R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI and University of Amsterdam, November 1996.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....knowledge protocol where in the second round, all that the veri er needs to do is reveal its random coins; its security is only against a veri er who chooses his coins adversarially. Although examples of such protocols were known prior to his work, the term protocol was introduced by Cramer [Cra97] The reason that he called these protocols protocol is the shape of the letter . The de nition we give here is slightly less restrictive than the one given by Cramer and by Damg ard [Dam02] in that we do not require knowledge extraction to be as ecient as they do. De nition 2.6.5 ....

Ronald Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.

....and or signature scheme involved, and sometimes means that no proofs of security can be given, and always means that separability cannot be provided. For a comparison to some concrete previous schemes of this type, please refer to Section 5.2. 2 Preliminaries 2. 1 # Protocols A # protocol [13, 15] for a boolean relation R # 0, 1 # 0, 1 # is a three move honest verifier zero knowledge proof of knowledge for R. That is, a string x is the common input to a prover P and a verifier V , and P demonstrates knowledge of a w such that (x, w) # R. We call w a witness for x, and the set ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.

.... n, any subset of at least t players can decrypt, whereas less than t players cannot. Verifiable group encryption can be used to implement verifiable signature sharing, yielding more general solutions for this problem than what was previously known. 2 Preliminaries 2. 1 Protocols A protocol [9, 11] for a boolean relation R f0; 1g f0; 1g is a three move honestverifier zero knowledge proof of knowledge for R. That is, a string x is common input to prover P and verifier V, and P demonstrates knowledge of a w such that (x; w) 2 R. We call w a witness for x, and the set of x s that ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.

....and or signature scheme involved, and sometimes means that no proofs of security can be given, and always means that separability cannot be provided. For a comparison to some concrete previous schemes of this type, please refer to Section 5.2. 2 Preliminaries 2. 1 Protocols A protocol [14, 16] for a boolean relation R f0; 1g f0; 1g is a three move honest veri er zero knowledge proof of knowledge for R. That is, a string x is the common input to a prover P and a veri er V , and P demonstrates knowledge of a w such that (x; w) 2 R. We call w a witness for x, and the set of x s ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.

....3.1 Non interactive proofs of knowledge Our protocols will require certain non interactive proofs. In this paper, these proofs will basically be the non interactive versions of Sigma protocols [20, 26] i.e. Schnorr like protocols [36] However, we use a general notion of Sigma protocols [17] which encompass both proofs of knowledge and membership. We refer the reader to [17] for the full technical definitions. We also use proofs of conjunctions and disjunctions (i.e. ANDs and ORs) of certain statements which have known non interactive proofs [18] To simplify notation, we will ....

....proofs. In this paper, these proofs will basically be the non interactive versions of Sigma protocols [20, 26] i.e. Schnorr like protocols [36] However, we use a general notion of Sigma protocols [17] which encompass both proofs of knowledge and membership. We refer the reader to [17] for the full technical definitions. We also use proofs of conjunctions and disjunctions (i.e. ANDs and ORs) of certain statements which have known non interactive proofs [18] To simplify notation, we will often state these as conjunctions and disjunctions of the specific proofs (instead of the ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, University of Amsterdam, 1995.

.... n, any subset of at least t players can decrypt, whereas less than t players cannot. Verifiable group encryption can be used to implement verifiable signature sharing, yielding more general solutions for this problem than what was previously known. 2 Preliminaries 2. 1 Protocols A protocol [9, 11] for a boolean relation R f0; 1g f0; 1g is a three move honestverifier zero knowledge proof of knowledge for R. That is, a string x is common input to prover P and verifier V , and P demonstrates knowledge of a w such that (x; w) 2 R. We call w a witness for x, and the set of x s that ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.

....probability. 4 Usual Boolean ordering: a b iff for all bit positions where a has 1, the corresponding position in b is 1 as well. 5 This notion corresponds to semi smooth in [CDS94] Cramer et al. can be tested efficiently. The results from [CDS94] imply the following theorem (see also [Cra96] for the full version) Theorem 1. Let a Sigma protocol (A; B) for relation R be given, satisfying special honest verifier zero knowledge and special soundness. Let F = ff n g be a family of efficiently computable monotone functions. Assume that there is an efficient perfect secret sharing ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI & Univ. of Amsterdam, November 1996. Efficient ZK-Proofs of Knowledge 13

....I ae f1; ng and jfi j j p(jff j j) for j 2 I . Then (ff; fi) 2 RF if and only if fn (I) 1 and (ff j ; fi j ) 2 R for j 2 I . Note that by our assumptions on R and F , the composite binary relation can be tested efficiently. The results from [CDS94] imply the following theorem (see also [Cra96] for the full version) Theorem 1. Let a Sigma protocol (A; B) for relation R be given, satisfying special honest verifier zero knowledge and special soundness. Let F = ffng be a family of efficiently computable monotone functions. Assume that there is an efficient perfect secret sharing scheme ....

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI & Univ. of Amsterdam, November 1996.

No context found.

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI and University of Amsterdam, November 1996.

No context found.

Ronald Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI and University of Amsterdam, 1996.

No context found.

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. Ph.D. Thesis. CWI and University of Amsterdam, 1997.

No context found.

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. Ph.D. Thesis. CWI and University of Amsterdam, 1997.

No context found.

R. Cramer. Modular Design of Secure Yet Practical Cryptographic Protocols. PhD Thesis, CWI and U. Amsterdam, 1996.

No context found.

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, University of Amsterdam, 1995.

No context found.

R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, University of Amsterdam, 1995.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC