Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO'95 (1995) 397--409, LNCS 963, Springer-Verlag, (1995).  Home/Search   Document Not in Database   Summary   Related Articles   Check

....will be retrieved. Once these members get the group secret, they can impersonate another set of members to sign the message without holding the responsibility to the signatures or directly forge a group signature by the secret key. Here t is the threshold value. There are large number schemes [8, 10, 11, 15, 16, 17, 19, 21, 24, 26]are based on the polynomial sharing which is realized by Lagrange interpolation, the security of these schemes is based on the discrete logarithm problem, the RSA problem or the RSA variants. In general, a threshold signature scheme usually involves in 3 parties: the manager who usually produces ....

....in possession of the secret x 0, 1 g such that x loggy logny selects random integer r 0, 1 e( g )and computes (c, s) as c H(g II n II II 2 II r II n r II . d 8 r cx (in Z) The following two definitions are about the security standards about knowledge proofs. Definition 4 [19] An interactive protocol(P, V) is said to perfect statistical computational zero knowledge, if for every probabilistic polynomial time verifier V there exists a probabilistic expected polynomial simulator Sv, so that two ensembles [v ,P] x) d Sv, x) are perfect statistical computational ....

S. Langford, Threshold DSS signatures without a trusted party, Advances in Cryptology- Crypro'95, Vol. 963, pp.397-409, 1995.

....the user dispatching the agent will always (one would hope) trust themselves. Note that an alternative scheme without a trusted dealer is given in [1] This scheme also improves on [7] by not relying on an RSA modulus made up of safe primes ) An example of an E1 Gamal based scheme is given in [4]. We next briefly outline the threshold signature scheme of [7] The user (dealer) forms the following: An RSA modulus n = pq where p = 2p t 1 and q = 2q t 1 are safe primes, i.e. p , q are prime. A public exponent e where e is prime and a private key d, where de 1 (mod f q) A ....

Susan K. Langford. Threshold DSS signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology Crypto '95 proceedings, number 963 in LNCS, pages 397 409. Springer-Verlag, 1995.

....the shares) this scheme is ideal in our setting. Note that an alternative scheme without a trusted dealer is given in [Damggrd and Koprowski, 2001] This scheme also improves on Shoup s scheme by not relying on an RSA modulus made up of safe primes ) An example of an E1 Gamal scheme is given in [Langford, 1995]. We note that a (n, n) threshold signature scheme is just a mul tisignature; such schemes have been studied for many years see, for example, page 488 of [Menezes et al. 1996] We note, however, that such a threshold signature scheme does not provide a means for the shares to incorporate an ....

Langford, S. K. (1995). Threshold DSS signatures without a trusted party. In Coppersmith, D., editor, Advances in Cryptology Crypto '95 proceedings, number 963 in LNCS, pages 397-409. Springer-Verlag, Berlin.

....has been widely employed in the literature to transform threshold schemes into conditionally secure schemes with extra properties. This idea is exploited in the papers by: Benaloh [1] Beth [10] Charnes, Pieprzyk and Safavi Naini [27] Charnes and Pieprzyk [28] Lin and Harn [58] Langford [56], and Hwang and Chang [50] It is a consequence of the linearity of equation (3) that Shamir s scheme can be modified to obtain schemes having enhanced properties such as disenrollment capability, in which shares from one or more participants can be made incapable of forming an updated secret. ....

....of threshold schemes in which all rows and all columns are ideal schemes is called an ideal threshold scheme family, or ITS family for short. In these schemes it is possible to alter dynamically the threshold values by moving from one level of the matrix to another. Lin and Harn [58] and Langford [56] use the discrete logarithm to transform Shamir s scheme into a conditionally secure scheme which does not require a trusted KDC. A similar approach is used by Langford [56] to obtain a threshold signature scheme. Beth [10] describes a protocol for verifiable secret sharing for general access ....

[Article contains additional citation context not shown here]

S. K. Langford. Threshold DSS signatures without a trusted party. Proc. Crypto'95. LNCS, Vol. 963, 397-409, Springer-Verlag, Berlin.

....the function g is not homomorphic This problem in its generality corresponds with the mental games problem [43, 4, 13] In its generality no practical solution has been proposed to address this problem. For some algorithms, such as DSS, a practical approach may be desirable. This was studied in [50, 42]. It should be noted that, even for the non robust schemes, there is a significant difference between those solutions and the RSA solution. In threshold RSA, if one trusts t shareholders (or more) but not t Gamma 1 (or less) t (non faulty) shareholders are sufficient to jointly compute the ....

S. K. Langford. Threshold DSS signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, Proceedings (Lecture Notes in Computer Science 963), pp. 397--409. Springer-Verlag, 1995. Santa Barbara, California, U.S.A., August 27--31.

....sharing techniques than RSA or even other ElGamal type of signatures. For this reason, many variants of ElGamal type signatures, have 2 been proposed that are more suitable to being turned into threshold schemes (see for example [Har94, PK96] The specific case of DSS was studied by Langford in [Lan95]. Langford has overcome some of the DSS difficulties, exhibiting a solution which requires a group of n = t 2 Gamma t 1 players in order to tolerate up to t players that might refuse to participate in the signature protocol. Thus, for n given players this solution can resist up to p n ....

.... ElGamal like schemes appears in an earlier paper by Cerecedo, Matsumoto and Imai [CMI93] They present formal definitions of threshold signature schemes and solutions based on the ElGamal signature scheme which require only a linear increase in the number of signers (compared to quadratic as in [Lan95]) Our work, independently developed, follows an approach similar to [CMI93] However, by concentrating on the case of DSS signatures we achieve significantly better properties in our solution, and a stronger security analysis. We discuss these properties next. 1.2 Our Contribution We present ....

[Article contains additional citation context not shown here]

S. Langford. Threshold DSS signatures without a trusted party. In D. Coppermisth, editor, Advances in Cryptology -- Crypto'95, Lecture Notes in Computer Science No. 963, pp. 397--409. Springer-Verlag, 1995.

....sharing techniques than RSA or even other ElGamal type of signatures. For this reason, many variants of ElGamal type signatures, have been proposed that are more suitable to being turned into threshold schemes (see for example [Har94, PK96] The specific case of DSS was studied by Langford in [Lan95]. Langford has overcome some of the DSS di#culties, exhibiting a solution which requires a group of n = t 2 t 1 players in order to tolerate up to t players that might refuse to participate in the signature protocol. Thus, for n given players this solution can resist up to # n corrupted ....

.... ElGamal like schemes appears in an earlier paper by Cerecedo, Matsumoto and Imai [CMI93] They present formal definitions of threshold signature schemes and solutions based on the ElGamal signature scheme which require only a linear increase in the number of signers (compared to quadratic as in [Lan95]) Our work, independently developed, follows an approach similar to [CMI93] However, by concentrating on the case of DSS signatures we achieve significantly better properties in our solution, and a stronger security analysis. We discuss these properties next. 1.2 Our Contribution We present ....

[Article contains additional citation context not shown here]

S. Langford. Threshold DSS signatures without a trusted party. In D. Coppermisth, editor, Advances in Cryptology -- Crypto'95, Lecture Notes in Computer Science No. 963, pp. 397--409. Springer-Verlag, 1995.

....is indeed the study of efficient multiparty computation protocols for cryptographic functions (e.g. signing or decrypting) in which each party has as input a share of the secret key that allows the computation of such function. Examples of threshold cryptography protocols can be found in [Boy89, Des87, DF91, DF89, CMI93, Har94, DDFY94, PK96, Lan95, GJKR96b, FGY96, GJKR96a, JY]. The above cited protocols use, in various ways, expensive VSS protocols and zero knowledge proofs. Though some are more efficient than others there is still room and need for improvement. Our techniques can be readily applied to this scenario to obtain much more efficient protocols. We would ....

S. Langford. Threshold dss signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, pages 397--409, Berlin, 1995. Springer-Verlag. Lecture Notes in Computer Science No. 963.

.... part of a general approach known as threshold cryptography which was introduced by the works of Boyd [2] Desmedt [4] and Desmedt and Frankel [6] For an overview of the field, the reader is referred to [5] Particular examples of solutions to threshold ElGamal like signatures can be found in [8, 12, 10, 7]. Generally speaking, threshold signature schemes can be classified into the following two categories: 1) schemes with the assistance of a mutually trusted party to decide the group secret signature key s and generate individual shares for all group members [16, 1, 8] and (2) schemes without the ....

....the group secret signature key s and generate individual shares for all group members [16, 1, 8] and (2) schemes without the assistance of a mutually trusted party. In schemes without a mutually trusted party, all group members collectively choose and distribute the group secret signature key s [8, 12, 10, 7]. A threshold proxy signature scheme is a threshold signature scheme with the additional requirement that the group secret s, i.e. proxy signature key, should have a special form satisfying Eq (4) In this paper, we will focus on how to generate the individual shares for every group member such ....

S. Langford, Threshold DSS Signatures without a Trusted Party, Proc. CRYPTO'95, LNCS 963, Springer-Verlag, 1995.

....0 can no longer. We will distinguish the case where insiders are assumed to be honest and the case they are not. Of particular interest is the application of the redistribution of secret shares to threshold cryptography [8, 11, 16] in such contexts as ElGamal [14, 31] RSA [12, 17] and DSS [28, 18]. In threshold cryptography shares of a secret are (re)used in combination with a cryptosystem without leaking anything new about the secret to outsiders and unauthorized insiders. In Section 2 we very briefly sketch some definitions. In Section 3 we discuss the background and notations we need to ....

....k. 5 Threshold cryptography variant It is rather straightforward to use above redistribution algorithm in the context of threshold cryptography, when the Abelian group K to which the secret belongs, is public. This is for example the case in a discrete log setting, as in ElGamal [14, 31] and DSS [28, 18]. However, in the case of RSA [33] the participants do not know the group K, being Z OE(n) as mentioned in [12] Therefore, we focus on such a scenario. 5.1 RSA scenario In the RSA scenario the secret key corresponds to d 2 Z OE(n) ae Z OE(n) In [12] the distributor of the shares ....

S. K. Langford. Threshold DSS signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, Proceedings (Lecture Notes in Computer Science 963), pp. 397--409. Springer-Verlag, 1995. Santa Barbara, California, U.S.A., August 27--31.

....and Desmedt and Frankel [DF90] This approach has received considerable attention in the literature; we refer the reader to [Des94] for a survey of the work in this area. Particular examples of solutions to threshold signatures can be found in [DF92, SDFY94] for the case of RSA signatures, and [Har94, Lan95] for ElGamal type of signatures. In this work we present a threshold signature system for DSS, the Digital Signature Standard [fST91] The importance of providing threshold solutions for signatures schemes used in practice, is that those systems are the ones that will be deployed in the real world ....

....The importance of providing threshold solutions for signatures schemes used in practice, is that those systems are the ones that will be deployed in the real world and hence they are the ones that require the real protection. Threshold DSS signatures schemes were recently studied by Langford [Lan95]. DSS signatures turn out to be less amenable to sharing techniques than RSA or even other ElGamal type of signatures, e.g. see [Har94] Langford has overcome some of these difficulties in the case of DSS, exhibiting a solution which requires a group of n = t 2 1 players in order to tolerate ....

[Article contains additional citation context not shown here]

S. Langford. Threshold dss signatures without a trusted party. In Crypto'95, pages 397-- 409. Springer-Verlag, 1995. Lecture Notes in Computer Science No. 963.

....to sharing techniques than RSA or even other ElGamal type of signatures. For this reason, many variants of ElGamal type signatures, have been proposed that are more suitable to being turned into threshold schemes (see for example [Har94, PK96] The specific case of DSS was studied by Langford in [Lan95]. Langford has overcome some of the DSS difficulties, exhibiting a solution which requires a group of n = t 2 Gamma t 1 players in order to tolerate up to t players that might refuse to participate in the signature protocol. 1 Thus, for n given players this solution can resist up to p n ....

.... ElGamal like schemes appears in an earlier paper by Cerecedo, Matsumoto and Imai [CMI93] They present formal definitions of threshold signature schemes and solutions based on the ElGamal signature scheme which occur only a linear increase in the number of signers (compared to quadratic as in [Lan95]) Our work, independently developed, follows an approach similar to [CMI93] However, by concentrating on the case of DSS signatures we achieve better properties in our solution. We discuss these properties next. 1 Langford presents some additional schemes but of more limited applicability: a ....

[Article contains additional citation context not shown here]

S. Langford. Threshold DSS signatures without a trusted party. In Crypto'95, pages 397--409. Springer-Verlag, 1995. Lecture Notes in Computer Science No. 963.

....and Desmedt and Frankel [DF90] This approach has received considerable attention in the literature; we refer the reader to [Des94] for a survey of the work in this area. Particular examples of solutions to threshold signatures can be found in [DF92, DDFY94] for the case of RSA signatures, and [CMI93, Har94, Lan95] for ElGamal type of signatures. Threshold DSS signatures schemes were recently studied by Langford [Lan95] DSS signatures turn out to be less amenable to sharing techniques than RSA or even other ElGamal type of signatures, e.g. see [CMI93, Har94] Langford has overcome some of these ....

....to [Des94] for a survey of the work in this area. Particular examples of solutions to threshold signatures can be found in [DF92, DDFY94] for the case of RSA signatures, and [CMI93, Har94, Lan95] for ElGamal type of signatures. Threshold DSS signatures schemes were recently studied by Langford [Lan95]. DSS signatures turn out to be less amenable to sharing techniques than RSA or even other ElGamal type of signatures, e.g. see [CMI93, Har94] Langford has overcome some of these difficulties in the case of DSS, exhibiting a solution which requires a group of n = t 2 Gamma t 1 players in ....

[Article contains additional citation context not shown here]

S. Langford. Threshold DSS signatures without a trusted party. In Crypto'95, pages 397--409. Springer-Verlag, 1995. Lecture Notes in Computer Science No. 963.

No context found.

Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO'95 (1995) 397--409, LNCS 963, Springer-Verlag, (1995).

No context found.

Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO'95 (1995) 397--409, LNCS 963, Springer-Verlag, (1995).

No context found.

Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO'95 (1995) 397--409, LNCS 963, Springer-Verlag, (1995).

No context found.

Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO'95 (1995) 397--409, LNCS 963, Springer-Verlag, (1995).

No context found.

Langford S (1995) Threshold DSS signatures without a trusted party. In Proc. CRYPTO '95. LNCS, vol 963. Springer, Berlin Heidelberg New York, pp 397--409

No context found.

Susan K. Langford. Threshold DSS signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology -- Crypto '95 proceedings, number 963 in LNCS, pages 397--409. Springer-Verlag, Berlin, 1995.

No context found.

Susan K. Langford. Threshold DSS signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology -- Crypto '95 proceedings, number 963 in LNCS, pages 397--409. Springer-Verlag, Berlin, 1995.

No context found.

S. Langford. Threshold DSS signatures without a trusted party. In CRYPTO '95 (LNCS 963), pages 397--409, 1995.

No context found.

Langford S.[1996] : "Threshold DSS Signature without a Trusted Party", Proc. CRYPTO'95, LNCS 963, Springer -- verlag.

No context found.

S. Langford. Threshold dss signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, pages 397--409, Berlin, 1995. Springer-Verlag. Lecture Notes in Computer Science No. 963.

No context found.

S. Langford. Threshold DSS signatures without a trusted party. In Crypto '95, pages 397--409, 1995. LNCS No. 963.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC