16 citations found.
E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in Cryptology -- EUROCRYPT '98, pages 32--46, 1998.


This paper is cited in the following contexts:
A Signature Scheme with Efficient Protocols - Camenisch, Lysyanskaya (2002)   (2 citations)  (Correct)

....5 Preliminary Protocols In this section, we will show how to construct a secure protocol for signing a committed message as described in Section 1, under our basic signature scheme described in Section 2. 5. 1 Commitment Scheme The following commitment scheme is due to Fujisaki and Okamoto [23] and elaborated on by Damgard and Fujisaki [18] Its security relies on the hardness of factoring. Key generation The public key consists of a special RSA modulus n of length # n , and h QR n , g where is the group generated by h. Commitment The commitment Commit(PK, x, r) for inputs of ....

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In K. Nyberg, editor, Advances in Cryptology --- EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 32--46. Springer Verlag, 1998.


Signature Schemes and Applications to Cryptographic Protocol.. - Lysyanskaya (2002)   (6 citations)  (Correct)

....Preliminaries In this section, we will show how to construct a secure protocol for signing a committed protocol as defined in Section 3.2.1, under our basic signature scheme described in Section 4.2. 4.5. 1 Commitment Scheme The following commitment scheme is due to Fujisaki and Okamoto [FO98] and elaborated on by Damgård and Fujisaki [DF01] Its security relies on the hardness of factoring. Key generation The public key consists of a special RSA modulus n of length n , and h QR n , g hhi, where hhi is the group generated by h. Commitment The commitment Commit(PK; x; r) for ....

Eiichiro Fujisaki and Tatsuaki Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Kaisa Nyberg, editor, Advances in Cryptology --- EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 32--46. Springer Verlag, 1998.


A Signature Scheme with Efficient Protocols - Camenisch, Lysyanskaya (2002)   (2 citations)  (Correct)

....5 Preliminary Protocols In this section, we will show how to construct a secure protocol for signing a committed message as described in Section 1, under our basic signature scheme described in Section 2. 5. 1 Commitment Scheme The following commitment scheme is due to Fujisaki and Okamoto [19] and elaborated on by Damgård and Fujisaki [15] Its security relies on the hardness of factoring. Key generation The public key consists of a special RSA modulus n of length n , and h QR n , g hhi, where hhi is the group generated by h. Commitment The commitment Commit(PK; x; r) for inputs ....

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In K. Nyberg, editor, Advances in Cryptology --- EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 32--46. Springer Verlag, 1998.


A Simple Publicly Verifiable Secret Sharing Scheme and its.. - Schoenmakers (1999)   (17 citations)  (Correct)

....shares. Hence, it is explicitly required that (i) can be verified publicly. As noted in [Sta96] the VSS scheme of [CGMA85] already achieved this property, but later VSS schemes weren't designed to be publicly verifiable. Problem (ii) is usually dealt with implicitly though. In the schemes of [Fel87,Ped92b,Sta96,FO98] it suffices that the participants simply release their shares. Subsequently the released shares may be verified by anybody against the output of the distribution protocol. Our PVSS schemes show that such an approach is not sufficient as a general model for PVSS. As an extension to the ....

....there is a direct connection with the security of the ElGamal cryptosystem, as, for instance, the semantic security of ElGamal encryption is equivalent to the Diffie Hellman decision problem. So, in a sense, this type of assumption is the weakest one can hope for. In contrast, the schemes of [Sta96,FO98] rely on special number theoretic settings and intractability assumptions. The discrete log scheme of [Sta96] requires a special assumption involving double discrete logarithms . Briefly, the idea is to consider expressions of the form y = g (h , where g is a generator of a group of order p, ....

[Article contains additional citation context not shown here]

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in 15 Science, pages 32--46, Berlin, 1998. Springer-Verlag.


Proving in Zero-Knowledge that a Number is the Product of.. - Camenisch, Michels (1998)   (33 citations)  (Correct)

.... (we will stick to that notation for the rest of the paper) It should be mentioned, however, that if the order of the group is not known to the prover (e.g. if a subgroup of an RSA ring is used) and when believing in the non standard strong RSA assumption then larger challenges can be chosen [16, 17]. Although we describe our protocols for the setting where the group's order is known to the prover, all protocols can easily be adapted to the setting where the prover does not know the group's order using the techniques from [16, 17] All described protocols can be combined in natural ways. ....

.... strong RSA assumption then larger challenges can be chosen [16, 17] Although we describe our protocols for the setting where the group's order is known to the prover, all protocols can easily be adapted to the setting where the prover does not know the group's order using the techniques from [16, 17]. All described protocols can be combined in natural ways. First of all, one can use multiple bases instead of a single one in any of the above proofs. Then, executing any number of instances of these protocols in parallel and choosing the same challenges for all of them in each round corresponds ....

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In K. Nyberg, editor, Advances in Cryptology --- EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 32--46. Springer Verlag, 1998.


Confirmer Signature Schemes Secure against Adaptive Adversaries - Camenisch, Michels (2000)   (6 citations)  (Correct)

....as the confirmation protocol exhibited in Section 4. This approach is possible for signature schemes such as RSA or DSS. The resulting scheme will enjoy separability and be secure against adaptive attackers while previous solutions were either insecure [18] or secure only in a non adaptive model [8, 19]. 7 Acknowledgements The authors are grateful to Victor Shoup for various discussions and to the anonymous referees for their helpful and detailed comments. ....

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In EUROCRYPT '98, vol. 1403 of LNCS, pp. 32-46. Springer Verlag, 1998.


Fair Encryption of RSA Keys - Poupard, Stern (2000)   (12 citations)  (Correct)

....in order to add control over the size of the secret value. Such a bounded range commitment has many applications and it has been used for group signature by Camenisch and Michels [6] for electronic cash by Chan, Frankel and Tsiounis [8] for verifiable secret sharing by Fujisaki and Okamoto [12] and finally for proving that a modulus is the product of two safe primes by Camenisch and Michels [7] However no satisfactory solution has appeared at the moment 2 . Known proposals are only able to prove that the discrete logarithm is not too far from a fixed range, their analysis is ....

....B[ The prover computes y = r ex (an integer in Z) and sends it to the verifier who checks t = G y Theta Gamma Gammae in G and 0 y A. A security analysis of this scheme is proposed in appendix A. Note that this protocol is similar to previous proposals for bounded range commitment [6, 8, 12, 7] but that the analysis is really different and does not use non standard hypothesis like the strong RSA assumption. Let us summarize the security results. A prover who knows x 2 [0; S[ is accepted with probability higher than 1 Gamma SB=A so A must be much larger than SB in order to make the ....

[Article contains additional citation context not shown here]

E. Fujisaki and T. Okamoto. A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications. In Eurocrypt '98, LNCS 1403, pages 32--46. Springer-Verlag, 1998.


A New Digital Signature Scheme and its Application to a Practical .. - Tsudik (1999)   (Correct)

....of y w.r.t. base g. The order of g being unknown, this means that this party knows an integer x satisfying y = g x . This latter condition may be completed in the sense that the party knows a discrete logarithm x lying in a given interval. It is a slight modification of a protocol appearing in [17]. Definition 12. A pair (c; s) 2 f0; 1g k Theta Sigmaf0; 1g ffl( k) 1 verifying c = H(mkykgkg s GammacX y c ) is a signature of knowledge of the discrete logarithm of y = g x w.r.t. base g and that this logarithm lies in ]X Gamma 2 ffl( k) X 2 ffl( k) on a message m 2 ....

.... knows a secret x in ]X Gamma 2 ; X 2 [ the signature only guarantees that x lies in the extended interval ]X Gamma 2 ffl( k) X 2 ffl( k) The security of all the presented building blocks has been proven in the random oracle model [2] under the Strong RSA Assumption in [7, 16, 17]. That is, if ffl 1, then the corresponding interactive protocols are statistical (honest verifier) zero knowledge proofs of knowledge. 5 4 The New Signature Scheme This section describes a new public key digital signature scheme with the security (i.e., unforgeability property) based on the ....

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in Cryptology -- EUROCRYPT '98, vol. 1403 of LNCS, pp. 32--46, Springer-Verlag, 1998.


On The Fly Signatures based on Factoring - Poupard, Stern (1999)   (9 citations)  (Correct)

....absolute minimum and therefore allow on the fly signature using coupons. The basic idea is to design a proof of knowledge of a discrete log modulo a composite integer in such a way that the order of the used generator does not have to be known. A similar idea has also been used for secret sharing [14, 15] and group signature [7] The security analysis of GPS shows that, if an attacker is able to forge valid signatures for a non negligible fraction of the possible public keys, then he is able to compute discrete logs mod N and consequently to factor N . On the other hand, if an attacker is only ....

Fujisaki, E., and Okamoto, T. A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications. In Eurocrypt '98 (1998), LNCS 1403, Springer-Verlag, pp. 32--46.


Proving in Zero-Knowledge that a Number is the Product of.. - Camenisch, Michels (1999)   (33 citations)  (Correct)

.... rest of the paper) For more details on this protocol we refer to [6, 11] Finally, the restriction to binary challenges can be dropped if the order of the group is not known to the prover (e.g. if a subgroup of an RSA ring is used) and when believing in the non standard strong RSA assumption 2 [18, 19]. Although we describe our protocols in the following in the setting where the group's order is known to the prover, all protocols can easily be adapted to the case where the prover does not know the group's order using the techniques from [18, 19] All described protocols can be combined in ....

.... in the non standard strong RSA assumption 2 [18, 19] Although we describe our protocols in the following in the setting where the group's order is known to the prover, all protocols can easily be adapted to the case where the prover does not know the group's order using the techniques from [18, 19]. All described protocols can be combined in natural ways. First of all, one can use multiple bases instead of a single one in any of the preceding protocols. Then, executing any number of instances of these protocols in parallel and choosing the same challenges for all of them in each round ....

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in Cryptology --- EUROCRYPT '98, volume 1403 of LNCS, pp. 32--46. Springer Verlag, 1998.


An Anonymous Authentication Scheme for Trusted Computing Platform - Ge (2005)   (Correct)

No context found.

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in Cryptology -- EUROCRYPT '98, pages 32--46, 1998.


An Effective Method to Implement Group Signature with Revocation - Ge (2005)   (Correct)

No context found.

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in Cryptology -- EUROCRYPT '98, pages 32--46, 1998.


A Method to Implement Direct Anonymous Attestation - Ge (2006)   (Correct)

No context found.

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Advances in Cryptology -- EUROCRYPT '98, pages 32--46, 1998.


Separable Linkable Threshold Ring Signatures - Tsang, Wei, Chan, Au, Liu, Wong (2004)   (1 citation)  (Correct)

No context found.

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Eurocrypt '98, volume 1403 of LNCS, pages 32--46. Springer-Verlag, 1998.


Group Signatures: Provable Security, Efficient Constructions.. - Kiayias, Yung (2004)   (Correct)

No context found.

E. Fujisaki and T. Okamoto. A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Kaisa Nyberg, editor, Advances in Cryptology -- EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 32--46. Springer, 1998.


A Key Escrow Scheme with Time-Limited Monitoring for One-way.. - Abe, Kanda (2002)   (2 citations)  (Correct)

No context found.

Fujisaki, E. and Okamoto, T. (1998) A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Proc. Advances in Cryptology--- EUROCRYPT '98, Espoo, Finland, May 31--June 4. Lecture Notes in Computer Science, 1403, 32--46. Springer, Berlin.
