadcasts $y_i = g^{r_i} \bmod p$ to all other participants.
step 2. Each $P_i$ distributes $r_i$ by using PROTOCOL DISTRIBUTE. That is, $P_i$ chooses a random polynomial $f_i(u) = r_i + a_{i,1} u + \cdots + a_{i,k-1} u^{k-1}$ and sends $f_i(j) \bmod q$ to $P_j$ secretly ($\forall j \ne i$). $P_i$ also broadcasts $g^{a_{i,1}}, \ldots, g^{a_{i,k-1}} \bmod p$.
step 3. Each $P_i$ executes PROTOCOL VERIFY SHARE.
step 4. Let $H \triangleq \{P_j \mid P_j \text{ is not detected to be cheating at step 3}\}$. $P_i$ computes $s_i \triangleq \sum_{j \in H} f_j(i)$ secretly.
step 5. Every $P_i$ computes

$$y \triangleq \prod_{j \in H} y_j, \qquad \prod_{j \in H} g^{a_{j,1}} \ (= g^{b_1}), \ \ldots, \ \prod_{j \in H} g^{a_{j,k-1}} \ (= g^{b_{k-1}}).$$

Proposition 2.2 [6, 23] In PROTOCOL RANDOM NUMBER, let

$$R \triangleq \sum_{j \in H} r_j, \qquad f(u) \triangleq \sum_{j \in H} f_j(u).$$

Then,

$$y = g^R, \qquad f(u) = R + b_1 u + \cdots + b_{k-1} u^{k-1}, \qquad f(i) = s_i.$$
Definition 2.1 In PROTOCOL RANDOM NUMBER, we say that $y$ is the main output, $(y, g^{b_1}, \ldots, g^{b_{k-1}})$ is the public output, and $s_i$ is the secret output of $P_i$.

3 A variant of DSS

The Digital Signature Standard (DSS) [14] proposed by NIST (the U.S. National Institute of Standards and Technology) is a slight variant of the ElGamal digital signature scheme. In this section, we show a variant of DSS for which an efficient $(k, n)$ threshold digital signature scheme can be designed. Recently, some researchers have investigated many variations of the ElGamal signature scheme [19, 20, 21]. Our variant of DSS is related to those variations in some ways.

3.1 Digital Signature Standard (DSS)

Let $h$ be a one way hash function whose range is $\{0, \ldots, q - 1\}$.
Public key: $p, q, g, y (= g^x \bmod p)$ (see subsection 2.1).
Secret key: $x \in Z_q$.
Message: $m$.
Signature: $(r, s)$ such that

$$r = (g^l \bmod p) \bmod q \qquad (3)$$
$$s = (h(m) + rx)/l \ (\ne 0) \bmod q \qquad (4)$$

where $l \in Z_q$ is a random number ($l \ne 0$).
Verification: $(r, s)$ is a valid signature for $m$ if and only if

$$r = (g^{h(m)/s} y^{r/s} \bmod p) \bmod q \qquad (5)$$
3.2 A variant of DSS

Now, we present a variant of DSS. In our variant, the public key and the secret key are the same as those of DSS [14]. Let $h$ be a one way hash function whose range is $\{1, \ldots, q - 1\}$.
Public key: $p, q, g, y (= g^x \bmod p)$ (see subsection 2.1).
Secret key: $x \in Z_q$.
Message: $m$.
Signature: $(t, w)$ such that

$$w = (g^e \bmod p) \bmod q \qquad (6)$$
$$t = wx + h(m) e \bmod q \qquad (7)$$

where $e \in Z_q$ is a random number.
Verification: $(t, w)$ is a valid signature for $m$ if and only if

$$w = (g^{t/h(m)} y^{-w/h(m)} \bmod p) \bmod q \qquad (8)$$

The validity of eq.(8) is proved by the following lemma.

Lemma 3.1 $g^e = g^{t/h(m)} y^{-w/h(m)} \bmod p$.
(Proof) From eq.(7), $e = t/h(m) - wx/h(m) \bmod q$. Then, it is easy to see that this lemma holds. □

An efficient multiparty protocol is known for linear combinations [11], but not for multiplications. In DSS, suppose that $h(m)$ and $r$ are publicly known constants. Then, the right hand side of eq.(4) is not a linear combination of $x$ and $l$. It requires a division and a multiplication. Therefore, we cannot obtain an efficient $(k, n)$-threshold digital signature scheme even if a general purpose multiparty protocol is applied. On the contrary, in our scheme, suppose that $h(m)$ and $w$ are publicly known constants. Then, the right hand side of eq.(7) is just a linear combination of $x$ and $e$. Therefore, we can obtain an efficient $(k, n)$-threshold digital signature scheme, as will be shown in the next section.
Remark 3.1 In section of [19], Shimbo discussed the security of a variant of the ElGamal signature scheme. He showed that $h$ must be chosen carefully in the variant of ElGamal. However, his discussion cannot be applied to our variant of DSS because $q$ is a prime number in eq.(7). We need only that $h(m) \ne 0 \bmod q$. Remember that the range of our $h$ is defined as $\{1, \ldots, q - 1\}$.

4 Proposed threshold digital signature scheme for DSS

In this section, we show an efficient $(k, n)$-threshold digital signature scheme for DSS by using the scheme which we developed in subsection 3.2. The public key and signatures are the same as those of subsection 3.2.

4.1 Proposed scheme

The proposed scheme consists of two protocols, a key generation protocol and a signature issuing protocol. Let $P_1, \ldots, P_n$ be a set of signers. In our scheme:
(K1) The key generation protocol requires all $n$ signers to cooperate to generate a public key of the group and a secret key of each $P_i$.
(K2) In the signature issuing protocol, a subset $B$ of signers can issue a signature if $B$ contains $k$ or more honest signers. (Cheaters may be included in $B$.)
(K3) Any $k - 1$ dishonest signers cannot forge a signature even after polynomially many signatures have been issued.
First, $P_1, \ldots, P_n$ agree on $(p, q, g)$.

Key generation protocol
(step 1) $P_1, \ldots, P_n$ execute PROTOCOL RANDOM NUMBER. Let the public output be

$$y (= g^x \bmod p),\ g^{b_1}, \ldots, g^{b_{k-1}} \bmod p,$$

and the secret output of $P_i$ be $\alpha_i$. Then, the public verification key of the group is $(p, q, g, y)$. Another piece of public information is $(g^{b_1}, \ldots, g^{b_{k-1}})$. This information is used by signers to issue a signature. The secret key of $P_i$ is $\alpha_i$. From Proposition 2.2,

$$\alpha_i = F_1(i), \quad \text{where } F_1(u) = x + b_1 u + \cdots + b_{k-1} u^{k-1}. \qquad (9)$$

Let

$$H_1 \triangleq \{P_j \mid P_j \text{ is not detected to be cheating at step 1}\}.$$

Signature issuing protocol
Let $m$ be a message and $h$ be a one way hash function. Suppose that $B \subseteq H_1$ issue a signature.
(step 2-1) If $|B| < k$, stop. Otherwise, $B$ execute PROTOCOL RANDOM NUMBER. Let the public output be

$$v (= g^e \bmod p),\ g^{c_1}, \ldots, g^{c_{k-1}} \bmod p,$$

and the secret output of $P_i$ be $\beta_i$. Let $w = v \bmod q$. From Proposition 2.2,

$$\beta_i = F_2(i), \quad \text{where } F_2(u) = e + c_1 u + \cdots + c_{k-1} u^{k-1}. \qquad (10)$$

Let

$$H_2 \triangleq \{P_j \mid P_j \in B \text{ and } P_j \text{ is not detected to be cheating at step 2-1}\}.$$

(step 2-2) If $|H_2| < k$, stop. Otherwise, each $P_i \in H_2$ reveals

$$\sigma_i \triangleq w \alpha_i + h(m) \beta_i \bmod q. \qquad (11)$$

(step 2-3) Each $P_i \in H_2$ verifies that

$$g^{\sigma_l} = \Big( y \prod_{j=1}^{k-1} (g^{b_j})^{l^j} \Big)^{w} \Big( v \prod_{j=1}^{k-1} (g^{c_j})^{l^j} \Big)^{h(m)} \quad \text{for all } l.$$

Let

$$H_3 \triangleq \{P_j \mid P_j \in H_2 \text{ and } P_j \text{ is not detected to be cheating at step 2-3}\}.$$

(step 2-4) If $|H_3| < k$, stop. Otherwise, each $P_i \in H_3$ computes $t$ satisfying

$$t = wx + h(m) e \bmod q \qquad (12)$$

by applying the Lagrange formula to $\{\sigma_i\}$ (see the following lemma). The signature is $(t, w)$. (Remember that $w$ is obtained at step 2-1.) The validity of the signature $(t, w)$ is verified by eq.(8).

Lemma 4.1 In the proposed scheme above, let $t = wx + h(m) e \bmod q$. Then, for any $\{P_{i_1}, \ldots, P_{i_k}\} \subseteq H_3$,

$$t = \sum_{j=1}^{k} \Big( \prod_{d \ne j} \frac{i_d}{i_d - i_j} \Big) \sigma_{i_j}. \qquad (13)$$

(Proof) Let

$$F_3(u) \triangleq w F_1(u) + h(m) F_2(u). \qquad (14)$$

Then, from eq.(9), eq.(10) and eq.(11),

$$F_3(0) = w F_1(0) + h(m) F_2(0) = wx + h(m) e = t, \qquad (15)$$
$$F_3(i) = w F_1(i) + h(m) F_2(i) = w \alpha_i + h(m) \beta_i = \sigma_i. \qquad (16)$$

Therefore, by using the Lagrange formula (eq.(2)), we see that eq.(13) holds. □

Remark 4.1 (1) The validity of $\sigma_i$ is verified at step (2-3) by using eq.(16). (2) Steps (2-2), (2-3) and (2-4) are a multiparty protocol for computing eq.(12), where the private input to $P_i$ is $(\alpha_i, \beta_i)$ and $(w, h(m))$ are the public constants. Then, eq.(12) is just a "linear combination" of the shared secrets $x$ and $e$. Therefore, we have been able to obtain an efficient $(k, n)$-threshold digital signature scheme.
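The following Python is an added example (written for this page, not code from the paper) that runs the whole scheme end to end: the variant of DSS of subsection 3.2 for a single signer, PROTOCOL RANDOM NUMBER of subsection 2.4 without a dealer, and the signature issuing protocol of subsection 4.1 with the partial-signature check of step 2-3 and the Lagrange combination of Lemma 4.1. The toy parameters $p = 607$, $q = 101$, the SHA-256-based hash with range $\{1, \ldots, q-1\}$, the constructed sample message and all function names are assumptions of the example; the key share, nonce share and revealed value of $P_i$ are called `alpha`, `beta` and `sigma` in the code. Share verification inside PROTOCOL RANDOM NUMBER is assumed to have passed, so the example detects cheating only at step 2-3.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example only (far too small for
# real use): q divides p - 1 and g generates the order-q subgroup of Z_p.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)
assert G != 1


def hash_msg(m):
    """One way hash with range {1, ..., q-1}: the variant needs h(m) != 0 mod q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1


# ---- Subsection 3.2: the single-signer variant of DSS -----------------------
def sign_variant(x, m):
    e = secrets.randbelow(Q - 1) + 1
    w = pow(G, e, P) % Q                                  # eq.(6)
    t = (w * x + hash_msg(m) * e) % Q                     # eq.(7), linear in x and e
    return t, w


def verify_variant(y, m, sig):
    t, w = sig
    h_inv = pow(hash_msg(m), -1, Q)
    v = pow(G, t * h_inv % Q, P) * pow(y, (-w * h_inv) % Q, P) % P
    return v % Q == w                                     # eq.(8)


# ---- Subsection 2.2 helpers: polynomial shares and Lagrange coefficients ----
def eval_poly(coeffs, u):
    return sum(c * pow(u, j, Q) for j, c in enumerate(coeffs)) % Q


def lagrange_coeffs(ids):
    """a_j = prod_{h != j} i_h / (i_h - i_j) mod q (eq.(2))."""
    a = {}
    for j in ids:
        num = den = 1
        for h in ids:
            if h != j:
                num, den = num * h % Q, den * (h - j) % Q
        a[j] = num * pow(den, -1, Q) % Q
    return a


def commit_at(commits, l):
    """prod_j (g^{f_j})^{l^j} = g^{f(l)} mod p, the PROTOCOL VERIFY SHARE product."""
    acc = 1
    for j, c in enumerate(commits):
        acc = acc * pow(c, pow(l, j, Q), P) % P
    return acc


# ---- Subsection 2.4: PROTOCOL RANDOM NUMBER without a dealer ----------------
def random_number_protocol(ids, k):
    """Each P_i shares a random r_i with a degree k-1 polynomial f_i; the shared
    secret is R = sum r_i.  Returns the public output (g^R, g^{b_1}, ..., g^{b_{k-1}})
    and each P_i's secret output s_i = sum_j f_j(i).  (Share checks assumed passed.)"""
    polys = [[secrets.randbelow(Q) for _ in range(k)] for _ in ids]
    commits = [1] * k
    for f in polys:
        for j in range(k):
            commits[j] = commits[j] * pow(G, f[j], P) % P
    shares = {i: sum(eval_poly(f, i) for f in polys) % Q for i in ids}
    return commits, shares            # commits[0] is the main output y (or v)


# ---- Subsection 4.1: signature issuing protocol ------------------------------
def issue_partials(k, alpha, signers, m):
    """Steps 2-1 and 2-2: B shares a fresh e, sets w = v mod q, and each P_i
    reveals sigma_i = w*alpha_i + h(m)*beta_i mod q (eq.(11))."""
    nonce_commits, beta = random_number_protocol(signers, k)
    w = nonce_commits[0] % Q
    hm = hash_msg(m)
    sigmas = {i: (w * alpha[i] + hm * beta[i]) % Q for i in signers}
    return w, nonce_commits, sigmas


def partial_is_valid(l, sigma_l, w, hm, key_commits, nonce_commits):
    """Step 2-3: g^{sigma_l} == (y prod (g^{b_j})^{l^j})^w (v prod (g^{c_j})^{l^j})^{h(m)}."""
    rhs = pow(commit_at(key_commits, l), w, P) * pow(commit_at(nonce_commits, l), hm, P) % P
    return pow(G, sigma_l, P) == rhs


def combine(k, key_commits, nonce_commits, w, sigmas, m):
    """Steps 2-3 and 2-4: drop invalid partials, then t = F_3(0) by eq.(13)."""
    hm = hash_msg(m)
    honest = [l for l, s in sigmas.items()
              if partial_is_valid(l, s, w, hm, key_commits, nonce_commits)]
    if len(honest) < k:
        raise ValueError("fewer than k valid partial signatures")
    a = lagrange_coeffs(honest[:k])
    return sum(a[i] * sigmas[i] for i in honest[:k]) % Q, w


if __name__ == "__main__":
    n, k = 5, 3
    key_commits, alpha = random_number_protocol(range(1, n + 1), k)   # step 1
    y = key_commits[0]
    m = b"constructed sample message"
    w, nonce_commits, sigmas = issue_partials(k, alpha, [1, 2, 4, 5], m)
    sigmas[4] = (sigmas[4] + 7) % Q        # P_4 reveals a wrong sigma_4
    print(verify_variant(y, m, combine(k, key_commits, nonce_commits, w, sigmas, m)))
```

Because eq.(11) is linear in the shares, no party ever multiplies two shared secrets: the only non-linear operations (the exponentiations in `partial_is_valid`) act on public commitments. The tampered $\sigma_4$ is rejected at step 2-3 and the remaining three honest values still interpolate to a signature that passes eq.(8) under the group key $y$.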
4.2 Efficiency

In PROTOCOL RANDOM NUMBER, let $l$ denote the number of players. Each player first broadcasts $k|p|$ bits and then sends $(l - 1)|q|$ bits secretly. Now, the communication complexity of the proposed $(k, n)$ threshold scheme is analyzed as follows. In the key generation protocol, each signer first broadcasts $k|p|$ bits and then sends $(n - 1)|q|$ bits secretly. In the signature issuing protocol, each signer first broadcasts $k|p|$ bits and then sends $(|B| - 1)|q|$ bits secretly. Finally, each signer broadcasts $|q|$ bits. Thus, our scheme is as efficient as the CMI scheme for Schnorr's scheme [9].

5 Security

In this section, we show that the proposed $(k, n)$ threshold digital signature scheme is secure.

5.1 Correctness and Detectability

The correctness of the signature $(t, w)$ is easily verified by eq.(8). Next, we prove (K2) of subsection 4.1. Cheating at step 1 and step (2-1) occurs in PROTOCOL RANDOM NUMBER. The cheaters are detected by PROTOCOL VERIFY SHARE, which is included in PROTOCOL RANDOM NUMBER. Cheaters at step (2-2) are detected by step (2-3). Then, the detected cheaters are eliminated from then on. Therefore, if there exist at least $k$ honest signers in the signature issuing protocol, our scheme can issue a valid signature.

5.2 View

The view of $P_i$ in a protocol is everything that $P_i$ sees in executing the protocol. For example, in PROTOCOL RANDOM NUMBER, the view of $P_1$ is

$$g^{r_1}, \ldots, g^{r_n};\ g^{a_{1,1}}, \ldots, g^{a_{1,k-1}}, \ldots, g^{a_{n,1}}, \ldots, g^{a_{n,k-1}};\ f_1(1), \ldots, f_n(1);\ r_1, a_{1,1}, \ldots, a_{1,k-1}$$

and the content of his random tape. Suppose that an adversary corrupts $P_{i_1}, \ldots, P_{i_l}$. Then, the view of the adversary is $\{\text{the view of } P_{i_1}\} \cup \cdots \cup \{\text{the view of } P_{i_l}\}$.

Definition 5.1 Suppose that a set of players $B$ execute PROTOCOL RANDOM NUMBER on input $(p, q, g)$ and the main output is $y$. Let $\hat{A}$ be the adversary which corrupts up to $k - 1$ players. Denote the view of $\hat{A}$ for this protocol by $\mathrm{view}(\hat{A}, p, q, g, y)$. Let $\mathrm{VIEW}(\hat{A}, p, q, g, y)$ denote the random variable induced by $\mathrm{view}(\hat{A}, p, q, g, y)$.

Lemma 5.1 For any probabilistic polynomial time adversary $\hat{A}$, there exists a probabilistic polynomial time Turing machine $M$ such that the probability distribution of $M(p, q, g, y)$ is identical to $\mathrm{VIEW}(\hat{A}, p, q, g, y)$.
(Proof) For simplicity, suppose that $B = \{P_1, \ldots, P_n\}$ and $\hat{A}$ corrupts $P_1, \ldots, P_{k-1}$. Then, $\mathrm{view}(\hat{A}, p, q, g, y)$ is as follows.
(a) $r_i$ and $y_i = g^{r_i} \bmod p$ for $1 \le i \le k - 1$.
(b) $y_j$ for $k \le j \le n$, where $y_1 \cdots y_n = y$.
(c) $a_{i,1}, \ldots, a_{i,k-1}$ for $1 \le i \le k - 1$.
(d) $g^{a_{i,1}}, \ldots, g^{a_{i,k-1}}$ for $1 \le i \le n$.
(e) $f_1(i), \ldots, f_n(i)$ for $1 \le i \le k - 1$. For $1 \le i \le k - 1$, $f_i(u) = r_i + a_{i,1} u + \cdots + a_{i,k-1} u^{k-1}$.
(f) $s_i (= f_1(i) + \cdots + f_n(i))$ for $1 \le i \le k - 1$.
(g) The content of the random tape of $\hat{A}$.
Now, we show $M$.
(1) $M$ computes (a) and (c) as $\hat{A}$ does.
(2) From (c), $M$ obtains the polynomials $f_1(u), \ldots, f_{k-1}(u)$. $M$ computes $f_1(i), \ldots, f_{k-1}(i)$ for $1 \le i \le k - 1$. $M$ chooses $f_k(i), \ldots, f_n(i)$, $1 \le i \le k - 1$, randomly. Then, $M$ obtains (e) and (f).
(3) $M$ chooses $y_k, \ldots, y_{n-1}$ randomly. Let $y_n = y / (y_1 \cdots y_{n-1})$. Then, $M$ obtains (b).
(4) $M$ can compute $g^{a_{i,1}}, \ldots, g^{a_{i,k-1}}$ for $1 \le i \le k - 1$ from (1).
(5) Note that $M$ obtains $y_j$ from (3) and $f_j(1), \ldots, f_j(k - 1)$ from (2) for $k \le j \le n$. Then, by Proposition 2.1, $M$ can compute $g^{a_{j,1}}, \ldots, g^{a_{j,k-1}}$ for $k \le j \le n$ from $y_j$ and $f_j(1), \ldots, f_j(k - 1)$. $M$ obtains (d).
(6) $M$ knows the content of the random tape of $\hat{A}$ because, in (1), $M$ behaves in the same way as $\hat{A}$ does.
Therefore, $M$ can compute $\mathrm{view}(\hat{A}, p, q, g, y)$ with the same probability as $\mathrm{VIEW}(\hat{A}, p, q, g, y)$. □

5.3 Unforgeability

Let $D_1$ denote the digital signature scheme of subsection 3.2 and $D_2$ denote the proposed $(k, n)$ threshold digital signature scheme of subsection 4.1. In this section, we prove that $D_2$ is as secure as $D_1$ against chosen message attack by using Theorem 5.1 and Theorem 5.2 below. (We prove (K3) of subsection 4.1.)

In a chosen message attack against a digital signature scheme, an adversary $A_1$ is allowed to use a signer as an oracle. He tries to forge a signature after getting signatures from the signer for messages of his own choice. If there exists no probabilistic polynomial time algorithm $A_1$ that can forge a signature in this way, we say that the signature scheme is secure against chosen message attack.

For a $(k, n)$ threshold digital signature scheme, we assume $k - 1$ or fewer signers deviating from the protocol in an arbitrary way. This is formalized by means of a probabilistic polynomial time adversary $A_2$ which corrupts up to $k - 1$ signers. We define a chosen message attack against our $(k, n)$ threshold digital signature scheme as follows. An adversary $A_2$ is allowed to have the signature issuing protocol executed by any $k$ or more signers for messages of his own choice. $A_2$ tries to forge a signature from the signatures he obtained in this way and his view, where the view is everything that $A_2$ sees in executing the key generation protocol and the signature issuing protocol.

Definition 5.2 Let $A_1$ be a probabilistic polynomial time Turing machine which can use a signer of $D_1$ as an oracle. We denote by $A_1(p, q, g, y)$ the random variable that takes the value $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$ with the same probability that $A_1$ on input $(p, q, g, y)$ queries $(m_1, m_2, \ldots)$ to the signer and finally outputs $(\hat{m}, \hat{t}, \hat{w})$, where the probability is taken over the coin tosses of $A_1$ and the signer.

Definition 5.3 Let $A_2$ be a probabilistic polynomial time Turing machine which can corrupt up to $k - 1$ signers of $D_2$. $A_2$ can have the signature issuing protocol executed by any $k$ or more signers. We denote by $A_2(p, q, g \mid y)$ the random variable that takes the value $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$ with the same probability that $A_2$ on input $(p, q, g)$ queries $(m_1, m_2, \ldots)$ to the signature issuing protocol and finally outputs $(\hat{m}, \hat{t}, \hat{w})$ under the condition that the key generation protocol outputs $y$, where the probability is taken over the coin tosses of $A_2$ and the signers.

Theorem 5.1 For any adversary $A_1$ against $D_1$, there exists an adversary $A_2$ against $D_2$ such that

$$\Pr[A_2(p, q, g \mid y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] = \Pr[A_1(p, q, g, y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] \qquad (17)$$

for any public key $(p, q, g, y)$ and any $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$.
(Proof) We show $A_2$, which uses $A_1$ as a subroutine. Suppose that the key generation protocol of $D_2$ outputs $y$. $A_2$ provides $A_1$ with $(p, q, g, y)$ and the content of the random tape of $A_1$. Then, $A_2$ runs $A_1$. If $A_1$ requests a signature for a message $m_i$, $A_2$ has $P_1, \ldots, P_k$ execute the signature issuing protocol for $m_i$. $A_2$ obtains the signature $(t_i, w_i)$ for $m_i$ from $P_1, \ldots, P_k$. Then, $A_2$ feeds $(t_i, w_i)$ to $A_1$. Thus, $A_1$ can do his chosen message attack. $A_2$ outputs $(\hat{m}, \hat{t}, \hat{w})$ if and only if $A_1$ outputs $(\hat{m}, \hat{t}, \hat{w})$. Now, it is clear that eq.(17) holds. □

Theorem 5.2 For any adversary $A_2$ against $D_2$, there exists an adversary $A_1$ against $D_1$ such that

$$\Pr[A_1(p, q, g, y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] = \Pr[A_2(p, q, g \mid y) = (m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))] \qquad (18)$$

for any public key $(p, q, g, y)$ and any $(m_1, m_2, \ldots, (\hat{m}, \hat{t}, \hat{w}))$.
(Proof) We show $A_1$, which uses $A_2$ as a subroutine. $A_1$ provides $A_2$ with $(p, q, g, y)$ and the content of the random tape of $A_2$. By using $M$ of Lemma 5.1, $A_1$ generates $\mathrm{view}(A_2, p, q, g, y)$ of the key generation protocol and feeds it to $A_2$. Next, $A_1$ runs $A_2$. If $A_2$ requests a signature for a message $m_i$, $A_1$ obtains the signature $(t_i, w_i)$ for $m_i$ from the oracle (signer) and feeds $(t_i, w_i)$ to $A_2$. $A_1$ also computes $v_i = g^{t_i/h(m_i)} y^{-w_i/h(m_i)} \bmod p$ and feeds $v_i$ to $A_2$ (see Lemma 3.1). By using $M$, $A_1$ generates $\mathrm{view}(A_2, p, q, g, v_i)$ and feeds it to $A_2$. $A_1$ must further feed $\{\sigma_1, \ldots, \sigma_k\}$ to $A_2$. For simplicity, suppose that $A_2$ has the signature issuing protocol executed by $P_1, \ldots, P_k$ and $A_2$ corrupts $P_1, \ldots, P_{k-1}$. Note that $\alpha_1, \ldots, \alpha_{k-1}$ are included in $\mathrm{view}(A_2, p, q, g, y)$. Similarly, $\beta_1, \ldots, \beta_{k-1}$ are included in $\mathrm{view}(A_2, p, q, g, v_i)$. Therefore, $M$ can compute $\sigma_1, \ldots, \sigma_{k-1}$. Finally, $A_1$ computes $\sigma_k$ as follows. From the Lagrange formula (eq.(2)), we have

$$t_i = d_1 \sigma_1 + \cdots + d_{k-1} \sigma_{k-1} + d_k \sigma_k,$$

where

$$d_j = \prod_{h \ne j} \frac{h}{h - j} \ne 0 \quad \text{for } 1 \le j \le k.$$

Hence, $\sigma_k$ is obtained as follows:

$$\sigma_k = \Big( t_i - \sum_{j=1}^{k-1} d_j \sigma_j \Big) / d_k.$$

Now, $A_1$ feeds $\{\sigma_1, \ldots, \sigma_k\}$ to $A_2$. Then, $A_2$ can obtain the whole view and do his chosen message attack. $A_1$ outputs $(\hat{m}, \hat{t}, \hat{w})$ if and only if $A_2$ outputs $(\hat{m}, \hat{t}, \hat{w})$. Thus, it is clear that eq.(18) holds. □

6 Conclusion

We have shown an efficient $(k, n)$ threshold DSS type digital signature scheme with no trusted center. It has been proved that the proposed $(k, n)$ threshold digital signature scheme is as secure as the proposed variant of DSS against chosen message attack. It will be further work to develop an efficient $(k, n)$ threshold RSA type digital signature scheme with no trusted center.
References

[1] Y. Desmedt, "Society and Group Oriented Cryptography: A New Concept", in Proc. of Crypto'87, Lecture Notes in Computer Science, LNCS 293, Springer Verlag, pp. 120-127.
[2] O. Goldreich, S. Micali, and A. Wigderson, "How to Play Any Mental Game", in Proceedings of the 19th ACM Symposium on Theory of Computing, pp. 218-229.
[3] Y. Frankel, "A practical protocol for large group oriented networks", in Proc. of Eurocrypt'89, Lecture Notes in Computer Science, LNCS 434, Springer Verlag, pp. 56-61.
[4] Y. Desmedt and Y. Frankel, "Threshold Cryptosystem", in Proc. of Crypto'89, Lecture Notes in Computer Science, LNCS 435, Springer Verlag, pp. 307-315.
[5] T. Hwang, "Cryptosystem for group oriented cryptography", in Proc. of Eurocrypt'90, Lecture Notes in Computer Science, LNCS 473, Springer Verlag, pp. 352-360.
[6] T.P. Pedersen, "A Threshold Cryptosystem without a Trusted Party", in Proc. of Eurocrypt'91, Lecture Notes in Computer Science, LNCS 547, Springer Verlag, pp. 522-526.
[7] P. Feldman, "A Practical Scheme for Non-Interactive Verifiable Secret Sharing", in Proceedings of the 28th IEEE Symposium on Foundations of Computer Science, pp. 427-437.
[8] Y. Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures", in Proc. of Crypto'91, Lecture Notes in Computer Science, LNCS 576, Springer Verlag, pp. 457-469.
[9] M. Cerecedo, T. Matsumoto, and H. Imai, "Efficient and Secure Multiparty Generation of Digital Signatures Based on Discrete Logarithms", IEICE Trans. on Fundamentals, vol. E76-A, no. 4, pp. 532-545.
[10] C.P. Schnorr, "Efficient Identification and Signatures for Smart Cards", in Proc. of Crypto'89, Lecture Notes in Computer Science, LNCS 435, Springer Verlag, pp. 235-251.
[11] M. Ben-Or, S. Goldwasser, and A. Wigderson, "Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation", in Proceedings of the 20th ACM Symposium on Theory of Computing, pp. 1-10.
[12] T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Trans. IT, vol. 31, no. 4, pp. 469-472.
[13] G. Agnew, R. Mullin, and S. Vanstone, "Improved Digital Signature Scheme Based on Discrete Logarithms", Electronics Letters, vol. 26, no. 14, pp. 1024-1025.
[14] "Working Draft American National Standard X X, Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 1: The Digital Signature Algorithm (DSA)", American Bankers Association, Washington, D.C., Feb. A description of the algorithm and comments on the proposed can be found in the article "Debating Encryption Standards", Communications of the ACM, vol. 35, no. 7, pp. 32-54.
[15] J. Bar-Ilan and D. Beaver, "Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction", in Proceedings of the ACM Symposium on Principles of Distributed Computation, pp. 201-209.
[16] D. Beaver, "Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority", Journal of Cryptology, vol. 4, no. 4, pp. 75-122.
[17] M. Cerecedo, T. Matsumoto, and H. Imai, "Practical protocols for fault tolerant distributed generation of signatures", in Symposium on Cryptography and Information Security, Tateshina, Japan, April 2-4, pp. 532-545.
[18] T. Katoh, S. Hirose, M. Minoh, and K. Ikeda, "A protocol for group oriented signature scheme applying ElGamal's public key cryptosystem", in Proc. of the IEICE Fall Conference, Sept., 1-187.
[19] A. Shimbo, "Multisignature schemes based on the ElGamal scheme (in Japanese)", in SCIS'94 Workshop, January 27-29, SCIS-2C.
[20] K. Nyberg and R.A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem", in Proc. of Eurocrypt'94, pp. 175-190.
[21] L. Harn and Y. Xu, "Design of generalized ElGamal type digital signature schemes based on discrete logarithms", Electronics Letters, vol. 30, no. 24, pp. 2025-2026.
[22] A. Shamir, "How to Share a Secret", Communications of the ACM, vol. 22, no. 11, pp. 612-613.
[23] T.P. Pedersen, "Distributed Provers with Applications to Undeniable Signatures", in Proc. of Eurocrypt'91, Lecture Notes in Computer Science, LNCS 547, Springer Verlag, pp. 221-238.
Some Bounds and a Construction for Secure Broadcast Encryption Kaoru Kurosawa 1, Takuya Yoshida 1, Yvo Desmedt 2,3, and Mike Burmester 3 1 Dept. of EE, Tokyo Institute of Technology 2 12 1 O-okayama, Meguro-ku,
More informationShared Generation of Shared RSA Keys 1. Simon Blake-Wilson 3. Certicom Corp. Steven Galbraith.
Shared Generation of Shared RSA Keys 1 Simon Blackburn 2 Royal Holloway simonb@dcs.rhbnc.ac.uk Simon Blake-Wilson 3 Certicom Corp. sblakewi@certicom.com Steven Galbraith Royal Holloway stevenga@dcs.rhbnc.ac.uk
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationRound-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary
Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi,
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationOne Round Threshold Discrete-Log Key Generation without Private Channels
One Round Threshold Discrete-Log Key Generation without Private Channels Pierre-Alain Fouque and Jacques Stern École Normale Supérieure, Département d Informatique 45, rue d Ulm, F-75230 Paris Cedex 05,
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More information[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex
Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationduring signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech
Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu
More informationDesign Validations for Discrete Logarithm Based Signature Schemes
Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationCryptographic Protocols FS2011 1
Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationGenerating ElGamal signatures without. knowing the secret key??? Daniel Bleichenbacher. ETH Zurich.
Generating ElGamal signatures without knowing the secret key??? Daniel Bleichenbacher ETH Zurich Institute for Theoretical Computer Science CH-8092 Zurich, Switzerland email: bleichen@inf.ethz.ch Abstract.
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationVerifiable Secret Redistribution
Verifiable Secret Redistribution Theodore M. Wong Jeannette M. Wing October 2001 CMU-CS-01-155 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Abstract We present a new protocol
More informationTwo-Party Generation of DSA Signatures
Two-Party Generation of DSA Signatures (Extended Abstract) Philip MacKenzie and Michael K. Reiter Bell Labs, Lucent Technologies, Murray Hill, NJ, USA Abstract. We describe a means of sharing the DSA signature
More informationOn Expected Constant-Round Protocols for Byzantine Agreement
On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali (STOC 88) show an n-party Byzantine agreement protocol tolerating
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationA message recovery signature scheme equivalent to DSA over elliptic curves
A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationA New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm
A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Management Information System National Chung Hsing University
More informationMontgomery-Suitable Cryptosystems
Montgomery-Suitable Cryptosystems [Published in G. Cohen, S. Litsyn, A. Lobstein, and G. Zémor, Eds., Algebraic Coding, vol. 781 of Lecture Notes in Computer Science, pp. 75-81, Springer-Verlag, 1994.]
More informationFast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests
Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests Maged H. Ibrahim I. I. Ibrahim A. H. El-Sawy Telecommunications Department, Faculty of Engineering, Helwan University
More informationPrivacy Preserving Multiset Union with ElGamal Encryption
Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationOn Expected Constant-Round Protocols for Byzantine Agreement
On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationn-party protocol for this purpose has maximum privacy if whatever a subset of the users can
Appeared in Crypto87, Springer Verlag, Lecture Note in Computer Science (293), pages 73{86. Reproduced (in June 1997) from an old tro le. How to Solve any Protocol Problem { An Eciency Improvement (Extended
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationAnonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More informationSecure Modulo Zero-Sum Randomness as Cryptographic Resource
Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum
More informationEfficient Secret Sharing Schemes Achieving Optimal Information Rate
Efficient Secret Sharing Schemes Achieving Optimal Information Rate Yongge Wang KINDI Center for Computing Research, Qatar University, Qatar and Department of SIS, UNC Charlotte, USA Email: yonggewang@unccedu
More informationMultiparty Computation, an Introduction
Multiparty Computation, an Introduction Ronald Cramer and Ivan Damgård Lecture Notes, 2004 1 introduction These lecture notes introduce the notion of secure multiparty computation. We introduce some concepts
More informationA Simplified Approach to Threshold and Proactive RSA
A Simplified Approach to Threshold and Proactive RSA Tal Rabin IBM T.J. Watson Research Center PO Box 704, Yorktown Heights, New York 10598 talr@watson.ibm.com Abstract. We present a solution to both the
More informationAn undeniable signature scheme consists of several components: a public and a secret key, a method to sign a message and two interactive protocols. Fo
Ecient Undeniable Signature Schemes based on Ideal Arithmetic in Quadratic Orders Ingrid Biehl Technische Universitat Darmstadt, Alexanderstr. 10, D-64283, Darmstadt, Germany E-mail: ingi@cdc.informatik.tu-darmstadt.de
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationA Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol
A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationSimple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme
Simple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme Ashish Choudhury Applied Statistics Unit Indian Statistical Institute Kolkata India partho31@gmail.com, partho 31@yahoo.co.in
More informationBatch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco
Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationProtocols for Multiparty Coin Toss with a Dishonest Majority
Protocols for Multiparty Coin Toss with a Dishonest Maority Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer Science and Mathematics
More informationThreshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract )
Threshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract ) Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationUniversally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationConcurrent Signatures
Concurrent Signatures Liqun Chen 1, Caroline Kudla 2, and Kenneth G. Paterson 2 1 Hewlett-Packard Laboratories, Bristol, UK liqun.chen@hp.com 2 Information Security Group Royal Holloway, University of
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationEfficient Conversion of Secret-shared Values Between Different Fields
Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a
More information3-Move Undeniable Signature Scheme
3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More information