P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag,(1995), pp. 224--237.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....of this paper that deal with partial message recovery) 1.2 Related work Many variants of the original E1Gamal [12] signature scheme have been described [1, 2, 16, 22 24, 27 30, 33, 34] Some effort has been done towards an global description of those schemes. Horster, Michels and Petersen [17 19] defined the Meta E1Gamal signature schemes. Brickell, Pointcheval, Vaudenay and Yung [6] defined the Trusted E1Gamal type signature schemes of type I and II. The security proofs in this paper are directly inspired from security proofs that were published for some DL based signature schemes [6, ....

P. HorsteL M. Michels and H. Petersen. Meta Message Recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications. Proc. Asiacrypt'9J, Wollongong, Nov. 1994. Full paper available at http://ww. geocities. c om/CapeCanaveral/Lab/8967/TR-94-9. ps. gz.

....Secure E Cash Systems. 1 Introduction The concept of blind signature was introduced by Chaum [1] It allows a requester to obtain signatures on the messages he provides to the signer without revealing these messages. A distinguishing property required by a typical blind signature scheme [1, 2, 3, 4] is so called the unlinkability , which ensures that requesters can prevent the signer from deriving the exact correspondence between the actual signing process performed by the signer and the signature which later made public. The blind signatures can realize secure electronic payment schemes ....

....in secure electronic Corresponding author. E mail: lei cc.ee.ntu.edu.tw . 1 payment schemes, or as tickets in applications such as secret voting schemes. The security of the blind signature schemes proposed in [1, 3] are based on the hardness of factorization [11] and the schemes proposed in [2, 4] is based on the hardness of computing discrete logarithm [12] Threshold signatures [13, 14] are motivated by the need that arises in organizations to have a group of employees who agree on a message before signing and by the need to protect the group private key from the attack of internal and ....

Horster, P, Michels, M and Petersen, H Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications, Proc. of AsiaCrypt'94, LNCS 917, Springer-Verlag (1994) 224-237.

....proposed a voting scheme, which preserves the privacy of the voters against the administrator and other voters. The drawback of this scheme is that if all candidates conspire the privacy of the voters is violated. For the ability of protecting the privacy of the voters, blind signature techniques [2, 4, 9, 11] are widely adopted to secure voting schemes [10, 13, 16, 26] A distinguishing property required by a typical blind signature scheme [2, 4, 9, 11] is so called the unlinkability , which ensures that the requesters can prevent the signer from deriving the exact correspondence between the actual ....

....if all candidates conspire the privacy of the voters is violated. For the ability of protecting the privacy of the voters, blind signature techniques [2, 4, 9, 11] are widely adopted to secure voting schemes [10, 13, 16, 26] A distinguishing property required by a typical blind signature scheme [2, 4, 9, 11] is so called the unlinkability , which ensures that the requesters can prevent the signer from deriving the exact correspondence between the actual signing processes performed by the signer and the signatures which later made public. The signed blind messages can be regarded as tickets in ....

[Article contains additional citation context not shown here]

P. Horster, M. Michels and H. Petersen, "Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications," Advances in Cryptology: Proc. of AisaCrypt'94, LNCS 917, pp. 224-237, SpringerVerlag, 1995.

....encryption and signature scheme. In schemes 1 and 2 any encryption and signature scheme can be used. In the scheme of pseudonymous self certified keys, the cAPC scheme, and the uAPC scheme a discrete logarithm based encryption and signature scheme is used. There are several DLP based schemes [El85, Sc91, HX94, HMP94]. 4.2.3 Anonymity, unlinkability, and untraceability If the anonymity and unlinkability of certificates is maintained in a scheme, then it is said that the untraceability of certificates is maintained. In schemes 1 and 2, given a certificate, it is impossible to know the identity of the user ....

P. Horster, M. Michels, H. Petersen, "Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications," Advances in Cryptology -- ASIACRYPT '94 , pp. 224--237, Springer-Verlag, 1995.

....by Chaum [1] It is an interactive protocol which involves two kinds of participants, the signer and requesters. It allows a requester to obtain signatures on messages he provides to the signer without revealing these messages. A distinguishing property required by a typical blind signature scheme [1 5] is called the unlinkability , which ensures that requesters can prevent the signer from deriving the exact correspondence between the actual signing process performed by the signer and the signature which is later made public. In a distributed environment, every signed blind message can be ....

.... of electronic money in secure electronic payment systems [1, 6 9] or as a ticket in applications such as secret voting schemes [10 12] The security of the blind signature schemes proposed in [1, 4] is based on the hardness of factorization [13] while the security of the schemes proposed in [2, 5] is based on the hardness of computing discrete logarithm [14 16] A relevant type of signature scheme called group signatures was introduced in [17] and several improved solutions were proposed in [18 20] The schemes in [17 20] allow a group member to sign a message on the group s behalf such ....

[Article contains additional citation context not shown here]

P. Horster, M. Michels, H. Petersen, Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications, in: Advances in Cryptology-AisaCrypt'94, LNCS 917, Springer, New York, 1994, pp. 224--237.

....Secure Voting Systems. 1 Introduction The concept of blind signature was introduced by Chaum [4] A blind signature scheme is an interactive protocol which involves two kinds of participants, the signer and a requester. A distinguishing property required by a typical blind signature scheme [2, 4, 12, 25, 26] is so called the unlinkability , which ensures that requesters can prevent the signer from deriving the exact correspondence between the actual signing process performed by the signer and the signature which later made public. The blind signatures can realize the secure electronic payment ....

P. Horster, M. Michels and H. Petersen, "Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications," Proc. of AisaCrypt'94, LNCS 917, Springer-Verlag, 1994, pp. 224-237.

....In this scheme, the recovery and verification of Alice s message need Bob s private key xB . Therefore, public verification is impossible. The computation of signature s is different from that of the original ElGamal signature scheme [5] This is an instance of the generalized ElGamal signature [10, 9]. 2.2 Bao Deng Scheme We describe the Bao Deng signcryption scheme [1] which is based on Zheng s signcryption scheme [18, 19] The initial setting and notations are similar to those of the Horster MichelsPetersen scheme. Additionally it needs a symmetric key cipher such as DES [16] and IDEA ....

P. Horster, M. Michels, and H. Petersen. Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications. In Asiacrypt '94, volume 917 of LNCS, pages 224--237. Springer-Verlag, 1995.

....In the next section, we propose a nonrepudiable proxy signature scheme which overcomes these shortcomings. 4 Nonrepudiable proxy signature scheme To achieve nonrepudiation, we use blind signature schemes to generate proxy signature keys. However, direct applying existing blind signature schemes [7, 12] results in fully blind signatures such that given a proxy signature the original signer has no idea about the identity of its proxy signer. Therefore, we have to adapt fully blind signature schemes to partially blind signature schemes in which only the proxy signer knows the secret proxy ....

....If they follow the protocol specification, the generated proxy signature keys should be independent from each other. We have shown our approach through an adapted blind Nyberg Rueppel scheme. Since all the ElGamal like signature and blind signature schemes share the same general construction [11, 12], we are able to apply our approach to other ElGamal like proxy signature schemes. Details will be given in the full paper. 7 Conclusion We have shown how to add nonrepudiation to existing proxy signature schemes. Nonrepudiation means the signature signer, both the original and proxy signers, ....

P. Horster, M. Michels, and H. Petersen, Meta-Message Recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications, Proc. Asiacrypt'94, Lecture Notes in Computer Science 917, Springer Verlag, 1995, pp. 224 - 237.

....study another countermeasure that the ElGamal type message recovery signature is made strong against the two forgeries by improving Nyberg Rueppel s signatures. In public key certifying protocols or authenticated key exchange protocols such a countermeasure is preferable. There are many variants([4]) in the ElGamal signature and the elliptic curve versions( 7] 8] But little is known about their relative strength against forgeries. Therefore our approach would be also effective in classifying many variants under strength to forgeries, which would give a condition to select more secure ....

....property: since Equation (13) is represented as r 2 j Mx(eYA ) x b a G c a YA (mod p) two algebraic relations among e, b=a and c=a can not be derived. The same also holds in Equation (14) Therefore all MRE signatures are strong against the recoveryeq attack. In [4], the message mask equations different from that of MR signatures are presented. Theorem 1 can be also applied to their message mask equations. 4.2 Signature eq attack This subsection makes clear the condition of the signature eq attack. The signature eq attack using the basepoint Assume that ....

[Article contains additional citation context not shown here]

P. Horster, M. Michels and H. Petersen "Meta-Message Recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications", Advances in Cryptology-Proceedings of Asiacrypt'94, Lecture Notes in Computer Science, 917(1995), Springer-Verlag, 224-237.

No context found.

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag,(1995), pp. 224--237.

No context found.

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag,(1995), pp. 224--237.

No context found.

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag,(1995), pp. 224--237.

No context found.

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag,(1995), pp. 224--237.

No context found.

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag,(1995), pp. 224--237.

....3 In this scheme, the recovery and verification of Alice s message need Bob s private key xB . Therefore, public verification is impossible. The computation of signature s is different from that of the original ElGamal signature scheme [8] This is an instance of the generalized ElGamal signature [11, 12]. 2.2 Bao Deng Scheme We describe the Bao Deng signcryption scheme [9] which is based on Zheng s signcryption scheme [1, 2] The initial setting and notations are similar to those of the Horster MichelsPetersen scheme. Additionally it needs a block encryption algorithm such as DES [13] and IDEA ....

Horster, P., Michels, M. and Petersen, H., "Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications," Asiacrypt '94, LNCS Vol.917, pp.224--237, Springer-Verlag, 1995.

....parameters if she gets a signed unblinded message. Recently blind ElGamal based signature schemes and blind message recovery signature schemes were introduced [CaPS94] In this article we show how to generalize them using the ideas of the Meta ElGamal and the Meta Message recovery signature scheme [HMP294, HMP394]. We first give a brief review of the Meta ElGamal and present the blind Meta ElGamal signature scheme. Then we give a brief review of the Meta Message recovery signature scheme and present the Meta Message recovery blind signature scheme. After that we discuss the most efficient variants and ....

....s. The message can be recovered by computing m j ff s p r A r (mod p) The security of this scheme seems to be similar to the ElGamal scheme, although an equivalence hasn t been proved yet. We can apply the Meta ElGamal scheme to this approach to obtain the Meta Message recovery scheme [HMP394]. The general signature equation is of the form A j s AB kC (mod q) 15) with A; B; C permutations of general functions e; f; g : Z q 2 Z q with arguments r and s. The parameter r can be computed by r 0 : ff k (mod p) and r : d(m; r 0 ) with a suitable function d : Z p 2 Z p , ....

[Article contains additional citation context not shown here]

P.Horster, M. Michels, H. Petersen, "Meta Message recovery and Meta blind signature schemes giving message recovery based on the discrete logarithm problem and their applications", Proc. Asiacrypt '94, Univ. of Wollongong, Nov. 28 -- Dec. 1st, (1994), 12 pages.

....with appendix, e.g. by Schnorr, Nyberg and Rueppel or Harn. All these variants can be embedded into a Meta ElGamal signature scheme [HMP194, HMP294] Other signature schemes giving message recovery, e.g. by Nyberg and Rueppel and Piveteau could be embedded into a Meta Message recovery scheme [HMP394]. Since 1981 it has been examined to use other permutations instead of the exponentiation in cryptography. For example, Muller, W.Nobauer and R.Nobauer suggested to use an RSA like scheme based on the Dickson polynomial [MuNo81, MuNo85] In 1993 a very similar RSA like scheme has been proposed by ....

.... in GF (p) As the evaluation of the Lucas function is slightly less efficient than computing exponentiations, the efficiency of the new schemes is lower than the related signature scheme in GF (p) It is straightforward to derivate signature schemes giving message recovery using the ideas given in [HMP394]. 7. Acknowledgement We thank Prof. C. S. Laih from National Cheng Kung University, Tainan, Taiwan, R.O.C. for sending us the paper [LaTT93] 8 ....

P.Horster, M.Michels, H.Petersen, "Meta Message Recovery and Meta blind signature schemes based on the discrete logarithm problem and some applications", Pre-Proc. Asiacrypt'94, Wollongong, NSW, Australia, Nov. 28 -- Dec. 1, (1994), pp. 185--196.

....Signature Algorithm (DSA) proposed by NIST [NIST91, Sim193, Sim293] We review these channels briefly in section 2 and discuss the properties of these channels. In section 3 we review the Meta ElGamal signature scheme (MEG) HMP194] in section 4 the MetaMessage recovery signature scheme (MMR) [HMP294] and show in section 5 and 6 that the subliminal channels due to Simmons can also be established in these schemes. Additionally we suggest further narrowband subliminal channels. Then we discuss a modification how these subliminal channels can be avoided using the assumption that Carol can t ....

....s. The message can be recovered by computing m j ff s p r A r (mod p) The security of this scheme seems to be similar to the ElGamal scheme, although an equivalence hasn t been proved yet. We can apply the Meta ElGamal scheme to this approach to obtain the Meta Message recovery scheme [HMP294]. The general signature equation is of the form A j xAB kC (mod q) 7) with A; B; C permutations of general functions e; f; g : Z q 2 Z q with arguments r and s. The parameter r can be computed by r 0 : ff k (mod p) and r : d(m; r 0 ) with a suitable function d : Z p 2 Z p , ....

[Article contains additional citation context not shown here]

P.Horster, M. Michels, H. Petersen, "Meta Message recovery and Meta blind signature schemes giving message recovery based on the discrete logarithm problem and their applications", Proc. Asiacrypt '94, Univ. of Wollongong, Nov. 28 -- Dec. 1st, (1994), 12 pages.

....For further discussions we have to consider only this Meta scheme. Furthermore there exist interesting applications like Metaauthentic encryption schemes [HMP194] identity based public keys used for authentication and authenticated key exchange and weak and strong blind signature schemes [HoP394, HMP394]. ....

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Proc. Asiacrypt '94, University of Wollongong, NSW, Australia, Nov. 28 -- Dec. 1st, (1994), 12 pages.

....The use of exponentiation for computing modular inverses indicates that efficiency was not the standard designer s main motivation. An advantage of GOST 34.10 94 over DSA is its inherit suitability to extended signature concepts, e.g. for blind signatures or multisignatures as already shown in [13, 14]. This property does not hold for the DSA. ....

P.Horster, M.Michels, H.Petersen, "Meta Message recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Springer Verlag, (1995), pp. 224--237.

.... Theoretical Computer Science and Information Security, University of Technology Chemnitz Zwickau, Strae der Nationen 62, D 09111 Chemnitz, Germany E mail: fpho,mmi,hpeg informatik.tu chemnitz.de July 19, 1995 Abstract In [Harn95] Harn claims, that the signature schemes in [CaPS94] and [HoMP94] are not true blind signatures. In this comment, we prove, that this claim is fortunately totally wrong. His attempt to cryptanalyse the schemes in [CaPS94, HoMP94] is incorrect, as the proposed relationship, which is used to trace the signature by the signer, is an invariant that is satisfied ....

....fpho,mmi,hpeg informatik.tu chemnitz.de July 19, 1995 Abstract In [Harn95] Harn claims, that the signature schemes in [CaPS94] and [HoMP94] are not true blind signatures. In this comment, we prove, that this claim is fortunately totally wrong. His attempt to cryptanalyse the schemes in [CaPS94, HoMP94] is incorrect, as the proposed relationship, which is used to trace the signature by the signer, is an invariant that is satisfied by any two pairs of signed messages. We assume, that the reader is familar with the notation in [Harn95] and the notation of the Meta blind signature scheme in ....

[Article contains additional citation context not shown here]

P.Horster, M.Michels, H.Petersen, "Meta-Message recovery and Meta-blind signature schemes based on the discrete logarithm problem and their applications ", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Berlin: Springer Verlag, 1995, pp. 224 -- 237.

....1. Introduction The concept of blind signature schemes has been proposed by David Chaum in 1982 [Chau82] Since then there have been many efforts to construct blind signature schemes. They can be used in many applications like pseudonymous credentials, electronic cash or anonymous access control [Chau85, Bran93, CaPS94, HMP394]. In all cases the security of the protocols is considered at the moment when the notary signs the document. It wasn t necessary to check, that the signature keeps it s anonymity when it is presented later to the notary who can store the signature parameters of all signed documents, because the ....

....useful in many applications. Some of them are discussed at the end of this paper. Additionally it is also possible to blind only the signature parameters but not the message, which can be very useful for self certified public keys and the related authentication and authentic key exchange protocols [HoKn91, HoP294, HMP394]. In section two we present our classification of blind signature schemes [HoP394] Section three gives a brief introduction into the Meta ElGamal signature scheme [HMP294] which is necessary to develop the hidden signatures in section four [HoP294] applying the techniques described in ....

[Article contains additional citation context not shown here]

P.Horster, M. Michels, H. Petersen, "Meta Message recovery and Meta blind signature schemes giving message recovery based on the discrete logarithm problem and their applications", Proc. Asiacrypt '94, Univ. of Wollongong, Nov. 28 -- Dec. 1st, (1994), 12 pages.

.... 1991 1993 1994 1992 1988 HoP94a, HoP94b HMP94b, HMP94d NIST91 AgMV90 ElG85a ElG84a, ElG84b Har94a, Har94b Knob94 YeLa93, Boyd94, Nybe94 Simm84 HMP94l Simm93 NyR93a NyR93b,NyRu94 HMP94c, HMP94f Sch91b Schn89, Sch91a ChEG87 FiSh86 Pive93 Pinc94 BrMc91 HoKn91 HoP94c HMP94i Chau82 CaPS94 HMP94g, HMP94h Okam92 HMP94k HMP94m SuHw91 HMP94a Sary90 HMP94h, HMP94j Pete93 Pete93 Gunt89 Gira91 BaKn89 Beth88 HMP94h, HMP94j HMP94h, HMP94j Burm94 Yaco91 YaSh89 Signature schemes Subl. Chann. Blind signatures Encryption Authentication Key exchange Message recovery Okam92 HMP94n Relationship between ....

.... NIST91 AgMV90 ElG85a ElG84a, ElG84b Har94a, Har94b Knob94 YeLa93, Boyd94, Nybe94 Simm84 HMP94l Simm93 NyR93a NyR93b,NyRu94 HMP94c, HMP94f Sch91b Schn89, Sch91a ChEG87 FiSh86 Pive93 Pinc94 BrMc91 HoKn91 HoP94c HMP94i Chau82 CaPS94 HMP94g, HMP94h Okam92 HMP94k HMP94m SuHw91 HMP94a Sary90 HMP94h, HMP94j Pete93 Pete93 Gunt89 Gira91 BaKn89 Beth88 HMP94h, HMP94j HMP94h, HMP94j Burm94 Yaco91 YaSh89 Signature schemes Subl. Chann. Blind signatures Encryption Authentication Key exchange Message recovery Okam92 HMP94n Relationship between ElGamal based publications from 1984 1994 ElGamal ....

[Article contains additional citation context not shown here]

P.Horster, M.Michels, H.Petersen, "Meta-Message recovery and Meta-blind signature schemes based on the discrete logarithm problem and their applications", Pre-Proc. Asiacrypt '94, University of Wollongong, NSW, Australia, Nov. 28 -- Dec. 1st, (1994), pp. 185 -- 196.

.... y B N r C (mod p) and A; B; C chosen as above, there exist unique a; b 2 Z q with r j r a ff b (mod p) A = a C Gamma1 AC bC (mod q) B = a C Gamma1 BC (mod q) The proof is straightforward adopting the proof in [CaPS94] and can be found in the full version of the paper [HMP594] Hence the Meta ElGamal blind signature scheme can be written as MEB = Mode:Type:N o; d; e; f; g) similar to the Meta ElGamal scheme (MEG) A security and efficiency analysis is given in the full paper [HMP594] Generalized design Instead of using d(r; m) r we can also use the general ....

.... adopting the proof in [CaPS94] and can be found in the full version of the paper [HMP594] Hence the Meta ElGamal blind signature scheme can be written as MEB = Mode:Type:N o; d; e; f; g) similar to the Meta ElGamal scheme (MEG) A security and efficiency analysis is given in the full paper [HMP594] Generalized design Instead of using d(r; m) r we can also use the general suitable function d(r 0 ; m) where r 0 : r a ff b ( mod p) if m does not appear as argument in the functions e; f and g. The resulting Meta scheme is given in the following table: Meta blind scheme for ....

[Article contains additional citation context not shown here]

P.Horster, M.Michels, H.Petersen, "Meta-Message recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications ", (Full version), Technical Report TR-94-9, University of Technology Chemnitz-Zwickau, June, (1994), 22 pages 1 .

....allows message recovery and therefore signed values don t have to be stored. The most efficient scheme w.r.t. signature storage is the blind Schnorr signature [ChP92b, Okam92] Also other variants of the family of ElGamal signature schemes that allow message recovery might be considered [NyRu94, HMP94b] which reduces the parameter size further. A provably computational secure choice is the blind Okamoto signature [PoS96b] Also other schemes, like restrictive blind signatures [Bra93b] that allow to prevent overspending without the help of the trustee, might be considered, although there is no ....

P.Horster, M.Michels, H.Petersen, "Meta-Message recovery and Meta-blind signature schemes based on the discrete logarithm problem and their applications", Lecture Notes in Computer Science 917, Advances in Cryptology: Proc. Asiacrypt '94, Springer Verlag, (1995), pp. 224 -- 237.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC