D. Chaum. Zero-knowledge undeniable signatures. In EUROCRYPT 1990.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....knowledge of a representation of an element y with respect to several bases z 1 , z v G [CEvdG88] is denoted PK (# 1 , # v ) y = z . #v . A proof of equality of discrete logarithms of two group elements y 1 , y 2 G to the bases g and h G, respectively, [Cha91, CP93] is denoted PK (#) y 1 = g y 2 = h . Generalizations to prove equalities among representations of the elements y 1 , y w G to bases g 1 , g v are straight forward [CS97] A proof of knowledge of a discrete logarithm of y G with respect to G such that log g y ....

David Chaum. Zero-knowledge undeniable signatures. In Ivan Bjerre Damgard, editor, Advances in Cryptology --- EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 458--464. Springer-Verlag, 1991.

....E1Gamal [20] and RSA [39] The chapter is split into three parts, with each part considering a different threshold variant. The first part concentrates on threshold variant [15] of the E1Gamal public key cryptosystem [20] and uses the zero knowledge proof of equality of discrete logs of Chaum [9] to construct a verifiable version of the same scheme. The second part concentrates on a threshold variant [16, 17] of RSA [39] and uses a generalization to to construct verifiable variants of the threshold RSA scheme under consideration. The third part concentrates on a different threshold ....

....decryption variant of the E1 Gamal [20] public key decryption scheme. The threshold variant was introduced by Desmedt and Frankel [15] and is provably as secure as the original E1Gamal scheme. This scheme can be combined with the zero knowledge proof of equality of discrete logs of Chaum [9] to produce a verifiable threshold E1Gamal decryption scheme. The section begins with an informal description of the threshold decryp tion variant of E1Gamal [15] A complete protocol for the verifiable scheme is then presented, along with a proof that it properly satisfies the definition of ....

[Article contains additional citation context not shown here]

D. Chaum. Zero-knowledge Undeniable Signatures. In I. Damgrd, editor, Advances in Cryptology - Eurocrypt'90 (Lecture Notes in Computer Science 473), pages 458-464. Springer-Verlag, 1991. 158

....use of RSA moduli which are a product of safe primes. This paper gives techniques which allow RSA based undeniable signatures for general moduli. Keywords: Undeniable Signatures, RSA based Undeniable Signatures. 1 Introduction Undeniable signatures were introduced by Chaum and van Antwerpen [7, 8]. They o#er good privacy for the signer since signatures cannot be verified without interaction with the signer. Undeniable signatures (and generalisations of them, such as confirmer and convertible signatures) have various applications in cryptography [2, 3, 10] The zero knowledge undeniable ....

....for the signer since signatures cannot be verified without interaction with the signer. Undeniable signatures (and generalisations of them, such as confirmer and convertible signatures) have various applications in cryptography [2, 3, 10] The zero knowledge undeniable signature scheme of Chaum [8] works in the multiplicative group of integers modulo a prime. Although Chaum, van Heijst and Pfitzmann [9] provided an undeniable signature scheme with security related to factoring, before 1997 there was not a scheme based on traditional RSA signatures. Gennaro, Krawczyk and Rabin [18] were the ....

[Article contains additional citation context not shown here]

Chaum, D. Zero-knowledge undeniable signatures, in I.B. Damgard (ed.), CRYPTO '90, Springer LNCS 473 (1991) 458-464.

....[22] 2. Non repudiatiou A dispute between Alice and Bob can be settled by a trusted third party (say a judge) by the use of a zero knowledge proof protocol between the judge and Bob. In particular, they can use a very simple 4 move zero knowledge interactive proof protocol proposed by Chauin in [5]. 3. Confidentiality We achieve our goal by reduction: wc will reduce the con fidcntiality of another encryption scheme called Ch, whose COltfidentiality is relatively wcll nndcrstood, to the confidentiality of a signcryption scheme (say SCSi) With the encryption sChClnC Ckh, the ciphertext of a ....

Chaum, D.: Zero-knowledge undeniable signatures. In Advances in Cryptology - EUROCRYPT'90 (Berlin, New York, Tokyo, 1991)) vol. 473 of Lecture Notes in Computer Science Springer-Verlag pp. 458-464.

....case compared with legal withdrawing the coins from the bank. So, the on line system will be inefficient for practical use in most cases. The system cannot be applied to other crimes such as money laundering, illegal trade etc. D. Kugler used the randomized blind undeniable signature scheme [10], which combines the 3 Okamoto Schnorr blind signature scheme [11,12] with Chaum van Antwerpen undeniable signature scheme [13] to construct his system. At the end of the withdrawal protocol, the bank must perform a confirmation protocol to prove the validity of an undeniable signature, which ....

D. Chaum, "Zero-knowledge undeniable signature"#EUROCRYPT'90, LNCS 473, Springer-Verlag, pp.458---464, 1990.

....key of K sub is K, 3) checks that NRO is A s signature on fNRO jjBjjLjjT jjC, and (4) checks that M = E(C; K; d) In step (2) B does not reveal s B and proves to the judge whether K = K sub mod p. The proving method is the same as the confirmation protocol in Chaum s undeniable signature[3]. A submits M;C;K sub ; T ; T 0 ; T 1 ; L; r and the nonrepudiation evidence NRR; con K to the judge. The judge confirms that B must receive M by the following steps : 2) checks that K sub = g mod p from r; K sub and computes K = p B mod p by B s public key, pB , fCON jjAjjLjjT jjT 1 ....

D. Chaum, "Zero-Knowledge Undeniable Signatures ", In Advances in Cryptology: Proceedings of Eurocrypt '90, LNCS 473, pp. 458-464, Springer-Verlag, 1991.

....An ordinary digital signature scheme allows a signer to create signatures of documents and the generated signatures can be verified by any person. Due to its importance, many variations of digital signature scheme were proposed, such as blind signature scheme [10] undeniable signature scheme [11][12], etc. which can be used in di#erent application situations. A proxy signature scheme [5] 6] 7] 8] 9] a variation of ordinary digital signature scheme, enables a proxy signer to sign messages on behalf of the original 1 signer. Proxy signature schemes have been shown to be useful in many ....

D. Chaum, "Zero-knowledge undeniable signatures", Advances in Cryptology-EUROCRYPT '90 Proceedings, Springer-Verlag, pp. 458-464, 1991.

....that the validity of an alleged signature cannot be veri ed without the cooperation of the signer. The concept of undeniable signature was rst proposed at Crypto 89 by Chaum and van Antwerpen [4] Followed by this pioneering work, Chaum proposed a zero knowledge undeniable signature scheme in [2]. Later, at Auscrypt 92, by combining the two concepts of undeniable signature and grouporiented signature [5, 6] Harn and Yang proposed the concept of group oriented undeniable signature [10] in which only when all members in an authorized subset of a given group operate collectively, they can ....

....n) threshold undeniable signature scheme [14] but it is also subjected to Langford s attack. To overcome the Langford attack, Lee and Hwang constructed two group oriented undeniable signature schemes with a trusted center [12] by naturally generalizing Chaum s zero knowledge undeniable signature [2] to group oriented environment. In this paper, we analyze the security of the Lee Hwang schemes [12] and demonstrate ve attacks. Under reasonable assumptions, our attacks are simple, straightforward and ecient. In these attacks, four of them are universal forgery, in which one dishonest member ....

[Article contains additional citation context not shown here]

D. Chaum. Zero-knowledge undeniable signatures. In: Eurocrypt'90, LNCS 473, pp. 458-464. Springer-Verlag, 1991.

....and keeps it secret, h leaks no information about x 1 , x l . For this reason, the number # is called a blinding factor. This is a generalization of the special case l =1, which has been used as a commitment scheme by, amongst others, Chaum and Crepeau [16] Chaum and van Antwerpen [36] Chaum [32], Boyar, Kurtz, and Krentel [8] Pedersen [49] van Heijst and Pedersen [56] and Okamoto [48] At the same time, the following basic security property holds (see Brands [15, Proposition 2.3.3. Property 1 Regardless of the choice of l, assuming it is infeasible to compute discrete logarithms ....

David Chaum. Zero-knowledge undeniable signatures. In I.B. Damgard, editor, Advances in Cryptology--EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 458--464. Springer-Verlag, 1991.

....announcements issued by some authorities. However, such signatures seem to provide too much authentication than necessary in many applications. Thus it may be preferable to put some restrictions on this property to prevent potential misuse of signatures. Undeniable signatures introduced by Chaum [2] provide a way of protecting the interest of the signer. A undeniable signature is generated in such a way that it can be verified only with the help of the signer. Therefore, in this signature scheme the signer can have complete control over the use of its signatures. On the other hand, in many ....

....; s A ; mg to C. 2. C then checks that r A = h(z B ; wA ; m) If it does not hold, C halts. Otherwise, C computes fi = ff sA y rA A wA mod p. 3. Now B proves to C that log fi z B = log ff yB in a zero knowledge fashion, for example, using the protocol for simultaneous discrete logarithm in [2, 1]. We next present another method for constructing a directed signature scheme, which will be used later to construct threshold cryptosystems. The processes for signing, verifying and proving validity are summarized below. Signature generation by A to B 1. A picks at random kA1 ; kA2 2 Z q , ....

D.Chaum, "Zero-knowledge undeniable signatures," Advances in CryptologyEurocrypt '90, Springer-Verlag, LNCS 473, pp.458-464 (1991).

.... y # G with respect to bases g1 , gv # G [15] Signature of knowledge of equality of discrete logarithm: Let PK (#) y1 = g # # y2 = h # (m) denote a signature of knowledge of equality of discrete logarithms of two group elements y1 , y2 # G to the bases g # G and h # G [14, 17]. Signature of knowledge of ranges: Let PK (#) y = g # # # # [a, b] m) denote a signature of knowledge of a discrete logarithm of y # G with respect to g # G such that log g y lies in the integer interval [a, b] This protocol can be e#ciently done under the strong RSA assumption ....

D. Chaum. Zero-knowledge undeniable signatures (extended abstract). In Ivan B. Damgard, editor, Advances in Cryptology - EuroCrypt '90, pages 458--464, Berlin, 1990. Springer-Verlag. Lecture Notes in Computer Science Volume 473.

....of a representation of an element y 2 G with respect to several bases z 1 ; z v 2 G [CEvdG88] is denoted PKf( 1 ; v ) y = z 1 1 : z v v g. A proof of equality of discrete logarithms of two group elements y 1 ; y 2 2 G to the bases g 2 G and h 2 G, respectively, [Cha91, CP93] is denoted PKf( y 1 = g y 2 = h g. Generalizations to prove equalities among representations of the elements y 1 ; y w 2 G to bases g 1 ; g v 2 G are straight forward [CS97] A proof of knowledge of a discrete logarithm of y 2 G with respect to g 2 G such that log g ....

David Chaum. Zero-knowledge undeniable signatures. In Ivan Bjerre Damgard, editor, Advances in Cryptology | EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 458-464. SpringerVerlag, 1991.

....signature at the withdrawal, and as the validity of a coin s signature is publicly veri able, such a modi cation of a blind signature is easy to detect. Due to this shortcomings our aim is to restrict the veri ability of coins. We basically suggest the use of blind undeniable signatures [CvA89,Cha90] instead of blind signatures so that the veri cation of a signature can only be done by interacting with the bank in non transferable zero knowledge protocols: Con rmation protocol: This protocol is used by the signer to prove the validity of an undeniable signature to another party. Disavowal ....

....protocol the customer possesses a valid coin (m; c 0 ; S 0 1 ; S 0 2 ; 0 ; w 0 ) and the validity of the undeniable signature w has to be proven in a con rmation protocol. Our con rmation protocol (see gure 3) is a designated veri er variant of the protocols described in [CvA89,Cha90] If the customer follows the withdrawal protocol correctly, then the given proof is also valid for w 0 . Bank t = f x 1 mod p u = commit(t) f = w a y b mod p e = EPKC (a; b) check if: choose a; b 2R Z=pZ e = EPKC (a; b) f = w a y b mod p wants a proof ....

[Article contains additional citation context not shown here]

D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology - EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 458464. Springer-Verlag, 1990.

....or three months. 3 Implementation of Auditable Marking We base our implementation on the payment system of Kgler and Vogt [KV01] Their marking mechanism was based on a variant of an Okamoto Schnorr blind signature [Oka92] in combination with a Chaum van Antwerpen undeniable signature [CvA89, Cha90] The main idea of this construction is to use the blind signature to implement anonymity and the undeniable signature to implement marking. In this paper we assume that the bank will never prove the validity of an undeniable signature in a con rmation protocol, but still may prove the invalidity ....

D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology  EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 458464. Springer-Verlag, 1990.

....a group element y 2 G with respect to several bases z 1 ; z v [15] which is denoted PKf( 1 ; v ) y = z 1 1 : z v v g. Another extension allows to prove the equality of the discrete logarithms of two group elements y 1 ; y 2 2 G to the bases g and h, respectively [14, 16]. The idea is to carry out the basic protocol for y 1 and for y 2 in parallel and requiring that the challenges (c) and the responses (s) are the same [16] If the veri er accepts, the two logarithms must be equal as can be seen by considering how the prover s secret can be derived from two ....

D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology | EUROCRYPT '90, vol. 473 of LNCS, pp. 458-464.

...., and v 0 = g r Deltas , if the order of G is sufficiently large and r and s are unknown, it is infeasible to determine whether log g v is equal to log g 0 v 0 or not. The assumption of DLP is considered to be reasonable from previous research, and the assumption of CDLP, which is used in [BCDP90, Ch90], has not been compromised so far to the best of our knowledge. 2.4.2 Elementary number theory notions The following notation is used hereafter to express schemes in the following sections. ffl The notation ajb means that b = k Delta a for some integer k. ffl If a, b, and n are integers, the ....

....subsequent certificate. In both cases, modification of the group public key is not needed. Any type of signature is available The signature scheme used by a member is a DLP based signature scheme. It is possible to construct an undeniable signature scheme based on a DLP based signature scheme [Ch90]; hence, undeniable group signatures are available. The conversion from a group signature to an ordinary digital signature is realized as follows. Suppose that a conventional encryption scheme is commonly used in the group signature scheme. A member makes an ordinary digital signature on a message ....

D. Chaum, "Zero-knowledge undeniable signatures," Advances in Cryptology -- EUROCRYPT '90 , pp. 458--464, Springer-Verlag, 1991.

....protocol is proven secure provided the DH problem is intractable. 8 Note that, for a reasonable degree of security, STR requires a bijective mapping f from Z p to Z q . However, f(x) x (mod q) as implicitly defined by STR, is not bijective. While there is an efficient mapping for safe primes [26] it is not clear if such efficient mappings exist also for other prime order groups such as the ones proposed in III B. Hence, the exponentiations in the CLIQUES protocols would be considerable faster than in a secure version of STR. 9 All indexes are modulo n. 10 IEEE Transactions on Parallel ....

D. Chaum, "Zero-knowledge undeniable signatures," in Advances in Cryptology -- EUROCRYPT '90, I. Damgard, Ed. May 1991, number 473 in Lecture Notes in Computer Science, pp. 458--464, Springer-Verlag, Berlin Germany.

....reached, new types of signature schemes with new security properties came up. With fail stop signature schemes, a signer who has been cheated with a forged signature can prove that it was a forgery [43] 7] 42] 30] 31] 20] 40] With so called undeniable signature schemes [11] [9], 5] the recipient of a signature cannot show it around, e.g. to his friends, without the signer s help. Because of this property, these schemes might rather be called invisible , as not being deniable is common to all types of signatures. The invisibility property is useful if it should be ....

David Chaum (1991). Zero-knowledge undeniable signatures. Eurocrypt '90, Springer-Verlag, 458--464.

....modified signature at the withdrawal, and as the validity of a coin s signature is publicly verifiable, such modifications of a blind signature are easy to detect. Due to this shortcomings our aim is to restrict the verifiability of coins. We suggest the use of blind undeniable signatures [CvA89, Cha90] instead of blind signatures so that the verification of a signature can only be done by interacting with the bank in non transferable zero knowledge protocols: Confirmation protocol: This protocol is used by the signer to prove the validity of an undeniable signature to another party. ....

....of the withdrawal protocol the customer possesses a valid coin (m; c 0 ; S 0 1 ; S 0 2 ; 0 ; w 0 ) and the validity of the undeniable signature w has to be proven in a confirmation protocol. Our confirmation protocol (see figure 3) is a variant of the protocols described in [CvA89, Cha90] If the customer follows the withdrawal protocol correctly, then the given proof is also valid for w 0 . 4.4 Marking Blackmailed Coins In the case of blackmailing marked coins are issued using a different private key SK UM = xM to generate the undeniable signature. In order to recognize ....

[Article contains additional citation context not shown here]

D. Chaum. Zero-knowledge undeniable signatures. In Proceedings of Eurocrypt '90, volume 473 of Lecture Notes in Computer Science, pages 458--464. Springer Verlag, 1990.

....to Bob that G = I qa without revealing any information about q a . Similarly, Bob publishes G 0 2 Z=MZ, and wishes to prove to Alice that G 0 = I q b . We suggest that Alice and Bob achieve this using the perfect zero knowledge confirmation protocol for undeniable signatures due to Chaum [4]. For completeness we now describe the protocol that Alice uses. The protocol used by Bob is analogous. The probability that Alice can successfully cheat in this proof is 1=L. Shared Generation of Shared RSA Keys 14 The proof system works as follows. Bob checks that G L = 1 mod M . He then ....

D. Chaum. Zero-knowledge undeniable signatures. In I.B. Damgard, editor, Advances in Cryptology -- EUROCRYPT `90, volume 473 of Lecture Notes in Computer Science, pages 458--464. Springer-Verlag. 1991.

....comparable parameter sizes. One can also construct variations for which public key recovery is possible, by applying the construction principle to variations that offer message recovery (such as described by Nyberg and Rueppel [13] Example 3. Consider the undeniable signature scheme of Chaum [8]. In this scheme the secret key x 0 and public key (G q ; g; h 0 = g x0 ; f( Delta) of the signer are defined as in the Schnorr signature scheme, and an undeniable signature on a message m is m x 0 . To verify a signature, a confirmation protocol with the signer must be performed. Undeniable ....

Chaum, D., "Zero-knowledge undeniable signatures", Eurocrypt '90, LNCS 473, Springer-Verlag, pp. 458-464.

....translates to inexpensive methods for detection of errors, followed by a conditional execution of potentially expensive methods for determining which player misbehaved. We use standard methods for proving correctness of exponentiation. These are related to veri cation of undeniable signatures [2, 1] and to discrete log based signatures. We refer to [8] for methods relating to the latter approach. All computation takes place in F [2 t ] where q = 2 t 1 is prime. This is done to avoid leaks of information relating to the Jacobi symbol of the result of the computation, and to achieve ....

....computation in this structure allows for more ecient attacks than for the standard parameter choices, as shown by Coppersmith [3] Coppersmith s result improves the asymptotic running time of the special number eld sieve. Implementations [12] suggest that if we perform all arithmetic in a eld F [2 2203 1] (corresponding to the smallest Mersenne prime of the approximate size we want) instead of the standard choice of 1024 bit moduli, the computational hardness of computing discrete logs would be maintained. We note that the speed of multiplication in this structure is about a quarter of the speed ....

D. Chaum, \Zero-Knowledge Undeniable Signatures," in Advances in Cryptology { EUROCRYPT '90, I Damgard, ed., pp. 458-464, Springer-Verlag, 1990. LNCS No. 473.

....techniques can potentially be used to introduce important concepts into our watermarking technique. Specifically, digital signatures [DH76, RSA78] revocable signatures 6 [Bon96] group signatures [Cha91, Che94] undeniable signatures [Boy91, Cha89] and zero knowledge proof signatures [Gol84, Gol89, Kil89, Cha90] may have promising applications to watermarking. 3 Objectives and Metrics This section outlines the objectives of watermarking techniques in general and presents metrics with which to measure, compare, and evaluate watermarking techniques on various instances of optimization problems, including ....

D. Chaum. Zero-knowledge undeniable signatures. Advances in Cryptology - EUROCRYPT '90, pp.458-464, 1990.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. Advances in Cryptology --- EUROCRYPT '90, LNCS 473, pp. 458--464, Springer-Verlag, 1990.

No context found.

D. Chaum, "Zero-Knowledge undeniable signatures", Advances in Cryptology -- EUROCRYPT '90, LNCS 473, (1991), pp.458-464.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. In EUROCRYPT 1990.

No context found.

Chaum, D. Zero-Knowledge Undeniable Signatures. In Advances in Cryptology { EUROCRYPT '90 (Aarhus, Denmark, May 1990), I. Damgrd, Ed., vol. 473 of Lecture Notes in Conputer Science, Springer-Verlag, pp. 458-464.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. In I. B. Damgard, editor, Advances in Cryptology --- EUROCRYPT '90, volume 473 of LNCS, pages 458--464. Springer-Verlag, 1991.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science, volume 473, pages 458-464, Springer-Verlag, 1991. 20

No context found.

Chaum, D.: Zero-knowledge undeniable signature. In: Advances in Cryptology -- EUROCRYPT'90. Volume 473 of LNCS., Springer-Verlag (1990) 458---464

No context found.

D. Chaum. Zero-Knowledge Undeniable Signatures. In Eurocrypt '90, LNCS 473, pages 458-464. Springer-Verlag, Berlin, 1991.

No context found.

D. Chaum, "Zero-Knowledge Undeniable Signatures," in Advances in Cryptology -- EUROCRYPT '90, I Damgard, ed., pp. 458--464, Springer-Verlag, 1990. LNCS No. 473.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. In I. B. Damgard, editor, Advances in Cryptology --- EUROCRYPT '90, volume 473 of LNCS, pages 458--464. Springer-Verlag, 1991.

No context found.

D. Chaum, Zero-knowledge undeniable signatures, Advances in CryptologyEurocrypt

No context found.

D. Chaum. Zero-knowledge undeniable signatures. In: Eurocrypt'90, LNCS 473, pp. 458-464. Springer-Verlag, 1991.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. In: EUROCRYPT'90, LNCS 473, pp. 458-464. Springer-Verlag, 1991.

No context found.

D. Chaum. Zero-Knowledge Undeniable Signatures. In: Eurocrypt'90, LNCS 473, pp. 458-464. Springer-Verlag, 1991.

No context found.

Chaum, D.: Zero-knowledge undeniable signature. In: Advances in Cryptology -- EUROCRYPT'90. Volume 473 of LNCS., Springer-Verlag (1990) 458---464

No context found.

D. Chaum, Zero-knowledge undeniable signatures, Advances in Cryptology - Crypto'90, Lecture Notes in Computer Science vol. 473, Springer-Verlag, pp. 458-464, 1990.

No context found.

D.Chaum,"Zero-knowledge undeniable signatures", Advances in Cryptology - EUROCRYPT 90, LNCS 473, SpringerVerlag, pp.458--464, 1990.

No context found.

David Chaum. Zero-knowledge undeniable signatures. In I.B. Damgard, editor, Advances in Cryptology -- EUROCRYPT '90, number 473 in Lecture Notes in Computer Science, pages 458--464. Springer-Verlag, Berlin Germany, May 1991.

No context found.

D. Chaum. Zero-Knowledge Undeniable Signatures. In Eurocrypt '90, volume 473 of LNCS, pages 458--464, Berlin, 1991. Springer-Verlag.

No context found.

D. Chaum. Zero-Knowledge Undeniable Signatures. In Eurocrypt '90, volume 473 of LNCS, pages 458--464, Berlin, 1991. Springer-Verlag.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science, volume 473, pages 458-464, Springer-Verlag, 1991.

No context found.

) Chaum, D.: Zero-Knowledge Undeniable Signatures, Advances in Cryptology --- EUROCRYPT '90 , LNCS 473, Springer--Verlag, pp.

No context found.

D. Chaum. Zero-knowledge undeniable signatures. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science, volume 473, pages 458-464, Springer-Verlag, 1991. 20

No context found.

D. Chaum. Zero-knowledge undeniable signatures. In I. Damgard, editor, Advances in Cryptology -- EUROCRYPT '90, number 473 in Lecture Notes in Computer Science, pages 458--464. Springer-Verlag, Berlin Germany, May 1991.

No context found.

D. Chaum. Zero-Knowledge Undeniable Signatures, Advances in Cryptology | Eurocrypt '90, Proceedings, Lecture Notes in Computer Science, Vol. 473, Springer 1991, pp. 458-464.

No context found.

D. Chaum, "Zero-knowledge undeniable signatures," in Advances in Cryptology -- Eurocrypt '90, Lecture Notes in Computer Science 473, I. Damgard, Ed., 1991, pp. 458--464, SpringerVerlag.

No context found.

Chaum, D.: Zero-knowledge undeniable signatures. In: Damgard, I. (ed): Advances in Cryptology, Proc. of Eurocrypt '90 (Lecture Notes in Computer Science 473). Springer-Verlag (1991) 458--464

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC