Amos Fiat, Adi. Shamir: How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology, Crypto '86, pp. 186-194, Springer-Verlag, 1987.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....basically all practical schemes have been based on hard problems from number theory. This has remained true with zero knowledge proofs, introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ( 6] and whose practical significance was soon demonstrated in the work of Fiat and Shamir ([4]) In 1989, there were two attempts to build identification protocols that only use simple operations (see [10, 8] One relied on the intractability of some coding problems, the other on the Permuted Kernel problem (PKP) The first of the schemes was not really practical but has been followed by ....

A. Fiat and A. Shamir: How to prove yourself: Practical solutions to identification and signature problems. In: Proceedings of Crypto 86. Lecture Notes in Computer Science 263. Berlin: Springer 1987, pp. 181-187.

....N . 7 3 Identi cation and Signature Schemes In this section we show how to repair Okamoto s identi cation protocol [Ok92] obtaining a provably secure identi cation scheme withstanding parallel active attacks. Exploiting the relationship to signature schemes via the Fiat Shamir heuristic [FS86], we then show that this identi cation protocol can be used for ordinary as well as blind signatures. 3.1 Identi cation Scheme Our identi cation protocol in Figure 2 follows the framework of Okamoto [Ok92] for the RSA setting, which in turn is an extension of the Guillou Quisquater setup [GQ88] ....

A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identication and Signature Schemes, Advances in Cryptology | Proceedings Crypto '86, Lecture Notes in Computer Science, vol. 263, SpringerVerlag, pp. 186-194, 1986.

....Acknowledgments I would like to thank prof. Claus P. Schnorr, prof. Ernst M. Gabidulin, prof. Jacques Patarin and dr. Louis Goubin for helpful remarks. 1 Introduction The general problem we address is the classical problem of interactive entity authentication. It is known since Fiat Shamir [5] that solving this problem combined with a cryptographic hash function also allows noninteractive authentication, for example digital signatures, The notion of Zero knowledge identification has been formalized by Goldwasser, Micali and Racko# in [16] In such a scheme a Prover proves his identity ....

Amos Fiat, Adi. Shamir: How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology, Crypto '86, pp. 186-194, Springer-Verlag, 1987.

....4. The verifier accepts the proof if and only if g r = ah c and m r = bz c . We shall often refer to this protocol as the basic proof (of equality of discrete logarithms) Now let H be a one way hash function mapping arbitrary inputs into the set ZZ q (as in the Fiat Shamir scheme, see [FS86]) Given this function and the above protocol the signature on m is oe(m) z; c; r) It is correct if a = g r h Gammac and b = m r z Gammac satisfy c = H(m; z; a; b) The reader is referred to [CP92] for a discussion of the security of this signature scheme. In that paper it is ....

A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Proceedings of Crypto '86, Santa Barbara, August 1986, pp. 186--194.

....protocols are non interactive zero knowledge proofs of knowledge, and correspond to well known interactive honest veri er zero knowledge proofs of knowledge. The interactive protocols are converted to their noninteractive counterparts using the generic transformation introduced by Fiat and Shamir [7]. This transformation preserves the properties of the original protocol: Bob is convinced by Alice s proof if and only if she holds the secret whose knowledge she proves, and at the end of the protocol Bob will not have learned any information on Alice s secret. In fact, the resulting ....

A. Fiat and A. Shamir: How to prove yourself: Practical solutions to identication and signature problems. Advances in Cryptology| CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194, New York, 1987. Springer-Verlag.

....systems. Whereas the recipient of a signed message can prove the signature (and thus possibly the authenticity of a statement) to third parties, an identi cation system only allows the recipient to identify the sender as possessing a certain pseudonym at the point in time when the message was sent [86, 11, 40, 74]. For simplicity the sender will enclose a pseudonym (which has probably been specially created) with the statement, or encrypt the statement with the key of a symmetric encryption system which is only known to him and the recipient. Once the statement has been received, however, a third party ....

A. Fiat, A. Shamir: How to Prove Yourself: Practical Solutions to Identication and Signature Problems; Crypto '86, LNCS 263, Springer-Verlag, Berlin 1987, 186-194

....functions required for their scheme (for a generalization, see [9] Though yielding shorter signatures asymptotically, the size grows rapidly in practice as the number of signatures made increases. Starting with [2] many practical digital signature schemes have been proposed, for instance, 15] [16], 17] 18] 19] 20] and [21] Although many of them are actually used in practice today, these schemes seem to have the property that their security is hard to analyze. We certainly do not mean to suggest here that their security is dubious. On the contrary, these schemes rely on common ....

A. Fiat, A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Proceedings of Crypto '86, pp. 186--194

....a practical identification scheme resisting adative man in themiddle impersonation attacks. Moreover, the required primitive protocols can efficiently be constructed under the factoring or discrete logarithm assumptions. 1 Introduction An (public key) identification scheme (see for instance [9]) is an (interactive) protocol by means of which one party (the prover) proves its identity to another party (the verifier) Securing log in procedures is a main application of such schemes. An identification scheme consists of an algorithm to generate public key private key pairs, and a protocol ....

.... Sigma Protocols Let (A; B) be a three move protocol where the prover A speaks first. The verifier B is required to send random bits only. A and B are probabilistic polynomial time (PPT) machines. The protocol (A; B) resembles a proof of knowledge for a binary relation R (see for instance [9] for details) in that the prover can always make the verifier accept on common input x, if the prover knows w such that (x; w) 2 R. By running (probabilistic) polynomial time algorithm a( Delta) on x and his secret witness w, the prover A computes his initial message a. After having received the ....

A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Proceedings of Crypto '86, Springer Verlag LNCS, vol. 263, pp. 186--194

....a given access from a user, electronically proves its identity to another computer. 2) a human user identifies himself herself to a computer in scenarios such as network access, electronic commerce, and transactions over telephones. The development of zero knowledge based identification protocols [1, 4, 2, 3, 6, 8, 9, 10] makes it possible to solve the identification problem among computers with a reasonable complexity. However, most of these protocols do not apply to the second case for the identification between a human user and a machine, largely because a human user has a very limited capacity in memorizing ....

A. Fiat and A. Shamir: How to prove yourself: Practical Solutions to Identical Solutions to Identification and Signature Problems. Advances in Cryptology-CRYPTO'86, Springer-Verlag, Santa Brabara, USA pp186-194.

....as the number of signatures made increases. Starting with the seminal paper [22] which proposed the RSA functions as the first implementation of public key cryptography as envisaged by Diffie and Hellman [9] many practical digital signature schemes have been proposed, for instance, 11] [12], 24] 14] 20] 16] and [19] Although many of them are actually used in practice today, these schemes seem to have the property that their security is hard to analyze. We certainly do not mean to suggest here that their security is dubious. On the contrary, these schemes rely on common ....

A. Fiat, A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Proceedings of Crypto '86, pp. 186--194

....the system; r equals the answer of this random oracle on query . The random oracle may be implemented by the server by using a pseudorandom function [20] In practice, one may be tempted to use a concrete publicly available function, typically a hash function, believed to behave randomly (cf. [19, 2]) However, in connection with the role that m, the bound on the number of function values an adversary can evaluate, plays in the proposition below, it would need to be a very slow function. To analyze the controlled propagation quality of these constructions, we need a technical lemma about the ....

....The verifier can compute this value pk as pk = pk Delta Gamma1 Y j=1 h j j mod p; using the values h j in the user s extended primary public key. Now the user has to give a zero knowledge proof of knowledge of val , i.e. of the discrete logarithm of pk (cf. [9, 19]) 4 An alternative is Schnorr identification [30] which needs only one exponentiation on each side, but is only known to be witness hiding [18] Proposition 5 Construction 5 satisfies 1. Restricted damage from key disclosure: Public information and the validation tags of at most Gamma 1 ....

[Article contains additional citation context not shown here]

A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems; in Crypto '86, Springer-Verlag, LNCS Vol. 263, pp. 186-194, 1987.

....a function. If we only consider polynomial time adversaries, the server can use a pseudo random function [12] instead of choosing and storing real random values. In practice, one may use a concrete publicly available function, typically a hash function, which is believed to behave randomly (cf. [10, 2]) Actually, we merely need a specific random behaviour as postulated in Assumption 1 below. To quantify what is leaked by a single secondary key triple, we refer to the formalism of knowledge complexity [15, 14] More precisely, we only quantify the knowledge leaked by the validation tag. The ....

....from [5] is quite efficient, but it needs t rounds of communication (each with one exponentiation on both sides) for a security level of 2 Gammat . Actually, some of these can be executed in parallel with the usual trade off between amount of parallelism and tightness of the security, cf. [10]. However, t need not be very large, because we do not try to exclude every single case of propagation anyway. An alternative is Schnorr identification [19] which needs only one exponentiation on each side, but is only known to be witness hiding [9] As stated above, a way of using this core ....

A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems; in Crypto '86, Springer-Verlag, LNCS Vol. 263, pp. 186-194, 1987.

....protocol, and the resulting signature is long. More efficient implementations are considered in the next sections. 4 Type I Fair Blind Signatures using Oblivious Transfer The type I fair blind signature scheme presented in this section is based on a variation of the Fiat Shamir signature scheme [12] and on the concept of one outof two oblivious transfer [10] Although the signing protocol is still inefficient, the resulting signature is very short. 4.1 A Variation of the Fiat Shamir Signature Scheme Let n = pq be the product of two large primes chosen by the signer such that 3 is ....

A. Fiat, A. Shamir: How to prove yourself: Practical solutions to identification and signature problems, Proceedings of Crypto '86, LNCS 263 , Springer Verlag, pp. 186-194.

No context found.

Amos Fiat, Adi. Shamir: How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology, Crypto '86, pp. 186-194, Springer-Verlag, 1987.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identification and Signature Problems. Proc. Crypto'86, LNCS 263, pp. 186--194, 1987.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identification and Signatyre Problems. Proc. Crypto'86, LNCS 263, Springer-Verlag, pp. 186--194, 1987.

No context found.

A. Fiat, and A. Shamir: How to Prove Yourself: Practical solutions to identification and signature problems, Advances in Cryptology - CRYPTO '86, LNCS volume 263, pp. 186-194. Springer Verlag, 1987.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identi cation and Signature Problems. Proc. Crypto'86, LNCS 263, pp. 186-194, 1987.

No context found.

A. Fiat and A. Shamir: How to prove yourself: Practical solutions to identification and signature problems. Advances in Cryptology--- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186--194, New York, 1987. Springer-Verlag.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identi cation and Signature Problems. Proc. Crypto'86, LNCS 263, pp. 186-194, 1987.

No context found.

A. Fiat, A. Shamir: How to proveyourself: Practical solutions to identi#cation and signature problems, Proceedings of Crypto '86, LNCS 263 , Springer Verlag, pp. 186-194.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identification and Signature Problems. Proc. Crypto'86, LNCS 263, pp. 186--194, 1987.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identi cation and Signature Problems. Proc. Crypto'86, LNCS 263, pp. 186-194, 1987.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identification and Signature Problems. Proc. Crypto'86, LNCS 263, Springer-Verlag, pp. 186--194, 1987.

No context found.

A. Fiat and A. Shamir : How to Prove Yourself: Practical Solutions of Identification and Signatyre Problems. Proc. Crypto'86, LNCS 263, Springer-Verlag, pp. 186--194, 1987.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC