T. Okamoto, Provably secure and practical identi cation schemes and corresponding signature schemes, Advances in Cryptology crypto'92, Springer-Verlag, LNCS 740, pp. 31-53, 1992.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....function h. Current proposals for a public (keyless) function h are very ecient [MD5] Due to the eciency and the ease of design, the Fiat Shamir method shortly gained much popularity both in theory and in practice. Several digital signature schemes, of which the best known ones are [Sch91, GQ88, Ok92] were designed following this paradigm. The paradigm has also been applied in other domains such as to achieve forward secure digital signature schemes in [AABN02] and to achieve better exact security in [MR02] Both of the above applications ( AABN02, MR02] actually use a variation of the ....

T. Okamoto. Provably secure and practical identi cation schemes and corresponding signature schemes. Advances in Cryptology - CRYPTO 92, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992.

....are associated to a same public key. Furthermore, the views of two identi cations using two distinct secret keys associated to a same public key are indistinguishable. For example, in the Fiat Shamir protocol [15] the veri er cannot distinguish which square root the prover uses. Okamoto, in [21], proposed a witness indistinguishable adaptation of both the Schnorr [24] and the Guillou Quisquater [17] identi cation schemes. 5 3.2 Provably Secure Blind Signature Schemes As was already remarked, the technical diculty to overcome comes from the fact that, in the colluding step, we no ....

....the signer without the secret key. We will use a scheme which admits more than one secret key for a given public key. This will make the collusion possible and we will constrain the attacker to output a di erent secret key. Our candidate scheme is one of the schemes designed by Okamoto in [21]. For the reader s convenience, the adaptation of the Schnorr s scheme is on gure 2 and its blind version is on gure 3. Prover Veri er c 2 ZZ=2 ZZ R = t cr mod q S = u cs mod q Fig. 2. Witness indistinguishable adaptation of the Schnorr s identi ....

T. Okamoto. Provably Secure and Practical Identi cation Schemes and Corresponding Signature Schemes. In Crypto '92, LNCS 740, pages 31-53. Springer-Verlag, 1992.

....associated to a same public one provides the solution of a dicult problem. For example, in the Fiat Shamir protocol [21] the veri er cannot distinguish which square root the prover uses, and with probability , two distinct square roots provide the factorization of the modulus. Okamoto, in [37], proposed a witness indistinguishable adaptation of both the Schnorr [50] and the GuillouQuisquater [30] identi cation schemes. As was already remarked, the technical diculty to be overcome comes from the fact that, in the colluding step, we can no longer simulate the signer without the secret ....

....no longer simulate the signer without the secret key. We use a scheme which admits more than one secret key for a given public key. This makes the collusion possible and we constrain the attacker to output a di erent secret key. Our candidate scheme is one of the schemes designed by Okamoto in [37]. For the reader s convenience, Okamoto s adaptation of the Schnorr scheme appears in Fig. 10. 4.2. The Okamoto Schnorr Blind Signature Scheme The scheme uses two large primes p and q such that q j (p 1) and two elements g; h 2 Z p of order q. The authority chooses a secret key (r; s) 2 (Z q ....

T. Okamoto. Provably Secure and Practical Identi cation Schemes and Corresponding Signature Schemes. In Crypto '92, LNCS 740, pages 31-53. Springer-Verlag, Berlin, 1992.

....Suppose that p and q are two large primes such that qjp 1. g and h are elements of Z p with order q. We assume that it is infeasible to compute the integer d such that g = h d mod p, given g; h, and p. Okamoto Schnorr Blind Signature This blind signature scheme designed by Okamoto [13] is an extension of the Schnorr scheme in [19] An entity A creates a secret key (r; s) 2 Z q Z q and publishes the public key, y = g r h s mod p. Two party protocols between a sender A and a signer B are as follows: 1. B chooses t; u 2 Z q , and sends a = g t h u mod p to A. 2. A ....

T. Okamoto, Provably Secure and Practical Identication Schemes and Corresponding Signature Schemes, Advances in Cryptology-Crypto'92, LNCS Vol.740, pp.31-53, Springer-Verlag, 1992.

....incomparable. 2. SECURE GROUPS is stronger. Jakobsson and Schnorr [29] give security proofs using techniques that might extend to ECDSA upon further consideration, but they use a stronger set of the conditions 4 . Of course, digital signature schemes of many other kinds have security proofs [4, 5, 12, 15 17, 20, 24, 43] under a wide variety of conditions. The remaining sections are organized as follows. Section 2 describes the groups that are used in ECDSA and DSA, de nes the term conversion function together with some security de nitions, and discusses a variant of the generic group model. Section 3 recalls ....

Okamoto, T. Provably secure and practical identication schemes and corresponding signature schemes. In Advances in Cryptology | CRYPTO '92, E. F. Brickell, Ed., vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, pp. 31-53.

No context found.

T. Okamoto, Provably secure and practical identi cation schemes and corresponding signature schemes, Advances in Cryptology crypto'92, Springer-Verlag, LNCS 740, pp. 31-53, 1992.

No context found.

T. Okamoto, Provably secure and practical identi cation schemes and corresponding signature schemes, Advances in Cryptology crypto'92, Springer-Verlag, LNCS 740, pp. 31-53, 1992.

No context found.

T. Okamoto. Provably secure and practical identi cation scheme and corresponding signature scheme. In Advances in Cryptology | CRYPTO'92, volume 740 of Lecture Notes in Computer Science, pages 31-53. Springer-Verlag, 1992.

No context found.

T. Okamoto. Provably secure and practical identi cation scheme and corresponding signature scheme. In Advances in Cryptology | CRYPTO'92, volume 740, pages 31-53. Springer-Verlag, 1992.

No context found.

T. Okamoto, Provably secure and practical identi cation schemes and corresponding signature schemes, Advances in Cryptology crypto'92, Springer-Verlag, LNCS 740, pp. 31-53, 1992.

No context found.

T. Okamoto. Provably secure and practical identi cation schemes and corresponding signature schemes, Advances in Cryptology|Crypto '92, Lecture Notes in Computer Science 740 (E.F. Brickell, ed.) Springer-Verlag, 1993, 31-53.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC