35 citations found.
A. FIAT & A. SHAMIR, How to prove yourself: Practical solutions of identification and signature problems, Advances in Cryptology: Proceedings of Crypto'86, Lecture Notes In Computer Science, Springer-Verlag, Berlin, 263 (1987), pp 186--194.

This paper is cited in the following contexts:

Forking Lemmas in the Ring Signatures' Scenario - Herranz, Sáez (2003)   (Correct)

....in [17] to prove the security of some generic signature schemes. The forking lemmas in [17] can be applied in any signature scheme obtained from a honest verifier zero knowledge identification protocol (also known as three move signature schemes), for example the ones by Schnorr [20], Fiat Shamir [13], or Guillou-Quisquater [15]. Analogously, our extension of the forking lemmas to the ring signatures scenario, that we have applied to a particular Schnorr ring signature scheme, could be used to prove the security of future ring signature schemes constructed from these three move signature ....

A. Fiat and A. Shamir. How to prove yourself: practical solutions of identification and signature problems. Advances in Cryptology-Crypto'86, LNCS 263, Springer-Verlag, pp. 186-194 (1986).


Provably Secure Blind Signature Schemes - Pointcheval, Stern (1996)   (31 citations)  (Correct)

....and Shamir in [12] for the purpose of identification. In such a scheme, many secret keys are associated to a same public key. Furthermore, the views of two identifications using two distinct secret keys associated to a same public key are indistinguishable. For example, in the Fiat Shamir protocol [15], the verifier cannot distinguish which square root the prover uses. Okamoto, in [21], proposed a witness indistinguishable adaptation of both the Schnorr [24] and the Guillou Quisquater [17] identification schemes. 5 3.2 Provably Secure Blind Signature Schemes As was already remarked, the ....

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In Crypto '86, LNCS 263, pages 186-194. Springer-Verlag, 1987.


Security Proofs for Signature Schemes - Pointcheval, Stern (1996)   (124 citations)  (Correct)

....notion of claw free permutations. We refer to [6] for details. In 1986, a new paradigm for signature schemes was introduced. It is derived from zero knowledge identification protocols involving a prover and a verifier [5] and uses hash functions in order to create a kind of virtual verifier. In [4], Fiat and Shamir proposed a zero knowledge identification protocol based on the hardness of extracting square roots. They also described the corresponding signature scheme and outlined its security. Similar results for other signature schemes like Schnorr's [12] are considered as folklore results ....

....we will only consider signature schemes which, on the input message m, produce triplets $(\sigma_1, h, \sigma_2)$ independent of previous signature. In those triplets $(\sigma_1, h, \sigma_2)$, h is the hash value of $(m, \sigma_1)$ and $\sigma_2$ just depends on $\sigma_1$, the message m, and h. This covers the case of Fiat Shamir [4], Schnorr [12] and many others. In some cases, $\sigma_1$ or h can be omitted, but we will keep them for more generality. 2.2 Attacks We will only consider two different scenarios involving probabilistic polynomial time Turing machines, the no message attack and the adaptively chosen message attack ....

[Article contains additional citation context not shown here]

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology -- Proceedings of CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194, Santa-Barbara, California, 1987. Springer-Verlag.


Flaws in Applying Proof Methodologies to Signature.. - Stern, Pointcheval.. (2002)   (15 citations)  (Correct)

....that some underlying computational problem is hard. Unfortunately, very few schemes are currently known that allow such a proof. The next step is to hope for a proof in a non standard computational model, as proposed by Bellare and Rogaway [3] following an earlier suggestion by Fiat and Shamir [11]. In this model, called the random oracle model, concrete objects such as hash functions are treated as random objects. This allows one to carry through the usual reduction arguments to the context of relativized computations, where the hash function is treated as an oracle returning a random ....

....with the stronger CMA model. 4 Duplicates in ECDSA Let us now turn to the ECDSA signature scheme, on which we give two more examples. 4.1 Description of ECDSA The ElGamal signature scheme [10] appeared in 1985 as the first DL based signature scheme. In 1989, using the Fiat and Shamir heuristic [11] based on fair zero-knowledge [13], Schnorr provided a zero knowledge identification scheme [26] together with the corresponding signature scheme. In 1994, a digital signature standard DSA [20] was proposed, whose flavor was a mixture of ElGamal and Schnorr. The standard was later adapted to the ....

A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In Crypto '86, LNCS 263, pages 186-194, Springer-Verlag, 1987.


Security Arguments for Digital Signatures and Blind Signatures - Pointcheval, Stern (2000)   (83 citations)  (Correct)

....value, this property is called collision freeness. It was later realized that hash functions were an essential ingredient for the security of signature schemes. In order actually to obtain security arguments, while keeping the efficiency of the designs that use hash functions, several authors (e.g. [21], [2], [3], [43], [42] and [44]) have suggested using the hypothesis that f is actually a random function. We follow this suggestion by using the corresponding model, called the random oracle model. In this model the hash function can be seen as an oracle which produces a truly random value for ....

....does not prove by itself the identity of the sender. In 1986 a new paradigm for signature schemes was introduced. It is derived from fair zero knowledge identification protocols involving a prover and a verifier [26] and uses hash functions in order to create a kind of virtual verifier. In [21], Fiat and Shamir proposed a zero knowledge identification protocol based on the hardness of extracting square roots. They also described the corresponding signature scheme and outlined its security. Similar security results for other signature schemes like Schnorr's [50], [51] are considered ....

[Article contains additional citation context not shown here]

A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In Crypto '86, LNCS 263, pages 186-194. Springer-Verlag, Berlin, 1987.


The Sybil Attack - Douceur (2002)   (176 citations)  (Correct)

....amplify its influence. A system that can tolerate a fraction q0 of all identities being faulty can tolerate only qo g of all entities being faulty. In some systems, this may be acceptable. 4. Related work Most prior research on electronic identities has focused on persistence and unforgeability [14, 15, 27, 31], rather than on distinctness. Computational puzzles are an old technique [25] that has become popular recently for resisting denial of service attacks [1, 9, 20] by forcing the attacker to perform more work than the victim. Dingledine et al. [11] suggest using puzzles to provide a degree of ....

A. Fiat, A. Shamir, "How to Prove Yourself: Practical Solutions of Identification and Signature Problems", Crypto '86, 1987, pp. 186-194.


An Intrusion-Tolerant Security Server for an Open.. - Laurent Blain Yves (1990)   (2 citations)  (Correct)

....acting for a user wants to access a secured service, he must first be authenticated. The authentication service verifies that the subject is really who he claims to be. To do this, both logical or physical techniques are available. These can be based on passwords, zero knowledge authentication [FIAT 86, GUIL 88] smartcards or chip cards. All these techniques use the same protocol principle: the subject must prove its identity to the authentication server by showing that he possesses a secret information, its authenticator. In a distributed system with several authentication servers, each ....

FIAT A., SHAMIR A., "How to Prove Yourself: Practical Solutions of Identification and Signature Problems", Advances in Cryptology - CRYPTO'86, Santa Barbara, August 1986, Lecture Notes in Computer Science, Vol. 263, ISBN 0387 -18047-8, pp. 186-194.


Computational Alternatives to Random Number Generators - Raïhi, Naccache.. (1998)   (Correct)

.... feature is a cheap protection against direct physical attacks on the signer's noise generator (corrupting the source to obtain twice an identical u) 4 Deterministic versions of other schemes The idea described in the previous sections can be trivially applied to other signature schemes such as [10] or [12]. Suffice it to say that one should replace each session's random number by a digest of the keys (secret and public) and the signed message. 7 System parameters: k, security parameter; p and q, prime numbers such that $q \mid (p-1)$; $g \in \mathbb{Z}_p$ of order q; h, hash function. Key generation: ....

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In Crypto '86, LNCS 263, pages 186-194. Springer-Verlag, 1987.


Short Proofs of Knowledge for Factoring - Poupard, Stern (2000)   (6 citations)  (Correct)

....that an object belongs to a language (proof of membership) or that he knows a secret information (proof of knowledge) without revealing anything about his secret knowledge. Such proofs have practical applications since they allow to solve many cryptographic problems such as ZK identification [9], digital signature [25] or robust distributed cryptography [26]. Many ZK proof systems have been published so far that are related to the presumably intractable problems on which public key cryptography is based, such as the computation of discrete logarithms [25], of square roots [9] and of e ....

.... [9], digital signature [25] or robust distributed cryptography [26]. Many ZK proof systems have been published so far that are related to the presumably intractable problems on which public key cryptography is based, such as the computation of discrete logarithms [25], of square roots [9] and of e th roots [15] modulo a composite integer. In this paper, we consider the most popular such problem: the factorization of integers, i.e. how to prove to a verifier that one s knows some prime numbers whose product is a public number without giving any information about this ....

[Article contains additional citation context not shown here]

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In Crypto '86, LNCS 263, pages 186--194. Springer-Verlag, 1987.


On The Fly Signatures based on Factoring - Poupard, Stern (1999)   (9 citations)  (Correct)

....such attacks cannot exist. • Even if a prover is identified many times, no information about his secret can be learned by eavesdroppers or verifiers. 3 THE SIGNATURE SCHEME We now turn the identification scheme into a signature scheme using a technique originally proposed by Fiat and Shamir [11, 12] and used by Schnorr [33] and others. In order to go from identification to signature, the challenges e are no longer randomly chosen by a verifier but computed through a hash function H such as SHA 1 [26] or MD5 [31]. Such a function maps a binary strings of arbitrary length to binary string of ....

....is equivalent to factoring N. We refer to [3] for a precise analysis of the security of those two schemes in the random oracle model. Feige Fiat Shamir and Guillou Quisquater schemes The Feige Fiat Shamir signature scheme [11] is derived from the Fiat Shamir zero knowledge authentication scheme [12]. Like Rabin's scheme, it is based on the difficulty of computing square roots modulo N. The secret key consists of k elements of $\mathbb{Z}_N$ and the related public key is the list of their squares. As a consequence, for a reasonable value of k such that k = 80, both the public and the private keys ....

[Article contains additional citation context not shown here]

Fiat, A., and Shamir, A. How to Prove Yourself: practical solutions of identification and signature problems. In Crypto '86 (1987), LNCS 263, Springer-Verlag, pp. 186--194.


Security of Blind Digital Signatures (Extended Abstract) - Juels, al.   (Correct)

....against existential adaptive chosen message attacks since there are signatures that can be forged under this attack. different approaches for proving the security of signature schemes: complexity-based proofs of security [9, 15, 2, 19, 24, 3, 16, 8] and random oracle model proofs of security [10, 4, 21, 22]. Let us elaborate on these two notions of security: Two Notions of Security for Digital Signatures: Complexity based proofs: The complexity based approach was put forth by Diffie and Hellman [9]. They suggested that the security of a cryptographic primitive could be reduced to a hardness ....

....primitives, including pseudo random generators, signatures and secure protocols were shown to exist based on general complexity assumptions. Proofs based on random oracle model: In the case when complexity-based proofs seem to be difficult to attain, the approach used, for example in [10, 4, 21, 22], is to assume that a cryptographic primitive (such as DES or MD5) behaves like a truly random function. The security of the scheme is then shown under the assumption that the underlying primitive behaves in a near ideal fashion. Such proofs are weaker than complexity based proofs. For a related ....

A. Fiat and A. Shamir. "How to Prove Yourself: Practical Solutions of Identification and Signature Problems", CRYPTO 86.


Security Proofs for Signature Schemes - Pointcheval, Stern (1996)   (124 citations)  (Correct)

....notion of claw free permutations. We refer to [6] for details. In 1986, a new paradigm for signature schemes was introduced. It is derived from zero knowledge identification protocols involving a prover and a verifier [5] and uses hash functions in order to create a kind of virtual verifier. In [4], Fiat and Shamir proposed a zero knowledge identification protocol based on the hardness of extracting square roots. They also described the corresponding signature scheme and outlined its security. Similar results for other signature schemes like Schnorr's [12] are considered as folklore results ....

....will only consider signature schemes which, on the input message m, produce triplets $(\sigma_1, h, \sigma_2)$ independent of previous signature. In those triplets $(\sigma_1, h, \sigma_2)$, h is the hash value of $(m, \sigma_1)$ and $\sigma_2$ just depends on $\sigma_1$, the message m, and h. This covers the case of Fiat Shamir [4], Schnorr [12] and many others. In some cases, $\sigma_1$ or h can be omitted, but we will keep them for more generality. 2.2 Attacks We will only consider two different scenarios involving probabilistic polynomial time Turing machines, the no message attack and the adaptively chosen message attack ....

[Article contains additional citation context not shown here]

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology -- Proceedings of CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186--194, Santa-Barbara, California, 1987. Springer-Verlag.


A Realistic Security Analysis of Identification Schemes Based on.. - Poupard   (Correct)

....we obtain a precise evaluation of which parameters should be chosen today for a secure use of these protocols. 1 Introduction With the advent of zero knowledge proofs in 1985 (see [5]), several interactive identification schemes have been proposed. The first ones, like the Fiat Shamir scheme [3], were based on number theoretical problems and used arithmetical operations with large numbers. In 1989, Shamir proposed a protocol of a new nature, PKP (Permuted Kernels Problem [8]), based on an NP complete problem. The distinctive character of this scheme is its use of small integers and its ....

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology -- Proceedings of CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186--194. Springer-Verlag, 1987.


Montgomery-Suitable Cryptosystems - Published In Cohen   (Correct)

No context found.

A. FIAT & A. SHAMIR, How to prove yourself: Practical solutions of identification and signature problems, Advances in Cryptology: Proceedings of Crypto'86, Lecture Notes In Computer Science, Springer-Verlag, Berlin, 263 (1987), pp 186--194.


Montgomery-Suitable Cryptosystems - Naccache, al. (1994)   (Correct)

No context found.

A. FIAT & A. SHAMIR, How to prove yourself: Practical solutions of identification and signature problems, Advances in Cryptology: Proceedings of Crypto'86, Lecture Notes In Computer Science, Springer-Verlag, Berlin, 263 (1987), pp 186--194.


Design Validations for Discrete Logarithm Based Signature.. - Ernest Brickell David (2000)   (12 citations)  (Correct)

No context found.

A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In Crypto '86, LNCS 263, pages 186--194. Springer-Verlag, Berlin, 1987.


Montgomery-Suitable Cryptosystems - Naccache, M'Raïhi (1994)   (Correct)

No context found.

A. FIAT & A. SHAMIR, How to prove yourself: Practical solutions of identification and signature problems, Advances in Cryptology: Proceedings of Crypto'86, Lecture Notes In Computer Science, Springer-Verlag, Berlin, 263 (1987), pp 186--194.


Practical Multi-Candidate Election System - Baudron (2000)   (12 citations)  (Correct)

No context found.

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In Crypto '86, LNCS 263, pages 186--194. Springer-Verlag, 1987.


Efficient Extension of Standard Schnorr/RSA signatures.. - Steinfeld, Wang.. (2003)   (Correct)

No context found.

A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In CRYPTO'86, volume 263 of LNCS, pages 186--194, Berlin, 1987. Springer-Verlag.


Why Provable Security Matters? - Stern   (Correct)

No context found.

A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In Crypto '86, Lecture Notes in Computer Science 263, Springer-Verlag, Berlin, 1987, 186-194.


Universal Designated-Verifier Signatures - Steinfeld, Bull, Wang, Pieprzyk (2003)   (6 citations)  (Correct)

No context found.

A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In CRYPTO'86, volume 263 of LNCS, pages 186--194, Berlin, 1987. Springer-Verlag.


The Validation of Cryptographic Algorithms - Stern (1996)   (4 citations)  (Correct)

No context found.

Fiat, A., Shamir, A.: How to prove yourself: practical solutions of identification and signature problems. In Advances in Cryptology -- Proceedings of CRYPTO '86 (1986) vol. Lecture Notes in Computer Science 263 Springer-Verlag pp. 186--194.


Practical Multi-Candidate Election System - Baudron, Fouque, Pointcheval.. (2001)   (12 citations)  (Correct)

No context found.

A. Fiat and A. Shamir. How to Prove Yourself: practical solutions of identification and signature problems. In Crypto '86, LNCS 263, pages 186--194. Springer-Verlag, 1987.

CiteSeer.IST - Copyright Penn State and NEC