P. MacKenzie and M. K. Reiter. Two-party generation of DSA Signatures. In Proc. CRYPTO 2001.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....next four chapters present the actual unidirectional and bidirectional functions. The paper ends with some final thoughts about learned lessons and ideas for the future. 2 Related Work The idea of delegating decryption signature rights was previously researched and presented in several papers [16, 15, 3, 22, 21, 4]. The goal of the [16, 15] paper is similar to ours. In the context of mobile computing, agents should be able to carry signature functions such that untrusted entities sign on behalf of a user without knowing his key. However, the result of signing a message m is a brand new signature that ....

....scheme splits the secret key between a client and a server such that neither is able to create a valid key without working together. The security proofs rely on the fact that the server is always trusted, thus obtaining lower levels of security then the ones we propose here. MacKenzie and Reiter [22, 21, 20] consider a similar question of two party signature generation to the one we consider here. However, their solutions, especially [22] are highly complex and interactive as compared to the notion of unidirectional proxy signatures we propose here (they also have a slightly more sophisticated ....

[Article contains additional citation context not shown here]

P. MacKenzie and M. K. Reiter. Two-Party Generation of DSA Signatures. Advances in Cryptology - CRYPTO 2001.

....This protocol is more ecient than prior art, such as [DF02] A protocol (in Section 5. 3) for veri able encryption of discrete logarithms, based on the public key cryptosystem due to Catalano, et al. CGHN01] This protocol is more ecient than a similar protocol (e.g. the one presented in [MR01]) based on the Pallier cryptosystem [P99] As mentioned earlier, the state of the art group signature scheme by Camenisch and Lysyanskaya is obtained by integrating a dynamic prime accumulator [CL02] with the bare group signature scheme in [ACJT00] This integration was needed since a prime ....

P. MacKenzie and M. Reiter. Two-Party Generation of DSA Signatures. Crypto'01.

....[6] and MacKenzie and Reiter [26] consider several flavors of two party generation of the RSA (full domain hash) signatures (building on some previous less formal work, e.g. 10, 18] The schemes are simple, elegant, and in most cases reducible to the basic RSA assumption. MacKenzie and Reiter [27] also give a protocol for two party generation of DSA signatures [16] Two party signatures can also be viewed as a special case of general secure two party computation [36] Resisting compromise. Two party signatures are also related to the notion of key insulated signature schemes [13] In this ....

P. MacKenzie and M. Reiter. Two-party generation of DSA signature. In Advances in Cryptology---Crypto'01, volume 2139 of Lecture Notes in Computer Science, pages 137--154, Berlin, 2001. Springer-Verlag.

....overlooked in the literature. Up until now, the only known way to build a veri able encryption protocol for discrete logarithms in conjunction with any known chosen ciphertext secure encryption scheme was via the relatively inecient cut and choose paradigm (e.g. 1, 10] However, it was known [11, 32] how to avoid the cut and choose paradigm if one was willing to accept a weaker form of security, namely semantic security [28] In this paper, we present a variant of the new public key encryption of Cramer and Shoup [22] based on Paillier s decision composite residuosity assumption [34] along ....

P. MacKenize and M. K. Reiter. Two-party generation of DSA signatures. In J. Kilian, editor, Advances in Cryptology | CRYPTO 2001.

....The next four chapters present the actual asymmetric and symmetric functions. The paper ends with some final thoughts about learned lessons and ideas for the future. 2 Related Work The idea of delegating decryption signature rights was previously researched and presented in several papers [13, 12, 3, 16, 15, 4]. The goal of the [13, 12] paper is similar to ours. In the context of mobile computing, agents should be able to carry signature functions such that untrusted entities sign on behalf of a user without knowing his key. However, the result of signing a message m is a brand new signature that ....

....scheme splits the secret key between a client and a server such that neither is able to create a valid key without working together. The security proofs rely on the fact that the server is always trusted, thus obtaining lower levels of security then the ones we propose here. MacKenzie and Reiter [16, 15, 14] consider a similar question of two party signature generation to the one we consider here. However, their solutions, especially [16] are highly complex and interactive as compared to the notion of online proxy signatures we propose here (they also have a slightly more sophisticated scenario, ....

[Article contains additional citation context not shown here]

P. MacKenzie and M. K. Reiter. Two-Party Generation of DSA Signatures. Advances in Cryptology - CRYPTO 2001.

....In [5] Reiter and McKenzie propose a the same additive splitting technique to improve the security for portable devices where the private key operations are password protected. Recently, they also proposed another scheme for the more challenging problem of mediated (2 party) DSA signatures [6]. Ganesan[7] also exploited (earlier, in 1996) the same idea for improving Kerberos security as part of the Yaksha system. Another way to look at SAS is as an instantiation of hybrid multi signatures [8] Viewed more broadly, the SAS method can be included in the more general framework of ....

P. MacKenzie and M. K. Reiter, "Two-party generation of dsa signatures," in Advances in Cryptology -- CRYPTO '01 (J. Kilian, ed.), no. 2139 in Lecture Notes in Computer Science, pp. 137--154, Springer-Verlag, Berlin Germany, Aug. 2001.

....targetting strong notions of security, we have explicitly considered and modeled the hash function. MacKenzie and Reiter propose a di erent two party RSA based signature scheme that is proven secure against chosen message attack [19] The same authors also propose such schemes for DSA signatures [20]. Two party signature schemes are part of the general approach of secure two party computation [26] and threshold cryptography [11] Threshold cryptography has however concentrated more on the case of n 3 parties. Distribution of the RSA function (which yields distributed signatures) is ....

P. MacKenzie and M. Reiter. Two-party generation of DSA signatures. Advances in Cryptology { CRYPTO '01, Lecture Notes in Computer Science Vol. ??, J. Kilian ed., Springer-Verlag, 2001.

No context found.

P. MacKenzie, M. K. Reiter. Two-party generation of DSA signatures. In Advances in Cryptologie -- CRYPTO 2001 (Lecture Notes in Computer Science 2139), pp. 138--154, August 2001

No context found.

P. MacKenzie and M. K. Reiter. Two-party generation of DSA signatures. In Advances in Cryptology---CRYPTO 2001.

No context found.

MacKenzie P, Reiter MK (2001) Two-party generation of DSA signatures. In: Advances in cryptology -- CRYPTO 2001, Santa Barbara, August 2001. Lecture notes in computer science, vol 2139, Springer, Berlin Heidelberg New York, pp 137--154

No context found.

P. MacKenzie and M. Reiter. Two-Party Generation of DSA Signatures. In Advances in Cryptology{ CRYPTO '01, pp 137-154, 2001.

No context found.

P. MacKenzie and M. Reiter. Two-Party Generation of DSA Signatures. In Advances in Cryptology-- CRYPTO '01, pp 137--154, 2001.

....the common reference string to contain one trapdoor commitment public key for each party. 26 Paillier encryption work in different moduli. To overcome this we use the known technique of adding a commitment to x using two generators (h 1 ; h 2 ) over a third modulus N of unknown factorization [6, 7, 8, 28, 41]. The detailed construction is presented in Appendix C. 6.4 An efficient generalized Omega For an NP relation R = f(x; w)g and a polynomial time computable function f , let R f = f(x; f(w) x; w) 2 Rg. Note that R f may not itself be an NP relation. Then we define an f extracting ....

P. MacKenzie and M. Reiter. Two-Party Generation of DSA Signatures. In Advances in Cryptology -- CRYPTO 2001.

No context found.

P. MacKenzie and M. K. Reiter. Two-party generation of DSA Signatures. In Proc. CRYPTO 2001.

No context found.

P. MacKenzie and M. Reiter. Two-party generation of DSA signatures. Advances in Cryptology { CRYPTO '01, Lecture Notes in Computer Science Vol. 2139, J. Kilian ed., Springer-Verlag, 2001.

No context found.

P. MacKenzie and M. Reiter. Two-Party Generation of DSA Signatures. Crypto'01.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC