39 citations found.
C. P. Schnorr. Efficient Signature Generation for Smart Cards. In Proc. of Crypto '89, 1989. pp. 239--252.

This paper is cited in the following contexts:

Efficient and Practical Fair Exchange Protocols with Off-line TTP - Bao, Deng, Mao (1998)   (20 citations)  (Correct)

....signature scheme on v) skA Z pkA : J such that J(sk) v = i mod n Party A s signature on M is Ssiyn(sk,M) d,D) where d = h(M IIDvJa) 6. 3 PEDL Certificate Before we proceed to describe CEMBS for the above system, we first review the Proof of Equivalence of Discrete Logarithms (PEDL) [3, 5, 17, 19]. In PEDL, a prover wants to prove to a verifier that Y = X and y = x for some a while not revealing a. Here x, y, X, Y G with G being a group, x and X having order q and a Z. Certificate Generation The prover randomly chooses w 1, 2, q 1 , sets a = x w and A = X w, and calculates c = ....

C. P. Schnorr, "Efficient signature generation for smart cards", Proceedings Crypto'89, LNCS, Springer-Verlag, pp.225-232, 1990.


Infrastructure for Distributed Applications in Ad Hoc Networks.. - Kaminsky (2001)   (1 citation)  (Correct)

....downloaded code. Designing an adequate lightweight security model is an area for research. One area of investigation is decentralized authentication techniques which do not rely on a central authentication server or certificate authority, such as zero knowledge proofs of identity [21] 22] [23]. Another area of investigation is resource negotiation, where a downloaded object is annotated with the resources it needs (security permissions, amount of memory, number of threads, and so on) the AVM checks whether it is willing to provide those resources, and if so the AVM ensures that the ....

C. Schnorr. "Efficient Signature Generation for Smart Cards." Journal of Cryptology, Volume 4, Number 3, 1991, pages 161--174.


Detachable Electronic Coins - Pavlovski, Boyd, Foo (1999)   (Correct)

....scheme that employs a binary tree structure. A detailed description of this technique may be found in a previous paper [17] We also discuss several improvements in the efficiency of the batch representation check. Before describing the batch tree protocol with the Schnorr signature scheme [18], we must briefly outline the batch signature scheme for an arbitrary number of messages. To generate a signature for a batch of messages, the hash of each message is placed at a leaf node of a binary tree. Each parent node is formed by concatenating each of its child nodes and hashing the ....

....(m 2 ) h x (h y (m 3 ) h y (m 4 ) Figure 1 Binary Tree of Messages T : h y (m ) for j : 1 to L r : sibling(c) if direction(r j ) Left then c : h x (c r j ) else T : h x (r c) endfor Output T (2) 2.4. 1 Batched Schnorr Signature Scheme The Schnorr signature scheme [18] has public and private keys x and h, where 0 x mod p. To sign message m with the private key x, outputting signature (c, r) the following steps are performed: mod p, where 1 w q 1. 2. c = h(m a) 3. r = w xc mod q To verify the signature (c, r) compute a = g . h mod ....

CP. Schnorr, Efficient Signature Generation for Smart Cards, Advances in Cryptology - Crypto `89, Springer-Verlag, pp239-252, 1990.


Proving in Zero-Knowledge that a Number is the Product of.. - Camenisch, Michels (1998)   (33 citations)  (Correct)

....g to be any integer x such that y = g holds, i.e. discrete logarithms are allowed to be negative. We shortly review various systems for proving knowledge of and about discrete logarithms found in literature. Proving the knowledge of a discrete logarithm x of a group element y to a basis g [11, 30]. The prover chooses a random r 2R Z Q and computes t : g and sends t to the verifier. The verifier picks a random challenge c 2R f0; 1g and sends it to the prover. The prover computes s : r cx (mod Q) and sends s to the verifier. The verifier accepts, iff g = t holds. This protocol ....

C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239--252, 1991.


Cryptography 2000 ± 10 - Maurer   (Correct)

....cryptography is that it allows to exploit channels that are only authenticated but not confidential. Such channels were useless for secrecy applications before public key cryptography was invented. 5 The discrete logarithms problem is today the most important cryptographic problem (e.g. see [76]) Whether it is feasible or infeasible depends on the group. The group operation proposed in [27] is multiplication modulo a large prime p; the corresponding group Z_p has p − 1 elements. 3 [Figure: Alice, insecure channel, Bob] Fig. 1. Mechanical analog of the ....

C. P. Schnorr, Efficient signature generation for smart cards, Journal of Cryptology, vol. 4, no. 3, pp. 239--252, 1991.


Verifiable Encryption and Applications to Group.. - Camenisch, Damgård (1999)   (5 citations)  (Correct)

....sharing schemes for , e.g. the one by Shamir [28] We refer to [11] for further details. The probably best known special case of relations R with protocols are publickey identification schemes such as the ones by Feige, Fiat, and Shamir [16] by Guillou and Quisquater [22] or by Schnorr [27]. A protocol that is of interest in the context of this paper is a proof of knowledge of a pre image under a group homomorphism (see Figure 1) It turns out that this protocol is very useful in practice 2 We require perfect zero knowledge only for simplicity. Computational zero knowledge could be ....

C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239--252, 1991.


How to break a practical MIX and design a new one - Desmedt, Kurosawa (2000)   (36 citations)  (Correct)

....c, he can output a different ciphertext c 0 such that the plaintexts m;m 0 for c; c 0 are meaningfully related. For example, m 0 = m 1. Tsiounis and Yung [28] and independently Jakobsson [13] showed a nonmalleable ElGamal encryption scheme by combining Schnorr s signature scheme [25] with ElGamal encryption scheme under some cryptographic assumption in the random oracle model. Jakobsson used the non malleable ElGamal encryption scheme in his MIX net for users encryption to prevent the repeated ciphertext attack [13] For a detailed study of the security consult [26] We ....

....valid results only) 1. The MIX servers publish f I1j g j2Q . 2. The computation of I1 in Blinding I is verified. 3. The MIX servers publish fae IIj g j2Q . 4. Each MIX server j proves that S j = M z j and Delta ae II j j = g z : 7) holds for some z by using one of the methods of [7, 25]. 5. The MIX servers compute oe 1 = oe 1=ae II I1 , and output oe 1 . Note that oe 1 is a permutation of (c ffi 1 ; c ffi N ) from eq. 5) Jakobsson claims that the final output oe 1 is a permutation of (c ffi 1 ; c ffi N ) if the above protocol (MIXEXP) ends ....

C. P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances in Cryptology-Proceedings of Crypto '89, pp. 239-252


One-Response Off-Line Digital Coins - Nguyen, Mu, Varadharajan (1997)   (1 citation)  (Correct)

....of our cash scheme. Section 4 discusses various security and efficiency features of our protocol; we also include some comparisons between our scheme and previous works. Finally Section 5 concludes our paper. 2 Schnorr's one time signature scheme The security of Schnorr's signature scheme [5] depends on the difficulty of calculating discrete logarithms. Users in the system can share a random number g and two prime numbers, p and q such that q is a prime factor of p − 1, g ≠ 1 and g^q ≡ 1 mod p. To generate a particular pair of private public key, a customer (say, Alice) ....

C.Schnorr, "Efficient signature generation for smart cards", Journal of Cryptology, 4(3):161-174,1991.


Short Discreet Proofs - Boyar, Peralta   (5 citations)  (Correct)

....Proofs by Simulating the Randomness Source It is a standard technique in cryptographic protocol design to substitute a random challenge string by a string constructed deterministically but in such a way that the Prover has no control. For example, Fiat Shamir's scheme [10], Schnorr's scheme [15], and the DSA all use a one way hash function to construct a challenge to the Prover, hence eliminating the need for interaction. The proofs described in this work consist of rounds where Prover and Verifier first obtain a random string from a trusted source and then the Prover sends a message ....

Schnorr, C.: Efficient signature generation for smart cards. Journal of Cryptology 4 (1991) 161--174.


On Quorum Controlled Asymmetric Proxy Re-encryption - Jakobsson (1999)   (7 citations)  (Correct)

....and does not leak any information about the plaintext to verifiers or to a subset of the provers. 1 We use |p| = 1024; |q| = 160. Our techniques draw on ideas used in the work on proactive security (e. g, 7, 9, 10] on methods for undeniable signatures (e.g. 3, 4] Schnorr signatures [14], and methods for information theoretical secret sharing [12] Outline: We start in section 2 by reviewing related work. We then discuss the requirements on our scheme in section 3. In section 4, we then present our basic scheme for proxy re encryption, followed in section 5 by a protocol for ....

C. P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances in Cryptology - Proceedings of Crypto '89, pp. 239-252


Improved Magic Ink Signatures Using Hints - Jakobsson, Müller (1999)   (6 citations)  (Correct)

....fl ; y fl h ) f M g fl ; y fl h ) This pair is sent to the servers. 2. a) The servers distributively compute hint i = a x hi =b. b) In order to prove that every server has performed the correct exponentiation the servers run a protocol for proving valid exponentiation, e.g. [12, 32]. This is a proof that log a (hint i b) log g (y hi ) for a given quadruple (a; g; hint i b) y hi ) c) The servers compute hint as the Lagrange weighted product of the shares hint i of the servers in the quorum. This value equals [m xh ] p if R did not cheat. We also have to force the ....

C.P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances of Cryptology, Proceedings of Crypto '98, pp.239--252.


Privacy vs. Authenticity - Jakobsson (1997)   (1 citation)  (Correct)

....be represented by a secret key public key pair (x Coin ; y Coin ) The keys are associated with a signature scheme S that is existentially unforgeable, and that has a public verification algorithm, V . A lot of schemes may be used for this, e.g. RSA [72] ElGamal [27] and related schemes like [1, 77]. In order to heuristically produce existentially unforgeable signatures using message recovery schemes like these, the standard method is to apply a collision resistant one way function unrelated to the signature scheme to the message to be signed before the signature is calculated (see also ....

C. P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances in Cryptology - Proceedings of Crypto '89, pp. 239--252.


A Practical Mix - Jakobsson (1998)   (29 citations)  (Correct)

.... signatures (introduced by Chaum and van Antwerpen [5] This is a proof that log_m s = log_g y for a given quadruple (m, s, g, y) There are several protocol versions developed; in order to obtain a high degree of efficiency, we will use a non interactive proof version, such as a Schnorr signature [29]. This requires one exponentiation per proof for the prover, and two per verifier. 3.2 Non Malleable ElGamal Even if we have a primitive that takes a list of encrypted messages and decrypts these in a fashion that does not reveal any information about the relationship between items in the input ....

....i as the public key (for which fl i is the corresponding secret key) and signing (a i ; b i ; aux) using this secret key, where aux is some auxiliary information in our case, a number indicating how many previous batches have been decrypted, which is public information. We suggest using Schnorr [29] signatures for this. An encryption pair is said to be valid if the above signature is valid and corresponds to the ciphertext pair. Encryptions that are not valid are discarded. The resulting encryption scheme is non malleable in the random oracle model [26] as shown in the appendix. Remark: ....

C. P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances in Cryptology - Proceedings of Crypto '89, pp. 239-252


Separability and Efficiency for Generic Group Signature Schemes - Camenisch, Michels (1999)   (5 citations)  (Correct)

....in mind. All protocols exposed in the following are two party protocols between a male prover and a female verifier. 3. 1 Basic Zero Knowledge Proofs of Knowledge The most basic protocol is a zero knowledge proof of knowledge of the discrete logarithm of some group element y ∈ G to the base g [15, 45]. We shortly recall this protocol and its properties: The prover knowing x = log_g y sends the verifier the commitment t := g^r, where r ∈_R Z_q. Then, the verifier sends the prover a random challenge c ∈_R {0, 1}^k to which the prover responds with s := r − cx (mod q) The integer k 1 ....

C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239--252, 1991.


Breaking and Repairing a Convertible Undeniable Signature.. - Michels, Petersen, Horster (1996)   (5 citations)  (Correct)

....of the repaired scheme The security of the repaired scheme can be strengthened in the case where the signer is honest. Let the signer additionally prove in zero knowledge in the confirmation protocol that he knows the discrete logarithms of the parameters r and T using the protocol given in [15]. If the signer proves the validity of a valid signature and the verifier accepts the proof then the verifier knows that the signer knows the parameter k; t and z and therefore the secret key x. If an attacker has forged a signature for a (even nonsensical) message and can convince the verifier ....

C.P.Schnorr, "Efficient signature generation for smart cards", Journal of Cryptology, Vol. 4, (1991), pp. 161--174.


ATM Cell based Security Implementation - Gamage, Leiwo, Zheng (1997)   (Correct)

....In particular, the specific public key digital signature scheme used in an implementation may allow optimization of both message size and cryptographic computations. The most widely available digital signature schemes are based on either discrete logarithm problem (DSA [15] ElGamal [7] Schnorr [23], etc. or the factoring of large numbers problem (RSA [21] 3. The final message from A to B contains a MAC generated under the shared key that complete the mutual authentication of peer crypto units. The exchange of nonces prevents replay attacks on the protocol in addition to authenticating ....

C. P. Schnorr. Efficient Signature Generation for Smart Cards. In Proceedings of Advances in Cryptology--CRYPTO '89, pages 239--252. Springer--Verlag, 1990.


How to Forget a Secret (Extended Abstract) - Di Crescenzo, al.   (Correct)

....of the swap file will reveal the old values of the ram. Cryptographic protocols. In the security and cryptography literature, many protocols make the silent assumption that we can forget information. For example, the randomly chosen temporary secret key in DSS [15] and similar schemes [7, 18] should be forgotten by the signer after it has been used. If it can be found by an attacker, he will be able to reconstruct the secret key of the signer from the signature and the temporary secret key. More generally, participants to cryptographic protocols should forget all partial results, ....

C. P. Schnorr, Efficient signature generation for smart cards, Proc. CRYPTO 89.


Efficient and Generalized Group Signatures - Camenisch (1997)   (17 citations)  (Correct)

....(p i ; i ) This scheme is ideal. 4 Proving Knowledge of Discrete Logarithms In this section we define and formalize the building blocks for our scheme. They are based on different interactive proofs of knowledge of discrete logarithms that are made non interactive using the techniques of [17]. To avoid confusion with the terminology of non interactive proofs of knowledge, we call these building blocks signatures of knowledge. The algebraic setting is as follows. Let G be a finite cyclic group of prime order q and let g; g 1 ; g n 2 G be generators of G such that computing ....

....y to the base g. Definition 1. A pair (c, s) satisfying c = H(g‖y‖g^s y^c‖m) is a signature of knowledge of the discrete logarithm of a group element y to the base g for the message m and is denoted by SKDL(g, y, m) Basically, such a signature of knowledge is a Schnorr signature (see [17]) with a slightly different argument to the hash function. A SKDL can be computed only if the secret key x is known, by choosing r at random from Z_q and computing c and s according to c = H(g‖y‖g^r‖m) and s = r − cx (mod q) The values g^r, c, and s are often called commitment, ....

C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239--252, 1991.


Revokable and Versatile Electronic Money (Extended Abstract) - Jakobsson, Yung   (Correct)

....instance in polynomial time. The function f behaves like a random oracle; in practice, this can be based on exponentiation in a finite field (of a preprocessed value) It is advantageous to choose a scheme based on discrete log, since this makes it easier to select good secret keys. We can use [12, 39, 30, 14] for (SCoin ; VCoin ) We note that applying a one way function to a message before calculating the signature (as is done by both the ombudsman and the user) is practically used to prevent against chosen message attacks or resp. to avoid transparent blinding. If rigorous provability is required, ....

C. P. Schnorr, "Efficient Signature Generation for Smart Cards," Crypto '89, pp. 239-252


Efficient Oblivious Proofs Of Correct Exponentiation - Jakobsson, Schnorr (1999)   (1 citation)  Self-citation (Schnorr)   (Correct)

....deciding valid exponentiation. We exhibit two versions, one that is interactive and based on standard protocols for verification of undeniable signatures [5, 6] the other non interactive. The noninteractive version can be based on any discrete log based signature scheme of a common format, e.g. [8, 12, 17]. We call such a proof a DLEQ signature, as it is both a signature and a proof of equality of discrete logs. The DLEQ signature is a result of potential independent interest. In order to obtain this result, we exhibit a first transformation method that takes a quadruple (g; y; m; s) as input, ....

....as a public key, and X as the corresponding secret key. This signature is given to the verifier. If the signature is valid, the verifier will conclude that log_g y = log_m s, since the prover with overwhelming probability must have known X . We demonstrate our new method using Schnorr signatures [17] and a variant thereof. The method for transforming the input elements to a generator and to public and secret keys draws on work by Bellare, Garay and Rabin [1] They introduced a construction that raises different factors of a product to different powers in order to improve the efficiency of ....

[Article contains additional citation context not shown here]

C.P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances of Cryptology, Proceedings of Crypto '98, pp.239--252.


Tamper-Evident Digital Signatures: - Protecting Certification Authorities   (Correct)

No context found.

C. P. Schnorr. Efficient Signature Generation for Smart Cards. In Proc. of Crypto '89, 1989. pp. 239--252.


Resettable Zero Knowledge in the Bare Public-Key Model under.. - Deng, Lin (2006)   (Correct)

No context found.

C. P. Schnorr. Efficient Signature Generation for Smart Cards. Journal of Cryptology, 4(3): 239-252, 1991.


Concurrently Non-Malleable Zero Knowledge in the.. - Deng, Di Crescenzo, Lin (2006)   (Correct)

No context found.

C. P. Schnorr. Efficient Signature Generation for Smart Cards. Journal of Cryptology, 4(3): 239-252, 1991.


Providing Efficient Certification Services Against .. - Zhu, Wang, Wan..   (Correct)

No context found.

C. P. Schnorr, "Efficient signature generation for smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 239--252, 1991.


Mini-Cash: A Minimalistic Approach to E-Commerce - Jakobsson (1999)   (2 citations)  (Correct)

No context found.

C. P. Schnorr, "Efficient Signature Generation for Smart Cards," Advances in Cryptology - Proceedings of Crypto '89, pp. 239--252.
