Threshold Undeniable RSA Signature Scheme
|
|
- Joella White
- 5 years ago
- Views:
Transcription
1 Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing , P. R. China. {glwang, qsh, mshwang}@ercist.iscas.ac.cn 2 Mathematics Department, College of Science and Technology, Nihon University, Tokyo , Japan. {zhanfei zhou}@hotmail.com Abstract. Undeniable signature has been extensively researched after Chaum and Antwerpen first proposed the concept of this special digital signature ten years ago. Up to now, however, almost all the existed schemes are based on discrete logarithm cryptosystems. In this paper, based on an improvement of the practical threshold RSA signature scheme proposed by Shoup at Eurocrypt 2000 and the first undeniable RSA signature scheme proposed by Gennaro, Krawczyk and Rabin at Crypto 97, we present the first, as we know, threshold undeniable RSA signature scheme. Our scheme is secure and robust since all the partial signatures are verifiable by adopting a discrete logarithm equality protocol proposed by Shoup. 1 Introduction Undeniable signature is a special kind of digital signature with the characteristic that signature cannot be verified without the cooperation of the signer and cannot be denied by the signer if he has signed the signature indeed. (t, n) threshold signature is one kind of group-oriented signature, in which only the subsets with at least t members in a group U can generate a valid signature and any verifier can simply verify an alleged signature if he/she knows U s group public key. However, in a (t, n) threshold undeniable signature scheme, any subset of t members out of n, denoted by U B, can represent the group U to generate a signature, but without the cooperation of t members, a verifier cannot verify the validity of an alleged signature even if he knows U s group public key. At the same time, any subset of less than t members cannot generate, confirm or disavow a signature even if they cooperate maliciously. Generally speaking, a threshold undeniable signature scheme consists of the following three main sub-protocols. (1) Signing Protocol: t members in subset U B run this protocol to produce a valid signature for any message, but any attacker I cannot forge a valid Supported by the National Key Basic Research Program of China (No. G ) and the National Natural Science Foundation of China (No ).
2 signature of group U with non-negligent possibility unless I has corrupted at least t members or U s private signing key has been compromised to I (i.e., nonforgeability). (2) Confirmation Protocol: By running this protocol between prover U B, t members of U, and verifier V, V is convinced that an alleged signature is indeed signed by U. Confirmation protocol should satisfy the following three properties. Completeness: A signature signed by group U will always be accepted by V if all the members in U B and V are honest (this means that they properly act as the protocol described). Soundness: Even a cheating prover U B cannot convince the verifier V to accept an non-valid signature of U with non-negligent possibility. Zero-knowledge: On input a message and its valid signature, any possible cheating verifier V interacting with a subset U B does not learn any information aside from the validity of the signature. (3) Denial Protocol: By running this protocol, prover U B ensures a verifier V that a signature is not signed by group U. Denial protocol also should satisfy the similar three properties as follows. Completeness: A signature not signed by U will always pass through the denial protocol such that V believes that it is not U s signature if all the members in U B and V are honest. Soundness: Even a cheating prover U B cannot successfully deny a valid signature of U with non-negligent possibility by running denial protocol. Zero-knowledge: On input a message and a non-valid signature, any possible cheating verifier V interacting with a subset U B does not learn any information aside from the the fact that this non-valid signature is in fact not a valid signature of group U. Besides nonforgeability, a threshold undeniable signature should also be robust, meaning that corrupted members should not be able to prevent uncorrupted members from generating signatures. After Chaum and Antwerpen first proposed the conception of undeniable signature in [6], extensive researches are done to this special kind signature. Chaum [2] presented a zero-knowledge undeniable signature scheme with promising applications in copyright protection of electronic products. By combining the undeniable signature and group-oriented signature [7, 8], Harn and Yang [13] proposed the conception of (t, n) threshold undeniable signature, and presented two concrete schemes in respect of t = 1 and t = n. But Langford [14] pointed out that their (n, n) threshold undeniable signature scheme only possesses a security of 2-out-of-n, because any two adjacent members can generate a valid threshold signature. Lin etc. presented a general threshold undeniable signature scheme [16], but which is also subjected to Langford s attack [14]. [15] generalized Chaum s zero-knowledge undeniable signature [2] to a (t, n) threshold undeniable signature scheme with a dealer. However, unlike all the above schemes based
3 on discrete logarithm cryptosystems, Gennaro, Krawczyk and Rabin presented the first undeniable RSA signature scheme [12]. In this paper, we will construct the first, as we know, threshold undeniable RSA signature scheme with a dealer. Our Scheme are builded from an improvement to Shoup s threshold signature scheme [20] and Gennaro etc. s undeniable RSA signature scheme [12]. Our schemes are secure and robust because all the partial signatures are verifiable by adopting a discrete logarithm equality protocol proposed by Shoup [20]. The organization of this paper is as follows. Notations are described in 2. Shoup s discrete logarithm equality protocol [20] and Gennaro etc. s undeniable RSA signature scheme are reviewed in 3 and 4 respectively. Then, we propose an improvement to Shoup s threshold RSA signature and a newly threshold undeniable RSA signature scheme in 5 and 6 respectively. The last two sections are about some discussions and future work. 2 Notations Our systems consist of a dealer D and a group U with n members U i (i = 1, 2,, n). Let t be the threshold value and B denote a subset of size t in the index set {1, 2,, n}. The notation x R X means that an element x is selected randomly and uniformly from set X. In this paper, the RSA modulus N is selected as the product of two large secure primes p and q, i.e. there exist two primes p, q such that p = 2p + 1, q = 2p + 1 and N = pq. Let M = p q, and L(N) denote the bit-length of N. We denote by Q N the subgroup of squares in ZN. For any integer x, let J (x N) denote the Jacobi symbol symbol of x respect to the base N. In addition, we denote by J N the subgroup of elements x ZN with J (x N) = 1. Then we know that Q N J N ZN. Moreover, Q N is cyclic of order M and J N is cyclic of order 2M. 3 Discrete Logarithm Equality Protocol As a key of modern cryptography, knowledge proving plays an important role in constructing varied protocols and schemes. Among of them, the most extensively used knowledge proving protocols are based on discrete logarithm cryptosystems [3]. In this section, we briefly review a discrete logarithm equality protocol proposed by Shoup [20], which is an improvement to a well-known interactive protocol, due to Chaum and Pedersen [5]. Let g 1, g 2 are two generators of the subgroup Q N of Z N. Q N s order is not known. The prover P possesses a secret number α Z M such that log g1 h 1 = log g2 h 2 = α, i.e. h 1 = g 1 α and h 2 = g 2 α. By running the following protocol between the prover P and the verifier V, P convinces V that he indeed possesses the secret α but does not reveals which is it to V. Let H be a hash
4 function, whose output is an l 1 -bit interger, where l 1 is a second security parameter (l 1 = 128, say). For convenience, we will simply denote this protocol as DLE(g 1, h 1 ; g 2, h 2 ; α). DLE(g 1, h 1 ; g 2, h 2 ; α) Protocol (1) P randomly selects w R [0,, 2 L(N)+2l1 1], computes a 1 = g1 w mod N, a 2 = g2 w mod N, c = H(g 1 g 2 h 1 h 2 a 1 a 2 ) and r = αc + w. Then, P publishes P roof P = (r, c) as the proof of knowing the secret α. (2) From the proof (r, c), V first computes a 1 = g1h r c 1 mod N and a 2 = g2h r c 2 mod N, then determines whether P knows the secret α by checking c H(g 1 g 2 h 1 h 2 a 1 a 2 ). 4 Gennaro etc. s Undeniable RSA Signature In this section, we briefly review the first undeniable RSA signature scheme constructed by Gennaro etc. [12]. In their scheme, the signer publishes the RSA modulus and a sample signature but keeps the usual key pair secretly. The confirmation and denial of a signature are to check whether certain relations between the signature and the sample signature hold. Stage 1: Setting System Parameters If user P want to use this system, he first chooses two large secure primes p = 2p + 1 and q = 2q + 1 and let the RSA modulus as N = pq. Then he chooses the key pair e, d [1, ϕ(n) 1] such that ed = 1 mod ϕ(n). In addition, P selects an element w Z N of order at least p q as the sample message and computes the sample signature S w = w d mod N. At last, P publishes his public key information (N, w, S w ) but keeps his private key information (e, d) secretly. Where, d is used to generate signature and e to verify signature. Furthermore, P chooses a secure parameter l (usually it can be set as 1024). Stage 2: Generation of Undeniable Signature As in regular RSA signature scheme, if user P want to sign a message m, he computes S m = m d mod N and publishes (m, S m ) as his signature on message m. Stage 3: Confirmation Protocol A verifier V can not alone verify whether an alleged signature (m, S m ) is signed by P, because V does not know P s verification key e (in fact, P does not publish this information at all). But V and P can run the following confirmation protocol to convince V that (m, S m ) is P s signature on message m. (3-1) V randomly selects two numbers c 1, c 2 R [1, N], computes the value C = Sm c1 Sw c2 mod N and sends it to P. (3-2) After received C, P computes and sends the value R = C e mod N to V.
5 (3-3) After received R, V check whether R m c1 w c2 mod N holds. If yes, then V accepts S m as P s signature on message. Otherwise, V and P has to run the denial protocol to determine whether S m is indeed not signed by P. Stage 4: Denial Protocol V and P can run the following denial protocol to convince V that S m is not P s signature on message m. (4-1) V randomly selects two numbers c 1 R [1, l] and c 2 R [1, N], sends C 1 = m c1 w c2 mod N and C 2 = Sm c1 Sw c2 mod N to P. (4-2) After received (C 1, C 2 ), P searches all possible values in [1, l] to find a number r such that (m/s e m ) r = C 1 /C e 2 mod N. If such r was found, then P sends it V. (4-3) V checks whether r c 1. If yes, V convinces that S m is not signed by P. Otherwise, V believes that P is trying to deny his own signature. [12] proved two theorems about the completeness, soundness and zero- knowledge of above confirmation protocol and denial protocol. Gennaro etc. s theorems show that their scheme is secure. In practice, secure parameter l can be selected as a small number, but P and V can run denial protocol several times to guarantee security without loss efficiency. For example, let l = 1024 and running the denial protocol for ten times, then 1/2 100 security level can be reached. In other words, the probability of occurring the following event is less than one in a million: V believes that S m is not signed by P, but in fact S m is P s signature on message m. 5 Improved Threshold RSA Signature Scheme In this section, we present an improved threshold RSA signature to Shoup s scheme [20], which has the same security level and is more efficient compared to Shoup s scheme. Furthermore, it seems intractable to directly generalize Shoup s scheme to undeniable environments, but our scheme can be generalized as a threshold undeniable signature if the methods used in [12] are adopted. In the essence, we simplify the signing equation of Shoup s scheme. Now, we first describe our improved threshold signature scheme, then compare the security and efficiency between our scheme and Shoup s. 5.1 Description of Threshold RSA Signature Scheme The dealer D chooses a RSA modulus N as the product of two large secure primes described in section 2. The dealer D also chooses the RSA public exponent e as a prime such that n < e < min{p, q }, and the secret exponent d ZM is the integer which satisfies de = 1 mod M. Stage 1. Distribution of Secrets
6 (1-1) The dealer D randomly selects a polynomial f(x) with order less than (t 1). Let f(x) = t 1 j=0 a jx j Z M [x], where a 0 = d and a j R Z M (j = 1, 2,, t 1). (1-2) Dealer D computes d i as follows and sends d i to member U i secretly: d i = f(i)(n!) 1 mod M, i = 1, 2,, n. (1) For any index subset B with t elements, it is easy to see that these d i satisfy the following equation according to the Lagrange interpolation formula: d = i B d i λ Bi mod M, where λ Bi = j B\{i} j n! j i (1-3) Dealer D randomly selects a generator v of Q N and computes: v i = v di mod N Q N, i = 1, 2,, n. Z. (2) In addition, D chooses an element u ZN such that the Jacobi symbol of u is 1, i.e. J (u N) = 1. (1-4) D publishes or broadcasts N, e, n, u, v and all v i (i = 1, 2,, n). Stage 2. Generation and Verification of Partial Signatures If member U i want to sign an original message m 0, then U i first computes the digest m as { H(m0 ), if J (H(m m = 0 ) N) = 1 H(m 0 )u, if J (H(m 0 ) N) = 1. (3) This forces that J (m N) = 1. Now, U i computes his partial signature as follows: S i = m 2di mod N. (4) Last, U i runs the DLE(v, v i ; m 2, S i ; d i ) protocol (where m 2 is computed under mod N) for constructing the proof P roof Ui to show the validity of partial signature S i by revealing that log v v i = log m 2 S i (= d i ). U i publishes or broadcasts (i, m, S i, P roof Ui ) as his partial signature message. Stage 3. Generation and Verification of Threshold Signature If there is at least t honest members (i.e., they generated valid partial signatures), then by choosing any t honest members U i (i B and B = t), each member can compute the threshold RSA signature S as follows: S = i B S i 2λ Bi mod N (= m 4d mod N); (5) A verifier can check the validity of a threshold signature (m 0, S) by the following equality S e m 4 mod N. (6)
7 Of course, the m in above equality has been processed by the equation (3). We have accomplished the description of our improvement to Shoup s scheme. The essential improvement is that Shoup s signing equation, displayed by the following equation (7), is modified as equation (5) in our scheme. S = S a m b mod N = m 4ad+b mod N. (7) Where, a, b are two public integers such that 4a + eb = 1 since gcd(4, e) = 1, and S is determined by equation (5). 5.2 Discussions of Threshold RSA Signature Scheme Now, we will briefly discuss the validity, security and efficiency of our scheme. Theorem 1. (Validity of the Scheme) If at least t honest members produced valid partial signatures and correct proofs, then the threshold signature determined by equation (5) satisfies the signature verification equation (6). Proof. According to (2), for index subset B {1, 2,, n} with t elements we know that there exists an integer k such that i B (λ Bi d i ) = d+km. Therefore, from equation (5) and (4), we have S = i B S i 2λ Bi mod N = m 4diλ Bi i B mod N (8) = m 4d+4kM mod N = m 4d+kφ(N) mod N = m 4d mod N. On the other hand, ed = 1 mod M, so there exists an integer k such that ed = 1 + km. Hence, S e = (m 4d ) e mod N = m 4+4 km mod N = m 4 mod N. (9) So, the signature S on message m satisfies the verification equation (6). Theorem 2. (Unforgeability of the Scheme) An attacker I can forge a valid signature to message m in our scheme if and only if he can forge a valid signature to the same message in Shoup s scheme. Proof. If attacker I can forge a valid signature S to message m in our scheme such that S e = m 4 mod N. Then, by using the public parameters a and b of Shoup s scheme, attacker I can compute a value S = S a m b mod N. Following reasonings show that S is the valid signature to message m in Shoup s scheme: ( S) e = (S a m b ) e mod N = (S e ) a m be mod N = m 4a+eb mod N = m mod N. So attacker I has successfully forged the signature on message m in Shoup s scheme. On the other hand, if attacker I can forge a valid signature S to message m in Shoup s scheme such that S e = m mod N. Then, let S = S 4 mod N. We have S e = ( S 4 ) e mod N = ( S e ) 4 mod N = m 4 mod N. Above equalities show that attacker I has successfully forged the signature S on message m in our scheme.
8 Furthermore, as Shoup did in [20], the following theorem holds. Theorem 3. (Security of the Scheme) In the random oracle model for hash function H, our threshold signature scheme is secure (robust and non-forgeable) assuming the standard RSA scheme is secure. In addition, comparing with Shoup s scheme, our threshold signature scheme possesses several advantages as follows. Simple Signing Equation. The signing equation in our scheme is S = m 4d mod N, which is simpler than Shoup s signing equation S = S a m b mod N. In general, a and b are large integers, and one of them must be negative. Therefore, computing a signature in Shop s scheme is lower than in our scheme. Protecting the Modulus. Because one of the two parameters a and b is negative integer in Shoup s scheme, one inverse, S 1 mod N or m 1 mod N, has to be computed before generating every threshold signature. Once the inverse element cannot be found (of course, this case occurs in a negligent possibility because factoring RSA modulus is difficult.), a factor of N has been found and this RSA cryptosystem is crashed then. Therefore, Shoup s signing equation does a negative effect in protecting the RSA modulus N. But, our scheme is immune to this problem. Scalability. Our scheme can be generalized to a threshold undeniable signature scheme (see section 5 of this paper), but Shoup s scheme seems intractable to generalize to this case. Public Exponent. In fact, the public exponent e in our scheme can be selected as any element of ZM, not necessarily a prime. In addition, in order to verify the honesty of the dealer D, verifiable secret sharing [17] or publicly verifiable secret sharing schemes [21, 18] can be introduced. But the discussion about these problems is out the scope of this paper. 6 Threshold Undeniable RSA Signature Scheme In this section, we propose a threshold undeniable RSA signature scheme with fine properties. As we know, this is the first threshold undeniable signature scheme based on RSA cryptosystem so far. In our scheme, by using Shamir s secret scheme [19], the dealer D distributes the RSA signing and verifying key pair (e, d) to all n members of group U, such that each subgroup of t honest members can generate undeniable RSA signature. At the same time, any t cooperative members can represent group U to confirming or disavowing an alleged signature. In addition, the honesty of each participating member is verifiable in all the three procedures of signature s generation, confirming and denying. In the essence, this scheme is constructed by combining the Gennaro etc. s undeniable RSA signature scheme in section 4 and the improved threshold RSA
9 signature scheme in section 5. But to many details, skillful processing are conceived to construct a secure and practical scheme. Now, we describe the scheme in detail. Stage 1: System Initialization After selecting a RSA modulus N as the form defined in section 2, the dealer D chooses the signing and verifying key pair as (e, d), such that ed = 1 mod M and e is a prime. Supposing n, the number of members in group U, satisfies n < min{p, q }. In addition, let ē = e4 1 mod M. Stage 2: Distribution of Secrets (2-1) The dealer D chooses two random polynomials f(x), g(x) Z M [x], such that f(0) = d and g(0) = ē. Then, D computes the sub-keys as follows. d i = f(i)(n!) 1 mod M, ē i = g(i) (n!) 1 mod M, i = 1, 2,, n. Hence, to any subset B of size t in {1, 2, 3,, n}, sub-keys d i, ē i satisfy the following properties (λ Bi displayed in (2)): d = i B d i λ Bi mod M, ē = i B ē i λ Bi mod M. (10) (2-2) The dealer D selects a random generator w of Q N and computes: S w = w 4d mod N, T w = w 4ē mod N. S wi = w 2di mod N, T wi = w 2ēi mod N, i = 1, 2,, n. (11) (2-3) The dealer D randomly chooses a fixed element u in ZN Jacobi value respect to N is 1, i.e. such that it s J (u N) = 1, u R Z N. (12) (2-4) The dealer D publishes N, n, u, w, S w, T w and S wi, T wi (i = 1, 2,, n), but sends d i and ē i to U i secretly. (2-5) U i verifies the following equations: S wi w 2di mod N, T wi w 2ēi mod N. S w j B S wj 2λ Bj mod N, T w j B T wj 2λ Bj mod N. (13) Where, B can be any subset with t elements of {1, 2,, n}. If finding any of the above equations does not hold, U i proclaims this fact, then the dealer D is considered to be failed in distributing the secrets. Otherwise, the dealer is successful. Stage 3: Generation and Verification of Partial Signature (3-1) If the member U i wants to sign the original message m 0, he first computes message digest m of m 0 by using equation (3) such that we always have J (m N) = 1.
10 (3-2) U i computes the partial signature of m as following: S mi = m 2di mod N. (14) Then, U i runs the DLE(w 2, S wi ; m 2, S mi ; d i ) protocol (where, w 2 and m 2 all are computed in mod N) and constructs the proof P roof Ui to indicate that log w 2 S wi = log m 2 S mi (= d i ). (3-3) Using P roof Ui, any member can verify whether the partial signature S mi is signed by U i. Stage 4: Generation of Threshold Undeniable Signature If there are t members U i (i B and B = t) who have generated valid partial signatures, then the threshold undeniable signature S m on message m can be computed by the following equation: S m = i B S mi 2λ Bi mod N (= m 4d mod N). (15) Stage 5: Confirmation Protocol After getting the consent of t members U i (i B and B = t), V can run the following confirming protocol with these t members to check whether an alleged signature (m, S m ) is signed by group U. (5-1) V selects two random numbers c 1, c 2 R [1, N], computes the following challenger C and sends or broadcasts it to every member U i (i B): C = S c1 m S c2 w mod N. (16) (5-2) After U i received C, he computes his partial response R i as: R i = C 2ēi mod N. (17) Using the protocol DLE(w 2, T wi ; C 2, R i ; ē i ), U i produces the proof P roof Ui and broadcasts (R i, P roof Ui ). Obtained this information, each member can verify the validity of R i. If all these t members have produced their correct partial responses R i, then the response R can be determined by the following equation, and be sent to V : R = i B R 2λ Bi i mod N (= C 4ē mod N). (18) (5-3) V verifies whether the following equality holds after he received R: R m 4c1 w 4c2 mod N. (19) If yes, then V accepts the signature (m, S m ), i.e. he believes that S m is U s valid signature on message m. Otherwise, the denial protocol has to be run to determine whether (m, S m ) is not a signature of U.
11 Stage 6: Denial Protocol When t members U i (i B and B = t) agree to deny an alleged signature (m, S m ), V and U i (i B) run the following denial protocol. (6-1) V selects two random numbers c 1 R [1, l], c 2 R [1, N], then he computes (C 1, C 2 ) as follows and sends or broadcasts them to every U i (i B). C 1 = m c1 w c2 mod N, C 2 = S c1 m S c2 w mod N. (20) (6-2) All U i (i B) use their sub-keys ē i to compute: S 4ē m = 2ē (S i m ) 2λ Bi mod N, C 4ē 2 = 2ē i 2 ) i B i B(C 2λ Bi mod N. (21) Then they search all possible values in [1, l] to find a number r such that the following equation holds, and send this r to the verifier V : (m 4 /S m 4ē ) r = C 4 1/C 2 4ē mod N. (22) (6-3) V verifies whether r c 1. If yes, then V rejects the signature S m, i.e. V believes that S m is not group U s signature on message m. Otherwise, V considers that these members U i (i B) is trying to deny U s threshold signature S m deliberately. 7 Analysis of the Proposed Scheme Now, we give a brief discussion about the validity and security of the above threshold undeniable RSA signature scheme. First, it is not difficult to verify the completeness of our scheme according to the descriptions, i.e. if all t members are honest and have produced valid partial signatures, then the determined threshold undeniable signature will pass through the confirmation protocol. Second, Shamir s secret sharing scheme [19] is used to distributing secrets in our scheme, so it can be concluded that an attacker I cannot generate a valid threshold undeniable signature if the number of members controlled by I is less than t. Third, in all the three procedures of generation, confirmation and denial of undeniable signature, all the corrupted members will be identified, because each participating member has to run the DLE protocol for constructing necessary proof to indicate that they have operated properly in these three procedures. Last, from the security of Gennaro etc. s scheme [12], one can conclude that each sub-key will not be compromised when each member uses it to confirm or deny undeniable signature. Hence, we have successfully proposed a secure, robust and efficient threshold undeniable signature scheme with a dealer. 8 Future Work In the future research, we will consider to generalize our threshold undeniable RSA signature scheme to the distributing environment where there is no the help of a dealer or a trusted party. Some of relevant works have been done by Frankel, MacKenzie and Yung [11], Damgård and Koprowski [9].
12 References 1. J. Boyar, D. Chaum, I. Damgård, and T. Pedersen. Convertible Undeniable Signatures. In Crypto 90, LNCS 537, pp Springer-Verlag, D. Chaum. Zero-Knowledge Undeniable Signatures. In: Eurocrypt 90, LNCS 473, pp Springer-Verlag, J. Camenisch, and M. Michels. Proving in Zero-knowledge that a Number Is the Product of Two Safe Primes. In Eurocrypt 99, LNCS 1592, pp Springer- Verlag, D. Chaum, and T.P. Pedersen. Transferred Cash Grows in Size. In Eurocrypt 92, LNCS 658, pp Springer-Verlag, D. Chaum, and T.P. Pedersen. Wallet Databases With Observers. In Crypto 92, LNCS 740, pp Springer-Verlag, D. Chaum, and H. Van Antwerpen. Undeniable Signatures. In Crypto 89, LNCS 435, pp Springer-Verlag, Y. Desmedt. Society and Group Oriented Cryptography: A New Concept. In Crypto 87, LNCS 293, pp Springer-Verlag, Y. Desmedt, and Y. Frankel. Threshold Cryptosystems. In Crypto 89, LNCS 435, pp Springer-Verlag, I. Damgård, and M. Koprowski. Practical Threshold RSA Signature Without a Trusted Dealer. In Eurocrypt 2001 (to appear). Available from au.dk/ ivan/papers.html 10. I. Damgård, and T. Pedersen. New Convertible Undeniable Signature Schemes. In Eurocrypt 96, LNCS 1070, pp Springer-Verlag, Y. Frankel, P. D. MacKenzie, and M. Yung. Robust Efficient Distributed RSA-Key Generation. In 30th STOC, pp ACM, R. Gennaro, H. Krawczyk, and T. Rabin. RSA-Based Undeniable Signature. In Crypto 97, pp Springer-Verlag, L. Harn, and S. Yang. Group-Oriented Undeniable Signature Schemes without the Assistance of a Mutually Trusted Party. In Auscrypt 92, LNCS 718, pp Springer-Verlag, S.K. Langford. Weakness in Some Threshold Cryptosystems. In Crypto 96, LNCS 1109, pp Springer-Verlag, N.-Y. Lee, and T. Hwang. Group-Oriented Undeniable Signature Schemes with a Trusted Center. Computer Communications, 1999, 22: C.-H. Lin, C.-T. Wang, and C.-C. Chang. A Group-Oriented (t, n) Undeniable Signature Scheme without Trusted Center. In: Information Security and Privacy, ACISP 96, LNCS 1172, pp Springer-Verlag, T.P. Pedersen. No-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Crypto 91, LNCS 576, pp Springer-Verlag, B. Schoenmakers. A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting. In Crypto 99, LNCS 1666, pp Springer- Verlag, A. Shamir. How to Share a Secret. Communications of the ACM, 1979, 22(11): V. Shoup. Practical Threshold Signatures. In Eurocrypt 2000, LNCS 1807, pp Springer-Verlag, Avalaible from M. Stadler. Publicly Verifiable Secret Sharing. In Eurocrypt 96, LNCS 1070, pp Springer-Verlag, 1996.
Cryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationConvertible Group Undeniable Signatures
Convertible Group Undeniable Signatures Yuh-Dauh Lyuu 1 and Ming-Luen Wu 2 1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan lyuu@csie.ntu.edu.tw
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationAn Anonymous Authentication Scheme for Trusted Computing Platform
An Anonymous Authentication Scheme for Trusted Computing Platform He Ge Abstract. The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationAbstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k;
New ElGamal Type Threshold Digital Signature Scheme Choonsik PARK y and Kaoru KUROSAWA z y Electronics and Telecommunications Research Institute, P.O.Box 106, Yusong-ku, Taejeon, 305-600, Korea z Tokyo
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationUniversal Undeniable Signatures
Universal Undeniable Signatures Huafei Zhu Department of Information Science and Electronics Engineering, Zhejiang University, Yuquan Campus, Hangzhou, 310027, PR. China E-mail: zhuhf@zju.edu.cn Abstract.
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationFast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests
Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests Maged H. Ibrahim I. I. Ibrahim A. H. El-Sawy Telecommunications Department, Faculty of Engineering, Helwan University
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationKey-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems
Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim 1 School of Information Science and Technology,
More informationThreshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract )
Threshold RSA for Dynamic and Ad-Hoc Groups (Extended Abstract ) Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationOne Round Threshold Discrete-Log Key Generation without Private Channels
One Round Threshold Discrete-Log Key Generation without Private Channels Pierre-Alain Fouque and Jacques Stern École Normale Supérieure, Département d Informatique 45, rue d Ulm, F-75230 Paris Cedex 05,
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationA Generalization of Paillier s Public-Key System with Applications to Electronic Voting
A Generalization of Paillier s Public-Key System with Applications to Electronic Voting Ivan Damgård, Mads Jurik and Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS Abstract. We
More information(Convertible) Undeniable Signatures without Random Oracles
Convertible) Undeniable Signatures without Random Oracles Tsz Hon Yuen 1, Man Ho Au 1, Joseph K. Liu 2, and Willy Susilo 1 1 Centre for Computer and Information Security Research School of Computer Science
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationThe Cramer-Shoup Strong-RSA Signature Scheme Revisited
The Cramer-Shoup Strong-RSA Signature Scheme Revisited Marc Fischlin Johann Wolfgang Goethe-University Frankfurt am Main, Germany marc @ mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/
More informationSecret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationThreshold RSA for Dynamic and Ad-Hoc Groups
Threshold RSA for Dynamic and Ad-Hoc Groups Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of threshold signatures
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More information3-Move Undeniable Signature Scheme
3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,
More informationCryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures
Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Kallepu Raju, Appala Naidu Tentu, V. Ch. Venkaiah Abstract: Group key distribution protocol is
More informationThe Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes
Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationEfficient Multiplicative Homomorphic E-Voting
Efficient Multiplicative Homomorphic E-Voting Kun Peng and Feng Bao Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract. Multiplicative homomorphic e-voting is proposed by Peng et
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationUniversity Alexandru Ioan Cuza of Iaşi Faculty of Computer Science. Threshold RSA Based on the General Chinese Remainder Theorem
University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science T E C H N I C A L R E P O R T Threshold RSA Based on the General Chinese Remainder Theorem Sorin Iftene TR 05-05, August 2005 ISSN 1224-9327
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationPrivacy-enhanced Designated Confirmer Signature without Random Oracles
International Journal of Network Security, Vol.16, No.4, PP.261-269, July 2014 261 Privacy-enhanced Designated Confirmer Signature without Random Oracles Shengke Zeng 1,2 and Hu Xiong 1 (Corresponding
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationGeneric Homomorphic Undeniable Signatures
Generic Homomorphic Undeniable Signatures Jean Monnerat and Serge Vaudenay EPFL, Switzerland http://lasecwww.epfl.ch Abstract. We introduce a new computational problem related to the interpolation of group
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationEliminating Quadratic Slowdown in Two-Prime RSA Function Sharing
International Journal of Network Security, Vol.7, No.1, PP.107 114, July 2008 107 Eliminating Quadratic Slowdown in Two-Prime RSA Function Sharing Maged Hamada Ibrahim Department of Electronics, Communications
More informationduring signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech
Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationEfficient Group Signatures without Trapdoors
Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org
More informationLinear Integer Secret Sharing and Distributed Exponentiation
Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing
More informationIdentity Based Undeniable Signatures
Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.
More informationA Comparative Study of RSA Based Digital Signature Algorithms
Journal of Mathematics and Statistics 2 (1): 354-359, 2006 ISSN 1549-3644 2006 Science Publications A Comparative Study of RSA Based Digital Signature Algorithms 1 Ramzi A. Haraty, 2 A. N. El-Kassar and
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationProving that a Number is the Product of Two Safe Primes 107 entity as well. An example of groups used in such schemes are subgroups of Z n. Here, it s
Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes Jan Camenisch BRICS? Department of Computer Science University of Aarhus Ny Munkegade DK { 8000 Arhus C, Denmark camenisch@daimi.au.dk
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationA Direct Anonymous Attestation Scheme for Embedded Devices
A Direct Anonymous Attestation Scheme for Embedded Devices He Ge 1 and Stephen R. Tate 2 1 Microsoft Corporation, One Microsoft Way, Redmond 98005 hege@microsoft.com 2 Department of Computer Science and
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationA METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES
Mathematica Moravica Vol. 7 (2003), 51 59 A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES Constantin Popescu Abstract. A group signature scheme allows any group member to sign on behalf of the group
More informationCompartmented Threshold RSA Based on the Chinese Remainder Theorem
Compartmented Threshold RSA Based on the Chinese Remainder Theorem Sorin Iftene Department of Computer Science, Al. I. Cuza University, 700483 Iasi, Romania siftene@info.uaic.ro Manuela Grindei LSV, ENS
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationColluding Attacks to a Payment Protocol and Two Signature Exchange Schemes
Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes Feng Bao Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 Email: baofeng@i2r.a-star.edu.sg Abstract.
More informationUndeniable Signatures Based on Characters: How to Sign with One Bit
Undeniable Signatures Based on Characters: How to Sign with One Bit Jean Monnerat and Serge Vaudenay Swiss Federal Institute of Technology (EPFL) - LASEC http://lasecwww.epfl.ch Abstract. We present a
More informationAn Improvement of the Ateniese s Verifiable Encryption Protocol
INFORMATICA, 2005, Vol. 16, No. 1, 121 130 121 2005 Institute of Mathematics and Informatics, Vilnius An Improvement of the Ateniese s Verifiable Encryption Protocol Constantin POPESCU Department of Mathematics,
More informationIdentity-Based Chameleon Hash Scheme Without Key Exposure
Identity-Based Chameleon Hash Scheme Without Key Exposure Xiaofeng Chen, Fangguo Zhang, Haibo Tian, and Kwangjo Kim 1 Key Laboratory of Computer Networks and Information Security, Ministry of Education,
More informationLinear Integer Secret Sharing and Distributed Exponentiation
Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationGeneration of Shared RSA Keys by Two Parties
Generation of Shared RSA Keys by Two Parties Guillaume Poupard and Jacques Stern École Normale Supérieure, Laboratoire d informatique 45 rue d Ulm, F-75230 Paris Cedex 05, France email: {Guillaume.Poupard,Jacques.Stern}@ens.fr
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationA New Proxy Signature Scheme for a Specified Group of Verifiers
A New Proxy Signature Scheme for a Specified Group of Verifiers Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Computer Science and Information Engineering Asia University No. 500, Lioufeng
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationA Verifiable Secret Shuffle and its Application to E-Voting
A Verifiable Secret Shuffle and its Application to E-Voting C Andrew Neff 17 August, 2001 Abstract We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationA Privacy-Aware Protocol for Sociometric Questionnaires
A Privacy-Aware Protocol for Sociometric Questionnaires Marián Novotný Institute of Computer Science, Pavol Jozef Šafárik University, Jesenná 5, 041 54 Košice, Slovakia marian.novotny@upjs.sk Abstract.
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationNew Constructions of Convertible Undeniable Signature Schemes without Random Oracles
New Constructions of Convertible Undeniable Signature Schemes without Random Oracles Qiong Huang Duncan S. Wong Abstract In Undeniable Signature, a signature s validity can only be confirmed or disavowed
More informationPrivacy Preserving Multiset Union with ElGamal Encryption
Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National
More informationA Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol
A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More information