Y. Desmedt, "Threshold Cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, July/August 1994.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....introduces proactive cryptosystems in asynchronous networks and presents an efficient protocol for refreshing the shares of a secret key for discrete logarithm based sharings. 1 Introduction The idea of threshold cryptography is to distribute the power of a cryptosystem in a fault tolerant way [12]. The cryptographic operation is not performed by a single server but by a group of n servers, such that an adversary who corrupts up to t servers and observes their secret key shares can neither break the cryptosystem nor prevent the system as a whole from correctly performing the operation. ....

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994.

....decrypt if and only if that subset is contained in the access structure. For example, one can decide that for some t n, any subset of at least t players can decrypt, whereas less than t players cannot. This notion of group encryption should not be confused with the notion of threshold encryption [17]. In the latter case, a number of parties publish a the setup of the system. In contrast, a group encryption scheme allows to choose a (possibly di#erent) access structure each time when (verifiably) encrypting a message. Another distinguishing feature is that a group encryption enables the ....

....if A # , whereas a set A # gives no information. Finally, if honest proxies forming a set A # decide to reconstruct w, they can do so successfully, even if dishonest proxies also participate. This notion of group encryption should not be confused with the notion of threshold encryption [17]. In the latter case, a number of parties publishes a the setup of the system. In contrast, a group encryption scheme allows to choose a (possibly di#erent) access structure each time when (verifiably) encrypting a message. Another distinguishing feature is that a group encryption enables the ....

Y. Desmedt and Y. Frankel. Threshold cryptography. In CRYPTO '89, vol. 435 of LNCS, pp. 307--315. Springer-Verlag, 1990.

....introduces proactive cryptosystems in asynchronous networks and presents an efficient protocol for refreshing the shares of a secret key for discrete logarithm based sharings. 1 Introduction The idea of threshold cryptography is to distribute the power of a cryptosystem in a fault tolerant way [12]. The cryptographic operation is not performed by a single server but by a group of n servers, such that an adversary who corrupts up to t servers and observes their secret key shares can neither break the cryptosystem nor prevent the system as a whole from correctly performing the operation. ....

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994. 24

....negotiation and that the occurence of transactions is probable. In [2] a method based on threshold cryptography for distributing a transaction over time is introduced. A (t; n) threshold scheme, where t n, is a method by which a secret S is not revealed unless any t out of n shares are pooled [4, 5]. However, pooling t 1 shares does not reveal any information about S. Instead of distributing the shares to different participants as is done when the scheme is used for traditional secret sharing, the shares remain with the node wishing to make the transaction. In order to apply the ideas of ....

Y. Desmedt. Threshold Cryptography. In European Transactions on Telecommunications, 1994.

....an adaptive adversary, thus providing a threshold signature scheme with stronger security properties than any previously known. As a tool, we also develop an adaptively secure, erasure free threshold version of the Paillier cryptosystem. 1 Introduction The goal of threshold cryptography [14, 15] is to enable a cluster of cooperating servers to securely and eciently implement such cryptographic tasks as signing and decrypting. A threshold cryptographic system should remain functional and secure even when a fraction (say, almost one half) of the servers become malicious. This problem is ....

Yvo Desmedt and Yair Frankel. Threshold cryptography. In Advances in Cryptology | CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 307-315. Springer-Verlag, 1990.

....have witnesses is called LR . Of course, carrying out a protocol for some relation R makes sense only if it is a hard relation for (at least) one of the two involved parties. A protocol can be 1 This notion of group encryption should not be confused with the notion of threshold encryption [13]. In the latter case, a number of parties publishes a single public key and the access structure is determined by these parties during the setup of the system 3 defined by three (probabilistic) procedures t , s , and v as follows. Then, on input x and w, P uses t to compute a so called ....

....w i s, if A 2 , whereas a set A 62 gives no information. Finally, if honest proxies forming a set A 2 decide to reconstruct w, they can do so successfully, even if dishonest proxies also participate. This notion of group encryption should not be confused with the notion of threshold encryption [13]. In the latter case, a number of parties publishes single public key and the access structure is determined by these parties during the setup of the system. 10 P(u; m; y; s 0 ; E) V(u; m; y; E) # # r 2R Zq , t : y r s 0 : r, s 1 : r s (mod q) s 00 ; s 10 2R Zq s 01 : s 0 s 00 ....

Y. Desmedt and Y. Frankel. Threshold cryptography. In Advances in Cryptology --- CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 307--315. Springer-Verlag, 1990.

....decrypt if and only if that subset is contained in the access structure. For example, one can decide that for some t n, any subset of at least t players can decrypt, whereas less than t players cannot. This notion of group encryption should not be confused with the notion of threshold encryption [18]. In the latter case, a number of parties publish a single public key and the access structure is determined by these parties during the setup of the system. In contrast, a group encryption scheme allows to choose a (possibly di erent) access structure each time when (veri ably) encrypting a ....

....w i s, if A 2 , whereas a set A 62 gives no information. Finally, if honest proxies forming a set A 2 decide to reconstruct w, they can do so successfully, even if dishonest proxies also participate. This notion of group encryption should not be confused with the notion of threshold encryption [18]. In the latter case, a number of parties publishes a single public key and the access structure is determined by these parties during the setup of the system. In contrast, a group encryption scheme allows to choose a (possibly di erent) access structure each time when (veri ably) encrypting a ....

Y. Desmedt and Y. Frankel. Threshold cryptography. In CRYPTO '89, vol. 435 of LNCS, pp. 307-315. Springer-Verlag, 1990.

....We consider that the insurer of a key may not be the same entity that certifies the user key binding. This allows us to consider insurers as institutions, while still taking advantage of existing personal relationships to certify user key bindings. We also suggest the use of threshold cryptography [3] to create audited keys, which may make insurers more willing to provide insurance for keys in some circumstances. Furthermore, in order to help reason about insurance of keys and statements signed by them, we provide a formal yet simple insurance logic related to the authentication logic of ....

....an injured party will apply. A novel method for an insurer to enforce such restrictions is to require, using a threshold signature scheme, that an auditor (who is possibly the same entity as the insurer) participate in every signature. A survey of threshold cryptography can be found in [3]; some threshold signature schemes are presented in [4, 6] In two out of two threshold signature schemes, two parties hold shares of a private key K Gamma1 . Computing signatures with K Gamma1 requires participation of both parties; neither party can compute signatures without the help of ....

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications and Related Technologies, 5(4):35--43, July--August 1994.

....bids submitted. B.4 Threshold cryptography In our auction protocol, the technique used to keep the bids secret prior to the close of bidding is to share the value of the bid among the auction servers using a threshold secret sharing scheme. Alternatively, a threshold public key cryptosystem [27] could be used to encrypt bids under the public key of the auction house, so that they could be decrypted only with the cooperation of a threshold number of servers. Correct servers could prevent the premature disclosure of bids by cooperating in decryptions only after bidding had closed. The ....

.... against our protocol, because to open bids, the main costs per server per bid are polynomial interpolations and (re )encryptions, which are relatively inexpensive with an appropriate choice of encryption algorithm (e.g. RSA with reasonably small encrypting exponent) A threshold signature scheme [27], in which the cooperation of a threshold number of servers is required to sign a message with the auction house s private key, could be useful when declaring a winner. Instead of sending separate signed messages to the winning bidder in step (M5) the servers could construct a single ticket ....

Y. Desmedt, "Threshold cryptography", European Transactions on Telecommunications and Related Technologies, vol. 5, no. 4, pp. 449--457, July 1994.

....have witnesses is called LR . A protocol can be defined by three (probabilistic) procedures t , s , and v as follows. Let (x; w) 2 R. Then on input x and w, P uses t to compute a so called 1 This notion of group encryption should not be confused with the notion of threshold encryption [13]. In the latter case, a number of parties publishes a single public key and the access structure is determined by these parties during the setup of the system commitment t that the prover sends the verifier as the first message. Also, some sideinformation r for the prover is produced. Then the ....

....w i s, if A 2 , whereas a set A 62 gives no information. Finally, if honest proxies forming a set A 2 decide to reconstruct w, they can do so successfully, even if dishonest proxies also participate. This notion of group encryption should not be confused with the notion of threshold encryption [13]. In the latter case, a number of parties publishes single public key and the access structure is determined by these parties during the setup of the system. 4.1 Realisation A verifiable group encryption scheme can be realized using a secret sharing scheme for the chosen access structure . We ....

Y. Desmedt and Y. Frankel. Threshold cryptography. In Advances in Cryptology --- CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 307--315. Springer-Verlag, 1990.

.... sharing PS y and e i among some trustees [FuOk96] Then the signature scheme (G T ; S T ; V T ) will be substituted by a multisignature scheme and the probabilistic encryption scheme (E T ; D T ) by an encryption scheme with either threshold or multi decryption (for a survey of these schemes see [Desm94] In order to prevent only the linkability of payments w.r.t. the trustee, the following modifications of the opening of an account and registration protocols are sufficient, if the communication between the user and the trustee can be anonymous. In fact, this can be achieved using trusted mixes ....

Y.Desmedt, "Threshold Cryptography", European Trans. on Telecommunications, Vol. 5, No. 4, (1994), pp. 35 -- 43.

....it needed the help of trusted clerks) Later Desmedt and Frankel [6] proposed a solution to the problem. Laih and Harn [11] presented a shared decryption scheme based on the RSA cryptosystem, but in some cases their scheme is time consuming. A good review of literature in this area can be found in [4]. Note that for the majority of cryptosystems published so far, senders do not know whether the recipient is an individual or a group. Hwang [10] presented a cryptosystem in which the sender knows the participants. Unfortunately, the proposed scheme does not work well with threshold systems. As ....

Y. Desmedt. Threshold cryptography. ETT, 5(4):449--=457, August 1994.

....a share of other users private keys in order to reconstruct it whenever an escrow is necessary. In an ordinary key escrow system, the combiner learns the escrowed private key after the reconstruction. The omega system solves this problem by employing the threshold cryptography concept of Desmedt [21]. By using threshold cryptography, the shares of the escrowed private key are not revealed to the combiner directly, but it has enough information to decrypt a specific message which is encrypted using the corresponding public key, and the combiner will never learn the private key. The omega ....

....The combiner problem, which has been explained above, has been realized by some other researchers also. However, most of them examined the trusted combiner problem for general cryptosystems. Desmedt was the first which has examined that problem. His solution is named as threshold cryptography [21] which is different from threshold secret sharing schemes. Threshold cryptography is a non interactive system, therefore the share distribution and reconstruction are assumed to be done via private channels. In this system, the power of reconstruction the secret is shared among the shareholders ....

[Article contains additional citation context not shown here]

Desmedt, Y. G., "Threshold Cryptography," European Transactions on Telecommunications Related Technologies, vol. 5, no. 4, pp. 449 - 457, July 1994.

.... to reduce trust in the trustee by sharing PS y and e i among several trustees [FuOk96] Then the signature scheme (G T ; S T ; V T ) is substituted by a multisignature scheme and the probabilistic encryption scheme (E T ; D T ) by an encryption scheme with threshold decryption (for a survey see [Desm94]) 3.5 Versatility of system The k spendability or more general divisibility of coins is obtained as in the schemes [JaYu96, M Rai96] by including the spend fraction C f of the coin C into the message at payment. The overspent tracing is modified accordingly. The system also supports the use of ....

Y.Desmedt, "Threshold Cryptography", European Trans. on Telecommunications, Vol. 5, No. 4, (1994), pp. 35--43.

....to a key transport protocol in certain applications where a session key is required to be fair , in that it is dependent on both participants key materials. However, one should distinguish between key material exchange and shared generation of random numbers as achieved in threshold cryptography [3]. In particular, with a key exchange protocol a participant who is in a position to see, prior to producing his key materials, those from the other participant may control the resultant session key by carefully choosing his key materials. In this sense, a key (material) exchange protocol is ....

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994.

....not to reveal the factorization of N . Our results eliminate the need for a trusted dealer since the parties can generate the modulus N themselves. Threshold cryptography is a concrete example where shared generation of RSA keys is very useful. We give a brief motivating discussion and refer to [10] for a survey. A threshold RSA signature scheme involves k parties and enables any subset of t of them to generate an RSA signature of a given message. No subset of t Gamma 1 parties can generate a signature. A complete solution to this problem was given in [9] Unfortunately, the modulus N and ....

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications and Related Technologies, Vol. 5, No. 4, July-August 1994, pp. 35--43.

....attack if 1=q. If q is a prime, then any homomorphic secret sharing scheme might be used to transform this scheme into a threshold authentication one. Indeed, let s i be a share of a and s 0 i be a share of b, then MAC i = m Delta s i s 0 i is a share of the MAC, called a partial MAC [22, 30, 27]. If Shamir s secret sharing scheme is used, as in [30] this scheme is not robust. Using the connection between threshold schemes and error correcting codes [18, 54, 48] this scheme can easily be made robust. Indeed, let the shares of a, i.e. s 1 ; s 2 ; s l ) and the shares of b, ....

Y. Desmedt. Threshold cryptography. In W. Wolfowicz, editor, Proceedings of the 3rd Symposium on: State and Progress of Research in Cryptography, pp. 110--122, February 15--16, 1993. Rome, Italy, invited paper.

....that the security of these schemes varies. One has unconditionally secure schemes, proven secure (under a computational complexity assumption) ones, some are (proven) as secure as the original cryptoscheme, and finally some threshold cryptoschemes have heuristic security. We refer the reader to [24] for a survey of research done by 1994 on these topics. While that survey was very general, we restrict ourselves to discuss only a few topics and discuss threshold cryptography in a more narrow context. So, for example, we will not discuss group signatures [14] We refer the reader interested in ....

Y. G. Desmedt. Threshold cryptography. European Trans. on Telecommunications, 5(4), pp. 449--457, July-August 1994. (Invited paper).

No context found.

Y. Desmedt, "Threshold Cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, July/August 1994.

No context found.

Y. Desmedt, "Threshold cryptography," European Transaction of Telecommunications, vol. 5, October 1994.

No context found.

Y. Desmedt, "Threshold Cryptography", Euro. Trans. Telecom. 5(4) 449--457, July-August 1994.

No context found.

Y. Desmedt, "Threshold Cryptography", Euro. Trans. Telecom. 5(4) 449--457, July-August 1994.

No context found.

Y. Desmedt, "Threshold Cryptography", Euro. Trans. Telecom. 5(4) 449--457, July-August 1994.

No context found.

Y. Desmedt, "Threshold cryptography", European Transactions on Telecommunications, 5(4):449-457, July-August 1994.

No context found.

Yvo Desmedt, Threshold Cryptography, European Trans. on Telecommunications, 5(4), pages 449-457, July-August 1994.

No context found.

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994.

No context found.

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994.

No context found.

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994.

No context found.

Y. Desmedt. Threshold cryptography. European Trans. on Telecommunications, 5(4):449-- 457, July-August 1994. (Invited paper).

No context found.

Y. Desmedt, "Threshold Cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, July/August 1994.

No context found.

Desmedt, Y. (1994). "Threshold Cryptography." European Transactions on Telecommunications 5(4), 449-- 457.

No context found.

Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications, vol. 5, no. 4, pp. 449--457, 1994.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC