Abstract. We exhibit efficient threshold cryptosystems which are secure against adaptive adversaries even when the players cannot erase their local data. Specifically, we present erasure-free adaptively-secure protocols for distributed decryption in Cramer-Shoup cryptosystem. Our techniques are also applicable for distributing the secret-key operation of other cryptosystems, like RSA, DSS, and ElGamal, as well as for the distributed key generation for discrete-log based schemes.
1001  How to Share a Secret – Shamir – 1979
844  Probabilistic encryption – Goldwasser, Micali – 1984
413  Efficient signature generation for smart cards – Schnorr – 1991
351  A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack – Cramer, Shoup – 1998
303  Multiparty unconditionally secure protocols – Chaum, Crépeau, et al. – 1988
261  Security and composition of multiparty cryptographic protocols – Canetti – 2000
164  Foundations of Cryptography (Fragments of a Book). Weizmann Institute of Science – Goldreich – 1995
159  Verifiable secret sharing and multiparty protocols with honest majority – Rabin, Ben-Or – 1989
126  A Threshold Cryptosystem Without a Trusted Party. Eurocrypt ’91 – Pedersen
104  Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy – Brands – 2000
96  Robust threshold DSS signatures – Gennaro, Jarecki, et al. – 1996
82  Society and group oriented cryptography – Desmedt – 1987
82  Secure Distributed Key Generation for Discrete-Log-Based Cryptosystems. Eurocrypt ’99 – Gennaro, Jarecki, et al.
76  Securing Threshold Cryptosystems Against Chosen Ciphertext Attack. Eurocrypt ’98 – Shoup, Gennaro
70  Collision-resistant hashing: Towards making UOWHFs practical – Bellare, Rogaway – 1997
59  Robust and Efficient Sharing of RSA Functions – Gennaro, Jarecki, et al. – 2000
54  Simplified VSS and fast-track multiparty computations with applications to threshold cryptography – Gennaro, Rabin, et al. – 1998
47  An Efficient Threshold Public-Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack. Eurocrypt ’99 – Canetti, Goldwasser
43  Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free? – Cramer, Damgård
39  Group signature schemes and payment systems based on the discrete logarithm problem – Camenisch – 1998
38  Cryptographic protocols provably secure against dynamic adversaries – Beaver, Haber – 1992
29  A composition theorem for universal one-way hash functions – Shoup
27  Why Chosen Ciphertext Security Matters – Shoup – 1998
24  Witness-Based Cryptographic Program Checking and Robust Function Sharing. STOC ’96 – Frankel, Gemmell, et al.
19  Magic Functions – Dwork, Naor, et al.
17  How to forget a secret – Di Crescenzo, Ferguson, et al. – 1999
15  How to Play Any Mental Game – Goldreich, Micali, Wigderson – 1987
14  Adaptively secure multi-party computation – Canetti, Feige, Goldreich, Naor – 1996
11  Adaptively secure optimal-resilience proactive RSA – Frankel, MacKenzie, et al. – 1999
10  How to share a function securely – De Santis, Desmedt, Frankel, Yung – 1994
9  Plug and play encryption – Beaver – 1997
8  Adaptively-secure distributed threshold public key systems – Frankel, MacKenzie, et al. – 1999
4  Zero-knowledge proof for arithmetics, or: Can zero-knowledge be for free – Cramer, Damgård – 1998
3  Improved non-committing encryption schemes based on a general complexity assumption – Damgård, Nielsen – 2000
2  Completeness theorems for non-cryptographic fault-tolerant distributed computation – Ben-Or, Goldwasser, Wigderson – 1988
1  Threshold cryptography secure against the adaptive adversary, concurrently. Theory of Cryptography Library – Lysyanskaya – 2000
1  Non-malleable cryptography (preliminary version) – Dolev, Dwork, Naor – 1991
1  Personal communication with the authors – Halevi
1  Why chosen ciphertext security matters. IBM Research Report RZ3076 – Shoup – 1999

A Proof of Equality for GM Ciphertexts. Input: Blum integers N₁, N₂ and X₁, X₂ where X₁ = (−1)^b · x₁² mod N₁ and X₂ = (−1)^b · x₂² mod N₂, with x_j ∈ Z*_{N_j} and b ∈ {0, 1}. Repeat

ZKPK-of-DL. Common inputs: discrete-log instance (p, q, g), value y ∈ G_q. Prover knows: x ∈ Z_q such that y = g^x mod p. Round 1: P → V: Choose a trapdoor value α ∈ Z_q; send h = g^α. Round 2: P ← V: Choose c, c′ ∈ Z_q; commit to c by sending C = g^c