Croft RA, Harris SP (1989) Public-key cryptography and reusable shared secrets. In: Baker H, Piper F (eds) Cryptography and coding, Clarendon Press, Oxford, UK, pp 189--201  Home/Search   Document Not in Database   Summary   Related Articles   Check

....since the sharing of a secret key allows for the key to be recovered if lost, without the increased risk of disclosure that comes with making multiple backup copies. In the late 1980 s, the notion of sharing a secret was extended to sharing the power to evaluate cryptographic functions [6, 11, 13]. This lead to the development of various schemes, based mainly on existing cryptosystems, where the power to eval uate the cryptographic function is shared amongst a set of participants such that only certain (authorized) sets can correctly evaluate the function, an example being the shared ....

....bank may have one public signature verification key, though requiring for financial transactions the concurrence of two or more bank tellers to compute a valid electronic signature on the bank s behalf. The first threshold cryptosystems were introduced independently by Boyd [6] Croft and Harris [11] and Desmedt [13] Since then, various threshold cryptosystems have been developed based on variants of existing cryptosystems, examples being a threshold E1Gamal decryption scheme [15] and a threshold RSA signature scheme [17] both of which are described in more detail in Chapter 3. The concept ....

R. Croft and S. Harris. Public-Key Cryptography and Re-Usable Shared Secrets. In H. Beker and F. Piper, editors, Cryptography and Coding, pages 189-201. Clarendon Press, 1989.

....and sign extra messages. So full trust is necessary in the manufacturer of the device and the one who operates it. So this solution is not very secure. The fact that sometimes a ciphertext needs to be decrypted jointly by a group of users, instead of by a single user, was addressed in [17] and later in [26] The first solution presented is not very secure and the second one is far from practical since it relies on mental games (general secure distributed computation) mechanisms [43, 4, 13] 3 Basic schemes In this section, for simplicity, we mainly follow the description used in ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Beker and F. Piper, editors, Cryptography and coding, pp. 189--201. Clarendon Press,

....set of result of this computation the players check the VSPS property. The complete protocol appears in Appendix C. 6 Threshold Cryptography Applications In recent years it has become evident that one of the most important applications of secure multiparty computation is threshold cryptography [Boy89, CH89, Des87, Des94]. Consider for example the cryptographic function of signing which receives as input a secret key and a message, and generates the signature on the message. The signer holding the secret key can easily generate the signature. But if his computer is broken into, then the secrecy of his key is ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201. Claredon Press, 1989.

....an elliptic curve and results in shorter signature and secret key for the same lavel of security. 1.2 Threshold FSS In many applications group responsibility or commitment is required. For example passing a bill in a parliament, requires consent of a certain majority. Threshold signature schemes [6, 3, 5] requires collaboration of t out of n signers for a valid signature to be produced, while collusion of up to t 1 signers cannot generate a signature. In [19] a threshold FSS in which generation of a signature requires collaboration of t out of n signers, is proposed. The scheme requires a ....

R. Croft and S. Harris. Public-key cryptography and reusable shared secrets. Cryptography and Coding, pages 189 - 201, 1989.

....particular implementation (e.g. centralized or distributed) of the signing algorithm by the issuing certification authority. 1. 1 Previous Work Threshold signatures are part of a general approach known as threshold cryptography which was introduced by the works of Boyd [Boy86] Croft and Harris [CH89], Desmedt [Des88] and Desmedt and Frankel [DF90] This approach has received considerable attention in the literature; we refer the reader to [Des94] for a survey of some of the work in this area. While the existence of polynomialtime threshold signature schemes is implied by the general results ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201. Claredon Press, 1989.

....admit a security analysis, which yields very strong evidence for their security. As far as we know, our work is the rst of its kind to apply the random oracle model to the Byzantine agreement problem. 2 The notion of a threshold signature scheme was introduced by Desmedt, Frankel and others [17, 18, 8, 16] and has been widely studied since then (T. Rabin [33] provides new results and a survey of recent literature) It is a protocol for n parties tolerating up to t corruptions, where each party holds a share of the signing key and k cooperating parties together can generate a signature. In a ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189-201. Clarendon Press, 1989.

....fail stop faults (crashes) indeed, there is a need only for t 1 servers to be functioning in order to be able to compute the function FK , meaning that one can tolerate up to n Gamma t Gamma 1 crashes. Threshold cryptography was originated in works by Desmedt [11] Boyd [2] Croft and Harris [8], and Desmedt and Frankel [12] A survey of threshold cryptography techniques can be found in [13] Protocols for discrete log based threshold cryptosystems can be found in [2, 4, 12, 24, 31, 20] Protocols for RSA based threshold cryptosystems include [9, 10, 15, 19, 33] In Appendix B we present ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201. Claredon Press, 1989.

....even arbitrary malicious actions) thus increasing the availability of the signature operation without decreasing its security. Threshold signatures are part of the general approach known as threshold cryptography introduced through the works of Desmedt [Des87] Boyd [Boy89] Croft and Harris [CH89] and Desmedt and Frankel [DF89] For an early survey on threshold cryptography see [Des94] Solutions for the case of the RSA signature scheme are especially important because of its widespread use (a de facto standard) In addition, since in the RSA cryptosystem the signing algorithm coincides ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189-201. Claredon Press, 1989.

....particular implementation (e.g. centralized or distributed) of the signing algorithm by the issuing certification authority. 1. 1 Previous Work Threshold signatures are part of a general approach known as threshold cryptography which was introduced by the works of Boyd [Boy86] Croft and Harris [CH89], Desmedt [Des88] and Desmedt and Frankel [DF90] This approach has received considerable attention in the literature; we refer the reader to [Des94] for a survey of some of the work in this area. While the existence of polynomialtime threshold signature schemes is implied by the general results ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201. Claredon Press, 1989.

....know who actually signed the contract. If a problem with a particular contract occurs later, the company can find out which employee is to be held responsible. 1.1 Related Work There exist several other group oriented concepts for signature schemes. The most important ones are multi signatures [3,9,15] and proxy signatures [14] Multi signatures can be seen as generalized group signature without the ability of opening signatures, while proxy signatures are group signatures that do not provide anonymity. Solutions for group signature schemes were first presented in [6] and later in [7] We ....

R. Croft and S. Harris. Public key cryptography and re-usable shared secrets. In H. J. Beker and F. Piper, editors, Cryptography and Coding, pages 189--201. The Institute of Mathematics and its Applications Conference Series, Oxford Science Publications, 1989.

....of trusted party is avoided, at least in the key recovery phase. There are some threshold cryptosystems which do not require any trusted party at all. Group Oriented Cryptosystems 19 1. 5 Threshold Cryptosystems The first threshold cryptosystems [42] were independently developed by CroftHarris [35], Boyd [18] and Desmedt [41] They were, as most pioneering systems, either imperfect, having a hidden security bug, or too restrictive, or impractical. Since then, new threshold cryptosystems have been developed [43, 44, 53, 63, 71, 74] satisfying almost all of the ideal system s properties ....

....with anonymous members, in which the anonymity has a trapdoor [42] They serve the membership authentication purposes, when the actual identity of the member must remain secret. From now on, we suppose a group signature to be a threshold group signature. The scheme proposed by Croft and Harris [35] uses a prime order subgroup of Z p ( In this scheme, k out of m authorizations are performed. The authorizations are independent of the messages so that the scheme is insecure for many applications [42] The member shareholders are not anonymous. The same paper presents a faulty threshold key ....

Croft, R.A., Harris, S.P., Public-key cryptography and re-usable shared secrets, Cryptography and coding, H.Beker and F.Piper, eds., Clarendon Press, 189-- 201, 1989

....fail stop faults (crashes) indeed, there is a need only for t 1 servers to be functioning in order to be able to compute the function FK , meaning that one can tolerate up to n Gamma t Gamma 1 crashes. Threshold cryptography was originated in works by Desmedt [11] Boyd [2] Croft and Harris [8], and Desmedt and Frankel [12] A survey of threshold cryptography techniques can be found in [13] Protocols for discrete log based threshold cryptosystems can be found in [2, 4, 12, 23, 30, 19] Protocols for RSA based threshold cryptosystems include [9, 10, 15, 18, 32] In Appendix B we present ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201. Claredon Press, 1989.

....authorized participants. In contrast to distributed authentication systems, DD systems are simple and easier to design and implement. The reliability and security of both DD systems and distributed authentication systems rest on a trusted party so from this point of view they are equivalent. In [4] Croft and Harris proposed a distributed authorization system in which a group of t out n signatories authorize a transaction to proceed. Their system uses Shamir s secret sharing scheme [10] and the one way property of exponentiation to issue shadows to the participants which are used for a ....

R.A. Croft and S.P. Harris. Public-key cryptography and re-usable shared secrets. In Cryptography and Coding, H. Beker and F. Piper (Eds), pages 189--201. Clarendon Press, 1989.

....property for a proxy digital signature. 2. The receiver of a signature can verify that it is a valid (proxy) signature for the principal. This is the verifiability property for proxy digital signature. Proxy signature schemes are different from other related schemes, such as multisignatures [1, 3] and group signatures [2] which also involve more than one signing party for a signature on a given message. Proxy signature schemes are useful for secure communication by computing devices lacking the necessary computational power to perform cryptographic computations on an on line real time ....

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In Cryptography and Coding, pages 189--201, 1989.

....G p of (prime) order p. We let G = S k G(k) where G(k) f G p : p 2 [PrimeGen(1 k ) g, be the set of all these groups, and we assume the discrete log problem for G is hard (when the prime is chosen according to PrimeGen) Such groups have been used for cryptography by Croft and Harris [8], Schnorr [17] Chaum and Van Antwerpen [6] and others, and we refer the reader to these works for how to choose such groups. In particular, with appropriate assumptions on the distribution of primes if necessary, it can be done so that G p is a subgroup of Z q for some q of size O(k) so that ....

Croft and Harris. Public key cryptography and re-usable shared secrets. In Cryptography and Coding , Clarendon Press, 1989.

No context found.

Croft RA, Harris SP (1989) Public-key cryptography and reusable shared secrets. In: Baker H, Piper F (eds) Cryptography and coding, Clarendon Press, Oxford, UK, pp 189--201

No context found.

R. A. Croft and S. P. Harris. Public-key cryptography and reusable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201, 1989.

No context found.

R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189--201. Claredon Press, 1989.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC