PfWa2_91 Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Applications; accepted for Securicom '91, Paris, March 1991.
....scheme has been broken, so that it can be stopped. This is where the name fail-stop comes from. For more details about possible benefits of fail-stop signatures in applications, e.g. in electronic payment systems, and possible advantages for the acceptability of digital signatures in law, see [PW91, P91]. Previous Constructions: So far, there have been three significantly different results about fail-stop signatures. Theoretically, fail-stop signature schemes are known to exist if claw-free pairs of permutations (not necessarily with trap-door) exist; see [BPW91, PW91] for descriptions and ....
....signatures in law, see [PW91, P91]. Previous Constructions: So far, there have been three significantly different results about fail-stop signatures. Theoretically, fail-stop signature schemes are known to exist if claw-free pairs of permutations (not necessarily with trap-door) exist; see [BPW91, PW91] for descriptions and [PW90] for a proof. In particular, this shows that fail-stop signatures exist if factoring large integers or computing discrete logarithms is hard. The construction uses one-time signatures, similar to [L79], i.e. messages are basically signed bit by bit. Therefore, although ....
[Article contains additional citation context not shown here]
Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Application; Securicom 91, Paris, 19.-22. March 1991, 145-160.
....authentication, disputes between a sender and a recipient cannot be solved. Recently, unconditional security for signers has been considered with non undeniable signature schemes. This feature is interesting in practice, even if it is only combined with cryptographic security for recipients [PW2]. In particular, if two parties exchange signed messages, both were only computationally secure before. Now, if one party uses signatures unconditionally secure for the signer, and the other party conventional ones, the former party is unconditionally secure. This is particularly suitable if there ....
....such a forgery is (mathematically) impossible. Also, if any forgery ever occurs, the organization itself is sure about this and can stop the scheme or increase the security parameters, in contrast to the case where a client's signature is forged in a conventional scheme. Previous schemes: In [WP, BPW, PW2], fail-stop signatures were introduced. They are cryptographically secure against forgeries in the sense of [GMR]. In addition, if a forgery occurs nevertheless, the signer can prove this (more precisely: the fact that the cryptographic assumption has been broken) unconditionally (in the sense ....
[Article contains additional citation context not shown here]
Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Application; Securicom 91, Paris 1991, 145-160.
....signatures, too, unforgeability relies on an assumption. In the concrete scheme sketched in Section 8, called hiding scheme, this is the factoring assumption. There exists an alternative based on the discrete logarithm assumption. It has been proved that forgery is impossible on this assumption [11]. This was the property that only GMR had among the signature schemes mentioned above. The new feature of fail-stop signatures is: If a signature is forged nevertheless, the supposed signer can prove that it is a forgery. More precisely: He can prove that the underlying assumption has been ....
....two additional properties: 1) d n 2. 2) The Jacobi symbol of d is 1 (see, e.g. [8]). An auxiliary function g n is defined by g n (z, d) 4 z . d 2 100 mod n. If g n (z, d) n 2, then g n (z, d) g n (z, d) else g n (z, d) mod n. For a more detailed description see [11], for formal proofs [1] and [10]. Specialists may have noticed that the bank, who knows p and q, can invert the function g. This doesn't matter, although the bank could thereby forge the clients' signatures, because the clients could prove the forgery. Thus, according to the 3-phase protocol, the ....
Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Application; Securicom 91; 9th Worldwide Congress on Computer and Communications Security and Protection, Paris 1991, 145-160.
No context found.
PfWa2_91 Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Applications; accepted for Securicom '91, Paris, March 1991.
No context found.
PfWa2_91 Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Application; Securicom 91; 9th Worldwide Congress on Computer and Communications Security and Protection, Paris, 19.-22. March 1991, 145-160.
No context found.
PfWa_91 Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Application; Securicom 91, Paris 1991, 145-160.